# Actions, resources, and condition keys for AWS services
<a name="reference_policies_actions-resources-contextkeys"></a>

Each AWS service can define actions, resources, and condition context keys for use in IAM policies. This topic describes how the elements provided for each service are documented. 

Each topic consists of tables that provide the list of available actions, resources, and condition keys.

## The actions table
<a name="actions_table"></a>

The **Actions** table lists all the actions that you can use in an IAM policy statement's `Action` element. Not all API operations that are defined by a service can be used as an action in an IAM policy. Some services include permission-only actions that don't directly correspond to an API operation. These actions are indicated with **[permission only]**. Use this list to determine which actions you can use in an IAM policy. For more information about the `Action`, `Resource`, or `Condition` elements, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html). The **Actions** and **Description** table columns are self-descriptive.
+ The **Access level** column describes how the action is classified (List, Read, Write, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Understanding access level summaries within policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).
+ The **Resource types** column indicates whether the action supports resource-level permissions. If the column is empty, then the action does not support resource-level permissions and you must specify all resources ("\$1") in your policy. If the column includes a resource type, then you can specify the resource ARN in the `Resource` element of your policy. For more information about that resource, refer to that row in the **Resource types** table. All actions and resources that are included in one statement must be compatible with each other. If you specify a resource that is not valid for the action, any request to use that action fails, and the statement's `Effect` does not apply.

  Required resources are indicated in the table with an asterisk (\$1). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
+ The **Condition keys** column includes keys that you can specify in a policy statement's `Condition` element. Condition keys might be supported with an action, or with an action and a specific resource. Pay close attention to whether the key is in the same row as a specific resource type. This table does not include global condition keys that are available for any action or under unrelated circumstances. For more information about global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

  Dependent actions are not required in all scenarios. Refer to the individual service's documentation for more information about providing granular permissions to users.

## The resource types table
<a name="resources_table"></a>

The **Resource types** table lists all the resource types that you can specify as an ARN in the `Resource` policy element. Not every resource type can be specified with every action. Some resource types work with only certain actions. If you specify a resource type in a statement with an action that does not support that resource type, then the statement doesn't allow access. For more information about the `Resource` element, see [IAM JSON policy elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html).
+ The **ARN** column specifies the Amazon Resource Name (ARN) format that you must use to reference resources of this type. The portions that are preceded by a \$1 must be replaced by the actual values for your scenario. For example, if you see `$user-name` in an ARN, you must replace that string with either the actual user's name or a [policy variable](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) that contains a user's name. For more information about ARNs, see [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns).
+ The **Condition keys** column specifies condition context keys that you can include in an IAM policy statement only when both this resource and a supporting action from the table above are included in the statement.

## The condition keys table
<a name="context_keys_table"></a>

The **condition keys** table lists all of the condition context keys that you can use in an IAM policy statement's `Condition` element. Not every key can be specified with every action or resource. Certain keys only work with certain types of actions and resources. For more information about the `Condition` element, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
+ The **Type** column specifies the data type of the condition key. This data type determines which [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) you can use to compare values in the request with the values in the policy statement. You must use an operator that is appropriate for the data type. If you use an incorrect operator, then the match always fails and the policy statement never applies. 

  If the **Type** column specifies a "List of …" one of the simple types, then you can use [multiple keys and values](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html#reference_policies_multi-key-or-value-conditions) in your policies. Do this using condition set prefixes with your operators. Use the `ForAllValues` prefix to specify that **all** values in the request must match a value in the policy statement. Use the `ForAnyValue` prefix to specify that **at least one** value in the request matches one of the values in the policy statement.

**Topics**
+ [Actions table](#actions_table)
+ [Resource types table](#resources_table)
+ [Condition keys table](#context_keys_table)
+ [AWS Account Management](list_awsaccountmanagement.md)
+ [AWS Action Recommendations](list_awsactionrecommendations.md)
+ [AWS Activate](list_awsactivate.md)
+ [Amazon AI Operations](list_amazonaioperations.md)
+ [Alexa for Business](list_alexaforbusiness.md)
+ [AmazonMediaImport](list_amazonmediaimport.md)
+ [AWS Amplify](list_awsamplify.md)
+ [AWS Amplify Admin](list_awsamplifyadmin.md)
+ [AWS Amplify UI Builder](list_awsamplifyuibuilder.md)
+ [Apache Kafka APIs for Amazon MSK clusters](list_apachekafkaapisforamazonmskclusters.md)
+ [Amazon API Gateway](list_amazonapigateway.md)
+ [AWS App Mesh](list_awsappmesh.md)
+ [AWS App Mesh Preview](list_awsappmeshpreview.md)
+ [AWS App Runner](list_awsapprunner.md)
+ [AWS App Studio](list_awsappstudio.md)
+ [AWS App2Container](list_awsapp2container.md)
+ [AWS AppConfig](list_awsappconfig.md)
+ [AWS AppFabric](list_awsappfabric.md)
+ [Amazon AppFlow](list_amazonappflow.md)
+ [Amazon AppIntegrations](list_amazonappintegrations.md)
+ [AWS Application Auto Scaling](list_awsapplicationautoscaling.md)
+ [Application Discovery Arsenal](list_applicationdiscoveryarsenal.md)
+ [AWS Application Discovery Service](list_awsapplicationdiscoveryservice.md)
+ [AWS Application Migration Service](list_awsapplicationmigrationservice.md)
+ [Amazon Application Recovery Controller - Zonal Shift](list_amazonapplicationrecoverycontroller-zonalshift.md)
+ [AWS Application Transformation Service](list_awsapplicationtransformationservice.md)
+ [Amazon AppStream 2.0](list_amazonappstream2.0.md)
+ [AWS AppSync](list_awsappsync.md)
+ [Amazon ARC Region switch](list_amazonarcregionswitch.md)
+ [AWS Artifact](list_awsartifact.md)
+ [Amazon Athena](list_amazonathena.md)
+ [AWS Audit Manager](list_awsauditmanager.md)
+ [Amazon Aurora DSQL](list_amazonauroradsql.md)
+ [AWS Auto Scaling](list_awsautoscaling.md)
+ [AWS B2B Data Interchange](list_awsb2bdatainterchange.md)
+ [AWS Backup](list_awsbackup.md)
+ [AWS Backup Gateway](list_awsbackupgateway.md)
+ [AWS Backup Search](list_awsbackupsearch.md)
+ [AWS Backup storage](list_awsbackupstorage.md)
+ [AWS Batch](list_awsbatch.md)
+ [Amazon Bedrock](list_amazonbedrock.md)
+ [Amazon Bedrock Agentcore](list_amazonbedrockagentcore.md)
+ [Amazon Bedrock Powered by AWS Mantle](list_amazonbedrockpoweredbyawsmantle.md)
+ [AWS Billing](list_awsbilling.md)
+ [AWS Billing and Cost Management Dashboards](list_awsbillingandcostmanagementdashboards.md)
+ [AWS Billing And Cost Management Data Exports](list_awsbillingandcostmanagementdataexports.md)
+ [AWS Billing And Cost Management Pricing Calculator](list_awsbillingandcostmanagementpricingcalculator.md)
+ [AWS Billing And Cost Management Recommended Actions](list_awsbillingandcostmanagementrecommendedactions.md)
+ [AWS Billing Conductor](list_awsbillingconductor.md)
+ [AWS Billing Console](list_awsbillingconsole.md)
+ [Amazon Braket](list_amazonbraket.md)
+ [AWS Budget Service](list_awsbudgetservice.md)
+ [AWS BugBust](list_awsbugbust.md)
+ [AWS Certificate Manager](list_awscertificatemanager.md)
+ [AWS Chatbot](list_awschatbot.md)
+ [Amazon Chime](list_amazonchime.md)
+ [Claude Platform on AWS](list_claudeplatformonaws.md)
+ [AWS Clean Rooms](list_awscleanrooms.md)
+ [AWS Clean Rooms ML](list_awscleanroomsml.md)
+ [AWS Cloud Control API](list_awscloudcontrolapi.md)
+ [Amazon Cloud Directory](list_amazonclouddirectory.md)
+ [AWS Cloud Map](list_awscloudmap.md)
+ [AWS Cloud9](list_awscloud9.md)
+ [AWS CloudFormation](list_awscloudformation.md)
+ [Amazon CloudFront](list_amazoncloudfront.md)
+ [Amazon CloudFront KeyValueStore](list_amazoncloudfrontkeyvaluestore.md)
+ [AWS CloudHSM](list_awscloudhsm.md)
+ [Amazon CloudSearch](list_amazoncloudsearch.md)
+ [AWS CloudShell](list_awscloudshell.md)
+ [AWS CloudTrail](list_awscloudtrail.md)
+ [AWS CloudTrail Data](list_awscloudtraildata.md)
+ [Amazon CloudWatch](list_amazoncloudwatch.md)
+ [Amazon CloudWatch Application Insights](list_amazoncloudwatchapplicationinsights.md)
+ [Amazon CloudWatch Application Signals](list_amazoncloudwatchapplicationsignals.md)
+ [Amazon CloudWatch Evidently](list_amazoncloudwatchevidently.md)
+ [Amazon CloudWatch Internet Monitor](list_amazoncloudwatchinternetmonitor.md)
+ [Amazon CloudWatch Logs](list_amazoncloudwatchlogs.md)
+ [Amazon CloudWatch Network Synthetic Monitor](list_amazoncloudwatchnetworksyntheticmonitor.md)
+ [Amazon CloudWatch Observability Access Manager](list_amazoncloudwatchobservabilityaccessmanager.md)
+ [Amazon CloudWatch Observability Admin Service](list_amazoncloudwatchobservabilityadminservice.md)
+ [AWS CloudWatch RUM](list_awscloudwatchrum.md)
+ [Amazon CloudWatch Synthetics](list_amazoncloudwatchsynthetics.md)
+ [AWS CodeArtifact](list_awscodeartifact.md)
+ [Amazon CodeCatalyst](list_amazoncodecatalyst.md)
+ [AWS CodeCommit](list_awscodecommit.md)
+ [AWS CodeConnections](list_awscodeconnections.md)
+ [AWS CodeDeploy](list_awscodedeploy.md)
+ [AWS CodeDeploy secure host commands service](list_awscodedeploysecurehostcommandsservice.md)
+ [Amazon CodeGuru](list_amazoncodeguru.md)
+ [Amazon CodeGuru Profiler](list_amazoncodeguruprofiler.md)
+ [Amazon CodeGuru Reviewer](list_amazoncodegurureviewer.md)
+ [Amazon CodeGuru Security](list_amazoncodegurusecurity.md)
+ [AWS CodePipeline](list_awscodepipeline.md)
+ [AWS CodeStar](list_awscodestar.md)
+ [AWS CodeStar Connections](list_awscodestarconnections.md)
+ [AWS CodeStar Notifications](list_awscodestarnotifications.md)
+ [Amazon CodeWhisperer](list_amazoncodewhisperer.md)
+ [Amazon Cognito Identity](list_amazoncognitoidentity.md)
+ [Amazon Cognito Sync](list_amazoncognitosync.md)
+ [Amazon Cognito User Pools](list_amazoncognitouserpools.md)
+ [Amazon Comprehend](list_amazoncomprehend.md)
+ [Amazon Comprehend Medical](list_amazoncomprehendmedical.md)
+ [AWS Compute Optimizer](list_awscomputeoptimizer.md)
+ [AWS Compute Optimizer Automation](list_awscomputeoptimizerautomation.md)
+ [AWS Config](list_awsconfig.md)
+ [Amazon Connect Cases](list_amazonconnectcases.md)
+ [Amazon Connect Customer Profiles](list_amazonconnectcustomerprofiles.md)
+ [Amazon Connect Health](list_amazonconnecthealth.md)
+ [Amazon Connect Outbound Campaigns](list_amazonconnectoutboundcampaigns.md)
+ [Amazon Connect Voice ID](list_amazonconnectvoiceid.md)
+ [AWS Connector Service](list_awsconnectorservice.md)
+ [AWS Management Console Mobile App](list_awsconsolemobileapp.md)
+ [AWS Consolidated Billing](list_awsconsolidatedbilling.md)
+ [AWS Control Catalog](list_awscontrolcatalog.md)
+ [AWS Control Tower](list_awscontroltower.md)
+ [AWS Cost and Usage Report](list_awscostandusagereport.md)
+ [AWS Cost Explorer Service](list_awscostexplorerservice.md)
+ [AWS Cost Optimization Hub](list_awscostoptimizationhub.md)
+ [AWS Customer Verification Service](list_awscustomerverificationservice.md)
+ [AWS Data Exchange](list_awsdataexchange.md)
+ [Amazon Data Lifecycle Manager](list_amazondatalifecyclemanager.md)
+ [AWS Data Pipeline](list_awsdatapipeline.md)
+ [AWS Database Migration Service](list_awsdatabasemigrationservice.md)
+ [Database Query Metadata Service](list_databasequerymetadataservice.md)
+ [AWS DataSync](list_awsdatasync.md)
+ [Amazon DataZone](list_amazondatazone.md)
+ [AWS Deadline Cloud](list_awsdeadlinecloud.md)
+ [Amazon Detective](list_amazondetective.md)
+ [AWS Device Farm](list_awsdevicefarm.md)
+ [AWS DevOps Agent Service](list_awsdevopsagentservice.md)
+ [Amazon DevOps Guru](list_amazondevopsguru.md)
+ [AWS Diagnostic tools](list_awsdiagnostictools.md)
+ [AWS Direct Connect](list_awsdirectconnect.md)
+ [AWS Directory Service](list_awsdirectoryservice.md)
+ [AWS Directory Service Data](list_awsdirectoryservicedata.md)
+ [Amazon DocumentDB Elastic Clusters](list_amazondocumentdbelasticclusters.md)
+ [Amazon DynamoDB](list_amazondynamodb.md)
+ [Amazon DynamoDB Accelerator (DAX)](list_amazondynamodbacceleratordax.md)
+ [Amazon EC2 Auto Scaling](list_amazonec2autoscaling.md)
+ [Amazon EC2 Image Builder](list_amazonec2imagebuilder.md)
+ [Amazon EC2 Instance Connect](list_amazonec2instanceconnect.md)
+ [Amazon ECS MCP Service](list_amazonecsmcpservice.md)
+ [Amazon EKS Auth](list_amazoneksauth.md)
+ [Amazon EKS MCP Server](list_amazoneksmcpserver.md)
+ [AWS Elastic Beanstalk](list_awselasticbeanstalk.md)
+ [Amazon Elastic Block Store](list_amazonelasticblockstore.md)
+ [Amazon Elastic Container Registry](list_amazonelasticcontainerregistry.md)
+ [Amazon Elastic Container Registry Public](list_amazonelasticcontainerregistrypublic.md)
+ [AWS Elastic Disaster Recovery](list_awselasticdisasterrecovery.md)
+ [Amazon Elastic File System](list_amazonelasticfilesystem.md)
+ [Amazon Elastic Kubernetes Service](list_amazonelastickubernetesservice.md)
+ [AWS Elastic Load Balancing](list_awselasticloadbalancing.md)
+ [AWS Elastic Load Balancing V2](list_awselasticloadbalancingv2.md)
+ [Amazon Elastic MapReduce](list_amazonelasticmapreduce.md)
+ [Amazon Elastic Transcoder](list_amazonelastictranscoder.md)
+ [Amazon Elastic VMware Service](list_amazonelasticvmwareservice.md)
+ [Amazon ElastiCache](list_amazonelasticache.md)
+ [AWS Elemental Appliances and Software](list_awselementalappliancesandsoftware.md)
+ [AWS Elemental Appliances and Software Activation Service](list_awselementalappliancesandsoftwareactivationservice.md)
+ [AWS Elemental Inference](list_awselementalinference.md)
+ [AWS Elemental MediaConnect](list_awselementalmediaconnect.md)
+ [AWS Elemental MediaConvert](list_awselementalmediaconvert.md)
+ [AWS Elemental MediaLive](list_awselementalmedialive.md)
+ [AWS Elemental MediaPackage](list_awselementalmediapackage.md)
+ [AWS Elemental MediaPackage V2](list_awselementalmediapackagev2.md)
+ [AWS Elemental MediaPackage VOD](list_awselementalmediapackagevod.md)
+ [AWS Elemental MediaStore](list_awselementalmediastore.md)
+ [AWS Elemental MediaTailor](list_awselementalmediatailor.md)
+ [AWS Elemental Support Cases](list_awselementalsupportcases.md)
+ [AWS Elemental Support Content](list_awselementalsupportcontent.md)
+ [Amazon EMR on EKS (EMR Containers)](list_amazonemroneksemrcontainers.md)
+ [Amazon EMR Serverless](list_amazonemrserverless.md)
+ [AWS End User Messaging SMS and Voice V2](list_awsendusermessagingsmsandvoicev2.md)
+ [AWS End User Messaging Social](list_awsendusermessagingsocial.md)
+ [AWS Entity Resolution](list_awsentityresolution.md)
+ [Amazon EventBridge](list_amazoneventbridge.md)
+ [Amazon EventBridge Pipes](list_amazoneventbridgepipes.md)
+ [Amazon EventBridge Scheduler](list_amazoneventbridgescheduler.md)
+ [Amazon EventBridge Schemas](list_amazoneventbridgeschemas.md)
+ [AWS Fault Injection Service](list_awsfaultinjectionservice.md)
+ [Amazon FinSpace](list_amazonfinspace.md)
+ [Amazon FinSpace API](list_amazonfinspaceapi.md)
+ [AWS Firewall Manager](list_awsfirewallmanager.md)
+ [Amazon Forecast](list_amazonforecast.md)
+ [Amazon Fraud Detector](list_amazonfrauddetector.md)
+ [AWS Free Tier](list_awsfreetier.md)
+ [Amazon FreeRTOS](list_amazonfreertos.md)
+ [Amazon FSx](list_amazonfsx.md)
+ [Amazon GameLift Servers](list_amazongameliftservers.md)
+ [Amazon GameLift Streams](list_amazongameliftstreams.md)
+ [AWS Global Accelerator](list_awsglobalaccelerator.md)
+ [AWS Glue](list_awsglue.md)
+ [AWS Glue DataBrew](list_awsgluedatabrew.md)
+ [AWS Ground Station](list_awsgroundstation.md)
+ [Amazon GroundTruth Labeling](list_amazongroundtruthlabeling.md)
+ [Amazon GuardDuty](list_amazonguardduty.md)
+ [AWS Health APIs and Notifications](list_awshealthapisandnotifications.md)
+ [AWS HealthImaging](list_awshealthimaging.md)
+ [AWS HealthLake](list_awshealthlake.md)
+ [AWS HealthOmics](list_awshealthomics.md)
+ [Amazon Honeycode](list_amazonhoneycode.md)
+ [AWS IAM Access Analyzer](list_awsiamaccessanalyzer.md)
+ [AWS IAM Identity Center](list_awsiamidentitycenter.md)
+ [AWS IAM Identity Center directory](list_awsiamidentitycenterdirectory.md)
+ [AWS IAM Identity Center OIDC service](list_awsiamidentitycenteroidcservice.md)
+ [AWS Identity and Access Management Roles Anywhere](list_awsidentityandaccessmanagementrolesanywhere.md)
+ [AWS Identity Store](list_awsidentitystore.md)
+ [AWS Identity Store Auth](list_awsidentitystoreauth.md)
+ [AWS Identity Sync](list_awsidentitysync.md)
+ [AWS Import Export Disk Service](list_awsimportexportdiskservice.md)
+ [Amazon Inspector](list_amazoninspector.md)
+ [Amazon Inspector2](list_amazoninspector2.md)
+ [Amazon Inspector2 Telemetry Channel](list_amazoninspector2telemetrychannel.md)
+ [Amazon InspectorScan](list_amazoninspectorscan.md)
+ [Amazon Interactive Video Service](list_amazoninteractivevideoservice.md)
+ [Amazon Interactive Video Service Chat](list_amazoninteractivevideoservicechat.md)
+ [AWS Interconnect](list_awsinterconnect.md)
+ [AWS Invoicing Service](list_awsinvoicingservice.md)
+ [AWS IoT Analytics](list_awsiotanalytics.md)
+ [AWS IoT Core Device Advisor](list_awsiotcoredeviceadvisor.md)
+ [AWS IoT Device Tester](list_awsiotdevicetester.md)
+ [AWS IoT Events](list_awsiotevents.md)
+ [AWS IoT Fleet Hub for Device Management](list_awsiotfleethubfordevicemanagement.md)
+ [AWS IoT FleetWise](list_awsiotfleetwise.md)
+ [AWS IoT Greengrass](list_awsiotgreengrass.md)
+ [AWS IoT Greengrass V2](list_awsiotgreengrassv2.md)
+ [AWS IoT Jobs DataPlane](list_awsiotjobsdataplane.md)
+ [AWS IoT Managed Integrations](list_awsiotmanagedintegrations.md)
+ [AWS IoT SiteWise](list_awsiotsitewise.md)
+ [AWS IoT TwinMaker](list_awsiottwinmaker.md)
+ [AWS IoT Wireless](list_awsiotwireless.md)
+ [AWS IQ](list_awsiq.md)
+ [AWS IQ Permissions](list_awsiqpermissions.md)
+ [Amazon Kendra](list_amazonkendra.md)
+ [Amazon Kendra Intelligent Ranking](list_amazonkendraintelligentranking.md)
+ [Amazon Keyspaces (for Apache Cassandra)](list_amazonkeyspacesforapachecassandra.md)
+ [Amazon Kinesis Analytics](list_amazonkinesisanalytics.md)
+ [Amazon Kinesis Analytics V2](list_amazonkinesisanalyticsv2.md)
+ [Amazon Kinesis Data Streams](list_amazonkinesisdatastreams.md)
+ [Amazon Kinesis Firehose](list_amazonkinesisfirehose.md)
+ [Amazon Kinesis Video Streams](list_amazonkinesisvideostreams.md)
+ [AWS Lake Formation](list_awslakeformation.md)
+ [AWS Lambda](list_awslambda.md)
+ [AWS Launch Wizard](list_awslaunchwizard.md)
+ [Amazon Lex](list_amazonlex.md)
+ [Amazon Lex V2](list_amazonlexv2.md)
+ [AWS License Manager](list_awslicensemanager.md)
+ [AWS License Manager Linux Subscriptions Manager](list_awslicensemanagerlinuxsubscriptionsmanager.md)
+ [AWS License Manager User Subscriptions](list_awslicensemanagerusersubscriptions.md)
+ [Amazon Lightsail](list_amazonlightsail.md)
+ [Amazon Location](list_amazonlocation.md)
+ [Amazon Location Service Maps](list_amazonlocationservicemaps.md)
+ [Amazon Location Service Places](list_amazonlocationserviceplaces.md)
+ [Amazon Location Service Routes](list_amazonlocationserviceroutes.md)
+ [Amazon Lookout for Equipment](list_amazonlookoutforequipment.md)
+ [Amazon Lookout for Metrics](list_amazonlookoutformetrics.md)
+ [Amazon Lookout for Vision](list_amazonlookoutforvision.md)
+ [Amazon Machine Learning](list_amazonmachinelearning.md)
+ [Amazon Macie](list_amazonmacie.md)
+ [AWS Mainframe Modernization Application Testing](list_awsmainframemodernizationapplicationtesting.md)
+ [AWS Mainframe Modernization Service](list_awsmainframemodernizationservice.md)
+ [Amazon Managed Blockchain](list_amazonmanagedblockchain.md)
+ [Amazon Managed Blockchain Query](list_amazonmanagedblockchainquery.md)
+ [Amazon Managed Grafana](list_amazonmanagedgrafana.md)
+ [Amazon Managed Service for Prometheus](list_amazonmanagedserviceforprometheus.md)
+ [Amazon Managed Streaming for Apache Kafka](list_amazonmanagedstreamingforapachekafka.md)
+ [Amazon Managed Streaming for Kafka Connect](list_amazonmanagedstreamingforkafkaconnect.md)
+ [Amazon Managed Workflows for Apache Airflow](list_amazonmanagedworkflowsforapacheairflow.md)
+ [AWS Marketplace](list_awsmarketplace.md)
+ [AWS Marketplace Catalog](list_awsmarketplacecatalog.md)
+ [AWS Marketplace Commerce Analytics Service](list_awsmarketplacecommerceanalyticsservice.md)
+ [AWS Marketplace Deployment Service](list_awsmarketplacedeploymentservice.md)
+ [AWS Marketplace Discovery](list_awsmarketplacediscovery.md)
+ [AWS Marketplace Entitlement Service](list_awsmarketplaceentitlementservice.md)
+ [AWS Marketplace Image Building Service](list_awsmarketplaceimagebuildingservice.md)
+ [AWS Marketplace Management Portal](list_awsmarketplacemanagementportal.md)
+ [AWS Marketplace Metering Service](list_awsmarketplacemeteringservice.md)
+ [AWS Marketplace Private Marketplace](list_awsmarketplaceprivatemarketplace.md)
+ [AWS Marketplace Procurement Systems Integration](list_awsmarketplaceprocurementsystemsintegration.md)
+ [AWS Marketplace Reporting](list_awsmarketplacereporting.md)
+ [AWS Marketplace Seller Reporting](list_awsmarketplacesellerreporting.md)
+ [AWS Marketplace Vendor Insights](list_awsmarketplacevendorinsights.md)
+ [AWS MCP Server](list_awsmcpserver.md)
+ [Amazon Mechanical Turk](list_amazonmechanicalturk.md)
+ [Amazon MemoryDB](list_amazonmemorydb.md)
+ [Amazon Message Delivery Service](list_amazonmessagedeliveryservice.md)
+ [Amazon Message Gateway Service](list_amazonmessagegatewayservice.md)
+ [AWS Microservice Extractor for .NET](list_awsmicroserviceextractorfor.net.md)
+ [AWS Migration Acceleration Program Credits](list_awsmigrationaccelerationprogramcredits.md)
+ [AWS Migration Hub](list_awsmigrationhub.md)
+ [AWS Migration Hub Orchestrator](list_awsmigrationhuborchestrator.md)
+ [AWS Migration Hub Refactor Spaces](list_awsmigrationhubrefactorspaces.md)
+ [AWS Migration Hub Strategy Recommendations](list_awsmigrationhubstrategyrecommendations.md)
+ [Amazon Mobile Analytics](list_amazonmobileanalytics.md)
+ [Amazon Monitron](list_amazonmonitron.md)
+ [Amazon MQ](list_amazonmq.md)
+ [Multi-party approval](list_multi-partyapproval.md)
+ [AWS MWAA Serverless](list_awsmwaaserverless.md)
+ [Amazon Neptune](list_amazonneptune.md)
+ [Amazon Neptune Analytics](list_amazonneptuneanalytics.md)
+ [AWS Network Firewall](list_awsnetworkfirewall.md)
+ [Network Flow Monitor](list_networkflowmonitor.md)
+ [AWS Network Manager](list_awsnetworkmanager.md)
+ [AWS Network Manager Chat](list_awsnetworkmanagerchat.md)
+ [Amazon Nimble Studio](list_amazonnimblestudio.md)
+ [Amazon Nova Act](list_amazonnovaact.md)
+ [Amazon One Enterprise](list_amazononeenterprise.md)
+ [Amazon OpenSearch](list_amazonopensearch.md)
+ [Amazon OpenSearch Ingestion](list_amazonopensearchingestion.md)
+ [Amazon OpenSearch Serverless](list_amazonopensearchserverless.md)
+ [Amazon OpenSearch Service](list_amazonopensearchservice.md)
+ [AWS OpsWorks](list_awsopsworks.md)
+ [AWS OpsWorks Configuration Management](list_awsopsworksconfigurationmanagement.md)
+ [AWS Organizations](list_awsorganizations.md)
+ [AWS Outposts](list_awsoutposts.md)
+ [AWS Panorama](list_awspanorama.md)
+ [AWS Parallel Computing Service](list_awsparallelcomputingservice.md)
+ [AWS Partner Central](list_awspartnercentral.md)
+ [AWS Partner central account management](list_awspartnercentralaccountmanagement.md)
+ [AWS Payment Cryptography](list_awspaymentcryptography.md)
+ [AWS Payments](list_awspayments.md)
+ [AWS Performance Insights](list_awsperformanceinsights.md)
+ [Amazon Personalize](list_amazonpersonalize.md)
+ [Amazon Pinpoint](list_amazonpinpoint.md)
+ [Amazon Pinpoint Email Service](list_amazonpinpointemailservice.md)
+ [Amazon Pinpoint SMS and Voice Service](list_amazonpinpointsmsandvoiceservice.md)
+ [Amazon Polly](list_amazonpolly.md)
+ [AWS Price List](list_awspricelist.md)
+ [AWS PricingPlanManager Service](list_awspricingplanmanagerservice.md)
+ [AWS Private CA Connector for Active Directory](list_awsprivatecaconnectorforactivedirectory.md)
+ [AWS Private CA Connector for SCEP](list_awsprivatecaconnectorforscep.md)
+ [AWS Private Certificate Authority](list_awsprivatecertificateauthority.md)
+ [AWS PrivateLink](list_awsprivatelink.md)
+ [AWS Proton](list_awsproton.md)
+ [AWS Purchase Orders Console](list_awspurchaseordersconsole.md)
+ [Amazon Q](list_amazonq.md)
+ [Amazon Q Business](list_amazonqbusiness.md)
+ [Amazon Q Business Q Apps](list_amazonqbusinessqapps.md)
+ [Amazon Q Developer](list_amazonqdeveloper.md)
+ [Amazon Q in Connect](list_amazonqinconnect.md)
+ [Amazon QLDB](list_amazonqldb.md)
+ [Amazon QuickSight](list_amazonquicksight.md)
+ [Amazon RDS Data API](list_amazonrdsdataapi.md)
+ [Amazon RDS IAM Authentication](list_amazonrdsiamauthentication.md)
+ [AWS Recycle Bin](list_awsrecyclebin.md)
+ [Amazon Redshift](list_amazonredshift.md)
+ [Amazon Redshift Data API](list_amazonredshiftdataapi.md)
+ [Amazon Redshift Serverless](list_amazonredshiftserverless.md)
+ [Amazon Rekognition](list_amazonrekognition.md)
+ [AWS rePost Private](list_awsrepostprivate.md)
+ [AWS Resilience Hub](list_awsresiliencehub.md)
+ [AWS Resource Access Manager (RAM)](list_awsresourceaccessmanagerram.md)
+ [AWS Resource Explorer](list_awsresourceexplorer.md)
+ [Amazon Resource Group Tagging API](list_amazonresourcegrouptaggingapi.md)
+ [AWS Resource Groups](list_awsresourcegroups.md)
+ [Amazon RHEL Knowledgebase Portal](list_amazonrhelknowledgebaseportal.md)
+ [AWS RoboMaker](list_awsrobomaker.md)
+ [Amazon Route 53](list_amazonroute53.md)
+ [Amazon Route 53 Domains](list_amazonroute53domains.md)
+ [Amazon Route 53 Profiles](list_amazonroute53profiles.md)
+ [Amazon Route 53 Recovery Cluster](list_amazonroute53recoverycluster.md)
+ [Amazon Route 53 Recovery Controls](list_amazonroute53recoverycontrols.md)
+ [Amazon Route 53 Recovery Readiness](list_amazonroute53recoveryreadiness.md)
+ [Amazon Route 53 Resolver](list_amazonroute53resolver.md)
+ [AWS Route53 Global Resolver](list_awsroute53globalresolver.md)
+ [AWS RTB Fabric](list_awsrtbfabric.md)
+ [Amazon S3 Express](list_amazons3express.md)
+ [Amazon S3 Files](list_amazons3files.md)
+ [Amazon S3 Glacier](list_amazons3glacier.md)
+ [Amazon S3 Object Lambda](list_amazons3objectlambda.md)
+ [Amazon S3 on Outposts](list_amazons3onoutposts.md)
+ [Amazon S3 Tables](list_amazons3tables.md)
+ [Amazon S3 Vectors](list_amazons3vectors.md)
+ [Amazon SageMaker data science assistant](list_amazonsagemakerdatascienceassistant.md)
+ [Amazon SageMaker geospatial capabilities](list_amazonsagemakergeospatialcapabilities.md)
+ [Amazon SageMaker Unified Studio MCP](list_amazonsagemakerunifiedstudiomcp.md)
+ [Amazon SageMaker with MLflow](list_amazonsagemakerwithmlflow.md)
+ [AWS Savings Plans](list_awssavingsplans.md)
+ [AWS Secrets Manager](list_awssecretsmanager.md)
+ [AWS Security Agent](list_awssecurityagent.md)
+ [AWS Security Hub](list_awssecurityhub.md)
+ [AWS Security Incident Response](list_awssecurityincidentresponse.md)
+ [Amazon Security Lake](list_amazonsecuritylake.md)
+ [AWS Server Migration Service](list_awsservermigrationservice.md)
+ [AWS Serverless Application Repository](list_awsserverlessapplicationrepository.md)
+ [AWS Service - Oracle Database@AWS](list_awsservice-oracledatabase_aws.md)
+ [AWS Service Catalog](list_awsservicecatalog.md)
+ [AWS service providing managed private networks](list_awsserviceprovidingmanagedprivatenetworks.md)
+ [Service Quotas](list_servicequotas.md)
+ [Amazon SES](list_amazonses.md)
+ [AWS Shield](list_awsshield.md)
+ [AWS Shield network security director](list_awsshieldnetworksecuritydirector.md)
+ [AWS Signer](list_awssigner.md)
+ [AWS Signin](list_awssignin.md)
+ [Amazon Simple Email Service - Mail Manager](list_amazonsimpleemailservice-mailmanager.md)
+ [Amazon Simple Email Service v2](list_amazonsimpleemailservicev2.md)
+ [Amazon Simple Workflow Service](list_amazonsimpleworkflowservice.md)
+ [Amazon SimpleDB](list_amazonsimpledb.md)
+ [AWS SimSpace Weaver](list_awssimspaceweaver.md)
+ [AWS Snow Device Management](list_awssnowdevicemanagement.md)
+ [AWS Snowball](list_awssnowball.md)
+ [Amazon SNS](list_amazonsns.md)
+ [AWS SQL Workbench](list_awssqlworkbench.md)
+ [Amazon SQS](list_amazonsqs.md)
+ [AWS Step Functions](list_awsstepfunctions.md)
+ [AWS Storage Gateway](list_awsstoragegateway.md)
+ [AWS Supply Chain](list_awssupplychain.md)
+ [AWS Support](list_awssupport.md)
+ [AWS Support App in Slack](list_awssupportappinslack.md)
+ [AWS Support Console](list_awssupportconsole.md)
+ [AWS Support Plans](list_awssupportplans.md)
+ [AWS Sustainability](list_awssustainability.md)
+ [AWS Systems Manager for SAP](list_awssystemsmanagerforsap.md)
+ [AWS Systems Manager GUI Connect](list_awssystemsmanagerguiconnect.md)
+ [AWS Systems Manager Incident Manager](list_awssystemsmanagerincidentmanager.md)
+ [AWS Systems Manager Incident Manager Contacts](list_awssystemsmanagerincidentmanagercontacts.md)
+ [AWS Systems Manager Quick Setup](list_awssystemsmanagerquicksetup.md)
+ [Tag Editor](list_tageditor.md)
+ [AWS Tax Settings](list_awstaxsettings.md)
+ [AWS Telco Network Builder](list_awstelconetworkbuilder.md)
+ [Amazon Textract](list_amazontextract.md)
+ [Amazon Timestream](list_amazontimestream.md)
+ [Amazon Timestream InfluxDB](list_amazontimestreaminfluxdb.md)
+ [AWS Tiros](list_awstiros.md)
+ [Amazon Transcribe](list_amazontranscribe.md)
+ [AWS Transfer Family](list_awstransferfamily.md)
+ [AWS Transform](list_awstransform.md)
+ [AWS Transform custom](list_awstransformcustom.md)
+ [Amazon Translate](list_amazontranslate.md)
+ [AWS Trusted Advisor](list_awstrustedadvisor.md)
+ [AWS User Experience Customization](list_awsuserexperiencecustomization.md)
+ [AWS User Notifications](list_awsusernotifications.md)
+ [AWS User Notifications Contacts](list_awsusernotificationscontacts.md)
+ [AWS User Subscriptions](list_awsusersubscriptions.md)
+ [AWS Verified Access](list_awsverifiedaccess.md)
+ [Amazon Verified Permissions](list_amazonverifiedpermissions.md)
+ [Amazon VPC Lattice](list_amazonvpclattice.md)
+ [Amazon VPC Lattice Services](list_amazonvpclatticeservices.md)
+ [AWS WAF](list_awswaf.md)
+ [AWS WAF Regional](list_awswafregional.md)
+ [AWS WAF V2](list_awswafv2.md)
+ [AWS Well-Architected Tool](list_awswell-architectedtool.md)
+ [AWS Wickr](list_awswickr.md)
+ [Amazon WorkDocs](list_amazonworkdocs.md)
+ [Amazon WorkLink](list_amazonworklink.md)
+ [Amazon WorkMail](list_amazonworkmail.md)
+ [Amazon WorkMail Message Flow](list_amazonworkmailmessageflow.md)
+ [Amazon WorkSpaces](list_amazonworkspaces.md)
+ [Amazon WorkSpaces Application Manager](list_amazonworkspacesapplicationmanager.md)
+ [AWS WorkSpaces Managed Instances](list_awsworkspacesmanagedinstances.md)
+ [Amazon WorkSpaces Secure Browser](list_amazonworkspacessecurebrowser.md)
+ [Amazon WorkSpaces Thin Client](list_amazonworkspacesthinclient.md)
+ [AWS X-Ray](list_awsx-ray.md)

# Actions, resources, and condition keys for AWS Account Management
<a name="list_awsaccountmanagement"></a>

AWS Account Management (service prefix: `account`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/accounts/latest/reference/accounts-welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/accounts/latest/reference/api-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/accounts/latest/reference/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Account Management
](#awsaccountmanagement-actions-as-permissions)
+ [

## Resource types defined by AWS Account Management
](#awsaccountmanagement-resources-for-iam-policies)
+ [

## Condition keys for AWS Account Management
](#awsaccountmanagement-policy-keys)

## Actions defined by AWS Account Management
<a name="awsaccountmanagement-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsaccountmanagement-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsaccountmanagement.html)

## Resource types defined by AWS Account Management
<a name="awsaccountmanagement-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsaccountmanagement-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources](https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources)  |  arn:\$1\$1Partition\$1:account::\$1\$1Account\$1:account  |  | 
|   [https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources](https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources)  |  arn:\$1\$1Partition\$1:account::\$1\$1ManagementAccountId\$1:account/o-\$1\$1OrganizationId\$1/\$1\$1MemberAccountId\$1  |  | 

## Condition keys for AWS Account Management
<a name="awsaccountmanagement-policy-keys"></a>

AWS Account Management defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the resource path for an account in an organization | ArrayOfString | 
|   [https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by resource tags for an account in an organization | String | 
|   [https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by alternate contact types | ArrayOfString | 
|   [https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by email domain of the target email address | String | 
|   [https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by a list of Regions. Enables or disables all the Regions specified here | String | 

# Actions, resources, and condition keys for AWS Action Recommendations
<a name="list_awsactionrecommendations"></a>

AWS Action Recommendations (service prefix: `action-recommendations`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/recommended-actions.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/recommended-actions.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/security-iam-awsmanpol.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Action Recommendations
](#awsactionrecommendations-actions-as-permissions)
+ [

## Resource types defined by AWS Action Recommendations
](#awsactionrecommendations-resources-for-iam-policies)
+ [

## Condition keys for AWS Action Recommendations
](#awsactionrecommendations-policy-keys)

## Actions defined by AWS Action Recommendations
<a name="awsactionrecommendations-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsactionrecommendations-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/recommended-actions.html](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/recommended-actions.html)  | Grants permission to list recommended actions in the AWS Management Console | List |  |  |  | 

## Resource types defined by AWS Action Recommendations
<a name="awsactionrecommendations-resources-for-iam-policies"></a>

AWS Action Recommendations does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Action Recommendations, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Action Recommendations
<a name="awsactionrecommendations-policy-keys"></a>

Action Recommendations has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Activate
<a name="list_awsactivate"></a>

AWS Activate (service prefix: `activate`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://aws.amazon.com/activate/faq/#AWS_Activate_Console).
+ View a list of the [API operations available for this service](https://aws.amazon.com/activate/faq/#AWS_Activate_Console).
+ Learn how to secure this service and its resources by [using IAM](https://aws.amazon.com/activate/faq/#AWS_Activate_Console) permission policies.

**Topics**
+ [

## Actions defined by AWS Activate
](#awsactivate-actions-as-permissions)
+ [

## Resource types defined by AWS Activate
](#awsactivate-resources-for-iam-policies)
+ [

## Condition keys for AWS Activate
](#awsactivate-policy-keys)

## Actions defined by AWS Activate
<a name="awsactivate-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsactivate-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/)  | Grants permission to submit an Activate application form | Write |  |  |  | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/)  | Grants permission to get the AWS account contact information | Read |  |  |  | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/)  | Grants permission to get Activate tech posts and offer information | Read |  |  |  | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/)  | Grants permission to get the AWS cost information | Read |  |  |  | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/)  | Grants permission to get the AWS credit information | Read |  |  |  | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/)  | Grants permission to get the Activate member information | Read |  |  |  | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/)  | Grants permission to get an Activate program | Read |  |  |  | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/)  | Grants permission to create or update the Activate member information | Write |  |  |  | 

## Resource types defined by AWS Activate
<a name="awsactivate-resources-for-iam-policies"></a>

AWS Activate does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Activate, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Activate
<a name="awsactivate-policy-keys"></a>

Activate has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon AI Operations
<a name="list_amazonaioperations"></a>

Amazon AI Operations (service prefix: `aiops`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon AI Operations
](#amazonaioperations-actions-as-permissions)
+ [

## Resource types defined by Amazon AI Operations
](#amazonaioperations-resources-for-iam-policies)
+ [

## Condition keys for Amazon AI Operations
](#amazonaioperations-policy-keys)

## Actions defined by Amazon AI Operations
<a name="amazonaioperations-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonaioperations-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonaioperations.html)

## Resource types defined by Amazon AI Operations
<a name="amazonaioperations-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonaioperations-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/API_InvestigationGroup.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/API_InvestigationGroup.html)  |  arn:\$1\$1Partition\$1:aiops:\$1\$1Region\$1:\$1\$1Account\$1:investigation-group/\$1\$1InvestigationGroupId\$1  |   [#amazonaioperations-aws_ResourceTag___TagKey_](#amazonaioperations-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon AI Operations
<a name="amazonaioperations-policy-keys"></a>

Amazon AI Operations defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Alexa for Business
<a name="list_alexaforbusiness"></a>

Alexa for Business (service prefix: `a4b`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/a4b/latest/APIReference/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/a4b/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/a4b/latest/APIReference/) permission policies.

**Topics**
+ [

## Actions defined by Alexa for Business
](#alexaforbusiness-actions-as-permissions)
+ [

## Resource types defined by Alexa for Business
](#alexaforbusiness-resources-for-iam-policies)
+ [

## Condition keys for Alexa for Business
](#alexaforbusiness-policy-keys)

## Actions defined by Alexa for Business
<a name="alexaforbusiness-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#alexaforbusiness-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_alexaforbusiness.html)

## Resource types defined by Alexa for Business
<a name="alexaforbusiness-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#alexaforbusiness-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_Profile.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_Profile.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:profile/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_Room.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_Room.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:room/\$1\$1ResourceId\$1  |   [#alexaforbusiness-aws_ResourceTag___TagKey_](#alexaforbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_Device.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_Device.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:device/\$1\$1ResourceId\$1  |   [#alexaforbusiness-aws_ResourceTag___TagKey_](#alexaforbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_SkillGroup.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_SkillGroup.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:skill-group/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_UserData.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_UserData.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:user/\$1\$1ResourceId\$1  |   [#alexaforbusiness-aws_ResourceTag___TagKey_](#alexaforbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_AddressBook.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_AddressBook.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:address-book/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_ConferenceProvider.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_ConferenceProvider.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:conference-provider/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_Contact.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_Contact.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:contact/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_BusinessReportSchedule.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_BusinessReportSchedule.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:schedule/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_NetworkProfile.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_NetworkProfile.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:network-profile/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_Gateway.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_Gateway.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_GatewayGroup.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_GatewayGroup.html)  |  arn:\$1\$1Partition\$1:a4b:\$1\$1Region\$1:\$1\$1Account\$1:gateway-group/\$1\$1ResourceId\$1  |  | 

## Condition keys for Alexa for Business
<a name="alexaforbusiness-policy-keys"></a>

Alexa for Business defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_RegisterAVSDevice.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_RegisterAVSDevice.html)  | Filters actions based on the Amazon Id in the request | String | 
|   [https://docs.aws.amazon.com/a4b/latest/APIReference/API_SearchDevices.html](https://docs.aws.amazon.com/a4b/latest/APIReference/API_SearchDevices.html)  | Filters actions based on the device type in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag-value assoicated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AmazonMediaImport
<a name="list_amazonmediaimport"></a>

AmazonMediaImport (service prefix: `mediaimport`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/) permission policies.

**Topics**
+ [

## Actions defined by AmazonMediaImport
](#amazonmediaimport-actions-as-permissions)
+ [

## Resource types defined by AmazonMediaImport
](#amazonmediaimport-resources-for-iam-policies)
+ [

## Condition keys for AmazonMediaImport
](#amazonmediaimport-policy-keys)

## Actions defined by AmazonMediaImport
<a name="amazonmediaimport-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmediaimport-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-cev.html](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-cev.html) [permission only] | Grants permission to create a database binary snapshot on the customer's aws account | Write |  |  |  | 

## Resource types defined by AmazonMediaImport
<a name="amazonmediaimport-resources-for-iam-policies"></a>

AmazonMediaImport does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AmazonMediaImport, specify `"Resource": "*"` in your policy.

## Condition keys for AmazonMediaImport
<a name="amazonmediaimport-policy-keys"></a>

mediaimport has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Amplify
<a name="list_awsamplify"></a>

AWS Amplify (service prefix: `amplify`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amplify/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amplify/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amplify/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Amplify
](#awsamplify-actions-as-permissions)
+ [

## Resource types defined by AWS Amplify
](#awsamplify-resources-for-iam-policies)
+ [

## Condition keys for AWS Amplify
](#awsamplify-policy-keys)

## Actions defined by AWS Amplify
<a name="awsamplify-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsamplify-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplify.html)

## Resource types defined by AWS Amplify
<a name="awsamplify-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsamplify-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amplify/latest/userguide/welcome.html](https://docs.aws.amazon.com/amplify/latest/userguide/welcome.html)  |  arn:\$1\$1Partition\$1:amplify:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1  |   [#awsamplify-aws_ResourceTag___TagKey_](#awsamplify-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amplify/latest/userguide/welcome.html](https://docs.aws.amazon.com/amplify/latest/userguide/welcome.html)  |  arn:\$1\$1Partition\$1:amplify:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/branches/\$1\$1BranchName\$1  |   [#awsamplify-aws_ResourceTag___TagKey_](#awsamplify-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amplify/latest/userguide/welcome.html](https://docs.aws.amazon.com/amplify/latest/userguide/welcome.html)  |  arn:\$1\$1Partition\$1:amplify:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/branches/\$1\$1BranchName\$1/jobs/\$1\$1JobId\$1  |  | 
|   [https://docs.aws.amazon.com/amplify/latest/userguide/welcome.html](https://docs.aws.amazon.com/amplify/latest/userguide/welcome.html)  |  arn:\$1\$1Partition\$1:amplify:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/domains/\$1\$1DomainName\$1  |   [#awsamplify-aws_ResourceTag___TagKey_](#awsamplify-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amplify/latest/userguide/welcome.html](https://docs.aws.amazon.com/amplify/latest/userguide/welcome.html)  |  arn:\$1\$1Partition\$1:amplify:\$1\$1Region\$1:\$1\$1Account\$1:webhooks/\$1\$1WebhookId\$1  |   [#awsamplify-aws_ResourceTag___TagKey_](#awsamplify-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Amplify
<a name="awsamplify-policy-keys"></a>

AWS Amplify defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag's key associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in a request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Amplify Admin
<a name="list_awsamplifyadmin"></a>

AWS Amplify Admin (service prefix: `amplifybackend`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/introduction.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/access_policies.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Amplify Admin
](#awsamplifyadmin-actions-as-permissions)
+ [

## Resource types defined by AWS Amplify Admin
](#awsamplifyadmin-resources-for-iam-policies)
+ [

## Condition keys for AWS Amplify Admin
](#awsamplifyadmin-policy-keys)

## Actions defined by AWS Amplify Admin
<a name="awsamplifyadmin-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsamplifyadmin-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplifyadmin.html)

## Resource types defined by AWS Amplify Admin
<a name="awsamplifyadmin-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsamplifyadmin-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend.html](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend.html)  |  arn:\$1\$1Partition\$1:amplifybackend:\$1\$1Region\$1:\$1\$1Account\$1:/backend/\$1  |  | 
|   [https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend.html](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend.html)  |  arn:\$1\$1Partition\$1:amplifybackend:\$1\$1Region\$1:\$1\$1Account\$1:/backend/\$1\$1AppId\$1/\$1  |  | 
|   [https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-api-backendenvironmentname-details.html](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-api-backendenvironmentname-details.html)  |  arn:\$1\$1Partition\$1:amplifybackend:\$1\$1Region\$1:\$1\$1Account\$1:/backend/\$1\$1AppId\$1/environments/\$1  |  | 
|   [https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-api.html](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-api.html)  |  arn:\$1\$1Partition\$1:amplifybackend:\$1\$1Region\$1:\$1\$1Account\$1:/backend/\$1\$1AppId\$1/api/\$1  |  | 
|   [https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-auth.html](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-auth.html)  |  arn:\$1\$1Partition\$1:amplifybackend:\$1\$1Region\$1:\$1\$1Account\$1:/backend/\$1\$1AppId\$1/auth/\$1  |  | 
|   [https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-job-backendenvironmentname.html](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-job-backendenvironmentname.html)  |  arn:\$1\$1Partition\$1:amplifybackend:\$1\$1Region\$1:\$1\$1Account\$1:/backend/\$1\$1AppId\$1/job/\$1  |  | 
|   [https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-config.html](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-config.html)  |  arn:\$1\$1Partition\$1:amplifybackend:\$1\$1Region\$1:\$1\$1Account\$1:/backend/\$1\$1AppId\$1/config/\$1  |  | 
|   [https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-token.html](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-token.html)  |  arn:\$1\$1Partition\$1:amplifybackend:\$1\$1Region\$1:\$1\$1Account\$1:/backend/\$1\$1AppId\$1/challenge/\$1  |  | 
|   [https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-storage.html](https://docs.aws.amazon.com/amplify-admin-ui/latest/APIReference/backend-appid-storage.html)  |  arn:\$1\$1Partition\$1:amplifybackend:\$1\$1Region\$1:\$1\$1Account\$1:/backend/\$1\$1AppId\$1/storage/\$1  |  | 

## Condition keys for AWS Amplify Admin
<a name="awsamplifyadmin-policy-keys"></a>

Amplify Admin has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Amplify UI Builder
<a name="list_awsamplifyuibuilder"></a>

AWS Amplify UI Builder (service prefix: `amplifyuibuilder`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amplify/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amplify/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Amplify UI Builder
](#awsamplifyuibuilder-actions-as-permissions)
+ [

## Resource types defined by AWS Amplify UI Builder
](#awsamplifyuibuilder-resources-for-iam-policies)
+ [

## Condition keys for AWS Amplify UI Builder
](#awsamplifyuibuilder-policy-keys)

## Actions defined by AWS Amplify UI Builder
<a name="awsamplifyuibuilder-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsamplifyuibuilder-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplifyuibuilder.html)

## Resource types defined by AWS Amplify UI Builder
<a name="awsamplifyuibuilder-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsamplifyuibuilder-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_CodegenJob.html](https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_CodegenJob.html)  |  arn:\$1\$1Partition\$1:amplifyuibuilder:\$1\$1Region\$1:\$1\$1Account\$1:app/\$1\$1AppId\$1/environment/\$1\$1EnvironmentName\$1/codegen-jobs/\$1\$1Id\$1  |   [#awsamplifyuibuilder-amplifyuibuilder_CodegenJobResourceAppId](#awsamplifyuibuilder-amplifyuibuilder_CodegenJobResourceAppId)   [#awsamplifyuibuilder-amplifyuibuilder_CodegenJobResourceEnvironmentName](#awsamplifyuibuilder-amplifyuibuilder_CodegenJobResourceEnvironmentName)   [#awsamplifyuibuilder-amplifyuibuilder_CodegenJobResourceId](#awsamplifyuibuilder-amplifyuibuilder_CodegenJobResourceId)   [#awsamplifyuibuilder-aws_ResourceTag___TagKey_](#awsamplifyuibuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Component.html](https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Component.html)  |  arn:\$1\$1Partition\$1:amplifyuibuilder:\$1\$1Region\$1:\$1\$1Account\$1:app/\$1\$1AppId\$1/environment/\$1\$1EnvironmentName\$1/components/\$1\$1Id\$1  |   [#awsamplifyuibuilder-amplifyuibuilder_ComponentResourceAppId](#awsamplifyuibuilder-amplifyuibuilder_ComponentResourceAppId)   [#awsamplifyuibuilder-amplifyuibuilder_ComponentResourceEnvironmentName](#awsamplifyuibuilder-amplifyuibuilder_ComponentResourceEnvironmentName)   [#awsamplifyuibuilder-amplifyuibuilder_ComponentResourceId](#awsamplifyuibuilder-amplifyuibuilder_ComponentResourceId)   [#awsamplifyuibuilder-aws_ResourceTag___TagKey_](#awsamplifyuibuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Form.html](https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Form.html)  |  arn:\$1\$1Partition\$1:amplifyuibuilder:\$1\$1Region\$1:\$1\$1Account\$1:app/\$1\$1AppId\$1/environment/\$1\$1EnvironmentName\$1/forms/\$1\$1Id\$1  |   [#awsamplifyuibuilder-amplifyuibuilder_FormResourceAppId](#awsamplifyuibuilder-amplifyuibuilder_FormResourceAppId)   [#awsamplifyuibuilder-amplifyuibuilder_FormResourceEnvironmentName](#awsamplifyuibuilder-amplifyuibuilder_FormResourceEnvironmentName)   [#awsamplifyuibuilder-amplifyuibuilder_FormResourceId](#awsamplifyuibuilder-amplifyuibuilder_FormResourceId)   [#awsamplifyuibuilder-aws_ResourceTag___TagKey_](#awsamplifyuibuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Theme.html](https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Theme.html)  |  arn:\$1\$1Partition\$1:amplifyuibuilder:\$1\$1Region\$1:\$1\$1Account\$1:app/\$1\$1AppId\$1/environment/\$1\$1EnvironmentName\$1/themes/\$1\$1Id\$1  |   [#awsamplifyuibuilder-amplifyuibuilder_ThemeResourceAppId](#awsamplifyuibuilder-amplifyuibuilder_ThemeResourceAppId)   [#awsamplifyuibuilder-amplifyuibuilder_ThemeResourceEnvironmentName](#awsamplifyuibuilder-amplifyuibuilder_ThemeResourceEnvironmentName)   [#awsamplifyuibuilder-amplifyuibuilder_ThemeResourceId](#awsamplifyuibuilder-amplifyuibuilder_ThemeResourceId)   [#awsamplifyuibuilder-aws_ResourceTag___TagKey_](#awsamplifyuibuilder-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Amplify UI Builder
<a name="awsamplifyuibuilder-policy-keys"></a>

AWS Amplify UI Builder defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html](https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html)  | Filters access by the app ID | String | 
|   [https://docs.aws.amazon.com/amplify/latest/APIReference/API_BackendEnvironment.html](https://docs.aws.amazon.com/amplify/latest/APIReference/API_BackendEnvironment.html)  | Filters access by the backend environment name | String | 
|   [https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_CodegenJob.html](https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_CodegenJob.html)  | Filters access by the codegen job ID | String | 
|   [https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html](https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html)  | Filters access by the app ID | String | 
|   [https://docs.aws.amazon.com/amplify/latest/APIReference/API_BackendEnvironment.html](https://docs.aws.amazon.com/amplify/latest/APIReference/API_BackendEnvironment.html)  | Filters access by the backend environment name | String | 
|   [https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Component.html](https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Component.html)  | Filters access by the component ID | String | 
|   [https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html](https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html)  | Filters access by the app ID | String | 
|   [https://docs.aws.amazon.com/amplify/latest/APIReference/API_BackendEnvironment.html](https://docs.aws.amazon.com/amplify/latest/APIReference/API_BackendEnvironment.html)  | Filters access by the backend environment name | String | 
|   [https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Form.html](https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Form.html)  | Filters access by the form ID | String | 
|   [https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html](https://docs.aws.amazon.com/amplify/latest/APIReference/API_App.html)  | Filters access by the app ID | String | 
|   [https://docs.aws.amazon.com/amplify/latest/APIReference/API_BackendEnvironment.html](https://docs.aws.amazon.com/amplify/latest/APIReference/API_BackendEnvironment.html)  | Filters access by the backend environment name | String | 
|   [https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Theme.html](https://docs.aws.amazon.com/amplifyuibuilder/latest/APIReference/API_Theme.html)  | Filters access by the theme ID | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Apache Kafka APIs for Amazon MSK clusters
<a name="list_apachekafkaapisforamazonmskclusters"></a>

Apache Kafka APIs for Amazon MSK clusters (service prefix: `kafka-cluster`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Apache Kafka APIs for Amazon MSK clusters
](#apachekafkaapisforamazonmskclusters-actions-as-permissions)
+ [

## Resource types defined by Apache Kafka APIs for Amazon MSK clusters
](#apachekafkaapisforamazonmskclusters-resources-for-iam-policies)
+ [

## Condition keys for Apache Kafka APIs for Amazon MSK clusters
](#apachekafkaapisforamazonmskclusters-policy-keys)

## Actions defined by Apache Kafka APIs for Amazon MSK clusters
<a name="apachekafkaapisforamazonmskclusters-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#apachekafkaapisforamazonmskclusters-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to alter various aspects of the cluster, equivalent to Apache Kafka's ALTER CLUSTER ACL | Write |   [#apachekafkaapisforamazonmskclusters-cluster](#apachekafkaapisforamazonmskclusters-cluster)   |  |   kafka-cluster:Connect   kafka-cluster:DescribeCluster   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to alter the dynamic configuration of a cluster, equivalent to Apache Kafka's ALTER\$1CONFIGS CLUSTER ACL | Write |   [#apachekafkaapisforamazonmskclusters-cluster](#apachekafkaapisforamazonmskclusters-cluster)   |  |   kafka-cluster:Connect   kafka-cluster:DescribeClusterDynamicConfiguration   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to join groups on a cluster, equivalent to Apache Kafka's READ GROUP ACL | Write |   [#apachekafkaapisforamazonmskclusters-group](#apachekafkaapisforamazonmskclusters-group)   |  |   kafka-cluster:Connect   kafka-cluster:DescribeGroup   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to alter topics on a cluster, equivalent to Apache Kafka's ALTER TOPIC ACL | Write |   [#apachekafkaapisforamazonmskclusters-topic](#apachekafkaapisforamazonmskclusters-topic)   |  |   kafka-cluster:Connect   kafka-cluster:DescribeTopic   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to alter the dynamic configuration of topics on a cluster, equivalent to Apache Kafka's ALTER\$1CONFIGS TOPIC ACL | Write |   [#apachekafkaapisforamazonmskclusters-topic](#apachekafkaapisforamazonmskclusters-topic)   |  |   kafka-cluster:Connect   kafka-cluster:DescribeTopicDynamicConfiguration   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to alter transactional IDs on a cluster, equivalent to Apache Kafka's WRITE TRANSACTIONAL\$1ID ACL | Write |   [#apachekafkaapisforamazonmskclusters-transactional-id](#apachekafkaapisforamazonmskclusters-transactional-id)   |  |   kafka-cluster:Connect   kafka-cluster:DescribeTransactionalId   kafka-cluster:WriteData   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to connect and authenticate to the cluster | Write |   [#apachekafkaapisforamazonmskclusters-cluster](#apachekafkaapisforamazonmskclusters-cluster)   |  |  | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to create topics on a cluster, equivalent to Apache Kafka's CREATE CLUSTER/TOPIC ACL | Write |   [#apachekafkaapisforamazonmskclusters-topic](#apachekafkaapisforamazonmskclusters-topic)   |  |   kafka-cluster:Connect   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to delete groups on a cluster, equivalent to Apache Kafka's DELETE GROUP ACL | Write |   [#apachekafkaapisforamazonmskclusters-group](#apachekafkaapisforamazonmskclusters-group)   |  |   kafka-cluster:Connect   kafka-cluster:DescribeGroup   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to delete topics on a cluster, equivalent to Apache Kafka's DELETE TOPIC ACL | Write |   [#apachekafkaapisforamazonmskclusters-topic](#apachekafkaapisforamazonmskclusters-topic)   |  |   kafka-cluster:Connect   kafka-cluster:DescribeTopic   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to describe various aspects of the cluster, equivalent to Apache Kafka's DESCRIBE CLUSTER ACL | List |   [#apachekafkaapisforamazonmskclusters-cluster](#apachekafkaapisforamazonmskclusters-cluster)   |  |   kafka-cluster:Connect   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to describe the dynamic configuration of a cluster, equivalent to Apache Kafka's DESCRIBE\$1CONFIGS CLUSTER ACL | List |   [#apachekafkaapisforamazonmskclusters-cluster](#apachekafkaapisforamazonmskclusters-cluster)   |  |   kafka-cluster:Connect   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to describe groups on a cluster, equivalent to Apache Kafka's DESCRIBE GROUP ACL | List |   [#apachekafkaapisforamazonmskclusters-group](#apachekafkaapisforamazonmskclusters-group)   |  |   kafka-cluster:Connect   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to describe topics on a cluster, equivalent to Apache Kafka's DESCRIBE TOPIC ACL | List |   [#apachekafkaapisforamazonmskclusters-topic](#apachekafkaapisforamazonmskclusters-topic)   |  |   kafka-cluster:Connect   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to describe the dynamic configuration of topics on a cluster, equivalent to Apache Kafka's DESCRIBE\$1CONFIGS TOPIC ACL | List |   [#apachekafkaapisforamazonmskclusters-topic](#apachekafkaapisforamazonmskclusters-topic)   |  |   kafka-cluster:Connect   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to describe transactional IDs on a cluster, equivalent to Apache Kafka's DESCRIBE TRANSACTIONAL\$1ID ACL | List |   [#apachekafkaapisforamazonmskclusters-transactional-id](#apachekafkaapisforamazonmskclusters-transactional-id)   |  |   kafka-cluster:Connect   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to read data from topics on a cluster, equivalent to Apache Kafka's READ TOPIC ACL | Read |   [#apachekafkaapisforamazonmskclusters-topic](#apachekafkaapisforamazonmskclusters-topic)   |  |   kafka-cluster:AlterGroup   kafka-cluster:Connect   kafka-cluster:DescribeTopic   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to write data to topics on a cluster, equivalent to Apache Kafka's WRITE TOPIC ACL | Write |   [#apachekafkaapisforamazonmskclusters-topic](#apachekafkaapisforamazonmskclusters-topic)   |  |   kafka-cluster:Connect   kafka-cluster:DescribeTopic   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#actions)  | Grants permission to write data idempotently on a cluster, equivalent to Apache Kafka's IDEMPOTENT\$1WRITE CLUSTER ACL | Write |   [#apachekafkaapisforamazonmskclusters-cluster](#apachekafkaapisforamazonmskclusters-cluster)   |  |   kafka-cluster:Connect   kafka-cluster:WriteData   | 

## Resource types defined by Apache Kafka APIs for Amazon MSK clusters
<a name="apachekafkaapisforamazonmskclusters-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#apachekafkaapisforamazonmskclusters-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ClusterName\$1/\$1\$1ClusterUuid\$1  |   [#apachekafkaapisforamazonmskclusters-aws_ResourceTag___TagKey_](#apachekafkaapisforamazonmskclusters-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1Account\$1:topic/\$1\$1ClusterName\$1/\$1\$1ClusterUuid\$1/\$1\$1TopicName\$1  |  | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1Account\$1:group/\$1\$1ClusterName\$1/\$1\$1ClusterUuid\$1/\$1\$1GroupName\$1  |  | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1Account\$1:transactional-id/\$1\$1ClusterName\$1/\$1\$1ClusterUuid\$1/\$1\$1TransactionalId\$1  |  | 

## Condition keys for Apache Kafka APIs for Amazon MSK clusters
<a name="apachekafkaapisforamazonmskclusters-policy-keys"></a>

Apache Kafka APIs for Amazon MSK clusters defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource. The resource tag context key will only apply to the cluster resource, not topics, groups and transactional IDs | String | 

# Actions, resources, and condition keys for Amazon API Gateway
<a name="list_amazonapigateway"></a>

Amazon API Gateway (service prefix: `execute-api`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon API Gateway
](#amazonapigateway-actions-as-permissions)
+ [

## Resource types defined by Amazon API Gateway
](#amazonapigateway-resources-for-iam-policies)
+ [

## Condition keys for Amazon API Gateway
](#amazonapigateway-policy-keys)

## Actions defined by Amazon API Gateway
<a name="amazonapigateway-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonapigateway-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigateway.html)

## Resource types defined by Amazon API Gateway
<a name="amazonapigateway-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonapigateway-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html)  |  arn:\$1\$1Partition\$1:execute-api:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1ApiId\$1/\$1\$1Stage\$1/\$1\$1Method\$1/\$1\$1ApiSpecificResourcePath\$1  |   [#amazonapigateway-execute-api_viaDomainArn](#amazonapigateway-execute-api_viaDomainArn)   | 
|   [https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html)  |  arn:\$1\$1Partition\$1:execute-api:\$1\$1Region\$1:\$1\$1Account\$1:/domainnames/\$1\$1DomainName\$1\$1\$1\$1DomainIdentifier\$1  |  | 

## Condition keys for Amazon API Gateway
<a name="amazonapigateway-policy-keys"></a>

Amazon API Gateway defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html)  | Filters access by the DomainName ARN the API is called from | ARN | 

# Actions, resources, and condition keys for AWS App Mesh
<a name="list_awsappmesh"></a>

AWS App Mesh (service prefix: `appmesh`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/app-mesh/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/app-mesh/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/app-mesh/latest/userguide/IAM_policies.html) permission policies.

**Topics**
+ [

## Actions defined by AWS App Mesh
](#awsappmesh-actions-as-permissions)
+ [

## Resource types defined by AWS App Mesh
](#awsappmesh-resources-for-iam-policies)
+ [

## Condition keys for AWS App Mesh
](#awsappmesh-policy-keys)

## Actions defined by AWS App Mesh
<a name="awsappmesh-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsappmesh-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmesh.html)

## Resource types defined by AWS App Mesh
<a name="awsappmesh-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsappmesh-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/meshes.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/meshes.html)  |  arn:\$1\$1Partition\$1:appmesh:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1  |   [#awsappmesh-aws_ResourceTag___TagKey_](#awsappmesh-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_services.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_services.html)  |  arn:\$1\$1Partition\$1:appmesh:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualService/\$1\$1VirtualServiceName\$1  |   [#awsappmesh-aws_ResourceTag___TagKey_](#awsappmesh-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html)  |  arn:\$1\$1Partition\$1:appmesh:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualNode/\$1\$1VirtualNodeName\$1  |   [#awsappmesh-aws_ResourceTag___TagKey_](#awsappmesh-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_routers.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_routers.html)  |  arn:\$1\$1Partition\$1:appmesh:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualRouter/\$1\$1VirtualRouterName\$1  |   [#awsappmesh-aws_ResourceTag___TagKey_](#awsappmesh-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/routes.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/routes.html)  |  arn:\$1\$1Partition\$1:appmesh:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualRouter/\$1\$1VirtualRouterName\$1/route/\$1\$1RouteName\$1  |   [#awsappmesh-aws_ResourceTag___TagKey_](#awsappmesh-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html)  |  arn:\$1\$1Partition\$1:appmesh:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualGateway/\$1\$1VirtualGatewayName\$1  |   [#awsappmesh-aws_ResourceTag___TagKey_](#awsappmesh-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html)  |  arn:\$1\$1Partition\$1:appmesh:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualGateway/\$1\$1VirtualGatewayName\$1/gatewayRoute/\$1\$1GatewayRouteName\$1  |   [#awsappmesh-aws_ResourceTag___TagKey_](#awsappmesh-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS App Mesh
<a name="awsappmesh-policy-keys"></a>

AWS App Mesh defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS App Mesh Preview
<a name="list_awsappmeshpreview"></a>

AWS App Mesh Preview (service prefix: `appmesh-preview`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/app-mesh/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/app-mesh/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/app-mesh/latest/userguide/IAM_policies.html) permission policies.

**Topics**
+ [

## Actions defined by AWS App Mesh Preview
](#awsappmeshpreview-actions-as-permissions)
+ [

## Resource types defined by AWS App Mesh Preview
](#awsappmeshpreview-resources-for-iam-policies)
+ [

## Condition keys for AWS App Mesh Preview
](#awsappmeshpreview-policy-keys)

## Actions defined by AWS App Mesh Preview
<a name="awsappmeshpreview-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsappmeshpreview-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmeshpreview.html)

## Resource types defined by AWS App Mesh Preview
<a name="awsappmeshpreview-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsappmeshpreview-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/meshes.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/meshes.html)  |  arn:\$1\$1Partition\$1:appmesh-preview:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1  |  | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_services.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_services.html)  |  arn:\$1\$1Partition\$1:appmesh-preview:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualService/\$1\$1VirtualServiceName\$1  |  | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html)  |  arn:\$1\$1Partition\$1:appmesh-preview:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualNode/\$1\$1VirtualNodeName\$1  |  | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_routers.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_routers.html)  |  arn:\$1\$1Partition\$1:appmesh-preview:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualRouter/\$1\$1VirtualRouterName\$1  |  | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/routes.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/routes.html)  |  arn:\$1\$1Partition\$1:appmesh-preview:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualRouter/\$1\$1VirtualRouterName\$1/route/\$1\$1RouteName\$1  |  | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html)  |  arn:\$1\$1Partition\$1:appmesh-preview:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualGateway/\$1\$1VirtualGatewayName\$1  |  | 
|   [https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html)  |  arn:\$1\$1Partition\$1:appmesh-preview:\$1\$1Region\$1:\$1\$1Account\$1:mesh/\$1\$1MeshName\$1/virtualGateway/\$1\$1VirtualGatewayName\$1/gatewayRoute/\$1\$1GatewayRouteName\$1  |  | 

## Condition keys for AWS App Mesh Preview
<a name="awsappmeshpreview-policy-keys"></a>

App Mesh Preview has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS App Runner
<a name="list_awsapprunner"></a>

AWS App Runner (service prefix: `apprunner`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/apprunner/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/apprunner/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](${UserGuideDocPage}security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS App Runner
](#awsapprunner-actions-as-permissions)
+ [

## Resource types defined by AWS App Runner
](#awsapprunner-resources-for-iam-policies)
+ [

## Condition keys for AWS App Runner
](#awsapprunner-policy-keys)

## Actions defined by AWS App Runner
<a name="awsapprunner-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsapprunner-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html)

## Resource types defined by AWS App Runner
<a name="awsapprunner-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsapprunner-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [${UserGuideDocPage}architecture.html#architecture.resources](${UserGuideDocPage}architecture.html#architecture.resources)  |  arn:\$1\$1Partition\$1:apprunner:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceName\$1/\$1\$1ServiceId\$1  |   [#awsapprunner-aws_ResourceTag___TagKey_](#awsapprunner-aws_ResourceTag___TagKey_)   | 
|   [${UserGuideDocPage}architecture.html#architecture.resources](${UserGuideDocPage}architecture.html#architecture.resources)  |  arn:\$1\$1Partition\$1:apprunner:\$1\$1Region\$1:\$1\$1Account\$1:connection/\$1\$1ConnectionName\$1/\$1\$1ConnectionId\$1  |   [#awsapprunner-aws_ResourceTag___TagKey_](#awsapprunner-aws_ResourceTag___TagKey_)   | 
|   [${UserGuideDocPage}architecture.html#architecture.resources](${UserGuideDocPage}architecture.html#architecture.resources)  |  arn:\$1\$1Partition\$1:apprunner:\$1\$1Region\$1:\$1\$1Account\$1:autoscalingconfiguration/\$1\$1AutoscalingConfigurationName\$1/\$1\$1AutoscalingConfigurationVersion\$1/\$1\$1AutoscalingConfigurationId\$1  |   [#awsapprunner-aws_ResourceTag___TagKey_](#awsapprunner-aws_ResourceTag___TagKey_)   | 
|   [${UserGuideDocPage}architecture.html#architecture.resources](${UserGuideDocPage}architecture.html#architecture.resources)  |  arn:\$1\$1Partition\$1:apprunner:\$1\$1Region\$1:\$1\$1Account\$1:observabilityconfiguration/\$1\$1ObservabilityConfigurationName\$1/\$1\$1ObservabilityConfigurationVersion\$1/\$1\$1ObservabilityConfigurationId\$1  |   [#awsapprunner-aws_ResourceTag___TagKey_](#awsapprunner-aws_ResourceTag___TagKey_)   | 
|   [${UserGuideDocPage}architecture.html#architecture.resources](${UserGuideDocPage}architecture.html#architecture.resources)  |  arn:\$1\$1Partition\$1:apprunner:\$1\$1Region\$1:\$1\$1Account\$1:vpcconnector/\$1\$1VpcConnectorName\$1/\$1\$1VpcConnectorVersion\$1/\$1\$1VpcConnectorId\$1  |   [#awsapprunner-aws_ResourceTag___TagKey_](#awsapprunner-aws_ResourceTag___TagKey_)   | 
|   [${UserGuideDocPage}architecture.html#architecture.resources](${UserGuideDocPage}architecture.html#architecture.resources)  |  arn:\$1\$1Partition\$1:apprunner:\$1\$1Region\$1:\$1\$1Account\$1:vpcingressconnection/\$1\$1VpcIngressConnectionName\$1/\$1\$1VpcIngressConnectionId\$1  |   [#awsapprunner-aws_ResourceTag___TagKey_](#awsapprunner-aws_ResourceTag___TagKey_)   | 
|   [${UserGuideDocPage}waf.html](${UserGuideDocPage}waf.html)  |  arn:\$1\$1Partition\$1:wafv2:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1Scope\$1/webacl/\$1\$1Name\$1/\$1\$1Id\$1  |  | 

## Condition keys for AWS App Runner
<a name="awsapprunner-policy-keys"></a>

AWS App Runner defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies](${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies)  | Filters access by the CreateService and UpdateService actions based on the ARN of an associated AutoScalingConfiguration resource | ARN | 
|   [${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies](${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies)  | Filters access by the CreateService and UpdateService actions based on the ARN of an associated Connection resource | ARN | 
|   [${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies](${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies)  | Filters access by the CreateService and UpdateService actions based on the ARN of an associated ObservabilityConfiguration resource | ARN | 
|   [${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies](${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies)  | Filters access by the CreateVpcIngressConnection action based on the ARN of an associated Service resource | ARN | 
|   [${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies](${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies)  | Filters access by the CreateService and UpdateService actions based on the ARN of an associated VpcConnector resource | ARN | 
|   [${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies](${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies)  | Filters access by the CreateVpcIngressConnection and UpdateVpcIngressConnection actions based on the VPC Endpoint in the request | String | 
|   [${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies](${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies)  | Filters access by the CreateVpcIngressConnection and UpdateVpcIngressConnection actions based on the VPC in the request | String | 
|   [${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies](${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies)  | Filters access by actions based on the presence of tag key-value pairs in the request | String | 
|   [${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies](${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies)  | Filters access by actions based on tag key-value pairs attached to the resource | String | 
|   [${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies](${UserGuideDocPage}security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies)  | Filters access by actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS App Studio
<a name="list_awsappstudio"></a>

AWS App Studio (service prefix: `appstudio`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/appstudio/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/appstudio/latest/userguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/appstudio/latest/userguide/) permission policies.

**Topics**
+ [

## Actions defined by AWS App Studio
](#awsappstudio-actions-as-permissions)
+ [

## Resource types defined by AWS App Studio
](#awsappstudio-resources-for-iam-policies)
+ [

## Condition keys for AWS App Studio
](#awsappstudio-policy-keys)

## Actions defined by AWS App Studio
<a name="awsappstudio-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsappstudio-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/appstudio/latest/userguide/](https://docs.aws.amazon.com/appstudio/latest/userguide/) [permission only] | Grants permission to describe the account's current status | Read |  |  |  | 
|   [https://docs.aws.amazon.com/appstudio/latest/userguide/](https://docs.aws.amazon.com/appstudio/latest/userguide/) [permission only] | Grants permission to fetch status of a enablement job | Read |  |  |  | 
|   [https://docs.aws.amazon.com/appstudio/latest/userguide/](https://docs.aws.amazon.com/appstudio/latest/userguide/) [permission only] | Grants permission to submit a enablement job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/appstudio/latest/userguide/](https://docs.aws.amazon.com/appstudio/latest/userguide/) [permission only] | Grants permission to rollback an enablement job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/appstudio/latest/userguide/](https://docs.aws.amazon.com/appstudio/latest/userguide/) [permission only] | Grants permission to start a team deployment | Write |  |  |  | 

## Resource types defined by AWS App Studio
<a name="awsappstudio-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsappstudio-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/appstudio/latest/userguide/concepts.html#concepts-instance](https://docs.aws.amazon.com/appstudio/latest/userguide/concepts.html#concepts-instance)  |  arn:\$1\$1Partition\$1:appstudio:\$1\$1Region\$1:\$1\$1Account\$1:instance/\$1\$1InstanceId\$1  |  | 
|   [https://docs.aws.amazon.com/appstudio/latest/userguide/concepts.html#concepts-application](https://docs.aws.amazon.com/appstudio/latest/userguide/concepts.html#concepts-application)  |  arn:\$1\$1Partition\$1:appstudio:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1  |  | 
|   [https://docs.aws.amazon.com/appstudio/latest/userguide/concepts.html#concepts-connector](https://docs.aws.amazon.com/appstudio/latest/userguide/concepts.html#concepts-connector)  |  arn:\$1\$1Partition\$1:appstudio:\$1\$1Region\$1:\$1\$1Account\$1:connector/\$1\$1ConnectionId\$1  |  | 

## Condition keys for AWS App Studio
<a name="awsappstudio-policy-keys"></a>

App Studio has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS App2Container
<a name="list_awsapp2container"></a>

AWS App2Container (service prefix: `a2c`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/dotnet-refactoring-security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS App2Container
](#awsapp2container-actions-as-permissions)
+ [

## Resource types defined by AWS App2Container
](#awsapp2container-resources-for-iam-policies)
+ [

## Condition keys for AWS App2Container
](#awsapp2container-policy-keys)

## Actions defined by AWS App2Container
<a name="awsapp2container-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsapp2container-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html)  | Grants permission to get the details of all Containerization jobs | Read |  |  |  | 
|   [https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html)  | Grants permission to get the details of all Deployment jobs | Read |  |  |  | 
|   [https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html)  | Grants permission to start a Containerization job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html)  | Grants permission to start a Deploymnet job | Write |  |  |  | 

## Resource types defined by AWS App2Container
<a name="awsapp2container-resources-for-iam-policies"></a>

AWS App2Container does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS App2Container, specify `"Resource": "*"` in your policy.

## Condition keys for AWS App2Container
<a name="awsapp2container-policy-keys"></a>

App2Container has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS AppConfig
<a name="list_awsappconfig"></a>

AWS AppConfig (service prefix: `appconfig`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS AppConfig
](#awsappconfig-actions-as-permissions)
+ [

## Resource types defined by AWS AppConfig
](#awsappconfig-resources-for-iam-policies)
+ [

## Condition keys for AWS AppConfig
](#awsappconfig-policy-keys)

## Actions defined by AWS AppConfig
<a name="awsappconfig-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsappconfig-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html)

## Resource types defined by AWS AppConfig
<a name="awsappconfig-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsappconfig-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-namespace.html](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-namespace.html)  |  arn:\$1\$1Partition\$1:appconfig:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1  |   [#awsappconfig-aws_ResourceTag___TagKey_](#awsappconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-environment.html](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-environment.html)  |  arn:\$1\$1Partition\$1:appconfig:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/environment/\$1\$1EnvironmentId\$1  |   [#awsappconfig-aws_ResourceTag___TagKey_](#awsappconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-configuration-profile.html](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-configuration-profile.html)  |  arn:\$1\$1Partition\$1:appconfig:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/configurationprofile/\$1\$1ConfigurationProfileId\$1  |   [#awsappconfig-aws_ResourceTag___TagKey_](#awsappconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-deployment-strategy.html](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-deployment-strategy.html)  |  arn:\$1\$1Partition\$1:appconfig:\$1\$1Region\$1:\$1\$1Account\$1:deploymentstrategy/\$1\$1DeploymentStrategyId\$1  |   [#awsappconfig-aws_ResourceTag___TagKey_](#awsappconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-deploying.html](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-deploying.html)  |  arn:\$1\$1Partition\$1:appconfig:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/environment/\$1\$1EnvironmentId\$1/deployment/\$1\$1DeploymentNumber\$1  |   [#awsappconfig-aws_ResourceTag___TagKey_](#awsappconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-configuration-profile.html](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-configuration-profile.html)  |  arn:\$1\$1Partition\$1:appconfig:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/configurationprofile/\$1\$1ConfigurationProfileId\$1  |  | 
|   [https://docs.aws.amazon.com/appconfig/latest/userguide/retrieving-feature-flags.html](https://docs.aws.amazon.com/appconfig/latest/userguide/retrieving-feature-flags.html)  |  arn:\$1\$1Partition\$1:appconfig:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/environment/\$1\$1EnvironmentId\$1/configuration/\$1\$1ConfigurationProfileId\$1  |   [#awsappconfig-aws_ResourceTag___TagKey_](#awsappconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html](https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html)  |  arn:\$1\$1Partition\$1:appconfig:\$1\$1Region\$1:\$1\$1Account\$1:extension/\$1\$1ExtensionId\$1/\$1\$1ExtensionVersionNumber\$1  |   [#awsappconfig-aws_ResourceTag___TagKey_](#awsappconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html](https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html)  |  arn:\$1\$1Partition\$1:appconfig:\$1\$1Region\$1:\$1\$1Account\$1:extensionassociation/\$1\$1ExtensionAssociationId\$1  |   [#awsappconfig-aws_ResourceTag___TagKey_](#awsappconfig-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS AppConfig
<a name="awsappconfig-policy-keys"></a>

AWS AppConfig defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by the allowed set of values for a specified tag | String | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by a tag key-value pair assigned to the AWS resource | String | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS AppFabric
<a name="list_awsappfabric"></a>

AWS AppFabric (service prefix: `appfabric`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/appfabric/latest/adminguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/appfabric/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/appfabric/latest/adminguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS AppFabric
](#awsappfabric-actions-as-permissions)
+ [

## Resource types defined by AWS AppFabric
](#awsappfabric-resources-for-iam-policies)
+ [

## Condition keys for AWS AppFabric
](#awsappfabric-policy-keys)

## Actions defined by AWS AppFabric
<a name="awsappfabric-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsappfabric-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappfabric.html)

## Resource types defined by AWS AppFabric
<a name="awsappfabric-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsappfabric-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/appfabric/latest/api/API_AppBundle.html](https://docs.aws.amazon.com/appfabric/latest/api/API_AppBundle.html)  |  arn:\$1\$1Partition\$1:appfabric:\$1\$1Region\$1:\$1\$1Account\$1:appbundle/\$1\$1AppBundleIdentifier\$1  |   [#awsappfabric-aws_ResourceTag___TagKey_](#awsappfabric-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appfabric/latest/api/API_AppAuthorization.html](https://docs.aws.amazon.com/appfabric/latest/api/API_AppAuthorization.html)  |  arn:\$1\$1Partition\$1:appfabric:\$1\$1Region\$1:\$1\$1Account\$1:appbundle/\$1\$1AppbundleId\$1/appauthorization/\$1\$1AppAuthorizationIdentifier\$1  |   [#awsappfabric-aws_ResourceTag___TagKey_](#awsappfabric-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appfabric/latest/api/API_Ingestion.html](https://docs.aws.amazon.com/appfabric/latest/api/API_Ingestion.html)  |  arn:\$1\$1Partition\$1:appfabric:\$1\$1Region\$1:\$1\$1Account\$1:appbundle/\$1\$1AppbundleId\$1/ingestion/\$1\$1IngestionIdentifier\$1  |   [#awsappfabric-aws_ResourceTag___TagKey_](#awsappfabric-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appfabric/latest/api/API_IngestionDestination.html](https://docs.aws.amazon.com/appfabric/latest/api/API_IngestionDestination.html)  |  arn:\$1\$1Partition\$1:appfabric:\$1\$1Region\$1:\$1\$1Account\$1:appbundle/\$1\$1AppbundleId\$1/ingestion/\$1\$1IngestionIdentifier\$1/ingestiondestination/\$1\$1IngestionDestinationIdentifier\$1  |   [#awsappfabric-aws_ResourceTag___TagKey_](#awsappfabric-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS AppFabric
<a name="awsappfabric-policy-keys"></a>

AWS AppFabric defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon AppFlow
<a name="list_amazonappflow"></a>

Amazon AppFlow (service prefix: `appflow`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/appflow/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/appflow/1.0/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/appflow/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon AppFlow
](#amazonappflow-actions-as-permissions)
+ [

## Resource types defined by Amazon AppFlow
](#amazonappflow-resources-for-iam-policies)
+ [

## Condition keys for Amazon AppFlow
](#amazonappflow-policy-keys)

## Actions defined by Amazon AppFlow
<a name="amazonappflow-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonappflow-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappflow.html)

## Resource types defined by Amazon AppFlow
<a name="amazonappflow-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonappflow-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/appflow/1.0/APIReference/API_ConnectorProfile.html](https://docs.aws.amazon.com/appflow/1.0/APIReference/API_ConnectorProfile.html)  |  arn:\$1\$1Partition\$1:appflow:\$1\$1Region\$1:\$1\$1Account\$1:connectorprofile/\$1\$1ProfileName\$1  |  | 
|   [https://docs.aws.amazon.com/appflow/1.0/APIReference/API_FlowDefinition.html](https://docs.aws.amazon.com/appflow/1.0/APIReference/API_FlowDefinition.html)  |  arn:\$1\$1Partition\$1:appflow:\$1\$1Region\$1:\$1\$1Account\$1:flow/\$1\$1FlowName\$1  |   [#amazonappflow-aws_ResourceTag___TagKey_](#amazonappflow-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appflow/1.0/APIReference/API_ConnectorDetail.html](https://docs.aws.amazon.com/appflow/1.0/APIReference/API_ConnectorDetail.html)  |  arn:\$1\$1Partition\$1:appflow:\$1\$1Region\$1:\$1\$1Account\$1:connector/\$1\$1ConnectorLabel\$1  |   [#amazonappflow-aws_ResourceTag___TagKey_](#amazonappflow-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon AppFlow
<a name="amazonappflow-policy-keys"></a>

Amazon AppFlow defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon AppIntegrations
<a name="list_amazonappintegrations"></a>

Amazon AppIntegrations (service prefix: `app-integrations`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/connect/latest/adminguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/appintegrations/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/connect/latest/adminguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon AppIntegrations
](#amazonappintegrations-actions-as-permissions)
+ [

## Resource types defined by Amazon AppIntegrations
](#amazonappintegrations-resources-for-iam-policies)
+ [

## Condition keys for Amazon AppIntegrations
](#amazonappintegrations-policy-keys)

## Actions defined by Amazon AppIntegrations
<a name="amazonappintegrations-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonappintegrations-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappintegrations.html)

## Resource types defined by Amazon AppIntegrations
<a name="amazonappintegrations-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonappintegrations-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_EventIntegration.html](https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_EventIntegration.html)  |  arn:\$1\$1Partition\$1:app-integrations:\$1\$1Region\$1:\$1\$1Account\$1:event-integration/\$1\$1EventIntegrationName\$1  |   [#amazonappintegrations-aws_ResourceTag___TagKey_](#amazonappintegrations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_EventIntegrationAssociation.html](https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_EventIntegrationAssociation.html)  |  arn:\$1\$1Partition\$1:app-integrations:\$1\$1Region\$1:\$1\$1Account\$1:event-integration-association/\$1\$1EventIntegrationName\$1/\$1\$1ResourceId\$1  |   [#amazonappintegrations-aws_ResourceTag___TagKey_](#amazonappintegrations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_DataIntegrationSummary.html](https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_DataIntegrationSummary.html)  |  arn:\$1\$1Partition\$1:app-integrations:\$1\$1Region\$1:\$1\$1Account\$1:data-integration/\$1\$1DataIntegrationId\$1  |   [#amazonappintegrations-aws_ResourceTag___TagKey_](#amazonappintegrations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_DataIntegrationAssociationSummary.html](https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_DataIntegrationAssociationSummary.html)  |  arn:\$1\$1Partition\$1:app-integrations:\$1\$1Region\$1:\$1\$1Account\$1:data-integration-association/\$1\$1DataIntegrationId\$1/\$1\$1ResourceId\$1  |   [#amazonappintegrations-aws_ResourceTag___TagKey_](#amazonappintegrations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_ApplicationSummary.html](https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_ApplicationSummary.html)  |  arn:\$1\$1Partition\$1:app-integrations:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1  |   [#amazonappintegrations-aws_ResourceTag___TagKey_](#amazonappintegrations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_ApplicationAssociationSummary.html](https://docs.aws.amazon.com/appintegrations/latest/APIReference/API_ApplicationAssociationSummary.html)  |  arn:\$1\$1Partition\$1:app-integrations:\$1\$1Region\$1:\$1\$1Account\$1:application-association/\$1\$1ApplicationId\$1/\$1\$1ApplicationAssociationId\$1  |   [#amazonappintegrations-aws_ResourceTag___TagKey_](#amazonappintegrations-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon AppIntegrations
<a name="amazonappintegrations-policy-keys"></a>

Amazon AppIntegrations defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Application Auto Scaling
<a name="list_awsapplicationautoscaling"></a>

AWS Application Auto Scaling (service prefix: `application-autoscaling`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/autoscaling/application/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/autoscaling/application/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/autoscaling/application/userguide/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Application Auto Scaling
](#awsapplicationautoscaling-actions-as-permissions)
+ [

## Resource types defined by AWS Application Auto Scaling
](#awsapplicationautoscaling-resources-for-iam-policies)
+ [

## Condition keys for AWS Application Auto Scaling
](#awsapplicationautoscaling-policy-keys)

## Actions defined by AWS Application Auto Scaling
<a name="awsapplicationautoscaling-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsapplicationautoscaling-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationautoscaling.html)

## Resource types defined by AWS Application Auto Scaling
<a name="awsapplicationautoscaling-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsapplicationautoscaling-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources](https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources)  |  arn:\$1\$1Partition\$1:application-autoscaling:\$1\$1Region\$1:\$1\$1Account\$1:scalable-target/\$1\$1ResourceId\$1  |   [#awsapplicationautoscaling-aws_ResourceTag___TagKey_](#awsapplicationautoscaling-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Application Auto Scaling
<a name="awsapplicationautoscaling-policy-keys"></a>

AWS Application Auto Scaling defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the scalable dimension that is passed in the request | String | 
|   [https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the service namespace that is passed in the request | String | 
|   [https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Application Discovery Arsenal
<a name="list_applicationdiscoveryarsenal"></a>

Application Discovery Arsenal (service prefix: `arsenal`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/application-discovery/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/application-discovery/latest/userguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/application-discovery/latest/userguide/setting-up.html#setting-up-user-policy) permission policies.

**Topics**
+ [

## Actions defined by Application Discovery Arsenal
](#applicationdiscoveryarsenal-actions-as-permissions)
+ [

## Resource types defined by Application Discovery Arsenal
](#applicationdiscoveryarsenal-resources-for-iam-policies)
+ [

## Condition keys for Application Discovery Arsenal
](#applicationdiscoveryarsenal-policy-keys)

## Actions defined by Application Discovery Arsenal
<a name="applicationdiscoveryarsenal-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#applicationdiscoveryarsenal-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/application-discovery/latest/userguide/setting-up.html](https://docs.aws.amazon.com/application-discovery/latest/userguide/setting-up.html) [permission only] | Grants permission to register AWS provided data collectors to the Application Discovery Service | Write |  |  |  | 

## Resource types defined by Application Discovery Arsenal
<a name="applicationdiscoveryarsenal-resources-for-iam-policies"></a>

Application Discovery Arsenal does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Application Discovery Arsenal, specify `"Resource": "*"` in your policy.

## Condition keys for Application Discovery Arsenal
<a name="applicationdiscoveryarsenal-policy-keys"></a>

Application Discovery Arsenal has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Application Discovery Service
<a name="list_awsapplicationdiscoveryservice"></a>

AWS Application Discovery Service (service prefix: `discovery`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/application-discovery/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/application-discovery/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/application-discovery/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Application Discovery Service
](#awsapplicationdiscoveryservice-actions-as-permissions)
+ [

## Resource types defined by AWS Application Discovery Service
](#awsapplicationdiscoveryservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Application Discovery Service
](#awsapplicationdiscoveryservice-policy-keys)

## Actions defined by AWS Application Discovery Service
<a name="awsapplicationdiscoveryservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsapplicationdiscoveryservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_AssociateConfigurationItemsToApplication.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_AssociateConfigurationItemsToApplication.html)  | Grants permission to AssociateConfigurationItemsToApplication API. AssociateConfigurationItemsToApplication associates one or more configuration items with an application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_BatchDeleteAgents.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_BatchDeleteAgents.html)  | Grants permission to BatchDeleteAgents API. BatchDeleteAgents deletes one or more agents/data collectors associated with your account, each identified by its agent ID. Deleting a data collector does not delete the previous data collected | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_BatchDeleteImportData.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_BatchDeleteImportData.html)  | Grants permission to BatchDeleteImportData API. BatchDeleteImportData deletes one or more Migration Hub import tasks, each identified by their import ID. Each import task has a number of records, which can identify servers or applications | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_CreateApplication.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_CreateApplication.html)  | Grants permission to CreateApplication API. CreateApplication creates an application with the given name and description | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_CreateTags.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_CreateTags.html)  | Grants permission to CreateTags API. CreateTags creates one or more tags for configuration items. Tags are metadata that help you categorize IT assets. This API accepts a list of multiple configuration items | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DeleteApplications.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DeleteApplications.html)  | Grants permission to DeleteApplications API. DeleteApplications deletes a list of applications and their associations with configuration items | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DeleteTags.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DeleteTags.html)  | Grants permission to DeleteTags API. DeleteTags deletes the association between configuration items and one or more tags. This API accepts a list of multiple configuration items | Tagging |  |   [#awsapplicationdiscoveryservice-aws_TagKeys](#awsapplicationdiscoveryservice-aws_TagKeys)   |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeAgents.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeAgents.html)  | Grants permission to DescribeAgents API. DescribeAgents lists agents or the Connector by ID or lists all agents/Connectors associated with your user if you did not specify an ID | Read |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeBatchDeleteConfigurationTask.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeBatchDeleteConfigurationTask.html)  | Grants permission to DescribeBatchDeleteConfigurationTask API. DescribeBatchDeleteConfigurationTask returns attributes about a batched deletion task to delete a set of configuration items. The supplied task ID should be the task ID receieved from the output of StartBatchDeleteConfigurationTask | Read |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeConfigurations.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeConfigurations.html)  | Grants permission to DescribeConfigurations API. DescribeConfigurations retrieves attributes for a list of configuration item IDs. All of the supplied IDs must be for the same asset type (server, application, process, or connection). Output fields are specific to the asset type selected. For example, the output for a server configuration item includes a list of attributes about the server, such as host name, operating system, and number of network cards | Read |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeContinuousExports.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeContinuousExports.html)  | Grants permission to DescribeContinuousExports API. DescribeContinuousExports lists exports as specified by ID. All continuous exports associated with your user can be listed if you call DescribeContinuousExports as is without passing any parameters | Read |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeExportConfigurations.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeExportConfigurations.html)  | Grants permission to DescribeExportConfigurations API. DescribeExportConfigurations retrieves the status of a given export process. You can retrieve status from a maximum of 100 processes | Read |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeExportTasks.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeExportTasks.html)  | Grants permission to DescribeExportTasks API. DescribeExportTasks retrieve status of one or more export tasks. You can retrieve the status of up to 100 export tasks | Read |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeImportTasks.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeImportTasks.html)  | Grants permission to DescribeImportTasks API. DescribeImportTasks returns an array of import tasks for your user, including status information, times, IDs, the Amazon S3 Object URL for the import file, and more | List |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeTags.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeTags.html)  | Grants permission to DescribeTags API. DescribeTags retrieves a list of configuration items that are tagged with a specific tag. Or retrieves a list of all tags assigned to a specific configuration item | Read |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DisassociateConfigurationItemsFromApplication.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DisassociateConfigurationItemsFromApplication.html)  | Grants permission to DisassociateConfigurationItemsFromApplication API. DisassociateConfigurationItemsFromApplication disassociates one or more configuration items from an application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_ExportConfigurations.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_ExportConfigurations.html)  | Grants permission to ExportConfigurations API. ExportConfigurations exports all discovered configuration data to an Amazon S3 bucket or an application that enables you to view and evaluate the data. Data includes tags and tag associations, processes, connections, servers, and system performance | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_GetDiscoverySummary.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_GetDiscoverySummary.html)  | Grants permission to GetDiscoverySummary API. GetDiscoverySummary retrieves a short summary of discovered assets | Read |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_GetNetworkConnectionGraph.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_GetNetworkConnectionGraph.html)  | Grants permission to GetNetworkConnectionGraph API. GetNetworkConnectionGraph accepts input list of one of - Ip Addresses, server ids or node ids. Returns a list of nodes and edges which help customer visualize network connection graph. This API is used for visualize network graph functionality in MigrationHub console | Read |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_ListConfigurations.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_ListConfigurations.html)  | Grants permission to ListConfigurations API. ListConfigurations retrieves a list of configuration items according to criteria you specify in a filter. The filter criteria identify relationship requirements | List |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_ListServerNeighbors.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_ListServerNeighbors.html)  | Grants permission to ListServerNeighbors API. ListServerNeighbors retrieves a list of servers which are one network hop away from a specified server | List |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StartBatchDeleteConfigurationTask.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StartBatchDeleteConfigurationTask.html)  | Grants permission to StartBatchDeleteConfigurationTask API. StartBatchDeleteConfigurationTask starts an asynchronous batch deletion of your configuration items. All of the supplied IDs must be for the same asset type (server, application, process, or connection). Output is a unique task ID you can use to check back on the deletions progress | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StartContinuousExport.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StartContinuousExport.html)  | Grants permission to StartContinuousExport API. StartContinuousExport start the continuous flow of agent's discovered data into Amazon Athena | Write |  |  |   iam:AttachRolePolicy   iam:CreatePolicy   iam:CreateRole   iam:CreateServiceLinkedRole   | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StartDataCollectionByAgentIds.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StartDataCollectionByAgentIds.html)  | Grants permission to StartDataCollectionByAgentIds API. StartDataCollectionByAgentIds instructs the specified agents or Connectors to start collecting data | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StartExportTask.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StartExportTask.html)  | Grants permission to StartExportTask API. StartExportTask export the configuration data about discovered configuration items and relationships to an S3 bucket in a specified format | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StartImportTask.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StartImportTask.html)  | Grants permission to StartImportTask API. StartImportTask starts an import task. The Migration Hub import feature allows you to import details of your on-premises environment directly into AWS without having to use the Application Discovery Service (ADS) tools such as the Discovery Connector or Discovery Agent. This gives you the option to perform migration assessment and planning directly from your imported data including the ability to group your devices as applications and track their migration status | Write |  |  |   discovery:AssociateConfigurationItemsToApplication   discovery:CreateApplication   discovery:CreateTags   discovery:GetDiscoverySummary   discovery:ListConfigurations   s3:GetObject   | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StopContinuousExport.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StopContinuousExport.html)  | Grants permission to StopContinuousExport API. StopContinuousExport stops the continuous flow of agent's discovered data into Amazon Athena | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StopDataCollectionByAgentIds.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_StopDataCollectionByAgentIds.html)  | Grants permission to StopDataCollectionByAgentIds API. StopDataCollectionByAgentIds instructs the specified agents or Connectors to stop collecting data | Write |  |  |  | 
|   [https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_UpdateApplication.html](https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_UpdateApplication.html)  | Grants permission to UpdateApplication API. UpdateApplication updates metadata about an application | Write |  |  |  | 

## Resource types defined by AWS Application Discovery Service
<a name="awsapplicationdiscoveryservice-resources-for-iam-policies"></a>

AWS Application Discovery Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Application Discovery Service, specify `"Resource": "*"` in your policy.

**Note**  
To separate access, create and use separate AWS accounts.

## Condition keys for AWS Application Discovery Service
<a name="awsapplicationdiscoveryservice-policy-keys"></a>

AWS Application Discovery Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Application Migration Service
<a name="list_awsapplicationmigrationservice"></a>

AWS Application Migration Service (service prefix: `mgn`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mgn/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mgn/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mgn/latest/ug/security_iam_authentication.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Application Migration Service
](#awsapplicationmigrationservice-actions-as-permissions)
+ [

## Resource types defined by AWS Application Migration Service
](#awsapplicationmigrationservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Application Migration Service
](#awsapplicationmigrationservice-policy-keys)

## Actions defined by AWS Application Migration Service
<a name="awsapplicationmigrationservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsapplicationmigrationservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationmigrationservice.html)

## Resource types defined by AWS Application Migration Service
<a name="awsapplicationmigrationservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsapplicationmigrationservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/launching-target-servers.html](https://docs.aws.amazon.com/mgn/latest/ug/launching-target-servers.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:job/\$1\$1JobID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/replication-settings-template.html](https://docs.aws.amazon.com/mgn/latest/ug/replication-settings-template.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:replication-configuration-template/\$1\$1ReplicationConfigurationTemplateID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/post-launch-settings.html](https://docs.aws.amazon.com/mgn/latest/ug/post-launch-settings.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:launch-configuration-template/\$1\$1LaunchConfigurationTemplateID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/agentless-mgn.html](https://docs.aws.amazon.com/mgn/latest/ug/agentless-mgn.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:vcenter-client/\$1\$1VcenterClientID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/source-servers.html](https://docs.aws.amazon.com/mgn/latest/ug/source-servers.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:source-server/\$1\$1SourceServerID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/applications.html](https://docs.aws.amazon.com/mgn/latest/ug/applications.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/waves.html](https://docs.aws.amazon.com/mgn/latest/ug/waves.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:wave/\$1\$1WaveID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/imports.html](https://docs.aws.amazon.com/mgn/latest/ug/imports.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:import/\$1\$1ImportID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/exports.html](https://docs.aws.amazon.com/mgn/latest/ug/exports.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:export/\$1\$1ExportID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/connectors.html](https://docs.aws.amazon.com/mgn/latest/ug/connectors.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:connector/\$1\$1ConnectorID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/network-migration-definition.html](https://docs.aws.amazon.com/mgn/latest/ug/network-migration-definition.html)  |  arn:\$1\$1Partition\$1:mgn:\$1\$1Region\$1:\$1\$1Account\$1:network-migration-definition/\$1\$1NetworkMigrationDefinitionID\$1  |   [#awsapplicationmigrationservice-aws_ResourceTag___TagKey_](#awsapplicationmigrationservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Application Migration Service
<a name="awsapplicationmigrationservice-policy-keys"></a>

AWS Application Migration Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/mgn/latest/ug/supported-iam-actions-tagging.html](https://docs.aws.amazon.com/mgn/latest/ug/supported-iam-actions-tagging.html)  | Filters access by the name of a resource-creating API action | String | 

# Actions, resources, and condition keys for Amazon Application Recovery Controller - Zonal Shift
<a name="list_amazonapplicationrecoverycontroller-zonalshift"></a>

Amazon Application Recovery Controller - Zonal Shift (service prefix: `arc-zonal-shift`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/r53recovery/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/arc-zonal-shift/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/r53recovery/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Application Recovery Controller - Zonal Shift
](#amazonapplicationrecoverycontroller-zonalshift-actions-as-permissions)
+ [

## Resource types defined by Amazon Application Recovery Controller - Zonal Shift
](#amazonapplicationrecoverycontroller-zonalshift-resources-for-iam-policies)
+ [

## Condition keys for Amazon Application Recovery Controller - Zonal Shift
](#amazonapplicationrecoverycontroller-zonalshift-policy-keys)

## Actions defined by Amazon Application Recovery Controller - Zonal Shift
<a name="amazonapplicationrecoverycontroller-zonalshift-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonapplicationrecoverycontroller-zonalshift-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapplicationrecoverycontroller-zonalshift.html)

## Resource types defined by Amazon Application Recovery Controller - Zonal Shift
<a name="amazonapplicationrecoverycontroller-zonalshift-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonapplicationrecoverycontroller-zonalshift-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-shift.resource-types.html](https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-shift.resource-types.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:loadbalancer/app/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1  |   [#amazonapplicationrecoverycontroller-zonalshift-arc-zonal-shift_ResourceIdentifier](#amazonapplicationrecoverycontroller-zonalshift-arc-zonal-shift_ResourceIdentifier)   [#amazonapplicationrecoverycontroller-zonalshift-aws_ResourceTag___TagKey_](#amazonapplicationrecoverycontroller-zonalshift-aws_ResourceTag___TagKey_)   [#amazonapplicationrecoverycontroller-zonalshift-elasticloadbalancing_ResourceTag___TagKey_](#amazonapplicationrecoverycontroller-zonalshift-elasticloadbalancing_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-shift.resource-types.html](https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-shift.resource-types.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:loadbalancer/net/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1  |   [#amazonapplicationrecoverycontroller-zonalshift-arc-zonal-shift_ResourceIdentifier](#amazonapplicationrecoverycontroller-zonalshift-arc-zonal-shift_ResourceIdentifier)   [#amazonapplicationrecoverycontroller-zonalshift-aws_ResourceTag___TagKey_](#amazonapplicationrecoverycontroller-zonalshift-aws_ResourceTag___TagKey_)   [#amazonapplicationrecoverycontroller-zonalshift-elasticloadbalancing_ResourceTag___TagKey_](#amazonapplicationrecoverycontroller-zonalshift-elasticloadbalancing_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Application Recovery Controller - Zonal Shift
<a name="amazonapplicationrecoverycontroller-zonalshift-policy-keys"></a>

Amazon Application Recovery Controller - Zonal Shift defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53applicationrecoverycontroller-zonalshift.html#amazonroute53applicationrecoverycontroller-zonalshift-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53applicationrecoverycontroller-zonalshift.html#amazonroute53applicationrecoverycontroller-zonalshift-policy-keys)  | Filters access by the resource identifier of the managed resource | String | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html#elb-condition-keys](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html#elb-condition-keys)  | Filters access by the tags associated with the managed resource | String | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html#elb-condition-keys](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html#elb-condition-keys)  | Filters access by the tags associated with the managed resource | String | 

# Actions, resources, and condition keys for AWS Application Transformation Service
<a name="list_awsapplicationtransformationservice"></a>

AWS Application Transformation Service (service prefix: `application-transformation`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Application Transformation Service
](#awsapplicationtransformationservice-actions-as-permissions)
+ [

## Resource types defined by AWS Application Transformation Service
](#awsapplicationtransformationservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Application Transformation Service
](#awsapplicationtransformationservice-policy-keys)

## Actions defined by AWS Application Transformation Service
<a name="awsapplicationtransformationservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsapplicationtransformationservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html)  | Grants permission to get the details of all Containerization jobs | Read |  |  |  | 
|   [https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html)  | Grants permission to get the details of all Deployment jobs | Read |  |  |  | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html)  | Grants permission to Get the details of a Grouping Assessment Operation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html)  | Grants permission to Get Porting Compatibility Operation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html)  | Grants permission to Get the details of a Porting Recommendation Assessment Operation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html)  | Grants permission to Get the details of a Runtime Assessment Operation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html)  | Grants permission to Push Logs (Intended for Clients Only) | Write |  |  |  | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html)  | Grants permission to Push Metrics Data (Intended for Clients Only) | Write |  |  |  | 
|   [https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html)  | Grants permission to start a Containerization job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html](https://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/what-is-tk-dotnet-refactoring.html)  | Grants permission to start a Deployment job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html)  | Grants permission to Start a Grouping Assessment Operation | Write |  |  |  | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html)  | Grants permission to Start Porting Compatibility Operation | Write |  |  |  | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html)  | Grants permission to Start the Porting Recommendation Assessment Operation | Write |  |  |  | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html)  | Grants permission to Start a Runtime Assessment Operation | Write |  |  |  | 

## Resource types defined by AWS Application Transformation Service
<a name="awsapplicationtransformationservice-resources-for-iam-policies"></a>

AWS Application Transformation Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Application Transformation Service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Application Transformation Service
<a name="awsapplicationtransformationservice-policy-keys"></a>

Application Transformation Service has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon AppStream 2.0
<a name="list_amazonappstream2.0"></a>

Amazon AppStream 2.0 (service prefix: `appstream`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/appstream2/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/appstream2/latest/developerguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/appstream2/latest/developerguide/controlling-access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon AppStream 2.0
](#amazonappstream2.0-actions-as-permissions)
+ [

## Resource types defined by Amazon AppStream 2.0
](#amazonappstream2.0-resources-for-iam-policies)
+ [

## Condition keys for Amazon AppStream 2.0
](#amazonappstream2.0-policy-keys)

## Actions defined by Amazon AppStream 2.0
<a name="amazonappstream2.0-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonappstream2.0-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappstream2.0.html)

## Resource types defined by Amazon AppStream 2.0
<a name="amazonappstream2.0-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonappstream2.0-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts](https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts)  |  arn:\$1\$1Partition\$1:appstream:\$1\$1Region\$1:\$1\$1Account\$1:fleet/\$1\$1FleetName\$1  |   [#amazonappstream2.0-aws_ResourceTag___TagKey_](#amazonappstream2.0-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts](https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts)  |  arn:\$1\$1Partition\$1:appstream:\$1\$1Region\$1:\$1\$1Account\$1:image/\$1\$1ImageName\$1  |   [#amazonappstream2.0-aws_ResourceTag___TagKey_](#amazonappstream2.0-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts](https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts)  |  arn:\$1\$1Partition\$1:appstream:\$1\$1Region\$1:\$1\$1Account\$1:image-builder/\$1\$1ImageBuilderName\$1  |   [#amazonappstream2.0-aws_ResourceTag___TagKey_](#amazonappstream2.0-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts](https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts)  |  arn:\$1\$1Partition\$1:appstream:\$1\$1Region\$1:\$1\$1Account\$1:stack/\$1\$1StackName\$1  |   [#amazonappstream2.0-aws_ResourceTag___TagKey_](#amazonappstream2.0-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts](https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts)  |  arn:\$1\$1Partition\$1:appstream:\$1\$1Region\$1:\$1\$1Account\$1:app-block/\$1\$1AppBlockName\$1  |   [#amazonappstream2.0-aws_ResourceTag___TagKey_](#amazonappstream2.0-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts](https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts)  |  arn:\$1\$1Partition\$1:appstream:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationName\$1  |   [#amazonappstream2.0-aws_ResourceTag___TagKey_](#amazonappstream2.0-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts](https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html#what-is-concepts)  |  arn:\$1\$1Partition\$1:appstream:\$1\$1Region\$1:\$1\$1Account\$1:app-block-builder/\$1\$1AppBlockBuilderName\$1  |   [#amazonappstream2.0-aws_ResourceTag___TagKey_](#amazonappstream2.0-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon AppStream 2.0
<a name="amazonappstream2.0-policy-keys"></a>

Amazon AppStream 2.0 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-embed-inline-policy-for-IAM-role](https://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-embed-inline-policy-for-IAM-role)  | Filters access by the ID of the AppStream 2.0 user | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS AppSync
<a name="list_awsappsync"></a>

AWS AppSync (service prefix: `appsync`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/appsync/latest/devguide/what-is-appsync.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/appsync/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/appsync/latest/devguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS AppSync
](#awsappsync-actions-as-permissions)
+ [

## Resource types defined by AWS AppSync
](#awsappsync-resources-for-iam-policies)
+ [

## Condition keys for AWS AppSync
](#awsappsync-policy-keys)

## Actions defined by AWS AppSync
<a name="awsappsync-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsappsync-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappsync.html)

## Resource types defined by AWS AppSync
<a name="awsappsync-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsappsync-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/appsync/latest/devguide/attaching-a-data-source.html](https://docs.aws.amazon.com/appsync/latest/devguide/attaching-a-data-source.html)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:apis/\$1\$1GraphQLAPIId\$1/datasources/\$1\$1DatasourceName\$1  |  | 
|   [https://docs.aws.amazon.com/appsync/latest/devguide/custom-domain-name.html](https://docs.aws.amazon.com/appsync/latest/devguide/custom-domain-name.html)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:domainnames/\$1\$1DomainName\$1  |   [#awsappsync-aws_ResourceTag___TagKey_](#awsappsync-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appsync/latest/devguide/designing-a-graphql-api.html](https://docs.aws.amazon.com/appsync/latest/devguide/designing-a-graphql-api.html)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:apis/\$1\$1GraphQLAPIId\$1  |   [#awsappsync-aws_ResourceTag___TagKey_](#awsappsync-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appsync/latest/devguide/configuring-resolvers.html](https://docs.aws.amazon.com/appsync/latest/devguide/configuring-resolvers.html)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:apis/\$1\$1GraphQLAPIId\$1/types/\$1\$1TypeName\$1/fields/\$1\$1FieldName\$1  |  | 
|   [https://docs.aws.amazon.com/appsync/latest/devguide/designing-your-schema.html#adding-a-root-query-type](https://docs.aws.amazon.com/appsync/latest/devguide/designing-your-schema.html#adding-a-root-query-type)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:apis/\$1\$1GraphQLAPIId\$1/types/\$1\$1TypeName\$1  |  | 
|   [https://docs.aws.amazon.com/appsync/latest/devguide/pipeline-resolvers.html](https://docs.aws.amazon.com/appsync/latest/devguide/pipeline-resolvers.html)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:apis/\$1\$1GraphQLAPIId\$1/functions/\$1\$1FunctionId\$1  |  | 
|   [https://docs.aws.amazon.com/appsync/latest/devguide/merged-api.html](https://docs.aws.amazon.com/appsync/latest/devguide/merged-api.html)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:apis/\$1\$1MergedGraphQLAPIId\$1/sourceApiAssociations/\$1\$1Associationid\$1  |  | 
|   [https://docs.aws.amazon.com/appsync/latest/devguide/merged-api.html](https://docs.aws.amazon.com/appsync/latest/devguide/merged-api.html)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:apis/\$1\$1SourceGraphQLAPIId\$1/mergedApiAssociations/\$1\$1Associationid\$1  |  | 
|   [https://docs.aws.amazon.com/appsync/latest/eventapi/event-api-welcome.html](https://docs.aws.amazon.com/appsync/latest/eventapi/event-api-welcome.html)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:apis/\$1\$1ApiId\$1  |   [#awsappsync-aws_ResourceTag___TagKey_](#awsappsync-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/appsync/latest/eventapi/channel-namespaces.html](https://docs.aws.amazon.com/appsync/latest/eventapi/channel-namespaces.html)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:apis/\$1\$1ApiId\$1/channelNamespace/\$1\$1ChannelNamespaceName\$1  |   [#awsappsync-aws_ResourceTag___TagKey_](#awsappsync-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS AppSync
<a name="awsappsync-policy-keys"></a>

AWS AppSync defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [iam-policy-structure.html#amazon-appsync-keys](iam-policy-structure.html#amazon-appsync-keys)  | Filters access by the visibility of an API | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon ARC Region switch
<a name="list_amazonarcregionswitch"></a>

Amazon ARC Region switch (service prefix: `arc-region-switch`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/r53recovery/latest/dg/region-switch.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/arc-region-switch/latest/api/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/r53recovery/latest/dg/security-iam-region-switch.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon ARC Region switch
](#amazonarcregionswitch-actions-as-permissions)
+ [

## Resource types defined by Amazon ARC Region switch
](#amazonarcregionswitch-resources-for-iam-policies)
+ [

## Condition keys for Amazon ARC Region switch
](#amazonarcregionswitch-policy-keys)

## Actions defined by Amazon ARC Region switch
<a name="amazonarcregionswitch-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonarcregionswitch-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonarcregionswitch.html)

## Resource types defined by Amazon ARC Region switch
<a name="amazonarcregionswitch-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonarcregionswitch-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/arc-region-switch/latest/api/API_Plan.html](https://docs.aws.amazon.com/arc-region-switch/latest/api/API_Plan.html)  |  arn:\$1\$1Partition\$1:arc-region-switch::\$1\$1Account\$1:plan/\$1\$1ResourceId\$1  |   [#amazonarcregionswitch-aws_ResourceTag___TagKey_](#amazonarcregionswitch-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon ARC Region switch
<a name="amazonarcregionswitch-policy-keys"></a>

Amazon ARC Region switch defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Artifact
<a name="list_awsartifact"></a>

AWS Artifact (service prefix: `artifact`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/artifact/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/artifact/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/artifact/latest/ug/getting-started.html#create-iam-policy) permission policies.

**Topics**
+ [

## Actions defined by AWS Artifact
](#awsartifact-actions-as-permissions)
+ [

## Resource types defined by AWS Artifact
](#awsartifact-resources-for-iam-policies)
+ [

## Condition keys for AWS Artifact
](#awsartifact-policy-keys)

## Actions defined by AWS Artifact
<a name="awsartifact-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsartifact-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_AcceptAgreement.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_AcceptAgreement.html)  | Grants permission to accept an AWS agreement that has not yet been accepted by the customer account | Write |   [#awsartifact-agreement](#awsartifact-agreement)   |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_AcceptNdaForAgreement.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_AcceptNdaForAgreement.html)  | Grants permission to accept the terms of an NDA Document for a given agreement resource | Write |   [#awsartifact-agreement](#awsartifact-agreement)   |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetAccountSettings.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetAccountSettings.html)  | Grants permission to get the account settings for Artifact | Read |  |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetAgreement.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetAgreement.html)  | Grants permission to get an AWS agreement that has not yet been accepted by the customer account | Read |   [#awsartifact-agreement](#awsartifact-agreement)   |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetCustomerAgreement.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetCustomerAgreement.html)  | Grants permission to get an AWS agreement that has been accepted by the customer account | Read |   [#awsartifact-customer-agreement](#awsartifact-customer-agreement)   |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetNdaForAgreement.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetNdaForAgreement.html)  | Grants permission to retrieve the NDA Document for a given agreement resource | Read |   [#awsartifact-agreement](#awsartifact-agreement)   |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetReport.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetReport.html)  | Grants permission to download a report | Read |   [#awsartifact-report](#awsartifact-report)   |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetReportMetadata.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetReportMetadata.html)  | Grants permission to download metadata associated with a report | Read |   [#awsartifact-report](#awsartifact-report)   |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetTermForReport.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_GetTermForReport.html)  | Grants permission to download a term associated with a report | Read |   [#awsartifact-report](#awsartifact-report)   |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_ListAgreements.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_ListAgreements.html)  | Grants permission to list AWS agreements | List |  |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_ListCustomerAgreements.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_ListCustomerAgreements.html)  | Grants permission to list customer-agreement resources that have been accepted by the customer account | List |  |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_ListReportVersions.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_ListReportVersions.html)  | Grants permission to list report versions in your account | List |  |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_ListReports.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_ListReports.html)  | Grants permission to list reports in your account | List |  |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_PutAccountSettings.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_PutAccountSettings.html)  | Grants permission to put account settings for Artifact | Write |  |  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/APIReference/API_TerminateAgreement.html](https://docs.aws.amazon.com/artifact/latest/APIReference/API_TerminateAgreement.html)  | Grants permission to terminate a customer agreement that was previously accepted by the customer account | Write |   [#awsartifact-customer-agreement](#awsartifact-customer-agreement)   |  |  | 

## Resource types defined by AWS Artifact
<a name="awsartifact-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsartifact-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/artifact/latest/ug/managing-agreements.html](https://docs.aws.amazon.com/artifact/latest/ug/managing-agreements.html)  |  arn:\$1\$1Partition\$1:artifact::\$1\$1Account\$1:customer-agreement/\$1  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/ug/managing-agreements.html](https://docs.aws.amazon.com/artifact/latest/ug/managing-agreements.html)  |  arn:\$1\$1Partition\$1:artifact:::agreement/\$1  |  | 
|   [https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html](https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html)  |  arn:\$1\$1Partition\$1:artifact:\$1\$1Region\$1::report/\$1\$1ReportId\$1:\$1\$1Version\$1  |   [#awsartifact-artifact_ReportCategory](#awsartifact-artifact_ReportCategory)   [#awsartifact-artifact_ReportSeries](#awsartifact-artifact_ReportSeries)   | 

## Condition keys for AWS Artifact
<a name="awsartifact-policy-keys"></a>

AWS Artifact defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/artifact/latest/ug/using-condition-keys.html](https://docs.aws.amazon.com/artifact/latest/ug/using-condition-keys.html)  | Filters access by which category reports are associated with | String | 
|   [https://docs.aws.amazon.com/artifact/latest/ug/using-condition-keys.html](https://docs.aws.amazon.com/artifact/latest/ug/using-condition-keys.html)  | Filters access by which series reports are associated with | String | 

# Actions, resources, and condition keys for Amazon Athena
<a name="list_amazonathena"></a>

Amazon Athena (service prefix: `athena`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/athena/latest/ug/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/athena/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/athena/latest/ug/security-iam-athena.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Athena
](#amazonathena-actions-as-permissions)
+ [

## Resource types defined by Amazon Athena
](#amazonathena-resources-for-iam-policies)
+ [

## Condition keys for Amazon Athena
](#amazonathena-policy-keys)

## Actions defined by Amazon Athena
<a name="amazonathena-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonathena-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html)

## Resource types defined by Amazon Athena
<a name="amazonathena-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonathena-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html](https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html)  |  arn:\$1\$1Partition\$1:athena:\$1\$1Region\$1:\$1\$1Account\$1:datacatalog/\$1\$1DataCatalogName\$1  |   [#amazonathena-aws_ResourceTag___TagKey_](#amazonathena-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/athena/latest/ug/example-policies-workgroup.html](https://docs.aws.amazon.com/athena/latest/ug/example-policies-workgroup.html)  |  arn:\$1\$1Partition\$1:athena:\$1\$1Region\$1:\$1\$1Account\$1:workgroup/\$1\$1WorkGroupName\$1  |   [#amazonathena-aws_ResourceTag___TagKey_](#amazonathena-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/athena/latest/ug/example-policies-capacity-reservations.html](https://docs.aws.amazon.com/athena/latest/ug/example-policies-capacity-reservations.html)  |  arn:\$1\$1Partition\$1:athena:\$1\$1Region\$1:\$1\$1Account\$1:capacity-reservation/\$1\$1CapacityReservationName\$1  |   [#amazonathena-aws_ResourceTag___TagKey_](#amazonathena-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/athena/latest/ug/example-policies-workgroup.html](https://docs.aws.amazon.com/athena/latest/ug/example-policies-workgroup.html)  |  arn:\$1\$1Partition\$1:athena:\$1\$1Region\$1:\$1\$1Account\$1:workgroup/\$1\$1WorkGroupName\$1/session/\$1\$1SessionId\$1  |   [#amazonathena-aws_ResourceTag___TagKey_](#amazonathena-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Athena
<a name="amazonathena-policy-keys"></a>

Amazon Athena defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Audit Manager
<a name="list_awsauditmanager"></a>

AWS Audit Manager (service prefix: `auditmanager`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/audit-manager/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/audit-manager/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/audit-manager/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Audit Manager
](#awsauditmanager-actions-as-permissions)
+ [

## Resource types defined by AWS Audit Manager
](#awsauditmanager-resources-for-iam-policies)
+ [

## Condition keys for AWS Audit Manager
](#awsauditmanager-policy-keys)

## Actions defined by AWS Audit Manager
<a name="awsauditmanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsauditmanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsauditmanager.html)

## Resource types defined by AWS Audit Manager
<a name="awsauditmanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsauditmanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_Assessment.html](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_Assessment.html)  |  arn:\$1\$1Partition\$1:auditmanager:\$1\$1Region\$1:\$1\$1Account\$1:assessment/\$1\$1AssessmentId\$1  |   [#awsauditmanager-aws_ResourceTag___TagKey_](#awsauditmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_AssessmentFramework.html](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_AssessmentFramework.html)  |  arn:\$1\$1Partition\$1:auditmanager:\$1\$1Region\$1:\$1\$1Account\$1:assessmentFramework/\$1\$1AssessmentFrameworkId\$1  |   [#awsauditmanager-aws_ResourceTag___TagKey_](#awsauditmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_AssessmentControlSet.html](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_AssessmentControlSet.html)  |  arn:\$1\$1Partition\$1:auditmanager:\$1\$1Region\$1:\$1\$1Account\$1:assessment/\$1\$1AssessmentId\$1/controlSet/\$1\$1ControlSetId\$1  |  | 
|   [https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_Control.html](https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_Control.html)  |  arn:\$1\$1Partition\$1:auditmanager:\$1\$1Region\$1:\$1\$1Account\$1:control/\$1\$1ControlId\$1  |   [#awsauditmanager-aws_ResourceTag___TagKey_](#awsauditmanager-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Audit Manager
<a name="awsauditmanager-policy-keys"></a>

AWS Audit Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Aurora DSQL
<a name="list_amazonauroradsql"></a>

Amazon Aurora DSQL (service prefix: `dsql`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/what-is-aurora-dsql.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Aurora DSQL
](#amazonauroradsql-actions-as-permissions)
+ [

## Resource types defined by Amazon Aurora DSQL
](#amazonauroradsql-resources-for-iam-policies)
+ [

## Condition keys for Amazon Aurora DSQL
](#amazonauroradsql-policy-keys)

## Actions defined by Amazon Aurora DSQL
<a name="amazonauroradsql-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonauroradsql-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonauroradsql.html)

## Resource types defined by Amazon Aurora DSQL
<a name="amazonauroradsql-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonauroradsql-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/aurora-dsql/latest/userguide/what-is-aurora-dsql.html](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/what-is-aurora-dsql.html)  |  arn:\$1\$1Partition\$1:dsql:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1Identifier\$1  |   [#amazonauroradsql-aws_ResourceTag___TagKey_](#amazonauroradsql-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Aurora DSQL
<a name="amazonauroradsql-policy-keys"></a>

Amazon Aurora DSQL defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html)  | Filters access by the ID of an AWS FIS action | String | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html)  | Filters access by the ARN of an AWS FIS target | ArrayOfARN | 
|   [https://docs.aws.amazon.com/aurora-dsql/latest/userguide/using-iam-condition-keys.html#using-iam-condition-keys-create-mr-cluster-witness](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/using-iam-condition-keys.html#using-iam-condition-keys-create-mr-cluster-witness)  | Filters access by the witness region of multi-Region clusters | String | 

# Actions, resources, and condition keys for AWS Auto Scaling
<a name="list_awsautoscaling"></a>

AWS Auto Scaling (service prefix: `autoscaling-plans`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/autoscaling/plans/userguide/what-is-aws-auto-scaling.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/autoscaling/plans/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/autoscaling/plans/userguide/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Auto Scaling
](#awsautoscaling-actions-as-permissions)
+ [

## Resource types defined by AWS Auto Scaling
](#awsautoscaling-resources-for-iam-policies)
+ [

## Condition keys for AWS Auto Scaling
](#awsautoscaling-policy-keys)

## Actions defined by AWS Auto Scaling
<a name="awsautoscaling-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsautoscaling-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_CreateScalingPlan.html](https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_CreateScalingPlan.html)  | Creates a scaling plan. | Write |  |  |  | 
|   [https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_DeleteScalingPlan.html](https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_DeleteScalingPlan.html)  | Deletes the specified scaling plan. | Write |  |  |  | 
|   [https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_DescribeScalingPlanResources.html](https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_DescribeScalingPlanResources.html)  | Describes the scalable resources in the specified scaling plan. | Read |  |  |  | 
|   [https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_DescribeScalingPlans.html](https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_DescribeScalingPlans.html)  | Describes the specified scaling plans or all of your scaling plans. | Read |  |  |  | 
|   [https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_GetScalingPlanResourceForecastData.html](https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_GetScalingPlanResourceForecastData.html)  | Retrieves the forecast data for a scalable resource. | Read |  |  |  | 
|   [https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_UpdateScalingPlan.html](https://docs.aws.amazon.com/autoscaling/plans/APIReference/API_UpdateScalingPlan.html)  | Updates a scaling plan. | Write |  |  |  | 

## Resource types defined by AWS Auto Scaling
<a name="awsautoscaling-resources-for-iam-policies"></a>

AWS Auto Scaling does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Auto Scaling, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Auto Scaling
<a name="awsautoscaling-policy-keys"></a>

Auto Scaling has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS B2B Data Interchange
<a name="list_awsb2bdatainterchange"></a>

AWS B2B Data Interchange (service prefix: `b2bi`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/b2bi/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/b2bi/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/b2bi/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS B2B Data Interchange
](#awsb2bdatainterchange-actions-as-permissions)
+ [

## Resource types defined by AWS B2B Data Interchange
](#awsb2bdatainterchange-resources-for-iam-policies)
+ [

## Condition keys for AWS B2B Data Interchange
](#awsb2bdatainterchange-policy-keys)

## Actions defined by AWS B2B Data Interchange
<a name="awsb2bdatainterchange-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsb2bdatainterchange-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsb2bdatainterchange.html)

## Resource types defined by AWS B2B Data Interchange
<a name="awsb2bdatainterchange-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsb2bdatainterchange-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/b2bi/latest/userguide/](https://docs.aws.amazon.com/b2bi/latest/userguide/)  |  arn:\$1\$1Partition\$1:b2bi:\$1\$1Region\$1:\$1\$1Account\$1:profile/\$1\$1ResourceId\$1  |   [#awsb2bdatainterchange-aws_ResourceTag___TagKey_](#awsb2bdatainterchange-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/b2bi/latest/userguide/](https://docs.aws.amazon.com/b2bi/latest/userguide/)  |  arn:\$1\$1Partition\$1:b2bi:\$1\$1Region\$1:\$1\$1Account\$1:capability/\$1\$1ResourceId\$1  |   [#awsb2bdatainterchange-aws_ResourceTag___TagKey_](#awsb2bdatainterchange-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/b2bi/latest/userguide/](https://docs.aws.amazon.com/b2bi/latest/userguide/)  |  arn:\$1\$1Partition\$1:b2bi:\$1\$1Region\$1:\$1\$1Account\$1:partnership/\$1\$1ResourceId\$1  |   [#awsb2bdatainterchange-aws_ResourceTag___TagKey_](#awsb2bdatainterchange-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/b2bi/latest/userguide/](https://docs.aws.amazon.com/b2bi/latest/userguide/)  |  arn:\$1\$1Partition\$1:b2bi:\$1\$1Region\$1:\$1\$1Account\$1:transformer/\$1\$1ResourceId\$1  |   [#awsb2bdatainterchange-aws_ResourceTag___TagKey_](#awsb2bdatainterchange-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS B2B Data Interchange
<a name="awsb2bdatainterchange-policy-keys"></a>

AWS B2B Data Interchange defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Backup
<a name="list_awsbackup"></a>

AWS Backup (service prefix: `backup`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/aws-backup/latest/devguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-backup/latest/devguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html#authentication) permission policies.

**Topics**
+ [

## Actions defined by AWS Backup
](#awsbackup-actions-as-permissions)
+ [

## Resource types defined by AWS Backup
](#awsbackup-resources-for-iam-policies)
+ [

## Condition keys for AWS Backup
](#awsbackup-policy-keys)

## Actions defined by AWS Backup
<a name="awsbackup-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbackup-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html)

## Resource types defined by AWS Backup
<a name="awsbackup-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbackup-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/vaults.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/vaults.html)  |  arn:\$1\$1Partition\$1:backup:\$1\$1Region\$1:\$1\$1Account\$1:backup-vault:\$1\$1BackupVaultName\$1  |   [#awsbackup-aws_ResourceTag___TagKey_](#awsbackup-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/about-backup-plans.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/about-backup-plans.html)  |  arn:\$1\$1Partition\$1:backup:\$1\$1Region\$1:\$1\$1Account\$1:backup-plan:\$1\$1BackupPlanId\$1  |   [#awsbackup-aws_ResourceTag___TagKey_](#awsbackup-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/recovery-points.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/recovery-points.html)  |  arn:\$1\$1Partition\$1:\$1\$1Vendor\$1:\$1\$1Region\$1:\$1:\$1\$1ResourceType\$1:\$1\$1RecoveryPointId\$1  |   [#awsbackup-aws_ResourceTag___TagKey_](#awsbackup-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/working-with-audit-frameworks.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/working-with-audit-frameworks.html)  |  arn:\$1\$1Partition\$1:backup:\$1\$1Region\$1:\$1\$1Account\$1:framework:\$1\$1FrameworkName\$1-\$1\$1FrameworkId\$1  |   [#awsbackup-aws_ResourceTag___TagKey_](#awsbackup-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/create-report-plan-api.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-report-plan-api.html)  |  arn:\$1\$1Partition\$1:backup:\$1\$1Region\$1:\$1\$1Account\$1:report-plan:\$1\$1ReportPlanName\$1-\$1\$1ReportPlanId\$1  |   [#awsbackup-aws_ResourceTag___TagKey_](#awsbackup-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/legalhold.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/legalhold.html)  |  arn:\$1\$1Partition\$1:backup:\$1\$1Region\$1:\$1\$1Account\$1:legal-hold:\$1\$1LegalHoldId\$1  |   [#awsbackup-aws_ResourceTag___TagKey_](#awsbackup-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/restore-testing.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/restore-testing.html)  |  arn:\$1\$1Partition\$1:backup:\$1\$1Region\$1:\$1\$1Account\$1:restore-testing-plan:\$1\$1RestoreTestingPlanName\$1-\$1\$1RestoreTestingPlanId\$1  |   [#awsbackup-aws_ResourceTag___TagKey_](#awsbackup-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/tiering-configuration.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/tiering-configuration.html)  |  arn:\$1\$1Partition\$1:backup:\$1\$1Region\$1:\$1\$1Account\$1:tiering-configuration:\$1\$1TieringConfigurationName\$1-\$1\$1TieringConfigurationId\$1  |   [#awsbackup-aws_ResourceTag___TagKey_](#awsbackup-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Backup
<a name="awsbackup-policy-keys"></a>

AWS Backup defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys)  | Filters access by the value of the ChangeableForDays parameter | Numeric | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys)  | Filters access by the organization unit | ArrayOfString | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys)  | Filters access by the ARN of a backup vault | ArrayOfARN | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys)  | Filters access by the Framework ARNs | ArrayOfARN | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys)  | Filters access by the value of Index parameter | String | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys)  | Filters access by the value of the MaxRetentionDays parameter | Numeric | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys)  | Filters access by the value of the MinRetentionDays parameter | Numeric | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#amazon-backup-keys)  | Filters access by the MPA Approval Team ARN of a backup vault | ARN | 

# Actions, resources, and condition keys for AWS Backup Gateway
<a name="list_awsbackupgateway"></a>

AWS Backup Gateway (service prefix: `backup-gateway`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/aws-backup/latest/devguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-backup/latest/devguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html#authentication) permission policies.

**Topics**
+ [

## Actions defined by AWS Backup Gateway
](#awsbackupgateway-actions-as-permissions)
+ [

## Resource types defined by AWS Backup Gateway
](#awsbackupgateway-resources-for-iam-policies)
+ [

## Condition keys for AWS Backup Gateway
](#awsbackupgateway-policy-keys)

## Actions defined by AWS Backup Gateway
<a name="awsbackupgateway-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbackupgateway-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackupgateway.html)

## Resource types defined by AWS Backup Gateway
<a name="awsbackupgateway-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbackupgateway-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BGW_Gateway.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BGW_Gateway.html)  |  arn:\$1\$1Partition\$1:backup-gateway:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1  |   [#awsbackupgateway-aws_ResourceTag___TagKey_](#awsbackupgateway-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BGW_Hypervisor.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BGW_Hypervisor.html)  |  arn:\$1\$1Partition\$1:backup-gateway:\$1\$1Region\$1:\$1\$1Account\$1:hypervisor/\$1\$1HypervisorId\$1  |   [#awsbackupgateway-aws_ResourceTag___TagKey_](#awsbackupgateway-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BGW_VirtualMachine.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_BGW_VirtualMachine.html)  |  arn:\$1\$1Partition\$1:backup-gateway:\$1\$1Region\$1:\$1\$1Account\$1:vm/\$1\$1VirtualmachineId\$1  |   [#awsbackupgateway-aws_ResourceTag___TagKey_](#awsbackupgateway-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Backup Gateway
<a name="awsbackupgateway-policy-keys"></a>

AWS Backup Gateway defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Backup Search
<a name="list_awsbackupsearch"></a>

AWS Backup Search (service prefix: `backup-search`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/aws-backup/latest/devguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-backup/latest/devguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html#authentication) permission policies.

**Topics**
+ [

## Actions defined by AWS Backup Search
](#awsbackupsearch-actions-as-permissions)
+ [

## Resource types defined by AWS Backup Search
](#awsbackupsearch-resources-for-iam-policies)
+ [

## Condition keys for AWS Backup Search
](#awsbackupsearch-policy-keys)

## Actions defined by AWS Backup Search
<a name="awsbackupsearch-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbackupsearch-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackupsearch.html)

## Resource types defined by AWS Backup Search
<a name="awsbackupsearch-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbackupsearch-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-search.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-search.html)  |  arn:\$1\$1Partition\$1:backup-search:\$1\$1Region\$1:\$1\$1Account\$1:search-job/\$1\$1ResourceId\$1  |   [#awsbackupsearch-aws_ResourceTag___TagKey_](#awsbackupsearch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-search.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-search.html)  |  arn:\$1\$1Partition\$1:backup-search:\$1\$1Region\$1:\$1\$1Account\$1:search-export-job/\$1\$1ResourceId\$1  |   [#awsbackupsearch-aws_ResourceTag___TagKey_](#awsbackupsearch-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Backup Search
<a name="awsbackupsearch-policy-keys"></a>

AWS Backup Search defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Backup storage
<a name="list_awsbackupstorage"></a>

AWS Backup storage (service prefix: `backup-storage`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/aws-backup/latest/devguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-backup/latest/devguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html#authentication) permission policies.

**Topics**
+ [

## Actions defined by AWS Backup storage
](#awsbackupstorage-actions-as-permissions)
+ [

## Resource types defined by AWS Backup storage
](#awsbackupstorage-resources-for-iam-policies)
+ [

## Condition keys for AWS Backup storage
](#awsbackupstorage-policy-keys)

## Actions defined by AWS Backup storage
<a name="awsbackupstorage-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbackupstorage-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to commit backup job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to delete objects | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to describe backup job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to get base backup | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to get data from a recovery point for a restore job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to get incremental base backup | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to get metadata from a recovery point for a restore job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to list data from a recovery point for a restore job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to list data from a recovery point for a restore job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/API_CreateBackupVault.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_CreateBackupVault.html) [permission only] | Associates a KMS key to a backup vault | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to mark an uploaded data as completed for a backup job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to upload data to an AWS Backup-managed recovery point for a backup job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to put object | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to upload data to an AWS Backup-managed recovery point for a backup job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-data-transfer.html) [permission only] | Grants permission to update object complete | Write |  |  |  | 

## Resource types defined by AWS Backup storage
<a name="awsbackupstorage-resources-for-iam-policies"></a>

AWS Backup storage does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Backup storage, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Backup storage
<a name="awsbackupstorage-policy-keys"></a>

Backup Storage has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Batch
<a name="list_awsbatch"></a>

AWS Batch (service prefix: `batch`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/batch/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/batch/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/batch/latest/userguide/IAM_policies.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Batch
](#awsbatch-actions-as-permissions)
+ [

## Resource types defined by AWS Batch
](#awsbatch-resources-for-iam-policies)
+ [

## Condition keys for AWS Batch
](#awsbatch-policy-keys)

## Actions defined by AWS Batch
<a name="awsbatch-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbatch-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html)

## Resource types defined by AWS Batch
<a name="awsbatch-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbatch-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html](https://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html)  |  arn:\$1\$1Partition\$1:batch:\$1\$1Region\$1:\$1\$1Account\$1:compute-environment/\$1\$1ComputeEnvironmentName\$1  |   [#awsbatch-aws_ResourceTag___TagKey_](#awsbatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/batch/latest/userguide/job_queues.html](https://docs.aws.amazon.com/batch/latest/userguide/job_queues.html)  |  arn:\$1\$1Partition\$1:batch:\$1\$1Region\$1:\$1\$1Account\$1:job-queue/\$1\$1JobQueueName\$1  |   [#awsbatch-aws_ResourceTag___TagKey_](#awsbatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/batch/latest/userguide/job_definitions.html](https://docs.aws.amazon.com/batch/latest/userguide/job_definitions.html)  |  arn:\$1\$1Partition\$1:batch:\$1\$1Region\$1:\$1\$1Account\$1:job-definition/\$1\$1JobDefinitionName\$1  |  | 
|   [https://docs.aws.amazon.com/batch/latest/userguide/job_definitions.html](https://docs.aws.amazon.com/batch/latest/userguide/job_definitions.html)  |  arn:\$1\$1Partition\$1:batch:\$1\$1Region\$1:\$1\$1Account\$1:job-definition/\$1\$1JobDefinitionName\$1:\$1\$1Revision\$1  |   [#awsbatch-aws_ResourceTag___TagKey_](#awsbatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/batch/latest/userguide/jobs.html](https://docs.aws.amazon.com/batch/latest/userguide/jobs.html)  |  arn:\$1\$1Partition\$1:batch:\$1\$1Region\$1:\$1\$1Account\$1:job/\$1\$1JobId\$1  |   [#awsbatch-aws_ResourceTag___TagKey_](#awsbatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/batch/latest/userguide/scheduling-policies.html](https://docs.aws.amazon.com/batch/latest/userguide/scheduling-policies.html)  |  arn:\$1\$1Partition\$1:batch:\$1\$1Region\$1:\$1\$1Account\$1:scheduling-policy/\$1\$1SchedulingPolicyName\$1  |   [#awsbatch-aws_ResourceTag___TagKey_](#awsbatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/batch/latest/userguide/service-environments.html](https://docs.aws.amazon.com/batch/latest/userguide/service-environments.html)  |  arn:\$1\$1Partition\$1:batch:\$1\$1Region\$1:\$1\$1Account\$1:service-environment/\$1\$1ServiceEnvironmentName\$1  |   [#awsbatch-aws_ResourceTag___TagKey_](#awsbatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/batch/latest/userguide/service-jobs.html](https://docs.aws.amazon.com/batch/latest/userguide/service-jobs.html)  |  arn:\$1\$1Partition\$1:batch:\$1\$1Region\$1:\$1\$1Account\$1:service-job/\$1\$1JobId\$1  |   [#awsbatch-aws_ResourceTag___TagKey_](#awsbatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/batch/latest/userguide/resource-aware-scheduling.html](https://docs.aws.amazon.com/batch/latest/userguide/resource-aware-scheduling.html)  |  arn:\$1\$1Partition\$1:batch:\$1\$1Region\$1:\$1\$1Account\$1:consumable-resource/\$1\$1ConsumableResourceName\$1  |   [#awsbatch-aws_ResourceTag___TagKey_](#awsbatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/batch/latest/userguide/quota-shares.html](https://docs.aws.amazon.com/batch/latest/userguide/quota-shares.html)  |  arn:\$1\$1Partition\$1:batch:\$1\$1Region\$1:\$1\$1Account\$1:job-queue/\$1\$1JobQueueName\$1/quota-share/\$1\$1QuotaShareName\$1  |   [#awsbatch-aws_ResourceTag___TagKey_](#awsbatch-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Batch
<a name="awsbatch-policy-keys"></a>

AWS Batch defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the specified logging driver to determine whether awslogs group will be created for the logs | Bool | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the awslogs group where the logs are located | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the region where the logs are sent to | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the awslogs log stream prefix | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the image used to start a container for an Amazon EKS job | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the namespace of a cluster used to run the pod for an Amazon EKS job | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the specified privileged parameter value that determines whether the container is given elevated privileges on the host container instance (similar to the root user) for an Amazon EKS job | Bool | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the specified group numeric ID (gid) used to start a container in an Amazon EKS job | Numeric | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the specified user numeric ID (uid) used to start a a container in an Amazon EKS job | Numeric | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the name of the service account used to run the pod for an Amazon EKS job | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the image used to start a container | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the log driver used for the container | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the specified privileged parameter value that determines whether the container is given elevated privileges on the host container instance (similar to the root user) | Bool | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the scheduling priority for jobs in the job queue | Numeric | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by the shareIdentifier used inside submit job | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html#awsbatch-policy-keys)  | Filters access by user name or numeric uid used inside the container | String | 

# Actions, resources, and condition keys for Amazon Bedrock
<a name="list_amazonbedrock"></a>

Amazon Bedrock (service prefix: `bedrock`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/bedrock/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Bedrock
](#amazonbedrock-actions-as-permissions)
+ [

## Resource types defined by Amazon Bedrock
](#amazonbedrock-resources-for-iam-policies)
+ [

## Condition keys for Amazon Bedrock
](#amazonbedrock-policy-keys)

## Actions defined by Amazon Bedrock
<a name="amazonbedrock-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonbedrock-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html)

## Resource types defined by Amazon Bedrock
<a name="amazonbedrock-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonbedrock-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1::foundation-model/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock::\$1\$1Account\$1:system-tool/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:async-invoke/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:inference-profile/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:default-prompt-router/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:prompt-router/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:application-inference-profile/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:custom-model/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:provisioned-model/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:model-customization-job/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:agent/\$1\$1AgentId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:agent-alias/\$1\$1AgentId\$1/\$1\$1AgentAliasId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:knowledge-base/\$1\$1KnowledgeBaseId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:model-evaluation-job/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:evaluation-job/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:model-invocation-job/\$1\$1JobIdentifier\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:guardrail/\$1\$1GuardrailId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/userguide/guardrail-profiles-permissions.html](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrail-profiles-permissions.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:guardrail-profile/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:automated-reasoning-policy/\$1\$1AutomatedReasoningPolicyId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:automated-reasoning-policy/\$1\$1AutomatedReasoningPolicyId\$1:\$1\$1AutomatedReasoningPolicyVersion\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_FlowSummary.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_FlowSummary.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:flow/\$1\$1FlowId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_FlowAliasSummary.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_FlowAliasSummary.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:flow/\$1\$1FlowId\$1/alias/\$1\$1FlowAliasId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent-runtime_FlowExecutionSummary.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent-runtime_FlowExecutionSummary.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:flow/\$1\$1FlowId\$1/alias/\$1\$1FlowAliasId\$1/execution/\$1\$1FlowExecutionId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:model-copy-job/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_PromptSummary.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_PromptSummary.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:prompt/\$1\$1PromptId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_PromptSummary.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_PromptSummary.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:prompt/\$1\$1PromptId\$1:\$1\$1PromptVersion\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:model-import-job/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:imported-model/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:marketplace/model-endpoint/all-access  |  | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:data-automation-project/\$1\$1ProjectId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:blueprint/\$1\$1BlueprintId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/API_Operations_Data_Automation_for_Amazon_Bedrock.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_Operations_Data_Automation_for_Amazon_Bedrock.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:blueprint-optimization-invocation/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:data-automation-invocation/\$1\$1JobId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:data-automation-profile/\$1\$1ProfileId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:data-automation-library/\$1\$1DataAutomationLibraryId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:data-automation-library-ingestion-job/\$1\$1IngestionJobId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:session/\$1\$1SessionId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html)  |  arn:\$1\$1Partition\$1:bedrock:\$1\$1Region\$1:\$1\$1Account\$1:custom-model-deployment/\$1\$1ResourceId\$1  |   [#amazonbedrock-aws_ResourceTag___TagKey_](#amazonbedrock-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Bedrock
<a name="amazonbedrock-policy-keys"></a>

Amazon Bedrock defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by creating requests based on the allowed set of values for each of the mandatory tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by having actions based on the tag value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by creating requests based on the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html#amazonbedrock-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html#amazonbedrock-policy-keys)  | Filters access by the Short-term or Long-term bearer tokens | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html#amazonbedrock-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html#amazonbedrock-policy-keys)  | Filters access by the GuardrailIdentifier containing the GuardrailArn or the GuardrailArn:NumericVersion | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by the specified inference profile | ARN | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html#amazonbedrock-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html#amazonbedrock-policy-keys)  | Filters access by the Inline Agent Names, this will be used in InvokeInlineAgent API names | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by the specified prompt router | ARN | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html#amazonbedrock-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html#amazonbedrock-policy-keys)  | Filters access by the specified ServiceTier | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by the secretArn containing the credentials of the third party platform | ARN | 

# Actions, resources, and condition keys for Amazon Bedrock Agentcore
<a name="list_amazonbedrockagentcore"></a>

Amazon Bedrock Agentcore (service prefix: `bedrock-agentcore`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/) permission policies.

**Topics**
+ [

## Actions defined by Amazon Bedrock Agentcore
](#amazonbedrockagentcore-actions-as-permissions)
+ [

## Resource types defined by Amazon Bedrock Agentcore
](#amazonbedrockagentcore-resources-for-iam-policies)
+ [

## Condition keys for Amazon Bedrock Agentcore
](#amazonbedrockagentcore-policy-keys)

## Actions defined by Amazon Bedrock Agentcore
<a name="amazonbedrockagentcore-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonbedrockagentcore-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html)

## Resource types defined by Amazon Bedrock Agentcore
<a name="amazonbedrockagentcore-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonbedrockagentcore-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/evaluator.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/evaluator.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:evaluator/\$1\$1EvaluatorId\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/onlineEvaluationConfig.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/onlineEvaluationConfig.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:online-evaluation-config/\$1\$1OnlineEvaluationConfigId\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/memory.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/memory.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:memory/\$1\$1MemoryId\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/gateway.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/gateway.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/workloadIdentity.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/workloadIdentity.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:workload-identity-directory/\$1\$1DirectoryId\$1/workload-identity/\$1\$1WorkloadIdentityName\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/oauth2credentialprovider.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/oauth2credentialprovider.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:token-vault/\$1\$1TokenVaultId\$1/oauth2credentialprovider/\$1\$1Name\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/apikeycredentialprovider.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/apikeycredentialprovider.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:token-vault/\$1\$1TokenVaultId\$1/apikeycredentialprovider/\$1\$1Name\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/runtime.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/runtime.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:runtime/\$1\$1RuntimeId\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/runtimeEndpoint.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/runtimeEndpoint.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:runtime/\$1\$1RuntimeId\$1/runtime-endpoint/\$1\$1Name\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/codeInterpreter.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/codeInterpreter.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:code-interpreter-custom/\$1\$1CodeInterpreterId\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/codeInterpreter.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/codeInterpreter.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:aws:code-interpreter/\$1\$1CodeInterpreterId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/browser.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/browser.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:browser-custom/\$1\$1BrowserId\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/browser.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/browser.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:aws:browser/\$1\$1BrowserId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/browserProfile.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/browserProfile.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:browser-profile/\$1\$1BrowserProfileId\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/workloadIdentityDirectory.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/workloadIdentityDirectory.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:workload-identity-directory/\$1\$1DirectoryId\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/tokenVault.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/tokenVault.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:token-vault/\$1\$1TokenVaultId\$1  |   [#amazonbedrockagentcore-aws_ResourceTag___TagKey_](#amazonbedrockagentcore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/policyEngine.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/policyEngine.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:policy-engine/\$1\$1PolicyEngineId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/policy.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/policy.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:policy-engine/\$1\$1PolicyEngineId\$1/policy/\$1\$1PolicyId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/policyGeneration.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/policyGeneration.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:policy-engine/\$1\$1PolicyEngineId\$1/policy-generation/\$1\$1PolicyGenerationId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/registry.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/registry.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:registry/\$1\$1RegistryId\$1  |  | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/registryRecord.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/registryRecord.html)  |  arn:\$1\$1Partition\$1:bedrock-agentcore:\$1\$1Region\$1:\$1\$1Account\$1:registry/\$1\$1RegistryId\$1/record/\$1\$1RecordId\$1  |  | 

## Condition keys for Amazon Bedrock Agentcore
<a name="amazonbedrockagentcore-policy-keys"></a>

Amazon Bedrock Agentcore defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by creating requests based on the allowed set of values for each of the mandatory tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by having actions based on the tag value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by creating requests based on the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-gatewayAuthorizerType](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-gatewayAuthorizerType)  | Filters access by the authorizerType attribute on a Gateway | String | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-aud](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-aud)  | Filters access by the audience claim (aud) in the JWT passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-client_id](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-client_id)  | Filters access by the client\$1id claim in the JWT passed in the request | String | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-iss](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-iss)  | Filters access by the issuer (iss) claim present in the JWT passed in the request | String | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-scope](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-scope)  | Filters access by the scope claim in the JWT passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-sub](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-sub)  | Filters access by the subject claim (sub) in the JWT passed in the request | String | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-kmsKeyArn](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-kmsKeyArn)  | Filters access by KMS Key arn provided | String | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-actorId](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-actorId)  | Filters access by Actor Id | String | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-namespace](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-namespace)  | Filters access by namespace | String | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-vpc-condition.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-vpc-condition.html)  | Filters access by the ID of security groups configured for the AgentCore runtime | ArrayOfString | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-sessionId](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-sessionId)  | Filters access by Session Id | String | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-strategyId](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-strategyId)  | Filters access by Memory Strategy Id | String | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-vpc-condition.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-vpc-condition.html)  | Filters access by the ID of subnets configured for the AgentCore runtime | ArrayOfString | 
|   [https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-userid](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-userid)  | Filters access by the static user ID value passed in the request | String | 

# Actions, resources, and condition keys for Amazon Bedrock Powered by AWS Mantle
<a name="list_amazonbedrockpoweredbyawsmantle"></a>

Amazon Bedrock Powered by AWS Mantle (service prefix: `bedrock-mantle`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/bedrock/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam-awsmanpol.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Bedrock Powered by AWS Mantle
](#amazonbedrockpoweredbyawsmantle-actions-as-permissions)
+ [

## Resource types defined by Amazon Bedrock Powered by AWS Mantle
](#amazonbedrockpoweredbyawsmantle-resources-for-iam-policies)
+ [

## Condition keys for Amazon Bedrock Powered by AWS Mantle
](#amazonbedrockpoweredbyawsmantle-policy-keys)

## Actions defined by Amazon Bedrock Powered by AWS Mantle
<a name="amazonbedrockpoweredbyawsmantle-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonbedrockpoweredbyawsmantle-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockpoweredbyawsmantle.html)

## Resource types defined by Amazon Bedrock Powered by AWS Mantle
<a name="amazonbedrockpoweredbyawsmantle-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonbedrockpoweredbyawsmantle-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html#Project](https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html#Project)  |  arn:\$1\$1Partition\$1:bedrock-mantle:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ResourceId\$1  |   [#amazonbedrockpoweredbyawsmantle-aws_ResourceTag___TagKey_](#amazonbedrockpoweredbyawsmantle-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html#CustomizedModel](https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html#CustomizedModel)  |  arn:\$1\$1Partition\$1:bedrock-mantle:\$1\$1Region\$1:\$1\$1Account\$1:customized-model/\$1\$1ResourceId\$1  |   [#amazonbedrockpoweredbyawsmantle-aws_ResourceTag___TagKey_](#amazonbedrockpoweredbyawsmantle-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html#Reservation](https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html#Reservation)  |  arn:\$1\$1Partition\$1:bedrock-mantle:\$1\$1Region\$1:\$1\$1Account\$1:reservation/\$1\$1ResourceId\$1  |   [#amazonbedrockpoweredbyawsmantle-aws_ResourceTag___TagKey_](#amazonbedrockpoweredbyawsmantle-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Bedrock Powered by AWS Mantle
<a name="amazonbedrockpoweredbyawsmantle-policy-keys"></a>

Amazon Bedrock Powered by AWS Mantle defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys)  | Filters access by the Short-term or Long-term bearer tokens | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys)  | Filters access by the ARN of the customized model being associated or referenced in cross-resource operations | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys)  | Filters access by the specified file identifiers | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys)  | Filters access by the specified fine-tuning job identifier | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys)  | Filters access by the specified Model | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys)  | Filters access by the ARN of the project being associated or referenced in cross-resource operations | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys)  | Filters access by the ARN of the reservation being referenced in cross-resource operations | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockmantle.html#amazonbedrockmantle-policy-keys)  | Filters access by the specified ServiceTier | String | 

# Actions, resources, and condition keys for AWS Billing
<a name="list_awsbilling"></a>

AWS Billing (service prefix: `billing`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_Operations_AWS_Billing.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Billing
](#awsbilling-actions-as-permissions)
+ [

## Resource types defined by AWS Billing
](#awsbilling-resources-for-iam-policies)
+ [

## Condition keys for AWS Billing
](#awsbilling-policy-keys)

## Actions defined by AWS Billing
<a name="awsbilling-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbilling-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbilling.html)

## Resource types defined by AWS Billing
<a name="awsbilling-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbilling-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/)  |  arn:\$1\$1Partition\$1:billing::\$1\$1Account\$1:billingview/\$1\$1ResourceId\$1  |   [#awsbilling-aws_ResourceTag___TagKey_](#awsbilling-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Billing
<a name="awsbilling-policy-keys"></a>

AWS Billing defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Billing and Cost Management Dashboards
<a name="list_awsbillingandcostmanagementdashboards"></a>

AWS Billing and Cost Management Dashboards (service prefix: `bcm-dashboards`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cost-management/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cost-management/latest/userguide/) permission policies.

**Topics**
+ [

## Actions defined by AWS Billing and Cost Management Dashboards
](#awsbillingandcostmanagementdashboards-actions-as-permissions)
+ [

## Resource types defined by AWS Billing and Cost Management Dashboards
](#awsbillingandcostmanagementdashboards-resources-for-iam-policies)
+ [

## Condition keys for AWS Billing and Cost Management Dashboards
](#awsbillingandcostmanagementdashboards-policy-keys)

## Actions defined by AWS Billing and Cost Management Dashboards
<a name="awsbillingandcostmanagementdashboards-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbillingandcostmanagementdashboards-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_CreateDashboard.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_CreateDashboard.html)  | Grants permission to create a dashboard | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_CreateScheduledReport.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_CreateScheduledReport.html)  | Grants permission to create a scheduled report | Write |  |   [#awsbillingandcostmanagementdashboards-aws_ResourceTag___TagKey_](#awsbillingandcostmanagementdashboards-aws_ResourceTag___TagKey_)   [#awsbillingandcostmanagementdashboards-aws_TagKeys](#awsbillingandcostmanagementdashboards-aws_TagKeys)   |   iam:PassRole   | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_DeleteDashboard.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_DeleteDashboard.html)  | Grants permission to delete a dashboard | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_DeleteScheduledReport.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_DeleteScheduledReport.html)  | Grants permission to delete a scheduled report | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_ExecuteScheduledReport.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_ExecuteScheduledReport.html)  | Grants permission to execute a scheduled report | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_GetDashboard.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_GetDashboard.html)  | Grants permission to get dashboard information | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_GetResourcePolicy.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_GetResourcePolicy.html)  | Grants permission to get the resource policy for a dashboard | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_GetScheduledReport.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_GetScheduledReport.html)  | Grants permission to get scheduled report information | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_ListDashboards.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_ListDashboards.html)  | Grants permission to list information about all of the dashboards for a user | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_ListScheduledReports.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_ListScheduledReports.html)  | Grants permission to list information about all of the scheduled reports for a user | List |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_ListTagsForResource.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_ListTagsForResource.html)  | Grants permission to list all of the tags for a resource | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_TagResource.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_TagResource.html)  | Grants permission to create a tag for a resource | Tagging |  |   [#awsbillingandcostmanagementdashboards-aws_TagKeys](#awsbillingandcostmanagementdashboards-aws_TagKeys)   [#awsbillingandcostmanagementdashboards-aws_RequestTag___TagKey_](#awsbillingandcostmanagementdashboards-aws_RequestTag___TagKey_)   |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_UntagResource.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_UntagResource.html)  | Grants permission to remove a tag for a resource | Tagging |  |   [#awsbillingandcostmanagementdashboards-aws_TagKeys](#awsbillingandcostmanagementdashboards-aws_TagKeys)   |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_UpdateDashboard.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_UpdateDashboard.html)  | Grants permission to update an existing dashboard | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_UpdateScheduledReport.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_bcmDashboards_UpdateScheduledReport.html)  | Grants permission to update an existing scheduled report | Write |  |  |  | 

## Resource types defined by AWS Billing and Cost Management Dashboards
<a name="awsbillingandcostmanagementdashboards-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbillingandcostmanagementdashboards-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cost-management/latest/userguide/](https://docs.aws.amazon.com/cost-management/latest/userguide/)  |  arn:\$1\$1Partition\$1:bcm-dashboards::\$1\$1Account\$1:dashboard/\$1\$1DashboardName\$1  |   [#awsbillingandcostmanagementdashboards-aws_ResourceTag___TagKey_](#awsbillingandcostmanagementdashboards-aws_ResourceTag___TagKey_)   [#awsbillingandcostmanagementdashboards-aws_TagKeys](#awsbillingandcostmanagementdashboards-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/cost-management/latest/userguide/](https://docs.aws.amazon.com/cost-management/latest/userguide/)  |  arn:\$1\$1Partition\$1:bcm-dashboards::\$1\$1Account\$1:scheduled-report/\$1\$1ScheduledReportName\$1  |   [#awsbillingandcostmanagementdashboards-aws_ResourceTag___TagKey_](#awsbillingandcostmanagementdashboards-aws_ResourceTag___TagKey_)   [#awsbillingandcostmanagementdashboards-aws_TagKeys](#awsbillingandcostmanagementdashboards-aws_TagKeys)   | 

## Condition keys for AWS Billing and Cost Management Dashboards
<a name="awsbillingandcostmanagementdashboards-policy-keys"></a>

AWS Billing and Cost Management Dashboards defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/cost-management/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/cost-management/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Billing And Cost Management Data Exports
<a name="list_awsbillingandcostmanagementdataexports"></a>

AWS Billing And Cost Management Data Exports (service prefix: `bcm-data-exports`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cur/latest/userguide/what-is-data-exports.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_Operations_AWS_Billing_and_Cost_Management_Data_Exports.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cur/latest/userguide/bcm-data-exports-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Billing And Cost Management Data Exports
](#awsbillingandcostmanagementdataexports-actions-as-permissions)
+ [

## Resource types defined by AWS Billing And Cost Management Data Exports
](#awsbillingandcostmanagementdataexports-resources-for-iam-policies)
+ [

## Condition keys for AWS Billing And Cost Management Data Exports
](#awsbillingandcostmanagementdataexports-policy-keys)

## Actions defined by AWS Billing And Cost Management Data Exports
<a name="awsbillingandcostmanagementdataexports-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbillingandcostmanagementdataexports-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbillingandcostmanagementdataexports.html)

## Resource types defined by AWS Billing And Cost Management Data Exports
<a name="awsbillingandcostmanagementdataexports-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbillingandcostmanagementdataexports-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_DataExports_Export.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_DataExports_Export.html)  |  arn:\$1\$1Partition\$1:bcm-data-exports:\$1\$1Region\$1:\$1\$1Account\$1:export/\$1\$1Identifier\$1  |   [#awsbillingandcostmanagementdataexports-aws_ResourceTag___TagKey_](#awsbillingandcostmanagementdataexports-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_DataExports_Table.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_DataExports_Table.html)  |  arn:\$1\$1Partition\$1:bcm-data-exports:\$1\$1Region\$1:\$1\$1Account\$1:table/\$1\$1Identifier\$1  |  | 
|   [https://docs.aws.amazon.com/cur/latest/userguide/](https://docs.aws.amazon.com/cur/latest/userguide/)  |  arn:\$1\$1Partition\$1:billing::\$1\$1Account\$1:billingview/\$1\$1ResourceId\$1  |   [#awsbillingandcostmanagementdataexports-aws_ResourceTag___TagKey_](#awsbillingandcostmanagementdataexports-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Billing And Cost Management Data Exports
<a name="awsbillingandcostmanagementdataexports-policy-keys"></a>

AWS Billing And Cost Management Data Exports defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Billing And Cost Management Pricing Calculator
<a name="list_awsbillingandcostmanagementpricingcalculator"></a>

AWS Billing And Cost Management Pricing Calculator (service prefix: `bcm-pricing-calculator`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cost-management/latest/userguide/pricing-calculator.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_Operations_AWS_Billing_and_Cost_Management_Pricing_Calculator.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cost-management/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Billing And Cost Management Pricing Calculator
](#awsbillingandcostmanagementpricingcalculator-actions-as-permissions)
+ [

## Resource types defined by AWS Billing And Cost Management Pricing Calculator
](#awsbillingandcostmanagementpricingcalculator-resources-for-iam-policies)
+ [

## Condition keys for AWS Billing And Cost Management Pricing Calculator
](#awsbillingandcostmanagementpricingcalculator-policy-keys)

## Actions defined by AWS Billing And Cost Management Pricing Calculator
<a name="awsbillingandcostmanagementpricingcalculator-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbillingandcostmanagementpricingcalculator-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbillingandcostmanagementpricingcalculator.html)

## Resource types defined by AWS Billing And Cost Management Pricing Calculator
<a name="awsbillingandcostmanagementpricingcalculator-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbillingandcostmanagementpricingcalculator-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cost-management/latest/userguide/pc-bill-estimate.html](https://docs.aws.amazon.com/cost-management/latest/userguide/pc-bill-estimate.html)  |  arn:\$1\$1Partition\$1:bcm-pricing-calculator::\$1\$1Account\$1:bill-estimate/\$1\$1BillEstimateId\$1  |  | 
|   [https://docs.aws.amazon.com/cost-management/latest/userguide/pc-bill-scenario.html](https://docs.aws.amazon.com/cost-management/latest/userguide/pc-bill-scenario.html)  |  arn:\$1\$1Partition\$1:bcm-pricing-calculator::\$1\$1Account\$1:bill-scenario/\$1\$1BillScenarioId\$1  |   [#awsbillingandcostmanagementpricingcalculator-aws_ResourceTag___TagKey_](#awsbillingandcostmanagementpricingcalculator-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cost-management/latest/userguide/pc-workload-estimate.html](https://docs.aws.amazon.com/cost-management/latest/userguide/pc-workload-estimate.html)  |  arn:\$1\$1Partition\$1:bcm-pricing-calculator::\$1\$1Account\$1:workload-estimate/\$1\$1WorkloadEstimateId\$1  |   [#awsbillingandcostmanagementpricingcalculator-aws_ResourceTag___TagKey_](#awsbillingandcostmanagementpricingcalculator-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Billing And Cost Management Pricing Calculator
<a name="awsbillingandcostmanagementpricingcalculator-policy-keys"></a>

AWS Billing And Cost Management Pricing Calculator defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Billing And Cost Management Recommended Actions
<a name="list_awsbillingandcostmanagementrecommendedactions"></a>

AWS Billing And Cost Management Recommended Actions (service prefix: `bcm-recommended-actions`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cost-management/latest/userguide/view-billing-dashboard.html#recommended-actions-widget).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_Operations_AWS_Billing_and_Cost_Management_Recommended_Actions.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cost-management/latest/userguide/billing-permissions-ref.html#allows-recommended-actions-access) permission policies.

**Topics**
+ [

## Actions defined by AWS Billing And Cost Management Recommended Actions
](#awsbillingandcostmanagementrecommendedactions-actions-as-permissions)
+ [

## Resource types defined by AWS Billing And Cost Management Recommended Actions
](#awsbillingandcostmanagementrecommendedactions-resources-for-iam-policies)
+ [

## Condition keys for AWS Billing And Cost Management Recommended Actions
](#awsbillingandcostmanagementrecommendedactions-policy-keys)

## Actions defined by AWS Billing And Cost Management Recommended Actions
<a name="awsbillingandcostmanagementrecommendedactions-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbillingandcostmanagementrecommendedactions-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_BillingAndCostManagementRecommendedActions_ListRecommendedActions.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_BillingAndCostManagementRecommendedActions_ListRecommendedActions.html)  | Grants permission to list all recommended actions | List |  |  |  | 

## Resource types defined by AWS Billing And Cost Management Recommended Actions
<a name="awsbillingandcostmanagementrecommendedactions-resources-for-iam-policies"></a>

AWS Billing And Cost Management Recommended Actions does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Billing And Cost Management Recommended Actions, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Billing And Cost Management Recommended Actions
<a name="awsbillingandcostmanagementrecommendedactions-policy-keys"></a>

BillingAndCostManagementRecommendedActions has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Billing Conductor
<a name="list_awsbillingconductor"></a>

AWS Billing Conductor (service prefix: `billingconductor`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/billingconductor/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/billingconductor/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/billingconductor/latest/userguide/) permission policies.

**Topics**
+ [

## Actions defined by AWS Billing Conductor
](#awsbillingconductor-actions-as-permissions)
+ [

## Resource types defined by AWS Billing Conductor
](#awsbillingconductor-resources-for-iam-policies)
+ [

## Condition keys for AWS Billing Conductor
](#awsbillingconductor-policy-keys)

## Actions defined by AWS Billing Conductor
<a name="awsbillingconductor-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbillingconductor-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbillingconductor.html)

## Resource types defined by AWS Billing Conductor
<a name="awsbillingconductor-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbillingconductor-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/billingconductor/latest/userguide/understanding-abc.html](https://docs.aws.amazon.com/billingconductor/latest/userguide/understanding-abc.html)  |  arn:\$1\$1Partition\$1:billingconductor::\$1\$1Account\$1:billinggroup/\$1\$1BillingGroupId\$1  |   [#awsbillingconductor-aws_ResourceTag___TagKey_](#awsbillingconductor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/billingconductor/latest/userguide/understanding-abc.html](https://docs.aws.amazon.com/billingconductor/latest/userguide/understanding-abc.html)  |  arn:\$1\$1Partition\$1:billingconductor::\$1\$1Account\$1:pricingplan/\$1\$1PricingPlanId\$1  |   [#awsbillingconductor-aws_ResourceTag___TagKey_](#awsbillingconductor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/billingconductor/latest/userguide/understanding-abc.html](https://docs.aws.amazon.com/billingconductor/latest/userguide/understanding-abc.html)  |  arn:\$1\$1Partition\$1:billingconductor::\$1\$1Account\$1:pricingrule/\$1\$1PricingRuleId\$1  |   [#awsbillingconductor-aws_ResourceTag___TagKey_](#awsbillingconductor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/billingconductor/latest/userguide/understanding-abc.html](https://docs.aws.amazon.com/billingconductor/latest/userguide/understanding-abc.html)  |  arn:\$1\$1Partition\$1:billingconductor::\$1\$1Account\$1:customlineitem/\$1\$1CustomLineItemId\$1  |   [#awsbillingconductor-aws_ResourceTag___TagKey_](#awsbillingconductor-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Billing Conductor
<a name="awsbillingconductor-policy-keys"></a>

AWS Billing Conductor defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Billing Console
<a name="list_awsbillingconsole"></a>

AWS Billing Console (service prefix: `aws-portal`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/api-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Billing Console
](#awsbillingconsole-actions-as-permissions)
+ [

## Resource types defined by AWS Billing Console
](#awsbillingconsole-resources-for-iam-policies)
+ [

## Condition keys for AWS Billing Console
](#awsbillingconsole-policy-keys)

## Actions defined by AWS Billing Console
<a name="awsbillingconsole-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbillingconsole-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Grants permission to view whether existing or fine-grained IAM actions are being used to control authorization to Billing, Cost Management, and Account consoles | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Allow or deny IAM users permission to modify Account Settings | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Allow or deny IAM users permission to modify billing settings | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Allow or deny IAM users permission to modify payment methods | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Grants permission to change whether existing or fine-grained IAM actions will be used to control authorization to Billing, Cost Management, and Account consoles | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Allow or deny IAM users permission to view account settings | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Allow or deny IAM users permission to view billing pages in the console | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Allow or deny IAM users permission to view payment methods | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Allow or deny IAM users permission to view AWS usage reports | Read |  |  |  | 

## Resource types defined by AWS Billing Console
<a name="awsbillingconsole-resources-for-iam-policies"></a>

AWS Billing Console does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Billing Console, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Billing Console
<a name="awsbillingconsole-policy-keys"></a>

Billing Console has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Braket
<a name="list_amazonbraket"></a>

Amazon Braket (service prefix: `braket`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/braket/latest/developerguide/what-is-braket.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/braket/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/braket/latest/developerguide/braket-manage-access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Braket
](#amazonbraket-actions-as-permissions)
+ [

## Resource types defined by Amazon Braket
](#amazonbraket-resources-for-iam-policies)
+ [

## Condition keys for Amazon Braket
](#amazonbraket-policy-keys)

## Actions defined by Amazon Braket
<a name="amazonbraket-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonbraket-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbraket.html)

## Resource types defined by Amazon Braket
<a name="amazonbraket-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonbraket-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/braket/latest/developerguide/braket-manage-access.html#resources](https://docs.aws.amazon.com/braket/latest/developerguide/braket-manage-access.html#resources)  |  arn:\$1\$1Partition\$1:braket:\$1\$1Region\$1:\$1\$1Account\$1:quantum-task/\$1\$1RandomId\$1  |   [#amazonbraket-aws_ResourceTag___TagKey_](#amazonbraket-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/braket/latest/developerguide/braket-manage-access.html#resources](https://docs.aws.amazon.com/braket/latest/developerguide/braket-manage-access.html#resources)  |  arn:\$1\$1Partition\$1:braket:\$1\$1Region\$1:\$1\$1Account\$1:job/\$1\$1JobName\$1  |   [#amazonbraket-aws_ResourceTag___TagKey_](#amazonbraket-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/braket/latest/developerguide/braket-manage-access.html#resources](https://docs.aws.amazon.com/braket/latest/developerguide/braket-manage-access.html#resources)  |  arn:\$1\$1Partition\$1:braket:\$1\$1Region\$1:\$1\$1Account\$1:spending-limit/\$1\$1RandomId\$1  |   [#amazonbraket-aws_ResourceTag___TagKey_](#amazonbraket-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Braket
<a name="amazonbraket-policy-keys"></a>

Amazon Braket defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Budget Service
<a name="list_awsbudgetservice"></a>

AWS Budget Service (service prefix: `budgets`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-managing-costs.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_Operations_AWS_Budgets.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cost-management/latest/userguide/billing-permissions-ref.html#user-permissions) permission policies.

**Topics**
+ [

## Actions defined by AWS Budget Service
](#awsbudgetservice-actions-as-permissions)
+ [

## Resource types defined by AWS Budget Service
](#awsbudgetservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Budget Service
](#awsbudgetservice-policy-keys)

## Actions defined by AWS Budget Service
<a name="awsbudgetservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbudgetservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).

**Note**  
The actions in this table are not APIs, but are instead permissions that grant access to the AWS Billing and Cost Management APIs that access budgets.


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbudgetservice.html)

## Resource types defined by AWS Budget Service
<a name="awsbudgetservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbudgetservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-managing-costs.html](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-managing-costs.html)  |  arn:\$1\$1Partition\$1:budgets::\$1\$1Account\$1:budget/\$1\$1BudgetName\$1  |   [#awsbudgetservice-aws_RequestTag___TagKey_](#awsbudgetservice-aws_RequestTag___TagKey_)   [#awsbudgetservice-aws_ResourceTag___TagKey_](#awsbudgetservice-aws_ResourceTag___TagKey_)   [#awsbudgetservice-aws_TagKeys](#awsbudgetservice-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-controls.html](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-controls.html)  |  arn:\$1\$1Partition\$1:budgets::\$1\$1Account\$1:budget/\$1\$1BudgetName\$1/action/\$1\$1ActionId\$1  |   [#awsbudgetservice-aws_RequestTag___TagKey_](#awsbudgetservice-aws_RequestTag___TagKey_)   [#awsbudgetservice-aws_ResourceTag___TagKey_](#awsbudgetservice-aws_ResourceTag___TagKey_)   [#awsbudgetservice-aws_TagKeys](#awsbudgetservice-aws_TagKeys)   | 

## Condition keys for AWS Budget Service
<a name="awsbudgetservice-policy-keys"></a>

AWS Budget Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS BugBust
<a name="list_awsbugbust"></a>

AWS BugBust (service prefix: `bugbust`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codeguru/latest/bugbust-ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codeguru/latest/bugbust-ug/auth-and-access-control-permissions-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codeguru/latest/bugbust-ug/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS BugBust
](#awsbugbust-actions-as-permissions)
+ [

## Resource types defined by AWS BugBust
](#awsbugbust-resources-for-iam-policies)
+ [

## Condition keys for AWS BugBust
](#awsbugbust-policy-keys)

## Actions defined by AWS BugBust
<a name="awsbugbust-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsbugbust-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbugbust.html)

## Resource types defined by AWS BugBust
<a name="awsbugbust-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsbugbust-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codeguru/latest/bugbust-ug/event-managing.html](https://docs.aws.amazon.com/codeguru/latest/bugbust-ug/event-managing.html)  |  arn:\$1\$1Partition\$1:bugbust:\$1\$1Region\$1:\$1\$1Account\$1:events/\$1\$1EventId\$1  |   [#awsbugbust-aws_ResourceTag___TagKey_](#awsbugbust-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS BugBust
<a name="awsbugbust-policy-keys"></a>

AWS BugBust defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Certificate Manager
<a name="list_awscertificatemanager"></a>

AWS Certificate Manager (service prefix: `acm`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/acm/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/acm/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Certificate Manager
](#awscertificatemanager-actions-as-permissions)
+ [

## Resource types defined by AWS Certificate Manager
](#awscertificatemanager-resources-for-iam-policies)
+ [

## Condition keys for AWS Certificate Manager
](#awscertificatemanager-policy-keys)

## Actions defined by AWS Certificate Manager
<a name="awscertificatemanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscertificatemanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanager.html)

## Resource types defined by AWS Certificate Manager
<a name="awscertificatemanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscertificatemanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-acm-cert](https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-acm-cert)  |  arn:\$1\$1Partition\$1:acm:\$1\$1Region\$1:\$1\$1Account\$1:certificate/\$1\$1CertificateId\$1  |   [#awscertificatemanager-aws_ResourceTag___TagKey_](#awscertificatemanager-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Certificate Manager
<a name="awscertificatemanager-policy-keys"></a>

AWS Certificate Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html](https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html)  | Filters access by certificateAuthority in the request. Can be used to restrict which Certificate Authorites certificates can be issued from | String | 
|   [https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html](https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html)  | Filters access by certificateTransparencyLogging option in the request. Default 'ENABLED' if no key is present in the request | String | 
|   [https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html](https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html)  | Filters access by domainNames in the request. This key can be used to restrict which domains can be in certificate requests | ArrayOfString | 
|   [https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html](https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html)  | Filters access by the export option in the request. Can be used to restrict creation of certificates that can be exported | String | 
|   [https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html](https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html)  | Filters access by keyAlgorithm in the request | String | 
|   [https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html](https://docs.aws.amazon.com/acm/latest/userguide/security-iam.html)  | Filters access by validationMethod in the request. Default 'EMAIL' if no key is present in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Chatbot
<a name="list_awschatbot"></a>

AWS Chatbot (service prefix: `chatbot`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/chatbot/latest/adminguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/chatbot/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/chatbot/latest/adminguide/security_iam_service-with-iam-id-based-policies.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Chatbot
](#awschatbot-actions-as-permissions)
+ [

## Resource types defined by AWS Chatbot
](#awschatbot-resources-for-iam-policies)
+ [

## Condition keys for AWS Chatbot
](#awschatbot-policy-keys)

## Actions defined by AWS Chatbot
<a name="awschatbot-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awschatbot-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html)

## Resource types defined by AWS Chatbot
<a name="awschatbot-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awschatbot-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/chatbot/latest/adminguide/what-is.html](https://docs.aws.amazon.com/chatbot/latest/adminguide/what-is.html)  |  arn:\$1\$1Partition\$1:chatbot::\$1\$1Account\$1:chat-configuration/\$1\$1ConfigurationType\$1/\$1\$1ChatbotConfigurationName\$1  |   [#awschatbot-aws_ResourceTag___TagKey_](#awschatbot-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chatbot/latest/adminguide/what-is.html](https://docs.aws.amazon.com/chatbot/latest/adminguide/what-is.html)  |  arn:\$1\$1Partition\$1:chatbot::\$1\$1Account\$1:custom-action/\$1\$1ActionName\$1  |   [#awschatbot-aws_ResourceTag___TagKey_](#awschatbot-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Chatbot
<a name="awschatbot-policy-keys"></a>

AWS Chatbot defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Chime
<a name="list_amazonchime"></a>

Amazon Chime (service prefix: `chime`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/chime/latest/ug/what-is-chime.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/chime/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/chime/latest/ag/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Chime
](#amazonchime-actions-as-permissions)
+ [

## Resource types defined by Amazon Chime
](#amazonchime-resources-for-iam-policies)
+ [

## Condition keys for Amazon Chime
](#amazonchime-policy-keys)

## Actions defined by Amazon Chime
<a name="amazonchime-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonchime-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchime.html)

## Resource types defined by Amazon Chime
<a name="amazonchime-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonchime-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/chime/latest/APIReference/API_Meeting.html](https://docs.aws.amazon.com/chime/latest/APIReference/API_Meeting.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:meeting/\$1\$1MeetingId\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_identity-chime_AppInstance.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_identity-chime_AppInstance.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:app-instance/\$1\$1AppInstanceId\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_identity-chime_AppInstanceUser.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_identity-chime_AppInstanceUser.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:app-instance/\$1\$1AppInstanceId\$1/user/\$1\$1AppInstanceUserId\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_identity-chime_AppInstanceBot.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_identity-chime_AppInstanceBot.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:app-instance/\$1\$1AppInstanceId\$1/bot/\$1\$1AppInstanceBotId\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_messaging-chime_Channel.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_messaging-chime_Channel.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:app-instance/\$1\$1AppInstanceId\$1/channel/\$1\$1ChannelId\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_messaging-chime_ChannelFlow.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_messaging-chime_ChannelFlow.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:app-instance/\$1\$1AppInstanceId\$1/channel-flow/\$1\$1ChannelFlowId\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_media-pipelines-chime_MediaPipeline.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_media-pipelines-chime_MediaPipeline.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:media-pipeline/\$1\$1MediaPipelineId\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_media-pipelines-chime_MediaInsightsPipelineConfiguration.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_media-pipelines-chime_MediaInsightsPipelineConfiguration.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:media-insights-pipeline-configuration/\$1\$1ConfigurationName\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_media-pipelines-chime_KinesisVideoStreamPoolConfiguration.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_media-pipelines-chime_KinesisVideoStreamPoolConfiguration.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:media-pipeline-kinesis-video-stream-pool/\$1\$1PoolName\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_voice-chime_CreateVoiceProfileDomain.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_voice-chime_CreateVoiceProfileDomain.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:voice-profile-domain/\$1\$1VoiceProfileDomainId\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_voice-chime_CreateVoiceProfile.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_voice-chime_CreateVoiceProfile.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:voice-profile/\$1\$1VoiceProfileId\$1  |  | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_voice-chime_VoiceConnector.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_voice-chime_VoiceConnector.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:vc/\$1\$1VoiceConnectorId\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_voice-chime_SipMediaApplication.html](https://docs.aws.amazon.com/chime-sdk/latest/APIReference/API_voice-chime_SipMediaApplication.html)  |  arn:\$1\$1Partition\$1:chime:\$1\$1Region\$1:\$1\$1AccountId\$1:sma/\$1\$1SipMediaApplicationId\$1  |   [#amazonchime-aws_ResourceTag___TagKey_](#amazonchime-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Chime
<a name="amazonchime-policy-keys"></a>

Amazon Chime defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in a request | ArrayOfString | 

# Actions, resources, and condition keys for Claude Platform on AWS
<a name="list_claudeplatformonaws"></a>

Claude Platform on AWS (service prefix: `aws-external-anthropic`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/) permission policies.

**Topics**
+ [

## Actions defined by Claude Platform on AWS
](#claudeplatformonaws-actions-as-permissions)
+ [

## Resource types defined by Claude Platform on AWS
](#claudeplatformonaws-resources-for-iam-policies)
+ [

## Condition keys for Claude Platform on AWS
](#claudeplatformonaws-policy-keys)

## Actions defined by Claude Platform on AWS
<a name="claudeplatformonaws-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#claudeplatformonaws-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to archive a workspace | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to assume console access on Claude Platform | Write |  |   [#claudeplatformonaws-aws-external-anthropic_Capability](#claudeplatformonaws-aws-external-anthropic_Capability)   |  | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/) [permission only] | Grants permission to make API calls using bearer token authentication | List |  |   [#claudeplatformonaws-aws-external-anthropic_BearerTokenType](#claudeplatformonaws-aws-external-anthropic_BearerTokenType)   |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to cancel an in-progress batch inference request | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to count tokens for a message request | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to create a batch inference request | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to upload a file to a workspace | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to create a chat completion inference request | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to create a skill in a workspace | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to create a user profile in a workspace | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to create a workspace in an organization | Write |  |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to delete a batch inference request | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to delete a file from a workspace | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to delete a skill from a workspace | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to retrieve the status of account setup and AWS Marketplace registration | Read |  |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to retrieve details of a batch inference request | Read |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to retrieve a file or its content from a workspace | Read |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to retrieve information about a specific model | Read |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to retrieve details of a skill or its versions | Read |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to retrieve details of a user profile | Read |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to retrieve details of a workspace | Read |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to list batch inference requests in a workspace | List |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to list files in a workspace | List |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to list available models in a workspace | List |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to list skills in a workspace | List |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to list user profiles in a workspace | List |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to list workspaces in an organization | List |  |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to create or delete a skill version | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to update a user profile in a workspace | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 
|   [https://docs.aws.amazon.com/#welcome](https://docs.aws.amazon.com/#welcome)  | Grants permission to update a workspace | Write |   [#claudeplatformonaws-workspace](#claudeplatformonaws-workspace)   |  |  | 

## Resource types defined by Claude Platform on AWS
<a name="claudeplatformonaws-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#claudeplatformonaws-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/#Workspace](https://docs.aws.amazon.com/#Workspace)  |  arn:\$1\$1Partition\$1:aws-external-anthropic:\$1\$1Region\$1:\$1\$1Account\$1:workspace/\$1\$1ResourceId\$1  |  | 

## Condition keys for Claude Platform on AWS
<a name="claudeplatformonaws-policy-keys"></a>

Claude Platform on AWS defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/)  | Filters access by the Short-term or Long-term bearer tokens | String | 
|   [https://docs.aws.amazon.com/](https://docs.aws.amazon.com/)  | Filters access by the Claude Platform role used for the console session | String | 

# Actions, resources, and condition keys for AWS Clean Rooms
<a name="list_awscleanrooms"></a>

AWS Clean Rooms (service prefix: `cleanrooms`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/clean-rooms/latest/userguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/clean-rooms/latest/apireference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Clean Rooms
](#awscleanrooms-actions-as-permissions)
+ [

## Resource types defined by AWS Clean Rooms
](#awscleanrooms-resources-for-iam-policies)
+ [

## Condition keys for AWS Clean Rooms
](#awscleanrooms-policy-keys)

## Actions defined by AWS Clean Rooms
<a name="awscleanrooms-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscleanrooms-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscleanrooms.html)

## Resource types defined by AWS Clean Rooms
<a name="awscleanrooms-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscleanrooms-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:cleanrooms:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1/analysistemplate/\$1\$1AnalysisTemplateId\$1  |   [#awscleanrooms-aws_ResourceTag___TagKey_](#awscleanrooms-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:cleanrooms:\$1\$1Region\$1:\$1\$1Account\$1:collaboration/\$1\$1CollaborationId\$1  |   [#awscleanrooms-aws_ResourceTag___TagKey_](#awscleanrooms-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:cleanrooms:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1/configuredaudiencemodelassociation/\$1\$1ConfiguredAudienceModelAssociationId\$1  |   [#awscleanrooms-aws_ResourceTag___TagKey_](#awscleanrooms-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:cleanrooms:\$1\$1Region\$1:\$1\$1Account\$1:configuredtable/\$1\$1ConfiguredTableId\$1  |   [#awscleanrooms-aws_ResourceTag___TagKey_](#awscleanrooms-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:cleanrooms:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1/configuredtableassociation/\$1\$1ConfiguredTableAssociationId\$1  |   [#awscleanrooms-aws_ResourceTag___TagKey_](#awscleanrooms-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:cleanrooms:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1/idmappingtable/\$1\$1IdMappingTableId\$1  |   [#awscleanrooms-aws_ResourceTag___TagKey_](#awscleanrooms-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:cleanrooms:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1/idnamespaceassociation/\$1\$1IdNamespaceAssociationId\$1  |   [#awscleanrooms-aws_ResourceTag___TagKey_](#awscleanrooms-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:cleanrooms:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1  |   [#awscleanrooms-aws_ResourceTag___TagKey_](#awscleanrooms-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:cleanrooms:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1/privacybudgettemplate/\$1\$1PrivacyBudgetTemplateId\$1  |   [#awscleanrooms-aws_ResourceTag___TagKey_](#awscleanrooms-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Clean Rooms
<a name="awscleanrooms-policy-keys"></a>

AWS Clean Rooms defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Clean Rooms ML
<a name="list_awscleanroomsml"></a>

AWS Clean Rooms ML (service prefix: `cleanrooms-ml`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/clean-rooms/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cleanrooms-ml/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/clean-rooms/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Clean Rooms ML
](#awscleanroomsml-actions-as-permissions)
+ [

## Resource types defined by AWS Clean Rooms ML
](#awscleanroomsml-resources-for-iam-policies)
+ [

## Condition keys for AWS Clean Rooms ML
](#awscleanroomsml-policy-keys)

## Actions defined by AWS Clean Rooms ML
<a name="awscleanroomsml-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscleanroomsml-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscleanroomsml.html)

## Resource types defined by AWS Clean Rooms ML
<a name="awscleanroomsml-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscleanroomsml-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [${AuthZDocPage}](${AuthZDocPage})  |  arn:\$1\$1Partition\$1:cleanrooms-ml:\$1\$1Region\$1:\$1\$1Account\$1:training-dataset/\$1\$1ResourceId\$1  |   [#awscleanroomsml-aws_ResourceTag___TagKey_](#awscleanroomsml-aws_ResourceTag___TagKey_)   | 
|   [${AuthZDocPage}](${AuthZDocPage})  |  arn:\$1\$1Partition\$1:cleanrooms-ml:\$1\$1Region\$1:\$1\$1Account\$1:audience-model/\$1\$1ResourceId\$1  |   [#awscleanroomsml-aws_ResourceTag___TagKey_](#awscleanroomsml-aws_ResourceTag___TagKey_)   | 
|   [${AuthZDocPage}](${AuthZDocPage})  |  arn:\$1\$1Partition\$1:cleanrooms-ml:\$1\$1Region\$1:\$1\$1Account\$1:configured-audience-model/\$1\$1ResourceId\$1  |   [#awscleanroomsml-aws_ResourceTag___TagKey_](#awscleanroomsml-aws_ResourceTag___TagKey_)   | 
|   [${AuthZDocPage}](${AuthZDocPage})  |  arn:\$1\$1Partition\$1:cleanrooms-ml:\$1\$1Region\$1:\$1\$1Account\$1:audience-generation-job/\$1\$1ResourceId\$1  |   [#awscleanroomsml-aws_ResourceTag___TagKey_](#awscleanroomsml-aws_ResourceTag___TagKey_)   | 
|   [${AuthZDocPage}](${AuthZDocPage})  |  arn:\$1\$1Partition\$1:cleanrooms-ml:\$1\$1Region\$1:\$1\$1Account\$1:configured-model-algorithm/\$1\$1ResourceId\$1  |   [#awscleanroomsml-aws_ResourceTag___TagKey_](#awscleanroomsml-aws_ResourceTag___TagKey_)   | 
|   [${AuthZDocPage}](${AuthZDocPage})  |  arn:\$1\$1Partition\$1:cleanrooms-ml:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1/configured-model-algorithm-association/\$1\$1ResourceId\$1  |   [#awscleanroomsml-aws_ResourceTag___TagKey_](#awscleanroomsml-aws_ResourceTag___TagKey_)   | 
|   [${AuthZDocPage}](${AuthZDocPage})  |  arn:\$1\$1Partition\$1:cleanrooms-ml:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1/ml-input-channel/\$1\$1ResourceId\$1  |   [#awscleanroomsml-aws_ResourceTag___TagKey_](#awscleanroomsml-aws_ResourceTag___TagKey_)   | 
|   [${AuthZDocPage}](${AuthZDocPage})  |  arn:\$1\$1Partition\$1:cleanrooms-ml:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1/trained-model/\$1\$1ResourceId\$1  |   [#awscleanroomsml-aws_ResourceTag___TagKey_](#awscleanroomsml-aws_ResourceTag___TagKey_)   | 
|   [${AuthZDocPage}](${AuthZDocPage})  |  arn:\$1\$1Partition\$1:cleanrooms-ml:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1/trained-model-inference-job/\$1\$1ResourceId\$1  |   [#awscleanroomsml-aws_ResourceTag___TagKey_](#awscleanroomsml-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Clean Rooms ML
<a name="awscleanroomsml-policy-keys"></a>

AWS Clean Rooms ML defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/TBD](https://docs.aws.amazon.com/TBD)  | Filters access by Clean rooms collaboration id | String | 

# Actions, resources, and condition keys for AWS Cloud Control API
<a name="list_awscloudcontrolapi"></a>

AWS Cloud Control API (service prefix: `cloudformation`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cloudcontrolapi/latest/userguide/what-is-cloudcontrolapi.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cloudcontrolapi/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Cloud Control API
](#awscloudcontrolapi-actions-as-permissions)
+ [

## Resource types defined by AWS Cloud Control API
](#awscloudcontrolapi-resources-for-iam-policies)
+ [

## Condition keys for AWS Cloud Control API
](#awscloudcontrolapi-policy-keys)

## Actions defined by AWS Cloud Control API
<a name="awscloudcontrolapi-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscloudcontrolapi-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_CancelResourceRequest.html](https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_CancelResourceRequest.html)  | Grants permission to cancel resource requests in your account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_CreateResource.html](https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_CreateResource.html)  | Grants permission to create resources in your account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_DeleteResource.html](https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_DeleteResource.html)  | Grants permission to delete resources in your account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_GetResource.html](https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_GetResource.html)  | Grants permission to get resources in your account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_GetResourceRequestStatus.html](https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_GetResourceRequestStatus.html)  | Grants permission to get resource requests in your account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_ListResourceRequests.html](https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_ListResourceRequests.html)  | Grants permission to list resource requests in your account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_ListResources.html](https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_ListResources.html)  | Grants permission to list resources in your account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_UpdateResource.html](https://docs.aws.amazon.com/cloudcontrolapi/latest/APIReference/API_UpdateResource.html)  | Grants permission to update resources in your account | Write |  |  |  | 

## Resource types defined by AWS Cloud Control API
<a name="awscloudcontrolapi-resources-for-iam-policies"></a>

AWS Cloud Control API does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Cloud Control API, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Cloud Control API
<a name="awscloudcontrolapi-policy-keys"></a>

Cloud Control API has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Cloud Directory
<a name="list_amazonclouddirectory"></a>

Amazon Cloud Directory (service prefix: `clouddirectory`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_amazon_cd.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/directoryservice/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/UsingWithDS_IAM_AuthNAccess.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Cloud Directory
](#amazonclouddirectory-actions-as-permissions)
+ [

## Resource types defined by Amazon Cloud Directory
](#amazonclouddirectory-resources-for-iam-policies)
+ [

## Condition keys for Amazon Cloud Directory
](#amazonclouddirectory-policy-keys)

## Actions defined by Amazon Cloud Directory
<a name="amazonclouddirectory-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonclouddirectory-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonclouddirectory.html)

## Resource types defined by Amazon Cloud Directory
<a name="amazonclouddirectory-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonclouddirectory-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/cd_key_concepts.html#whatisdirectory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/cd_key_concepts.html#whatisdirectory)  |  arn:\$1\$1Partition\$1:clouddirectory:\$1\$1Region\$1:\$1\$1Account\$1:directory/\$1\$1DirectoryId\$1/schema/\$1\$1SchemaName\$1/\$1\$1Version\$1  |  | 
|   [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/cd_key_concepts.html#whatisdirectory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/cd_key_concepts.html#whatisdirectory)  |  arn:\$1\$1Partition\$1:clouddirectory:\$1\$1Region\$1:\$1\$1Account\$1:schema/development/\$1\$1SchemaName\$1  |  | 
|   [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/cd_key_concepts.html#whatisdirectory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/cd_key_concepts.html#whatisdirectory)  |  arn:\$1\$1Partition\$1:clouddirectory:\$1\$1Region\$1:\$1\$1Account\$1:directory/\$1\$1DirectoryId\$1  |  | 
|   [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/cd_key_concepts.html#whatisdirectory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/cd_key_concepts.html#whatisdirectory)  |  arn:\$1\$1Partition\$1:clouddirectory:\$1\$1Region\$1:\$1\$1Account\$1:schema/published/\$1\$1SchemaName\$1/\$1\$1Version\$1  |  | 

## Condition keys for Amazon Cloud Directory
<a name="amazonclouddirectory-policy-keys"></a>

Cloud Directory has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Cloud Map
<a name="list_awscloudmap"></a>

AWS Cloud Map (service prefix: `servicediscovery`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cloud-map/latest/dg/what-is-cloud-map.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloud-map/latest/api/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cloud-map/latest/dg/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Cloud Map
](#awscloudmap-actions-as-permissions)
+ [

## Resource types defined by AWS Cloud Map
](#awscloudmap-resources-for-iam-policies)
+ [

## Condition keys for AWS Cloud Map
](#awscloudmap-policy-keys)

## Actions defined by AWS Cloud Map
<a name="awscloudmap-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscloudmap-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html)

## Resource types defined by AWS Cloud Map
<a name="awscloudmap-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscloudmap-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloud-map/latest/dg/API_Namespace.html](https://docs.aws.amazon.com/cloud-map/latest/dg/API_Namespace.html)  |  arn:\$1\$1Partition\$1:servicediscovery:\$1\$1Region\$1:\$1\$1Account\$1:namespace/\$1\$1NamespaceId\$1  |   [#awscloudmap-aws_ResourceTag___TagKey_](#awscloudmap-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cloud-map/latest/dg/API_Service.html](https://docs.aws.amazon.com/cloud-map/latest/dg/API_Service.html)  |  arn:\$1\$1Partition\$1:servicediscovery:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceId\$1  |   [#awscloudmap-aws_ResourceTag___TagKey_](#awscloudmap-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Cloud Map
<a name="awscloudmap-policy-keys"></a>

AWS Cloud Map defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/cloud-map/latest/dg/access-control-overview.html#specifying-conditions](https://docs.aws.amazon.com/cloud-map/latest/dg/access-control-overview.html#specifying-conditions)  | Filters access by specifying the Amazon Resource Name (ARN) for the related namespace | ARN | 
|   [https://docs.aws.amazon.com/cloud-map/latest/dg/access-control-overview.html#specifying-conditions](https://docs.aws.amazon.com/cloud-map/latest/dg/access-control-overview.html#specifying-conditions)  | Filters access by specifying the name of the related namespace | String | 
|   [https://docs.aws.amazon.com/cloud-map/latest/dg/access-control-overview.html#specifying-conditions](https://docs.aws.amazon.com/cloud-map/latest/dg/access-control-overview.html#specifying-conditions)  | Filters access by specifying the Amazon Resource Name (ARN) for the related service | ARN | 
|   [https://docs.aws.amazon.com/cloud-map/latest/dg/access-control-overview.html#specifying-conditions](https://docs.aws.amazon.com/cloud-map/latest/dg/access-control-overview.html#specifying-conditions)  | Filters access by specifying the account id of the related service creator | String | 
|   [https://docs.aws.amazon.com/cloud-map/latest/dg/access-control-overview.html#specifying-conditions](https://docs.aws.amazon.com/cloud-map/latest/dg/access-control-overview.html#specifying-conditions)  | Filters access by specifying the name of the related service | String | 

# Actions, resources, and condition keys for AWS Cloud9
<a name="list_awscloud9"></a>

AWS Cloud9 (service prefix: `cloud9`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cloud9/latest/user-guide/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloud9/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cloud9/latest/user-guide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Cloud9
](#awscloud9-actions-as-permissions)
+ [

## Resource types defined by AWS Cloud9
](#awscloud9-resources-for-iam-policies)
+ [

## Condition keys for AWS Cloud9
](#awscloud9-policy-keys)

## Actions defined by AWS Cloud9
<a name="awscloud9-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscloud9-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloud9.html)

## Resource types defined by AWS Cloud9
<a name="awscloud9-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscloud9-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-environment](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-environment)  |  arn:\$1\$1Partition\$1:cloud9:\$1\$1Region\$1:\$1\$1Account\$1:environment:\$1\$1ResourceId\$1  |   [#awscloud9-aws_ResourceTag___TagKey_](#awscloud9-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Cloud9
<a name="awscloud9-policy-keys"></a>

AWS Cloud9 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_EnvironmentId](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_EnvironmentId)  | Filters access by the AWS Cloud9 environment ID | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_EnvironmentName](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_EnvironmentName)  | Filters access by the AWS Cloud9 environment name | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_InstanceType](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_InstanceType)  | Filters access by the instance type of the AWS Cloud9 environment's Amazon EC2 instance | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_OwnerArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_OwnerArn)  | Filters access by the owner ARN specified | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_Permissions)  | Filters access by the type of AWS Cloud9 permissions | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_SubnetId](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_SubnetId)  | Filters access by the subnet ID that the AWS Cloud9 environment will be created in | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_UserArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloud9.html##awscloud9-cloud9_UserArn)  | Filters access by the user ARN specified | ARN | 

# Actions, resources, and condition keys for AWS CloudFormation
<a name="list_awscloudformation"></a>

AWS CloudFormation (service prefix: `cloudformation`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CloudFormation
](#awscloudformation-actions-as-permissions)
+ [

## Resource types defined by AWS CloudFormation
](#awscloudformation-resources-for-iam-policies)
+ [

## Condition keys for AWS CloudFormation
](#awscloudformation-policy-keys)

## Actions defined by AWS CloudFormation
<a name="awscloudformation-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscloudformation-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html)

## Resource types defined by AWS CloudFormation
<a name="awscloudformation-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscloudformation-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html#w2ab1b5c15c11](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html#w2ab1b5c15c11)  |  arn:\$1\$1Partition\$1:cloudformation:\$1\$1Region\$1:\$1\$1Account\$1:changeSet/\$1\$1ChangeSetName\$1/\$1\$1Id\$1  |   [#awscloudformation-aws_ResourceTag___TagKey_](#awscloudformation-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html#w2ab1b5c15b9](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html#w2ab1b5c15b9)  |  arn:\$1\$1Partition\$1:cloudformation:\$1\$1Region\$1:\$1\$1Account\$1:stack/\$1\$1StackName\$1/\$1\$1Id\$1  |   [#awscloudformation-aws_ResourceTag___TagKey_](#awscloudformation-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stacksets-concepts-stackset](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stacksets-concepts-stackset)  |  arn:\$1\$1Partition\$1:cloudformation:\$1\$1Region\$1:\$1\$1Account\$1:stackset/\$1\$1StackSetName\$1:\$1\$1Id\$1  |   [#awscloudformation-aws_ResourceTag___TagKey_](#awscloudformation-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html)  |  arn:\$1\$1Partition\$1:cloudformation:\$1\$1Region\$1:\$1\$1Account\$1:stackset-target/\$1\$1StackSetTarget\$1  |  | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html)  |  arn:\$1\$1Partition\$1:cloudformation:\$1\$1Region\$1:\$1\$1Account\$1:type/resource/\$1\$1Type\$1  |  | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html)  |  arn:\$1\$1Partition\$1:cloudformation:\$1\$1Region\$1:\$1\$1Account\$1:type/hook/\$1\$1Type\$1  |  | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html)  |  arn:\$1\$1Partition\$1:cloudformation:\$1\$1Region\$1:\$1\$1Account\$1:generatedTemplate/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html)  |  arn:\$1\$1Partition\$1:cloudformation:\$1\$1Region\$1:\$1\$1Account\$1:resourceScan/\$1\$1Id\$1  |  | 

## Condition keys for AWS CloudFormation
<a name="awscloudformation-policy-keys"></a>

AWS CloudFormation defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by an AWS CloudFormation change set name. Use to control which change sets IAM users can execute or delete | String | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by the name of a resource-mutating API action. Use to control which APIs IAM users can use to add or remove tags on a stack or stack set | String | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by the template resource types, such as AWS::EC2::Instance. Use to control which resource types IAM users can work with when they want to import a resource into a stack | String | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by the template resource types, such as AWS::EC2::Instance. Use to control which resource types IAM users can work with when they create or update a stack | ArrayOfString | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by the ARN of an IAM service role. Use to control which service role IAM users can use to work with stacks or change sets | ARN | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by an Amazon S3 stack policy URL. Use to control which stack policies IAM users can associate with a stack during a create or update stack action | String | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by stack set target region. Use to control which regions IAM users can use when they create or update stack sets | ArrayOfString | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by an Amazon S3 template URL. Use to control which templates IAM users can use when they create or update stacks | String | 
|   [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions)  | Filters access by the ARN of a CloudFormation extension | ARN | 

# Actions, resources, and condition keys for Amazon CloudFront
<a name="list_amazoncloudfront"></a>

Amazon CloudFront (service prefix: `cloudfront`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudfront/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudFront
](#amazoncloudfront-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudFront
](#amazoncloudfront-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudFront
](#amazoncloudfront-policy-keys)

## Actions defined by Amazon CloudFront
<a name="amazoncloudfront-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudfront-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html)

## Resource types defined by Amazon CloudFront
<a name="amazoncloudfront-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudfront-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-working-with.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-working-with.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:distribution/\$1\$1DistributionId\$1  |   [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-working-with.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-working-with.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:streaming-distribution/\$1\$1DistributionId\$1  |   [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-restricting-access-to-s3-overview](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-restricting-access-to-s3-overview)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:origin-access-identity/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:field-level-encryption-config/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:field-level-encryption-profile/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-key-create-cache-policy.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-key-create-cache-policy.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:cache-policy/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:origin-request-policy/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:realtime-log-config/\$1\$1Name\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-functions.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-functions.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:function/\$1\$1Name\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:key-value-store/\$1\$1Name\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/modifying-response-headers.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/modifying-response-headers.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:response-headers-policy/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-origin.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-origin.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:origin-access-control/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/working-with-staging-distribution-continuous-deployment-policy.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/working-with-staging-distribution-continuous-deployment-policy.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:continuous-deployment-policy/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/request-static-ips.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/request-static-ips.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:anycast-ip-list/\$1\$1Id\$1  |   [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:vpcorigin/\$1\$1Id\$1  |   [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-creating-console.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-creating-console.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:distribution-tenant/\$1\$1Id\$1  |   [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-connection-group.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-connection-group.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:connection-group/\$1\$1Id\$1  |   [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-trust-stores.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/viewer-mtls-trust-stores.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:trust-store/\$1\$1Id\$1  |   [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-connection-functions.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-connection-functions.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:connection-function/\$1\$1Id\$1  |   [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CloudFront
<a name="amazoncloudfront-policy-keys"></a>

Amazon CloudFront defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CloudFront KeyValueStore
<a name="list_amazoncloudfrontkeyvaluestore"></a>

Amazon CloudFront KeyValueStore (service prefix: `cloudfront-keyvaluestore`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudfront/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudFront KeyValueStore
](#amazoncloudfrontkeyvaluestore-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudFront KeyValueStore
](#amazoncloudfrontkeyvaluestore-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudFront KeyValueStore
](#amazoncloudfrontkeyvaluestore-policy-keys)

## Actions defined by Amazon CloudFront KeyValueStore
<a name="amazoncloudfrontkeyvaluestore-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudfrontkeyvaluestore-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_DeleteKey.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_DeleteKey.html)  | Grants permission to delete the key value pair specified by the key | Write |   [#amazoncloudfrontkeyvaluestore-key-value-store](#amazoncloudfrontkeyvaluestore-key-value-store)   |  |  | 
|   [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_DescribeKeyValueStore.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_DescribeKeyValueStore.html)  | Grants permission to return metadata information about Key Value Store | Read |   [#amazoncloudfrontkeyvaluestore-key-value-store](#amazoncloudfrontkeyvaluestore-key-value-store)   |  |  | 
|   [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_GetKey.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_GetKey.html)  | Grants permission to return a key value pair | Read |   [#amazoncloudfrontkeyvaluestore-key-value-store](#amazoncloudfrontkeyvaluestore-key-value-store)   |  |  | 
|   [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_ListKeys.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_ListKeys.html)  | Grants permission to returns a list of key value pairs | List |   [#amazoncloudfrontkeyvaluestore-key-value-store](#amazoncloudfrontkeyvaluestore-key-value-store)   |  |  | 
|   [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_PutKey.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_PutKey.html)  | Grants permission to create a new key value pair or replace the value of an existing key | Write |   [#amazoncloudfrontkeyvaluestore-key-value-store](#amazoncloudfrontkeyvaluestore-key-value-store)   |  |  | 
|   [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_UpdateKeys.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_kvs_UpdateKeys.html)  | Grants permission to put or delete multiple key value pairs in a single, all-or-nothing operation | Write |   [#amazoncloudfrontkeyvaluestore-key-value-store](#amazoncloudfrontkeyvaluestore-key-value-store)   |  |  | 

## Resource types defined by Amazon CloudFront KeyValueStore
<a name="amazoncloudfrontkeyvaluestore-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudfrontkeyvaluestore-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions.html)  |  arn:\$1\$1Partition\$1:cloudfront::\$1\$1Account\$1:key-value-store/\$1\$1ResourceId\$1  |  | 

## Condition keys for Amazon CloudFront KeyValueStore
<a name="amazoncloudfrontkeyvaluestore-policy-keys"></a>

CloudFront KeyValueStore has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS CloudHSM
<a name="list_awscloudhsm"></a>

AWS CloudHSM (service prefix: `cloudhsm`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cloudhsm/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudhsm/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cloudhsm/latest/userguide/identity-access-management.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CloudHSM
](#awscloudhsm-actions-as-permissions)
+ [

## Resource types defined by AWS CloudHSM
](#awscloudhsm-resources-for-iam-policies)
+ [

## Condition keys for AWS CloudHSM
](#awscloudhsm-policy-keys)

## Actions defined by AWS CloudHSM
<a name="awscloudhsm-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscloudhsm-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudhsm.html)

## Resource types defined by AWS CloudHSM
<a name="awscloudhsm-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscloudhsm-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudhsm/latest/userguide/backups.html](https://docs.aws.amazon.com/cloudhsm/latest/userguide/backups.html)  |  arn:\$1\$1Partition\$1:cloudhsm:\$1\$1Region\$1:\$1\$1Account\$1:backup/\$1\$1CloudHsmBackupInstanceName\$1  |   [#awscloudhsm-aws_ResourceTag___TagKey_](#awscloudhsm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html](https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html)  |  arn:\$1\$1Partition\$1:cloudhsm:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1CloudHsmClusterInstanceName\$1  |   [#awscloudhsm-aws_ResourceTag___TagKey_](#awscloudhsm-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS CloudHSM
<a name="awscloudhsm-policy-keys"></a>

AWS CloudHSM defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CloudSearch
<a name="list_amazoncloudsearch"></a>

Amazon CloudSearch (service prefix: `cloudsearch`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/api-ref.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/access_permissions.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudSearch
](#amazoncloudsearch-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudSearch
](#amazoncloudsearch-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudSearch
](#amazoncloudsearch-policy-keys)

## Actions defined by Amazon CloudSearch
<a name="amazoncloudsearch-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudsearch-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_AddTags.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_AddTags.html)  | Attaches resource tags to an Amazon CloudSearch domain | Tagging |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_BuildSuggesters.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_BuildSuggesters.html)  | Indexes the search suggestions | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_CreateDomain.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_CreateDomain.html)  | Creates a new search domain | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DefineAnalysisScheme.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DefineAnalysisScheme.html)  | Configures an analysis scheme that can be applied to a text or text-array field to define language-specific text processing options | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DefineExpression.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DefineExpression.html)  | Configures an Expression for the search domain | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DefineIndexField.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DefineIndexField.html)  | Configures an IndexField for the search domain | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DefineSuggester.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DefineSuggester.html)  | Configures a suggester for a domain | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DeleteAnalysisScheme.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DeleteAnalysisScheme.html)  | Deletes an analysis scheme | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DeleteDomain.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DeleteDomain.html)  | Permanently deletes a search domain and all of its data | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DeleteExpression.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DeleteExpression.html)  | Removes an Expression from the search domain | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DeleteIndexField.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DeleteIndexField.html)  | Removes an IndexField from the search domain | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DeleteSuggester.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DeleteSuggester.html)  | Deletes a suggester | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeAnalysisSchemes.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeAnalysisSchemes.html)  | Gets the analysis schemes configured for a domain | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeAvailabilityOptions.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeAvailabilityOptions.html)  | Gets the availability options configured for a domain | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeDomainEndpointOptions.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeDomainEndpointOptions.html)  | Gets the domain endpoint options configured for a domain | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeDomains.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeDomains.html)  | Gets information about the search domains owned by this account | List |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeExpressions.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeExpressions.html)  | Gets the expressions configured for the search domain | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeIndexFields.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeIndexFields.html)  | Gets information about the index fields configured for the search domain | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeScalingParameters.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeScalingParameters.html)  | Gets the scaling parameters configured for a domain | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeServiceAccessPolicies.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeServiceAccessPolicies.html)  | Gets information about the access policies that control access to the domain's document and search endpoints | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeSuggesters.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_DescribeSuggesters.html)  | Gets the suggesters configured for a domain | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_IndexDocuments.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_IndexDocuments.html)  | Tells the search domain to start indexing its documents using the latest indexing options | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_ListDomainNames.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_ListDomainNames.html)  | Lists all search domains owned by an account | List |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_ListTags.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_ListTags.html)  | Displays all of the resource tags for an Amazon CloudSearch domain | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_RemoveTags.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_RemoveTags.html)  | Removes the specified resource tags from an Amazon ES domain | Tagging |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_UpdateAvailabilityOptions.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_UpdateAvailabilityOptions.html)  | Configures the availability options for a domain | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_UpdateDomainEndpointOptions.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_UpdateDomainEndpointOptions.html)  | Configures the domain endpoint options for a domain | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_UpdateScalingParameters.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_UpdateScalingParameters.html)  | Configures scaling parameters for a domain | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_UpdateServiceAccessPolicies.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/API_UpdateServiceAccessPolicies.html)  | Configures the access rules that control access to the domain's document and search endpoints | Permissions management |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/configuring-access.html#cloudsearch-actions](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/configuring-access.html#cloudsearch-actions) [permission only] | Allows access to the document service operations | Write |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/configuring-access.html#cloudsearch-actions](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/configuring-access.html#cloudsearch-actions) [permission only] | Allows access to the search operations | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/configuring-access.html#cloudsearch-actions](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/configuring-access.html#cloudsearch-actions) [permission only] | Allows access to the suggest operations | Read |   [#amazoncloudsearch-domain](#amazoncloudsearch-domain)   |  |  | 

## Resource types defined by Amazon CloudSearch
<a name="amazoncloudsearch-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudsearch-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).

**Note**  
For information about using Amazon CloudSearch resource ARNs in an IAM policy, see [Amazon CloudSearch ARNs](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/configuring-access.html#cloudsearch-arns) in the *Amazon CloudSearch Developer Guide*.


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudsearch/latest/developerguide/creating-domains.html](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/creating-domains.html)  |  arn:\$1\$1Partition\$1:cloudsearch:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainName\$1  |  | 

## Condition keys for Amazon CloudSearch
<a name="amazoncloudsearch-policy-keys"></a>

CloudSearch has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS CloudShell
<a name="list_awscloudshell"></a>

AWS CloudShell (service prefix: `cloudshell`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CloudShell
](#awscloudshell-actions-as-permissions)
+ [

## Resource types defined by AWS CloudShell
](#awscloudshell-resources-for-iam-policies)
+ [

## Condition keys for AWS CloudShell
](#awscloudshell-policy-keys)

## Actions defined by AWS CloudShell
<a name="awscloudshell-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscloudshell-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#ApproveCommand](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#ApproveCommand) [permission only] | Grants permission to approve a command sent by another AWS service | Read |   [#awscloudshell-Environment](#awscloudshell-Environment)   |  |  | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#CreateEnvironment](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#CreateEnvironment) [permission only] | Grants permissions to create a CloudShell environment | Write |  |   [#awscloudshell-cloudshell_SecurityGroupIds](#awscloudshell-cloudshell_SecurityGroupIds)   [#awscloudshell-cloudshell_SubnetIds](#awscloudshell-cloudshell_SubnetIds)   [#awscloudshell-cloudshell_VpcIds](#awscloudshell-cloudshell_VpcIds)   |  | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#CreateSession](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#CreateSession) [permission only] | Grants permissions to connect to a CloudShell environment from the AWS Management Console | Write |   [#awscloudshell-Environment](#awscloudshell-Environment)   |  |  | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#DeleteEnvironment](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#DeleteEnvironment) [permission only] | Grants permission to delete a CloudShell environment | Write |   [#awscloudshell-Environment](#awscloudshell-Environment)   |  |  | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#DescribeEnvironments](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#DescribeEnvironments) [permission only] | Grants permission to return descriptions of existing user's environments | List |  |  |  | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#GetEnvironmentStatus](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#GetEnvironmentStatus) [permission only] | Grants permission to read a CloudShell environment status | Read |   [#awscloudshell-Environment](#awscloudshell-Environment)   |  |  | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#GetFileDownloadUrls](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#GetFileDownloadUrls) [permission only] | Grants permissions to download files from a CloudShell environment | Write |   [#awscloudshell-Environment](#awscloudshell-Environment)   |  |  | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#GetFileUploadUrls](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#GetFileUploadUrls) [permission only] | Grants permissions to upload files to a CloudShell environment | Write |   [#awscloudshell-Environment](#awscloudshell-Environment)   |  |  | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#PutCredentials](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#PutCredentials) [permission only] | Grants permissions to forward console credentials to the environment | Write |   [#awscloudshell-Environment](#awscloudshell-Environment)   |  |  | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#StartEnvironment](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#StartEnvironment) [permission only] | Grants permission to start a stopped CloudShell environment | Write |   [#awscloudshell-Environment](#awscloudshell-Environment)   |  |  | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#StopEnvironment](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#StopEnvironment) [permission only] | Grants permission to stop a running CloudShell environment | Write |   [#awscloudshell-Environment](#awscloudshell-Environment)   |  |  | 

## Resource types defined by AWS CloudShell
<a name="awscloudshell-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscloudshell-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#Environment](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html#Environment)  |  arn:\$1\$1Partition\$1:cloudshell:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1EnvironmentId\$1  |  | 

## Condition keys for AWS CloudShell
<a name="awscloudshell-policy-keys"></a>

AWS CloudShell defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.html#vpc-condition-keys-examples-1](https://docs.aws.amazon.com/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.html#vpc-condition-keys-examples-1)  | Filters access by security group ids. Available during CreateEnvironment operation | ArrayOfString | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.html#vpc-condition-keys-examples-1](https://docs.aws.amazon.com/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.html#vpc-condition-keys-examples-1)  | Filters access by subnet ids. Available during CreateEnvironment operation | ArrayOfString | 
|   [https://docs.aws.amazon.com/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.html#vpc-condition-keys-examples-1](https://docs.aws.amazon.com/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.html#vpc-condition-keys-examples-1)  | Filters access by vpc ids. Available during CreateEnvironment operation | ArrayOfString | 

# Actions, resources, and condition keys for AWS CloudTrail
<a name="list_awscloudtrail"></a>

AWS CloudTrail (service prefix: `cloudtrail`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CloudTrail
](#awscloudtrail-actions-as-permissions)
+ [

## Resource types defined by AWS CloudTrail
](#awscloudtrail-resources-for-iam-policies)
+ [

## Condition keys for AWS CloudTrail
](#awscloudtrail-policy-keys)

## Actions defined by AWS CloudTrail
<a name="awscloudtrail-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscloudtrail-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudtrail.html)

## Resource types defined by AWS CloudTrail
<a name="awscloudtrail-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscloudtrail-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).

**Note**  
For policies that control access to CloudTrail actions, the Resource element is always set to "\$1". For information about using resource ARNs in an IAM policy, see [How AWS CloudTrail works with IAM](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_service-with-iam.html) in the *AWS CloudTrail User Guide*.


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html#how-cloudtrail-works-trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html#how-cloudtrail-works-trails)  |  arn:\$1\$1Partition\$1:cloudtrail:\$1\$1Region\$1:\$1\$1Account\$1:trail/\$1\$1TrailName\$1  |   [#awscloudtrail-aws_ResourceTag___TagKey_](#awscloudtrail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html#how-cloudtrail-works-lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html#how-cloudtrail-works-lake)  |  arn:\$1\$1Partition\$1:cloudtrail:\$1\$1Region\$1:\$1\$1Account\$1:eventdatastore/\$1\$1EventDataStoreId\$1  |   [#awscloudtrail-aws_ResourceTag___TagKey_](#awscloudtrail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html#how-cloudtrail-works-channels](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html#how-cloudtrail-works-channels)  |  arn:\$1\$1Partition\$1:cloudtrail:\$1\$1Region\$1:\$1\$1Account\$1:channel/\$1\$1ChannelId\$1  |   [#awscloudtrail-aws_ResourceTag___TagKey_](#awscloudtrail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/lake-dashboard.html](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/lake-dashboard.html)  |  arn:\$1\$1Partition\$1:cloudtrail:\$1\$1Region\$1:\$1\$1Account\$1:dashboard/\$1\$1DashboardName\$1  |   [#awscloudtrail-aws_ResourceTag___TagKey_](#awscloudtrail-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS CloudTrail
<a name="awscloudtrail-policy-keys"></a>

AWS CloudTrail defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in a request | ArrayOfString | 

# Actions, resources, and condition keys for AWS CloudTrail Data
<a name="list_awscloudtraildata"></a>

AWS CloudTrail Data (service prefix: `cloudtrail-data`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awscloudtraildata/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CloudTrail Data
](#awscloudtraildata-actions-as-permissions)
+ [

## Resource types defined by AWS CloudTrail Data
](#awscloudtraildata-resources-for-iam-policies)
+ [

## Condition keys for AWS CloudTrail Data
](#awscloudtraildata-policy-keys)

## Actions defined by AWS CloudTrail Data
<a name="awscloudtraildata-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscloudtraildata-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awscloudtraildata/latest/APIReference/API_PutAuditEvents.html](https://docs.aws.amazon.com/awscloudtraildata/latest/APIReference/API_PutAuditEvents.html)  | Grants permission to ingest your application events into CloudTrail Lake | Write |   [#awscloudtraildata-channel](#awscloudtraildata-channel)   |  |  | 

## Resource types defined by AWS CloudTrail Data
<a name="awscloudtraildata-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscloudtraildata-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).

**Note**  
For policies that control access to CloudTrail actions, the Resource element is always set to "\$1". For information about using resource ARNs in an IAM policy, see [How AWS CloudTrail works with IAM](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_service-with-iam.html) in the *AWS CloudTrail User Guide*.


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html#how-cloudtrail-works-channels](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html#how-cloudtrail-works-channels)  |  arn:\$1\$1Partition\$1:cloudtrail:\$1\$1Region\$1:\$1\$1Account\$1:channel/\$1\$1ChannelId\$1  |   [#awscloudtraildata-aws_ResourceTag___TagKey_](#awscloudtraildata-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS CloudTrail Data
<a name="awscloudtraildata-policy-keys"></a>

AWS CloudTrail Data defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in a request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CloudWatch
<a name="list_amazoncloudwatch"></a>

Amazon CloudWatch (service prefix: `cloudwatch`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudWatch
](#amazoncloudwatch-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudWatch
](#amazoncloudwatch-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudWatch
](#amazoncloudwatch-policy-keys)

## Actions defined by Amazon CloudWatch
<a name="amazoncloudwatch-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudwatch-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html)

## Resource types defined by Amazon CloudWatch
<a name="amazoncloudwatch-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudwatch-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html)  |  arn:\$1\$1Partition\$1:cloudwatch:\$1\$1Region\$1:\$1\$1Account\$1:alarm:\$1\$1AlarmName\$1  |   [#amazoncloudwatch-aws_ResourceTag___TagKey_](#amazoncloudwatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html)  |  arn:\$1\$1Partition\$1:cloudwatch:\$1\$1Region\$1:\$1\$1Account\$1:alarm-mute-rule:\$1\$1AlarmMuteRuleName\$1  |   [#amazoncloudwatch-aws_ResourceTag___TagKey_](#amazoncloudwatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html)  |  arn:\$1\$1Partition\$1:cloudwatch::\$1\$1Account\$1:dashboard/\$1\$1DashboardName\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html)  |  arn:\$1\$1Partition\$1:cloudwatch:\$1\$1Region\$1:\$1\$1Account\$1:insight-rule/\$1\$1InsightRuleName\$1  |   [#amazoncloudwatch-aws_ResourceTag___TagKey_](#amazoncloudwatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html)  |  arn:\$1\$1Partition\$1:cloudwatch:\$1\$1Region\$1:\$1\$1Account\$1:metric-stream/\$1\$1MetricStreamName\$1  |   [#amazoncloudwatch-aws_ResourceTag___TagKey_](#amazoncloudwatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html)  |  arn:\$1\$1Partition\$1:cloudwatch:\$1\$1Region\$1:\$1\$1Account\$1:slo/\$1\$1SloName\$1  |   [#amazoncloudwatch-aws_ResourceTag___TagKey_](#amazoncloudwatch-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html)  |  arn:\$1\$1Partition\$1:cloudwatch:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceName\$1-\$1\$1UniqueAttributesHex\$1  |   [#amazoncloudwatch-aws_ResourceTag___TagKey_](#amazoncloudwatch-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CloudWatch
<a name="amazoncloudwatch-policy-keys"></a>

Amazon CloudWatch defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-alarm-actions.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-alarm-actions.html)  | Filters actions based on defined alarm actions | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-namespace.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-namespace.html)  | Filters actions based on the presence of optional namespace values | String | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-contributor.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-contributor.html)  | Filters actions based on the Log Groups specified in an Insight Rule | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-contributor.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-contributor.html)  | Filters access by the Resource ARNs specified in a managed Insight Rule | ArrayOfARN | 

# Actions, resources, and condition keys for Amazon CloudWatch Application Insights
<a name="list_amazoncloudwatchapplicationinsights"></a>

Amazon CloudWatch Application Insights (service prefix: `applicationinsights`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-application-insights.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudWatch Application Insights
](#amazoncloudwatchapplicationinsights-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudWatch Application Insights
](#amazoncloudwatchapplicationinsights-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudWatch Application Insights
](#amazoncloudwatchapplicationinsights-policy-keys)

## Actions defined by Amazon CloudWatch Application Insights
<a name="amazoncloudwatchapplicationinsights-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudwatchapplicationinsights-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_AddWorkload.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_AddWorkload.html)  | Grants permission to add a workload | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_CreateApplication.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_CreateApplication.html)  | Grants permission to create an application from a resource group | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_CreateComponent.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_CreateComponent.html)  | Grants permission to create a component from a group of resources | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_CreateLogPattern.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_CreateLogPattern.html)  | Grants permission to create log a pattern | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DeleteApplication.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DeleteApplication.html)  | Grants permission to delete an application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DeleteComponent.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DeleteComponent.html)  | Grants permission to delete a component | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DeleteLogPattern.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DeleteLogPattern.html)  | Grants permission to delete a log pattern | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeApplication.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeApplication.html)  | Grants permission to describe an application | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeComponent.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeComponent.html)  | Grants permission to describe a component | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeComponentConfiguration.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeComponentConfiguration.html)  | Grants permission to describe a component's configuration | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeComponentConfigurationRecommendation.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeComponentConfigurationRecommendation.html)  | Grants permission to describe the recommended application component configuration | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeLogPattern.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeLogPattern.html)  | Grants permission to describe a log pattern | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeObservation.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeObservation.html)  | Grants permission to describe an observation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeProblem.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeProblem.html)  | Grants permission to describe a problem | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeProblemObservations.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeProblemObservations.html)  | Grants permission to describe the observation in a problem | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeWorkload.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_DescribeWorkload.html)  | Grants permission to describe a workload | Read |  |  |  | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account-Setup.html#CloudWatch-Unified-Cross-Account-Setup-permissions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account-Setup.html#CloudWatch-Unified-Cross-Account-Setup-permissions) [permission only] | Grants permission to share Application Insights resources with a monitoring account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListApplications.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListApplications.html)  | Grants permission to list all applications | List |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListComponents.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListComponents.html)  | Grants permission to list an application's components | List |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListConfigurationHistory.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListConfigurationHistory.html)  | Grants permission to list configuration history | List |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListLogPatternSets.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListLogPatternSets.html)  | Grants permission to list log pattern sets for an application | List |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListLogPatterns.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListLogPatterns.html)  | Grants permission to list log patterns | List |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListProblems.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListProblems.html)  | Grants permission to list the problems in an application | List |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListTagsForResource.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListTagsForResource.html)  | Grants permission to list tags for the resource | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListWorkloads.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_ListWorkloads.html)  | Grants permission to list workloads | List |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_RemoveWorkload.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_RemoveWorkload.html)  | Grants permission to remove a workload | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_TagResource.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_TagResource.html)  | Grants permission to tag a resource | Tagging |  |   [#amazoncloudwatchapplicationinsights-aws_RequestTag___TagKey_](#amazoncloudwatchapplicationinsights-aws_RequestTag___TagKey_)   [#amazoncloudwatchapplicationinsights-aws_TagKeys](#amazoncloudwatchapplicationinsights-aws_TagKeys)   |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UntagResource.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UntagResource.html)  | Grants permission to untag a resource | Tagging |  |   [#amazoncloudwatchapplicationinsights-aws_TagKeys](#amazoncloudwatchapplicationinsights-aws_TagKeys)   |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateApplication.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateApplication.html)  | Grants permission to update an application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateComponent.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateComponent.html)  | Grants permission to update a component | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateComponentConfiguration.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateComponentConfiguration.html)  | Grants permission to update a component's configuration | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateLogPattern.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateLogPattern.html)  | Grants permission to update a log pattern | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateProblem.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateProblem.html)  | Grants permission to update a problem | Write |  |  |  | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateWorkload.html](https://docs.aws.amazon.com/cloudwatch/latest/APIReference/API_UpdateWorkload.html)  | Grants permission to update a workload | Write |  |  |  | 

## Resource types defined by Amazon CloudWatch Application Insights
<a name="amazoncloudwatchapplicationinsights-resources-for-iam-policies"></a>

Amazon CloudWatch Application Insights does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon CloudWatch Application Insights, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon CloudWatch Application Insights
<a name="amazoncloudwatchapplicationinsights-policy-keys"></a>

Amazon CloudWatch Application Insights defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CloudWatch Application Signals
<a name="list_amazoncloudwatchapplicationsignals"></a>

Amazon CloudWatch Application Signals (service prefix: `application-signals`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Monitoring-Sections.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/applicationsignals/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudWatch Application Signals
](#amazoncloudwatchapplicationsignals-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudWatch Application Signals
](#amazoncloudwatchapplicationsignals-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudWatch Application Signals
](#amazoncloudwatchapplicationsignals-policy-keys)

## Actions defined by Amazon CloudWatch Application Signals
<a name="amazoncloudwatchapplicationsignals-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudwatchapplicationsignals-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationsignals.html)

## Resource types defined by Amazon CloudWatch Application Signals
<a name="amazoncloudwatchapplicationsignals-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudwatchapplicationsignals-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-ServiceLevelObjectives.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-ServiceLevelObjectives.html)  |  arn:\$1\$1Partition\$1:application-signals:\$1\$1Region\$1:\$1\$1Account\$1:slo/\$1\$1SloName\$1  |   [#amazoncloudwatchapplicationsignals-aws_ResourceTag___TagKey_](#amazoncloudwatchapplicationsignals-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CloudWatch Application Signals
<a name="amazoncloudwatchapplicationsignals-policy-keys"></a>

Amazon CloudWatch Application Signals defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CloudWatch Evidently
<a name="list_amazoncloudwatchevidently"></a>

Amazon CloudWatch Evidently (service prefix: `evidently`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudWatch Evidently
](#amazoncloudwatchevidently-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudWatch Evidently
](#amazoncloudwatchevidently-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudWatch Evidently
](#amazoncloudwatchevidently-policy-keys)

## Actions defined by Amazon CloudWatch Evidently
<a name="amazoncloudwatchevidently-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudwatchevidently-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchevidently.html)

## Resource types defined by Amazon CloudWatch Evidently
<a name="amazoncloudwatchevidently-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudwatchevidently-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_Project.html](https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_Project.html)  |  arn:\$1\$1Partition\$1:evidently:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ProjectName\$1  |   [#amazoncloudwatchevidently-aws_ResourceTag___TagKey_](#amazoncloudwatchevidently-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_Feature.html](https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_Feature.html)  |  arn:\$1\$1Partition\$1:evidently:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ProjectName\$1/feature/\$1\$1FeatureName\$1  |   [#amazoncloudwatchevidently-aws_ResourceTag___TagKey_](#amazoncloudwatchevidently-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_Experiment.html](https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_Experiment.html)  |  arn:\$1\$1Partition\$1:evidently:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ProjectName\$1/experiment/\$1\$1ExperimentName\$1  |   [#amazoncloudwatchevidently-aws_ResourceTag___TagKey_](#amazoncloudwatchevidently-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_Launch.html](https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_Launch.html)  |  arn:\$1\$1Partition\$1:evidently:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ProjectName\$1/launch/\$1\$1LaunchName\$1  |   [#amazoncloudwatchevidently-aws_ResourceTag___TagKey_](#amazoncloudwatchevidently-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_Segment.html](https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_Segment.html)  |  arn:\$1\$1Partition\$1:evidently:\$1\$1Region\$1:\$1\$1Account\$1:segment/\$1\$1SegmentName\$1  |   [#amazoncloudwatchevidently-aws_ResourceTag___TagKey_](#amazoncloudwatchevidently-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CloudWatch Evidently
<a name="amazoncloudwatchevidently-policy-keys"></a>

Amazon CloudWatch Evidently defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed the request on behalf of the IAM principal | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the tags associated with the resource that make the request on behalf of the IAM principal | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request on behalf of the IAM principal | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CloudWatch Internet Monitor
<a name="list_amazoncloudwatchinternetmonitor"></a>

Amazon CloudWatch Internet Monitor (service prefix: `internetmonitor`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-InternetMonitor.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/internet-monitor/latest/api/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudWatch Internet Monitor
](#amazoncloudwatchinternetmonitor-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudWatch Internet Monitor
](#amazoncloudwatchinternetmonitor-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudWatch Internet Monitor
](#amazoncloudwatchinternetmonitor-policy-keys)

## Actions defined by Amazon CloudWatch Internet Monitor
<a name="amazoncloudwatchinternetmonitor-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudwatchinternetmonitor-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchinternetmonitor.html)

## Resource types defined by Amazon CloudWatch Internet Monitor
<a name="amazoncloudwatchinternetmonitor-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudwatchinternetmonitor-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-components.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-components.html)  |  arn:\$1\$1Partition\$1:internetmonitor:\$1\$1Region\$1:\$1\$1Account\$1:monitor/\$1\$1MonitorName\$1/health-event/\$1\$1EventId\$1  |   [#amazoncloudwatchinternetmonitor-aws_ResourceTag___TagKey_](#amazoncloudwatchinternetmonitor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-components.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-components.html)  |  arn:\$1\$1Partition\$1:internetmonitor:\$1\$1Region\$1:\$1\$1Account\$1:monitor/\$1\$1MonitorName\$1  |   [#amazoncloudwatchinternetmonitor-aws_ResourceTag___TagKey_](#amazoncloudwatchinternetmonitor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-components.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-components.html)  |  arn:\$1\$1Partition\$1:internetmonitor::\$1\$1Account\$1:internet-event/\$1\$1InternetEventId\$1  |  | 

## Condition keys for Amazon CloudWatch Internet Monitor
<a name="amazoncloudwatchinternetmonitor-policy-keys"></a>

Amazon CloudWatch Internet Monitor defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CloudWatch Logs
<a name="list_amazoncloudwatchlogs"></a>

Amazon CloudWatch Logs (service prefix: `logs`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudWatch Logs
](#amazoncloudwatchlogs-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudWatch Logs
](#amazoncloudwatchlogs-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudWatch Logs
](#amazoncloudwatchlogs-policy-keys)

## Actions defined by Amazon CloudWatch Logs
<a name="amazoncloudwatchlogs-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudwatchlogs-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html)

## Resource types defined by Amazon CloudWatch Logs
<a name="amazoncloudwatchlogs-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudwatchlogs-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_LogGroup.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_LogGroup.html)  |  arn:\$1\$1Partition\$1:logs:\$1\$1Region\$1:\$1\$1Account\$1:log-group:\$1\$1LogGroupName\$1  |   [#amazoncloudwatchlogs-aws_ResourceTag___TagKey_](#amazoncloudwatchlogs-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_LogStream.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_LogStream.html)  |  arn:\$1\$1Partition\$1:logs:\$1\$1Region\$1:\$1\$1Account\$1:log-group:\$1\$1LogGroupName\$1:log-stream:\$1\$1LogStreamName\$1  |   [#amazoncloudwatchlogs-aws_ResourceTag___TagKey_](#amazoncloudwatchlogs-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_Destination.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_Destination.html)  |  arn:\$1\$1Partition\$1:logs:\$1\$1Region\$1:\$1\$1Account\$1:destination:\$1\$1DestinationName\$1  |   [#amazoncloudwatchlogs-aws_ResourceTag___TagKey_](#amazoncloudwatchlogs-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeliverySource.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeliverySource.html)  |  arn:\$1\$1Partition\$1:logs:\$1\$1Region\$1:\$1\$1Account\$1:delivery-source:\$1\$1DeliverySourceName\$1  |   [#amazoncloudwatchlogs-aws_ResourceTag___TagKey_](#amazoncloudwatchlogs-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_Delivery.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_Delivery.html)  |  arn:\$1\$1Partition\$1:logs:\$1\$1Region\$1:\$1\$1Account\$1:delivery:\$1\$1DeliveryName\$1  |   [#amazoncloudwatchlogs-aws_ResourceTag___TagKey_](#amazoncloudwatchlogs-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeliveryDestination.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeliveryDestination.html)  |  arn:\$1\$1Partition\$1:logs:\$1\$1Region\$1:\$1\$1Account\$1:delivery-destination:\$1\$1DeliveryDestinationName\$1  |   [#amazoncloudwatchlogs-aws_ResourceTag___TagKey_](#amazoncloudwatchlogs-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_AnomalyDetector.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_AnomalyDetector.html)  |  arn:\$1\$1Partition\$1:logs:\$1\$1Region\$1:\$1\$1Account\$1:anomaly-detector:\$1\$1DetectorId\$1  |   [#amazoncloudwatchlogs-aws_ResourceTag___TagKey_](#amazoncloudwatchlogs-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_ScheduledQuery.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_ScheduledQuery.html)  |  arn:\$1\$1Partition\$1:logs:\$1\$1Region\$1:\$1\$1Account\$1:scheduled-query:\$1\$1ScheduledQueryId\$1  |   [#amazoncloudwatchlogs-aws_ResourceTag___TagKey_](#amazoncloudwatchlogs-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_LookupTable.html](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_LookupTable.html)  |  arn:\$1\$1Partition\$1:logs:\$1\$1Region\$1:\$1\$1Account\$1:lookup-table:\$1\$1LookupTableName\$1  |   [#amazoncloudwatchlogs-aws_ResourceTag___TagKey_](#amazoncloudwatchlogs-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CloudWatch Logs
<a name="amazoncloudwatchlogs-policy-keys"></a>

Amazon CloudWatch Logs defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html)  | Filters access by the Log Destination ARN passed in the request | ARN | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html)  | Filters access by the Log Generating Resource ARNs passed in the request | ArrayOfARN | 

# Actions, resources, and condition keys for Amazon CloudWatch Network Synthetic Monitor
<a name="list_amazoncloudwatchnetworksyntheticmonitor"></a>

Amazon CloudWatch Network Synthetic Monitor (service prefix: `networkmonitor`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/what-is-network-monitor.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/networkmonitor/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudWatch Network Synthetic Monitor
](#amazoncloudwatchnetworksyntheticmonitor-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudWatch Network Synthetic Monitor
](#amazoncloudwatchnetworksyntheticmonitor-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudWatch Network Synthetic Monitor
](#amazoncloudwatchnetworksyntheticmonitor-policy-keys)

## Actions defined by Amazon CloudWatch Network Synthetic Monitor
<a name="amazoncloudwatchnetworksyntheticmonitor-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudwatchnetworksyntheticmonitor-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchnetworksyntheticmonitor.html)

## Resource types defined by Amazon CloudWatch Network Synthetic Monitor
<a name="amazoncloudwatchnetworksyntheticmonitor-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudwatchnetworksyntheticmonitor-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/nw-monitor-working-with.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/nw-monitor-working-with.html)  |  arn:\$1\$1Partition\$1:networkmonitor:\$1\$1Region\$1:\$1\$1Account\$1:monitor/\$1\$1MonitorName\$1  |   [#amazoncloudwatchnetworksyntheticmonitor-aws_ResourceTag___TagKey_](#amazoncloudwatchnetworksyntheticmonitor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/nw-monitor-working-with.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/nw-monitor-working-with.html)  |  arn:\$1\$1Partition\$1:networkmonitor:\$1\$1Region\$1:\$1\$1Account\$1:probe/\$1\$1ProbeId\$1  |   [#amazoncloudwatchnetworksyntheticmonitor-aws_ResourceTag___TagKey_](#amazoncloudwatchnetworksyntheticmonitor-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CloudWatch Network Synthetic Monitor
<a name="amazoncloudwatchnetworksyntheticmonitor-policy-keys"></a>

Amazon CloudWatch Network Synthetic Monitor defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CloudWatch Observability Access Manager
<a name="list_amazoncloudwatchobservabilityaccessmanager"></a>

Amazon CloudWatch Observability Access Manager (service prefix: `oam`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/OAM/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudWatch Observability Access Manager
](#amazoncloudwatchobservabilityaccessmanager-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudWatch Observability Access Manager
](#amazoncloudwatchobservabilityaccessmanager-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudWatch Observability Access Manager
](#amazoncloudwatchobservabilityaccessmanager-policy-keys)

## Actions defined by Amazon CloudWatch Observability Access Manager
<a name="amazoncloudwatchobservabilityaccessmanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudwatchobservabilityaccessmanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchobservabilityaccessmanager.html)

## Resource types defined by Amazon CloudWatch Observability Access Manager
<a name="amazoncloudwatchobservabilityaccessmanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudwatchobservabilityaccessmanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html)  |  arn:\$1\$1Partition\$1:oam:\$1\$1Region\$1:\$1\$1Account\$1:link/\$1\$1ResourceId\$1  |   [#amazoncloudwatchobservabilityaccessmanager-aws_ResourceTag___TagKey_](#amazoncloudwatchobservabilityaccessmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html)  |  arn:\$1\$1Partition\$1:oam:\$1\$1Region\$1:\$1\$1Account\$1:sink/\$1\$1ResourceId\$1  |   [#amazoncloudwatchobservabilityaccessmanager-aws_ResourceTag___TagKey_](#amazoncloudwatchobservabilityaccessmanager-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CloudWatch Observability Access Manager
<a name="amazoncloudwatchobservabilityaccessmanager-policy-keys"></a>

Amazon CloudWatch Observability Access Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatchobservabilityaccessmanager.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatchobservabilityaccessmanager.html)  | Filters access by the presence of resource types in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CloudWatch Observability Admin Service
<a name="list_amazoncloudwatchobservabilityadminservice"></a>

Amazon CloudWatch Observability Admin Service (service prefix: `observabilityadmin`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudWatch Observability Admin Service
](#amazoncloudwatchobservabilityadminservice-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudWatch Observability Admin Service
](#amazoncloudwatchobservabilityadminservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudWatch Observability Admin Service
](#amazoncloudwatchobservabilityadminservice-policy-keys)

## Actions defined by Amazon CloudWatch Observability Admin Service
<a name="amazoncloudwatchobservabilityadminservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudwatchobservabilityadminservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchobservabilityadminservice.html)

## Resource types defined by Amazon CloudWatch Observability Admin Service
<a name="amazoncloudwatchobservabilityadminservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudwatchobservabilityadminservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/API_TelemetryRule.html](https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/API_TelemetryRule.html)  |  arn:\$1\$1Partition\$1:observabilityadmin:\$1\$1Region\$1:\$1\$1Account\$1:telemetry-rule/\$1\$1TelemetryRuleName\$1  |   [#amazoncloudwatchobservabilityadminservice-aws_ResourceTag___TagKey_](#amazoncloudwatchobservabilityadminservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/API_TelemetryRule.html](https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/API_TelemetryRule.html)  |  arn:\$1\$1Partition\$1:observabilityadmin:\$1\$1Region\$1:\$1\$1Account\$1:organization-telemetry-rule/\$1\$1TelemetryRuleName\$1  |   [#amazoncloudwatchobservabilityadminservice-aws_ResourceTag___TagKey_](#amazoncloudwatchobservabilityadminservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/API_CentralizationRule.html](https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/API_CentralizationRule.html)  |  arn:\$1\$1Partition\$1:observabilityadmin:\$1\$1Region\$1:\$1\$1Account\$1:organization-centralization-rule/\$1\$1CentralizationRuleName\$1  |   [#amazoncloudwatchobservabilityadminservice-aws_ResourceTag___TagKey_](#amazoncloudwatchobservabilityadminservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/API_TelemetryPipeline.html](https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/API_TelemetryPipeline.html)  |  arn:\$1\$1Partition\$1:observabilityadmin:\$1\$1Region\$1:\$1\$1Account\$1:telemetry-pipeline/\$1\$1TelemetryPipelineIdentifier\$1  |   [#amazoncloudwatchobservabilityadminservice-aws_ResourceTag___TagKey_](#amazoncloudwatchobservabilityadminservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/API_S3TableIntegration.html](https://docs.aws.amazon.com/cloudwatch/latest/observabilityadmin/API_S3TableIntegration.html)  |  arn:\$1\$1Partition\$1:observabilityadmin:\$1\$1Region\$1:\$1\$1Account\$1:s3tableintegration/\$1\$1S3TableIntegrationIdentifier\$1  |   [#amazoncloudwatchobservabilityadminservice-aws_ResourceTag___TagKey_](#amazoncloudwatchobservabilityadminservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CloudWatch Observability Admin Service
<a name="amazoncloudwatchobservabilityadminservice-policy-keys"></a>

Amazon CloudWatch Observability Admin Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationbackupregion](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationbackupregion)  | Filters access by the backup region that is passed in the request | String | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationdestinationaccount](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationdestinationaccount)  | Filters access by the destination account that is passed in the request | String | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationdestinationregion](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationdestinationregion)  | Filters access by the destination region that is passed in the request | String | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationrulename](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationrulename)  | Filters access by the name of the centralization rule that is passed in the request | String | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationsourceid](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationsourceid)  | Filters access by the source account, organizational unit, or organization IDs that is passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationsourceregions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-centralizationsourceregions)  | Filters access by the source regions that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-sourcetype](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-sourcetype)  | Filters access by the source type that is passed in the request | String | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-targetregions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/reference_policies_condition-keys.htmlcondition-keys-observabilityadmin.html#condition-keys-targetregions)  | Filters access by the regions that are targetted by the request | String | 

# Actions, resources, and condition keys for AWS CloudWatch RUM
<a name="list_awscloudwatchrum"></a>

AWS CloudWatch RUM (service prefix: `rum`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudwatchrum/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CloudWatch RUM
](#awscloudwatchrum-actions-as-permissions)
+ [

## Resource types defined by AWS CloudWatch RUM
](#awscloudwatchrum-resources-for-iam-policies)
+ [

## Condition keys for AWS CloudWatch RUM
](#awscloudwatchrum-policy-keys)

## Actions defined by AWS CloudWatch RUM
<a name="awscloudwatchrum-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscloudwatchrum-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudwatchrum.html)

## Resource types defined by AWS CloudWatch RUM
<a name="awscloudwatchrum-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscloudwatchrum-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/API_AppMonitor.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/API_AppMonitor.html)  |  arn:\$1\$1Partition\$1:rum:\$1\$1Region\$1:\$1\$1Account\$1:appmonitor/\$1\$1Name\$1  |   [#awscloudwatchrum-aws_ResourceTag___TagKey_](#awscloudwatchrum-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS CloudWatch RUM
<a name="awscloudwatchrum-policy-keys"></a>

AWS CloudWatch RUM defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed the request on behalf of the IAM principal | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the tags associated with the resource that make the request on behalf of the IAM principal | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request on behalf of the IAM principal | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CloudWatch Synthetics
<a name="list_amazoncloudwatchsynthetics"></a>

Amazon CloudWatch Synthetics (service prefix: `synthetics`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonSynthetics/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CloudWatch Synthetics
](#amazoncloudwatchsynthetics-actions-as-permissions)
+ [

## Resource types defined by Amazon CloudWatch Synthetics
](#amazoncloudwatchsynthetics-resources-for-iam-policies)
+ [

## Condition keys for Amazon CloudWatch Synthetics
](#amazoncloudwatchsynthetics-policy-keys)

## Actions defined by Amazon CloudWatch Synthetics
<a name="amazoncloudwatchsynthetics-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncloudwatchsynthetics-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchsynthetics.html)

## Resource types defined by Amazon CloudWatch Synthetics
<a name="amazoncloudwatchsynthetics-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudwatchsynthetics-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html)  |  arn:\$1\$1Partition\$1:synthetics:\$1\$1Region\$1:\$1\$1Account\$1:canary:\$1\$1CanaryName\$1  |   [#amazoncloudwatchsynthetics-aws_ResourceTag___TagKey_](#amazoncloudwatchsynthetics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Groups.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Groups.html)  |  arn:\$1\$1Partition\$1:synthetics:\$1\$1Region\$1:\$1\$1Account\$1:group:\$1\$1GroupId\$1  |   [#amazoncloudwatchsynthetics-aws_ResourceTag___TagKey_](#amazoncloudwatchsynthetics-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CloudWatch Synthetics
<a name="amazoncloudwatchsynthetics-policy-keys"></a>

Amazon CloudWatch Synthetics defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Restricted.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Restricted.html)  | Filters access based on the name of the canary | ArrayOfString | 

# Actions, resources, and condition keys for AWS CodeArtifact
<a name="list_awscodeartifact"></a>

AWS CodeArtifact (service prefix: `codeartifact`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codeartifact/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codeartifact/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codeartifact/latest/ug/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CodeArtifact
](#awscodeartifact-actions-as-permissions)
+ [

## Resource types defined by AWS CodeArtifact
](#awscodeartifact-resources-for-iam-policies)
+ [

## Condition keys for AWS CodeArtifact
](#awscodeartifact-policy-keys)

## Actions defined by AWS CodeArtifact
<a name="awscodeartifact-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscodeartifact-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeartifact.html)

## Resource types defined by AWS CodeArtifact
<a name="awscodeartifact-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscodeartifact-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).

**Note**  
The ARN of the package groups resource must use an encoded package group pattern.


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codeartifact/latest/ug/domains.html](https://docs.aws.amazon.com/codeartifact/latest/ug/domains.html)  |  arn:\$1\$1Partition\$1:codeartifact:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainName\$1  |   [#awscodeartifact-aws_ResourceTag___TagKey_](#awscodeartifact-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codeartifact/latest/ug/repos.html](https://docs.aws.amazon.com/codeartifact/latest/ug/repos.html)  |  arn:\$1\$1Partition\$1:codeartifact:\$1\$1Region\$1:\$1\$1Account\$1:repository/\$1\$1DomainName\$1/\$1\$1RepositoryName\$1  |   [#awscodeartifact-aws_ResourceTag___TagKey_](#awscodeartifact-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codeartifact/latest/ug/package-groups.html](https://docs.aws.amazon.com/codeartifact/latest/ug/package-groups.html)  |  arn:\$1\$1Partition\$1:codeartifact:\$1\$1Region\$1:\$1\$1Account\$1:package-group/\$1\$1DomainName\$1\$1\$1EncodedPackageGroupPattern\$1  |   [#awscodeartifact-aws_ResourceTag___TagKey_](#awscodeartifact-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codeartifact/latest/ug/packages.html](https://docs.aws.amazon.com/codeartifact/latest/ug/packages.html)  |  arn:\$1\$1Partition\$1:codeartifact:\$1\$1Region\$1:\$1\$1Account\$1:package/\$1\$1DomainName\$1/\$1\$1RepositoryName\$1/\$1\$1PackageFormat\$1/\$1\$1PackageNamespace\$1/\$1\$1PackageName\$1  |  | 

## Condition keys for AWS CodeArtifact
<a name="awscodeartifact-policy-keys"></a>

AWS CodeArtifact defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CodeCatalyst
<a name="list_amazoncodecatalyst"></a>

Amazon CodeCatalyst (service prefix: `codecatalyst`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codecatalyst/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codecatalyst/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codecatalyst/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CodeCatalyst
](#amazoncodecatalyst-actions-as-permissions)
+ [

## Resource types defined by Amazon CodeCatalyst
](#amazoncodecatalyst-resources-for-iam-policies)
+ [

## Condition keys for Amazon CodeCatalyst
](#amazoncodecatalyst-policy-keys)

## Actions defined by Amazon CodeCatalyst
<a name="amazoncodecatalyst-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncodecatalyst-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodecatalyst.html)

## Resource types defined by Amazon CodeCatalyst
<a name="amazoncodecatalyst-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncodecatalyst-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codecatalyst/latest/userguide/#](https://docs.aws.amazon.com/codecatalyst/latest/userguide/#)  |  arn:\$1\$1Partition\$1:codecatalyst:\$1\$1Region\$1:\$1\$1Account\$1:/connections/\$1\$1ConnectionId\$1  |   [#amazoncodecatalyst-aws_ResourceTag___TagKey_](#amazoncodecatalyst-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codecatalyst/latest/userguide/#](https://docs.aws.amazon.com/codecatalyst/latest/userguide/#)  |  arn:\$1\$1Partition\$1:codecatalyst:\$1\$1Region\$1:\$1\$1Account\$1:/identity-center-applications/\$1\$1IdentityCenterApplicationId\$1  |   [#amazoncodecatalyst-aws_ResourceTag___TagKey_](#amazoncodecatalyst-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codecatalyst/latest/userguide/#](https://docs.aws.amazon.com/codecatalyst/latest/userguide/#)  |  arn:\$1\$1Partition\$1:codecatalyst:::space/\$1\$1SpaceId\$1  |  | 
|   [https://docs.aws.amazon.com/codecatalyst/latest/userguide/#](https://docs.aws.amazon.com/codecatalyst/latest/userguide/#)  |  arn:\$1\$1Partition\$1:codecatalyst:::space/\$1\$1SpaceId\$1/project/\$1\$1ProjectId\$1  |  | 

## Condition keys for Amazon CodeCatalyst
<a name="amazoncodecatalyst-policy-keys"></a>

Amazon CodeCatalyst defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in a request | ArrayOfString | 

# Actions, resources, and condition keys for AWS CodeCommit
<a name="list_awscodecommit"></a>

AWS CodeCommit (service prefix: `codecommit`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codecommit/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-permissions-reference.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CodeCommit
](#awscodecommit-actions-as-permissions)
+ [

## Resource types defined by AWS CodeCommit
](#awscodecommit-resources-for-iam-policies)
+ [

## Condition keys for AWS CodeCommit
](#awscodecommit-policy-keys)

## Actions defined by AWS CodeCommit
<a name="awscodecommit-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscodecommit-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodecommit.html)

## Resource types defined by AWS CodeCommit
<a name="awscodecommit-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscodecommit-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control.html#arn-formats](https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control.html#arn-formats)  |  arn:\$1\$1Partition\$1:codecommit:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1RepositoryName\$1  |   [#awscodecommit-aws_ResourceTag___TagKey_](#awscodecommit-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS CodeCommit
<a name="awscodecommit-policy-keys"></a>

AWS CodeCommit defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-conditional-branch.html](https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-conditional-branch.html)  | Filters access by Git reference to specified AWS CodeCommit actions | String | 

# Actions, resources, and condition keys for AWS CodeConnections
<a name="list_awscodeconnections"></a>

AWS CodeConnections (service prefix: `codeconnections`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/dtconsole/latest/userguide/welcome-connections.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codeconnections/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CodeConnections
](#awscodeconnections-actions-as-permissions)
+ [

## Resource types defined by AWS CodeConnections
](#awscodeconnections-resources-for-iam-policies)
+ [

## Condition keys for AWS CodeConnections
](#awscodeconnections-policy-keys)

## Actions defined by AWS CodeConnections
<a name="awscodeconnections-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscodeconnections-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeconnections.html)

## Resource types defined by AWS CodeConnections
<a name="awscodeconnections-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscodeconnections-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/connections.html](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections.html)  |  arn:\$1\$1Partition\$1:codeconnections:\$1\$1Region\$1:\$1\$1Account\$1:connection/\$1\$1ConnectionId\$1  |   [#awscodeconnections-aws_ResourceTag___TagKey_](#awscodeconnections-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-hosts.html](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-hosts.html)  |  arn:\$1\$1Partition\$1:codeconnections:\$1\$1Region\$1:\$1\$1Account\$1:host/\$1\$1HostId\$1  |   [#awscodeconnections-aws_ResourceTag___TagKey_](#awscodeconnections-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/repositorylinks.html](https://docs.aws.amazon.com/dtconsole/latest/userguide/repositorylinks.html)  |  arn:\$1\$1Partition\$1:codeconnections:\$1\$1Region\$1:\$1\$1Account\$1:repository-link/\$1\$1RepositoryLinkId\$1  |   [#awscodeconnections-aws_ResourceTag___TagKey_](#awscodeconnections-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS CodeConnections
<a name="awscodeconnections-policy-keys"></a>

AWS CodeConnections defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-handshake](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-handshake)  | Filters access by the branch name that is passed in the request | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use)  | Filters access by the branch name that is passed in the request. Applies only to UseConnection requests for access to a specific repository branch | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use)  | Filters access by the repository that is passed in the request. Applies only to UseConnection requests for access to a specific repository | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-hosts](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-hosts)  | Filters access by the host resource associated with the connection used in the request | ARN | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-handshake](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-handshake)  | Filters access by the third-party ID (such as the Bitbucket App installation ID for CodeConnections) that is used to update a Connection. Allows you to restrict which third-party App installations can be used to make a Connection | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use)  | Filters access by the owner of the third-party repository. Applies only to UseConnection requests for access to repositories owned by a specific user | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-passconnection](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-passconnection)  | Filters access by the service to which the principal is allowed to pass a Connection or RepositoryLink | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-access](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-access)  | Filters access by the provider action in a UseConnection request such as ListRepositories. See documentation for all valid values | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use)  | Filters access by the write permissions of a provider action in a UseConnection request. Valid types include read\$1only and read\$1write | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-managing](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-managing)  | Filters access by the type of third-party provider passed in the request | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-managing](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-managing)  | Filters access by the type of third-party provider used to filter results | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use)  | Filters access by the repository name that is passed in the request. Applies only to UseConnection requests for access to repositories owned by a specific user | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-hosts](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-hosts)  | Filters access by the VpcId passed in the request | String | 

# Actions, resources, and condition keys for AWS CodeDeploy
<a name="list_awscodedeploy"></a>

AWS CodeDeploy (service prefix: `codedeploy`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codedeploy/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codedeploy/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codedeploy/latest/userguide/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CodeDeploy
](#awscodedeploy-actions-as-permissions)
+ [

## Resource types defined by AWS CodeDeploy
](#awscodedeploy-resources-for-iam-policies)
+ [

## Condition keys for AWS CodeDeploy
](#awscodedeploy-policy-keys)

## Actions defined by AWS CodeDeploy
<a name="awscodedeploy-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscodedeploy-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodedeploy.html)

## Resource types defined by AWS CodeDeploy
<a name="awscodedeploy-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscodedeploy-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codedeploy/latest/userguide/auth-and-access-control-permissions-reference.html](https://docs.aws.amazon.com/codedeploy/latest/userguide/auth-and-access-control-permissions-reference.html)  |  arn:\$1\$1Partition\$1:codedeploy:\$1\$1Region\$1:\$1\$1Account\$1:application:\$1\$1ApplicationName\$1  |   [#awscodedeploy-aws_ResourceTag___TagKey_](#awscodedeploy-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codedeploy/latest/userguide/auth-and-access-control-permissions-reference.html](https://docs.aws.amazon.com/codedeploy/latest/userguide/auth-and-access-control-permissions-reference.html)  |  arn:\$1\$1Partition\$1:codedeploy:\$1\$1Region\$1:\$1\$1Account\$1:deploymentconfig:\$1\$1DeploymentConfigurationName\$1  |  | 
|   [https://docs.aws.amazon.com/codedeploy/latest/userguide/auth-and-access-control-permissions-reference.html](https://docs.aws.amazon.com/codedeploy/latest/userguide/auth-and-access-control-permissions-reference.html)  |  arn:\$1\$1Partition\$1:codedeploy:\$1\$1Region\$1:\$1\$1Account\$1:deploymentgroup:\$1\$1ApplicationName\$1/\$1\$1DeploymentGroupName\$1  |   [#awscodedeploy-aws_ResourceTag___TagKey_](#awscodedeploy-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codedeploy/latest/userguide/auth-and-access-control-permissions-reference.html](https://docs.aws.amazon.com/codedeploy/latest/userguide/auth-and-access-control-permissions-reference.html)  |  arn:\$1\$1Partition\$1:codedeploy:\$1\$1Region\$1:\$1\$1Account\$1:instance:\$1\$1InstanceName\$1  |  | 

## Condition keys for AWS CodeDeploy
<a name="awscodedeploy-policy-keys"></a>

AWS CodeDeploy defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS CodeDeploy secure host commands service
<a name="list_awscodedeploysecurehostcommandsservice"></a>

AWS CodeDeploy secure host commands service (service prefix: `codedeploy-commands-secure`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration) permission policies.

**Topics**
+ [

## Actions defined by AWS CodeDeploy secure host commands service
](#awscodedeploysecurehostcommandsservice-actions-as-permissions)
+ [

## Resource types defined by AWS CodeDeploy secure host commands service
](#awscodedeploysecurehostcommandsservice-resources-for-iam-policies)
+ [

## Condition keys for AWS CodeDeploy secure host commands service
](#awscodedeploysecurehostcommandsservice-policy-keys)

## Actions defined by AWS CodeDeploy secure host commands service
<a name="awscodedeploysecurehostcommandsservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscodedeploysecurehostcommandsservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration)  | Grants permission to get deployment specification | Read |  |  |  | 
|   [https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration)  | Grants permission to request host agent commands | Read |  |  |  | 
|   [https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration)  | Grants permission to mark host agent commands acknowledged | Write |  |  |  | 
|   [https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration)  | Grants permission to mark host agent commands completed | Write |  |  |  | 

## Resource types defined by AWS CodeDeploy secure host commands service
<a name="awscodedeploysecurehostcommandsservice-resources-for-iam-policies"></a>

AWS CodeDeploy secure host commands service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS CodeDeploy secure host commands service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS CodeDeploy secure host commands service
<a name="awscodedeploysecurehostcommandsservice-policy-keys"></a>

CodeDeploy Commands Secure has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon CodeGuru
<a name="list_amazoncodeguru"></a>

Amazon CodeGuru (service prefix: `codeguru`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codeguru/latest/profiler-ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codeguru/latest/profiler-api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codeguru/latest/profiler-ug/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CodeGuru
](#amazoncodeguru-actions-as-permissions)
+ [

## Resource types defined by Amazon CodeGuru
](#amazoncodeguru-resources-for-iam-policies)
+ [

## Condition keys for Amazon CodeGuru
](#amazoncodeguru-policy-keys)

## Actions defined by Amazon CodeGuru
<a name="amazoncodeguru-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncodeguru-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/codeguru/latest/profiler-api/API_GetCodeGuruFreeTrialSummary.html](https://docs.aws.amazon.com/codeguru/latest/profiler-api/API_GetCodeGuruFreeTrialSummary.html) [permission only] | Grants permission to get free trial summary for the CodeGuru service which includes expiration date | Read |  |  |  | 

## Resource types defined by Amazon CodeGuru
<a name="amazoncodeguru-resources-for-iam-policies"></a>

Amazon CodeGuru does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon CodeGuru, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon CodeGuru
<a name="amazoncodeguru-policy-keys"></a>

CodeGuru has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon CodeGuru Profiler
<a name="list_amazoncodeguruprofiler"></a>

Amazon CodeGuru Profiler (service prefix: `codeguru-profiler`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codeguru/latest/profiler-ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codeguru/latest/profiler-api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codeguru/latest/profiler-ug/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CodeGuru Profiler
](#amazoncodeguruprofiler-actions-as-permissions)
+ [

## Resource types defined by Amazon CodeGuru Profiler
](#amazoncodeguruprofiler-resources-for-iam-policies)
+ [

## Condition keys for Amazon CodeGuru Profiler
](#amazoncodeguruprofiler-policy-keys)

## Actions defined by Amazon CodeGuru Profiler
<a name="amazoncodeguruprofiler-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncodeguruprofiler-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguruprofiler.html)

## Resource types defined by Amazon CodeGuru Profiler
<a name="amazoncodeguruprofiler-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncodeguruprofiler-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codeguru/latest/profiler-ug/working-with-profiling-groups.html](https://docs.aws.amazon.com/codeguru/latest/profiler-ug/working-with-profiling-groups.html)  |  arn:\$1\$1Partition\$1:codeguru-profiler:\$1\$1Region\$1:\$1\$1Account\$1:profilingGroup/\$1\$1ProfilingGroupName\$1  |   [#amazoncodeguruprofiler-aws_ResourceTag___TagKey_](#amazoncodeguruprofiler-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CodeGuru Profiler
<a name="amazoncodeguruprofiler-policy-keys"></a>

Amazon CodeGuru Profiler defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CodeGuru Reviewer
<a name="list_amazoncodegurureviewer"></a>

Amazon CodeGuru Reviewer (service prefix: `codeguru-reviewer`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codeguru/latest/reviewer-api/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CodeGuru Reviewer
](#amazoncodegurureviewer-actions-as-permissions)
+ [

## Resource types defined by Amazon CodeGuru Reviewer
](#amazoncodegurureviewer-resources-for-iam-policies)
+ [

## Condition keys for Amazon CodeGuru Reviewer
](#amazoncodegurureviewer-policy-keys)

## Actions defined by Amazon CodeGuru Reviewer
<a name="amazoncodegurureviewer-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncodegurureviewer-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodegurureviewer.html)

## Resource types defined by Amazon CodeGuru Reviewer
<a name="amazoncodegurureviewer-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncodegurureviewer-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/working-with-repositories.html](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/working-with-repositories.html)  |  arn:\$1\$1Partition\$1:codeguru-reviewer:\$1\$1Region\$1:\$1\$1Account\$1:association:\$1\$1ResourceId\$1  |   [#amazoncodegurureviewer-aws_ResourceTag___TagKey_](#amazoncodegurureviewer-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/code-reviews.html](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/code-reviews.html)  |  arn:\$1\$1Partition\$1:codeguru-reviewer:\$1\$1Region\$1:\$1\$1Account\$1:association:\$1\$1ResourceId\$1:codereview:\$1\$1CodeReviewId\$1  |  | 

## Condition keys for Amazon CodeGuru Reviewer
<a name="amazoncodegurureviewer-policy-keys"></a>

Amazon CodeGuru Reviewer defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon CodeGuru Security
<a name="list_amazoncodegurusecurity"></a>

Amazon CodeGuru Security (service prefix: `codeguru-security`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codeguru/latest/security-ug/what-is-codeguru-security.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codeguru/latest/security-api/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codeguru/latest/security-ug/permissions-reference.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CodeGuru Security
](#amazoncodegurusecurity-actions-as-permissions)
+ [

## Resource types defined by Amazon CodeGuru Security
](#amazoncodegurusecurity-resources-for-iam-policies)
+ [

## Condition keys for Amazon CodeGuru Security
](#amazoncodegurusecurity-policy-keys)

## Actions defined by Amazon CodeGuru Security
<a name="amazoncodegurusecurity-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncodegurusecurity-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodegurusecurity.html)

## Resource types defined by Amazon CodeGuru Security
<a name="amazoncodegurusecurity-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncodegurusecurity-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codeguru/latest/security-ug/working-with-code-scans.html](https://docs.aws.amazon.com/codeguru/latest/security-ug/working-with-code-scans.html)  |  arn:\$1\$1Partition\$1:codeguru-security:\$1\$1Region\$1:\$1\$1Account\$1:scans/\$1\$1ScanName\$1  |   [#amazoncodegurusecurity-aws_ResourceTag___TagKey_](#amazoncodegurusecurity-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CodeGuru Security
<a name="amazoncodegurusecurity-policy-keys"></a>

Amazon CodeGuru Security defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS CodePipeline
<a name="list_awscodepipeline"></a>

AWS CodePipeline (service prefix: `codepipeline`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codepipeline/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codepipeline/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codepipeline/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CodePipeline
](#awscodepipeline-actions-as-permissions)
+ [

## Resource types defined by AWS CodePipeline
](#awscodepipeline-resources-for-iam-policies)
+ [

## Condition keys for AWS CodePipeline
](#awscodepipeline-policy-keys)

## Actions defined by AWS CodePipeline
<a name="awscodepipeline-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscodepipeline-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodepipeline.html)

## Resource types defined by AWS CodePipeline
<a name="awscodepipeline-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscodepipeline-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codepipeline/latest/userguide/iam-access-control-identity-based.html#ACP_ARN_Format](https://docs.aws.amazon.com/codepipeline/latest/userguide/iam-access-control-identity-based.html#ACP_ARN_Format)  |  arn:\$1\$1Partition\$1:codepipeline:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1PipelineName\$1/\$1\$1StageName\$1/\$1\$1ActionName\$1  |   [#awscodepipeline-aws_ResourceTag___TagKey_](#awscodepipeline-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codepipeline/latest/userguide/iam-access-control-identity-based.html#ACP_ARN_Format](https://docs.aws.amazon.com/codepipeline/latest/userguide/iam-access-control-identity-based.html#ACP_ARN_Format)  |  arn:\$1\$1Partition\$1:codepipeline:\$1\$1Region\$1:\$1\$1Account\$1:actiontype:\$1\$1Owner\$1/\$1\$1Category\$1/\$1\$1Provider\$1/\$1\$1Version\$1  |   [#awscodepipeline-aws_ResourceTag___TagKey_](#awscodepipeline-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codepipeline/latest/userguide/iam-access-control-identity-based.html#ACP_ARN_Format](https://docs.aws.amazon.com/codepipeline/latest/userguide/iam-access-control-identity-based.html#ACP_ARN_Format)  |  arn:\$1\$1Partition\$1:codepipeline:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1PipelineName\$1  |   [#awscodepipeline-aws_ResourceTag___TagKey_](#awscodepipeline-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codepipeline/latest/userguide/iam-access-control-identity-based.html#ACP_ARN_Format](https://docs.aws.amazon.com/codepipeline/latest/userguide/iam-access-control-identity-based.html#ACP_ARN_Format)  |  arn:\$1\$1Partition\$1:codepipeline:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1PipelineName\$1/\$1\$1StageName\$1  |   [#awscodepipeline-aws_ResourceTag___TagKey_](#awscodepipeline-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codepipeline/latest/userguide/iam-access-control-identity-based.html#ACP_ARN_Format](https://docs.aws.amazon.com/codepipeline/latest/userguide/iam-access-control-identity-based.html#ACP_ARN_Format)  |  arn:\$1\$1Partition\$1:codepipeline:\$1\$1Region\$1:\$1\$1Account\$1:webhook:\$1\$1WebhookName\$1  |   [#awscodepipeline-aws_ResourceTag___TagKey_](#awscodepipeline-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS CodePipeline
<a name="awscodepipeline-policy-keys"></a>

AWS CodePipeline defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS CodeStar
<a name="list_awscodestar"></a>

AWS CodeStar (service prefix: `codestar`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codestar/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codestar/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codestar/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CodeStar
](#awscodestar-actions-as-permissions)
+ [

## Resource types defined by AWS CodeStar
](#awscodestar-resources-for-iam-policies)
+ [

## Condition keys for AWS CodeStar
](#awscodestar-policy-keys)

## Actions defined by AWS CodeStar
<a name="awscodestar-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscodestar-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestar.html)

## Resource types defined by AWS CodeStar
<a name="awscodestar-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscodestar-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codestar/latest/userguide/working-with-projects.html](https://docs.aws.amazon.com/codestar/latest/userguide/working-with-projects.html)  |  arn:\$1\$1Partition\$1:codestar:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ProjectId\$1  |   [#awscodestar-aws_ResourceTag___TagKey_](#awscodestar-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codestar/latest/userguide/working-with-user-info.html](https://docs.aws.amazon.com/codestar/latest/userguide/working-with-user-info.html)  |  arn:\$1\$1Partition\$1:iam::\$1\$1Account\$1:user/\$1\$1AwsUserName\$1  |   [#awscodestar-iam_ResourceTag___TagKey_](#awscodestar-iam_ResourceTag___TagKey_)   | 

## Condition keys for AWS CodeStar
<a name="awscodestar-policy-keys"></a>

AWS CodeStar defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   aws:RequestTag/\$1\$1TagKey\$1  | Filters access by requests based on the allowed set of values for each of the tags | String | 
|   aws:ResourceTag/\$1\$1TagKey\$1  | Filters access by actions based on tag-value associated with the resource | String | 
|   aws:TagKeys  | Filters access by requests based on the presence of mandatory tags in the request | ArrayOfString | 
|   iam:ResourceTag/\$1\$1TagKey\$1  | Filters access by actions based on tag-value associated with the resource | String | 

# Actions, resources, and condition keys for AWS CodeStar Connections
<a name="list_awscodestarconnections"></a>

AWS CodeStar Connections (service prefix: `codestar-connections`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/dtconsole/latest/userguide/welcome-connections.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codestar-connections/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CodeStar Connections
](#awscodestarconnections-actions-as-permissions)
+ [

## Resource types defined by AWS CodeStar Connections
](#awscodestarconnections-resources-for-iam-policies)
+ [

## Condition keys for AWS CodeStar Connections
](#awscodestarconnections-policy-keys)

## Actions defined by AWS CodeStar Connections
<a name="awscodestarconnections-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscodestarconnections-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarconnections.html)

## Resource types defined by AWS CodeStar Connections
<a name="awscodestarconnections-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscodestarconnections-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/connections.html](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections.html)  |  arn:\$1\$1Partition\$1:codestar-connections:\$1\$1Region\$1:\$1\$1Account\$1:connection/\$1\$1ConnectionId\$1  |   [#awscodestarconnections-aws_ResourceTag___TagKey_](#awscodestarconnections-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-hosts.html](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-hosts.html)  |  arn:\$1\$1Partition\$1:codestar-connections:\$1\$1Region\$1:\$1\$1Account\$1:host/\$1\$1HostId\$1  |   [#awscodestarconnections-aws_ResourceTag___TagKey_](#awscodestarconnections-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/repositorylinks.html](https://docs.aws.amazon.com/dtconsole/latest/userguide/repositorylinks.html)  |  arn:\$1\$1Partition\$1:codestar-connections:\$1\$1Region\$1:\$1\$1Account\$1:repository-link/\$1\$1RepositoryLinkId\$1  |   [#awscodestarconnections-aws_ResourceTag___TagKey_](#awscodestarconnections-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS CodeStar Connections
<a name="awscodestarconnections-policy-keys"></a>

AWS CodeStar Connections defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-handshake](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-handshake)  | Filters access by the branch name that is passed in the request | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use)  | Filters access by the branch name that is passed in the request. Applies only to UseConnection requests for access to a specific repository branch | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use)  | Filters access by the repository that is passed in the request. Applies only to UseConnection requests for access to a specific repository | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-hosts](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-hosts)  | Filters access by the host resource associated with the connection used in the request | ARN | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-handshake](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-handshake)  | Filters access by the third-party ID (such as the Bitbucket App installation ID for CodeStar Connections) that is used to update a Connection. Allows you to restrict which third-party App installations can be used to make a Connection | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use)  | Filters access by the owner of the third-party repository. Applies only to UseConnection requests for access to repositories owned by a specific user | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-passconnection](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-passconnection)  | Filters access by the service to which the principal is allowed to pass a Connection or RepositoryLink | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-access](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-access)  | Filters access by the provider action in a UseConnection request such as ListRepositories. See documentation for all valid values | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use)  | Filters access by the write permissions of a provider action in a UseConnection request. Valid types include read\$1only and read\$1write | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-managing](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-managing)  | Filters access by the type of third-party provider passed in the request | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-managing](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-managing)  | Filters access by the type of third-party provider used to filter results | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use)  | Filters access by the repository name that is passed in the request. Applies only to UseConnection requests for access to repositories owned by a specific user | String | 
|   [https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-hosts](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-hosts)  | Filters access by the VpcId passed in the request | String | 

# Actions, resources, and condition keys for AWS CodeStar Notifications
<a name="list_awscodestarnotifications"></a>

AWS CodeStar Notifications (service prefix: `codestar-notifications`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codestar-notifications/latest/userguide/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codestar-notifications/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codestar-notifications/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS CodeStar Notifications
](#awscodestarnotifications-actions-as-permissions)
+ [

## Resource types defined by AWS CodeStar Notifications
](#awscodestarnotifications-resources-for-iam-policies)
+ [

## Condition keys for AWS CodeStar Notifications
](#awscodestarnotifications-policy-keys)

## Actions defined by AWS CodeStar Notifications
<a name="awscodestarnotifications-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscodestarnotifications-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarnotifications.html)

## Resource types defined by AWS CodeStar Notifications
<a name="awscodestarnotifications-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscodestarnotifications-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codestar-notifications/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/codestar-notifications/latest/userguide/security_iam_service-with-iam.html)  |  arn:\$1\$1Partition\$1:codestar-notifications:\$1\$1Region\$1:\$1\$1Account\$1:notificationrule/\$1\$1NotificationRuleId\$1  |   [#awscodestarnotifications-aws_ResourceTag___TagKey_](#awscodestarnotifications-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS CodeStar Notifications
<a name="awscodestarnotifications-policy-keys"></a>

AWS CodeStar Notifications defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/codestar-notifications/latest/userguide/security_iam_id-based-policy-examples.html](https://docs.aws.amazon.com/codestar-notifications/latest/userguide/security_iam_id-based-policy-examples.html)  | Filters access based on the ARN of the resource for which notifications are configured | ARN | 

# Actions, resources, and condition keys for Amazon CodeWhisperer
<a name="list_amazoncodewhisperer"></a>

Amazon CodeWhisperer (service prefix: `codewhisperer`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/codewhisperer/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/codewhisperer/latest/userguide/security_iam_id-based-policy-examples.html#permissions-required-console/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/codewhisperer/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon CodeWhisperer
](#amazoncodewhisperer-actions-as-permissions)
+ [

## Resource types defined by Amazon CodeWhisperer
](#amazoncodewhisperer-resources-for-iam-policies)
+ [

## Condition keys for Amazon CodeWhisperer
](#amazoncodewhisperer-policy-keys)

## Actions defined by Amazon CodeWhisperer
<a name="amazoncodewhisperer-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncodewhisperer-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodewhisperer.html)

## Resource types defined by Amazon CodeWhisperer
<a name="amazoncodewhisperer-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncodewhisperer-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codewhisperer/latest/userguide/as-whisper-admin.html#about-profiles](https://docs.aws.amazon.com/codewhisperer/latest/userguide/as-whisper-admin.html#about-profiles)  |  arn:\$1\$1Partition\$1:codewhisperer:\$1\$1Region\$1:\$1\$1Account\$1:profile/\$1\$1Identifier\$1  |   [#amazoncodewhisperer-aws_ResourceTag___TagKey_](#amazoncodewhisperer-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/codewhisperer/latest/userguide/as-whisper-admin.html#about-customizations](https://docs.aws.amazon.com/codewhisperer/latest/userguide/as-whisper-admin.html#about-customizations)  |  arn:\$1\$1Partition\$1:codewhisperer:\$1\$1Region\$1:\$1\$1Account\$1:customization/\$1\$1Identifier\$1  |   [#amazoncodewhisperer-aws_ResourceTag___TagKey_](#amazoncodewhisperer-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon CodeWhisperer
<a name="amazoncodewhisperer-policy-keys"></a>

Amazon CodeWhisperer defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/codewhisperer/latest/userguide/codewhisperer-setup-enterprise-admin.html](https://docs.aws.amazon.com/codewhisperer/latest/userguide/codewhisperer-setup-enterprise-admin.html)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/codewhisperer/latest/userguide/codewhisperer-setup-enterprise-admin.html](https://docs.aws.amazon.com/codewhisperer/latest/userguide/codewhisperer-setup-enterprise-admin.html)  | Filters access by the tags associated with CodeWhisperer resource | String | 
|   [https://docs.aws.amazon.com/codewhisperer/latest/userguide/codewhisperer-setup-enterprise-admin.html](https://docs.aws.amazon.com/codewhisperer/latest/userguide/codewhisperer-setup-enterprise-admin.html)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Cognito Identity
<a name="list_amazoncognitoidentity"></a>

Amazon Cognito Identity (service prefix: `cognito-identity`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cognito/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Cognito Identity
](#amazoncognitoidentity-actions-as-permissions)
+ [

## Resource types defined by Amazon Cognito Identity
](#amazoncognitoidentity-resources-for-iam-policies)
+ [

## Condition keys for Amazon Cognito Identity
](#amazoncognitoidentity-policy-keys)

## Actions defined by Amazon Cognito Identity
<a name="amazoncognitoidentity-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncognitoidentity-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitoidentity.html)

## Resource types defined by Amazon Cognito Identity
<a name="amazoncognitoidentity-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncognitoidentity-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html)  |  arn:\$1\$1Partition\$1:cognito-identity:\$1\$1Region\$1:\$1\$1Account\$1:identitypool/\$1\$1IdentityPoolId\$1  |   [#amazoncognitoidentity-aws_ResourceTag___TagKey_](#amazoncognitoidentity-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Cognito Identity
<a name="amazoncognitoidentity-policy-keys"></a>

Amazon Cognito Identity defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a key that is present in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-auth-account-id](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-auth-account-id)  | Filters access by the owning AWS account ID for identity pool authenticated users. Applies to unauthenticated (public) API operations | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-auth-identity-pool-arn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-auth-identity-pool-arn)  | Filters access by the identity pool ID for a given authenticated-user identity ID. Applies to unauthenticated (public) API operations | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-unauth-account-id](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-unauth-account-id)  | Filters access by the owning AWS account ID of an identity pool for identity pool guest users. Applies to unauthenticated (public) API operations | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-unauth-identity-pool-arn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-unauth-identity-pool-arn)  | Filters access by the identity pool ID for a given guest-user identity ID. Applies to unauthenticated (public) API operations | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-identity-pool-arn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-identity-pool-arn)  | Filters access by the identity pool ID for a given identity ID for DeleteIdentities and DescribeIdentity | ARN | 

# Actions, resources, and condition keys for Amazon Cognito Sync
<a name="list_amazoncognitosync"></a>

Amazon Cognito Sync (service prefix: `cognito-sync`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sync.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cognitosync/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cognito/latest/developerguide/resource-permissions.html#amazon-cognito-amazon-resource-names) permission policies.

**Topics**
+ [

## Actions defined by Amazon Cognito Sync
](#amazoncognitosync-actions-as-permissions)
+ [

## Resource types defined by Amazon Cognito Sync
](#amazoncognitosync-resources-for-iam-policies)
+ [

## Condition keys for Amazon Cognito Sync
](#amazoncognitosync-policy-keys)

## Actions defined by Amazon Cognito Sync
<a name="amazoncognitosync-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncognitosync-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_BulkPublish.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_BulkPublish.html)  | Grants permission to initiate a bulk publish of all existing datasets for an Identity Pool to the configured stream | Write |   [#amazoncognitosync-identitypool](#amazoncognitosync-identitypool)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_DeleteDataset.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_DeleteDataset.html)  | Grants permission to delete a specific dataset | Write |   [#amazoncognitosync-dataset](#amazoncognitosync-dataset)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_DescribeDataset.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_DescribeDataset.html)  | Grants permission to get metadata about a dataset by identity and dataset name | Read |   [#amazoncognitosync-dataset](#amazoncognitosync-dataset)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_DescribeIdentityPoolUsage.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_DescribeIdentityPoolUsage.html)  | Grants permission to get usage details (for example, data storage) about a particular identity pool | Read |   [#amazoncognitosync-identitypool](#amazoncognitosync-identitypool)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_DescribeIdentityUsage.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_DescribeIdentityUsage.html)  | Grants permission to get usage information for an identity, including number of datasets and data usage | Read |   [#amazoncognitosync-identity](#amazoncognitosync-identity)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_GetBulkPublishDetails.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_GetBulkPublishDetails.html)  | Grants permission to get the status of the last BulkPublish operation for an identity pool | Read |   [#amazoncognitosync-identitypool](#amazoncognitosync-identitypool)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_GetCognitoEvents.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_GetCognitoEvents.html)  | Grants permission to get the events and the corresponding Lambda functions associated with an identity pool | Read |   [#amazoncognitosync-identitypool](#amazoncognitosync-identitypool)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_GetIdentityPoolConfiguration.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_GetIdentityPoolConfiguration.html)  | Grants permission to get the configuration settings of an identity pool | Read |   [#amazoncognitosync-identitypool](#amazoncognitosync-identitypool)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_ListDatasets.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_ListDatasets.html)  | Grants permission to list datasets for an identity | List |   [#amazoncognitosync-dataset](#amazoncognitosync-dataset)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_ListIdentityPoolUsage.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_ListIdentityPoolUsage.html)  | Grants permission to get a list of identity pools registered with Cognito | Read |   [#amazoncognitosync-identitypool](#amazoncognitosync-identitypool)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_ListRecords.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_ListRecords.html)  | Grants permission to get paginated records, optionally changed after a particular sync count for a dataset and identity | Read |   [#amazoncognitosync-dataset](#amazoncognitosync-dataset)   |  |  | 
|   QueryRecords [permission only] | Grants permission to query records | Read |  |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_RegisterDevice.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_RegisterDevice.html)  | Grants permission to register a device to receive push sync notifications | Write |   [#amazoncognitosync-identity](#amazoncognitosync-identity)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_SetCognitoEvents.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_SetCognitoEvents.html)  | Grants permission to set the AWS Lambda function for a given event type for an identity pool | Write |   [#amazoncognitosync-identitypool](#amazoncognitosync-identitypool)   |  |  | 
|   SetDatasetConfiguration [permission only] | Grants permission to configure datasets | Write |   [#amazoncognitosync-dataset](#amazoncognitosync-dataset)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_SetIdentityPoolConfiguration.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_SetIdentityPoolConfiguration.html)  | Grants permission to set the necessary configuration for push sync | Write |   [#amazoncognitosync-identitypool](#amazoncognitosync-identitypool)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_SubscribeToDataset.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_SubscribeToDataset.html)  | Grants permission to subscribe to receive notifications when a dataset is modified by another device | Write |   [#amazoncognitosync-dataset](#amazoncognitosync-dataset)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_UnsubscribeFromDataset.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_UnsubscribeFromDataset.html)  | Grants permission to unsubscribe from receiving notifications when a dataset is modified by another device | Write |   [#amazoncognitosync-dataset](#amazoncognitosync-dataset)   |  |  | 
|   [https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_UpdateRecords.html](https://docs.aws.amazon.com/cognitosync/latest/APIReference/API_UpdateRecords.html)  | Grants permission to post updates to records and add and delete records for a dataset and user | Write |   [#amazoncognitosync-dataset](#amazoncognitosync-dataset)   |  |  | 

## Resource types defined by Amazon Cognito Sync
<a name="amazoncognitosync-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncognitosync-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cognito/latest/developerguide/synchronizing-data.html#understanding-datasets](https://docs.aws.amazon.com/cognito/latest/developerguide/synchronizing-data.html#understanding-datasets)  |  arn:\$1\$1Partition\$1:cognito-sync:\$1\$1Region\$1:\$1\$1Account\$1:identitypool/\$1\$1IdentityPoolId\$1/identity/\$1\$1IdentityId\$1/dataset/\$1\$1DatasetName\$1  |  | 
|   [https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html#authenticated-and-unauthenticated-identities](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html#authenticated-and-unauthenticated-identities)  |  arn:\$1\$1Partition\$1:cognito-sync:\$1\$1Region\$1:\$1\$1Account\$1:identitypool/\$1\$1IdentityPoolId\$1/identity/\$1\$1IdentityId\$1  |  | 
|   [https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html)  |  arn:\$1\$1Partition\$1:cognito-sync:\$1\$1Region\$1:\$1\$1Account\$1:identitypool/\$1\$1IdentityPoolId\$1  |  | 

## Condition keys for Amazon Cognito Sync
<a name="amazoncognitosync-policy-keys"></a>

Cognito Sync has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Cognito User Pools
<a name="list_amazoncognitouserpools"></a>

Amazon Cognito User Pools (service prefix: `cognito-idp`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cognito/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cognito/latest/developerguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Cognito User Pools
](#amazoncognitouserpools-actions-as-permissions)
+ [

## Resource types defined by Amazon Cognito User Pools
](#amazoncognitouserpools-resources-for-iam-policies)
+ [

## Condition keys for Amazon Cognito User Pools
](#amazoncognitouserpools-policy-keys)

## Actions defined by Amazon Cognito User Pools
<a name="amazoncognitouserpools-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncognitouserpools-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitouserpools.html)

## Resource types defined by Amazon Cognito User Pools
<a name="amazoncognitouserpools-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncognitouserpools-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html)  |  arn:\$1\$1Partition\$1:cognito-idp:\$1\$1Region\$1:\$1\$1Account\$1:userpool/\$1\$1UserPoolId\$1  |   [#amazoncognitouserpools-aws_ResourceTag___TagKey_](#amazoncognitouserpools-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html)  |  arn:\$1\$1Partition\$1:wafv2:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1Scope\$1/webacl/\$1\$1Name\$1/\$1\$1Id\$1  |  | 

## Condition keys for Amazon Cognito User Pools
<a name="amazoncognitouserpools-policy-keys"></a>

Amazon Cognito User Pools defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a key that is present in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Comprehend
<a name="list_amazoncomprehend"></a>

Amazon Comprehend (service prefix: `comprehend`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/comprehend/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/comprehend/latest/APIReference/welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/comprehend/latest/dg/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Comprehend
](#amazoncomprehend-actions-as-permissions)
+ [

## Resource types defined by Amazon Comprehend
](#amazoncomprehend-resources-for-iam-policies)
+ [

## Condition keys for Amazon Comprehend
](#amazoncomprehend-policy-keys)

## Actions defined by Amazon Comprehend
<a name="amazoncomprehend-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncomprehend-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehend.html)

## Resource types defined by Amazon Comprehend
<a name="amazoncomprehend-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncomprehend-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartTargetedSentimentDetectionJob.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartTargetedSentimentDetectionJob.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:targeted-sentiment-detection-job/\$1\$1JobId\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/dg/how-document-classification-training.html](https://docs.aws.amazon.com/comprehend/latest/dg/how-document-classification-training.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:document-classifier/\$1\$1DocumentClassifierName\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/dg/manage-endpoints.html](https://docs.aws.amazon.com/comprehend/latest/dg/manage-endpoints.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:document-classifier-endpoint/\$1\$1DocumentClassifierEndpointName\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/dg/training-recognizers.html](https://docs.aws.amazon.com/comprehend/latest/dg/training-recognizers.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:entity-recognizer/\$1\$1EntityRecognizerName\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/dg/manage-endpoints.html](https://docs.aws.amazon.com/comprehend/latest/dg/manage-endpoints.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:entity-recognizer-endpoint/\$1\$1EntityRecognizerEndpointName\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartDominantLanguageDetectionJob.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartDominantLanguageDetectionJob.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:dominant-language-detection-job/\$1\$1JobId\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartEntitiesDetectionJob.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartEntitiesDetectionJob.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:entities-detection-job/\$1\$1JobId\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartPiiEntitiesDetectionJob.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartPiiEntitiesDetectionJob.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:pii-entities-detection-job/\$1\$1JobId\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartEventsDetectionJob.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartEventsDetectionJob.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:events-detection-job/\$1\$1JobId\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartKeyPhrasesDetectionJob.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartKeyPhrasesDetectionJob.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:key-phrases-detection-job/\$1\$1JobId\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartSentimentDetectionJob.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartSentimentDetectionJob.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:sentiment-detection-job/\$1\$1JobId\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartTopicsDetectionJob.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartTopicsDetectionJob.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:topics-detection-job/\$1\$1JobId\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartDocumentClassificationJob.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_StartDocumentClassificationJob.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:document-classification-job/\$1\$1JobId\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_CreateFlywheel.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_CreateFlywheel.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:flywheel/\$1\$1FlywheelName\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/comprehend/latest/APIReference/API_CreateDataset.html](https://docs.aws.amazon.com/comprehend/latest/APIReference/API_CreateDataset.html)  |  arn:\$1\$1Partition\$1:comprehend:\$1\$1Region\$1:\$1\$1Account\$1:flywheel/\$1\$1FlywheelName\$1/dataset/\$1\$1DatasetName\$1  |   [#amazoncomprehend-aws_ResourceTag___TagKey_](#amazoncomprehend-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Comprehend
<a name="amazoncomprehend-policy-keys"></a>

Amazon Comprehend defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by requiring tag values present in a resource creation request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by requiring tag value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by requiring the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys)  | Filters access by the DataLake Kms Key associated with the flywheel resource in the request | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys)  | Filters access by particular Iteration Id for a flywheel | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys)  | Filters access by the model KMS key associated with the resource in the request | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys)  | Filters access by the output KMS key associated with the resource in the request | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys)  | Filters access by the volume KMS key associated with the resource in the request | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys)  | Filters access by the list of all VPC security group ids associated with the resource in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncomprehend.html#amazoncomprehend-policy-keys)  | Filters access by the list of all VPC subnets associated with the resource in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Comprehend Medical
<a name="list_amazoncomprehendmedical"></a>

Amazon Comprehend Medical (service prefix: `comprehendmedical`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/comprehend-medical/latest/dev/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/comprehend-medical/latest/api/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/comprehend-medical/latest/dev/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Comprehend Medical
](#amazoncomprehendmedical-actions-as-permissions)
+ [

## Resource types defined by Amazon Comprehend Medical
](#amazoncomprehendmedical-resources-for-iam-policies)
+ [

## Condition keys for Amazon Comprehend Medical
](#amazoncomprehendmedical-policy-keys)

## Actions defined by Amazon Comprehend Medical
<a name="amazoncomprehendmedical-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoncomprehendmedical-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DescribeEntitiesDetectionV2Job.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DescribeEntitiesDetectionV2Job.html)  | Grants permission to describe the properties of a medical entity detection job that you have submitted | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DescribeICD10CMInferenceJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DescribeICD10CMInferenceJob.html)  | Grants permission to describe the properties of an ICD-10-CM linking job that you have submitted | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DescribePHIDetectionJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DescribePHIDetectionJob.html)  | Grants permission to describe the properties of a PHI entity detection job that you have submitted | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DescribeRxNormInferenceJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DescribeRxNormInferenceJob.html)  | Grants permission to describe the properties of an RxNorm linking job that you have submitted | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DescribeSNOMEDCTInferenceJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DescribeSNOMEDCTInferenceJob.html)  | Grants permission to describe the properties of a SNOMED-CT linking job that you have submitted | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DetectEntitiesV2.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DetectEntitiesV2.html)  | Grants permission to detect the named medical entities, and their relationships and traits within the given text document | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DetectPHI.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_DetectPHI.html)  | Grants permission to detect the protected health information (PHI) entities within the given text document | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_InferICD10CM.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_InferICD10CM.html)  | Grants permission to detect the medical condition entities within the given text document and link them to ICD-10-CM codes | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_InferRxNorm.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_InferRxNorm.html)  | Grants permission to detect the medication entities within the given text document and link them to RxCUI concept identifiers from the National Library of Medicine RxNorm database | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_InferSNOMEDCT.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_InferSNOMEDCT.html)  | Grants permission to detect the medical condition, anatomy, and test, treatment, and procedure entities within the given text document and link them to SNOMED-CT codes | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_ListEntitiesDetectionV2Jobs.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_ListEntitiesDetectionV2Jobs.html)  | Grants permission to list the medical entity detection jobs that you have submitted | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_ListICD10CMInferenceJobs.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_ListICD10CMInferenceJobs.html)  | Grants permission to list the ICD-10-CM linking jobs that you have submitted | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_ListPHIDetectionJobs.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_ListPHIDetectionJobs.html)  | Grants permission to list the PHI entity detection jobs that you have submitted | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_ListRxNormInferenceJobs.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_ListRxNormInferenceJobs.html)  | Grants permission to list the RxNorm linking jobs that you have submitted | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_ListSNOMEDCTInferenceJobs.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_ListSNOMEDCTInferenceJobs.html)  | Grants permission to list the SNOMED-CT linking jobs that you have submitted | Read |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StartEntitiesDetectionV2Job.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StartEntitiesDetectionV2Job.html)  | Grants permission to start an asynchronous medical entity detection job for a collection of documents | Write |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StartICD10CMInferenceJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StartICD10CMInferenceJob.html)  | Grants permission to start an asynchronous ICD-10-CM linking job for a collection of documents | Write |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StartPHIDetectionJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StartPHIDetectionJob.html)  | Grants permission to start an asynchronous PHI entity detection job for a collection of documents | Write |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StartRxNormInferenceJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StartRxNormInferenceJob.html)  | Grants permission to start an asynchronous RxNorm linking job for a collection of documents | Write |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StartSNOMEDCTInferenceJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StartSNOMEDCTInferenceJob.html)  | Grants permission to start an asynchronous SNOMED-CT linking job for a collection of documents | Write |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StopEntitiesDetectionV2Job.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StopEntitiesDetectionV2Job.html)  | Grants permission to stop a medical entity detection job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StopICD10CMInferenceJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StopICD10CMInferenceJob.html)  | Grants permission to stop an ICD-10-CM linking job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StopPHIDetectionJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StopPHIDetectionJob.html)  | Grants permission to stop a PHI entity detection job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StopRxNormInferenceJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StopRxNormInferenceJob.html)  | Grants permission to stop an RxNorm linking job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StopSNOMEDCTInferenceJob.html](https://docs.aws.amazon.com/comprehend-medical/latest/api/API_StopSNOMEDCTInferenceJob.html)  | Grants permission to stop a SNOMED-CT linking job | Write |  |  |  | 

## Resource types defined by Amazon Comprehend Medical
<a name="amazoncomprehendmedical-resources-for-iam-policies"></a>

Amazon Comprehend Medical does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Comprehend Medical, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Comprehend Medical
<a name="amazoncomprehendmedical-policy-keys"></a>

Amazon Comprehend Medical defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Compute Optimizer
<a name="list_awscomputeoptimizer"></a>

AWS Compute Optimizer (service prefix: `compute-optimizer`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/compute-optimizer/latest/ug/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/compute-optimizer/latest/ug/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Compute Optimizer
](#awscomputeoptimizer-actions-as-permissions)
+ [

## Resource types defined by AWS Compute Optimizer
](#awscomputeoptimizer-resources-for-iam-policies)
+ [

## Condition keys for AWS Compute Optimizer
](#awscomputeoptimizer-policy-keys)

## Actions defined by AWS Compute Optimizer
<a name="awscomputeoptimizer-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscomputeoptimizer-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_DeleteRecommendationPreferences.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_DeleteRecommendationPreferences.html)  | Grants permission to delete recommendation preferences | Write |  |   [#awscomputeoptimizer-compute-optimizer_ResourceType](#awscomputeoptimizer-compute-optimizer_ResourceType)   |   autoscaling:DescribeAutoScalingGroups   ec2:DescribeInstances   rds:DescribeDBClusters   rds:DescribeDBInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_DescribeRecommendationExportJobs.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_DescribeRecommendationExportJobs.html)  | Grants permission to view the status of recommendation export jobs | List |  |  |  | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportAutoScalingGroupRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportAutoScalingGroupRecommendations.html)  | Grants permission to export AutoScaling group recommendations to S3 for the provided accounts | Write |  |  |   autoscaling:DescribeAutoScalingGroups   compute-optimizer:GetAutoScalingGroupRecommendations   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportEBSVolumeRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportEBSVolumeRecommendations.html)  | Grants permission to export EBS volume recommendations to S3 for the provided accounts | Write |  |  |   compute-optimizer:GetEBSVolumeRecommendations   ec2:DescribeVolumes   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportEC2InstanceRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportEC2InstanceRecommendations.html)  | Grants permission to export EC2 instance recommendations to S3 for the provided accounts | Write |  |  |   compute-optimizer:GetEC2InstanceRecommendations   ec2:DescribeInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportECSServiceRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportECSServiceRecommendations.html)  | Grants permission to export ECS service recommendations to S3 for the provided accounts | Write |  |  |   compute-optimizer:GetECSServiceRecommendations   ecs:ListClusters   ecs:ListServices   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportIdleRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportIdleRecommendations.html)  | Grants permission to export idle recommendations to S3 for the provided accounts | Write |  |  |   compute-optimizer:GetIdleRecommendations   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportLambdaFunctionRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportLambdaFunctionRecommendations.html)  | Grants permission to export Lambda function recommendations to S3 for the provided accounts | Write |  |  |   compute-optimizer:GetLambdaFunctionRecommendations   lambda:ListFunctions   lambda:ListProvisionedConcurrencyConfigs   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportLicenseRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportLicenseRecommendations.html)  | Grants permission to export license recommendations to S3 for the provided account(s) | Write |  |  |   compute-optimizer:GetLicenseRecommendations   ec2:DescribeInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportRDSDatabaseRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportRDSDatabaseRecommendations.html)  | Grants permission to export rds recommendations to S3 for the provided accounts | Write |  |  |   compute-optimizer:GetRDSDatabaseRecommendations   rds:DescribeDBClusters   rds:DescribeDBInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetAutoScalingGroupRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetAutoScalingGroupRecommendations.html)  | Grants permission to get recommendations for the provided AutoScaling groups | List |  |  |   autoscaling:DescribeAutoScalingGroups   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEBSVolumeRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEBSVolumeRecommendations.html)  | Grants permission to get recommendations for the provided EBS volumes | List |  |  |   ec2:DescribeVolumes   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEC2InstanceRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEC2InstanceRecommendations.html)  | Grants permission to get recommendations for the provided EC2 instances | List |  |  |   ec2:DescribeInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEC2RecommendationProjectedMetrics.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEC2RecommendationProjectedMetrics.html)  | Grants permission to get the recommendation projected metrics of the specified instance | List |  |  |   ec2:DescribeInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetECSServiceRecommendationProjectedMetrics.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetECSServiceRecommendationProjectedMetrics.html)  | Grants permission to get the recommendation projected metrics of the specified ECS service | List |  |  |  | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetECSServiceRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetECSServiceRecommendations.html)  | Grants permission to get recommendations for the provided ECS services | List |  |  |   ecs:ListClusters   ecs:ListServices   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEffectiveRecommendationPreferences.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEffectiveRecommendationPreferences.html)  | Grants permission to get recommendation preferences that are in effect | Read |  |   [#awscomputeoptimizer-compute-optimizer_ResourceType](#awscomputeoptimizer-compute-optimizer_ResourceType)   |   autoscaling:DescribeAutoScalingGroups   autoscaling:DescribeAutoScalingInstances   ec2:DescribeInstances   rds:DescribeDBClusters   rds:DescribeDBInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEnrollmentStatus.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEnrollmentStatus.html)  | Grants permission to get the enrollment status for the specified account | List |  |  |  | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEnrollmentStatusesForOrganization.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEnrollmentStatusesForOrganization.html)  | Grants permission to get the enrollment statuses for member accounts of the organization | List |  |  |  | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetIdleRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetIdleRecommendations.html)  | Grants permission to get idle recommendations for the specified account(s) | List |  |  |  | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetLambdaFunctionRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetLambdaFunctionRecommendations.html)  | Grants permission to get recommendations for the provided Lambda functions | List |  |  |   lambda:ListFunctions   lambda:ListProvisionedConcurrencyConfigs   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetLicenseRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetLicenseRecommendations.html)  | Grants permission to get license recommendations for the specified account(s) | List |  |  |   ec2:DescribeInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetRDSDatabaseRecommendationProjectedMetrics.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetRDSDatabaseRecommendationProjectedMetrics.html)  | Grants permission to get the recommendation projected metrics of the specified instance | List |  |  |   rds:DescribeDBClusters   rds:DescribeDBInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetRDSDatabaseRecommendations.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetRDSDatabaseRecommendations.html)  | Grants permission to get rds recommendations for the specified account(s) | List |  |  |   rds:DescribeDBClusters   rds:DescribeDBInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetRecommendationPreferences.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetRecommendationPreferences.html)  | Grants permission to get recommendation preferences | Read |  |   [#awscomputeoptimizer-compute-optimizer_ResourceType](#awscomputeoptimizer-compute-optimizer_ResourceType)   |  | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetRecommendationSummaries.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetRecommendationSummaries.html)  | Grants permission to get the recommendation summaries for the specified account(s) | List |  |  |  | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_PutRecommendationPreferences.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_PutRecommendationPreferences.html)  | Grants permission to put recommendation preferences | Write |  |   [#awscomputeoptimizer-compute-optimizer_ResourceType](#awscomputeoptimizer-compute-optimizer_ResourceType)   |   autoscaling:DescribeAutoScalingGroups   autoscaling:DescribeAutoScalingInstances   ec2:DescribeInstances   rds:DescribeDBClusters   rds:DescribeDBInstances   | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_UpdateEnrollmentStatus.html](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_UpdateEnrollmentStatus.html)  | Grants permission to update the enrollment status | Write |  |  |  | 

## Resource types defined by AWS Compute Optimizer
<a name="awscomputeoptimizer-resources-for-iam-policies"></a>

AWS Compute Optimizer does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Compute Optimizer, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Compute Optimizer
<a name="awscomputeoptimizer-policy-keys"></a>

AWS Compute Optimizer defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/ug/security-iam.html](https://docs.aws.amazon.com/compute-optimizer/latest/ug/security-iam.html)  | Filters access by the resource type | String | 

# Actions, resources, and condition keys for AWS Compute Optimizer Automation
<a name="list_awscomputeoptimizerautomation"></a>

AWS Compute Optimizer Automation (service prefix: `aco-automation`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/compute-optimizer/latest/ug/what-is-compute-optimizer.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_Operations_Compute_Optimizer_Automation.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/compute-optimizer/latest/ug/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Compute Optimizer Automation
](#awscomputeoptimizerautomation-actions-as-permissions)
+ [

## Resource types defined by AWS Compute Optimizer Automation
](#awscomputeoptimizerautomation-resources-for-iam-policies)
+ [

## Condition keys for AWS Compute Optimizer Automation
](#awscomputeoptimizerautomation-policy-keys)

## Actions defined by AWS Compute Optimizer Automation
<a name="awscomputeoptimizerautomation-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscomputeoptimizerautomation-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizerautomation.html)

## Resource types defined by AWS Compute Optimizer Automation
<a name="awscomputeoptimizerautomation-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscomputeoptimizerautomation-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/compute-optimizer/latest/ug/automation-rules.html](https://docs.aws.amazon.com/compute-optimizer/latest/ug/automation-rules.html)  |  arn:\$1\$1Partition\$1:compute-optimizer::\$1\$1Account\$1:automation-rule/\$1\$1RuleId\$1  |   [#awscomputeoptimizerautomation-aws_ResourceTag___TagKey_](#awscomputeoptimizerautomation-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Compute Optimizer Automation
<a name="awscomputeoptimizerautomation-policy-keys"></a>

AWS Compute Optimizer Automation defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [API_automation_Tag.html](API_automation_Tag.html)  | Filters access by the tags that are passed in the request | String | 
|   [API_automation_TagResource.html](API_automation_TagResource.html)  | Filters access by the tags associated with the resource | String | 
|   [API_automation_Tag.html](API_automation_Tag.html)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Config
<a name="list_awsconfig"></a>

AWS Config (service prefix: `config`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/config/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/config/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/config/latest/developerguide/example-policies.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Config
](#awsconfig-actions-as-permissions)
+ [

## Resource types defined by AWS Config
](#awsconfig-resources-for-iam-policies)
+ [

## Condition keys for AWS Config
](#awsconfig-policy-keys)

## Actions defined by AWS Config
<a name="awsconfig-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsconfig-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html)

## Resource types defined by AWS Config
<a name="awsconfig-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsconfig-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/config/latest/APIReference/API_AggregationAuthorization.html](https://docs.aws.amazon.com/config/latest/APIReference/API_AggregationAuthorization.html)  |  arn:\$1\$1Partition\$1:config:\$1\$1Region\$1:\$1\$1Account\$1:aggregation-authorization/\$1\$1AggregatorAccount\$1/\$1\$1AggregatorRegion\$1  |   [#awsconfig-aws_ResourceTag___TagKey_](#awsconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigurationAggregator.html](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigurationAggregator.html)  |  arn:\$1\$1Partition\$1:config:\$1\$1Region\$1:\$1\$1Account\$1:config-aggregator/\$1\$1AggregatorId\$1  |   [#awsconfig-aws_ResourceTag___TagKey_](#awsconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigRule.html](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigRule.html)  |  arn:\$1\$1Partition\$1:config:\$1\$1Region\$1:\$1\$1Account\$1:config-rule/\$1\$1ConfigRuleId\$1  |   [#awsconfig-aws_ResourceTag___TagKey_](#awsconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/config/latest/APIReference/API_ConformancePackDetail.html](https://docs.aws.amazon.com/config/latest/APIReference/API_ConformancePackDetail.html)  |  arn:\$1\$1Partition\$1:config:\$1\$1Region\$1:\$1\$1Account\$1:conformance-pack/\$1\$1ConformancePackName\$1/\$1\$1ConformancePackId\$1  |   [#awsconfig-aws_ResourceTag___TagKey_](#awsconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/config/latest/APIReference/API_OrganizationConfigRule.html](https://docs.aws.amazon.com/config/latest/APIReference/API_OrganizationConfigRule.html)  |  arn:\$1\$1Partition\$1:config:\$1\$1Region\$1:\$1\$1Account\$1:organization-config-rule/\$1\$1OrganizationConfigRuleId\$1  |   [#awsconfig-aws_ResourceTag___TagKey_](#awsconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/config/latest/APIReference/API_OrganizationConformancePack.html](https://docs.aws.amazon.com/config/latest/APIReference/API_OrganizationConformancePack.html)  |  arn:\$1\$1Partition\$1:config:\$1\$1Region\$1:\$1\$1Account\$1:organization-conformance-pack/\$1\$1OrganizationConformancePackId\$1  |   [#awsconfig-aws_ResourceTag___TagKey_](#awsconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/config/latest/APIReference/API_RemediationConfiguration.html](https://docs.aws.amazon.com/config/latest/APIReference/API_RemediationConfiguration.html)  |  arn:\$1\$1Partition\$1:config:\$1\$1Region\$1:\$1\$1Account\$1:remediation-configuration/\$1\$1RemediationConfigurationId\$1  |  | 
|   [https://docs.aws.amazon.com/config/latest/APIReference/API_StoredQuery.html](https://docs.aws.amazon.com/config/latest/APIReference/API_StoredQuery.html)  |  arn:\$1\$1Partition\$1:config:\$1\$1Region\$1:\$1\$1Account\$1:stored-query/\$1\$1StoredQueryName\$1/\$1\$1StoredQueryId\$1  |   [#awsconfig-aws_ResourceTag___TagKey_](#awsconfig-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigurationRecorder.html](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigurationRecorder.html)  |  arn:\$1\$1Partition\$1:config:\$1\$1Region\$1:\$1\$1Account\$1:configuration-recorder/\$1\$1RecorderName\$1/\$1\$1RecorderId\$1  |   [#awsconfig-aws_ResourceTag___TagKey_](#awsconfig-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Config
<a name="awsconfig-policy-keys"></a>

AWS Config defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/config/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/config/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by service principal of the configuration recorder | String | 

# Actions, resources, and condition keys for Amazon Connect Cases
<a name="list_amazonconnectcases"></a>

Amazon Connect Cases (service prefix: `cases`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/connect/latest/adminguide/cases.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cases/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/connect/latest/adminguide/assign-security-profile-cases.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Connect Cases
](#amazonconnectcases-actions-as-permissions)
+ [

## Resource types defined by Amazon Connect Cases
](#amazonconnectcases-resources-for-iam-policies)
+ [

## Condition keys for Amazon Connect Cases
](#amazonconnectcases-policy-keys)

## Actions defined by Amazon Connect Cases
<a name="amazonconnectcases-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonconnectcases-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcases.html)

## Resource types defined by Amazon Connect Cases
<a name="amazonconnectcases-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonconnectcases-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/connect/latest/adminguide/cases.html](https://docs.aws.amazon.com/connect/latest/adminguide/cases.html)  |  arn:\$1\$1Partition\$1:cases:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/case/\$1\$1CaseId\$1  |   [#amazonconnectcases-aws_ResourceTag___TagKey_](#amazonconnectcases-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connect/latest/adminguide/cases.html](https://docs.aws.amazon.com/connect/latest/adminguide/cases.html)  |  arn:\$1\$1Partition\$1:cases:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1  |   [#amazonconnectcases-aws_ResourceTag___TagKey_](#amazonconnectcases-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connect/latest/adminguide/case-fields.html](https://docs.aws.amazon.com/connect/latest/adminguide/case-fields.html)  |  arn:\$1\$1Partition\$1:cases:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/field/\$1\$1FieldId\$1  |   [#amazonconnectcases-aws_ResourceTag___TagKey_](#amazonconnectcases-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connect/latest/adminguide/case-layouts.html](https://docs.aws.amazon.com/connect/latest/adminguide/case-layouts.html)  |  arn:\$1\$1Partition\$1:cases:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/layout/\$1\$1LayoutId\$1  |   [#amazonconnectcases-aws_ResourceTag___TagKey_](#amazonconnectcases-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connect/latest/adminguide/associatecontactandcase.html](https://docs.aws.amazon.com/connect/latest/adminguide/associatecontactandcase.html)  |  arn:\$1\$1Partition\$1:cases:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/case/\$1\$1CaseId\$1/related-item/\$1\$1RelatedItemId\$1  |   [#amazonconnectcases-aws_ResourceTag___TagKey_](#amazonconnectcases-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connect/latest/adminguide/case-templates.html](https://docs.aws.amazon.com/connect/latest/adminguide/case-templates.html)  |  arn:\$1\$1Partition\$1:cases:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/template/\$1\$1TemplateId\$1  |   [#amazonconnectcases-aws_ResourceTag___TagKey_](#amazonconnectcases-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connect/latest/adminguide/case-rules.html](https://docs.aws.amazon.com/connect/latest/adminguide/case-rules.html)  |  arn:\$1\$1Partition\$1:cases:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/case-rule/\$1\$1CaseRuleId\$1  |   [#amazonconnectcases-aws_ResourceTag___TagKey_](#amazonconnectcases-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Connect Cases
<a name="amazonconnectcases-policy-keys"></a>

Amazon Connect Cases defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/connect/latest/APIReference/API_User.html](https://docs.aws.amazon.com/connect/latest/APIReference/API_User.html)  | Filters access by connect's UserArn | ARN | 

# Actions, resources, and condition keys for Amazon Connect Customer Profiles
<a name="list_amazonconnectcustomerprofiles"></a>

Amazon Connect Customer Profiles (service prefix: `profile`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/connect/latest/adminguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/) permission policies.

**Topics**
+ [

## Actions defined by Amazon Connect Customer Profiles
](#amazonconnectcustomerprofiles-actions-as-permissions)
+ [

## Resource types defined by Amazon Connect Customer Profiles
](#amazonconnectcustomerprofiles-resources-for-iam-policies)
+ [

## Condition keys for Amazon Connect Customer Profiles
](#amazonconnectcustomerprofiles-policy-keys)

## Actions defined by Amazon Connect Customer Profiles
<a name="amazonconnectcustomerprofiles-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonconnectcustomerprofiles-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcustomerprofiles.html)

## Resource types defined by Amazon Connect Customer Profiles
<a name="amazonconnectcustomerprofiles-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonconnectcustomerprofiles-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/customerprofiles/latest/APIReference/](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/)  |  arn:\$1\$1Partition\$1:profile:\$1\$1Region\$1:\$1\$1Account\$1:domains/\$1\$1DomainName\$1  |   [#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_](#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/customerprofiles/latest/APIReference/](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/)  |  arn:\$1\$1Partition\$1:profile:\$1\$1Region\$1:\$1\$1Account\$1:domains/\$1\$1DomainName\$1/object-types/\$1\$1ObjectTypeName\$1  |   [#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_](#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/customerprofiles/latest/APIReference/](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/)  |  arn:\$1\$1Partition\$1:profile:\$1\$1Region\$1:\$1\$1Account\$1:domains/\$1\$1DomainName\$1/integrations/\$1\$1Uri\$1  |   [#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_](#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/customerprofiles/latest/APIReference/](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/)  |  arn:\$1\$1Partition\$1:profile:\$1\$1Region\$1:\$1\$1Account\$1:domains/\$1\$1DomainName\$1/event-streams/\$1\$1EventStreamName\$1  |   [#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_](#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/customerprofiles/latest/APIReference/](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/)  |  arn:\$1\$1Partition\$1:profile:\$1\$1Region\$1:\$1\$1Account\$1:domains/\$1\$1DomainName\$1/calculated-attributes/\$1\$1CalculatedAttributeName\$1  |   [#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_](#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/customerprofiles/latest/APIReference/](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/)  |  arn:\$1\$1Partition\$1:profile:\$1\$1Region\$1:\$1\$1Account\$1:domains/\$1\$1DomainName\$1/segment-definitions/\$1\$1SegmentDefinitionName\$1  |   [#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_](#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/customerprofiles/latest/APIReference/](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/)  |  arn:\$1\$1Partition\$1:profile:\$1\$1Region\$1:\$1\$1Account\$1:domains/\$1\$1DomainName\$1/event-triggers/\$1\$1EventTriggerName\$1  |   [#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_](#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/customerprofiles/latest/APIReference/](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/)  |  arn:\$1\$1Partition\$1:profile:\$1\$1Region\$1:\$1\$1Account\$1:domains/\$1\$1DomainName\$1/layouts/\$1\$1LayoutDefinitionName\$1  |   [#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_](#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/customerprofiles/latest/APIReference/](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/)  |  arn:\$1\$1Partition\$1:profile:\$1\$1Region\$1:\$1\$1Account\$1:domains/\$1\$1DomainName\$1/recommenders/\$1\$1RecommenderTypeName\$1  |   [#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_](#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/customerprofiles/latest/APIReference/](https://docs.aws.amazon.com/customerprofiles/latest/APIReference/)  |  arn:\$1\$1Partition\$1:profile:\$1\$1Region\$1:\$1\$1Account\$1:domains/\$1\$1DomainName\$1/domain-object-types/\$1\$1ObjectTypeName\$1  |   [#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_](#amazonconnectcustomerprofiles-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Connect Customer Profiles
<a name="amazonconnectcustomerprofiles-policy-keys"></a>

Amazon Connect Customer Profiles defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys)  | Filters access by a key that is present in the request the user makes to the customer profile service | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys)  | Filters access by a tag key and value pair | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys)  | Filters access by the list of all the tag key names present in the request the user makes to the customer profile service | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Connect Health
<a name="list_amazonconnecthealth"></a>

Amazon Connect Health (service prefix: `health-agent`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/connecthealth/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/connecthealth/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/connecthealth/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Connect Health
](#amazonconnecthealth-actions-as-permissions)
+ [

## Resource types defined by Amazon Connect Health
](#amazonconnecthealth-resources-for-iam-policies)
+ [

## Condition keys for Amazon Connect Health
](#amazonconnecthealth-policy-keys)

## Actions defined by Amazon Connect Health
<a name="amazonconnecthealth-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonconnecthealth-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnecthealth.html)

## Resource types defined by Amazon Connect Health
<a name="amazonconnecthealth-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonconnecthealth-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/connecthealth/latest/userguide/setting-up.html#setting-up-create-domain](https://docs.aws.amazon.com/connecthealth/latest/userguide/setting-up.html#setting-up-create-domain)  |  arn:\$1\$1Partition\$1:health-agent:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1  |   [#amazonconnecthealth-aws_ResourceTag___TagKey_](#amazonconnecthealth-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connecthealth/latest/userguide/patient-insights.html](https://docs.aws.amazon.com/connecthealth/latest/userguide/patient-insights.html)  |  arn:\$1\$1Partition\$1:health-agent:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/patient-insights-job/\$1\$1JobId\$1  |   [#amazonconnecthealth-aws_ResourceTag___TagKey_](#amazonconnecthealth-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connecthealth/latest/userguide/ambient-documentation.html#al-subscription-management](https://docs.aws.amazon.com/connecthealth/latest/userguide/ambient-documentation.html#al-subscription-management)  |  arn:\$1\$1Partition\$1:health-agent:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/subscription/\$1\$1SubscriptionId\$1  |   [#amazonconnecthealth-aws_ResourceTag___TagKey_](#amazonconnecthealth-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connecthealth/latest/userguide/configuring-testing-pe-agents.html](https://docs.aws.amazon.com/connecthealth/latest/userguide/configuring-testing-pe-agents.html)  |  arn:\$1\$1Partition\$1:health-agent:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/integration/\$1\$1IntegrationId\$1  |   [#amazonconnecthealth-aws_ResourceTag___TagKey_](#amazonconnecthealth-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connecthealth/latest/userguide/agent-customization.html](https://docs.aws.amazon.com/connecthealth/latest/userguide/agent-customization.html)  |  arn:\$1\$1Partition\$1:health-agent:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/agent/\$1\$1AgentId\$1  |   [#amazonconnecthealth-aws_ResourceTag___TagKey_](#amazonconnecthealth-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/connecthealth/latest/userguide/patient-engagement-overview.html](https://docs.aws.amazon.com/connecthealth/latest/userguide/patient-engagement-overview.html)  |  arn:\$1\$1Partition\$1:health-agent:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1/session/\$1\$1SessionId\$1  |   [#amazonconnecthealth-aws_ResourceTag___TagKey_](#amazonconnecthealth-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Connect Health
<a name="amazonconnecthealth-policy-keys"></a>

Amazon Connect Health defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/connecthealth/latest/userguide/security-iam-service-with-iam.htmlsecurity-iam-service-with-iam.html#security-iam-service-with-iam-tags](https://docs.aws.amazon.com/connecthealth/latest/userguide/security-iam-service-with-iam.htmlsecurity-iam-service-with-iam.html#security-iam-service-with-iam-tags)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/connecthealth/latest/userguide/security-iam-service-with-iam.htmlsecurity-iam-service-with-iam.html#security-iam-service-with-iam-tags](https://docs.aws.amazon.com/connecthealth/latest/userguide/security-iam-service-with-iam.htmlsecurity-iam-service-with-iam.html#security-iam-service-with-iam-tags)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/connecthealth/latest/userguide/security-iam-service-with-iam.htmlsecurity-iam-service-with-iam.html#security-iam-service-with-iam-tags](https://docs.aws.amazon.com/connecthealth/latest/userguide/security-iam-service-with-iam.htmlsecurity-iam-service-with-iam.html#security-iam-service-with-iam-tags)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Connect Outbound Campaigns
<a name="list_amazonconnectoutboundcampaigns"></a>

Amazon Connect Outbound Campaigns (service prefix: `connect-campaigns`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/connect/latest/adminguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/connect/latest/adminguide/enable-outbound-campaigns.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/connect/latest/adminguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Connect Outbound Campaigns
](#amazonconnectoutboundcampaigns-actions-as-permissions)
+ [

## Resource types defined by Amazon Connect Outbound Campaigns
](#amazonconnectoutboundcampaigns-resources-for-iam-policies)
+ [

## Condition keys for Amazon Connect Outbound Campaigns
](#amazonconnectoutboundcampaigns-policy-keys)

## Actions defined by Amazon Connect Outbound Campaigns
<a name="amazonconnectoutboundcampaigns-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonconnectoutboundcampaigns-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectoutboundcampaigns.html)

## Resource types defined by Amazon Connect Outbound Campaigns
<a name="amazonconnectoutboundcampaigns-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonconnectoutboundcampaigns-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/connect/latest/adminguide/enable-outbound-campaigns.html](https://docs.aws.amazon.com/connect/latest/adminguide/enable-outbound-campaigns.html)  |  arn:\$1\$1Partition\$1:connect-campaigns:\$1\$1Region\$1:\$1\$1Account\$1:campaign/\$1\$1CampaignId\$1  |   [#amazonconnectoutboundcampaigns-aws_ResourceTag___TagKey_](#amazonconnectoutboundcampaigns-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Connect Outbound Campaigns
<a name="amazonconnectoutboundcampaigns-policy-keys"></a>

Amazon Connect Outbound Campaigns defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Connect Voice ID
<a name="list_amazonconnectvoiceid"></a>

Amazon Connect Voice ID (service prefix: `voiceid`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/connect/latest/adminguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/voiceid/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/console/connect/security/access-control/) permission policies.

**Topics**
+ [

## Actions defined by Amazon Connect Voice ID
](#amazonconnectvoiceid-actions-as-permissions)
+ [

## Resource types defined by Amazon Connect Voice ID
](#amazonconnectvoiceid-resources-for-iam-policies)
+ [

## Condition keys for Amazon Connect Voice ID
](#amazonconnectvoiceid-policy-keys)

## Actions defined by Amazon Connect Voice ID
<a name="amazonconnectvoiceid-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonconnectvoiceid-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectvoiceid.html)

## Resource types defined by Amazon Connect Voice ID
<a name="amazonconnectvoiceid-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonconnectvoiceid-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/connect/latest/adminguide/enable-voiceid.html#voiceid-domain](https://docs.aws.amazon.com/connect/latest/adminguide/enable-voiceid.html#voiceid-domain)  |  arn:\$1\$1Partition\$1:voiceid:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1  |   [#amazonconnectvoiceid-aws_ResourceTag___TagKey_](#amazonconnectvoiceid-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Connect Voice ID
<a name="amazonconnectvoiceid-policy-keys"></a>

Amazon Connect Voice ID defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Connector Service
<a name="list_awsconnectorservice"></a>

AWS Connector Service (service prefix: `awsconnector`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/server-migration-service/latest/userguide/SMS_setup.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/server-migration-service/latest/userguide/SMS_setup.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Connector Service
](#awsconnectorservice-actions-as-permissions)
+ [

## Resource types defined by AWS Connector Service
](#awsconnectorservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Connector Service
](#awsconnectorservice-policy-keys)

## Actions defined by AWS Connector Service
<a name="awsconnectorservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsconnectorservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/userguide/prereqs.html#connector-permissions](https://docs.aws.amazon.com/server-migration-service/latest/userguide/prereqs.html#connector-permissions) [permission only] | Retrieves all health metrics that were published from the Server Migration Connector. | Read |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/userguide/prereqs.html#connector-permissions](https://docs.aws.amazon.com/server-migration-service/latest/userguide/prereqs.html#connector-permissions) [permission only] | Registers AWS Connector with AWS Connector Service. | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/userguide/prereqs.html#connector-permissions](https://docs.aws.amazon.com/server-migration-service/latest/userguide/prereqs.html#connector-permissions) [permission only] | Validates Server Migration Connector Id that was registered with AWS Connector Service. | Read |  |  |  | 

## Resource types defined by AWS Connector Service
<a name="awsconnectorservice-resources-for-iam-policies"></a>

AWS Connector Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Connector Service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Connector Service
<a name="awsconnectorservice-policy-keys"></a>

Connector Service has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Management Console Mobile App
<a name="list_awsconsolemobileapp"></a>

AWS Management Console Mobile App (service prefix: `consoleapp`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/consolemobileapp/latest/userguide/what-is-consolemobileapp.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/consolemobileapp/latest/userguide/permissions-policies.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/consolemobileapp/latest/userguide/permissions-policies.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Management Console Mobile App
](#awsconsolemobileapp-actions-as-permissions)
+ [

## Resource types defined by AWS Management Console Mobile App
](#awsconsolemobileapp-resources-for-iam-policies)
+ [

## Condition keys for AWS Management Console Mobile App
](#awsconsolemobileapp-policy-keys)

## Actions defined by AWS Management Console Mobile App
<a name="awsconsolemobileapp-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsconsolemobileapp-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/consolemobileapp/latest/userguide/permissions-policies.html](https://docs.aws.amazon.com/consolemobileapp/latest/userguide/permissions-policies.html)  | Grants permission to retrieve the device identity for a Console Mobile App device | Read |   [#awsconsolemobileapp-DeviceIdentity](#awsconsolemobileapp-DeviceIdentity)   |  |  | 
|   [https://docs.aws.amazon.com/consolemobileapp/latest/userguide/permissions-policies.html](https://docs.aws.amazon.com/consolemobileapp/latest/userguide/permissions-policies.html)  | Grants permission to retrieve a list of device identities | List |  |  |  | 

## Resource types defined by AWS Management Console Mobile App
<a name="awsconsolemobileapp-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsconsolemobileapp-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/consolemobileapp/latest/userguide/permissions-policies.html](https://docs.aws.amazon.com/consolemobileapp/latest/userguide/permissions-policies.html)  |  arn:\$1\$1Partition\$1:consoleapp::\$1\$1Account\$1:device/\$1\$1DeviceId\$1/identity/\$1\$1IdentityId\$1  |  | 

## Condition keys for AWS Management Console Mobile App
<a name="awsconsolemobileapp-policy-keys"></a>

Console Mobile App has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Consolidated Billing
<a name="list_awsconsolidatedbilling"></a>

AWS Consolidated Billing (service prefix: `consolidatedbilling`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Consolidated Billing
](#awsconsolidatedbilling-actions-as-permissions)
+ [

## Resource types defined by AWS Consolidated Billing
](#awsconsolidatedbilling-resources-for-iam-policies)
+ [

## Condition keys for AWS Consolidated Billing
](#awsconsolidatedbilling-policy-keys)

## Actions defined by AWS Consolidated Billing
<a name="awsconsolidatedbilling-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsconsolidatedbilling-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html) [permission only] | Grants permission to get account role (Payer, Linked, Regular) | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html) [permission only] | Grants permission to get list of member/linked accounts | List |  |  |  | 

## Resource types defined by AWS Consolidated Billing
<a name="awsconsolidatedbilling-resources-for-iam-policies"></a>

AWS Consolidated Billing does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Consolidated Billing, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Consolidated Billing
<a name="awsconsolidatedbilling-policy-keys"></a>

Consolidated Billing has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Control Catalog
<a name="list_awscontrolcatalog"></a>

AWS Control Catalog (service prefix: `controlcatalog`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/controlcatalog/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/controlcatalog/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Control Catalog
](#awscontrolcatalog-actions-as-permissions)
+ [

## Resource types defined by AWS Control Catalog
](#awscontrolcatalog-resources-for-iam-policies)
+ [

## Condition keys for AWS Control Catalog
](#awscontrolcatalog-policy-keys)

## Actions defined by AWS Control Catalog
<a name="awscontrolcatalog-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscontrolcatalog-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_GetControl.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_GetControl.html)  | Grants permission to return details about a specific control | Read |   [#awscontrolcatalog-control](#awscontrolcatalog-control)   |  |  | 
|   [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListCommonControls.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListCommonControls.html)  | Grants permission to return a paginated list of common controls from the AWS Control Catalog | List |  |  |  | 
|   [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControlMappings.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControlMappings.html)  | Grants permission to return a paginated list of control mappings from the AWS Control Catalog | List |  |  |  | 
|   [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html)  | Grants permission to return a paginated list of all available controls in the AWS Control Catalog library | List |   [#awscontrolcatalog-control](#awscontrolcatalog-control)   |  |  | 
|   [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListDomains.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListDomains.html)  | Grants permission to return a paginated list of domains from the AWS Control Catalog | List |  |  |  | 
|   [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListObjectives.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListObjectives.html)  | Grants permission to return a paginated list of objectives from the AWS Control Catalog | List |  |  |  | 

## Resource types defined by AWS Control Catalog
<a name="awscontrolcatalog-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscontrolcatalog-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_CommonControlSummary.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_CommonControlSummary.html)  |  arn:\$1\$1Partition\$1:controlcatalog:::common-control/\$1\$1CommonControlId\$1  |  | 
|   [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ControlSummary.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ControlSummary.html)  |  arn:\$1\$1Partition\$1:controlcatalog:::control/\$1\$1ControlId\$1  |  | 
|   [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_DomainSummary.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_DomainSummary.html)  |  arn:\$1\$1Partition\$1:controlcatalog:::domain/\$1\$1DomainId\$1  |  | 
|   [https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ObjectiveSummary.html](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ObjectiveSummary.html)  |  arn:\$1\$1Partition\$1:controlcatalog:::objective/\$1\$1ObjectiveId\$1  |  | 

## Condition keys for AWS Control Catalog
<a name="awscontrolcatalog-policy-keys"></a>

Control Catalog has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Control Tower
<a name="list_awscontroltower"></a>

AWS Control Tower (service prefix: `controltower`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/controltower/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/controltower/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/controltower/latest/userguide/auth-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Control Tower
](#awscontroltower-actions-as-permissions)
+ [

## Resource types defined by AWS Control Tower
](#awscontroltower-resources-for-iam-policies)
+ [

## Condition keys for AWS Control Tower
](#awscontroltower-policy-keys)

## Actions defined by AWS Control Tower
<a name="awscontroltower-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscontroltower-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscontroltower.html)

## Resource types defined by AWS Control Tower
<a name="awscontroltower-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscontroltower-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html](https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html)  |  arn:\$1\$1Partition\$1:controltower:\$1\$1Region\$1:\$1\$1Account\$1:enabledcontrol/\$1\$1EnabledControlId\$1  |   [#awscontroltower-aws_ResourceTag___TagKey_](#awscontroltower-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/controltower/latest/APIReference/API_GetBaseline.html](https://docs.aws.amazon.com/controltower/latest/APIReference/API_GetBaseline.html)  |  arn:\$1\$1Partition\$1:controltower:\$1\$1Region\$1::baseline/\$1\$1BaselineId\$1  |  | 
|   [https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableBaseline.html](https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableBaseline.html)  |  arn:\$1\$1Partition\$1:controltower:\$1\$1Region\$1:\$1\$1Account\$1:enabledbaseline/\$1\$1EnabledBaselineId\$1  |   [#awscontroltower-aws_ResourceTag___TagKey_](#awscontroltower-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/controltower/latest/APIReference/API_CreateLandingZone.html](https://docs.aws.amazon.com/controltower/latest/APIReference/API_CreateLandingZone.html)  |  arn:\$1\$1Partition\$1:controltower:\$1\$1Region\$1:\$1\$1Account\$1:landingzone/\$1\$1LandingZoneId\$1  |   [#awscontroltower-aws_ResourceTag___TagKey_](#awscontroltower-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Control Tower
<a name="awscontroltower-policy-keys"></a>

AWS Control Tower defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Cost and Usage Report
<a name="list_awscostandusagereport"></a>

AWS Cost and Usage Report (service prefix: `cur`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cur/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cur/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Cost and Usage Report
](#awscostandusagereport-actions-as-permissions)
+ [

## Resource types defined by AWS Cost and Usage Report
](#awscostandusagereport-resources-for-iam-policies)
+ [

## Condition keys for AWS Cost and Usage Report
](#awscostandusagereport-policy-keys)

## Actions defined by AWS Cost and Usage Report
<a name="awscostandusagereport-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscostandusagereport-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostandusagereport.html)

## Resource types defined by AWS Cost and Usage Report
<a name="awscostandusagereport-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscostandusagereport-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html](https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html)  |  arn:\$1\$1Partition\$1:cur:\$1\$1Region\$1:\$1\$1Account\$1:definition/\$1\$1ReportName\$1  |  | 

## Condition keys for AWS Cost and Usage Report
<a name="awscostandusagereport-policy-keys"></a>

AWS Cost and Usage Report defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Cost Explorer Service
<a name="list_awscostexplorerservice"></a>

AWS Cost Explorer Service (service prefix: `ce`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_Operations_AWS_Cost_Explorer_Service.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Cost Explorer Service
](#awscostexplorerservice-actions-as-permissions)
+ [

## Resource types defined by AWS Cost Explorer Service
](#awscostexplorerservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Cost Explorer Service
](#awscostexplorerservice-policy-keys)

## Actions defined by AWS Cost Explorer Service
<a name="awscostexplorerservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscostexplorerservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostexplorerservice.html)

## Resource types defined by AWS Cost Explorer Service
<a name="awscostexplorerservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awscostexplorerservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_AnomalySubscription.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_AnomalySubscription.html)  |  arn:\$1\$1Partition\$1:ce::\$1\$1Account\$1:anomalysubscription/\$1\$1Identifier\$1  |   [#awscostexplorerservice-aws_ResourceTag___TagKey_](#awscostexplorerservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_AnomalyMonitor.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_AnomalyMonitor.html)  |  arn:\$1\$1Partition\$1:ce::\$1\$1Account\$1:anomalymonitor/\$1\$1Identifier\$1  |   [#awscostexplorerservice-aws_ResourceTag___TagKey_](#awscostexplorerservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostCategory.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostCategory.html)  |  arn:\$1\$1Partition\$1:ce::\$1\$1Account\$1:costcategory/\$1\$1Identifier\$1  |   [#awscostexplorerservice-aws_ResourceTag___TagKey_](#awscostexplorerservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/cost-management/latest/userguide/](https://docs.aws.amazon.com/cost-management/latest/userguide/)  |  arn:\$1\$1Partition\$1:billing::\$1\$1Account\$1:billingview/\$1\$1ResourceId\$1  |   [#awscostexplorerservice-aws_ResourceTag___TagKey_](#awscostexplorerservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Cost Explorer Service
<a name="awscostexplorerservice-policy-keys"></a>

AWS Cost Explorer Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Cost Optimization Hub
<a name="list_awscostoptimizationhub"></a>

AWS Cost Optimization Hub (service prefix: `cost-optimization-hub`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/cost-management/latest/userguide/cost-optimization-hub.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/cost-management/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Cost Optimization Hub
](#awscostoptimizationhub-actions-as-permissions)
+ [

## Resource types defined by AWS Cost Optimization Hub
](#awscostoptimizationhub-resources-for-iam-policies)
+ [

## Condition keys for AWS Cost Optimization Hub
](#awscostoptimizationhub-policy-keys)

## Actions defined by AWS Cost Optimization Hub
<a name="awscostoptimizationhub-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscostoptimizationhub-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_GetPreferences.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_GetPreferences.html)  | Grants permission to get preferences | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_GetRecommendation.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_GetRecommendation.html)  | Grants permission to get resource configuration and estimated cost impact for a recommendation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_ListEfficiencyMetrics.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_ListEfficiencyMetrics.html)  | Grants permission to list efficiency metric scores by group | List |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_ListEnrollmentStatuses.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_ListEnrollmentStatuses.html)  | Grants permission to list enrollment statuses for the specified account or all members under a management account | List |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_ListRecommendationSummaries.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_ListRecommendationSummaries.html)  | Grants permission to list recommendation summaries by group | List |  |  |   cost-optimization-hub:GetRecommendation   | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_ListRecommendations.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_ListRecommendations.html)  | Grants permission to list summary view of recommendations | List |  |  |   cost-optimization-hub:GetRecommendation   | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_UpdateEnrollmentStatus.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_UpdateEnrollmentStatus.html)  | Grants permission to update the enrollment status | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_UpdatePreferences.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_CostOptimizationHub_UpdatePreferences.html)  | Grants permission to update preferences | Write |  |  |  | 

## Resource types defined by AWS Cost Optimization Hub
<a name="awscostoptimizationhub-resources-for-iam-policies"></a>

AWS Cost Optimization Hub does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Cost Optimization Hub, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Cost Optimization Hub
<a name="awscostoptimizationhub-policy-keys"></a>

Cost Optimization Hub has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Customer Verification Service
<a name="list_awscustomerverificationservice"></a>

AWS Customer Verification Service (service prefix: `customer-verification`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) permission policies.

**Topics**
+ [

## Actions defined by AWS Customer Verification Service
](#awscustomerverificationservice-actions-as-permissions)
+ [

## Resource types defined by AWS Customer Verification Service
](#awscustomerverificationservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Customer Verification Service
](#awscustomerverificationservice-policy-keys)

## Actions defined by AWS Customer Verification Service
<a name="awscustomerverificationservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awscustomerverificationservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Grants permission to create customer verification data | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Grants permission to create upload URLs | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Grants permission to get customer verification data | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Grants permission to get customer verification eligibility | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) [permission only] | Grants permission to update customer verification data | Write |  |  |  | 

## Resource types defined by AWS Customer Verification Service
<a name="awscustomerverificationservice-resources-for-iam-policies"></a>

AWS Customer Verification Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Customer Verification Service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Customer Verification Service
<a name="awscustomerverificationservice-policy-keys"></a>

Customer Verification Service has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Data Exchange
<a name="list_awsdataexchange"></a>

AWS Data Exchange (service prefix: `dataexchange`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/data-exchange/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/data-exchange/latest/apireference/welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/data-exchange/latest/userguide/auth-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Data Exchange
](#awsdataexchange-actions-as-permissions)
+ [

## Resource types defined by AWS Data Exchange
](#awsdataexchange-resources-for-iam-policies)
+ [

## Condition keys for AWS Data Exchange
](#awsdataexchange-policy-keys)

## Actions defined by AWS Data Exchange
<a name="awsdataexchange-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdataexchange-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdataexchange.html)

## Resource types defined by AWS Data Exchange
<a name="awsdataexchange-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdataexchange-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/data-exchange/latest/userguide/jobs.html](https://docs.aws.amazon.com/data-exchange/latest/userguide/jobs.html)  |  arn:\$1\$1Partition\$1:dataexchange:\$1\$1Region\$1:\$1\$1Account\$1:jobs/\$1\$1JobId\$1  |   [#awsdataexchange-dataexchange_JobType](#awsdataexchange-dataexchange_JobType)   | 
|   [https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html](https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html)  |  arn:\$1\$1Partition\$1:dataexchange:\$1\$1Region\$1:\$1\$1Account\$1:data-sets/\$1\$1DataSetId\$1  |   [#awsdataexchange-aws_ResourceTag___TagKey_](#awsdataexchange-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html](https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html)  |  arn:\$1\$1Partition\$1:dataexchange:\$1\$1Region\$1::data-sets/\$1\$1DataSetId\$1  |  | 
|   [https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html#revisions](https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html#revisions)  |  arn:\$1\$1Partition\$1:dataexchange:\$1\$1Region\$1:\$1\$1Account\$1:data-sets/\$1\$1DataSetId\$1/revisions/\$1\$1RevisionId\$1  |   [#awsdataexchange-aws_ResourceTag___TagKey_](#awsdataexchange-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html#revisions](https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html#revisions)  |  arn:\$1\$1Partition\$1:dataexchange:\$1\$1Region\$1::data-sets/\$1\$1DataSetId\$1/revisions/\$1\$1RevisionId\$1  |  | 
|   [https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html#assets](https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html#assets)  |  arn:\$1\$1Partition\$1:dataexchange:\$1\$1Region\$1:\$1\$1Account\$1:data-sets/\$1\$1DataSetId\$1/revisions/\$1\$1RevisionId\$1/assets/\$1\$1AssetId\$1  |   [#awsdataexchange-aws_ResourceTag___TagKey_](#awsdataexchange-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html#assets](https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html#assets)  |  arn:\$1\$1Partition\$1:dataexchange:\$1\$1Region\$1::data-sets/\$1\$1DataSetId\$1/revisions/\$1\$1RevisionId\$1/assets/\$1\$1AssetId\$1  |  | 
|   [https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html](https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html)  |  arn:\$1\$1Partition\$1:dataexchange:\$1\$1Region\$1:\$1\$1Account\$1:event-actions/\$1\$1EventActionId\$1  |   [#awsdataexchange-aws_ResourceTag___TagKey_](#awsdataexchange-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html](https://docs.aws.amazon.com/data-exchange/latest/userguide/data-sets.html)  |  arn:\$1\$1Partition\$1:dataexchange:\$1\$1Region\$1:\$1\$1Account\$1:data-grants/\$1\$1DataGrantId\$1  |   [#awsdataexchange-aws_ResourceTag___TagKey_](#awsdataexchange-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Data Exchange
<a name="awsdataexchange-policy-keys"></a>

AWS Data Exchange defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by the allowed set of values for each of the mandatory tags in the create request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by the tag value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by the presence of mandatory tags in the create request | ArrayOfString | 
|   [https://docs.aws.amazon.com/data-exchange/latest/userguide/access-control.html](https://docs.aws.amazon.com/data-exchange/latest/userguide/access-control.html)  | Filters access by the specified job type | String | 

# Actions, resources, and condition keys for Amazon Data Lifecycle Manager
<a name="list_amazondatalifecyclemanager"></a>

Amazon Data Lifecycle Manager (service prefix: `dlm`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/dlm/latest/APIReference/Welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/dlm/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazondatalifecyclemanager.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Data Lifecycle Manager
](#amazondatalifecyclemanager-actions-as-permissions)
+ [

## Resource types defined by Amazon Data Lifecycle Manager
](#amazondatalifecyclemanager-resources-for-iam-policies)
+ [

## Condition keys for Amazon Data Lifecycle Manager
](#amazondatalifecyclemanager-policy-keys)

## Actions defined by Amazon Data Lifecycle Manager
<a name="amazondatalifecyclemanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazondatalifecyclemanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatalifecyclemanager.html)

## Resource types defined by Amazon Data Lifecycle Manager
<a name="amazondatalifecyclemanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazondatalifecyclemanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/dlm/latest/APIReference/API_LifecyclePolicy.html](https://docs.aws.amazon.com/dlm/latest/APIReference/API_LifecyclePolicy.html)  |  arn:\$1\$1Partition\$1:dlm:\$1\$1Region\$1:\$1\$1Account\$1:policy/\$1\$1ResourceName\$1  |   [#amazondatalifecyclemanager-aws_ResourceTag___TagKey_](#amazondatalifecyclemanager-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Data Lifecycle Manager
<a name="amazondatalifecyclemanager-policy-keys"></a>

Amazon Data Lifecycle Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Data Pipeline
<a name="list_awsdatapipeline"></a>

AWS Data Pipeline (service prefix: `datapipeline`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/datapipeline/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-control-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Data Pipeline
](#awsdatapipeline-actions-as-permissions)
+ [

## Resource types defined by AWS Data Pipeline
](#awsdatapipeline-resources-for-iam-policies)
+ [

## Condition keys for AWS Data Pipeline
](#awsdatapipeline-policy-keys)

## Actions defined by AWS Data Pipeline
<a name="awsdatapipeline-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdatapipeline-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatapipeline.html)

## Resource types defined by AWS Data Pipeline
<a name="awsdatapipeline-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdatapipeline-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatapipeline.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatapipeline.html)  |  arn:\$1\$1Partition\$1:datapipeline:\$1\$1Region\$1:\$1\$1Account\$1:pipeline/\$1\$1PipelineId\$1  |   [#awsdatapipeline-aws_ResourceTag___TagKey_](#awsdatapipeline-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Data Pipeline
<a name="awsdatapipeline-policy-keys"></a>

AWS Data Pipeline defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-example-tag-policies.html#ex3](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-example-tag-policies.html#ex3)  | Filters access by the IAM user that created the pipeline | ArrayOfString | 
|   [https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-resourcebased-access.html#dp-control-access-tags](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-resourcebased-access.html#dp-control-access-tags)  | Filters access by customer-specified key/value pair that can be attached to a resource | String | 
|   [https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-resourcebased-access.html#dp-control-access-workergroup](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-resourcebased-access.html#dp-control-access-workergroup)  | Filters access by the name of a worker group for which a Task Runner retrieves work | ArrayOfString | 

# Actions, resources, and condition keys for AWS Database Migration Service
<a name="list_awsdatabasemigrationservice"></a>

AWS Database Migration Service (service prefix: `dms`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/dms/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/dms/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Database Migration Service
](#awsdatabasemigrationservice-actions-as-permissions)
+ [

## Resource types defined by AWS Database Migration Service
](#awsdatabasemigrationservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Database Migration Service
](#awsdatabasemigrationservice-policy-keys)

## Actions defined by AWS Database Migration Service
<a name="awsdatabasemigrationservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdatabasemigrationservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html)

## Resource types defined by AWS Database Migration Service
<a name="awsdatabasemigrationservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdatabasemigrationservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/API_Certificate.html](https://docs.aws.amazon.com/dms/latest/APIReference/API_Certificate.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:cert:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_cert-tag___TagKey_](#awsdatabasemigrationservice-dms_cert-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/dms/latest/APIReference/Welcome.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:data-provider:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_data-provider-tag___TagKey_](#awsdatabasemigrationservice-dms_data-provider-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/dms/latest/APIReference/Welcome.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:data-migration:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_data-migration-tag___TagKey_](#awsdatabasemigrationservice-dms_data-migration-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/API_Endpoint.html](https://docs.aws.amazon.com/dms/latest/APIReference/API_Endpoint.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:endpoint:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_endpoint-tag___TagKey_](#awsdatabasemigrationservice-dms_endpoint-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/API_EventSubscription.html](https://docs.aws.amazon.com/dms/latest/APIReference/API_EventSubscription.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:es:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_es-tag___TagKey_](#awsdatabasemigrationservice-dms_es-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/dms/latest/APIReference/Welcome.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:instance-profile:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_instance-profile-tag___TagKey_](#awsdatabasemigrationservice-dms_instance-profile-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/dms/latest/APIReference/Welcome.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:migration-project:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_migration-project-tag___TagKey_](#awsdatabasemigrationservice-dms_migration-project-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/dms/latest/APIReference/Welcome.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:replication-config:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_replication-config-tag___TagKey_](#awsdatabasemigrationservice-dms_replication-config-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/API_ReplicationInstance.html](https://docs.aws.amazon.com/dms/latest/APIReference/API_ReplicationInstance.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:rep:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_rep-tag___TagKey_](#awsdatabasemigrationservice-dms_rep-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/API_ReplicationSubnetGroup.html](https://docs.aws.amazon.com/dms/latest/APIReference/API_ReplicationSubnetGroup.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:subgrp:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_subgrp-tag___TagKey_](#awsdatabasemigrationservice-dms_subgrp-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/API_ReplicationTask.html](https://docs.aws.amazon.com/dms/latest/APIReference/API_ReplicationTask.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:task:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_task-tag___TagKey_](#awsdatabasemigrationservice-dms_task-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/API_ReplicationTaskAssessmentRun.html](https://docs.aws.amazon.com/dms/latest/APIReference/API_ReplicationTaskAssessmentRun.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:assessment-run:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_assessment-run-tag___TagKey_](#awsdatabasemigrationservice-dms_assessment-run-tag___TagKey_)   | 
|   [https://docs.aws.amazon.com/dms/latest/APIReference/API_ReplicationTaskIndividualAssessment.html](https://docs.aws.amazon.com/dms/latest/APIReference/API_ReplicationTaskIndividualAssessment.html)  |  arn:\$1\$1Partition\$1:dms:\$1\$1Region\$1:\$1\$1Account\$1:individual-assessment:\$1  |   [#awsdatabasemigrationservice-aws_ResourceTag___TagKey_](#awsdatabasemigrationservice-aws_ResourceTag___TagKey_)   [#awsdatabasemigrationservice-dms_individual-assessment-tag___TagKey_](#awsdatabasemigrationservice-dms_individual-assessment-tag___TagKey_)   | 

## Condition keys for AWS Database Migration Service
<a name="awsdatabasemigrationservice-policy-keys"></a>

AWS Database Migration Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_assessment-run-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_assessment-run-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for AssessmentRun | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice--dms_cert-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice--dms_cert-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for Certificate | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice--dms_data-migration-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice--dms_data-migration-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for DataMigration | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice--dms_dp-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice--dms_dp-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for DataProvider | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_endpoint-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_endpoint-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for Endpoint | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_es-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_es-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for EventSubscription | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_individual-assessment-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_individual-assessment-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for IndividualAssessment | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice--dms_ip-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice--dms_ip-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for InstanceProfile | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice--dms_mp-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice--dms_mp-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for MigrationProject | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_rep-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_rep-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for ReplicationInstance | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_replication-config-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_replication-config-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for ReplicationConfig | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_req-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_req-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the given request | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_subgrp-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_subgrp-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for ReplicationSubnetGroup | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_task-tag___TagKey_](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html#awsdatabasemigrationservice-dms_task-tag___TagKey_)  | Filters access by the presence of tag key-value pairs in the request for ReplicationTask | String | 

# Actions, resources, and condition keys for Database Query Metadata Service
<a name="list_databasequerymetadataservice"></a>

Database Query Metadata Service (service prefix: `dbqms`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html) permission policies.

**Topics**
+ [

## Actions defined by Database Query Metadata Service
](#databasequerymetadataservice-actions-as-permissions)
+ [

## Resource types defined by Database Query Metadata Service
](#databasequerymetadataservice-resources-for-iam-policies)
+ [

## Condition keys for Database Query Metadata Service
](#databasequerymetadataservice-policy-keys)

## Actions defined by Database Query Metadata Service
<a name="databasequerymetadataservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#databasequerymetadataservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#CreateFavoriteQuery](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#CreateFavoriteQuery)  | Grants permission to create a new favorite query | Write |  |  |  | 
|   CreateQueryHistory  | Grants permission to add a query to the history | Write |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#CreateTab](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#CreateTab)  | Grants permission to create a new query tab | Write |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DeleteFavoriteQueries](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DeleteFavoriteQueries)  | Grants permission to delete saved queries | Write |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DeleteQueryHistory](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DeleteQueryHistory)  | Grants permission to delete a historical query | Write |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DeleteTab](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DeleteTab)  | Grants permission to delete query tab | Write |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DescribeFavoriteQueries](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DescribeFavoriteQueries)  | Grants permission to list saved queries and associated metadata | List |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DescribeQueryHistory](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DescribeQueryHistory)  | Grants permission to list history of queries that were run | List |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DescribeTabs](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#DescribeTabs)  | Grants permission to list query tabs and associated metadata | List |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#GetQueryString](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#GetQueryString)  | Grants permission to retrieve favorite or history query string by id | Read |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#UpdateFavoriteQuery](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#UpdateFavoriteQuery)  | Grants permission to update saved query and description | Write |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#UpdateQueryHistory](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#UpdateQueryHistory)  | Grants permission to update the query history | Write |  |  |  | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#UpdateTab](https://docs.aws.amazon.com/qldb/latest/developerguide/dbqms-api.html#UpdateTab)  | Grants permission to update query tab | Write |  |  |  | 

## Resource types defined by Database Query Metadata Service
<a name="databasequerymetadataservice-resources-for-iam-policies"></a>

Database Query Metadata Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Database Query Metadata Service, specify `"Resource": "*"` in your policy.

## Condition keys for Database Query Metadata Service
<a name="databasequerymetadataservice-policy-keys"></a>

DBQMS has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS DataSync
<a name="list_awsdatasync"></a>

AWS DataSync (service prefix: `datasync`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/datasync/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/datasync/latest/userguide/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/datasync/latest/userguide/iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS DataSync
](#awsdatasync-actions-as-permissions)
+ [

## Resource types defined by AWS DataSync
](#awsdatasync-resources-for-iam-policies)
+ [

## Condition keys for AWS DataSync
](#awsdatasync-policy-keys)

## Actions defined by AWS DataSync
<a name="awsdatasync-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdatasync-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html)

## Resource types defined by AWS DataSync
<a name="awsdatasync-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdatasync-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/datasync/latest/userguide/working-with-agents.html](https://docs.aws.amazon.com/datasync/latest/userguide/working-with-agents.html)  |  arn:\$1\$1Partition\$1:datasync:\$1\$1Region\$1:\$1\$1AccountId\$1:agent/\$1\$1AgentId\$1  |   [#awsdatasync-aws_ResourceTag___TagKey_](#awsdatasync-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/datasync/latest/userguide/working-with-locations.html](https://docs.aws.amazon.com/datasync/latest/userguide/working-with-locations.html)  |  arn:\$1\$1Partition\$1:datasync:\$1\$1Region\$1:\$1\$1AccountId\$1:location/\$1\$1LocationId\$1  |   [#awsdatasync-aws_ResourceTag___TagKey_](#awsdatasync-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/datasync/latest/userguide/working-with-tasks.html](https://docs.aws.amazon.com/datasync/latest/userguide/working-with-tasks.html)  |  arn:\$1\$1Partition\$1:datasync:\$1\$1Region\$1:\$1\$1AccountId\$1:task/\$1\$1TaskId\$1  |   [#awsdatasync-aws_ResourceTag___TagKey_](#awsdatasync-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/datasync/latest/userguide/working-with-task-executions.html](https://docs.aws.amazon.com/datasync/latest/userguide/working-with-task-executions.html)  |  arn:\$1\$1Partition\$1:datasync:\$1\$1Region\$1:\$1\$1AccountId\$1:task/\$1\$1TaskId\$1/execution/\$1\$1ExecutionId\$1  |   [#awsdatasync-aws_ResourceTag___TagKey_](#awsdatasync-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/datasync/latest/userguide/discovery-configure-storage.html](https://docs.aws.amazon.com/datasync/latest/userguide/discovery-configure-storage.html)  |  arn:\$1\$1Partition\$1:datasync:\$1\$1Region\$1:\$1\$1AccountId\$1:system/\$1\$1StorageSystemId\$1  |   [#awsdatasync-aws_ResourceTag___TagKey_](#awsdatasync-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/datasync/latest/userguide/discovery-job-create.html](https://docs.aws.amazon.com/datasync/latest/userguide/discovery-job-create.html)  |  arn:\$1\$1Partition\$1:datasync:\$1\$1Region\$1:\$1\$1AccountId\$1:system/\$1\$1StorageSystemId\$1/job/\$1\$1DiscoveryJobId\$1  |   [#awsdatasync-aws_ResourceTag___TagKey_](#awsdatasync-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS DataSync
<a name="awsdatasync-policy-keys"></a>

AWS DataSync defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon DataZone
<a name="list_amazondatazone"></a>

Amazon DataZone (service prefix: `datazone`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/datazone/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/datazone/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/datazone/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon DataZone
](#amazondatazone-actions-as-permissions)
+ [

## Resource types defined by Amazon DataZone
](#amazondatazone-resources-for-iam-policies)
+ [

## Condition keys for Amazon DataZone
](#amazondatazone-policy-keys)

## Actions defined by Amazon DataZone
<a name="amazondatazone-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazondatazone-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatazone.html)

## Resource types defined by Amazon DataZone
<a name="amazondatazone-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazondatazone-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/datazone/latest/userguide/create-domain.html](https://docs.aws.amazon.com/datazone/latest/userguide/create-domain.html)  |  arn:\$1\$1Partition\$1:datazone:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainId\$1  |   [#amazondatazone-aws_ResourceTag___TagKey_](#amazondatazone-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon DataZone
<a name="amazondatazone-policy-keys"></a>

Amazon DataZone defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#amazondatazone-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#amazondatazone-policy-keys)  | Filters access by the domain ID passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#amazondatazone-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#amazondatazone-policy-keys)  | Filters access by the project ID passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#amazondatazone-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#amazondatazone-policy-keys)  | Filters access by the user ID passed in the request | String | 

# Actions, resources, and condition keys for AWS Deadline Cloud
<a name="list_awsdeadlinecloud"></a>

AWS Deadline Cloud (service prefix: `deadline`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Deadline Cloud
](#awsdeadlinecloud-actions-as-permissions)
+ [

## Resource types defined by AWS Deadline Cloud
](#awsdeadlinecloud-resources-for-iam-policies)
+ [

## Condition keys for AWS Deadline Cloud
](#awsdeadlinecloud-policy-keys)

## Actions defined by AWS Deadline Cloud
<a name="awsdeadlinecloud-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdeadlinecloud-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeadlinecloud.html)

## Resource types defined by AWS Deadline Cloud
<a name="awsdeadlinecloud-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdeadlinecloud-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/manage-costs.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/manage-costs.html)  |  arn:\$1\$1Partition\$1:deadline:\$1\$1Region\$1:\$1\$1Account\$1:farm/\$1\$1FarmId\$1/budget/\$1\$1BudgetId\$1  |   [#awsdeadlinecloud-aws_ResourceTag___TagKey_](#awsdeadlinecloud-aws_ResourceTag___TagKey_)   [#awsdeadlinecloud-deadline_FarmMembershipLevels](#awsdeadlinecloud-deadline_FarmMembershipLevels)   | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/farms.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/farms.html)  |  arn:\$1\$1Partition\$1:deadline:\$1\$1Region\$1:\$1\$1Account\$1:farm/\$1\$1FarmId\$1  |   [#awsdeadlinecloud-aws_ResourceTag___TagKey_](#awsdeadlinecloud-aws_ResourceTag___TagKey_)   [#awsdeadlinecloud-deadline_FarmMembershipLevels](#awsdeadlinecloud-deadline_FarmMembershipLevels)   | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/manage-fleets.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/manage-fleets.html)  |  arn:\$1\$1Partition\$1:deadline:\$1\$1Region\$1:\$1\$1Account\$1:farm/\$1\$1FarmId\$1/fleet/\$1\$1FleetId\$1  |   [#awsdeadlinecloud-aws_ResourceTag___TagKey_](#awsdeadlinecloud-aws_ResourceTag___TagKey_)   [#awsdeadlinecloud-deadline_FarmMembershipLevels](#awsdeadlinecloud-deadline_FarmMembershipLevels)   [#awsdeadlinecloud-deadline_FleetMembershipLevels](#awsdeadlinecloud-deadline_FleetMembershipLevels)   | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/deadline-cloud-jobs.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/deadline-cloud-jobs.html)  |  arn:\$1\$1Partition\$1:deadline:\$1\$1Region\$1:\$1\$1Account\$1:farm/\$1\$1FarmId\$1/queue/\$1\$1QueueId\$1/job/\$1\$1JobId\$1  |   [#awsdeadlinecloud-aws_ResourceTag___TagKey_](#awsdeadlinecloud-aws_ResourceTag___TagKey_)   [#awsdeadlinecloud-deadline_FarmMembershipLevels](#awsdeadlinecloud-deadline_FarmMembershipLevels)   [#awsdeadlinecloud-deadline_JobMembershipLevels](#awsdeadlinecloud-deadline_JobMembershipLevels)   [#awsdeadlinecloud-deadline_QueueMembershipLevels](#awsdeadlinecloud-deadline_QueueMembershipLevels)   | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/cmf-ubl.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/cmf-ubl.html)  |  arn:\$1\$1Partition\$1:deadline:\$1\$1Region\$1:\$1\$1Account\$1:license-endpoint/\$1\$1LicenseEndpointId\$1  |   [#awsdeadlinecloud-aws_ResourceTag___TagKey_](#awsdeadlinecloud-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/working-with-deadline-monitor.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/working-with-deadline-monitor.html)  |  arn:\$1\$1Partition\$1:deadline:\$1\$1Region\$1:\$1\$1Account\$1:monitor/\$1\$1MonitorId\$1  |   [#awsdeadlinecloud-aws_ResourceTag___TagKey_](#awsdeadlinecloud-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/queues.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/queues.html)  |  arn:\$1\$1Partition\$1:deadline:\$1\$1Region\$1:\$1\$1Account\$1:farm/\$1\$1FarmId\$1/queue/\$1\$1QueueId\$1  |   [#awsdeadlinecloud-aws_ResourceTag___TagKey_](#awsdeadlinecloud-aws_ResourceTag___TagKey_)   [#awsdeadlinecloud-deadline_FarmMembershipLevels](#awsdeadlinecloud-deadline_FarmMembershipLevels)   [#awsdeadlinecloud-deadline_QueueMembershipLevels](#awsdeadlinecloud-deadline_QueueMembershipLevels)   | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:deadline:\$1\$1Region\$1:\$1\$1Account\$1:farm/\$1\$1FarmId\$1/fleet/\$1\$1FleetId\$1/worker/\$1\$1WorkerId\$1  |   [#awsdeadlinecloud-aws_ResourceTag___TagKey_](#awsdeadlinecloud-aws_ResourceTag___TagKey_)   [#awsdeadlinecloud-deadline_FarmMembershipLevels](#awsdeadlinecloud-deadline_FarmMembershipLevels)   [#awsdeadlinecloud-deadline_FleetMembershipLevels](#awsdeadlinecloud-deadline_FleetMembershipLevels)   | 

## Condition keys for AWS Deadline Cloud
<a name="awsdeadlinecloud-policy-keys"></a>

AWS Deadline Cloud defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html)  | Filters access by the associated membership level of the principal provided in the request | String | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html)  | Filters access by the allowed action in the request | String | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html)  | Filters access by membership levels on the farm | ArrayOfString | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html)  | Filters access by membership levels on the fleet | ArrayOfString | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html)  | Filters access by membership levels on the job | ArrayOfString | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html)  | Filters access by the membership level passed in the request | String | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html)  | Filters access by the principle ID provided in the request | String | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html)  | Filters access by membership levels on the queue | ArrayOfString | 
|   [https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/security-iam-service-with-iam.html)  | Filters access by the user calling the Deadline Cloud API | String | 

# Actions, resources, and condition keys for Amazon Detective
<a name="list_amazondetective"></a>

Amazon Detective (service prefix: `detective`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/detective/latest/adminguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/detective/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/detective/latest/adminguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Detective
](#amazondetective-actions-as-permissions)
+ [

## Resource types defined by Amazon Detective
](#amazondetective-resources-for-iam-policies)
+ [

## Condition keys for Amazon Detective
](#amazondetective-policy-keys)

## Actions defined by Amazon Detective
<a name="amazondetective-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazondetective-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondetective.html)

## Resource types defined by Amazon Detective
<a name="amazondetective-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazondetective-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/detective/latest/adminguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources](https://docs.aws.amazon.com/detective/latest/adminguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources)  |  arn:\$1\$1Partition\$1:detective:\$1\$1Region\$1:\$1\$1Account\$1:graph:\$1\$1ResourceId\$1  |   [#amazondetective-aws_ResourceTag___TagKey_](#amazondetective-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Detective
<a name="amazondetective-policy-keys"></a>

Amazon Detective defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by specifying the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by specifying the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by specifying the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Device Farm
<a name="list_awsdevicefarm"></a>

AWS Device Farm (service prefix: `devicefarm`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/devicefarm/latest/developerguide/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/devicefarm/latest/developerguide/permissions.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Device Farm
](#awsdevicefarm-actions-as-permissions)
+ [

## Resource types defined by AWS Device Farm
](#awsdevicefarm-resources-for-iam-policies)
+ [

## Condition keys for AWS Device Farm
](#awsdevicefarm-policy-keys)

## Actions defined by AWS Device Farm
<a name="awsdevicefarm-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdevicefarm-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevicefarm.html)

## Resource types defined by AWS Device Farm
<a name="awsdevicefarm-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdevicefarm-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Project.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Project.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:project:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Run.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Run.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:run:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Job.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Job.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:job:\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Suite.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Suite.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:suite:\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Test.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Test.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:test:\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Upload.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Upload.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:upload:\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Artifact.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Artifact.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:artifact:\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Sample.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Sample.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:sample:\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_NetworkProfile.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_NetworkProfile.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:networkprofile:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_DeviceInstance.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_DeviceInstance.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1::deviceinstance:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_RemoteAccessSession.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_RemoteAccessSession.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:session:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_DevicePool.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_DevicePool.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:devicepool:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Device.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_Device.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1::device:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_InstanceProfile.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_InstanceProfile.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:instanceprofile:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_VPCEConfiguration.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_VPCEConfiguration.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:vpceconfiguration:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_TestGridProject.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_TestGridProject.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:testgrid-project:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_TestGridSession.html](https://docs.aws.amazon.com/devicefarm/latest/APIReference/API_TestGridSession.html)  |  arn:\$1\$1Partition\$1:devicefarm:\$1\$1Region\$1:\$1\$1Account\$1:testgrid-session:\$1\$1ResourceId\$1  |   [#awsdevicefarm-aws_ResourceTag___TagKey_](#awsdevicefarm-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Device Farm
<a name="awsdevicefarm-policy-keys"></a>

AWS Device Farm defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag-value assoicated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS DevOps Agent Service
<a name="list_awsdevopsagentservice"></a>

AWS DevOps Agent Service (service prefix: `aidevops`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/devopsagent/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/devopsagent/latest/userguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/devopsagent/latest/userguide/security-and-access-control-devops-agent-iam-permissions.html) permission policies.

**Topics**
+ [

## Actions defined by AWS DevOps Agent Service
](#awsdevopsagentservice-actions-as-permissions)
+ [

## Resource types defined by AWS DevOps Agent Service
](#awsdevopsagentservice-resources-for-iam-policies)
+ [

## Condition keys for AWS DevOps Agent Service
](#awsdevopsagentservice-policy-keys)

## Actions defined by AWS DevOps Agent Service
<a name="awsdevopsagentservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdevopsagentservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevopsagentservice.html)

## Resource types defined by AWS DevOps Agent Service
<a name="awsdevopsagentservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdevopsagentservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/devopsagent/latest/userguide/](https://docs.aws.amazon.com/devopsagent/latest/userguide/)  |  arn:\$1\$1Partition\$1:aidevops:\$1\$1Region\$1:\$1\$1Account\$1:agentspace/\$1\$1AgentSpaceId\$1  |   [#awsdevopsagentservice-aws_ResourceTag___TagKey_](#awsdevopsagentservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/devopsagent/latest/userguide/](https://docs.aws.amazon.com/devopsagent/latest/userguide/)  |  arn:\$1\$1Partition\$1:aidevops:\$1\$1Region\$1:\$1\$1Account\$1:agentspace/\$1\$1AgentSpaceId\$1/associations/\$1\$1AssociationId\$1  |  | 
|   [https://docs.aws.amazon.com/devopsagent/latest/userguide/](https://docs.aws.amazon.com/devopsagent/latest/userguide/)  |  arn:\$1\$1Partition\$1:aidevops:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceId\$1  |   [#awsdevopsagentservice-aws_ResourceTag___TagKey_](#awsdevopsagentservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS DevOps Agent Service
<a name="awsdevopsagentservice-policy-keys"></a>

AWS DevOps Agent Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon DevOps Guru
<a name="list_amazondevopsguru"></a>

Amazon DevOps Guru (service prefix: `devops-guru`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/devops-guru/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/devops-guru/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/devops-guru/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon DevOps Guru
](#amazondevopsguru-actions-as-permissions)
+ [

## Resource types defined by Amazon DevOps Guru
](#amazondevopsguru-resources-for-iam-policies)
+ [

## Condition keys for Amazon DevOps Guru
](#amazondevopsguru-policy-keys)

## Actions defined by Amazon DevOps Guru
<a name="amazondevopsguru-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazondevopsguru-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_AddNotificationChannel.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_AddNotificationChannel.html)  | Grants permission to add a notification channel to DevOps Guru | Write |   [#amazondevopsguru-topic](#amazondevopsguru-topic)   |  |   sns:GetTopicAttributes   sns:SetTopicAttributes   | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DeleteInsight.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DeleteInsight.html)  | Grants permission to delete specified insight in your account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeAccountHealth.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeAccountHealth.html)  | Grants permission to view the health of operations in your AWS account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeAccountOverview.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeAccountOverview.html)  | Grants permission to view the health of operations within a time range in your AWS account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeAnomaly.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeAnomaly.html)  | Grants permission to list the details of a specified anomaly | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeEventSourcesConfig.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeEventSourcesConfig.html)  | Grants permission to retrieve details about event sources for DevOps Guru | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeFeedback.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeFeedback.html)  | Grants permission to view the feedback details of a specified insight | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeInsight.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeInsight.html)  | Grants permission to list the details of a specified insight | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeOrganizationHealth.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeOrganizationHealth.html)  | Grants permission to view the health of operations in your organization | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeOrganizationOverview.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeOrganizationOverview.html)  | Grants permission to view the health of operations within a time range in your organization | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeOrganizationResourceCollectionHealth.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeOrganizationResourceCollectionHealth.html)  | Grants permission to view the health of operations for each AWS CloudFormation stack or AWS Services or accounts specified in DevOps Guru in your organization | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeResourceCollectionHealth.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeResourceCollectionHealth.html)  | Grants permission to view the health of operations for each AWS CloudFormation stack specified in DevOps Guru | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeServiceIntegration.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_DescribeServiceIntegration.html)  | Grants permission to view the integration status of services that can be integrated with DevOps Guru | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_GetCostEstimation.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_GetCostEstimation.html)  | Grants permission to list service resource cost estimates | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_GetResourceCollection.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_GetResourceCollection.html)  | Grants permission to list AWS CloudFormation stacks that DevOps Guru is configured to use | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListAnomaliesForInsight.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListAnomaliesForInsight.html)  | Grants permission to list anomalies of a given insight in your account | List |  |   [#amazondevopsguru-devops-guru_ServiceNames](#amazondevopsguru-devops-guru_ServiceNames)   |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListAnomalousLogGroups.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListAnomalousLogGroups.html)  | Grants permission to list log anomalies of a given insight in your account | List |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListEvents.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListEvents.html)  | Grants permission to list resource events that are evaluated by DevOps Guru | List |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListInsights.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListInsights.html)  | Grants permission to list insights in your account | List |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListMonitoredResources.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListMonitoredResources.html)  | Grants permission to list resource monitored by DevOps Guru in your account | List |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListNotificationChannels.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListNotificationChannels.html)  | Grants permission to list notification channels configured for DevOps Guru in your account | List |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListOrganizationInsights.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListOrganizationInsights.html)  | Grants permission to list insights in your organization | List |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListRecommendations.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ListRecommendations.html)  | Grants permission to list a specified insight's recommendations | List |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_PutFeedback.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_PutFeedback.html)  | Grants permission to submit a feedback to DevOps Guru | Write |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_RemoveNotificationChannel.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_RemoveNotificationChannel.html)  | Grants permission to remove a notification channel from DevOps Guru | Write |   [#amazondevopsguru-topic](#amazondevopsguru-topic)   |  |   sns:GetTopicAttributes   sns:SetTopicAttributes   | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_SearchInsights.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_SearchInsights.html)  | Grants permission to search insights in your account | List |  |   [#amazondevopsguru-devops-guru_ServiceNames](#amazondevopsguru-devops-guru_ServiceNames)   |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_SearchOrganizationInsights.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_SearchOrganizationInsights.html)  | Grants permission to search insights in your organization | List |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_StartCostEstimation.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_StartCostEstimation.html)  | Grants permission to start the creation of an estimate of the monthly cost | Read |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_UpdateEventSourcesConfig.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_UpdateEventSourcesConfig.html)  | Grants permission to update an event source for DevOps Guru | Write |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_UpdateResourceCollection.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_UpdateResourceCollection.html)  | Grants permission to update the list of AWS CloudFormation stacks that are used to specify which AWS resources in your account are analyzed by DevOps Guru | Write |  |  |  | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_UpdateServiceIntegration.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_UpdateServiceIntegration.html)  | Grants permission to enable or disable a service that integrates with DevOps Guru | Write |  |  |  | 

## Resource types defined by Amazon DevOps Guru
<a name="amazondevopsguru-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazondevopsguru-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/devops-guru/latest/userguide/setting-up.html#setting-up-notifications](https://docs.aws.amazon.com/devops-guru/latest/userguide/setting-up.html#setting-up-notifications)  |  arn:\$1\$1Partition\$1:sns:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1TopicName\$1  |  | 

## Condition keys for Amazon DevOps Guru
<a name="amazondevopsguru-policy-keys"></a>

Amazon DevOps Guru defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ServiceCollection.html](https://docs.aws.amazon.com/devops-guru/latest/APIReference/API_ServiceCollection.html)  | Filters access by API to restrict access to given AWS service names | ArrayOfString | 

# Actions, resources, and condition keys for AWS Diagnostic tools
<a name="list_awsdiagnostictools"></a>

AWS Diagnostic tools (service prefix: `ts`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/diagnostic-tools/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/diagnostic-tools/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ts/latest/diagnostic-tools/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Diagnostic tools
](#awsdiagnostictools-actions-as-permissions)
+ [

## Resource types defined by AWS Diagnostic tools
](#awsdiagnostictools-resources-for-iam-policies)
+ [

## Condition keys for AWS Diagnostic tools
](#awsdiagnostictools-policy-keys)

## Actions defined by AWS Diagnostic tools
<a name="awsdiagnostictools-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdiagnostictools-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdiagnostictools.html)

## Resource types defined by AWS Diagnostic tools
<a name="awsdiagnostictools-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdiagnostictools-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/diagnostic-tools/latest/APIReference/API_Execution.html](https://docs.aws.amazon.com/diagnostic-tools/latest/APIReference/API_Execution.html)  |  arn:\$1\$1Partition\$1:ts::\$1\$1Account\$1:execution/\$1\$1UserId\$1/\$1\$1ToolId\$1/\$1\$1ExecutionId\$1  |   [#awsdiagnostictools-aws_ResourceTag___TagKey_](#awsdiagnostictools-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/diagnostic-tools/latest/APIReference/API_Tool.html](https://docs.aws.amazon.com/diagnostic-tools/latest/APIReference/API_Tool.html)  |  arn:\$1\$1Partition\$1:ts::aws:tool/\$1\$1ToolId\$1  |  | 

## Condition keys for AWS Diagnostic tools
<a name="awsdiagnostictools-policy-keys"></a>

AWS Diagnostic tools defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Direct Connect
<a name="list_awsdirectconnect"></a>

AWS Direct Connect (service prefix: `directconnect`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/directconnect/latest/UserGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/directconnect/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/directconnect/latest/UserGuide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Direct Connect
](#awsdirectconnect-actions-as-permissions)
+ [

## Resource types defined by AWS Direct Connect
](#awsdirectconnect-resources-for-iam-policies)
+ [

## Condition keys for AWS Direct Connect
](#awsdirectconnect-policy-keys)

## Actions defined by AWS Direct Connect
<a name="awsdirectconnect-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdirectconnect-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectconnect.html)

## Resource types defined by AWS Direct Connect
<a name="awsdirectconnect-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdirectconnect-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/directconnect/latest/APIReference/API_Connection.html](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_Connection.html)  |  arn:\$1\$1Partition\$1:directconnect:\$1\$1Region\$1:\$1\$1Account\$1:dxcon/\$1\$1ConnectionId\$1  |   [#awsdirectconnect-aws_ResourceTag___TagKey_](#awsdirectconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/directconnect/latest/APIReference/API_Lag.html](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_Lag.html)  |  arn:\$1\$1Partition\$1:directconnect:\$1\$1Region\$1:\$1\$1Account\$1:dxlag/\$1\$1LagId\$1  |   [#awsdirectconnect-aws_ResourceTag___TagKey_](#awsdirectconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/directconnect/latest/APIReference/API_VirtualInterface.html](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_VirtualInterface.html)  |  arn:\$1\$1Partition\$1:directconnect:\$1\$1Region\$1:\$1\$1Account\$1:dxvif/\$1\$1VirtualInterfaceId\$1  |   [#awsdirectconnect-aws_ResourceTag___TagKey_](#awsdirectconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DirectConnectGateway.html](https://docs.aws.amazon.com/directconnect/latest/APIReference/API_DirectConnectGateway.html)  |  arn:\$1\$1Partition\$1:directconnect::\$1\$1Account\$1:dx-gateway/\$1\$1DirectConnectGatewayId\$1  |   [#awsdirectconnect-aws_ResourceTag___TagKey_](#awsdirectconnect-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Direct Connect
<a name="awsdirectconnect-policy-keys"></a>

AWS Direct Connect defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Directory Service
<a name="list_awsdirectoryservice"></a>

AWS Directory Service (service prefix: `ds`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/directoryservice/latest/devguide/welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_auth_access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Directory Service
](#awsdirectoryservice-actions-as-permissions)
+ [

## Resource types defined by AWS Directory Service
](#awsdirectoryservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Directory Service
](#awsdirectoryservice-policy-keys)

## Actions defined by AWS Directory Service
<a name="awsdirectoryservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdirectoryservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectoryservice.html)

## Resource types defined by AWS Directory Service
<a name="awsdirectoryservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdirectoryservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/directoryservice/latest/devguide/welcome.html](https://docs.aws.amazon.com/directoryservice/latest/devguide/welcome.html)  |  arn:\$1\$1Partition\$1:ds:\$1\$1Region\$1:\$1\$1Account\$1:directory/\$1\$1DirectoryId\$1  |   [#awsdirectoryservice-aws_ResourceTag___TagKey_](#awsdirectoryservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Directory Service
<a name="awsdirectoryservice-policy-keys"></a>

AWS Directory Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html)  | Filters access by the value of the request to AWS DS | String | 
|   [https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html)  | Filters access by the AWS DS Resource being acted upon | String | 
|   [https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Directory Service Data
<a name="list_awsdirectoryservicedata"></a>

AWS Directory Service Data (service prefix: `ds-data`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/UsingWithDS_IAM_AuthNAccess.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Directory Service Data
](#awsdirectoryservicedata-actions-as-permissions)
+ [

## Resource types defined by AWS Directory Service Data
](#awsdirectoryservicedata-resources-for-iam-policies)
+ [

## Condition keys for AWS Directory Service Data
](#awsdirectoryservicedata-policy-keys)

## Actions defined by AWS Directory Service Data
<a name="awsdirectoryservicedata-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsdirectoryservicedata-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectoryservicedata.html)

## Resource types defined by AWS Directory Service Data
<a name="awsdirectoryservicedata-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsdirectoryservicedata-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/IAM_Auth_Access_Overview.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/IAM_Auth_Access_Overview.html)  |  arn:\$1\$1Partition\$1:ds:\$1\$1Region\$1:\$1\$1Account\$1:directory/\$1\$1DirectoryId\$1  |   [#awsdirectoryservicedata-aws_ResourceTag___TagKey_](#awsdirectoryservicedata-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Directory Service Data
<a name="awsdirectoryservicedata-policy-keys"></a>

AWS Directory Service Data defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the AWS DS Resource being acted upon | String | 
|   [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_dsdata-condition-keys.html#dsdata_condition-Identifier](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_dsdata-condition-keys.html#dsdata_condition-Identifier)  | Filters access by the type of identifier provided in the request (i.e. SAM Account Name) | String | 
|   [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_dsdata-condition-keys.html#dsdata_condition-MemberName](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_dsdata-condition-keys.html#dsdata_condition-MemberName)  | Filters access by the directory SAM Account Name included in the MemberName input of the request | String | 
|   [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_dsdata-condition-keys.html#dsdata_condition-MemberRealm](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_dsdata-condition-keys.html#dsdata_condition-MemberRealm)  | Filters access by the directory realm name included in the MemberRealm input of the request | String | 
|   [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_dsdata-condition-keys.html#dsdata_condition-Realm](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_dsdata-condition-keys.html#dsdata_condition-Realm)  | Filters access by the directory realm name for the request | String | 
|   [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_dsdata-condition-keys.html#dsdata_condition-SAMAccountName](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_dsdata-condition-keys.html#dsdata_condition-SAMAccountName)  | Filters access by the directory SAM Account Name included in the SAMAccountName input of the request | String | 

# Actions, resources, and condition keys for Amazon DocumentDB Elastic Clusters
<a name="list_amazondocumentdbelasticclusters"></a>

Amazon DocumentDB Elastic Clusters (service prefix: `docdb-elastic`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/documentdb/latest/developerguide/docdb-using-elastic-clusters.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_Operations_Amazon_DocumentDB_Elastic_Clusters.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/documentdb/latest/developerguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon DocumentDB Elastic Clusters
](#amazondocumentdbelasticclusters-actions-as-permissions)
+ [

## Resource types defined by Amazon DocumentDB Elastic Clusters
](#amazondocumentdbelasticclusters-resources-for-iam-policies)
+ [

## Condition keys for Amazon DocumentDB Elastic Clusters
](#amazondocumentdbelasticclusters-policy-keys)

## Actions defined by Amazon DocumentDB Elastic Clusters
<a name="amazondocumentdbelasticclusters-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazondocumentdbelasticclusters-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondocumentdbelasticclusters.html)

## Resource types defined by Amazon DocumentDB Elastic Clusters
<a name="amazondocumentdbelasticclusters-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazondocumentdbelasticclusters-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/documentdb/latest/developerguide/elastic-managing.html](https://docs.aws.amazon.com/documentdb/latest/developerguide/elastic-managing.html)  |  arn:\$1\$1Partition\$1:docdb-elastic:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ResourceId\$1  |   [#amazondocumentdbelasticclusters-aws_ResourceTag___TagKey_](#amazondocumentdbelasticclusters-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/documentdb/latest/developerguide/elastic-managing.html#elastic-manage-snapshots](https://docs.aws.amazon.com/documentdb/latest/developerguide/elastic-managing.html#elastic-manage-snapshots)  |  arn:\$1\$1Partition\$1:docdb-elastic:\$1\$1Region\$1:\$1\$1Account\$1:cluster-snapshot/\$1\$1ResourceId\$1  |   [#amazondocumentdbelasticclusters-aws_ResourceTag___TagKey_](#amazondocumentdbelasticclusters-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon DocumentDB Elastic Clusters
<a name="amazondocumentdbelasticclusters-policy-keys"></a>

Amazon DocumentDB Elastic Clusters defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the set of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the set of tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the set of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon DynamoDB
<a name="list_amazondynamodb"></a>

Amazon DynamoDB (service prefix: `dynamodb`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon DynamoDB
](#amazondynamodb-actions-as-permissions)
+ [

## Resource types defined by Amazon DynamoDB
](#amazondynamodb-resources-for-iam-policies)
+ [

## Condition keys for Amazon DynamoDB
](#amazondynamodb-policy-keys)

## Actions defined by Amazon DynamoDB
<a name="amazondynamodb-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazondynamodb-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html)

## Resource types defined by Amazon DynamoDB
<a name="amazondynamodb-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazondynamodb-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.CoreComponents.html#HowItWorks.CoreComponents.PrimaryKey](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.CoreComponents.html#HowItWorks.CoreComponents.PrimaryKey)  |  arn:\$1\$1Partition\$1:dynamodb:\$1\$1Region\$1:\$1\$1Account\$1:table/\$1\$1TableName\$1/index/\$1\$1IndexName\$1  |   [#amazondynamodb-aws_ResourceTag___TagKey_](#amazondynamodb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.CoreComponents.html#HowItWorks.CoreComponents.Streams](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.CoreComponents.html#HowItWorks.CoreComponents.Streams)  |  arn:\$1\$1Partition\$1:dynamodb:\$1\$1Region\$1:\$1\$1Account\$1:table/\$1\$1TableName\$1/stream/\$1\$1StreamLabel\$1  |  | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.CoreComponents.html#HowItWorks.CoreComponents.TablesItemsAttributes](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.CoreComponents.html#HowItWorks.CoreComponents.TablesItemsAttributes)  |  arn:\$1\$1Partition\$1:dynamodb:\$1\$1Region\$1:\$1\$1Account\$1:table/\$1\$1TableName\$1  |   [#amazondynamodb-aws_ResourceTag___TagKey_](#amazondynamodb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/backuprestore_HowItWorks.html](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/backuprestore_HowItWorks.html)  |  arn:\$1\$1Partition\$1:dynamodb:\$1\$1Region\$1:\$1\$1Account\$1:table/\$1\$1TableName\$1/backup/\$1\$1BackupName\$1  |  | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/S3DataExport.HowItWorks.html](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/S3DataExport.HowItWorks.html)  |  arn:\$1\$1Partition\$1:dynamodb:\$1\$1Region\$1:\$1\$1Account\$1:table/\$1\$1TableName\$1/export/\$1\$1ExportName\$1  |  | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/globaltables_HowItWorks.html](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/globaltables_HowItWorks.html)  |  arn:\$1\$1Partition\$1:dynamodb::\$1\$1Account\$1:global-table/\$1\$1GlobalTableName\$1  |  | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/S3DataImport.HowItWorks.html](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/S3DataImport.HowItWorks.html)  |  arn:\$1\$1Partition\$1:dynamodb:\$1\$1Region\$1:\$1\$1Account\$1:table/\$1\$1TableName\$1/import/\$1\$1ImportName\$1  |  | 

## Condition keys for Amazon DynamoDB
<a name="amazondynamodb-policy-keys"></a>

Amazon DynamoDB defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

**Note**  
For information about how to use context keys to refine DynamoDB access using an IAM policy, see [Using IAM Policy Conditions for Fine-Grained Access Control](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html) in the *Amazon DynamoDB Developer Guide*.


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by attribute (field or column) names of the table | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by blocking Transactions APIs calls and allow the non-Transaction APIs calls and vice-versa | String | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by the first partition key of the table | ArrayOfString | 
|   [specifying-conditions.html#FGAC_DDB.ConditionKeys](specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by the ID of an AWS FIS action | String | 
|   [specifying-conditions.html#FGAC_DDB.ConditionKeys](specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by the ARN of an AWS FIS target | ArrayOfARN | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by the forth partition key of the table | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ql-iam.html](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ql-iam.html)  | Filters access by blocking full table scan | Bool | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by the first partition key of the table | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by the ReturnConsumedCapacity parameter of a request. Contains either "TOTAL" or "NONE" | String | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by the ReturnValues parameter of request. Contains one of the following: "ALL\$1OLD", "UPDATED\$1OLD","ALL\$1NEW","UPDATED\$1NEW", or "NONE" | String | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by the second partition key of the table | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by the Select parameter of a Query or Scan request | String | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys)  | Filters access by the third partition key of the table | ArrayOfString | 

# Actions, resources, and condition keys for Amazon DynamoDB Accelerator (DAX)
<a name="list_amazondynamodbacceleratordax"></a>

Amazon DynamoDB Accelerator (DAX) (service prefix: `dax`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access_permissions.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon DynamoDB Accelerator (DAX)
](#amazondynamodbacceleratordax-actions-as-permissions)
+ [

## Resource types defined by Amazon DynamoDB Accelerator (DAX)
](#amazondynamodbacceleratordax-resources-for-iam-policies)
+ [

## Condition keys for Amazon DynamoDB Accelerator (DAX)
](#amazondynamodbacceleratordax-policy-keys)

## Actions defined by Amazon DynamoDB Accelerator (DAX)
<a name="amazondynamodbacceleratordax-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazondynamodbacceleratordax-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodbacceleratordax.html)

## Resource types defined by Amazon DynamoDB Accelerator (DAX)
<a name="amazondynamodbacceleratordax-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazondynamodbacceleratordax-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.access-control.html](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.access-control.html)  |  arn:\$1\$1Partition\$1:dax:\$1\$1Region\$1:\$1\$1Account\$1:cache/\$1\$1ClusterName\$1  |  | 

## Condition keys for Amazon DynamoDB Accelerator (DAX)
<a name="amazondynamodbacceleratordax-policy-keys"></a>

Amazon DynamoDB Accelerator (DAX) defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.access-control.htmlspecifying-conditions.html#FGAC_DDB.ConditionKeys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.access-control.htmlspecifying-conditions.html#FGAC_DDB.ConditionKeys)  | Used to block Transactions APIs calls and allow the non-Transaction APIs calls and vice-versa | String | 

# Actions, resources, and condition keys for Amazon EC2 Auto Scaling
<a name="list_amazonec2autoscaling"></a>

Amazon EC2 Auto Scaling (service prefix: `autoscaling`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/autoscaling/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AutoScaling/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/autoscaling/latest/userguide/IAM.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EC2 Auto Scaling
](#amazonec2autoscaling-actions-as-permissions)
+ [

## Resource types defined by Amazon EC2 Auto Scaling
](#amazonec2autoscaling-resources-for-iam-policies)
+ [

## Condition keys for Amazon EC2 Auto Scaling
](#amazonec2autoscaling-policy-keys)

## Actions defined by Amazon EC2 Auto Scaling
<a name="amazonec2autoscaling-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonec2autoscaling-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2autoscaling.html)

## Resource types defined by Amazon EC2 Auto Scaling
<a name="amazonec2autoscaling-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonec2autoscaling-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources)  |  arn:\$1\$1Partition\$1:autoscaling:\$1\$1Region\$1:\$1\$1Account\$1:autoScalingGroup:\$1\$1GroupId\$1:autoScalingGroupName/\$1\$1GroupFriendlyName\$1  |   [#amazonec2autoscaling-autoscaling_ResourceTag___TagKey_](#amazonec2autoscaling-autoscaling_ResourceTag___TagKey_)   [#amazonec2autoscaling-aws_ResourceTag___TagKey_](#amazonec2autoscaling-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources)  |  arn:\$1\$1Partition\$1:autoscaling:\$1\$1Region\$1:\$1\$1Account\$1:launchConfiguration:\$1\$1Id\$1:launchConfigurationName/\$1\$1LaunchConfigurationName\$1  |  | 

## Condition keys for Amazon EC2 Auto Scaling
<a name="amazonec2autoscaling-policy-keys"></a>

Amazon EC2 Auto Scaling defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the Capacity Reservation IDs | ArrayOfString | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the ARN of a Capacity Reservation resource group | ArrayOfString | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on whether the force delete option is specified when deleting an Auto Scaling group | Bool | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the AMI ID for the launch configuration | String | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the instance type for the launch configuration | String | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the instance types present as overrides to a launch template for a mixed instances policy. Use it to qualify which instance types can be explicitly defined in the policy | String | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the name of a launch configuration | String | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on whether users can specify any version of a launch template or only the Latest or Default version | Bool | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the name of the load balancer | ArrayOfString | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the maximum scaling size in the request | Numeric | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on whether the HTTP endpoint is enabled for the instance metadata service | String | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the allowed number of hops when calling the instance metadata service | Numeric | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on whether tokens are required when calling the instance metadata service (optional or required) | String | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the minimum scaling size in the request | Numeric | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the price for Spot Instances for the launch configuration | Numeric | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the ARN of a target group | ArrayOfARN | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the identifiers of the traffic sources | ArrayOfString | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the identifier of a VPC zone | ArrayOfString | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-condition-keys)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon EC2 Image Builder
<a name="list_amazonec2imagebuilder"></a>

Amazon EC2 Image Builder (service prefix: `imagebuilder`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/imagebuilder/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EC2 Image Builder
](#amazonec2imagebuilder-actions-as-permissions)
+ [

## Resource types defined by Amazon EC2 Image Builder
](#amazonec2imagebuilder-resources-for-iam-policies)
+ [

## Condition keys for Amazon EC2 Image Builder
](#amazonec2imagebuilder-policy-keys)

## Actions defined by Amazon EC2 Image Builder
<a name="amazonec2imagebuilder-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonec2imagebuilder-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2imagebuilder.html)

## Resource types defined by Amazon EC2 Image Builder
<a name="amazonec2imagebuilder-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonec2imagebuilder-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Component.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Component.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:component/\$1\$1ComponentName\$1/\$1\$1ComponentVersion\$1/\$1\$1ComponentBuildVersion\$1  |   [#amazonec2imagebuilder-aws_ResourceTag___TagKey_](#amazonec2imagebuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_DistributionConfiguration.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_DistributionConfiguration.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:distribution-configuration/\$1\$1DistributionConfigurationName\$1  |   [#amazonec2imagebuilder-aws_ResourceTag___TagKey_](#amazonec2imagebuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Image.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Image.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:image/\$1\$1ImageName\$1/\$1\$1ImageVersion\$1/\$1\$1ImageBuildVersion\$1  |   [#amazonec2imagebuilder-aws_ResourceTag___TagKey_](#amazonec2imagebuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImageVersion.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImageVersion.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:image/\$1\$1ImageName\$1/\$1\$1ImageVersion\$1  |   [#amazonec2imagebuilder-aws_ResourceTag___TagKey_](#amazonec2imagebuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImageRecipe.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImageRecipe.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:image-recipe/\$1\$1ImageRecipeName\$1/\$1\$1ImageRecipeVersion\$1  |   [#amazonec2imagebuilder-aws_ResourceTag___TagKey_](#amazonec2imagebuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ContainerRecipe.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ContainerRecipe.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:container-recipe/\$1\$1ContainerRecipeName\$1/\$1\$1ContainerRecipeVersion\$1  |   [#amazonec2imagebuilder-aws_ResourceTag___TagKey_](#amazonec2imagebuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImagePipeline.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImagePipeline.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:image-pipeline/\$1\$1ImagePipelineName\$1  |   [#amazonec2imagebuilder-aws_ResourceTag___TagKey_](#amazonec2imagebuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_InfrastructureConfiguration.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_InfrastructureConfiguration.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:infrastructure-configuration/\$1\$1ResourceId\$1  |   [#amazonec2imagebuilder-aws_ResourceTag___TagKey_](#amazonec2imagebuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_LifecycleExecution.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_LifecycleExecution.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:lifecycle-execution/\$1\$1LifecycleExecutionId\$1  |  | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_LifecyclePolicy.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_LifecyclePolicy.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:lifecycle-policy/\$1\$1LifecyclePolicyName\$1  |   [#amazonec2imagebuilder-aws_ResourceTag___TagKey_](#amazonec2imagebuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Workflow.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Workflow.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:workflow/\$1\$1WorkflowType\$1/\$1\$1WorkflowName\$1/\$1\$1WorkflowVersion\$1/\$1\$1WorkflowBuildVersion\$1  |   [#amazonec2imagebuilder-aws_ResourceTag___TagKey_](#amazonec2imagebuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_WorkflowExecutionMetadata.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_WorkflowExecutionMetadata.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:workflow-execution/\$1\$1WorkflowExecutionId\$1  |  | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_WorkflowStepMetadata.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_WorkflowStepMetadata.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:workflow-step-execution/\$1\$1WorkflowStepExecutionId\$1  |  | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Component.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Component.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:component/\$1\$1ComponentName\$1/\$1\$1ComponentVersion\$1/\$1  |  | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Image.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Image.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:image/\$1\$1ImageName\$1/\$1\$1ImageVersion\$1/\$1  |  | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Workflow.html](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Workflow.html)  |  arn:\$1\$1Partition\$1:imagebuilder:\$1\$1Region\$1:\$1\$1Account\$1:workflow/\$1\$1WorkflowType\$1/\$1\$1WorkflowName\$1/\$1\$1WorkflowVersion\$1/\$1  |  | 

## Condition keys for Amazon EC2 Image Builder
<a name="amazonec2imagebuilder-policy-keys"></a>

Amazon EC2 Image Builder defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#image-builder-security-createdresourcetag](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#image-builder-security-createdresourcetag)  | Filters access by the tag key-value pairs attached to the resource created by Image Builder | String | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#image-builder-security-createdresourcetagkeys](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#image-builder-security-createdresourcetagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#image-builder-security-ec2metadatatokens](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#image-builder-security-ec2metadatatokens)  | Filters access by the EC2 Instance Metadata HTTP Token Requirement specified in the request | String | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#image-builder-security-lifecyclepolicyresourcetype](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#image-builder-security-lifecyclepolicyresourcetype)  | Filters access by the Lifecycle Policy Resource Type specified in the request | String | 
|   [https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#image-builder-security-statustopicarn](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#image-builder-security-statustopicarn)  | Filters access by the SNS Topic Arn in the request to which terminal state notifications will be published | ARN | 

# Actions, resources, and condition keys for Amazon EC2 Instance Connect
<a name="list_amazonec2instanceconnect"></a>

Amazon EC2 Instance Connect (service prefix: `ec2-instance-connect`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EC2 Instance Connect
](#amazonec2instanceconnect-actions-as-permissions)
+ [

## Resource types defined by Amazon EC2 Instance Connect
](#amazonec2instanceconnect-resources-for-iam-policies)
+ [

## Condition keys for Amazon EC2 Instance Connect
](#amazonec2instanceconnect-policy-keys)

## Actions defined by Amazon EC2 Instance Connect
<a name="amazonec2instanceconnect-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonec2instanceconnect-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2instanceconnect.html)

## Resource types defined by Amazon EC2 Instance Connect
<a name="amazonec2instanceconnect-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonec2instanceconnect-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#EC2_ARN_Format](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#EC2_ARN_Format)  |  arn:\$1\$1Partition\$1:ec2:\$1\$1Region\$1:\$1\$1Account\$1:instance/\$1\$1InstanceId\$1  |   [#amazonec2instanceconnect-aws_ResourceTag___TagKey_](#amazonec2instanceconnect-aws_ResourceTag___TagKey_)   [#amazonec2instanceconnect-ec2_ResourceTag___TagKey_](#amazonec2instanceconnect-ec2_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.html#iam-CreateInstanceConnectEndpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.html#iam-CreateInstanceConnectEndpoint)  |  arn:\$1\$1Partition\$1:ec2:\$1\$1Region\$1:\$1\$1Account\$1:instance-connect-endpoint/\$1\$1InstanceConnectEndpointId\$1  |   [#amazonec2instanceconnect-aws_ResourceTag___TagKey_](#amazonec2instanceconnect-aws_ResourceTag___TagKey_)   [#amazonec2instanceconnect-ec2_ResourceTag___TagKey_](#amazonec2instanceconnect-ec2_ResourceTag___TagKey_)   | 

## Condition keys for Amazon EC2 Instance Connect
<a name="amazonec2instanceconnect-policy-keys"></a>

Amazon EC2 Instance Connect defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.html#iam-OpenTunnel](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.html#iam-OpenTunnel)  | Filters access by maximum session duration associated with the instance | Numeric | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.html#iam-OpenTunnel](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.html#iam-OpenTunnel)  | Filters access by private IP Address associated with the instance | IPAddress | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.html#iam-OpenTunnel](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.html#iam-OpenTunnel)  | Filters access by port number associated with the instance | Numeric | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html](https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html)  | Filters access by specifying the default user name for the AMI that you used to launch your instance | String | 

# Actions, resources, and condition keys for Amazon ECS MCP Service
<a name="list_amazonecsmcpservice"></a>

Amazon ECS MCP Service (service prefix: `ecs-mcp`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-mcp-getting-started.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-mcp-tool-configurations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-mcp-getting-started.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon ECS MCP Service
](#amazonecsmcpservice-actions-as-permissions)
+ [

## Resource types defined by Amazon ECS MCP Service
](#amazonecsmcpservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon ECS MCP Service
](#amazonecsmcpservice-policy-keys)

## Actions defined by Amazon ECS MCP Service
<a name="amazonecsmcpservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonecsmcpservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-mcp-getting-started.html](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-mcp-getting-started.html)  | Grants permission to call read-only tools in MCP service | Read |  |  |  | 
|   [https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-mcp-getting-started.html](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-mcp-getting-started.html)  | Grants permission to use MCP service | Read |  |  |  | 

## Resource types defined by Amazon ECS MCP Service
<a name="amazonecsmcpservice-resources-for-iam-policies"></a>

Amazon ECS MCP Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon ECS MCP Service, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon ECS MCP Service
<a name="amazonecsmcpservice-policy-keys"></a>

ECS MCP has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon EKS Auth
<a name="list_amazoneksauth"></a>

Amazon EKS Auth (service prefix: `eks-auth`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/eks/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/eks/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/eks/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EKS Auth
](#amazoneksauth-actions-as-permissions)
+ [

## Resource types defined by Amazon EKS Auth
](#amazoneksauth-resources-for-iam-policies)
+ [

## Condition keys for Amazon EKS Auth
](#amazoneksauth-policy-keys)

## Actions defined by Amazon EKS Auth
<a name="amazoneksauth-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoneksauth-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/eks/latest/APIReference/API_auth_AssumeRoleForPodIdentity.html](https://docs.aws.amazon.com/eks/latest/APIReference/API_auth_AssumeRoleForPodIdentity.html)  | Grants permission to exchange a Kubernetes service account token for temporary AWS credentials | Read |   [#amazoneksauth-cluster](#amazoneksauth-cluster)   |  |  | 

## Resource types defined by Amazon EKS Auth
<a name="amazoneksauth-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoneksauth-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/clusters.html](https://docs.aws.amazon.com/eks/latest/userguide/clusters.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ClusterName\$1  |   [#amazoneksauth-aws_ResourceTag___TagKey_](#amazoneksauth-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon EKS Auth
<a name="amazoneksauth-policy-keys"></a>

Amazon EKS Auth defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by a tag key and value pair | String | 

# Actions, resources, and condition keys for Amazon EKS MCP Server
<a name="list_amazoneksmcpserver"></a>

Amazon EKS MCP Server (service prefix: `eks-mcp`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/eks/latest/userguide/eks-mcp-getting-started.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/eks/latest/userguide/eks-mcp-tool-configurations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/eks/latest/userguide/eks-mcp-tool-configurations.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EKS MCP Server
](#amazoneksmcpserver-actions-as-permissions)
+ [

## Resource types defined by Amazon EKS MCP Server
](#amazoneksmcpserver-resources-for-iam-policies)
+ [

## Condition keys for Amazon EKS MCP Server
](#amazoneksmcpserver-policy-keys)

## Actions defined by Amazon EKS MCP Server
<a name="amazoneksmcpserver-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoneksmcpserver-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/eks-mcp-tool-configurations.html](https://docs.aws.amazon.com/eks/latest/userguide/eks-mcp-tool-configurations.html)  | Grants permission to call privileged tools in MCP service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/eks-mcp-tool-configurations.html](https://docs.aws.amazon.com/eks/latest/userguide/eks-mcp-tool-configurations.html)  | Grants permission to call read-only tools in MCP service | Read |  |  |  | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/eks-mcp-tool-configurations.html](https://docs.aws.amazon.com/eks/latest/userguide/eks-mcp-tool-configurations.html)  | Grants permission to use MCP service | Read |  |  |  | 

## Resource types defined by Amazon EKS MCP Server
<a name="amazoneksmcpserver-resources-for-iam-policies"></a>

Amazon EKS MCP Server does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon EKS MCP Server, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon EKS MCP Server
<a name="amazoneksmcpserver-policy-keys"></a>

EKS MCP has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Elastic Beanstalk
<a name="list_awselasticbeanstalk"></a>

AWS Elastic Beanstalk (service prefix: `elasticbeanstalk`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/elasticbeanstalk/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/access_permissions.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elastic Beanstalk
](#awselasticbeanstalk-actions-as-permissions)
+ [

## Resource types defined by AWS Elastic Beanstalk
](#awselasticbeanstalk-resources-for-iam-policies)
+ [

## Condition keys for AWS Elastic Beanstalk
](#awselasticbeanstalk-policy-keys)

## Actions defined by AWS Elastic Beanstalk
<a name="awselasticbeanstalk-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselasticbeanstalk-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticbeanstalk.html)

## Resource types defined by AWS Elastic Beanstalk
<a name="awselasticbeanstalk-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselasticbeanstalk-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html)  |  arn:\$1\$1Partition\$1:elasticbeanstalk:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationName\$1  |   [#awselasticbeanstalk-aws_ResourceTag___TagKey_](#awselasticbeanstalk-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html)  |  arn:\$1\$1Partition\$1:elasticbeanstalk:\$1\$1Region\$1:\$1\$1Account\$1:applicationversion/\$1\$1ApplicationName\$1/\$1\$1VersionLabel\$1  |   [#awselasticbeanstalk-aws_ResourceTag___TagKey_](#awselasticbeanstalk-aws_ResourceTag___TagKey_)   [#awselasticbeanstalk-elasticbeanstalk_InApplication](#awselasticbeanstalk-elasticbeanstalk_InApplication)   | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html)  |  arn:\$1\$1Partition\$1:elasticbeanstalk:\$1\$1Region\$1:\$1\$1Account\$1:configurationtemplate/\$1\$1ApplicationName\$1/\$1\$1TemplateName\$1  |   [#awselasticbeanstalk-aws_ResourceTag___TagKey_](#awselasticbeanstalk-aws_ResourceTag___TagKey_)   [#awselasticbeanstalk-elasticbeanstalk_InApplication](#awselasticbeanstalk-elasticbeanstalk_InApplication)   | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html)  |  arn:\$1\$1Partition\$1:elasticbeanstalk:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1ApplicationName\$1/\$1\$1EnvironmentName\$1  |   [#awselasticbeanstalk-aws_ResourceTag___TagKey_](#awselasticbeanstalk-aws_ResourceTag___TagKey_)   [#awselasticbeanstalk-elasticbeanstalk_InApplication](#awselasticbeanstalk-elasticbeanstalk_InApplication)   | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html)  |  arn:\$1\$1Partition\$1:elasticbeanstalk:\$1\$1Region\$1::solutionstack/\$1\$1SolutionStackName\$1  |  | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html)  |  arn:\$1\$1Partition\$1:elasticbeanstalk:\$1\$1Region\$1::platform/\$1\$1PlatformNameWithVersion\$1  |  | 

## Condition keys for AWS Elastic Beanstalk
<a name="awselasticbeanstalk-policy-keys"></a>

AWS Elastic Beanstalk defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions)  | Filters actions based on the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions)  | Filters access by an application as a dependency or a constraint on an input parameter | ARN | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions)  | Filters access by an application version as a dependency or a constraint on an input parameter | ARN | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions)  | Filters access by a configuration template as a dependency or a constraint on an input parameter | ARN | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions)  | Filters access by an environment as a dependency or a constraint on an input parameter | ARN | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions)  | Filters access by a platform as a dependency or a constraint on an input parameter | ARN | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions)  | Filters access by a solution stack as a dependency or a constraint on an input parameter | ARN | 
|   [https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html#AWSHowTo.iam.policies.conditions)  | Filters access by the application that contains the resource that the action operates on | ARN | 

# Actions, resources, and condition keys for Amazon Elastic Block Store
<a name="list_amazonelasticblockstore"></a>

Amazon Elastic Block Store (service prefix: `ebs`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ebs/latest/APIReference/Welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ebs/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-permissions) permission policies.

**Topics**
+ [

## Actions defined by Amazon Elastic Block Store
](#amazonelasticblockstore-actions-as-permissions)
+ [

## Resource types defined by Amazon Elastic Block Store
](#amazonelasticblockstore-resources-for-iam-policies)
+ [

## Condition keys for Amazon Elastic Block Store
](#amazonelasticblockstore-policy-keys)

## Actions defined by Amazon Elastic Block Store
<a name="amazonelasticblockstore-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonelasticblockstore-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html)

## Resource types defined by Amazon Elastic Block Store
<a name="amazonelasticblockstore-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonelasticblockstore-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html)  |  arn:\$1\$1Partition\$1:ec2:\$1\$1Region\$1::snapshot/\$1\$1SnapshotId\$1  |   [#amazonelasticblockstore-aws_RequestTag___TagKey_](#amazonelasticblockstore-aws_RequestTag___TagKey_)   [#amazonelasticblockstore-aws_ResourceTag___TagKey_](#amazonelasticblockstore-aws_ResourceTag___TagKey_)   [#amazonelasticblockstore-aws_TagKeys](#amazonelasticblockstore-aws_TagKeys)   [#amazonelasticblockstore-ebs_Description](#amazonelasticblockstore-ebs_Description)   [#amazonelasticblockstore-ebs_ParentSnapshot](#amazonelasticblockstore-ebs_ParentSnapshot)   [#amazonelasticblockstore-ebs_VolumeSize](#amazonelasticblockstore-ebs_VolumeSize)   | 

## Condition keys for Amazon Elastic Block Store
<a name="amazonelasticblockstore-policy-keys"></a>

Amazon Elastic Block Store defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticblockstore.html#amazonelasticblockstore-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticblockstore.html#amazonelasticblockstore-policy-keys)  | Filters access by the description of the snapshot being created | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticblockstore.html#amazonelasticblockstore-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticblockstore.html#amazonelasticblockstore-policy-keys)  | Filters access by the ARN of the parent snapshot | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticblockstore.html#amazonelasticblockstore-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticblockstore.html#amazonelasticblockstore-policy-keys)  | Filters access by the size of the volume for the snapshot being created, in GiB | Numeric | 

# Actions, resources, and condition keys for Amazon Elastic Container Registry
<a name="list_amazonelasticcontainerregistry"></a>

Amazon Elastic Container Registry (service prefix: `ecr`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonECR/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Elastic Container Registry
](#amazonelasticcontainerregistry-actions-as-permissions)
+ [

## Resource types defined by Amazon Elastic Container Registry
](#amazonelasticcontainerregistry-resources-for-iam-policies)
+ [

## Condition keys for Amazon Elastic Container Registry
](#amazonelasticcontainerregistry-policy-keys)

## Actions defined by Amazon Elastic Container Registry
<a name="amazonelasticcontainerregistry-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonelasticcontainerregistry-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html)

## Resource types defined by Amazon Elastic Container Registry
<a name="amazonelasticcontainerregistry-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonelasticcontainerregistry-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html)  |  arn:\$1\$1Partition\$1:ecr:\$1\$1Region\$1:\$1\$1Account\$1:repository/\$1\$1RepositoryName\$1  |   [#amazonelasticcontainerregistry-aws_ResourceTag___TagKey_](#amazonelasticcontainerregistry-aws_ResourceTag___TagKey_)   [#amazonelasticcontainerregistry-ecr_ResourceTag___TagKey_](#amazonelasticcontainerregistry-ecr_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Elastic Container Registry
<a name="amazonelasticcontainerregistry-policy-keys"></a>

Amazon Elastic Container Registry defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the ECR account setting name | String | 
|   [https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by tag-value associated with the resource | String | 

# Actions, resources, and condition keys for Amazon Elastic Container Registry Public
<a name="list_amazonelasticcontainerregistrypublic"></a>

Amazon Elastic Container Registry Public (service prefix: `ecr-public`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonECR/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonECRPublic/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR-Public_IAM_policies.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Elastic Container Registry Public
](#amazonelasticcontainerregistrypublic-actions-as-permissions)
+ [

## Resource types defined by Amazon Elastic Container Registry Public
](#amazonelasticcontainerregistrypublic-resources-for-iam-policies)
+ [

## Condition keys for Amazon Elastic Container Registry Public
](#amazonelasticcontainerregistrypublic-policy-keys)

## Actions defined by Amazon Elastic Container Registry Public
<a name="amazonelasticcontainerregistrypublic-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonelasticcontainerregistrypublic-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistrypublic.html)

## Resource types defined by Amazon Elastic Container Registry Public
<a name="amazonelasticcontainerregistrypublic-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonelasticcontainerregistrypublic-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonECR/latest/userguide/iam-policy-structure.html#ECR-Public_ARN_Format](https://docs.aws.amazon.com/AmazonECR/latest/userguide/iam-policy-structure.html#ECR-Public_ARN_Format)  |  arn:\$1\$1Partition\$1:ecr-public::\$1\$1Account\$1:repository/\$1\$1RepositoryName\$1  |   [#amazonelasticcontainerregistrypublic-aws_ResourceTag___TagKey_](#amazonelasticcontainerregistrypublic-aws_ResourceTag___TagKey_)   [#amazonelasticcontainerregistrypublic-ecr-public_ResourceTag___TagKey_](#amazonelasticcontainerregistrypublic-ecr-public_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonECR/latest/userguide/iam-policy-structure.html#ECR-Public_ARN_Format](https://docs.aws.amazon.com/AmazonECR/latest/userguide/iam-policy-structure.html#ECR-Public_ARN_Format)  |  arn:\$1\$1Partition\$1:ecr-public::\$1\$1Account\$1:registry/\$1\$1RegistryId\$1  |  | 

## Condition keys for Amazon Elastic Container Registry Public
<a name="amazonelasticcontainerregistrypublic-policy-keys"></a>

Amazon Elastic Container Registry Public defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters create requests based on the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters create requests based on the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters actions based on tag-value associated with the resource | String | 

# Actions, resources, and condition keys for AWS Elastic Disaster Recovery
<a name="list_awselasticdisasterrecovery"></a>

AWS Elastic Disaster Recovery (service prefix: `drs`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/drs/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/drs/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/drs/latest/userguide/security_iam_authentication.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elastic Disaster Recovery
](#awselasticdisasterrecovery-actions-as-permissions)
+ [

## Resource types defined by AWS Elastic Disaster Recovery
](#awselasticdisasterrecovery-resources-for-iam-policies)
+ [

## Condition keys for AWS Elastic Disaster Recovery
](#awselasticdisasterrecovery-policy-keys)

## Actions defined by AWS Elastic Disaster Recovery
<a name="awselasticdisasterrecovery-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselasticdisasterrecovery-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticdisasterrecovery.html)

## Resource types defined by AWS Elastic Disaster Recovery
<a name="awselasticdisasterrecovery-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselasticdisasterrecovery-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/drs/latest/userguide/failback-overview.html](https://docs.aws.amazon.com/drs/latest/userguide/failback-overview.html)  |  arn:\$1\$1Partition\$1:drs:\$1\$1Region\$1:\$1\$1Account\$1:job/\$1\$1JobID\$1  |   [#awselasticdisasterrecovery-aws_ResourceTag___TagKey_](#awselasticdisasterrecovery-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/drs/latest/userguide/recovery-instances.html](https://docs.aws.amazon.com/drs/latest/userguide/recovery-instances.html)  |  arn:\$1\$1Partition\$1:drs:\$1\$1Region\$1:\$1\$1Account\$1:recovery-instance/\$1\$1RecoveryInstanceID\$1  |   [#awselasticdisasterrecovery-aws_ResourceTag___TagKey_](#awselasticdisasterrecovery-aws_ResourceTag___TagKey_)   [#awselasticdisasterrecovery-drs_EC2InstanceARN](#awselasticdisasterrecovery-drs_EC2InstanceARN)   | 
|   [https://docs.aws.amazon.com/drs/latest/userguide/replication-settings-template.html](https://docs.aws.amazon.com/drs/latest/userguide/replication-settings-template.html)  |  arn:\$1\$1Partition\$1:drs:\$1\$1Region\$1:\$1\$1Account\$1:replication-configuration-template/\$1\$1ReplicationConfigurationTemplateID\$1  |   [#awselasticdisasterrecovery-aws_ResourceTag___TagKey_](#awselasticdisasterrecovery-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/drs/latest/userguide/default-drs-launch-settings.html](https://docs.aws.amazon.com/drs/latest/userguide/default-drs-launch-settings.html)  |  arn:\$1\$1Partition\$1:drs:\$1\$1Region\$1:\$1\$1Account\$1:launch-configuration-template/\$1\$1LaunchConfigurationTemplateID\$1  |   [#awselasticdisasterrecovery-aws_ResourceTag___TagKey_](#awselasticdisasterrecovery-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/drs/latest/userguide/source-servers.html](https://docs.aws.amazon.com/drs/latest/userguide/source-servers.html)  |  arn:\$1\$1Partition\$1:drs:\$1\$1Region\$1:\$1\$1Account\$1:source-server/\$1\$1SourceServerID\$1  |   [#awselasticdisasterrecovery-aws_ResourceTag___TagKey_](#awselasticdisasterrecovery-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/drs/latest/userguide/source-networks.html](https://docs.aws.amazon.com/drs/latest/userguide/source-networks.html)  |  arn:\$1\$1Partition\$1:drs:\$1\$1Region\$1:\$1\$1Account\$1:source-network/\$1\$1SourceNetworkID\$1  |   [#awselasticdisasterrecovery-aws_ResourceTag___TagKey_](#awselasticdisasterrecovery-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elastic Disaster Recovery
<a name="awselasticdisasterrecovery-policy-keys"></a>

AWS Elastic Disaster Recovery defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/drs/latest/userguide/supported-iam-actions-tagging.html](https://docs.aws.amazon.com/drs/latest/userguide/supported-iam-actions-tagging.html)  | Filters access by the name of a resource-creating API action | String | 
|   [https://docs.aws.amazon.com/drs/latest/userguide/security_iam_authentication.html](https://docs.aws.amazon.com/drs/latest/userguide/security_iam_authentication.html)  | Filters access by the EC2 instance the request originated from | ARN | 

# Actions, resources, and condition keys for Amazon Elastic File System
<a name="list_amazonelasticfilesystem"></a>

Amazon Elastic File System (service prefix: `elasticfilesystem`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/efs/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/efs/latest/ug/api-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/efs/latest/ug/security-considerations.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Elastic File System
](#amazonelasticfilesystem-actions-as-permissions)
+ [

## Resource types defined by Amazon Elastic File System
](#amazonelasticfilesystem-resources-for-iam-policies)
+ [

## Condition keys for Amazon Elastic File System
](#amazonelasticfilesystem-policy-keys)

## Actions defined by Amazon Elastic File System
<a name="amazonelasticfilesystem-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonelasticfilesystem-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticfilesystem.html)

## Resource types defined by Amazon Elastic File System
<a name="amazonelasticfilesystem-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonelasticfilesystem-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/efs/latest/ug/creating-using-create-fs.html](https://docs.aws.amazon.com/efs/latest/ug/creating-using-create-fs.html)  |  arn:\$1\$1Partition\$1:elasticfilesystem:\$1\$1Region\$1:\$1\$1Account\$1:file-system/\$1\$1FileSystemId\$1  |   [#amazonelasticfilesystem-aws_ResourceTag___TagKey_](#amazonelasticfilesystem-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html)  |  arn:\$1\$1Partition\$1:elasticfilesystem:\$1\$1Region\$1:\$1\$1Account\$1:access-point/\$1\$1AccessPointId\$1  |   [#amazonelasticfilesystem-aws_ResourceTag___TagKey_](#amazonelasticfilesystem-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Elastic File System
<a name="amazonelasticfilesystem-policy-keys"></a>

Amazon Elastic File System defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html)  | Filters access by the ARN of the access point used to mount the file system | ARN | 
|   [https://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html](https://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html)  | Filters access by whether the file system is accessed via mount targets | Bool | 
|   [https://docs.aws.amazon.com/efs/latest/ug/using-tags-efs.html](https://docs.aws.amazon.com/efs/latest/ug/using-tags-efs.html)  | Filters access by the name of a resource-creating API action | String | 
|   [https://docs.aws.amazon.com/efs/latest/ug/encryption.html](https://docs.aws.amazon.com/efs/latest/ug/encryption.html)  | Filters access by whether users can create only encrypted or unencrypted file systems | Bool | 

# Actions, resources, and condition keys for Amazon Elastic Kubernetes Service
<a name="list_amazonelastickubernetesservice"></a>

Amazon Elastic Kubernetes Service (service prefix: `eks`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/eks/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/eks/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/eks/latest/userguide/IAM_policies.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Elastic Kubernetes Service
](#amazonelastickubernetesservice-actions-as-permissions)
+ [

## Resource types defined by Amazon Elastic Kubernetes Service
](#amazonelastickubernetesservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon Elastic Kubernetes Service
](#amazonelastickubernetesservice-policy-keys)

## Actions defined by Amazon Elastic Kubernetes Service
<a name="amazonelastickubernetesservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonelastickubernetesservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastickubernetesservice.html)

## Resource types defined by Amazon Elastic Kubernetes Service
<a name="amazonelastickubernetesservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonelastickubernetesservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/clusters.html](https://docs.aws.amazon.com/eks/latest/userguide/clusters.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ClusterName\$1  |   [#amazonelastickubernetesservice-aws_ResourceTag___TagKey_](#amazonelastickubernetesservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:nodegroup/\$1\$1ClusterName\$1/\$1\$1NodegroupName\$1/\$1\$1UUID\$1  |   [#amazonelastickubernetesservice-aws_ResourceTag___TagKey_](#amazonelastickubernetesservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html](https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:addon/\$1\$1ClusterName\$1/\$1\$1AddonName\$1/\$1\$1UUID\$1  |   [#amazonelastickubernetesservice-aws_ResourceTag___TagKey_](#amazonelastickubernetesservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html](https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:fargateprofile/\$1\$1ClusterName\$1/\$1\$1FargateProfileName\$1/\$1\$1UUID\$1  |   [#amazonelastickubernetesservice-aws_ResourceTag___TagKey_](#amazonelastickubernetesservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html](https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:identityproviderconfig/\$1\$1ClusterName\$1/\$1\$1IdentityProviderType\$1/\$1\$1IdentityProviderConfigName\$1/\$1\$1UUID\$1  |   [#amazonelastickubernetesservice-aws_ResourceTag___TagKey_](#amazonelastickubernetesservice-aws_ResourceTag___TagKey_)   | 
|   [https://anywhere.eks.amazonaws.com/docs/clustermgmt/support/cluster-license/](https://anywhere.eks.amazonaws.com/docs/clustermgmt/support/cluster-license/)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:eks-anywhere-subscription/\$1\$1UUID\$1  |   [#amazonelastickubernetesservice-aws_ResourceTag___TagKey_](#amazonelastickubernetesservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:podidentityassociation/\$1\$1ClusterName\$1/\$1\$1UUID\$1  |   [#amazonelastickubernetesservice-aws_ResourceTag___TagKey_](#amazonelastickubernetesservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:access-entry/\$1\$1ClusterName\$1/\$1\$1IamIdentityType\$1/\$1\$1IamIdentityAccountID\$1/\$1\$1IamIdentityName\$1/\$1\$1UUID\$1  |   [#amazonelastickubernetesservice-aws_ResourceTag___TagKey_](#amazonelastickubernetesservice-aws_ResourceTag___TagKey_)   [#amazonelastickubernetesservice-eks_accessEntryType](#amazonelastickubernetesservice-eks_accessEntryType)   [#amazonelastickubernetesservice-eks_clusterName](#amazonelastickubernetesservice-eks_clusterName)   [#amazonelastickubernetesservice-eks_kubernetesGroups](#amazonelastickubernetesservice-eks_kubernetesGroups)   [#amazonelastickubernetesservice-eks_principalArn](#amazonelastickubernetesservice-eks_principalArn)   [#amazonelastickubernetesservice-eks_username](#amazonelastickubernetesservice-eks_username)   | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html](https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html)  |  arn:\$1\$1Partition\$1:eks::aws:cluster-access-policy/\$1\$1AccessPolicyName\$1  |  | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/cluster-dashboard.html](https://docs.aws.amazon.com/eks/latest/userguide/cluster-dashboard.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:dashboard/\$1\$1DashboardName\$1  |   [#amazonelastickubernetesservice-aws_ResourceTag___TagKey_](#amazonelastickubernetesservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/capabilities.html](https://docs.aws.amazon.com/eks/latest/userguide/capabilities.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:capability/\$1\$1ClusterName\$1/\$1\$1CapabilityType\$1/\$1\$1CapabilityName\$1/\$1\$1UUID\$1  |   [#amazonelastickubernetesservice-aws_ResourceTag___TagKey_](#amazonelastickubernetesservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Elastic Kubernetes Service
<a name="amazonelastickubernetesservice-policy-keys"></a>

Amazon Elastic Kubernetes Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by a key that is present in the request the user makes to the EKS service | String | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by a tag key and value pair | String | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by the list of all the tag key names present in the request the user makes to the EKS service | ArrayOfString | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the access entry type present in the access entry requests the user makes to the EKS service | String | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the accessScope present in the associate / disassociate access policy requests the user makes to the EKS service | String | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the authenticationMode present in the create / update cluster request | String | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the block storage enabled parameter in the create / update cluster request | Bool | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the bootstrapClusterCreatorAdminPermissions present in the create cluster request | Bool | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the bootstrapSelfManagedAddons present in the create cluster request | Bool | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the clientId present in the associateIdentityProviderConfig request the user makes to the EKS service | String | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the clusterName present in the access entry requests the user makes to the EKS service | String | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the compute config enabled parameter in the create / update cluster request | Bool | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the elastic load balancing enabled parameter in the create / update cluster request | Bool | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the issuerUrl present in the associateIdentityProviderConfig request the user makes to the EKS service | String | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the kubernetesGroups present in the access entry requests the user makes to the EKS service | ArrayOfString | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the cluster logging enabled and type parameter in the create / update cluster request | Bool | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the namespaces present in the associate / disassociate access policy requests the user makes to the EKS service | ArrayOfString | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the policyArn present in the access entry requests the user makes to the EKS service | ARN | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the principalArn present in the access entry requests requests the user makes to the EKS service | ARN | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the supportType present in the create / update cluster request | String | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/eks/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by the Kubernetes username present in the access entry requests the user makes to the EKS service | String | 

# Actions, resources, and condition keys for AWS Elastic Load Balancing
<a name="list_awselasticloadbalancing"></a>

AWS Elastic Load Balancing (service prefix: `elasticloadbalancing`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/elasticloadbalancing/2012-06-01/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elastic Load Balancing
](#awselasticloadbalancing-actions-as-permissions)
+ [

## Resource types defined by AWS Elastic Load Balancing
](#awselasticloadbalancing-resources-for-iam-policies)
+ [

## Condition keys for AWS Elastic Load Balancing
](#awselasticloadbalancing-policy-keys)

## Actions defined by AWS Elastic Load Balancing
<a name="awselasticloadbalancing-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselasticloadbalancing-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticloadbalancing.html)

## Resource types defined by AWS Elastic Load Balancing
<a name="awselasticloadbalancing-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselasticloadbalancing-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/what-is-load-balancing.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/what-is-load-balancing.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:loadbalancer/\$1\$1LoadBalancerName\$1  |   [#awselasticloadbalancing-aws_ResourceTag___TagKey_](#awselasticloadbalancing-aws_ResourceTag___TagKey_)   [#awselasticloadbalancing-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancing-elasticloadbalancing_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elastic Load Balancing
<a name="awselasticloadbalancing-policy-keys"></a>

AWS Elastic Load Balancing defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/tagging-resources-during-creation.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/tagging-resources-during-creation.html)  | Filters access by the name of a resource-creating API action | String | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#listenerprotocol-condition](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#listenerprotocol-condition)  | Filters access by the listener protocols that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the preface string for a tag key and value pair that are attached to a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the preface string for a tag key and value pair that are attached to a resource | String | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#scheme-condition](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#scheme-condition)  | Filters access by the load balancer scheme that are allowed in the request | String | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#securitygroup-condition](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#securitygroup-condition)  | Filters access by the security-group IDs that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#securitypolicy-condition](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#securitypolicy-condition)  | Filters access by the SSL Security Policies that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#subnet-condition](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#subnet-condition)  | Filters access by the subnet IDs that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Elastic Load Balancing V2
<a name="list_awselasticloadbalancingv2"></a>

AWS Elastic Load Balancing V2 (service prefix: `elasticloadbalancing`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elastic Load Balancing V2
](#awselasticloadbalancingv2-actions-as-permissions)
+ [

## Resource types defined by AWS Elastic Load Balancing V2
](#awselasticloadbalancingv2-resources-for-iam-policies)
+ [

## Condition keys for AWS Elastic Load Balancing V2
](#awselasticloadbalancingv2-policy-keys)

## Actions defined by AWS Elastic Load Balancing V2
<a name="awselasticloadbalancingv2-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselasticloadbalancingv2-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticloadbalancingv2.html)

## Resource types defined by AWS Elastic Load Balancing V2
<a name="awselasticloadbalancingv2-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselasticloadbalancingv2-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/gateway-listeners.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/gateway-listeners.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:listener/gwy/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1/\$1\$1ListenerId\$1  |   [#awselasticloadbalancingv2-aws_ResourceTag___TagKey_](#awselasticloadbalancingv2-aws_ResourceTag___TagKey_)   [#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:listener/app/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1/\$1\$1ListenerId\$1  |   [#awselasticloadbalancingv2-aws_ResourceTag___TagKey_](#awselasticloadbalancingv2-aws_ResourceTag___TagKey_)   [#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:listener-rule/app/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1/\$1\$1ListenerId\$1/\$1\$1ListenerRuleId\$1  |   [#awselasticloadbalancingv2-aws_ResourceTag___TagKey_](#awselasticloadbalancingv2-aws_ResourceTag___TagKey_)   [#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:listener/net/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1/\$1\$1ListenerId\$1  |   [#awselasticloadbalancingv2-aws_ResourceTag___TagKey_](#awselasticloadbalancingv2-aws_ResourceTag___TagKey_)   [#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:listener-rule/net/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1/\$1\$1ListenerId\$1/\$1\$1ListenerRuleId\$1  |   [#awselasticloadbalancingv2-aws_ResourceTag___TagKey_](#awselasticloadbalancingv2-aws_ResourceTag___TagKey_)   [#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/gateway-load-balancers.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/gateway-load-balancers.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:loadbalancer/gwy/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1  |   [#awselasticloadbalancingv2-aws_ResourceTag___TagKey_](#awselasticloadbalancingv2-aws_ResourceTag___TagKey_)   [#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html#application-load-balancer-overview](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html#application-load-balancer-overview)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:loadbalancer/app/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1  |   [#awselasticloadbalancingv2-aws_ResourceTag___TagKey_](#awselasticloadbalancingv2-aws_ResourceTag___TagKey_)   [#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html#network-load-balancer-overview](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html#network-load-balancer-overview)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:loadbalancer/net/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1  |   [#awselasticloadbalancingv2-aws_ResourceTag___TagKey_](#awselasticloadbalancingv2-aws_ResourceTag___TagKey_)   [#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:targetgroup/\$1\$1TargetGroupName\$1/\$1\$1TargetGroupId\$1  |   [#awselasticloadbalancingv2-aws_ResourceTag___TagKey_](#awselasticloadbalancingv2-aws_ResourceTag___TagKey_)   [#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/application/trust-store.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/trust-store.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:truststore/\$1\$1TrustStoreName\$1/\$1\$1TrustStoreId\$1  |   [#awselasticloadbalancingv2-aws_ResourceTag___TagKey_](#awselasticloadbalancingv2-aws_ResourceTag___TagKey_)   [#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_](#awselasticloadbalancingv2-elasticloadbalancing_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elastic Load Balancing V2
<a name="awselasticloadbalancingv2-policy-keys"></a>

AWS Elastic Load Balancing V2 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/tagging-resources-during-creation.html](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/tagging-resources-during-creation.html)  | Filters access by the name of a resource-creating API action | String | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#listenerprotocol-condition](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#listenerprotocol-condition)  | Filters access by the listener protocol that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the preface string for a tag key and value pair that are attached to a resource | String | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#scheme-condition](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#scheme-condition)  | Filters access by the load balancer scheme that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#securitygroup-condition](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#securitygroup-condition)  | Filters access by the security-group IDs that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#securitypolicy-condition](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#securitypolicy-condition)  | Filters access by the SSL Security Policies that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#subnet-condition](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html#subnet-condition)  | Filters access by the subnet IDs that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Elastic MapReduce
<a name="list_amazonelasticmapreduce"></a>

Amazon Elastic MapReduce (service prefix: `elasticmapreduce`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-what-is-emr.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/emr/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Elastic MapReduce
](#amazonelasticmapreduce-actions-as-permissions)
+ [

## Resource types defined by Amazon Elastic MapReduce
](#amazonelasticmapreduce-resources-for-iam-policies)
+ [

## Condition keys for Amazon Elastic MapReduce
](#amazonelasticmapreduce-policy-keys)

## Actions defined by Amazon Elastic MapReduce
<a name="amazonelasticmapreduce-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonelasticmapreduce-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).

**Note**  
The DescribeJobFlows API is deprecated and will eventually be removed. We recommend you use ListClusters, DescribeCluster, ListSteps, ListInstanceGroups and ListBootstrapActions instead


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticmapreduce.html)

## Resource types defined by Amazon Elastic MapReduce
<a name="amazonelasticmapreduce-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonelasticmapreduce-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-overview.html](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-overview.html)  |  arn:\$1\$1Partition\$1:elasticmapreduce:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ClusterId\$1  |   [#amazonelasticmapreduce-aws_ResourceTag___TagKey_](#amazonelasticmapreduce-aws_ResourceTag___TagKey_)   [#amazonelasticmapreduce-elasticmapreduce_ResourceTag___TagKey_](#amazonelasticmapreduce-elasticmapreduce_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-notebooks.html](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-notebooks.html)  |  arn:\$1\$1Partition\$1:elasticmapreduce:\$1\$1Region\$1:\$1\$1Account\$1:editor/\$1\$1EditorId\$1  |   [#amazonelasticmapreduce-aws_ResourceTag___TagKey_](#amazonelasticmapreduce-aws_ResourceTag___TagKey_)   [#amazonelasticmapreduce-elasticmapreduce_ResourceTag___TagKey_](#amazonelasticmapreduce-elasticmapreduce_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-notebooks-headless.html](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-notebooks-headless.html)  |  arn:\$1\$1Partition\$1:elasticmapreduce:\$1\$1Region\$1:\$1\$1Account\$1:notebook-execution/\$1\$1NotebookExecutionId\$1  |   [#amazonelasticmapreduce-aws_ResourceTag___TagKey_](#amazonelasticmapreduce-aws_ResourceTag___TagKey_)   [#amazonelasticmapreduce-elasticmapreduce_ResourceTag___TagKey_](#amazonelasticmapreduce-elasticmapreduce_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-studio.html](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-studio.html)  |  arn:\$1\$1Partition\$1:elasticmapreduce:\$1\$1Region\$1:\$1\$1Account\$1:studio/\$1\$1StudioId\$1  |   [#amazonelasticmapreduce-aws_ResourceTag___TagKey_](#amazonelasticmapreduce-aws_ResourceTag___TagKey_)   [#amazonelasticmapreduce-elasticmapreduce_ResourceTag___TagKey_](#amazonelasticmapreduce-elasticmapreduce_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Elastic MapReduce
<a name="amazonelasticmapreduce-policy-keys"></a>

Amazon Elastic MapReduce defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-fine-grained-cluster-access](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-fine-grained-cluster-access)  | Filters access by whether the tag and value pair is provided with the action | String | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-fine-grained-cluster-access](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-fine-grained-cluster-access)  | Filters access by the tag and value pair associated with an Amazon EMR resource | String | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-fine-grained-cluster-access](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-fine-grained-cluster-access)  | Filters access by whether the tag keys are provided with the action regardless of tag value | ArrayOfString | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-security](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-security)  | Filters access by whether the execution role ARN is provided with the action | ARN | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-fine-grained-cluster-access](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-fine-grained-cluster-access)  | Filters access by whether the tag and value pair is provided with the action | String | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-fine-grained-cluster-access](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html#emr-fine-grained-cluster-access)  | Filters access by the tag and value pair associated with an Amazon EMR resource | String | 

# Actions, resources, and condition keys for Amazon Elastic Transcoder
<a name="list_amazonelastictranscoder"></a>

Amazon Elastic Transcoder (service prefix: `elastictranscoder`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/api-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Elastic Transcoder
](#amazonelastictranscoder-actions-as-permissions)
+ [

## Resource types defined by Amazon Elastic Transcoder
](#amazonelastictranscoder-resources-for-iam-policies)
+ [

## Condition keys for Amazon Elastic Transcoder
](#amazonelastictranscoder-policy-keys)

## Actions defined by Amazon Elastic Transcoder
<a name="amazonelastictranscoder-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonelastictranscoder-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastictranscoder.html)

## Resource types defined by Amazon Elastic Transcoder
<a name="amazonelastictranscoder-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonelastictranscoder-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/operations-jobs.html](https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/operations-jobs.html)  |  arn:\$1\$1Partition\$1:elastictranscoder:\$1\$1Region\$1:\$1\$1Account\$1:job/\$1\$1JobId\$1  |  | 
|   [https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/operations-pipelines.html](https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/operations-pipelines.html)  |  arn:\$1\$1Partition\$1:elastictranscoder:\$1\$1Region\$1:\$1\$1Account\$1:pipeline/\$1\$1PipelineId\$1  |  | 
|   [https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/operations-presets.html](https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/operations-presets.html)  |  arn:\$1\$1Partition\$1:elastictranscoder:\$1\$1Region\$1:\$1\$1Account\$1:preset/\$1\$1PresetId\$1  |  | 

## Condition keys for Amazon Elastic Transcoder
<a name="amazonelastictranscoder-policy-keys"></a>

Elastic Transcoder has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Elastic VMware Service
<a name="list_amazonelasticvmwareservice"></a>

Amazon Elastic VMware Service (service prefix: `evs`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/evs/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/evs/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/evs/latest/userguide/security-iam.html#security-iam-access-manage) permission policies.

**Topics**
+ [

## Actions defined by Amazon Elastic VMware Service
](#amazonelasticvmwareservice-actions-as-permissions)
+ [

## Resource types defined by Amazon Elastic VMware Service
](#amazonelasticvmwareservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon Elastic VMware Service
](#amazonelasticvmwareservice-policy-keys)

## Actions defined by Amazon Elastic VMware Service
<a name="amazonelasticvmwareservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonelasticvmwareservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticvmwareservice.html)

## Resource types defined by Amazon Elastic VMware Service
<a name="amazonelasticvmwareservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonelasticvmwareservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/evs/latest/userguide/concepts.html#concepts-evs-virt-env](https://docs.aws.amazon.com/evs/latest/userguide/concepts.html#concepts-evs-virt-env)  |  arn:\$1\$1Partition\$1:evs:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1EnvironmentIdentifier\$1  |   [#amazonelasticvmwareservice-aws_ResourceTag___TagKey_](#amazonelasticvmwareservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Elastic VMware Service
<a name="amazonelasticvmwareservice-policy-keys"></a>

Amazon Elastic VMware Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/evs/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/evs/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/evs/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/evs/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/evs/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies](https://docs.aws.amazon.com/evs/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon ElastiCache
<a name="list_amazonelasticache"></a>

Amazon ElastiCache (service prefix: `elasticache`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/elasticache/index.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon ElastiCache
](#amazonelasticache-actions-as-permissions)
+ [

## Resource types defined by Amazon ElastiCache
](#amazonelasticache-resources-for-iam-policies)
+ [

## Condition keys for Amazon ElastiCache
](#amazonelasticache-policy-keys)

## Actions defined by Amazon ElastiCache
<a name="amazonelasticache-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonelasticache-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).

**Note**  
When you create an ElastiCache policy in IAM you must use the "\$1" wildcard character for the Resource block. For information about using the following ElastiCache API actions in an IAM policy, see [ElastiCache Actions and IAM](https://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html#UsingIAM.ElastiCacheActions) in the *Amazon ElastiCache User Guide*.


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticache.html)

## Resource types defined by Amazon ElastiCache
<a name="amazonelasticache-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonelasticache-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).

**Note**  
The resource name in the ARN string should be lowercase to be effective.


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.ParameterGroups](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.ParameterGroups)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:parametergroup:\$1\$1CacheParameterGroupName\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   [#amazonelasticache-elasticache_CacheParameterGroupName](#amazonelasticache-elasticache_CacheParameterGroupName)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.SecurityGroups](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.SecurityGroups)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:securitygroup:\$1\$1CacheSecurityGroupName\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.SubnetGroups](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.SubnetGroups)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:subnetgroup:\$1\$1CacheSubnetGroupName\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.ReplicationGroups](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.ReplicationGroups)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:replicationgroup:\$1\$1ReplicationGroupId\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   [#amazonelasticache-elasticache_AtRestEncryptionEnabled](#amazonelasticache-elasticache_AtRestEncryptionEnabled)   [#amazonelasticache-elasticache_AuthTokenEnabled](#amazonelasticache-elasticache_AuthTokenEnabled)   [#amazonelasticache-elasticache_AutomaticFailoverEnabled](#amazonelasticache-elasticache_AutomaticFailoverEnabled)   [#amazonelasticache-elasticache_CacheNodeType](#amazonelasticache-elasticache_CacheNodeType)   [#amazonelasticache-elasticache_CacheParameterGroupName](#amazonelasticache-elasticache_CacheParameterGroupName)   [#amazonelasticache-elasticache_ClusterModeEnabled](#amazonelasticache-elasticache_ClusterModeEnabled)   [#amazonelasticache-elasticache_EngineType](#amazonelasticache-elasticache_EngineType)   [#amazonelasticache-elasticache_EngineVersion](#amazonelasticache-elasticache_EngineVersion)   [#amazonelasticache-elasticache_KmsKeyId](#amazonelasticache-elasticache_KmsKeyId)   [#amazonelasticache-elasticache_MultiAZEnabled](#amazonelasticache-elasticache_MultiAZEnabled)   [#amazonelasticache-elasticache_NumNodeGroups](#amazonelasticache-elasticache_NumNodeGroups)   [#amazonelasticache-elasticache_ReplicasPerNodeGroup](#amazonelasticache-elasticache_ReplicasPerNodeGroup)   [#amazonelasticache-elasticache_SnapshotRetentionLimit](#amazonelasticache-elasticache_SnapshotRetentionLimit)   [#amazonelasticache-elasticache_TransitEncryptionEnabled](#amazonelasticache-elasticache_TransitEncryptionEnabled)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.Clusters](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.Clusters)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:cluster:\$1\$1CacheClusterId\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   [#amazonelasticache-elasticache_AuthTokenEnabled](#amazonelasticache-elasticache_AuthTokenEnabled)   [#amazonelasticache-elasticache_CacheNodeType](#amazonelasticache-elasticache_CacheNodeType)   [#amazonelasticache-elasticache_CacheParameterGroupName](#amazonelasticache-elasticache_CacheParameterGroupName)   [#amazonelasticache-elasticache_EngineType](#amazonelasticache-elasticache_EngineType)   [#amazonelasticache-elasticache_EngineVersion](#amazonelasticache-elasticache_EngineVersion)   [#amazonelasticache-elasticache_MultiAZEnabled](#amazonelasticache-elasticache_MultiAZEnabled)   [#amazonelasticache-elasticache_SnapshotRetentionLimit](#amazonelasticache-elasticache_SnapshotRetentionLimit)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/reserved-nodes.html](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/reserved-nodes.html)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:reserved-instance:\$1\$1ReservedCacheNodeId\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.Snapshots](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.Components.html#WhatIs.Components.Snapshots)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:snapshot:\$1\$1SnapshotName\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   [#amazonelasticache-elasticache_KmsKeyId](#amazonelasticache-elasticache_KmsKeyId)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Redis-Global-Datastore.html](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Redis-Global-Datastore.html)  |  arn:\$1\$1Partition\$1:elasticache::\$1\$1Account\$1:globalreplicationgroup:\$1\$1GlobalReplicationGroupId\$1  |   [#amazonelasticache-elasticache_AtRestEncryptionEnabled](#amazonelasticache-elasticache_AtRestEncryptionEnabled)   [#amazonelasticache-elasticache_AuthTokenEnabled](#amazonelasticache-elasticache_AuthTokenEnabled)   [#amazonelasticache-elasticache_AutomaticFailoverEnabled](#amazonelasticache-elasticache_AutomaticFailoverEnabled)   [#amazonelasticache-elasticache_CacheNodeType](#amazonelasticache-elasticache_CacheNodeType)   [#amazonelasticache-elasticache_CacheParameterGroupName](#amazonelasticache-elasticache_CacheParameterGroupName)   [#amazonelasticache-elasticache_ClusterModeEnabled](#amazonelasticache-elasticache_ClusterModeEnabled)   [#amazonelasticache-elasticache_EngineType](#amazonelasticache-elasticache_EngineType)   [#amazonelasticache-elasticache_EngineVersion](#amazonelasticache-elasticache_EngineVersion)   [#amazonelasticache-elasticache_KmsKeyId](#amazonelasticache-elasticache_KmsKeyId)   [#amazonelasticache-elasticache_MultiAZEnabled](#amazonelasticache-elasticache_MultiAZEnabled)   [#amazonelasticache-elasticache_NumNodeGroups](#amazonelasticache-elasticache_NumNodeGroups)   [#amazonelasticache-elasticache_ReplicasPerNodeGroup](#amazonelasticache-elasticache_ReplicasPerNodeGroup)   [#amazonelasticache-elasticache_SnapshotRetentionLimit](#amazonelasticache-elasticache_SnapshotRetentionLimit)   [#amazonelasticache-elasticache_TransitEncryptionEnabled](#amazonelasticache-elasticache_TransitEncryptionEnabled)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.RBAC.html](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.RBAC.html)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:user:\$1\$1UserId\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   [#amazonelasticache-elasticache_UserAuthenticationMode](#amazonelasticache-elasticache_UserAuthenticationMode)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.RBAC.html](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.RBAC.html)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:usergroup:\$1\$1UserGroupId\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.html](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.html)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:serverlesscache:\$1\$1ServerlessCacheName\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   [#amazonelasticache-elasticache_DataStorageUnit](#amazonelasticache-elasticache_DataStorageUnit)   [#amazonelasticache-elasticache_EngineType](#amazonelasticache-elasticache_EngineType)   [#amazonelasticache-elasticache_EngineVersion](#amazonelasticache-elasticache_EngineVersion)   [#amazonelasticache-elasticache_KmsKeyId](#amazonelasticache-elasticache_KmsKeyId)   [#amazonelasticache-elasticache_MaximumDataStorage](#amazonelasticache-elasticache_MaximumDataStorage)   [#amazonelasticache-elasticache_MaximumECPUPerSecond](#amazonelasticache-elasticache_MaximumECPUPerSecond)   [#amazonelasticache-elasticache_MinimumDataStorage](#amazonelasticache-elasticache_MinimumDataStorage)   [#amazonelasticache-elasticache_MinimumECPUPerSecond](#amazonelasticache-elasticache_MinimumECPUPerSecond)   [#amazonelasticache-elasticache_SnapshotRetentionLimit](#amazonelasticache-elasticache_SnapshotRetentionLimit)   | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.html](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.html)  |  arn:\$1\$1Partition\$1:elasticache:\$1\$1Region\$1:\$1\$1Account\$1:serverlesscachesnapshot:\$1\$1ServerlessCacheSnapshotName\$1  |   [#amazonelasticache-aws_RequestTag___TagKey_](#amazonelasticache-aws_RequestTag___TagKey_)   [#amazonelasticache-aws_ResourceTag___TagKey_](#amazonelasticache-aws_ResourceTag___TagKey_)   [#amazonelasticache-aws_TagKeys](#amazonelasticache-aws_TagKeys)   [#amazonelasticache-elasticache_KmsKeyId](#amazonelasticache-elasticache_KmsKeyId)   | 

## Condition keys for Amazon ElastiCache
<a name="amazonelasticache-policy-keys"></a>

Amazon ElastiCache defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

**Note**  
To construct Condition elements using condition keys of String type, use the case insensitive condition operators StringEqualsIgnoreCase or StringNotEqualsIgnoreCase to compare a key to a string value.  
For information about conditions in an IAM policy to control access to ElastiCache, see [ElastiCache Keys](https://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/UsingIAM.html#UsingIAM.Keys) in the *Amazon ElastiCache User Guide*.


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the AtRestEncryptionEnabled parameter present in the request or default false value if parameter is not present | Bool | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the presence of non empty AuthToken parameter in the request | Bool | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the AutomaticFailoverEnabled parameter in the request | Bool | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the cacheNodeType parameter present in the request. This key can be used to restrict which cache node types can be used on cluster creation or scaling operations | String | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the CacheParameterGroupName parameter in the request | String | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the cluster mode parameter present in the request. Default value for single node group (shard) creations is false | Bool | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the CacheUsageLimits.DataStorage.Unit parameter in the CreateServerlessCache and ModifyServerlessCache request | String | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the engine type present in creation requests. For replication group creations, default engine 'redis' is used as key if parameter is not present | String | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the engineVersion parameter present in creation or cluster modification requests | String | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the Key ID of the KMS key | String | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the CacheUsageLimits.DataStorage.Maximum parameter in the CreateServerlessCache and ModifyServerlessCache request | Numeric | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the CacheUsageLimits.ECPUPerSecond.Maximum parameter in the CreateServerlessCache and ModifyServerlessCache request | Numeric | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the CacheUsageLimits.DataStorage.Minimum parameter in the CreateServerlessCache and ModifyServerlessCache request | Numeric | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the CacheUsageLimits.ECPUPerSecond.Minimum parameter in the CreateServerlessCache and ModifyServerlessCache request | Numeric | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the AZMode parameter, MultiAZEnabled parameter or the number of availability zones that the cluster or replication group can be placed in | Bool | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the NumNodeGroups or NodeGroupCount parameter specified in the request. This key can be used to restrict the number of node groups (shards) clusters can have after creation or scaling operations | Numeric | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the number of replicas per node group (shards) specified in creations or scaling requests | Numeric | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the SnapshotRetentionLimit parameter in the request | Numeric | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the TransitEncryptionEnabled parameter present in the request. For replication group creations, default value 'false' is used as key if parameter is not present | Bool | 
|   [https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the UserAuthenticationMode parameter in the request | String | 

# Actions, resources, and condition keys for AWS Elemental Appliances and Software
<a name="list_awselementalappliancesandsoftware"></a>

AWS Elemental Appliances and Software (service prefix: `elemental-appliances-software`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/elemental-appliances-software/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/elemental-appliances-software/latest/ug/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/elemental-appliances-software/latest/ug/) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental Appliances and Software
](#awselementalappliancesandsoftware-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental Appliances and Software
](#awselementalappliancesandsoftware-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental Appliances and Software
](#awselementalappliancesandsoftware-policy-keys)

## Actions defined by AWS Elemental Appliances and Software
<a name="awselementalappliancesandsoftware-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalappliancesandsoftware-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to complete an upload of an attachment for a quote or order | Write |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to create an order | Write |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to create a quote | Write |   [#awselementalappliancesandsoftware-quote](#awselementalappliancesandsoftware-quote)   |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to validate an address | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to list the billing addresses in the AWS Account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to list the delivery addresses in the AWS Account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to describe an order | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to list the orders in the AWS Account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to describe a quote | Read |   [#awselementalappliancesandsoftware-quote](#awselementalappliancesandsoftware-quote)   |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to calculate taxes for an order | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to list the quotes in the AWS Account | List |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to start an upload of an attachment for a quote or order | Write |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to submit an order | Write |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to modify a quote | Write |   [#awselementalappliancesandsoftware-quote](#awselementalappliancesandsoftware-quote)   |  |  | 

## Resource types defined by AWS Elemental Appliances and Software
<a name="awselementalappliancesandsoftware-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalappliancesandsoftware-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software)  |  arn:\$1\$1Partition\$1:elemental-appliances-software:\$1\$1Region\$1:\$1\$1Account\$1:quote/\$1\$1ResourceId\$1  |  | 

## Condition keys for AWS Elemental Appliances and Software
<a name="awselementalappliancesandsoftware-policy-keys"></a>

Elemental Appliances and Software has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Elemental Appliances and Software Activation Service
<a name="list_awselementalappliancesandsoftwareactivationservice"></a>

AWS Elemental Appliances and Software Activation Service (service prefix: `elemental-activations`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/elemental-appliances-software/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/elemental-appliances-software/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/elemental-appliances-software/) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental Appliances and Software Activation Service
](#awselementalappliancesandsoftwareactivationservice-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental Appliances and Software Activation Service
](#awselementalappliancesandsoftwareactivationservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental Appliances and Software Activation Service
](#awselementalappliancesandsoftwareactivationservice-policy-keys)

## Actions defined by AWS Elemental Appliances and Software Activation Service
<a name="awselementalappliancesandsoftwareactivationservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalappliancesandsoftwareactivationservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to complete the process of registering customer account for AWS Elemental Appliances and Software Purchases | Write |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to complete the process of uploading a Software file for AWS Elemental Appliances and Software Purchases | Write |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to confirm asset ownership | Write |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to download the kickstart files for AWS Elemental Appliances and Software purchases | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to download the Software files for AWS Elemental Appliances and Software Purchases | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to generate a software license for an AWS Elemental Appliances and Software purchase | Write |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to generate Software Licenses for AWS Elemental Appliances and Software Purchases | Write |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to describe the software version of an artifact group | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to describe an asset | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to describe assets associated to the requesting account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to get all product advisories | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to describe available software versions | Read |  |  |  | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/) [permission only] | Grants permission to start the process of uploading a Software file for AWS Elemental Appliances and Software Purchases | Write |  |  |  | 

## Resource types defined by AWS Elemental Appliances and Software Activation Service
<a name="awselementalappliancesandsoftwareactivationservice-resources-for-iam-policies"></a>

AWS Elemental Appliances and Software Activation Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Elemental Appliances and Software Activation Service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Elemental Appliances and Software Activation Service
<a name="awselementalappliancesandsoftwareactivationservice-policy-keys"></a>

Elemental Activations has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Elemental Inference
<a name="list_awselementalinference"></a>

AWS Elemental Inference (service prefix: `elemental-inference`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/elemental-inference/latest/userguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/elemental-inference/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/elemental-inference/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental Inference
](#awselementalinference-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental Inference
](#awselementalinference-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental Inference
](#awselementalinference-policy-keys)

## Actions defined by AWS Elemental Inference
<a name="awselementalinference-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalinference-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalinference.html)

## Resource types defined by AWS Elemental Inference
<a name="awselementalinference-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalinference-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/elemental-inference/latest/userguide/elemental-inference-configuration.html](https://docs.aws.amazon.com/elemental-inference/latest/userguide/elemental-inference-configuration.html)  |  arn:\$1\$1Partition\$1:elemental-inference:\$1\$1Region\$1:\$1\$1Account\$1:feed/\$1\$1Id\$1  |   [#awselementalinference-aws_ResourceTag___TagKey_](#awselementalinference-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elemental Inference
<a name="awselementalinference-policy-keys"></a>

AWS Elemental Inference defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Elemental MediaConnect
<a name="list_awselementalmediaconnect"></a>

AWS Elemental MediaConnect (service prefix: `mediaconnect`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mediaconnect/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mediaconnect/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mediaconnect/latest/ug/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental MediaConnect
](#awselementalmediaconnect-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental MediaConnect
](#awselementalmediaconnect-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental MediaConnect
](#awselementalmediaconnect-policy-keys)

## Actions defined by AWS Elemental MediaConnect
<a name="awselementalmediaconnect-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalmediaconnect-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediaconnect.html)

## Resource types defined by AWS Elemental MediaConnect
<a name="awselementalmediaconnect-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalmediaconnect-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/gateway-components-bridges.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/gateway-components-bridges.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:bridge:\$1\$1BridgeId\$1:\$1\$1BridgeName\$1  |  | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/entitlements.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/entitlements.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:entitlement:\$1\$1FlowId\$1:\$1\$1EntitlementName\$1  |   [#awselementalmediaconnect-aws_ResourceTag___TagKey_](#awselementalmediaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/flows.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/flows.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:flow:\$1\$1FlowId\$1:\$1\$1FlowName\$1  |   [#awselementalmediaconnect-aws_ResourceTag___TagKey_](#awselementalmediaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/gateway.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/gateway.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:gateway:\$1\$1GatewayId\$1:\$1\$1GatewayName\$1  |  | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/gateway-components-instances.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/gateway-components-instances.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:gateway:\$1\$1GatewayId\$1:\$1\$1GatewayName\$1:instance:\$1\$1InstanceId\$1  |  | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/media-streams.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/media-streams.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:flow:\$1\$1FlowId\$1:\$1\$1FlowName\$1/mediaStream/\$1\$1MediaStreamName\$1  |   [#awselementalmediaconnect-aws_ResourceTag___TagKey_](#awselementalmediaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/offerings.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/offerings.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:offering:\$1\$1OfferingId\$1  |  | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/outputs.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/outputs.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:output:\$1\$1OutputId\$1:\$1\$1OutputName\$1  |   [#awselementalmediaconnect-aws_ResourceTag___TagKey_](#awselementalmediaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/reservations.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/reservations.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:reservation:\$1\$1ReservationId\$1:\$1\$1ReservationName\$1  |  | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/managing-router-io.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/managing-router-io.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:routerInput:\$1\$1RouterInputId\$1  |   [#awselementalmediaconnect-aws_ResourceTag___TagKey_](#awselementalmediaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/managing-router-network-interfaces.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/managing-router-network-interfaces.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:routerNetworkInterface:\$1\$1RouterNetworkInterfaceId\$1  |   [#awselementalmediaconnect-aws_ResourceTag___TagKey_](#awselementalmediaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/managing-router-io.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/managing-router-io.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:routerOutput:\$1\$1RouterOutputId\$1  |   [#awselementalmediaconnect-aws_ResourceTag___TagKey_](#awselementalmediaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/sources.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/sources.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:source:\$1\$1SourceId\$1:\$1\$1SourceName\$1  |   [#awselementalmediaconnect-aws_ResourceTag___TagKey_](#awselementalmediaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconnect/latest/ug/vpc-interfaces.html](https://docs.aws.amazon.com/mediaconnect/latest/ug/vpc-interfaces.html)  |  arn:\$1\$1Partition\$1:mediaconnect:\$1\$1Region\$1:\$1\$1Account\$1:flow:\$1\$1FlowId\$1:\$1\$1FlowName\$1/vpcInterface/\$1\$1VpcInterfaceName\$1  |   [#awselementalmediaconnect-aws_ResourceTag___TagKey_](#awselementalmediaconnect-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elemental MediaConnect
<a name="awselementalmediaconnect-policy-keys"></a>

AWS Elemental MediaConnect defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Elemental MediaConvert
<a name="list_awselementalmediaconvert"></a>

AWS Elemental MediaConvert (service prefix: `mediaconvert`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mediaconvert/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mediaconvert/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mediaconvert/latest/ug/iam-role.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental MediaConvert
](#awselementalmediaconvert-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental MediaConvert
](#awselementalmediaconvert-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental MediaConvert
](#awselementalmediaconvert-policy-keys)

## Actions defined by AWS Elemental MediaConvert
<a name="awselementalmediaconvert-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalmediaconvert-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediaconvert.html)

## Resource types defined by AWS Elemental MediaConvert
<a name="awselementalmediaconvert-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalmediaconvert-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/jobs.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/jobs.html)  |  arn:\$1\$1Partition\$1:mediaconvert:\$1\$1Region\$1:\$1\$1Account\$1:jobs/\$1\$1JobId\$1  |   [#awselementalmediaconvert-aws_ResourceTag___TagKey_](#awselementalmediaconvert-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/queues.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/queues.html)  |  arn:\$1\$1Partition\$1:mediaconvert:\$1\$1Region\$1:\$1\$1Account\$1:queues/\$1\$1QueueName\$1  |   [#awselementalmediaconvert-aws_ResourceTag___TagKey_](#awselementalmediaconvert-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/presets.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/presets.html)  |  arn:\$1\$1Partition\$1:mediaconvert:\$1\$1Region\$1:\$1\$1Account\$1:presets/\$1\$1PresetName\$1  |   [#awselementalmediaconvert-aws_ResourceTag___TagKey_](#awselementalmediaconvert-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/jobtemplates.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/jobtemplates.html)  |  arn:\$1\$1Partition\$1:mediaconvert:\$1\$1Region\$1:\$1\$1Account\$1:jobTemplates/\$1\$1JobTemplateName\$1  |   [#awselementalmediaconvert-aws_ResourceTag___TagKey_](#awselementalmediaconvert-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/certificates.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/certificates.html)  |  arn:\$1\$1Partition\$1:mediaconvert:\$1\$1Region\$1:\$1\$1Account\$1:certificates/\$1\$1CertificateArn\$1  |  | 

## Condition keys for AWS Elemental MediaConvert
<a name="awselementalmediaconvert-policy-keys"></a>

AWS Elemental MediaConvert defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/tags.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/tags.html)  | Filters access by tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/tags.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/tags.html)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/tags.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/tags.html)  | Filters access by tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/input-policies.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/input-policies.html)  | Filters access by an HTTP input policy present in the account | Bool | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/input-policies.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/input-policies.html)  | Filters access by an HTTPS input policy present in the account | Bool | 
|   [https://docs.aws.amazon.com/mediaconvert/latest/apireference/input-policies.html](https://docs.aws.amazon.com/mediaconvert/latest/apireference/input-policies.html)  | Filters access by an S3 input policy present in the account | Bool | 

# Actions, resources, and condition keys for AWS Elemental MediaLive
<a name="list_awselementalmedialive"></a>

AWS Elemental MediaLive (service prefix: `medialive`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/medialive/latest/ug/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/medialive/latest/apireference/what-is.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/medialive/latest/ug/setting-up.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental MediaLive
](#awselementalmedialive-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental MediaLive
](#awselementalmedialive-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental MediaLive
](#awselementalmedialive-policy-keys)

## Actions defined by AWS Elemental MediaLive
<a name="awselementalmedialive-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalmedialive-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmedialive.html)

## Resource types defined by AWS Elemental MediaLive
<a name="awselementalmedialive-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalmedialive-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/container-channel.html](https://docs.aws.amazon.com/medialive/latest/ug/container-channel.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:channel:\$1\$1ChannelId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/creating-input.html](https://docs.aws.amazon.com/medialive/latest/ug/creating-input.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:input:\$1\$1InputId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/eml-devices.html](https://docs.aws.amazon.com/medialive/latest/ug/eml-devices.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:inputDevice:\$1\$1DeviceId\$1  |  | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/working-with-input-security-groups.html](https://docs.aws.amazon.com/medialive/latest/ug/working-with-input-security-groups.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:inputSecurityGroup:\$1\$1InputSecurityGroupId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/eml-multiplex.html](https://docs.aws.amazon.com/medialive/latest/ug/eml-multiplex.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:multiplex:\$1\$1MultiplexId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/reservations.html](https://docs.aws.amazon.com/medialive/latest/ug/reservations.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:reservation:\$1\$1ReservationId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/input-output-reservations.html](https://docs.aws.amazon.com/medialive/latest/ug/input-output-reservations.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:offering:\$1\$1OfferingId\$1  |  | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/monitor-with-workflow-monitor-configure-signal-maps-create.html](https://docs.aws.amazon.com/medialive/latest/ug/monitor-with-workflow-monitor-configure-signal-maps-create.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:signal-map:\$1\$1SignalMapId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/monitor-with-workflow-monitor-configure-alarms-templates-create.html](https://docs.aws.amazon.com/medialive/latest/ug/monitor-with-workflow-monitor-configure-alarms-templates-create.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:cloudwatch-alarm-template-group:\$1\$1CloudWatchAlarmTemplateGroupId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/monitor-with-workflow-monitor-configure-alarms-templates-create.html](https://docs.aws.amazon.com/medialive/latest/ug/monitor-with-workflow-monitor-configure-alarms-templates-create.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:cloudwatch-alarm-template:\$1\$1CloudWatchAlarmTemplateId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/monitor-with-workflow-monitor-configure-notifications-template-create.html](https://docs.aws.amazon.com/medialive/latest/ug/monitor-with-workflow-monitor-configure-notifications-template-create.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:eventbridge-rule-template-group:\$1\$1EventBridgeRuleTemplateGroupId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/monitor-with-workflow-monitor-configure-notifications-template-create.html](https://docs.aws.amazon.com/medialive/latest/ug/monitor-with-workflow-monitor-configure-notifications-template-create.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:eventbridge-rule-template:\$1\$1EventBridgeRuleTemplateId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/setup-emla.html](https://docs.aws.amazon.com/medialive/latest/ug/setup-emla.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:cluster:\$1\$1ClusterId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/setup-emla.html](https://docs.aws.amazon.com/medialive/latest/ug/setup-emla.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:node:\$1\$1ClusterId\$1/\$1\$1NodeId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/setup-emla.html](https://docs.aws.amazon.com/medialive/latest/ug/setup-emla.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:network:\$1\$1NetworkId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/setup-emla.html](https://docs.aws.amazon.com/medialive/latest/ug/setup-emla.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:channelPlacementGroup:\$1\$1ClusterId\$1/\$1\$1ChannelPlacementGroupId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/medialive/latest/ug/setup-emla.html](https://docs.aws.amazon.com/medialive/latest/ug/setup-emla.html)  |  arn:\$1\$1Partition\$1:medialive:\$1\$1Region\$1:\$1\$1Account\$1:sdiSource:\$1\$1SdiSourceId\$1  |   [#awselementalmedialive-aws_ResourceTag___TagKey_](#awselementalmedialive-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elemental MediaLive
<a name="awselementalmedialive-policy-keys"></a>

AWS Elemental MediaLive defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/medialive/latest/ugtagging.html](https://docs.aws.amazon.com/medialive/latest/ugtagging.html)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/medialive/latest/ugtagging.html](https://docs.aws.amazon.com/medialive/latest/ugtagging.html)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/medialive/latest/ugtagging.html](https://docs.aws.amazon.com/medialive/latest/ugtagging.html)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Elemental MediaPackage
<a name="list_awselementalmediapackage"></a>

AWS Elemental MediaPackage (service prefix: `mediapackage`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mediapackage/latest/ug/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mediapackage/latest/apireference/welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mediapackage/latest/ug/setting-up.html#setting-up-create-iam-user) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental MediaPackage
](#awselementalmediapackage-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental MediaPackage
](#awselementalmediapackage-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental MediaPackage
](#awselementalmediapackage-policy-keys)

## Actions defined by AWS Elemental MediaPackage
<a name="awselementalmediapackage-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalmediapackage-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackage.html)

## Resource types defined by AWS Elemental MediaPackage
<a name="awselementalmediapackage-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalmediapackage-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mediapackage/latest/ug/channels.html](https://docs.aws.amazon.com/mediapackage/latest/ug/channels.html)  |  arn:\$1\$1Partition\$1:mediapackage:\$1\$1Region\$1:\$1\$1Account\$1:channels/\$1\$1ChannelIdentifier\$1  |   [#awselementalmediapackage-aws_ResourceTag___TagKey_](#awselementalmediapackage-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediapackage/latest/ug/endpoints.html](https://docs.aws.amazon.com/mediapackage/latest/ug/endpoints.html)  |  arn:\$1\$1Partition\$1:mediapackage:\$1\$1Region\$1:\$1\$1Account\$1:origin\$1endpoints/\$1\$1OriginEndpointIdentifier\$1  |   [#awselementalmediapackage-aws_ResourceTag___TagKey_](#awselementalmediapackage-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediapackage/latest/ug/harvest-jobs.html](https://docs.aws.amazon.com/mediapackage/latest/ug/harvest-jobs.html)  |  arn:\$1\$1Partition\$1:mediapackage:\$1\$1Region\$1:\$1\$1Account\$1:harvest\$1jobs/\$1\$1HarvestJobIdentifier\$1  |   [#awselementalmediapackage-aws_ResourceTag___TagKey_](#awselementalmediapackage-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elemental MediaPackage
<a name="awselementalmediapackage-policy-keys"></a>

AWS Elemental MediaPackage defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag for a MediaPackage request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag for a MediaPackage resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys for a MediaPackage resource or request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Elemental MediaPackage V2
<a name="list_awselementalmediapackagev2"></a>

AWS Elemental MediaPackage V2 (service prefix: `mediapackagev2`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mediapackage/latest/userguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mediapackage/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mediapackage/latest/userguide/setting-up-iam-permissions.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental MediaPackage V2
](#awselementalmediapackagev2-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental MediaPackage V2
](#awselementalmediapackagev2-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental MediaPackage V2
](#awselementalmediapackagev2-policy-keys)

## Actions defined by AWS Elemental MediaPackage V2
<a name="awselementalmediapackagev2-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalmediapackagev2-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagev2.html)

## Resource types defined by AWS Elemental MediaPackage V2
<a name="awselementalmediapackagev2-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalmediapackagev2-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mediapackage/latest/userguide/channel-groups.html](https://docs.aws.amazon.com/mediapackage/latest/userguide/channel-groups.html)  |  arn:\$1\$1Partition\$1:mediapackagev2:\$1\$1Region\$1:\$1\$1Account\$1:channelGroup/\$1\$1ChannelGroupName\$1  |   [#awselementalmediapackagev2-aws_ResourceTag___TagKey_](#awselementalmediapackagev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediapackage/latest/userguide/API_GetChannelPolicy.html](https://docs.aws.amazon.com/mediapackage/latest/userguide/API_GetChannelPolicy.html)  |  arn:\$1\$1Partition\$1:mediapackagev2:\$1\$1Region\$1:\$1\$1Account\$1:channelGroup/\$1\$1ChannelGroupName\$1/channel/\$1\$1ChannelName\$1  |  | 
|   [https://docs.aws.amazon.com/mediapackage/latest/userguide/channels.html](https://docs.aws.amazon.com/mediapackage/latest/userguide/channels.html)  |  arn:\$1\$1Partition\$1:mediapackagev2:\$1\$1Region\$1:\$1\$1Account\$1:channelGroup/\$1\$1ChannelGroupName\$1/channel/\$1\$1ChannelName\$1  |   [#awselementalmediapackagev2-aws_ResourceTag___TagKey_](#awselementalmediapackagev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediapackage/latest/userguide/API_GetOriginEndpointPolicy.html](https://docs.aws.amazon.com/mediapackage/latest/userguide/API_GetOriginEndpointPolicy.html)  |  arn:\$1\$1Partition\$1:mediapackagev2:\$1\$1Region\$1:\$1\$1Account\$1:channelGroup/\$1\$1ChannelGroupName\$1/channel/\$1\$1ChannelName\$1/originEndpoint/\$1\$1OriginEndpointName\$1  |  | 
|   [https://docs.aws.amazon.com/mediapackage/latest/userguide/endpoints.html](https://docs.aws.amazon.com/mediapackage/latest/userguide/endpoints.html)  |  arn:\$1\$1Partition\$1:mediapackagev2:\$1\$1Region\$1:\$1\$1Account\$1:channelGroup/\$1\$1ChannelGroupName\$1/channel/\$1\$1ChannelName\$1/originEndpoint/\$1\$1OriginEndpointName\$1  |   [#awselementalmediapackagev2-aws_ResourceTag___TagKey_](#awselementalmediapackagev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediapackage/latest/userguide/API_HarvestJobListConfiguration.html](https://docs.aws.amazon.com/mediapackage/latest/userguide/API_HarvestJobListConfiguration.html)  |  arn:\$1\$1Partition\$1:mediapackagev2:\$1\$1Region\$1:\$1\$1Account\$1:channelGroup/\$1\$1ChannelGroupName\$1/channel/\$1\$1ChannelName\$1/originEndpoint/\$1\$1OriginEndpointName\$1/harvestJob/\$1\$1HarvestJobName\$1  |   [#awselementalmediapackagev2-aws_ResourceTag___TagKey_](#awselementalmediapackagev2-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elemental MediaPackage V2
<a name="awselementalmediapackagev2-policy-keys"></a>

AWS Elemental MediaPackage V2 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Elemental MediaPackage VOD
<a name="list_awselementalmediapackagevod"></a>

AWS Elemental MediaPackage VOD (service prefix: `mediapackage-vod`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mediapackage/latest/ug/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mediapackage-vod/latest/apireference/welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mediapackage/latest/ug/setting-up.html#setting-up-create-iam-user) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental MediaPackage VOD
](#awselementalmediapackagevod-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental MediaPackage VOD
](#awselementalmediapackagevod-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental MediaPackage VOD
](#awselementalmediapackagevod-policy-keys)

## Actions defined by AWS Elemental MediaPackage VOD
<a name="awselementalmediapackagevod-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalmediapackagevod-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html)

## Resource types defined by AWS Elemental MediaPackage VOD
<a name="awselementalmediapackagevod-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalmediapackagevod-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mediapackage/latest/ug/asset.html](https://docs.aws.amazon.com/mediapackage/latest/ug/asset.html)  |  arn:\$1\$1Partition\$1:mediapackage-vod:\$1\$1Region\$1:\$1\$1Account\$1:assets/\$1\$1AssetIdentifier\$1  |   [#awselementalmediapackagevod-aws_ResourceTag___TagKey_](#awselementalmediapackagevod-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediapackage/latest/ug/pkg-cfig.html](https://docs.aws.amazon.com/mediapackage/latest/ug/pkg-cfig.html)  |  arn:\$1\$1Partition\$1:mediapackage-vod:\$1\$1Region\$1:\$1\$1Account\$1:packaging-configurations/\$1\$1PackagingConfigurationIdentifier\$1  |   [#awselementalmediapackagevod-aws_ResourceTag___TagKey_](#awselementalmediapackagevod-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediapackage/latest/ug/pkg-group.html](https://docs.aws.amazon.com/mediapackage/latest/ug/pkg-group.html)  |  arn:\$1\$1Partition\$1:mediapackage-vod:\$1\$1Region\$1:\$1\$1Account\$1:packaging-groups/\$1\$1PackagingGroupIdentifier\$1  |   [#awselementalmediapackagevod-aws_ResourceTag___TagKey_](#awselementalmediapackagevod-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elemental MediaPackage VOD
<a name="awselementalmediapackagevod-policy-keys"></a>

AWS Elemental MediaPackage VOD defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Elemental MediaStore
<a name="list_awselementalmediastore"></a>

AWS Elemental MediaStore (service prefix: `mediastore`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mediastore/latest/ug/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mediastore/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mediastore/latest/ug/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental MediaStore
](#awselementalmediastore-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental MediaStore
](#awselementalmediastore-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental MediaStore
](#awselementalmediastore-policy-keys)

## Actions defined by AWS Elemental MediaStore
<a name="awselementalmediastore-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalmediastore-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediastore.html)

## Resource types defined by AWS Elemental MediaStore
<a name="awselementalmediastore-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalmediastore-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mediastore/latest/ug/containers.html](https://docs.aws.amazon.com/mediastore/latest/ug/containers.html)  |  arn:\$1\$1Partition\$1:mediastore:\$1\$1Region\$1:\$1\$1Account\$1:container/\$1\$1ContainerName\$1  |   [#awselementalmediastore-aws_ResourceTag___TagKey_](#awselementalmediastore-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediastore/latest/ug/objects.html](https://docs.aws.amazon.com/mediastore/latest/ug/objects.html)  |  arn:\$1\$1Partition\$1:mediastore:\$1\$1Region\$1:\$1\$1Account\$1:container/\$1\$1ContainerName\$1/\$1\$1ObjectPath\$1  |  | 
|   [https://docs.aws.amazon.com/mediastore/latest/ug/folders.html](https://docs.aws.amazon.com/mediastore/latest/ug/folders.html)  |  arn:\$1\$1Partition\$1:mediastore:\$1\$1Region\$1:\$1\$1Account\$1:container/\$1\$1ContainerName\$1/\$1\$1FolderPath\$1  |  | 

## Condition keys for AWS Elemental MediaStore
<a name="awselementalmediastore-policy-keys"></a>

AWS Elemental MediaStore defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Elemental MediaTailor
<a name="list_awselementalmediatailor"></a>

AWS Elemental MediaTailor (service prefix: `mediatailor`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mediatailor/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mediatailor/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mediatailor/latest/ug/setting-up-non-admin-policies.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental MediaTailor
](#awselementalmediatailor-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental MediaTailor
](#awselementalmediatailor-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental MediaTailor
](#awselementalmediatailor-policy-keys)

## Actions defined by AWS Elemental MediaTailor
<a name="awselementalmediatailor-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalmediatailor-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediatailor.html)

## Resource types defined by AWS Elemental MediaTailor
<a name="awselementalmediatailor-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalmediatailor-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mediatailor/latest/apireference/playbackconfiguration.html](https://docs.aws.amazon.com/mediatailor/latest/apireference/playbackconfiguration.html)  |  arn:\$1\$1Partition\$1:mediatailor:\$1\$1Region\$1:\$1\$1Account\$1:playbackConfiguration/\$1\$1ResourceId\$1  |   [#awselementalmediatailor-aws_ResourceTag___TagKey_](#awselementalmediatailor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediatailor/latest/apireference/prefetchschedule-playbackconfigurationname-name.html](https://docs.aws.amazon.com/mediatailor/latest/apireference/prefetchschedule-playbackconfigurationname-name.html)  |  arn:\$1\$1Partition\$1:mediatailor:\$1\$1Region\$1:\$1\$1Account\$1:prefetchSchedule/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/mediatailor/latest/apireference/channel-channelname.html](https://docs.aws.amazon.com/mediatailor/latest/apireference/channel-channelname.html)  |  arn:\$1\$1Partition\$1:mediatailor:\$1\$1Region\$1:\$1\$1Account\$1:channel/\$1\$1ChannelName\$1  |   [#awselementalmediatailor-aws_ResourceTag___TagKey_](#awselementalmediatailor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediatailor/latest/apireference/channel-channelname-program-programname.html](https://docs.aws.amazon.com/mediatailor/latest/apireference/channel-channelname-program-programname.html)  |  arn:\$1\$1Partition\$1:mediatailor:\$1\$1Region\$1:\$1\$1Account\$1:program/\$1\$1ChannelName\$1/\$1\$1ProgramName\$1  |  | 
|   [https://docs.aws.amazon.com/mediatailor/latest/apireference/sourcelocation-sourcelocationname.html](https://docs.aws.amazon.com/mediatailor/latest/apireference/sourcelocation-sourcelocationname.html)  |  arn:\$1\$1Partition\$1:mediatailor:\$1\$1Region\$1:\$1\$1Account\$1:sourceLocation/\$1\$1SourceLocationName\$1  |   [#awselementalmediatailor-aws_ResourceTag___TagKey_](#awselementalmediatailor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediatailor/latest/apireference/sourcelocation-sourcelocationname-vodsource-vodsourcename.html](https://docs.aws.amazon.com/mediatailor/latest/apireference/sourcelocation-sourcelocationname-vodsource-vodsourcename.html)  |  arn:\$1\$1Partition\$1:mediatailor:\$1\$1Region\$1:\$1\$1Account\$1:vodSource/\$1\$1SourceLocationName\$1/\$1\$1VodSourceName\$1  |   [#awselementalmediatailor-aws_ResourceTag___TagKey_](#awselementalmediatailor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mediatailor/latest/apireference/sourcelocation-sourcelocationname-livesource-livesourcename.html](https://docs.aws.amazon.com/mediatailor/latest/apireference/sourcelocation-sourcelocationname-livesource-livesourcename.html)  |  arn:\$1\$1Partition\$1:mediatailor:\$1\$1Region\$1:\$1\$1Account\$1:liveSource/\$1\$1SourceLocationName\$1/\$1\$1LiveSourceName\$1  |   [#awselementalmediatailor-aws_ResourceTag___TagKey_](#awselementalmediatailor-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elemental MediaTailor
<a name="awselementalmediatailor-policy-keys"></a>

AWS Elemental MediaTailor defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Elemental Support Cases
<a name="list_awselementalsupportcases"></a>

AWS Elemental Support Cases (service prefix: `elemental-support-cases`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/elemental-appliances-software/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/elemental-appliances-software/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/elemental-appliances-software/) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental Support Cases
](#awselementalsupportcases-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental Support Cases
](#awselementalsupportcases-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental Support Cases
](#awselementalsupportcases-policy-keys)

## Actions defined by AWS Elemental Support Cases
<a name="awselementalsupportcases-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalsupportcases-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalsupportcases.html)

## Resource types defined by AWS Elemental Support Cases
<a name="awselementalsupportcases-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awselementalsupportcases-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/elemental-appliances-software/](https://docs.aws.amazon.com/elemental-appliances-software/)  |  arn:\$1\$1Partition\$1:elemental-support-cases::\$1\$1Account\$1:case/\$1\$1ResourceId\$1  |   [#awselementalsupportcases-aws_ResourceTag___TagKey_](#awselementalsupportcases-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Elemental Support Cases
<a name="awselementalsupportcases-policy-keys"></a>

AWS Elemental Support Cases defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Elemental Support Content
<a name="list_awselementalsupportcontent"></a>

AWS Elemental Support Content (service prefix: `elemental-support-content`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/elemental-appliances-software/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/elemental-appliances-software/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/elemental-appliances-software/) permission policies.

**Topics**
+ [

## Actions defined by AWS Elemental Support Content
](#awselementalsupportcontent-actions-as-permissions)
+ [

## Resource types defined by AWS Elemental Support Content
](#awselementalsupportcontent-resources-for-iam-policies)
+ [

## Condition keys for AWS Elemental Support Content
](#awselementalsupportcontent-policy-keys)

## Actions defined by AWS Elemental Support Content
<a name="awselementalsupportcontent-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awselementalsupportcontent-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/elemental-appliances-software](https://docs.aws.amazon.com/elemental-appliances-software) [permission only] | Grants permission to search support content | Read |  |  |  | 

## Resource types defined by AWS Elemental Support Content
<a name="awselementalsupportcontent-resources-for-iam-policies"></a>

AWS Elemental Support Content does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Elemental Support Content, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Elemental Support Content
<a name="awselementalsupportcontent-policy-keys"></a>

Elemental Support Content has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon EMR on EKS (EMR Containers)
<a name="list_amazonemroneksemrcontainers"></a>

Amazon EMR on EKS (EMR Containers) (service prefix: `emr-containers`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/emr-on-eks/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EMR on EKS (EMR Containers)
](#amazonemroneksemrcontainers-actions-as-permissions)
+ [

## Resource types defined by Amazon EMR on EKS (EMR Containers)
](#amazonemroneksemrcontainers-resources-for-iam-policies)
+ [

## Condition keys for Amazon EMR on EKS (EMR Containers)
](#amazonemroneksemrcontainers-policy-keys)

## Actions defined by Amazon EMR on EKS (EMR Containers)
<a name="amazonemroneksemrcontainers-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonemroneksemrcontainers-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemroneksemrcontainers.html)

## Resource types defined by Amazon EMR on EKS (EMR Containers)
<a name="amazonemroneksemrcontainers-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonemroneksemrcontainers-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/virtual-cluster.html](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/virtual-cluster.html)  |  arn:\$1\$1Partition\$1:emr-containers:\$1\$1Region\$1:\$1\$1Account\$1:/virtualclusters/\$1\$1VirtualClusterId\$1  |   [#amazonemroneksemrcontainers-aws_ResourceTag___TagKey_](#amazonemroneksemrcontainers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/job-runs.html](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/job-runs.html)  |  arn:\$1\$1Partition\$1:emr-containers:\$1\$1Region\$1:\$1\$1Account\$1:/virtualclusters/\$1\$1VirtualClusterId\$1/jobruns/\$1\$1JobRunId\$1  |   [#amazonemroneksemrcontainers-aws_ResourceTag___TagKey_](#amazonemroneksemrcontainers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/job-templates.html](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/job-templates.html)  |  arn:\$1\$1Partition\$1:emr-containers:\$1\$1Region\$1:\$1\$1Account\$1:/jobtemplates/\$1\$1JobTemplateId\$1  |   [#amazonemroneksemrcontainers-aws_ResourceTag___TagKey_](#amazonemroneksemrcontainers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-studio-create-eks-cluster.html#emr-studio-create-managed-endpoint](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-studio-create-eks-cluster.html#emr-studio-create-managed-endpoint)  |  arn:\$1\$1Partition\$1:emr-containers:\$1\$1Region\$1:\$1\$1Account\$1:/virtualclusters/\$1\$1VirtualClusterId\$1/endpoints/\$1\$1EndpointId\$1  |   [#amazonemroneksemrcontainers-aws_ResourceTag___TagKey_](#amazonemroneksemrcontainers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.html#security_iam_fgac-lf-security-config](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.html#security_iam_fgac-lf-security-config)  |  arn:\$1\$1Partition\$1:emr-containers:\$1\$1Region\$1:\$1\$1Account\$1:/securityconfigurations/\$1\$1SecurityConfigurationId\$1  |   [#amazonemroneksemrcontainers-aws_ResourceTag___TagKey_](#amazonemroneksemrcontainers-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon EMR on EKS (EMR Containers)
<a name="amazonemroneksemrcontainers-policy-keys"></a>

Amazon EMR on EKS (EMR Containers) defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs present in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys present in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.html](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.html)  | Filters access by the execution role arn present in the request | ARN | 
|   [https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-job-template.html](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-job-template.html)  | Filters access by the job template arn present in the request | ARN | 

# Actions, resources, and condition keys for Amazon EMR Serverless
<a name="list_amazonemrserverless"></a>

Amazon EMR Serverless (service prefix: `emr-serverless`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/emr-serverless/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EMR Serverless
](#amazonemrserverless-actions-as-permissions)
+ [

## Resource types defined by Amazon EMR Serverless
](#amazonemrserverless-resources-for-iam-policies)
+ [

## Condition keys for Amazon EMR Serverless
](#amazonemrserverless-policy-keys)

## Actions defined by Amazon EMR Serverless
<a name="amazonemrserverless-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonemrserverless-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemrserverless.html)

## Resource types defined by Amazon EMR Serverless
<a name="amazonemrserverless-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonemrserverless-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/emr-serverless.html](https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/emr-serverless.html)  |  arn:\$1\$1Partition\$1:emr-serverless:\$1\$1Region\$1:\$1\$1Account\$1:/applications/\$1\$1ApplicationId\$1  |   [#amazonemrserverless-aws_ResourceTag___TagKey_](#amazonemrserverless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/emr-serverless.html](https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/emr-serverless.html)  |  arn:\$1\$1Partition\$1:emr-serverless:\$1\$1Region\$1:\$1\$1Account\$1:/applications/\$1\$1ApplicationId\$1/jobruns/\$1\$1JobRunId\$1  |   [#amazonemrserverless-aws_ResourceTag___TagKey_](#amazonemrserverless-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon EMR Serverless
<a name="amazonemrserverless-policy-keys"></a>

Amazon EMR Serverless defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS End User Messaging SMS and Voice V2
<a name="list_awsendusermessagingsmsandvoicev2"></a>

AWS End User Messaging SMS and Voice V2 (service prefix: `sms-voice`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/pinpoint/latest/userguide/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/pinpoint/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS End User Messaging SMS and Voice V2
](#awsendusermessagingsmsandvoicev2-actions-as-permissions)
+ [

## Resource types defined by AWS End User Messaging SMS and Voice V2
](#awsendusermessagingsmsandvoicev2-resources-for-iam-policies)
+ [

## Condition keys for AWS End User Messaging SMS and Voice V2
](#awsendusermessagingsmsandvoicev2-policy-keys)

## Actions defined by AWS End User Messaging SMS and Voice V2
<a name="awsendusermessagingsmsandvoicev2-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsendusermessagingsmsandvoicev2-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsendusermessagingsmsandvoicev2.html)

## Resource types defined by AWS End User Messaging SMS and Voice V2
<a name="awsendusermessagingsmsandvoicev2-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsendusermessagingsmsandvoicev2-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_CreateConfigurationSet.html](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_CreateConfigurationSet.html)  |  arn:\$1\$1Partition\$1:sms-voice:\$1\$1Region\$1:\$1\$1Account\$1:configuration-set/\$1\$1ConfigurationSetName\$1  |   [#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_](#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_CreateOptOutList.html](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_CreateOptOutList.html)  |  arn:\$1\$1Partition\$1:sms-voice:\$1\$1Region\$1:\$1\$1Account\$1:opt-out-list/\$1\$1OptOutListName\$1  |   [#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_](#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_RequestPhoneNumber.html](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_RequestPhoneNumber.html)  |  arn:\$1\$1Partition\$1:sms-voice:\$1\$1Region\$1:\$1\$1Account\$1:phone-number/\$1\$1PhoneNumberId\$1  |   [#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_](#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_CreatePool.html](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_CreatePool.html)  |  arn:\$1\$1Partition\$1:sms-voice:\$1\$1Region\$1:\$1\$1Account\$1:pool/\$1\$1PoolId\$1  |   [#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_](#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_CreateProtectConfiguration.html](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_CreateProtectConfiguration.html)  |  arn:\$1\$1Partition\$1:sms-voice:\$1\$1Region\$1:\$1\$1Account\$1:protect-configuration/\$1\$1ProtectConfigurationId\$1  |   [#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_](#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_DescribeSenderIds.html](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_DescribeSenderIds.html)  |  arn:\$1\$1Partition\$1:sms-voice:\$1\$1Region\$1:\$1\$1Account\$1:sender-id/\$1\$1SenderId\$1/\$1\$1IsoCountryCode\$1  |   [#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_](#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_DescribeRegistrations.html](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_DescribeRegistrations.html)  |  arn:\$1\$1Partition\$1:sms-voice:\$1\$1Region\$1:\$1\$1Account\$1:registration/\$1\$1RegistrationId\$1  |   [#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_](#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_DescribeRegistrationAttachments.html](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_DescribeRegistrationAttachments.html)  |  arn:\$1\$1Partition\$1:sms-voice:\$1\$1Region\$1:\$1\$1Account\$1:registration-attachment/\$1\$1RegistrationAttachmentId\$1  |   [#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_](#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_DescribeVerifiedDestinationNumbers.html](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_DescribeVerifiedDestinationNumbers.html)  |  arn:\$1\$1Partition\$1:sms-voice:\$1\$1Region\$1:\$1\$1Account\$1:verified-destination-number/\$1\$1VerifiedDestinationNumberId\$1  |   [#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_](#awsendusermessagingsmsandvoicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_PutMessageFeedback.html](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/API_PutMessageFeedback.html)  |  arn:\$1\$1Partition\$1:sms-voice:\$1\$1Region\$1:\$1\$1Account\$1:message/\$1\$1MessageId\$1  |  | 

## Condition keys for AWS End User Messaging SMS and Voice V2
<a name="awsendusermessagingsmsandvoicev2-policy-keys"></a>

AWS End User Messaging SMS and Voice V2 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS End User Messaging Social
<a name="list_awsendusermessagingsocial"></a>

AWS End User Messaging Social (service prefix: `social-messaging`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/social-messaging/latest/userguide/what-is-service.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/social-messaging/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/social-messaging/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS End User Messaging Social
](#awsendusermessagingsocial-actions-as-permissions)
+ [

## Resource types defined by AWS End User Messaging Social
](#awsendusermessagingsocial-resources-for-iam-policies)
+ [

## Condition keys for AWS End User Messaging Social
](#awsendusermessagingsocial-policy-keys)

## Actions defined by AWS End User Messaging Social
<a name="awsendusermessagingsocial-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsendusermessagingsocial-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsendusermessagingsocial.html)

## Resource types defined by AWS End User Messaging Social
<a name="awsendusermessagingsocial-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsendusermessagingsocial-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/social-messaging/latest/APIReference/API_WhatsAppPhoneNumberDetail.html](https://docs.aws.amazon.com/social-messaging/latest/APIReference/API_WhatsAppPhoneNumberDetail.html)  |  arn:\$1\$1Partition\$1:social-messaging:\$1\$1Region\$1:\$1\$1Account\$1:phone-number-id/\$1\$1OriginationPhoneNumberId\$1  |   [#awsendusermessagingsocial-aws_ResourceTag___TagKey_](#awsendusermessagingsocial-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/social-messaging/latest/APIReference/API_LinkedWhatsAppBusinessAccountSummary.html](https://docs.aws.amazon.com/social-messaging/latest/APIReference/API_LinkedWhatsAppBusinessAccountSummary.html)  |  arn:\$1\$1Partition\$1:social-messaging:\$1\$1Region\$1:\$1\$1Account\$1:waba/\$1\$1WabaId\$1  |   [#awsendusermessagingsocial-aws_ResourceTag___TagKey_](#awsendusermessagingsocial-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS End User Messaging Social
<a name="awsendusermessagingsocial-policy-keys"></a>

AWS End User Messaging Social defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Entity Resolution
<a name="list_awsentityresolution"></a>

AWS Entity Resolution (service prefix: `entityresolution`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/entityresolution/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/entityresolution/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/entityresolution/latest/userguide/what-is-service.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Entity Resolution
](#awsentityresolution-actions-as-permissions)
+ [

## Resource types defined by AWS Entity Resolution
](#awsentityresolution-resources-for-iam-policies)
+ [

## Condition keys for AWS Entity Resolution
](#awsentityresolution-policy-keys)

## Actions defined by AWS Entity Resolution
<a name="awsentityresolution-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsentityresolution-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsentityresolution.html)

## Resource types defined by AWS Entity Resolution
<a name="awsentityresolution-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsentityresolution-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/entityresolution/latest/userguide/](https://docs.aws.amazon.com/entityresolution/latest/userguide/)  |  arn:\$1\$1Partition\$1:entityresolution:\$1\$1Region\$1:\$1\$1Account\$1:matchingworkflow/\$1\$1WorkflowName\$1  |   [#awsentityresolution-aws_ResourceTag___TagKey_](#awsentityresolution-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/entityresolution/latest/userguide/](https://docs.aws.amazon.com/entityresolution/latest/userguide/)  |  arn:\$1\$1Partition\$1:entityresolution:\$1\$1Region\$1:\$1\$1Account\$1:schemamapping/\$1\$1SchemaName\$1  |   [#awsentityresolution-aws_ResourceTag___TagKey_](#awsentityresolution-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/entityresolution/latest/userguide/](https://docs.aws.amazon.com/entityresolution/latest/userguide/)  |  arn:\$1\$1Partition\$1:entityresolution:\$1\$1Region\$1:\$1\$1Account\$1:idmappingworkflow/\$1\$1WorkflowName\$1  |   [#awsentityresolution-aws_ResourceTag___TagKey_](#awsentityresolution-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/entityresolution/latest/userguide/](https://docs.aws.amazon.com/entityresolution/latest/userguide/)  |  arn:\$1\$1Partition\$1:entityresolution:\$1\$1Region\$1:\$1\$1Account\$1:providerservice/\$1\$1ProviderName\$1/\$1\$1ProviderServiceName\$1  |   [#awsentityresolution-aws_ResourceTag___TagKey_](#awsentityresolution-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/entityresolution/latest/userguide/](https://docs.aws.amazon.com/entityresolution/latest/userguide/)  |  arn:\$1\$1Partition\$1:entityresolution:\$1\$1Region\$1:\$1\$1Account\$1:idnamespace/\$1\$1IdNamespaceName\$1  |   [#awsentityresolution-aws_ResourceTag___TagKey_](#awsentityresolution-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Entity Resolution
<a name="awsentityresolution-policy-keys"></a>

AWS Entity Resolution defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys)  | Filters access by a key that is present in the request the user makes to the entity resolution service | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys)  | Filters access by a tag key and value pair | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys)  | Filters access by the list of all the tag key names present in the request the user makes to the entity resolution service | ArrayOfString | 

# Actions, resources, and condition keys for Amazon EventBridge
<a name="list_amazoneventbridge"></a>

Amazon EventBridge (service prefix: `events`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/eventbridge/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/eventbridge/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EventBridge
](#amazoneventbridge-actions-as-permissions)
+ [

## Resource types defined by Amazon EventBridge
](#amazoneventbridge-resources-for-iam-policies)
+ [

## Condition keys for Amazon EventBridge
](#amazoneventbridge-policy-keys)

## Actions defined by Amazon EventBridge
<a name="amazoneventbridge-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoneventbridge-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridge.html)

## Resource types defined by Amazon EventBridge
<a name="amazoneventbridge-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoneventbridge-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1::event-source/\$1\$1EventSourceName\$1  |  | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:event-bus/\$1\$1EventBusName\$1  |   [#amazoneventbridge-aws_ResourceTag___TagKey_](#amazoneventbridge-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:rule/\$1\$1RuleName\$1  |   [#amazoneventbridge-aws_ResourceTag___TagKey_](#amazoneventbridge-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:rule/\$1\$1EventBusName\$1/\$1\$1RuleName\$1  |   [#amazoneventbridge-aws_ResourceTag___TagKey_](#amazoneventbridge-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:archive/\$1\$1ArchiveName\$1  |  | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:replay/\$1\$1ReplayName\$1  |  | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:connection/\$1\$1ConnectionName\$1  |  | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:api-destination/\$1\$1ApiDestinationName\$1  |  | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:endpoint/\$1\$1EndpointName\$1  |  | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:target/create-snapshot  |  | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:target/reboot-instance  |  | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:target/stop-instance  |  | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html#eventbridge-arn-format)  |  arn:\$1\$1Partition\$1:events:\$1\$1Region\$1:\$1\$1Account\$1:target/terminate-instance  |  | 
|   [https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html)  |  arn:\$1\$1Partition\$1:kms:\$1\$1Region\$1:\$1\$1Account\$1:alias/\$1\$1Alias\$1  |  | 
|   [https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)  |  arn:\$1\$1Partition\$1:kms:\$1\$1Region\$1:\$1\$1Account\$1:key/\$1\$1KeyId\$1  |  | 

## Condition keys for Amazon EventBridge
<a name="amazoneventbridge-policy-keys"></a>

Amazon EventBridge defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags to event bus and rule actions | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource to event bus and rule actions | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tags in the request to event bus and rule actions | ArrayOfString | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#limiting-access-to-event-buses](https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#limiting-access-to-event-buses)  | Filters access by the ARN of the event buses that can be associated with an endpoint to CreateEndpoint and UpdateEndpoint actions | ArrayOfARN | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html](https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html)  | Filters access by AWS services. If a rule is created by an AWS service on your behalf, the value is the principal name of the service that created the rule | String | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#limiting-access-to-targets](https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#limiting-access-to-targets)  | Filters access by the ARN of a target that can be put to a rule to PutTargets actions. TargetARN doesn't include DeadLetterConfigArn | ArrayOfARN | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#events-creator-account](https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#events-creator-account)  | Filters access by the account the rule was created in to rule actions | String | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#events-pattern-detail-type](https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#events-pattern-detail-type)  | Filters access by the literal string of the detail-type of the event to PutEvents and PutRule actions | ArrayOfString | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#limit-rule-by-type-code](https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#limit-rule-by-type-code)  | Filters access by the literal string for the detail.eventTypeCode field of the event to PutRule actions | String | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#limit-rule-by-service](https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#limit-rule-by-service)  | Filters access by the literal string for the detail.service field of the event to PutRule actions | String | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#consume-specific-events](https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#consume-specific-events)  | Filters access by the literal string for the detail.useridentity.principalid field of the event to PutRule actions | String | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#events-bus-invocation](https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#events-bus-invocation)  | Filters access by whether the event was generated via API or cross-account bus invocation to PutEvents actions | String | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#events-limit-access-control](https://docs.aws.amazon.com/eventbridge/latest/userguide/policy-keys-eventbridge.html#events-limit-access-control)  | Filters access by the AWS service or AWS partner event source that generated the event to PutEvents and PutRule actions. Matches the literal string of the source field of the event | ArrayOfString | 

# Actions, resources, and condition keys for Amazon EventBridge Pipes
<a name="list_amazoneventbridgepipes"></a>

Amazon EventBridge Pipes (service prefix: `pipes`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/eventbridge/latest/pipes-reference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-security.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EventBridge Pipes
](#amazoneventbridgepipes-actions-as-permissions)
+ [

## Resource types defined by Amazon EventBridge Pipes
](#amazoneventbridgepipes-resources-for-iam-policies)
+ [

## Condition keys for Amazon EventBridge Pipes
](#amazoneventbridgepipes-policy-keys)

## Actions defined by Amazon EventBridge Pipes
<a name="amazoneventbridgepipes-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoneventbridgepipes-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgepipes.html)

## Resource types defined by Amazon EventBridge Pipes
<a name="amazoneventbridgepipes-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoneventbridgepipes-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes.html](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes.html)  |  arn:\$1\$1Partition\$1:pipes:\$1\$1Region\$1:\$1\$1Account\$1:pipe/\$1\$1Name\$1  |   [#amazoneventbridgepipes-aws_ResourceTag___TagKey_](#amazoneventbridgepipes-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon EventBridge Pipes
<a name="amazoneventbridgepipes-policy-keys"></a>

Amazon EventBridge Pipes defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon EventBridge Scheduler
<a name="list_amazoneventbridgescheduler"></a>

Amazon EventBridge Scheduler (service prefix: `scheduler`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/scheduler/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/scheduler/latest/UserGuide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EventBridge Scheduler
](#amazoneventbridgescheduler-actions-as-permissions)
+ [

## Resource types defined by Amazon EventBridge Scheduler
](#amazoneventbridgescheduler-resources-for-iam-policies)
+ [

## Condition keys for Amazon EventBridge Scheduler
](#amazoneventbridgescheduler-policy-keys)

## Actions defined by Amazon EventBridge Scheduler
<a name="amazoneventbridgescheduler-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoneventbridgescheduler-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgescheduler.html)

## Resource types defined by Amazon EventBridge Scheduler
<a name="amazoneventbridgescheduler-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoneventbridgescheduler-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-schedule-group.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-schedule-group.html)  |  arn:\$1\$1Partition\$1:scheduler:\$1\$1Region\$1:\$1\$1Account\$1:schedule-group/\$1\$1GroupName\$1  |   [#amazoneventbridgescheduler-aws_ResourceTag___TagKey_](#amazoneventbridgescheduler-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-schedule.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-schedule.html)  |  arn:\$1\$1Partition\$1:scheduler:\$1\$1Region\$1:\$1\$1Account\$1:schedule/\$1\$1GroupName\$1/\$1\$1ScheduleName\$1  |  | 

## Condition keys for Amazon EventBridge Scheduler
<a name="amazoneventbridgescheduler-policy-keys"></a>

Amazon EventBridge Scheduler defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon EventBridge Schemas
<a name="list_amazoneventbridgeschemas"></a>

Amazon EventBridge Schemas (service prefix: `schemas`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/eventbridge/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/eventbridge/latest/schema-reference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-security.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon EventBridge Schemas
](#amazoneventbridgeschemas-actions-as-permissions)
+ [

## Resource types defined by Amazon EventBridge Schemas
](#amazoneventbridgeschemas-resources-for-iam-policies)
+ [

## Condition keys for Amazon EventBridge Schemas
](#amazoneventbridgeschemas-policy-keys)

## Actions defined by Amazon EventBridge Schemas
<a name="amazoneventbridgeschemas-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoneventbridgeschemas-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgeschemas.html)

## Resource types defined by Amazon EventBridge Schemas
<a name="amazoneventbridgeschemas-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoneventbridgeschemas-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schema.html](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schema.html)  |  arn:\$1\$1Partition\$1:schemas:\$1\$1Region\$1:\$1\$1Account\$1:discoverer/\$1\$1DiscovererId\$1  |   [#amazoneventbridgeschemas-aws_ResourceTag___TagKey_](#amazoneventbridgeschemas-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schema.html](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schema.html)  |  arn:\$1\$1Partition\$1:schemas:\$1\$1Region\$1:\$1\$1Account\$1:registry/\$1\$1RegistryName\$1  |   [#amazoneventbridgeschemas-aws_ResourceTag___TagKey_](#amazoneventbridgeschemas-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schema.html](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schema.html)  |  arn:\$1\$1Partition\$1:schemas:\$1\$1Region\$1:\$1\$1Account\$1:schema/\$1\$1RegistryName\$1/\$1\$1SchemaName\$1  |   [#amazoneventbridgeschemas-aws_ResourceTag___TagKey_](#amazoneventbridgeschemas-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon EventBridge Schemas
<a name="amazoneventbridgeschemas-policy-keys"></a>

Amazon EventBridge Schemas defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Fault Injection Service
<a name="list_awsfaultinjectionservice"></a>

AWS Fault Injection Service (service prefix: `fis`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/fis/latest/userguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/fis/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/fis/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Fault Injection Service
](#awsfaultinjectionservice-actions-as-permissions)
+ [

## Resource types defined by AWS Fault Injection Service
](#awsfaultinjectionservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Fault Injection Service
](#awsfaultinjectionservice-policy-keys)

## Actions defined by AWS Fault Injection Service
<a name="awsfaultinjectionservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsfaultinjectionservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfaultinjectionservice.html)

## Resource types defined by AWS Fault Injection Service
<a name="awsfaultinjectionservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsfaultinjectionservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/actions.html](https://docs.aws.amazon.com/fis/latest/userguide/actions.html)  |  arn:\$1\$1Partition\$1:fis:\$1\$1Region\$1:\$1\$1Account\$1:action/\$1\$1Id\$1  |   [#awsfaultinjectionservice-aws_ResourceTag___TagKey_](#awsfaultinjectionservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/experiments.html](https://docs.aws.amazon.com/fis/latest/userguide/experiments.html)  |  arn:\$1\$1Partition\$1:fis:\$1\$1Region\$1:\$1\$1Account\$1:experiment/\$1\$1Id\$1  |   [#awsfaultinjectionservice-aws_ResourceTag___TagKey_](#awsfaultinjectionservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/working-with-templates.html](https://docs.aws.amazon.com/fis/latest/userguide/working-with-templates.html)  |  arn:\$1\$1Partition\$1:fis:\$1\$1Region\$1:\$1\$1Account\$1:experiment-template/\$1\$1Id\$1  |   [#awsfaultinjectionservice-aws_ResourceTag___TagKey_](#awsfaultinjectionservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/safety-lever.html](https://docs.aws.amazon.com/fis/latest/userguide/safety-lever.html)  |  arn:\$1\$1Partition\$1:fis:\$1\$1Region\$1:\$1\$1Account\$1:safety-lever/\$1\$1Id\$1  |  | 

## Condition keys for AWS Fault Injection Service
<a name="awsfaultinjectionservice-policy-keys"></a>

AWS Fault Injection Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/fis/latest/userguide/security_iam_service-with-iam.html)  | Filters access by the list of operations on the AWS service that is being affected by the AWS FIS action | ArrayOfString | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/fis/latest/userguide/security_iam_service-with-iam.html)  | Filters access by the percentage of calls being affected by the AWS FIS action | Numeric | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/fis/latest/userguide/security_iam_service-with-iam.html)  | Filters access by the AWS service that is being affected by the AWS FIS action | String | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/fis/latest/userguide/security_iam_service-with-iam.html)  | Filters access by the list of resource ARNs being targeted by the AWS FIS action | ArrayOfString | 

# Actions, resources, and condition keys for Amazon FinSpace
<a name="list_amazonfinspace"></a>

Amazon FinSpace (service prefix: `finspace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/finspace/latest/management-api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/finspace/latest/userguide/access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon FinSpace
](#amazonfinspace-actions-as-permissions)
+ [

## Resource types defined by Amazon FinSpace
](#amazonfinspace-resources-for-iam-policies)
+ [

## Condition keys for Amazon FinSpace
](#amazonfinspace-policy-keys)

## Actions defined by Amazon FinSpace
<a name="amazonfinspace-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonfinspace-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfinspace.html)

## Resource types defined by Amazon FinSpace
<a name="amazonfinspace-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonfinspace-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html)  |  arn:\$1\$1Partition\$1:finspace:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1EnvironmentId\$1  |   [#amazonfinspace-aws_ResourceTag___TagKey_](#amazonfinspace-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html)  |  arn:\$1\$1Partition\$1:finspace:\$1\$1Region\$1:\$1\$1Account\$1:user/\$1\$1UserId\$1  |   [#amazonfinspace-aws_ResourceTag___TagKey_](#amazonfinspace-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html)  |  arn:\$1\$1Partition\$1:finspace:\$1\$1Region\$1:\$1\$1Account\$1:kxEnvironment/\$1\$1EnvironmentId\$1  |   [#amazonfinspace-aws_ResourceTag___TagKey_](#amazonfinspace-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html)  |  arn:\$1\$1Partition\$1:finspace:\$1\$1Region\$1:\$1\$1Account\$1:kxEnvironment/\$1\$1EnvironmentId\$1/kxUser/\$1\$1UserName\$1  |   [#amazonfinspace-aws_ResourceTag___TagKey_](#amazonfinspace-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html)  |  arn:\$1\$1Partition\$1:finspace:\$1\$1Region\$1:\$1\$1Account\$1:kxEnvironment/\$1\$1EnvironmentId\$1/kxCluster/\$1\$1KxCluster\$1  |   [#amazonfinspace-aws_ResourceTag___TagKey_](#amazonfinspace-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html)  |  arn:\$1\$1Partition\$1:finspace:\$1\$1Region\$1:\$1\$1Account\$1:kxEnvironment/\$1\$1EnvironmentId\$1/kxDatabase/\$1\$1KxDatabase\$1  |   [#amazonfinspace-aws_ResourceTag___TagKey_](#amazonfinspace-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html)  |  arn:\$1\$1Partition\$1:finspace:\$1\$1Region\$1:\$1\$1Account\$1:kxEnvironment/\$1\$1EnvironmentId\$1/kxScalingGroup/\$1\$1KxScalingGroup\$1  |   [#amazonfinspace-aws_ResourceTag___TagKey_](#amazonfinspace-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html)  |  arn:\$1\$1Partition\$1:finspace:\$1\$1Region\$1:\$1\$1Account\$1:kxEnvironment/\$1\$1EnvironmentId\$1/kxDatabase/\$1\$1KxDatabase\$1/kxDataview/\$1\$1KxDataview\$1  |   [#amazonfinspace-aws_ResourceTag___TagKey_](#amazonfinspace-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html)  |  arn:\$1\$1Partition\$1:finspace:\$1\$1Region\$1:\$1\$1Account\$1:kxEnvironment/\$1\$1EnvironmentId\$1/kxVolume/\$1\$1KxVolume\$1  |   [#amazonfinspace-aws_ResourceTag___TagKey_](#amazonfinspace-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon FinSpace
<a name="amazonfinspace-policy-keys"></a>

Amazon FinSpace defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon FinSpace API
<a name="list_amazonfinspaceapi"></a>

Amazon FinSpace API (service prefix: `finspace-api`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/finspace/latest/data-api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/finspace/latest/userguide/temporary-credentials.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon FinSpace API
](#amazonfinspaceapi-actions-as-permissions)
+ [

## Resource types defined by Amazon FinSpace API
](#amazonfinspaceapi-resources-for-iam-policies)
+ [

## Condition keys for Amazon FinSpace API
](#amazonfinspaceapi-policy-keys)

## Actions defined by Amazon FinSpace API
<a name="amazonfinspaceapi-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonfinspaceapi-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/finspace/latest/data-api/API_GetProgrammaticAccessCredentials.html](https://docs.aws.amazon.com/finspace/latest/data-api/API_GetProgrammaticAccessCredentials.html)  | Grants permission to retrieve FinSpace programmatic access credentials | Read |   [#amazonfinspaceapi-credential](#amazonfinspaceapi-credential)   |  |  | 

## Resource types defined by Amazon FinSpace API
<a name="amazonfinspaceapi-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonfinspaceapi-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-example-policies.html)  |  arn:\$1\$1Partition\$1:finspace-api:\$1\$1Region\$1:\$1\$1Account\$1:/credentials/programmatic  |  | 

## Condition keys for Amazon FinSpace API
<a name="amazonfinspaceapi-policy-keys"></a>

FinSpace API has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Firewall Manager
<a name="list_awsfirewallmanager"></a>

AWS Firewall Manager (service prefix: `fms`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/waf/latest/developerguide/fms-auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Firewall Manager
](#awsfirewallmanager-actions-as-permissions)
+ [

## Resource types defined by AWS Firewall Manager
](#awsfirewallmanager-resources-for-iam-policies)
+ [

## Condition keys for AWS Firewall Manager
](#awsfirewallmanager-policy-keys)

## Actions defined by AWS Firewall Manager
<a name="awsfirewallmanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsfirewallmanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html)

## Resource types defined by AWS Firewall Manager
<a name="awsfirewallmanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsfirewallmanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_Policy.html](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_Policy.html)  |  arn:\$1\$1Partition\$1:fms:\$1\$1Region\$1:\$1\$1Account\$1:policy/\$1\$1Id\$1  |   [#awsfirewallmanager-aws_ResourceTag___TagKey_](#awsfirewallmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_AppsListData.html](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_AppsListData.html)  |  arn:\$1\$1Partition\$1:fms:\$1\$1Region\$1:\$1\$1Account\$1:applications-list/\$1\$1Id\$1  |   [#awsfirewallmanager-aws_ResourceTag___TagKey_](#awsfirewallmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_ProtocolsListData.html](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_ProtocolsListData.html)  |  arn:\$1\$1Partition\$1:fms:\$1\$1Region\$1:\$1\$1Account\$1:protocols-list/\$1\$1Id\$1  |   [#awsfirewallmanager-aws_ResourceTag___TagKey_](#awsfirewallmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_ResourceSet.html](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_ResourceSet.html)  |  arn:\$1\$1Partition\$1:fms:\$1\$1Region\$1:\$1\$1Account\$1:resource-set/\$1\$1Id\$1  |   [#awsfirewallmanager-aws_ResourceTag___TagKey_](#awsfirewallmanager-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Firewall Manager
<a name="awsfirewallmanager-policy-keys"></a>

AWS Firewall Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Forecast
<a name="list_amazonforecast"></a>

Amazon Forecast (service prefix: `forecast`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/forecast/latest/dg/what-is-forecast.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/forecast/latest/dg/api-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/forecast/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Forecast
](#amazonforecast-actions-as-permissions)
+ [

## Resource types defined by Amazon Forecast
](#amazonforecast-resources-for-iam-policies)
+ [

## Condition keys for Amazon Forecast
](#amazonforecast-policy-keys)

## Actions defined by Amazon Forecast
<a name="amazonforecast-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonforecast-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonforecast.html)

## Resource types defined by Amazon Forecast
<a name="amazonforecast-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonforecast-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateDataset.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateDataset.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:dataset/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateDatasetGroup.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateDatasetGroup.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:dataset-group/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateDatasetImportJob.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateDatasetImportJob.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:dataset-import-job/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/aws-forecast-choosing-recipes.html](https://docs.aws.amazon.com/forecast/latest/dg/aws-forecast-choosing-recipes.html)  |  arn:\$1\$1Partition\$1:forecast:::algorithm/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreatePredictor.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreatePredictor.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:predictor/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreatePredictorBacktestExportJob.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreatePredictorBacktestExportJob.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:predictor-backtest-export-job/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateForecast.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateForecast.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:forecast/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateForecastExportJob.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateForecastExportJob.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:forecast-export-job/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateExplainability.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateExplainability.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:explainability/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateExplainabilityExport.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateExplainabilityExport.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:explainability-export/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateMonitor.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateMonitor.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:monitor/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateWhatIfAnalysis.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateWhatIfAnalysis.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:what-if-analysis/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateWhatIfForecast.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateWhatIfForecast.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:what-if-forecast/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/API_CreateWhatIfForecastExport.html](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateWhatIfForecastExport.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:what-if-forecast-export/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/forecast/latest/dg/what-is-forecast.html](https://docs.aws.amazon.com/forecast/latest/dg/what-is-forecast.html)  |  arn:\$1\$1Partition\$1:forecast:\$1\$1Region\$1:\$1\$1Account\$1:forecast-endpoint/\$1\$1ResourceId\$1  |   [#amazonforecast-aws_ResourceTag___TagKey_](#amazonforecast-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Forecast
<a name="amazonforecast-policy-keys"></a>

Amazon Forecast defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Fraud Detector
<a name="list_amazonfrauddetector"></a>

Amazon Fraud Detector (service prefix: `frauddetector`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/frauddetector/latest/ug/what-is-frauddetector.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/frauddetector/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/frauddetector/latest/ug/assets.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Fraud Detector
](#amazonfrauddetector-actions-as-permissions)
+ [

## Resource types defined by Amazon Fraud Detector
](#amazonfrauddetector-resources-for-iam-policies)
+ [

## Condition keys for Amazon Fraud Detector
](#amazonfrauddetector-policy-keys)

## Actions defined by Amazon Fraud Detector
<a name="amazonfrauddetector-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonfrauddetector-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html)

## Resource types defined by Amazon Fraud Detector
<a name="amazonfrauddetector-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonfrauddetector-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:batch-prediction/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:detector/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:detector-version/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:entity-type/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:external-model/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:event-type/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:label/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:model/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:model-version/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:outcome/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:rule/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:variable/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:batch-import/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html#amazonfrauddetector-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:frauddetector:\$1\$1Region\$1:\$1\$1Account\$1:list/\$1\$1ResourcePath\$1  |   [#amazonfrauddetector-aws_ResourceTag___TagKey_](#amazonfrauddetector-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Fraud Detector
<a name="amazonfrauddetector-policy-keys"></a>

Amazon Fraud Detector defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Free Tier
<a name="list_awsfreetier"></a>

AWS Free Tier (service prefix: `freetier`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/) permission policies.

**Topics**
+ [

## Actions defined by AWS Free Tier
](#awsfreetier-actions-as-permissions)
+ [

## Resource types defined by AWS Free Tier
](#awsfreetier-resources-for-iam-policies)
+ [

## Condition keys for AWS Free Tier
](#awsfreetier-policy-keys)

## Actions defined by AWS Free Tier
<a name="awsfreetier-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsfreetier-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_freetier_GetAccountActivity.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_freetier_GetAccountActivity.html)  | Grants permission to get a specific activity record | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_freetier_GetAccountPlanState.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_freetier_GetAccountPlanState.html)  | Grants permission to get all of the information related to the state of the account plan related to Free Tier | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/tracking-free-tier-usage.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/tracking-free-tier-usage.html) [permission only] | Grants permission to get free tier alert preference (email address) | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/tracking-free-tier-usage.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/tracking-free-tier-usage.html)  | Grants permission to get free tier usage limits and MTD usage status | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_freetier_ListAccountActivities.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_freetier_ListAccountActivities.html)  | Grants permission to list available activities | List |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/tracking-free-tier-usage.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/tracking-free-tier-usage.html) [permission only] | Grants permission to set free tier alert preference (email address) | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_freetier_UpgradeAccountPlan.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_freetier_UpgradeAccountPlan.html)  | Grants permission to trigger an upgrade of account plan | Write |  |  |  | 

## Resource types defined by AWS Free Tier
<a name="awsfreetier-resources-for-iam-policies"></a>

AWS Free Tier does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Free Tier, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Free Tier
<a name="awsfreetier-policy-keys"></a>

Free Tier has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon FreeRTOS
<a name="list_amazonfreertos"></a>

Amazon FreeRTOS (service prefix: `freertos`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/freertos/latest/userguide/what-is-freertos.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/freertos/latest/userguide/what-is-freertos.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/freertos/latest/userguide/) permission policies.

**Topics**
+ [

## Actions defined by Amazon FreeRTOS
](#amazonfreertos-actions-as-permissions)
+ [

## Resource types defined by Amazon FreeRTOS
](#amazonfreertos-resources-for-iam-policies)
+ [

## Condition keys for Amazon FreeRTOS
](#amazonfreertos-policy-keys)

## Actions defined by Amazon FreeRTOS
<a name="amazonfreertos-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonfreertos-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfreertos.html)

## Resource types defined by Amazon FreeRTOS
<a name="amazonfreertos-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonfreertos-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/freertos/latest/userguide/freertos-ocw.html](https://docs.aws.amazon.com/freertos/latest/userguide/freertos-ocw.html)  |  arn:\$1\$1Partition\$1:freertos:\$1\$1Region\$1:\$1\$1Account\$1:configuration/\$1\$1ConfigurationName\$1  |   [#amazonfreertos-aws_ResourceTag___TagKey_](#amazonfreertos-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/freertos/latest/userguide/freertos-getting-started-emp.html](https://docs.aws.amazon.com/freertos/latest/userguide/freertos-getting-started-emp.html)  |  arn:\$1\$1Partition\$1:freertos:\$1\$1Region\$1:\$1\$1Account\$1:subscription/\$1\$1SubscriptionID\$1  |   [#amazonfreertos-aws_ResourceTag___TagKey_](#amazonfreertos-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon FreeRTOS
<a name="amazonfreertos-policy-keys"></a>

Amazon FreeRTOS defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tag key present in the request that the user makes to Amazon FreeRTOS | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key component attached to an Amazon FreeRTOS resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the list of all the tag key names associated with the resource in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon FSx
<a name="list_amazonfsx"></a>

Amazon FSx (service prefix: `fsx`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/fsx/latest/APIReference/welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon FSx
](#amazonfsx-actions-as-permissions)
+ [

## Resource types defined by Amazon FSx
](#amazonfsx-resources-for-iam-policies)
+ [

## Condition keys for Amazon FSx
](#amazonfsx-policy-keys)

## Actions defined by Amazon FSx
<a name="amazonfsx-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonfsx-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfsx.html)

## Resource types defined by Amazon FSx
<a name="amazonfsx-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonfsx-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).

**Note**  
Amazon FSx for Windows File Server, Lustre, and Ontap share some of the same resource types, with the same ARN format for each.


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/fsx/latest/WindowsGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:fsx:\$1\$1Region\$1:\$1\$1Account\$1:file-system/\$1\$1FileSystemId\$1  |   [#amazonfsx-aws_ResourceTag___TagKey_](#amazonfsx-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fsx/latest/FileCacheGuide/security-iam.html](https://docs.aws.amazon.com/fsx/latest/FileCacheGuide/security-iam.html)  |  arn:\$1\$1Partition\$1:fsx:\$1\$1Region\$1:\$1\$1Account\$1:file-cache/\$1\$1FileCacheId\$1  |   [#amazonfsx-aws_ResourceTag___TagKey_](#amazonfsx-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fsx/latest/WindowsGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:fsx:\$1\$1Region\$1:\$1\$1Account\$1:backup/\$1\$1BackupId\$1  |   [#amazonfsx-aws_ResourceTag___TagKey_](#amazonfsx-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/security-iam.html](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/security-iam.html)  |  arn:\$1\$1Partition\$1:fsx:\$1\$1Region\$1:\$1\$1Account\$1:storage-virtual-machine/\$1\$1FileSystemId\$1/\$1\$1StorageVirtualMachineId\$1  |   [#amazonfsx-aws_ResourceTag___TagKey_](#amazonfsx-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fsx/latest/LustreGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/fsx/latest/LustreGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:fsx:\$1\$1Region\$1:\$1\$1Account\$1:task/\$1\$1TaskId\$1  |   [#amazonfsx-aws_ResourceTag___TagKey_](#amazonfsx-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fsx/latest/LustreGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/fsx/latest/LustreGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:fsx:\$1\$1Region\$1:\$1\$1Account\$1:association/\$1\$1FileSystemIdOrFileCacheId\$1/\$1\$1DataRepositoryAssociationId\$1  |   [#amazonfsx-aws_ResourceTag___TagKey_](#amazonfsx-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/security-iam.html](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/security-iam.html)  |  arn:\$1\$1Partition\$1:fsx:\$1\$1Region\$1:\$1\$1Account\$1:volume/\$1\$1FileSystemId\$1/\$1\$1VolumeId\$1  |   [#amazonfsx-aws_ResourceTag___TagKey_](#amazonfsx-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:fsx:\$1\$1Region\$1:\$1\$1Account\$1:snapshot/\$1\$1VolumeId\$1/\$1\$1SnapshotId\$1  |   [#amazonfsx-aws_ResourceTag___TagKey_](#amazonfsx-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon FSx
<a name="amazonfsx-policy-keys"></a>

Amazon FSx defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/fsx/latest/WindowsGuide/using-backups.html#copy-backups](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/using-backups.html#copy-backups)  | Filters access by whether the backup is a destination backup for a CopyBackup operation | Bool | 
|   [https://docs.aws.amazon.com/fsx/latest/WindowsGuide/using-backups.html#copy-backups](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/using-backups.html#copy-backups)  | Filters access by whether the backup is a source backup for a CopyBackup operation | Bool | 
|   [https://docs.aws.amazon.com/fsx/latest/FileCacheGuide/encryption-in-transit.html](https://docs.aws.amazon.com/fsx/latest/FileCacheGuide/encryption-in-transit.html)  | Filters access by NFS data repositories which support authentication | Bool | 
|   [https://docs.aws.amazon.com/fsx/latest/FileCacheGuide/encryption-in-transit.html](https://docs.aws.amazon.com/fsx/latest/FileCacheGuide/encryption-in-transit.html)  | Filters access by NFS data repositories which support encryption-in-transit | Bool | 
|   [https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/creating-volumes.html](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/creating-volumes.html)  | Filters access by the containing parent volume for mutating volume operations | String | 
|   [https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/creating-volumes.html](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/creating-volumes.html)  | Filters access by the containing storage virtual machine for a volume for mutating volume operations | String | 

# Actions, resources, and condition keys for Amazon GameLift Servers
<a name="list_amazongameliftservers"></a>

Amazon GameLift Servers (service prefix: `gamelift`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/gameliftservers/latest/developerguide/gamelift-intro.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/gameliftservers/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/gameliftservers/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon GameLift Servers
](#amazongameliftservers-actions-as-permissions)
+ [

## Resource types defined by Amazon GameLift Servers
](#amazongameliftservers-resources-for-iam-policies)
+ [

## Condition keys for Amazon GameLift Servers
](#amazongameliftservers-policy-keys)

## Actions defined by Amazon GameLift Servers
<a name="amazongameliftservers-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazongameliftservers-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongameliftservers.html)

## Resource types defined by Amazon GameLift Servers
<a name="amazongameliftservers-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazongameliftservers-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/developerguide/gamelift-console-aliases.html](https://docs.aws.amazon.com/gameliftservers/latest/developerguide/gamelift-console-aliases.html)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1::alias/\$1\$1AliasId\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/developerguide/gamelift-console-builds.html](https://docs.aws.amazon.com/gameliftservers/latest/developerguide/gamelift-console-builds.html)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1:\$1\$1Account\$1:build/\$1\$1BuildId\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/developerguide/containers-intro.html](https://docs.aws.amazon.com/gameliftservers/latest/developerguide/containers-intro.html)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1:\$1\$1Account\$1:containergroupdefinition/\$1\$1Name\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/developerguide/containers-intro.html](https://docs.aws.amazon.com/gameliftservers/latest/developerguide/containers-intro.html)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1:\$1\$1Account\$1:containerfleet/\$1\$1FleetId\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/developerguide/gamelift-console-fleets.html](https://docs.aws.amazon.com/gameliftservers/latest/developerguide/gamelift-console-fleets.html)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1:\$1\$1Account\$1:fleet/\$1\$1FleetId\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/fleetiqguide/gsg-integrate-gameservergroup.html](https://docs.aws.amazon.com/gameliftservers/latest/fleetiqguide/gsg-integrate-gameservergroup.html)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1:\$1\$1Account\$1:gameservergroup/\$1\$1GameServerGroupName\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/developerguide/queues-console.html](https://docs.aws.amazon.com/gameliftservers/latest/developerguide/queues-console.html)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1:\$1\$1Account\$1:gamesessionqueue/\$1\$1GameSessionQueueName\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/developerguide/fleets-creating-anywhere.html#fleet-anywhere-location](https://docs.aws.amazon.com/gameliftservers/latest/developerguide/fleets-creating-anywhere.html#fleet-anywhere-location)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1:\$1\$1Account\$1:location/\$1\$1LocationId\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/flexmatchguide/match-create-configuration.html](https://docs.aws.amazon.com/gameliftservers/latest/flexmatchguide/match-create-configuration.html)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1:\$1\$1Account\$1:matchmakingconfiguration/\$1\$1MatchmakingConfigurationName\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/flexmatchguide/match-rulesets.html](https://docs.aws.amazon.com/gameliftservers/latest/flexmatchguide/match-rulesets.html)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1:\$1\$1Account\$1:matchmakingruleset/\$1\$1MatchmakingRuleSetName\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftservers/latest/realtimeguide/realtime-intro.html](https://docs.aws.amazon.com/gameliftservers/latest/realtimeguide/realtime-intro.html)  |  arn:\$1\$1Partition\$1:gamelift:\$1\$1Region\$1:\$1\$1Account\$1:script/\$1\$1ScriptId\$1  |   [#amazongameliftservers-aws_ResourceTag___TagKey_](#amazongameliftservers-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon GameLift Servers
<a name="amazongameliftservers-policy-keys"></a>

Amazon GameLift Servers defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon GameLift Streams
<a name="list_amazongameliftstreams"></a>

Amazon GameLift Streams (service prefix: `gameliftstreams`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/gameliftstreams/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon GameLift Streams
](#amazongameliftstreams-actions-as-permissions)
+ [

## Resource types defined by Amazon GameLift Streams
](#amazongameliftstreams-resources-for-iam-policies)
+ [

## Condition keys for Amazon GameLift Streams
](#amazongameliftstreams-policy-keys)

## Actions defined by Amazon GameLift Streams
<a name="amazongameliftstreams-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazongameliftstreams-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongameliftstreams.html)

## Resource types defined by Amazon GameLift Streams
<a name="amazongameliftstreams-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazongameliftstreams-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/applications.html](https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/applications.html)  |  arn:\$1\$1Partition\$1:gameliftstreams:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1  |   [#amazongameliftstreams-aws_ResourceTag___TagKey_](#amazongameliftstreams-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/stream-groups.html](https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/stream-groups.html)  |  arn:\$1\$1Partition\$1:gameliftstreams:\$1\$1Region\$1:\$1\$1Account\$1:streamgroup/\$1\$1StreamGroupId\$1  |   [#amazongameliftstreams-aws_ResourceTag___TagKey_](#amazongameliftstreams-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon GameLift Streams
<a name="amazongameliftstreams-policy-keys"></a>

Amazon GameLift Streams defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Global Accelerator
<a name="list_awsglobalaccelerator"></a>

AWS Global Accelerator (service prefix: `globalaccelerator`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global-accelerator.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/global-accelerator/latest/dg/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Global Accelerator
](#awsglobalaccelerator-actions-as-permissions)
+ [

## Resource types defined by AWS Global Accelerator
](#awsglobalaccelerator-resources-for-iam-policies)
+ [

## Condition keys for AWS Global Accelerator
](#awsglobalaccelerator-policy-keys)

## Actions defined by AWS Global Accelerator
<a name="awsglobalaccelerator-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsglobalaccelerator-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglobalaccelerator.html)

## Resource types defined by AWS Global Accelerator
<a name="awsglobalaccelerator-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsglobalaccelerator-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/global-accelerator/latest/api/API_Accelerator.html](https://docs.aws.amazon.com/global-accelerator/latest/api/API_Accelerator.html)  |  arn:\$1\$1Partition\$1:globalaccelerator::\$1\$1Account\$1:accelerator/\$1\$1ResourceId\$1  |   [#awsglobalaccelerator-aws_ResourceTag___TagKey_](#awsglobalaccelerator-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/global-accelerator/latest/api/API_Listener.html](https://docs.aws.amazon.com/global-accelerator/latest/api/API_Listener.html)  |  arn:\$1\$1Partition\$1:globalaccelerator::\$1\$1Account\$1:accelerator/\$1\$1ResourceId\$1/listener/\$1\$1ListenerId\$1  |   [#awsglobalaccelerator-aws_ResourceTag___TagKey_](#awsglobalaccelerator-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/global-accelerator/latest/api/API_EndpointGroup.html](https://docs.aws.amazon.com/global-accelerator/latest/api/API_EndpointGroup.html)  |  arn:\$1\$1Partition\$1:globalaccelerator::\$1\$1Account\$1:accelerator/\$1\$1ResourceId\$1/listener/\$1\$1ListenerId\$1/endpoint-group/\$1\$1EndpointGroupId\$1  |   [#awsglobalaccelerator-aws_ResourceTag___TagKey_](#awsglobalaccelerator-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/global-accelerator/latest/api/API_CrossAccountAttachment.html](https://docs.aws.amazon.com/global-accelerator/latest/api/API_CrossAccountAttachment.html)  |  arn:\$1\$1Partition\$1:globalaccelerator::\$1\$1Account\$1:attachment/\$1\$1ResourceId\$1  |   [#awsglobalaccelerator-aws_ResourceTag___TagKey_](#awsglobalaccelerator-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Global Accelerator
<a name="awsglobalaccelerator-policy-keys"></a>

AWS Global Accelerator defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Glue
<a name="list_awsglue"></a>

AWS Glue (service prefix: `glue`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/glue/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/glue/latest/dg/aws-glue-api.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/glue/latest/dg/authentication-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Glue
](#awsglue-actions-as-permissions)
+ [

## Resource types defined by AWS Glue
](#awsglue-resources-for-iam-policies)
+ [

## Condition keys for AWS Glue
](#awsglue-policy-keys)

## Actions defined by AWS Glue
<a name="awsglue-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsglue-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglue.html)

## Resource types defined by AWS Glue
<a name="awsglue-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsglue-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:catalog  |  | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1CatalogName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:database/\$1\$1DatabaseName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:table/\$1\$1DatabaseName\$1/\$1\$1TableName\$1  |  | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:tableVersion/\$1\$1DatabaseName\$1/\$1\$1TableName\$1/\$1\$1TableVersionName\$1  |  | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:connection/\$1\$1ConnectionName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:userDefinedFunction/\$1\$1DatabaseName\$1/\$1\$1UserDefinedFunctionName\$1  |  | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:devEndpoint/\$1\$1DevEndpointName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:job/\$1\$1JobName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:trigger/\$1\$1TriggerName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:crawler/\$1\$1CrawlerName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:workflow/\$1\$1WorkflowName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:blueprint/\$1\$1BlueprintName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:mlTransform/\$1\$1TransformId\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:registry/\$1\$1RegistryName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:schema/\$1\$1SchemaName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:session/\$1\$1SessionId\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:usageProfile/\$1\$1UsageProfileId\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:dataQualityRuleset/\$1\$1RulesetName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:customEntityType/\$1\$1CustomEntityTypeId\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:completion/\$1\$1CompletionId\$1  |  | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:integration:\$1\$1IntegrationId\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:connectionType:\$1\$1ConnectionTypeName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html](https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html)  |  arn:\$1\$1Partition\$1:glue:\$1\$1Region\$1:\$1\$1Account\$1:integrationresourceproperty/\$1\$1ResourceType\$1/\$1\$1ResourceName\$1  |   [#awsglue-aws_ResourceTag___TagKey_](#awsglue-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Glue
<a name="awsglue-policy-keys"></a>

AWS Glue defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys](https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys)  | Filters access by the service from which the credentials of the request is issued | String | 
|   [https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys](https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys)  | Filters access by the presence of the key configured for role's identity-based policy | Bool | 
|   [https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys](https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys)  | Filters access by whether the resource belongs to federated authorization | String | 
|   [https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys](https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys)  | Filters access by whether Lake Formation permission checks will be performed for a given caller and the Glue resource | String | 
|   [https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys](https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys)  | Filters access by the service from which the credentials of the request is obtained by assuming the customer role | String | 
|   [https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys](https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys)  | Filters access by the ID of security groups configured for the Glue job | ArrayOfString | 
|   [https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys](https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys)  | Filters access by the ID of subnets configured for the Glue job | ArrayOfString | 
|   [https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys](https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html#glue-identity-based-policy-condition-keys)  | Filters access by the ID of the VPC configured for the Glue job | ArrayOfString | 

# Actions, resources, and condition keys for AWS Glue DataBrew
<a name="list_awsgluedatabrew"></a>

AWS Glue DataBrew (service prefix: `databrew`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/databrew/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/databrew/latest/dg/api-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/databrew/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Glue DataBrew
](#awsgluedatabrew-actions-as-permissions)
+ [

## Resource types defined by AWS Glue DataBrew
](#awsgluedatabrew-resources-for-iam-policies)
+ [

## Condition keys for AWS Glue DataBrew
](#awsgluedatabrew-policy-keys)

## Actions defined by AWS Glue DataBrew
<a name="awsgluedatabrew-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsgluedatabrew-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgluedatabrew.html)

## Resource types defined by AWS Glue DataBrew
<a name="awsgluedatabrew-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsgluedatabrew-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/databrew/latest/dg/projects.html](https://docs.aws.amazon.com/databrew/latest/dg/projects.html)  |  arn:\$1\$1Partition\$1:databrew:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ResourceId\$1  |   [#awsgluedatabrew-aws_ResourceTag___TagKey_](#awsgluedatabrew-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/databrew/latest/dg/datasets.html](https://docs.aws.amazon.com/databrew/latest/dg/datasets.html)  |  arn:\$1\$1Partition\$1:databrew:\$1\$1Region\$1:\$1\$1Account\$1:dataset/\$1\$1ResourceId\$1  |   [#awsgluedatabrew-aws_ResourceTag___TagKey_](#awsgluedatabrew-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/databrew/latest/dg/rulesets.html](https://docs.aws.amazon.com/databrew/latest/dg/rulesets.html)  |  arn:\$1\$1Partition\$1:databrew:\$1\$1Region\$1:\$1\$1Account\$1:ruleset/\$1\$1ResourceId\$1  |   [#awsgluedatabrew-aws_ResourceTag___TagKey_](#awsgluedatabrew-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/databrew/latest/dg/recipes.html](https://docs.aws.amazon.com/databrew/latest/dg/recipes.html)  |  arn:\$1\$1Partition\$1:databrew:\$1\$1Region\$1:\$1\$1Account\$1:recipe/\$1\$1ResourceId\$1  |   [#awsgluedatabrew-aws_ResourceTag___TagKey_](#awsgluedatabrew-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/databrew/latest/dg/jobs.html](https://docs.aws.amazon.com/databrew/latest/dg/jobs.html)  |  arn:\$1\$1Partition\$1:databrew:\$1\$1Region\$1:\$1\$1Account\$1:job/\$1\$1ResourceId\$1  |   [#awsgluedatabrew-aws_ResourceTag___TagKey_](#awsgluedatabrew-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/databrew/latest/dg/jobs.html#jobs.scheduling](https://docs.aws.amazon.com/databrew/latest/dg/jobs.html#jobs.scheduling)  |  arn:\$1\$1Partition\$1:databrew:\$1\$1Region\$1:\$1\$1Account\$1:schedule/\$1\$1ResourceId\$1  |   [#awsgluedatabrew-aws_ResourceTag___TagKey_](#awsgluedatabrew-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Glue DataBrew
<a name="awsgluedatabrew-policy-keys"></a>

AWS Glue DataBrew defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Ground Station
<a name="list_awsgroundstation"></a>

AWS Ground Station (service prefix: `groundstation`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ground-station/latest/ug/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ground-station/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ground-station/latest/ug/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Ground Station
](#awsgroundstation-actions-as-permissions)
+ [

## Resource types defined by AWS Ground Station
](#awsgroundstation-resources-for-iam-policies)
+ [

## Condition keys for AWS Ground Station
](#awsgroundstation-policy-keys)

## Actions defined by AWS Ground Station
<a name="awsgroundstation-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsgroundstation-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgroundstation.html)

## Resource types defined by AWS Ground Station
<a name="awsgroundstation-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsgroundstation-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_ConfigListItem.html](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_ConfigListItem.html)  |  arn:\$1\$1Partition\$1:groundstation:\$1\$1Region\$1:\$1\$1Account\$1:config/\$1\$1ConfigType\$1/\$1\$1ConfigId\$1  |   [#awsgroundstation-aws_ResourceTag___TagKey_](#awsgroundstation-aws_ResourceTag___TagKey_)   [#awsgroundstation-groundstation_ConfigId](#awsgroundstation-groundstation_ConfigId)   [#awsgroundstation-groundstation_ConfigType](#awsgroundstation-groundstation_ConfigType)   | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_ContactData.html](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_ContactData.html)  |  arn:\$1\$1Partition\$1:groundstation:\$1\$1Region\$1:\$1\$1Account\$1:contact/\$1\$1ContactId\$1  |   [#awsgroundstation-aws_ResourceTag___TagKey_](#awsgroundstation-aws_ResourceTag___TagKey_)   [#awsgroundstation-groundstation_ContactId](#awsgroundstation-groundstation_ContactId)   | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_DataflowEndpoint.html](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_DataflowEndpoint.html)  |  arn:\$1\$1Partition\$1:groundstation:\$1\$1Region\$1:\$1\$1Account\$1:dataflow-endpoint-group/\$1\$1DataflowEndpointGroupId\$1  |   [#awsgroundstation-aws_ResourceTag___TagKey_](#awsgroundstation-aws_ResourceTag___TagKey_)   [#awsgroundstation-groundstation_DataflowEndpointGroupId](#awsgroundstation-groundstation_DataflowEndpointGroupId)   | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_EphemerisItem.html](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_EphemerisItem.html)  |  arn:\$1\$1Partition\$1:groundstation:\$1\$1Region\$1:\$1\$1Account\$1:ephemeris/\$1\$1EphemerisId\$1  |   [#awsgroundstation-aws_ResourceTag___TagKey_](#awsgroundstation-aws_ResourceTag___TagKey_)   [#awsgroundstation-groundstation_EphemerisId](#awsgroundstation-groundstation_EphemerisId)   | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_GroundStationData.html](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_GroundStationData.html)  |  arn:\$1\$1Partition\$1:groundstation:\$1\$1Region\$1:\$1\$1Account\$1:groundstation:\$1\$1GroundStationId\$1  |   [#awsgroundstation-groundstation_GroundStationId](#awsgroundstation-groundstation_GroundStationId)   | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_MissionProfileListItem.html](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_MissionProfileListItem.html)  |  arn:\$1\$1Partition\$1:groundstation:\$1\$1Region\$1:\$1\$1Account\$1:mission-profile/\$1\$1MissionProfileId\$1  |   [#awsgroundstation-aws_ResourceTag___TagKey_](#awsgroundstation-aws_ResourceTag___TagKey_)   [#awsgroundstation-groundstation_MissionProfileId](#awsgroundstation-groundstation_MissionProfileId)   | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_SatelliteListItem.html](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_SatelliteListItem.html)  |  arn:\$1\$1Partition\$1:groundstation:\$1\$1Region\$1:\$1\$1Account\$1:satellite/\$1\$1SatelliteId\$1  |   [#awsgroundstation-groundstation_SatelliteId](#awsgroundstation-groundstation_SatelliteId)   | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_AgentDetails.html](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_AgentDetails.html)  |  arn:\$1\$1Partition\$1:groundstation:\$1\$1Region\$1:\$1\$1Account\$1:agent/\$1\$1AgentId\$1  |   [#awsgroundstation-groundstation_AgentId](#awsgroundstation-groundstation_AgentId)   | 

## Condition keys for AWS Ground Station
<a name="awsgroundstation-policy-keys"></a>

AWS Ground Station defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_RegisterAgent.html#groundstation-RegisterAgent-response-agentId](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_RegisterAgent.html#groundstation-RegisterAgent-response-agentId)  | Filters access by the ID of an agent | String | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_CreateConfig.html#groundstation-CreateConfig-response-configId](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_CreateConfig.html#groundstation-CreateConfig-response-configId)  | Filters access by the ID of a config | String | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_CreateConfig.html#groundstation-CreateConfig-response-configType](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_CreateConfig.html#groundstation-CreateConfig-response-configType)  | Filters access by the type of a config | String | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_ReserveContact.html#groundstation-ReserveContact-response-contactId](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_ReserveContact.html#groundstation-ReserveContact-response-contactId)  | Filters access by the ID of a contact | String | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_CreateDataflowEndpointGroup.html#groundstation-CreateDataflowEndpointGroup-response-dataflowEndpointGroupId](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_CreateDataflowEndpointGroup.html#groundstation-CreateDataflowEndpointGroup-response-dataflowEndpointGroupId)  | Filters access by the ID of a dataflow endpoint group | String | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_CreateEphemeris.html#groundstation-CreateEphemeris-response-ephemerisId](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_CreateEphemeris.html#groundstation-CreateEphemeris-response-ephemerisId)  | Filters access by the ID of an ephemeris | String | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_GroundStationData.html#groundstation-Type-GroundStationData-groundStationId](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_GroundStationData.html#groundstation-Type-GroundStationData-groundStationId)  | Filters access by the ID of a ground station | String | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_CreateMissionProfile.html#groundstation-CreateMissionProfile-response-missionProfileId](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_CreateMissionProfile.html#groundstation-CreateMissionProfile-response-missionProfileId)  | Filters access by the ID of a mission profile | String | 
|   [https://docs.aws.amazon.com/ground-station/latest/APIReference/API_SatelliteListItem.html#groundstation-Type-SatelliteListItem-satelliteId](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_SatelliteListItem.html#groundstation-Type-SatelliteListItem-satelliteId)  | Filters access by the ID of a satellite | String | 

# Actions, resources, and condition keys for Amazon GroundTruth Labeling
<a name="list_amazongroundtruthlabeling"></a>

Amazon GroundTruth Labeling (service prefix: `groundtruthlabeling`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/sagemaker/latest/dg/whatis.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/sagemaker/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon GroundTruth Labeling
](#amazongroundtruthlabeling-actions-as-permissions)
+ [

## Resource types defined by Amazon GroundTruth Labeling
](#amazongroundtruthlabeling-resources-for-iam-policies)
+ [

## Condition keys for Amazon GroundTruth Labeling
](#amazongroundtruthlabeling-policy-keys)

## Actions defined by Amazon GroundTruth Labeling
<a name="amazongroundtruthlabeling-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazongroundtruthlabeling-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to associate a patch file with the manifest file to update the manifest file | Write |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to create a GT\$1 Batch | Write |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to create intake form | Write |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to create a GT\$1 Project | Write |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to create a GT\$1 Workflow Definition | Write |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to get status of GroundTruthLabeling Jobs | Read |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to generate LiDAR Preview Task | Write |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to get a GT\$1 Batch | Read |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to get a intake forms | Read |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to list a GT\$1 Batchs | Read |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to list dataset objects in a manifest file | Read |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to list a GT\$1 Projects | Read |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-data-filtering](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-data-filtering) [permission only] | Grants permission to filter records from a manifest file using S3 select. Get sample entries based on random sampling | Write |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to list a S3 prefix and create manifest files from objects in that location | Write |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to generate metrics from objects in manifest | Write |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-data-input.html#sms-console-create-manifest-file) [permission only] | Grants permission to update a GT\$1 Batch | Write |  |  |  | 

## Resource types defined by Amazon GroundTruth Labeling
<a name="amazongroundtruthlabeling-resources-for-iam-policies"></a>

Amazon GroundTruth Labeling does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon GroundTruth Labeling, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon GroundTruth Labeling
<a name="amazongroundtruthlabeling-policy-keys"></a>

GroundTruth Labeling has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon GuardDuty
<a name="list_amazonguardduty"></a>

Amazon GuardDuty (service prefix: `guardduty`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/guardduty/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon GuardDuty
](#amazonguardduty-actions-as-permissions)
+ [

## Resource types defined by Amazon GuardDuty
](#amazonguardduty-resources-for-iam-policies)
+ [

## Condition keys for Amazon GuardDuty
](#amazonguardduty-policy-keys)

## Actions defined by Amazon GuardDuty
<a name="amazonguardduty-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonguardduty-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonguardduty.html)

## Resource types defined by Amazon GuardDuty
<a name="amazonguardduty-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonguardduty-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources)  |  arn:\$1\$1Partition\$1:guardduty:\$1\$1Region\$1:\$1\$1Account\$1:detector/\$1\$1DetectorId\$1  |   [#amazonguardduty-aws_ResourceTag___TagKey_](#amazonguardduty-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources)  |  arn:\$1\$1Partition\$1:guardduty:\$1\$1Region\$1:\$1\$1Account\$1:detector/\$1\$1DetectorId\$1/filter/\$1\$1FilterName\$1  |   [#amazonguardduty-aws_ResourceTag___TagKey_](#amazonguardduty-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources)  |  arn:\$1\$1Partition\$1:guardduty:\$1\$1Region\$1:\$1\$1Account\$1:detector/\$1\$1DetectorId\$1/ipset/\$1\$1IPSetId\$1  |   [#amazonguardduty-aws_ResourceTag___TagKey_](#amazonguardduty-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources)  |  arn:\$1\$1Partition\$1:guardduty:\$1\$1Region\$1:\$1\$1Account\$1:detector/\$1\$1DetectorId\$1/threatintelset/\$1\$1ThreatIntelSetId\$1  |   [#amazonguardduty-aws_ResourceTag___TagKey_](#amazonguardduty-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources)  |  arn:\$1\$1Partition\$1:guardduty:\$1\$1Region\$1:\$1\$1Account\$1:detector/\$1\$1DetectorId\$1/trustedentityset/\$1\$1TrustedEntitySetId\$1  |   [#amazonguardduty-aws_ResourceTag___TagKey_](#amazonguardduty-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources)  |  arn:\$1\$1Partition\$1:guardduty:\$1\$1Region\$1:\$1\$1Account\$1:detector/\$1\$1DetectorId\$1/threatentityset/\$1\$1ThreatEntitySetId\$1  |   [#amazonguardduty-aws_ResourceTag___TagKey_](#amazonguardduty-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources)  |  arn:\$1\$1Partition\$1:guardduty:\$1\$1Region\$1:\$1\$1Account\$1:detector/\$1\$1DetectorId\$1/publishingdestination/\$1\$1PublishingDestinationId\$1  |   [#amazonguardduty-aws_ResourceTag___TagKey_](#amazonguardduty-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html#guardduty-resources)  |  arn:\$1\$1Partition\$1:guardduty:\$1\$1Region\$1:\$1\$1Account\$1:malware-protection-plan/\$1\$1MalwareProtectionPlanId\$1  |   [#amazonguardduty-aws_ResourceTag___TagKey_](#amazonguardduty-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon GuardDuty
<a name="amazonguardduty-policy-keys"></a>

Amazon GuardDuty defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Health APIs and Notifications
<a name="list_awshealthapisandnotifications"></a>

AWS Health APIs and Notifications (service prefix: `health`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/health/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/health/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/health/latest/ug/controlling-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Health APIs and Notifications
](#awshealthapisandnotifications-actions-as-permissions)
+ [

## Resource types defined by AWS Health APIs and Notifications
](#awshealthapisandnotifications-resources-for-iam-policies)
+ [

## Condition keys for AWS Health APIs and Notifications
](#awshealthapisandnotifications-policy-keys)

## Actions defined by AWS Health APIs and Notifications
<a name="awshealthapisandnotifications-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awshealthapisandnotifications-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthapisandnotifications.html)

## Resource types defined by AWS Health APIs and Notifications
<a name="awshealthapisandnotifications-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awshealthapisandnotifications-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/health/latest/ug/supported-operations.html](https://docs.aws.amazon.com/health/latest/ug/supported-operations.html)  |  arn:\$1\$1Partition\$1:health:\$1::event/\$1\$1Service\$1/\$1\$1EventTypeCode\$1/\$1  |  | 

## Condition keys for AWS Health APIs and Notifications
<a name="awshealthapisandnotifications-policy-keys"></a>

AWS Health APIs and Notifications defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/health/latest/ug/controlling-access.html](https://docs.aws.amazon.com/health/latest/ug/controlling-access.html)  | Filters access by event type | String | 
|   [https://docs.aws.amazon.com/health/latest/ug/controlling-access.html](https://docs.aws.amazon.com/health/latest/ug/controlling-access.html)  | Filters access by impacted service | String | 

# Actions, resources, and condition keys for AWS HealthImaging
<a name="list_awshealthimaging"></a>

AWS HealthImaging (service prefix: `medical-imaging`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/healthimaging/latest/devguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/healthimaging/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/healthimaging/latest/devguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS HealthImaging
](#awshealthimaging-actions-as-permissions)
+ [

## Resource types defined by AWS HealthImaging
](#awshealthimaging-resources-for-iam-policies)
+ [

## Condition keys for AWS HealthImaging
](#awshealthimaging-policy-keys)

## Actions defined by AWS HealthImaging
<a name="awshealthimaging-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awshealthimaging-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html)

## Resource types defined by AWS HealthImaging
<a name="awshealthimaging-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awshealthimaging-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/healthimaging/latest/devguide/API_DatastoreProperties.html](https://docs.aws.amazon.com/healthimaging/latest/devguide/API_DatastoreProperties.html)  |  arn:\$1\$1Partition\$1:medical-imaging:\$1\$1Region\$1:\$1\$1Account\$1:datastore/\$1\$1DatastoreId\$1  |   [#awshealthimaging-aws_ResourceTag___TagKey_](#awshealthimaging-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/healthimaging/latest/devguide/API_ImageSetProperties.html](https://docs.aws.amazon.com/healthimaging/latest/devguide/API_ImageSetProperties.html)  |  arn:\$1\$1Partition\$1:medical-imaging:\$1\$1Region\$1:\$1\$1Account\$1:datastore/\$1\$1DatastoreId\$1/imageset/\$1\$1ImageSetId\$1  |   [#awshealthimaging-aws_ResourceTag___TagKey_](#awshealthimaging-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS HealthImaging
<a name="awshealthimaging-policy-keys"></a>

AWS HealthImaging defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html#awshealthimaging-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html#awshealthimaging-policy-keys)  | Filters access by the SeriesInstanceUID parameter in the request | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html#awshealthimaging-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html#awshealthimaging-policy-keys)  | Filters access by the StudyInstanceUID parameter in the request | String | 

# Actions, resources, and condition keys for AWS HealthLake
<a name="list_awshealthlake"></a>

AWS HealthLake (service prefix: `healthlake`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/healthlake/latest/devguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/healthlake/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/healthlake/latest/devguide/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS HealthLake
](#awshealthlake-actions-as-permissions)
+ [

## Resource types defined by AWS HealthLake
](#awshealthlake-resources-for-iam-policies)
+ [

## Condition keys for AWS HealthLake
](#awshealthlake-policy-keys)

## Actions defined by AWS HealthLake
<a name="awshealthlake-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awshealthlake-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html)

## Resource types defined by AWS HealthLake
<a name="awshealthlake-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awshealthlake-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/healthlake/latest/APIReference/API_DatastoreProperties.html](https://docs.aws.amazon.com/healthlake/latest/APIReference/API_DatastoreProperties.html)  |  arn:\$1\$1Partition\$1:healthlake:\$1\$1Region\$1:\$1\$1Account\$1:datastore/fhir/\$1\$1DatastoreId\$1  |   [#awshealthlake-aws_ResourceTag___TagKey_](#awshealthlake-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS HealthLake
<a name="awshealthlake-policy-keys"></a>

AWS HealthLake defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS HealthOmics
<a name="list_awshealthomics"></a>

AWS HealthOmics (service prefix: `omics`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/omics/latest/dev/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/omics/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/omics/latest/dev/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS HealthOmics
](#awshealthomics-actions-as-permissions)
+ [

## Resource types defined by AWS HealthOmics
](#awshealthomics-resources-for-iam-policies)
+ [

## Condition keys for AWS HealthOmics
](#awshealthomics-policy-keys)

## Actions defined by AWS HealthOmics
<a name="awshealthomics-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awshealthomics-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html)

## Resource types defined by AWS HealthOmics
<a name="awshealthomics-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awshealthomics-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_AnnotationStoreItem.html](https://docs.aws.amazon.com/omics/latest/api/API_AnnotationStoreItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:annotationStore/\$1\$1AnnotationStoreName\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_AnnotationStoreVersionItem.html](https://docs.aws.amazon.com/omics/latest/api/API_AnnotationStoreVersionItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:annotationStore/\$1\$1AnnotationStoreName\$1/version/\$1\$1AnnotationStoreVersionName\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_ConfigurationListItem.html](https://docs.aws.amazon.com/omics/latest/api/API_ConfigurationListItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:configuration/\$1\$1Name\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_ReadSetFiles.html](https://docs.aws.amazon.com/omics/latest/api/API_ReadSetFiles.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:sequenceStore/\$1\$1SequenceStoreId\$1/readSet/\$1\$1ReadSetId\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_ReferenceFiles.html](https://docs.aws.amazon.com/omics/latest/api/API_ReferenceFiles.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:referenceStore/\$1\$1ReferenceStoreId\$1/reference/\$1\$1ReferenceId\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_ReferenceStoreDetail.html](https://docs.aws.amazon.com/omics/latest/api/API_ReferenceStoreDetail.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:referenceStore/\$1\$1ReferenceStoreId\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_RunListItem.html](https://docs.aws.amazon.com/omics/latest/api/API_RunListItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:run/\$1\$1Id\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_BatchListItem.html](https://docs.aws.amazon.com/omics/latest/api/API_BatchListItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:runBatch/\$1\$1BatchId\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_RunCacheListItem.html](https://docs.aws.amazon.com/omics/latest/api/API_RunCacheListItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:runCache/\$1\$1Id\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_RunGroupListItem.html](https://docs.aws.amazon.com/omics/latest/api/API_RunGroupListItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:runGroup/\$1\$1Id\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_SequenceStoreDetail.html](https://docs.aws.amazon.com/omics/latest/api/API_SequenceStoreDetail.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:sequenceStore/\$1\$1SequenceStoreId\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_TaskListItem.html](https://docs.aws.amazon.com/omics/latest/api/API_TaskListItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:task/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_VariantStoreItem.html](https://docs.aws.amazon.com/omics/latest/api/API_VariantStoreItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:variantStore/\$1\$1VariantStoreName\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_WorkflowListItem.html](https://docs.aws.amazon.com/omics/latest/api/API_WorkflowListItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:workflow/\$1\$1Id\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/omics/latest/api/API_WorkflowVersionListItem.html](https://docs.aws.amazon.com/omics/latest/api/API_WorkflowVersionListItem.html)  |  arn:\$1\$1Partition\$1:omics:\$1\$1Region\$1:\$1\$1Account\$1:workflow/\$1\$1Id\$1/version/\$1\$1VersionName\$1  |   [#awshealthomics-aws_ResourceTag___TagKey_](#awshealthomics-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS HealthOmics
<a name="awshealthomics-policy-keys"></a>

AWS HealthOmics defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Honeycode
<a name="list_amazonhoneycode"></a>

Amazon Honeycode (service prefix: `honeycode`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/honeycode/latest/UserGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/honeycode/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/honeycode/latest/UserGuide/getting-started-authorization.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Honeycode
](#amazonhoneycode-actions-as-permissions)
+ [

## Resource types defined by Amazon Honeycode
](#amazonhoneycode-resources-for-iam-policies)
+ [

## Condition keys for Amazon Honeycode
](#amazonhoneycode-policy-keys)

## Actions defined by Amazon Honeycode
<a name="amazonhoneycode-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonhoneycode-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/team-association.html#approve-team-association](https://docs.aws.amazon.com/honeycode/latest/UserGuide/team-association.html#approve-team-association) [permission only] | Grants permission to approve a team association request for your AWS Account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_BatchCreateTableRows.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_BatchCreateTableRows.html)  | Grants permission to create new rows in a table | Write |   [#amazonhoneycode-table](#amazonhoneycode-table)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_BatchDeleteTableRows.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_BatchDeleteTableRows.html)  | Grants permission to delete rows from a table | Write |   [#amazonhoneycode-table](#amazonhoneycode-table)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_BatchUpdateTableRows.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_BatchUpdateTableRows.html)  | Grants permission to update rows in a table | Write |   [#amazonhoneycode-table](#amazonhoneycode-table)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_BatchUpsertTableRows.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_BatchUpsertTableRows.html)  | Grants permission to upsert rows in a table | Write |   [#amazonhoneycode-table](#amazonhoneycode-table)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/team.html#create-team](https://docs.aws.amazon.com/honeycode/latest/UserGuide/team.html#create-team) [permission only] | Grants permission to create a new Amazon Honeycode team for your AWS Account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/tenant.html#create-tenant](https://docs.aws.amazon.com/honeycode/latest/UserGuide/tenant.html#create-tenant) [permission only] | Grants permission to create a new tenant within Amazon Honeycode for your AWS Account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/domain.html#delete-domains](https://docs.aws.amazon.com/honeycode/latest/UserGuide/domain.html#delete-domains) [permission only] | Grants permission to delete Amazon Honeycode domains for your AWS Account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/group.html#deregister-groups](https://docs.aws.amazon.com/honeycode/latest/UserGuide/group.html#deregister-groups) [permission only] | Grants permission to remove groups from an Amazon Honeycode team for your AWS Account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_DescribeTableDataImportJob.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_DescribeTableDataImportJob.html)  | Grants permission to get details about a table data import job | Read |   [#amazonhoneycode-table](#amazonhoneycode-table)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/team.html#describe-team](https://docs.aws.amazon.com/honeycode/latest/UserGuide/team.html#describe-team) [permission only] | Grants permission to get details about Amazon Honeycode teams for your AWS Account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_GetScreenData.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_GetScreenData.html)  | Grants permission to load the data from a screen | Read |   [#amazonhoneycode-screen](#amazonhoneycode-screen)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_InvokeScreenAutomation.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_InvokeScreenAutomation.html)  | Grants permission to invoke a screen automation | Write |   [#amazonhoneycode-screen-automation](#amazonhoneycode-screen-automation)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/domain.html#list-domains](https://docs.aws.amazon.com/honeycode/latest/UserGuide/domain.html#list-domains) [permission only] | Grants permission to list all Amazon Honeycode domains and their verification status for your AWS Account | List |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/group.html#list-groups](https://docs.aws.amazon.com/honeycode/latest/UserGuide/group.html#list-groups) [permission only] | Grants permission to list all groups in an Amazon Honeycode team for your AWS Account | List |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_ListTableColumns.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_ListTableColumns.html)  | Grants permission to list the columns in a table | List |   [#amazonhoneycode-table](#amazonhoneycode-table)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_ListTableRows.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_ListTableRows.html)  | Grants permission to list the rows in a table | List |   [#amazonhoneycode-table](#amazonhoneycode-table)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_ListTables.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_ListTables.html)  | Grants permission to list the tables in a workbook | List |   [#amazonhoneycode-workbook](#amazonhoneycode-workbook)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_ListTagsForResource.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_ListTagsForResource.html)  | Grants permission to list all tags for a resource | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/team-association.html#list-team-associations](https://docs.aws.amazon.com/honeycode/latest/UserGuide/team-association.html#list-team-associations) [permission only] | Grants permission to list all pending and approved team associations with your AWS Account | List |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/tenant.html#list-tenants](https://docs.aws.amazon.com/honeycode/latest/UserGuide/tenant.html#list-tenants) [permission only] | Grants permission to list all tenants of Amazon Honeycode for your AWS Account | List |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_QueryTableRows.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_QueryTableRows.html)  | Grants permission to query the rows of a table using a filter | Read |   [#amazonhoneycode-table](#amazonhoneycode-table)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/domain.html#register-domain-for-verification](https://docs.aws.amazon.com/honeycode/latest/UserGuide/domain.html#register-domain-for-verification) [permission only] | Grants permission to request verification of the Amazon Honeycode domains for your AWS Account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/group.html#register-groups](https://docs.aws.amazon.com/honeycode/latest/UserGuide/group.html#register-groups) [permission only] | Grants permission to add groups to an Amazon Honeycode team for your AWS Account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/team-association.html#reject-team-association](https://docs.aws.amazon.com/honeycode/latest/UserGuide/team-association.html#reject-team-association) [permission only] | Grants permission to reject a team association request for your AWS Account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/domain.html#restart-domain-verification](https://docs.aws.amazon.com/honeycode/latest/UserGuide/domain.html#restart-domain-verification) [permission only] | Grants permission to restart verification of the Amazon Honeycode domains for your AWS Account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_StartTableDataImportJob.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_StartTableDataImportJob.html)  | Grants permission to start a table data import job | Write |   [#amazonhoneycode-table](#amazonhoneycode-table)   |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_TagResource.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_TagResource.html)  | Grants permission to tag a resource | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_UntagResource.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/API_UntagResource.html)  | Grants permission to untag a resource | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/team.html#update-team](https://docs.aws.amazon.com/honeycode/latest/UserGuide/team.html#update-team) [permission only] | Grants permission to update an Amazon Honeycode team for your AWS Account | Write |  |  |  | 

## Resource types defined by Amazon Honeycode
<a name="amazonhoneycode-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonhoneycode-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/resource-workbook.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/resource-workbook.html)  |  arn:\$1\$1Partition\$1:honeycode:\$1\$1Region\$1:\$1\$1Account\$1:workbook:workbook/\$1\$1WorkbookId\$1  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/resource-table.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/resource-table.html)  |  arn:\$1\$1Partition\$1:honeycode:\$1\$1Region\$1:\$1\$1Account\$1:table:workbook/\$1\$1WorkbookId\$1/table/\$1\$1TableId\$1  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/resource-screen.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/resource-screen.html)  |  arn:\$1\$1Partition\$1:honeycode:\$1\$1Region\$1:\$1\$1Account\$1:screen:workbook/\$1\$1WorkbookId\$1/app/\$1\$1AppId\$1/screen/\$1\$1ScreenId\$1  |  | 
|   [https://docs.aws.amazon.com/honeycode/latest/UserGuide/resource-screen-automation.html](https://docs.aws.amazon.com/honeycode/latest/UserGuide/resource-screen-automation.html)  |  arn:\$1\$1Partition\$1:honeycode:\$1\$1Region\$1:\$1\$1Account\$1:screen-automation:workbook/\$1\$1WorkbookId\$1/app/\$1\$1AppId\$1/screen/\$1\$1ScreenId\$1/automation/\$1\$1AutomationId\$1  |  | 

## Condition keys for Amazon Honeycode
<a name="amazonhoneycode-policy-keys"></a>

Honeycode has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS IAM Access Analyzer
<a name="list_awsiamaccessanalyzer"></a>

AWS IAM Access Analyzer (service prefix: `access-analyzer`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-permissions) permission policies.

**Topics**
+ [

## Actions defined by AWS IAM Access Analyzer
](#awsiamaccessanalyzer-actions-as-permissions)
+ [

## Resource types defined by AWS IAM Access Analyzer
](#awsiamaccessanalyzer-resources-for-iam-policies)
+ [

## Condition keys for AWS IAM Access Analyzer
](#awsiamaccessanalyzer-policy-keys)

## Actions defined by AWS IAM Access Analyzer
<a name="awsiamaccessanalyzer-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiamaccessanalyzer-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html)

## Resource types defined by AWS IAM Access Analyzer
<a name="awsiamaccessanalyzer-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiamaccessanalyzer-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources)  |  arn:\$1\$1Partition\$1:access-analyzer:\$1\$1Region\$1:\$1\$1Account\$1:analyzer/\$1\$1AnalyzerName\$1  |   [#awsiamaccessanalyzer-aws_ResourceTag___TagKey_](#awsiamaccessanalyzer-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources)  |  arn:\$1\$1Partition\$1:access-analyzer:\$1\$1Region\$1:\$1\$1Account\$1:analyzer/\$1\$1AnalyzerName\$1/archive-rule/\$1\$1RuleName\$1  |  | 

## Condition keys for AWS IAM Access Analyzer
<a name="awsiamaccessanalyzer-policy-keys"></a>

AWS IAM Access Analyzer defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS IAM Identity Center
<a name="list_awsiamidentitycenter"></a>

AWS IAM Identity Center (service prefix: `sso`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/singlesignon/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IAM Identity Center
](#awsiamidentitycenter-actions-as-permissions)
+ [

## Resource types defined by AWS IAM Identity Center
](#awsiamidentitycenter-resources-for-iam-policies)
+ [

## Condition keys for AWS IAM Identity Center
](#awsiamidentitycenter-policy-keys)

## Actions defined by AWS IAM Identity Center
<a name="awsiamidentitycenter-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiamidentitycenter-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycenter.html)

## Resource types defined by AWS IAM Identity Center
<a name="awsiamidentitycenter-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiamidentitycenter-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html)  |  arn:\$1\$1Partition\$1:sso:::permissionSet/\$1\$1InstanceId\$1/\$1\$1PermissionSetId\$1  |   [#awsiamidentitycenter-aws_ResourceTag___TagKey_](#awsiamidentitycenter-aws_ResourceTag___TagKey_)   [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html)  |  arn:\$1\$1Partition\$1:sso:::account/\$1\$1AccountId\$1  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_InstanceMetadata.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_InstanceMetadata.html)  |  arn:\$1\$1Partition\$1:sso:::instance/\$1\$1InstanceId\$1  |   [#awsiamidentitycenter-aws_ResourceTag___TagKey_](#awsiamidentitycenter-aws_ResourceTag___TagKey_)   [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_Application.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_Application.html)  |  arn:\$1\$1Partition\$1:sso::\$1\$1AccountId\$1:application/\$1\$1InstanceId\$1/\$1\$1ApplicationId\$1  |   [#awsiamidentitycenter-aws_ResourceTag___TagKey_](#awsiamidentitycenter-aws_ResourceTag___TagKey_)   [#awsiamidentitycenter-sso_ApplicationAccount](#awsiamidentitycenter-sso_ApplicationAccount)   [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_TrustedTokenIssuerMetadata.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_TrustedTokenIssuerMetadata.html)  |  arn:\$1\$1Partition\$1:sso::\$1\$1AccountId\$1:trustedTokenIssuer/\$1\$1InstanceId\$1/\$1\$1TrustedTokenIssuerId\$1  |   [#awsiamidentitycenter-aws_ResourceTag___TagKey_](#awsiamidentitycenter-aws_ResourceTag___TagKey_)   [#awsiamidentitycenter-sso_PrimaryRegion](#awsiamidentitycenter-sso_PrimaryRegion)   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ApplicationProvider.html](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ApplicationProvider.html)  |  arn:\$1\$1Partition\$1:sso::aws:applicationProvider/\$1\$1ApplicationProviderId\$1  |  | 

## Condition keys for AWS IAM Identity Center
<a name="awsiamidentitycenter-policy-keys"></a>

AWS IAM Identity Center defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/API_Application.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/API_Application.html)  | Filters access by the ARN of the IAM Identity Center application | ARN | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/API_InstanceMetadata.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/API_InstanceMetadata.html)  | Filters access by the ARN of the IAM Identity Center instance | ARN | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/API_Application.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/API_Application.html)  | Filters access by the account which creates the application. This condition key is not supported for customer managed SAML applications | String | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/API_InstanceMetadata.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/API_InstanceMetadata.html)  | Filters access by the primary region of the IAM Identity Center instance | String | 

# Actions, resources, and condition keys for AWS IAM Identity Center directory
<a name="list_awsiamidentitycenterdirectory"></a>

AWS IAM Identity Center directory (service prefix: `sso-directory`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/singlesignon/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/singlesignon/latest/userguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IAM Identity Center directory
](#awsiamidentitycenterdirectory-actions-as-permissions)
+ [

## Resource types defined by AWS IAM Identity Center directory
](#awsiamidentitycenterdirectory-resources-for-iam-policies)
+ [

## Condition keys for AWS IAM Identity Center directory
](#awsiamidentitycenterdirectory-policy-keys)

## Actions defined by AWS IAM Identity Center directory
<a name="awsiamidentitycenterdirectory-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiamidentitycenterdirectory-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroupMembership.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroupMembership.html)  | Grants permission to add a member to a group in the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to complete the creation process of a virtual MFA device | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to complete the registration process of a WebAuthn device | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to create an alias for the directory that AWS IAM Identity Center provides by default | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to create a bearer token for a given provisioning tenant | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to create an External Identity Provider configuration for the directory | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroup.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroup.html)  | Grants permission to create a group in the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to create a provisioning tenant for a given directory | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html)  | Grants permission to create a user in the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to delete a bearer token | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to delete the given external IdP certificate | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to delete an External Identity Provider configuration associated with the directory | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroup.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroup.html)  | Grants permission to delete a group from the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to delete a MFA device by device name for a given user | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to delete the provisioning tenant | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteUser.html)  | Grants permission to delete a user from the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to retrieve information about the directory that AWS IAM Identity Center provides by default | Read |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroup.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroup.html)  | Grants permission to query the group data, not including user and group members | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroup.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroup.html)  | Grants permission to retrieve information about groups from the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to describes the provisioning tenant | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html)  | Grants permission to retrieve information about a user from the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to describe user with a valid unique attribute represented for the user | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html)  | Grants permission to retrieve information about user from the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to disable authentication of end users with an External Identity Provider | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to deactivate a user in the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to enable authentication of end users with an External Identity Provider | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to activate user in the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to retrieve the AWS IAM Identity Center Service Provider configurations for the directory | Read |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetGroupId.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetGroupId.html)  | Grants permission to retrieve ID information about group from the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html)  | Grants permission to retrieve ID information about user from the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | (Deprecated) Grants permission to get UserPool Info | Read |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to import the IdP certificate used for verifying external IdP responses | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_IsMemberInGroups.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_IsMemberInGroups.html)  | Grants permission to check if a member is a part of the group in the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_IsMemberInGroups.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_IsMemberInGroups.html)  | Grants permission to check if a member is a part of multiple groups in the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to list bearer tokens for a given provisioning tenant | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to list the external IdP certificates of a given directory and IdP | Read |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to list all the External Identity Provider configurations created for the directory | Read |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.html)  | Grants permission to list groups from the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMembershipsForMember.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMembershipsForMember.html)  | Grants permission to list groups of the target member | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMembershipsForMember.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMembershipsForMember.html)  | Grants permission to list groups for a user from the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMemberships.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMemberships.html)  | Grants permission to retrieve all members that are part of a group in the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to list all active MFA devices and their MFA device metadata for a user | Read |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to list provisioning tenants for a given directory | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.html)  | Grants permission to list users from the directory that AWS IAM Identity Center provides by default | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroupMembership.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroupMembership.html)  | Grants permission to remove a member that is part of a group in the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to search for groups within the associated directory | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to search for users within the associated directory | Read |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to begin the creation process of virtual mfa device | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to begin the registration process of a WebAuthn device | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to update an External Identity Provider configuration associated with the directory | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateGroup.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateGroup.html)  | Grants permission to update information about a group in the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to update group display name update group display name response | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to update MFA device information | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to update a password by sending password reset link via email or generating one time password for a user in the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateUser.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateUser.html)  | Grants permission to update user information in the directory that AWS IAM Identity Center provides by default | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to update user name update user name response | Write |  |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample)  | Grants permission to verify an email address of an User | Write |  |  |  | 

## Resource types defined by AWS IAM Identity Center directory
<a name="awsiamidentitycenterdirectory-resources-for-iam-policies"></a>

AWS IAM Identity Center directory does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS IAM Identity Center directory, specify `"Resource": "*"` in your policy.

## Condition keys for AWS IAM Identity Center directory
<a name="awsiamidentitycenterdirectory-policy-keys"></a>

IAM Identity Center directory has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS IAM Identity Center OIDC service
<a name="list_awsiamidentitycenteroidcservice"></a>

AWS IAM Identity Center OIDC service (service prefix: `sso-oauth`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IAM Identity Center OIDC service
](#awsiamidentitycenteroidcservice-actions-as-permissions)
+ [

## Resource types defined by AWS IAM Identity Center OIDC service
](#awsiamidentitycenteroidcservice-resources-for-iam-policies)
+ [

## Condition keys for AWS IAM Identity Center OIDC service
](#awsiamidentitycenteroidcservice-policy-keys)

## Actions defined by AWS IAM Identity Center OIDC service
<a name="awsiamidentitycenteroidcservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiamidentitycenteroidcservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.html](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.html)  | Grants permission to create and return OAuth 2.0 access tokens and refresh tokens for authorized client applications. These tokens might contain defined scopes that specify permissions such as `read:profile` or `write:data` | Write |   [#awsiamidentitycenteroidcservice-Application](#awsiamidentitycenteroidcservice-Application)   |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-resource-based-policies.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-resource-based-policies.html) [permission only] | Grants permission to validate and retrieve information about active OAuth 2.0 access tokens and refresh tokens, including their associated scopes and permissions. This permission is used only by AWS managed applications and is not documented in the IAM Identity Center OIDC API Reference | Write |   [#awsiamidentitycenteroidcservice-Application](#awsiamidentitycenteroidcservice-Application)   |  |   kms:Decrypt   | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-resource-based-policies.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-resource-based-policies.html) [permission only] | Grants permission to revoke OAuth 2.0 access tokens and refresh tokens, invalidating them before their normal expiration. This permission is used only by AWS managed applications and is not documented in the IAM Identity Center OIDC API Reference | Write |   [#awsiamidentitycenteroidcservice-Application](#awsiamidentitycenteroidcservice-Application)   |  |   kms:Decrypt   | 

## Resource types defined by AWS IAM Identity Center OIDC service
<a name="awsiamidentitycenteroidcservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiamidentitycenteroidcservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-enable-identity-center.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-enable-identity-center.html)  |  arn:\$1\$1Partition\$1:sso::\$1\$1AccountId\$1:application/\$1\$1InstanceId\$1/\$1\$1ApplicationId\$1  |  | 

## Condition keys for AWS IAM Identity Center OIDC service
<a name="awsiamidentitycenteroidcservice-policy-keys"></a>

OIDC service has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Identity and Access Management Roles Anywhere
<a name="list_awsidentityandaccessmanagementrolesanywhere"></a>

AWS Identity and Access Management Roles Anywhere (service prefix: `rolesanywhere`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Identity and Access Management Roles Anywhere
](#awsidentityandaccessmanagementrolesanywhere-actions-as-permissions)
+ [

## Resource types defined by AWS Identity and Access Management Roles Anywhere
](#awsidentityandaccessmanagementrolesanywhere-resources-for-iam-policies)
+ [

## Condition keys for AWS Identity and Access Management Roles Anywhere
](#awsidentityandaccessmanagementrolesanywhere-policy-keys)

## Actions defined by AWS Identity and Access Management Roles Anywhere
<a name="awsidentityandaccessmanagementrolesanywhere-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsidentityandaccessmanagementrolesanywhere-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementrolesanywhere.html)

## Resource types defined by AWS Identity and Access Management Roles Anywhere
<a name="awsidentityandaccessmanagementrolesanywhere-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsidentityandaccessmanagementrolesanywhere-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html#first-time-user](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html#first-time-user)  |  arn:\$1\$1Partition\$1:rolesanywhere:\$1\$1Region\$1:\$1\$1Account\$1:trust-anchor/\$1\$1TrustAnchorId\$1  |   [#awsidentityandaccessmanagementrolesanywhere-aws_ResourceTag___TagKey_](#awsidentityandaccessmanagementrolesanywhere-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html#first-time-user](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html#first-time-user)  |  arn:\$1\$1Partition\$1:rolesanywhere:\$1\$1Region\$1:\$1\$1Account\$1:profile/\$1\$1ProfileId\$1  |   [#awsidentityandaccessmanagementrolesanywhere-aws_ResourceTag___TagKey_](#awsidentityandaccessmanagementrolesanywhere-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html#first-time-user](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html#first-time-user)  |  arn:\$1\$1Partition\$1:rolesanywhere:\$1\$1Region\$1:\$1\$1Account\$1:subject/\$1\$1SubjectId\$1  |   [#awsidentityandaccessmanagementrolesanywhere-aws_ResourceTag___TagKey_](#awsidentityandaccessmanagementrolesanywhere-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html#first-time-user](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html#first-time-user)  |  arn:\$1\$1Partition\$1:rolesanywhere:\$1\$1Region\$1:\$1\$1Account\$1:crl/\$1\$1CrlId\$1  |   [#awsidentityandaccessmanagementrolesanywhere-aws_ResourceTag___TagKey_](#awsidentityandaccessmanagementrolesanywhere-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Identity and Access Management Roles Anywhere
<a name="awsidentityandaccessmanagementrolesanywhere-policy-keys"></a>

AWS Identity and Access Management Roles Anywhere defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Identity Store
<a name="list_awsidentitystore"></a>

AWS Identity Store (service prefix: `identitystore`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Identity Store
](#awsidentitystore-actions-as-permissions)
+ [

## Resource types defined by AWS Identity Store
](#awsidentitystore-resources-for-iam-policies)
+ [

## Condition keys for AWS Identity Store
](#awsidentitystore-policy-keys)

## Actions defined by AWS Identity Store
<a name="awsidentitystore-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsidentitystore-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html)

## Resource types defined by AWS Identity Store
<a name="awsidentitystore-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsidentitystore-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/)  |  arn:\$1\$1Partition\$1:identitystore::\$1\$1Account\$1:identitystore/\$1\$1IdentityStoreId\$1  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_User.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_User.html)  |  arn:\$1\$1Partition\$1:identitystore:::user/\$1\$1UserId\$1  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_Group.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_Group.html)  |  arn:\$1\$1Partition\$1:identitystore:::group/\$1\$1GroupId\$1  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GroupMembership.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GroupMembership.html)  |  arn:\$1\$1Partition\$1:identitystore:::membership/\$1\$1MembershipId\$1  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_User.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_User.html)  |  arn:\$1\$1Partition\$1:identitystore:::user/\$1  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_Group.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_Group.html)  |  arn:\$1\$1Partition\$1:identitystore:::group/\$1  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GroupMembership.html](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GroupMembership.html)  |  arn:\$1\$1Partition\$1:identitystore:::membership/\$1  |  | 

## Condition keys for AWS Identity Store
<a name="awsidentitystore-policy-keys"></a>

AWS Identity Store defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [list_awsidentitystore.html#awsidentitystore-policy-keys](list_awsidentitystore.html#awsidentitystore-policy-keys)  | Filters access by Issuer present in ExternalIds for Group resources | ArrayOfARN | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/condition-context-keys-sts-idc.html#condition-keys-identity-store-arn](https://docs.aws.amazon.com/singlesignon/latest/userguide/condition-context-keys-sts-idc.html#condition-keys-identity-store-arn)  | Filters access by Identity Store ARN | ARN | 
|   [list_awsidentitystore.html#awsidentitystore-policy-keys](list_awsidentitystore.html#awsidentitystore-policy-keys)  | Filters access by Primary Region of Identity Store | String | 
|   [list_awsidentitystore.html#awsidentitystore-policy-keys](list_awsidentitystore.html#awsidentitystore-policy-keys)  | Filters access by a previously reserved User ID for CreateUser operation | String | 
|   [list_awsidentitystore.html#awsidentitystore-policy-keys](list_awsidentitystore.html#awsidentitystore-policy-keys)  | Filters access by Issuer present in ExternalIds for User resources | ArrayOfARN | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/condition-context-keys-sts-idc.html#condition-keys-identity-store-user-id](https://docs.aws.amazon.com/singlesignon/latest/userguide/condition-context-keys-sts-idc.html#condition-keys-identity-store-user-id)  | Filters access by Identity Store User ID | String | 

# Actions, resources, and condition keys for AWS Identity Store Auth
<a name="list_awsidentitystoreauth"></a>

AWS Identity Store Auth (service prefix: `identitystore-auth`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/singlesignon/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/singlesignon/latest/userguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Identity Store Auth
](#awsidentitystoreauth-actions-as-permissions)
+ [

## Resource types defined by AWS Identity Store Auth
](#awsidentitystoreauth-resources-for-iam-policies)
+ [

## Condition keys for AWS Identity Store Auth
](#awsidentitystoreauth-policy-keys)

## Actions defined by AWS Identity Store Auth
<a name="awsidentitystoreauth-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsidentitystoreauth-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-app-session.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-app-session.html) [permission only] | Grants permission to delete a batch of specified sessions | Write |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-app-session.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-app-session.html) [permission only] | Grants permission to return session attributes for a batch of specified sessions | Read |  |  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-app-session.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-app-session.html) [permission only] | Grants permission to retrieve a list of active sessions for the specified user | List |  |  |  | 

## Resource types defined by AWS Identity Store Auth
<a name="awsidentitystoreauth-resources-for-iam-policies"></a>

AWS Identity Store Auth does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Identity Store Auth, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Identity Store Auth
<a name="awsidentitystoreauth-policy-keys"></a>

Identity Store Auth has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Identity Sync
<a name="list_awsidentitysync"></a>

AWS Identity Sync (service prefix: `identity-sync`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-users-groups-AD.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-users-groups-AD.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Identity Sync
](#awsidentitysync-actions-as-permissions)
+ [

## Resource types defined by AWS Identity Sync
](#awsidentitysync-resources-for-iam-policies)
+ [

## Condition keys for AWS Identity Sync
](#awsidentitysync-policy-keys)

## Actions defined by AWS Identity Sync
<a name="awsidentitysync-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsidentitysync-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitysync.html)

## Resource types defined by AWS Identity Sync
<a name="awsidentitysync-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsidentitysync-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-users-groups-AD.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-users-groups-AD.html)  |  arn:\$1\$1Partition\$1:identity-sync:\$1\$1Region\$1:\$1\$1Account\$1:profile/\$1\$1SyncProfileName\$1  |  | 
|   [https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-users-groups-AD.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-users-groups-AD.html)  |  arn:\$1\$1Partition\$1:identity-sync:\$1\$1Region\$1:\$1\$1Account\$1:target/\$1\$1SyncProfileName\$1/\$1\$1SyncTargetName\$1  |  | 

## Condition keys for AWS Identity Sync
<a name="awsidentitysync-policy-keys"></a>

Identity Sync has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Import Export Disk Service
<a name="list_awsimportexportdiskservice"></a>

AWS Import Export Disk Service (service prefix: `importexport`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AWSImportExport/latest/DG/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AWSImportExport/latest/DG/api-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AWSImportExport/latest/DG/using-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Import Export Disk Service
](#awsimportexportdiskservice-actions-as-permissions)
+ [

## Resource types defined by AWS Import Export Disk Service
](#awsimportexportdiskservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Import Export Disk Service
](#awsimportexportdiskservice-policy-keys)

## Actions defined by AWS Import Export Disk Service
<a name="awsimportexportdiskservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsimportexportdiskservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebCancelJob.html](https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebCancelJob.html)  | This action cancels a specified job. Only the job owner can cancel it. The action fails if the job has already started or is complete. | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebCreateJob.html](https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebCreateJob.html)  | This action initiates the process of scheduling an upload or download of your data. | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebGetShippingLabel.html](https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebGetShippingLabel.html)  | This action generates a pre-paid shipping label that you will use to ship your device to AWS for processing. | Read |  |  |  | 
|   [https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebGetStatus.html](https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebGetStatus.html)  | This action returns information about a job, including where the job is in the processing pipeline, the status of the results, and the signature value associated with the job. | Read |  |  |  | 
|   [https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebListJobs.html](https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebListJobs.html)  | This action returns the jobs associated with the requester. | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebUpdateJob.html](https://docs.aws.amazon.com/AWSImportExport/latest/DG/WebUpdateJob.html)  | You use this action to change the parameters specified in the original manifest file by supplying a new manifest file. | Write |  |  |  | 

## Resource types defined by AWS Import Export Disk Service
<a name="awsimportexportdiskservice-resources-for-iam-policies"></a>

AWS Import Export Disk Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Import Export Disk Service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Import Export Disk Service
<a name="awsimportexportdiskservice-policy-keys"></a>

Import/Export has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Inspector
<a name="list_amazoninspector"></a>

Amazon Inspector (service prefix: `inspector`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/inspector/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/inspector/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/inspector/latest/userguide/access_permissions.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Inspector
](#amazoninspector-actions-as-permissions)
+ [

## Resource types defined by Amazon Inspector
](#amazoninspector-resources-for-iam-policies)
+ [

## Condition keys for Amazon Inspector
](#amazoninspector-policy-keys)

## Actions defined by Amazon Inspector
<a name="amazoninspector-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoninspector-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_AddAttributesToFindings.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_AddAttributesToFindings.html)  | Grants permission to assign attributes (key and value pairs) to the findings that are specified by the ARNs of the findings | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateAssessmentTarget.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateAssessmentTarget.html)  | Grants permission to create a new assessment target using the ARN of the resource group that is generated by CreateResourceGroup | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateAssessmentTemplate.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateAssessmentTemplate.html)  | Grants permission to create an assessment template for the assessment target that is specified by the ARN of the assessment target | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateExclusionsPreview.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateExclusionsPreview.html)  | Grants permission to start the generation of an exclusions preview for the specified assessment template | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateResourceGroup.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateResourceGroup.html)  | Grants permission to create a resource group using the specified set of tags (key and value pairs) that are used to select the EC2 instances to be included in an Amazon Inspector assessment target | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DeleteAssessmentRun.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DeleteAssessmentRun.html)  | Grants permission to delete the assessment run that is specified by the ARN of the assessment run | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DeleteAssessmentTarget.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DeleteAssessmentTarget.html)  | Grants permission to delete the assessment target that is specified by the ARN of the assessment target | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DeleteAssessmentTemplate.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DeleteAssessmentTemplate.html)  | Grants permission to delete the assessment template that is specified by the ARN of the assessment template | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentRuns.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentRuns.html)  | Grants permission to describe the assessment runs that are specified by the ARNs of the assessment runs | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentTargets.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentTargets.html)  | Grants permission to describe the assessment targets that are specified by the ARNs of the assessment targets | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentTemplates.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentTemplates.html)  | Grants permission to describe the assessment templates that are specified by the ARNs of the assessment templates | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeCrossAccountAccessRole.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeCrossAccountAccessRole.html)  | Grants permission to describe the IAM role that enables Amazon Inspector to access your AWS account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeExclusions.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeExclusions.html)  | Grants permission to describe the exclusions that are specified by the exclusions' ARNs | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeFindings.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeFindings.html)  | Grants permission to describe the findings that are specified by the ARNs of the findings | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeResourceGroups.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeResourceGroups.html)  | Grants permission to describe the resource groups that are specified by the ARNs of the resource groups | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeRulesPackages.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeRulesPackages.html)  | Grants permission to describe the rules packages that are specified by the ARNs of the rules packages | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_GetAssessmentReport.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_GetAssessmentReport.html)  | Grants permission to produce an assessment report that includes detailed and comprehensive results of a specified assessment run | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_GetExclusionsPreview.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_GetExclusionsPreview.html)  | Grants permission to retrieve the exclusions preview (a list of ExclusionPreview objects) specified by the preview token | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_GetTelemetryMetadata.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_GetTelemetryMetadata.html)  | Grants permission to get information about the data that is collected for the specified assessment run | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListAssessmentRunAgents.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListAssessmentRunAgents.html)  | Grants permission to list the agents of the assessment runs that are specified by the ARNs of the assessment runs | List |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListAssessmentRuns.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListAssessmentRuns.html)  | Grants permission to list the assessment runs that correspond to the assessment templates that are specified by the ARNs of the assessment templates | List |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListAssessmentTargets.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListAssessmentTargets.html)  | Grants permission to list the ARNs of the assessment targets within this AWS account | List |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListAssessmentTemplates.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListAssessmentTemplates.html)  | Grants permission to list the assessment templates that correspond to the assessment targets that are specified by the ARNs of the assessment targets | List |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListEventSubscriptions.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListEventSubscriptions.html)  | Grants permission to list all the event subscriptions for the assessment template that is specified by the ARN of the assessment template | List |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListExclusions.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListExclusions.html)  | Grants permission to list exclusions that are generated by the assessment run | List |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListFindings.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListFindings.html)  | Grants permission to list findings that are generated by the assessment runs that are specified by the ARNs of the assessment runs | List |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListRulesPackages.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListRulesPackages.html)  | Grants permission to list all available Amazon Inspector rules packages | List |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListTagsForResource.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_ListTagsForResource.html)  | Grants permission to list all tags associated with an assessment template | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_PreviewAgents.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_PreviewAgents.html)  | Grants permission to preview the agents installed on the EC2 instances that are part of the specified assessment target | Read |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_RegisterCrossAccountAccessRole.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_RegisterCrossAccountAccessRole.html)  | Grants permission to register the IAM role that Amazon Inspector uses to list your EC2 instances at the start of the assessment run or when you call the PreviewAgents action | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_RemoveAttributesFromFindings.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_RemoveAttributesFromFindings.html)  | Grants permission to remove entire attributes (key and value pairs) from the findings that are specified by the ARNs of the findings where an attribute with the specified key exists | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_SetTagsForResource.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_SetTagsForResource.html)  | Grants permission to set tags (key and value pairs) to the assessment template that is specified by the ARN of the assessment template | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_StartAssessmentRun.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_StartAssessmentRun.html)  | Grants permission to start the assessment run specified by the ARN of the assessment template | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_StopAssessmentRun.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_StopAssessmentRun.html)  | Grants permission to stop the assessment run that is specified by the ARN of the assessment run | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_SubscribeToEvent.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_SubscribeToEvent.html)  | Grants permission to enable the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_UnsubscribeFromEvent.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_UnsubscribeFromEvent.html)  | Grants permission to disable the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/APIReference/API_UpdateAssessmentTarget.html](https://docs.aws.amazon.com/inspector/latest/APIReference/API_UpdateAssessmentTarget.html)  | Grants permission to update the assessment target that is specified by the ARN of the assessment target | Write |  |  |  | 

## Resource types defined by Amazon Inspector
<a name="amazoninspector-resources-for-iam-policies"></a>

Amazon Inspector does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Inspector, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Inspector
<a name="amazoninspector-policy-keys"></a>

Inspector has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Inspector2
<a name="list_amazoninspector2"></a>

Amazon Inspector2 (service prefix: `inspector2`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/inspector/v2/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/inspector/latest/user/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Inspector2
](#amazoninspector2-actions-as-permissions)
+ [

## Resource types defined by Amazon Inspector2
](#amazoninspector2-resources-for-iam-policies)
+ [

## Condition keys for Amazon Inspector2
](#amazoninspector2-policy-keys)

## Actions defined by Amazon Inspector2
<a name="amazoninspector2-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoninspector2-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html)

## Resource types defined by Amazon Inspector2
<a name="amazoninspector2-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoninspector2-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html)  |  arn:\$1\$1Partition\$1:inspector2:\$1\$1Region\$1:\$1\$1Account\$1:owner/\$1\$1OwnerId\$1/filter/\$1\$1FilterId\$1  |   [#amazoninspector2-aws_ResourceTag___TagKey_](#amazoninspector2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html)  |  arn:\$1\$1Partition\$1:inspector2:\$1\$1Region\$1:\$1\$1Account\$1:finding/\$1\$1FindingId\$1  |  | 
|   [https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html)  |  arn:\$1\$1Partition\$1:inspector2:\$1\$1Region\$1:\$1\$1Account\$1:owner/\$1\$1OwnerId\$1/cis-configuration/\$1\$1CISScanConfigurationId\$1  |   [#amazoninspector2-aws_ResourceTag___TagKey_](#amazoninspector2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html)  |  arn:\$1\$1Partition\$1:inspector2:\$1\$1Region\$1:\$1\$1Account\$1:owner/\$1\$1OwnerId\$1/codesecurity-configuration/\$1\$1CodeSecurityScanConfigurationId\$1  |   [#amazoninspector2-aws_ResourceTag___TagKey_](#amazoninspector2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html)  |  arn:\$1\$1Partition\$1:inspector2:\$1\$1Region\$1:\$1\$1Account\$1:codesecurity-integration/\$1\$1CodeSecurityIntegrationId\$1  |   [#amazoninspector2-aws_ResourceTag___TagKey_](#amazoninspector2-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Inspector2
<a name="amazoninspector2-policy-keys"></a>

Amazon Inspector2 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Inspector2 Telemetry Channel
<a name="list_amazoninspector2telemetrychannel"></a>

Amazon Inspector2 Telemetry Channel (service prefix: `inspector2-telemetry`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/inspector/v2/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/inspector/latest/user/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Inspector2 Telemetry Channel
](#amazoninspector2telemetrychannel-actions-as-permissions)
+ [

## Resource types defined by Amazon Inspector2 Telemetry Channel
](#amazoninspector2telemetrychannel-resources-for-iam-policies)
+ [

## Condition keys for Amazon Inspector2 Telemetry Channel
](#amazoninspector2telemetrychannel-policy-keys)

## Actions defined by Amazon Inspector2 Telemetry Channel
<a name="amazoninspector2telemetrychannel-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoninspector2telemetrychannel-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/inspector/v2/APIReference/API_NotifyHeartbeat.html](https://docs.aws.amazon.com/inspector/v2/APIReference/API_NotifyHeartbeat.html)  | Grants permission to notify heartbeat for an active telemetry session | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/v2/APIReference/API_SendTelemetry.html](https://docs.aws.amazon.com/inspector/v2/APIReference/API_SendTelemetry.html)  | Grants permission to send telemetry for an active telemetry session | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/v2/APIReference/API_StartSession.html](https://docs.aws.amazon.com/inspector/v2/APIReference/API_StartSession.html)  | Grants permission to start a telemetry session | Write |  |  |  | 
|   [https://docs.aws.amazon.com/inspector/v2/APIReference/API_StopSession.html](https://docs.aws.amazon.com/inspector/v2/APIReference/API_StopSession.html)  | Grants permission to stop a telemetry session | Write |  |  |  | 

## Resource types defined by Amazon Inspector2 Telemetry Channel
<a name="amazoninspector2telemetrychannel-resources-for-iam-policies"></a>

Amazon Inspector2 Telemetry Channel does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Inspector2 Telemetry Channel, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Inspector2 Telemetry Channel
<a name="amazoninspector2telemetrychannel-policy-keys"></a>

Inspector2Telemtry has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon InspectorScan
<a name="list_amazoninspectorscan"></a>

Amazon InspectorScan (service prefix: `inspector-scan`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/inspector/latest/user/scanning-cicd.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/inspector/v2/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/inspector/latest/user/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon InspectorScan
](#amazoninspectorscan-actions-as-permissions)
+ [

## Resource types defined by Amazon InspectorScan
](#amazoninspectorscan-resources-for-iam-policies)
+ [

## Condition keys for Amazon InspectorScan
](#amazoninspectorscan-policy-keys)

## Actions defined by Amazon InspectorScan
<a name="amazoninspectorscan-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoninspectorscan-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/inspector/v2/APIReference/API_ScanSbom.html](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ScanSbom.html)  | Grants permission to scan the customer provided SBOM and return vulnerabilities detected within | Read |  |  |  | 

## Resource types defined by Amazon InspectorScan
<a name="amazoninspectorscan-resources-for-iam-policies"></a>

Amazon InspectorScan does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon InspectorScan, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon InspectorScan
<a name="amazoninspectorscan-policy-keys"></a>

InspectorScan has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Interactive Video Service
<a name="list_amazoninteractivevideoservice"></a>

Amazon Interactive Video Service (service prefix: `ivs`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ivs/latest/LowLatencyUserGuide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ivs/latest/LowLatencyUserGuide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Interactive Video Service
](#amazoninteractivevideoservice-actions-as-permissions)
+ [

## Resource types defined by Amazon Interactive Video Service
](#amazoninteractivevideoservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon Interactive Video Service
](#amazoninteractivevideoservice-policy-keys)

## Actions defined by Amazon Interactive Video Service
<a name="amazoninteractivevideoservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoninteractivevideoservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninteractivevideoservice.html)

## Resource types defined by Amazon Interactive Video Service
<a name="amazoninteractivevideoservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoninteractivevideoservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/API_Channel.html](https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/API_Channel.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:channel/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/API_StreamKey.html](https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/API_StreamKey.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:stream-key/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/API_PlaybackKeyPair.html](https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/API_PlaybackKeyPair.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:playback-key/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/API_PlaybackRestrictionPolicy.html](https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/API_PlaybackRestrictionPolicy.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:playback-restriction-policy/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/API_RecordingConfiguration.html](https://docs.aws.amazon.com/ivs/latest/LowLatencyAPIReference/API_RecordingConfiguration.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:recording-configuration/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_Stage.html](https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_Stage.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:stage/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_Composition.html](https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_Composition.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:composition/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_EncoderConfiguration.html](https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_EncoderConfiguration.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:encoder-configuration/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_StorageConfiguration.html](https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_StorageConfiguration.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:storage-configuration/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_PublicKey.html](https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_PublicKey.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:public-key/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_IngestConfiguration.html](https://docs.aws.amazon.com/ivs/latest/RealTimeAPIReference/API_IngestConfiguration.html)  |  arn:\$1\$1Partition\$1:ivs:\$1\$1Region\$1:\$1\$1Account\$1:ingest-configuration/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservice-aws_ResourceTag___TagKey_](#amazoninteractivevideoservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Interactive Video Service
<a name="amazoninteractivevideoservice-policy-keys"></a>

Amazon Interactive Video Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags associated with the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Interactive Video Service Chat
<a name="list_amazoninteractivevideoservicechat"></a>

Amazon Interactive Video Service Chat (service prefix: `ivschat`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ivs/latest/ChatUserGuide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ivs/latest/ChatAPIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ivs/latest/ChatUserGuide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Interactive Video Service Chat
](#amazoninteractivevideoservicechat-actions-as-permissions)
+ [

## Resource types defined by Amazon Interactive Video Service Chat
](#amazoninteractivevideoservicechat-resources-for-iam-policies)
+ [

## Condition keys for Amazon Interactive Video Service Chat
](#amazoninteractivevideoservicechat-policy-keys)

## Actions defined by Amazon Interactive Video Service Chat
<a name="amazoninteractivevideoservicechat-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazoninteractivevideoservicechat-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninteractivevideoservicechat.html)

## Resource types defined by Amazon Interactive Video Service Chat
<a name="amazoninteractivevideoservicechat-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoninteractivevideoservicechat-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/ivs/latest/ChatAPIReference/API_Room.html](https://docs.aws.amazon.com/ivs/latest/ChatAPIReference/API_Room.html)  |  arn:\$1\$1Partition\$1:ivschat:\$1\$1Region\$1:\$1\$1Account\$1:room/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservicechat-aws_ResourceTag___TagKey_](#amazoninteractivevideoservicechat-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ivs/latest/ChatAPIReference/API_LoggingConfiguration.html](https://docs.aws.amazon.com/ivs/latest/ChatAPIReference/API_LoggingConfiguration.html)  |  arn:\$1\$1Partition\$1:ivschat:\$1\$1Region\$1:\$1\$1Account\$1:logging-configuration/\$1\$1ResourceId\$1  |   [#amazoninteractivevideoservicechat-aws_ResourceTag___TagKey_](#amazoninteractivevideoservicechat-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Interactive Video Service Chat
<a name="amazoninteractivevideoservicechat-policy-keys"></a>

Amazon Interactive Video Service Chat defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags associated with the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Interconnect
<a name="list_awsinterconnect"></a>

AWS Interconnect (service prefix: `interconnect`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/interconnect/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/interconnect/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/interconnect/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Interconnect
](#awsinterconnect-actions-as-permissions)
+ [

## Resource types defined by AWS Interconnect
](#awsinterconnect-resources-for-iam-policies)
+ [

## Condition keys for AWS Interconnect
](#awsinterconnect-policy-keys)

## Actions defined by AWS Interconnect
<a name="awsinterconnect-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsinterconnect-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsinterconnect.html)

## Resource types defined by AWS Interconnect
<a name="awsinterconnect-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsinterconnect-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/interconnect/latest/api/Connection.html](https://docs.aws.amazon.com/interconnect/latest/api/Connection.html)  |  arn:\$1\$1Partition\$1:interconnect:\$1\$1Region\$1:\$1\$1Account\$1:connection/\$1\$1Id\$1  |   [#awsinterconnect-aws_ResourceTag___TagKey_](#awsinterconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/interconnect/latest/api/Environment.html](https://docs.aws.amazon.com/interconnect/latest/api/Environment.html)  |  arn:\$1\$1Partition\$1:interconnect:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1Id\$1  |  | 

## Condition keys for AWS Interconnect
<a name="awsinterconnect-policy-keys"></a>

AWS Interconnect defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Invoicing Service
<a name="list_awsinvoicingservice"></a>

AWS Invoicing Service (service prefix: `invoicing`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/security_iam_id-based-policy-examples.html#billing-permissions-ref).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Invoicing Service
](#awsinvoicingservice-actions-as-permissions)
+ [

## Resource types defined by AWS Invoicing Service
](#awsinvoicingservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Invoicing Service
](#awsinvoicingservice-policy-keys)

## Actions defined by AWS Invoicing Service
<a name="awsinvoicingservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsinvoicingservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsinvoicingservice.html)

## Resource types defined by AWS Invoicing Service
<a name="awsinvoicingservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsinvoicingservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_invoicing_InvoiceUnit.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_invoicing_InvoiceUnit.html)  |  arn:\$1\$1Partition\$1:invoicing::\$1\$1Account\$1:invoice-unit/\$1\$1Identifier\$1  |   [#awsinvoicingservice-aws_ResourceTag___TagKey_](#awsinvoicingservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_invoicing_ProcurementPortalPreference.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_invoicing_ProcurementPortalPreference.html)  |  arn:\$1\$1Partition\$1:invoicing::\$1\$1Account\$1:procurement-portal-preference/\$1\$1Identifier\$1  |   [#awsinvoicingservice-aws_ResourceTag___TagKey_](#awsinvoicingservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Invoicing Service
<a name="awsinvoicingservice-policy-keys"></a>

AWS Invoicing Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS IoT Analytics
<a name="list_awsiotanalytics"></a>

AWS IoT Analytics (service prefix: `iotanalytics`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/iotanalytics/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/iotanalytics/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/iotanalytics/latest/userguide/getting-started.html#aws-iot-analytics-step-create-role) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT Analytics
](#awsiotanalytics-actions-as-permissions)
+ [

## Resource types defined by AWS IoT Analytics
](#awsiotanalytics-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT Analytics
](#awsiotanalytics-policy-keys)

## Actions defined by AWS IoT Analytics
<a name="awsiotanalytics-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotanalytics-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotanalytics.html)

## Resource types defined by AWS IoT Analytics
<a name="awsiotanalytics-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotanalytics-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how)  |  arn:\$1\$1Partition\$1:iotanalytics:\$1\$1Region\$1:\$1\$1Account\$1:channel/\$1\$1ChannelName\$1  |   [#awsiotanalytics-aws_RequestTag___TagKey_](#awsiotanalytics-aws_RequestTag___TagKey_)   [#awsiotanalytics-aws_TagKeys](#awsiotanalytics-aws_TagKeys)   [#awsiotanalytics-iotanalytics_ResourceTag___TagKey_](#awsiotanalytics-iotanalytics_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how)  |  arn:\$1\$1Partition\$1:iotanalytics:\$1\$1Region\$1:\$1\$1Account\$1:dataset/\$1\$1DatasetName\$1  |   [#awsiotanalytics-aws_RequestTag___TagKey_](#awsiotanalytics-aws_RequestTag___TagKey_)   [#awsiotanalytics-aws_TagKeys](#awsiotanalytics-aws_TagKeys)   [#awsiotanalytics-iotanalytics_ResourceTag___TagKey_](#awsiotanalytics-iotanalytics_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how)  |  arn:\$1\$1Partition\$1:iotanalytics:\$1\$1Region\$1:\$1\$1Account\$1:datastore/\$1\$1DatastoreName\$1  |   [#awsiotanalytics-aws_RequestTag___TagKey_](#awsiotanalytics-aws_RequestTag___TagKey_)   [#awsiotanalytics-aws_TagKeys](#awsiotanalytics-aws_TagKeys)   [#awsiotanalytics-iotanalytics_ResourceTag___TagKey_](#awsiotanalytics-iotanalytics_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how)  |  arn:\$1\$1Partition\$1:iotanalytics:\$1\$1Region\$1:\$1\$1Account\$1:pipeline/\$1\$1PipelineName\$1  |   [#awsiotanalytics-aws_RequestTag___TagKey_](#awsiotanalytics-aws_RequestTag___TagKey_)   [#awsiotanalytics-aws_TagKeys](#awsiotanalytics-aws_TagKeys)   [#awsiotanalytics-iotanalytics_ResourceTag___TagKey_](#awsiotanalytics-iotanalytics_ResourceTag___TagKey_)   | 

## Condition keys for AWS IoT Analytics
<a name="awsiotanalytics-policy-keys"></a>

AWS IoT Analytics defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/iotanalytics/latest/userguide/tagging.html#tagging-iam](https://docs.aws.amazon.com/iotanalytics/latest/userguide/tagging.html#tagging-iam)  | Filters access by the tag key-value pairs attached to the resource | String | 

# Actions, resources, and condition keys for AWS IoT Core Device Advisor
<a name="list_awsiotcoredeviceadvisor"></a>

AWS IoT Core Device Advisor (service prefix: `iotdeviceadvisor`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/iot/latest/apireference/API_Operations_AWS_IoT_Core_Device_Advisor.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/iot/latest/developerguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT Core Device Advisor
](#awsiotcoredeviceadvisor-actions-as-permissions)
+ [

## Resource types defined by AWS IoT Core Device Advisor
](#awsiotcoredeviceadvisor-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT Core Device Advisor
](#awsiotcoredeviceadvisor-policy-keys)

## Actions defined by AWS IoT Core Device Advisor
<a name="awsiotcoredeviceadvisor-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotcoredeviceadvisor-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotcoredeviceadvisor.html)

## Resource types defined by AWS IoT Core Device Advisor
<a name="awsiotcoredeviceadvisor-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotcoredeviceadvisor-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor-workflow.html#device-advisor-workflow-create-suite-definition](https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor-workflow.html#device-advisor-workflow-create-suite-definition)  |  arn:\$1\$1Partition\$1:iotdeviceadvisor:\$1\$1Region\$1:\$1\$1Account\$1:suitedefinition/\$1\$1SuiteDefinitionId\$1  |   [#awsiotcoredeviceadvisor-aws_ResourceTag___TagKey_](#awsiotcoredeviceadvisor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor-workflow.html#device-advisor-workflow-start-suite-run](https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor-workflow.html#device-advisor-workflow-start-suite-run)  |  arn:\$1\$1Partition\$1:iotdeviceadvisor:\$1\$1Region\$1:\$1\$1Account\$1:suiterun/\$1\$1SuiteDefinitionId\$1/\$1\$1SuiteRunId\$1  |   [#awsiotcoredeviceadvisor-aws_ResourceTag___TagKey_](#awsiotcoredeviceadvisor-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS IoT Core Device Advisor
<a name="awsiotcoredeviceadvisor-policy-keys"></a>

AWS IoT Core Device Advisor defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS IoT Device Tester
<a name="list_awsiotdevicetester"></a>

AWS IoT Device Tester (service prefix: `iot-device-tester`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/freertos/latest/userguide/device-tester-for-freertos-ug.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT Device Tester
](#awsiotdevicetester-actions-as-permissions)
+ [

## Resource types defined by AWS IoT Device Tester
](#awsiotdevicetester-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT Device Tester
](#awsiotdevicetester-policy-keys)

## Actions defined by AWS IoT Device Tester
<a name="awsiotdevicetester-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotdevicetester-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html](https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html)  | Grants permission to IoT Device Tester to check if a given set of product, test suite and device tester version are compatible | Read |  |  |  | 
|   [https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html](https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html)  | Grants permission to IoT Device Tester to download compatible test suite versions | Read |  |  |  | 
|   [https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html](https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html)  | Grants permission to IoT Device Tester to get information on latest version of device tester available | Read |  |  |  | 
|   [https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html](https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html)  | Grants permission to IoT Device Tester to send usage metrics on your behalf | Write |  |  |  | 
|   [https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html](https://docs.aws.amazon.com/freertos/latest/userguide/dev-tester-prereqs.html)  | Grants permission to IoT Device Tester to get list of supported products and test suite versions | Read |  |  |  | 

## Resource types defined by AWS IoT Device Tester
<a name="awsiotdevicetester-resources-for-iam-policies"></a>

AWS IoT Device Tester does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS IoT Device Tester, specify `"Resource": "*"` in your policy.

## Condition keys for AWS IoT Device Tester
<a name="awsiotdevicetester-policy-keys"></a>

IoT Device Tester has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS IoT Events
<a name="list_awsiotevents"></a>

AWS IoT Events (service prefix: `iotevents`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/iotevents/index.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/iotevents/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/iotevents/latest/developerguide/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT Events
](#awsiotevents-actions-as-permissions)
+ [

## Resource types defined by AWS IoT Events
](#awsiotevents-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT Events
](#awsiotevents-policy-keys)

## Actions defined by AWS IoT Events
<a name="awsiotevents-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotevents-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotevents.html)

## Resource types defined by AWS IoT Events
<a name="awsiotevents-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotevents-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/iotevents/latest/developerguide/iotevents-getting-started.html](https://docs.aws.amazon.com/iotevents/latest/developerguide/iotevents-getting-started.html)  |  arn:\$1\$1Partition\$1:iotevents:\$1\$1Region\$1:\$1\$1Account\$1:detectorModel/\$1\$1DetectorModelName\$1  |   [#awsiotevents-aws_ResourceTag___TagKey_](#awsiotevents-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iotevents/latest/developerguide/iotevents-getting-started.html](https://docs.aws.amazon.com/iotevents/latest/developerguide/iotevents-getting-started.html)  |  arn:\$1\$1Partition\$1:iotevents:\$1\$1Region\$1:\$1\$1Account\$1:alarmModel/\$1\$1AlarmModelName\$1  |   [#awsiotevents-aws_ResourceTag___TagKey_](#awsiotevents-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iotevents/latest/developerguide/iotevents-getting-started.html](https://docs.aws.amazon.com/iotevents/latest/developerguide/iotevents-getting-started.html)  |  arn:\$1\$1Partition\$1:iotevents:\$1\$1Region\$1:\$1\$1Account\$1:input/\$1\$1InputName\$1  |   [#awsiotevents-aws_ResourceTag___TagKey_](#awsiotevents-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS IoT Events
<a name="awsiotevents-policy-keys"></a>

AWS IoT Events defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions by the tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/iotevents/latest/developerguide/security_iam_id-based-policy-examples.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iotevents/latest/developerguide/security_iam_id-based-policy-examples.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the instanceId (key-value) of the message | String | 

# Actions, resources, and condition keys for AWS IoT Fleet Hub for Device Management
<a name="list_awsiotfleethubfordevicemanagement"></a>

AWS IoT Fleet Hub for Device Management (service prefix: `iotfleethub`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/iot/latest/fleethubuserguide).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/iot/latest/apireference/API_Operations_AWS_IoT_Fleet_Hub.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/iot/latest/fleethubuserguide/aws-iot-monitor-security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT Fleet Hub for Device Management
](#awsiotfleethubfordevicemanagement-actions-as-permissions)
+ [

## Resource types defined by AWS IoT Fleet Hub for Device Management
](#awsiotfleethubfordevicemanagement-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT Fleet Hub for Device Management
](#awsiotfleethubfordevicemanagement-policy-keys)

## Actions defined by AWS IoT Fleet Hub for Device Management
<a name="awsiotfleethubfordevicemanagement-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotfleethubfordevicemanagement-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleethubfordevicemanagement.html)

## Resource types defined by AWS IoT Fleet Hub for Device Management
<a name="awsiotfleethubfordevicemanagement-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotfleethubfordevicemanagement-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/iot/latest/apireference/API_iotfleethub_ApplicationSummary.html](https://docs.aws.amazon.com/iot/latest/apireference/API_iotfleethub_ApplicationSummary.html)  |  arn:\$1\$1Partition\$1:iotfleethub:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1  |   [#awsiotfleethubfordevicemanagement-aws_ResourceTag___TagKey_](#awsiotfleethubfordevicemanagement-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS IoT Fleet Hub for Device Management
<a name="awsiotfleethubfordevicemanagement-policy-keys"></a>

AWS IoT Fleet Hub for Device Management defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions by the tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS IoT FleetWise
<a name="list_awsiotfleetwise"></a>

AWS IoT FleetWise (service prefix: `iotfleetwise`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/iot-fleetwise/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT FleetWise
](#awsiotfleetwise-actions-as-permissions)
+ [

## Resource types defined by AWS IoT FleetWise
](#awsiotfleetwise-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT FleetWise
](#awsiotfleetwise-policy-keys)

## Actions defined by AWS IoT FleetWise
<a name="awsiotfleetwise-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotfleetwise-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html)

## Resource types defined by AWS IoT FleetWise
<a name="awsiotfleetwise-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotfleetwise-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/campaigns.html](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/campaigns.html)  |  arn:\$1\$1Partition\$1:iotfleetwise:\$1\$1Region\$1:\$1\$1Account\$1:campaign/\$1\$1CampaignName\$1  |   [#awsiotfleetwise-aws_ResourceTag___TagKey_](#awsiotfleetwise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/decoder-manifests.html](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/decoder-manifests.html)  |  arn:\$1\$1Partition\$1:iotfleetwise:\$1\$1Region\$1:\$1\$1Account\$1:decoder-manifest/\$1\$1Name\$1  |   [#awsiotfleetwise-aws_ResourceTag___TagKey_](#awsiotfleetwise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/fleets.html](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/fleets.html)  |  arn:\$1\$1Partition\$1:iotfleetwise:\$1\$1Region\$1:\$1\$1Account\$1:fleet/\$1\$1FleetId\$1  |   [#awsiotfleetwise-aws_ResourceTag___TagKey_](#awsiotfleetwise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/vehicle-models.html](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/vehicle-models.html)  |  arn:\$1\$1Partition\$1:iotfleetwise:\$1\$1Region\$1:\$1\$1Account\$1:model-manifest/\$1\$1Name\$1  |   [#awsiotfleetwise-aws_ResourceTag___TagKey_](#awsiotfleetwise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/signal-catalogs.html](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/signal-catalogs.html)  |  arn:\$1\$1Partition\$1:iotfleetwise:\$1\$1Region\$1:\$1\$1Account\$1:signal-catalog/\$1\$1Name\$1  |   [#awsiotfleetwise-aws_ResourceTag___TagKey_](#awsiotfleetwise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/vehicles.html](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/vehicles.html)  |  arn:\$1\$1Partition\$1:iotfleetwise:\$1\$1Region\$1:\$1\$1Account\$1:vehicle/\$1\$1VehicleId\$1  |   [#awsiotfleetwise-aws_ResourceTag___TagKey_](#awsiotfleetwise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/last-known-state.html](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/last-known-state.html)  |  arn:\$1\$1Partition\$1:iotfleetwise:\$1\$1Region\$1:\$1\$1Account\$1:state-template/\$1\$1StateTemplateId\$1  |   [#awsiotfleetwise-aws_ResourceTag___TagKey_](#awsiotfleetwise-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS IoT FleetWise
<a name="awsiotfleetwise-policy-keys"></a>

AWS IoT FleetWise defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html)  | Filters access by campaign destination ARN, eg. an S3 bucket ARN or a Timestream ARN | ARN | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html)  | Filters access by fully qualified signal names | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html)  | Filters access by a list of IoT FleetWise Decoder Manifest ARNs | ARN | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html)  | Filters access by a list of IoT FleetWise Model Manifest ARNs | ARN | 

# Actions, resources, and condition keys for AWS IoT Greengrass
<a name="list_awsiotgreengrass"></a>

AWS IoT Greengrass (service prefix: `greengrass`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/greengrass/v1/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/greengrass/v1/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/greengrass/v1/developerguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT Greengrass
](#awsiotgreengrass-actions-as-permissions)
+ [

## Resource types defined by AWS IoT Greengrass
](#awsiotgreengrass-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT Greengrass
](#awsiotgreengrass-policy-keys)

## Actions defined by AWS IoT Greengrass
<a name="awsiotgreengrass-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotgreengrass-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotgreengrass.html)

## Resource types defined by AWS IoT Greengrass
<a name="awsiotgreengrass-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotgreengrass-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-connectivityinfo.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-connectivityinfo.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/things/\$1\$1ThingName\$1/connectivityInfo  |  | 
|   [https://docs.aws.amazon.com/greengrass/latest/developerguide/gg-sec.html](https://docs.aws.amazon.com/greengrass/latest/developerguide/gg-sec.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/groups/\$1\$1GroupId\$1/certificateauthorities/\$1\$1CertificateAuthorityId\$1  |  | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-createdeploymentrequest.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-createdeploymentrequest.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/groups/\$1\$1GroupId\$1/deployments/\$1\$1DeploymentId\$1  |  | 
|   [https://docs.aws.amazon.com/greengrass/latest/developerguide/bulk-deploy-cli.html](https://docs.aws.amazon.com/greengrass/latest/developerguide/bulk-deploy-cli.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/bulk/deployments/\$1\$1BulkDeploymentId\$1  |   [#awsiotgreengrass-aws_ResourceTag___TagKey_](#awsiotgreengrass-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-groupinformation.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-groupinformation.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/groups/\$1\$1GroupId\$1  |   [#awsiotgreengrass-aws_ResourceTag___TagKey_](#awsiotgreengrass-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-groupversion.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-groupversion.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/groups/\$1\$1GroupId\$1/versions/\$1\$1VersionId\$1  |  | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-core.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-core.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/cores/\$1\$1CoreDefinitionId\$1  |   [#awsiotgreengrass-aws_ResourceTag___TagKey_](#awsiotgreengrass-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-coredefinitionversion.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-coredefinitionversion.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/cores/\$1\$1CoreDefinitionId\$1/versions/\$1\$1VersionId\$1  |  | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-device.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-device.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/devices/\$1\$1DeviceDefinitionId\$1  |   [#awsiotgreengrass-aws_ResourceTag___TagKey_](#awsiotgreengrass-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-devicedefinitionversion.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-devicedefinitionversion.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/devices/\$1\$1DeviceDefinitionId\$1/versions/\$1\$1VersionId\$1  |  | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-function.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-function.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/functions/\$1\$1FunctionDefinitionId\$1  |   [#awsiotgreengrass-aws_ResourceTag___TagKey_](#awsiotgreengrass-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-functiondefinitionversion.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-functiondefinitionversion.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/functions/\$1\$1FunctionDefinitionId\$1/versions/\$1\$1VersionId\$1  |  | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-subscription.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-subscription.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/subscriptions/\$1\$1SubscriptionDefinitionId\$1  |   [#awsiotgreengrass-aws_ResourceTag___TagKey_](#awsiotgreengrass-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-subscriptiondefinitionversion.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-subscriptiondefinitionversion.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/subscriptions/\$1\$1SubscriptionDefinitionId\$1/versions/\$1\$1VersionId\$1  |  | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-logger.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-logger.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/loggers/\$1\$1LoggerDefinitionId\$1  |   [#awsiotgreengrass-aws_ResourceTag___TagKey_](#awsiotgreengrass-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-loggerdefinitionversion.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-loggerdefinitionversion.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/loggers/\$1\$1LoggerDefinitionId\$1/versions/\$1\$1VersionId\$1  |  | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-resource.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-resource.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/resources/\$1\$1ResourceDefinitionId\$1  |   [#awsiotgreengrass-aws_ResourceTag___TagKey_](#awsiotgreengrass-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-resourcedefinitionversion.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-resourcedefinitionversion.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/resources/\$1\$1ResourceDefinitionId\$1/versions/\$1\$1VersionId\$1  |  | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-connector.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-connector.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/connectors/\$1\$1ConnectorDefinitionId\$1  |   [#awsiotgreengrass-aws_ResourceTag___TagKey_](#awsiotgreengrass-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-connectordefinitionversion.html](https://docs.aws.amazon.com/greengrass/v1/apireference/definitions-connectordefinitionversion.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/definition/connectors/\$1\$1ConnectorDefinitionId\$1/versions/\$1\$1VersionId\$1  |  | 
|   [https://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html](https://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html)  |  arn:\$1\$1Partition\$1:iot:\$1\$1Region\$1:\$1\$1Account\$1:thing/\$1\$1ThingName\$1  |  | 
|   [https://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html](https://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/things/\$1\$1ThingName\$1/runtimeconfig  |  | 

## Condition keys for AWS IoT Greengrass
<a name="awsiotgreengrass-policy-keys"></a>

AWS IoT Greengrass defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the mandatory tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS IoT Greengrass V2
<a name="list_awsiotgreengrassv2"></a>

AWS IoT Greengrass V2 (service prefix: `greengrass`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/greengrass/v2/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/greengrass/v2/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/greengrass/v2/developerguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT Greengrass V2
](#awsiotgreengrassv2-actions-as-permissions)
+ [

## Resource types defined by AWS IoT Greengrass V2
](#awsiotgreengrassv2-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT Greengrass V2
](#awsiotgreengrassv2-policy-keys)

## Actions defined by AWS IoT Greengrass V2
<a name="awsiotgreengrassv2-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotgreengrassv2-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotgreengrassv2.html)

## Resource types defined by AWS IoT Greengrass V2
<a name="awsiotgreengrassv2-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotgreengrassv2-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/greengrass/v2/APIReference/API_ConnectivityInfo.html](https://docs.aws.amazon.com/greengrass/v2/APIReference/API_ConnectivityInfo.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:/greengrass/things/\$1\$1ThingName\$1/connectivityInfo  |  | 
|   [https://docs.aws.amazon.com/greengrass/v2/APIReference/API_Component.html](https://docs.aws.amazon.com/greengrass/v2/APIReference/API_Component.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:components:\$1\$1ComponentName\$1  |   [#awsiotgreengrassv2-aws_ResourceTag___TagKey_](#awsiotgreengrassv2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v2/APIReference/API_Component.html](https://docs.aws.amazon.com/greengrass/v2/APIReference/API_Component.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:components:\$1\$1ComponentName\$1:versions:\$1\$1ComponentVersion\$1  |   [#awsiotgreengrassv2-aws_ResourceTag___TagKey_](#awsiotgreengrassv2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v2/APIReference/API_CoreDevice.html](https://docs.aws.amazon.com/greengrass/v2/APIReference/API_CoreDevice.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:coreDevices:\$1\$1CoreDeviceThingName\$1  |   [#awsiotgreengrassv2-aws_ResourceTag___TagKey_](#awsiotgreengrassv2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/greengrass/v2/APIReference/API_Deployment.html](https://docs.aws.amazon.com/greengrass/v2/APIReference/API_Deployment.html)  |  arn:\$1\$1Partition\$1:greengrass:\$1\$1Region\$1:\$1\$1Account\$1:deployments:\$1\$1DeploymentId\$1  |   [#awsiotgreengrassv2-aws_ResourceTag___TagKey_](#awsiotgreengrassv2-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS IoT Greengrass V2
<a name="awsiotgreengrassv2-policy-keys"></a>

AWS IoT Greengrass V2 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by checking tag key/value pairs included in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by checking tag key/value pairs associated with a specific resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by checking tag keys passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS IoT Jobs DataPlane
<a name="list_awsiotjobsdataplane"></a>

AWS IoT Jobs DataPlane (service prefix: `iotjobsdata`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/iot/latest/developerguide/what-is-aws-iot.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/iot/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/iot/latest/developerguide/authorization.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT Jobs DataPlane
](#awsiotjobsdataplane-actions-as-permissions)
+ [

## Resource types defined by AWS IoT Jobs DataPlane
](#awsiotjobsdataplane-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT Jobs DataPlane
](#awsiotjobsdataplane-policy-keys)

## Actions defined by AWS IoT Jobs DataPlane
<a name="awsiotjobsdataplane-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotjobsdataplane-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotjobsdataplane.html)

## Resource types defined by AWS IoT Jobs DataPlane
<a name="awsiotjobsdataplane-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotjobsdataplane-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html](https://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html)  |  arn:\$1\$1Partition\$1:iot:\$1\$1Region\$1:\$1\$1Account\$1:thing/\$1\$1ThingName\$1  |  | 

## Condition keys for AWS IoT Jobs DataPlane
<a name="awsiotjobsdataplane-policy-keys"></a>

AWS IoT Jobs DataPlane defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html)  | Filters access by jobId for iotjobsdata:DescribeJobExecution and iotjobsdata:UpdateJobExecution APIs | String | 

# Actions, resources, and condition keys for AWS IoT Managed Integrations
<a name="list_awsiotmanagedintegrations"></a>

AWS IoT Managed Integrations (service prefix: `iotmanagedintegrations`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/iotmanagedintegrations/latest/devguide/what-is-managedintegrations.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/iotmanagedintegrations/latest/devguide/what-is-managedintegrations.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT Managed Integrations
](#awsiotmanagedintegrations-actions-as-permissions)
+ [

## Resource types defined by AWS IoT Managed Integrations
](#awsiotmanagedintegrations-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT Managed Integrations
](#awsiotmanagedintegrations-policy-keys)

## Actions defined by AWS IoT Managed Integrations
<a name="awsiotmanagedintegrations-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotmanagedintegrations-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotmanagedintegrations.html)

## Resource types defined by AWS IoT Managed Integrations
<a name="awsiotmanagedintegrations-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotmanagedintegrations-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/](https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/)  |  arn:\$1\$1Partition\$1:iotmanagedintegrations:\$1\$1Region\$1:\$1\$1Account\$1:account-association/\$1\$1AccountAssociationId\$1  |   [#awsiotmanagedintegrations-aws_ResourceTag___TagKey_](#awsiotmanagedintegrations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/](https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/)  |  arn:\$1\$1Partition\$1:iotmanagedintegrations:\$1\$1Region\$1:\$1\$1Account\$1:credential-locker/\$1\$1Identifier\$1  |   [#awsiotmanagedintegrations-aws_ResourceTag___TagKey_](#awsiotmanagedintegrations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/](https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/)  |  arn:\$1\$1Partition\$1:iotmanagedintegrations:\$1\$1Region\$1:\$1\$1Account\$1:managed-thing/\$1\$1Identifier\$1  |   [#awsiotmanagedintegrations-aws_ResourceTag___TagKey_](#awsiotmanagedintegrations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/](https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/)  |  arn:\$1\$1Partition\$1:iotmanagedintegrations:\$1\$1Region\$1:\$1\$1Account\$1:ota-task/\$1\$1Identifier\$1  |   [#awsiotmanagedintegrations-aws_ResourceTag___TagKey_](#awsiotmanagedintegrations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/](https://docs.aws.amazon.com/iotmanagedintegrations/latest/APIReference/)  |  arn:\$1\$1Partition\$1:iotmanagedintegrations:\$1\$1Region\$1:\$1\$1Account\$1:provisioning-profile/\$1\$1Identifier\$1  |   [#awsiotmanagedintegrations-aws_ResourceTag___TagKey_](#awsiotmanagedintegrations-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS IoT Managed Integrations
<a name="awsiotmanagedintegrations-policy-keys"></a>

AWS IoT Managed Integrations defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotmanagedintegrations.html#awsiotmanagedintegrations-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotmanagedintegrations.html#awsiotmanagedintegrations-policy-keys)  | Filters access by the CloudConnectorId | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotmanagedintegrations.html#awsiotmanagedintegrations-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotmanagedintegrations.html#awsiotmanagedintegrations-policy-keys)  | Filters access by the ConnectorDestinationId | String | 

# Actions, resources, and condition keys for AWS IoT SiteWise
<a name="list_awsiotsitewise"></a>

AWS IoT SiteWise (service prefix: `iotsitewise`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT SiteWise
](#awsiotsitewise-actions-as-permissions)
+ [

## Resource types defined by AWS IoT SiteWise
](#awsiotsitewise-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT SiteWise
](#awsiotsitewise-policy-keys)

## Actions defined by AWS IoT SiteWise
<a name="awsiotsitewise-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotsitewise-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html)

## Resource types defined by AWS IoT SiteWise
<a name="awsiotsitewise-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotsitewise-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateAsset.html](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateAsset.html)  |  arn:\$1\$1Partition\$1:iotsitewise:\$1\$1Region\$1:\$1\$1Account\$1:asset/\$1\$1AssetId\$1  |   [#awsiotsitewise-aws_ResourceTag___TagKey_](#awsiotsitewise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateAssetModel.html](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateAssetModel.html)  |  arn:\$1\$1Partition\$1:iotsitewise:\$1\$1Region\$1:\$1\$1Account\$1:asset-model/\$1\$1AssetModelId\$1  |   [#awsiotsitewise-aws_ResourceTag___TagKey_](#awsiotsitewise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_DescribeTimeSeries.html](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_DescribeTimeSeries.html)  |  arn:\$1\$1Partition\$1:iotsitewise:\$1\$1Region\$1:\$1\$1Account\$1:time-series/\$1\$1TimeSeriesId\$1  |   [#awsiotsitewise-aws_ResourceTag___TagKey_](#awsiotsitewise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateGateway.html](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateGateway.html)  |  arn:\$1\$1Partition\$1:iotsitewise:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1  |   [#awsiotsitewise-aws_ResourceTag___TagKey_](#awsiotsitewise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreatePortal.html](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreatePortal.html)  |  arn:\$1\$1Partition\$1:iotsitewise:\$1\$1Region\$1:\$1\$1Account\$1:portal/\$1\$1PortalId\$1  |   [#awsiotsitewise-aws_ResourceTag___TagKey_](#awsiotsitewise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateProject.html](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateProject.html)  |  arn:\$1\$1Partition\$1:iotsitewise:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ProjectId\$1  |   [#awsiotsitewise-aws_ResourceTag___TagKey_](#awsiotsitewise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateDashboard.html](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateDashboard.html)  |  arn:\$1\$1Partition\$1:iotsitewise:\$1\$1Region\$1:\$1\$1Account\$1:dashboard/\$1\$1DashboardId\$1  |   [#awsiotsitewise-aws_ResourceTag___TagKey_](#awsiotsitewise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateAccessPolicy.html](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateAccessPolicy.html)  |  arn:\$1\$1Partition\$1:iotsitewise:\$1\$1Region\$1:\$1\$1Account\$1:access-policy/\$1\$1AccessPolicyId\$1  |   [#awsiotsitewise-aws_ResourceTag___TagKey_](#awsiotsitewise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateDataset.html](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateDataset.html)  |  arn:\$1\$1Partition\$1:iotsitewise:\$1\$1Region\$1:\$1\$1Account\$1:dataset/\$1\$1DatasetId\$1  |   [#awsiotsitewise-aws_ResourceTag___TagKey_](#awsiotsitewise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateComputationModel.html](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateComputationModel.html)  |  arn:\$1\$1Partition\$1:iotsitewise:\$1\$1Region\$1:\$1\$1Account\$1:computation-model/\$1\$1ComputationModelId\$1  |   [#awsiotsitewise-aws_ResourceTag___TagKey_](#awsiotsitewise-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS IoT SiteWise
<a name="awsiotsitewise-policy-keys"></a>

AWS IoT SiteWise defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by an asset hierarchy path, which is the string of asset IDs in the asset's hierarchy, each separated by a forward slash | String | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the ID of a child asset being associated whith a parent asset | String | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the ID of an AWS Single Sign-On group | String | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the ID of an AWS IAM identity | String | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by data streams associated with or not associated with asset properties | String | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the ID of a portal | String | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the ID of a project | String | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the property alias | String | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the ID of an asset property | String | 
|   [https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the ID of an AWS Single Sign-On user | String | 

# Actions, resources, and condition keys for AWS IoT TwinMaker
<a name="list_awsiottwinmaker"></a>

AWS IoT TwinMaker (service prefix: `iottwinmaker`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/iot-twinmaker/latest/guide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/iot-twinmaker/latest/guide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT TwinMaker
](#awsiottwinmaker-actions-as-permissions)
+ [

## Resource types defined by AWS IoT TwinMaker
](#awsiottwinmaker-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT TwinMaker
](#awsiottwinmaker-policy-keys)

## Actions defined by AWS IoT TwinMaker
<a name="awsiottwinmaker-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiottwinmaker-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html)

## Resource types defined by AWS IoT TwinMaker
<a name="awsiottwinmaker-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiottwinmaker-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateWorkspace.html](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateWorkspace.html)  |  arn:\$1\$1Partition\$1:iottwinmaker:\$1\$1Region\$1:\$1\$1Account\$1:workspace/\$1\$1WorkspaceId\$1  |   [#awsiottwinmaker-aws_ResourceTag___TagKey_](#awsiottwinmaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateEntity.html](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateEntity.html)  |  arn:\$1\$1Partition\$1:iottwinmaker:\$1\$1Region\$1:\$1\$1Account\$1:workspace/\$1\$1WorkspaceId\$1/entity/\$1\$1EntityId\$1  |   [#awsiottwinmaker-aws_ResourceTag___TagKey_](#awsiottwinmaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateComponentType.html](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateComponentType.html)  |  arn:\$1\$1Partition\$1:iottwinmaker:\$1\$1Region\$1:\$1\$1Account\$1:workspace/\$1\$1WorkspaceId\$1/component-type/\$1\$1ComponentTypeId\$1  |   [#awsiottwinmaker-aws_ResourceTag___TagKey_](#awsiottwinmaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateScene.html](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateScene.html)  |  arn:\$1\$1Partition\$1:iottwinmaker:\$1\$1Region\$1:\$1\$1Account\$1:workspace/\$1\$1WorkspaceId\$1/scene/\$1\$1SceneId\$1  |   [#awsiottwinmaker-aws_ResourceTag___TagKey_](#awsiottwinmaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateSyncJob.html](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateSyncJob.html)  |  arn:\$1\$1Partition\$1:iottwinmaker:\$1\$1Region\$1:\$1\$1Account\$1:workspace/\$1\$1WorkspaceId\$1/sync-job/\$1\$1SyncJobId\$1  |   [#awsiottwinmaker-aws_ResourceTag___TagKey_](#awsiottwinmaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateMetadataTransferJob.html](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateMetadataTransferJob.html)  |  arn:\$1\$1Partition\$1:iottwinmaker:\$1\$1Region\$1:\$1\$1Account\$1:metadata-transfer-job/\$1\$1MetadataTransferJobId\$1  |  | 

## Condition keys for AWS IoT TwinMaker
<a name="awsiottwinmaker-policy-keys"></a>

AWS IoT TwinMaker defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html#awsiottwinmaker-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html#awsiottwinmaker-policy-keys)  | Filters access by destination type of metadata transfer job | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html#awsiottwinmaker-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html#awsiottwinmaker-policy-keys)  | Filters access by workspace linked to services | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html#awsiottwinmaker-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html#awsiottwinmaker-policy-keys)  | Filters access by source type of metadata transfer job | ArrayOfString | 

# Actions, resources, and condition keys for AWS IoT Wireless
<a name="list_awsiotwireless"></a>

AWS IoT Wireless (service prefix: `iotwireless`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/iot/latest/developerguide/what-is-aws-iot.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/iot-wireless/latest/apireference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/iot/latest/developerguide/iot-authorization.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IoT Wireless
](#awsiotwireless-actions-as-permissions)
+ [

## Resource types defined by AWS IoT Wireless
](#awsiotwireless-resources-for-iam-policies)
+ [

## Condition keys for AWS IoT Wireless
](#awsiotwireless-policy-keys)

## Actions defined by AWS IoT Wireless
<a name="awsiotwireless-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiotwireless-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html)

## Resource types defined by AWS IoT Wireless
<a name="awsiotwireless-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiotwireless-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateWirelessDevice.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateWirelessDevice.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:WirelessDevice/\$1\$1WirelessDeviceId\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateWirelessGateway.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateWirelessGateway.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:WirelessGateway/\$1\$1WirelessGatewayId\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateDeviceProfile.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateDeviceProfile.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:DeviceProfile/\$1\$1DeviceProfileId\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateServiceProfile.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateServiceProfile.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:ServiceProfile/\$1\$1ServiceProfileId\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateDestination.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateDestination.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:Destination/\$1\$1DestinationName\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_AssociateAwsAccountWithPartnerAccount.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_AssociateAwsAccountWithPartnerAccount.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:SidewalkAccount/\$1\$1SidewalkAccountId\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateWirelessGatewayTaskDefinition.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateWirelessGatewayTaskDefinition.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:WirelessGatewayTaskDefinition/\$1\$1WirelessGatewayTaskDefinitionId\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateFuotaTask.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateFuotaTask.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:FuotaTask/\$1\$1FuotaTaskId\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateMulticastGroup.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateMulticastGroup.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:MulticastGroup/\$1\$1MulticastGroupId\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateNetworkAnalyzerConfiguration.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_CreateNetworkAnalyzerConfiguration.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:NetworkAnalyzerConfiguration/\$1\$1NetworkAnalyzerConfigurationName\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html](https://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html)  |  arn:\$1\$1Partition\$1:iot:\$1\$1Region\$1:\$1\$1Account\$1:thing/\$1\$1ThingName\$1  |  | 
|   [https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html](https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html)  |  arn:\$1\$1Partition\$1:iot:\$1\$1Region\$1:\$1\$1Account\$1:cert/\$1\$1Certificate\$1  |  | 
|   [https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_StartWirelessDeviceImportTask.html](https://docs.aws.amazon.com/iot-wireless/latest/apireference/API_StartWirelessDeviceImportTask.html)  |  arn:\$1\$1Partition\$1:iotwireless:\$1\$1Region\$1:\$1\$1Account\$1:ImportTask/\$1\$1ImportTaskId\$1  |   [#awsiotwireless-aws_ResourceTag___TagKey_](#awsiotwireless-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS IoT Wireless
<a name="awsiotwireless-policy-keys"></a>

AWS IoT Wireless defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key that is present in the request that the user makes to IoT Wireless | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key component of a tag attached to an IoT Wireless resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the list of all the tag key names associated with the resource in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html)  | Filters access by destination name associated with the IoT Wireless resource | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html)  | Filters access by device profile id associated with the IoT Wireless resource | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html)  | Filters access by service profile id associated with the IoT Wireless resource | String | 

# Actions, resources, and condition keys for AWS IQ
<a name="list_awsiq"></a>

AWS IQ (service prefix: `iq`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/aws-iq/latest/user-guide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-iq/latest/user-guide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/aws-iq/latest/experts-user-guide/set-up-expert-account-permissions-to-use-aws-iq.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IQ
](#awsiq-actions-as-permissions)
+ [

## Resource types defined by AWS IQ
](#awsiq-resources-for-iam-policies)
+ [

## Condition keys for AWS IQ
](#awsiq-policy-keys)

## Actions defined by AWS IQ
<a name="awsiq-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiq-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiq.html)

## Resource types defined by AWS IQ
<a name="awsiq-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiq-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::conversation/\$1\$1ConversationId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::buyer/\$1\$1BuyerId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::expert/\$1\$1ExpertId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::call/\$1\$1CallId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::token/\$1\$1TokenId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::proposal/\$1\$1ConversationId\$1/\$1\$1ProposalId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::paymentRequest/\$1\$1ConversationId\$1/\$1\$1ProposalId\$1/\$1\$1PaymentRequestId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::paymentSchedule/\$1\$1ConversationId\$1/\$1\$1ProposalId\$1/\$1\$1VersionId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::seller/\$1\$1SellerAwsAccountId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::company/\$1\$1CompanyId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::request/\$1\$1RequestId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::listing/\$1\$1ListingId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq:\$1\$1Region\$1::attachment/\$1\$1AttachmentId\$1  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq-permission:\$1\$1Region\$1::permission/\$1\$1PermissionRequestId\$1  |  | 

## Condition keys for AWS IQ
<a name="awsiq-policy-keys"></a>

IQ has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS IQ Permissions
<a name="list_awsiqpermissions"></a>

AWS IQ Permissions (service prefix: `iq-permission`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/aws-iq/latest/experts-user-guide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-iq/latest/experts-user-guide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/aws-iq/latest/experts-user-guide/set-up-expert-account-permissions-to-use-aws-iq.html) permission policies.

**Topics**
+ [

## Actions defined by AWS IQ Permissions
](#awsiqpermissions-actions-as-permissions)
+ [

## Resource types defined by AWS IQ Permissions
](#awsiqpermissions-resources-for-iam-policies)
+ [

## Condition keys for AWS IQ Permissions
](#awsiqpermissions-policy-keys)

## Actions defined by AWS IQ Permissions
<a name="awsiqpermissions-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsiqpermissions-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  | Grants permission to approve a permission request | Write |   [#awsiqpermissions-permission](#awsiqpermissions-permission)   |  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  | Grants permission to approve a permission request | Write |   [#awsiqpermissions-permission](#awsiqpermissions-permission)   |  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  | Grants permission to obtain a set of temporary security credentials for experts which they can use to access buyers' AWS resources | Write |   [#awsiqpermissions-permission](#awsiqpermissions-permission)   |  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  | Grants permission to create a permission request | Write |   [#awsiqpermissions-permission](#awsiqpermissions-permission)   |  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  | Grants permission to get a permission request | Read |   [#awsiqpermissions-permission](#awsiqpermissions-permission)   |  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  | Grants permission to list permission requests | Read |   [#awsiqpermissions-permission](#awsiqpermissions-permission)   |  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  | Grants permission to reject a permission request | Write |   [#awsiqpermissions-permission](#awsiqpermissions-permission)   |  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  | Grants permission to revoke a permission request which was previously approved | Write |   [#awsiqpermissions-permission](#awsiqpermissions-permission)   |  |  | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  | Grants permission to withdraw a permission request that has not been approved or declined | Write |   [#awsiqpermissions-permission](#awsiqpermissions-permission)   |  |  | 

## Resource types defined by AWS IQ Permissions
<a name="awsiqpermissions-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsiqpermissions-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://aws.amazon.com/iq/](https://aws.amazon.com/iq/)  |  arn:\$1\$1Partition\$1:iq-permission:\$1\$1Region\$1::permission/\$1\$1PermissionRequestId\$1  |  | 

## Condition keys for AWS IQ Permissions
<a name="awsiqpermissions-policy-keys"></a>

IQ Permission has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Kendra
<a name="list_amazonkendra"></a>

Amazon Kendra (service prefix: `kendra`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/kendra/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/kendra/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/kendra/latest/dg/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Kendra
](#amazonkendra-actions-as-permissions)
+ [

## Resource types defined by Amazon Kendra
](#amazonkendra-resources-for-iam-policies)
+ [

## Condition keys for Amazon Kendra
](#amazonkendra-policy-keys)

## Actions defined by Amazon Kendra
<a name="amazonkendra-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonkendra-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendra.html)

## Resource types defined by Amazon Kendra
<a name="amazonkendra-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonkendra-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/kendra/latest/dg/index.html](https://docs.aws.amazon.com/kendra/latest/dg/index.html)  |  arn:\$1\$1Partition\$1:kendra:\$1\$1Region\$1:\$1\$1Account\$1:index/\$1\$1IndexId\$1  |   [#amazonkendra-aws_ResourceTag___TagKey_](#amazonkendra-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/kendra/latest/dg/data-source.html](https://docs.aws.amazon.com/kendra/latest/dg/data-source.html)  |  arn:\$1\$1Partition\$1:kendra:\$1\$1Region\$1:\$1\$1Account\$1:index/\$1\$1IndexId\$1/data-source/\$1\$1DataSourceId\$1  |   [#amazonkendra-aws_ResourceTag___TagKey_](#amazonkendra-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/kendra/latest/dg/faq.html](https://docs.aws.amazon.com/kendra/latest/dg/faq.html)  |  arn:\$1\$1Partition\$1:kendra:\$1\$1Region\$1:\$1\$1Account\$1:index/\$1\$1IndexId\$1/faq/\$1\$1FaqId\$1  |   [#amazonkendra-aws_ResourceTag___TagKey_](#amazonkendra-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/kendra/latest/dg/deploying-search-experience-no-code.html](https://docs.aws.amazon.com/kendra/latest/dg/deploying-search-experience-no-code.html)  |  arn:\$1\$1Partition\$1:kendra:\$1\$1Region\$1:\$1\$1Account\$1:index/\$1\$1IndexId\$1/experience/\$1\$1ExperienceId\$1  |  | 
|   [https://docs.aws.amazon.com/kendra/latest/dg/thesaurus.html](https://docs.aws.amazon.com/kendra/latest/dg/thesaurus.html)  |  arn:\$1\$1Partition\$1:kendra:\$1\$1Region\$1:\$1\$1Account\$1:index/\$1\$1IndexId\$1/thesaurus/\$1\$1ThesaurusId\$1  |   [#amazonkendra-aws_ResourceTag___TagKey_](#amazonkendra-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/kendra/latest/dg/query-suggestions-block-list.html](https://docs.aws.amazon.com/kendra/latest/dg/query-suggestions-block-list.html)  |  arn:\$1\$1Partition\$1:kendra:\$1\$1Region\$1:\$1\$1Account\$1:index/\$1\$1IndexId\$1/query-suggestions-block-list/\$1\$1QuerySuggestionsBlockListId\$1  |   [#amazonkendra-aws_ResourceTag___TagKey_](#amazonkendra-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/kendra/latest/dg/featured-results.html](https://docs.aws.amazon.com/kendra/latest/dg/featured-results.html)  |  arn:\$1\$1Partition\$1:kendra:\$1\$1Region\$1:\$1\$1Account\$1:index/\$1\$1IndexId\$1/featured-results-set/\$1\$1FeaturedResultsSetId\$1  |   [#amazonkendra-aws_ResourceTag___TagKey_](#amazonkendra-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/kendra/latest/dg/API_CreateAccessControlConfiguration.html](https://docs.aws.amazon.com/kendra/latest/dg/API_CreateAccessControlConfiguration.html)  |  arn:\$1\$1Partition\$1:kendra:\$1\$1Region\$1:\$1\$1Account\$1:index/\$1\$1IndexId\$1/access-control-configuration/\$1\$1AccessControlConfigurationId\$1  |  | 

## Condition keys for Amazon Kendra
<a name="amazonkendra-policy-keys"></a>

Amazon Kendra defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Kendra Intelligent Ranking
<a name="list_amazonkendraintelligentranking"></a>

Amazon Kendra Intelligent Ranking (service prefix: `kendra-ranking`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/kendra/latest/dg/intelligent-rerank.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/kendra/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/kendra/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Kendra Intelligent Ranking
](#amazonkendraintelligentranking-actions-as-permissions)
+ [

## Resource types defined by Amazon Kendra Intelligent Ranking
](#amazonkendraintelligentranking-resources-for-iam-policies)
+ [

## Condition keys for Amazon Kendra Intelligent Ranking
](#amazonkendraintelligentranking-policy-keys)

## Actions defined by Amazon Kendra Intelligent Ranking
<a name="amazonkendraintelligentranking-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonkendraintelligentranking-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendraintelligentranking.html)

## Resource types defined by Amazon Kendra Intelligent Ranking
<a name="amazonkendraintelligentranking-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonkendraintelligentranking-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/kendra/latest/dg/search-service-rerank.html](https://docs.aws.amazon.com/kendra/latest/dg/search-service-rerank.html)  |  arn:\$1\$1Partition\$1:kendra-ranking:\$1\$1Region\$1:\$1\$1Account\$1:rescore-execution-plan/\$1\$1RescoreExecutionPlanId\$1  |   [#amazonkendraintelligentranking-aws_ResourceTag___TagKey_](#amazonkendraintelligentranking-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Kendra Intelligent Ranking
<a name="amazonkendraintelligentranking-policy-keys"></a>

Amazon Kendra Intelligent Ranking defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Keyspaces (for Apache Cassandra)
<a name="list_amazonkeyspacesforapachecassandra"></a>

Amazon Keyspaces (for Apache Cassandra) (service prefix: `cassandra`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/keyspaces/latest/devguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/keyspaces/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/keyspaces/latest/devguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Keyspaces (for Apache Cassandra)
](#amazonkeyspacesforapachecassandra-actions-as-permissions)
+ [

## Resource types defined by Amazon Keyspaces (for Apache Cassandra)
](#amazonkeyspacesforapachecassandra-resources-for-iam-policies)
+ [

## Condition keys for Amazon Keyspaces (for Apache Cassandra)
](#amazonkeyspacesforapachecassandra-policy-keys)

## Actions defined by Amazon Keyspaces (for Apache Cassandra)
<a name="amazonkeyspacesforapachecassandra-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonkeyspacesforapachecassandra-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkeyspacesforapachecassandra.html)

## Resource types defined by Amazon Keyspaces (for Apache Cassandra)
<a name="amazonkeyspacesforapachecassandra-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonkeyspacesforapachecassandra-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/keyspaces/latest/devguide/what-is.html](https://docs.aws.amazon.com/keyspaces/latest/devguide/what-is.html)  |  arn:\$1\$1Partition\$1:cassandra:\$1\$1Region\$1:\$1\$1Account\$1:/keyspace/\$1\$1KeyspaceName\$1/  |   [#amazonkeyspacesforapachecassandra-aws_ResourceTag___TagKey_](#amazonkeyspacesforapachecassandra-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/keyspaces/latest/devguide/what-is.html](https://docs.aws.amazon.com/keyspaces/latest/devguide/what-is.html)  |  arn:\$1\$1Partition\$1:cassandra:\$1\$1Region\$1:\$1\$1Account\$1:/keyspace/\$1\$1KeyspaceName\$1/table/\$1\$1TableName\$1  |   [#amazonkeyspacesforapachecassandra-aws_ResourceTag___TagKey_](#amazonkeyspacesforapachecassandra-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/keyspaces/latest/devguide/what-is.html](https://docs.aws.amazon.com/keyspaces/latest/devguide/what-is.html)  |  arn:\$1\$1Partition\$1:cassandra:\$1\$1Region\$1:\$1\$1Account\$1:/keyspace/\$1\$1KeyspaceName\$1/table/\$1\$1TableName\$1/stream/\$1\$1StreamLabel\$1  |   [#amazonkeyspacesforapachecassandra-aws_ResourceTag___TagKey_](#amazonkeyspacesforapachecassandra-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Keyspaces (for Apache Cassandra)
<a name="amazonkeyspacesforapachecassandra-policy-keys"></a>

Amazon Keyspaces (for Apache Cassandra) defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/keyspaces/latest/devguide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/keyspaces/latest/devguide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/keyspaces/latest/devguide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/keyspaces/latest/devguide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/keyspaces/latest/devguide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/keyspaces/latest/devguide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Kinesis Analytics
<a name="list_amazonkinesisanalytics"></a>

Amazon Kinesis Analytics (service prefix: `kinesisanalytics`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/kinesisanalytics/latest/dev/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/kinesisanalytics/latest/dev/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/kinesisanalytics/latest/dev/authentication-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Kinesis Analytics
](#amazonkinesisanalytics-actions-as-permissions)
+ [

## Resource types defined by Amazon Kinesis Analytics
](#amazonkinesisanalytics-resources-for-iam-policies)
+ [

## Condition keys for Amazon Kinesis Analytics
](#amazonkinesisanalytics-policy-keys)

## Actions defined by Amazon Kinesis Analytics
<a name="amazonkinesisanalytics-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonkinesisanalytics-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html)

## Resource types defined by Amazon Kinesis Analytics
<a name="amazonkinesisanalytics-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonkinesisanalytics-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/kinesisanalytics/latest/dev/how-it-works.html](https://docs.aws.amazon.com/kinesisanalytics/latest/dev/how-it-works.html)  |  arn:\$1\$1Partition\$1:kinesisanalytics:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationName\$1  |   [#amazonkinesisanalytics-aws_ResourceTag___TagKey_](#amazonkinesisanalytics-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Kinesis Analytics
<a name="amazonkinesisanalytics-policy-keys"></a>

Amazon Kinesis Analytics defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value assoicated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Kinesis Analytics V2
<a name="list_amazonkinesisanalyticsv2"></a>

Amazon Kinesis Analytics V2 (service prefix: `kinesisanalytics`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/managed-flink/latest/apiv2/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/managed-flink/latest/apiv2/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/kinesisanalytics/latest/dev/authentication-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Kinesis Analytics V2
](#amazonkinesisanalyticsv2-actions-as-permissions)
+ [

## Resource types defined by Amazon Kinesis Analytics V2
](#amazonkinesisanalyticsv2-resources-for-iam-policies)
+ [

## Condition keys for Amazon Kinesis Analytics V2
](#amazonkinesisanalyticsv2-policy-keys)

## Actions defined by Amazon Kinesis Analytics V2
<a name="amazonkinesisanalyticsv2-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonkinesisanalyticsv2-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalyticsv2.html)

## Resource types defined by Amazon Kinesis Analytics V2
<a name="amazonkinesisanalyticsv2-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonkinesisanalyticsv2-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/kinesisanalytics/latest/java/how-it-works.html](https://docs.aws.amazon.com/kinesisanalytics/latest/java/how-it-works.html)  |  arn:\$1\$1Partition\$1:kinesisanalytics:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationName\$1  |   [#amazonkinesisanalyticsv2-aws_ResourceTag___TagKey_](#amazonkinesisanalyticsv2-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Kinesis Analytics V2
<a name="amazonkinesisanalyticsv2-policy-keys"></a>

Amazon Kinesis Analytics V2 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value assoicated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Kinesis Data Streams
<a name="list_amazonkinesisdatastreams"></a>

Amazon Kinesis Data Streams (service prefix: `kinesis`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/kinesis/latest/dev/introduction.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/kinesis/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/kinesis/latest/dev/controlling-access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Kinesis Data Streams
](#amazonkinesisdatastreams-actions-as-permissions)
+ [

## Resource types defined by Amazon Kinesis Data Streams
](#amazonkinesisdatastreams-resources-for-iam-policies)
+ [

## Condition keys for Amazon Kinesis Data Streams
](#amazonkinesisdatastreams-policy-keys)

## Actions defined by Amazon Kinesis Data Streams
<a name="amazonkinesisdatastreams-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonkinesisdatastreams-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisdatastreams.html)

## Resource types defined by Amazon Kinesis Data Streams
<a name="amazonkinesisdatastreams-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonkinesisdatastreams-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/kinesis/latest/dev/amazon-kinesis-streams.html](https://docs.aws.amazon.com/kinesis/latest/dev/amazon-kinesis-streams.html)  |  arn:\$1\$1Partition\$1:kinesis:\$1\$1Region\$1:\$1\$1Account\$1:stream/\$1\$1StreamName\$1  |   [#amazonkinesisdatastreams-aws_ResourceTag___TagKey_](#amazonkinesisdatastreams-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/kinesis/latest/dev/amazon-kinesis-consumers.html](https://docs.aws.amazon.com/kinesis/latest/dev/amazon-kinesis-consumers.html)  |  arn:\$1\$1Partition\$1:kinesis:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1StreamType\$1/\$1\$1StreamName\$1/consumer/\$1\$1ConsumerName\$1:\$1\$1ConsumerCreationTimpstamp\$1  |   [#amazonkinesisdatastreams-aws_ResourceTag___TagKey_](#amazonkinesisdatastreams-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/kinesis/latest/dev/concepts.html#kms_keys](https://docs.aws.amazon.com/kinesis/latest/dev/concepts.html#kms_keys)  |  arn:\$1\$1Partition\$1:kms:\$1\$1Region\$1:\$1\$1Account\$1:key/\$1\$1KeyId\$1  |  | 

## Condition keys for Amazon Kinesis Data Streams
<a name="amazonkinesisdatastreams-policy-keys"></a>

Amazon Kinesis Data Streams defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html)  | Filters access by the ID of an AWS FIS action | String | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html)  | Filters access by the percentage of calls being affected by an AWS FIS action | Numeric | 
|   [https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html](https://docs.aws.amazon.com/fis/latest/userguide/fis-actions-reference.html)  | Filters access by the ARN of an AWS FIS target | ArrayOfARN | 

# Actions, resources, and condition keys for Amazon Kinesis Firehose
<a name="list_amazonkinesisfirehose"></a>

Amazon Kinesis Firehose (service prefix: `firehose`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/firehose/latest/dev/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/firehose/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Kinesis Firehose
](#amazonkinesisfirehose-actions-as-permissions)
+ [

## Resource types defined by Amazon Kinesis Firehose
](#amazonkinesisfirehose-resources-for-iam-policies)
+ [

## Condition keys for Amazon Kinesis Firehose
](#amazonkinesisfirehose-policy-keys)

## Actions defined by Amazon Kinesis Firehose
<a name="amazonkinesisfirehose-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonkinesisfirehose-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html)

## Resource types defined by Amazon Kinesis Firehose
<a name="amazonkinesisfirehose-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonkinesisfirehose-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/firehose/latest/dev/basic-create.html](https://docs.aws.amazon.com/firehose/latest/dev/basic-create.html)  |  arn:\$1\$1Partition\$1:firehose:\$1\$1Region\$1:\$1\$1Account\$1:deliverystream/\$1\$1DeliveryStreamName\$1  |   [#amazonkinesisfirehose-aws_ResourceTag___TagKey_](#amazonkinesisfirehose-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Kinesis Firehose
<a name="amazonkinesisfirehose-policy-keys"></a>

Amazon Kinesis Firehose defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Kinesis Video Streams
<a name="list_amazonkinesisvideostreams"></a>

Amazon Kinesis Video Streams (service prefix: `kinesisvideo`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/what-is-kinesis-video.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/how-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Kinesis Video Streams
](#amazonkinesisvideostreams-actions-as-permissions)
+ [

## Resource types defined by Amazon Kinesis Video Streams
](#amazonkinesisvideostreams-resources-for-iam-policies)
+ [

## Condition keys for Amazon Kinesis Video Streams
](#amazonkinesisvideostreams-policy-keys)

## Actions defined by Amazon Kinesis Video Streams
<a name="amazonkinesisvideostreams-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonkinesisvideostreams-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisvideostreams.html)

## Resource types defined by Amazon Kinesis Video Streams
<a name="amazonkinesisvideostreams-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonkinesisvideostreams-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/how-it-works.html](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/how-it-works.html)  |  arn:\$1\$1Partition\$1:kinesisvideo:\$1\$1Region\$1:\$1\$1Account\$1:stream/\$1\$1StreamName\$1/\$1\$1CreationTime\$1  |   [#amazonkinesisvideostreams-aws_ResourceTag___TagKey_](#amazonkinesisvideostreams-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/kinesisvideostreams-webrtc-dg/latest/devguide/kvswebrtc-how-it-works.html](https://docs.aws.amazon.com/kinesisvideostreams-webrtc-dg/latest/devguide/kvswebrtc-how-it-works.html)  |  arn:\$1\$1Partition\$1:kinesisvideo:\$1\$1Region\$1:\$1\$1Account\$1:channel/\$1\$1ChannelName\$1/\$1\$1CreationTime\$1  |   [#amazonkinesisvideostreams-aws_ResourceTag___TagKey_](#amazonkinesisvideostreams-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Kinesis Video Streams
<a name="amazonkinesisvideostreams-policy-keys"></a>

Amazon Kinesis Video Streams defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters requests based on the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag-value assoicated with the stream | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters requests based on the presence of mandatory tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Lake Formation
<a name="list_awslakeformation"></a>

AWS Lake Formation (service prefix: `lakeformation`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/lake-formation/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/lake-formation/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/lake-formation/latest/dg/permissions-reference.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Lake Formation
](#awslakeformation-actions-as-permissions)
+ [

## Resource types defined by AWS Lake Formation
](#awslakeformation-resources-for-iam-policies)
+ [

## Condition keys for AWS Lake Formation
](#awslakeformation-policy-keys)

## Actions defined by AWS Lake Formation
<a name="awslakeformation-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awslakeformation-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_AddLFTagsToResource.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_AddLFTagsToResource.html)  | Grants permission to attach Lake Formation tags to catalog resources | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_BatchGrantPermissions.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_BatchGrantPermissions.html)  | Grants permission to data lake permissions to one or more principals in a batch | Permissions management |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_BatchRevokePermissions.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_BatchRevokePermissions.html)  | Grants permission to revoke data lake permissions from one or more principals in a batch | Permissions management |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CancelTransaction.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CancelTransaction.html)  | Grants permission to cancel the given transaction | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CommitTransaction.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CommitTransaction.html)  | Grants permission to commit the given transaction | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateDataCellsFilter.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateDataCellsFilter.html)  | Grants permission to create a Lake Formation data cell filter | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateLFTag.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateLFTag.html)  | Grants permission to create a Lake Formation tag | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateLFTagExpression.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateLFTagExpression.html)  | Grants permission to create a Lake Formation tag expression | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateLakeFormationIdentityCenterConfiguration.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateLakeFormationIdentityCenterConfiguration.html)  | Grants permission to create an IAM Identity Center connection with Lake Formation to allow IAM Identity Center users and groups to access Data Catalog resources | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateLakeFormationOptIn.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateLakeFormationOptIn.html)  | Grants permission to enforce Lake Formation permissions for the given databases, tables, and principals | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteDataCellsFilter.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteDataCellsFilter.html)  | Grants permission to delete a Lake Formation data cell filter | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteLFTag.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteLFTag.html)  | Grants permission to delete a Lake Formation tag | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteLFTagExpression.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteLFTagExpression.html)  | Grants permission to delete a Lake Formation expression | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteLakeFormationIdentityCenterConfiguration.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteLakeFormationIdentityCenterConfiguration.html)  | Grants permission to delete an IAM Identity Center connection with Lake Formation | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteLakeFormationOptIn.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteLakeFormationOptIn.html)  | Grants permission to remove the Lake Formation permissions enforcement of the given databases, tables, and principals | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteObjectsOnCancel.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteObjectsOnCancel.html)  | Grants permission to delete the specified objects if the transaction is canceled | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeregisterResource.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeregisterResource.html)  | Grants permission to deregister a registered location | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DescribeLakeFormationIdentityCenterConfiguration.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DescribeLakeFormationIdentityCenterConfiguration.html)  | Grants permission to describe the IAM Identity Center connection with Lake Formation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DescribeResource.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DescribeResource.html)  | Grants permission to describe a registered location | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DescribeTransaction.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DescribeTransaction.html)  | Grants permission to get status of the given transaction | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ExtendTransaction.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ExtendTransaction.html)  | Grants permission to extend the timeout of the given transaction | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html](https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html)  | Grants permission to virtual data lake access | Write |  |   [#awslakeformation-lakeformation_EnabledOnlyForMetaDataAccess](#awslakeformation-lakeformation_EnabledOnlyForMetaDataAccess)   |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetDataCellsFilter.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetDataCellsFilter.html)  | Grants permission to retrieve a Lake Formation data cell filter | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetDataLakePrincipal.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetDataLakePrincipal.html)  | Grants permission to retrieve the identity of the invoking principal | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetDataLakeSettings.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetDataLakeSettings.html)  | Grants permission to retrieve data lake settings such as the list of data lake administrators and database and table default permissions | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetEffectivePermissionsForPath.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetEffectivePermissionsForPath.html)  | Grants permission to retrieve permissions attached to resources in the given path | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetLFTag.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetLFTag.html)  | Grants permission to retrieve a Lake Formation tag | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetLFTagExpression.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetLFTagExpression.html)  | Grants permission to retrieve a Lake Formation tag expression | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetQueryState.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetQueryState.html)  | Grants permission to retrieve the state of the given query | Read |  |  |   lakeformation:StartQueryPlanning   | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetQueryStatistics.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetQueryStatistics.html)  | Grants permission to retrieve the statistics for the given query | Read |  |  |   lakeformation:StartQueryPlanning   | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetResourceLFTags.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetResourceLFTags.html)  | Grants permission to retrieve lakeformation tags on a catalog resource | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetTableObjects.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetTableObjects.html)  | Grants permission to retrieve objects from a table | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetTemporaryGluePartitionCredentials.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetTemporaryGluePartitionCredentials.html)  | Grants permission to get temporary credentials to access Glue partition data through Lake Formation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetTemporaryGlueTableCredentials.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetTemporaryGlueTableCredentials.html)  | Grants permission to get temporary credentials to access Glue table data through Lake Formation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetWorkUnitResults.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetWorkUnitResults.html)  | Grants permission to retrieve the results for the given work units | Read |  |  |   lakeformation:GetWorkUnits   lakeformation:StartQueryPlanning   | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetWorkUnits.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GetWorkUnits.html)  | Grants permission to retrieve the work units for the given query | Read |  |  |   lakeformation:StartQueryPlanning   | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GrantPermissions.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_GrantPermissions.html)  | Grants permission to data lake permissions to a principal | Permissions management |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListDataCellsFilter.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListDataCellsFilter.html)  | Grants permission to list cell filters | List |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListLFTagExpressions.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListLFTagExpressions.html)  | Grants permission to list Lake Foramtion tag expressions | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListLFTags.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListLFTags.html)  | Grants permission to list Lake Formation tags | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListLakeFormationOptIns.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListLakeFormationOptIns.html)  | Grants permission to retrieve the current list of resources and principals that are opt in to enforce Lake Formation permissions | List |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListPermissions.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListPermissions.html)  | Grants permission to list permissions filtered by principal or resource | List |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListResources.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListResources.html)  | Grants permission to List registered locations | List |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListTableStorageOptimizers.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListTableStorageOptimizers.html)  | Grants permission to list all the storage optimizers for the Governed table | List |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListTransactions.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_ListTransactions.html)  | Grants permission to list all transactions in the system | List |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_PutDataLakeSettings.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_PutDataLakeSettings.html)  | Grants permission to overwrite data lake settings such as the list of data lake administrators and database and table default permissions | Permissions management |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_RegisterResource.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_RegisterResource.html)  | Grants permission to register a new location to be managed by Lake Formation | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_RegisterResource.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_RegisterResource.html)  | Grants permission to register a new location to be managed by Lake Formation, with privileged access | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_RemoveLFTagsFromResource.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_RemoveLFTagsFromResource.html)  | Grants permission to remove lakeformation tags from catalog resources | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_RevokePermissions.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_RevokePermissions.html)  | Grants permission to revoke data lake permissions from a principal | Permissions management |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_SearchTablesByLFTags.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_SearchTablesByLFTags.html)  | Grants permission to list catalog databases with Lake Formation tags | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_SearchTablesByLFTags.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_SearchTablesByLFTags.html)  | Grants permission to list catalog tables with Lake Formation tags | Read |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_StartQueryPlanning.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_StartQueryPlanning.html)  | Grants permission to initiate the planning of the given query | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_StartTransaction.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_StartTransaction.html)  | Grants permission to start a new transaction | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateDataCellsFilter.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateDataCellsFilter.html)  | Grants permission to update a Lake Formation data cell filter | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateLFTag.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateLFTag.html)  | Grants permission to update a Lake Formation tag | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateLFTagExpression.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateLFTagExpression.html)  | Grants permission to update a Lake Formation expression | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateLakeFormationIdentityCenterConfiguration.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateLakeFormationIdentityCenterConfiguration.html)  | Grants permission to update the IAM Identity Center connection parameters | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateResource.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateResource.html)  | Grants permission to update a registered location | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateTableObjects.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateTableObjects.html)  | Grants permission to add or delete the specified objects to or from a table | Write |  |  |  | 
|   [https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateTableStorageOptimizer.html](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateTableStorageOptimizer.html)  | Grants permission to update the configuration of the storage optimizer for the Governed table | Write |  |  |  | 

## Resource types defined by AWS Lake Formation
<a name="awslakeformation-resources-for-iam-policies"></a>

AWS Lake Formation does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Lake Formation, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Lake Formation
<a name="awslakeformation-policy-keys"></a>

AWS Lake Formation defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslakeformation.html#awslakeformation-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslakeformation.html#awslakeformation-policy-keys)  | Filters access by the presence of the key configured for role's identity-based policy | Bool | 

# Actions, resources, and condition keys for AWS Lambda
<a name="list_awslambda"></a>

AWS Lambda (service prefix: `lambda`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/lambda/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/lambda/latest/dg/lambda-auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Lambda
](#awslambda-actions-as-permissions)
+ [

## Resource types defined by AWS Lambda
](#awslambda-resources-for-iam-policies)
+ [

## Condition keys for AWS Lambda
](#awslambda-policy-keys)

## Actions defined by AWS Lambda
<a name="awslambda-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awslambda-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html)

## Resource types defined by AWS Lambda
<a name="awslambda-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awslambda-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  |  arn:\$1\$1Partition\$1:lambda:\$1\$1Region\$1:\$1\$1Account\$1:capacity-provider:\$1\$1CapacityProviderName\$1  |   [#awslambda-aws_ResourceTag___TagKey_](#awslambda-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  |  arn:\$1\$1Partition\$1:lambda:\$1\$1Region\$1:\$1\$1Account\$1:code-signing-config:\$1\$1CodeSigningConfigId\$1  |   [#awslambda-aws_ResourceTag___TagKey_](#awslambda-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  |  arn:\$1\$1Partition\$1:lambda:\$1\$1Region\$1:\$1\$1Account\$1:function:\$1\$1FunctionName\$1:\$1\$1Version\$1/durable-execution/\$1\$1ExecutionName\$1/\$1\$1ExecutionId\$1  |  | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  |  arn:\$1\$1Partition\$1:lambda:\$1\$1Region\$1:\$1\$1Account\$1:event-source-mapping:\$1\$1UUID\$1  |   [#awslambda-aws_ResourceTag___TagKey_](#awslambda-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  |  arn:\$1\$1Partition\$1:lambda:\$1\$1Region\$1:\$1\$1Account\$1:function:\$1\$1FunctionName\$1  |   [#awslambda-aws_ResourceTag___TagKey_](#awslambda-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  |  arn:\$1\$1Partition\$1:lambda:\$1\$1Region\$1:\$1\$1Account\$1:function:\$1\$1FunctionName\$1:\$1\$1Alias\$1  |   [#awslambda-aws_ResourceTag___TagKey_](#awslambda-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  |  arn:\$1\$1Partition\$1:lambda:\$1\$1Region\$1:\$1\$1Account\$1:function:\$1\$1FunctionName\$1:\$1\$1Version\$1  |   [#awslambda-aws_ResourceTag___TagKey_](#awslambda-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  |  arn:\$1\$1Partition\$1:lambda:\$1\$1Region\$1:\$1\$1Account\$1:layer:\$1\$1LayerName\$1  |  | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  |  arn:\$1\$1Partition\$1:lambda:\$1\$1Region\$1:\$1\$1Account\$1:layer:\$1\$1LayerName\$1:\$1\$1LayerVersion\$1  |  | 

## Condition keys for AWS Lambda
<a name="awslambda-policy-keys"></a>

AWS Lambda defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Filters access by the ARN of an AWS Lambda code signing config | ARN | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Filters access by the ID from a non-AWS event source configured for the AWS Lambda function | String | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Filters access by the ARN of an AWS Lambda function | ARN | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Filters access by authorization type specified in request. Available during CreateFunctionUrlConfig, UpdateFunctionUrlConfig, DeleteFunctionUrlConfig, GetFunctionUrlConfig, ListFunctionUrlConfig, AddPermission and RemovePermission operations | String | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Limits the scope of lambda:InvokeFunction action to Function URLs only. Available during AddPermission operation | Bool | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Filters access by the ARN of a version of an AWS Lambda layer | ArrayOfString | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Filters access by restricting the AWS service or account that can invoke a function | String | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Filters access by the ID of security groups configured for the AWS Lambda function | ArrayOfString | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Filters access by the ARN of the AWS Lambda function from which the request originated | ARN | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Filters access by the ID of subnets configured for the AWS Lambda function | ArrayOfString | 
|   [https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html)  | Filters access by the ID of the VPC configured for the AWS Lambda function | String | 

# Actions, resources, and condition keys for AWS Launch Wizard
<a name="list_awslaunchwizard"></a>

AWS Launch Wizard (service prefix: `launchwizard`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/launchwizard/latest/userguide/what-is-launch-wizard.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/launchwizard/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Launch Wizard
](#awslaunchwizard-actions-as-permissions)
+ [

## Resource types defined by AWS Launch Wizard
](#awslaunchwizard-resources-for-iam-policies)
+ [

## Condition keys for AWS Launch Wizard
](#awslaunchwizard-policy-keys)

## Actions defined by AWS Launch Wizard
<a name="awslaunchwizard-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awslaunchwizard-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to create an additional node | Write |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_CreateDeployment.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_CreateDeployment.html)  | Grants permission to create a deployment | Write |   [#awslaunchwizard-deployment](#awslaunchwizard-deployment)   |   [#awslaunchwizard-aws_RequestTag___TagKey_](#awslaunchwizard-aws_RequestTag___TagKey_)   [#awslaunchwizard-aws_TagKeys](#awslaunchwizard-aws_TagKeys)   |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to create an application settings set | Write |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to delete an additional node | Write |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to delete an application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_DeleteDeployment.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_DeleteDeployment.html)  | Grants permission to delete a deployment | Write |   [#awslaunchwizard-deployment](#awslaunchwizard-deployment)   |   [#awslaunchwizard-aws_ResourceTag___TagKey_](#awslaunchwizard-aws_ResourceTag___TagKey_)   |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to delete a settings set | Write |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to describe an additional node | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to describe provisioning applications | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to describe provisioning events | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to describe an application settings set | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetDeployment.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetDeployment.html)  | Grants permission to get a deployment | Read |   [#awslaunchwizard-deployment](#awslaunchwizard-deployment)   |   [#awslaunchwizard-aws_ResourceTag___TagKey_](#awslaunchwizard-aws_ResourceTag___TagKey_)   |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetDeploymentPatternVersion.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetDeploymentPatternVersion.html)  | Grants permission to get a version of a deployment pattern | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to get infrastructure suggestion | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to get customer's ip address | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to get resource cost estimate | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to get recommendation for a resource | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to get a settings set | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetWorkload.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetWorkload.html)  | Grants permission to get a workload | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to get a workload's asset | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to get workload assets | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetWorkloadDeploymentPattern.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetWorkloadDeploymentPattern.html)  | Grants permission to get a deployment pattern | Read |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to list additional nodes | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to list the allowed resources | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListDeploymentEvents.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListDeploymentEvents.html)  | Grants permission to list the events that occured during a deployment | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListDeploymentPatternVersions.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListDeploymentPatternVersions.html)  | Grants permission to list the versions of a deployment pattern | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListDeployments.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListDeployments.html)  | Grants permission to list deployments | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to list provisioning applications | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to list the cost estimates of resources | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to list settings sets | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListTagsForResource.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListTagsForResource.html)  | Grants permission to list tags for a LaunchWizard resource | Read |   [#awslaunchwizard-deployment](#awslaunchwizard-deployment)   |   [#awslaunchwizard-aws_ResourceTag___TagKey_](#awslaunchwizard-aws_ResourceTag___TagKey_)   |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to list deployment options of a given workload | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListWorkloadDeploymentPatterns.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListWorkloadDeploymentPatterns.html)  | Grants permission to list the deployment patterns of a workload | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListWorkloads.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListWorkloads.html)  | Grants permission to list workloads | List |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to create a settings set | Write |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to start a provisioning | Write |  |  |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_TagResource.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_TagResource.html)  | Grants permission to tag a LaunchWizard resource | Tagging |   [#awslaunchwizard-deployment](#awslaunchwizard-deployment)   |   [#awslaunchwizard-aws_TagKeys](#awslaunchwizard-aws_TagKeys)   [#awslaunchwizard-aws_RequestTag___TagKey_](#awslaunchwizard-aws_RequestTag___TagKey_)   [#awslaunchwizard-aws_ResourceTag___TagKey_](#awslaunchwizard-aws_ResourceTag___TagKey_)   |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_UntagResource.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_UntagResource.html)  | Grants permission to untag a LaunchWizard resource | Tagging |   [#awslaunchwizard-deployment](#awslaunchwizard-deployment)   |   [#awslaunchwizard-aws_TagKeys](#awslaunchwizard-aws_TagKeys)   |  | 
|   [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_UpdateDeployment.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_UpdateDeployment.html)  | Grants permission to update a deployment | Write |   [#awslaunchwizard-deployment](#awslaunchwizard-deployment)   |   [#awslaunchwizard-aws_ResourceTag___TagKey_](#awslaunchwizard-aws_ResourceTag___TagKey_)   |  | 
|   [https://docs.aws.amazon.com/launchwizard/](https://docs.aws.amazon.com/launchwizard/) [permission only] | Grants permission to update an application settings set | Write |  |  |  | 

## Resource types defined by AWS Launch Wizard
<a name="awslaunchwizard-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awslaunchwizard-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/launchwizard/Resources/Deployment.html](https://docs.aws.amazon.com/launchwizard/Resources/Deployment.html)  |  arn:\$1\$1Partition\$1:launchwizard:\$1\$1Region\$1:\$1\$1Account\$1:deployment/\$1\$1DeploymentId\$1  |   [#awslaunchwizard-aws_ResourceTag___TagKey_](#awslaunchwizard-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Launch Wizard
<a name="awslaunchwizard-policy-keys"></a>

AWS Launch Wizard defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Lex
<a name="list_amazonlex"></a>

Amazon Lex (service prefix: `lex`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/lex/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/lex/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/lex/latest/dg/access_permissions.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Lex
](#amazonlex-actions-as-permissions)
+ [

## Resource types defined by Amazon Lex
](#amazonlex-resources-for-iam-policies)
+ [

## Condition keys for Amazon Lex
](#amazonlex-policy-keys)

## Actions defined by Amazon Lex
<a name="amazonlex-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonlex-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlex.html)

## Resource types defined by Amazon Lex
<a name="amazonlex-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonlex-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/lex/latest/dg/API_BotMetadata.html](https://docs.aws.amazon.com/lex/latest/dg/API_BotMetadata.html)  |  arn:\$1\$1Partition\$1:lex:\$1\$1Region\$1:\$1\$1Account\$1:bot:\$1\$1BotName\$1  |   [#amazonlex-aws_ResourceTag___TagKey_](#amazonlex-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lex/latest/dg/API_BotMetadata.html](https://docs.aws.amazon.com/lex/latest/dg/API_BotMetadata.html)  |  arn:\$1\$1Partition\$1:lex:\$1\$1Region\$1:\$1\$1Account\$1:bot:\$1\$1BotName\$1:\$1\$1BotVersion\$1  |   [#amazonlex-aws_ResourceTag___TagKey_](#amazonlex-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lex/latest/dg/API_BotAliasMetadata.html](https://docs.aws.amazon.com/lex/latest/dg/API_BotAliasMetadata.html)  |  arn:\$1\$1Partition\$1:lex:\$1\$1Region\$1:\$1\$1Account\$1:bot:\$1\$1BotName\$1:\$1\$1BotAlias\$1  |   [#amazonlex-aws_ResourceTag___TagKey_](#amazonlex-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lex/latest/dg/API_BotChannelAssociation.html](https://docs.aws.amazon.com/lex/latest/dg/API_BotChannelAssociation.html)  |  arn:\$1\$1Partition\$1:lex:\$1\$1Region\$1:\$1\$1Account\$1:bot-channel:\$1\$1BotName\$1:\$1\$1BotAlias\$1:\$1\$1ChannelName\$1  |   [#amazonlex-aws_ResourceTag___TagKey_](#amazonlex-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lex/latest/dg/API_Intent.html](https://docs.aws.amazon.com/lex/latest/dg/API_Intent.html)  |  arn:\$1\$1Partition\$1:lex:\$1\$1Region\$1:\$1\$1Account\$1:intent:\$1\$1IntentName\$1:\$1\$1IntentVersion\$1  |  | 
|   [https://docs.aws.amazon.com/lex/latest/dg/API_SlotTypeMetadata.html](https://docs.aws.amazon.com/lex/latest/dg/API_SlotTypeMetadata.html)  |  arn:\$1\$1Partition\$1:lex:\$1\$1Region\$1:\$1\$1Account\$1:slottype:\$1\$1SlotName\$1:\$1\$1SlotVersion\$1  |  | 

## Condition keys for Amazon Lex
<a name="amazonlex-policy-keys"></a>

Amazon Lex defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the tags in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags attached to a Lex resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the set of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/lex/latest/dg/security_iam_service-with-iam.html](https://docs.aws.amazon.com/lex/latest/dg/security_iam_service-with-iam.html)  | Enables you to control access based on the intents included in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/lex/latest/dg/security_iam_service-with-iam.html](https://docs.aws.amazon.com/lex/latest/dg/security_iam_service-with-iam.html)  | Enables you to control access based on the slot types included in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/lex/latest/dg/security_iam_service-with-iam.html](https://docs.aws.amazon.com/lex/latest/dg/security_iam_service-with-iam.html)  | Enables you to control access based on the channel type included in the request | String | 

# Actions, resources, and condition keys for Amazon Lex V2
<a name="list_amazonlexv2"></a>

Amazon Lex V2 (service prefix: `lex`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/lexv2/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/lexv2/latest/APIReference/welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/lexv2/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Lex V2
](#amazonlexv2-actions-as-permissions)
+ [

## Resource types defined by Amazon Lex V2
](#amazonlexv2-resources-for-iam-policies)
+ [

## Condition keys for Amazon Lex V2
](#amazonlexv2-policy-keys)

## Actions defined by Amazon Lex V2
<a name="amazonlexv2-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonlexv2-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html)

## Resource types defined by Amazon Lex V2
<a name="amazonlexv2-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonlexv2-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/lexv2/latest/dg/how-it-works.html](https://docs.aws.amazon.com/lexv2/latest/dg/how-it-works.html)  |  arn:\$1\$1Partition\$1:lex:\$1\$1Region\$1:\$1\$1Account\$1:bot/\$1\$1BotId\$1  |   [#amazonlexv2-aws_ResourceTag___TagKey_](#amazonlexv2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lexv2/latest/dg/how-it-works.html](https://docs.aws.amazon.com/lexv2/latest/dg/how-it-works.html)  |  arn:\$1\$1Partition\$1:lex:\$1\$1Region\$1:\$1\$1Account\$1:bot-alias/\$1\$1BotId\$1/\$1\$1BotAliasId\$1  |   [#amazonlexv2-aws_ResourceTag___TagKey_](#amazonlexv2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lexv2/latest/dg/test-workbench.html](https://docs.aws.amazon.com/lexv2/latest/dg/test-workbench.html)  |  arn:\$1\$1Partition\$1:lex:\$1\$1Region\$1:\$1\$1Account\$1:test-set/\$1\$1TestSetId\$1  |   [#amazonlexv2-aws_ResourceTag___TagKey_](#amazonlexv2-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Lex V2
<a name="amazonlexv2-policy-keys"></a>

Amazon Lex V2 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags attached to a Lex resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the set of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS License Manager
<a name="list_awslicensemanager"></a>

AWS License Manager (service prefix: `license-manager`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/license-manager/latest/userguide/license-manager.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/license-manager/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/license-manager/latest/userguide/using-service-linked-roles.html) permission policies.

**Topics**
+ [

## Actions defined by AWS License Manager
](#awslicensemanager-actions-as-permissions)
+ [

## Resource types defined by AWS License Manager
](#awslicensemanager-resources-for-iam-policies)
+ [

## Condition keys for AWS License Manager
](#awslicensemanager-policy-keys)

## Actions defined by AWS License Manager
<a name="awslicensemanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awslicensemanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanager.html)

## Resource types defined by AWS License Manager
<a name="awslicensemanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awslicensemanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/license-configurations.html](https://docs.aws.amazon.com/license-manager/latest/userguide/license-configurations.html)  |  arn:\$1\$1Partition\$1:license-manager:\$1\$1Region\$1:\$1\$1Account\$1:license-configuration:\$1\$1LicenseConfigurationId\$1  |   [#awslicensemanager-aws_ResourceTag___TagKey_](#awslicensemanager-aws_ResourceTag___TagKey_)   [#awslicensemanager-license-manager_ResourceTag___TagKey_](#awslicensemanager-license-manager_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/seller-issued-licenses.html](https://docs.aws.amazon.com/license-manager/latest/userguide/seller-issued-licenses.html)  |  arn:\$1\$1Partition\$1:license-manager::\$1\$1Account\$1:license:\$1\$1LicenseId\$1  |   [#awslicensemanager-aws_ResourceTag___TagKey_](#awslicensemanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/granted-licenses.html](https://docs.aws.amazon.com/license-manager/latest/userguide/granted-licenses.html)  |  arn:\$1\$1Partition\$1:license-manager::\$1\$1Account\$1:grant:\$1\$1GrantId\$1  |   [#awslicensemanager-aws_ResourceTag___TagKey_](#awslicensemanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/license-reporting.html](https://docs.aws.amazon.com/license-manager/latest/userguide/license-reporting.html)  |  arn:\$1\$1Partition\$1:license-manager:\$1\$1Region\$1:\$1\$1Account\$1:report-generator:\$1\$1ReportGeneratorId\$1  |   [#awslicensemanager-aws_ResourceTag___TagKey_](#awslicensemanager-aws_ResourceTag___TagKey_)   [#awslicensemanager-license-manager_ResourceTag___TagKey_](#awslicensemanager-license-manager_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/license-asset-ruleset.html](https://docs.aws.amazon.com/license-manager/latest/userguide/license-asset-ruleset.html)  |  arn:\$1\$1Partition\$1:license-manager:\$1\$1Region\$1:\$1\$1Account\$1:license-asset-ruleset:\$1\$1LicenseAssetRulesetId\$1  |   [#awslicensemanager-aws_ResourceTag___TagKey_](#awslicensemanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/license-asset-group.html](https://docs.aws.amazon.com/license-manager/latest/userguide/license-asset-group.html)  |  arn:\$1\$1Partition\$1:license-manager:\$1\$1Region\$1:\$1\$1Account\$1:license-asset-group:\$1\$1LicenseAssetGroupId\$1  |   [#awslicensemanager-aws_ResourceTag___TagKey_](#awslicensemanager-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS License Manager
<a name="awslicensemanager-policy-keys"></a>

AWS License Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html)  | Filters access by the tags that are passed in the request | String | 
|   [identity-access-management.html](identity-access-management.html)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html)  | Filters access by tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html)  | Filters access by the tag key-value pairs attached to the resource | String | 

# Actions, resources, and condition keys for AWS License Manager Linux Subscriptions Manager
<a name="list_awslicensemanagerlinuxsubscriptionsmanager"></a>

AWS License Manager Linux Subscriptions Manager (service prefix: `license-manager-linux-subscriptions`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/license-manager/latest/userguide/linux-subscriptions.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/license-manager-linux-subscriptions/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/license-manager/latest/userguide/using-service-linked-roles.html) permission policies.

**Topics**
+ [

## Actions defined by AWS License Manager Linux Subscriptions Manager
](#awslicensemanagerlinuxsubscriptionsmanager-actions-as-permissions)
+ [

## Resource types defined by AWS License Manager Linux Subscriptions Manager
](#awslicensemanagerlinuxsubscriptionsmanager-resources-for-iam-policies)
+ [

## Condition keys for AWS License Manager Linux Subscriptions Manager
](#awslicensemanagerlinuxsubscriptionsmanager-policy-keys)

## Actions defined by AWS License Manager Linux Subscriptions Manager
<a name="awslicensemanagerlinuxsubscriptionsmanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awslicensemanagerlinuxsubscriptionsmanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanagerlinuxsubscriptionsmanager.html)

## Resource types defined by AWS License Manager Linux Subscriptions Manager
<a name="awslicensemanagerlinuxsubscriptionsmanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awslicensemanagerlinuxsubscriptionsmanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/subscription-providers.html](https://docs.aws.amazon.com/license-manager/latest/userguide/subscription-providers.html)  |  arn:\$1\$1Partition\$1:license-manager-linux-subscriptions:\$1\$1Region\$1:\$1\$1Account\$1:subscription-provider/\$1\$1SubscriptionProviderId\$1  |   [#awslicensemanagerlinuxsubscriptionsmanager-aws_ResourceTag___TagKey_](#awslicensemanagerlinuxsubscriptionsmanager-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS License Manager Linux Subscriptions Manager
<a name="awslicensemanagerlinuxsubscriptionsmanager-policy-keys"></a>

AWS License Manager Linux Subscriptions Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html)  | Filters access by the tags that are passed in the request | String | 
|   [identity-access-management.html](identity-access-management.html)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS License Manager User Subscriptions
<a name="list_awslicensemanagerusersubscriptions"></a>

AWS License Manager User Subscriptions (service prefix: `license-manager-user-subscriptions`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/license-manager/latest/userguide/license-manager.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/license-manager-user-subscriptions/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/license-manager/latest/userguide/using-service-linked-roles.html) permission policies.

**Topics**
+ [

## Actions defined by AWS License Manager User Subscriptions
](#awslicensemanagerusersubscriptions-actions-as-permissions)
+ [

## Resource types defined by AWS License Manager User Subscriptions
](#awslicensemanagerusersubscriptions-resources-for-iam-policies)
+ [

## Condition keys for AWS License Manager User Subscriptions
](#awslicensemanagerusersubscriptions-policy-keys)

## Actions defined by AWS License Manager User Subscriptions
<a name="awslicensemanagerusersubscriptions-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awslicensemanagerusersubscriptions-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanagerusersubscriptions.html)

## Resource types defined by AWS License Manager User Subscriptions
<a name="awslicensemanagerusersubscriptions-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awslicensemanagerusersubscriptions-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/identity-provider.html](https://docs.aws.amazon.com/license-manager/latest/userguide/identity-provider.html)  |  arn:\$1\$1Partition\$1:license-manager-user-subscriptions:\$1\$1Region\$1:\$1\$1Account\$1:identity-provider/\$1\$1IdentityProviderId\$1  |   [#awslicensemanagerusersubscriptions-aws_ResourceTag___TagKey_](#awslicensemanagerusersubscriptions-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/product-subscription.html](https://docs.aws.amazon.com/license-manager/latest/userguide/product-subscription.html)  |  arn:\$1\$1Partition\$1:license-manager-user-subscriptions:\$1\$1Region\$1:\$1\$1Account\$1:product-subscription/\$1\$1ProductSubscriptionId\$1  |   [#awslicensemanagerusersubscriptions-aws_ResourceTag___TagKey_](#awslicensemanagerusersubscriptions-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/instance-user.html](https://docs.aws.amazon.com/license-manager/latest/userguide/instance-user.html)  |  arn:\$1\$1Partition\$1:license-manager-user-subscriptions:\$1\$1Region\$1:\$1\$1Account\$1:instance-user/\$1\$1InstanceUserId\$1  |   [#awslicensemanagerusersubscriptions-aws_ResourceTag___TagKey_](#awslicensemanagerusersubscriptions-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/license-server-endpoint.html](https://docs.aws.amazon.com/license-manager/latest/userguide/license-server-endpoint.html)  |  arn:\$1\$1Partition\$1:license-manager-user-subscriptions:\$1\$1Region\$1:\$1\$1Account\$1:license-server-endpoint/\$1\$1LicenseServerEndpointId\$1  |   [#awslicensemanagerusersubscriptions-aws_ResourceTag___TagKey_](#awslicensemanagerusersubscriptions-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS License Manager User Subscriptions
<a name="awslicensemanagerusersubscriptions-policy-keys"></a>

AWS License Manager User Subscriptions defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/license-manager/latest/userguide/identity-access-management.html)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Lightsail
<a name="list_amazonlightsail"></a>

Amazon Lightsail (service prefix: `lightsail`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://lightsail.aws.amazon.com/ls/docs/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/).
+ Learn how to secure this service and its resources by [using IAM](https://lightsail.aws.amazon.com/ls/docs/how-to/article/security_iam) permission policies.

**Topics**
+ [

## Actions defined by Amazon Lightsail
](#amazonlightsail-actions-as-permissions)
+ [

## Resource types defined by Amazon Lightsail
](#amazonlightsail-resources-for-iam-policies)
+ [

## Condition keys for Amazon Lightsail
](#amazonlightsail-policy-keys)

## Actions defined by Amazon Lightsail
<a name="amazonlightsail-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonlightsail-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html)

## Resource types defined by Amazon Lightsail
<a name="amazonlightsail-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonlightsail-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Domain.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Domain.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:Domain/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Instance.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Instance.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:Instance/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_InstanceSnapshot.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_InstanceSnapshot.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:InstanceSnapshot/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_KeyPair.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_KeyPair.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:KeyPair/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_StaticIp.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_StaticIp.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:StaticIp/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Disk.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Disk.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:Disk/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_DiskSnapshot.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_DiskSnapshot.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:DiskSnapshot/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_LoadBalancer.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_LoadBalancer.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:LoadBalancer/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_LoadBalancerTlsCertificate.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_LoadBalancerTlsCertificate.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:LoadBalancerTlsCertificate/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_ExportSnapshotRecord.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_ExportSnapshotRecord.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:ExportSnapshotRecord/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CloudFormationStackRecord.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CloudFormationStackRecord.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:CloudFormationStackRecord/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_RelationalDatabase.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_RelationalDatabase.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:RelationalDatabase/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_RelationalDatabaseSnapshot.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_RelationalDatabaseSnapshot.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:RelationalDatabaseSnapshot/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Alarm.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Alarm.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:Alarm/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Certificate.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Certificate.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:Certificate/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_ContactMethod.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_ContactMethod.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:ContactMethod/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_ContainerService.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_ContainerService.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:ContainerService/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_LightsailDistribution.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_LightsailDistribution.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:Distribution/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Bucket.html](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Bucket.html)  |  arn:\$1\$1Partition\$1:lightsail:\$1\$1Region\$1:\$1\$1Account\$1:Bucket/\$1\$1Id\$1  |   [#amazonlightsail-aws_ResourceTag___TagKey_](#amazonlightsail-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Lightsail
<a name="amazonlightsail-policy-keys"></a>

Amazon Lightsail defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Location
<a name="list_amazonlocation"></a>

Amazon Location (service prefix: `geo`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/location/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/location/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/location/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Location
](#amazonlocation-actions-as-permissions)
+ [

## Resource types defined by Amazon Location
](#amazonlocation-resources-for-iam-policies)
+ [

## Condition keys for Amazon Location
](#amazonlocation-policy-keys)

## Actions defined by Amazon Location
<a name="amazonlocation-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonlocation-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlocation.html)

## Resource types defined by Amazon Location
<a name="amazonlocation-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonlocation-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/using-apikeys.html](https://docs.aws.amazon.com/location/latest/developerguide/using-apikeys.html)  |  arn:\$1\$1Partition\$1:geo:\$1\$1Region\$1:\$1\$1Account\$1:api-key/\$1\$1KeyName\$1  |   [#amazonlocation-aws_ResourceTag___TagKey_](#amazonlocation-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/geofence-tracker-concepts.html](https://docs.aws.amazon.com/location/latest/developerguide/geofence-tracker-concepts.html)  |  arn:\$1\$1Partition\$1:geo:\$1\$1Region\$1:\$1\$1Account\$1:geofence-collection/\$1\$1GeofenceCollectionName\$1  |   [#amazonlocation-aws_ResourceTag___TagKey_](#amazonlocation-aws_ResourceTag___TagKey_)   [#amazonlocation-geo_GeofenceIds](#amazonlocation-geo_GeofenceIds)   | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/map-concepts.html](https://docs.aws.amazon.com/location/latest/developerguide/map-concepts.html)  |  arn:\$1\$1Partition\$1:geo:\$1\$1Region\$1:\$1\$1Account\$1:map/\$1\$1MapName\$1  |   [#amazonlocation-aws_ResourceTag___TagKey_](#amazonlocation-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/places-concepts.html](https://docs.aws.amazon.com/location/latest/developerguide/places-concepts.html)  |  arn:\$1\$1Partition\$1:geo:\$1\$1Region\$1:\$1\$1Account\$1:place-index/\$1\$1IndexName\$1  |   [#amazonlocation-aws_ResourceTag___TagKey_](#amazonlocation-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/route-concepts.html](https://docs.aws.amazon.com/location/latest/developerguide/route-concepts.html)  |  arn:\$1\$1Partition\$1:geo:\$1\$1Region\$1:\$1\$1Account\$1:route-calculator/\$1\$1CalculatorName\$1  |   [#amazonlocation-aws_ResourceTag___TagKey_](#amazonlocation-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/geofence-tracker-concepts.html](https://docs.aws.amazon.com/location/latest/developerguide/geofence-tracker-concepts.html)  |  arn:\$1\$1Partition\$1:geo:\$1\$1Region\$1:\$1\$1Account\$1:tracker/\$1\$1TrackerName\$1  |   [#amazonlocation-aws_ResourceTag___TagKey_](#amazonlocation-aws_ResourceTag___TagKey_)   [#amazonlocation-geo_DeviceIds](#amazonlocation-geo_DeviceIds)   | 

## Condition keys for Amazon Location
<a name="amazonlocation-policy-keys"></a>

Amazon Location defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in a request | ArrayOfString | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/location/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the presence of device ids in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/location/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the presence of geofence ids in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Location Service Maps
<a name="list_amazonlocationservicemaps"></a>

Amazon Location Service Maps (service prefix: `geo-maps`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/location/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/location/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/location/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Location Service Maps
](#amazonlocationservicemaps-actions-as-permissions)
+ [

## Resource types defined by Amazon Location Service Maps
](#amazonlocationservicemaps-resources-for-iam-policies)
+ [

## Condition keys for Amazon Location Service Maps
](#amazonlocationservicemaps-policy-keys)

## Actions defined by Amazon Location Service Maps
<a name="amazonlocationservicemaps-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonlocationservicemaps-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_geomaps_GetStaticMap.html](https://docs.aws.amazon.com/location/latest/APIReference/API_geomaps_GetStaticMap.html)  | Grants permission to retrieve the static map | Read |   [#amazonlocationservicemaps-provider](#amazonlocationservicemaps-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_geomaps_GetTile.html](https://docs.aws.amazon.com/location/latest/APIReference/API_geomaps_GetTile.html)  | Grants permission to retrieve the map tile | Read |   [#amazonlocationservicemaps-provider](#amazonlocationservicemaps-provider)   |  |  | 

## Resource types defined by Amazon Location Service Maps
<a name="amazonlocationservicemaps-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonlocationservicemaps-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/Welcome.html](https://docs.aws.amazon.com/location/latest/developerguide/Welcome.html)  |  arn:\$1\$1Partition\$1:geo-maps:\$1\$1Region\$1::provider/default  |  | 

## Condition keys for Amazon Location Service Maps
<a name="amazonlocationservicemaps-policy-keys"></a>

Geo Maps has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Location Service Places
<a name="list_amazonlocationserviceplaces"></a>

Amazon Location Service Places (service prefix: `geo-places`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/location/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/location/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/location/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Location Service Places
](#amazonlocationserviceplaces-actions-as-permissions)
+ [

## Resource types defined by Amazon Location Service Places
](#amazonlocationserviceplaces-resources-for-iam-policies)
+ [

## Condition keys for Amazon Location Service Places
](#amazonlocationserviceplaces-policy-keys)

## Actions defined by Amazon Location Service Places
<a name="amazonlocationserviceplaces-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonlocationserviceplaces-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_Autocomplete.html](https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_Autocomplete.html)  | Grants permission to autocomplete text input with potential places and addresses as the user types | Read |   [#amazonlocationserviceplaces-provider](#amazonlocationserviceplaces-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_Geocode.html](https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_Geocode.html)  | Grants permission to geocode a textual address or place into geographic coordinates | Read |   [#amazonlocationserviceplaces-provider](#amazonlocationserviceplaces-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_GetPlace.html](https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_GetPlace.html)  | Grants permission to query a place by it's unqiue place ID | Read |   [#amazonlocationserviceplaces-provider](#amazonlocationserviceplaces-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_ReverseGeocode.html](https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_ReverseGeocode.html)  | Grants permission to convert geographic coordinates into a human-readable address or place | Read |   [#amazonlocationserviceplaces-provider](#amazonlocationserviceplaces-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_SearchNearby.html](https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_SearchNearby.html)  | Grants permission to retrieve places near a position which match to a set of user defined restrictions such as category or food type offered by the place | Read |   [#amazonlocationserviceplaces-provider](#amazonlocationserviceplaces-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_SearchText.html](https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_SearchText.html)  | Grants permission to query for places using a single free-form text input | Read |   [#amazonlocationserviceplaces-provider](#amazonlocationserviceplaces-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_Suggest.html](https://docs.aws.amazon.com/location/latest/APIReference/API_geoplaces_Suggest.html)  | Grants permission to suggest potential places based on the user's input | Read |   [#amazonlocationserviceplaces-provider](#amazonlocationserviceplaces-provider)   |  |  | 

## Resource types defined by Amazon Location Service Places
<a name="amazonlocationserviceplaces-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonlocationserviceplaces-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/Welcome.html](https://docs.aws.amazon.com/location/latest/developerguide/Welcome.html)  |  arn:\$1\$1Partition\$1:geo-places:\$1\$1Region\$1::provider/default  |  | 

## Condition keys for Amazon Location Service Places
<a name="amazonlocationserviceplaces-policy-keys"></a>

Geo Places has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Location Service Routes
<a name="list_amazonlocationserviceroutes"></a>

Amazon Location Service Routes (service prefix: `geo-routes`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/location/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/location/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/location/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Location Service Routes
](#amazonlocationserviceroutes-actions-as-permissions)
+ [

## Resource types defined by Amazon Location Service Routes
](#amazonlocationserviceroutes-resources-for-iam-policies)
+ [

## Condition keys for Amazon Location Service Routes
](#amazonlocationserviceroutes-policy-keys)

## Actions defined by Amazon Location Service Routes
<a name="amazonlocationserviceroutes-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonlocationserviceroutes-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_CalculateIsolines.html](https://docs.aws.amazon.com/location/latest/APIReference/API_CalculateIsolines.html)  | Grants permission to determine destinations or service areas reachable within a specified time | Read |   [#amazonlocationserviceroutes-provider](#amazonlocationserviceroutes-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_CalculateRouteMatrix.html](https://docs.aws.amazon.com/location/latest/APIReference/API_CalculateRouteMatrix.html)  | Grants permission to calculate routing matrice which providing travel time and distances between sets of origins and destinations | Read |   [#amazonlocationserviceroutes-provider](#amazonlocationserviceroutes-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_CalculateRoutes.html](https://docs.aws.amazon.com/location/latest/APIReference/API_CalculateRoutes.html)  | Grants permission to calculates routes between two or more locations | Read |   [#amazonlocationserviceroutes-provider](#amazonlocationserviceroutes-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_OptimizeWaypoints.html](https://docs.aws.amazon.com/location/latest/APIReference/API_OptimizeWaypoints.html)  | Grants permission to calculate the most efficient sequence for visiting multiple waypoints or locations along a route | Read |   [#amazonlocationserviceroutes-provider](#amazonlocationserviceroutes-provider)   |  |  | 
|   [https://docs.aws.amazon.com/location/latest/APIReference/API_SnapToRoads.html](https://docs.aws.amazon.com/location/latest/APIReference/API_SnapToRoads.html)  | Grants permission to enhances the accuracy of geographic positioning by aligning GPS coordinates to the nearest road segments on a digital map | Read |   [#amazonlocationserviceroutes-provider](#amazonlocationserviceroutes-provider)   |  |  | 

## Resource types defined by Amazon Location Service Routes
<a name="amazonlocationserviceroutes-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonlocationserviceroutes-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/location/latest/developerguide/Welcome.html](https://docs.aws.amazon.com/location/latest/developerguide/Welcome.html)  |  arn:\$1\$1Partition\$1:geo-routes:\$1\$1Region\$1::provider/default  |  | 

## Condition keys for Amazon Location Service Routes
<a name="amazonlocationserviceroutes-policy-keys"></a>

Geo Routes has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Lookout for Equipment
<a name="list_amazonlookoutforequipment"></a>

Amazon Lookout for Equipment (service prefix: `lookoutequipment`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Lookout for Equipment
](#amazonlookoutforequipment-actions-as-permissions)
+ [

## Resource types defined by Amazon Lookout for Equipment
](#amazonlookoutforequipment-resources-for-iam-policies)
+ [

## Condition keys for Amazon Lookout for Equipment
](#amazonlookoutforequipment-policy-keys)

## Actions defined by Amazon Lookout for Equipment
<a name="amazonlookoutforequipment-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonlookoutforequipment-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforequipment.html)

## Resource types defined by Amazon Lookout for Equipment
<a name="amazonlookoutforequipment-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonlookoutforequipment-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/dataset.html](https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/dataset.html)  |  arn:\$1\$1Partition\$1:lookoutequipment:\$1\$1Region\$1:\$1\$1Account\$1:dataset/\$1\$1DatasetName\$1/\$1\$1DatasetId\$1  |   [#amazonlookoutforequipment-aws_ResourceTag___TagKey_](#amazonlookoutforequipment-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/model.html](https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/model.html)  |  arn:\$1\$1Partition\$1:lookoutequipment:\$1\$1Region\$1:\$1\$1Account\$1:model/\$1\$1ModelName\$1/\$1\$1ModelId\$1  |   [#amazonlookoutforequipment-aws_ResourceTag___TagKey_](#amazonlookoutforequipment-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/model-version.html](https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/model-version.html)  |  arn:\$1\$1Partition\$1:lookoutequipment:\$1\$1Region\$1:\$1\$1Account\$1:model/\$1\$1ModelName\$1/\$1\$1ModelId\$1/model-version/\$1\$1ModelVersionNumber\$1  |   [#amazonlookoutforequipment-aws_ResourceTag___TagKey_](#amazonlookoutforequipment-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/inference-scheduler.html](https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/inference-scheduler.html)  |  arn:\$1\$1Partition\$1:lookoutequipment:\$1\$1Region\$1:\$1\$1Account\$1:inference-scheduler/\$1\$1InferenceSchedulerName\$1/\$1\$1InferenceSchedulerId\$1  |   [#amazonlookoutforequipment-aws_ResourceTag___TagKey_](#amazonlookoutforequipment-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/label-group.html](https://docs.aws.amazon.com/lookout-for-equipment/latest/ug/label-group.html)  |  arn:\$1\$1Partition\$1:lookoutequipment:\$1\$1Region\$1:\$1\$1Account\$1:label-group/\$1\$1LabelGroupName\$1/\$1\$1LabelGroupId\$1  |   [#amazonlookoutforequipment-aws_ResourceTag___TagKey_](#amazonlookoutforequipment-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Lookout for Equipment
<a name="amazonlookoutforequipment-policy-keys"></a>

Amazon Lookout for Equipment defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-isimportingdata](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-isimportingdata)  | Filters access by the import strategy of underlying data | Bool | 

# Actions, resources, and condition keys for Amazon Lookout for Metrics
<a name="list_amazonlookoutformetrics"></a>

Amazon Lookout for Metrics (service prefix: `lookoutmetrics`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/lookoutmetrics/latest/dev/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/lookoutmetrics/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/lookoutmetrics/latest/dev/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Lookout for Metrics
](#amazonlookoutformetrics-actions-as-permissions)
+ [

## Resource types defined by Amazon Lookout for Metrics
](#amazonlookoutformetrics-resources-for-iam-policies)
+ [

## Condition keys for Amazon Lookout for Metrics
](#amazonlookoutformetrics-policy-keys)

## Actions defined by Amazon Lookout for Metrics
<a name="amazonlookoutformetrics-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonlookoutformetrics-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutformetrics.html)

## Resource types defined by Amazon Lookout for Metrics
<a name="amazonlookoutformetrics-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonlookoutformetrics-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/lookoutmetrics/latest/api/API_AnomalyDetectorSummary.html](https://docs.aws.amazon.com/lookoutmetrics/latest/api/API_AnomalyDetectorSummary.html)  |  arn:\$1\$1Partition\$1:lookoutmetrics:\$1\$1Region\$1:\$1\$1Account\$1:AnomalyDetector:\$1\$1AnomalyDetectorName\$1  |   [#amazonlookoutformetrics-aws_ResourceTag___TagKey_](#amazonlookoutformetrics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lookoutmetrics/latest/api/API_MetricSetSummary.html](https://docs.aws.amazon.com/lookoutmetrics/latest/api/API_MetricSetSummary.html)  |  arn:\$1\$1Partition\$1:lookoutmetrics:\$1\$1Region\$1:\$1\$1Account\$1:MetricSet/\$1\$1AnomalyDetectorName\$1/\$1\$1MetricSetName\$1  |   [#amazonlookoutformetrics-aws_ResourceTag___TagKey_](#amazonlookoutformetrics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lookoutmetrics/latest/api/API_AlertSummary.html](https://docs.aws.amazon.com/lookoutmetrics/latest/api/API_AlertSummary.html)  |  arn:\$1\$1Partition\$1:lookoutmetrics:\$1\$1Region\$1:\$1\$1Account\$1:Alert:\$1\$1AlertName\$1  |   [#amazonlookoutformetrics-aws_ResourceTag___TagKey_](#amazonlookoutformetrics-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Lookout for Metrics
<a name="amazonlookoutformetrics-policy-keys"></a>

Amazon Lookout for Metrics defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Lookout for Vision
<a name="list_amazonlookoutforvision"></a>

Amazon Lookout for Vision (service prefix: `lookoutvision`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/lookout-for-vision/latest/developer-guide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/lookout-for-vision/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/lookout-for-vision/latest/developer-guide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Lookout for Vision
](#amazonlookoutforvision-actions-as-permissions)
+ [

## Resource types defined by Amazon Lookout for Vision
](#amazonlookoutforvision-resources-for-iam-policies)
+ [

## Condition keys for Amazon Lookout for Vision
](#amazonlookoutforvision-policy-keys)

## Actions defined by Amazon Lookout for Vision
<a name="amazonlookoutforvision-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonlookoutforvision-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforvision.html)

## Resource types defined by Amazon Lookout for Vision
<a name="amazonlookoutforvision-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonlookoutforvision-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/lookout-for-vision/latest/developer-guide/model-create-project.html](https://docs.aws.amazon.com/lookout-for-vision/latest/developer-guide/model-create-project.html)  |  arn:\$1\$1Partition\$1:lookoutvision:\$1\$1Region\$1:\$1\$1Account\$1:model/\$1\$1ProjectName\$1/\$1\$1ModelVersion\$1  |   [#amazonlookoutforvision-aws_ResourceTag___TagKey_](#amazonlookoutforvision-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/lookout-for-vision/latest/developer-guide/model-create-project.html](https://docs.aws.amazon.com/lookout-for-vision/latest/developer-guide/model-create-project.html)  |  arn:\$1\$1Partition\$1:lookoutvision:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ProjectName\$1  |  | 

## Condition keys for Amazon Lookout for Vision
<a name="amazonlookoutforvision-policy-keys"></a>

Amazon Lookout for Vision defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Machine Learning
<a name="list_amazonmachinelearning"></a>

Amazon Machine Learning (service prefix: `machinelearning`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/machine-learning/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/machine-learning/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/machine-learning/latest/dg/controlling-access-to-amazon-ml-resources-by-using-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Machine Learning
](#amazonmachinelearning-actions-as-permissions)
+ [

## Resource types defined by Amazon Machine Learning
](#amazonmachinelearning-resources-for-iam-policies)
+ [

## Condition keys for Amazon Machine Learning
](#amazonmachinelearning-policy-keys)

## Actions defined by Amazon Machine Learning
<a name="amazonmachinelearning-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmachinelearning-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmachinelearning.html)

## Resource types defined by Amazon Machine Learning
<a name="amazonmachinelearning-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmachinelearning-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/machine-learning/latest/dg/amazon-machine-learning-key-concepts.html#batch-predictions](https://docs.aws.amazon.com/machine-learning/latest/dg/amazon-machine-learning-key-concepts.html#batch-predictions)  |  arn:\$1\$1Partition\$1:machinelearning:\$1\$1Region\$1:\$1\$1Account\$1:batchprediction/\$1\$1BatchPredictionId\$1  |  | 
|   [https://docs.aws.amazon.com/machine-learning/latest/dg/amazon-machine-learning-key-concepts.html#datasources](https://docs.aws.amazon.com/machine-learning/latest/dg/amazon-machine-learning-key-concepts.html#datasources)  |  arn:\$1\$1Partition\$1:machinelearning:\$1\$1Region\$1:\$1\$1Account\$1:datasource/\$1\$1DatasourceId\$1  |  | 
|   [https://docs.aws.amazon.com/machine-learning/latest/dg/amazon-machine-learning-key-concepts.html#evaluations](https://docs.aws.amazon.com/machine-learning/latest/dg/amazon-machine-learning-key-concepts.html#evaluations)  |  arn:\$1\$1Partition\$1:machinelearning:\$1\$1Region\$1:\$1\$1Account\$1:evaluation/\$1\$1EvaluationId\$1  |  | 
|   [https://docs.aws.amazon.com/machine-learning/latest/dg/amazon-machine-learning-key-concepts.html#ml-models](https://docs.aws.amazon.com/machine-learning/latest/dg/amazon-machine-learning-key-concepts.html#ml-models)  |  arn:\$1\$1Partition\$1:machinelearning:\$1\$1Region\$1:\$1\$1Account\$1:mlmodel/\$1\$1MlModelId\$1  |  | 

## Condition keys for Amazon Machine Learning
<a name="amazonmachinelearning-policy-keys"></a>

Machine Learning has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Macie
<a name="list_amazonmacie"></a>

Amazon Macie (service prefix: `macie2`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/macie/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/macie/latest/APIReference/operations.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Macie
](#amazonmacie-actions-as-permissions)
+ [

## Resource types defined by Amazon Macie
](#amazonmacie-resources-for-iam-policies)
+ [

## Condition keys for Amazon Macie
](#amazonmacie-policy-keys)

## Actions defined by Amazon Macie
<a name="amazonmacie-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmacie-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).

**Note**  
The DisassociateFromMasterAccount and GetMasterAccount actions have been deprecated. We recommend that you specify the DisassociateFromAdministratorAccount and GetAdministratorAccount actions respectively instead.


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmacie.html)

## Resource types defined by Amazon Macie
<a name="amazonmacie-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmacie-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html)  |  arn:\$1\$1Partition\$1:macie2:\$1\$1Region\$1:\$1\$1Account\$1:allow-list/\$1\$1ResourceId\$1  |   [#amazonmacie-aws_ResourceTag___TagKey_](#amazonmacie-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html)  |  arn:\$1\$1Partition\$1:macie2:\$1\$1Region\$1:\$1\$1Account\$1:classification-job/\$1\$1ResourceId\$1  |   [#amazonmacie-aws_ResourceTag___TagKey_](#amazonmacie-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html.html](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html.html)  |  arn:\$1\$1Partition\$1:macie2:\$1\$1Region\$1:\$1\$1Account\$1:custom-data-identifier/\$1\$1ResourceId\$1  |   [#amazonmacie-aws_ResourceTag___TagKey_](#amazonmacie-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html)  |  arn:\$1\$1Partition\$1:macie2:\$1\$1Region\$1:\$1\$1Account\$1:findings-filter/\$1\$1ResourceId\$1  |   [#amazonmacie-aws_ResourceTag___TagKey_](#amazonmacie-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html)  |  arn:\$1\$1Partition\$1:macie2:\$1\$1Region\$1:\$1\$1Account\$1:member/\$1\$1ResourceId\$1  |   [#amazonmacie-aws_ResourceTag___TagKey_](#amazonmacie-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Macie
<a name="amazonmacie-policy-keys"></a>

Amazon Macie defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Mainframe Modernization Application Testing
<a name="list_awsmainframemodernizationapplicationtesting"></a>

AWS Mainframe Modernization Application Testing (service prefix: `apptest`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/m2/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/apptest/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/m2/latest/userguide/apptest-security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Mainframe Modernization Application Testing
](#awsmainframemodernizationapplicationtesting-actions-as-permissions)
+ [

## Resource types defined by AWS Mainframe Modernization Application Testing
](#awsmainframemodernizationapplicationtesting-resources-for-iam-policies)
+ [

## Condition keys for AWS Mainframe Modernization Application Testing
](#awsmainframemodernizationapplicationtesting-policy-keys)

## Actions defined by AWS Mainframe Modernization Application Testing
<a name="awsmainframemodernizationapplicationtesting-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmainframemodernizationapplicationtesting-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmainframemodernizationapplicationtesting.html)

## Resource types defined by AWS Mainframe Modernization Application Testing
<a name="awsmainframemodernizationapplicationtesting-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmainframemodernizationapplicationtesting-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html#TestCase-concept](https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html#TestCase-concept)  |  arn:\$1\$1Partition\$1:apptest:\$1\$1Region\$1:\$1\$1Account\$1:testcase/\$1\$1TestCaseId\$1  |   [#awsmainframemodernizationapplicationtesting-aws_ResourceTag___TagKey_](#awsmainframemodernizationapplicationtesting-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html#TestConfiguration-concept](https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html#TestConfiguration-concept)  |  arn:\$1\$1Partition\$1:apptest:\$1\$1Region\$1:\$1\$1Account\$1:testconfiguration/\$1\$1TestConfigurationId\$1  |   [#awsmainframemodernizationapplicationtesting-aws_ResourceTag___TagKey_](#awsmainframemodernizationapplicationtesting-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html#TestRun-concept](https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html#TestRun-concept)  |  arn:\$1\$1Partition\$1:apptest:\$1\$1Region\$1:\$1\$1Account\$1:testrun/\$1\$1TestRunId\$1  |   [#awsmainframemodernizationapplicationtesting-aws_ResourceTag___TagKey_](#awsmainframemodernizationapplicationtesting-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html#TestSuite-concept](https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html#TestSuite-concept)  |  arn:\$1\$1Partition\$1:apptest:\$1\$1Region\$1:\$1\$1Account\$1:testsuite/\$1\$1TestSuiteId\$1  |   [#awsmainframemodernizationapplicationtesting-aws_ResourceTag___TagKey_](#awsmainframemodernizationapplicationtesting-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Mainframe Modernization Application Testing
<a name="awsmainframemodernizationapplicationtesting-policy-keys"></a>

AWS Mainframe Modernization Application Testing defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Mainframe Modernization Service
<a name="list_awsmainframemodernizationservice"></a>

AWS Mainframe Modernization Service (service prefix: `m2`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/m2/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/m2/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/m2/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Mainframe Modernization Service
](#awsmainframemodernizationservice-actions-as-permissions)
+ [

## Resource types defined by AWS Mainframe Modernization Service
](#awsmainframemodernizationservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Mainframe Modernization Service
](#awsmainframemodernizationservice-policy-keys)

## Actions defined by AWS Mainframe Modernization Service
<a name="awsmainframemodernizationservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmainframemodernizationservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmainframemodernizationservice.html)

## Resource types defined by AWS Mainframe Modernization Service
<a name="awsmainframemodernizationservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmainframemodernizationservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/m2/latest/userguide/concept-m2.html#application-concept](https://docs.aws.amazon.com/m2/latest/userguide/concept-m2.html#application-concept)  |  arn:\$1\$1Partition\$1:m2:\$1\$1Region\$1:\$1\$1Account\$1:app/\$1\$1ApplicationId\$1  |   [#awsmainframemodernizationservice-aws_ResourceTag___TagKey_](#awsmainframemodernizationservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/m2/latest/userguide/concept-m2.html#environment-concept](https://docs.aws.amazon.com/m2/latest/userguide/concept-m2.html#environment-concept)  |  arn:\$1\$1Partition\$1:m2:\$1\$1Region\$1:\$1\$1Account\$1:env/\$1\$1EnvironmentId\$1  |   [#awsmainframemodernizationservice-aws_ResourceTag___TagKey_](#awsmainframemodernizationservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Mainframe Modernization Service
<a name="awsmainframemodernizationservice-policy-keys"></a>

AWS Mainframe Modernization Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Managed Blockchain
<a name="list_amazonmanagedblockchain"></a>

Amazon Managed Blockchain (service prefix: `managedblockchain`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/managed-blockchain/latest/managementguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/managed-blockchain/latest/managementguide/) permission policies.

**Topics**
+ [

## Actions defined by Amazon Managed Blockchain
](#amazonmanagedblockchain-actions-as-permissions)
+ [

## Resource types defined by Amazon Managed Blockchain
](#amazonmanagedblockchain-resources-for-iam-policies)
+ [

## Condition keys for Amazon Managed Blockchain
](#amazonmanagedblockchain-policy-keys)

## Actions defined by Amazon Managed Blockchain
<a name="amazonmanagedblockchain-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmanagedblockchain-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedblockchain.html)

## Resource types defined by Amazon Managed Blockchain
<a name="amazonmanagedblockchain-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmanagedblockchain-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Network.html](https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Network.html)  |  arn:\$1\$1Partition\$1:managedblockchain:\$1\$1Region\$1::networks/\$1\$1NetworkId\$1  |   [#amazonmanagedblockchain-aws_ResourceTag___TagKey_](#amazonmanagedblockchain-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Member.html](https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Member.html)  |  arn:\$1\$1Partition\$1:managedblockchain:\$1\$1Region\$1:\$1\$1Account\$1:members/\$1\$1MemberId\$1  |   [#amazonmanagedblockchain-aws_ResourceTag___TagKey_](#amazonmanagedblockchain-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Node.html](https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Node.html)  |  arn:\$1\$1Partition\$1:managedblockchain:\$1\$1Region\$1:\$1\$1Account\$1:nodes/\$1\$1NodeId\$1  |   [#amazonmanagedblockchain-aws_ResourceTag___TagKey_](#amazonmanagedblockchain-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Proposal.html](https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Proposal.html)  |  arn:\$1\$1Partition\$1:managedblockchain:\$1\$1Region\$1::proposals/\$1\$1ProposalId\$1  |   [#amazonmanagedblockchain-aws_ResourceTag___TagKey_](#amazonmanagedblockchain-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Invitation.html](https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Invitation.html)  |  arn:\$1\$1Partition\$1:managedblockchain:\$1\$1Region\$1:\$1\$1Account\$1:invitations/\$1\$1InvitationId\$1  |   [#amazonmanagedblockchain-aws_ResourceTag___TagKey_](#amazonmanagedblockchain-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Accessor.html](https://docs.aws.amazon.com/managed-blockchain/latest/APIReference/API_Accessor.html)  |  arn:\$1\$1Partition\$1:managedblockchain:\$1\$1Region\$1:\$1\$1Account\$1:accessors/\$1\$1AccessorId\$1  |   [#amazonmanagedblockchain-aws_ResourceTag___TagKey_](#amazonmanagedblockchain-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Managed Blockchain
<a name="amazonmanagedblockchain-policy-keys"></a>

Amazon Managed Blockchain defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on the tags associated with an Amazon Managed Blockchain resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Managed Blockchain Query
<a name="list_amazonmanagedblockchainquery"></a>

Amazon Managed Blockchain Query (service prefix: `managedblockchain-query`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/managed-blockchain/latest/ambq-dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/managed-blockchain/latest/AMBQ-APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/managed-blockchain/latest/ambq-dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Managed Blockchain Query
](#amazonmanagedblockchainquery-actions-as-permissions)
+ [

## Resource types defined by Amazon Managed Blockchain Query
](#amazonmanagedblockchainquery-resources-for-iam-policies)
+ [

## Condition keys for Amazon Managed Blockchain Query
](#amazonmanagedblockchainquery-policy-keys)

## Actions defined by Amazon Managed Blockchain Query
<a name="amazonmanagedblockchainquery-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmanagedblockchainquery-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [${APIReferenceDocPage}API_BatchGetTokenBalance.html](${APIReferenceDocPage}API_BatchGetTokenBalance.html)  | Grants permission to batch calls for GetTokenBalance API | Read |  |  |  | 
|   [${APIReferenceDocPage}API_GetAssetContract.html](${APIReferenceDocPage}API_GetAssetContract.html)  | Grants permission to fetch information about a contract on the blockchain | Read |  |  |  | 
|   [${APIReferenceDocPage}API_GetTokenBalance.html](${APIReferenceDocPage}API_GetTokenBalance.html)  | Grants permission to retrieve balance of a token for an address on the blockchain | Read |  |  |  | 
|   [${APIReferenceDocPage}API_GetTransaction.html](${APIReferenceDocPage}API_GetTransaction.html)  | Grants permission to retrieve a transaction on the blockchain | Read |  |  |  | 
|   [${APIReferenceDocPage}API_ListAssetContracts.html](${APIReferenceDocPage}API_ListAssetContracts.html)  | Grants permission to fetch multiple contracts on the blockchain | List |  |  |  | 
|   [${APIReferenceDocPage}API_ListFilteredTransactionEvents.html](${APIReferenceDocPage}API_ListFilteredTransactionEvents.html)  | Grants permission to retrieve events on the blockchain with additional filters | List |  |  |  | 
|   [${APIReferenceDocPage}API_ListTokenBalances.html](${APIReferenceDocPage}API_ListTokenBalances.html)  | Grants permission to retrieve multiple balances on the blockchain | List |  |  |  | 
|   [${APIReferenceDocPage}API_ListTransactionEvents.html](${APIReferenceDocPage}API_ListTransactionEvents.html)  | Grants permission to retrieve events in a transaction on the blockchain | List |  |  |  | 
|   [${APIReferenceDocPage}API_ListTransactions.html](${APIReferenceDocPage}API_ListTransactions.html)  | Grants permission to retrieve a multiple transactions on a blockchain | List |  |  |  | 

## Resource types defined by Amazon Managed Blockchain Query
<a name="amazonmanagedblockchainquery-resources-for-iam-policies"></a>

Amazon Managed Blockchain Query does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Managed Blockchain Query, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Managed Blockchain Query
<a name="amazonmanagedblockchainquery-policy-keys"></a>

Managed Blockchain Query has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Managed Grafana
<a name="list_amazonmanagedgrafana"></a>

Amazon Managed Grafana (service prefix: `grafana`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/grafana/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/grafana/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/grafana/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Managed Grafana
](#amazonmanagedgrafana-actions-as-permissions)
+ [

## Resource types defined by Amazon Managed Grafana
](#amazonmanagedgrafana-resources-for-iam-policies)
+ [

## Condition keys for Amazon Managed Grafana
](#amazonmanagedgrafana-policy-keys)

## Actions defined by Amazon Managed Grafana
<a name="amazonmanagedgrafana-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmanagedgrafana-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedgrafana.html)

## Resource types defined by Amazon Managed Grafana
<a name="amazonmanagedgrafana-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmanagedgrafana-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/grafana/latest/userguide/security-iam.html](https://docs.aws.amazon.com/grafana/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:grafana:\$1\$1Region\$1:\$1\$1Account\$1:/workspaces/\$1\$1ResourceId\$1  |   [#amazonmanagedgrafana-aws_ResourceTag___TagKey_](#amazonmanagedgrafana-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Managed Grafana
<a name="amazonmanagedgrafana-policy-keys"></a>

Amazon Managed Grafana defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/grafana/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/grafana/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/grafana/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/grafana/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/grafana/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/grafana/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Managed Service for Prometheus
<a name="list_amazonmanagedserviceforprometheus"></a>

Amazon Managed Service for Prometheus (service prefix: `aps`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/prometheus/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-APIReference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/prometheus/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Managed Service for Prometheus
](#amazonmanagedserviceforprometheus-actions-as-permissions)
+ [

## Resource types defined by Amazon Managed Service for Prometheus
](#amazonmanagedserviceforprometheus-resources-for-iam-policies)
+ [

## Condition keys for Amazon Managed Service for Prometheus
](#amazonmanagedserviceforprometheus-policy-keys)

## Actions defined by Amazon Managed Service for Prometheus
<a name="amazonmanagedserviceforprometheus-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmanagedserviceforprometheus-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforprometheus.html)

## Resource types defined by Amazon Managed Service for Prometheus
<a name="amazonmanagedserviceforprometheus-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmanagedserviceforprometheus-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/prometheus/latest/userguide/security-iam.html](https://docs.aws.amazon.com/prometheus/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:aps:\$1\$1Region\$1:\$1\$1Account\$1:workspace/\$1\$1WorkspaceId\$1  |   [#amazonmanagedserviceforprometheus-aws_RequestTag___TagKey_](#amazonmanagedserviceforprometheus-aws_RequestTag___TagKey_)   [#amazonmanagedserviceforprometheus-aws_ResourceTag___TagKey_](#amazonmanagedserviceforprometheus-aws_ResourceTag___TagKey_)   [#amazonmanagedserviceforprometheus-aws_TagKeys](#amazonmanagedserviceforprometheus-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/prometheus/latest/userguide/security-iam.html](https://docs.aws.amazon.com/prometheus/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:aps:\$1\$1Region\$1:\$1\$1Account\$1:rulegroupsnamespace/\$1\$1WorkspaceId\$1/\$1\$1Namespace\$1  |   [#amazonmanagedserviceforprometheus-aws_RequestTag___TagKey_](#amazonmanagedserviceforprometheus-aws_RequestTag___TagKey_)   [#amazonmanagedserviceforprometheus-aws_ResourceTag___TagKey_](#amazonmanagedserviceforprometheus-aws_ResourceTag___TagKey_)   [#amazonmanagedserviceforprometheus-aws_TagKeys](#amazonmanagedserviceforprometheus-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/prometheus/latest/userguide/security-iam.html](https://docs.aws.amazon.com/prometheus/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:aps:\$1\$1Region\$1:\$1\$1Account\$1:anomalydetector/\$1\$1WorkspaceId\$1/\$1\$1AnomalyDetectorId\$1  |   [#amazonmanagedserviceforprometheus-aws_RequestTag___TagKey_](#amazonmanagedserviceforprometheus-aws_RequestTag___TagKey_)   [#amazonmanagedserviceforprometheus-aws_ResourceTag___TagKey_](#amazonmanagedserviceforprometheus-aws_ResourceTag___TagKey_)   [#amazonmanagedserviceforprometheus-aws_TagKeys](#amazonmanagedserviceforprometheus-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/prometheus/latest/userguide/security-iam.html](https://docs.aws.amazon.com/prometheus/latest/userguide/security-iam.html)  |  arn:\$1\$1Partition\$1:aps:\$1\$1Region\$1:\$1\$1Account\$1:scraper/\$1\$1ScraperId\$1  |   [#amazonmanagedserviceforprometheus-aws_RequestTag___TagKey_](#amazonmanagedserviceforprometheus-aws_RequestTag___TagKey_)   [#amazonmanagedserviceforprometheus-aws_ResourceTag___TagKey_](#amazonmanagedserviceforprometheus-aws_ResourceTag___TagKey_)   [#amazonmanagedserviceforprometheus-aws_TagKeys](#amazonmanagedserviceforprometheus-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/eks/latest/userguide/clusters.html](https://docs.aws.amazon.com/eks/latest/userguide/clusters.html)  |  arn:\$1\$1Partition\$1:eks:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ClusterName\$1  |   [#amazonmanagedserviceforprometheus-aws_ResourceTag___TagKey_](#amazonmanagedserviceforprometheus-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Managed Service for Prometheus
<a name="amazonmanagedserviceforprometheus-policy-keys"></a>

Amazon Managed Service for Prometheus defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Managed Streaming for Apache Kafka
<a name="list_amazonmanagedstreamingforapachekafka"></a>

Amazon Managed Streaming for Apache Kafka (service prefix: `kafka`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/msk/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/msk/1.0/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/msk/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Managed Streaming for Apache Kafka
](#amazonmanagedstreamingforapachekafka-actions-as-permissions)
+ [

## Resource types defined by Amazon Managed Streaming for Apache Kafka
](#amazonmanagedstreamingforapachekafka-resources-for-iam-policies)
+ [

## Condition keys for Amazon Managed Streaming for Apache Kafka
](#amazonmanagedstreamingforapachekafka-policy-keys)

## Actions defined by Amazon Managed Streaming for Apache Kafka
<a name="amazonmanagedstreamingforapachekafka-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmanagedstreamingforapachekafka-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedstreamingforapachekafka.html)

## Resource types defined by Amazon Managed Streaming for Apache Kafka
<a name="amazonmanagedstreamingforapachekafka-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmanagedstreamingforapachekafka-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/msk/1.0/apireference/clusters-clusterarn.html](https://docs.aws.amazon.com/msk/1.0/apireference/clusters-clusterarn.html)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ClusterName\$1/\$1\$1Uuid\$1  |   [#amazonmanagedstreamingforapachekafka-aws_ResourceTag___TagKey_](#amazonmanagedstreamingforapachekafka-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/msk/1.0/apireference/configurations-arn.html](https://docs.aws.amazon.com/msk/1.0/apireference/configurations-arn.html)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1Account\$1:configuration/\$1\$1ConfigurationName\$1/\$1\$1Uuid\$1  |  | 
|   [https://docs.aws.amazon.com/msk/1.0/apireference/vpc-connections-arn.html](https://docs.aws.amazon.com/msk/1.0/apireference/vpc-connections-arn.html)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1VpcOwnerAccount\$1:vpc-connection/\$1\$1ClusterOwnerAccount\$1/\$1\$1ClusterName\$1/\$1\$1Uuid\$1  |   [#amazonmanagedstreamingforapachekafka-aws_ResourceTag___TagKey_](#amazonmanagedstreamingforapachekafka-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/v1-replicators.html](https://docs.aws.amazon.com/msk/latest/developerguide/v1-replicators.html)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1Account\$1:replicator/\$1\$1ReplicatorName\$1/\$1\$1Uuid\$1  |   [#amazonmanagedstreamingforapachekafka-aws_ResourceTag___TagKey_](#amazonmanagedstreamingforapachekafka-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1Account\$1:topic/\$1\$1ClusterName\$1/\$1\$1ClusterUuid\$1/\$1\$1TopicName\$1  |  | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1Account\$1:group/\$1\$1ClusterName\$1/\$1\$1ClusterUuid\$1/\$1\$1GroupName\$1  |  | 
|   [https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html#msk-iam-resources)  |  arn:\$1\$1Partition\$1:kafka:\$1\$1Region\$1:\$1\$1Account\$1:transactional-id/\$1\$1ClusterName\$1/\$1\$1ClusterUuid\$1/\$1\$1TransactionalId\$1  |  | 

## Condition keys for Amazon Managed Streaming for Apache Kafka
<a name="amazonmanagedstreamingforapachekafka-policy-keys"></a>

Amazon Managed Streaming for Apache Kafka defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_apachekafkaapisforamazonmskclusters.html#apachekafkaapisforamazonmskclusters-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_apachekafkaapisforamazonmskclusters.html#apachekafkaapisforamazonmskclusters-policy-keys)  | Filters access by the presence of public access enabled in the request | Bool | 

# Actions, resources, and condition keys for Amazon Managed Streaming for Kafka Connect
<a name="list_amazonmanagedstreamingforkafkaconnect"></a>

Amazon Managed Streaming for Kafka Connect (service prefix: `kafkaconnect`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/MSKC/latest/mskc/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Managed Streaming for Kafka Connect
](#amazonmanagedstreamingforkafkaconnect-actions-as-permissions)
+ [

## Resource types defined by Amazon Managed Streaming for Kafka Connect
](#amazonmanagedstreamingforkafkaconnect-resources-for-iam-policies)
+ [

## Condition keys for Amazon Managed Streaming for Kafka Connect
](#amazonmanagedstreamingforkafkaconnect-policy-keys)

## Actions defined by Amazon Managed Streaming for Kafka Connect
<a name="amazonmanagedstreamingforkafkaconnect-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmanagedstreamingforkafkaconnect-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedstreamingforkafkaconnect.html)

## Resource types defined by Amazon Managed Streaming for Kafka Connect
<a name="amazonmanagedstreamingforkafkaconnect-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmanagedstreamingforkafkaconnect-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/MSKC/latest/mskc/API_ConnectorSummary.html](https://docs.aws.amazon.com/MSKC/latest/mskc/API_ConnectorSummary.html)  |  arn:\$1\$1Partition\$1:kafkaconnect:\$1\$1Region\$1:\$1\$1Account\$1:connector/\$1\$1ConnectorName\$1/\$1\$1UUID\$1  |   [#amazonmanagedstreamingforkafkaconnect-aws_ResourceTag___TagKey_](#amazonmanagedstreamingforkafkaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/MSKC/latest/mskc/API_CustomPlugin.html](https://docs.aws.amazon.com/MSKC/latest/mskc/API_CustomPlugin.html)  |  arn:\$1\$1Partition\$1:kafkaconnect:\$1\$1Region\$1:\$1\$1Account\$1:custom-plugin/\$1\$1CustomPluginName\$1/\$1\$1UUID\$1  |   [#amazonmanagedstreamingforkafkaconnect-aws_ResourceTag___TagKey_](#amazonmanagedstreamingforkafkaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/MSKC/latest/mskc/API_WorkerConfiguration.html](https://docs.aws.amazon.com/MSKC/latest/mskc/API_WorkerConfiguration.html)  |  arn:\$1\$1Partition\$1:kafkaconnect:\$1\$1Region\$1:\$1\$1Account\$1:worker-configuration/\$1\$1WorkerConfigurationName\$1/\$1\$1UUID\$1  |   [#amazonmanagedstreamingforkafkaconnect-aws_ResourceTag___TagKey_](#amazonmanagedstreamingforkafkaconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/MSKC/latest/mskc/API_ConnectorOperation.html](https://docs.aws.amazon.com/MSKC/latest/mskc/API_ConnectorOperation.html)  |  arn:\$1\$1Partition\$1:kafkaconnect:\$1\$1Region\$1:\$1\$1Account\$1:connector-operation/\$1\$1ConnectorName\$1/\$1\$1ConnectorUUID\$1/\$1\$1UUID\$1  |   [#amazonmanagedstreamingforkafkaconnect-aws_ResourceTag___TagKey_](#amazonmanagedstreamingforkafkaconnect-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Managed Streaming for Kafka Connect
<a name="amazonmanagedstreamingforkafkaconnect-policy-keys"></a>

Amazon Managed Streaming for Kafka Connect defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Managed Workflows for Apache Airflow
<a name="list_amazonmanagedworkflowsforapacheairflow"></a>

Amazon Managed Workflows for Apache Airflow (service prefix: `airflow`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mwaa/latest/userguide/what-is-mwaa.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mwaa/latest/API/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mwaa/latest/userguide/manage-access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Managed Workflows for Apache Airflow
](#amazonmanagedworkflowsforapacheairflow-actions-as-permissions)
+ [

## Resource types defined by Amazon Managed Workflows for Apache Airflow
](#amazonmanagedworkflowsforapacheairflow-resources-for-iam-policies)
+ [

## Condition keys for Amazon Managed Workflows for Apache Airflow
](#amazonmanagedworkflowsforapacheairflow-policy-keys)

## Actions defined by Amazon Managed Workflows for Apache Airflow
<a name="amazonmanagedworkflowsforapacheairflow-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmanagedworkflowsforapacheairflow-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html)

## Resource types defined by Amazon Managed Workflows for Apache Airflow
<a name="amazonmanagedworkflowsforapacheairflow-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmanagedworkflowsforapacheairflow-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mwaa/latest/userguide/using-mwaa.html](https://docs.aws.amazon.com/mwaa/latest/userguide/using-mwaa.html)  |  arn:\$1\$1Partition\$1:airflow:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1EnvironmentName\$1  |  | 
|   [https://docs.aws.amazon.com/mwaa/latest/userguide/access-policies.html](https://docs.aws.amazon.com/mwaa/latest/userguide/access-policies.html)  |  arn:\$1\$1Partition\$1:airflow:\$1\$1Region\$1:\$1\$1Account\$1:role/\$1\$1EnvironmentName\$1/\$1\$1RoleName\$1  |  | 

## Condition keys for Amazon Managed Workflows for Apache Airflow
<a name="amazonmanagedworkflowsforapacheairflow-policy-keys"></a>

Amazon Managed Workflows for Apache Airflow defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Marketplace
<a name="list_awsmarketplace"></a>

AWS Marketplace (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/latest/buyerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/latest/buyerguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace
](#awsmarketplace-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace
](#awsmarketplace-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace
](#awsmarketplace-policy-keys)

## Actions defined by AWS Marketplace
<a name="awsmarketplace-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplace-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to approve an incoming subscription request (for providers who provide products that require subscription verification) | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to accept an agreement cancellation request | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to accept a payment request | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to accept their agreement requests | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to create a billing adjustment request against an agreement | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to cancel their agreements | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to withdraw a pending agreement cancellation request | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to cancel a payment request | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to cancel pending subscription requests for products that require subscription verification | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to create an agreement request | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to describe the metadata about the agreement | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to view the details of their incoming subscription requests (for providers who provide products that require subscription verification) | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to view the details of an agreement cancellation request | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to view the entitlements associated with an agreement | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to view details for a payment request | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to view the details of their subscription requests for data products that require subscription verification | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to get a list of terms for an agreement | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to view the details of a billing adjustment request | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to list their incoming subscription requests (for providers who provide products that require subscription verification) | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to list agreement cancellation requests | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to view charges associated with their agreements | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to list invoice line items for an agreement | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to list payment requests for an agreement | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to list their subscription requests for products that require subscription verification | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to list billing adjustment requests | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to view details of the entitlements associated with an agreement. Note that this action is not applicable to Marketplace purchases | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to decline an incoming subscription requests (for providers who provide products that require subscription verification) | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to reject an agreement cancellation request | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to reject a payment request | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to search their agreements | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to send an agreement cancellation request | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to send payment request | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to subscribe to AWS Marketplace products. Includes the ability to send a subscription request for products that require subscription verification. Includes the ability to enable auto-renewal for an existing subscription | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to remove subscriptions to AWS Marketplace products. Includes the ability to disable auto-renewal for an existing subscription | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to make changes to an incoming subscription request, including the ability to delete the prospective subscriber's information (for providers who provide products that require subscription verification) | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to update purchase orders for charges associated with their agreements | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Grants permission to users to see their account's subscriptions | List |  |  |  | 

## Resource types defined by AWS Marketplace
<a name="awsmarketplace-resources-for-iam-policies"></a>

AWS Marketplace does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Marketplace, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Marketplace
<a name="awsmarketplace-policy-keys"></a>

AWS Marketplace defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Filters access by the type of the agreement | ArrayOfString | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Filters access by the party type of the agreement | String | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html)  | Filters access by product id for AWS Marketplace RedHat OpenShift and Bedrock Products. Note: Using this condition key will not restrict access to products in AWS Marketplace | ArrayOfString | 

# Actions, resources, and condition keys for AWS Marketplace Catalog
<a name="list_awsmarketplacecatalog"></a>

AWS Marketplace Catalog (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/api-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Catalog
](#awsmarketplacecatalog-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Catalog
](#awsmarketplacecatalog-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Catalog
](#awsmarketplacecatalog-policy-keys)

## Actions defined by AWS Marketplace Catalog
<a name="awsmarketplacecatalog-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplacecatalog-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecatalog.html)

## Resource types defined by AWS Marketplace Catalog
<a name="awsmarketplacecatalog-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmarketplacecatalog-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/API_DescribeEntity.html#API_DescribeEntity_ResponseSyntax](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/API_DescribeEntity.html#API_DescribeEntity_ResponseSyntax)  |  arn:\$1\$1Partition\$1:aws-marketplace:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1Catalog\$1/\$1\$1EntityType\$1/\$1\$1ResourceId\$1  |   [#awsmarketplacecatalog-aws_ResourceTag___TagKey_](#awsmarketplacecatalog-aws_ResourceTag___TagKey_)   [#awsmarketplacecatalog-catalog_ChangeType](#awsmarketplacecatalog-catalog_ChangeType)   | 
|   [https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/API_StartChangeSet.html#API_StartChangeSet_ResponseSyntax](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/API_StartChangeSet.html#API_StartChangeSet_ResponseSyntax)  |  arn:\$1\$1Partition\$1:aws-marketplace:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1Catalog\$1/ChangeSet/\$1\$1ResourceId\$1  |   [#awsmarketplacecatalog-aws_ResourceTag___TagKey_](#awsmarketplacecatalog-aws_ResourceTag___TagKey_)   [#awsmarketplacecatalog-catalog_ChangeType](#awsmarketplacecatalog-catalog_ChangeType)   | 
|   [https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/API_DescribeAssessment.html#API_DescribeAssessment_ResponseSyntax](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/API_DescribeAssessment.html#API_DescribeAssessment_ResponseSyntax)  |  arn:\$1\$1Partition\$1:aws-marketplace:\$1\$1Region\$1::\$1\$1Catalog\$1/Assessment/\$1\$1ResourceId\$1  |  | 

## Condition keys for AWS Marketplace Catalog
<a name="awsmarketplacecatalog-policy-keys"></a>

AWS Marketplace Catalog defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/api-access-control.html](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/api-access-control.html)  | Filters access by the Intent parameter in the StartChangeSet request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/api-access-control.html](https://docs.aws.amazon.com/marketplace-catalog/latest/api-reference/api-access-control.html)  | Filters access by the change type in the StartChangeSet request | String | 

# Actions, resources, and condition keys for AWS Marketplace Commerce Analytics Service
<a name="list_awsmarketplacecommerceanalyticsservice"></a>

AWS Marketplace Commerce Analytics Service (service prefix: `marketplacecommerceanalytics`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://s3.amazonaws.com/awsmp-loadforms/AWS-Marketplace-Commerce-Analytics-Service-Onboarding-and-Technical-Guide.pdf).

**Topics**
+ [

## Actions defined by AWS Marketplace Commerce Analytics Service
](#awsmarketplacecommerceanalyticsservice-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Commerce Analytics Service
](#awsmarketplacecommerceanalyticsservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Commerce Analytics Service
](#awsmarketplacecommerceanalyticsservice-policy-keys)

## Actions defined by AWS Marketplace Commerce Analytics Service
<a name="awsmarketplacecommerceanalyticsservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplacecommerceanalyticsservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   GenerateDataSet  | Request a data set to be published to your Amazon S3 bucket. | Write |  |  |  | 
|   StartSupportDataExport  | Request a support data set to be published to your Amazon S3 bucket. | Write |  |  |  | 

## Resource types defined by AWS Marketplace Commerce Analytics Service
<a name="awsmarketplacecommerceanalyticsservice-resources-for-iam-policies"></a>

AWS Marketplace Commerce Analytics Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Marketplace Commerce Analytics Service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Marketplace Commerce Analytics Service
<a name="awsmarketplacecommerceanalyticsservice-policy-keys"></a>

CAS has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Marketplace Deployment Service
<a name="list_awsmarketplacedeploymentservice"></a>

AWS Marketplace Deployment Service (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace-deployment/latest/api-reference/Welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace-deployment/latest/api-reference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Deployment Service
](#awsmarketplacedeploymentservice-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Deployment Service
](#awsmarketplacedeploymentservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Deployment Service
](#awsmarketplacedeploymentservice-policy-keys)

## Actions defined by AWS Marketplace Deployment Service
<a name="awsmarketplacedeploymentservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplacedeploymentservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacedeploymentservice.html)

## Resource types defined by AWS Marketplace Deployment Service
<a name="awsmarketplacedeploymentservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmarketplacedeploymentservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace-deployment/latest/api-reference/API_DeploymentParameterInput.html](https://docs.aws.amazon.com/marketplace-deployment/latest/api-reference/API_DeploymentParameterInput.html)  |  arn:\$1\$1Partition\$1:aws-marketplace:\$1\$1Region\$1:\$1\$1Account\$1:DeploymentParameter:catalogs/\$1\$1CatalogName\$1/products/\$1\$1ProductId\$1/\$1\$1ResourceId\$1  |   [#awsmarketplacedeploymentservice-aws_RequestTag___TagKey_](#awsmarketplacedeploymentservice-aws_RequestTag___TagKey_)   [#awsmarketplacedeploymentservice-aws_ResourceTag___TagKey_](#awsmarketplacedeploymentservice-aws_ResourceTag___TagKey_)   [#awsmarketplacedeploymentservice-aws_TagKeys](#awsmarketplacedeploymentservice-aws_TagKeys)   | 

## Condition keys for AWS Marketplace Deployment Service
<a name="awsmarketplacedeploymentservice-policy-keys"></a>

AWS Marketplace Deployment Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Marketplace Discovery
<a name="list_awsmarketplacediscovery"></a>

AWS Marketplace Discovery (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-getting-started.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-apis.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Discovery
](#awsmarketplacediscovery-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Discovery
](#awsmarketplacediscovery-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Discovery
](#awsmarketplacediscovery-policy-keys)

## Actions defined by AWS Marketplace Discovery
<a name="awsmarketplacediscovery-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplacediscovery-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  | Grants permission to retrieve information about a listing | Read |   [#awsmarketplacediscovery-Listing](#awsmarketplacediscovery-Listing)   |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  | Grants permission to retrieve information about an offer | Read |   [#awsmarketplacediscovery-Offer](#awsmarketplacediscovery-Offer)   |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  | Grants permission to retrieve information about an offer set | Read |   [#awsmarketplacediscovery-OfferSet](#awsmarketplacediscovery-OfferSet)   |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  | Grants permission to retrieve terms for an offer | Read |   [#awsmarketplacediscovery-Offer](#awsmarketplacediscovery-Offer)   |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  | Grants permission to retrieve information about a product | Read |   [#awsmarketplacediscovery-Product](#awsmarketplacediscovery-Product)   |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  | Grants permission to list fulfillment options for a product | List |   [#awsmarketplacediscovery-Product](#awsmarketplacediscovery-Product)   |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-offers-page.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-offers-page.html)  | Grants permission to users to list their private offers | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  | Grants permission to list purchase options available to the buyer | List |   [#awsmarketplacediscovery-PurchaseOption](#awsmarketplacediscovery-PurchaseOption)   |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  | Grants permission to retrieve facet values for filtering listings | List |   [#awsmarketplacediscovery-Listing](#awsmarketplacediscovery-Listing)   |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  | Grants permission to search for product listings | List |   [#awsmarketplacediscovery-Listing](#awsmarketplacediscovery-Listing)   |  |  | 

## Resource types defined by AWS Marketplace Discovery
<a name="awsmarketplacediscovery-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmarketplacediscovery-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  |  arn:\$1\$1Partition\$1:aws-marketplace:::catalog/\$1\$1CatalogName\$1/product/\$1\$1ProductId\$1  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  |  arn:\$1\$1Partition\$1:aws-marketplace:::catalog/\$1\$1CatalogName\$1/listing/\$1\$1ListingId\$1  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  |  arn:\$1\$1Partition\$1:aws-marketplace:::catalog/\$1\$1CatalogName\$1/offer/\$1\$1OfferId\$1  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  |  arn:\$1\$1Partition\$1:aws-marketplace:::catalog/\$1\$1CatalogName\$1/offerSet/\$1\$1OfferSetId\$1  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/discovery-api-access-control.html)  |  arn:\$1\$1Partition\$1:aws-marketplace:::catalog/\$1\$1CatalogName\$1/purchaseOption/\$1\$1PurchaseOptionId\$1  |  | 

## Condition keys for AWS Marketplace Discovery
<a name="awsmarketplacediscovery-policy-keys"></a>

Marketplace Discovery has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Marketplace Entitlement Service
<a name="list_awsmarketplaceentitlementservice"></a>

AWS Marketplace Entitlement Service (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Entitlement Service
](#awsmarketplaceentitlementservice-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Entitlement Service
](#awsmarketplaceentitlementservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Entitlement Service
](#awsmarketplaceentitlementservice-policy-keys)

## Actions defined by AWS Marketplace Entitlement Service
<a name="awsmarketplaceentitlementservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplaceentitlementservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-entitlements_GetEntitlements.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-entitlements_GetEntitlements.html)  | Grants permission to retrieve entitlement values for a given product. The results can be filtered based on customer identifier or product dimensions | Read |  |  |  | 

## Resource types defined by AWS Marketplace Entitlement Service
<a name="awsmarketplaceentitlementservice-resources-for-iam-policies"></a>

AWS Marketplace Entitlement Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Marketplace Entitlement Service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Marketplace Entitlement Service
<a name="awsmarketplaceentitlementservice-policy-keys"></a>

Marketplace Entitlement has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Marketplace Image Building Service
<a name="list_awsmarketplaceimagebuildingservice"></a>

AWS Marketplace Image Building Service (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-private-image-build.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-private-image-build.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/latest/buyerguide/completing-prerequisite-steps.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Image Building Service
](#awsmarketplaceimagebuildingservice-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Image Building Service
](#awsmarketplaceimagebuildingservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Image Building Service
](#awsmarketplaceimagebuildingservice-policy-keys)

## Actions defined by AWS Marketplace Image Building Service
<a name="awsmarketplaceimagebuildingservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplaceimagebuildingservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/api-reference.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/api-reference.html) [permission only] | Describes Image Builds identified by a build Id | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/api-reference.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/api-reference.html) [permission only] | Lists Image Builds. | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/api-reference.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/api-reference.html) [permission only] | Starts an Image Build | Write |  |  |  | 

## Resource types defined by AWS Marketplace Image Building Service
<a name="awsmarketplaceimagebuildingservice-resources-for-iam-policies"></a>

AWS Marketplace Image Building Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Marketplace Image Building Service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Marketplace Image Building Service
<a name="awsmarketplaceimagebuildingservice-policy-keys"></a>

Marketplace Image Build has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Marketplace Management Portal
<a name="list_awsmarketplacemanagementportal"></a>

AWS Marketplace Management Portal (service prefix: `aws-marketplace-management`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/latest/userguide/marketplace-management-portal-user-access.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/latest/userguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/latest/userguide/marketplace-management-portal-user-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Management Portal
](#awsmarketplacemanagementportal-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Management Portal
](#awsmarketplacemanagementportal-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Management Portal
](#awsmarketplacemanagementportal-policy-keys)

## Actions defined by AWS Marketplace Management Portal
<a name="awsmarketplacemanagementportal-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplacemanagementportal-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Grants permission to view additional seller notification recipients | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Grants permission to view bank account verification status | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Grants permission to view secondary user account verification status | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Grants permission to view account verification status | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Grants permission to update additional seller notification recipients | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Grants permission to update bank account verification status | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Grants permission to update secondary user account verification status | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Grants permission to update account verification status | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Allows access to the File Upload page inside the AWS Marketplace Management Portal | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Allows access to the Marketing page inside the AWS Marketplace Management Portal | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Allows access to the Reports page inside the AWS Marketplace Management Portal | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Allows access to the Settings page inside the AWS Marketplace Management Portal | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html#seller-ammp-permissions) [permission only] | Allows access to the Customer Support Eligibility page inside the AWS Marketplace Management Portal | List |  |  |  | 

## Resource types defined by AWS Marketplace Management Portal
<a name="awsmarketplacemanagementportal-resources-for-iam-policies"></a>

AWS Marketplace Management Portal does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Marketplace Management Portal, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Marketplace Management Portal
<a name="awsmarketplacemanagementportal-policy-keys"></a>

Marketplace Portal has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Marketplace Metering Service
<a name="list_awsmarketplacemeteringservice"></a>

AWS Marketplace Metering Service (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/latest/APIReference/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/latest/userguide/iam-user-policy-for-aws-marketplace-actions.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Metering Service
](#awsmarketplacemeteringservice-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Metering Service
](#awsmarketplacemeteringservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Metering Service
](#awsmarketplacemeteringservice-policy-keys)

## Actions defined by AWS Marketplace Metering Service
<a name="awsmarketplacemeteringservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplacemeteringservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-metering_BatchMeterUsage.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-metering_BatchMeterUsage.html)  | Grants permission to post metering records for a set of customers for SaaS applications | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-metering_MeterUsage.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-metering_MeterUsage.html)  | Grants permission to emit metering records | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-metering_RegisterUsage.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-metering_RegisterUsage.html)  | Grants permission to to verify that the customer running your paid software is subscribed to your product on AWS Marketplace, enabling you to guard against unauthorized use. Meters software use per ECS task, per hour, with usage prorated to the second | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-metering_ResolveCustomer.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-metering_ResolveCustomer.html)  | Grants permission to resolve a registration token to obtain a CustomerIdentifier and product code | Write |  |  |  | 

## Resource types defined by AWS Marketplace Metering Service
<a name="awsmarketplacemeteringservice-resources-for-iam-policies"></a>

AWS Marketplace Metering Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Marketplace Metering Service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Marketplace Metering Service
<a name="awsmarketplacemeteringservice-policy-keys"></a>

Marketplace Metering has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Marketplace Private Marketplace
<a name="list_awsmarketplaceprivatemarketplace"></a>

AWS Marketplace Private Marketplace (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/latest/buyerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/latest/buyerguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Private Marketplace
](#awsmarketplaceprivatemarketplace-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Private Marketplace
](#awsmarketplaceprivatemarketplace-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Private Marketplace
](#awsmarketplaceprivatemarketplace-policy-keys)

## Actions defined by AWS Marketplace Private Marketplace
<a name="awsmarketplaceprivatemarketplace-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplaceprivatemarketplace-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html) [permission only] | Grants permission to approve a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html) [permission only] | Grants permission to create a new request for a product or products to be associated with the Private Marketplace. This action can be performed by any account in an in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html) [permission only] | Grants permission to describe requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it | List |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html) [permission only] | Grants permission to decline a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-marketplace.html) [permission only] | Grants permission to get a queryable list for requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it | List |  |  |  | 

## Resource types defined by AWS Marketplace Private Marketplace
<a name="awsmarketplaceprivatemarketplace-resources-for-iam-policies"></a>

AWS Marketplace Private Marketplace does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Marketplace Private Marketplace, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Marketplace Private Marketplace
<a name="awsmarketplaceprivatemarketplace-policy-keys"></a>

Private Marketplace has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Marketplace Procurement Systems Integration
<a name="list_awsmarketplaceprocurementsystemsintegration"></a>

AWS Marketplace Procurement Systems Integration (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/latest/buyerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/latest/buyerguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/latest/buyerguide/procurement-systems-integration.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Procurement Systems Integration
](#awsmarketplaceprocurementsystemsintegration-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Procurement Systems Integration
](#awsmarketplaceprocurementsystemsintegration-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Procurement Systems Integration
](#awsmarketplaceprocurementsystemsintegration-policy-keys)

## Actions defined by AWS Marketplace Procurement Systems Integration
<a name="awsmarketplaceprocurementsystemsintegration-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplaceprocurementsystemsintegration-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/procurement-systems-integration.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/procurement-systems-integration.html) [permission only] | Grants permission to describe the Procurement System integration configuration (e.g. Coupa) for the individual account, or for the entire AWS Organization if one exists. This action can only be performed by the master account if using an AWS Organization | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/buyerguide/procurement-systems-integration.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/procurement-systems-integration.html) [permission only] | Grants permission to create or update the Procurement System integration configuration (e.g. Coupa) for the individual account, or for the entire AWS Organization if one exists. This action can only be performed by the master account if using an AWS Organization | Write |  |  |  | 

## Resource types defined by AWS Marketplace Procurement Systems Integration
<a name="awsmarketplaceprocurementsystemsintegration-resources-for-iam-policies"></a>

AWS Marketplace Procurement Systems Integration does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Marketplace Procurement Systems Integration, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Marketplace Procurement Systems Integration
<a name="awsmarketplaceprocurementsystemsintegration-policy-keys"></a>

Marketplace Procurement Integration has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Marketplace Reporting
<a name="list_awsmarketplacereporting"></a>

AWS Marketplace Reporting (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/latest/buyerguide/procurement-insights.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/latest/APIReference/reporting-apis.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/latest/APIReference/permissions.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Reporting
](#awsmarketplacereporting-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Reporting
](#awsmarketplacereporting-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Reporting
](#awsmarketplacereporting-policy-keys)

## Actions defined by AWS Marketplace Reporting
<a name="awsmarketplacereporting-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplacereporting-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-reporting_GetBuyerDashboard.html](https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-reporting_GetBuyerDashboard.html)  | Grants permission to view a dashboard that shows a buyer's AWS Marketplace purchase data | Read |   [#awsmarketplacereporting-Dashboard](#awsmarketplacereporting-Dashboard)   |  |  | 

## Resource types defined by AWS Marketplace Reporting
<a name="awsmarketplacereporting-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmarketplacereporting-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-reporting_GetBuyerDashboard.html#API_marketplace-reporting_GetBuyerDashboard_RequestBody](https://docs.aws.amazon.com/marketplace/latest/APIReference/API_marketplace-reporting_GetBuyerDashboard.html#API_marketplace-reporting_GetBuyerDashboard_RequestBody)  |  arn:\$1\$1Partition\$1:aws-marketplace::\$1\$1Account\$1:\$1\$1Catalog\$1/ReportingData/\$1\$1FactTable\$1/Dashboard/\$1\$1DashboardName\$1  |  | 

## Condition keys for AWS Marketplace Reporting
<a name="awsmarketplacereporting-policy-keys"></a>

Marketplace Reporting has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Marketplace Seller Reporting
<a name="list_awsmarketplacesellerreporting"></a>

AWS Marketplace Seller Reporting (service prefix: `aws-marketplace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/latest/userguide/reports-and-data-feed.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/latest/userguide/reports-and-data-feed.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/latest/userguide/reports-and-data-feed.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Seller Reporting
](#awsmarketplacesellerreporting-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Seller Reporting
](#awsmarketplacesellerreporting-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Seller Reporting
](#awsmarketplacesellerreporting-policy-keys)

## Actions defined by AWS Marketplace Seller Reporting
<a name="awsmarketplacesellerreporting-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplacesellerreporting-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/dashboards.html#reports-accessing](https://docs.aws.amazon.com/marketplace/latest/userguide/dashboards.html#reports-accessing)  | Grants permission to view a seller dashboard | Read |   [#awsmarketplacesellerreporting-SellerDashboard](#awsmarketplacesellerreporting-SellerDashboard)   |  |  | 

## Resource types defined by AWS Marketplace Seller Reporting
<a name="awsmarketplacesellerreporting-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmarketplacesellerreporting-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/dashboards.html#reports-accessing](https://docs.aws.amazon.com/marketplace/latest/userguide/dashboards.html#reports-accessing)  |  arn:\$1\$1Partition\$1:aws-marketplace::\$1\$1Account\$1:\$1\$1Catalog\$1/ReportingData/\$1\$1FactTable\$1/Dashboard/\$1\$1DashboardName\$1  |  | 

## Condition keys for AWS Marketplace Seller Reporting
<a name="awsmarketplacesellerreporting-policy-keys"></a>

Marketplace Seller Reporting has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Marketplace Vendor Insights
<a name="list_awsmarketplacevendorinsights"></a>

AWS Marketplace Vendor Insights (service prefix: `vendor-insights`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/marketplace/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/marketplace/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/marketplace/) permission policies.

**Topics**
+ [

## Actions defined by AWS Marketplace Vendor Insights
](#awsmarketplacevendorinsights-actions-as-permissions)
+ [

## Resource types defined by AWS Marketplace Vendor Insights
](#awsmarketplacevendorinsights-resources-for-iam-policies)
+ [

## Condition keys for AWS Marketplace Vendor Insights
](#awsmarketplacevendorinsights-policy-keys)

## Actions defined by AWS Marketplace Vendor Insights
<a name="awsmarketplacevendorinsights-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmarketplacevendorinsights-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacevendorinsights.html)

## Resource types defined by AWS Marketplace Vendor Insights
<a name="awsmarketplacevendorinsights-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmarketplacevendorinsights-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacevendorinsights.html#awsmarketplacevendorinsights-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacevendorinsights.html#awsmarketplacevendorinsights-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:vendor-insights:::data-source:\$1\$1ResourceId\$1  |   [#awsmarketplacevendorinsights-aws_RequestTag___TagKey_](#awsmarketplacevendorinsights-aws_RequestTag___TagKey_)   [#awsmarketplacevendorinsights-aws_ResourceTag___TagKey_](#awsmarketplacevendorinsights-aws_ResourceTag___TagKey_)   [#awsmarketplacevendorinsights-aws_TagKeys](#awsmarketplacevendorinsights-aws_TagKeys)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacevendorinsights.html#awsmarketplacevendorinsights-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacevendorinsights.html#awsmarketplacevendorinsights-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:vendor-insights:::security-profile:\$1\$1ResourceId\$1  |   [#awsmarketplacevendorinsights-aws_RequestTag___TagKey_](#awsmarketplacevendorinsights-aws_RequestTag___TagKey_)   [#awsmarketplacevendorinsights-aws_ResourceTag___TagKey_](#awsmarketplacevendorinsights-aws_ResourceTag___TagKey_)   [#awsmarketplacevendorinsights-aws_TagKeys](#awsmarketplacevendorinsights-aws_TagKeys)   | 

## Condition keys for AWS Marketplace Vendor Insights
<a name="awsmarketplacevendorinsights-policy-keys"></a>

AWS Marketplace Vendor Insights defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS MCP Server
<a name="list_awsmcpserver"></a>

AWS MCP Server (service prefix: `aws-mcp`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/aws-mcp/latest/userguide/what-is-mcp-server.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-mcp/latest/userguide/understanding-mcp-server-tools.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/aws-mcp/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS MCP Server
](#awsmcpserver-actions-as-permissions)
+ [

## Resource types defined by AWS MCP Server
](#awsmcpserver-resources-for-iam-policies)
+ [

## Condition keys for AWS MCP Server
](#awsmcpserver-policy-keys)

## Actions defined by AWS MCP Server
<a name="awsmcpserver-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmcpserver-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-mcp/latest/userguide/security-iam.html](https://docs.aws.amazon.com/aws-mcp/latest/userguide/security-iam.html)  | Grants permission to call read-only tools in MCP service | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-mcp/latest/userguide/security-iam.html](https://docs.aws.amazon.com/aws-mcp/latest/userguide/security-iam.html)  | Grants permission to call AWS Read and Write apis in MCP Service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/aws-mcp/latest/userguide/security-iam.html](https://docs.aws.amazon.com/aws-mcp/latest/userguide/security-iam.html)  | Grants permission to use MCP service | List |  |  |  | 

## Resource types defined by AWS MCP Server
<a name="awsmcpserver-resources-for-iam-policies"></a>

AWS MCP Server does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS MCP Server, specify `"Resource": "*"` in your policy.

## Condition keys for AWS MCP Server
<a name="awsmcpserver-policy-keys"></a>

AWS MCP has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Mechanical Turk
<a name="list_amazonmechanicalturk"></a>

Amazon Mechanical Turk (service prefix: `mechanicalturk`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMechanicalTurkRequester/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMechanicalTurkRequester/SetUp.html#create-iam-user-or-role) permission policies.

**Topics**
+ [

## Actions defined by Amazon Mechanical Turk
](#amazonmechanicalturk-actions-as-permissions)
+ [

## Resource types defined by Amazon Mechanical Turk
](#amazonmechanicalturk-resources-for-iam-policies)
+ [

## Condition keys for Amazon Mechanical Turk
](#amazonmechanicalturk-policy-keys)

## Actions defined by Amazon Mechanical Turk
<a name="amazonmechanicalturk-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmechanicalturk-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_AcceptQualificationRequestOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_AcceptQualificationRequestOperation.html)  | The AcceptQualificationRequest operation grants a Worker's request for a Qualification | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ApproveAssignmentOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ApproveAssignmentOperation.html)  | The ApproveAssignment operation approves the results of a completed assignment | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_AssociateQualificationWithWorkerOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_AssociateQualificationWithWorkerOperation.html)  | The AssociateQualificationWithWorker operation gives a Worker a Qualification | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateAdditionalAssignmentsForHITOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateAdditionalAssignmentsForHITOperation.html)  | The CreateAdditionalAssignmentsForHIT operation increases the maximum number of assignments of an existing HIT | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateHITOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateHITOperation.html)  | The CreateHIT operation creates a new HIT (Human Intelligence Task) | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateHITTypeOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateHITTypeOperation.html)  | The CreateHITType operation creates a new HIT type | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateHITWithHITTypeOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateHITWithHITTypeOperation.html)  | The CreateHITWithHITType operation creates a new Human Intelligence Task (HIT) using an existing HITTypeID generated by the CreateHITType operation | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateQualificationTypeOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateQualificationTypeOperation.html)  | The CreateQualificationType operation creates a new Qualification type, which is represented by a QualificationType data structure | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateWorkerBlockOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_CreateWorkerBlockOperation.html)  | The CreateWorkerBlock operation allows you to prevent a Worker from working on your HITs | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_DeleteHITOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_DeleteHITOperation.html)  | The DeleteHIT operation disposes of a HIT that is no longer needed | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_DeleteQualificationTypeOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_DeleteQualificationTypeOperation.html)  | The DeleteQualificationType disposes a Qualification type and disposes any HIT types that are associated with the Qualification type | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_DeleteWorkerBlockOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_DeleteWorkerBlockOperation.html)  | The DeleteWorkerBlock operation allows you to reinstate a blocked Worker to work on your HITs | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_DisassociateQualificationFromWorkerOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_DisassociateQualificationFromWorkerOperation.html)  | The DisassociateQualificationFromWorker revokes a previously granted Qualification from a user | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetAccountBalanceOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetAccountBalanceOperation.html)  | The GetAccountBalance operation retrieves the amount of money in your Amazon Mechanical Turk account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetAssignmentOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetAssignmentOperation.html)  | The GetAssignment retrieves an assignment with an AssignmentStatus value of Submitted, Approved, or Rejected, using the assignment's ID | Read |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetFileUploadURLOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetFileUploadURLOperation.html)  | The GetFileUploadURL operation generates and returns a temporary URL | Read |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetHITOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetHITOperation.html)  | The GetHIT operation retrieves the details of the specified HIT | Read |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetQualificationScoreOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetQualificationScoreOperation.html)  | The GetQualificationScore operation returns the value of a Worker's Qualification for a given Qualification type | Read |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetQualificationTypeOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_GetQualificationTypeOperation.html)  | The GetQualificationType operation retrieves information about a Qualification type using its ID | Read |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListAssignmentsForHITOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListAssignmentsForHITOperation.html)  | The ListAssignmentsForHIT operation retrieves completed assignments for a HIT | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListBonusPaymentsOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListBonusPaymentsOperation.html)  | The ListBonusPayments operation retrieves the amounts of bonuses you have paid to Workers for a given HIT or assignment | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListHITsOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListHITsOperation.html)  | The ListHITs operation returns all of a Requester's HITs | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListHITsForQualificationTypeOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListHITsForQualificationTypeOperation.html)  | The ListHITsForQualificationType operation returns the HITs that use the given QualififcationType for a QualificationRequirement | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListQualificationRequestsOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListQualificationRequestsOperation.html)  | The ListQualificationRequests operation retrieves requests for Qualifications of a particular Qualification type | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListQualificationTypesOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListQualificationTypesOperation.html)  | The ListQualificationTypes operation searches for Qualification types using the specified search query, and returns a list of Qualification types | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListReviewPolicyResultsForHITOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListReviewPolicyResultsForHITOperation.html)  | The ListReviewPolicyResultsForHIT operation retrieves the computed results and the actions taken in the course of executing your Review Policies during a CreateHIT operation | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListReviewableHITsOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListReviewableHITsOperation.html)  | The ListReviewableHITs operation returns all of a Requester's HITs that have not been approved or rejected | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListWorkerBlocksOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListWorkerBlocksOperation.html)  | The ListWorkersBlocks operation retrieves a list of Workers who are blocked from working on your HITs | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListWorkersWithQualificationTypeOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_ListWorkersWithQualificationTypeOperation.html)  | The ListWorkersWithQualificationType operation returns all of the Workers with a given Qualification type | List |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_NotifyWorkersOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_NotifyWorkersOperation.html)  | The NotifyWorkers operation sends an email to one or more Workers that you specify with the Worker ID | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_RejectAssignmentOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_RejectAssignmentOperation.html)  | The RejectAssignment operation rejects the results of a completed assignment | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_RejectQualificationRequestOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_RejectQualificationRequestOperation.html)  | The RejectQualificationRequest operation rejects a user's request for a Qualification | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_SendBonusOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_SendBonusOperation.html)  | The SendBonus operation issues a payment of money from your account to a Worker | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_SendTestEventNotificationOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_SendTestEventNotificationOperation.html)  | The SendTestEventNotification operation causes Amazon Mechanical Turk to send a notification message as if a HIT event occurred, according to the provided notification specification | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_UpdateExpirationForHITOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_UpdateExpirationForHITOperation.html)  | The UpdateExpirationForHIT operation allows you extend the expiration time of a HIT beyond is current expiration or expire a HIT immediately | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_UpdateHITReviewStatusOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_UpdateHITReviewStatusOperation.html)  | The UpdateHITReviewStatus operation toggles the status of a HIT | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_UpdateHITTypeOfHITOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_UpdateHITTypeOfHITOperation.html)  | The UpdateHITTypeOfHIT operation allows you to change the HITType properties of a HIT | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_UpdateNotificationSettingsOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_UpdateNotificationSettingsOperation.html)  | The UpdateNotificationSettings operation creates, updates, disables or re-enables notifications for a HIT type | Write |  |  |  | 
|   [https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_UpdateQualificationTypeOperation.html](https://docs.aws.amazon.com/AWSMechTurk/latest/AWSMturkAPI/ApiReference_UpdateQualificationTypeOperation.html)  | The UpdateQualificationType operation modifies the attributes of an existing Qualification type, which is represented by a QualificationType data structure | Write |  |  |  | 

## Resource types defined by Amazon Mechanical Turk
<a name="amazonmechanicalturk-resources-for-iam-policies"></a>

Amazon Mechanical Turk does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Mechanical Turk, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Mechanical Turk
<a name="amazonmechanicalturk-policy-keys"></a>

MechanicalTurk has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon MemoryDB
<a name="list_amazonmemorydb"></a>

Amazon MemoryDB (service prefix: `memorydb`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/memorydb/index.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/memorydb/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/memorydb/latest/devguide/iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon MemoryDB
](#amazonmemorydb-actions-as-permissions)
+ [

## Resource types defined by Amazon MemoryDB
](#amazonmemorydb-resources-for-iam-policies)
+ [

## Condition keys for Amazon MemoryDB
](#amazonmemorydb-policy-keys)

## Actions defined by Amazon MemoryDB
<a name="amazonmemorydb-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmemorydb-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).

**Note**  
When you create a MemoryDB for Redis policy in IAM you must use the "\$1" wildcard character for the Resource block. For information about using the following MemoryDB for Redis API actions in an IAM policy, see [MemoryDB Actions and IAM](https://docs.aws.amazon.com/memorydb/latest/devguide/iam.APIRefrence.html).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmemorydb.html)

## Resource types defined by Amazon MemoryDB
<a name="amazonmemorydb-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmemorydb-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).

**Note**  
The resource name in the ARN string should be lowercase to be effective.


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html](https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html)  |  arn:\$1\$1Partition\$1:memorydb::\$1\$1Account\$1:multiregionparametergroup/\$1\$1MultiRegionParameterGroupName\$1  |  | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html](https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html)  |  arn:\$1\$1Partition\$1:memorydb:\$1\$1Region\$1:\$1\$1Account\$1:parametergroup/\$1\$1ParameterGroupName\$1  |   [#amazonmemorydb-aws_ResourceTag___TagKey_](#amazonmemorydb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html](https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html)  |  arn:\$1\$1Partition\$1:memorydb:\$1\$1Region\$1:\$1\$1Account\$1:subnetgroup/\$1\$1SubnetGroupName\$1  |   [#amazonmemorydb-aws_ResourceTag___TagKey_](#amazonmemorydb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html](https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html)  |  arn:\$1\$1Partition\$1:memorydb::\$1\$1Account\$1:multiregioncluster/\$1\$1ClusterName\$1  |   [#amazonmemorydb-aws_ResourceTag___TagKey_](#amazonmemorydb-aws_ResourceTag___TagKey_)   [#amazonmemorydb-memorydb_TLSEnabled](#amazonmemorydb-memorydb_TLSEnabled)   | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html](https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html)  |  arn:\$1\$1Partition\$1:memorydb:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ClusterName\$1  |   [#amazonmemorydb-aws_ResourceTag___TagKey_](#amazonmemorydb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html](https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html)  |  arn:\$1\$1Partition\$1:memorydb:\$1\$1Region\$1:\$1\$1Account\$1:snapshot/\$1\$1SnapshotName\$1  |   [#amazonmemorydb-aws_ResourceTag___TagKey_](#amazonmemorydb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html](https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html)  |  arn:\$1\$1Partition\$1:memorydb:\$1\$1Region\$1:\$1\$1Account\$1:user/\$1\$1UserName\$1  |   [#amazonmemorydb-aws_ResourceTag___TagKey_](#amazonmemorydb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html](https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html)  |  arn:\$1\$1Partition\$1:memorydb:\$1\$1Region\$1:\$1\$1Account\$1:acl/\$1\$1AclName\$1  |   [#amazonmemorydb-aws_ResourceTag___TagKey_](#amazonmemorydb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html](https://docs.aws.amazon.com/memorydb/latest/devguide/WhatIs.Components.html)  |  arn:\$1\$1Partition\$1:memorydb:\$1\$1Region\$1:\$1\$1Account\$1:reservednode/\$1\$1ReservationID\$1  |   [#amazonmemorydb-aws_ResourceTag___TagKey_](#amazonmemorydb-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon MemoryDB
<a name="amazonmemorydb-policy-keys"></a>

Amazon MemoryDB defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/memorydb/latest/devguide/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the TLSEnabled parameter present in the request or defaults to true value if parameter is not present | Bool | 
|   [https://docs.aws.amazon.com/memorydb/latest/devguide/IAM.ConditionKeys.html#IAM.SpecifyingConditions](https://docs.aws.amazon.com/memorydb/latest/devguide/IAM.ConditionKeys.html#IAM.SpecifyingConditions)  | Filters access by the UserAuthenticationMode.Type parameter in the request | String | 

# Actions, resources, and condition keys for Amazon Message Delivery Service
<a name="list_amazonmessagedeliveryservice"></a>

Amazon Message Delivery Service (service prefix: `ec2messages`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/systems-manager/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Message Delivery Service
](#amazonmessagedeliveryservice-actions-as-permissions)
+ [

## Resource types defined by Amazon Message Delivery Service
](#amazonmessagedeliveryservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon Message Delivery Service
](#amazonmessagedeliveryservice-policy-keys)

## Actions defined by Amazon Message Delivery Service
<a name="amazonmessagedeliveryservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmessagedeliveryservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html)  | Grants permission to acknowledge a message, ensuring it will not be delivered again | Write |  |  |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html)  | Grants permission to delete a message | Write |  |  |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html)  | Grants permission to fail a message, signifying the message could not be processed successfully, ensuring it cannot be replied to or delivered again | Write |  |  |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html)  | Grants permission to route traffic to the correct endpoint based on the given destination for the messages | Read |  |  |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html)  | Grants permission to deliver messages to clients/instances using long polling | Read |  |   [#amazonmessagedeliveryservice-ssm_SourceInstanceARN](#amazonmessagedeliveryservice-ssm_SourceInstanceARN)   [#amazonmessagedeliveryservice-ec2_SourceInstanceARN](#amazonmessagedeliveryservice-ec2_SourceInstanceARN)   |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html)  | Grants permission to send replies from clients/instances to upstream service | Write |  |   [#amazonmessagedeliveryservice-ssm_SourceInstanceARN](#amazonmessagedeliveryservice-ssm_SourceInstanceARN)   [#amazonmessagedeliveryservice-ec2_SourceInstanceARN](#amazonmessagedeliveryservice-ec2_SourceInstanceARN)   |  | 

## Resource types defined by Amazon Message Delivery Service
<a name="amazonmessagedeliveryservice-resources-for-iam-policies"></a>

Amazon Message Delivery Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Message Delivery Service, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Message Delivery Service
<a name="amazonmessagedeliveryservice-policy-keys"></a>

Amazon Message Delivery Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#amazon-ec2-keys](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#amazon-ec2-keys)  | Filters access by the ARN of the instance from which the request originated | ARN | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-policy-keys)  | Filters access by verifying the Amazon Resource Name (ARN) of the AWS Systems Manager's managed instance from which the request is made. This key is not present when the request comes from the managed instance authenticated with an IAM role associated with EC2 instance profile | ARN | 

# Actions, resources, and condition keys for Amazon Message Gateway Service
<a name="list_amazonmessagegatewayservice"></a>

Amazon Message Gateway Service (service prefix: `ssmmessages`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Message Gateway Service
](#amazonmessagegatewayservice-actions-as-permissions)
+ [

## Resource types defined by Amazon Message Gateway Service
](#amazonmessagegatewayservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon Message Gateway Service
](#amazonmessagegatewayservice-policy-keys)

## Actions defined by Amazon Message Gateway Service
<a name="amazonmessagegatewayservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmessagegatewayservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html)  | Grants permission to register a control channel for an instance to send control messages to Systems Manager service | Write |  |   [#amazonmessagegatewayservice-ssm_SourceInstanceARN](#amazonmessagegatewayservice-ssm_SourceInstanceARN)   [#amazonmessagegatewayservice-ec2_SourceInstanceARN](#amazonmessagegatewayservice-ec2_SourceInstanceARN)   |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html)  | Grants permission to register a data channel for an instance to send data messages to Systems Manager service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html)  | Grants permission to open a websocket connection for a registered control channel stream from an instance to Systems Manager service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html)  | Grants permission to open a websocket connection for a registered data channel stream from an instance to Systems Manager service | Write |  |  |  | 

## Resource types defined by Amazon Message Gateway Service
<a name="amazonmessagegatewayservice-resources-for-iam-policies"></a>

Amazon Message Gateway Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Message Gateway Service, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Message Gateway Service
<a name="amazonmessagegatewayservice-policy-keys"></a>

Amazon Message Gateway Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#amazon-ec2-keys](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#amazon-ec2-keys)  | Filters access by the ARN of the instance from which the request originated | ARN | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#policy-conditions](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#policy-conditions)  | Filters access by verifying the Amazon Resource Name (ARN) of the AWS Systems Manager's managed instance from which the request is made. This key is not present when the request comes from the managed instance authenticated with an IAM role associated with EC2 instance profile | ARN | 

# Actions, resources, and condition keys for AWS Microservice Extractor for .NET
<a name="list_awsmicroserviceextractorfor.net"></a>

AWS Microservice Extractor for .NET (service prefix: `serviceextract`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Microservice Extractor for .NET
](#awsmicroserviceextractorfor.net-actions-as-permissions)
+ [

## Resource types defined by AWS Microservice Extractor for .NET
](#awsmicroserviceextractorfor.net-resources-for-iam-policies)
+ [

## Condition keys for AWS Microservice Extractor for .NET
](#awsmicroserviceextractorfor.net-policy-keys)

## Actions defined by AWS Microservice Extractor for .NET
<a name="awsmicroserviceextractorfor.net-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmicroserviceextractorfor.net-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html](https://docs.aws.amazon.com/microservice-extractor/latest/userguide/what-is-microservice-extractor.html) [permission only] | Grants permission to get required configuration for the AWS Microservice Extractor for .NET desktop client | Read |  |  |  | 

## Resource types defined by AWS Microservice Extractor for .NET
<a name="awsmicroserviceextractorfor.net-resources-for-iam-policies"></a>

AWS Microservice Extractor for .NET does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Microservice Extractor for .NET, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Microservice Extractor for .NET
<a name="awsmicroserviceextractorfor.net-policy-keys"></a>

Microservice Extractor for .NET has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Migration Acceleration Program Credits
<a name="list_awsmigrationaccelerationprogramcredits"></a>

AWS Migration Acceleration Program Credits (service prefix: `mapcredits`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Migration Acceleration Program Credits
](#awsmigrationaccelerationprogramcredits-actions-as-permissions)
+ [

## Resource types defined by AWS Migration Acceleration Program Credits
](#awsmigrationaccelerationprogramcredits-resources-for-iam-policies)
+ [

## Condition keys for AWS Migration Acceleration Program Credits
](#awsmigrationaccelerationprogramcredits-policy-keys)

## Actions defined by AWS Migration Acceleration Program Credits
<a name="awsmigrationaccelerationprogramcredits-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmigrationaccelerationprogramcredits-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html) [permission only] | Grants permission to view the user's associated Migration Acceleration Program agreements | List |   [#awsmigrationaccelerationprogramcredits-agreement](#awsmigrationaccelerationprogramcredits-agreement)   |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html) [permission only] | Grants permission to view Migration Acceleration Program agreements credits associated with the user's payer account | List |   [#awsmigrationaccelerationprogramcredits-agreement](#awsmigrationaccelerationprogramcredits-agreement)   |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html) [permission only] | Grants permission to view Migration Acceleration Program agreements eligible spend associated with the user's payer account | List |   [#awsmigrationaccelerationprogramcredits-agreement](#awsmigrationaccelerationprogramcredits-agreement)   |  |  | 

## Resource types defined by AWS Migration Acceleration Program Credits
<a name="awsmigrationaccelerationprogramcredits-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmigrationaccelerationprogramcredits-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  |  arn:\$1\$1Partition\$1:mapcredits:::\$1\$1Agreement\$1/\$1\$1AgreementId\$1  |  | 

## Condition keys for AWS Migration Acceleration Program Credits
<a name="awsmigrationaccelerationprogramcredits-policy-keys"></a>

MapCredits has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Migration Hub
<a name="list_awsmigrationhub"></a>

AWS Migration Hub (service prefix: `mgh`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/migrationhub/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/migrationhub/latest/ug/api-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/migrationhub/latest/ug/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Migration Hub
](#awsmigrationhub-actions-as-permissions)
+ [

## Resource types defined by AWS Migration Hub
](#awsmigrationhub-resources-for-iam-policies)
+ [

## Condition keys for AWS Migration Hub
](#awsmigrationhub-policy-keys)

## Actions defined by AWS Migration Hub
<a name="awsmigrationhub-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmigrationhub-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhub.html)

## Resource types defined by AWS Migration Hub
<a name="awsmigrationhub-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmigrationhub-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/migrationhub/latest/ug/API_ProgressUpdateStreamSummary.html](https://docs.aws.amazon.com/migrationhub/latest/ug/API_ProgressUpdateStreamSummary.html)  |  arn:\$1\$1Partition\$1:mgh:\$1\$1Region\$1:\$1\$1Account\$1:progressUpdateStream/\$1\$1Stream\$1  |  | 
|   [https://docs.aws.amazon.com/migrationhub/latest/ug/API_MigrationTask.html](https://docs.aws.amazon.com/migrationhub/latest/ug/API_MigrationTask.html)  |  arn:\$1\$1Partition\$1:mgh:\$1\$1Region\$1:\$1\$1Account\$1:progressUpdateStream/\$1\$1Stream\$1/migrationTask/\$1\$1Task\$1  |  | 
|   [https://docs.aws.amazon.com/migrationhub/latest/ug/API_AutomationRunResource.html](https://docs.aws.amazon.com/migrationhub/latest/ug/API_AutomationRunResource.html)  |  arn:\$1\$1Partition\$1:mgh:\$1\$1Region\$1:\$1\$1Account\$1:automation-run/\$1\$1RunID\$1  |   [#awsmigrationhub-mgh_AutomationRunResourceRunID](#awsmigrationhub-mgh_AutomationRunResourceRunID)   | 
|   [https://docs.aws.amazon.com/migrationhub/latest/ug/API_AutomationUnitResource.html](https://docs.aws.amazon.com/migrationhub/latest/ug/API_AutomationUnitResource.html)  |  arn:\$1\$1Partition\$1:mgh:\$1\$1Region\$1:\$1\$1Account\$1:automation-unit/\$1\$1AutomationUnitId\$1  |   [#awsmigrationhub-mgh_AutomationUnitResourceAutomationUnitArn](#awsmigrationhub-mgh_AutomationUnitResourceAutomationUnitArn)   | 
|   [https://docs.aws.amazon.com/migrationhub/latest/ug/API_ConnectionResource.html](https://docs.aws.amazon.com/migrationhub/latest/ug/API_ConnectionResource.html)  |  arn:\$1\$1Partition\$1:mgh:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1ConnectionArn\$1  |   [#awsmigrationhub-aws_ResourceTag___TagKey_](#awsmigrationhub-aws_ResourceTag___TagKey_)   [#awsmigrationhub-mgh_ConnectionResourceConnectionArn](#awsmigrationhub-mgh_ConnectionResourceConnectionArn)   | 

## Condition keys for AWS Migration Hub
<a name="awsmigrationhub-policy-keys"></a>

AWS Migration Hub defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/migrationhub/latest/ug/ContextKeys_AutomationRunResourceRunID.html](https://docs.aws.amazon.com/migrationhub/latest/ug/ContextKeys_AutomationRunResourceRunID.html)  | AutomationRunResource resource runID identifier | String | 
|   [https://docs.aws.amazon.com/migrationhub/latest/ug/ContextKeys_AutomationUnitResourceAutomationUnitArn.html](https://docs.aws.amazon.com/migrationhub/latest/ug/ContextKeys_AutomationUnitResourceAutomationUnitArn.html)  | AutomationUnitResource resource automationUnitArn identifier | ARN | 
|   [https://docs.aws.amazon.com/migrationhub/latest/ug/security_iam_service-with-iam-id-based-policies-conditionkeys.html#condition-connectionresourceconnectionarn](https://docs.aws.amazon.com/migrationhub/latest/ug/security_iam_service-with-iam-id-based-policies-conditionkeys.html#condition-connectionresourceconnectionarn)  | ConnectionResource resource connectionArn identifier | String | 

# Actions, resources, and condition keys for AWS Migration Hub Orchestrator
<a name="list_awsmigrationhuborchestrator"></a>

AWS Migration Hub Orchestrator (service prefix: `migrationhub-orchestrator`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/migrationhub-orchestrator/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/migrationhub-orchestrator/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/migrationhub-orchestrator/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Migration Hub Orchestrator
](#awsmigrationhuborchestrator-actions-as-permissions)
+ [

## Resource types defined by AWS Migration Hub Orchestrator
](#awsmigrationhuborchestrator-resources-for-iam-policies)
+ [

## Condition keys for AWS Migration Hub Orchestrator
](#awsmigrationhuborchestrator-policy-keys)

## Actions defined by AWS Migration Hub Orchestrator
<a name="awsmigrationhuborchestrator-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmigrationhuborchestrator-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhuborchestrator.html)

## Resource types defined by AWS Migration Hub Orchestrator
<a name="awsmigrationhuborchestrator-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmigrationhuborchestrator-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/migrationhub-orchestrator/latest/userguide/workflow.html](https://docs.aws.amazon.com/migrationhub-orchestrator/latest/userguide/workflow.html)  |  arn:\$1\$1Partition\$1:migrationhub-orchestrator:\$1\$1Region\$1:\$1\$1Account\$1:workflow/\$1\$1ResourceId\$1  |   [#awsmigrationhuborchestrator-aws_ResourceTag___TagKey_](#awsmigrationhuborchestrator-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/migrationhub-orchestrator/latest/userguide/templates.html](https://docs.aws.amazon.com/migrationhub-orchestrator/latest/userguide/templates.html)  |  arn:\$1\$1Partition\$1:migrationhub-orchestrator:\$1\$1Region\$1:\$1\$1Account\$1:template/\$1\$1ResourceId\$1  |   [#awsmigrationhuborchestrator-aws_ResourceTag___TagKey_](#awsmigrationhuborchestrator-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Migration Hub Orchestrator
<a name="awsmigrationhuborchestrator-policy-keys"></a>

AWS Migration Hub Orchestrator defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Migration Hub Refactor Spaces
<a name="list_awsmigrationhubrefactorspaces"></a>

AWS Migration Hub Refactor Spaces (service prefix: `refactor-spaces`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Migration Hub Refactor Spaces
](#awsmigrationhubrefactorspaces-actions-as-permissions)
+ [

## Resource types defined by AWS Migration Hub Refactor Spaces
](#awsmigrationhubrefactorspaces-resources-for-iam-policies)
+ [

## Condition keys for AWS Migration Hub Refactor Spaces
](#awsmigrationhubrefactorspaces-policy-keys)

## Actions defined by AWS Migration Hub Refactor Spaces
<a name="awsmigrationhubrefactorspaces-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmigrationhubrefactorspaces-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhubrefactorspaces.html)

## Resource types defined by AWS Migration Hub Refactor Spaces
<a name="awsmigrationhubrefactorspaces-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmigrationhubrefactorspaces-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources)  |  arn:\$1\$1Partition\$1:refactor-spaces:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1EnvironmentId\$1  |   [#awsmigrationhubrefactorspaces-aws_ResourceTag___TagKey_](#awsmigrationhubrefactorspaces-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources)  |  arn:\$1\$1Partition\$1:refactor-spaces:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1EnvironmentId\$1/application/\$1\$1ApplicationId\$1  |   [#awsmigrationhubrefactorspaces-aws_ResourceTag___TagKey_](#awsmigrationhubrefactorspaces-aws_ResourceTag___TagKey_)   [#awsmigrationhubrefactorspaces-refactor-spaces_ApplicationCreatedByAccount](#awsmigrationhubrefactorspaces-refactor-spaces_ApplicationCreatedByAccount)   [#awsmigrationhubrefactorspaces-refactor-spaces_CreatedByAccountIds](#awsmigrationhubrefactorspaces-refactor-spaces_CreatedByAccountIds)   | 
|   [https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources)  |  arn:\$1\$1Partition\$1:refactor-spaces:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1EnvironmentId\$1/application/\$1\$1ApplicationId\$1/service/\$1\$1ServiceId\$1  |   [#awsmigrationhubrefactorspaces-aws_ResourceTag___TagKey_](#awsmigrationhubrefactorspaces-aws_ResourceTag___TagKey_)   [#awsmigrationhubrefactorspaces-refactor-spaces_ApplicationCreatedByAccount](#awsmigrationhubrefactorspaces-refactor-spaces_ApplicationCreatedByAccount)   [#awsmigrationhubrefactorspaces-refactor-spaces_CreatedByAccountIds](#awsmigrationhubrefactorspaces-refactor-spaces_CreatedByAccountIds)   [#awsmigrationhubrefactorspaces-refactor-spaces_ServiceCreatedByAccount](#awsmigrationhubrefactorspaces-refactor-spaces_ServiceCreatedByAccount)   | 
|   [https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources)  |  arn:\$1\$1Partition\$1:refactor-spaces:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1EnvironmentId\$1/application/\$1\$1ApplicationId\$1/route/\$1\$1RouteId\$1  |   [#awsmigrationhubrefactorspaces-aws_ResourceTag___TagKey_](#awsmigrationhubrefactorspaces-aws_ResourceTag___TagKey_)   [#awsmigrationhubrefactorspaces-refactor-spaces_ApplicationCreatedByAccount](#awsmigrationhubrefactorspaces-refactor-spaces_ApplicationCreatedByAccount)   [#awsmigrationhubrefactorspaces-refactor-spaces_CreatedByAccountIds](#awsmigrationhubrefactorspaces-refactor-spaces_CreatedByAccountIds)   [#awsmigrationhubrefactorspaces-refactor-spaces_RouteCreatedByAccount](#awsmigrationhubrefactorspaces-refactor-spaces_RouteCreatedByAccount)   [#awsmigrationhubrefactorspaces-refactor-spaces_ServiceCreatedByAccount](#awsmigrationhubrefactorspaces-refactor-spaces_ServiceCreatedByAccount)   [#awsmigrationhubrefactorspaces-refactor-spaces_SourcePath](#awsmigrationhubrefactorspaces-refactor-spaces_SourcePath)   | 

## Condition keys for AWS Migration Hub Refactor Spaces
<a name="awsmigrationhubrefactorspaces-policy-keys"></a>

AWS Migration Hub Refactor Spaces defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by restricting the action to only those accounts that created the application within an environment | String | 
|   [https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the accounts that created the resource | ArrayOfString | 
|   [https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by restricting the action to only those accounts that created the route within an application | String | 
|   [https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by restricting the action to only those accounts that created the service within an application | String | 
|   [https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by the path of the route | String | 

# Actions, resources, and condition keys for AWS Migration Hub Strategy Recommendations
<a name="list_awsmigrationhubstrategyrecommendations"></a>

AWS Migration Hub Strategy Recommendations (service prefix: `migrationhub-strategy`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/migrationhub-strategy/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/migrationhub-strategy/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Migration Hub Strategy Recommendations
](#awsmigrationhubstrategyrecommendations-actions-as-permissions)
+ [

## Resource types defined by AWS Migration Hub Strategy Recommendations
](#awsmigrationhubstrategyrecommendations-resources-for-iam-policies)
+ [

## Condition keys for AWS Migration Hub Strategy Recommendations
](#awsmigrationhubstrategyrecommendations-policy-keys)

## Actions defined by AWS Migration Hub Strategy Recommendations
<a name="awsmigrationhubstrategyrecommendations-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmigrationhubstrategyrecommendations-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetAntiPattern.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetAntiPattern.html)  | Grants permission to get details of each anti pattern that collector should look at in a customer's environment | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetApplicationComponentDetails.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetApplicationComponentDetails.html)  | Grants permission to get details of an application | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetApplicationComponentStrategies.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetApplicationComponentStrategies.html)  | Grants permission to get a list of all recommended strategies and tools for an application running in a server | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetAssessment.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetAssessment.html)  | Grants permission to retrieve status of an on-going assessment | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetImportFileTask.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetImportFileTask.html)  | Grants permission to get details of a specific import task | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetLatestAssessmentId.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetLatestAssessmentId.html)  | Grants permission to retrieve the latest assessment id | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetMessage.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetMessage.html)  | Grants permission to the collector to receive information from the service | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetPortfolioPreferences.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetPortfolioPreferences.html)  | Grants permission to retrieve customer migration/Modernization preferences | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetPortfolioSummary.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetPortfolioSummary.html)  | Grants permission to retrieve overall summary (number-of servers to rehost etc as well as overall number of anti patterns) | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetRecommendationReportDetails.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetRecommendationReportDetails.html)  | Grants permission to retrieve detailed information about a recommendation report | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetServerDetails.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetServerDetails.html)  | Grants permission to get info about a specific server | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetServerStrategies.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_GetServerStrategies.html)  | Grants permission to get recommended strategies and tools for a specific server | Read |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListAnalyzableServers.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListAnalyzableServers.html)  | Grants permission to get a list of all analyzable servers in a customer's vcenter environment | List |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListAntiPatterns.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListAntiPatterns.html)  | Grants permission to get a list of all anti patterns that collector should look for in a customer's environment | List |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListApplicationComponents.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListApplicationComponents.html)  | Grants permission to get a list of all applications running on servers on customer's servers | List |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListCollectors.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListCollectors.html)  | Grants permission to get a list of all collectors installed by the customer | List |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListImportFileTask.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListImportFileTask.html)  | Grants permission to get list of all imports performed by the customer | List |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListJarArtifacts.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListJarArtifacts.html)  | Grants permission to get a list of binaries that collector should assess | List |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListServers.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_ListServers.html)  | Grants permission to get a list of all servers in a customer's environment | List |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_PutLogData.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_PutLogData.html)  | Grants permission to the collector to send logs to the service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_PutMetricData.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_PutMetricData.html)  | Grants permission to the collector to send metrics to the service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_PutPortfolioPreferences.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_PutPortfolioPreferences.html)  | Grants permission to save customer's Migration/Modernization preferences | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_RegisterCollector.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_RegisterCollector.html)  | Grants permission to register the collector to receive an ID and to start receiving messages from the service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_SendMessage.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_SendMessage.html)  | Grants permission to the collector to send information to the service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_StartAssessment.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_StartAssessment.html)  | Grants permission to start assessment in a customer's environment (collect data from all servers and provide recommendations) | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_StartImportFileTask.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_StartImportFileTask.html)  | Grants permission to start importing data from a file provided by customer | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_StartRecommendationReportGeneration.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_StartRecommendationReportGeneration.html)  | Grants permission to start generating a recommendation report | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_StopAssessment.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_StopAssessment.html)  | Grants permission to stop an on-going assessment | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_UpdateApplicationComponentConfig.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_UpdateApplicationComponentConfig.html)  | Grants permission to update details for an application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_UpdateCollectorConfiguration.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_UpdateCollectorConfiguration.html)  | Grants permission to the collector to send configuration information to the service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_UpdateServerConfig.html](https://docs.aws.amazon.com/migrationhub-strategy/latest/APIReference/API_UpdateServerConfig.html)  | Grants permission to update info on a server along with the recommended strategy | Write |  |  |  | 

## Resource types defined by AWS Migration Hub Strategy Recommendations
<a name="awsmigrationhubstrategyrecommendations-resources-for-iam-policies"></a>

AWS Migration Hub Strategy Recommendations does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Migration Hub Strategy Recommendations, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Migration Hub Strategy Recommendations
<a name="awsmigrationhubstrategyrecommendations-policy-keys"></a>

Migration Hub Strategy Recommendations has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Mobile Analytics
<a name="list_amazonmobileanalytics"></a>

Amazon Mobile Analytics (service prefix: `mobileanalytics`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mobileanalytics/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mobileanalytics/latest/ug/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mobileanalytics/latest/ug/access_permissions.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Mobile Analytics
](#amazonmobileanalytics-actions-as-permissions)
+ [

## Resource types defined by Amazon Mobile Analytics
](#amazonmobileanalytics-resources-for-iam-policies)
+ [

## Condition keys for Amazon Mobile Analytics
](#amazonmobileanalytics-policy-keys)

## Actions defined by Amazon Mobile Analytics
<a name="amazonmobileanalytics-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmobileanalytics-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   GetFinancialReports  | Grant access to financial metrics for an app | Read |  |  |  | 
|   GetReports  | Grant access to standard metrics for an app | Read |  |  |  | 
|   [https://docs.aws.amazon.com/mobileanalytics/latest/ug/PutEvents.html](https://docs.aws.amazon.com/mobileanalytics/latest/ug/PutEvents.html)  | The PutEvents operation records one or more events | Write |  |  |  | 

## Resource types defined by Amazon Mobile Analytics
<a name="amazonmobileanalytics-resources-for-iam-policies"></a>

Amazon Mobile Analytics does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Mobile Analytics, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Mobile Analytics
<a name="amazonmobileanalytics-policy-keys"></a>

Mobile Analytics has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Monitron
<a name="list_amazonmonitron"></a>

Amazon Monitron (service prefix: `monitron`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/Monitron/latest/user-guide/what-is-monitron.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/Monitron/latest/user-guide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/Monitron/latest/user-guide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Monitron
](#amazonmonitron-actions-as-permissions)
+ [

## Resource types defined by Amazon Monitron
](#amazonmonitron-resources-for-iam-policies)
+ [

## Condition keys for Amazon Monitron
](#amazonmonitron-policy-keys)

## Actions defined by Amazon Monitron
<a name="amazonmonitron-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmonitron-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmonitron.html)

## Resource types defined by Amazon Monitron
<a name="amazonmonitron-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmonitron-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/Monitron/latest/user-guide/projects-chapter.html](https://docs.aws.amazon.com/Monitron/latest/user-guide/projects-chapter.html)  |  arn:\$1\$1Partition\$1:monitron:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ResourceId\$1  |   [#amazonmonitron-aws_ResourceTag___TagKey_](#amazonmonitron-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Monitron
<a name="amazonmonitron-policy-keys"></a>

Amazon Monitron defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon MQ
<a name="list_amazonmq"></a>

Amazon MQ (service prefix: `mq`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-api-authentication-authorization.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon MQ
](#amazonmq-actions-as-permissions)
+ [

## Resource types defined by Amazon MQ
](#amazonmq-resources-for-iam-policies)
+ [

## Condition keys for Amazon MQ
](#amazonmq-policy-keys)

## Actions defined by Amazon MQ
<a name="amazonmq-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonmq-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmq.html)

## Resource types defined by Amazon MQ
<a name="amazonmq-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonmq-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-how-it-works.html](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-how-it-works.html)  |  arn:\$1\$1Partition\$1:mq:\$1\$1Region\$1:\$1\$1Account\$1:broker:\$1\$1BrokerName\$1:\$1\$1BrokerId\$1  |   [#amazonmq-aws_ResourceTag___TagKey_](#amazonmq-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-how-it-works.html](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-how-it-works.html)  |  arn:\$1\$1Partition\$1:mq:\$1\$1Region\$1:\$1\$1Account\$1:configuration:\$1\$1ConfigurationId\$1  |   [#amazonmq-aws_ResourceTag___TagKey_](#amazonmq-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon MQ
<a name="amazonmq-policy-keys"></a>

Amazon MQ defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Multi-party approval
<a name="list_multi-partyapproval"></a>

Multi-party approval (service prefix: `mpa`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mpa/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mpa/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mpa/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Multi-party approval
](#multi-partyapproval-actions-as-permissions)
+ [

## Resource types defined by Multi-party approval
](#multi-partyapproval-resources-for-iam-policies)
+ [

## Condition keys for Multi-party approval
](#multi-partyapproval-policy-keys)

## Actions defined by Multi-party approval
<a name="multi-partyapproval-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#multi-partyapproval-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_multi-partyapproval.html)

## Resource types defined by Multi-party approval
<a name="multi-partyapproval-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#multi-partyapproval-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html](https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html)  |  arn:\$1\$1Partition\$1:mpa:\$1\$1Region\$1:\$1\$1Account\$1:approval-team/\$1\$1ApprovalTeamId\$1  |   [#multi-partyapproval-aws_ResourceTag___TagKey_](#multi-partyapproval-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html](https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html)  |  arn:\$1\$1Partition\$1:mpa:\$1\$1Region\$1:\$1\$1Account\$1:identity-source/\$1\$1IdentitySourceId\$1  |   [#multi-partyapproval-aws_ResourceTag___TagKey_](#multi-partyapproval-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html](https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html)  |  arn:\$1\$1Partition\$1:mpa:\$1\$1Region\$1:\$1\$1Account\$1:session/\$1\$1SessionId\$1  |   [#multi-partyapproval-aws_ResourceTag___TagKey_](#multi-partyapproval-aws_ResourceTag___TagKey_)   | 

## Condition keys for Multi-party approval
<a name="multi-partyapproval-policy-keys"></a>

Multi-party approval defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html](https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html)  | Filters access by the account that owns the resource that is the target of the operation that requires approval | String | 
|   [https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html](https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html)  | Filters access by a requested operation that requires team approval before it can be executed | String | 

# Actions, resources, and condition keys for AWS MWAA Serverless
<a name="list_awsmwaaserverless"></a>

AWS MWAA Serverless (service prefix: `airflow-serverless`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/mwaa/latest/mwaa-serverless-userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mwaa-serverless/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mwaa/latest/mwaa-serverless-userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS MWAA Serverless
](#awsmwaaserverless-actions-as-permissions)
+ [

## Resource types defined by AWS MWAA Serverless
](#awsmwaaserverless-resources-for-iam-policies)
+ [

## Condition keys for AWS MWAA Serverless
](#awsmwaaserverless-policy-keys)

## Actions defined by AWS MWAA Serverless
<a name="awsmwaaserverless-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsmwaaserverless-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmwaaserverless.html)

## Resource types defined by AWS MWAA Serverless
<a name="awsmwaaserverless-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsmwaaserverless-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/mwaa/latest/mwaa-serverless-userguide/workflows.html](https://docs.aws.amazon.com/mwaa/latest/mwaa-serverless-userguide/workflows.html)  |  arn:\$1\$1Partition\$1:airflow-serverless:\$1\$1Region\$1:\$1\$1Account\$1:workflow/\$1\$1WorkflowId\$1  |   [#awsmwaaserverless-aws_ResourceTag___TagKey_](#awsmwaaserverless-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS MWAA Serverless
<a name="awsmwaaserverless-policy-keys"></a>

AWS MWAA Serverless defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs that are attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Neptune
<a name="list_amazonneptune"></a>

Amazon Neptune (service prefix: `neptune-db`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/neptune/latest/userguide/intro.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/neptune/latest/userguide/api.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Neptune
](#amazonneptune-actions-as-permissions)
+ [

## Resource types defined by Amazon Neptune
](#amazonneptune-resources-for-iam-policies)
+ [

## Condition keys for Amazon Neptune
](#amazonneptune-policy-keys)

## Actions defined by Amazon Neptune
<a name="amazonneptune-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonneptune-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonneptune.html)

## Resource types defined by Amazon Neptune
<a name="amazonneptune-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonneptune-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/neptune/latest/userguide/iam-data-resources.html](https://docs.aws.amazon.com/neptune/latest/userguide/iam-data-resources.html)  |  arn:\$1\$1Partition\$1:neptune-db:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1ClusterResourceId\$1/\$1  |  | 

## Condition keys for Amazon Neptune
<a name="amazonneptune-policy-keys"></a>

Amazon Neptune defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/neptune/latest/userguide/iam-data-condition-keys.html#iam-neptune-condition-keys](https://docs.aws.amazon.com/neptune/latest/userguide/iam-data-condition-keys.html#iam-neptune-condition-keys)  | Filters access by graph model | String | 

# Actions, resources, and condition keys for Amazon Neptune Analytics
<a name="list_amazonneptuneanalytics"></a>

Amazon Neptune Analytics (service prefix: `neptune-graph`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/neptune-analytics/latest/apiref/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Neptune Analytics
](#amazonneptuneanalytics-actions-as-permissions)
+ [

## Resource types defined by Amazon Neptune Analytics
](#amazonneptuneanalytics-resources-for-iam-policies)
+ [

## Condition keys for Amazon Neptune Analytics
](#amazonneptuneanalytics-policy-keys)

## Actions defined by Amazon Neptune Analytics
<a name="amazonneptuneanalytics-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonneptuneanalytics-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).

**Note**  
All IAM actions except 'ReadDataViaQuery', 'WriteDataViaQuery' and 'DeleteDataViaQuery' have a corresponding API operation


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonneptuneanalytics.html)

## Resource types defined by Amazon Neptune Analytics
<a name="amazonneptuneanalytics-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonneptuneanalytics-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/neptune-analytics/latest/userguide/iam-resources.html#graph](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/iam-resources.html#graph)  |  arn:\$1\$1Partition\$1:neptune-graph:\$1\$1Region\$1:\$1\$1Account\$1:graph/\$1\$1ResourceId\$1  |   [#amazonneptuneanalytics-aws_ResourceTag___TagKey_](#amazonneptuneanalytics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/neptune-analytics/latest/userguide/iam-resources.html#graph-snapshot](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/iam-resources.html#graph-snapshot)  |  arn:\$1\$1Partition\$1:neptune-graph:\$1\$1Region\$1:\$1\$1Account\$1:graph-snapshot/\$1\$1ResourceId\$1  |   [#amazonneptuneanalytics-aws_ResourceTag___TagKey_](#amazonneptuneanalytics-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/neptune-analytics/latest/userguide/iam-resources.html#import-task](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/iam-resources.html#import-task)  |  arn:\$1\$1Partition\$1:neptune-graph:\$1\$1Region\$1:\$1\$1Account\$1:import-task/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/neptune-analytics/latest/userguide/iam-resources.html#export-task](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/iam-resources.html#export-task)  |  arn:\$1\$1Partition\$1:neptune-graph:\$1\$1Region\$1:\$1\$1Account\$1:export-task/\$1\$1ResourceId\$1  |  | 

## Condition keys for Amazon Neptune Analytics
<a name="amazonneptuneanalytics-policy-keys"></a>

Amazon Neptune Analytics defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in a request | ArrayOfString | 
|   [https://docs.aws.amazon.com/neptune-analytics/latest/userguide/iam-condition-keys.html#publicconnectivity](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/iam-condition-keys.html#publicconnectivity)  | Filters access by the value of the public connectivity parameter provided in the request or its default value, if unspecified. All access to graphs is IAM authenticated | Bool | 

# Actions, resources, and condition keys for AWS Network Firewall
<a name="list_awsnetworkfirewall"></a>

AWS Network Firewall (service prefix: `network-firewall`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/network-firewall/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/network-firewall/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Network Firewall
](#awsnetworkfirewall-actions-as-permissions)
+ [

## Resource types defined by AWS Network Firewall
](#awsnetworkfirewall-resources-for-iam-policies)
+ [

## Condition keys for AWS Network Firewall
](#awsnetworkfirewall-policy-keys)

## Actions defined by AWS Network Firewall
<a name="awsnetworkfirewall-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsnetworkfirewall-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkfirewall.html)

## Resource types defined by AWS Network Firewall
<a name="awsnetworkfirewall-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsnetworkfirewall-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_Firewall.html](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_Firewall.html)  |  arn:\$1\$1Partition\$1:network-firewall:\$1\$1Region\$1:\$1\$1Account\$1:firewall/\$1\$1Name\$1  |   [#awsnetworkfirewall-aws_ResourceTag___TagKey_](#awsnetworkfirewall-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_FirewallPolicyResponse.html](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_FirewallPolicyResponse.html)  |  arn:\$1\$1Partition\$1:network-firewall:\$1\$1Region\$1:\$1\$1Account\$1:firewall-policy/\$1\$1Name\$1  |   [#awsnetworkfirewall-aws_ResourceTag___TagKey_](#awsnetworkfirewall-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_RuleGroupResponse.html](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_RuleGroupResponse.html)  |  arn:\$1\$1Partition\$1:network-firewall:\$1\$1Region\$1:\$1\$1Account\$1:stateful-rulegroup/\$1\$1Name\$1  |   [#awsnetworkfirewall-aws_ResourceTag___TagKey_](#awsnetworkfirewall-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_RuleGroupResponse.html](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_RuleGroupResponse.html)  |  arn:\$1\$1Partition\$1:network-firewall:\$1\$1Region\$1:\$1\$1Account\$1:stateless-rulegroup/\$1\$1Name\$1  |   [#awsnetworkfirewall-aws_ResourceTag___TagKey_](#awsnetworkfirewall-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_TLSInspectionConfigurationResponse.html](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_TLSInspectionConfigurationResponse.html)  |  arn:\$1\$1Partition\$1:network-firewall:\$1\$1Region\$1:\$1\$1Account\$1:tls-configuration/\$1\$1Name\$1  |   [#awsnetworkfirewall-aws_ResourceTag___TagKey_](#awsnetworkfirewall-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_VpcEndpointAssociation.html](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_VpcEndpointAssociation.html)  |  arn:\$1\$1Partition\$1:network-firewall:\$1\$1Region\$1:\$1\$1Account\$1:vpc-endpoint-association/\$1\$1Name\$1  |   [#awsnetworkfirewall-aws_ResourceTag___TagKey_](#awsnetworkfirewall-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_ProxyRuleGroup.html](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_ProxyRuleGroup.html)  |  arn:\$1\$1Partition\$1:network-firewall:\$1\$1Region\$1:\$1\$1Account\$1:proxy-rule-group/\$1\$1Name\$1  |   [#awsnetworkfirewall-aws_ResourceTag___TagKey_](#awsnetworkfirewall-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_ProxyConfiguration.html](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_ProxyConfiguration.html)  |  arn:\$1\$1Partition\$1:network-firewall:\$1\$1Region\$1:\$1\$1Account\$1:proxy-configuration/\$1\$1Name\$1  |   [#awsnetworkfirewall-aws_ResourceTag___TagKey_](#awsnetworkfirewall-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_Proxy.html](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_Proxy.html)  |  arn:\$1\$1Partition\$1:network-firewall:\$1\$1Region\$1:\$1\$1Account\$1:proxy/\$1\$1Name\$1  |   [#awsnetworkfirewall-aws_ResourceTag___TagKey_](#awsnetworkfirewall-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Network Firewall
<a name="awsnetworkfirewall-policy-keys"></a>

AWS Network Firewall defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by on the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for Network Flow Monitor
<a name="list_networkflowmonitor"></a>

Network Flow Monitor (service prefix: `networkflowmonitor`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-NetworkFlowMonitor.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/networkflowmonitor/2.0/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-NetworkFlowMonitor-security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Network Flow Monitor
](#networkflowmonitor-actions-as-permissions)
+ [

## Resource types defined by Network Flow Monitor
](#networkflowmonitor-resources-for-iam-policies)
+ [

## Condition keys for Network Flow Monitor
](#networkflowmonitor-policy-keys)

## Actions defined by Network Flow Monitor
<a name="networkflowmonitor-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#networkflowmonitor-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_networkflowmonitor.html)

## Resource types defined by Network Flow Monitor
<a name="networkflowmonitor-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#networkflowmonitor-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-NetworkFlowMonitor-configure-monitors.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-NetworkFlowMonitor-configure-monitors.html)  |  arn:\$1\$1Partition\$1:networkflowmonitor:\$1\$1Region\$1:\$1\$1Account\$1:monitor/\$1\$1MonitorName\$1  |   [#networkflowmonitor-aws_ResourceTag___TagKey_](#networkflowmonitor-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-NetworkFlowMonitor-organizations.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-NetworkFlowMonitor-organizations.html)  |  arn:\$1\$1Partition\$1:networkflowmonitor:\$1\$1Region\$1:\$1\$1Account\$1:scope/\$1\$1ScopeId\$1  |   [#networkflowmonitor-aws_ResourceTag___TagKey_](#networkflowmonitor-aws_ResourceTag___TagKey_)   | 

## Condition keys for Network Flow Monitor
<a name="networkflowmonitor-policy-keys"></a>

Network Flow Monitor defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Network Manager
<a name="list_awsnetworkmanager"></a>

AWS Network Manager (service prefix: `networkmanager`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/vpc/latest/tgw/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/networkmanager/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Network Manager
](#awsnetworkmanager-actions-as-permissions)
+ [

## Resource types defined by AWS Network Manager
](#awsnetworkmanager-resources-for-iam-policies)
+ [

## Condition keys for AWS Network Manager
](#awsnetworkmanager-policy-keys)

## Actions defined by AWS Network Manager
<a name="awsnetworkmanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsnetworkmanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkmanager.html)

## Resource types defined by AWS Network Manager
<a name="awsnetworkmanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsnetworkmanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html)  |  arn:\$1\$1Partition\$1:networkmanager::\$1\$1Account\$1:global-network/\$1\$1ResourceId\$1  |   [#awsnetworkmanager-aws_ResourceTag___TagKey_](#awsnetworkmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html)  |  arn:\$1\$1Partition\$1:networkmanager::\$1\$1Account\$1:site/\$1\$1GlobalNetworkId\$1/\$1\$1ResourceId\$1  |   [#awsnetworkmanager-aws_ResourceTag___TagKey_](#awsnetworkmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html)  |  arn:\$1\$1Partition\$1:networkmanager::\$1\$1Account\$1:link/\$1\$1GlobalNetworkId\$1/\$1\$1ResourceId\$1  |   [#awsnetworkmanager-aws_ResourceTag___TagKey_](#awsnetworkmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html)  |  arn:\$1\$1Partition\$1:networkmanager::\$1\$1Account\$1:device/\$1\$1GlobalNetworkId\$1/\$1\$1ResourceId\$1  |   [#awsnetworkmanager-aws_ResourceTag___TagKey_](#awsnetworkmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html)  |  arn:\$1\$1Partition\$1:networkmanager::\$1\$1Account\$1:connection/\$1\$1GlobalNetworkId\$1/\$1\$1ResourceId\$1  |   [#awsnetworkmanager-aws_ResourceTag___TagKey_](#awsnetworkmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html)  |  arn:\$1\$1Partition\$1:networkmanager::\$1\$1Account\$1:core-network/\$1\$1ResourceId\$1  |   [#awsnetworkmanager-aws_ResourceTag___TagKey_](#awsnetworkmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html)  |  arn:\$1\$1Partition\$1:networkmanager::\$1\$1Account\$1:attachment/\$1\$1ResourceId\$1  |   [#awsnetworkmanager-aws_ResourceTag___TagKey_](#awsnetworkmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html)  |  arn:\$1\$1Partition\$1:networkmanager::\$1\$1Account\$1:connect-peer/\$1\$1ResourceId\$1  |   [#awsnetworkmanager-aws_ResourceTag___TagKey_](#awsnetworkmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html)  |  arn:\$1\$1Partition\$1:networkmanager::\$1\$1Account\$1:peering/\$1\$1ResourceId\$1  |   [#awsnetworkmanager-aws_ResourceTag___TagKey_](#awsnetworkmanager-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Network Manager
<a name="awsnetworkmanager-policy-keys"></a>

AWS Network Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html)  | Filters access by which customer gateways can be associated or disassociated | ARN | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html)  | Filters access by which Direct Connect gateway can be used to a create/update attachment | ARN | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html)  | Filters access by which edge locations can be added or removed from a Direct Connect gateway attachment | ArrayOfString | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html)  | Filters access by which VPC subnets can be added or removed from a VPC attachment | ArrayOfARN | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html)  | Filters access by which transit gateways can be registered, deregistered, or peered | ARN | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html)  | Filters access by which transit gateway connect peers can be associated or disassociated | ARN | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html)  | Filters access by which Transit Gateway Route Table can be used to create an attachment | ARN | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html)  | Filters access by which VPC can be used to a create/update attachment | ARN | 
|   [https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html)  | Filters access by which Site-to-Site VPN can be used to a create/update attachment | ARN | 

# Actions, resources, and condition keys for AWS Network Manager Chat
<a name="list_awsnetworkmanagerchat"></a>

AWS Network Manager Chat (service prefix: `networkmanager-chat`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/vpc/latest/reachability/identity-access-management.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Network Manager Chat
](#awsnetworkmanagerchat-actions-as-permissions)
+ [

## Resource types defined by AWS Network Manager Chat
](#awsnetworkmanagerchat-resources-for-iam-policies)
+ [

## Condition keys for AWS Network Manager Chat
](#awsnetworkmanagerchat-policy-keys)

## Actions defined by AWS Network Manager Chat
<a name="awsnetworkmanagerchat-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsnetworkmanagerchat-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to cancel a response to a message | Write |  |  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to create a conversation | Write |  |  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to delete a conversation | Write |  |  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to list conversation messages | List |  |  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to list conversations | List |  |  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to notify whether there is activity in a conversation | Write |  |  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to send a conversation message | Write |  |  |  | 

## Resource types defined by AWS Network Manager Chat
<a name="awsnetworkmanagerchat-resources-for-iam-policies"></a>

AWS Network Manager Chat does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Network Manager Chat, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Network Manager Chat
<a name="awsnetworkmanagerchat-policy-keys"></a>

Network Manager Chat has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Nimble Studio
<a name="list_amazonnimblestudio"></a>

Amazon Nimble Studio (service prefix: `nimble`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/nimble-studio/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/nimble-studio/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Nimble Studio
](#amazonnimblestudio-actions-as-permissions)
+ [

## Resource types defined by Amazon Nimble Studio
](#amazonnimblestudio-resources-for-iam-policies)
+ [

## Condition keys for Amazon Nimble Studio
](#amazonnimblestudio-policy-keys)

## Actions defined by Amazon Nimble Studio
<a name="amazonnimblestudio-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonnimblestudio-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnimblestudio.html)

## Resource types defined by Amazon Nimble Studio
<a name="amazonnimblestudio-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonnimblestudio-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_Studio.html](https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_Studio.html)  |  arn:\$1\$1Partition\$1:nimble:\$1\$1Region\$1:\$1\$1Account\$1:studio/\$1\$1StudioId\$1  |   [#amazonnimblestudio-aws_RequestTag___TagKey_](#amazonnimblestudio-aws_RequestTag___TagKey_)   [#amazonnimblestudio-aws_ResourceTag___TagKey_](#amazonnimblestudio-aws_ResourceTag___TagKey_)   [#amazonnimblestudio-aws_TagKeys](#amazonnimblestudio-aws_TagKeys)   [#amazonnimblestudio-nimble_studioId](#amazonnimblestudio-nimble_studioId)   | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_StreamingImage.html](https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_StreamingImage.html)  |  arn:\$1\$1Partition\$1:nimble:\$1\$1Region\$1:\$1\$1Account\$1:streaming-image/\$1\$1StreamingImageId\$1  |   [#amazonnimblestudio-aws_RequestTag___TagKey_](#amazonnimblestudio-aws_RequestTag___TagKey_)   [#amazonnimblestudio-aws_ResourceTag___TagKey_](#amazonnimblestudio-aws_ResourceTag___TagKey_)   [#amazonnimblestudio-aws_TagKeys](#amazonnimblestudio-aws_TagKeys)   [#amazonnimblestudio-nimble_studioId](#amazonnimblestudio-nimble_studioId)   | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_StudioComponent.html](https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_StudioComponent.html)  |  arn:\$1\$1Partition\$1:nimble:\$1\$1Region\$1:\$1\$1Account\$1:studio-component/\$1\$1StudioComponentId\$1  |   [#amazonnimblestudio-aws_RequestTag___TagKey_](#amazonnimblestudio-aws_RequestTag___TagKey_)   [#amazonnimblestudio-aws_ResourceTag___TagKey_](#amazonnimblestudio-aws_ResourceTag___TagKey_)   [#amazonnimblestudio-aws_TagKeys](#amazonnimblestudio-aws_TagKeys)   [#amazonnimblestudio-nimble_studioId](#amazonnimblestudio-nimble_studioId)   | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_LaunchProfile.html](https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_LaunchProfile.html)  |  arn:\$1\$1Partition\$1:nimble:\$1\$1Region\$1:\$1\$1Account\$1:launch-profile/\$1\$1LaunchProfileId\$1  |   [#amazonnimblestudio-aws_RequestTag___TagKey_](#amazonnimblestudio-aws_RequestTag___TagKey_)   [#amazonnimblestudio-aws_ResourceTag___TagKey_](#amazonnimblestudio-aws_ResourceTag___TagKey_)   [#amazonnimblestudio-aws_TagKeys](#amazonnimblestudio-aws_TagKeys)   [#amazonnimblestudio-nimble_studioId](#amazonnimblestudio-nimble_studioId)   | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_StreamingSession.html](https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_StreamingSession.html)  |  arn:\$1\$1Partition\$1:nimble:\$1\$1Region\$1:\$1\$1Account\$1:streaming-session/\$1\$1StreamingSessionId\$1  |   [#amazonnimblestudio-aws_RequestTag___TagKey_](#amazonnimblestudio-aws_RequestTag___TagKey_)   [#amazonnimblestudio-aws_ResourceTag___TagKey_](#amazonnimblestudio-aws_ResourceTag___TagKey_)   [#amazonnimblestudio-aws_TagKeys](#amazonnimblestudio-aws_TagKeys)   [#amazonnimblestudio-nimble_createdBy](#amazonnimblestudio-nimble_createdBy)   [#amazonnimblestudio-nimble_ownedBy](#amazonnimblestudio-nimble_ownedBy)   | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_StreamingSessionBackup.html](https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_StreamingSessionBackup.html)  |  arn:\$1\$1Partition\$1:nimble:\$1\$1Region\$1:\$1\$1Account\$1:streaming-session-backup/\$1\$1StreamingSessionBackupId\$1  |   [#amazonnimblestudio-aws_RequestTag___TagKey_](#amazonnimblestudio-aws_RequestTag___TagKey_)   [#amazonnimblestudio-aws_ResourceTag___TagKey_](#amazonnimblestudio-aws_ResourceTag___TagKey_)   [#amazonnimblestudio-aws_TagKeys](#amazonnimblestudio-aws_TagKeys)   [#amazonnimblestudio-nimble_ownedBy](#amazonnimblestudio-nimble_ownedBy)   | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_Eula.html](https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_Eula.html)  |  arn:\$1\$1Partition\$1:nimble:\$1\$1Region\$1:\$1\$1Account\$1:eula/\$1\$1EulaId\$1  |  | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_EulaAcceptance.html](https://docs.aws.amazon.com/nimble-studio/latest/APIReference/API_EulaAcceptance.html)  |  arn:\$1\$1Partition\$1:nimble:\$1\$1Region\$1:\$1\$1Account\$1:eula-acceptance/\$1\$1EulaAcceptanceId\$1  |   [#amazonnimblestudio-nimble_studioId](#amazonnimblestudio-nimble_studioId)   | 

## Condition keys for Amazon Nimble Studio
<a name="amazonnimblestudio-policy-keys"></a>

Amazon Nimble Studio defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam-service-with-iam.html)  | Filters access by the createdBy request parameter or the ID of the creator of the resource | String | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam-service-with-iam.html)  | Filters access by the ownedBy request parameter or the ID of the owner of the resource | String | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam-service-with-iam.html)  | Filters access by the principalId request parameter | String | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam-service-with-iam.html)  | Filters access by the ID of the logged in user | String | 
|   [https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam-service-with-iam.html](https://docs.aws.amazon.com/nimble-studio/latest/userguide/security-iam-service-with-iam.html)  | Filters access by a specific studio | ARN | 

# Actions, resources, and condition keys for Amazon Nova Act
<a name="list_amazonnovaact"></a>

Amazon Nova Act (service prefix: `nova-act`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/nova-act/latest/userguide/what-is-nova-act.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/nova-act/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/nova-act/latest/userguide/security-iam-service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Nova Act
](#amazonnovaact-actions-as-permissions)
+ [

## Resource types defined by Amazon Nova Act
](#amazonnovaact-resources-for-iam-policies)
+ [

## Condition keys for Amazon Nova Act
](#amazonnovaact-policy-keys)

## Actions defined by Amazon Nova Act
<a name="amazonnovaact-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonnovaact-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnovaact.html)

## Resource types defined by Amazon Nova Act
<a name="amazonnovaact-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonnovaact-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/nova-act/latest/userguide/workflow-definition.html](https://docs.aws.amazon.com/nova-act/latest/userguide/workflow-definition.html)  |  arn:\$1\$1Partition\$1:nova-act:\$1\$1Region\$1:\$1\$1Account\$1:workflow-definition/\$1\$1WorkflowDefinitionName\$1  |  | 
|   [https://docs.aws.amazon.com/nova-act/latest/userguide/workflow-run.html](https://docs.aws.amazon.com/nova-act/latest/userguide/workflow-run.html)  |  arn:\$1\$1Partition\$1:nova-act:\$1\$1Region\$1:\$1\$1Account\$1:workflow-definition/\$1\$1WorkflowDefinitionName\$1/workflow-run/\$1\$1WorkflowRunId\$1  |  | 

## Condition keys for Amazon Nova Act
<a name="amazonnovaact-policy-keys"></a>

Nova Act has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon One Enterprise
<a name="list_amazononeenterprise"></a>

Amazon One Enterprise (service prefix: `one`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/one-enterprise/latest/userguide/one-enterprise-getting-started.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/one-enterprise/latest/userguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/one-enterprise/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon One Enterprise
](#amazononeenterprise-actions-as-permissions)
+ [

## Resource types defined by Amazon One Enterprise
](#amazononeenterprise-resources-for-iam-policies)
+ [

## Condition keys for Amazon One Enterprise
](#amazononeenterprise-policy-keys)

## Actions defined by Amazon One Enterprise
<a name="amazononeenterprise-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazononeenterprise-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazononeenterprise.html)

## Resource types defined by Amazon One Enterprise
<a name="amazononeenterprise-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazononeenterprise-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/one-enterprise/latest/userguide/create-device-instance.html](https://docs.aws.amazon.com/one-enterprise/latest/userguide/create-device-instance.html)  |  arn:\$1\$1Partition\$1:one:\$1\$1Region\$1:\$1\$1Account\$1:device-instance/\$1\$1DeviceInstanceId\$1  |   [#amazononeenterprise-aws_ResourceTag___TagKey_](#amazononeenterprise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/one-enterprise/latest/userguide/configure-instance.html](https://docs.aws.amazon.com/one-enterprise/latest/userguide/configure-instance.html)  |  arn:\$1\$1Partition\$1:one:\$1\$1Region\$1:\$1\$1Account\$1:device-instance/\$1\$1DeviceInstanceId\$1/configuration/\$1\$1Version\$1  |  | 
|   [https://docs.aws.amazon.com/one-enterprise/latest/userguide/create-config-template.html](https://docs.aws.amazon.com/one-enterprise/latest/userguide/create-config-template.html)  |  arn:\$1\$1Partition\$1:one:\$1\$1Region\$1:\$1\$1Account\$1:device-configuration-template/\$1\$1TemplateId\$1  |   [#amazononeenterprise-aws_ResourceTag___TagKey_](#amazononeenterprise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/one-enterprise/latest/userguide/create-sites.html](https://docs.aws.amazon.com/one-enterprise/latest/userguide/create-sites.html)  |  arn:\$1\$1Partition\$1:one:\$1\$1Region\$1:\$1\$1Account\$1:site/\$1\$1SiteId\$1  |   [#amazononeenterprise-aws_ResourceTag___TagKey_](#amazononeenterprise-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/one-enterprise/latest/userguide/enrollment-entry.html](https://docs.aws.amazon.com/one-enterprise/latest/userguide/enrollment-entry.html)  |  arn:\$1\$1Partition\$1:one:\$1\$1Region\$1:\$1\$1Account\$1:user/\$1\$1UserId\$1  |  | 

## Condition keys for Amazon One Enterprise
<a name="amazononeenterprise-policy-keys"></a>

Amazon One Enterprise defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by using tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by using tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon OpenSearch
<a name="list_amazonopensearch"></a>

Amazon OpenSearch (service prefix: `opensearch`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon OpenSearch
](#amazonopensearch-actions-as-permissions)
+ [

## Resource types defined by Amazon OpenSearch
](#amazonopensearch-resources-for-iam-policies)
+ [

## Condition keys for Amazon OpenSearch
](#amazonopensearch-policy-keys)

## Actions defined by Amazon OpenSearch
<a name="amazonopensearch-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonopensearch-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/) [permission only] | Grants permission to access OpenSearch Application | Permissions management |   [#amazonopensearch-application](#amazonopensearch-application)   |  |  | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-auto-optimize.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-auto-optimize.html)  | Grants permission to cancel submitted Auto Optimize Job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_CancelDirectQuery.html](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_CancelDirectQuery.html)  | Grants permission to cancel the query that is submitted on the OpenSearch DataSource resource | Write |   [#amazonopensearch-datasource](#amazonopensearch-datasource)   |  |  | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-auto-optimize.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-auto-optimize.html)  | Grants permission to delete Auto Optimize Job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-auto-optimize.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-auto-optimize.html)  | Grants permission to get the Auto Optimize Job details | Read |  |  |  | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_GetDirectQuery.html](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_GetDirectQuery.html)  | Grants permission to get the query status that are performed on the OpenSearch DataSource resource | Read |   [#amazonopensearch-datasource](#amazonopensearch-datasource)   |  |  | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_GetDirectQueryResult.html](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_GetDirectQueryResult.html)  | Grants permission to get the results of a query that is performed on the OpenSearch DataSource resource | Read |   [#amazonopensearch-datasource](#amazonopensearch-datasource)   |  |  | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-auto-optimize.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-auto-optimize.html)  | Grants permission to retrieve a list of Auto Optimize Jobs | List |  |  |  | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_StartDirectQuery.html](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_StartDirectQuery.html)  | Grants permission to start a direct query on the provided OpenSearch DataSource arns | Write |   [#amazonopensearch-datasource](#amazonopensearch-datasource)   |  |  | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-auto-optimize.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-auto-optimize.html)  | Grants permission to create new Auto Optimize Job | Write |  |  |  | 

## Resource types defined by Amazon OpenSearch
<a name="amazonopensearch-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonopensearch-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html)  |  arn:\$1\$1Partition\$1:opensearch:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1AppId\$1  |  | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/datasource.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/datasource.html)  |  arn:\$1\$1Partition\$1:opensearch:\$1\$1Region\$1:\$1\$1Account\$1:datasource/\$1\$1DataSourceName\$1  |  | 

## Condition keys for Amazon OpenSearch
<a name="amazonopensearch-policy-keys"></a>

OpenSearch has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon OpenSearch Ingestion
<a name="list_amazonopensearchingestion"></a>

Amazon OpenSearch Ingestion (service prefix: `osis`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_Operations_Amazon_OpenSearch_Ingestion.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/) permission policies.

**Topics**
+ [

## Actions defined by Amazon OpenSearch Ingestion
](#amazonopensearchingestion-actions-as-permissions)
+ [

## Resource types defined by Amazon OpenSearch Ingestion
](#amazonopensearchingestion-resources-for-iam-policies)
+ [

## Condition keys for Amazon OpenSearch Ingestion
](#amazonopensearchingestion-policy-keys)

## Actions defined by Amazon OpenSearch Ingestion
<a name="amazonopensearchingestion-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonopensearchingestion-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchingestion.html)

## Resource types defined by Amazon OpenSearch Ingestion
<a name="amazonopensearchingestion-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonopensearchingestion-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_Pipeline.html](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_Pipeline.html)  |  arn:\$1\$1Partition\$1:osis:\$1\$1Region\$1:\$1\$1Account\$1:pipeline/\$1\$1PipelineName\$1  |   [#amazonopensearchingestion-aws_ResourceTag___TagKey_](#amazonopensearchingestion-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_PipelineEndpoint.html](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_PipelineEndpoint.html)  |  arn:\$1\$1Partition\$1:osis:\$1\$1Region\$1:\$1\$1Account\$1:endpoint/\$1\$1EndpointId\$1  |   [#amazonopensearchingestion-aws_ResourceTag___TagKey_](#amazonopensearchingestion-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_PipelineBlueprint.html](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_PipelineBlueprint.html)  |  arn:\$1\$1Partition\$1:osis:\$1\$1Region\$1:\$1\$1Account\$1:blueprint/\$1\$1BlueprintName\$1  |  | 

## Condition keys for Amazon OpenSearch Ingestion
<a name="amazonopensearchingestion-policy-keys"></a>

Amazon OpenSearch Ingestion defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon OpenSearch Serverless
<a name="list_amazonopensearchserverless"></a>

Amazon OpenSearch Serverless (service prefix: `aoss`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/opensearch-service/latest/ServerlessAPIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon OpenSearch Serverless
](#amazonopensearchserverless-actions-as-permissions)
+ [

## Resource types defined by Amazon OpenSearch Serverless
](#amazonopensearchserverless-resources-for-iam-policies)
+ [

## Condition keys for Amazon OpenSearch Serverless
](#amazonopensearchserverless-policy-keys)

## Actions defined by Amazon OpenSearch Serverless
<a name="amazonopensearchserverless-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonopensearchserverless-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchserverless.html)

## Resource types defined by Amazon OpenSearch Serverless
<a name="amazonopensearchserverless-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonopensearchserverless-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html)  |  arn:\$1\$1Partition\$1:aoss:\$1\$1Region\$1:\$1\$1Account\$1:collection/\$1\$1CollectionId\$1  |   [#amazonopensearchserverless-aws_ResourceTag___TagKey_](#amazonopensearchserverless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html)  |  arn:\$1\$1Partition\$1:aoss:\$1\$1Region\$1:\$1\$1Account\$1:collection-group/\$1\$1CollectionGroupId\$1  |   [#amazonopensearchserverless-aws_ResourceTag___TagKey_](#amazonopensearchserverless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html)  |  arn:\$1\$1Partition\$1:aoss:\$1\$1Region\$1:\$1\$1Account\$1:dashboards/default  |  | 

## Condition keys for Amazon OpenSearch Serverless
<a name="amazonopensearchserverless-policy-keys"></a>

Amazon OpenSearch Serverless defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security_iam_serverless-conditionkeys](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security_iam_serverless-conditionkeys)  | Filters access by the identifier of the collection | String | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security_iam_serverless-conditionkeys](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security_iam_serverless-conditionkeys)  | Filters access by the collection name | String | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security_iam_serverless-conditionkeys](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security_iam_serverless-conditionkeys)  | Filters access by the collection group name | String | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security_iam_serverless-conditionkeys](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security_iam_serverless-conditionkeys)  | Filters access by the index | String | 
|   [security-iam-serverless.html#condition-keys-requesttag](security-iam-serverless.html#condition-keys-requesttag)  | Filters access based on the tags that are passed in the request | String | 
|   [security-iam-serverless.html#condition-keys-resourcetag](security-iam-serverless.html#condition-keys-resourcetag)  | Filters access based on the tags associated with the resource | String | 
|   [security-iam-serverless.html#condition-keys-tagkeys](security-iam-serverless.html#condition-keys-tagkeys)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon OpenSearch Service
<a name="list_amazonopensearchservice"></a>

Amazon OpenSearch Service (service prefix: `es`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon OpenSearch Service
](#amazonopensearchservice-actions-as-permissions)
+ [

## Resource types defined by Amazon OpenSearch Service
](#amazonopensearchservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon OpenSearch Service
](#amazonopensearchservice-policy-keys)

## Actions defined by Amazon OpenSearch Service
<a name="amazonopensearchservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonopensearchservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html)

## Resource types defined by Amazon OpenSearch Service
<a name="amazonopensearchservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonopensearchservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html)  |  arn:\$1\$1Partition\$1:es:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainName\$1  |   [#amazonopensearchservice-aws_ResourceTag___TagKey_](#amazonopensearchservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html)  |  arn:\$1\$1Partition\$1:opensearch:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1AppId\$1  |   [#amazonopensearchservice-aws_ResourceTag___TagKey_](#amazonopensearchservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html)  |  arn:\$1\$1Partition\$1:iam::\$1\$1Account\$1:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService  |   [#amazonopensearchservice-aws_ResourceTag___TagKey_](#amazonopensearchservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html)  |  arn:\$1\$1Partition\$1:iam::\$1\$1Account\$1:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService  |   [#amazonopensearchservice-aws_ResourceTag___TagKey_](#amazonopensearchservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/opensearch-service/latest/developerguide/datasource.html](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/datasource.html)  |  arn:\$1\$1Partition\$1:opensearch:\$1\$1Region\$1:\$1\$1Account\$1:datasource/\$1\$1DataSourceName\$1  |   [#amazonopensearchservice-aws_ResourceTag___TagKey_](#amazonopensearchservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon OpenSearch Service
<a name="amazonopensearchservice-policy-keys"></a>

Amazon OpenSearch Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS OpsWorks
<a name="list_awsopsworks"></a>

AWS OpsWorks (service prefix: `opsworks`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/opsworks/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/opsworks/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/opsworks/latest/userguide/workingsecurity.html) permission policies.

**Topics**
+ [

## Actions defined by AWS OpsWorks
](#awsopsworks-actions-as-permissions)
+ [

## Resource types defined by AWS OpsWorks
](#awsopsworks-resources-for-iam-policies)
+ [

## Condition keys for AWS OpsWorks
](#awsopsworks-policy-keys)

## Actions defined by AWS OpsWorks
<a name="awsopsworks-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsopsworks-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_AssignInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_AssignInstance.html)  | Grants permission to assign a registered instance to a layer | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_AssignVolume.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_AssignVolume.html)  | Grants permission to assign one of the stack's registered Amazon EBS volumes to a specified instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_AssociateElasticIp.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_AssociateElasticIp.html)  | Grants permission to associate one of the stack's registered Elastic IP addresses with a specified instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_AttachElasticLoadBalancer.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_AttachElasticLoadBalancer.html)  | Grants permission to attach an Elastic Load Balancing load balancer to a specified layer | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CloneStack.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CloneStack.html)  | Grants permission to create a clone of a specified stack | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateApp.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateApp.html)  | Grants permission to create an app for a specified stack | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateDeployment.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateDeployment.html)  | Grants permission to run deployment or stack commands | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateInstance.html)  | Grants permission to create an instance in a specified stack | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateLayer.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateLayer.html)  | Grants permission to create a layer | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateStack.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateStack.html)  | Grants permission to create a new stack | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateUserProfile.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_CreateUserProfile.html)  | Grants permission to create a new user profile | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeleteApp.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeleteApp.html)  | Grants permission to delete a specified app | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeleteInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeleteInstance.html)  | Grants permission to delete a specified instance, which terminates the associated Amazon EC2 instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeleteLayer.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeleteLayer.html)  | Grants permission to delete a specified layer | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeleteStack.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeleteStack.html)  | Grants permission to delete a specified stack | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeleteUserProfile.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeleteUserProfile.html)  | Grants permission to delete a user profile | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeregisterEcsCluster.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeregisterEcsCluster.html)  | Grants permission to delete a user profile | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeregisterElasticIp.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeregisterElasticIp.html)  | Grants permission to deregister a specified Elastic IP address | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeregisterInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeregisterInstance.html)  | Grants permission to deregister a registered Amazon EC2 or on-premises instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeregisterRdsDbInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeregisterRdsDbInstance.html)  | Grants permission to deregister an Amazon RDS instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeregisterVolume.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DeregisterVolume.html)  | Grants permission to deregister an Amazon EBS volume | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeAgentVersions.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeAgentVersions.html)  | Grants permission to describe the available AWS OpsWorks agent versions | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeApps.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeApps.html)  | Grants permission to request a description of a specified set of apps | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeCommands.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeCommands.html)  | Grants permission to describe the results of specified commands | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeDeployments.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeDeployments.html)  | Grants permission to request a description of a specified set of deployments | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeEcsClusters.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeEcsClusters.html)  | Grants permission to describe Amazon ECS clusters that are registered with a stack | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeElasticIps.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeElasticIps.html)  | Grants permission to describe Elastic IP addresses | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeElasticLoadBalancers.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeElasticLoadBalancers.html)  | Grants permission to describe a stack's Elastic Load Balancing instances | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeInstances.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeInstances.html)  | Grants permission to request a description of a set of instances | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeLayers.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeLayers.html)  | Grants permission to request a description of one or more layers in a specified stack | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeLoadBasedAutoScaling.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeLoadBasedAutoScaling.html)  | Grants permission to describe load-based auto scaling configurations for specified layers | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeMyUserProfile.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeMyUserProfile.html)  | Grants permission to describe a user's SSH information | List |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeOperatingSystems.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeOperatingSystems.html)  | Grants permission to describe the operating systems that are supported by AWS OpsWorks Stacks | List |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribePermissions.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribePermissions.html)  | Grants permission to describe the permissions for a specified stack | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeRaidArrays.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeRaidArrays.html)  | Grants permission to describe an instance's RAID arrays | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeRdsDbInstances.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeRdsDbInstances.html)  | Grants permission to describe Amazon RDS instances | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeServiceErrors.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeServiceErrors.html)  | Grants permission to describe AWS OpsWorks service errors | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeStackProvisioningParameters.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeStackProvisioningParameters.html)  | Grants permission to request a description of a stack's provisioning parameters | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeStackSummary.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeStackSummary.html)  | Grants permission to describe the number of layers and apps in a specified stack, and the number of instances in each state, such as running\$1setup or online | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeStacks.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeStacks.html)  | Grants permission to request a description of one or more stacks | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeTimeBasedAutoScaling.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeTimeBasedAutoScaling.html)  | Grants permission to describe time-based auto scaling configurations for specified instances | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeUserProfiles.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeUserProfiles.html)  | Grants permission to describe specified users | List |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeVolumes.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DescribeVolumes.html)  | Grants permission to describe an instance's Amazon EBS volumes | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DetachElasticLoadBalancer.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DetachElasticLoadBalancer.html)  | Grants permission to detache a specified Elastic Load Balancing instance from its layer | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DisassociateElasticIp.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_DisassociateElasticIp.html)  | Grants permission to disassociate an Elastic IP address from its instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_GetHostnameSuggestion.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_GetHostnameSuggestion.html)  | Grants permission to get a generated host name for the specified layer, based on the current host name theme | Read |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RebootInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RebootInstance.html)  | Grants permission to grant RDP access to a Windows instance for a specified time period | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_ListTags.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_ListTags.html)  | Grants permission to return a list of tags that are applied to the specified stack or layer | List |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RebootInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RebootInstance.html)  | Grants permission to reboot a specified instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RegisterEcsCluster.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RegisterEcsCluster.html)  | Grants permission to register a specified Amazon ECS cluster with a stack | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RegisterElasticIp.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RegisterElasticIp.html)  | Grants permission to register an Elastic IP address with a specified stack | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RegisterInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RegisterInstance.html)  | Grants permission to register instances with a specified stack that were created outside of AWS OpsWorks | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RegisterRdsDbInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RegisterRdsDbInstance.html)  | Grants permission to register an Amazon RDS instance with a stack | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RegisterVolume.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_RegisterVolume.html)  | Grants permission to register an Amazon EBS volume with a specified stack | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_SetLoadBasedAutoScaling.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_SetLoadBasedAutoScaling.html)  | Grants permission to specify the load-based auto scaling configuration for a specified layer | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_SetPermission.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_SetPermission.html)  | Grants permission to specify a user's permissions | Permissions management |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_SetTimeBasedAutoScaling.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_SetTimeBasedAutoScaling.html)  | Grants permission to specify the time-based auto scaling configuration for a specified instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_StartInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_StartInstance.html)  | Grants permission to start a specified instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_StartStack.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_StartStack.html)  | Grants permission to start a stack's instances | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_StopInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_StopInstance.html)  | Grants permission to stop a specified instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_StopStack.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_StopStack.html)  | Grants permission to stop a specified stack | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_TagResource.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_TagResource.html)  | Grants permission to apply tags to a specified stack or layer | Tagging |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UnassignInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UnassignInstance.html)  | Grants permission to unassign a registered instance from all of it's layers | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UnassignVolume.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UnassignVolume.html)  | Grants permission to unassign an assigned Amazon EBS volume | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UntagResource.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UntagResource.html)  | Grants permission to remove tags from a specified stack or layer | Tagging |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateApp.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateApp.html)  | Grants permission to update a specified app | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateElasticIp.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateElasticIp.html)  | Grants permission to update a registered Elastic IP address's name | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateInstance.html)  | Grants permission to update a specified instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateLayer.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateLayer.html)  | Grants permission to update a specified layer | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateMyUserProfile.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateMyUserProfile.html)  | Grants permission to update a user's SSH public key | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateRdsDbInstance.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateRdsDbInstance.html)  | Grants permission to update an Amazon RDS instance | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateStack.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateStack.html)  | Grants permission to update a specified stack | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateUserProfile.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateUserProfile.html)  | Grants permission to update a specified user profile | Permissions management |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateVolume.html](https://docs.aws.amazon.com/opsworks/latest/APIReference/API_UpdateVolume.html)  | Grants permission to update an Amazon EBS volume's name or mount point | Write |   [#awsopsworks-stack](#awsopsworks-stack)   |  |  | 

## Resource types defined by AWS OpsWorks
<a name="awsopsworks-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsopsworks-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/opsworks/latest/userguide/workingstacks.html](https://docs.aws.amazon.com/opsworks/latest/userguide/workingstacks.html)  |  arn:\$1\$1Partition\$1:opsworks:\$1\$1Region\$1:\$1\$1Account\$1:stack/\$1\$1StackId\$1/  |  | 

## Condition keys for AWS OpsWorks
<a name="awsopsworks-policy-keys"></a>

OpsWorks has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS OpsWorks Configuration Management
<a name="list_awsopsworksconfigurationmanagement"></a>

AWS OpsWorks Configuration Management (service prefix: `opsworks-cm`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/opsworks/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/opsworks/latest/userguide/workingsecurity.html) permission policies.

**Topics**
+ [

## Actions defined by AWS OpsWorks Configuration Management
](#awsopsworksconfigurationmanagement-actions-as-permissions)
+ [

## Resource types defined by AWS OpsWorks Configuration Management
](#awsopsworksconfigurationmanagement-resources-for-iam-policies)
+ [

## Condition keys for AWS OpsWorks Configuration Management
](#awsopsworksconfigurationmanagement-policy-keys)

## Actions defined by AWS OpsWorks Configuration Management
<a name="awsopsworksconfigurationmanagement-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsopsworksconfigurationmanagement-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_AssociateNode.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_AssociateNode.html)  | Grants permission to associate a node to a configuration management server | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_CreateBackup.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_CreateBackup.html)  | Grants permission to create a backup for the specified server | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_CreateServer.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_CreateServer.html)  | Grants permission to create a new server | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DeleteBackup.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DeleteBackup.html)  | Grants permission to delete the specified backup and possibly its S3 bucket | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DeleteServer.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DeleteServer.html)  | Grants permission to delete the specified server with its corresponding CloudFormation stack and possibly the S3 bucket | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeAccountAttributes.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeAccountAttributes.html)  | Grants permission to describe the service limits for the user's account | List |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeBackups.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeBackups.html)  | Grants permission to describe a single backup, all backups of a specified server or all backups of the user's account | List |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeEvents.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeEvents.html)  | Grants permission to describe all events of the specified server | List |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeNodeAssociationStatus.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeNodeAssociationStatus.html)  | Grants permission to describe the association status for the specified node token and the specified server | List |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeServers.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeServers.html)  | Grants permission to describe the specified server or all servers of the user's account | List |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DisassociateNode.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DisassociateNode.html)  | Grants permission to disassociate a specified node from a server | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_ExportServerEngineAttribute.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_ExportServerEngineAttribute.html)  | Grants permission to export an engine attribute from a server | Read |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_ListTagsForResource.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_ListTagsForResource.html)  | Grants permission to list the tags that are applied to the specified server or backup | Read |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_RestoreServer.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_RestoreServer.html)  | Grants permission to apply a backup to specified server. Possibly swaps out the ec2-instance if specified | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_StartMaintenance.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_StartMaintenance.html)  | Grants permission to start the server maintenance immediately | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_TagResource.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_TagResource.html)  | Grants permission to apply tags to the specified server or backup | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_UntagResource.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_UntagResource.html)  | Grants permission to remove tags from the specified server or backup | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_UpdateServer.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_UpdateServer.html)  | Grants permission to update general server settings | Write |  |  |  | 
|   [https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_UpdateServerEngineAttributes.html](https://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_UpdateServerEngineAttributes.html)  | Grants permission to update server settings specific to the configuration management type | Write |  |  |  | 

## Resource types defined by AWS OpsWorks Configuration Management
<a name="awsopsworksconfigurationmanagement-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsopsworksconfigurationmanagement-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   server  |  arn:\$1\$1Partition\$1:opsworks-cm::\$1\$1Account\$1:server/\$1\$1ServerName\$1/\$1\$1UniqueId\$1  |  | 
|   backup  |  arn:\$1\$1Partition\$1:opsworks-cm::\$1\$1Account\$1:backup/\$1\$1ServerName\$1-\$1Date-and-Time-Stamp-of-Backup\$1  |  | 

## Condition keys for AWS OpsWorks Configuration Management
<a name="awsopsworksconfigurationmanagement-policy-keys"></a>

OpsworksCM has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Organizations
<a name="list_awsorganizations"></a>

AWS Organizations (service prefix: `organizations`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/organizations/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/organizations/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Organizations
](#awsorganizations-actions-as-permissions)
+ [

## Resource types defined by AWS Organizations
](#awsorganizations-resources-for-iam-policies)
+ [

## Condition keys for AWS Organizations
](#awsorganizations-policy-keys)

## Actions defined by AWS Organizations
<a name="awsorganizations-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsorganizations-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html)

## Resource types defined by AWS Organizations
<a name="awsorganizations-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsorganizations-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html)  |  arn:\$1\$1Partition\$1:organizations::\$1\$1Account\$1:account/o-\$1\$1OrganizationId\$1/\$1\$1AccountId\$1  |   [#awsorganizations-aws_ResourceTag___TagKey_](#awsorganizations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html)  |  arn:\$1\$1Partition\$1:organizations::\$1\$1Account\$1:handshake/o-\$1\$1OrganizationId\$1/\$1\$1HandshakeType\$1/h-\$1\$1HandshakeId\$1  |  | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html)  |  arn:\$1\$1Partition\$1:organizations::\$1\$1Account\$1:organization/o-\$1\$1OrganizationId\$1  |  | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html)  |  arn:\$1\$1Partition\$1:organizations::\$1\$1Account\$1:ou/o-\$1\$1OrganizationId\$1/ou-\$1\$1OrganizationalUnitId\$1  |   [#awsorganizations-aws_ResourceTag___TagKey_](#awsorganizations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html)  |  arn:\$1\$1Partition\$1:organizations::\$1\$1Account\$1:policy/o-\$1\$1OrganizationId\$1/\$1\$1PolicyType\$1/p-\$1\$1PolicyId\$1  |   [#awsorganizations-aws_ResourceTag___TagKey_](#awsorganizations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html)  |  arn:\$1\$1Partition\$1:organizations::\$1\$1Account\$1:resourcepolicy/o-\$1\$1OrganizationId\$1/rp-\$1\$1ResourcePolicyId\$1  |   [#awsorganizations-aws_ResourceTag___TagKey_](#awsorganizations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html)  |  arn:\$1\$1Partition\$1:organizations::aws:policy/\$1\$1PolicyType\$1/p-\$1\$1PolicyId\$1  |  | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html)  |  arn:\$1\$1Partition\$1:organizations::\$1\$1Account\$1:root/o-\$1\$1OrganizationId\$1/r-\$1\$1RootId\$1  |   [#awsorganizations-aws_ResourceTag___TagKey_](#awsorganizations-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html)  |  arn:\$1\$1Partition\$1:organizations::\$1\$1Account\$1:transfer/o-\$1\$1OrganizationId\$1/\$1\$1TransferType\$1/\$1\$1TransferDirection\$1/rt-\$1\$1ResponsibilityTransferId\$1  |   [#awsorganizations-aws_ResourceTag___TagKey_](#awsorganizations-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Organizations
<a name="awsorganizations-policy-keys"></a>

AWS Organizations defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys)  | Filters access by the specified policy type names | String | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys)  | Filters access by the specified service principal names | String | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys)  | Filters access by the specified responsibility transfer by the direction | String | 
|   [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys)  | Filters access by the specified responsibility transfer type names | String | 

# Actions, resources, and condition keys for AWS Outposts
<a name="list_awsoutposts"></a>

AWS Outposts (service prefix: `outposts`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/outposts/latest/userguide/get-started-outposts.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/outposts/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Outposts
](#awsoutposts-actions-as-permissions)
+ [

## Resource types defined by AWS Outposts
](#awsoutposts-resources-for-iam-policies)
+ [

## Condition keys for AWS Outposts
](#awsoutposts-policy-keys)

## Actions defined by AWS Outposts
<a name="awsoutposts-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsoutposts-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsoutposts.html)

## Resource types defined by AWS Outposts
<a name="awsoutposts-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsoutposts-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/outposts/latest/userguide/what-is-outposts.html](https://docs.aws.amazon.com/outposts/latest/userguide/what-is-outposts.html)  |  arn:\$1\$1Partition\$1:outposts:\$1\$1Region\$1:\$1\$1Account\$1:outpost/\$1\$1OutpostId\$1  |   [#awsoutposts-aws_ResourceTag___TagKey_](#awsoutposts-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/outposts/latest/userguide/what-is-outposts.html](https://docs.aws.amazon.com/outposts/latest/userguide/what-is-outposts.html)  |  arn:\$1\$1Partition\$1:outposts:\$1\$1Region\$1:\$1\$1Account\$1:site/\$1\$1SiteId\$1  |   [#awsoutposts-aws_ResourceTag___TagKey_](#awsoutposts-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Outposts
<a name="awsoutposts-policy-keys"></a>

AWS Outposts defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/outposts/latest/userguide/identity-access-management.html)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Panorama
<a name="list_awspanorama"></a>

AWS Panorama (service prefix: `panorama`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/panorama/latest/dev/panorama-welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/panorama/latest/api/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/panorama/latest/dev/panorama-permissions.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Panorama
](#awspanorama-actions-as-permissions)
+ [

## Resource types defined by AWS Panorama
](#awspanorama-resources-for-iam-policies)
+ [

## Condition keys for AWS Panorama
](#awspanorama-policy-keys)

## Actions defined by AWS Panorama
<a name="awspanorama-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awspanorama-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html)

## Resource types defined by AWS Panorama
<a name="awspanorama-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awspanorama-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/panorama/latest/dev/gettingstarted-concepts.html#gettingstarted-concepts-appliance](https://docs.aws.amazon.com/panorama/latest/dev/gettingstarted-concepts.html#gettingstarted-concepts-appliance)  |  arn:\$1\$1Partition\$1:panorama:\$1\$1Region\$1:\$1\$1Account\$1:device/\$1\$1DeviceId\$1  |   [#awspanorama-aws_ResourceTag___TagKey_](#awspanorama-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/panorama/latest/dev/gettingstarted-concepts.html#gettingstarted-concepts-node](https://docs.aws.amazon.com/panorama/latest/dev/gettingstarted-concepts.html#gettingstarted-concepts-node)  |  arn:\$1\$1Partition\$1:panorama:\$1\$1Region\$1:\$1\$1Account\$1:package/\$1\$1PackageId\$1  |   [#awspanorama-aws_ResourceTag___TagKey_](#awspanorama-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/panorama/latest/dev/gettingstarted-concepts.html#gettingstarted-concepts-application](https://docs.aws.amazon.com/panorama/latest/dev/gettingstarted-concepts.html#gettingstarted-concepts-application)  |  arn:\$1\$1Partition\$1:panorama:\$1\$1Region\$1:\$1\$1Account\$1:applicationInstance/\$1\$1ApplicationInstanceId\$1  |   [#awspanorama-aws_ResourceTag___TagKey_](#awspanorama-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Panorama
<a name="awspanorama-policy-keys"></a>

AWS Panorama defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Parallel Computing Service
<a name="list_awsparallelcomputingservice"></a>

AWS Parallel Computing Service (service prefix: `pcs`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/pcs/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/pcs/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/pcs/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Parallel Computing Service
](#awsparallelcomputingservice-actions-as-permissions)
+ [

## Resource types defined by AWS Parallel Computing Service
](#awsparallelcomputingservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Parallel Computing Service
](#awsparallelcomputingservice-policy-keys)

## Actions defined by AWS Parallel Computing Service
<a name="awsparallelcomputingservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsparallelcomputingservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsparallelcomputingservice.html)

## Resource types defined by AWS Parallel Computing Service
<a name="awsparallelcomputingservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsparallelcomputingservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/pcs/latest/APIReference/API_Cluster.html](https://docs.aws.amazon.com/pcs/latest/APIReference/API_Cluster.html)  |  arn:\$1\$1Partition\$1:pcs:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ClusterIdentifier\$1  |   [#awsparallelcomputingservice-aws_ResourceTag___TagKey_](#awsparallelcomputingservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pcs/latest/APIReference/API_ComputeNodeGroup.html](https://docs.aws.amazon.com/pcs/latest/APIReference/API_ComputeNodeGroup.html)  |  arn:\$1\$1Partition\$1:pcs:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ClusterIdentifier\$1/computenodegroup/\$1\$1ComputeNodeGroupIdentifier\$1  |   [#awsparallelcomputingservice-aws_ResourceTag___TagKey_](#awsparallelcomputingservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pcs/latest/APIReference/API_Queue.html](https://docs.aws.amazon.com/pcs/latest/APIReference/API_Queue.html)  |  arn:\$1\$1Partition\$1:pcs:\$1\$1Region\$1:\$1\$1Account\$1:cluster/\$1\$1ClusterIdentifier\$1/queue/\$1\$1QueueIdentifier\$1  |   [#awsparallelcomputingservice-aws_ResourceTag___TagKey_](#awsparallelcomputingservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Parallel Computing Service
<a name="awsparallelcomputingservice-policy-keys"></a>

AWS Parallel Computing Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Partner Central
<a name="list_awspartnercentral"></a>

AWS Partner Central (service prefix: `partnercentral`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/partner-central/latest/getting-started/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/partner-central/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/partner-central/latest/APIReference/access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Partner Central
](#awspartnercentral-actions-as-permissions)
+ [

## Resource types defined by AWS Partner Central
](#awspartnercentral-resources-for-iam-policies)
+ [

## Condition keys for AWS Partner Central
](#awspartnercentral-policy-keys)

## Actions defined by AWS Partner Central
<a name="awspartnercentral-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awspartnercentral-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awspartnercentral.html)

## Resource types defined by AWS Partner Central
<a name="awspartnercentral-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awspartnercentral-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1::catalog/\$1\$1Catalog\$1/engagement/\$1\$1Identifier\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1::catalog/\$1\$1Catalog\$1/engagement-by-accepting-invitation-task/\$1\$1TaskId\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1::catalog/\$1\$1Catalog\$1/engagement-from-opportunity-task/\$1\$1TaskId\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1::catalog/\$1\$1Catalog\$1/engagement-invitation/\$1\$1Identifier\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-your-opportunities.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-your-opportunities.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/opportunity/\$1\$1Identifier\$1  |   [#awspartnercentral-aws_ResourceTag___TagKey_](#awspartnercentral-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/resource-snapshot-job/\$1\$1Identifier\$1  |   [#awspartnercentral-aws_ResourceTag___TagKey_](#awspartnercentral-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/engagement/\$1\$1EngagementIdentifier\$1/resource/\$1\$1ResourceType\$1/\$1\$1ResourceIdentifier\$1/template/\$1\$1TemplateIdentifier\$1/resource-snapshot/\$1\$1SnapshotRevision\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/API_ListSolutions.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/API_ListSolutions.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/solution/\$1\$1Identifier\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-partner-registration.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-partner-registration.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/partner/\$1\$1Identifier\$1  |   [#awspartnercentral-aws_ResourceTag___TagKey_](#awspartnercentral-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-account-connections.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-account-connections.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1::catalog/\$1\$1Catalog\$1/connection/\$1\$1Identifier\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-account-connections.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-account-connections.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1::catalog/\$1\$1Catalog\$1/connection-invitation/\$1\$1Identifier\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-account-connections.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-account-connections.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/connection-preferences  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1::catalog/\$1\$1Catalog\$1/opportunity-from-engagement-task/\$1\$1TaskId\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/using-the-benefits-api.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/using-the-benefits-api.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1::catalog/\$1\$1Catalog\$1/benefit/\$1\$1Identifier\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-benefit-allocations.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-benefit-allocations.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/benefit-allocation/\$1\$1Identifier\$1  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-benefit-applications.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-benefit-applications.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/benefit-application/\$1\$1Identifier\$1  |   [#awspartnercentral-aws_ResourceTag___TagKey_](#awspartnercentral-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-channel-management.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-channel-management.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/program-management-account/\$1\$1Identifier\$1  |   [#awspartnercentral-aws_ResourceTag___TagKey_](#awspartnercentral-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-channel-management.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-channel-management.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/program-management-account/\$1\$1ProgramManagementAccountId\$1/relationship/\$1\$1RelationshipId\$1  |   [#awspartnercentral-aws_ResourceTag___TagKey_](#awspartnercentral-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-channel-management.html](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-channel-management.html)  |  arn:\$1\$1Partition\$1:partnercentral:\$1\$1Region\$1:\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/channel-handshake/\$1\$1Identifier\$1  |   [#awspartnercentral-aws_ResourceTag___TagKey_](#awspartnercentral-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/partner-analytics.html](https://docs.aws.amazon.com/partner-central/latest/getting-started/partner-analytics.html)  |  arn:\$1\$1Partition\$1:partnercentral::\$1\$1Account\$1:catalog/\$1\$1Catalog\$1/ReportingData/\$1\$1TableId\$1/Dashboard/\$1\$1DashboardId\$1  |  | 

## Condition keys for AWS Partner Central
<a name="awspartnercentral-policy-keys"></a>

AWS Partner Central defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central)  | Filters access by a specific Catalog | String | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central)  | Filters access by channel handshake types | String | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central)  | Filters access by benefit fulfillment types | ArrayOfString | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central)  | Filters access by program | ArrayOfString | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central)  | Filters access by entity types for Opportunity association | String | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-aws-partner-central.html#condition-keys-for-aws-partner-central)  | Filters access by the type of verification being performed | String | 

# Actions, resources, and condition keys for AWS Partner central account management
<a name="list_awspartnercentralaccountmanagement"></a>

AWS Partner central account management (service prefix: `partnercentral-account-management`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/partner-central/latest/getting-started/account-linking.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Partner central account management
](#awspartnercentralaccountmanagement-actions-as-permissions)
+ [

## Resource types defined by AWS Partner central account management
](#awspartnercentralaccountmanagement-resources-for-iam-policies)
+ [

## Condition keys for AWS Partner central account management
](#awspartnercentralaccountmanagement-policy-keys)

## Actions defined by AWS Partner central account management
<a name="awspartnercentralaccountmanagement-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awspartnercentralaccountmanagement-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html) [permission only] | Grants permission to Single Sign-On from AWS Partner Central into Legacy Partner Central | Write |  |   [#awspartnercentralaccountmanagement-partnercentral-account-management_LegacyPartnerCentralRole](#awspartnercentralaccountmanagement-partnercentral-account-management_LegacyPartnerCentralRole)   |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html) [permission only] | Grants permission to Single Sign-On from AWS Partner Central into Marketing Central | Write |  |   [#awspartnercentralaccountmanagement-partnercentral-account-management_MarketingCentralRole](#awspartnercentralaccountmanagement-partnercentral-account-management_MarketingCentralRole)   |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html) [permission only] | Grants permission to Single Sign-On from AWS Partner Central into ProServe Tools | Write |  |   [#awspartnercentralaccountmanagement-partnercentral-account-management_ProServeRole](#awspartnercentralaccountmanagement-partnercentral-account-management_ProServeRole)   |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html) [permission only] | Grants permission to associate Partner account to AWS account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html)  | Grants permission to associate Partner user to IAM role | Write |  |  |  | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html)  | Grants permission to disassociate Partner user to IAM role | Write |  |  |  | 

## Resource types defined by AWS Partner central account management
<a name="awspartnercentralaccountmanagement-resources-for-iam-policies"></a>

AWS Partner central account management does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Partner central account management, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Partner central account management
<a name="awspartnercentralaccountmanagement-policy-keys"></a>

AWS Partner central account management defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html)  | Filters access by the Legacy Partner Central role | ArrayOfString | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html)  | Filters access by Marketing Central role | ArrayOfString | 
|   [https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html](https://docs.aws.amazon.com/partner-central/latest/getting-started/controlling-access-in-apc-account-management.html)  | Filters access by ProServe Tools role | ArrayOfString | 

# Actions, resources, and condition keys for AWS Payment Cryptography
<a name="list_awspaymentcryptography"></a>

AWS Payment Cryptography (service prefix: `payment-cryptography`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Payment Cryptography
](#awspaymentcryptography-actions-as-permissions)
+ [

## Resource types defined by AWS Payment Cryptography
](#awspaymentcryptography-resources-for-iam-policies)
+ [

## Condition keys for AWS Payment Cryptography
](#awspaymentcryptography-policy-keys)

## Actions defined by AWS Payment Cryptography
<a name="awspaymentcryptography-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awspaymentcryptography-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html)

## Resource types defined by AWS Payment Cryptography
<a name="awspaymentcryptography-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awspaymentcryptography-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [${APIReferenceDocPage}API_Key.html](${APIReferenceDocPage}API_Key.html)  |  arn:\$1\$1Partition\$1:payment-cryptography:\$1\$1Region\$1:\$1\$1Account\$1:key/\$1\$1KeyId\$1  |   [#awspaymentcryptography-aws_ResourceTag___TagKey_](#awspaymentcryptography-aws_ResourceTag___TagKey_)   [#awspaymentcryptography-payment-cryptography_ResourceAliases](#awspaymentcryptography-payment-cryptography_ResourceAliases)   | 
|   [${APIReferenceDocPage}API_Alias.html](${APIReferenceDocPage}API_Alias.html)  |  arn:\$1\$1Partition\$1:payment-cryptography:\$1\$1Region\$1:\$1\$1Account\$1:alias/\$1\$1Alias\$1  |   [#awspaymentcryptography-payment-cryptography_ResourceAliases](#awspaymentcryptography-payment-cryptography_ResourceAliases)   | 

## Condition keys for AWS Payment Cryptography
<a name="awspaymentcryptography-policy-keys"></a>

AWS Payment Cryptography defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by both the key and value of the tag in the request for the specified operation | String | 
|   [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by tags assigned to a key for the specified operation | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in the request for the specified operation | ArrayOfString | 
|   [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html)  | Filters access by the CertificateAuthorityPublicKeyIdentifier specified in the request or the ImportKey, and ExportKey operations | String | 
|   [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html)  | Filters access by the type of key material being imported [RootCertificatePublicKey, TrustedCertificatePublicKey, Tr34KeyBlock, Tr31KeyBlock, DiffieHellmanTr31KeyBlock, As2805KeyCryptogram] for the ImportKey operation | String | 
|   [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html)  | Filters access by KeyAlgorithm specified in the request for the CreateKey operation | String | 
|   [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html)  | Filters access by KeyClass specified in the request for the CreateKey operation | String | 
|   [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html)  | Filters access by KeyClass specified in the request or associated with a key for the CreateKey operation | String | 
|   [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html)  | Filters access by aliases in the request for the specified operation | String | 
|   [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html)  | Filters access by aliases associated with a key for the specified operation | ArrayOfString | 
|   [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html)  | Filters access by the WrappingKeyIdentifier specified in the request for the ImportKey, and ExportKey operations | String | 

# Actions, resources, and condition keys for AWS Payments
<a name="list_awspayments"></a>

AWS Payments (service prefix: `payments`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Payments
](#awspayments-actions-as-permissions)
+ [

## Resource types defined by AWS Payments
](#awspayments-resources-for-iam-policies)
+ [

## Condition keys for AWS Payments
](#awspayments-policy-keys)

## Actions defined by AWS Payments
<a name="awspayments-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awspayments-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awspayments.html)

## Resource types defined by AWS Payments
<a name="awspayments-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awspayments-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions)  |  arn:\$1\$1Partition\$1:payments::\$1\$1Account\$1:payment-instrument:\$1\$1ResourceId\$1  |   [#awspayments-aws_ResourceTag___TagKey_](#awspayments-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Payments
<a name="awspayments-policy-keys"></a>

AWS Payments defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Performance Insights
<a name="list_awsperformanceinsights"></a>

AWS Performance Insights (service prefix: `pi`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/performance-insights/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Performance Insights
](#awsperformanceinsights-actions-as-permissions)
+ [

## Resource types defined by AWS Performance Insights
](#awsperformanceinsights-resources-for-iam-policies)
+ [

## Condition keys for AWS Performance Insights
](#awsperformanceinsights-policy-keys)

## Actions defined by AWS Performance Insights
<a name="awsperformanceinsights-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsperformanceinsights-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsperformanceinsights.html)

## Resource types defined by AWS Performance Insights
<a name="awsperformanceinsights-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsperformanceinsights-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.access-control.html](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.access-control.html)  |  arn:\$1\$1Partition\$1:pi:\$1\$1Region\$1:\$1\$1Account\$1:metrics/\$1\$1ServiceType\$1/\$1\$1Identifier\$1  |   [#awsperformanceinsights-aws_ResourceTag___TagKey_](#awsperformanceinsights-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.access-control.html](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.access-control.html)  |  arn:\$1\$1Partition\$1:pi:\$1\$1Region\$1:\$1\$1Account\$1:perf-reports/\$1\$1ServiceType\$1/\$1\$1Identifier\$1/\$1\$1ReportId\$1  |   [#awsperformanceinsights-aws_ResourceTag___TagKey_](#awsperformanceinsights-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Performance Insights
<a name="awsperformanceinsights-policy-keys"></a>

AWS Performance Insights defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [#condition-keys-requesttag](#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [#condition-keys-resourcetag](#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [#condition-keys-tagkeys](#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [#condition-keys-dimensions](#condition-keys-dimensions)  | Filters access by the requested dimensions | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Personalize
<a name="list_amazonpersonalize"></a>

Amazon Personalize (service prefix: `personalize`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/personalize/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/personalize/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/personalize/latest/dg/security.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Personalize
](#amazonpersonalize-actions-as-permissions)
+ [

## Resource types defined by Amazon Personalize
](#amazonpersonalize-resources-for-iam-policies)
+ [

## Condition keys for Amazon Personalize
](#amazonpersonalize-policy-keys)

## Actions defined by Amazon Personalize
<a name="amazonpersonalize-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonpersonalize-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpersonalize.html)

## Resource types defined by Amazon Personalize
<a name="amazonpersonalize-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonpersonalize-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/how-it-works-dataset-schema.html#schema-examples](https://docs.aws.amazon.com/personalize/latest/dg/how-it-works-dataset-schema.html#schema-examples)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:schema/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_FeatureTransformation.html](https://docs.aws.amazon.com/personalize/latest/dg/API_FeatureTransformation.html)  |  arn:\$1\$1Partition\$1:personalize:::feature-transformation/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_Dataset.html](https://docs.aws.amazon.com/personalize/latest/dg/API_Dataset.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:dataset/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_DatasetGroup.html](https://docs.aws.amazon.com/personalize/latest/dg/API_DatasetGroup.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:dataset-group/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_DatasetImportJob.html](https://docs.aws.amazon.com/personalize/latest/dg/API_DatasetImportJob.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:dataset-import-job/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/analyzing-data.html](https://docs.aws.amazon.com/personalize/latest/dg/analyzing-data.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:data-insights-job/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_DatasetExportJob.html](https://docs.aws.amazon.com/personalize/latest/dg/API_DatasetExportJob.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:dataset-export-job/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_DataDeletionJob.html](https://docs.aws.amazon.com/personalize/latest/dg/API_DataDeletionJob.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:data-deletion-job/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_Solution.html](https://docs.aws.amazon.com/personalize/latest/dg/API_Solution.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:solution/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_Campaign.html](https://docs.aws.amazon.com/personalize/latest/dg/API_Campaign.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:campaign/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_EventTracker.html](https://docs.aws.amazon.com/personalize/latest/dg/API_EventTracker.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:event-tracker/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_Recipe.html](https://docs.aws.amazon.com/personalize/latest/dg/API_Recipe.html)  |  arn:\$1\$1Partition\$1:personalize:::recipe/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_Algorithm.html](https://docs.aws.amazon.com/personalize/latest/dg/API_Algorithm.html)  |  arn:\$1\$1Partition\$1:personalize:::algorithm/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_BatchInferenceJob.html](https://docs.aws.amazon.com/personalize/latest/dg/API_BatchInferenceJob.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:batch-inference-job/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_Filter.html](https://docs.aws.amazon.com/personalize/latest/dg/API_Filter.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:filter/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_Recommender.html](https://docs.aws.amazon.com/personalize/latest/dg/API_Recommender.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:recommender/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_BatchSegmentJob.html](https://docs.aws.amazon.com/personalize/latest/dg/API_BatchSegmentJob.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:batch-segment-job/\$1\$1ResourceId\$1  |   [#amazonpersonalize-aws_ResourceTag___TagKey_](#amazonpersonalize-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/personalize/latest/dg/API_MetricAttribution.html](https://docs.aws.amazon.com/personalize/latest/dg/API_MetricAttribution.html)  |  arn:\$1\$1Partition\$1:personalize:\$1\$1Region\$1:\$1\$1Account\$1:metric-attribution/\$1\$1ResourceId\$1  |  | 

## Condition keys for Amazon Personalize
<a name="amazonpersonalize-policy-keys"></a>

Amazon Personalize defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Pinpoint
<a name="list_amazonpinpoint"></a>

Amazon Pinpoint (service prefix: `mobiletargeting`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/pinpoint/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/pinpoint/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/pinpoint/latest/developerguide/permissions-actions.html#permissions-actions-apiactions) permission policies.

**Topics**
+ [

## Actions defined by Amazon Pinpoint
](#amazonpinpoint-actions-as-permissions)
+ [

## Resource types defined by Amazon Pinpoint
](#amazonpinpoint-resources-for-iam-policies)
+ [

## Condition keys for Amazon Pinpoint
](#amazonpinpoint-policy-keys)

## Actions defined by Amazon Pinpoint
<a name="amazonpinpoint-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonpinpoint-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpoint.html)

## Resource types defined by Amazon Pinpoint
<a name="amazonpinpoint-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonpinpoint-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1  |   [#amazonpinpoint-aws_ResourceTag___TagKey_](#amazonpinpoint-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-campaigns-campaign-id.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-campaigns-campaign-id.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/campaigns/\$1\$1CampaignId\$1  |   [#amazonpinpoint-aws_ResourceTag___TagKey_](#amazonpinpoint-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-journeys-journey-id.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-journeys-journey-id.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/journeys/\$1\$1JourneyId\$1  |   [#amazonpinpoint-aws_ResourceTag___TagKey_](#amazonpinpoint-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-journeys.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-journeys.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/journeys  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-segments-segment-id.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-segments-segment-id.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/segments/\$1\$1SegmentId\$1  |   [#amazonpinpoint-aws_ResourceTag___TagKey_](#amazonpinpoint-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/templates.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/templates.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:templates/\$1\$1TemplateName\$1/\$1\$1TemplateType\$1  |   [#amazonpinpoint-aws_ResourceTag___TagKey_](#amazonpinpoint-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/templates.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/templates.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:templates  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/recommenders.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/recommenders.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:recommenders/\$1\$1RecommenderId\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/recommenders.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/recommenders.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:recommenders/\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/phone-number-validate.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/phone-number-validate.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:phone/number/validate  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-channels.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-channels.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/channels  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-channels.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-channels.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/channels/\$1\$1ChannelType\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-eventstream.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-eventstream.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/eventstream  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-events.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-events.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/events  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-messages.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-messages.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/messages  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-verify-otp.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-verify-otp.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/verify-otp  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-verify-otp.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-verify-otp.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/otp  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-attributes-attribute-type.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-attributes-attribute-type.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/attributes/\$1\$1AttributeType\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-users-user-id.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-users-user-id.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/users/\$1\$1UserId\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-endpoints-endpoint-id.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-endpoints-endpoint-id.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/endpoints/\$1\$1EndpointId\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-jobs-import-job-id.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-jobs-import-job-id.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/jobs/import/\$1\$1JobId\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-jobs-export-job-id.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-jobs-export-job-id.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/jobs/export/\$1\$1JobId\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-kpis-daterange-kpi-name.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-kpis-daterange-kpi-name.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/kpis/daterange/\$1\$1KpiName\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-campaigns-campaign-id-kpis-daterange-kpi-name.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-campaigns-campaign-id-kpis-daterange-kpi-name.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/campaigns/\$1\$1CampaignId\$1/kpis/daterange/\$1\$1KpiName\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-journeys-journey-id-kpis-daterange-kpi-name.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-journeys-journey-id-kpis-daterange-kpi-name.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/journeys/\$1\$1JourneyId\$1/kpis/daterange/\$1\$1KpiName\$1  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-journeys-journey-id-execution-metrics.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-journeys-journey-id-execution-metrics.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/journeys/\$1\$1JourneyId\$1/execution-metrics  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-journeys-journey-id-activities-journey-activity-id-execution-metrics.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/apps-application-id-journeys-journey-id-activities-journey-activity-id-execution-metrics.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1/journeys/\$1\$1JourneyId\$1/activities/\$1\$1JourneyActivityId\$1/execution-metrics  |  | 
|   [https://docs.aws.amazon.com/pinpoint/latest/apireference/reports.html](https://docs.aws.amazon.com/pinpoint/latest/apireference/reports.html)  |  arn:\$1\$1Partition\$1:mobiletargeting:\$1\$1Region\$1:\$1\$1Account\$1:reports  |  | 

## Condition keys for Amazon Pinpoint
<a name="amazonpinpoint-policy-keys"></a>

Amazon Pinpoint defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys)  | Filters access by a key that is present in the request the user makes to the pinpoint service | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys)  | Filters access by a tag key and value pair | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-permissions.html#iam-contextkeys)  | Filters access by the list of all the tag key names present in the request the user makes to the pinpoint service | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Pinpoint Email Service
<a name="list_amazonpinpointemailservice"></a>

Amazon Pinpoint Email Service (service prefix: `ses`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/pinpoint/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/pinpoint-email/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-policies.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Pinpoint Email Service
](#amazonpinpointemailservice-actions-as-permissions)
+ [

## Resource types defined by Amazon Pinpoint Email Service
](#amazonpinpointemailservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon Pinpoint Email Service
](#amazonpinpointemailservice-policy-keys)

## Actions defined by Amazon Pinpoint Email Service
<a name="amazonpinpointemailservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonpinpointemailservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointemailservice.html)

## Resource types defined by Amazon Pinpoint Email Service
<a name="amazonpinpointemailservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonpinpointemailservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/pinpoint-email/latest/APIReference/API_CreateConfigurationSet.html](https://docs.aws.amazon.com/pinpoint-email/latest/APIReference/API_CreateConfigurationSet.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:configuration-set/\$1\$1ConfigurationSetName\$1  |   [#amazonpinpointemailservice-aws_ResourceTag___TagKey_](#amazonpinpointemailservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint-email/latest/APIReference/API_DedicatedIp.html](https://docs.aws.amazon.com/pinpoint-email/latest/APIReference/API_DedicatedIp.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:dedicated-ip-pool/\$1\$1DedicatedIPPool\$1  |   [#amazonpinpointemailservice-aws_ResourceTag___TagKey_](#amazonpinpointemailservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint-email/latest/APIReference/API_DeliverabilityTestReport.html](https://docs.aws.amazon.com/pinpoint-email/latest/APIReference/API_DeliverabilityTestReport.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:deliverability-test-report/\$1\$1ReportId\$1  |   [#amazonpinpointemailservice-aws_ResourceTag___TagKey_](#amazonpinpointemailservice-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pinpoint-email/latest/APIReference/API_IdentityInfo.html](https://docs.aws.amazon.com/pinpoint-email/latest/APIReference/API_IdentityInfo.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:identity/\$1\$1IdentityName\$1  |   [#amazonpinpointemailservice-aws_ResourceTag___TagKey_](#amazonpinpointemailservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Pinpoint Email Service
<a name="amazonpinpointemailservice-policy-keys"></a>

Amazon Pinpoint Email Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters actions based on the SES API version | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters actions based on the "Return-Path" address, which specifies where bounces and complaints are sent by email feedback forwarding | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters actions based on the "From" address of a message | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters actions based on the "From" address that is used as the display name of a message | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters actions based on the recipient addresses of a message, which include the "To", "CC", and "BCC" addresses | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Pinpoint SMS and Voice Service
<a name="list_amazonpinpointsmsandvoiceservice"></a>

Amazon Pinpoint SMS and Voice Service (service prefix: `sms-voice`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/pinpoint/latest/developerguide).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/pinpoint/latest/developerguide/permissions-actions.html#permissions-actions-apiactions) permission policies.

**Topics**
+ [

## Actions defined by Amazon Pinpoint SMS and Voice Service
](#amazonpinpointsmsandvoiceservice-actions-as-permissions)
+ [

## Resource types defined by Amazon Pinpoint SMS and Voice Service
](#amazonpinpointsmsandvoiceservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon Pinpoint SMS and Voice Service
](#amazonpinpointsmsandvoiceservice-policy-keys)

## Actions defined by Amazon Pinpoint SMS and Voice Service
<a name="amazonpinpointsmsandvoiceservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonpinpointsmsandvoiceservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets.html](https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets.html)  | Create a new configuration set. After you create the configuration set, you can add one or more event destinations to it. | Write |  |  |  | 
|   [https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets-configurationsetname-event-destinations.html](https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets-configurationsetname-event-destinations.html)  | Create a new event destination in a configuration set. | Write |  |  |   iam:PassRole   | 
|   [https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets-configurationsetname.html](https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets-configurationsetname.html)  | Deletes an existing configuration set. | Write |  |  |  | 
|   [https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets-configurationsetname-event-destinations-eventdestinationname.html](https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets-configurationsetname-event-destinations-eventdestinationname.html)  | Deletes an event destination in a configuration set. | Write |  |  |  | 
|   [https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets-configurationsetname-event-destinations.html](https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets-configurationsetname-event-destinations.html)  | Obtain information about an event destination, including the types of events it reports, the Amazon Resource Name (ARN) of the destination, and the name of the event destination. | Read |  |  |  | 
|   [https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets.html](https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets.html)  | Return a list of configuration sets. This operation only returns the configuration sets that are associated with your account in the current AWS Region. | Read |  |  |  | 
|   [https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-voice-message.html](https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-voice-message.html)  | Create a new voice message and send it to a recipient's phone number. | Write |  |  |  | 
|   [https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets-configurationsetname-event-destinations-eventdestinationname.html](https://docs.aws.amazon.com/pinpoint-sms-voice/latest/APIReference/v1-sms-voice-configuration-sets-configurationsetname-event-destinations-eventdestinationname.html)  | Update an event destination in a configuration set. An event destination is a location that you publish information about your voice calls to. For example, you can log an event to an Amazon CloudWatch destination when a call fails. | Write |  |  |   iam:PassRole   | 

## Resource types defined by Amazon Pinpoint SMS and Voice Service
<a name="amazonpinpointsmsandvoiceservice-resources-for-iam-policies"></a>

Amazon Pinpoint SMS and Voice Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Pinpoint SMS and Voice Service, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Pinpoint SMS and Voice Service
<a name="amazonpinpointsmsandvoiceservice-policy-keys"></a>

Pinpoint SMS Voice has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Polly
<a name="list_amazonpolly"></a>

Amazon Polly (service prefix: `polly`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/polly/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/polly/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/polly/latest/dg/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Polly
](#amazonpolly-actions-as-permissions)
+ [

## Resource types defined by Amazon Polly
](#amazonpolly-resources-for-iam-policies)
+ [

## Condition keys for Amazon Polly
](#amazonpolly-policy-keys)

## Actions defined by Amazon Polly
<a name="amazonpolly-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonpolly-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/polly/latest/dg/API_DeleteLexicon.html](https://docs.aws.amazon.com/polly/latest/dg/API_DeleteLexicon.html)  | Grants permission to delete the specified pronunciation lexicon stored in an AWS Region | Write |   [#amazonpolly-lexicon](#amazonpolly-lexicon)   |  |  | 
|   [https://docs.aws.amazon.com/polly/latest/dg/API_DescribeVoices.html](https://docs.aws.amazon.com/polly/latest/dg/API_DescribeVoices.html)  | Grants permission to describe the list of voices that are available for use when requesting speech synthesis | List |  |  |  | 
|   [https://docs.aws.amazon.com/polly/latest/dg/API_GetLexicon.html](https://docs.aws.amazon.com/polly/latest/dg/API_GetLexicon.html)  | Grants permission to retrieve the content of the specified pronunciation lexicon stored in an AWS Region | Read |   [#amazonpolly-lexicon](#amazonpolly-lexicon)   |  |  | 
|   [https://docs.aws.amazon.com/polly/latest/dg/API_GetSpeechSynthesisTask.html](https://docs.aws.amazon.com/polly/latest/dg/API_GetSpeechSynthesisTask.html)  | Grants permission to get information about specific speech synthesis task | Read |  |  |  | 
|   [https://docs.aws.amazon.com/polly/latest/dg/API_ListLexicons.html](https://docs.aws.amazon.com/polly/latest/dg/API_ListLexicons.html)  | Grants permission to list the pronunciation lexicons stored in an AWS Region | List |  |  |  | 
|   [https://docs.aws.amazon.com/polly/latest/dg/API_ListSpeechSynthesisTasks.html](https://docs.aws.amazon.com/polly/latest/dg/API_ListSpeechSynthesisTasks.html)  | Grants permission to list requested speech synthesis tasks | List |  |  |  | 
|   [https://docs.aws.amazon.com/polly/latest/dg/API_PutLexicon.html](https://docs.aws.amazon.com/polly/latest/dg/API_PutLexicon.html)  | Grants permission to store a pronunciation lexicon in an AWS Region | Write |   [#amazonpolly-lexicon](#amazonpolly-lexicon)   |  |  | 
|   [https://docs.aws.amazon.com/polly/latest/dg/API_StartSpeechSynthesisStream.html](https://docs.aws.amazon.com/polly/latest/dg/API_StartSpeechSynthesisStream.html)  | Grants permission to perform synthesis with bidirectional streaming | Read |   [#amazonpolly-lexicon](#amazonpolly-lexicon)   |  |  | 
|   [https://docs.aws.amazon.com/polly/latest/dg/API_StartSpeechSynthesisTask.html](https://docs.aws.amazon.com/polly/latest/dg/API_StartSpeechSynthesisTask.html)  | Grants permission to synthesize long inputs to the provided S3 location | Write |   [#amazonpolly-lexicon](#amazonpolly-lexicon)   |  |   s3:PutObject   | 
|   [https://docs.aws.amazon.com/polly/latest/dg/API_SynthesizeSpeech.html](https://docs.aws.amazon.com/polly/latest/dg/API_SynthesizeSpeech.html)  | Grants permission to synthesize speech | Read |   [#amazonpolly-lexicon](#amazonpolly-lexicon)   |  |  | 

## Resource types defined by Amazon Polly
<a name="amazonpolly-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonpolly-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/polly/latest/dg/managing-lexicons.html](https://docs.aws.amazon.com/polly/latest/dg/managing-lexicons.html)  |  arn:\$1\$1Partition\$1:polly:\$1\$1Region\$1:\$1\$1Account\$1:lexicon/\$1\$1LexiconName\$1  |  | 

## Condition keys for Amazon Polly
<a name="amazonpolly-policy-keys"></a>

Polly has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Price List
<a name="list_awspricelist"></a>

AWS Price List (service prefix: `pricing`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/using-pelong.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_Operations_AWS_Price_List_Service.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Price List
](#awspricelist-actions-as-permissions)
+ [

## Resource types defined by AWS Price List
](#awspricelist-resources-for-iam-policies)
+ [

## Condition keys for AWS Price List
](#awspricelist-policy-keys)

## Actions defined by AWS Price List
<a name="awspricelist-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awspricelist-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_pricing_DescribeServices.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_pricing_DescribeServices.html)  | Grants permission to retrieve service details for all (paginated) services (if serviceCode is not set) or service detail for a particular service (if given serviceCode) | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_pricing_GetAttributeValues.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_pricing_GetAttributeValues.html)  | Grants permission to retrieve all (paginated) possible values for a given attribute | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_pricing_GetPriceListFileUrl.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_pricing_GetPriceListFileUrl.html)  | Grants permission to retrieve the price list file URL for the given parameters | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_pricing_GetProducts.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_pricing_GetProducts.html)  | Grants permission to retrieve all matching products with given search criteria | Read |  |  |  | 
|   [https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_pricing_ListPriceLists.html](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_pricing_ListPriceLists.html)  | Grants permission to list all (paginated) eligible price lists for the given parameters | Read |  |  |  | 

## Resource types defined by AWS Price List
<a name="awspricelist-resources-for-iam-policies"></a>

AWS Price List does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Price List, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Price List
<a name="awspricelist-policy-keys"></a>

Price List has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS PricingPlanManager Service
<a name="list_awspricingplanmanagerservice"></a>

AWS PricingPlanManager Service (service prefix: `pricingplanmanager`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/pricingplanmanager/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/pricingplanmanager/userguide/security-pricing-plan.html.).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/pricingplanmanager/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS PricingPlanManager Service
](#awspricingplanmanagerservice-actions-as-permissions)
+ [

## Resource types defined by AWS PricingPlanManager Service
](#awspricingplanmanagerservice-resources-for-iam-policies)
+ [

## Condition keys for AWS PricingPlanManager Service
](#awspricingplanmanagerservice-policy-keys)

## Actions defined by AWS PricingPlanManager Service
<a name="awspricingplanmanagerservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awspricingplanmanagerservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html](https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html)  | Grants permission to associate resources with a subscription | Write |  |  |  | 
|   [https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html](https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html)  | Grants permission to cancel a subscription | Write |  |  |  | 
|   [https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html](https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html)  | Grants permission to cancel a pending a change for a subscription | Write |  |  |  | 
|   [https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html](https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html)  | Grants permission to create a subscription | Write |  |  |  | 
|   [https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html](https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html)  | Grants permission to disassociate resources from a subscription | Write |  |  |  | 
|   [https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html](https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html)  | Grants permission to get the details for a subscription | Read |  |  |  | 
|   [https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html](https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html)  | Grants permission to list subscriptions in your account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html](https://docs.aws.amazon.com/PricingPlanManager/latest/UserGuide/security-pricing-plan.html)  | Grants permission to update a subscription | Write |  |  |  | 

## Resource types defined by AWS PricingPlanManager Service
<a name="awspricingplanmanagerservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awspricingplanmanagerservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/pricingplanmanager/userguide/subscription.html](https://docs.aws.amazon.com/pricingplanmanager/userguide/subscription.html)  |  arn:\$1\$1Partition\$1:pricingplanmanager::\$1\$1Account\$1:subscription/\$1\$1SubscriptionId\$1  |  | 

## Condition keys for AWS PricingPlanManager Service
<a name="awspricingplanmanagerservice-policy-keys"></a>

PricingPlanManager has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Private CA Connector for Active Directory
<a name="list_awsprivatecaconnectorforactivedirectory"></a>

AWS Private CA Connector for Active Directory (service prefix: `pca-connector-ad`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-ad.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/privateca/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Private CA Connector for Active Directory
](#awsprivatecaconnectorforactivedirectory-actions-as-permissions)
+ [

## Resource types defined by AWS Private CA Connector for Active Directory
](#awsprivatecaconnectorforactivedirectory-resources-for-iam-policies)
+ [

## Condition keys for AWS Private CA Connector for Active Directory
](#awsprivatecaconnectorforactivedirectory-policy-keys)

## Actions defined by AWS Private CA Connector for Active Directory
<a name="awsprivatecaconnectorforactivedirectory-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsprivatecaconnectorforactivedirectory-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecaconnectorforactivedirectory.html)

## Resource types defined by AWS Private CA Connector for Active Directory
<a name="awsprivatecaconnectorforactivedirectory-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsprivatecaconnectorforactivedirectory-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_Connector.html](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_Connector.html)  |  arn:\$1\$1Partition\$1:pca-connector-ad:\$1\$1Region\$1:\$1\$1Account\$1:connector/\$1\$1ConnectorId\$1  |   [#awsprivatecaconnectorforactivedirectory-aws_ResourceTag___TagKey_](#awsprivatecaconnectorforactivedirectory-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_DirectoryRegistration.html](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_DirectoryRegistration.html)  |  arn:\$1\$1Partition\$1:pca-connector-ad:\$1\$1Region\$1:\$1\$1Account\$1:directory-registration/\$1\$1DirectoryId\$1  |   [#awsprivatecaconnectorforactivedirectory-aws_ResourceTag___TagKey_](#awsprivatecaconnectorforactivedirectory-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_Template.html](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_Template.html)  |  arn:\$1\$1Partition\$1:pca-connector-ad:\$1\$1Region\$1:\$1\$1Account\$1:connector/\$1\$1ConnectorId\$1/template/\$1\$1TemplateId\$1  |   [#awsprivatecaconnectorforactivedirectory-aws_ResourceTag___TagKey_](#awsprivatecaconnectorforactivedirectory-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Private CA Connector for Active Directory
<a name="awsprivatecaconnectorforactivedirectory-policy-keys"></a>

AWS Private CA Connector for Active Directory defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecaconnectorforactivedirectory.html#condition-keys-requesttag](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecaconnectorforactivedirectory.html#condition-keys-requesttag)  | Filters access by on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecaconnectorforactivedirectory.html#condition-keys-resourcetag](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecaconnectorforactivedirectory.html#condition-keys-resourcetag)  | Filters access by on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecaconnectorforactivedirectory.html#condition-keys-tagkeys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecaconnectorforactivedirectory.html#condition-keys-tagkeys)  | Filters access by on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Private CA Connector for SCEP
<a name="list_awsprivatecaconnectorforscep"></a>

AWS Private CA Connector for SCEP (service prefix: `pca-connector-scep`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Private CA Connector for SCEP
](#awsprivatecaconnectorforscep-actions-as-permissions)
+ [

## Resource types defined by AWS Private CA Connector for SCEP
](#awsprivatecaconnectorforscep-resources-for-iam-policies)
+ [

## Condition keys for AWS Private CA Connector for SCEP
](#awsprivatecaconnectorforscep-policy-keys)

## Actions defined by AWS Private CA Connector for SCEP
<a name="awsprivatecaconnectorforscep-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsprivatecaconnectorforscep-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecaconnectorforscep.html)

## Resource types defined by AWS Private CA Connector for SCEP
<a name="awsprivatecaconnectorforscep-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsprivatecaconnectorforscep-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_Challenge.html](https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_Challenge.html)  |  arn:\$1\$1Partition\$1:pca-connector-scep:\$1\$1Region\$1:\$1\$1Account\$1:connector/\$1\$1ConnectorId\$1/challenge/\$1\$1ChallengeId\$1  |   [#awsprivatecaconnectorforscep-aws_ResourceTag___TagKey_](#awsprivatecaconnectorforscep-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_Connector.html](https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_Connector.html)  |  arn:\$1\$1Partition\$1:pca-connector-scep:\$1\$1Region\$1:\$1\$1Account\$1:connector/\$1\$1ConnectorId\$1  |   [#awsprivatecaconnectorforscep-aws_ResourceTag___TagKey_](#awsprivatecaconnectorforscep-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Private CA Connector for SCEP
<a name="awsprivatecaconnectorforscep-policy-keys"></a>

AWS Private CA Connector for SCEP defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep.htmlreference_policies_iam-condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep.htmlreference_policies_iam-condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep.htmlreference_policies_iam-condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep.htmlreference_policies_iam-condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep.htmlreference_policies_iam-condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep.htmlreference_policies_iam-condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Private Certificate Authority
<a name="list_awsprivatecertificateauthority"></a>

AWS Private Certificate Authority (service prefix: `acm-pca`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/privateca/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/privateca/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Private Certificate Authority
](#awsprivatecertificateauthority-actions-as-permissions)
+ [

## Resource types defined by AWS Private Certificate Authority
](#awsprivatecertificateauthority-resources-for-iam-policies)
+ [

## Condition keys for AWS Private Certificate Authority
](#awsprivatecertificateauthority-policy-keys)

## Actions defined by AWS Private Certificate Authority
<a name="awsprivatecertificateauthority-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsprivatecertificateauthority-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecertificateauthority.html)

## Resource types defined by AWS Private Certificate Authority
<a name="awsprivatecertificateauthority-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsprivatecertificateauthority-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/privateca/latest/userguide/api-permissions.html](https://docs.aws.amazon.com/privateca/latest/userguide/api-permissions.html)  |  arn:\$1\$1Partition\$1:acm-pca:\$1\$1Region\$1:\$1\$1Account\$1:certificate-authority/\$1\$1CertificateAuthorityId\$1  |   [#awsprivatecertificateauthority-aws_ResourceTag___TagKey_](#awsprivatecertificateauthority-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Private Certificate Authority
<a name="awsprivatecertificateauthority-policy-keys"></a>

AWS Private Certificate Authority defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-varieties](https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-varieties)  | Filters access by the arn of the certificate template used in Issue Certificate request | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS PrivateLink
<a name="list_awsprivatelink"></a>

AWS PrivateLink (service prefix: `vpce`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS PrivateLink
](#awsprivatelink-actions-as-permissions)
+ [

## Resource types defined by AWS PrivateLink
](#awsprivatelink-resources-for-iam-policies)
+ [

## Condition keys for AWS PrivateLink
](#awsprivatelink-policy-keys)

## Actions defined by AWS PrivateLink
<a name="awsprivatelink-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsprivatelink-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatelink.html)

## Resource types defined by AWS PrivateLink
<a name="awsprivatelink-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsprivatelink-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html](https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html)  |  arn:\$1\$1Partition\$1:ec2:\$1\$1Region\$1:\$1\$1Account\$1:vpc-endpoint/\$1\$1VpcEndpointId\$1  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html](https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html)  |  arn:\$1\$1Partition\$1:ec2:\$1\$1Region\$1:\$1\$1Account\$1:vpc-endpoint-service/\$1\$1VpcEndpointServiceId\$1  |  | 

## Condition keys for AWS PrivateLink
<a name="awsprivatelink-policy-keys"></a>

VPC Endpoints has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Proton
<a name="list_awsproton"></a>

AWS Proton (service prefix: `proton`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/proton/latest/adminguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/proton/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/proton/latest/adminguide/ag-controlling-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Proton
](#awsproton-actions-as-permissions)
+ [

## Resource types defined by AWS Proton
](#awsproton-resources-for-iam-policies)
+ [

## Condition keys for AWS Proton
](#awsproton-policy-keys)

## Actions defined by AWS Proton
<a name="awsproton-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsproton-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsproton.html)

## Resource types defined by AWS Proton
<a name="awsproton-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsproton-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-env-templates.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-env-templates.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:environment-template/\$1\$1Name\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-env-templates.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-env-templates.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:environment-template/\$1\$1TemplateName\$1:\$1\$1MajorVersion\$1.\$1\$1MinorVersion\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-env-templates.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-env-templates.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:environment-template/\$1\$1TemplateName\$1:\$1\$1MajorVersionId\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-env-templates.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-env-templates.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:environment-template/\$1\$1TemplateName\$1:\$1\$1MajorVersionId\$1.\$1\$1MinorVersionId\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/managing-svc-templates.html](https://docs.aws.amazon.com/proton/latest/adminguide/managing-svc-templates.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:service-template/\$1\$1Name\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/managing-svc-templates.html](https://docs.aws.amazon.com/proton/latest/adminguide/managing-svc-templates.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:service-template/\$1\$1TemplateName\$1:\$1\$1MajorVersion\$1.\$1\$1MinorVersion\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/managing-svc-templates.html](https://docs.aws.amazon.com/proton/latest/adminguide/managing-svc-templates.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:service-template/\$1\$1TemplateName\$1:\$1\$1MajorVersionId\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/managing-svc-templates.html](https://docs.aws.amazon.com/proton/latest/adminguide/managing-svc-templates.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:service-template/\$1\$1TemplateName\$1:\$1\$1MajorVersionId\$1.\$1\$1MinorVersionId\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-environments.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-environments.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1Name\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-services.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-services.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1Name\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-services.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-services.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceName\$1/service-instance/\$1\$1Name\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-env-account-connections.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-env-account-connections.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:environment-account-connection/\$1\$1Id\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-repositories.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-repositories.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:repository/\$1\$1Provider\$1:\$1\$1Name\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-components.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-components.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:component/\$1\$1Id\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/proton/latest/adminguide/ag-deployments.html](https://docs.aws.amazon.com/proton/latest/adminguide/ag-deployments.html)  |  arn:\$1\$1Partition\$1:proton:\$1\$1Region\$1:\$1\$1Account\$1:deployment/\$1\$1Id\$1  |   [#awsproton-aws_ResourceTag___TagKey_](#awsproton-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Proton
<a name="awsproton-policy-keys"></a>

AWS Proton defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by specified environment template related to resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by specified service template related to resource | String | 

# Actions, resources, and condition keys for AWS Purchase Orders Console
<a name="list_awspurchaseordersconsole"></a>

AWS Purchase Orders Console (service prefix: `purchase-orders`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions) permission policies.

**Topics**
+ [

## Actions defined by AWS Purchase Orders Console
](#awspurchaseordersconsole-actions-as-permissions)
+ [

## Resource types defined by AWS Purchase Orders Console
](#awspurchaseordersconsole-resources-for-iam-policies)
+ [

## Condition keys for AWS Purchase Orders Console
](#awspurchaseordersconsole-policy-keys)

## Actions defined by AWS Purchase Orders Console
<a name="awspurchaseordersconsole-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awspurchaseordersconsole-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awspurchaseordersconsole.html)

## Resource types defined by AWS Purchase Orders Console
<a name="awspurchaseordersconsole-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awspurchaseordersconsole-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions)  |  arn:\$1\$1Partition\$1:purchase-orders::\$1\$1Account\$1:purchase-order/\$1\$1ResourceName\$1  |   [#awspurchaseordersconsole-aws_ResourceTag___TagKey_](#awspurchaseordersconsole-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Purchase Orders Console
<a name="awspurchaseordersconsole-policy-keys"></a>

AWS Purchase Orders Console defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the set of tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in a request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Q
<a name="list_amazonq"></a>

Amazon Q (service prefix: `q`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Q
](#amazonq-actions-as-permissions)
+ [

## Resource types defined by Amazon Q
](#amazonq-resources-for-iam-policies)
+ [

## Condition keys for Amazon Q
](#amazonq-policy-keys)

## Actions defined by Amazon Q
<a name="amazonq-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonq-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonq.html)

## Resource types defined by Amazon Q
<a name="amazonq-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonq-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/as-whisper-admin.html#about-profiles](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/as-whisper-admin.html#about-profiles)  |  arn:\$1\$1Partition\$1:codewhisperer:\$1\$1Region\$1:\$1\$1Account\$1:profile/\$1\$1Identifier\$1  |  | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/plugins.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/plugins.html)  |  arn:\$1\$1Partition\$1:qdeveloper:\$1\$1Region\$1:\$1\$1Account\$1:plugin/\$1\$1Identifier\$1  |   [#amazonq-aws_ResourceTag___TagKey_](#amazonq-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Q
<a name="amazonq-policy-keys"></a>

Amazon Q defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html)  | Filters access by the tags associated with the Amazon Q resource | String | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html)  | Filters access by IAM Identity Center Group ID | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html)  | Filters access by IAM Identity Center User ID | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Q Business
<a name="list_amazonqbusiness"></a>

Amazon Q Business (service prefix: `qbusiness`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amazonq/latest/api-reference/).
+ Learn how to secure this service and its resources by [using IAM](${UserGuideDocPage}security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Q Business
](#amazonqbusiness-actions-as-permissions)
+ [

## Resource types defined by Amazon Q Business
](#amazonqbusiness-resources-for-iam-policies)
+ [

## Condition keys for Amazon Q Business
](#amazonqbusiness-policy-keys)

## Actions defined by Amazon Q Business
<a name="amazonqbusiness-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonqbusiness-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqbusiness.html)

## Resource types defined by Amazon Q Business
<a name="amazonqbusiness-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonqbusiness-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-application.html](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-application.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1  |   [#amazonqbusiness-aws_ResourceTag___TagKey_](#amazonqbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-integration.html](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-integration.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/integration/\$1\$1IntegrationId\$1  |   [#amazonqbusiness-aws_ResourceTag___TagKey_](#amazonqbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazonq/latest/business-use-dg/select-retriever.html](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/select-retriever.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/retriever/\$1\$1RetrieverId\$1  |   [#amazonqbusiness-aws_ResourceTag___TagKey_](#amazonqbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazonq/latest/business-use-dg/select-retriever.html](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/select-retriever.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/index/\$1\$1IndexId\$1  |   [#amazonqbusiness-aws_ResourceTag___TagKey_](#amazonqbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazonq/latest/business-use-dg/connect-data.html](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/connect-data.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/index/\$1\$1IndexId\$1/data-source/\$1\$1DataSourceId\$1  |   [#amazonqbusiness-aws_ResourceTag___TagKey_](#amazonqbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazonq/latest/business-use-dg/plugins.html](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/plugins.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/plugin/\$1\$1PluginId\$1  |   [#amazonqbusiness-aws_ResourceTag___TagKey_](#amazonqbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazonq/latest/business-use-dg/using-web-experience.html](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/using-web-experience.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/web-experience/\$1\$1WebExperienceId\$1  |   [#amazonqbusiness-aws_ResourceTag___TagKey_](#amazonqbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazonq/latest/business-use-dg/subscriptions.html](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/subscriptions.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/subscription/\$1\$1SubscriptionId\$1  |  | 
|   [https://docs.aws.amazon.com/amazonq/latest/business-use-dg/data-accessors.html](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/data-accessors.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/data-accessor/\$1\$1DataAccessorId\$1  |   [#amazonqbusiness-aws_ResourceTag___TagKey_](#amazonqbusiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazonq/latest/business-use-dg/response-customization.html](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/response-customization.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/chat-response-configuration/\$1\$1ChatResponseConfigurationId\$1  |   [#amazonqbusiness-aws_ResourceTag___TagKey_](#amazonqbusiness-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Q Business
<a name="amazonqbusiness-policy-keys"></a>

Amazon Q Business defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security_iam_service-with-iam.html](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security_iam_service-with-iam.html)  | Filters access by IAM Identity Center Group ID | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security_iam_service-with-iam.html](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security_iam_service-with-iam.html)  | Filters access by IAM Identity Center User ID | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Q Business Q Apps
<a name="list_amazonqbusinessqapps"></a>

Amazon Q Business Q Apps (service prefix: `qapps`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amazonq/latest/api-reference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Q Business Q Apps
](#amazonqbusinessqapps-actions-as-permissions)
+ [

## Resource types defined by Amazon Q Business Q Apps
](#amazonqbusinessqapps-resources-for-iam-policies)
+ [

## Condition keys for Amazon Q Business Q Apps
](#amazonqbusinessqapps-policy-keys)

## Actions defined by Amazon Q Business Q Apps
<a name="amazonqbusinessqapps-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonqbusinessqapps-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqbusinessqapps.html)

## Resource types defined by Amazon Q Business Q Apps
<a name="amazonqbusinessqapps-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonqbusinessqapps-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-app.html](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-app.html)  |  arn:\$1\$1Partition\$1:qbusiness:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1  |  | 
|   [https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/purpose-built-qapps.html](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/purpose-built-qapps.html)  |  arn:\$1\$1Partition\$1:qapps:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/qapp/\$1\$1AppId\$1  |   [#amazonqbusinessqapps-aws_ResourceTag___TagKey_](#amazonqbusinessqapps-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/purpose-built-qapps.html](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/purpose-built-qapps.html)  |  arn:\$1\$1Partition\$1:qapps:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1/qapp/\$1\$1AppId\$1/session/\$1\$1SessionId\$1  |   [#amazonqbusinessqapps-aws_ResourceTag___TagKey_](#amazonqbusinessqapps-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Q Business Q Apps
<a name="amazonqbusinessqapps-policy-keys"></a>

Amazon Q Business Q Apps defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security-iam.html](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security-iam.html)  | Filters access by whether Q App is published | String | 
|   [https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security-iam.html](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security-iam.html)  | Filters access by whether Q App Session is shared | String | 
|   [https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security-iam.html](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security-iam.html)  | Filters access by whether requester is Q App owner | String | 
|   [https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security-iam.html](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/security-iam.html)  | Filters access by whether requester is Q App Session moderator | String | 

# Actions, resources, and condition keys for Amazon Q Developer
<a name="list_amazonqdeveloper"></a>

Amazon Q Developer (service prefix: `qdeveloper`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Q Developer
](#amazonqdeveloper-actions-as-permissions)
+ [

## Resource types defined by Amazon Q Developer
](#amazonqdeveloper-resources-for-iam-policies)
+ [

## Condition keys for Amazon Q Developer
](#amazonqdeveloper-policy-keys)

## Actions defined by Amazon Q Developer
<a name="amazonqdeveloper-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonqdeveloper-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqdeveloper.html)

## Resource types defined by Amazon Q Developer
<a name="amazonqdeveloper-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonqdeveloper-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/codeTransformation.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/codeTransformation.html)  |  arn:\$1\$1Partition\$1:qdeveloper:\$1\$1Region\$1:\$1\$1Account\$1:codeTransformation/\$1\$1Identifier\$1  |   [#amazonqdeveloper-aws_ResourceTag___TagKey_](#amazonqdeveloper-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Q Developer
<a name="amazonqdeveloper-policy-keys"></a>

Amazon Q Developer defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html)  | Filters access by the tags associated with the Amazon Q Developer resource | String | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Q in Connect
<a name="list_amazonqinconnect"></a>

Amazon Q in Connect (service prefix: `wisdom`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/connect/latest/adminguide/what-is-amazon-connect.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/connect/latest/adminguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Q in Connect
](#amazonqinconnect-actions-as-permissions)
+ [

## Resource types defined by Amazon Q in Connect
](#amazonqinconnect-resources-for-iam-policies)
+ [

## Condition keys for Amazon Q in Connect
](#amazonqinconnect-policy-keys)

## Actions defined by Amazon Q in Connect
<a name="amazonqinconnect-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonqinconnect-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqinconnect.html)

## Resource types defined by Amazon Q in Connect
<a name="amazonqinconnect-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonqinconnect-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_AIAgentData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_AIAgentData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:ai-agent/\$1\$1AssistantId\$1/\$1\$1AIAgentId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_AIPromptData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_AIPromptData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:ai-prompt/\$1\$1AssistantId\$1/\$1\$1AIPromptId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_AIGuardrailData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_AIGuardrailData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:ai-guardrail/\$1\$1AssistantId\$1/\$1\$1AIGuardrailId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_AssistantData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_AssistantData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:assistant/\$1\$1AssistantId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_AssistantAssociationData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_AssistantAssociationData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:association/\$1\$1AssistantId\$1/\$1\$1AssistantAssociationId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_ContentData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_ContentData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:content/\$1\$1KnowledgeBaseId\$1/\$1\$1ContentId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_ContentAssociationData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_ContentAssociationData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:content-association/\$1\$1KnowledgeBaseId\$1/\$1\$1ContentId\$1/\$1\$1ContentAssociationId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_KnowledgeBaseData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_KnowledgeBaseData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:knowledge-base/\$1\$1KnowledgeBaseId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_MessageTemplateData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_MessageTemplateData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:message-template/\$1\$1KnowledgeBaseId\$1/\$1\$1MessageTemplateId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   [#amazonqinconnect-wisdom_MessageTemplate_RoutingProfileArn](#amazonqinconnect-wisdom_MessageTemplate_RoutingProfileArn)   | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_SessionData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_SessionData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:session/\$1\$1AssistantId\$1/\$1\$1SessionId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wisdom/latest/APIReference/API_QuickResponseData.html](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_QuickResponseData.html)  |  arn:\$1\$1Partition\$1:wisdom:\$1\$1Region\$1:\$1\$1Account\$1:quick-response/\$1\$1KnowledgeBaseId\$1/\$1\$1QuickResponseId\$1  |   [#amazonqinconnect-aws_ResourceTag___TagKey_](#amazonqinconnect-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Q in Connect
<a name="amazonqinconnect-policy-keys"></a>

Amazon Q in Connect defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonconnectwisdom.html#amazonconnectwisdom-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonconnectwisdom.html#amazonconnectwisdom-policy-keys)  | Filters access by the connect routing profile arns associated with the resource | ArrayOfARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonconnectwisdom.html#amazonconnectwisdom-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonconnectwisdom.html#amazonconnectwisdom-policy-keys)  | Filters access by the qualifiers that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonconnectwisdom.html#amazonconnectwisdom-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonconnectwisdom.html#amazonconnectwisdom-policy-keys)  | Filters access by the connect routing profile arn that is passed in the request | ARN | 

# Actions, resources, and condition keys for Amazon QLDB
<a name="list_amazonqldb"></a>

Amazon QLDB (service prefix: `qldb`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/qldb/latest/developerguide/index.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/qldb/latest/developerguide/api-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/qldb/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon QLDB
](#amazonqldb-actions-as-permissions)
+ [

## Resource types defined by Amazon QLDB
](#amazonqldb-resources-for-iam-policies)
+ [

## Condition keys for Amazon QLDB
](#amazonqldb-policy-keys)

## Actions defined by Amazon QLDB
<a name="amazonqldb-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonqldb-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqldb.html)

## Resource types defined by Amazon QLDB
<a name="amazonqldb-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonqldb-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/ledger-structure.html](https://docs.aws.amazon.com/qldb/latest/developerguide/ledger-structure.html)  |  arn:\$1\$1Partition\$1:qldb:\$1\$1Region\$1:\$1\$1Account\$1:ledger/\$1\$1LedgerName\$1  |   [#amazonqldb-aws_ResourceTag___TagKey_](#amazonqldb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/streams.html](https://docs.aws.amazon.com/qldb/latest/developerguide/streams.html)  |  arn:\$1\$1Partition\$1:qldb:\$1\$1Region\$1:\$1\$1Account\$1:stream/\$1\$1LedgerName\$1/\$1\$1StreamId\$1  |   [#amazonqldb-aws_ResourceTag___TagKey_](#amazonqldb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/working.manage-tables.html](https://docs.aws.amazon.com/qldb/latest/developerguide/working.manage-tables.html)  |  arn:\$1\$1Partition\$1:qldb:\$1\$1Region\$1:\$1\$1Account\$1:ledger/\$1\$1LedgerName\$1/table/\$1\$1TableId\$1  |   [#amazonqldb-aws_ResourceTag___TagKey_](#amazonqldb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/qldb/latest/developerguide/working.catalog.html](https://docs.aws.amazon.com/qldb/latest/developerguide/working.catalog.html)  |  arn:\$1\$1Partition\$1:qldb:\$1\$1Region\$1:\$1\$1Account\$1:ledger/\$1\$1LedgerName\$1/information\$1schema/user\$1tables  |   [#amazonqldb-aws_ResourceTag___TagKey_](#amazonqldb-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon QLDB
<a name="amazonqldb-policy-keys"></a>

Amazon QLDB defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-purge](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-purge)  | Filters access by the value of purge that is specified in a PartiQL DROP statement | String | 

# Actions, resources, and condition keys for Amazon QuickSight
<a name="list_amazonquicksight"></a>

Amazon QuickSight (service prefix: `quicksight`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/quicksight/latest/user/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/quicksight/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/quicksight/latest/user/identity.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon QuickSight
](#amazonquicksight-actions-as-permissions)
+ [

## Resource types defined by Amazon QuickSight
](#amazonquicksight-resources-for-iam-policies)
+ [

## Condition keys for Amazon QuickSight
](#amazonquicksight-policy-keys)

## Actions defined by Amazon QuickSight
<a name="amazonquicksight-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonquicksight-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html)

## Resource types defined by Amazon QuickSight
<a name="amazonquicksight-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonquicksight-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_AccountInfo.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_AccountInfo.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:account/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_User.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_User.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:user/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Group.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Group.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:group/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Analysis.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Analysis.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:analysis/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Dashboard.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Dashboard.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:dashboard/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Template.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Template.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:template/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_VPCConnection.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_VPCConnection.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:vpcConnection/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_StartAssetBundleExportJob.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_StartAssetBundleExportJob.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:asset-bundle-export-job/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_StartAssetBundleImportJob.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_StartAssetBundleImportJob.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:asset-bundle-import-job/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_DataSource.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_DataSource.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:datasource/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_DataSet.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_DataSet.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:dataset/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Ingestion.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Ingestion.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:dataset/\$1\$1DatasetId\$1/ingestion/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_RefreshSchedule.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_RefreshSchedule.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:dataset/\$1\$1DatasetId\$1/refresh-schedule/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Theme.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Theme.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:theme/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_IAMPolicyAssignment.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_IAMPolicyAssignment.html)  |  arn:\$1\$1Partition\$1:quicksight::\$1\$1Account\$1:assignment/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_AccountCustomization.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_AccountCustomization.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:customization/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_NamespaceInfoV2.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_NamespaceInfoV2.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:namespace/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Folder.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Folder.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:folder/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/customizing-quicksight-email-templates.html](https://docs.aws.amazon.com/quicksight/latest/user/customizing-quicksight-email-templates.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:email-customization-template/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_TopicDetails.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_TopicDetails.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:topic/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_DashboardSnapshotJob.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_DashboardSnapshotJob.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:dashboard/\$1\$1DashboardId\$1/snapshot-job/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_BrandDetail.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_BrandDetail.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:brand/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_CustomPermissions.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_CustomPermissions.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:custompermissions/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_ActionConnectorDetail.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_ActionConnectorDetail.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:action-connector/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html](https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:agent/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html](https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:extension-access/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Flow.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Flow.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:flow/\$1\$1ResourceId\$1  |   [#amazonquicksight-aws_ResourceTag___TagKey_](#amazonquicksight-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Automation.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_Automation.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:automation-group/\$1\$1AutomationGroupId\$1/automation/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_AutomationJob.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_AutomationJob.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:automation-group/\$1\$1AutomationGroupId\$1/automation/\$1\$1AutomationId\$1/job/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/quicksight/latest/APIReference/API_AutomationGroup.html](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_AutomationGroup.html)  |  arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:automation-group/\$1\$1ResourceId\$1  |  | 

## Condition keys for Amazon QuickSight
<a name="amazonquicksight-policy-keys"></a>

Amazon QuickSight defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys | ArrayOfString | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/embedded-dashboards-for-authenticated-users-step-1.html](https://docs.aws.amazon.com/quicksight/latest/user/embedded-dashboards-for-authenticated-users-step-1.html)  | Filters access by the allowed embedding domains | ArrayOfString | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/security-scp.html](https://docs.aws.amazon.com/quicksight/latest/user/security-scp.html)  | Filters access by the user management options | String | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/security-scp.html](https://docs.aws.amazon.com/quicksight/latest/user/security-scp.html)  | Filters access by the edition of QuickSight | String | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html](https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html)  | Filters access by QuickSight group ARN | ARN | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html](https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html)  | Filters access by IAM user or role ARN | ARN | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/key-management.html](https://docs.aws.amazon.com/quicksight/latest/user/key-management.html)  | Filters access by KMS key ARNs | ArrayOfARN | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html](https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html)  | Filters access by session name | String | 
|   [https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html](https://docs.aws.amazon.com/quicksight/latest/user/iam-actions.html)  | Filters access by user name | String | 

# Actions, resources, and condition keys for Amazon RDS Data API
<a name="list_amazonrdsdataapi"></a>

Amazon RDS Data API (service prefix: `rds-data`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/rdsdataservice/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAM.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon RDS Data API
](#amazonrdsdataapi-actions-as-permissions)
+ [

## Resource types defined by Amazon RDS Data API
](#amazonrdsdataapi-resources-for-iam-policies)
+ [

## Condition keys for Amazon RDS Data API
](#amazonrdsdataapi-policy-keys)

## Actions defined by Amazon RDS Data API
<a name="amazonrdsdataapi-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonrdsdataapi-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrdsdataapi.html)

## Resource types defined by Amazon RDS Data API
<a name="amazonrdsdataapi-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonrdsdataapi-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Managing.html](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Managing.html)  |  arn:\$1\$1Partition\$1:rds:\$1\$1Region\$1:\$1\$1Account\$1:cluster:\$1\$1DbClusterInstanceName\$1  |   [#amazonrdsdataapi-aws_ResourceTag___TagKey_](#amazonrdsdataapi-aws_ResourceTag___TagKey_)   [#amazonrdsdataapi-aws_TagKeys](#amazonrdsdataapi-aws_TagKeys)   | 

## Condition keys for Amazon RDS Data API
<a name="amazonrdsdataapi-policy-keys"></a>

Amazon RDS Data API defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys associated with the resource | ArrayOfString | 

# Actions, resources, and condition keys for Amazon RDS IAM Authentication
<a name="list_amazonrdsiamauthentication"></a>

Amazon RDS IAM Authentication (service prefix: `rds-db`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon RDS IAM Authentication
](#amazonrdsiamauthentication-actions-as-permissions)
+ [

## Resource types defined by Amazon RDS IAM Authentication
](#amazonrdsiamauthentication-resources-for-iam-policies)
+ [

## Condition keys for Amazon RDS IAM Authentication
](#amazonrdsiamauthentication-policy-keys)

## Actions defined by Amazon RDS IAM Authentication
<a name="amazonrdsiamauthentication-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonrdsiamauthentication-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html)  | Allows IAM role or user to connect to RDS database | Permissions management |   [#amazonrdsiamauthentication-db-user](#amazonrdsiamauthentication-db-user)   |  |  | 

## Resource types defined by Amazon RDS IAM Authentication
<a name="amazonrdsiamauthentication-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonrdsiamauthentication-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html)  |  arn:\$1\$1Partition\$1:rds-db:\$1\$1Region\$1:\$1\$1Account\$1:dbuser:\$1\$1DbiResourceId\$1/\$1\$1DbUserName\$1  |  | 

## Condition keys for Amazon RDS IAM Authentication
<a name="amazonrdsiamauthentication-policy-keys"></a>

RDS IAM Authentication has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Recycle Bin
<a name="list_awsrecyclebin"></a>

AWS Recycle Bin (service prefix: `rbin`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/recyclebin/latest/APIReference/Welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/recyclebin/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recycle-bin-perms.html#rule-perms) permission policies.

**Topics**
+ [

## Actions defined by AWS Recycle Bin
](#awsrecyclebin-actions-as-permissions)
+ [

## Resource types defined by AWS Recycle Bin
](#awsrecyclebin-resources-for-iam-policies)
+ [

## Condition keys for AWS Recycle Bin
](#awsrecyclebin-policy-keys)

## Actions defined by AWS Recycle Bin
<a name="awsrecyclebin-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsrecyclebin-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html)

## Resource types defined by AWS Recycle Bin
<a name="awsrecyclebin-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsrecyclebin-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-recycle-bin.html#recycle-bin-concepts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-recycle-bin.html#recycle-bin-concepts)  |  arn:\$1\$1Partition\$1:rbin:\$1\$1Region\$1:\$1\$1Account\$1:rule/\$1\$1ResourceName\$1  |   [#awsrecyclebin-aws_ResourceTag___TagKey_](#awsrecyclebin-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Recycle Bin
<a name="awsrecyclebin-policy-keys"></a>

AWS Recycle Bin defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in a request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recycle-bin-perms.html#rbin-condition-keys](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recycle-bin-perms.html#rbin-condition-keys)  | Filters access by the resource type of the existing rule | String | 
|   [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recycle-bin-perms.html#rbin-condition-keys](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recycle-bin-perms.html#rbin-condition-keys)  | Filters access by the resource type in a request | String | 

# Actions, resources, and condition keys for Amazon Redshift
<a name="list_amazonredshift"></a>

Amazon Redshift (service prefix: `redshift`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/redshift/latest/mgmt/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/redshift/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Redshift
](#amazonredshift-actions-as-permissions)
+ [

## Resource types defined by Amazon Redshift
](#amazonredshift-resources-for-iam-policies)
+ [

## Condition keys for Amazon Redshift
](#amazonredshift-policy-keys)

## Actions defined by Amazon Redshift
<a name="amazonredshift-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonredshift-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html)

## Resource types defined by Amazon Redshift
<a name="amazonredshift-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonredshift-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:cluster:\$1\$1ClusterName\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/dg/datashare-overview.html](https://docs.aws.amazon.com/redshift/latest/dg/datashare-overview.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:datashare:\$1\$1ProducerClusterNamespace\$1/\$1\$1DataShareName\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_GROUP.html](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_GROUP.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:dbgroup:\$1\$1ClusterName\$1/\$1\$1DbGroup\$1  |  | 
|   [https://docs.aws.amazon.com/redshift/latest/dg/t_creating_database.html](https://docs.aws.amazon.com/redshift/latest/dg/t_creating_database.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:dbname:\$1\$1ClusterName\$1/\$1\$1DbName\$1  |  | 
|   [https://docs.aws.amazon.com/redshift/latest/dg/r_Users.html](https://docs.aws.amazon.com/redshift/latest/dg/r_Users.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:dbuser:\$1\$1ClusterName\$1/\$1\$1DbUser\$1  |  | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-events.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-events.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:eventsubscription:\$1\$1EventSubscriptionName\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#working-with-HSM](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#working-with-HSM)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:hsmclientcertificate:\$1\$1HSMClientCertificateId\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#working-with-HSM](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#working-with-HSM)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:hsmconfiguration:\$1\$1HSMConfigurationId\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/zero-etl-using.html](https://docs.aws.amazon.com/redshift/latest/mgmt/zero-etl-using.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:integration:\$1\$1IntegrationIdentifier\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/dg/concepts.html](https://docs.aws.amazon.com/redshift/latest/dg/concepts.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:namespace:\$1\$1ClusterNamespace\$1  |  | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-parameter-groups.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-parameter-groups.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:parametergroup:\$1\$1ParameterGroupName\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:securitygroup:\$1\$1SecurityGroupName\$1/ec2securitygroup/\$1\$1Owner\$1/\$1\$1Ec2SecurityGroupId\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:securitygroupingress:\$1\$1SecurityGroupName\$1/cidrip/\$1\$1IpRange\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:securitygroupingress:\$1\$1SecurityGroupName\$1/ec2securitygroup/\$1\$1Owner\$1/\$1\$1Ece2SecuritygroupId\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:snapshot:\$1\$1ClusterName\$1/\$1\$1SnapshotName\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#configure-snapshot-copy-grant](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html#configure-snapshot-copy-grant)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:snapshotcopygrant:\$1\$1SnapshotCopyGrantName\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:snapshotschedule:\$1\$1ScheduleIdentifier\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-cluster-subnet-groups.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-cluster-subnet-groups.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:subnetgroup:\$1\$1SubnetGroupName\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cluster-usage-limits.html](https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cluster-usage-limits.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:usagelimit:\$1\$1UsageLimitId\$1  |   [#amazonredshift-aws_ResourceTag___TagKey_](#amazonredshift-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-idp-connect.html](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-idp-connect.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:redshiftidcapplication:\$1\$1RedshiftIdcApplicationId\$1  |  | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-idp-connect.html](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-idp-connect.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:qev2idcapplication:\$1\$1Qev2IdcApplicationId\$1  |  | 

## Condition keys for Amazon Redshift
<a name="amazonredshift-policy-keys"></a>

Amazon Redshift defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by actions based on the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by actions based on tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by actions based on the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by the allowWrites input parameter | Bool | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by the datashare consumer arn | ARN | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by the datashare consumer | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by the database name | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by the database user name | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by the number of seconds until a temporary credential set expires | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by the ARN of an inbound zero-ETL Integration resource | ARN | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by the ARN of a zero-ETL Integration source | ARN | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by the ARN of a zero-ETL Integration target | ARN | 

# Actions, resources, and condition keys for Amazon Redshift Data API
<a name="list_amazonredshiftdataapi"></a>

Amazon Redshift Data API (service prefix: `redshift-data`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/redshift/latest/mgmt/data-api.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/redshift-data/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Redshift Data API
](#amazonredshiftdataapi-actions-as-permissions)
+ [

## Resource types defined by Amazon Redshift Data API
](#amazonredshiftdataapi-resources-for-iam-policies)
+ [

## Condition keys for Amazon Redshift Data API
](#amazonredshiftdataapi-policy-keys)

## Actions defined by Amazon Redshift Data API
<a name="amazonredshiftdataapi-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonredshiftdataapi-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftdataapi.html)

## Resource types defined by Amazon Redshift Data API
<a name="amazonredshiftdataapi-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonredshiftdataapi-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html)  |  arn:\$1\$1Partition\$1:redshift:\$1\$1Region\$1:\$1\$1Account\$1:cluster:\$1\$1ClusterName\$1  |   [#amazonredshiftdataapi-aws_ResourceTag___TagKey_](#amazonredshiftdataapi-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-serverless.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-serverless.html)  |  arn:\$1\$1Partition\$1:redshift-serverless:\$1\$1Region\$1:\$1\$1Account\$1:workgroup/\$1\$1WorkgroupId\$1  |   [#amazonredshiftdataapi-aws_ResourceTag___TagKey_](#amazonredshiftdataapi-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-serverless.html](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-serverless.html)  |  arn:\$1\$1Partition\$1:redshift-serverless:\$1\$1Region\$1:\$1\$1Account\$1:managed-workgroup/\$1\$1ManagedWorkgroupId\$1  |  | 

## Condition keys for Amazon Redshift Data API
<a name="amazonredshiftdataapi-policy-keys"></a>

Amazon Redshift Data API defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by glue catalog arn | ARN | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by session owner iam userid | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-overview.html#redshift-policy-resources.conditions)  | Filters access by statement owner iam userid | String | 

# Actions, resources, and condition keys for Amazon Redshift Serverless
<a name="list_amazonredshiftserverless"></a>

Amazon Redshift Serverless (service prefix: `redshift-serverless`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-serverless.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/redshift-serverless/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Redshift Serverless
](#amazonredshiftserverless-actions-as-permissions)
+ [

## Resource types defined by Amazon Redshift Serverless
](#amazonredshiftserverless-resources-for-iam-policies)
+ [

## Condition keys for Amazon Redshift Serverless
](#amazonredshiftserverless-policy-keys)

## Actions defined by Amazon Redshift Serverless
<a name="amazonredshiftserverless-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonredshiftserverless-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftserverless.html)

## Resource types defined by Amazon Redshift Serverless
<a name="amazonredshiftserverless-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonredshiftserverless-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-workgroup-namespace.html](https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-workgroup-namespace.html)  |  arn:\$1\$1Partition\$1:redshift-serverless:\$1\$1Region\$1:\$1\$1Account\$1:namespace/\$1\$1NamespaceId\$1  |   [#amazonredshiftserverless-aws_ResourceTag___TagKey_](#amazonredshiftserverless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-snapshots-recovery.html](https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-snapshots-recovery.html)  |  arn:\$1\$1Partition\$1:redshift-serverless:\$1\$1Region\$1:\$1\$1Account\$1:snapshot/\$1\$1SnapshotId\$1  |   [#amazonredshiftserverless-aws_ResourceTag___TagKey_](#amazonredshiftserverless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-workgroup-namespace.html](https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-workgroup-namespace.html)  |  arn:\$1\$1Partition\$1:redshift-serverless:\$1\$1Region\$1:\$1\$1Account\$1:workgroup/\$1\$1WorkgroupId\$1  |   [#amazonredshiftserverless-aws_ResourceTag___TagKey_](#amazonredshiftserverless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-managed-workgroup-namespace.html](https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-managed-workgroup-namespace.html)  |  arn:\$1\$1Partition\$1:redshift-serverless:\$1\$1Region\$1:\$1\$1Account\$1:managed-workgroup/\$1\$1ManagedWorkgroupName\$1  |  | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-snapshots-recovery.html](https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-snapshots-recovery.html)  |  arn:\$1\$1Partition\$1:redshift-serverless:\$1\$1Region\$1:\$1\$1Account\$1:recoverypoint/\$1\$1RecoveryPointId\$1  |   [#amazonredshiftserverless-aws_ResourceTag___TagKey_](#amazonredshiftserverless-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-connecting.html](https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-connecting.html)  |  arn:\$1\$1Partition\$1:redshift-serverless:\$1\$1Region\$1:\$1\$1Account\$1:managedvpcendpoint/\$1\$1EndpointAccessId\$1  |  | 

## Condition keys for Amazon Redshift Serverless
<a name="amazonredshiftserverless-policy-keys"></a>

Amazon Redshift Serverless defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html)  | Filters access by the endpoint access identifier | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html)  | Filters access by the managed workgroup identifier | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html)  | Filters access by the namespace identifier | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html)  | Filters access by the recovery point identifier | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html)  | Filters access by the snapshot identifier | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html)  | Filters access by the table restore request identifier | String | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-policy-resources.resource-permissions.html)  | Filters access by the workgroup identifier | String | 

# Actions, resources, and condition keys for Amazon Rekognition
<a name="list_amazonrekognition"></a>

Amazon Rekognition (service prefix: `rekognition`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/rekognition/latest/APIReference/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/rekognition/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/rekognition/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Rekognition
](#amazonrekognition-actions-as-permissions)
+ [

## Resource types defined by Amazon Rekognition
](#amazonrekognition-resources-for-iam-policies)
+ [

## Condition keys for Amazon Rekognition
](#amazonrekognition-policy-keys)

## Actions defined by Amazon Rekognition
<a name="amazonrekognition-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonrekognition-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html)

## Resource types defined by Amazon Rekognition
<a name="amazonrekognition-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonrekognition-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/rekognition/latest/dg/collections.html](https://docs.aws.amazon.com/rekognition/latest/dg/collections.html)  |  arn:\$1\$1Partition\$1:rekognition:\$1\$1Region\$1:\$1\$1Account\$1:collection/\$1\$1CollectionId\$1  |   [#amazonrekognition-aws_ResourceTag___TagKey_](#amazonrekognition-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/rekognition/latest/dg/streaming-video.html](https://docs.aws.amazon.com/rekognition/latest/dg/streaming-video.html)  |  arn:\$1\$1Partition\$1:rekognition:\$1\$1Region\$1:\$1\$1Account\$1:streamprocessor/\$1\$1StreamprocessorId\$1  |   [#amazonrekognition-aws_ResourceTag___TagKey_](#amazonrekognition-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/rekognition/latest/customlabels-dg/mp-create-project.html](https://docs.aws.amazon.com/rekognition/latest/customlabels-dg/mp-create-project.html)  |  arn:\$1\$1Partition\$1:rekognition:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ProjectName\$1/\$1\$1CreationTimestamp\$1  |   [#amazonrekognition-aws_ResourceTag___TagKey_](#amazonrekognition-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/rekognition/latest/customlabels-dg/training-model.html](https://docs.aws.amazon.com/rekognition/latest/customlabels-dg/training-model.html)  |  arn:\$1\$1Partition\$1:rekognition:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ProjectName\$1/version/\$1\$1VersionName\$1/\$1\$1CreationTimestamp\$1  |   [#amazonrekognition-aws_ResourceTag___TagKey_](#amazonrekognition-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/rekognition/latest/customlabels-dg/creating-datasets.html](https://docs.aws.amazon.com/rekognition/latest/customlabels-dg/creating-datasets.html)  |  arn:\$1\$1Partition\$1:rekognition:\$1\$1Region\$1:\$1\$1Account\$1:project/\$1\$1ProjectName\$1/dataset/\$1\$1DatasetType\$1/\$1\$1CreationTimestamp\$1  |   [#amazonrekognition-aws_ResourceTag___TagKey_](#amazonrekognition-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Rekognition
<a name="amazonrekognition-policy-keys"></a>

Amazon Rekognition defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS rePost Private
<a name="list_awsrepostprivate"></a>

AWS rePost Private (service prefix: `repostspace`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/repostprivate/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/repostprivate/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/repostprivate/latest/caguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS rePost Private
](#awsrepostprivate-actions-as-permissions)
+ [

## Resource types defined by AWS rePost Private
](#awsrepostprivate-resources-for-iam-policies)
+ [

## Condition keys for AWS rePost Private
](#awsrepostprivate-policy-keys)

## Actions defined by AWS rePost Private
<a name="awsrepostprivate-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsrepostprivate-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrepostprivate.html)

## Resource types defined by AWS rePost Private
<a name="awsrepostprivate-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsrepostprivate-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/repostprivate/latest/userguide/](https://docs.aws.amazon.com/repostprivate/latest/userguide/)  |  arn:\$1\$1Partition\$1:repostspace:\$1\$1Region\$1:\$1\$1Account\$1:space/\$1\$1ResourceId\$1  |   [#awsrepostprivate-aws_ResourceTag___TagKey_](#awsrepostprivate-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS rePost Private
<a name="awsrepostprivate-policy-keys"></a>

AWS rePost Private defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Resilience Hub
<a name="list_awsresiliencehub"></a>

AWS Resilience Hub (service prefix: `resiliencehub`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/resilience-hub/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/resilience-hub/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Resilience Hub
](#awsresiliencehub-actions-as-permissions)
+ [

## Resource types defined by AWS Resilience Hub
](#awsresiliencehub-resources-for-iam-policies)
+ [

## Condition keys for AWS Resilience Hub
](#awsresiliencehub-policy-keys)

## Actions defined by AWS Resilience Hub
<a name="awsresiliencehub-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsresiliencehub-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresiliencehub.html)

## Resource types defined by AWS Resilience Hub
<a name="awsresiliencehub-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsresiliencehub-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_ResiliencyPolicy.html](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_ResiliencyPolicy.html)  |  arn:\$1\$1Partition\$1:resiliencehub:\$1\$1Region\$1:\$1\$1Account\$1:resiliency-policy/\$1\$1ResiliencyPolicyId\$1  |   [#awsresiliencehub-aws_ResourceTag___TagKey_](#awsresiliencehub-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_App.html](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_App.html)  |  arn:\$1\$1Partition\$1:resiliencehub:\$1\$1Region\$1:\$1\$1Account\$1:app/\$1\$1AppId\$1  |   [#awsresiliencehub-aws_ResourceTag___TagKey_](#awsresiliencehub-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_AppAssessment.html](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_AppAssessment.html)  |  arn:\$1\$1Partition\$1:resiliencehub:\$1\$1Region\$1:\$1\$1Account\$1:app-assessment/\$1\$1AppAssessmentId\$1  |   [#awsresiliencehub-aws_ResourceTag___TagKey_](#awsresiliencehub-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_RecommendationTemplate.html](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_RecommendationTemplate.html)  |  arn:\$1\$1Partition\$1:resiliencehub:\$1\$1Region\$1:\$1\$1Account\$1:recommendation-template/\$1\$1RecommendationTemplateId\$1  |   [#awsresiliencehub-aws_ResourceTag___TagKey_](#awsresiliencehub-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Resilience Hub
<a name="awsresiliencehub-policy-keys"></a>

AWS Resilience Hub defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Resource Access Manager (RAM)
<a name="list_awsresourceaccessmanagerram"></a>

AWS Resource Access Manager (RAM) (service prefix: `ram`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ram/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ram/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Resource Access Manager (RAM)
](#awsresourceaccessmanagerram-actions-as-permissions)
+ [

## Resource types defined by AWS Resource Access Manager (RAM)
](#awsresourceaccessmanagerram-resources-for-iam-policies)
+ [

## Condition keys for AWS Resource Access Manager (RAM)
](#awsresourceaccessmanagerram-policy-keys)

## Actions defined by AWS Resource Access Manager (RAM)
<a name="awsresourceaccessmanagerram-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsresourceaccessmanagerram-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceaccessmanagerram.html)

## Resource types defined by AWS Resource Access Manager (RAM)
<a name="awsresourceaccessmanagerram-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsresourceaccessmanagerram-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/ram/latest/APIReference/API_ResourceShare.html](https://docs.aws.amazon.com/ram/latest/APIReference/API_ResourceShare.html)  |  arn:\$1\$1Partition\$1:ram:\$1\$1Region\$1:\$1\$1Account\$1:resource-share/\$1\$1ResourcePath\$1  |   [#awsresourceaccessmanagerram-aws_ResourceTag___TagKey_](#awsresourceaccessmanagerram-aws_ResourceTag___TagKey_)   [#awsresourceaccessmanagerram-ram_AllowsExternalPrincipals](#awsresourceaccessmanagerram-ram_AllowsExternalPrincipals)   [#awsresourceaccessmanagerram-ram_ResourceShareName](#awsresourceaccessmanagerram-ram_ResourceShareName)   | 
|   [https://docs.aws.amazon.com/ram/latest/APIReference/API_ResourceShareInvitation.html](https://docs.aws.amazon.com/ram/latest/APIReference/API_ResourceShareInvitation.html)  |  arn:\$1\$1Partition\$1:ram:\$1\$1Region\$1:\$1\$1Account\$1:resource-share-invitation/\$1\$1ResourcePath\$1  |   [#awsresourceaccessmanagerram-ram_ShareOwnerAccountId](#awsresourceaccessmanagerram-ram_ShareOwnerAccountId)   | 
|   [https://docs.aws.amazon.com/ram/latest/APIReference/API_ResourceSharePermissionDetail.html](https://docs.aws.amazon.com/ram/latest/APIReference/API_ResourceSharePermissionDetail.html)  |  arn:\$1\$1Partition\$1:ram::\$1\$1Account\$1:permission/\$1\$1ResourcePath\$1  |   [#awsresourceaccessmanagerram-ram_PermissionArn](#awsresourceaccessmanagerram-ram_PermissionArn)   [#awsresourceaccessmanagerram-ram_PermissionResourceType](#awsresourceaccessmanagerram-ram_PermissionResourceType)   | 
|   [https://docs.aws.amazon.com/ram/latest/APIReference/API_ResourceSharePermissionDetail.html](https://docs.aws.amazon.com/ram/latest/APIReference/API_ResourceSharePermissionDetail.html)  |  arn:\$1\$1Partition\$1:ram:\$1\$1Region\$1:\$1\$1Account\$1:permission/\$1\$1ResourcePath\$1  |   [#awsresourceaccessmanagerram-aws_ResourceTag___TagKey_](#awsresourceaccessmanagerram-aws_ResourceTag___TagKey_)   [#awsresourceaccessmanagerram-ram_PermissionArn](#awsresourceaccessmanagerram-ram_PermissionArn)   [#awsresourceaccessmanagerram-ram_PermissionResourceType](#awsresourceaccessmanagerram-ram_PermissionResourceType)   | 

## Condition keys for AWS Resource Access Manager (RAM)
<a name="awsresourceaccessmanagerram-policy-keys"></a>

AWS Resource Access Manager (RAM) defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request when creating or tagging a resource share. If users don't pass these specific tags, or if they don't specify tags at all, the request fails | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed when creating or tagging a resource share | ArrayOfString | 
|   [https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition](https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition)  | Filters access by resource shares that allow or deny sharing with external principals. For example, specify true if the action can only be performed on resource shares that allow sharing with external principals. External principals are AWS accounts that are outside of its AWS organization | Bool | 
|   [https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition](https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition)  | Filters access by the specified Permission ARN | ARN | 
|   [https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition](https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition)  | Filters access by permissions of specified resource type | String | 
|   [https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition](https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition)  | Filters access by format of the specified principal | String | 
|   [https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition](https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition)  | Filters access by the specified value for 'allowExternalPrincipals'. External principals are AWS accounts that are outside of its AWS Organization | Bool | 
|   [https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition](https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition)  | Filters access by the specified resource type | String | 
|   [https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition](https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition)  | Filters access by the specified ARN | ARN | 
|   [https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition](https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition)  | Filters access by a resource share with the specified name | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition](https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition)  | Filters access by RetainSharingOnAccountLeaveOrganization value within ResourceShareConfiguration that is set on resource share | Bool | 
|   [https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition](https://docs.aws.amazon.com/ram/latest/userguide/iam-policies.html#iam-policies-condition)  | Filters access by resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner's account ID | String | 

# Actions, resources, and condition keys for AWS Resource Explorer
<a name="list_awsresourceexplorer"></a>

AWS Resource Explorer (service prefix: `resource-explorer-2`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/resource-explorer/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/resource-explorer/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/resource-explorer/latest/userguide/security_iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Resource Explorer
](#awsresourceexplorer-actions-as-permissions)
+ [

## Resource types defined by AWS Resource Explorer
](#awsresourceexplorer-resources-for-iam-policies)
+ [

## Condition keys for AWS Resource Explorer
](#awsresourceexplorer-policy-keys)

## Actions defined by AWS Resource Explorer
<a name="awsresourceexplorer-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsresourceexplorer-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceexplorer.html)

## Resource types defined by AWS Resource Explorer
<a name="awsresourceexplorer-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsresourceexplorer-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/resource-explorer/latest/apireference/API_View.html](https://docs.aws.amazon.com/resource-explorer/latest/apireference/API_View.html)  |  arn:\$1\$1Partition\$1:resource-explorer-2:\$1\$1Region\$1:\$1\$1Account\$1:view/\$1\$1ViewName\$1/\$1\$1ViewUuid\$1  |   [#awsresourceexplorer-aws_ResourceTag___TagKey_](#awsresourceexplorer-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/resource-explorer/latest/apireference/API_Index.html](https://docs.aws.amazon.com/resource-explorer/latest/apireference/API_Index.html)  |  arn:\$1\$1Partition\$1:resource-explorer-2:\$1\$1Region\$1:\$1\$1Account\$1:index/\$1\$1IndexUuid\$1  |   [#awsresourceexplorer-aws_ResourceTag___TagKey_](#awsresourceexplorer-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/resource-explorer/latest/userguide/API_ManagedView.html](https://docs.aws.amazon.com/resource-explorer/latest/userguide/API_ManagedView.html)  |  arn:\$1\$1Partition\$1:resource-explorer-2:\$1\$1Region\$1:\$1\$1Account\$1:managed-view/\$1\$1ManagedViewName\$1/\$1\$1ManagedViewUuid\$1  |  | 

## Condition keys for AWS Resource Explorer
<a name="awsresourceexplorer-policy-keys"></a>

AWS Resource Explorer defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag keys that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag keyss attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceexplorer.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceexplorer.html)  | Filters access by the actual operation that is being invoked, available values: Search, ListResources | String | 

# Actions, resources, and condition keys for Amazon Resource Group Tagging API
<a name="list_amazonresourcegrouptaggingapi"></a>

Amazon Resource Group Tagging API (service prefix: `tag`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ARG/latest/userguide/tag-editor.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted-prereqs.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Resource Group Tagging API
](#amazonresourcegrouptaggingapi-actions-as-permissions)
+ [

## Resource types defined by Amazon Resource Group Tagging API
](#amazonresourcegrouptaggingapi-resources-for-iam-policies)
+ [

## Condition keys for Amazon Resource Group Tagging API
](#amazonresourcegrouptaggingapi-policy-keys)

## Actions defined by Amazon Resource Group Tagging API
<a name="amazonresourcegrouptaggingapi-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonresourcegrouptaggingapi-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_DescribeReportCreation.html](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_DescribeReportCreation.html)  | Grants permission to describe the status of the StartReportCreation operation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetComplianceSummary.html](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetComplianceSummary.html)  | Grants permission to retrieve a summary of how many resources are noncompliant with their effective tag policies | Read |  |  |  | 
|   [https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html)  | Grants permission to return tagged or previously tagged resources in the specified AWS Region for the calling account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetTagKeys.html](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetTagKeys.html)  | Grants permission to returns tag keys currently in use in the specified AWS Region for the calling account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetTagValues.html](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetTagValues.html)  | Grants permission to return tag values for the specified key that are used in the specified AWS Region for the calling account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_ListRequiredTags.html](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_ListRequiredTags.html)  | Grants permission to list required tags for supported resource types in the calling account | List |  |  |  | 
|   [https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_StartReportCreation.html](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_StartReportCreation.html)  | Grants permission to start generating a report listing all tagged resources in accounts across your organization, and whether each resource is compliant with the effective tag policy | Write |  |  |  | 
|   [https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_TagResources.html](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_TagResources.html)  | Grants permission to apply one or more tags to the specified resources | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_UntagResources.html](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_UntagResources.html)  | Grants permission to remove the specified tags from the specified resources | Tagging |  |  |  | 

## Resource types defined by Amazon Resource Group Tagging API
<a name="amazonresourcegrouptaggingapi-resources-for-iam-policies"></a>

Amazon Resource Group Tagging API does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Resource Group Tagging API, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Resource Group Tagging API
<a name="amazonresourcegrouptaggingapi-policy-keys"></a>

Resource Group Tagging has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Resource Groups
<a name="list_awsresourcegroups"></a>

AWS Resource Groups (service prefix: `resource-groups`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ARG/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ARG/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ARG/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Resource Groups
](#awsresourcegroups-actions-as-permissions)
+ [

## Resource types defined by AWS Resource Groups
](#awsresourcegroups-resources-for-iam-policies)
+ [

## Condition keys for AWS Resource Groups
](#awsresourcegroups-policy-keys)

## Actions defined by AWS Resource Groups
<a name="awsresourcegroups-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsresourcegroups-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourcegroups.html)

## Resource types defined by AWS Resource Groups
<a name="awsresourcegroups-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsresourcegroups-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/ARG/latest/userguide/resource-groups.html](https://docs.aws.amazon.com/ARG/latest/userguide/resource-groups.html)  |  arn:\$1\$1Partition\$1:resource-groups:\$1\$1Region\$1:\$1\$1Account\$1:group/\$1\$1GroupName\$1  |   [#awsresourcegroups-aws_ResourceTag___TagKey_](#awsresourcegroups-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/servicecatalog/latest/arguide/app-tag-sync.html](https://docs.aws.amazon.com/servicecatalog/latest/arguide/app-tag-sync.html)  |  arn:\$1\$1Partition\$1:resource-groups:\$1\$1Region\$1:\$1\$1Account\$1:group/\$1\$1GroupName\$1/tag-sync-task/\$1\$1TaskId\$1  |   [#awsresourcegroups-aws_ResourceTag___TagKey_](#awsresourcegroups-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Resource Groups
<a name="awsresourcegroups-policy-keys"></a>

AWS Resource Groups defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon RHEL Knowledgebase Portal
<a name="list_amazonrhelknowledgebaseportal"></a>

Amazon RHEL Knowledgebase Portal (service prefix: `rhelkb`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-rhel.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-rhel.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon RHEL Knowledgebase Portal
](#amazonrhelknowledgebaseportal-actions-as-permissions)
+ [

## Resource types defined by Amazon RHEL Knowledgebase Portal
](#amazonrhelknowledgebaseportal-resources-for-iam-policies)
+ [

## Condition keys for Amazon RHEL Knowledgebase Portal
](#amazonrhelknowledgebaseportal-policy-keys)

## Actions defined by Amazon RHEL Knowledgebase Portal
<a name="amazonrhelknowledgebaseportal-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonrhelknowledgebaseportal-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-rhel.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-rhel.html)  | Grants permission to access the Red Hat Knowledgebase portal | Read |  |  |  | 

## Resource types defined by Amazon RHEL Knowledgebase Portal
<a name="amazonrhelknowledgebaseportal-resources-for-iam-policies"></a>

Amazon RHEL Knowledgebase Portal does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon RHEL Knowledgebase Portal, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon RHEL Knowledgebase Portal
<a name="amazonrhelknowledgebaseportal-policy-keys"></a>

RHEL KB has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS RoboMaker
<a name="list_awsrobomaker"></a>

AWS RoboMaker (service prefix: `robomaker`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/robomaker/how-it-works.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/robomaker/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/robomaker/latest/dg/what-is-robomaker.html) permission policies.

**Topics**
+ [

## Actions defined by AWS RoboMaker
](#awsrobomaker-actions-as-permissions)
+ [

## Resource types defined by AWS RoboMaker
](#awsrobomaker-resources-for-iam-policies)
+ [

## Condition keys for AWS RoboMaker
](#awsrobomaker-policy-keys)

## Actions defined by AWS RoboMaker
<a name="awsrobomaker-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsrobomaker-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrobomaker.html)

## Resource types defined by AWS RoboMaker
<a name="awsrobomaker-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsrobomaker-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/managing-robot-applications.html](https://docs.aws.amazon.com/robomaker/latest/dg/managing-robot-applications.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:robot-application/\$1\$1ApplicationName\$1/\$1\$1CreatedOnEpoch\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/managing-simulation-applications.html](https://docs.aws.amazon.com/robomaker/latest/dg/managing-simulation-applications.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:simulation-application/\$1\$1ApplicationName\$1/\$1\$1CreatedOnEpoch\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/simulation.html](https://docs.aws.amazon.com/robomaker/latest/dg/simulation.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:simulation-job/\$1\$1SimulationJobId\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/simulation-job-batch.html](https://docs.aws.amazon.com/robomaker/latest/dg/simulation-job-batch.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:simulation-job-batch/\$1\$1SimulationJobBatchId\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/deployment.html](https://docs.aws.amazon.com/robomaker/latest/dg/deployment.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:deployment-job/\$1\$1DeploymentJobId\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/fleets.html](https://docs.aws.amazon.com/robomaker/latest/dg/fleets.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:robot/\$1\$1RobotName\$1/\$1\$1CreatedOnEpoch\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/managing-simulation-applications.html](https://docs.aws.amazon.com/robomaker/latest/dg/managing-simulation-applications.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:deployment-fleet/\$1\$1FleetName\$1/\$1\$1CreatedOnEpoch\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/worlds-managing-generation-jobs.html](https://docs.aws.amazon.com/robomaker/latest/dg/worlds-managing-generation-jobs.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:world-generation-job/\$1\$1WorldGenerationJobId\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/worlds-managing-export-jobs.html](https://docs.aws.amazon.com/robomaker/latest/dg/worlds-managing-export-jobs.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:world-export-job/\$1\$1WorldExportJobId\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/worlds-managing-simworld-templates.html](https://docs.aws.amazon.com/robomaker/latest/dg/worlds-managing-simworld-templates.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:world-template/\$1\$1WorldTemplateJobId\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/worlds-managing-generated-worlds.html](https://docs.aws.amazon.com/robomaker/latest/dg/worlds-managing-generated-worlds.html)  |  arn:\$1\$1Partition\$1:robomaker:\$1\$1Region\$1:\$1\$1Account\$1:world/\$1\$1WorldId\$1  |   [#awsrobomaker-aws_ResourceTag___TagKey_](#awsrobomaker-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS RoboMaker
<a name="awsrobomaker-policy-keys"></a>

AWS RoboMaker defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/tagging-resources-iam-policies.html](https://docs.aws.amazon.com/robomaker/latest/dg/tagging-resources-iam-policies.html)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/tagging-resources-iam-policies.html](https://docs.aws.amazon.com/robomaker/latest/dg/tagging-resources-iam-policies.html)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/robomaker/latest/dg/tagging-resources-iam-policies.html](https://docs.aws.amazon.com/robomaker/latest/dg/tagging-resources-iam-policies.html)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Route 53
<a name="list_amazonroute53"></a>

Amazon Route 53 (service prefix: `route53`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/Route53/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Route 53
](#amazonroute53-actions-as-permissions)
+ [

## Resource types defined by Amazon Route 53
](#amazonroute53-resources-for-iam-policies)
+ [

## Condition keys for Amazon Route 53
](#amazonroute53-policy-keys)

## Actions defined by Amazon Route 53
<a name="amazonroute53-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonroute53-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html)

## Resource types defined by Amazon Route 53
<a name="amazonroute53-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonroute53-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [API_CidrCollection.html](API_CidrCollection.html)  |  arn:\$1\$1Partition\$1:route53:::cidrcollection/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_Change.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_Change.html)  |  arn:\$1\$1Partition\$1:route53:::change/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-concepts.html#route-53-concepts-reusable-delegation-set](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-concepts.html#route-53-concepts-reusable-delegation-set)  |  arn:\$1\$1Partition\$1:route53:::delegationset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-concepts.html#route-53-concepts-health-check](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-concepts.html#route-53-concepts-health-check)  |  arn:\$1\$1Partition\$1:route53:::healthcheck/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-concepts.html#route-53-concepts-hosted-zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-concepts.html#route-53-concepts-hosted-zone)  |  arn:\$1\$1Partition\$1:route53:::hostedzone/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/traffic-policies.html](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/traffic-policies.html)  |  arn:\$1\$1Partition\$1:route53:::trafficpolicy/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/traffic-policy-records.html](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/traffic-policy-records.html)  |  arn:\$1\$1Partition\$1:route53:::trafficpolicyinstance/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html)  |  arn:\$1\$1Partition\$1:route53:::queryloggingconfig/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html)  |  arn:\$1\$1Partition\$1:ec2:\$1\$1Region\$1:\$1\$1Account\$1:vpc/\$1\$1VpcId\$1  |  | 

## Condition keys for Amazon Route 53
<a name="amazonroute53-policy-keys"></a>

Amazon Route 53 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrsetConditionKeys](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrsetConditionKeys)  | Filters access by the change actions, CREATE, UPSERT, or DELETE, in a ChangeResourceRecordSets request | ArrayOfString | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrsetConditionKeys](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrsetConditionKeys)  | Filters access by the normalized DNS record names in a ChangeResourceRecordSets request | ArrayOfString | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrsetConditionKeys](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrsetConditionKeys)  | Filters access by the DNS record types in a ChangeResourceRecordSets request | ArrayOfString | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrsetConditionKeys](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrsetConditionKeys)  | Filters access by VPCs in request | String | 

# Actions, resources, and condition keys for Amazon Route 53 Domains
<a name="list_amazonroute53domains"></a>

Amazon Route 53 Domains (service prefix: `route53domains`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/Route53/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Route 53 Domains
](#amazonroute53domains-actions-as-permissions)
+ [

## Resource types defined by Amazon Route 53 Domains
](#amazonroute53domains-resources-for-iam-policies)
+ [

## Condition keys for Amazon Route 53 Domains
](#amazonroute53domains-policy-keys)

## Actions defined by Amazon Route 53 Domains
<a name="amazonroute53domains-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonroute53domains-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_AcceptDomainTransferFromAnotherAwsAccount.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_AcceptDomainTransferFromAnotherAwsAccount.html)  | Grants permission to accept the transfer of a domain from another AWS account to the current AWS account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_AssociateDelegationSignerToDomain.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_AssociateDelegationSignerToDomain.html)  | Grants permission to associate a new delegation signer to a domain | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_CancelDomainTransferToAnotherAwsAccount.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_CancelDomainTransferToAnotherAwsAccount.html)  | Grants permission to cancel the transfer of a domain from the current AWS account to another AWS account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_CheckDomainAvailability.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_CheckDomainAvailability.html)  | Grants permission to check the availability of one domain name | Read |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_CheckDomainTransferability.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_CheckDomainTransferability.html)  | Grants permission to check whether a domain name can be transferred to Amazon Route 53 | Read |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DeleteDomain.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DeleteDomain.html)  | Grants permission to delete domains | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DeleteTagsForDomain.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DeleteTagsForDomain.html)  | Grants permission to delete the specified tags for a domain | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainAutoRenew.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainAutoRenew.html)  | Grants permission to configure Amazon Route 53 to automatically renew the specified domain before the domain registration expires | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html)  | Grants permission to remove the transfer lock on the domain (specifically the clientTransferProhibited status) to allow domain transfers | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisassociateDelegationSignerFromDomain.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisassociateDelegationSignerFromDomain.html)  | Grants permission to disassociate an existing delegation signer from a domain | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainAutoRenew.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainAutoRenew.html)  | Grants permission to configure Amazon Route 53 to automatically renew the specified domain before the domain registration expires | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_EnableDomainTransferLock.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_EnableDomainTransferLock.html)  | Grants permission to set the transfer lock on the domain (specifically the clientTransferProhibited status) to prevent domain transfers | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_GetContactReachabilityStatus.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_GetContactReachabilityStatus.html)  | Grants permission to get information about whether the registrant contact has responded for operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain | Read |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_GetDomainDetail.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_GetDomainDetail.html)  | Grants permission to get detailed information about a domain | Read |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_GetDomainSuggestions.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_GetDomainSuggestions.html)  | Grants permission to get a list of suggested domain names given a string, which can either be a domain name or simply a word or phrase (without spaces) | Read |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_GetOperationDetail.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_GetOperationDetail.html)  | Grants permission to get the current status of an operation that is not completed | Read |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ListDomains.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ListDomains.html)  | Grants permission to list all the domain names registered with Amazon Route 53 for the current AWS account | List |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ListOperations.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ListOperations.html)  | Grants permission to list the operation IDs of operations that are not yet complete | List |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ListPrices.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ListPrices.html)  | Grants permission to list the prices of operations for TLDs | List |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ListTagsForDomain.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ListTagsForDomain.html)  | Grants permission to list all the tags that are associated with the specified domain | Read |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_PushDomain.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_PushDomain.html)  | Grants permission to change the IPS tag of .uk domain to initiate a transfer process from Route 53 to another registrar | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_RegisterDomain.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_RegisterDomain.html)  | Grants permission to register domains | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_RejectDomainTransferFromAnotherAwsAccount.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_RejectDomainTransferFromAnotherAwsAccount.html)  | Grants permission to reject the transfer of a domain from another AWS account to the current AWS account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_RenewDomain.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_RenewDomain.html)  | Grants permission to renew domains for the specified number of years | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ResendContactReachabilityEmail.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ResendContactReachabilityEmail.html)  | Grants permission to resend the confirmation email to the current email address for the registrant contact for operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ResendOperationAuthorization.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ResendOperationAuthorization.html)  | Grants permission to resend the operation authorization | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_RetrieveDomainAuthCode.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_RetrieveDomainAuthCode.html)  | Grants permission to get the AuthCode for the domain | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_TransferDomain.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_TransferDomain.html)  | Grants permission to transfer a domain from another registrar to Amazon Route 53 | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_TransferDomainToAnotherAwsAccount.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_TransferDomainToAnotherAwsAccount.html)  | Grants permission to transfer a domain from the current AWS account to another AWS account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_UpdateDomainContact.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_UpdateDomainContact.html)  | Grants permission to update the contact information for domain | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_UpdateDomainContactPrivacy.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_UpdateDomainContactPrivacy.html)  | Grants permission to update the domain contact privacy setting | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_UpdateDomainNameservers.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_UpdateDomainNameservers.html)  | Grants permission to replace the current set of name servers for a domain with the specified set of name servers | Write |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_UpdateTagsForDomain.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_UpdateTagsForDomain.html)  | Grants permission to add or update tags for a specified domain | Tagging |  |  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ViewBilling.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_ViewBilling.html)  | Grants permission to get all the domain-related billing records for the current AWS account for a specified period | Read |  |  |  | 

## Resource types defined by Amazon Route 53 Domains
<a name="amazonroute53domains-resources-for-iam-policies"></a>

Amazon Route 53 Domains does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon Route 53 Domains, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon Route 53 Domains
<a name="amazonroute53domains-policy-keys"></a>

Route 53 Domains has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Route 53 Profiles
<a name="list_amazonroute53profiles"></a>

Amazon Route 53 Profiles (service prefix: `route53profiles`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/Route53/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Route 53 Profiles
](#amazonroute53profiles-actions-as-permissions)
+ [

## Resource types defined by Amazon Route 53 Profiles
](#amazonroute53profiles-resources-for-iam-policies)
+ [

## Condition keys for Amazon Route 53 Profiles
](#amazonroute53profiles-policy-keys)

## Actions defined by Amazon Route 53 Profiles
<a name="amazonroute53profiles-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonroute53profiles-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html)

## Resource types defined by Amazon Route 53 Profiles
<a name="amazonroute53profiles-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonroute53profiles-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/#access-control-resources](https://docs.aws.amazon.com/Route53/latest/APIReference/#access-control-resources)  |  arn:\$1\$1Partition\$1:route53profiles:\$1\$1Region\$1:\$1\$1Account\$1:profile/\$1\$1ResourceId\$1  |   [#amazonroute53profiles-aws_ResourceTag___TagKey_](#amazonroute53profiles-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/#access-control-resources](https://docs.aws.amazon.com/Route53/latest/APIReference/#access-control-resources)  |  arn:\$1\$1Partition\$1:route53profiles:\$1\$1Region\$1:\$1\$1Account\$1:profile-association/\$1\$1ResourceId\$1  |   [#amazonroute53profiles-aws_ResourceTag___TagKey_](#amazonroute53profiles-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Route 53 Profiles
<a name="amazonroute53profiles-policy-keys"></a>

Amazon Route 53 Profiles defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html)  | Filters access by priority range of a Firewall Rule Group | Numeric | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html)  | Filters access by Hosted Zone domains | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html)  | Filters access by Resolver Rule domains | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html)  | Filters access by specific resource ARNs | ARN | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html)  | Filters access by given VPCs | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profiles.html)  | Filters access by specific resource type. Possible options include 'HostedZone', 'FirewallRuleGroup', 'ResolverQueryLoggingConfig', 'ResolverRule', and 'VpcEndpoint' | String | 

# Actions, resources, and condition keys for Amazon Route 53 Recovery Cluster
<a name="list_amazonroute53recoverycluster"></a>

Amazon Route 53 Recovery Cluster (service prefix: `route53-recovery-cluster`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/r53recovery/latest/dg/what-is-route53-recovery.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/routing-control/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/r53recovery/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Route 53 Recovery Cluster
](#amazonroute53recoverycluster-actions-as-permissions)
+ [

## Resource types defined by Amazon Route 53 Recovery Cluster
](#amazonroute53recoverycluster-resources-for-iam-policies)
+ [

## Condition keys for Amazon Route 53 Recovery Cluster
](#amazonroute53recoverycluster-policy-keys)

## Actions defined by Amazon Route 53 Recovery Cluster
<a name="amazonroute53recoverycluster-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonroute53recoverycluster-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoverycluster.html)

## Resource types defined by Amazon Route 53 Recovery Cluster
<a name="amazonroute53recoverycluster-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonroute53recoverycluster-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/recovery-cluster/latest/api/routingcontrol.html](https://docs.aws.amazon.com/recovery-cluster/latest/api/routingcontrol.html)  |  arn:\$1\$1Partition\$1:route53-recovery-control::\$1\$1Account\$1:controlpanel/\$1\$1ControlPanelId\$1/routingcontrol/\$1\$1RoutingControlId\$1  |  | 

## Condition keys for Amazon Route 53 Recovery Cluster
<a name="amazonroute53recoverycluster-policy-keys"></a>

Amazon Route 53 Recovery Cluster defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/routing-control/latest/APIReference/API_UpdateRoutingControlState.html](https://docs.aws.amazon.com/routing-control/latest/APIReference/API_UpdateRoutingControlState.html)  | Override safety rules to allow routing control state updates | Bool | 

# Actions, resources, and condition keys for Amazon Route 53 Recovery Controls
<a name="list_amazonroute53recoverycontrols"></a>

Amazon Route 53 Recovery Controls (service prefix: `route53-recovery-control-config`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/r53recovery/latest/dg/what-is-route53-recovery.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/recovery-cluster/latest/api/resources.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/r53recovery/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Route 53 Recovery Controls
](#amazonroute53recoverycontrols-actions-as-permissions)
+ [

## Resource types defined by Amazon Route 53 Recovery Controls
](#amazonroute53recoverycontrols-resources-for-iam-policies)
+ [

## Condition keys for Amazon Route 53 Recovery Controls
](#amazonroute53recoverycontrols-policy-keys)

## Actions defined by Amazon Route 53 Recovery Controls
<a name="amazonroute53recoverycontrols-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonroute53recoverycontrols-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoverycontrols.html)

## Resource types defined by Amazon Route 53 Recovery Controls
<a name="amazonroute53recoverycontrols-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonroute53recoverycontrols-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/recovery-cluster/latest/api/cluster.html](https://docs.aws.amazon.com/recovery-cluster/latest/api/cluster.html)  |  arn:\$1\$1Partition\$1:route53-recovery-control::\$1\$1Account\$1:cluster/\$1\$1ResourceId\$1  |   [#amazonroute53recoverycontrols-aws_ResourceTag___TagKey_](#amazonroute53recoverycontrols-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/recovery-cluster/latest/api/controlpanel.html](https://docs.aws.amazon.com/recovery-cluster/latest/api/controlpanel.html)  |  arn:\$1\$1Partition\$1:route53-recovery-control::\$1\$1Account\$1:controlpanel/\$1\$1ControlPanelId\$1  |   [#amazonroute53recoverycontrols-aws_ResourceTag___TagKey_](#amazonroute53recoverycontrols-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/recovery-cluster/latest/api/routingcontrol.html](https://docs.aws.amazon.com/recovery-cluster/latest/api/routingcontrol.html)  |  arn:\$1\$1Partition\$1:route53-recovery-control::\$1\$1Account\$1:controlpanel/\$1\$1ControlPanelId\$1/routingcontrol/\$1\$1RoutingControlId\$1  |  | 
|   [https://docs.aws.amazon.com/recovery-cluster/latest/api/safetyrule.html](https://docs.aws.amazon.com/recovery-cluster/latest/api/safetyrule.html)  |  arn:\$1\$1Partition\$1:route53-recovery-control::\$1\$1Account\$1:controlpanel/\$1\$1ControlPanelId\$1/safetyrule/\$1\$1SafetyRuleId\$1  |   [#amazonroute53recoverycontrols-aws_ResourceTag___TagKey_](#amazonroute53recoverycontrols-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Route 53 Recovery Controls
<a name="amazonroute53recoverycontrols-policy-keys"></a>

Amazon Route 53 Recovery Controls defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Route 53 Recovery Readiness
<a name="list_amazonroute53recoveryreadiness"></a>

Amazon Route 53 Recovery Readiness (service prefix: `route53-recovery-readiness`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/r53recovery/latest/dg/what-is-route53-recovery.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/recovery-readiness/latest/api/resources.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/r53recovery/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Route 53 Recovery Readiness
](#amazonroute53recoveryreadiness-actions-as-permissions)
+ [

## Resource types defined by Amazon Route 53 Recovery Readiness
](#amazonroute53recoveryreadiness-resources-for-iam-policies)
+ [

## Condition keys for Amazon Route 53 Recovery Readiness
](#amazonroute53recoveryreadiness-policy-keys)

## Actions defined by Amazon Route 53 Recovery Readiness
<a name="amazonroute53recoveryreadiness-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonroute53recoveryreadiness-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoveryreadiness.html)

## Resource types defined by Amazon Route 53 Recovery Readiness
<a name="amazonroute53recoveryreadiness-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonroute53recoveryreadiness-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/r53recovery/latest/dg/recovery-readiness.readiness-checks.html](https://docs.aws.amazon.com/r53recovery/latest/dg/recovery-readiness.readiness-checks.html)  |  arn:\$1\$1Partition\$1:route53-recovery-readiness::\$1\$1Account\$1:readiness-check/\$1\$1ResourceId\$1  |   [#amazonroute53recoveryreadiness-aws_ResourceTag___TagKey_](#amazonroute53recoveryreadiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/r53recovery/latest/dg/recovery-readiness.readiness-checks.html](https://docs.aws.amazon.com/r53recovery/latest/dg/recovery-readiness.readiness-checks.html)  |  arn:\$1\$1Partition\$1:route53-recovery-readiness::\$1\$1Account\$1:resource-set/\$1\$1ResourceId\$1  |   [#amazonroute53recoveryreadiness-aws_ResourceTag___TagKey_](#amazonroute53recoveryreadiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/r53recovery/latest/dg/recovery-readiness.recovery-groups.html](https://docs.aws.amazon.com/r53recovery/latest/dg/recovery-readiness.recovery-groups.html)  |  arn:\$1\$1Partition\$1:route53-recovery-readiness::\$1\$1Account\$1:cell/\$1\$1ResourceId\$1  |   [#amazonroute53recoveryreadiness-aws_ResourceTag___TagKey_](#amazonroute53recoveryreadiness-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/r53recovery/latest/dg/recovery-readiness.recovery-groups.html](https://docs.aws.amazon.com/r53recovery/latest/dg/recovery-readiness.recovery-groups.html)  |  arn:\$1\$1Partition\$1:route53-recovery-readiness::\$1\$1Account\$1:recovery-group/\$1\$1ResourceId\$1  |   [#amazonroute53recoveryreadiness-aws_ResourceTag___TagKey_](#amazonroute53recoveryreadiness-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Route 53 Recovery Readiness
<a name="amazonroute53recoveryreadiness-policy-keys"></a>

Amazon Route 53 Recovery Readiness defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Route 53 Resolver
<a name="list_amazonroute53resolver"></a>

Amazon Route 53 Resolver (service prefix: `route53resolver`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/Route53/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Route 53 Resolver
](#amazonroute53resolver-actions-as-permissions)
+ [

## Resource types defined by Amazon Route 53 Resolver
](#amazonroute53resolver-resources-for-iam-policies)
+ [

## Condition keys for Amazon Route 53 Resolver
](#amazonroute53resolver-policy-keys)

## Actions defined by Amazon Route 53 Resolver
<a name="amazonroute53resolver-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonroute53resolver-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53resolver.html)

## Resource types defined by Amazon Route 53 Resolver
<a name="amazonroute53resolver-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonroute53resolver-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:resolver-dnssec-config/\$1\$1ResourceId\$1  |   [#amazonroute53resolver-aws_ResourceTag___TagKey_](#amazonroute53resolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:resolver-query-log-config/\$1\$1ResourceId\$1  |   [#amazonroute53resolver-aws_ResourceTag___TagKey_](#amazonroute53resolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:resolver-rule/\$1\$1ResourceId\$1  |   [#amazonroute53resolver-aws_ResourceTag___TagKey_](#amazonroute53resolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:autodefined-rule/\$1\$1ResourceId\$1  |   [#amazonroute53resolver-aws_ResourceTag___TagKey_](#amazonroute53resolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:resolver-endpoint/\$1\$1ResourceId\$1  |   [#amazonroute53resolver-aws_ResourceTag___TagKey_](#amazonroute53resolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:firewall-rule-group/\$1\$1ResourceId\$1  |   [#amazonroute53resolver-aws_ResourceTag___TagKey_](#amazonroute53resolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:firewall-rule-group-association/\$1\$1ResourceId\$1  |   [#amazonroute53resolver-aws_ResourceTag___TagKey_](#amazonroute53resolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:firewall-domain-list/\$1\$1ResourceId\$1  |   [#amazonroute53resolver-aws_ResourceTag___TagKey_](#amazonroute53resolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:firewall-config/\$1\$1ResourceId\$1  |   [#amazonroute53resolver-aws_ResourceTag___TagKey_](#amazonroute53resolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:resolver-config/\$1\$1ResourceId\$1  |  | 
|   [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-resources)  |  arn:\$1\$1Partition\$1:route53resolver:\$1\$1Region\$1:\$1\$1Account\$1:outpost-resolver/\$1\$1ResourceId\$1  |   [#amazonroute53resolver-aws_ResourceTag___TagKey_](#amazonroute53resolver-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Route 53 Resolver
<a name="amazonroute53resolver-policy-keys"></a>

Amazon Route 53 Resolver defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Route53 Global Resolver
<a name="list_awsroute53globalresolver"></a>

AWS Route53 Global Resolver (service prefix: `route53globalresolver`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/Route53/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Route53 Global Resolver
](#awsroute53globalresolver-actions-as-permissions)
+ [

## Resource types defined by AWS Route53 Global Resolver
](#awsroute53globalresolver-resources-for-iam-policies)
+ [

## Condition keys for AWS Route53 Global Resolver
](#awsroute53globalresolver-policy-keys)

## Actions defined by AWS Route53 Global Resolver
<a name="awsroute53globalresolver-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsroute53globalresolver-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsroute53globalresolver.html)

## Resource types defined by AWS Route53 Global Resolver
<a name="awsroute53globalresolver-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsroute53globalresolver-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53globalresolver_AccessSource.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53globalresolver_AccessSource.html)  |  arn:\$1\$1Partition\$1:route53globalresolver::\$1\$1Account\$1:access-source/\$1\$1Id\$1  |   [#awsroute53globalresolver-aws_ResourceTag___TagKey_](#awsroute53globalresolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53globalresolver_AccessToken.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53globalresolver_AccessToken.html)  |  arn:\$1\$1Partition\$1:route53globalresolver::\$1\$1Account\$1:access-token/\$1\$1Id\$1  |   [#awsroute53globalresolver-aws_ResourceTag___TagKey_](#awsroute53globalresolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53globalresolver_DNSView.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53globalresolver_DNSView.html)  |  arn:\$1\$1Partition\$1:route53globalresolver::\$1\$1Account\$1:dns-view/\$1\$1Id\$1  |   [#awsroute53globalresolver-aws_ResourceTag___TagKey_](#awsroute53globalresolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53globalresolver_FirewallDomainList.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53globalresolver_FirewallDomainList.html)  |  arn:\$1\$1Partition\$1:route53globalresolver::\$1\$1Account\$1:firewall-domain-list/\$1\$1Id\$1  |   [#awsroute53globalresolver-aws_ResourceTag___TagKey_](#awsroute53globalresolver-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53globalresolver_GlobalResolver.html](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53globalresolver_GlobalResolver.html)  |  arn:\$1\$1Partition\$1:route53globalresolver::\$1\$1Account\$1:global-resolver/\$1\$1Id\$1  |   [#awsroute53globalresolver-aws_ResourceTag___TagKey_](#awsroute53globalresolver-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Route53 Global Resolver
<a name="awsroute53globalresolver-policy-keys"></a>

AWS Route53 Global Resolver defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS RTB Fabric
<a name="list_awsrtbfabric"></a>

AWS RTB Fabric (service prefix: `rtbfabric`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/rtb-fabric/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS RTB Fabric
](#awsrtbfabric-actions-as-permissions)
+ [

## Resource types defined by AWS RTB Fabric
](#awsrtbfabric-resources-for-iam-policies)
+ [

## Condition keys for AWS RTB Fabric
](#awsrtbfabric-policy-keys)

## Actions defined by AWS RTB Fabric
<a name="awsrtbfabric-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsrtbfabric-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrtbfabric.html)

## Resource types defined by AWS RTB Fabric
<a name="awsrtbfabric-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsrtbfabric-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/links.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/links.html)  |  arn:\$1\$1Partition\$1:rtbfabric:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1/link/\$1\$1LinkId\$1  |   [#awsrtbfabric-aws_ResourceTag___TagKey_](#awsrtbfabric-aws_ResourceTag___TagKey_)   [#awsrtbfabric-rtbfabric_InboundExternalLinkLinkId](#awsrtbfabric-rtbfabric_InboundExternalLinkLinkId)   [#awsrtbfabric-rtbfabric_ResponderGatewayGatewayId](#awsrtbfabric-rtbfabric_ResponderGatewayGatewayId)   | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/links.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/links.html)  |  arn:\$1\$1Partition\$1:rtbfabric:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1/link/\$1\$1LinkId\$1  |   [#awsrtbfabric-aws_ResourceTag___TagKey_](#awsrtbfabric-aws_ResourceTag___TagKey_)   [#awsrtbfabric-rtbfabric_LinkLinkId](#awsrtbfabric-rtbfabric_LinkLinkId)   [#awsrtbfabric-rtbfabric_RequesterGatewayGatewayId](#awsrtbfabric-rtbfabric_RequesterGatewayGatewayId)   [#awsrtbfabric-rtbfabric_ResponderGatewayGatewayId](#awsrtbfabric-rtbfabric_ResponderGatewayGatewayId)   | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/links.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/links.html)  |  arn:\$1\$1Partition\$1:rtbfabric:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1/link/\$1\$1LinkId\$1  |   [#awsrtbfabric-aws_ResourceTag___TagKey_](#awsrtbfabric-aws_ResourceTag___TagKey_)   [#awsrtbfabric-rtbfabric_OutboundExternalLinkLinkId](#awsrtbfabric-rtbfabric_OutboundExternalLinkLinkId)   [#awsrtbfabric-rtbfabric_RequesterGatewayGatewayId](#awsrtbfabric-rtbfabric_RequesterGatewayGatewayId)   | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/working-with-requester-rtb-applications.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/working-with-requester-rtb-applications.html)  |  arn:\$1\$1Partition\$1:rtbfabric:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1  |   [#awsrtbfabric-aws_ResourceTag___TagKey_](#awsrtbfabric-aws_ResourceTag___TagKey_)   [#awsrtbfabric-rtbfabric_RequesterGatewayGatewayId](#awsrtbfabric-rtbfabric_RequesterGatewayGatewayId)   | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/working-with-responder-rtb-applications.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/working-with-responder-rtb-applications.html)  |  arn:\$1\$1Partition\$1:rtbfabric:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1  |   [#awsrtbfabric-aws_ResourceTag___TagKey_](#awsrtbfabric-aws_ResourceTag___TagKey_)   [#awsrtbfabric-rtbfabric_ResponderGatewayGatewayId](#awsrtbfabric-rtbfabric_ResponderGatewayGatewayId)   | 

## Condition keys for AWS RTB Fabric
<a name="awsrtbfabric-policy-keys"></a>

AWS RTB Fabric defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html)  | Filters access by gateway identifier supporting rtb-gw-\$1 formats | String | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html)  | Filters access by InboundExternalLink resource linkId identifier | String | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html)  | Filters access by Link resource linkId identifier | String | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html)  | Filters access by OutboundExternalLink resource linkId identifier | String | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html)  | Filters access by gateway identifier supporting rtb-gw-\$1 formats | String | 
|   [https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/security_iam_service-with-iam.html)  | Filters access by gateway identifier supporting rtb-gw-\$1 formats | String | 

# Actions, resources, and condition keys for Amazon S3 Express
<a name="list_amazons3express"></a>

Amazon S3 Express (service prefix: `s3express`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonS3/latest/API/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon S3 Express
](#amazons3express-actions-as-permissions)
+ [

## Resource types defined by Amazon S3 Express
](#amazons3express-resources-for-iam-policies)
+ [

## Condition keys for Amazon S3 Express
](#amazons3express-policy-keys)

## Actions defined by Amazon S3 Express
<a name="amazons3express-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazons3express-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3express.html)

## Resource types defined by Amazon S3 Express
<a name="amazons3express-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazons3express-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html)  |  arn:\$1\$1Partition\$1:s3express:\$1\$1Region\$1:\$1\$1Account\$1:bucket/\$1\$1BucketName\$1  |   [#amazons3express-aws_ResourceTag___TagKey_](#amazons3express-aws_ResourceTag___TagKey_)   [#amazons3express-s3express_BucketTag___TagKey_](#amazons3express-s3express_BucketTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points.html)  |  arn:\$1\$1Partition\$1:s3express:\$1\$1Region\$1:\$1\$1Account\$1:accesspoint/\$1\$1AccessPointName\$1  |   [#amazons3express-aws_ResourceTag___TagKey_](#amazons3express-aws_ResourceTag___TagKey_)   [#amazons3express-s3express_AccessPointTag___TagKey_](#amazons3express-s3express_AccessPointTag___TagKey_)   | 

## Condition keys for Amazon S3 Express
<a name="amazons3express-policy-keys"></a>

Amazon S3 Express defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html#example-user-policy-request-tag](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html#example-user-policy-request-tag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html#example-user-policy-resource-tag](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html#example-user-policy-resource-tag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html#example-user-policy-tag-keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html#example-user-policy-tag-keys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html#access-points-policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html#access-points-policies)  | Filters access by the network origin (Internet or VPC) | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-db-tagging.html#example-access-points-db-policy-bucket-tag](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-db-tagging.html#example-access-points-db-policy-bucket-tag)  | Filters access by tag key-value pairs attached to the access point | String | 
|   [#example-all-access-restricted-to-localzone-group](#example-all-access-restricted-to-localzone-group)  | Filters access by AWS Local Zone network border group(s) provided in this condition key | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html#example-policy-bucket-tag](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-tagging.html#example-policy-bucket-tag)  | Filters access by tag key-value pairs attached to the bucket | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html#access-points-policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html#access-points-policies)  | Filters access by the AWS Account ID that owns the access point | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html#access-points-policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html#access-points-policies)  | Filters access by an access point Amazon Resource Name (ARN) | ARN | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-express-zonal-policy-keys.html#example-location-name](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-express-zonal-policy-keys.html#example-location-name)  | Filters access by a specific Availability Zone or Local Zone ID | String | 
|   [#example-permissions](#example-permissions)  | Filters access by the permission requested by Access Point Scope configuration, such as GetObject, PutObject | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-express-zonal-policy-keys.html#example-object-resource-account](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-express-zonal-policy-keys.html#example-object-resource-account)  | Filters access by the resource owner AWS account ID | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-express-zonal-policy-keys.html#example-session-mode](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-express-zonal-policy-keys.html#example-session-mode)  | Filters access by the permission requested by CreateSession API, such as ReadOnly and ReadWrite | String | 
|   [#example-object-tls-version](#example-object-tls-version)  | Filters access by the TLS version used by the client | Numeric | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by authentication method | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by the age in milliseconds of the request signature | Numeric | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by the AWS Signature Version used on the request | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by unsigned content in your bucket | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-data-protection.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-data-protection.html)  | Filters access by server-side encryption | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.html#s3-express-require-sse-kms](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-UsingKMSEncryption.html#s3-express-require-sse-kms)  | Filters access by AWS KMS customer managed key for server-side encryption | ARN | 

# Actions, resources, and condition keys for Amazon S3 Files
<a name="list_amazons3files"></a>

Amazon S3 Files (service prefix: `s3files`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonS3/latest/API/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_S3_Files.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon S3 Files
](#amazons3files-actions-as-permissions)
+ [

## Resource types defined by Amazon S3 Files
](#amazons3files-resources-for-iam-policies)
+ [

## Condition keys for Amazon S3 Files
](#amazons3files-policy-keys)

## Actions defined by Amazon S3 Files
<a name="amazons3files-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazons3files-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3files.html)

## Resource types defined by Amazon S3 Files
<a name="amazons3files-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazons3files-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/creating-using-create-fs.html](https://docs.aws.amazon.com/AmazonS3/latest/API/creating-using-create-fs.html)  |  arn:\$1\$1Partition\$1:s3files:\$1\$1Region\$1:\$1\$1Account\$1:file-system/\$1\$1FileSystemId\$1  |   [#amazons3files-aws_ResourceTag___TagKey_](#amazons3files-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/s3files-access-points.html](https://docs.aws.amazon.com/AmazonS3/latest/API/s3files-access-points.html)  |  arn:\$1\$1Partition\$1:s3files:\$1\$1Region\$1:\$1\$1Account\$1:file-system/\$1\$1FileSystemId\$1/access-point/\$1\$1AccessPointId\$1  |   [#amazons3files-aws_ResourceTag___TagKey_](#amazons3files-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon S3 Files
<a name="amazons3files-policy-keys"></a>

Amazon S3 Files defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/s3files-access-points.html](https://docs.aws.amazon.com/AmazonS3/latest/API/s3files-access-points.html)  | Filters access by the ARN of the access point used to mount the file system | ARN | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/using-tags-s3files.html](https://docs.aws.amazon.com/AmazonS3/latest/API/using-tags-s3files.html)  | Filters access by the name of a resource-creating API action | String | 

# Actions, resources, and condition keys for Amazon S3 Glacier
<a name="list_amazons3glacier"></a>

Amazon S3 Glacier (service prefix: `glacier`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amazonglacier/latest/dev/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-api.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amazonglacier/latest/dev/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon S3 Glacier
](#amazons3glacier-actions-as-permissions)
+ [

## Resource types defined by Amazon S3 Glacier
](#amazons3glacier-resources-for-iam-policies)
+ [

## Condition keys for Amazon S3 Glacier
](#amazons3glacier-policy-keys)

## Actions defined by Amazon S3 Glacier
<a name="amazons3glacier-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazons3glacier-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3glacier.html)

## Resource types defined by Amazon S3 Glacier
<a name="amazons3glacier-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazons3glacier-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonglacier/latest/dev/working-with-vaults.html](https://docs.aws.amazon.com/amazonglacier/latest/dev/working-with-vaults.html)  |  arn:\$1\$1Partition\$1:glacier:\$1\$1Region\$1:\$1\$1Account\$1:vaults/\$1\$1VaultName\$1  |  | 

## Condition keys for Amazon S3 Glacier
<a name="amazons3glacier-policy-keys"></a>

Amazon S3 Glacier defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonglacier/latest/dev/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/amazonglacier/latest/dev/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by how long an archive has been stored in the vault, in days | String | 
|   [https://docs.aws.amazon.com/amazonglacier/latest/dev/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/amazonglacier/latest/dev/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by a customer-defined tag | String | 

# Actions, resources, and condition keys for Amazon S3 Object Lambda
<a name="list_amazons3objectlambda"></a>

Amazon S3 Object Lambda (service prefix: `s3-object-lambda`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonS3/latest/dev/olap-best-practices.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonS3/latest/API/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-overview.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon S3 Object Lambda
](#amazons3objectlambda-actions-as-permissions)
+ [

## Resource types defined by Amazon S3 Object Lambda
](#amazons3objectlambda-resources-for-iam-policies)
+ [

## Condition keys for Amazon S3 Object Lambda
](#amazons3objectlambda-policy-keys)

## Actions defined by Amazon S3 Object Lambda
<a name="amazons3objectlambda-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazons3objectlambda-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3objectlambda.html)

## Resource types defined by Amazon S3 Object Lambda
<a name="amazons3objectlambda-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazons3objectlambda-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/dev/transforming-objects.html](https://docs.aws.amazon.com/AmazonS3/latest/dev/transforming-objects.html)  |  arn:\$1\$1Partition\$1:s3-object-lambda:\$1\$1Region\$1:\$1\$1Account\$1:accesspoint/\$1\$1AccessPointName\$1  |  | 

## Condition keys for Amazon S3 Object Lambda
<a name="amazons3objectlambda-policy-keys"></a>

Amazon S3 Object Lambda defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by the TLS version used by the client | Numeric | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by authentication method | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by the age in milliseconds of the request signature | Numeric | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html/#getobjectversion-limit-access-to-specific-version-3](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html/#getobjectversion-limit-access-to-specific-version-3)  | Filters access by a specific object version | String | 

# Actions, resources, and condition keys for Amazon S3 on Outposts
<a name="list_amazons3onoutposts"></a>

Amazon S3 on Outposts (service prefix: `s3-outposts`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonS3/latest/API/Type_API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon S3 on Outposts
](#amazons3onoutposts-actions-as-permissions)
+ [

## Resource types defined by Amazon S3 on Outposts
](#amazons3onoutposts-resources-for-iam-policies)
+ [

## Condition keys for Amazon S3 on Outposts
](#amazons3onoutposts-policy-keys)

## Actions defined by Amazon S3 on Outposts
<a name="amazons3onoutposts-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazons3onoutposts-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html)

## Resource types defined by Amazon S3 on Outposts
<a name="amazons3onoutposts-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazons3onoutposts-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points.html)  |  arn:\$1\$1Partition\$1:s3-outposts:\$1\$1Region\$1:\$1\$1Account\$1:outpost/\$1\$1OutpostId\$1/accesspoint/\$1\$1AccessPointName\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html)  |  arn:\$1\$1Partition\$1:s3-outposts:\$1\$1Region\$1:\$1\$1Account\$1:outpost/\$1\$1OutpostId\$1/bucket/\$1\$1BucketName\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/outposts-endpoints.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/outposts-endpoints.html)  |  arn:\$1\$1Partition\$1:s3-outposts:\$1\$1Region\$1:\$1\$1Account\$1:outpost/\$1\$1OutpostId\$1/endpoint/\$1\$1EndpointId\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingObjects.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingObjects.html)  |  arn:\$1\$1Partition\$1:s3-outposts:\$1\$1Region\$1:\$1\$1Account\$1:outpost/\$1\$1OutpostId\$1/bucket/\$1\$1BucketName\$1/object/\$1\$1ObjectName\$1  |  | 

## Condition keys for Amazon S3 on Outposts
<a name="amazons3onoutposts-policy-keys"></a>

Amazon S3 on Outposts defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html#access-points-policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html#access-points-policies)  | Filters access by the network origin (Internet or VPC) | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html#access-points-policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-access-points.html#access-points-policies)  | Filters access by the AWS Account ID that owns the access point | String | 
|   s3-outposts:DataAccessPointArn  | Filters access by an access point Amazon Resource Name (ARN) | ARN | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html#tagging-and-policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html#tagging-and-policies)  | Filters access by requiring that an existing object tag has a specific tag key and value | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html#tagging-and-policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html#tagging-and-policies)  | Filters access by restricting the tag keys and values allowed on objects | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html#tagging-and-policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html#tagging-and-policies)  | Filters access by restricting the tag keys allowed on objects | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by restricting incoming requests to a specific authentication method | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html)  | Filters access by requiring the delimiter parameter | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#example-numeric-condition-operators](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#example-numeric-condition-operators)  | Filters access by limiting the maximum number of keys returned in a ListBucket request | Numeric | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#condition-key-bucket-ops-2](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#condition-key-bucket-ops-2)  | Filters access by key name prefix | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by identifying the length of time, in milliseconds, that a signature is valid in an authenticated request | Numeric | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by identifying the version of AWS Signature that is supported for authenticated requests | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#getobjectversion-limit-access-to-specific-version-3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#getobjectversion-limit-access-to-specific-version-3)  | Filters access by a specific object version | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#permissions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#permissions)  | Filters access by requiring the x-amz-acl header with a specific canned ACL in a request | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html)  | Filters access by disallowing unsigned content in your bucket | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#putobject-limit-copy-source-3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#putobject-limit-copy-source-3)  | Filters access by restricting the copy source to a specific bucket, prefix, or object | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html)  | Filters access by enabling enforcement of object metadata behavior (COPY or REPLACE) when objects are copied | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html)  | Filters access by requiring server-side encryption | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html#sc-howtoset](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html#sc-howtoset)  | Filters access by storage class | String | 

# Actions, resources, and condition keys for Amazon S3 Tables
<a name="list_amazons3tables"></a>

Amazon S3 Tables (service prefix: `s3tables`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonS3/latest/API/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon S3 Tables
](#amazons3tables-actions-as-permissions)
+ [

## Resource types defined by Amazon S3 Tables
](#amazons3tables-resources-for-iam-policies)
+ [

## Condition keys for Amazon S3 Tables
](#amazons3tables-policy-keys)

## Actions defined by Amazon S3 Tables
<a name="amazons3tables-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazons3tables-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3tables.html)

## Resource types defined by Amazon S3 Tables
<a name="amazons3tables-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazons3tables-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-buckets.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-buckets.html)  |  arn:\$1\$1Partition\$1:s3tables:\$1\$1Region\$1:\$1\$1Account\$1:bucket/\$1\$1TableBucketName\$1  |   [#amazons3tables-aws_ResourceTag___TagKey_](#amazons3tables-aws_ResourceTag___TagKey_)   [#amazons3tables-s3tables_TableBucketTag___TagKey_](#amazons3tables-s3tables_TableBucketTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-tables.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-tables.html)  |  arn:\$1\$1Partition\$1:s3tables:\$1\$1Region\$1:\$1\$1Account\$1:bucket/\$1\$1TableBucketName\$1/table/\$1\$1TableID\$1  |   [#amazons3tables-aws_ResourceTag___TagKey_](#amazons3tables-aws_ResourceTag___TagKey_)   [#amazons3tables-s3tables_TableBucketTag___TagKey_](#amazons3tables-s3tables_TableBucketTag___TagKey_)   [#amazons3tables-s3tables_namespace](#amazons3tables-s3tables_namespace)   [#amazons3tables-s3tables_tableName](#amazons3tables-s3tables_tableName)   | 

## Condition keys for Amazon S3 Tables
<a name="amazons3tables-policy-keys"></a>

Amazon S3 Tables defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html)  | Filters access by the AWS KMS key ARN for the key used to encrypt a table | ARN | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html)  | Filters access by the server-side encryption algorithm used to encrypt a table | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html)  | Filters access by the storage class that can be set on tables under a table bucket | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html)  | Filters access by the tags associated with the table bucket | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html)  | Filters access by the namespaces created in the table bucket | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-setting-up.htmls3-tables-setting-up.html)  | Filters access by the name of the tables in the table bucket | String | 

# Actions, resources, and condition keys for Amazon S3 Vectors
<a name="list_amazons3vectors"></a>

Amazon S3 Vectors (service prefix: `s3vectors`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonS3/latest/API/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon S3 Vectors
](#amazons3vectors-actions-as-permissions)
+ [

## Resource types defined by Amazon S3 Vectors
](#amazons3vectors-resources-for-iam-policies)
+ [

## Condition keys for Amazon S3 Vectors
](#amazons3vectors-policy-keys)

## Actions defined by Amazon S3 Vectors
<a name="amazons3vectors-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazons3vectors-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3vectors.html)

## Resource types defined by Amazon S3 Vectors
<a name="amazons3vectors-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazons3vectors-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html)  |  arn:\$1\$1Partition\$1:s3vectors:\$1\$1Region\$1:\$1\$1Account\$1:bucket/\$1\$1BucketName\$1/index/\$1\$1IndexName\$1  |   [#amazons3vectors-aws_ResourceTag___TagKey_](#amazons3vectors-aws_ResourceTag___TagKey_)   [#amazons3vectors-s3vectors_VectorBucketTag___TagKey_](#amazons3vectors-s3vectors_VectorBucketTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html)  |  arn:\$1\$1Partition\$1:s3vectors:\$1\$1Region\$1:\$1\$1Account\$1:bucket/\$1\$1BucketName\$1  |   [#amazons3vectors-aws_ResourceTag___TagKey_](#amazons3vectors-aws_ResourceTag___TagKey_)   [#amazons3vectors-s3vectors_VectorBucketTag___TagKey_](#amazons3vectors-s3vectors_VectorBucketTag___TagKey_)   | 

## Condition keys for Amazon S3 Vectors
<a name="amazons3vectors-policy-keys"></a>

Amazon S3 Vectors defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html#s3-vectors-condition-keyss3-vectors-access-management.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html#s3-vectors-condition-keyss3-vectors-access-management.html)  | Filters access by the tags associated with the vector bucket | String | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html#s3-vectors-condition-keyss3-vectors-access-management.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html#s3-vectors-condition-keyss3-vectors-access-management.html)  | Filters access by the AWS KMS key ARN for the key used to encrypt a vector bucket | ARN | 
|   [https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html#s3-vectors-condition-keyss3-vectors-access-management.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-access-management.html#s3-vectors-condition-keyss3-vectors-access-management.html)  | Filters access by server-side encryption type | String | 

# Actions, resources, and condition keys for Amazon SageMaker data science assistant
<a name="list_amazonsagemakerdatascienceassistant"></a>

Amazon SageMaker data science assistant (service prefix: `sagemaker-data-science-assistant`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/sagemaker-dsa/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/sagemaker-dsa/security-iam-service-with-iam.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/sagemaker-dsa/security-iam-service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon SageMaker data science assistant
](#amazonsagemakerdatascienceassistant-actions-as-permissions)
+ [

## Resource types defined by Amazon SageMaker data science assistant
](#amazonsagemakerdatascienceassistant-resources-for-iam-policies)
+ [

## Condition keys for Amazon SageMaker data science assistant
](#amazonsagemakerdatascienceassistant-policy-keys)

## Actions defined by Amazon SageMaker data science assistant
<a name="amazonsagemakerdatascienceassistant-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsagemakerdatascienceassistant-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/sagemaker-dsa/APIReference/](https://docs.aws.amazon.com/sagemaker-dsa/APIReference/) [permission only] | Grants permission to start a conversation with SageMaker data science assistant | Write |  |  |  | 

## Resource types defined by Amazon SageMaker data science assistant
<a name="amazonsagemakerdatascienceassistant-resources-for-iam-policies"></a>

Amazon SageMaker data science assistant does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon SageMaker data science assistant, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon SageMaker data science assistant
<a name="amazonsagemakerdatascienceassistant-policy-keys"></a>

SageMakerDataScienceAssistant has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon SageMaker geospatial capabilities
<a name="list_amazonsagemakergeospatialcapabilities"></a>

Amazon SageMaker geospatial capabilities (service prefix: `sagemaker-geospatial`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/sagemaker/latest/dg/geospatial.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_Operations_Amazon_SageMaker_geospatial_capabilities.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/sagemaker/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon SageMaker geospatial capabilities
](#amazonsagemakergeospatialcapabilities-actions-as-permissions)
+ [

## Resource types defined by Amazon SageMaker geospatial capabilities
](#amazonsagemakergeospatialcapabilities-resources-for-iam-policies)
+ [

## Condition keys for Amazon SageMaker geospatial capabilities
](#amazonsagemakergeospatialcapabilities-policy-keys)

## Actions defined by Amazon SageMaker geospatial capabilities
<a name="amazonsagemakergeospatialcapabilities-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsagemakergeospatialcapabilities-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemakergeospatialcapabilities.html)

## Resource types defined by Amazon SageMaker geospatial capabilities
<a name="amazonsagemakergeospatialcapabilities-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonsagemakergeospatialcapabilities-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/geospatial-eoj.html](https://docs.aws.amazon.com/sagemaker/latest/dg/geospatial-eoj.html)  |  arn:\$1\$1Partition\$1:sagemaker-geospatial:\$1\$1Region\$1:\$1\$1Account\$1:earth-observation-job/\$1\$1JobID\$1  |   [#amazonsagemakergeospatialcapabilities-aws_ResourceTag___TagKey_](#amazonsagemakergeospatialcapabilities-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/geospatial-data-collections.html](https://docs.aws.amazon.com/sagemaker/latest/dg/geospatial-data-collections.html)  |  arn:\$1\$1Partition\$1:sagemaker-geospatial:\$1\$1Region\$1:\$1\$1Account\$1:raster-data-collection/\$1\$1CollectionID\$1  |   [#amazonsagemakergeospatialcapabilities-aws_ResourceTag___TagKey_](#amazonsagemakergeospatialcapabilities-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/sagemaker/latest/dg/geospatial-vej.html](https://docs.aws.amazon.com/sagemaker/latest/dg/geospatial-vej.html)  |  arn:\$1\$1Partition\$1:sagemaker-geospatial:\$1\$1Region\$1:\$1\$1Account\$1:vector-enrichment-job/\$1\$1JobID\$1  |   [#amazonsagemakergeospatialcapabilities-aws_ResourceTag___TagKey_](#amazonsagemakergeospatialcapabilities-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon SageMaker geospatial capabilities
<a name="amazonsagemakergeospatialcapabilities-policy-keys"></a>

Amazon SageMaker geospatial capabilities defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon SageMaker Unified Studio MCP
<a name="list_amazonsagemakerunifiedstudiomcp"></a>

Amazon SageMaker Unified Studio MCP (service prefix: `sagemaker-unified-studio-mcp`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/) permission policies.

**Topics**
+ [

## Actions defined by Amazon SageMaker Unified Studio MCP
](#amazonsagemakerunifiedstudiomcp-actions-as-permissions)
+ [

## Resource types defined by Amazon SageMaker Unified Studio MCP
](#amazonsagemakerunifiedstudiomcp-resources-for-iam-policies)
+ [

## Condition keys for Amazon SageMaker Unified Studio MCP
](#amazonsagemakerunifiedstudiomcp-policy-keys)

## Actions defined by Amazon SageMaker Unified Studio MCP
<a name="amazonsagemakerunifiedstudiomcp-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsagemakerunifiedstudiomcp-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/) [permission only] | Grants permission to call privileged tools in MCP service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/) [permission only] | Grants permission to call read-only tools in MCP service | Read |  |  |  | 
|   [https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/) [permission only] | Grants permission to use MCP service | Read |  |  |  | 

## Resource types defined by Amazon SageMaker Unified Studio MCP
<a name="amazonsagemakerunifiedstudiomcp-resources-for-iam-policies"></a>

Amazon SageMaker Unified Studio MCP does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon SageMaker Unified Studio MCP, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon SageMaker Unified Studio MCP
<a name="amazonsagemakerunifiedstudiomcp-policy-keys"></a>

SageMaker Unified Studio MCP has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon SageMaker with MLflow
<a name="list_amazonsagemakerwithmlflow"></a>

Amazon SageMaker with MLflow (service prefix: `sagemaker-mlflow`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/sagemaker/latest/APIReference/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/sagemaker/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/sagemaker/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon SageMaker with MLflow
](#amazonsagemakerwithmlflow-actions-as-permissions)
+ [

## Resource types defined by Amazon SageMaker with MLflow
](#amazonsagemakerwithmlflow-resources-for-iam-policies)
+ [

## Condition keys for Amazon SageMaker with MLflow
](#amazonsagemakerwithmlflow-policy-keys)

## Actions defined by Amazon SageMaker with MLflow
<a name="amazonsagemakerwithmlflow-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsagemakerwithmlflow-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to access the MLflow UI | Read |  |  |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to create an MLflow experiment | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to create a new model version | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to create a registered model | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to create a new run within an experiment | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to mark an MLflow experiment for deletion | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to delete a logged model in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to delete a tag for a logged model in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to delete a model version | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to delete a model version tag | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to delete a registered model | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to delete a registered model alias | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to delete a registered model tag  | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to mark a run for deletion | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to delete a tag on a run | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to delete a trace tag in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to delete traces in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to end a trace in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to set status for a logged model in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get a URI to download model artifacts for a specific model version | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get metadata for an MLflow experiment | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get metadata for an MLflow experiment by name | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get the latest model versions | List |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get a logged model in MLflow | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get a list of all values for the specified metric for a given run | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get a model version by model name and version | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get model version by alias in MLflow | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get a registered model | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get metadata, metrics, parameters, and tags for a run | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to get information about a trace in MLflow | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to list artifacts for a run | List |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to list artifacts for a logged model in MLflow | List |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to log a batch of metrics, parameters, and tags for a run | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to log inputs for a run | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to log params for a logged model in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to log a metric for a run | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to log the model associated with a run | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to log outputs, such as models, for a run in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to log a parameter tracked during a run | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to rename a registered model | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to restore an experiment marked for deletion | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to restore a deleted run | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to search for MLflow experiments | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to search for logged models in MLflow | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to search for a model version | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to search for registered models in MLflow | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to search for runs that satisfy expressions | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to search for traces in MLflow | Read |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to set a tag on an experiment | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to set tags for a logged model in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to set a tag for the model version  | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to set a registered model alias | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to set a tag for a registered model | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to set a tag on a run | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to set a trace tag in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to start a trace in MLflow | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to transition a model version to a particular stage | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to update the metadata for an MLflow experiment | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to update the model version | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to update a registered model | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 
|   [${APIReferenceDocPage}](${APIReferenceDocPage})  | Grants permission to update run metadata | Write |   [#amazonsagemakerwithmlflow-mlflow-tracking-server](#amazonsagemakerwithmlflow-mlflow-tracking-server)   |   [#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_](#amazonsagemakerwithmlflow-aws_ResourceTag___TagKey_)   |  | 

## Resource types defined by Amazon SageMaker with MLflow
<a name="amazonsagemakerwithmlflow-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonsagemakerwithmlflow-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_MlflowTrackingServer.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_MlflowTrackingServer.html)  |  arn:\$1\$1Partition\$1:sagemaker:\$1\$1Region\$1:\$1\$1Account\$1:mlflow-tracking-server/\$1\$1MlflowTrackingServerName\$1  |  | 

## Condition keys for Amazon SageMaker with MLflow
<a name="amazonsagemakerwithmlflow-policy-keys"></a>

Amazon SageMaker with MLflow defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys)  | Filters access by a tag key and value pair | String | 

# Actions, resources, and condition keys for AWS Savings Plans
<a name="list_awssavingsplans"></a>

AWS Savings Plans (service prefix: `savingsplans`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/savingsplans/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/savingsplans/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/savingsplans/latest/userguide/identity-access-management.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Savings Plans
](#awssavingsplans-actions-as-permissions)
+ [

## Resource types defined by AWS Savings Plans
](#awssavingsplans-resources-for-iam-policies)
+ [

## Condition keys for AWS Savings Plans
](#awssavingsplans-policy-keys)

## Actions defined by AWS Savings Plans
<a name="awssavingsplans-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssavingsplans-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssavingsplans.html)

## Resource types defined by AWS Savings Plans
<a name="awssavingsplans-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssavingsplans-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/savingsplans/latest/userguide/what-is-savings-plans.html](https://docs.aws.amazon.com/savingsplans/latest/userguide/what-is-savings-plans.html)  |  arn:\$1\$1Partition\$1:savingsplans::\$1\$1Account\$1:savingsplan/\$1\$1ResourceId\$1  |   [#awssavingsplans-aws_ResourceTag___TagKey_](#awssavingsplans-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Savings Plans
<a name="awssavingsplans-policy-keys"></a>

AWS Savings Plans defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Secrets Manager
<a name="list_awssecretsmanager"></a>

AWS Secrets Manager (service prefix: `secretsmanager`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/secretsmanager/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/secretsmanager/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Secrets Manager
](#awssecretsmanager-actions-as-permissions)
+ [

## Resource types defined by AWS Secrets Manager
](#awssecretsmanager-resources-for-iam-policies)
+ [

## Condition keys for AWS Secrets Manager
](#awssecretsmanager-policy-keys)

## Actions defined by AWS Secrets Manager
<a name="awssecretsmanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssecretsmanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html)

## Resource types defined by AWS Secrets Manager
<a name="awssecretsmanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssecretsmanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-resources-for-iam-policies](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-resources-for-iam-policies)  |  arn:\$1\$1Partition\$1:secretsmanager:\$1\$1Region\$1:\$1\$1Account\$1:secret:\$1\$1SecretId\$1  |   [#awssecretsmanager-aws_RequestTag___TagKey_](#awssecretsmanager-aws_RequestTag___TagKey_)   [#awssecretsmanager-aws_ResourceTag___TagKey_](#awssecretsmanager-aws_ResourceTag___TagKey_)   [#awssecretsmanager-aws_TagKeys](#awssecretsmanager-aws_TagKeys)   [#awssecretsmanager-secretsmanager_ResourceTag_tag-key](#awssecretsmanager-secretsmanager_ResourceTag_tag-key)   [#awssecretsmanager-secretsmanager_resource_AllowRotationLambdaArn](#awssecretsmanager-secretsmanager_resource_AllowRotationLambdaArn)   [#awssecretsmanager-secretsmanager_resource_Type](#awssecretsmanager-secretsmanager_resource_Type)   | 

## Condition keys for AWS Secrets Manager
<a name="awssecretsmanager-policy-keys"></a>

AWS Secrets Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a key that is present in the request the user makes to the Secrets Manager service | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the list of all the tag key names present in the request the user makes to the Secrets Manager service | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the list of Regions in which to replicate the secret | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by whether the resource policy blocks broad AWS account access | Bool | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the description text in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the managed external secret rotation role ARN in the request | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by whether the secret is to be deleted immediately without any recovery window | Bool | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by whether to overwrite a secret with the same name in the destination Region | Bool | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the key ARN of the KMS key in the request | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the key identifier of the KMS key in the request. Deprecated: Use secretsmanager:KmsKeyArn | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by whether the rotation rules of the secret are to be modified | Bool | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the friendly name of the secret in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the number of days that Secrets Manager waits before it can delete the secret | Numeric | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by a tag key and value pair | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by whether the secret is to be rotated immediately | Bool | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the ARN of the rotation Lambda function in the request | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the SecretID value in the request | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by primary region in which the secret is created if the secret is a multi-Region secret | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the managed external secret type in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the unique identifier of the version of the secret in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the list of version stages in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the ARN of the rotation Lambda function associated with the secret | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)  | Filters access by the managed external secret type associated with the secret | String | 

# Actions, resources, and condition keys for AWS Security Agent
<a name="list_awssecurityagent"></a>

AWS Security Agent (service prefix: `securityagent`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/securityagent/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/securityagent/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/securityagent/latest/userguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Security Agent
](#awssecurityagent-actions-as-permissions)
+ [

## Resource types defined by AWS Security Agent
](#awssecurityagent-resources-for-iam-policies)
+ [

## Condition keys for AWS Security Agent
](#awssecurityagent-policy-keys)

## Actions defined by AWS Security Agent
<a name="awssecurityagent-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssecurityagent-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityagent.html)

## Resource types defined by AWS Security Agent
<a name="awssecurityagent-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssecurityagent-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/securityagent/latest/userguide/auth-and-access-control-iam-access-control-identity-based.html#arn-formats](https://docs.aws.amazon.com/securityagent/latest/userguide/auth-and-access-control-iam-access-control-identity-based.html#arn-formats)  |  arn:\$1\$1Partition\$1:securityagent:\$1\$1Region\$1:\$1\$1Account\$1:application/\$1\$1ApplicationId\$1  |   [#awssecurityagent-aws_ResourceTag___TagKey_](#awssecurityagent-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/securityagent/latest/userguide/auth-and-access-control-iam-access-control-identity-based.html#arn-formats](https://docs.aws.amazon.com/securityagent/latest/userguide/auth-and-access-control-iam-access-control-identity-based.html#arn-formats)  |  arn:\$1\$1Partition\$1:securityagent:\$1\$1Region\$1:\$1\$1Account\$1:security-requirement-pack/\$1\$1SecurityRequirementPackId\$1  |   [#awssecurityagent-aws_ResourceTag___TagKey_](#awssecurityagent-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/securityagent/latest/userguide/auth-and-access-control-iam-access-control-identity-based.html#arn-formats](https://docs.aws.amazon.com/securityagent/latest/userguide/auth-and-access-control-iam-access-control-identity-based.html#arn-formats)  |  arn:\$1\$1Partition\$1:securityagent:\$1\$1Region\$1:\$1\$1Account\$1:integration/\$1\$1IntegrationId\$1  |   [#awssecurityagent-aws_ResourceTag___TagKey_](#awssecurityagent-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/securityagent/latest/userguide/auth-and-access-control-iam-access-control-identity-based.html#arn-formats](https://docs.aws.amazon.com/securityagent/latest/userguide/auth-and-access-control-iam-access-control-identity-based.html#arn-formats)  |  arn:\$1\$1Partition\$1:securityagent:\$1\$1Region\$1:\$1\$1Account\$1:agent-space/\$1\$1AgentId\$1  |   [#awssecurityagent-aws_ResourceTag___TagKey_](#awssecurityagent-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/securityagent/latest/userguide/auth-and-access-control-iam-access-control-identity-based.html#arn-formats](https://docs.aws.amazon.com/securityagent/latest/userguide/auth-and-access-control-iam-access-control-identity-based.html#arn-formats)  |  arn:\$1\$1Partition\$1:securityagent:\$1\$1Region\$1:\$1\$1Account\$1:target-domain/\$1\$1TargetDomainId\$1  |   [#awssecurityagent-aws_ResourceTag___TagKey_](#awssecurityagent-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Security Agent
<a name="awssecurityagent-policy-keys"></a>

AWS Security Agent defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Security Hub
<a name="list_awssecurityhub"></a>

AWS Security Hub (service prefix: `securityhub`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/securityhub/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/securityhub/1.0/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Security Hub
](#awssecurityhub-actions-as-permissions)
+ [

## Resource types defined by AWS Security Hub
](#awssecurityhub-resources-for-iam-policies)
+ [

## Condition keys for AWS Security Hub
](#awssecurityhub-policy-keys)

## Actions defined by AWS Security Hub
<a name="awssecurityhub-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssecurityhub-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html)

## Resource types defined by AWS Security Hub
<a name="awssecurityhub-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssecurityhub-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources)  |  arn:\$1\$1Partition\$1:securityhub:\$1\$1Region\$1:\$1\$1Account\$1:hub/default  |   [#awssecurityhub-aws_ResourceTag___TagKey_](#awssecurityhub-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources)  |  arn:\$1\$1Partition\$1:securityhub:\$1\$1Region\$1:\$1\$1Account\$1:hubv2/\$1\$1HubV2Id\$1  |   [#awssecurityhub-aws_ResourceTag___TagKey_](#awssecurityhub-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources)  |  arn:\$1\$1Partition\$1:securityhub:\$1\$1Region\$1:\$1\$1Account\$1:product/\$1\$1Company\$1/\$1\$1ProductId\$1  |  | 
|   [https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources)  |  arn:\$1\$1Partition\$1:securityhub:\$1\$1Region\$1:\$1\$1Account\$1:finding-aggregator/\$1\$1FindingAggregatorId\$1  |  | 
|   [https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources)  |  arn:\$1\$1Partition\$1:securityhub:\$1\$1Region\$1:\$1\$1Account\$1:aggregatorv2/\$1\$1AggregatorV2Id\$1  |   [#awssecurityhub-aws_ResourceTag___TagKey_](#awssecurityhub-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules)  |  arn:\$1\$1Partition\$1:securityhub:\$1\$1Region\$1:\$1\$1Account\$1:automation-rule/\$1\$1AutomationRuleId\$1  |   [#awssecurityhub-aws_ResourceTag___TagKey_](#awssecurityhub-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules)  |  arn:\$1\$1Partition\$1:securityhub:\$1\$1Region\$1:\$1\$1Account\$1:automation-rulev2/\$1\$1AutomationRuleV2Id\$1  |   [#awssecurityhub-aws_ResourceTag___TagKey_](#awssecurityhub-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html)  |  arn:\$1\$1Partition\$1:securityhub:\$1\$1Region\$1:\$1\$1Account\$1:configuration-policy/\$1\$1ConfigurationPolicyId\$1  |   [#awssecurityhub-aws_ResourceTag___TagKey_](#awssecurityhub-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#resources)  |  arn:\$1\$1Partition\$1:securityhub:\$1\$1Region\$1:\$1\$1Account\$1:connectorv2/\$1\$1ConnectorV2Id\$1  |   [#awssecurityhub-aws_ResourceTag___TagKey_](#awssecurityhub-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Security Hub
<a name="awssecurityhub-policy-keys"></a>

AWS Security Hub defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by actions based on the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-asffsyntaxpath](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-asffsyntaxpath)  | Filters access by the specified fields and values in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-ocsfsyntaxpath](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-ocsfsyntaxpath)  | Filters access by the specified fields and values in the request | String | 
|   [https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#conditions](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-access.html#conditions)  | Filters access by the AwsAccountId field that is specified in the request | String | 

# Actions, resources, and condition keys for AWS Security Incident Response
<a name="list_awssecurityincidentresponse"></a>

AWS Security Incident Response (service prefix: `security-ir`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/security-ir/latest/userguide/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/security-ir/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/security-ir/latest/userguide/identity-and-access-management.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Security Incident Response
](#awssecurityincidentresponse-actions-as-permissions)
+ [

## Resource types defined by AWS Security Incident Response
](#awssecurityincidentresponse-resources-for-iam-policies)
+ [

## Condition keys for AWS Security Incident Response
](#awssecurityincidentresponse-policy-keys)

## Actions defined by AWS Security Incident Response
<a name="awssecurityincidentresponse-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssecurityincidentresponse-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityincidentresponse.html)

## Resource types defined by AWS Security Incident Response
<a name="awssecurityincidentresponse-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssecurityincidentresponse-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/security-ir/latest/userguide/cases.html](https://docs.aws.amazon.com/security-ir/latest/userguide/cases.html)  |  arn:\$1\$1Partition\$1:security-ir:\$1\$1Region\$1:\$1\$1Account\$1:case/\$1\$1CaseId\$1  |   [#awssecurityincidentresponse-aws_ResourceTag___TagKey_](#awssecurityincidentresponse-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/security-ir/latest/userguide/select-a-membership-account.html](https://docs.aws.amazon.com/security-ir/latest/userguide/select-a-membership-account.html)  |  arn:\$1\$1Partition\$1:security-ir:\$1\$1Region\$1:\$1\$1Account\$1:membership/\$1\$1MembershipId\$1  |   [#awssecurityincidentresponse-aws_ResourceTag___TagKey_](#awssecurityincidentresponse-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Security Incident Response
<a name="awssecurityincidentresponse-policy-keys"></a>

AWS Security Incident Response defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Security Lake
<a name="list_amazonsecuritylake"></a>

Amazon Security Lake (service prefix: `securitylake`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/security-lake/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/security-lake/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Security Lake
](#amazonsecuritylake-actions-as-permissions)
+ [

## Resource types defined by Amazon Security Lake
](#amazonsecuritylake-resources-for-iam-policies)
+ [

## Condition keys for Amazon Security Lake
](#amazonsecuritylake-policy-keys)

## Actions defined by Amazon Security Lake
<a name="amazonsecuritylake-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsecuritylake-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsecuritylake.html)

## Resource types defined by Amazon Security Lake
<a name="amazonsecuritylake-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonsecuritylake-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/security-lake/latest/APIReference/API_DataLakeResource.html](https://docs.aws.amazon.com/security-lake/latest/APIReference/API_DataLakeResource.html)  |  arn:\$1\$1Partition\$1:securitylake:\$1\$1Region\$1:\$1\$1Account\$1:data-lake/default  |   [#amazonsecuritylake-aws_RequestTag___TagKey_](#amazonsecuritylake-aws_RequestTag___TagKey_)   [#amazonsecuritylake-aws_ResourceTag___TagKey_](#amazonsecuritylake-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/security-lake/latest/APIReference/API_SubscriberResource.html](https://docs.aws.amazon.com/security-lake/latest/APIReference/API_SubscriberResource.html)  |  arn:\$1\$1Partition\$1:securitylake:\$1\$1Region\$1:\$1\$1Account\$1:subscriber/\$1\$1SubscriberId\$1  |   [#amazonsecuritylake-aws_RequestTag___TagKey_](#amazonsecuritylake-aws_RequestTag___TagKey_)   [#amazonsecuritylake-aws_ResourceTag___TagKey_](#amazonsecuritylake-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Security Lake
<a name="amazonsecuritylake-policy-keys"></a>

Amazon Security Lake defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Server Migration Service
<a name="list_awsservermigrationservice"></a>

AWS Server Migration Service (service prefix: `sms`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/server-migration-service/latest/userguide/SMS_setup.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/server-migration-service/latest/userguide/SMS_setup.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Server Migration Service
](#awsservermigrationservice-actions-as-permissions)
+ [

## Resource types defined by AWS Server Migration Service
](#awsservermigrationservice-resources-for-iam-policies)
+ [

## Condition keys for AWS Server Migration Service
](#awsservermigrationservice-policy-keys)

## Actions defined by AWS Server Migration Service
<a name="awsservermigrationservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsservermigrationservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_CreateApp.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_CreateApp.html)  | Grants permission to create an application configuration to migrate on-premise application onto AWS | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_CreateReplicationJob.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_CreateReplicationJob.html)  | Grants permission to create a job to migrate on-premise server onto AWS | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteApp.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteApp.html)  | Grants permission to delete an existing application configuration | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteAppLaunchConfiguration.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteAppLaunchConfiguration.html)  | Grants permission to delete launch configuration for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteAppReplicationConfiguration.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteAppReplicationConfiguration.html)  | Grants permission to delete replication configuration for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteAppValidationConfiguration.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteAppValidationConfiguration.html)  | Grants permission to delete validation configuration for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteReplicationJob.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteReplicationJob.html)  | Grants permission to delete an existing job to migrate on-premise server onto AWS | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteServerCatalog.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DeleteServerCatalog.html)  | Grants permission to delete the complete list of on-premise servers gathered into AWS | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DisassociateConnector.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_DisassociateConnector.html)  | Grants permission to disassociate a connector that has been associated | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GenerateChangeSet.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GenerateChangeSet.html)  | Grants permission to generate a changeSet for the CloudFormation stack of an application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GenerateTemplate.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GenerateTemplate.html)  | Grants permission to generate a CloudFormation template for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetApp.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetApp.html)  | Grants permission to get the configuration and statuses for an existing application | Read |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetAppLaunchConfiguration.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetAppLaunchConfiguration.html)  | Grants permission to get launch configuration for an existing application | Read |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetAppReplicationConfiguration.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetAppReplicationConfiguration.html)  | Grants permission to get replication configuration for an existing application | Read |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetAppValidationConfiguration.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetAppValidationConfiguration.html)  | Grants permission to get validation configuration for an existing application | Read |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetAppValidationOutput.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetAppValidationOutput.html)  | Grants permission to get notification sent from application validation script. | Read |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetConnectors.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetConnectors.html)  | Grants permission to get all connectors that have been associated | Read |  |  |  | 
|   GetMessages [permission only] | Grants permission to gets messages from AWS Server Migration Service to Server Migration Connector | Read |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetReplicationJobs.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetReplicationJobs.html)  | Grants permission to get all existing jobs to migrate on-premise servers onto AWS | Read |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetReplicationRuns.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetReplicationRuns.html)  | Grants permission to get all runs for an existing job | Read |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetServers.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_GetServers.html)  | Grants permission to get all servers that have been imported | Read |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_ImportAppCatalog.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_ImportAppCatalog.html)  | Grants permission to import application catalog from AWS Application Discovery Service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_ImportServerCatalog.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_ImportServerCatalog.html)  | Grants permission to gather a complete list of on-premise servers | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_LaunchApp.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_LaunchApp.html)  | Grants permission to create and launch a CloudFormation stack for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_ListAppss.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_ListAppss.html)  | Grants permission to get a list of summaries for existing applications | List |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_NotifyAppValidationOutput.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_NotifyAppValidationOutput.html)  | Grants permission to send notification for application validation script | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_PutAppLaunchConfiguration.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_PutAppLaunchConfiguration.html)  | Grants permission to create or update launch configuration for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_PutAppReplicationConfiguration.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_PutAppReplicationConfiguration.html)  | Grants permission to create or update replication configuration for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_PutAppValidationConfiguration.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_PutAppValidationConfiguration.html)  | Grants permission to put validation configuration for an existing application | Write |  |  |  | 
|   SendMessage [permission only] | Grants permission to send message from Server Migration Connector to AWS Server Migration Service | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_StartAppReplication.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_StartAppReplication.html)  | Grants permission to create and start replication jobs for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_StartOnDemandAppReplication.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_StartOnDemandAppReplication.html)  | Grants permission to start a replication run for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_StartOnDemandReplicationRun.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_StartOnDemandReplicationRun.html)  | Grants permission to start a replication run for an existing replication job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_StopAppReplication.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_StopAppReplication.html)  | Grants permission to stop and delete replication jobs for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_TerminateApp.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_TerminateApp.html)  | Grants permission to terminate the CloudFormation stack for an existing application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_UpdateApp.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_UpdateApp.html)  | Grants permission to update an existing application configuration | Write |  |  |  | 
|   [https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_UpdateReplicationJob.html](https://docs.aws.amazon.com/server-migration-service/latest/APIReference/API_UpdateReplicationJob.html)  | Grants permission to update an existing job to migrate on-premise server onto AWS | Write |  |  |  | 

## Resource types defined by AWS Server Migration Service
<a name="awsservermigrationservice-resources-for-iam-policies"></a>

AWS Server Migration Service does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Server Migration Service, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Server Migration Service
<a name="awsservermigrationservice-policy-keys"></a>

ServerMigrationService has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Serverless Application Repository
<a name="list_awsserverlessapplicationrepository"></a>

AWS Serverless Application Repository (service prefix: `serverlessrepo`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/serverlessrepo/latest/devguide/what-is-serverlessrepo.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/serverlessrepo/latest/devguide/resources.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/serverlessrepo/latest/devguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Serverless Application Repository
](#awsserverlessapplicationrepository-actions-as-permissions)
+ [

## Resource types defined by AWS Serverless Application Repository
](#awsserverlessapplicationrepository-resources-for-iam-policies)
+ [

## Condition keys for AWS Serverless Application Repository
](#awsserverlessapplicationrepository-policy-keys)

## Actions defined by AWS Serverless Application Repository
<a name="awsserverlessapplicationrepository-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsserverlessapplicationrepository-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsserverlessapplicationrepository.html)

## Resource types defined by AWS Serverless Application Repository
<a name="awsserverlessapplicationrepository-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsserverlessapplicationrepository-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/serverlessrepo/latest/devguide/applications.html](https://docs.aws.amazon.com/serverlessrepo/latest/devguide/applications.html)  |  arn:\$1\$1Partition\$1:serverlessrepo:\$1\$1Region\$1:\$1\$1Account\$1:applications/\$1\$1ResourceId\$1  |  | 

## Condition keys for AWS Serverless Application Repository
<a name="awsserverlessapplicationrepository-policy-keys"></a>

AWS Serverless Application Repository defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/applications.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/applications.html)  | Filters access by application type | String | 

# Actions, resources, and condition keys for AWS Service - Oracle Database@AWS
<a name="list_awsservice-oracledatabase_aws"></a>

AWS Service - Oracle Database@AWS (service prefix: `odb`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/odb/latest/UserGuide/what-is-odb.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/odb/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/odb/latest/UserGuide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Service - Oracle Database@AWS
](#awsservice-oracledatabase_aws-actions-as-permissions)
+ [

## Resource types defined by AWS Service - Oracle Database@AWS
](#awsservice-oracledatabase_aws-resources-for-iam-policies)
+ [

## Condition keys for AWS Service - Oracle Database@AWS
](#awsservice-oracledatabase_aws-policy-keys)

## Actions defined by AWS Service - Oracle Database@AWS
<a name="awsservice-oracledatabase_aws-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsservice-oracledatabase_aws-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservice-oracledatabase_aws.html)

## Resource types defined by AWS Service - Oracle Database@AWS
<a name="awsservice-oracledatabase_aws-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsservice-oracledatabase_aws-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/odb/latest/APIReference/API_CloudAutonomousVmCluster.html](https://docs.aws.amazon.com/odb/latest/APIReference/API_CloudAutonomousVmCluster.html)  |  arn:\$1\$1Partition\$1:odb:\$1\$1Region\$1:\$1\$1Account\$1:cloud-autonomous-vm-cluster/\$1\$1CloudAutonomousVmClusterId\$1  |   [#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_](#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/odb/latest/APIReference/API_CloudExadataInfrastructure.html](https://docs.aws.amazon.com/odb/latest/APIReference/API_CloudExadataInfrastructure.html)  |  arn:\$1\$1Partition\$1:odb:\$1\$1Region\$1:\$1\$1Account\$1:cloud-exadata-infrastructure/\$1\$1CloudExadataInfrastructureId\$1  |   [#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_](#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/odb/latest/APIReference/API_CloudVmCluster.html](https://docs.aws.amazon.com/odb/latest/APIReference/API_CloudVmCluster.html)  |  arn:\$1\$1Partition\$1:odb:\$1\$1Region\$1:\$1\$1Account\$1:cloud-vm-cluster/\$1\$1CloudVmClusterId\$1  |   [#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_](#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/odb/latest/APIReference/API_DbNode.html](https://docs.aws.amazon.com/odb/latest/APIReference/API_DbNode.html)  |  arn:\$1\$1Partition\$1:odb:\$1\$1Region\$1:\$1\$1Account\$1:db-node/\$1\$1DbNodeId\$1  |   [#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_](#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/odb/latest/APIReference/API_OdbNetwork.html](https://docs.aws.amazon.com/odb/latest/APIReference/API_OdbNetwork.html)  |  arn:\$1\$1Partition\$1:odb:\$1\$1Region\$1:\$1\$1Account\$1:odb-network/\$1\$1OdbNetworkId\$1  |   [#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_](#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/odb/latest/APIReference/API_OdbPeeringConnection.html](https://docs.aws.amazon.com/odb/latest/APIReference/API_OdbPeeringConnection.html)  |  arn:\$1\$1Partition\$1:odb:\$1\$1Region\$1:\$1\$1Account\$1:odb-peering-connection/\$1\$1OdbPeeringConnectionId\$1  |   [#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_](#awsservice-oracledatabase_aws-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Service - Oracle Database@AWS
<a name="awsservice-oracledatabase_aws-policy-keys"></a>

AWS Service - Oracle Database@AWS defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Service Catalog
<a name="list_awsservicecatalog"></a>

AWS Service Catalog (service prefix: `servicecatalog`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Service Catalog
](#awsservicecatalog-actions-as-permissions)
+ [

## Resource types defined by AWS Service Catalog
](#awsservicecatalog-resources-for-iam-policies)
+ [

## Condition keys for AWS Service Catalog
](#awsservicecatalog-policy-keys)

## Actions defined by AWS Service Catalog
<a name="awsservicecatalog-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsservicecatalog-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicecatalog.html)

## Resource types defined by AWS Service Catalog
<a name="awsservicecatalog-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsservicecatalog-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/servicecatalog/latest/dg/API_app-registry_CreateApplication.html](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_app-registry_CreateApplication.html)  |  arn:\$1\$1Partition\$1:servicecatalog:\$1\$1Region\$1:\$1\$1Account\$1:/applications/\$1\$1ApplicationId\$1  |   [#awsservicecatalog-aws_ResourceTag___TagKey_](#awsservicecatalog-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/servicecatalog/latest/dg/API_app-registry_CreateAttributeGroup.html](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_app-registry_CreateAttributeGroup.html)  |  arn:\$1\$1Partition\$1:servicecatalog:\$1\$1Region\$1:\$1\$1Account\$1:/attribute-groups/\$1\$1AttributeGroupId\$1  |   [#awsservicecatalog-aws_ResourceTag___TagKey_](#awsservicecatalog-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/servicecatalog/latest/dg/API_PortfolioDetail.html](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_PortfolioDetail.html)  |  arn:\$1\$1Partition\$1:catalog:\$1\$1Region\$1:\$1\$1Account\$1:portfolio/\$1\$1PortfolioId\$1  |   [#awsservicecatalog-aws_ResourceTag___TagKey_](#awsservicecatalog-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/servicecatalog/latest/dg/API_ProductViewDetail.html](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_ProductViewDetail.html)  |  arn:\$1\$1Partition\$1:catalog:\$1\$1Region\$1:\$1\$1Account\$1:product/\$1\$1ProductId\$1  |   [#awsservicecatalog-aws_ResourceTag___TagKey_](#awsservicecatalog-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Service Catalog
<a name="awsservicecatalog-policy-keys"></a>

AWS Service Catalog defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

**Note**  
For example policies that show how these condition keys can be used in an IAM policy, see [Example Access Policies for Provisioned Product Management](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/controlling_access.html) in the *Service Catalog Administrator Guide*.


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions-examples.html](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions-examples.html)  | Filters access by controlling what value can be specified as the Resource parameter in an AppRegistry associate resource API | String | 
|   [https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions-examples.html](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions-examples.html)  | Filters access by controlling what value can be specified as the ResourceType parameter in an AppRegistry associate resource API | String | 
|   [https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions-examples.html](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions-examples.html)  | Filters access by user to see and perform actions on resources created by anyone in the account | String | 
|   [https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions-examples.html](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions-examples.html)  | Filters access by user to see and perform actions on resources created either by them or by anyone federating into the same role as them | String | 
|   [https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions-examples.html](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/permissions-examples.html)  | Filters access by user to see and perform actions on only resources that they created | String | 

# Actions, resources, and condition keys for AWS service providing managed private networks
<a name="list_awsserviceprovidingmanagedprivatenetworks"></a>

AWS service providing managed private networks (service prefix: `private-networks`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/private-networks/latest/userguide/how-private-5g-works.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/private-networks/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html) permission policies.

**Topics**
+ [

## Actions defined by AWS service providing managed private networks
](#awsserviceprovidingmanagedprivatenetworks-actions-as-permissions)
+ [

## Resource types defined by AWS service providing managed private networks
](#awsserviceprovidingmanagedprivatenetworks-resources-for-iam-policies)
+ [

## Condition keys for AWS service providing managed private networks
](#awsserviceprovidingmanagedprivatenetworks-policy-keys)

## Actions defined by AWS service providing managed private networks
<a name="awsserviceprovidingmanagedprivatenetworks-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsserviceprovidingmanagedprivatenetworks-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsserviceprovidingmanagedprivatenetworks.html)

## Resource types defined by AWS service providing managed private networks
<a name="awsserviceprovidingmanagedprivatenetworks-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsserviceprovidingmanagedprivatenetworks-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html)  |  arn:\$1\$1Partition\$1:private-networks:\$1\$1Region\$1:\$1\$1Account\$1:network/\$1\$1NetworkName\$1  |   [#awsserviceprovidingmanagedprivatenetworks-aws_ResourceTag___TagKey_](#awsserviceprovidingmanagedprivatenetworks-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html)  |  arn:\$1\$1Partition\$1:private-networks:\$1\$1Region\$1:\$1\$1Account\$1:network-site/\$1\$1NetworkName\$1/\$1\$1NetworkSiteName\$1  |   [#awsserviceprovidingmanagedprivatenetworks-aws_ResourceTag___TagKey_](#awsserviceprovidingmanagedprivatenetworks-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html)  |  arn:\$1\$1Partition\$1:private-networks:\$1\$1Region\$1:\$1\$1Account\$1:network-resource/\$1\$1NetworkName\$1/\$1\$1ResourceId\$1  |   [#awsserviceprovidingmanagedprivatenetworks-aws_ResourceTag___TagKey_](#awsserviceprovidingmanagedprivatenetworks-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html)  |  arn:\$1\$1Partition\$1:private-networks:\$1\$1Region\$1:\$1\$1Account\$1:order/\$1\$1NetworkName\$1/\$1\$1OrderId\$1  |   [#awsserviceprovidingmanagedprivatenetworks-aws_ResourceTag___TagKey_](#awsserviceprovidingmanagedprivatenetworks-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html](https://docs.aws.amazon.com/private-networks/latest/userguide/identity-access-management.html)  |  arn:\$1\$1Partition\$1:private-networks:\$1\$1Region\$1:\$1\$1Account\$1:device-identifier/\$1\$1NetworkName\$1/\$1\$1DeviceId\$1  |   [#awsserviceprovidingmanagedprivatenetworks-aws_ResourceTag___TagKey_](#awsserviceprovidingmanagedprivatenetworks-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS service providing managed private networks
<a name="awsserviceprovidingmanagedprivatenetworks-policy-keys"></a>

AWS service providing managed private networks defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by checking the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by checking tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Service Quotas
<a name="list_servicequotas"></a>

Service Quotas (service prefix: `servicequotas`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/servicequotas/latest/userguide/intro.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/servicequotas/latest/userguide/identity-access-management.html) permission policies.

**Topics**
+ [

## Actions defined by Service Quotas
](#servicequotas-actions-as-permissions)
+ [

## Resource types defined by Service Quotas
](#servicequotas-resources-for-iam-policies)
+ [

## Condition keys for Service Quotas
](#servicequotas-policy-keys)

## Actions defined by Service Quotas
<a name="servicequotas-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#servicequotas-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html)

## Resource types defined by Service Quotas
<a name="servicequotas-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#servicequotas-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/servicequotas/latest/userguide/identity-access-management.html#resources](https://docs.aws.amazon.com/servicequotas/latest/userguide/identity-access-management.html#resources)  |  arn:\$1\$1Partition\$1:servicequotas:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1ServiceCode\$1/\$1\$1QuotaCode\$1  |  | 

## Condition keys for Service Quotas
<a name="servicequotas-policy-keys"></a>

Service Quotas defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/servicequotas/latest/userguide/identity-access-management.html#condition-keys](https://docs.aws.amazon.com/servicequotas/latest/userguide/identity-access-management.html#condition-keys)  | Filters access by the specified AWS service | String | 

# Actions, resources, and condition keys for Amazon SES
<a name="list_amazonses"></a>

Amazon SES (service prefix: `ses`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ses/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon SES
](#amazonses-actions-as-permissions)
+ [

## Resource types defined by Amazon SES
](#amazonses-resources-for-iam-policies)
+ [

## Condition keys for Amazon SES
](#amazonses-policy-keys)

## Actions defined by Amazon SES
<a name="amazonses-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonses-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html)

## Resource types defined by Amazon SES
<a name="amazonses-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonses-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference/API_ConfigurationSet.html](https://docs.aws.amazon.com/ses/latest/APIReference/API_ConfigurationSet.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:configuration-set/\$1\$1ConfigurationSetName\$1  |  | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference/API_CustomVerificationEmailTemplate.html](https://docs.aws.amazon.com/ses/latest/APIReference/API_CustomVerificationEmailTemplate.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:custom-verification-email-template/\$1\$1TemplateName\$1  |  | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_IdentityInfo.html](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_IdentityInfo.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:identity/\$1\$1IdentityName\$1  |  | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference/API_Template.html](https://docs.aws.amazon.com/ses/latest/APIReference/API_Template.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:template/\$1\$1TemplateName\$1  |  | 

## Condition keys for Amazon SES
<a name="amazonses-policy-keys"></a>

Amazon SES defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters actions based on the SES API version | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters actions based on the "Return-Path" address, which specifies where bounces and complaints are sent by email feedback forwarding | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters actions based on the "From" address of a message | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters actions based on the "From" address that is used as the display name of a message | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters actions based on the recipient addresses of a message, which include the "To", "CC", and "BCC" addresses | ArrayOfString | 

# Actions, resources, and condition keys for AWS Shield
<a name="list_awsshield"></a>

AWS Shield (service prefix: `shield`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/waf/latest/developerguide/shield-chapter.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/waf/latest/developerguide/waf-auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Shield
](#awsshield-actions-as-permissions)
+ [

## Resource types defined by AWS Shield
](#awsshield-resources-for-iam-policies)
+ [

## Condition keys for AWS Shield
](#awsshield-policy-keys)

## Actions defined by AWS Shield
<a name="awsshield-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsshield-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html)

## Resource types defined by AWS Shield
<a name="awsshield-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsshield-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_AttackDetail.html](https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_AttackDetail.html)  |  arn:\$1\$1Partition\$1:shield::\$1\$1Account\$1:attack/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_Protection.html](https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_Protection.html)  |  arn:\$1\$1Partition\$1:shield::\$1\$1Account\$1:protection/\$1\$1Id\$1  |   [#awsshield-aws_ResourceTag___TagKey_](#awsshield-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_ProtectionGroup.html](https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_ProtectionGroup.html)  |  arn:\$1\$1Partition\$1:shield::\$1\$1Account\$1:protection-group/\$1\$1Id\$1  |   [#awsshield-aws_ResourceTag___TagKey_](#awsshield-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Shield
<a name="awsshield-policy-keys"></a>

AWS Shield defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Shield network security director
<a name="list_awsshieldnetworksecuritydirector"></a>

AWS Shield network security director (service prefix: `network-security-director`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/waf/latest/developerguide/nsd-what-it-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/network-security-director/latest/APIReference/welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/waf/latest/developerguide/nsd-security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Shield network security director
](#awsshieldnetworksecuritydirector-actions-as-permissions)
+ [

## Resource types defined by AWS Shield network security director
](#awsshieldnetworksecuritydirector-resources-for-iam-policies)
+ [

## Condition keys for AWS Shield network security director
](#awsshieldnetworksecuritydirector-policy-keys)

## Actions defined by AWS Shield network security director
<a name="awsshieldnetworksecuritydirector-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsshieldnetworksecuritydirector-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_GetFinding.html](https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_GetFinding.html)  | Grants permission to get a finding | Read |  |  |  | 
|   [https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_GetResource.html](https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_GetResource.html)  | Grants permission to get a resource | Read |  |  |  | 
|   [https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_ListAccountSummaries.html](https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_ListAccountSummaries.html)  | Grants permission to list account summaries for an account | List |  |  |  | 
|   [https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_ListFindings.html](https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_ListFindings.html)  | Grants permission to list findings | List |  |  |  | 
|   [https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_ListInsights.html](https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_ListInsights.html)  | Grants permission to list insights about the latest network security scan | List |  |  |  | 
|   [https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_ListRemediations.html](https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_ListRemediations.html)  | Grants permission to list remediations for a finding | List |  |  |  | 
|   [https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_ListResources.html](https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_ListResources.html)  | Grants permission to list resources | List |  |  |  | 
|   [https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_UpdateFinding.html](https://docs.aws.amazon.com/network-security-director/latest/APIReference/API_UpdateFinding.html)  | Grants permission to update the status of a finding | Write |  |  |  | 

## Resource types defined by AWS Shield network security director
<a name="awsshieldnetworksecuritydirector-resources-for-iam-policies"></a>

AWS Shield network security director does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Shield network security director, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Shield network security director
<a name="awsshieldnetworksecuritydirector-policy-keys"></a>

Network Security Director has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Signer
<a name="list_awssigner"></a>

AWS Signer (service prefix: `signer`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/signer/latest/api/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/signer/latest/developerguide/accessctrl-toplevel.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Signer
](#awssigner-actions-as-permissions)
+ [

## Resource types defined by AWS Signer
](#awssigner-resources-for-iam-policies)
+ [

## Condition keys for AWS Signer
](#awssigner-policy-keys)

## Actions defined by AWS Signer
<a name="awssigner-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssigner-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssigner.html)

## Resource types defined by AWS Signer
<a name="awssigner-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssigner-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/signer/latest/developerguide/gs-profile.html](https://docs.aws.amazon.com/signer/latest/developerguide/gs-profile.html)  |  arn:\$1\$1Partition\$1:signer:\$1\$1Region\$1:\$1\$1Account\$1:/signing-profiles/\$1\$1ProfileName\$1  |   [#awssigner-aws_ResourceTag___TagKey_](#awssigner-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/signer/latest/developerguide/gs-job.html](https://docs.aws.amazon.com/signer/latest/developerguide/gs-job.html)  |  arn:\$1\$1Partition\$1:signer:\$1\$1Region\$1:\$1\$1Account\$1:/signing-jobs/\$1\$1JobId\$1  |  | 

## Condition keys for AWS Signer
<a name="awssigner-policy-keys"></a>

AWS Signer defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/signer/latest/developerguide/authen-apipermissions.html](https://docs.aws.amazon.com/signer/latest/developerguide/authen-apipermissions.html)  | Filters access by version of the Signing Profile | String | 

# Actions, resources, and condition keys for AWS Signin
<a name="list_awssignin"></a>

AWS Signin (service prefix: `signin`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/signin/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/signin/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Signin
](#awssignin-actions-as-permissions)
+ [

## Resource types defined by AWS Signin
](#awssignin-resources-for-iam-policies)
+ [

## Condition keys for AWS Signin
](#awssignin-policy-keys)

## Actions defined by AWS Signin
<a name="awssignin-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssignin-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssignin.html)

## Resource types defined by AWS Signin
<a name="awssignin-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssignin-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/signin/latest/APIReference](https://docs.aws.amazon.com/signin/latest/APIReference)  |  arn:\$1\$1Partition\$1:signin:\$1\$1Region\$1:\$1\$1Account\$1:oauth2/public-client/localhost  |  | 
|   [https://docs.aws.amazon.com/signin/latest/APIReference](https://docs.aws.amazon.com/signin/latest/APIReference)  |  arn:\$1\$1Partition\$1:signin:\$1\$1Region\$1:\$1\$1Account\$1:oauth2/public-client/remote  |  | 

## Condition keys for AWS Signin
<a name="awssignin-policy-keys"></a>

Signin has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Simple Email Service - Mail Manager
<a name="list_amazonsimpleemailservice-mailmanager"></a>

Amazon Simple Email Service - Mail Manager (service prefix: `ses`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ses/latest/dg/eb.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ses/latest/dg/control-user-access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Simple Email Service - Mail Manager
](#amazonsimpleemailservice-mailmanager-actions-as-permissions)
+ [

## Resource types defined by Amazon Simple Email Service - Mail Manager
](#amazonsimpleemailservice-mailmanager-resources-for-iam-policies)
+ [

## Condition keys for Amazon Simple Email Service - Mail Manager
](#amazonsimpleemailservice-mailmanager-policy-keys)

## Actions defined by Amazon Simple Email Service - Mail Manager
<a name="amazonsimpleemailservice-mailmanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsimpleemailservice-mailmanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservice-mailmanager.html)

## Resource types defined by Amazon Simple Email Service - Mail Manager
<a name="amazonsimpleemailservice-mailmanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonsimpleemailservice-mailmanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_AddonInstance.html](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_AddonInstance.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:addon-instance/\$1\$1AddonInstanceId\$1  |   [#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_](#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_AddonSubscription.html](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_AddonSubscription.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:addon-subscription/\$1\$1AddonSubscriptionId\$1  |   [#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_](#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_Archive.html](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_Archive.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:mailmanager-archive/\$1\$1ArchiveId\$1  |   [#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_](#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_IngressPoint.html](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_IngressPoint.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:mailmanager-ingress-point/\$1\$1IngressPointId\$1  |   [#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_](#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_)   [#amazonsimpleemailservice-mailmanager-ses_MailManagerIngressPointType](#amazonsimpleemailservice-mailmanager-ses_MailManagerIngressPointType)   | 
|   [https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_Relay.html](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_Relay.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:mailmanager-smtp-relay/\$1\$1RelayId\$1  |   [#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_](#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_RuleSet.html](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_RuleSet.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:mailmanager-rule-set/\$1\$1RuleSetId\$1  |   [#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_](#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_TrafficPolicy.html](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_TrafficPolicy.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:mailmanager-traffic-policy/\$1\$1TrafficPolicyId\$1  |   [#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_](#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_AddressList.html](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_AddressList.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:mailmanager-address-list/\$1\$1AddressListId\$1  |   [#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_](#amazonsimpleemailservice-mailmanager-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Simple Email Service - Mail Manager
<a name="amazonsimpleemailservice-mailmanager-policy-keys"></a>

Amazon Simple Email Service - Mail Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsesmailmanager.html#amazonsesmailmanager-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsesmailmanager.html#amazonsesmailmanager-policy-keys)  | Filters access by SES Addon Subscription ARN | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsesmailmanager.html#amazonsesmailmanager-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsesmailmanager.html#amazonsesmailmanager-policy-keys)  | Filters access by SES Mail Manager ingress point type, for example OPEN or AUTH | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsesmailmanager.html#amazonsesmailmanager-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsesmailmanager.html#amazonsesmailmanager-policy-keys)  | Filters access by SES Mail Manager rule set ARN | ARN | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsesmailmanager.html#amazonsesmailmanager-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsesmailmanager.html#amazonsesmailmanager-policy-keys)  | Filters access by SES Mail Manager traffic policy ARN | ARN | 

# Actions, resources, and condition keys for Amazon Simple Email Service v2
<a name="list_amazonsimpleemailservicev2"></a>

Amazon Simple Email Service v2 (service prefix: `ses`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ses/latest/APIReference-V2/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Simple Email Service v2
](#amazonsimpleemailservicev2-actions-as-permissions)
+ [

## Resource types defined by Amazon Simple Email Service v2
](#amazonsimpleemailservicev2-resources-for-iam-policies)
+ [

## Condition keys for Amazon Simple Email Service v2
](#amazonsimpleemailservicev2-policy-keys)

## Actions defined by Amazon Simple Email Service v2
<a name="amazonsimpleemailservicev2-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsimpleemailservicev2-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservicev2.html)

## Resource types defined by Amazon Simple Email Service v2
<a name="amazonsimpleemailservicev2-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonsimpleemailservicev2-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference/API_ReputationPolicy.html](https://docs.aws.amazon.com/ses/latest/APIReference/API_ReputationPolicy.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:aws:reputation-policy/\$1\$1ReputationPolicyName\$1  |  | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference/API_ConfigurationSet.html](https://docs.aws.amazon.com/ses/latest/APIReference/API_ConfigurationSet.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:configuration-set/\$1\$1ConfigurationSetName\$1  |   [#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_](#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_ContactList.html](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_ContactList.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:contact-list/\$1\$1ContactListName\$1  |   [#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_](#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_CustomVerificationEmailTemplateMetadata.html](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_CustomVerificationEmailTemplateMetadata.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:custom-verification-email-template/\$1\$1TemplateName\$1  |   [#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_](#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DedicatedIp.html](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DedicatedIp.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:dedicated-ip-pool/\$1\$1DedicatedIPPool\$1  |   [#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_](#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DeliverabilityTestReport.html](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DeliverabilityTestReport.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:deliverability-test-report/\$1\$1ReportId\$1  |   [#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_](#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_ExportJobSummary.html](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_ExportJobSummary.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:export-job/\$1\$1ExportJobId\$1  |  | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_IdentityInfo.html](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_IdentityInfo.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:identity/\$1\$1IdentityName\$1  |   [#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_](#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_ImportJobSummary.html](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_ImportJobSummary.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:import-job/\$1\$1ImportJobId\$1  |  | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_Template.html](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_Template.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:template/\$1\$1TemplateName\$1  |   [#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_](#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_MultiRegionEndpoint.html](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_MultiRegionEndpoint.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:multi-region-endpoint/\$1\$1EndpointName\$1  |  | 
|   [https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_Archive.html](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_Archive.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:mailmanager-archive/\$1\$1ArchiveId\$1  |   [#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_](#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ses/latest/APIReference/API_Tenant.html](https://docs.aws.amazon.com/ses/latest/APIReference/API_Tenant.html)  |  arn:\$1\$1Partition\$1:ses:\$1\$1Region\$1:\$1\$1Account\$1:tenant/\$1\$1TenantName\$1/\$1\$1TenantId\$1  |   [#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_](#amazonsimpleemailservicev2-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Simple Email Service v2
<a name="amazonsimpleemailservicev2-policy-keys"></a>

Amazon Simple Email Service v2 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters access by the SES API version | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters access by the export source type | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters access by the "Return-Path" address, which specifies where bounces and complaints are sent by email feedback forwarding | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters access by the "From" address of a message | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters access by the "From" address that is used as the display name of a message | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters access by the multi-region endpoint ID that is used to send email | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters access by the recipient addresses of a message, which include the "To", "CC", and "BCC" addresses | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters access by the replica regions for Replicating domain DKIM signing key | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonses.html#amazonses-policy-keys)  | Filters access by the tenant name that is used to send email | String | 

# Actions, resources, and condition keys for Amazon Simple Workflow Service
<a name="list_amazonsimpleworkflowservice"></a>

Amazon Simple Workflow Service (service prefix: `swf`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amazonswf/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Simple Workflow Service
](#amazonsimpleworkflowservice-actions-as-permissions)
+ [

## Resource types defined by Amazon Simple Workflow Service
](#amazonsimpleworkflowservice-resources-for-iam-policies)
+ [

## Condition keys for Amazon Simple Workflow Service
](#amazonsimpleworkflowservice-policy-keys)

## Actions defined by Amazon Simple Workflow Service
<a name="amazonsimpleworkflowservice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsimpleworkflowservice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleworkflowservice.html)

## Resource types defined by Amazon Simple Workflow Service
<a name="amazonsimpleworkflowservice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonsimpleworkflowservice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-domains.html](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-domains.html)  |  arn:\$1\$1Partition\$1:swf::\$1\$1Account\$1:/domain/\$1\$1DomainName\$1  |   [#amazonsimpleworkflowservice-aws_ResourceTag___TagKey_](#amazonsimpleworkflowservice-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Simple Workflow Service
<a name="amazonsimpleworkflowservice-policy-keys"></a>

Amazon Simple Workflow Service defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tag of the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag of the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag of the key | ArrayOfString | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the name of the activity type | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the version of the activity type | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the name of the default task list | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the name of activities or workflows | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the value of tagFilter.tag | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the specified tag | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the specified tag | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the specified tag | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the specified tag | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the specified tag | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the name of the tasklist  | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the name of the type filter | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the version of the type filter | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the version of activities or workflows | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the name of the workflow type | String | 
|   [https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-iam.html##swf-dev-iam.api)  | Filters access by the version of the workflow type | String | 

# Actions, resources, and condition keys for Amazon SimpleDB
<a name="list_amazonsimpledb"></a>

Amazon SimpleDB (service prefix: `sdb`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/UsingIAMWithSDB.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon SimpleDB
](#amazonsimpledb-actions-as-permissions)
+ [

## Resource types defined by Amazon SimpleDB
](#amazonsimpledb-resources-for-iam-policies)
+ [

## Condition keys for Amazon SimpleDB
](#amazonsimpledb-policy-keys)

## Actions defined by Amazon SimpleDB
<a name="amazonsimpledb-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsimpledb-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_BatchDeleteAttributes.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_BatchDeleteAttributes.html)  | Grants permission to perform multiple DeleteAttributes operations in a single call, which reduces round trips and latencies | Write |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_BatchPutAttributes.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_BatchPutAttributes.html)  | Grants permission to perform multiple PutAttribute operations in a single call, which reduces round trips and latencies | Write |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_CreateDomain.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_CreateDomain.html)  | Grants permission to create a new domain | Write |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_DeleteAttributes.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_DeleteAttributes.html)  | Grants permission to delete one or more attributes associated with the item | Write |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_DeleteDomain.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_DeleteDomain.html)  | Grants permission to delete a domain | Write |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_DomainMetadata.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_DomainMetadata.html)  | Grants permission to return information about the domain, including when the domain was created, the number of items and attributes, and the size of attribute names and values | Read |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_GetAttributes.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_GetAttributes.html)  | Grants permission to return all of the attributes associated with the item | Read |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_GetExport.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_GetExport.html)  | Grants permission to return information for an existing domain export arn | Read |   [#amazonsimpledb-export](#amazonsimpledb-export)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_ListDomains.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_ListDomains.html)  | Grants permission to list all domains | List |  |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_ListExports.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_ListExports.html)  | Grants permission to list all exports that were created. The results are paginated and can be filtered by domain name | List |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_PutAttributes.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_PutAttributes.html)  | Grants permission to create or replace attributes in an item | Write |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_Select.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_Select.html)  | Grants permission to execute a query against the items in a domain | Read |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_StartDomainExport.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_StartDomainExport.html)  | Grants permission to initiates the export of a SimpleDB domain to an S3 bucket | Write |   [#amazonsimpledb-domain](#amazonsimpledb-domain)   |  |  | 

## Resource types defined by Amazon SimpleDB
<a name="amazonsimpledb-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonsimpledb-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/DataModel.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/DataModel.html)  |  arn:\$1\$1Partition\$1:sdb:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainName\$1  |  | 
|   [https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/DataModel.html](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/DataModel.html)  |  arn:\$1\$1Partition\$1:sdb:\$1\$1Region\$1:\$1\$1Account\$1:domain/\$1\$1DomainName\$1/export/\$1\$1ExportUUID\$1  |  | 

## Condition keys for Amazon SimpleDB
<a name="amazonsimpledb-policy-keys"></a>

SimpleDB has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS SimSpace Weaver
<a name="list_awssimspaceweaver"></a>

AWS SimSpace Weaver (service prefix: `simspaceweaver`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/simspaceweaver/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/simspaceweaver/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/simspaceweaver/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS SimSpace Weaver
](#awssimspaceweaver-actions-as-permissions)
+ [

## Resource types defined by AWS SimSpace Weaver
](#awssimspaceweaver-resources-for-iam-policies)
+ [

## Condition keys for AWS SimSpace Weaver
](#awssimspaceweaver-policy-keys)

## Actions defined by AWS SimSpace Weaver
<a name="awssimspaceweaver-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssimspaceweaver-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssimspaceweaver.html)

## Resource types defined by AWS SimSpace Weaver
<a name="awssimspaceweaver-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssimspaceweaver-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/simspaceweaver/latest/userguide/working-with_configuring-simulation.html](https://docs.aws.amazon.com/simspaceweaver/latest/userguide/working-with_configuring-simulation.html)  |  arn:\$1\$1Partition\$1:simspaceweaver:\$1\$1Region\$1:\$1\$1Account\$1:simulation/\$1\$1SimulationName\$1  |   [#awssimspaceweaver-aws_ResourceTag___TagKey_](#awssimspaceweaver-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS SimSpace Weaver
<a name="awssimspaceweaver-policy-keys"></a>

AWS SimSpace Weaver defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Snow Device Management
<a name="list_awssnowdevicemanagement"></a>

AWS Snow Device Management (service prefix: `snow-device-management`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/snowball/latest/developer-guide/aws-sdm.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/snowball/latest/developer-guide/aws-sdm.html#sdm-cli-commands).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/snowball/latest/developer-guide/aws-sdm.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Snow Device Management
](#awssnowdevicemanagement-actions-as-permissions)
+ [

## Resource types defined by AWS Snow Device Management
](#awssnowdevicemanagement-resources-for-iam-policies)
+ [

## Condition keys for AWS Snow Device Management
](#awssnowdevicemanagement-policy-keys)

## Actions defined by AWS Snow Device Management
<a name="awssnowdevicemanagement-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssnowdevicemanagement-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssnowdevicemanagement.html)

## Resource types defined by AWS Snow Device Management
<a name="awssnowdevicemanagement-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssnowdevicemanagement-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/snowball/latest/developer-guide/aws-sdm.html](https://docs.aws.amazon.com/snowball/latest/developer-guide/aws-sdm.html)  |  arn:\$1\$1Partition\$1:snow-device-management:\$1\$1Region\$1:\$1\$1Account\$1:managed-device/\$1\$1ResourceId\$1  |   [#awssnowdevicemanagement-aws_ResourceTag___TagKey_](#awssnowdevicemanagement-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/snowball/latest/developer-guide/aws-sdm.html](https://docs.aws.amazon.com/snowball/latest/developer-guide/aws-sdm.html)  |  arn:\$1\$1Partition\$1:snow-device-management:\$1\$1Region\$1:\$1\$1Account\$1:task/\$1\$1ResourceId\$1  |   [#awssnowdevicemanagement-aws_ResourceTag___TagKey_](#awssnowdevicemanagement-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Snow Device Management
<a name="awssnowdevicemanagement-policy-keys"></a>

AWS Snow Device Management defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the presence of tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Snowball
<a name="list_awssnowball"></a>

AWS Snowball (service prefix: `snowball`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/snowball/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/snowball/latest/api-reference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/snowball/latest/ug/) permission policies.

**Topics**
+ [

## Actions defined by AWS Snowball
](#awssnowball-actions-as-permissions)
+ [

## Resource types defined by AWS Snowball
](#awssnowball-resources-for-iam-policies)
+ [

## Condition keys for AWS Snowball
](#awssnowball-policy-keys)

## Actions defined by AWS Snowball
<a name="awssnowball-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssnowball-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_CancelCluster.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CancelCluster.html)  | Grants permission to cancel a cluster job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_CancelJob.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CancelJob.html)  | Grants permission to cancel the specified job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateAddress.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateAddress.html)  | Grants permission to create an address for a Snowball to be shipped to | Write |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateCluster.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateCluster.html)  | Grants permission to create an empty cluster | Write |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateJob.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateJob.html)  | Grants permission to creates a job to import or export data between Amazon S3 and your on-premises data center | Write |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateLongTermPricing.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateLongTermPricing.html)  | Grants permission to creates a LongTermPricingListEntry for allowing customers to add an upfront billing contract for a job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateReturnShippingLabel.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateReturnShippingLabel.html)  | Grants permission to create a shipping label that will be used to return the Snow device to AWS | Write |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeAddress.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeAddress.html)  | Grants permission to get specific details about that address in the form of an Address object | Read |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeAddresses.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeAddresses.html)  | Grants permission to describe a specified number of ADDRESS objects | List |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeCluster.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeCluster.html)  | Grants permission to describe information about a specific cluster including shipping information, cluster status, and other important metadata | Read |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeJob.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeJob.html)  | Grants permission to describe information about a specific job including shipping information, job status, and other important metadata | Read |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeReturnShippingLabel.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeReturnShippingLabel.html)  | Grants permission to describe information on the shipping label of a Snow device that is being returned to AWS | Read |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetJobManifest.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetJobManifest.html)  | Grants permission to get a link to an Amazon S3 presigned URL for the manifest file associated with the specified JobId value | Read |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetJobUnlockCode.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetJobUnlockCode.html)  | Grants permission to get the UnlockCode code value for the specified job | Read |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetSnowballUsage.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetSnowballUsage.html)  | Grants permission to get information about the Snowball service limit for your account, and also the number of Snowballs your account has in use | Read |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetSoftwareUpdates.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetSoftwareUpdates.html)  | Grants permission to return an Amazon S3 presigned URL for an update file associated with a specified JobId | Read |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListClusterJobs.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListClusterJobs.html)  | Grants permission to list JobListEntry objects of the specified length | List |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListClusters.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListClusters.html)  | Grants permission to list ClusterListEntry objects of the specified length | List |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListCompatibleImages.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListCompatibleImages.html)  | Grants permission to return a list of the different Amazon EC2 Amazon Machine Images (AMIs) that are owned by your AWS account that would be supported for use on a Snow device | List |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListJobs.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListJobs.html)  | Grants permission to list JobListEntry objects of the specified length | List |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListLongTermPricing.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListLongTermPricing.html)  | Grants permission to list LongTermPricingListEntry objects for the account making the request | Read |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListPickupLocations.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListPickupLocations.html)  | Grants permission to list Address objects where pickup is available, of the specified length | List |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListServiceVersions.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListServiceVersions.html)  | Grants permission to list all supported versions for Snow on-device services | List |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_UpdateCluster.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_UpdateCluster.html)  | Grants permission to update while a cluster's ClusterState value is in the AwaitingQuorum state, you can update some of the information associated with a cluster | Write |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_UpdateJob.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_UpdateJob.html)  | Grants permission to update while a job's JobState value is New, you can update some of the information associated with a job | Write |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_UpdateJobShipmentState.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_UpdateJobShipmentState.html)  | Grants permission to update the state when a the shipment states changes to a different state | Write |  |  |  | 
|   [https://docs.aws.amazon.com/snowball/latest/api-reference/API_UpdateLongTermPricing.html](https://docs.aws.amazon.com/snowball/latest/api-reference/API_UpdateLongTermPricing.html)  | Grants permission to update a specific upfront billing contract for a job | Write |  |  |  | 

## Resource types defined by AWS Snowball
<a name="awssnowball-resources-for-iam-policies"></a>

AWS Snowball does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Snowball, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Snowball
<a name="awssnowball-policy-keys"></a>

Snowball has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon SNS
<a name="list_amazonsns"></a>

Amazon SNS (service prefix: `sns`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/sns/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/sns/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/sns/latest/dg/UsingIAMwithSNS.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon SNS
](#amazonsns-actions-as-permissions)
+ [

## Resource types defined by Amazon SNS
](#amazonsns-resources-for-iam-policies)
+ [

## Condition keys for Amazon SNS
](#amazonsns-policy-keys)

## Actions defined by Amazon SNS
<a name="amazonsns-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsns-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsns.html)

## Resource types defined by Amazon SNS
<a name="amazonsns-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonsns-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/sns/latest/dg/CreateTopic.html](https://docs.aws.amazon.com/sns/latest/dg/CreateTopic.html)  |  arn:\$1\$1Partition\$1:sns:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1TopicName\$1  |   [#amazonsns-aws_ResourceTag___TagKey_](#amazonsns-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon SNS
<a name="amazonsns-policy-keys"></a>

Amazon SNS defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags from request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys from request | ArrayOfString | 
|   [https://docs.aws.amazon.com/sns/latest/dg/UsingIAMwithSNS.html#w2ab1c11c23c19](https://docs.aws.amazon.com/sns/latest/dg/UsingIAMwithSNS.html#w2ab1c11c23c19)  | Filters access by the URL, email address, or ARN from a Subscribe request or a previously confirmed subscription | String | 
|   [https://docs.aws.amazon.com/sns/latest/dg/UsingIAMwithSNS.html#w2ab1c11c23c19](https://docs.aws.amazon.com/sns/latest/dg/UsingIAMwithSNS.html#w2ab1c11c23c19)  | Filters access by the protocol value from a Subscribe request or a previously confirmed subscription | String | 

# Actions, resources, and condition keys for AWS SQL Workbench
<a name="list_awssqlworkbench"></a>

AWS SQL Workbench (service prefix: `sqlworkbench`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/redshift/latest/mgmt/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS SQL Workbench
](#awssqlworkbench-actions-as-permissions)
+ [

## Resource types defined by AWS SQL Workbench
](#awssqlworkbench-resources-for-iam-policies)
+ [

## Condition keys for AWS SQL Workbench
](#awssqlworkbench-policy-keys)

## Actions defined by AWS SQL Workbench
<a name="awssqlworkbench-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssqlworkbench-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssqlworkbench.html)

## Resource types defined by AWS SQL Workbench
<a name="awssqlworkbench-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssqlworkbench-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2.html](https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2.html)  |  arn:\$1\$1Partition\$1:sqlworkbench:\$1\$1Region\$1:\$1\$1Account\$1:connection/\$1\$1ResourceId\$1  |   [#awssqlworkbench-aws_ResourceTag___TagKey_](#awssqlworkbench-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2.html](https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2.html)  |  arn:\$1\$1Partition\$1:sqlworkbench:\$1\$1Region\$1:\$1\$1Account\$1:query/\$1\$1ResourceId\$1  |   [#awssqlworkbench-aws_ResourceTag___TagKey_](#awssqlworkbench-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2.html](https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2.html)  |  arn:\$1\$1Partition\$1:sqlworkbench:\$1\$1Region\$1:\$1\$1Account\$1:chart/\$1\$1ResourceId\$1  |   [#awssqlworkbench-aws_ResourceTag___TagKey_](#awssqlworkbench-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2.html](https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2.html)  |  arn:\$1\$1Partition\$1:sqlworkbench:\$1\$1Region\$1:\$1\$1Account\$1:notebook/\$1\$1ResourceId\$1  |   [#awssqlworkbench-aws_ResourceTag___TagKey_](#awssqlworkbench-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS SQL Workbench
<a name="awssqlworkbench-policy-keys"></a>

AWS SQL Workbench defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags that are associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon SQS
<a name="list_amazonsqs"></a>

Amazon SQS (service prefix: `sqs`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-authentication-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon SQS
](#amazonsqs-actions-as-permissions)
+ [

## Resource types defined by Amazon SQS
](#amazonsqs-resources-for-iam-policies)
+ [

## Condition keys for Amazon SQS
](#amazonsqs-policy-keys)

## Actions defined by Amazon SQS
<a name="amazonsqs-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonsqs-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html)

## Resource types defined by Amazon SQS
<a name="amazonsqs-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonsqs-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).

**Note**  
The ARN of the queue is used only in IAM permission policies. In API and CLI calls, you use the queue's URL instead.


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-queue-types.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-queue-types.html)  |  arn:\$1\$1Partition\$1:sqs:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1QueueName\$1  |   [#amazonsqs-aws_ResourceTag___TagKey_](#amazonsqs-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon SQS
<a name="amazonsqs-policy-keys"></a>

Amazon SQS defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Step Functions
<a name="list_awsstepfunctions"></a>

AWS Step Functions (service prefix: `states`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/step-functions/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/step-functions/latest/dg/procedure-create-iam-role.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Step Functions
](#awsstepfunctions-actions-as-permissions)
+ [

## Resource types defined by AWS Step Functions
](#awsstepfunctions-resources-for-iam-policies)
+ [

## Condition keys for AWS Step Functions
](#awsstepfunctions-policy-keys)

## Actions defined by AWS Step Functions
<a name="awsstepfunctions-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsstepfunctions-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html)

## Resource types defined by AWS Step Functions
<a name="awsstepfunctions-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsstepfunctions-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/concepts-activities.html](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-activities.html)  |  arn:\$1\$1Partition\$1:states:\$1\$1Region\$1:\$1\$1Account\$1:activity:\$1\$1ActivityName\$1  |   [#awsstepfunctions-aws_ResourceTag___TagKey_](#awsstepfunctions-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/concepts-state-machine-executions.html](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-state-machine-executions.html)  |  arn:\$1\$1Partition\$1:states:\$1\$1Region\$1:\$1\$1Account\$1:execution:\$1\$1StateMachineName\$1:\$1\$1ExecutionId\$1  |   [#awsstepfunctions-aws_ResourceTag___TagKey_](#awsstepfunctions-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/concepts-state-machine-executions.html](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-state-machine-executions.html)  |  arn:\$1\$1Partition\$1:states:\$1\$1Region\$1:\$1\$1Account\$1:express:\$1\$1StateMachineName\$1:\$1\$1ExecutionId\$1:\$1\$1ExpressId\$1  |  | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/concepts-amazon-states-language.html](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-amazon-states-language.html)  |  arn:\$1\$1Partition\$1:states:\$1\$1Region\$1:\$1\$1Account\$1:stateMachine:\$1\$1StateMachineName\$1  |   [#awsstepfunctions-aws_ResourceTag___TagKey_](#awsstepfunctions-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/concepts-cd-aliasing-versioning.html](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-cd-aliasing-versioning.html)  |  arn:\$1\$1Partition\$1:states:\$1\$1Region\$1:\$1\$1Account\$1:stateMachine:\$1\$1StateMachineName\$1:\$1\$1StateMachineVersionId\$1  |   [#awsstepfunctions-aws_ResourceTag___TagKey_](#awsstepfunctions-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/concepts-cd-aliasing-versioning.html](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-cd-aliasing-versioning.html)  |  arn:\$1\$1Partition\$1:states:\$1\$1Region\$1:\$1\$1Account\$1:stateMachine:\$1\$1StateMachineName\$1:\$1\$1StateMachineAliasName\$1  |   [#awsstepfunctions-aws_ResourceTag___TagKey_](#awsstepfunctions-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/concepts-examine-map-run.html](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-examine-map-run.html)  |  arn:\$1\$1Partition\$1:states:\$1\$1Region\$1:\$1\$1Account\$1:mapRun:\$1\$1StateMachineName\$1/\$1\$1MapRunLabel\$1:\$1\$1MapRunId\$1  |  | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/concepts-examine-map-run.html](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-examine-map-run.html)  |  arn:\$1\$1Partition\$1:states:\$1\$1Region\$1:\$1\$1Account\$1:execution:\$1\$1StateMachineName\$1/\$1\$1MapRunLabel\$1:\$1\$1ExecutionId\$1  |  | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/concepts-examine-map-run.html](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-examine-map-run.html)  |  arn:\$1\$1Partition\$1:states:\$1\$1Region\$1:\$1\$1Account\$1:express:\$1\$1StateMachineName\$1/\$1\$1MapRunLabel\$1:\$1\$1ExecutionId\$1:\$1\$1ExpressId\$1  |  | 

## Condition keys for AWS Step Functions
<a name="awsstepfunctions-policy-keys"></a>

AWS Step Functions defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/connect-third-party-apis.html](https://docs.aws.amazon.com/step-functions/latest/dg/connect-third-party-apis.html)  | Filters access by the endpoint that the HTTP Task state allows in the request | String | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/connect-third-party-apis.html](https://docs.aws.amazon.com/step-functions/latest/dg/connect-third-party-apis.html)  | Filters access by the method that the HTTP Task state allows in the request | String | 
|   [https://docs.aws.amazon.com/step-functions/latest/dg/auth-version-alias.html](https://docs.aws.amazon.com/step-functions/latest/dg/auth-version-alias.html)  | Filters access by the qualifier of a state machine ARN | ArrayOfString | 

# Actions, resources, and condition keys for AWS Storage Gateway
<a name="list_awsstoragegateway"></a>

AWS Storage Gateway (service prefix: `storagegateway`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/storagegateway/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/storagegateway/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/storagegateway/latest/userguide/UsingIAMWithStorageGateway.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Storage Gateway
](#awsstoragegateway-actions-as-permissions)
+ [

## Resource types defined by AWS Storage Gateway
](#awsstoragegateway-resources-for-iam-policies)
+ [

## Condition keys for AWS Storage Gateway
](#awsstoragegateway-policy-keys)

## Actions defined by AWS Storage Gateway
<a name="awsstoragegateway-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsstoragegateway-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstoragegateway.html)

## Resource types defined by AWS Storage Gateway
<a name="awsstoragegateway-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsstoragegateway-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/filegateway/latest/files3/cache-report.html](https://docs.aws.amazon.com/filegateway/latest/files3/cache-report.html)  |  arn:\$1\$1Partition\$1:storagegateway:\$1\$1Region\$1:\$1\$1Account\$1:share/\$1\$1ShareId\$1/cache-report/\$1\$1CacheReportId\$1  |   [#awsstoragegateway-aws_ResourceTag___TagKey_](#awsstoragegateway-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/storagegateway/latest/userguide/resource_vtl-devices.html](https://docs.aws.amazon.com/storagegateway/latest/userguide/resource_vtl-devices.html)  |  arn:\$1\$1Partition\$1:storagegateway:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1/device/\$1\$1Vtldevice\$1  |  | 
|   [https://docs.aws.amazon.com/filegateway/latest/filefsxw/attach-fsxw-filesystem.html](https://docs.aws.amazon.com/filegateway/latest/filefsxw/attach-fsxw-filesystem.html)  |  arn:\$1\$1Partition\$1:storagegateway:\$1\$1Region\$1:\$1\$1Account\$1:fs-association/\$1\$1FsaId\$1  |   [#awsstoragegateway-aws_ResourceTag___TagKey_](#awsstoragegateway-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html](https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html)  |  arn:\$1\$1Partition\$1:storagegateway:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1  |   [#awsstoragegateway-aws_ResourceTag___TagKey_](#awsstoragegateway-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/storagegateway/latest/userguide/GettingStartedCreateFileShare.html](https://docs.aws.amazon.com/storagegateway/latest/userguide/GettingStartedCreateFileShare.html)  |  arn:\$1\$1Partition\$1:storagegateway:\$1\$1Region\$1:\$1\$1Account\$1:share/\$1\$1ShareId\$1  |   [#awsstoragegateway-aws_ResourceTag___TagKey_](#awsstoragegateway-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html#storage-gateway-vtl-concepts](https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html#storage-gateway-vtl-concepts)  |  arn:\$1\$1Partition\$1:storagegateway:\$1\$1Region\$1:\$1\$1Account\$1:tape/\$1\$1TapeBarcode\$1  |   [#awsstoragegateway-aws_ResourceTag___TagKey_](#awsstoragegateway-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/storagegateway/latest/userguide/CreatingCustomTapePool.html](https://docs.aws.amazon.com/storagegateway/latest/userguide/CreatingCustomTapePool.html)  |  arn:\$1\$1Partition\$1:storagegateway:\$1\$1Region\$1:\$1\$1Account\$1:tapepool/\$1\$1PoolId\$1  |   [#awsstoragegateway-aws_ResourceTag___TagKey_](#awsstoragegateway-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/storagegateway/latest/userguide/GettingStartedCreateVolumes.html](https://docs.aws.amazon.com/storagegateway/latest/userguide/GettingStartedCreateVolumes.html)  |  arn:\$1\$1Partition\$1:storagegateway:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1/target/\$1\$1IscsiTarget\$1  |  | 
|   [https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html#volume-gateway-concepts](https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html#volume-gateway-concepts)  |  arn:\$1\$1Partition\$1:storagegateway:\$1\$1Region\$1:\$1\$1Account\$1:gateway/\$1\$1GatewayId\$1/volume/\$1\$1VolumeId\$1  |   [#awsstoragegateway-aws_ResourceTag___TagKey_](#awsstoragegateway-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Storage Gateway
<a name="awsstoragegateway-policy-keys"></a>

AWS Storage Gateway defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Supply Chain
<a name="list_awssupplychain"></a>

AWS Supply Chain (service prefix: `scn`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/aws-supply-chain/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/aws-supply-chain/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/aws-supply-chain/latest/adminguide/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Supply Chain
](#awssupplychain-actions-as-permissions)
+ [

## Resource types defined by AWS Supply Chain
](#awssupplychain-resources-for-iam-policies)
+ [

## Condition keys for AWS Supply Chain
](#awssupplychain-policy-keys)

## Actions defined by AWS Supply Chain
<a name="awssupplychain-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssupplychain-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html)

## Resource types defined by AWS Supply Chain
<a name="awssupplychain-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssupplychain-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html)  |  arn:\$1\$1Partition\$1:scn:\$1\$1Region\$1:\$1\$1Account\$1:instance/\$1\$1InstanceId\$1  |   [#awssupplychain-aws_ResourceTag___TagKey_](#awssupplychain-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html)  |  arn:\$1\$1Partition\$1:scn:\$1\$1Region\$1:\$1\$1Account\$1:instance/\$1\$1InstanceId\$1/bill-of-materials-import-job/\$1\$1JobId\$1  |  | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html)  |  arn:\$1\$1Partition\$1:scn:\$1\$1Region\$1:\$1\$1Account\$1:instance/\$1\$1InstanceId\$1/data-integration-flows/\$1\$1FlowName\$1  |   [#awssupplychain-aws_ResourceTag___TagKey_](#awssupplychain-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html)  |  arn:\$1\$1Partition\$1:scn:\$1\$1Region\$1:\$1\$1Account\$1:instance/\$1\$1InstanceId\$1/namespaces/\$1\$1Namespace\$1  |   [#awssupplychain-aws_ResourceTag___TagKey_](#awssupplychain-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupplychain.html)  |  arn:\$1\$1Partition\$1:scn:\$1\$1Region\$1:\$1\$1Account\$1:instance/\$1\$1InstanceId\$1/namespaces/\$1\$1Namespace\$1/datasets/\$1\$1DatasetName\$1  |   [#awssupplychain-aws_ResourceTag___TagKey_](#awssupplychain-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Supply Chain
<a name="awssupplychain-policy-keys"></a>

AWS Supply Chain defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by using tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by using tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by using tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Support
<a name="list_awssupport"></a>

AWS Support (service prefix: `support`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awssupport/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awssupport/latest/user/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Support
](#awssupport-actions-as-permissions)
+ [

## Resource types defined by AWS Support
](#awssupport-resources-for-iam-policies)
+ [

## Condition keys for AWS Support
](#awssupport-policy-keys)

## Actions defined by AWS Support
<a name="awssupport-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssupport-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).

**Note**  
Support provides the ability to access, modify and resolve cases, as well as use Trusted Advisor actions. When you use the Support API to call Trusted Advisor-related actions, none of the "trustedadvisor:\$1" actions restrict your access. The "trustedadvisor:\$1" actions apply only to Trusted Advisor in the AWS Management Console.


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_AddAttachmentsToSet.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_AddAttachmentsToSet.html)  | Grants permission to add one or more attachments to an AWS Support case | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_AddCommunicationToCase.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_AddCommunicationToCase.html)  | Grants permission to add a customer communication to an AWS Support case | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_CreateCase.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_CreateCase.html)  | Grants permission to creates a new AWS Support case | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeAttachment.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeAttachment.html)  | Grants permission to describe attachment detail | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to allow secondary services to read AWS Support case attributes.This is an internally managed function | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeCaseOptions.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeCaseOptions.html)  | Grants permission to describe the available options for a single AWS Support case. This is an internally managed function | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeCases.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeCases.html)  | Grants permission to list AWS Support cases that matches the given inputs | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to get a single communication and attachments for a single AWS Support case | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeCommunications.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeCommunications.html)  | Grants permission to list the communications and attachments for one or more AWS Support cases | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeCreateCaseOptions.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeCreateCaseOptions.html)  | Grants permission to describes the available options for creating a support case | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to return issue types for AWS Support cases | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeServices.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeServices.html)  | Grants permission to list AWS services and categories that applies to each service | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeSeverityLevels.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeSeverityLevels.html)  | Grants permission to list severity levels that can be assigned to an AWS Support case | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to return the support level for an AWS Account identifier | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeSupportedLanguages.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeSupportedLanguages.html)  | Grants permission to describes the available support languages for a given category code, service code and issue type | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeTrustedAdvisorCheckRefreshStatuses.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeTrustedAdvisorCheckRefreshStatuses.html)  | Grants permission to get the status of a Trusted Advisor refresh check based on a list of check identifiers | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeTrustedAdvisorCheckResult.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeTrustedAdvisorCheckResult.html)  | Grants permission to get the results of the Trusted Advisor check that has the specified check identifier | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeTrustedAdvisorCheckSummaries.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeTrustedAdvisorCheckSummaries.html)  | Grants permission to get the summaries of the results of the Trusted Advisor checks that have the specified check identifiers | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeTrustedAdvisorChecks.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_DescribeTrustedAdvisorChecks.html)  | Grants permission to get a list of all available Trusted Advisor checks, including name, identifier, category and description | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_GetInteraction.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_GetInteraction.html)  | Grants permission to retrieve personalized troubleshooting assistance for account and technical issues for a specific interaction | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to initiate a call on AWS Support Center. This is an internally managed function | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to initiate a chat on AWS Support Center.This is an internally managed function | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to initiate a live contact on AWS Support Center. This is an internally managed function | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to retrieve a list of entries within a specific interaction, including messages, status updates, or other relevant data points | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to retrieve a list of interactions, potentially with filters or pagination | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to allow secondary services to attach attributes to AWS Support cases. This is an internally managed function | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to rate an AWS Support case communication | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_RefreshTrustedAdvisorCheck.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_RefreshTrustedAdvisorCheck.html)  | Grants permission to requests a refresh of the Trusted Advisor check that has the specified check identifier | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_ResolveCase.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_ResolveCase.html)  | Grants permission to resolve an AWS Support case | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to mark a specific interaction as resolved by its unique identifier, indicating that the issue has been addressed and no further action is needed | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html)  | Grants permission to return a list of AWS Support cases that matches the given inputs | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_StartInteraction.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_StartInteraction.html)  | Grants permission to start a specific interaction to receive personalized troubleshooting assistance for account and technical issues | Write |  |  |   support:DescribeSupportLevel   | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_UpdateCaseSeverity.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_UpdateCaseSeverity.html)  | Grants permission to update the severity for a single AWS Support case. This is an internally managed function | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_UpdateInteraction.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_UpdateInteraction.html)  | Grants permission to update a specific interaction to receive personalized troubleshooting assistance for account and technical issues | Write |  |  |  | 

## Resource types defined by AWS Support
<a name="awssupport-resources-for-iam-policies"></a>

AWS Support does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Support, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Support
<a name="awssupport-policy-keys"></a>

Support has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Support App in Slack
<a name="list_awssupportappinslack"></a>

AWS Support App in Slack (service prefix: `supportapp`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awssupport/latest/user/aws-support-app-for-slack.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/supportapp/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awssupport/latest/user/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Support App in Slack
](#awssupportappinslack-actions-as-permissions)
+ [

## Resource types defined by AWS Support App in Slack
](#awssupportappinslack-resources-for-iam-policies)
+ [

## Condition keys for AWS Support App in Slack
](#awssupportappinslack-policy-keys)

## Actions defined by AWS Support App in Slack
<a name="awssupportappinslack-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssupportappinslack-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/supportapp/latest/APIReference/API_CreateSlackChannelConfiguration.html](https://docs.aws.amazon.com/supportapp/latest/APIReference/API_CreateSlackChannelConfiguration.html)  | Grants permission to create a Slack channel configuration for your account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/supportapp/latest/APIReference/API_DeleteAccountAlias.html](https://docs.aws.amazon.com/supportapp/latest/APIReference/API_DeleteAccountAlias.html)  | Grants permission to delete an alias from your account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/supportapp/latest/APIReference/API_DeleteSlackChannelConfiguration.html](https://docs.aws.amazon.com/supportapp/latest/APIReference/API_DeleteSlackChannelConfiguration.html)  | Grants permission to delete a Slack channel configuration from your account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/supportapp/latest/APIReference/API_DeleteSlackWorkspaceConfiguration.html](https://docs.aws.amazon.com/supportapp/latest/APIReference/API_DeleteSlackWorkspaceConfiguration.html)  | Grants permission to delete a Slack workspace configuration from your account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/slack-authorization-permissions.html](https://docs.aws.amazon.com/awssupport/latest/user/slack-authorization-permissions.html) [permission only] | Grants permission to list all public Slack channels in a workspace that have invited the AWS Support App | Read |  |  |  | 
|   [https://docs.aws.amazon.com/supportapp/latest/APIReference/API_GetAccountAlias.html](https://docs.aws.amazon.com/supportapp/latest/APIReference/API_GetAccountAlias.html)  | Grants permission to get the alias for your account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/slack-authorization-permissions.html](https://docs.aws.amazon.com/awssupport/latest/user/slack-authorization-permissions.html) [permission only] | Grants permission to get parameters for the Slack OAuth code, which the AWS Support App uses to authorize the workspace | Read |  |  |  | 
|   [https://docs.aws.amazon.com/supportapp/latest/APIReference/API_ListSlackChannelConfigurations.html](https://docs.aws.amazon.com/supportapp/latest/APIReference/API_ListSlackChannelConfigurations.html)  | Grants permission to list all Slack channel configurations for your account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/supportapp/latest/APIReference/API_ListSlackWorkspaceConfigurations.html](https://docs.aws.amazon.com/supportapp/latest/APIReference/API_ListSlackWorkspaceConfigurations.html)  | Grants permission to list all Slack workspace configurations for your account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/supportapp/latest/APIReference/API_PutAccountAlias.html](https://docs.aws.amazon.com/supportapp/latest/APIReference/API_PutAccountAlias.html)  | Grants permission to create or update an alias for your account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/slack-authorization-permissions.html](https://docs.aws.amazon.com/awssupport/latest/user/slack-authorization-permissions.html) [permission only] | Grants permission to redeem the Slack OAuth code, which the AWS Support App uses to authorize the workspace | Write |  |  |  | 
|   [https://docs.aws.amazon.com/supportapp/latest/APIReference/API_RegisterSlackWorkspaceForOrganization.html](https://docs.aws.amazon.com/supportapp/latest/APIReference/API_RegisterSlackWorkspaceForOrganization.html)  | Grants permission to register a Slack workspace for an AWS account that is part of an organization | Write |  |  |  | 
|   [https://docs.aws.amazon.com/supportapp/latest/APIReference/API_UpdateSlackChannelConfiguration.html](https://docs.aws.amazon.com/supportapp/latest/APIReference/API_UpdateSlackChannelConfiguration.html)  | Grants permission to update a Slack channel configuration for your account | Write |  |  |  | 

## Resource types defined by AWS Support App in Slack
<a name="awssupportappinslack-resources-for-iam-policies"></a>

AWS Support App in Slack does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Support App in Slack, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Support App in Slack
<a name="awssupportappinslack-policy-keys"></a>

Support App has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Support Console
<a name="list_awssupportconsole"></a>

AWS Support Console (service prefix: `support-console`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awssupport/latest/user/aws-support-console.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awssupport/latest/user/support-console-access-control.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awssupport/latest/user/support-console-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Support Console
](#awssupportconsole-actions-as-permissions)
+ [

## Resource types defined by AWS Support Console
](#awssupportconsole-resources-for-iam-policies)
+ [

## Condition keys for AWS Support Console
](#awssupportconsole-policy-keys)

## Actions defined by AWS Support Console
<a name="awssupportconsole-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssupportconsole-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to check whether the account has access to given product | Read |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to create or update case draft for the given case type | Write |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to create an authenticated contact for the given contact type | Write |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to delete a case draft for the given case type | Write |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to get dynamic help resources for given service and category | Read |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to determines whether the calling account is GovCloud enabled | Read |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to get the state of the calling account | Read |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to get the support banner information | Read |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to get a case draft for given case type | Read |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to get classification predictions of an issue | Read |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to get a generated text summary of an issue | Read |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to get a feedback questionnaire | Read |  |  |  | 
|   [${AuthZDocPage}](${AuthZDocPage}) [permission only] | Grants permission to save questionnaire feedback | Write |  |  |  | 

## Resource types defined by AWS Support Console
<a name="awssupportconsole-resources-for-iam-policies"></a>

AWS Support Console does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Support Console, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Support Console
<a name="awssupportconsole-policy-keys"></a>

Support Console has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Support Plans
<a name="list_awssupportplans"></a>

AWS Support Plans (service prefix: `supportplans`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awssupport/latest/user/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awssupport/latest/user/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Support Plans
](#awssupportplans-actions-as-permissions)
+ [

## Resource types defined by AWS Support Plans
](#awssupportplans-resources-for-iam-policies)
+ [

## Condition keys for AWS Support Plans
](#awssupportplans-policy-keys)

## Actions defined by AWS Support Plans
<a name="awssupportplans-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssupportplans-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html](https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html) [permission only] | Grants permission to create support plan schedules for this AWS account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html](https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html) [permission only] | Grants permission to view details about the current support plan for this AWS account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html](https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html) [permission only] | Grants permission to view details about the status for a request to update a support plan | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html](https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html) [permission only] | Grants permission to view a list of all support plan modifiers for this AWS account | List |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html](https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html) [permission only] | Grants permission to update the support plan for this AWS account | Write |  |  |  | 

## Resource types defined by AWS Support Plans
<a name="awssupportplans-resources-for-iam-policies"></a>

AWS Support Plans does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Support Plans, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Support Plans
<a name="awssupportplans-policy-keys"></a>

Support Plans has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Sustainability
<a name="list_awssustainability"></a>

AWS Sustainability (service prefix: `sustainability`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/sustainability/latest/userguide/what-is-sustainability.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/sustainability/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/sustainability/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Sustainability
](#awssustainability-actions-as-permissions)
+ [

## Resource types defined by AWS Sustainability
](#awssustainability-resources-for-iam-policies)
+ [

## Condition keys for AWS Sustainability
](#awssustainability-policy-keys)

## Actions defined by AWS Sustainability
<a name="awssustainability-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssustainability-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to view the carbon footprint tool | Read |  |  |  | 
|   [https://docs.aws.amazon.com/sustainability/latest/APIReference/API_GetEstimatedCarbonEmissions.html](https://docs.aws.amazon.com/sustainability/latest/APIReference/API_GetEstimatedCarbonEmissions.html)  | Grants permission to view estimated carbon emission values based on customer grouping and filtering parameters | Read |  |  |  | 
|   [https://docs.aws.amazon.com/sustainability/latest/APIReference/API_GetEstimatedCarbonEmissionsDimensionValues.html](https://docs.aws.amazon.com/sustainability/latest/APIReference/API_GetEstimatedCarbonEmissionsDimensionValues.html)  | Grants permission to view the possible dimension values available for the estimated carbon emission values | Read |  |  |  | 

## Resource types defined by AWS Sustainability
<a name="awssustainability-resources-for-iam-policies"></a>

AWS Sustainability does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Sustainability, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Sustainability
<a name="awssustainability-policy-keys"></a>

Sustainability has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Systems Manager for SAP
<a name="list_awssystemsmanagerforsap"></a>

AWS Systems Manager for SAP (service prefix: `ssm-sap`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/systems-manager/index.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/systems-manager/index.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/systems-manager/index.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Systems Manager for SAP
](#awssystemsmanagerforsap-actions-as-permissions)
+ [

## Resource types defined by AWS Systems Manager for SAP
](#awssystemsmanagerforsap-resources-for-iam-policies)
+ [

## Condition keys for AWS Systems Manager for SAP
](#awssystemsmanagerforsap-policy-keys)

## Actions defined by AWS Systems Manager for SAP
<a name="awssystemsmanagerforsap-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssystemsmanagerforsap-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerforsap.html)

## Resource types defined by AWS Systems Manager for SAP
<a name="awssystemsmanagerforsap-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssystemsmanagerforsap-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/systems-manager/index.html](https://docs.aws.amazon.com/systems-manager/index.html)  |  arn:\$1\$1Partition\$1:ssm-sap:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1ApplicationType\$1/\$1\$1ApplicationId\$1  |   [#awssystemsmanagerforsap-aws_ResourceTag___TagKey_](#awssystemsmanagerforsap-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/systems-manager/index.html](https://docs.aws.amazon.com/systems-manager/index.html)  |  arn:\$1\$1Partition\$1:ssm-sap:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1ApplicationType\$1/\$1\$1ApplicationId\$1/COMPONENT/\$1\$1ComponentId\$1  |   [#awssystemsmanagerforsap-aws_ResourceTag___TagKey_](#awssystemsmanagerforsap-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/systems-manager/index.html](https://docs.aws.amazon.com/systems-manager/index.html)  |  arn:\$1\$1Partition\$1:ssm-sap:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1ApplicationType\$1/\$1\$1ApplicationId\$1/DB/\$1\$1DatabaseId\$1  |   [#awssystemsmanagerforsap-aws_ResourceTag___TagKey_](#awssystemsmanagerforsap-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Systems Manager for SAP
<a name="awssystemsmanagerforsap-policy-keys"></a>

AWS Systems Manager for SAP defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/systems-manager/index.html](https://docs.aws.amazon.com/systems-manager/index.html)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/systems-manager/index.html](https://docs.aws.amazon.com/systems-manager/index.html)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/systems-manager/index.html](https://docs.aws.amazon.com/systems-manager/index.html)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Systems Manager GUI Connect
<a name="list_awssystemsmanagerguiconnect"></a>

AWS Systems Manager GUI Connect (service prefix: `ssm-guiconnect`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Systems Manager GUI Connect
](#awssystemsmanagerguiconnect-actions-as-permissions)
+ [

## Resource types defined by AWS Systems Manager GUI Connect
](#awssystemsmanagerguiconnect-resources-for-iam-policies)
+ [

## Condition keys for AWS Systems Manager GUI Connect
](#awssystemsmanagerguiconnect-policy-keys)

## Actions defined by AWS Systems Manager GUI Connect
<a name="awssystemsmanagerguiconnect-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssystemsmanagerguiconnect-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html) [permission only] | Grants permission to terminate a GUI Connect connection | Write |  |  |  | 
|   [https://docs.aws.amazon.com/ssm-guiconnect/latest/APIReference/API_DeleteConnectionRecordingPreferences.html](https://docs.aws.amazon.com/ssm-guiconnect/latest/APIReference/API_DeleteConnectionRecordingPreferences.html)  | Grants permission to remove GUI Connect connection recording preferences | Write |  |  |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html) [permission only] | Grants permission to get the metadata for a GUI Connect connection | Read |  |  |  | 
|   [https://docs.aws.amazon.com/ssm-guiconnect/latest/APIReference/API_GetConnectionRecordingPreferences.html](https://docs.aws.amazon.com/ssm-guiconnect/latest/APIReference/API_GetConnectionRecordingPreferences.html)  | Grants permission to get GUI Connect connection recording preferences | Read |  |  |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html) [permission only] | Grants permission to list the metadata for GUI Connect connections | List |  |  |  | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html) [permission only] | Grants permission to start a GUI Connect connection | Write |  |  |  | 
|   [https://docs.aws.amazon.com/ssm-guiconnect/latest/APIReference/API_UpdateConnectionRecordingPreferences.html](https://docs.aws.amazon.com/ssm-guiconnect/latest/APIReference/API_UpdateConnectionRecordingPreferences.html)  | Grants permission to update GUI Connect connection recording preferences | Write |  |  |  | 

## Resource types defined by AWS Systems Manager GUI Connect
<a name="awssystemsmanagerguiconnect-resources-for-iam-policies"></a>

AWS Systems Manager GUI Connect does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Systems Manager GUI Connect, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Systems Manager GUI Connect
<a name="awssystemsmanagerguiconnect-policy-keys"></a>

GUI Connect has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Systems Manager Incident Manager
<a name="list_awssystemsmanagerincidentmanager"></a>

AWS Systems Manager Incident Manager (service prefix: `ssm-incidents`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/incident-manager/latest/userguide/what-is-incident-manager.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/incident-manager/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/incident-manager/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Systems Manager Incident Manager
](#awssystemsmanagerincidentmanager-actions-as-permissions)
+ [

## Resource types defined by AWS Systems Manager Incident Manager
](#awssystemsmanagerincidentmanager-resources-for-iam-policies)
+ [

## Condition keys for AWS Systems Manager Incident Manager
](#awssystemsmanagerincidentmanager-policy-keys)

## Actions defined by AWS Systems Manager Incident Manager
<a name="awssystemsmanagerincidentmanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssystemsmanagerincidentmanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanager.html)

## Resource types defined by AWS Systems Manager Incident Manager
<a name="awssystemsmanagerincidentmanager-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssystemsmanagerincidentmanager-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/incident-manager/latest/userguide/response-plans.html](https://docs.aws.amazon.com/incident-manager/latest/userguide/response-plans.html)  |  arn:\$1\$1Partition\$1:ssm-incidents::\$1\$1Account\$1:response-plan/\$1\$1ResponsePlan\$1  |   [#awssystemsmanagerincidentmanager-aws_ResourceTag___TagKey_](#awssystemsmanagerincidentmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/incident-manager/latest/userguide/tracking-details.html](https://docs.aws.amazon.com/incident-manager/latest/userguide/tracking-details.html)  |  arn:\$1\$1Partition\$1:ssm-incidents::\$1\$1Account\$1:incident-record/\$1\$1ResponsePlan\$1/\$1\$1IncidentRecord\$1  |   [#awssystemsmanagerincidentmanager-aws_ResourceTag___TagKey_](#awssystemsmanagerincidentmanager-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/incident-manager/latest/userguide/disaster-recovery-resiliency.html#replication](https://docs.aws.amazon.com/incident-manager/latest/userguide/disaster-recovery-resiliency.html#replication)  |  arn:\$1\$1Partition\$1:ssm-incidents::\$1\$1Account\$1:replication-set/\$1\$1ReplicationSet\$1  |   [#awssystemsmanagerincidentmanager-aws_ResourceTag___TagKey_](#awssystemsmanagerincidentmanager-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Systems Manager Incident Manager
<a name="awssystemsmanagerincidentmanager-policy-keys"></a>

AWS Systems Manager Incident Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Systems Manager Incident Manager Contacts
<a name="list_awssystemsmanagerincidentmanagercontacts"></a>

AWS Systems Manager Incident Manager Contacts (service prefix: `ssm-contacts`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/incident-manager/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/incident-manager/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Systems Manager Incident Manager Contacts
](#awssystemsmanagerincidentmanagercontacts-actions-as-permissions)
+ [

## Resource types defined by AWS Systems Manager Incident Manager Contacts
](#awssystemsmanagerincidentmanagercontacts-resources-for-iam-policies)
+ [

## Condition keys for AWS Systems Manager Incident Manager Contacts
](#awssystemsmanagerincidentmanagercontacts-policy-keys)

## Actions defined by AWS Systems Manager Incident Manager Contacts
<a name="awssystemsmanagerincidentmanagercontacts-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssystemsmanagerincidentmanagercontacts-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html)

## Resource types defined by AWS Systems Manager Incident Manager Contacts
<a name="awssystemsmanagerincidentmanagercontacts-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssystemsmanagerincidentmanagercontacts-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html](https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html)  |  arn:\$1\$1Partition\$1:ssm-contacts:\$1\$1Region\$1:\$1\$1Account\$1:contact/\$1\$1ContactAlias\$1  |   [#awssystemsmanagerincidentmanagercontacts-aws_ResourceTag___TagKey_](#awssystemsmanagerincidentmanagercontacts-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html](https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html)  |  arn:\$1\$1Partition\$1:ssm-contacts:\$1\$1Region\$1:\$1\$1Account\$1:contactchannel/\$1\$1ContactAlias\$1/\$1\$1ContactChannelId\$1  |  | 
|   [https://docs.aws.amazon.com/incident-manager/latest/userguide/escalation.html](https://docs.aws.amazon.com/incident-manager/latest/userguide/escalation.html)  |  arn:\$1\$1Partition\$1:ssm-contacts:\$1\$1Region\$1:\$1\$1Account\$1:engagement/\$1\$1ContactAlias\$1/\$1\$1EngagementId\$1  |  | 
|   [https://docs.aws.amazon.com/incident-manager/latest/userguide/escalation.html](https://docs.aws.amazon.com/incident-manager/latest/userguide/escalation.html)  |  arn:\$1\$1Partition\$1:ssm-contacts:\$1\$1Region\$1:\$1\$1Account\$1:page/\$1\$1ContactAlias\$1/\$1\$1PageId\$1  |  | 
|   [https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-manager-on-call-schedule.html](https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-manager-on-call-schedule.html)  |  arn:\$1\$1Partition\$1:ssm-contacts:\$1\$1Region\$1:\$1\$1Account\$1:rotation/\$1\$1RotationId\$1  |   [#awssystemsmanagerincidentmanagercontacts-aws_ResourceTag___TagKey_](#awssystemsmanagerincidentmanagercontacts-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Systems Manager Incident Manager Contacts
<a name="awssystemsmanagerincidentmanagercontacts-policy-keys"></a>

AWS Systems Manager Incident Manager Contacts defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Systems Manager Quick Setup
<a name="list_awssystemsmanagerquicksetup"></a>

AWS Systems Manager Quick Setup (service prefix: `ssm-quicksetup`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-quick-setup.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/quick-setup/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Systems Manager Quick Setup
](#awssystemsmanagerquicksetup-actions-as-permissions)
+ [

## Resource types defined by AWS Systems Manager Quick Setup
](#awssystemsmanagerquicksetup-resources-for-iam-policies)
+ [

## Condition keys for AWS Systems Manager Quick Setup
](#awssystemsmanagerquicksetup-policy-keys)

## Actions defined by AWS Systems Manager Quick Setup
<a name="awssystemsmanagerquicksetup-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awssystemsmanagerquicksetup-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerquicksetup.html)

## Resource types defined by AWS Systems Manager Quick Setup
<a name="awssystemsmanagerquicksetup-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awssystemsmanagerquicksetup-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-quick-setup.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-quick-setup.html)  |  arn:\$1\$1Partition\$1:ssm-quicksetup:\$1\$1Region\$1:\$1\$1Account\$1:configuration-manager/\$1\$1ConfigurationManagerId\$1  |   [#awssystemsmanagerquicksetup-aws_ResourceTag___TagKey_](#awssystemsmanagerquicksetup-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Systems Manager Quick Setup
<a name="awssystemsmanagerquicksetup-policy-keys"></a>

AWS Systems Manager Quick Setup defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Tag Editor
<a name="list_tageditor"></a>

Tag Editor (service prefix: `resource-explorer`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/ARG/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ARG/latest/userguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/ARG/latest/userguide/) permission policies.

**Topics**
+ [

## Actions defined by Tag Editor
](#tageditor-actions-as-permissions)
+ [

## Resource types defined by Tag Editor
](#tageditor-resources-for-iam-policies)
+ [

## Condition keys for Tag Editor
](#tageditor-policy-keys)

## Actions defined by Tag Editor
<a name="tageditor-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#tageditor-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted-prereqs.html#rg-permissions-te](https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted-prereqs.html#rg-permissions-te) [permission only] | Grants permission to retrieve the resource types currently supported by Tag Editor | List |  |  |  | 
|   [https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted-prereqs.html#rg-permissions-te](https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted-prereqs.html#rg-permissions-te) [permission only] | Grants permission to retrieve the identifiers of the resources in the AWS account | List |  |  |  | 
|   [https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted-prereqs.html#rg-permissions-te](https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted-prereqs.html#rg-permissions-te) [permission only] | Grants permission to retrieve the tags attached to the specified resource identifiers | Read |  |  |   tag:GetResources   | 

## Resource types defined by Tag Editor
<a name="tageditor-resources-for-iam-policies"></a>

Tag Editor does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Tag Editor, specify `"Resource": "*"` in your policy.

## Condition keys for Tag Editor
<a name="tageditor-policy-keys"></a>

Tag Editor has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Tax Settings
<a name="list_awstaxsettings"></a>

AWS Tax Settings (service prefix: `tax`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/api-reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Tax Settings
](#awstaxsettings-actions-as-permissions)
+ [

## Resource types defined by AWS Tax Settings
](#awstaxsettings-resources-for-iam-policies)
+ [

## Condition keys for AWS Tax Settings
](#awstaxsettings-policy-keys)

## Actions defined by AWS Tax Settings
<a name="awstaxsettings-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awstaxsettings-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to batch delete tax registration data | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to batch update tax registrations | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to cancel documents such as withholding slips | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to upload new documents such as withholding slips | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html)  | Grants permission to delete supplemental tax registration data | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to delete tax registration data | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to retrieve documents such as withholding slips | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to retrieve a generated URL to upload documents | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to view tax exemptions data | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html) [permission only] | Grants permission to view/download tax documents/forms | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to view tax inheritance status | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html) [permission only] | Grants permission to retrieve tax interview data | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html)  | Grants permission to view tax registrations data | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to download tax registration documents | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to view documents such as withholding slips | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html)  | Grants permission to view supplemental tax registrations | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to view tax registrations | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to view eligible withholding invoices | Read |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html)  | Grants permission to update supplemental tax registrations data | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to set tax inheritance | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html) [permission only] | Grants permission to update tax interview data | Write |  |  |  | 
|   [https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html](https://docs.aws.amazon.com/marketplace/latest/userguide/detailed-management-portal-permissions.html)  | Grants permission to update tax registrations data | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html)  | Grants permission to update tax exemptions data | Write |  |  |  | 

## Resource types defined by AWS Tax Settings
<a name="awstaxsettings-resources-for-iam-policies"></a>

AWS Tax Settings does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Tax Settings, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Tax Settings
<a name="awstaxsettings-policy-keys"></a>

Tax Settings has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS Telco Network Builder
<a name="list_awstelconetworkbuilder"></a>

AWS Telco Network Builder (service prefix: `tnb`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/tnb/latest/ug/how-tnb-works.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/tnb/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/tnb/latest/ug/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Telco Network Builder
](#awstelconetworkbuilder-actions-as-permissions)
+ [

## Resource types defined by AWS Telco Network Builder
](#awstelconetworkbuilder-resources-for-iam-policies)
+ [

## Condition keys for AWS Telco Network Builder
](#awstelconetworkbuilder-policy-keys)

## Actions defined by AWS Telco Network Builder
<a name="awstelconetworkbuilder-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awstelconetworkbuilder-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awstelconetworkbuilder.html)

## Resource types defined by AWS Telco Network Builder
<a name="awstelconetworkbuilder-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awstelconetworkbuilder-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/tnb/latest/ug/function-packages.html](https://docs.aws.amazon.com/tnb/latest/ug/function-packages.html)  |  arn:\$1\$1Partition\$1:tnb:\$1\$1Region\$1:\$1\$1Account\$1:function-package/\$1\$1FunctionPackageId\$1  |   [#awstelconetworkbuilder-aws_ResourceTag___TagKey_](#awstelconetworkbuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/tnb/latest/ug/network-packages.html](https://docs.aws.amazon.com/tnb/latest/ug/network-packages.html)  |  arn:\$1\$1Partition\$1:tnb:\$1\$1Region\$1:\$1\$1Account\$1:network-package/\$1\$1NetworkPackageId\$1  |   [#awstelconetworkbuilder-aws_ResourceTag___TagKey_](#awstelconetworkbuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/tnb/latest/ug/network-instances.html](https://docs.aws.amazon.com/tnb/latest/ug/network-instances.html)  |  arn:\$1\$1Partition\$1:tnb:\$1\$1Region\$1:\$1\$1Account\$1:network-instance/\$1\$1NetworkInstanceId\$1  |   [#awstelconetworkbuilder-aws_ResourceTag___TagKey_](#awstelconetworkbuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/tnb/latest/ug/function-packages.html](https://docs.aws.amazon.com/tnb/latest/ug/function-packages.html)  |  arn:\$1\$1Partition\$1:tnb:\$1\$1Region\$1:\$1\$1Account\$1:function-instance/\$1\$1FunctionInstanceId\$1  |   [#awstelconetworkbuilder-aws_ResourceTag___TagKey_](#awstelconetworkbuilder-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/tnb/latest/ug/network-operations.html](https://docs.aws.amazon.com/tnb/latest/ug/network-operations.html)  |  arn:\$1\$1Partition\$1:tnb:\$1\$1Region\$1:\$1\$1Account\$1:network-operation/\$1\$1NetworkOperationId\$1  |   [#awstelconetworkbuilder-aws_ResourceTag___TagKey_](#awstelconetworkbuilder-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Telco Network Builder
<a name="awstelconetworkbuilder-policy-keys"></a>

AWS Telco Network Builder defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by checking the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by checking tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Textract
<a name="list_amazontextract"></a>

Amazon Textract (service prefix: `textract`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/textract/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/textract/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/textract/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Textract
](#amazontextract-actions-as-permissions)
+ [

## Resource types defined by Amazon Textract
](#amazontextract-resources-for-iam-policies)
+ [

## Condition keys for Amazon Textract
](#amazontextract-policy-keys)

## Actions defined by Amazon Textract
<a name="amazontextract-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazontextract-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html)

## Resource types defined by Amazon Textract
<a name="amazontextract-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazontextract-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/textract/latest/dg/API_AdapterOverview.html](https://docs.aws.amazon.com/textract/latest/dg/API_AdapterOverview.html)  |  arn:\$1\$1Partition\$1:textract:\$1\$1Region\$1:\$1\$1Account\$1:/adapters/\$1\$1AdapterId\$1  |   [#amazontextract-aws_ResourceTag___TagKey_](#amazontextract-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/textract/latest/dg/API_AdapterVersionOverview.html](https://docs.aws.amazon.com/textract/latest/dg/API_AdapterVersionOverview.html)  |  arn:\$1\$1Partition\$1:textract:\$1\$1Region\$1:\$1\$1Account\$1:/adapters/\$1\$1AdapterId\$1/versions/\$1\$1AdapterVersion\$1  |   [#amazontextract-aws_ResourceTag___TagKey_](#amazontextract-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Textract
<a name="amazontextract-policy-keys"></a>

Amazon Textract defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Timestream
<a name="list_amazontimestream"></a>

Amazon Timestream (service prefix: `timestream`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/timestream/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/timestream/latest/developerguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/timestream/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Timestream
](#amazontimestream-actions-as-permissions)
+ [

## Resource types defined by Amazon Timestream
](#amazontimestream-resources-for-iam-policies)
+ [

## Condition keys for Amazon Timestream
](#amazontimestream-policy-keys)

## Actions defined by Amazon Timestream
<a name="amazontimestream-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazontimestream-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontimestream.html)

## Resource types defined by Amazon Timestream
<a name="amazontimestream-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazontimestream-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/timestream/latest/developerguide/API_Database.html](https://docs.aws.amazon.com/timestream/latest/developerguide/API_Database.html)  |  arn:\$1\$1Partition\$1:timestream:\$1\$1Region\$1:\$1\$1Account\$1:database/\$1\$1DatabaseName\$1  |   [#amazontimestream-aws_ResourceTag___TagKey_](#amazontimestream-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/timestream/latest/developerguide/API_Table.html](https://docs.aws.amazon.com/timestream/latest/developerguide/API_Table.html)  |  arn:\$1\$1Partition\$1:timestream:\$1\$1Region\$1:\$1\$1Account\$1:database/\$1\$1DatabaseName\$1/table/\$1\$1TableName\$1  |   [#amazontimestream-aws_ResourceTag___TagKey_](#amazontimestream-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/timestream/latest/developerguide/API_ScheduledQuery.html](https://docs.aws.amazon.com/timestream/latest/developerguide/API_ScheduledQuery.html)  |  arn:\$1\$1Partition\$1:timestream:\$1\$1Region\$1:\$1\$1Account\$1:scheduled-query/\$1\$1ScheduledQueryName\$1  |   [#amazontimestream-aws_ResourceTag___TagKey_](#amazontimestream-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Timestream
<a name="amazontimestream-policy-keys"></a>

Amazon Timestream defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/timestream/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/timestream/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/timestream/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/timestream/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/timestream/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/timestream/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-tags)  | Filters access by the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Timestream InfluxDB
<a name="list_amazontimestreaminfluxdb"></a>

Amazon Timestream InfluxDB (service prefix: `timestream-influxdb`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/timestream/latest/developerguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/ts-influxdb/latest/ts-influxdb-api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/timestream/latest/developerguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Timestream InfluxDB
](#amazontimestreaminfluxdb-actions-as-permissions)
+ [

## Resource types defined by Amazon Timestream InfluxDB
](#amazontimestreaminfluxdb-resources-for-iam-policies)
+ [

## Condition keys for Amazon Timestream InfluxDB
](#amazontimestreaminfluxdb-policy-keys)

## Actions defined by Amazon Timestream InfluxDB
<a name="amazontimestreaminfluxdb-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazontimestreaminfluxdb-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontimestreaminfluxdb.html)

## Resource types defined by Amazon Timestream InfluxDB
<a name="amazontimestreaminfluxdb-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazontimestreaminfluxdb-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/ts-influxdb/latest/ts-influxdb-api/API_DbClusterSummary.html](https://docs.aws.amazon.com/ts-influxdb/latest/ts-influxdb-api/API_DbClusterSummary.html)  |  arn:\$1\$1Partition\$1:timestream-influxdb:\$1\$1Region\$1:\$1\$1Account\$1:db-cluster/\$1\$1DbClusterId\$1  |   [#amazontimestreaminfluxdb-aws_ResourceTag___TagKey_](#amazontimestreaminfluxdb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ts-influxdb/latest/ts-influxdb-api/API_DbInstanceSummary.html](https://docs.aws.amazon.com/ts-influxdb/latest/ts-influxdb-api/API_DbInstanceSummary.html)  |  arn:\$1\$1Partition\$1:timestream-influxdb:\$1\$1Region\$1:\$1\$1Account\$1:db-instance/\$1\$1DbInstanceIdentifier\$1  |   [#amazontimestreaminfluxdb-aws_ResourceTag___TagKey_](#amazontimestreaminfluxdb-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/ts-influxdb/latest/ts-influxdb-api/API_DbParameterGroupSummary.html](https://docs.aws.amazon.com/ts-influxdb/latest/ts-influxdb-api/API_DbParameterGroupSummary.html)  |  arn:\$1\$1Partition\$1:timestream-influxdb:\$1\$1Region\$1:\$1\$1Account\$1:db-parameter-group/\$1\$1DbParameterGroupIdentifier\$1  |   [#amazontimestreaminfluxdb-aws_ResourceTag___TagKey_](#amazontimestreaminfluxdb-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Timestream InfluxDB
<a name="amazontimestreaminfluxdb-policy-keys"></a>

Amazon Timestream InfluxDB defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Tiros
<a name="list_awstiros"></a>

AWS Tiros (service prefix: `tiros`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/vpc/latest/reachability/identity-access-management.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Tiros
](#awstiros-actions-as-permissions)
+ [

## Resource types defined by AWS Tiros
](#awstiros-resources-for-iam-policies)
+ [

## Condition keys for AWS Tiros
](#awstiros-policy-keys)

## Actions defined by AWS Tiros
<a name="awstiros-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awstiros-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to create a VPC reachability query | Write |  |  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to extend a VPC reachability query to include the calling principals account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to get VPC reachability query answers | Read |  |  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to get VPC reachability query explanations | Read |  |  |  | 
|   [https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html](https://docs.aws.amazon.com/vpc/latest/reachability/security_iam_required-API-permissions.html) [permission only] | Grants permission to list accounts that might be useful in a new query | Read |  |  |  | 

## Resource types defined by AWS Tiros
<a name="awstiros-resources-for-iam-policies"></a>

AWS Tiros does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Tiros, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Tiros
<a name="awstiros-policy-keys"></a>

Tiros has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Transcribe
<a name="list_amazontranscribe"></a>

Amazon Transcribe (service prefix: `transcribe`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/transcribe/latest/dg/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/transcribe/latest/dg/API_Reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/transcribe/latest/dg/auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Transcribe
](#amazontranscribe-actions-as-permissions)
+ [

## Resource types defined by Amazon Transcribe
](#amazontranscribe-resources-for-iam-policies)
+ [

## Condition keys for Amazon Transcribe
](#amazontranscribe-policy-keys)

## Actions defined by Amazon Transcribe
<a name="amazontranscribe-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazontranscribe-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateCallAnalyticsCategory.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateCallAnalyticsCategory.html)  | Grants permission to create an analytics category. Amazon Transcribe applies the conditions specified by your analytics categories to your call analytics jobs | Write |  |   [#amazontranscribe-aws_RequestTag___TagKey_](#amazontranscribe-aws_RequestTag___TagKey_)   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateLanguageModel.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateLanguageModel.html)  | Grants permission to create a new custom language model | Write |  |   [#amazontranscribe-aws_RequestTag___TagKey_](#amazontranscribe-aws_RequestTag___TagKey_)   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |   s3:GetObject   s3:ListBucket   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateMedicalVocabulary.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateMedicalVocabulary.html)  | Grants permission to create a new custom vocabulary that you can use to change the way Amazon Transcribe Medical handles transcription of an audio file | Write |  |   [#amazontranscribe-aws_RequestTag___TagKey_](#amazontranscribe-aws_RequestTag___TagKey_)   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |   s3:GetObject   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateVocabulary.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateVocabulary.html)  | Grants permission to create a new custom vocabulary that you can use to change the way Amazon Transcribe handles transcription of an audio file | Write |  |   [#amazontranscribe-aws_RequestTag___TagKey_](#amazontranscribe-aws_RequestTag___TagKey_)   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |   s3:GetObject   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateVocabularyFilter.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateVocabularyFilter.html)  | Grants permission to create a new vocabulary filter that you can use to filter out words from the transcription of an audio file generated by Amazon Transcribe | Write |  |   [#amazontranscribe-aws_RequestTag___TagKey_](#amazontranscribe-aws_RequestTag___TagKey_)   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |   s3:GetObject   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteCallAnalyticsCategory.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteCallAnalyticsCategory.html)  | Grants permission to delete a call analytics category using its name from Amazon Transcribe | Write |   [#amazontranscribe-callanalyticscategory](#amazontranscribe-callanalyticscategory)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteCallAnalyticsJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteCallAnalyticsJob.html)  | Grants permission to delete a previously submitted call analytics job along with any other generated results such as the transcription, models, and so on | Write |   [#amazontranscribe-callanalyticsjob](#amazontranscribe-callanalyticsjob)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteLanguageModel.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteLanguageModel.html)  | Grants permission to delete a previously created custom language model | Write |   [#amazontranscribe-languagemodel](#amazontranscribe-languagemodel)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteMedicalScribeJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteMedicalScribeJob.html)  | Grants permission to delete a previously submitted Medical Scribe job | Write |   [#amazontranscribe-medicalscribejob](#amazontranscribe-medicalscribejob)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteMedicalTranscriptionJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteMedicalTranscriptionJob.html)  | Grants permission to delete a previously submitted medical transcription job | Write |   [#amazontranscribe-medicaltranscriptionjob](#amazontranscribe-medicaltranscriptionjob)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteMedicalVocabulary.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteMedicalVocabulary.html)  | Grants permission to delete a medical vocabulary from Amazon Transcribe | Write |   [#amazontranscribe-medicalvocabulary](#amazontranscribe-medicalvocabulary)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteTranscriptionJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteTranscriptionJob.html)  | Grants permission to delete a previously submitted transcription job along with any other generated results such as the transcription, models, and so on | Write |   [#amazontranscribe-transcriptionjob](#amazontranscribe-transcriptionjob)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteVocabulary.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteVocabulary.html)  | Grants permission to delete a vocabulary from Amazon Transcribe | Write |   [#amazontranscribe-vocabulary](#amazontranscribe-vocabulary)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteVocabularyFilter.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_DeleteVocabularyFilter.html)  | Grants permission to delete a vocabulary filter from Amazon Transcribe | Write |   [#amazontranscribe-vocabularyfilter](#amazontranscribe-vocabularyfilter)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_DescribeLanguageModel.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_DescribeLanguageModel.html)  | Grants permission to return information about a custom language model | Read |   [#amazontranscribe-languagemodel](#amazontranscribe-languagemodel)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_GetCallAnalyticsCategory.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_GetCallAnalyticsCategory.html)  | Grants permission to retrieve information about a call analytics category | Read |   [#amazontranscribe-callanalyticscategory](#amazontranscribe-callanalyticscategory)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_GetCallAnalyticsJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_GetCallAnalyticsJob.html)  | Grants permission to return information about a call analytics job | Read |   [#amazontranscribe-callanalyticsjob](#amazontranscribe-callanalyticsjob)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_GetMedicalScribeJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_GetMedicalScribeJob.html)  | Grants permission to return information about a Medical Scribe job | Read |   [#amazontranscribe-medicalscribejob](#amazontranscribe-medicalscribejob)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_GetMedicalScribeStream.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_GetMedicalScribeStream.html)  | Grants permission to get information about the specified AWS HealthScribe streaming session | Read |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_GetMedicalTranscriptionJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_GetMedicalTranscriptionJob.html)  | Grants permission to return information about a medical transcription job | Read |   [#amazontranscribe-medicaltranscriptionjob](#amazontranscribe-medicaltranscriptionjob)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_GetMedicalVocabulary.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_GetMedicalVocabulary.html)  | Grants permission to get information about a medical vocabulary | Read |   [#amazontranscribe-medicalvocabulary](#amazontranscribe-medicalvocabulary)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_GetTranscriptionJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_GetTranscriptionJob.html)  | Grants permission to return information about a transcription job | Read |   [#amazontranscribe-transcriptionjob](#amazontranscribe-transcriptionjob)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_GetVocabulary.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_GetVocabulary.html)  | Grants permission to to get information about a vocabulary | Read |   [#amazontranscribe-vocabulary](#amazontranscribe-vocabulary)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_GetVocabularyFilter.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_GetVocabularyFilter.html)  | Grants permission to get information about a vocabulary filter | Read |   [#amazontranscribe-vocabularyfilter](#amazontranscribe-vocabularyfilter)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_ListCallAnalyticsCategories.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_ListCallAnalyticsCategories.html)  | Grants permission to list call analytics categories that has been created | List |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_ListCallAnalyticsJobs.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_ListCallAnalyticsJobs.html)  | Grants permission to list call analytics jobs with the specified status | List |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_ListLanguageModels.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_ListLanguageModels.html)  | Grants permission to list custom language models | List |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_ListMedicalScribeJobs.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_ListMedicalScribeJobs.html)  | Grants permission to list Medical Scribe jobs with the specified status | List |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_ListMedicalTranscriptionJobs.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_ListMedicalTranscriptionJobs.html)  | Grants permission to list medical transcription jobs with the specified status | List |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_ListMedicalVocabularies.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_ListMedicalVocabularies.html)  | Grants permission to return a list of medical vocabularies that match the specified criteria. If no criteria are specified, returns the entire list of vocabularies | List |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_ListTagsForResource.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_ListTagsForResource.html)  | Grants permission to list tags for a resource | Read |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_ListTranscriptionJobs.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_ListTranscriptionJobs.html)  | Grants permission to list transcription jobs with the specified status | List |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_ListVocabularies.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_ListVocabularies.html)  | Grants permission to return a list of vocabularies that match the specified criteria. If no criteria are specified, returns the entire list of vocabularies | List |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_ListVocabularyFilters.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_ListVocabularyFilters.html)  | Grants permission to return a list of vocabulary filters that match the specified criteria. If no criteria are specified, returns the at most 5 vocabulary filters | List |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_StartCallAnalyticsJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_StartCallAnalyticsJob.html)  | Grants permission to start an asynchronous analytics job that not only transcribes the audio recording of a caller and agent, but also returns additional insights | Write |  |   [#amazontranscribe-transcribe_OutputEncryptionKMSKeyId](#amazontranscribe-transcribe_OutputEncryptionKMSKeyId)   [#amazontranscribe-transcribe_OutputLocation](#amazontranscribe-transcribe_OutputLocation)   [#amazontranscribe-aws_RequestTag___TagKey_](#amazontranscribe-aws_RequestTag___TagKey_)   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |   s3:GetObject   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartCallAnalyticsStreamTranscription.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartCallAnalyticsStreamTranscription.html)  | Grants permission to start a protocol where audio is streamed to Transcribe Call Analytics and the transcription results are streamed to your application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartCallAnalyticsStreamTranscriptionWebSocket.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartCallAnalyticsStreamTranscriptionWebSocket.html)  | Grants permission to start a WebSocket where audio is streamed to Transcribe Call Analytics and the transcription results are streamed to your application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_StartMedicalScribeJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_StartMedicalScribeJob.html)  | Grants permission to start an asynchronous job to transcribe patient-clinician conversations and generates clinical notes | Write |  |   [#amazontranscribe-transcribe_OutputBucketName](#amazontranscribe-transcribe_OutputBucketName)   [#amazontranscribe-transcribe_OutputEncryptionKMSKeyId](#amazontranscribe-transcribe_OutputEncryptionKMSKeyId)   [#amazontranscribe-aws_RequestTag___TagKey_](#amazontranscribe-aws_RequestTag___TagKey_)   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |   s3:GetObject   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartMedicalScribeStream.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartMedicalScribeStream.html)  | Grants permission to start a bidirectional HTTP2 stream where audio is streamed to AWS HealthScribe and the transcription results are streamed to your application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartMedicalStreamTranscription.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartMedicalStreamTranscription.html)  | Grants permission to start a protocol where audio is streamed to Transcribe Medical and the transcription results are streamed to your application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartMedicalStreamTranscriptionWebSocket.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartMedicalStreamTranscriptionWebSocket.html)  | Grants permission to start a WebSocket where audio is streamed to Transcribe Medical and the transcription results are streamed to your application | Write |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_StartMedicalTranscriptionJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_StartMedicalTranscriptionJob.html)  | Grants permission to start an asynchronous job to transcribe medical speech to text | Write |  |   [#amazontranscribe-transcribe_OutputBucketName](#amazontranscribe-transcribe_OutputBucketName)   [#amazontranscribe-transcribe_OutputEncryptionKMSKeyId](#amazontranscribe-transcribe_OutputEncryptionKMSKeyId)   [#amazontranscribe-transcribe_OutputKey](#amazontranscribe-transcribe_OutputKey)   [#amazontranscribe-aws_RequestTag___TagKey_](#amazontranscribe-aws_RequestTag___TagKey_)   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |   s3:GetObject   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartStreamTranscription.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartStreamTranscription.html)  | Grants permission to start a bidirectional HTTP2 stream to transcribe speech to text in real time | Write |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartStreamTranscriptionWebSocket.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_streaming_StartStreamTranscriptionWebSocket.html)  | Grants permission to start a websocket stream to transcribe speech to text in real time | Write |  |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_StartTranscriptionJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_StartTranscriptionJob.html)  | Grants permission to start an asynchronous job to transcribe speech to text | Write |  |   [#amazontranscribe-transcribe_OutputBucketName](#amazontranscribe-transcribe_OutputBucketName)   [#amazontranscribe-transcribe_OutputEncryptionKMSKeyId](#amazontranscribe-transcribe_OutputEncryptionKMSKeyId)   [#amazontranscribe-transcribe_OutputKey](#amazontranscribe-transcribe_OutputKey)   [#amazontranscribe-aws_RequestTag___TagKey_](#amazontranscribe-aws_RequestTag___TagKey_)   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |   s3:GetObject   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_TagResource.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_TagResource.html)  | Grants permission to tag a resource with given key value pairs | Tagging |  |   [#amazontranscribe-aws_RequestTag___TagKey_](#amazontranscribe-aws_RequestTag___TagKey_)   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   [#amazontranscribe-transcribe_OutputBucketName](#amazontranscribe-transcribe_OutputBucketName)   [#amazontranscribe-transcribe_OutputEncryptionKMSKeyId](#amazontranscribe-transcribe_OutputEncryptionKMSKeyId)   [#amazontranscribe-transcribe_OutputKey](#amazontranscribe-transcribe_OutputKey)   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_UntagResource.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_UntagResource.html)  | Grants permission to untag a resource with given key | Tagging |  |   [#amazontranscribe-aws_TagKeys](#amazontranscribe-aws_TagKeys)   |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_UpdateCallAnalyticsCategory.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_UpdateCallAnalyticsCategory.html)  | Grants permission to update the call analytics category with new values. The UpdateCallAnalyticsCategory operation overwrites all of the existing information with the values that you provide in the request | Write |   [#amazontranscribe-callanalyticscategory](#amazontranscribe-callanalyticscategory)   |  |  | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_UpdateMedicalVocabulary.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_UpdateMedicalVocabulary.html)  | Grants permission to update an existing medical vocabulary with new values. The UpdateMedicalVocabulary operation overwrites all of the existing information with the values that you provide in the request | Write |   [#amazontranscribe-medicalvocabulary](#amazontranscribe-medicalvocabulary)   |  |   s3:GetObject   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_UpdateVocabulary.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_UpdateVocabulary.html)  | Grants permission to update an existing vocabulary with new values. The UpdateVocabulary operation overwrites all of the existing information with the values that you provide in the request | Write |   [#amazontranscribe-vocabulary](#amazontranscribe-vocabulary)   |  |   s3:GetObject   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_UpdateVocabularyFilter.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_UpdateVocabularyFilter.html)  | Grants permission to update an existing vocabulary filter with new values. The UpdateVocabularyFilter operation overwrites all of the existing information with the values that you provide in the request | Write |   [#amazontranscribe-vocabularyfilter](#amazontranscribe-vocabularyfilter)   |  |   s3:GetObject   | 

## Resource types defined by Amazon Transcribe
<a name="amazontranscribe-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazontranscribe-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_TranscriptionJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_TranscriptionJob.html)  |  arn:\$1\$1Partition\$1:transcribe:\$1\$1Region\$1:\$1\$1Account\$1:transcription-job/\$1\$1JobName\$1  |   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateVocabulary.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateVocabulary.html)  |  arn:\$1\$1Partition\$1:transcribe:\$1\$1Region\$1:\$1\$1Account\$1:vocabulary/\$1\$1VocabularyName\$1  |   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateVocabularyFilter.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateVocabularyFilter.html)  |  arn:\$1\$1Partition\$1:transcribe:\$1\$1Region\$1:\$1\$1Account\$1:vocabulary-filter/\$1\$1VocabularyFilterName\$1  |   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_LanguageModel.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_LanguageModel.html)  |  arn:\$1\$1Partition\$1:transcribe:\$1\$1Region\$1:\$1\$1Account\$1:language-model/\$1\$1ModelName\$1  |   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_MedicalTranscriptionJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_MedicalTranscriptionJob.html)  |  arn:\$1\$1Partition\$1:transcribe:\$1\$1Region\$1:\$1\$1Account\$1:medical-transcription-job/\$1\$1JobName\$1  |   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateMedicalVocabulary.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateMedicalVocabulary.html)  |  arn:\$1\$1Partition\$1:transcribe:\$1\$1Region\$1:\$1\$1Account\$1:medical-vocabulary/\$1\$1VocabularyName\$1  |   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_CallAnalyticsJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_CallAnalyticsJob.html)  |  arn:\$1\$1Partition\$1:transcribe:\$1\$1Region\$1:\$1\$1Account\$1:analytics/\$1\$1JobName\$1  |   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateCallAnalyticsCategory.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_CreateCallAnalyticsCategory.html)  |  arn:\$1\$1Partition\$1:transcribe:\$1\$1Region\$1:\$1\$1Account\$1:analytics-category/\$1\$1CategoryName\$1  |   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transcribe/latest/dg/API_MedicalScribeJob.html](https://docs.aws.amazon.com/transcribe/latest/dg/API_MedicalScribeJob.html)  |  arn:\$1\$1Partition\$1:transcribe:\$1\$1Region\$1:\$1\$1Account\$1:medical-scribe-job/\$1\$1JobName\$1  |   [#amazontranscribe-aws_ResourceTag___TagKey_](#amazontranscribe-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Transcribe
<a name="amazontranscribe-policy-keys"></a>

Amazon Transcribe defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by requiring tag values present in a resource creation request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by requiring tag value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by requiring the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazontranscribe.html#amazontranscribe-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazontranscribe.html#amazontranscribe-policy-keys)  | Filters access based on the output bucket name included in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazontranscribe.html#amazontranscribe-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazontranscribe.html#amazontranscribe-policy-keys)  | Filters access based on the KMS key id included in the request, provided in the form of a KMS key ARN | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazontranscribe.html#amazontranscribe-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazontranscribe.html#amazontranscribe-policy-keys)  | Filters access based on the output key included in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazontranscribe.html#amazontranscribe-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazontranscribe.html#amazontranscribe-policy-keys)  | Filters access based on the output location included in the request | String | 

# Actions, resources, and condition keys for AWS Transfer Family
<a name="list_awstransferfamily"></a>

AWS Transfer Family (service prefix: `transfer`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/transfer/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/transfer/latest/userguide/api_reference.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/transfer/latest/userguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Transfer Family
](#awstransferfamily-actions-as-permissions)
+ [

## Resource types defined by AWS Transfer Family
](#awstransferfamily-resources-for-iam-policies)
+ [

## Condition keys for AWS Transfer Family
](#awstransferfamily-policy-keys)

## Actions defined by AWS Transfer Family
<a name="awstransferfamily-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awstransferfamily-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html)

## Resource types defined by AWS Transfer Family
<a name="awstransferfamily-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awstransferfamily-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/create-user.html](https://docs.aws.amazon.com/transfer/latest/userguide/create-user.html)  |  arn:\$1\$1Partition\$1:transfer:\$1\$1Region\$1:\$1\$1Account\$1:user/\$1\$1ServerId\$1/\$1\$1UserName\$1  |   [#awstransferfamily-aws_ResourceTag___TagKey_](#awstransferfamily-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/configuring-servers.html](https://docs.aws.amazon.com/transfer/latest/userguide/configuring-servers.html)  |  arn:\$1\$1Partition\$1:transfer:\$1\$1Region\$1:\$1\$1Account\$1:server/\$1\$1ServerId\$1  |   [#awstransferfamily-aws_ResourceTag___TagKey_](#awstransferfamily-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/transfer-workflows.html](https://docs.aws.amazon.com/transfer/latest/userguide/transfer-workflows.html)  |  arn:\$1\$1Partition\$1:transfer:\$1\$1Region\$1:\$1\$1Account\$1:workflow/\$1\$1WorkflowId\$1  |   [#awstransferfamily-aws_ResourceTag___TagKey_](#awstransferfamily-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html](https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html)  |  arn:\$1\$1Partition\$1:transfer:\$1\$1Region\$1:\$1\$1Account\$1:certificate/\$1\$1CertificateId\$1  |   [#awstransferfamily-aws_ResourceTag___TagKey_](#awstransferfamily-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html](https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html)  |  arn:\$1\$1Partition\$1:transfer:\$1\$1Region\$1:\$1\$1Account\$1:connector/\$1\$1ConnectorId\$1  |   [#awstransferfamily-aws_ResourceTag___TagKey_](#awstransferfamily-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html](https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html)  |  arn:\$1\$1Partition\$1:transfer:\$1\$1Region\$1:\$1\$1Account\$1:profile/\$1\$1ProfileId\$1  |   [#awstransferfamily-aws_ResourceTag___TagKey_](#awstransferfamily-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html](https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html)  |  arn:\$1\$1Partition\$1:transfer:\$1\$1Region\$1:\$1\$1Account\$1:agreement/\$1\$1ServerId\$1/\$1\$1AgreementId\$1  |   [#awstransferfamily-aws_ResourceTag___TagKey_](#awstransferfamily-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/edit-server-config.html](https://docs.aws.amazon.com/transfer/latest/userguide/edit-server-config.html)  |  arn:\$1\$1Partition\$1:transfer:\$1\$1Region\$1:\$1\$1Account\$1:host-key/\$1\$1ServerId\$1/\$1\$1HostKeyId\$1  |   [#awstransferfamily-aws_ResourceTag___TagKey_](#awstransferfamily-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/web-app.html](https://docs.aws.amazon.com/transfer/latest/userguide/web-app.html)  |  arn:\$1\$1Partition\$1:transfer:\$1\$1Region\$1:\$1\$1Account\$1:webapp/\$1\$1WebAppId\$1  |   [#awstransferfamily-aws_ResourceTag___TagKey_](#awstransferfamily-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Transfer Family
<a name="awstransferfamily-policy-keys"></a>

AWS Transfer Family defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/transfer-condition-keys.html](https://docs.aws.amazon.com/transfer/latest/userguide/transfer-condition-keys.html)  | Filters access by the connector protocol that is passed in the request | String | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/transfer-condition-keys.html](https://docs.aws.amazon.com/transfer/latest/userguide/transfer-condition-keys.html)  | Filters access by the storage domain that is passed in the request | String | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/transfer-condition-keys.html](https://docs.aws.amazon.com/transfer/latest/userguide/transfer-condition-keys.html)  | Filters access by the endpoint type that is passed in the request | String | 
|   [https://docs.aws.amazon.com/transfer/latest/userguide/transfer-condition-keys.html](https://docs.aws.amazon.com/transfer/latest/userguide/transfer-condition-keys.html)  | Filters access by the server protocols that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Transform
<a name="list_awstransform"></a>

AWS Transform (service prefix: `transform`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/transform/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/transform/latest/userguide/security_iam_permissions.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/transform/latest/userguide/security-iam.html#security_iam_access-manage) permission policies.

**Topics**
+ [

## Actions defined by AWS Transform
](#awstransform-actions-as-permissions)
+ [

## Resource types defined by AWS Transform
](#awstransform-resources-for-iam-policies)
+ [

## Condition keys for AWS Transform
](#awstransform-policy-keys)

## Actions defined by AWS Transform
<a name="awstransform-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awstransform-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransform.html)

## Resource types defined by AWS Transform
<a name="awstransform-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awstransform-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/transform/latest/userguide/security_iam_permissions.html](https://docs.aws.amazon.com/transform/latest/userguide/security_iam_permissions.html)  |  arn:\$1\$1Partition\$1:transform:\$1\$1Region\$1:\$1\$1Account\$1:profile/\$1\$1Identifier\$1  |  | 
|   [https://docs.aws.amazon.com/transform/latest/userguide/security_iam_permissions.html](https://docs.aws.amazon.com/transform/latest/userguide/security_iam_permissions.html)  |  arn:\$1\$1Partition\$1:transform:\$1\$1Region\$1:\$1\$1Account\$1:connector/\$1\$1WorkspaceId\$1/\$1\$1ConnectorId\$1  |  | 

## Condition keys for AWS Transform
<a name="awstransform-policy-keys"></a>

AWS Transform defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Transform custom
<a name="list_awstransformcustom"></a>

AWS Transform custom (service prefix: `transform-custom`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/transform/latest/userguide/custom.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/transform/latest/userguide/custom.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/transform/latest/userguide/security-iam.html#security_iam_access-manage) permission policies.

**Topics**
+ [

## Actions defined by AWS Transform custom
](#awstransformcustom-actions-as-permissions)
+ [

## Resource types defined by AWS Transform custom
](#awstransformcustom-resources-for-iam-policies)
+ [

## Condition keys for AWS Transform custom
](#awstransformcustom-policy-keys)

## Actions defined by AWS Transform custom
<a name="awstransformcustom-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awstransformcustom-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransformcustom.html)

## Resource types defined by AWS Transform custom
<a name="awstransformcustom-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awstransformcustom-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/transform/latest/userguide/custom.html](https://docs.aws.amazon.com/transform/latest/userguide/custom.html)  |  arn:\$1\$1Partition\$1:transform-custom:\$1\$1Region\$1:\$1\$1Account\$1:campaign/\$1\$1Name\$1  |   [#awstransformcustom-aws_ResourceTag___TagKey_](#awstransformcustom-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transform/latest/userguide/custom.html](https://docs.aws.amazon.com/transform/latest/userguide/custom.html)  |  arn:\$1\$1Partition\$1:transform-custom:\$1\$1Region\$1:\$1\$1Account\$1:package/\$1\$1TransformationPackageName\$1/knowledge-item/\$1\$1Id\$1  |   [#awstransformcustom-aws_ResourceTag___TagKey_](#awstransformcustom-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/transform/latest/userguide/custom.html](https://docs.aws.amazon.com/transform/latest/userguide/custom.html)  |  arn:\$1\$1Partition\$1:transform-custom:\$1\$1Region\$1:\$1\$1Account\$1:package/\$1\$1Name\$1  |   [#awstransformcustom-aws_ResourceTag___TagKey_](#awstransformcustom-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Transform custom
<a name="awstransformcustom-policy-keys"></a>

AWS Transform custom defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon Translate
<a name="list_amazontranslate"></a>

Amazon Translate (service prefix: `translate`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/translate/latest/dg/getting-started.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/translate/latest/APIReference/API_Operations.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/translate/latest/dg/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Translate
](#amazontranslate-actions-as-permissions)
+ [

## Resource types defined by Amazon Translate
](#amazontranslate-resources-for-iam-policies)
+ [

## Condition keys for Amazon Translate
](#amazontranslate-policy-keys)

## Actions defined by Amazon Translate
<a name="amazontranslate-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazontranslate-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranslate.html)

## Resource types defined by Amazon Translate
<a name="amazontranslate-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazontranslate-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/translate/latest/dg/how-custom-terminology.html](https://docs.aws.amazon.com/translate/latest/dg/how-custom-terminology.html)  |  arn:\$1\$1Partition\$1:translate:\$1\$1Region\$1:\$1\$1Account\$1:terminology/\$1\$1ResourceName\$1  |   [#amazontranslate-aws_ResourceTag___TagKey_](#amazontranslate-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/translate/latest/dg/customizing-translations-parallel-data.html](https://docs.aws.amazon.com/translate/latest/dg/customizing-translations-parallel-data.html)  |  arn:\$1\$1Partition\$1:translate:\$1\$1Region\$1:\$1\$1Account\$1:parallel-data/\$1\$1ResourceName\$1  |   [#amazontranslate-aws_ResourceTag___TagKey_](#amazontranslate-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Translate
<a name="amazontranslate-policy-keys"></a>

Amazon Translate defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by requiring tag values present in a resource creation request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by requiring tag value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-globally-available)  | Filters access by requiring the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS Trusted Advisor
<a name="list_awstrustedadvisor"></a>

AWS Trusted Advisor (service prefix: `trustedadvisor`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awssupport/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awssupport/latest/user/security.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Trusted Advisor
](#awstrustedadvisor-actions-as-permissions)
+ [

## Resource types defined by AWS Trusted Advisor
](#awstrustedadvisor-resources-for-iam-policies)
+ [

## Condition keys for AWS Trusted Advisor
](#awstrustedadvisor-policy-keys)

## Actions defined by AWS Trusted Advisor
<a name="awstrustedadvisor-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awstrustedadvisor-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).

**Note**  
The IAM Trusted Advisor policy description details apply only to the Trusted Advisor console. If you want to manage programmatic access to Trusted Advisor, use the Trusted Advisor operations in the AWS Support API.


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to update one or more exclusion status for a list of recommendation resources | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to create an engagement | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to create an engagement attachment | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to create an engagement communication | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to the organization management account to delete email notification preferences from a delegated administrator account for Trusted Advisor Priority | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view the AWS Support plan and various AWS Trusted Advisor preferences | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view if the AWS account has enabled or disabled AWS Trusted Advisor | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view details for the check items | Read |   [#awstrustedadvisor-checks](#awstrustedadvisor-checks)   |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view the refresh statuses for AWS Trusted Advisor checks | Read |   [#awstrustedadvisor-checks](#awstrustedadvisor-checks)   |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view the results and changed statuses for checks in the last 30 days | Read |   [#awstrustedadvisor-checks](#awstrustedadvisor-checks)   |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view AWS Trusted Advisor check summaries | Read |   [#awstrustedadvisor-checks](#awstrustedadvisor-checks)   |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view details for AWS Trusted Advisor checks | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to get your email notification preferences for Trusted Advisor Priority | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view the notification preferences for the AWS account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view if the AWS account meets the requirements to enable the organizational view feature | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view the linked AWS accounts that are in the organization | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view details for organizational view reports, such as the report name, runtime, date created, status, and format | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view risk details in AWS Trusted Advisor Priority | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view affected resources for a risk in AWS Trusted Advisor Priority | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view risks in AWS Trusted Advisor Priority | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view information about organizational view reports, such as the AWS Regions, check categories, check names, and resource statuses | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to download a file that contains details about the risk in AWS Trusted Advisor Priority | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to exclude recommendations for AWS Trusted Advisor checks | Write |   [#awstrustedadvisor-checks](#awstrustedadvisor-checks)   |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to create a report for AWS Trusted Advisor checks in your organization | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view an engagment | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view an engagment attachment | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view a specific engagement type | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to get a specific recommendation within an AWS Organization's organization. This API supports only prioritized recommendations | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to get a specific Recommendation | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to include recommendations for AWS Trusted Advisor checks | Write |   [#awstrustedadvisor-checks](#awstrustedadvisor-checks)   |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view, in the Trusted Advisor console, all of the accounts in an AWS organization that are contained by a root or organizational unit (OU) | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to list a filterable set of Checks | List |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view all communications for an engagement | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view all engagement types | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to view all engagements | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to list the accounts that own the resources for an AWS Organization aggregate recommendation. This API only supports prioritized recommendations | List |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to list Resources of a Recommendation within an AWS Organization. This API only supports prioritized recommendations | List |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to list a filterable set of Recommendations within an AWS Organization. This API only supports prioritized recommendations | List |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view, in the Trusted Advisor console, all of the organizational units (OUs) in a parent organizational unit or root | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to list Resources of a Recommendation | List |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to list a filterable set of Recommendations | List |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to view, in the Trusted Advisor console, all of the roots that are defined in an AWS organization | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to refresh an AWS Trusted Advisor check | Write |   [#awstrustedadvisor-checks](#awstrustedadvisor-checks)   |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to enable or disable AWS Trusted Advisor for the account | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to enable the organizational view feature for AWS Trusted Advisor | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to update the details of an engagement | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to update the status of an engagement | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to create or update your email notification preferences for Trusted Advisor Priority | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations) [permission only] | Grants permission to update notification preferences for AWS Trusted Advisor | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to update the lifecyle of a Recommendation within an AWS Organization. This API only supports prioritized recommendations | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor-api.html)  | Grants permission to update the lifecyle of a Recommendation. This API only supports prioritized recommendations | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations](https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html#trusted-advisor-operations)  | Grants permission to update the risk status in AWS Trusted Advisor Priority | Write |  |  |  | 

## Resource types defined by AWS Trusted Advisor
<a name="awstrustedadvisor-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awstrustedadvisor-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).

**Note**  
The ARN for the checks resource type should not include a region. In the format instead of '\$1\$1Region\$1' use a '\$1' or the policy will not work correctly.


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/awssupport/latest/APIReference/API_TrustedAdvisorCheckDescription.html](https://docs.aws.amazon.com/awssupport/latest/APIReference/API_TrustedAdvisorCheckDescription.html)  |  arn:\$1\$1Partition\$1:trustedadvisor:\$1\$1Region\$1:\$1\$1Account\$1:checks/\$1\$1CategoryCode\$1/\$1\$1CheckId\$1  |  | 

## Condition keys for AWS Trusted Advisor
<a name="awstrustedadvisor-policy-keys"></a>

Trusted Advisor has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS User Experience Customization
<a name="list_awsuserexperiencecustomization"></a>

AWS User Experience Customization (service prefix: `uxc`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/uxc.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/security_iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS User Experience Customization
](#awsuserexperiencecustomization-actions-as-permissions)
+ [

## Resource types defined by AWS User Experience Customization
](#awsuserexperiencecustomization-resources-for-iam-policies)
+ [

## Condition keys for AWS User Experience Customization
](#awsuserexperiencecustomization-policy-keys)

## Actions defined by AWS User Experience Customization
<a name="awsuserexperiencecustomization-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsuserexperiencecustomization-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_DeleteAccountColor.html](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_DeleteAccountColor.html)  | Grants permission to delete account color setting | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_GetAccountColor.html](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_GetAccountColor.html)  | Grants permission to retrieve account color for given account | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_GetAccountCustomizations.html](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_GetAccountCustomizations.html)  | Grants permission to retrieve account customizations | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_ListServices.html](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_ListServices.html)  | Grants permission to list available services | Read |  |  |  | 
|   [https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_PutAccountColor.html](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_PutAccountColor.html)  | Grants permission to set account color | Write |  |  |  | 
|   [https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_UpdateAccountCustomizations.html](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/APIReference/API_UpdateAccountCustomizations.html)  | Grants permission to update account customizations | Write |  |  |  | 

## Resource types defined by AWS User Experience Customization
<a name="awsuserexperiencecustomization-resources-for-iam-policies"></a>

AWS User Experience Customization does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS User Experience Customization, specify `"Resource": "*"` in your policy.

## Condition keys for AWS User Experience Customization
<a name="awsuserexperiencecustomization-policy-keys"></a>

User Experience Customization (UXC) has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS User Notifications
<a name="list_awsusernotifications"></a>

AWS User Notifications (service prefix: `notifications`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/notifications/latest/userguide/what-is-service.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/notifications/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/notifications/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS User Notifications
](#awsusernotifications-actions-as-permissions)
+ [

## Resource types defined by AWS User Notifications
](#awsusernotifications-resources-for-iam-policies)
+ [

## Condition keys for AWS User Notifications
](#awsusernotifications-policy-keys)

## Actions defined by AWS User Notifications
<a name="awsusernotifications-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsusernotifications-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsusernotifications.html)

## Resource types defined by AWS User Notifications
<a name="awsusernotifications-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsusernotifications-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html](https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html)  |  arn:\$1\$1Partition\$1:notifications::\$1\$1Account\$1:configuration/\$1\$1NotificationConfigurationId\$1/rule/\$1\$1EventRuleId\$1  |  | 
|   [https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html](https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html)  |  arn:\$1\$1Partition\$1:notifications::\$1\$1Account\$1:configuration/\$1\$1NotificationConfigurationId\$1  |   [#awsusernotifications-aws_ResourceTag___TagKey_](#awsusernotifications-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html](https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html)  |  arn:\$1\$1Partition\$1:notifications:\$1\$1Region\$1:\$1\$1Account\$1:configuration/\$1\$1NotificationConfigurationId\$1/event/\$1\$1NotificationEventId\$1  |  | 
|   [https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html](https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html)  |  arn:\$1\$1Partition\$1:notifications::\$1\$1Account\$1:managed-notification-configuration/category/\$1\$1Category\$1/sub-category/\$1\$1Subcategory\$1/event/\$1\$1NotificationEventId\$1/child-event/\$1\$1NotificationChildEventId\$1  |  | 
|   [https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html](https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html)  |  arn:\$1\$1Partition\$1:notifications::\$1\$1Account\$1:managed-notification-configuration/category/\$1\$1Category\$1/sub-category/\$1\$1Subcategory\$1  |  | 
|   [https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html](https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html)  |  arn:\$1\$1Partition\$1:notifications::\$1\$1Account\$1:managed-notification-configuration/category/\$1\$1Category\$1/sub-category/\$1\$1Subcategory\$1/event/\$1\$1NotificationEventId\$1  |  | 

## Condition keys for AWS User Notifications
<a name="awsusernotifications-policy-keys"></a>

AWS User Notifications defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS User Notifications Contacts
<a name="list_awsusernotificationscontacts"></a>

AWS User Notifications Contacts (service prefix: `notifications-contacts`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/notifications/latest/userguide/managing-delivery-channels.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/notifications/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS User Notifications Contacts
](#awsusernotificationscontacts-actions-as-permissions)
+ [

## Resource types defined by AWS User Notifications Contacts
](#awsusernotificationscontacts-resources-for-iam-policies)
+ [

## Condition keys for AWS User Notifications Contacts
](#awsusernotificationscontacts-policy-keys)

## Actions defined by AWS User Notifications Contacts
<a name="awsusernotificationscontacts-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsusernotificationscontacts-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsusernotificationscontacts.html)

## Resource types defined by AWS User Notifications Contacts
<a name="awsusernotificationscontacts-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsusernotificationscontacts-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html](https://docs.aws.amazon.com/notifications/latest/userguide/resource-level-permissions.html)  |  arn:\$1\$1Partition\$1:notifications-contacts::\$1\$1Account\$1:emailcontact/\$1\$1EmailContactId\$1  |   [#awsusernotificationscontacts-aws_ResourceTag___TagKey_](#awsusernotificationscontacts-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS User Notifications Contacts
<a name="awsusernotificationscontacts-policy-keys"></a>

AWS User Notifications Contacts defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS User Subscriptions
<a name="list_awsusersubscriptions"></a>

AWS User Subscriptions (service prefix: `user-subscriptions`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/q-admin-setup-subscribe-management-account.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS User Subscriptions
](#awsusersubscriptions-actions-as-permissions)
+ [

## Resource types defined by AWS User Subscriptions
](#awsusersubscriptions-resources-for-iam-policies)
+ [

## Condition keys for AWS User Subscriptions
](#awsusersubscriptions-policy-keys)

## Actions defined by AWS User Subscriptions
<a name="awsusersubscriptions-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsusersubscriptions-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html)  | Grants permission to create a User subscription Claim | Write |  |   [#awsusersubscriptions-user-subscriptions_CreateForSelf](#awsusersubscriptions-user-subscriptions_CreateForSelf)   |  | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html)  | Grants permission to delete a User subscription Claim | Write |  |  |  | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html)  | Grants permission to list all User subscription Claims for Application | List |  |  |  | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html)  | Grants permission to list all User subscription Claims | List |  |  |  | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html)  | Grants permission to list all User subscriptions | List |  |  |  | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html)  | Grants permission to set a User subscription overage configuration | Write |  |  |  | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_permissions.html)  | Grants permission to update a User subscription Claim | Write |  |  |  | 

## Resource types defined by AWS User Subscriptions
<a name="awsusersubscriptions-resources-for-iam-policies"></a>

AWS User Subscriptions does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS User Subscriptions, specify `"Resource": "*"` in your policy.

## Condition keys for AWS User Subscriptions
<a name="awsusersubscriptions-policy-keys"></a>

AWS User Subscriptions defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-iam-service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by only allowing creation of User subscription Claims for the caller | Bool | 

# Actions, resources, and condition keys for AWS Verified Access
<a name="list_awsverifiedaccess"></a>

AWS Verified Access (service prefix: `verified-access`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/verified-access/latest/ug/what-is-verified-access.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/operation-list-verified-access.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/verified-access/latest/ug/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-create-instance) permission policies.

**Topics**
+ [

## Actions defined by AWS Verified Access
](#awsverifiedaccess-actions-as-permissions)
+ [

## Resource types defined by AWS Verified Access
](#awsverifiedaccess-resources-for-iam-policies)
+ [

## Condition keys for AWS Verified Access
](#awsverifiedaccess-policy-keys)

## Actions defined by AWS Verified Access
<a name="awsverifiedaccess-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsverifiedaccess-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/verified-access/latest/ug/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-create-instance](https://docs.aws.amazon.com/verified-access/latest/ug/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-create-instance) [permission only] | Grants permission to create Verified Access Instance | Write |  |  |  | 

## Resource types defined by AWS Verified Access
<a name="awsverifiedaccess-resources-for-iam-policies"></a>

AWS Verified Access does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to AWS Verified Access, specify `"Resource": "*"` in your policy.

## Condition keys for AWS Verified Access
<a name="awsverifiedaccess-policy-keys"></a>

Verified Access has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon Verified Permissions
<a name="list_amazonverifiedpermissions"></a>

Amazon Verified Permissions (service prefix: `verifiedpermissions`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/what-is-avp.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon Verified Permissions
](#amazonverifiedpermissions-actions-as-permissions)
+ [

## Resource types defined by Amazon Verified Permissions
](#amazonverifiedpermissions-resources-for-iam-policies)
+ [

## Condition keys for Amazon Verified Permissions
](#amazonverifiedpermissions-policy-keys)

## Actions defined by Amazon Verified Permissions
<a name="amazonverifiedpermissions-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonverifiedpermissions-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonverifiedpermissions.html)

## Resource types defined by Amazon Verified Permissions
<a name="amazonverifiedpermissions-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonverifiedpermissions-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/policy-stores.html](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/policy-stores.html)  |  arn:\$1\$1Partition\$1:verifiedpermissions::\$1\$1Account\$1:policy-store/\$1\$1PolicyStoreId\$1  |   [#amazonverifiedpermissions-aws_ResourceTag___TagKey_](#amazonverifiedpermissions-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon Verified Permissions
<a name="amazonverifiedpermissions-policy-keys"></a>

Amazon Verified Permissions defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag key and value pair that is allowed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by a tag key and value pair of a resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by a list of tag keys that are allowed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon VPC Lattice
<a name="list_amazonvpclattice"></a>

Amazon VPC Lattice (service prefix: `vpc-lattice`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/vpc-lattice/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/vpc-lattice/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon VPC Lattice
](#amazonvpclattice-actions-as-permissions)
+ [

## Resource types defined by Amazon VPC Lattice
](#amazonvpclattice-resources-for-iam-policies)
+ [

## Condition keys for Amazon VPC Lattice
](#amazonvpclattice-policy-keys)

## Actions defined by Amazon VPC Lattice
<a name="amazonvpclattice-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonvpclattice-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonvpclattice.html)

## Resource types defined by Amazon VPC Lattice
<a name="amazonvpclattice-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonvpclattice-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-access-logs.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-access-logs.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:accesslogsubscription/\$1\$1AccessLogSubscriptionId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/domain-verification.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/domain-verification.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:domainverification/\$1\$1DomainVerificationId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   [#amazonvpclattice-vpc-lattice_DomainName](#amazonvpclattice-vpc-lattice_DomainName)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/listeners.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/listeners.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceId\$1/listener/\$1\$1ListenerId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   [#amazonvpclattice-vpc-lattice_Protocol](#amazonvpclattice-vpc-lattice_Protocol)   [#amazonvpclattice-vpc-lattice_TargetGroupArns](#amazonvpclattice-vpc-lattice_TargetGroupArns)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-configurations.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-configurations.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:resourceconfiguration/\$1\$1ResourceConfigurationId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-endpoint-associations.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-endpoint-associations.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:resourceendpointassociation/\$1\$1ResourceEndpointAssociationId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_ResourceConfigurationArn](#amazonvpclattice-vpc-lattice_ResourceConfigurationArn)   [#amazonvpclattice-vpc-lattice_VpcEndpointId](#amazonvpclattice-vpc-lattice_VpcEndpointId)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-gateways.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-gateways.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:resourcegateway/\$1\$1ResourceGatewayId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   [#amazonvpclattice-vpc-lattice_VpcId](#amazonvpclattice-vpc-lattice_VpcId)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/listeners.html#listener-rules](https://docs.aws.amazon.com/vpc-lattice/latest/ug/listeners.html#listener-rules)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceId\$1/listener/\$1\$1ListenerId\$1/rule/\$1\$1RuleId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   [#amazonvpclattice-vpc-lattice_TargetGroupArns](#amazonvpclattice-vpc-lattice_TargetGroupArns)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/services.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/services.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_AuthType](#amazonvpclattice-vpc-lattice_AuthType)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-networks.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-networks.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:servicenetwork/\$1\$1ServiceNetworkId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_AuthType](#amazonvpclattice-vpc-lattice_AuthType)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-resource-configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-resource-configuration)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:servicenetworkresourceassociation/\$1\$1ServiceNetworkResourceAssociationId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   [#amazonvpclattice-vpc-lattice_ResourceConfigurationArn](#amazonvpclattice-vpc-lattice_ResourceConfigurationArn)   [#amazonvpclattice-vpc-lattice_ServiceNetworkArn](#amazonvpclattice-vpc-lattice_ServiceNetworkArn)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-service-associations](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-service-associations)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:servicenetworkserviceassociation/\$1\$1ServiceNetworkServiceAssociationId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   [#amazonvpclattice-vpc-lattice_ServiceArn](#amazonvpclattice-vpc-lattice_ServiceArn)   [#amazonvpclattice-vpc-lattice_ServiceNetworkArn](#amazonvpclattice-vpc-lattice_ServiceNetworkArn)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-vpc-associations](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-vpc-associations)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:servicenetworkvpcassociation/\$1\$1ServiceNetworkVpcAssociationId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   [#amazonvpclattice-vpc-lattice_PrivateDnsPreference](#amazonvpclattice-vpc-lattice_PrivateDnsPreference)   [#amazonvpclattice-vpc-lattice_PrivateDnsSpecifiedDomains](#amazonvpclattice-vpc-lattice_PrivateDnsSpecifiedDomains)   [#amazonvpclattice-vpc-lattice_SecurityGroupIds](#amazonvpclattice-vpc-lattice_SecurityGroupIds)   [#amazonvpclattice-vpc-lattice_ServiceNetworkArn](#amazonvpclattice-vpc-lattice_ServiceNetworkArn)   [#amazonvpclattice-vpc-lattice_VpcId](#amazonvpclattice-vpc-lattice_VpcId)   | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/target-groups.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/target-groups.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:targetgroup/\$1\$1TargetGroupId\$1  |   [#amazonvpclattice-aws_RequestTag___TagKey_](#amazonvpclattice-aws_RequestTag___TagKey_)   [#amazonvpclattice-aws_ResourceTag___TagKey_](#amazonvpclattice-aws_ResourceTag___TagKey_)   [#amazonvpclattice-aws_TagKeys](#amazonvpclattice-aws_TagKeys)   [#amazonvpclattice-vpc-lattice_CreateAction](#amazonvpclattice-vpc-lattice_CreateAction)   [#amazonvpclattice-vpc-lattice_VpcId](#amazonvpclattice-vpc-lattice_VpcId)   | 

## Condition keys for Amazon VPC Lattice
<a name="amazonvpclattice-policy-keys"></a>

Amazon VPC Lattice defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the auth type specified in the request | String | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the name of a resource-creating API action | String | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the domain name | String | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the private dns preference | String | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the private dns domains | ArrayOfString | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the protocol specified in the request | String | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the ARN of a resource configuration | ARN | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the IDs of security groups | ArrayOfString | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the ARN of a service | ARN | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the ARN of a service network | ARN | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the ARNs of target groups | ArrayOfARN | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the ID of a VPC endpoint | String | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/](https://docs.aws.amazon.com/vpc-lattice/latest/ug/)  | Filters access by the ID of a virtual private cloud (VPC) | String | 

# Actions, resources, and condition keys for Amazon VPC Lattice Services
<a name="list_amazonvpclatticeservices"></a>

Amazon VPC Lattice Services (service prefix: `vpc-lattice-svcs`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/vpc-lattice/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/vpc-lattice/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon VPC Lattice Services
](#amazonvpclatticeservices-actions-as-permissions)
+ [

## Resource types defined by Amazon VPC Lattice Services
](#amazonvpclatticeservices-resources-for-iam-policies)
+ [

## Condition keys for Amazon VPC Lattice Services
](#amazonvpclatticeservices-policy-keys)

## Actions defined by Amazon VPC Lattice Services
<a name="amazonvpclatticeservices-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonvpclatticeservices-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonvpclatticeservices.html)

## Resource types defined by Amazon VPC Lattice Services
<a name="amazonvpclatticeservices-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonvpclatticeservices-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/services.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/services.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceId\$1/\$1\$1RequestPath\$1  |  | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/services.html](https://docs.aws.amazon.com/vpc-lattice/latest/ug/services.html)  |  arn:\$1\$1Partition\$1:vpc-lattice:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceId\$1  |  | 

## Condition keys for Amazon VPC Lattice Services
<a name="amazonvpclatticeservices-policy-keys"></a>

Amazon VPC Lattice Services defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys)  | Filters access by the destination port the request is made to | Numeric | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys)  | Filters access by a header name-value pair in the request headers | String | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys)  | Filters access by the method of the request | String | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys)  | Filters access by the path portion of the request URL | String | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys)  | Filters access by the query string key-value pairs in the request URL | ArrayOfString | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys)  | Filters access by the ARN of the service receiving the request | ARN | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys)  | Filters access by the ARN of the service network receiving the request | ARN | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys)  | Filters access by the VPC the request is made from | String | 
|   [https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-condition-keys)  | Filters access by the owning account of the VPC the request is made from | String | 

# Actions, resources, and condition keys for AWS WAF
<a name="list_awswaf"></a>

AWS WAF (service prefix: `waf`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/waf/latest/developerguide/classic-waf-chapter.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/waf/latest/APIReference/API_Operations_AWS_WAF.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/waf/latest/developerguide/classic-waf-auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS WAF
](#awswaf-actions-as-permissions)
+ [

## Resource types defined by AWS WAF
](#awswaf-resources-for-iam-policies)
+ [

## Condition keys for AWS WAF
](#awswaf-policy-keys)

## Actions defined by AWS WAF
<a name="awswaf-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awswaf-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awswaf.html)

## Resource types defined by AWS WAF
<a name="awswaf-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awswaf-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_ByteMatchSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_ByteMatchSet.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:bytematchset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_IPSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_IPSet.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:ipset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_RateBasedRule.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_RateBasedRule.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:ratebasedrule/\$1\$1Id\$1  |   [#awswaf-aws_ResourceTag___TagKey_](#awswaf-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_Rule.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_Rule.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:rule/\$1\$1Id\$1  |   [#awswaf-aws_ResourceTag___TagKey_](#awswaf-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_SizeConstraintSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_SizeConstraintSet.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:sizeconstraintset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_SqlInjectionMatchSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_SqlInjectionMatchSet.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:sqlinjectionset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_WebACL.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:webacl/\$1\$1Id\$1  |   [#awswaf-aws_ResourceTag___TagKey_](#awswaf-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_XssMatchSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_XssMatchSet.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:xssmatchset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_RegexMatchSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_RegexMatchSet.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:regexmatch/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_RegexPatternSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_RegexPatternSet.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:regexpatternset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_GeoMatchSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_GeoMatchSet.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:geomatchset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_RuleGroup.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_RuleGroup.html)  |  arn:\$1\$1Partition\$1:waf::\$1\$1Account\$1:rulegroup/\$1\$1Id\$1  |   [#awswaf-aws_ResourceTag___TagKey_](#awswaf-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS WAF
<a name="awswaf-policy-keys"></a>

AWS WAF defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS WAF Regional
<a name="list_awswafregional"></a>

AWS WAF Regional (service prefix: `waf-regional`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/waf/latest/developerguide/classic-waf-chapter.htm).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/waf/latest/APIReference/API_Operations_AWS_WAF_Regional.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/waf/latest/developerguide/classic-waf-auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS WAF Regional
](#awswafregional-actions-as-permissions)
+ [

## Resource types defined by AWS WAF Regional
](#awswafregional-resources-for-iam-policies)
+ [

## Condition keys for AWS WAF Regional
](#awswafregional-policy-keys)

## Actions defined by AWS WAF Regional
<a name="awswafregional-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awswafregional-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafregional.html)

## Resource types defined by AWS WAF Regional
<a name="awswafregional-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awswafregional-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_ByteMatchSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_ByteMatchSet.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:bytematchset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_IPSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_IPSet.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:ipset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_WebACL.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:loadbalancer/app/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_RateBasedRule.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_RateBasedRule.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:ratebasedrule/\$1\$1Id\$1  |   [#awswafregional-aws_ResourceTag___TagKey_](#awswafregional-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_Rule.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_Rule.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:rule/\$1\$1Id\$1  |   [#awswafregional-aws_ResourceTag___TagKey_](#awswafregional-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_SizeConstraintSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_SizeConstraintSet.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:sizeconstraintset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_SqlInjectionMatchSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_SqlInjectionMatchSet.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:sqlinjectionset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_WebACL.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:webacl/\$1\$1Id\$1  |   [#awswafregional-aws_ResourceTag___TagKey_](#awswafregional-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_XssMatchSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_XssMatchSet.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:xssmatchset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_RegexMatchSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_RegexMatchSet.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:regexmatch/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_RegexPatternSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_RegexPatternSet.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:regexpatternset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_GeoMatchSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_GeoMatchSet.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:geomatchset/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_RuleGroup.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_RuleGroup.html)  |  arn:\$1\$1Partition\$1:waf-regional:\$1\$1Region\$1:\$1\$1Account\$1:rulegroup/\$1\$1Id\$1  |   [#awswafregional-aws_ResourceTag___TagKey_](#awswafregional-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS WAF Regional
<a name="awswafregional-policy-keys"></a>

AWS WAF Regional defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag-value assoicated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of mandatory tags in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS WAF V2
<a name="list_awswafv2"></a>

AWS WAF V2 (service prefix: `wafv2`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/waf/latest/APIReference/API_Operations_AWS_WAFV2.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/waf/latest/developerguide/waf-auth-and-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS WAF V2
](#awswafv2-actions-as-permissions)
+ [

## Resource types defined by AWS WAF V2
](#awswafv2-resources-for-iam-policies)
+ [

## Condition keys for AWS WAF V2
](#awswafv2-policy-keys)

## Actions defined by AWS WAF V2
<a name="awswafv2-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awswafv2-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html)

## Resource types defined by AWS WAF V2
<a name="awswafv2-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awswafv2-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html)  |  arn:\$1\$1Partition\$1:wafv2:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1Scope\$1/webacl/\$1\$1Name\$1/\$1\$1Id\$1  |   [#awswafv2-aws_ResourceTag___TagKey_](#awswafv2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_IPSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_IPSet.html)  |  arn:\$1\$1Partition\$1:wafv2:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1Scope\$1/ipset/\$1\$1Name\$1/\$1\$1Id\$1  |   [#awswafv2-aws_ResourceTag___TagKey_](#awswafv2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_ManagedRuleSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_ManagedRuleSet.html)  |  arn:\$1\$1Partition\$1:wafv2:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1Scope\$1/managedruleset/\$1\$1Name\$1/\$1\$1Id\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html)  |  arn:\$1\$1Partition\$1:wafv2:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1Scope\$1/rulegroup/\$1\$1Name\$1/\$1\$1Id\$1  |   [#awswafv2-aws_ResourceTag___TagKey_](#awswafv2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_RegexPatternSet.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_RegexPatternSet.html)  |  arn:\$1\$1Partition\$1:wafv2:\$1\$1Region\$1:\$1\$1Account\$1:\$1\$1Scope\$1/regexpatternset/\$1\$1Name\$1/\$1\$1Id\$1  |   [#awswafv2-aws_ResourceTag___TagKey_](#awswafv2-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html)  |  arn:\$1\$1Partition\$1:elasticloadbalancing:\$1\$1Region\$1:\$1\$1Account\$1:loadbalancer/app/\$1\$1LoadBalancerName\$1/\$1\$1LoadBalancerId\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html)  |  arn:\$1\$1Partition\$1:apigateway:\$1\$1Region\$1::/restapis/\$1\$1ApiId\$1/stages/\$1\$1StageName\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html)  |  arn:\$1\$1Partition\$1:appsync:\$1\$1Region\$1:\$1\$1Account\$1:apis/\$1\$1GraphQLAPIId\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html)  |  arn:\$1\$1Partition\$1:cognito-idp:\$1\$1Region\$1:\$1\$1Account\$1:userpool/\$1\$1UserPoolId\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html)  |  arn:\$1\$1Partition\$1:apprunner:\$1\$1Region\$1:\$1\$1Account\$1:service/\$1\$1ServiceName\$1/\$1\$1ServiceId\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html)  |  arn:\$1\$1Partition\$1:ec2:\$1\$1Region\$1:\$1\$1Account\$1:verified-access-instance/\$1\$1VerifiedAccessInstanceId\$1  |  | 
|   [https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html](https://docs.aws.amazon.com/waf/latest/APIReference/API_WebACL.html)  |  arn:\$1\$1Partition\$1:amplify:\$1\$1Region\$1:\$1\$1Account\$1:apps/\$1\$1AppId\$1  |  | 

## Condition keys for AWS WAF V2
<a name="awswafv2-policy-keys"></a>

AWS WAF V2 defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the allowed set of values for each of the tags | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag-value associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the presence of mandatory tags in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by log destination ARN for PutLoggingConfiguration API | ARN | 
|   [https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys](https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys)  | Filters access by log scope for Logging Configuration API | String | 

# Actions, resources, and condition keys for AWS Well-Architected Tool
<a name="list_awswell-architectedtool"></a>

AWS Well-Architected Tool (service prefix: `wellarchitected`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/wellarchitected/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/wellarchitected/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/wellarchitected/latest/userguide/iam-auth-access.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Well-Architected Tool
](#awswell-architectedtool-actions-as-permissions)
+ [

## Resource types defined by AWS Well-Architected Tool
](#awswell-architectedtool-resources-for-iam-policies)
+ [

## Condition keys for AWS Well-Architected Tool
](#awswell-architectedtool-policy-keys)

## Actions defined by AWS Well-Architected Tool
<a name="awswell-architectedtool-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awswell-architectedtool-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awswell-architectedtool.html)

## Resource types defined by AWS Well-Architected Tool
<a name="awswell-architectedtool-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awswell-architectedtool-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/wellarchitected/latest/APIReference/API_Workload.html](https://docs.aws.amazon.com/wellarchitected/latest/APIReference/API_Workload.html)  |  arn:\$1\$1Partition\$1:wellarchitected:\$1\$1Region\$1:\$1\$1Account\$1:workload/\$1\$1ResourceId\$1  |   [#awswell-architectedtool-aws_ResourceTag___TagKey_](#awswell-architectedtool-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wellarchitected/latest/APIReference/API_Lens.html](https://docs.aws.amazon.com/wellarchitected/latest/APIReference/API_Lens.html)  |  arn:\$1\$1Partition\$1:wellarchitected:\$1\$1Region\$1:\$1\$1Account\$1:lens/\$1\$1ResourceId\$1  |   [#awswell-architectedtool-aws_ResourceTag___TagKey_](#awswell-architectedtool-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wellarchitected/latest/APIReference/API_Profile.html](https://docs.aws.amazon.com/wellarchitected/latest/APIReference/API_Profile.html)  |  arn:\$1\$1Partition\$1:wellarchitected:\$1\$1Region\$1:\$1\$1Account\$1:profile/\$1\$1ResourceId\$1  |   [#awswell-architectedtool-aws_ResourceTag___TagKey_](#awswell-architectedtool-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/wellarchitected/latest/APIReference/API_ReviewTemplate.html](https://docs.aws.amazon.com/wellarchitected/latest/APIReference/API_ReviewTemplate.html)  |  arn:\$1\$1Partition\$1:wellarchitected:\$1\$1Region\$1:\$1\$1Account\$1:review-template/\$1\$1ResourceId\$1  |   [#awswell-architectedtool-aws_ResourceTag___TagKey_](#awswell-architectedtool-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Well-Architected Tool
<a name="awswell-architectedtool-policy-keys"></a>

AWS Well-Architected Tool defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by tag keys in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/wellarchitected/latest/userguide/security_iam_id-based-policy-examples.html](https://docs.aws.amazon.com/wellarchitected/latest/userguide/security_iam_id-based-policy-examples.html)  | Filters access by project key | String | 

# Actions, resources, and condition keys for AWS Wickr
<a name="list_awswickr"></a>

AWS Wickr (service prefix: `wickr`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/wickr/latest/adminguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/wickr/latest/adminguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/wickr/latest/adminguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS Wickr
](#awswickr-actions-as-permissions)
+ [

## Resource types defined by AWS Wickr
](#awswickr-resources-for-iam-policies)
+ [

## Condition keys for AWS Wickr
](#awswickr-policy-keys)

## Actions defined by AWS Wickr
<a name="awswickr-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awswickr-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awswickr.html)

## Resource types defined by AWS Wickr
<a name="awswickr-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awswickr-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/wickr/latest/adminguide/](https://docs.aws.amazon.com/wickr/latest/adminguide/)  |  arn:\$1\$1Partition\$1:wickr:\$1\$1Region\$1:\$1\$1Account\$1:network/\$1\$1NetworkId\$1  |   [#awswickr-aws_ResourceTag___TagKey_](#awswickr-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS Wickr
<a name="awswickr-policy-keys"></a>

AWS Wickr defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by a tag's key and value in a request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys in a request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon WorkDocs
<a name="list_amazonworkdocs"></a>

Amazon WorkDocs (service prefix: `workdocs`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/workdocs/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/workdocs/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/workdocs/latest/adminguide/prereqs.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon WorkDocs
](#amazonworkdocs-actions-as-permissions)
+ [

## Resource types defined by Amazon WorkDocs
](#amazonworkdocs-resources-for-iam-policies)
+ [

## Condition keys for Amazon WorkDocs
](#amazonworkdocs-policy-keys)

## Actions defined by Amazon WorkDocs
<a name="amazonworkdocs-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonworkdocs-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_AbortDocumentVersionUpload.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_AbortDocumentVersionUpload.html)  | Grants permission to abort the upload of the specified document version that was previously initiated by InitiateDocumentVersionUpload | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_ActivateUser.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_ActivateUser.html)  | Grants permission to activate the specified user. Only active users can access Amazon WorkDocs | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-notifications.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-notifications.html) [permission only] | Grants permission to add principals that are allowed to call notification subscription APIs for a given WorkDocs site | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_AddResourcePermissions.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_AddResourcePermissions.html)  | Grants permission to create a set of permissions for the specified folder or document | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html) [permission only] | Grants permission to add a user to a group | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/cloud_quick_start.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/cloud_quick_start.html) [permission only] | Grants permission to check an alias | Read |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateComment.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateComment.html)  | Grants permission to add a new comment to the specified document version | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateCustomMetadata.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateCustomMetadata.html)  | Grants permission to add one or more custom properties to the specified resource | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateFolder.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateFolder.html)  | Grants permission to create a folder with the specified name and parent folder | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/getting_started.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/getting_started.html) [permission only] | Grants permission to create an instance | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateLabels.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateLabels.html)  | Grants permission to add labels to the given resource | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateNotificationSubscription.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateNotificationSubscription.html)  | Grants permission to configure WorkDocs to use Amazon SNS notifications | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateUser.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateUser.html)  | Grants permission to create a user in a Simple AD or Microsoft AD directory | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeactivateUser.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeactivateUser.html)  | Grants permission to deactivate the specified user, which revokes the user's access to Amazon WorkDocs | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteComment.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteComment.html)  | Grants permission to delete the specified comment from the document version | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteCustomMetadata.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteCustomMetadata.html)  | Grants permission to delete custom metadata from the specified resource | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteDocument.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteDocument.html)  | Grants permission to permanently delete the specified document and its associated metadata | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteDocumentVersion.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteDocumentVersion.html)  | Grants permission to delete versions of a specified document | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteFolder.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteFolder.html)  | Grants permission to permanently delete the specified folder and its contents | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteFolderContents.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteFolderContents.html)  | Grants permission to delete the contents of the specified folder | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-sites.html#delete_site](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-sites.html#delete_site) [permission only] | Grants permission to delete an instance | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteLabels.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteLabels.html)  | Grants permission to delete one or more labels from a resource | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-notifications.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-notifications.html) [permission only] | Grants permission to delete principals that are allowed to call notification subscription APIs for a given WorkDocs site | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteNotificationSubscription.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteNotificationSubscription.html)  | Grants permission to delete the specified subscription from the specified organization | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteUser.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DeleteUser.html)  | Grants permission to delete the specified user from a Simple AD or Microsoft AD directory | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-sites.html#delete_site](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-sites.html#delete_site) [permission only] | Grants permission to deregister a directory | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeActivities.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeActivities.html)  | Grants permission to fetch user activities in a specified time period | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/getting_started.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/getting_started.html) [permission only] | Grants permission to describe available directories | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeComments.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeComments.html)  | Grants permission to list all the comments for the specified document version | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeDocumentVersions.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeDocumentVersions.html)  | Grants permission to retrieve the document versions for the specified document | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeFolderContents.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeFolderContents.html)  | Grants permission to describe the contents of the specified folder, including its documents and sub-folders | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeGroups.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeGroups.html)  | Grants permission to describe the user groups | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/migration-tool.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/migration-tool.html) [permission only] | Grants permission to describe the export history for an instance | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/getting_started.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/getting_started.html) [permission only] | Grants permission to describe instances | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-notifications.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-notifications.html) [permission only] | Grants permission to describe principals that are allowed to call notification subscription APIs for a given WorkDocs site | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeNotificationSubscriptions.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeNotificationSubscriptions.html)  | Grants permission to list the specified notification subscriptions | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeResourcePermissions.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeResourcePermissions.html)  | Grants permission to view a description of a specified resource's permissions | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeRootFolders.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeRootFolders.html)  | Grants permission to describe the root folders | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeUsers.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_DescribeUsers.html)  | Grants permission to view a description of the specified users. You can describe all users or filter the results (for example, by status or organization) | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetDocumentVersion.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetDocumentVersion.html) [permission only] | Grants permission to download a specified document version | Read |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetCurrentUser.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetCurrentUser.html)  | Grants permission to retrieve the details of the current user | Read |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetDocument.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetDocument.html)  | Grants permission to retrieve the specified document object | Read |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetDocumentPath.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetDocumentPath.html)  | Grants permission to retrieve the path information (the hierarchy from the root folder) for the requested document | Read |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetDocumentVersion.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetDocumentVersion.html)  | Grants permission to retrieve version metadata for the specified document | Read |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetFolder.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetFolder.html)  | Grants permission to retrieve the metadata of the specified folder | Read |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetFolderPath.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetFolderPath.html)  | Grants permission to retrieve the path information (the hierarchy from the root folder) for the specified folder | Read |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_Operations.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_Operations.html) [permission only] | Grants permission to retrieve details for the specified group | Read |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetResources.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_GetResources.html)  | Grants permission to get a collection of resources | Read |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_InitiateDocumentVersionUpload.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_InitiateDocumentVersionUpload.html)  | Grants permission to create a new document object and version object | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/existing-dir-setup.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/existing-dir-setup.html) [permission only] | Grants permission to register a directory | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_RemoveAllResourcePermissions.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_RemoveAllResourcePermissions.html)  | Grants permission to remove all the permissions from the specified resource | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_RemoveResourcePermission.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_RemoveResourcePermission.html)  | Grants permission to remove the permission for the specified principal from the specified resource | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_RestoreDocumentVersions.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_RestoreDocumentVersions.html)  | Grants permission to restore versions of a specified document | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_SearchResources.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_SearchResources.html)  | Grants permission to search metadata and the content of resources | List |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/migration-tool.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/migration-tool.html) [permission only] | Grants permission to start an export for an instance | Write |   [#amazonworkdocs-organization](#amazonworkdocs-organization)   |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_UpdateDocument.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_UpdateDocument.html)  | Grants permission to update the specified attributes of the specified document | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_UpdateDocumentVersion.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_UpdateDocumentVersion.html)  | Grants permission to change the status of the document version to ACTIVE | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_UpdateFolder.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_UpdateFolder.html)  | Grants permission to update the specified attributes of the specified folder | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/getting_started.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/getting_started.html) [permission only] | Grants permission to update an instance alias | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/APIReference/API_UpdateUser.html](https://docs.aws.amazon.com/workdocs/latest/APIReference/API_UpdateUser.html)  | Grants permission to update the specified attributes of the specified user, and grants or revokes administrative privileges to the Amazon WorkDocs site | Write |  |  |  | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/migration.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/migration.html) [permission only] | Grants permission to update the administrative settings for a user | Write |  |  |  | 

## Resource types defined by Amazon WorkDocs
<a name="amazonworkdocs-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonworkdocs-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/workdocs/latest/adminguide/migration-tool.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/migration-tool.html)  |  arn:\$1\$1Partition\$1:workdocs:\$1\$1Region\$1:\$1\$1Account\$1:organization/\$1\$1ResourceId\$1  |  | 

## Condition keys for Amazon WorkDocs
<a name="amazonworkdocs-policy-keys"></a>

WorkDocs has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon WorkLink
<a name="list_amazonworklink"></a>

Amazon WorkLink (service prefix: `worklink`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/worklink/latest/ag/what-is.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/worklink/latest/api/Welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/worklink/latest/ag/configure-network.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon WorkLink
](#amazonworklink-actions-as-permissions)
+ [

## Resource types defined by Amazon WorkLink
](#amazonworklink-resources-for-iam-policies)
+ [

## Condition keys for Amazon WorkLink
](#amazonworklink-policy-keys)

## Actions defined by Amazon WorkLink
<a name="amazonworklink-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonworklink-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworklink.html)

## Resource types defined by Amazon WorkLink
<a name="amazonworklink-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonworklink-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/worklink/latest/api/API_CreateFleet.html](https://docs.aws.amazon.com/worklink/latest/api/API_CreateFleet.html)  |  arn:\$1\$1Partition\$1:worklink::\$1\$1Account\$1:fleet/\$1\$1FleetName\$1  |   [#amazonworklink-aws_ResourceTag___TagKey_](#amazonworklink-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon WorkLink
<a name="amazonworklink-policy-keys"></a>

Amazon WorkLink defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters actions based on the presence of tag key-value pairs in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters actions based on tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters actions based on the presence of tag keys in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon WorkMail
<a name="list_amazonworkmail"></a>

Amazon WorkMail (service prefix: `workmail`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/workmail/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/workmail/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/workmail/latest/adminguide/iam_users_groups.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon WorkMail
](#amazonworkmail-actions-as-permissions)
+ [

## Resource types defined by Amazon WorkMail
](#amazonworkmail-resources-for-iam-policies)
+ [

## Condition keys for Amazon WorkMail
](#amazonworkmail-policy-keys)

## Actions defined by Amazon WorkMail
<a name="amazonworkmail-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonworkmail-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmail.html)

## Resource types defined by Amazon WorkMail
<a name="amazonworkmail-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonworkmail-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/workmail/latest/adminguide/organizations_overview.html](https://docs.aws.amazon.com/workmail/latest/adminguide/organizations_overview.html)  |  arn:\$1\$1Partition\$1:workmail:\$1\$1Region\$1:\$1\$1Account\$1:organization/\$1\$1ResourceId\$1  |   [#amazonworkmail-aws_ResourceTag___TagKey_](#amazonworkmail-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon WorkMail
<a name="amazonworkmail-policy-keys"></a>

Amazon WorkMail defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tag key-value pairs that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tag key-value pairs attached to the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonworkmail.html#amazonworkmail-policy-keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonworkmail.html#amazonworkmail-policy-keys)  | Filters access by the ImpersonationRoleId that is passed in the request | String | 

# Actions, resources, and condition keys for Amazon WorkMail Message Flow
<a name="list_amazonworkmailmessageflow"></a>

Amazon WorkMail Message Flow (service prefix: `workmailmessageflow`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/workmail/latest/adminguide/lambda-content.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/workmail/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/workmail/latest/adminguide/lambda-content.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon WorkMail Message Flow
](#amazonworkmailmessageflow-actions-as-permissions)
+ [

## Resource types defined by Amazon WorkMail Message Flow
](#amazonworkmailmessageflow-resources-for-iam-policies)
+ [

## Condition keys for Amazon WorkMail Message Flow
](#amazonworkmailmessageflow-policy-keys)

## Actions defined by Amazon WorkMail Message Flow
<a name="amazonworkmailmessageflow-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonworkmailmessageflow-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/workmail/latest/APIReference/API_messageflow_GetRawMessageContent.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_messageflow_GetRawMessageContent.html)  | Grants permission to read the content of email messages with the specified message ID | Read |   [#amazonworkmailmessageflow-RawMessage](#amazonworkmailmessageflow-RawMessage)   |  |  | 
|   [https://docs.aws.amazon.com/workmail/latest/APIReference/API_messageflow_PutRawMessageContent.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_messageflow_PutRawMessageContent.html)  | Grants permission to update the content of email messages with the specified message ID | Write |   [#amazonworkmailmessageflow-RawMessage](#amazonworkmailmessageflow-RawMessage)   |  |  | 

## Resource types defined by Amazon WorkMail Message Flow
<a name="amazonworkmailmessageflow-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonworkmailmessageflow-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/workmail/latest/adminguide/lambda-content.html](https://docs.aws.amazon.com/workmail/latest/adminguide/lambda-content.html)  |  arn:\$1\$1Partition\$1:workmailmessageflow:\$1\$1Region\$1:\$1\$1Account\$1:message/\$1\$1OrganizationId\$1/\$1\$1Context\$1/\$1\$1MessageId\$1  |  | 

## Condition keys for Amazon WorkMail Message Flow
<a name="amazonworkmailmessageflow-policy-keys"></a>

WorkMail Message Flow has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for Amazon WorkSpaces
<a name="list_amazonworkspaces"></a>

Amazon WorkSpaces (service prefix: `workspaces`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/workspaces/latest/userguide/workspaces-user-getting-started.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/workspaces/latest/api/welcome.html).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon WorkSpaces
](#amazonworkspaces-actions-as-permissions)
+ [

## Resource types defined by Amazon WorkSpaces
](#amazonworkspaces-resources-for-iam-policies)
+ [

## Condition keys for Amazon WorkSpaces
](#amazonworkspaces-policy-keys)

## Actions defined by Amazon WorkSpaces
<a name="amazonworkspaces-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonworkspaces-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspaces.html)

## Resource types defined by Amazon WorkSpaces
<a name="amazonworkspaces-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonworkspaces-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/workspaces/latest/adminguide/trusted-devices.html](https://docs.aws.amazon.com/workspaces/latest/adminguide/trusted-devices.html)  |  arn:\$1\$1Partition\$1:workspaces:\$1\$1Region\$1:\$1\$1Account\$1:workspacecertificate/\$1\$1CertificateId\$1  |  | 
|   [https://docs.aws.amazon.com/workspaces/latest/adminguide/manage-workspaces-directory.html](https://docs.aws.amazon.com/workspaces/latest/adminguide/manage-workspaces-directory.html)  |  arn:\$1\$1Partition\$1:workspaces:\$1\$1Region\$1:\$1\$1Account\$1:directory/\$1\$1DirectoryId\$1  |   [#amazonworkspaces-aws_ResourceTag___TagKey_](#amazonworkspaces-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces/latest/adminguide/bundles.html](https://docs.aws.amazon.com/workspaces/latest/adminguide/bundles.html)  |  arn:\$1\$1Partition\$1:workspaces:\$1\$1Region\$1:\$1\$1Account\$1:workspacebundle/\$1\$1BundleId\$1  |   [#amazonworkspaces-aws_ResourceTag___TagKey_](#amazonworkspaces-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces/latest/adminguide/wsp_workspace_management.html](https://docs.aws.amazon.com/workspaces/latest/adminguide/wsp_workspace_management.html)  |  arn:\$1\$1Partition\$1:workspaces:\$1\$1Region\$1:\$1\$1Account\$1:workspace/\$1\$1WorkspaceId\$1  |   [#amazonworkspaces-aws_ResourceTag___TagKey_](#amazonworkspaces-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces/latest/adminguide/bundles.html](https://docs.aws.amazon.com/workspaces/latest/adminguide/bundles.html)  |  arn:\$1\$1Partition\$1:workspaces:\$1\$1Region\$1:\$1\$1Account\$1:workspaceimage/\$1\$1ImageId\$1  |   [#amazonworkspaces-aws_ResourceTag___TagKey_](#amazonworkspaces-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-ip-access-control-groups.html](https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-ip-access-control-groups.html)  |  arn:\$1\$1Partition\$1:workspaces:\$1\$1Region\$1:\$1\$1Account\$1:workspaceipgroup/\$1\$1GroupId\$1  |   [#amazonworkspaces-aws_ResourceTag___TagKey_](#amazonworkspaces-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-pool.html](https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-pool.html)  |  arn:\$1\$1Partition\$1:workspaces:\$1\$1Region\$1:\$1\$1Account\$1:workspacespool/\$1\$1PoolId\$1  |   [#amazonworkspaces-aws_ResourceTag___TagKey_](#amazonworkspaces-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces/latest/adminguide/cross-region-redirection.html](https://docs.aws.amazon.com/workspaces/latest/adminguide/cross-region-redirection.html)  |  arn:\$1\$1Partition\$1:workspaces:\$1\$1Region\$1:\$1\$1Account\$1:connectionalias/\$1\$1ConnectionAliasId\$1  |   [#amazonworkspaces-aws_ResourceTag___TagKey_](#amazonworkspaces-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces/latest/adminguide/application-bundle-management.html](https://docs.aws.amazon.com/workspaces/latest/adminguide/application-bundle-management.html)  |  arn:\$1\$1Partition\$1:workspaces:\$1\$1Region\$1:\$1\$1Account\$1:workspaceapplication/\$1\$1WorkSpaceApplicationId\$1  |   [#amazonworkspaces-aws_ResourceTag___TagKey_](#amazonworkspaces-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon WorkSpaces
<a name="amazonworkspaces-policy-keys"></a>

Amazon WorkSpaces defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/workspaces/latest/adminguide/external-identity-providers-setting-up-saml.html#external-identity-providers-embed-inline-policy-for-IAM-role](https://docs.aws.amazon.com/workspaces/latest/adminguide/external-identity-providers-setting-up-saml.html#external-identity-providers-embed-inline-policy-for-IAM-role)  | Filters access by the ID of the Workspaces user | String | 

# Actions, resources, and condition keys for Amazon WorkSpaces Application Manager
<a name="list_amazonworkspacesapplicationmanager"></a>

Amazon WorkSpaces Application Manager (service prefix: `wam`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/wam/latest/adminguide/iam.html).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/wam/latest/adminguide/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/wam/latest/adminguide/iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon WorkSpaces Application Manager
](#amazonworkspacesapplicationmanager-actions-as-permissions)
+ [

## Resource types defined by Amazon WorkSpaces Application Manager
](#amazonworkspacesapplicationmanager-resources-for-iam-policies)
+ [

## Condition keys for Amazon WorkSpaces Application Manager
](#amazonworkspacesapplicationmanager-policy-keys)

## Actions defined by Amazon WorkSpaces Application Manager
<a name="amazonworkspacesapplicationmanager-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonworkspacesapplicationmanager-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  

| Actions | Description | Access level | Resource types (\$1required) | Condition keys | Dependent actions | 
| --- | --- | --- | --- | --- | --- | 
|   [https://docs.aws.amazon.com/wam/latest/adminguide/iam.html](https://docs.aws.amazon.com/wam/latest/adminguide/iam.html) [permission only] | Allows the Amazon WAM packaging instance to access your application package catalog. | Write |  |  |  | 

## Resource types defined by Amazon WorkSpaces Application Manager
<a name="amazonworkspacesapplicationmanager-resources-for-iam-policies"></a>

Amazon WorkSpaces Application Manager does not support specifying a resource ARN in the `Resource` element of an IAM policy statement. To allow access to Amazon WorkSpaces Application Manager, specify `"Resource": "*"` in your policy.

## Condition keys for Amazon WorkSpaces Application Manager
<a name="amazonworkspacesapplicationmanager-policy-keys"></a>

WAM has no service-specific context keys that can be used in the `Condition` element of policy statements. For the list of the global context keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).

# Actions, resources, and condition keys for AWS WorkSpaces Managed Instances
<a name="list_awsworkspacesmanagedinstances"></a>

AWS WorkSpaces Managed Instances (service prefix: `workspaces-instances`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/workspaces/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/workspaces/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/workspaces/latest/userguide/workspaces-instances-access-control.html) permission policies.

**Topics**
+ [

## Actions defined by AWS WorkSpaces Managed Instances
](#awsworkspacesmanagedinstances-actions-as-permissions)
+ [

## Resource types defined by AWS WorkSpaces Managed Instances
](#awsworkspacesmanagedinstances-resources-for-iam-policies)
+ [

## Condition keys for AWS WorkSpaces Managed Instances
](#awsworkspacesmanagedinstances-policy-keys)

## Actions defined by AWS WorkSpaces Managed Instances
<a name="awsworkspacesmanagedinstances-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsworkspacesmanagedinstances-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsworkspacesmanagedinstances.html)

## Resource types defined by AWS WorkSpaces Managed Instances
<a name="awsworkspacesmanagedinstances-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsworkspacesmanagedinstances-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/workspaces/latest/api/managed-workspaces-instances.html](https://docs.aws.amazon.com/workspaces/latest/api/managed-workspaces-instances.html)  |  arn:\$1\$1Partition\$1:workspaces-instances:\$1\$1Region\$1:\$1\$1Account\$1:workspaceinstance/\$1\$1WorkspaceInstanceId\$1  |   [#awsworkspacesmanagedinstances-aws_ResourceTag___TagKey_](#awsworkspacesmanagedinstances-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces/latest/api/managed-workspaces-volumes.html](https://docs.aws.amazon.com/workspaces/latest/api/managed-workspaces-volumes.html)  |  arn:\$1\$1Partition\$1:ec2:\$1\$1Region\$1:\$1\$1Account\$1:volume/\$1\$1VolumeId\$1  |   [#awsworkspacesmanagedinstances-aws_ResourceTag___TagKey_](#awsworkspacesmanagedinstances-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS WorkSpaces Managed Instances
<a name="awsworkspacesmanagedinstances-policy-keys"></a>

AWS WorkSpaces Managed Instances defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access based on the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access based on the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access based on the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon WorkSpaces Secure Browser
<a name="list_amazonworkspacessecurebrowser"></a>

Amazon WorkSpaces Secure Browser (service prefix: `workspaces-web`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/workspaces-web/latest/adminguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/workspaces-web/latest/adminguide/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon WorkSpaces Secure Browser
](#amazonworkspacessecurebrowser-actions-as-permissions)
+ [

## Resource types defined by Amazon WorkSpaces Secure Browser
](#amazonworkspacessecurebrowser-resources-for-iam-policies)
+ [

## Condition keys for Amazon WorkSpaces Secure Browser
](#amazonworkspacessecurebrowser-policy-keys)

## Actions defined by Amazon WorkSpaces Secure Browser
<a name="amazonworkspacessecurebrowser-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonworkspacessecurebrowser-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspacessecurebrowser.html)

## Resource types defined by Amazon WorkSpaces Secure Browser
<a name="amazonworkspacessecurebrowser-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonworkspacessecurebrowser-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateBrowserSettings.html](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateBrowserSettings.html)  |  arn:\$1\$1Partition\$1:workspaces-web:\$1\$1Region\$1:\$1\$1Account\$1:browserSettings/\$1\$1BrowserSettingsId\$1  |   [#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_](#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateIdentityProvider.html](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateIdentityProvider.html)  |  arn:\$1\$1Partition\$1:workspaces-web:\$1\$1Region\$1:\$1\$1Account\$1:identityProvider/\$1\$1PortalId\$1/\$1\$1IdentityProviderId\$1  |   [#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_](#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateNetworkSettings.html](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateNetworkSettings.html)  |  arn:\$1\$1Partition\$1:workspaces-web:\$1\$1Region\$1:\$1\$1Account\$1:networkSettings/\$1\$1NetworkSettingsId\$1  |   [#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_](#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreatePortal.html](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreatePortal.html)  |  arn:\$1\$1Partition\$1:workspaces-web:\$1\$1Region\$1:\$1\$1Account\$1:portal/\$1\$1PortalId\$1  |   [#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_](#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateTrustStore.html](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateTrustStore.html)  |  arn:\$1\$1Partition\$1:workspaces-web:\$1\$1Region\$1:\$1\$1Account\$1:trustStore/\$1\$1TrustStoreId\$1  |   [#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_](#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateUserSettings.html](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateUserSettings.html)  |  arn:\$1\$1Partition\$1:workspaces-web:\$1\$1Region\$1:\$1\$1Account\$1:userSettings/\$1\$1UserSettingsId\$1  |   [#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_](#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateUserAccessLoggingSettings.html](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateUserAccessLoggingSettings.html)  |  arn:\$1\$1Partition\$1:workspaces-web:\$1\$1Region\$1:\$1\$1Account\$1:userAccessLoggingSettings/\$1\$1UserAccessLoggingSettingsId\$1  |   [#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_](#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateIpAccessSettings.html](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateIpAccessSettings.html)  |  arn:\$1\$1Partition\$1:workspaces-web:\$1\$1Region\$1:\$1\$1Account\$1:ipAccessSettings/\$1\$1IpAccessSettingsId\$1  |   [#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_](#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateDataProtectionSettings.html](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateDataProtectionSettings.html)  |  arn:\$1\$1Partition\$1:workspaces-web:\$1\$1Region\$1:\$1\$1Account\$1:dataProtectionSettings/\$1\$1DataProtectionSettingsId\$1  |   [#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_](#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateSessionLogger.html](https://docs.aws.amazon.com/workspaces-web/latest/APIReference/API_CreateSessionLogger.html)  |  arn:\$1\$1Partition\$1:workspaces-web:\$1\$1Region\$1:\$1\$1Account\$1:sessionLogger/\$1\$1SessionLoggerId\$1  |   [#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_](#amazonworkspacessecurebrowser-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon WorkSpaces Secure Browser
<a name="amazonworkspacessecurebrowser-policy-keys"></a>

Amazon WorkSpaces Secure Browser defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for Amazon WorkSpaces Thin Client
<a name="list_amazonworkspacesthinclient"></a>

Amazon WorkSpaces Thin Client (service prefix: `thinclient`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/workspaces-thin-client/latest/ug/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/workspaces-thin-client/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/workspaces-thin-client/latest/ag/security-iam.html) permission policies.

**Topics**
+ [

## Actions defined by Amazon WorkSpaces Thin Client
](#amazonworkspacesthinclient-actions-as-permissions)
+ [

## Resource types defined by Amazon WorkSpaces Thin Client
](#amazonworkspacesthinclient-resources-for-iam-policies)
+ [

## Condition keys for Amazon WorkSpaces Thin Client
](#amazonworkspacesthinclient-policy-keys)

## Actions defined by Amazon WorkSpaces Thin Client
<a name="amazonworkspacesthinclient-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonworkspacesthinclient-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspacesthinclient.html)

## Resource types defined by Amazon WorkSpaces Thin Client
<a name="amazonworkspacesthinclient-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonworkspacesthinclient-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/workspaces-thin-client/latest/api/API_Environment.html](https://docs.aws.amazon.com/workspaces-thin-client/latest/api/API_Environment.html)  |  arn:\$1\$1Partition\$1:thinclient:\$1\$1Region\$1:\$1\$1Account\$1:environment/\$1\$1EnvironmentId\$1  |   [#amazonworkspacesthinclient-aws_ResourceTag___TagKey_](#amazonworkspacesthinclient-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-thin-client/latest/api/API_Device.html](https://docs.aws.amazon.com/workspaces-thin-client/latest/api/API_Device.html)  |  arn:\$1\$1Partition\$1:thinclient:\$1\$1Region\$1:\$1\$1Account\$1:device/\$1\$1DeviceId\$1  |   [#amazonworkspacesthinclient-aws_ResourceTag___TagKey_](#amazonworkspacesthinclient-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/workspaces-thin-client/latest/api/API_SoftwareSet.html](https://docs.aws.amazon.com/workspaces-thin-client/latest/api/API_SoftwareSet.html)  |  arn:\$1\$1Partition\$1:thinclient:\$1\$1Region\$1:\$1\$1Account\$1:softwareset/\$1\$1SoftwareSetId\$1  |   [#amazonworkspacesthinclient-aws_ResourceTag___TagKey_](#amazonworkspacesthinclient-aws_ResourceTag___TagKey_)   | 

## Condition keys for Amazon WorkSpaces Thin Client
<a name="amazonworkspacesthinclient-policy-keys"></a>

Amazon WorkSpaces Thin Client defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 

# Actions, resources, and condition keys for AWS X-Ray
<a name="list_awsx-ray"></a>

AWS X-Ray (service prefix: `xray`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/xray/latest/devguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/xray/latest/api/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/xray/latest/devguide/security_iam_service-with-iam.html) permission policies.

**Topics**
+ [

## Actions defined by AWS X-Ray
](#awsx-ray-actions-as-permissions)
+ [

## Resource types defined by AWS X-Ray
](#awsx-ray-resources-for-iam-policies)
+ [

## Condition keys for AWS X-Ray
](#awsx-ray-policy-keys)

## Actions defined by AWS X-Ray
<a name="awsx-ray-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\$1") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\$1). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#awsx-ray-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\$1required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).


****  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html)

## Resource types defined by AWS X-Ray
<a name="awsx-ray-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#awsx-ray-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).


****  

| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/xray/latest/devguide/xray-concepts.html#xray-concepts-groups](https://docs.aws.amazon.com/xray/latest/devguide/xray-concepts.html#xray-concepts-groups)  |  arn:\$1\$1Partition\$1:xray:\$1\$1Region\$1:\$1\$1Account\$1:group/\$1\$1GroupName\$1/\$1\$1Id\$1  |   [#awsx-ray-aws_ResourceTag___TagKey_](#awsx-ray-aws_ResourceTag___TagKey_)   | 
|   [https://docs.aws.amazon.com/xray/latest/devguide/xray-concepts.html#xray-concepts-sampling](https://docs.aws.amazon.com/xray/latest/devguide/xray-concepts.html#xray-concepts-sampling)  |  arn:\$1\$1Partition\$1:xray:\$1\$1Region\$1:\$1\$1Account\$1:sampling-rule/\$1\$1SamplingRuleName\$1  |   [#awsx-ray-aws_ResourceTag___TagKey_](#awsx-ray-aws_ResourceTag___TagKey_)   | 

## Condition keys for AWS X-Ray
<a name="awsx-ray-policy-keys"></a>

AWS X-Ray defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).


****  

| Condition keys | Description | Type | 
| --- | --- | --- | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)  | Filters access by the tags that are passed in the request | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)  | Filters access by the tags associated with the resource | String | 
|   [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)  | Filters access by the tag keys that are passed in the request | ArrayOfString | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html#awsx-ray-actions-as-permissions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html#awsx-ray-actions-as-permissions)  | Filters access by LogGeneratingResourceArn in the request | ArrayOfARN | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html#awsx-ray-actions-as-permissions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html#awsx-ray-actions-as-permissions)  | Filters access by PolicyName in the request | String | 
|   [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html#awsx-ray-actions-as-permissions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html#awsx-ray-actions-as-permissions)  | Filters access by TraceSegmentDestination type in the request | String |