Identity and access management in Service Quotas
AWS uses security credentials to identify you and to grant you access to your AWS resources. You can use features of AWS Identity and Access Management (IAM) to allow other users, services, and applications to use your AWS resources fully or in a limited way. You can do this without sharing your security credentials.
By default, principals, such as IAM roles or users, don't have permission to create, view, or modify AWS resources. To allow a principal to access resources such as a load balancer, and to perform tasks, perform the following steps:
-
Create an IAM policy that grants the principal permission to use the specific resources and API actions they need.
-
Attach the policy to the IAM principal or the group that the principal belongs to.
When you attach a policy to a user or group of users, it allows or denies the users permission to perform the specified tasks on the specified resources.
For example, you can use IAM to create roles or users as the principals in your AWS account. A principal can represent a person, a system, or an application. Then you grant permissions to the principals to perform specific actions on the specified resources using an IAM policy.
Grant permissions using IAM policies
When you attach a policy to a principal or a group of principals, it allows or denies those principals permission to perform the specified tasks on the specified resources.
An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as shown in the following example.
{ "Version": "2012-10-17", "Statement":[{ "Effect": "
effect
", "Action": "action
", "Resource": "resource-arn
", "Condition": { "condition
": { "key
":"value
" } } }] }
-
Effect
– The value foreffect
can be eitherAllow
orDeny
. By default, IAM principals don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows. -
Action
– The value foraction
is the specific API action for which you are granting or denying permission. For more information about specifyingAction
, see API actions for Service Quotas. -
Resource
– The resource that's affected by the action. With some Service Quotas API actions, you can restrict the permissions granted or denied to a specific quota. To do so, specify its Amazon Resource Name (ARN) in this statement. Otherwise, you can use the wildcard character (*
) to specify all Service Quotas resources. For more information, see Service Quotas resources. -
Condition
– You can optionally use conditions to control when your policy is in effect. For more information, see Condition keys for Service Quotas.
For more information, see the IAM User Guide.
API actions for Service Quotas
In the Action
element of your IAM policy statement, you can specify any
API action that Service Quotas offers. You must prefix the action name with the lowercase string
servicequotas:
, as shown in the following example.
"Action": "servicequotas:GetServiceQuota"
To specify multiple actions in a single statement, enclose them in square brackets and separate them with a comma, as shown in the following example.
"Action": [
"servicequotas:ListRequestedServiceQuotaChangeHistory",
"servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
]
You can also specify multiple actions using the wildcard character (*
).
The following example specifies all API action names for Service Quotas that start with
Get
.
"Action": "servicequotas:Get*"
To specify all API actions for Service Quotas, use the wildcard character (*
), as
shown in the following example.
"Action": "servicequotas:*"
For the list of API actions for Service Quotas, see Service Quotas Actions.
Service Quotas resources
Resource-level permissions refers to the ability to specify which resources users are allowed to perform actions on. For API actions that support resource-level permissions, you can control the resources that users are allowed to use with the action. To specify a resource in a policy statement, you must use its Amazon Resource Name (ARN).
The ARN for a quota has the format shown in the following example.
arn:aws:servicequotas:region-code
:account-id
:service-code
/quota-code
For API actions that don't support resource-level permissions, you must specify the resource statement shown in the following example.
"Resource": "*"
Resource-level permissions for Service Quotas
The following Service Quotas actions support resource-level permissions:
For more information, see Actions defined by Service Quotas in the Service Authorization Reference.
Condition keys for Service Quotas
When you create a policy, you can specify the conditions that control when the policy is in effect. Each condition contains one or more key-value pairs. There are global condition keys and service-specific condition keys.
The servicequotas:service
key is specific to Service Quotas. The following Service Quotas API
actions support this key:
For more information about global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.
Predefined AWS managed policies for Service Quotas
The managed policies created by AWS grant the required permissions for common use cases. You can attach these policies to your IAM principals, based on the access to Service Quotas that they require:
-
ServiceQuotasFullAccess
– Grants full access required to use Service Quotas features. -
ServiceQuotasReadOnlyAccess
– Grants read-only access to Service Quotas features.