Service Authorization Reference

Copyright © 2020 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents
Reference .......................................................................................................................................... 1
Actions, resources, and condition keys .......................................................................................... 1
Actions table ..................................................................................................................... 1
Resource types table .......................................................................................................... 2
Condition keys table ........................................................................................................... 2
AWS Accounts .................................................................................................................... 9
AWS Activate ................................................................................................................... 10
Alexa for Business ............................................................................................................ 11
AWS Amplify ................................................................................................................... 19
AWS Amplify Admin ......................................................................................................... 23
Amazon API Gateway ........................................................................................................ 28
AWS App Mesh ................................................................................................................ 29
AWS App Mesh Preview .................................................................................................... 35
AWS AppConfig ................................................................................................................ 40
Amazon AppFlow ............................................................................................................. 47
Application Auto Scaling ................................................................................................... 51
Application Discovery ........................................................................................................ 52
Application Discovery Arsenal ............................................................................................ 56
Amazon AppStream 2.0 .................................................................................................... 57
AWS AppSync .................................................................................................................. 66
AWS Artifact .................................................................................................................... 70
Amazon Athena ............................................................................................................... 72
AWS Audit Manager .......................................................................................................... 76
AWS Auto Scaling ............................................................................................................ 82
AWS Backup .................................................................................................................... 83
AWS Backup storage ......................................................................................................... 89
AWS Batch ...................................................................................................................... 90
AWS Billing ...................................................................................................................... 95
Amazon Braket ................................................................................................................ 96
AWS Budget Service ......................................................................................................... 98
AWS Certificate Manager ................................................................................................. 101
AWS Certificate Manager Private Certificate Authority ......................................................... 103
AWS Chatbot ................................................................................................................. 107
Amazon Chime ............................................................................................................... 109
Amazon Cloud Directory .................................................................................................. 132
AWS Cloud Map ............................................................................................................. 139
AWS Cloud9 ................................................................................................................... 142
AWS CloudFormation ...................................................................................................... 146
Amazon CloudFront ........................................................................................................ 156
AWS CloudHSM .............................................................................................................. 162
Amazon CloudSearch ...................................................................................................... 166
AWS CloudShell .............................................................................................................. 169
AWS CloudTrail .............................................................................................................. 171
Amazon CloudWatch ....................................................................................................... 174
CloudWatch Application Insights ...................................................................................... 178
Amazon CloudWatch Logs ............................................................................................... 180
Amazon CloudWatch Synthetics ....................................................................................... 185
AWS CodeArtifact ........................................................................................................... 187
AWS CodeBuild .............................................................................................................. 192
AWS CodeCommit .......................................................................................................... 198
AWS CodeDeploy ............................................................................................................ 208
Amazon CodeGuru .......................................................................................................... 214
Amazon CodeGuru Profiler .............................................................................................. 215
Amazon CodeGuru Reviewer ............................................................................................ 219

AWS CodePipeline .......................................................................................................... 221
AWS CodeStar ................................................................................................................ 226
AWS CodeStar Connections .............................................................................................. 230
AWS CodeStar Notifications ............................................................................................. 235
Amazon Cognito Identity ................................................................................................. 239
Amazon Cognito Sync ..................................................................................................... 243
Amazon Cognito User Pools ............................................................................................. 245
Amazon Comprehend ...................................................................................................... 254
Comprehend Medical ...................................................................................................... 263
Compute Optimizer ........................................................................................................ 265
AWS Config ................................................................................................................... 266
Amazon Connect ............................................................................................................ 275
Amazon Connect Customer Profiles .................................................................................. 290
AWS Connector Service ................................................................................................... 294
AWS Cost and Usage Report ............................................................................................ 295
AWS Cost Explorer Service ............................................................................................... 296
AWS Data Exchange ........................................................................................................ 300
Amazon Data Lifecycle Manager ....................................................................................... 304
Data Pipeline ................................................................................................................. 306
AWS Database Migration Service ...................................................................................... 309
Database Query Metadata Service .................................................................................... 318
DataSync ....................................................................................................................... 320
AWS DeepComposer ....................................................................................................... 324
AWS DeepLens ............................................................................................................... 328
AWS DeepRacer .............................................................................................................. 331
Amazon Detective ........................................................................................................... 335
AWS Device Farm ........................................................................................................... 337
Amazon DevOps Guru ..................................................................................................... 347
AWS Direct Connect ........................................................................................................ 350
AWS Directory Service ..................................................................................................... 358
Amazon DynamoDB ........................................................................................................ 365
Amazon DynamoDB Accelerator (DAX) ............................................................................... 375
Amazon EC2 .................................................................................................................. 379
Amazon EC2 Auto Scaling ............................................................................................... 662
Amazon EC2 Image Builder .............................................................................................. 673
Amazon EC2 Instance Connect ......................................................................................... 680
AWS Elastic Beanstalk ..................................................................................................... 682
Amazon Elastic Block Store .............................................................................................. 691
Amazon Elastic Container Registry .................................................................................... 693
Amazon Elastic Container Registry Public .......................................................................... 697
Amazon Elastic Container Service ..................................................................................... 700
Amazon Elastic Container Service for Kubernetes ............................................................... 710
Amazon Elastic File System .............................................................................................. 715
Amazon Elastic Inference ................................................................................................. 720
Elastic Load Balancing ..................................................................................................... 721
Elastic Load Balancing V2 ................................................................................................ 725
Amazon Elastic MapReduce .............................................................................................. 733
Amazon Elastic Transcoder .............................................................................................. 738
Amazon ElastiCache ........................................................................................................ 741
Amazon Elasticsearch Service ........................................................................................... 751
Elemental Activations ...................................................................................................... 755
AWS Elemental Appliances and Software ........................................................................... 757
AWS Elemental MediaConnect .......................................................................................... 760
AWS Elemental MediaConvert .......................................................................................... 762
AWS Elemental MediaLive ............................................................................................... 766
AWS Elemental MediaPackage .......................................................................................... 773
AWS Elemental MediaPackage VOD .................................................................................. 777

AWS Elemental MediaStore .............................................................................................. 780
AWS Elemental MediaTailor ............................................................................................. 783
Elemental Support Cases ................................................................................................. 785
Elemental Support Content ............................................................................................. 786
Amazon EMR on EKS (EMR Containers) ............................................................................. 787
Amazon EventBridge ....................................................................................................... 790
Amazon EventBridge Schemas ......................................................................................... 797
AWS Firewall Manager .................................................................................................... 801
Fleet Hub for AWS IoT Device Management ....................................................................... 806
Amazon Forecast ............................................................................................................ 809
Amazon Fraud Detector ................................................................................................... 814
Amazon FreeRTOS .......................................................................................................... 827
Amazon FSx ................................................................................................................... 829
Amazon GameLift ........................................................................................................... 833
Amazon Glacier .............................................................................................................. 842
AWS Global Accelerator ................................................................................................... 846
AWS Glue ...................................................................................................................... 851
AWS Glue DataBrew ........................................................................................................ 867
AWS Ground Station ....................................................................................................... 872
Amazon GroundTruth Labeling ......................................................................................... 876
Amazon GuardDuty ......................................................................................................... 877
AWS Health APIs and Notifications ................................................................................... 885
Amazon Honeycode ........................................................................................................ 887
IAM Access Analyzer ........................................................................................................ 890
Identity And Access Management ..................................................................................... 893
AWS Identity Store ......................................................................................................... 908
AWS Import Export Disk Service ....................................................................................... 909
Amazon Inspector ........................................................................................................... 910
Amazon Interactive Video Service ..................................................................................... 914
AWS IoT ........................................................................................................................ 919
AWS IoT 1-Click ............................................................................................................. 942
AWS IoT Analytics .......................................................................................................... 945
AWS IoT Core Device Advisor ........................................................................................... 950
AWS IoT Core for LoRaWAN ............................................................................................. 953
AWS IoT Device Tester .................................................................................................... 959
AWS IoT Events .............................................................................................................. 960
AWS IoT Greengrass ........................................................................................................ 965
AWS IoT SiteWise ........................................................................................................... 977
AWS IoT Things Graph .................................................................................................... 985
AWS IQ ......................................................................................................................... 991
AWS IQ Permissions ........................................................................................................ 992
Amazon Kendra .............................................................................................................. 993
AWS Key Management Service ......................................................................................... 998
Amazon Keyspaces (for Apache Cassandra) ...................................................................... 1010
Amazon Kinesis ............................................................................................................ 1013
Amazon Kinesis Analytics ............................................................................................... 1017
Amazon Kinesis Analytics V2 .......................................................................................... 1019
Amazon Kinesis Firehose ................................................................................................ 1022
Amazon Kinesis Video Streams ....................................................................................... 1025
AWS Lake Formation ..................................................................................................... 1029
AWS Lambda ................................................................................................................ 1031
Launch Wizard .............................................................................................................. 1039
Amazon Lex ................................................................................................................. 1040
AWS License Manager ................................................................................................... 1046
Amazon Lightsail .......................................................................................................... 1051
Amazon Location .......................................................................................................... 1063
Amazon Lookout for Vision ............................................................................................ 1067

Amazon Machine Learning ............................................................................................. 1069
Amazon Macie .............................................................................................................. 1073
Amazon Macie Classic .................................................................................................... 1080
Manage Amazon API Gateway ........................................................................................ 1082
Amazon Managed Blockchain ......................................................................................... 1084
Amazon Managed Service for Prometheus ....................................................................... 1087
Amazon Managed Streaming for Apache Kafka ................................................................. 1089
Amazon Managed Workflows for Apache Airflow .............................................................. 1093
AWS Marketplace .......................................................................................................... 1096
AWS Marketplace Catalog .............................................................................................. 1099
AWS Marketplace Commerce Analytics Service .................................................................. 1101
AWS Marketplace Entitlement Service ............................................................................. 1102
AWS Marketplace Image Building Service ......................................................................... 1103
AWS Marketplace Management Portal ............................................................................. 1104
AWS Marketplace Metering Service ................................................................................. 1106
AWS Marketplace Procurement Systems Integration .......................................................... 1107
Amazon Mechanical Turk ............................................................................................... 1108
Amazon Message Delivery Service ................................................................................... 1113
AWS Migration Hub ...................................................................................................... 1114
Amazon Mobile Analytics ............................................................................................... 1117
AWS Mobile Hub .......................................................................................................... 1118
Amazon Monitron ......................................................................................................... 1120
Amazon MQ ................................................................................................................. 1123
Amazon Neptune .......................................................................................................... 1127
AWS Network Firewall ................................................................................................... 1128
Network Manager ......................................................................................................... 1133
AWS OpsWorks ............................................................................................................. 1141
AWS OpsWorks Configuration Management ..................................................................... 1146
AWS Organizations ....................................................................................................... 1148
AWS Outposts .............................................................................................................. 1157
AWS Panorama ............................................................................................................. 1158
AWS Performance Insights ............................................................................................. 1164
Amazon Personalize ...................................................................................................... 1165
Amazon Pinpoint .......................................................................................................... 1169
Amazon Pinpoint Email Service ...................................................................................... 1181
Amazon Pinpoint SMS and Voice Service ......................................................................... 1188
Amazon Polly ............................................................................................................... 1190
AWS Price List .............................................................................................................. 1191
AWS Private Marketplace ............................................................................................... 1193
AWS Proton ................................................................................................................. 1197
AWS Purchase Orders Console ........................................................................................ 1202
Amazon QLDB .............................................................................................................. 1203
Amazon QuickSight ....................................................................................................... 1206
Amazon RDS ................................................................................................................ 1220
Amazon RDS Data API ................................................................................................... 1242
Amazon RDS IAM Authentication .................................................................................... 1244
Amazon Redshift .......................................................................................................... 1245
Amazon Redshift Data API ............................................................................................. 1260
Amazon Rekognition ..................................................................................................... 1261
AWS Resource Access Manager ....................................................................................... 1266
Amazon Resource Group Tagging API .............................................................................. 1273
AWS Resource Groups ................................................................................................... 1275
AWS RoboMaker ........................................................................................................... 1278
Amazon Route 53 ......................................................................................................... 1286
Amazon Route 53 Resolver ............................................................................................ 1293
Amazon Route53 Domains ............................................................................................. 1298
Amazon S3 .................................................................................................................. 1301

Amazon S3 on Outposts ................................................................................................ 1359
Amazon SageMaker ....................................................................................................... 1382
AWS Savings Plans ........................................................................................................ 1432
AWS Secrets Manager ................................................................................................... 1435
AWS Security Hub ......................................................................................................... 1443
AWS Security Token Service ........................................................................................... 1448
AWS Server Migration Service ........................................................................................ 1457
AWS Serverless Application Repository ............................................................................ 1460
AWS Service Catalog ..................................................................................................... 1463
Service Quotas ............................................................................................................. 1473
Amazon SES ................................................................................................................. 1476
Amazon Session Manager Message Gateway Service .......................................................... 1484
AWS Shield .................................................................................................................. 1486
AWS Signer .................................................................................................................. 1488
Amazon Simple Workflow Service ................................................................................... 1491
Amazon SimpleDB ........................................................................................................ 1499
AWS Snowball .............................................................................................................. 1501
Amazon SNS ................................................................................................................ 1503
Amazon SQS ................................................................................................................ 1508
AWS SSO ..................................................................................................................... 1510
AWS SSO Directory ....................................................................................................... 1518
AWS Step Functions ...................................................................................................... 1523
Amazon Storage Gateway .............................................................................................. 1526
Amazon Sumerian ......................................................................................................... 1536
AWS Support ............................................................................................................... 1538
AWS Systems Manager .................................................................................................. 1540
AWS Tag Editor ............................................................................................................ 1557
Amazon Textract ........................................................................................................... 1558
AWS Timestream .......................................................................................................... 1559
Amazon Transcribe ........................................................................................................ 1562
AWS Transfer for SFTP .................................................................................................. 1567
Amazon Translate ......................................................................................................... 1570
AWS Trusted Advisor ..................................................................................................... 1572
AWS WAF .................................................................................................................... 1575
AWS WAF Regional ....................................................................................................... 1583
AWS WAF V2 ................................................................................................................ 1592
AWS Well-Architected Tool ............................................................................................ 1600
Amazon WorkDocs ........................................................................................................ 1603
Amazon WorkLink ......................................................................................................... 1608
Amazon WorkMail ......................................................................................................... 1612
Amazon WorkMail Message Flow .................................................................................... 1622
Amazon WorkSpaces ..................................................................................................... 1623
Amazon WorkSpaces Application Manager ....................................................................... 1627
AWS X-Ray ................................................................................................................... 1628
Related resources .................................................................................................................. 1632

Reference
The Service Authorization Reference provides a list of the actions, resources, and condition keys that are
supported by each AWS service. You can specify actions, resources, and condition keys in AWS Identity
and Access Management (IAM) policies to manage access to AWS resources.

Contents
• Actions, resources, and condition keys for AWS services (p. 1)
• Related resources (p. 1632)

Actions, resources, and condition keys for AWS services
Each AWS service can define actions, resources, and condition context keys for use in IAM policies. This
topic describes how the elements provided for each service are documented.

Each topic consists of tables that provide the list of available actions, resources, and condition keys.

The actions table
The Actions table lists all the actions that you can use in an IAM policy statement's Action element.
Not all API operations that are defined by a service can be used as an action in an IAM policy. In addition,
a service might define some actions that don't directly correspond to an API operation. Use this list
to determine which actions you can use in an IAM policy. For more information about the Action,
Resource, or Condition elements, see IAM JSON policy elements reference. The Actions and
Description table columns are self-descriptive.

• The Access level column describes how the action is classified (List, Read, Write, Permissions
management, or Tagging). This classification can help you understand the level of access that an action
grants when you use it in a policy. For more information about access levels, see Understanding access
level summaries within policy summaries.
• The Resource types column indicates whether the action supports resource-level permissions. If the
column is empty, then the action does not support resource-level permissions and you must specify all
resources ("*") in your policy. If the column includes a resource type, then you can specify the resource
ARN in the Resource element of your policy. For more information about that resource, refer to that
row in the Resource types table. All actions and resources that are included in one statement must be
compatible with each other. If you specify a resource that is not valid for the action, the statement never
matches a request for that action, so its Effect does not apply; the request is then decided by the remaining
statements and, if nothing else allows it, by the implicit deny.

Required resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type. Some actions support
multiple resource types. If the resource type is optional (not indicated as required), then you can
choose to use one but not the other.
• The Condition keys column includes keys that you can specify in a policy statement's Condition
element. Condition keys might be supported with an action, or with an action and a specific resource.
Pay close attention to whether the key is in the same row as a specific resource type. This table does
not include global condition keys that are available for any action or under unrelated circumstances.
For more information about global condition keys, see AWS global condition context keys.
• The Dependent actions column includes any additional permissions that you must have, in addition
to the permission for the action itself, to successfully call the action. This can be required if the action
accesses more than one resource.

The resource types table
The Resource types table lists all the resource types that you can specify as an ARN in the Resource
policy element. Not every resource type can be specified with every action. Some resource types work
with only certain actions. If you specify a resource type in a statement with an action that does not
support that resource type, then the statement doesn't allow access. For more information about the
Resource element, see IAM JSON policy elements: Resource.

• The ARN column specifies the Amazon Resource Name (ARN) format that you must use to reference
resources of this type. The portions that are preceded by a $ must be replaced by the actual values for
your scenario. For example, if you see $user-name in an ARN, you must replace that string with either
the actual IAM user's name or a policy variable that contains an IAM user's name. For more information
about ARNs, see IAM ARNs.
• The Condition keys column specifies condition context keys that you can include in an IAM policy
statement only when both this resource and a supporting action from the table above are included in
the statement.
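As an added example (not from the reference itself), this is how the placeholder in an IAM user ARN is filled with a policy variable rather than a literal name, so one policy lets every user manage only their own password. The action names and the ARN format are AWS's; the statement ID is illustrative.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnPasswordOnly",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:ChangePassword"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}
```

${aws:username} is populated only for IAM users. For a role session the variable is absent, the ARN cannot match, and the statement silently does not apply, which is the behavior described above for a resource that does not fit the action. Replace the `*` in the account field with your account ID if you want the scope to be explicit.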

The condition keys table
The condition keys table lists all of the condition context keys that you can use in an IAM policy
statement's Condition element. Not every key can be specified with every action or resource. Certain
keys only work with certain types of actions and resources. For more information about the Condition
element, see IAM JSON policy elements: Condition.

• The Type column specifies the data type of the condition key. This data type determines which
condition operators you can use to compare values in the request with the values in the policy
statement. You must use an operator that is appropriate for the data type. If you use an incorrect
operator, then the match always fails and the policy statement never applies.

If the Type column specifies "List of …" followed by one of the simple types, the key is multivalued:
the request can carry several values for it, and you can list several values in the policy. Compare them by
placing a condition set prefix in front of the operator. Use the ForAllValues prefix to specify that every
value in the request must match one of the values in the policy statement. Use the ForAnyValue prefix to
specify that at least one value in the request must match one of the values in the policy statement.
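Added example (not from the reference): the two set prefixes applied to a list-typed key. aws:TagKeys is a global key of type list of String, and ec2:CreateTags and ec2:DeleteTags both support it. The first statement allows tagging an instance only when every tag key in the request is on an approved list; the second denies removing a tag when any of the keys being deleted is one of those protected keys. The approved key names and the statement IDs are illustrative.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TagInstancesWithApprovedKeysOnly",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Owner", "CostCenter"]
        },
        "Null": {
          "aws:TagKeys": "false"
        }
      }
    },
    {
      "Sid": "NeverStripOwnershipTags",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["Owner", "CostCenter"]
        }
      }
    }
  ]
}
```

The Null block is the caveat worth remembering: ForAllValues is also satisfied by a request that carries no aws:TagKeys at all, because an empty set trivially matches, so an Allow that relies on ForAllValues alone is broader than it looks. Requiring the key to be present closes that gap; all blocks inside one Condition element are ANDed.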

Topics
• Actions, resources, and condition keys for AWS Accounts (p. 9)
• Actions, resources, and condition keys for AWS Activate (p. 10)
• Actions, resources, and condition keys for Alexa for Business (p. 11)
• Actions, resources, and condition keys for AWS Amplify (p. 19)
• Actions, resources, and condition keys for AWS Amplify Admin (p. 23)
• Actions, resources, and condition keys for Amazon API Gateway (p. 28)
• Actions, resources, and condition keys for AWS App Mesh (p. 29)
• Actions, resources, and condition keys for AWS App Mesh Preview (p. 35)
• Actions, resources, and condition keys for AWS AppConfig (p. 40)
• Actions, resources, and condition keys for Amazon AppFlow (p. 47)
• Actions, resources, and condition keys for Application Auto Scaling (p. 51)
• Actions, resources, and condition keys for Application Discovery (p. 52)
• Actions, resources, and condition keys for Application Discovery Arsenal (p. 56)
• Actions, resources, and condition keys for Amazon AppStream 2.0 (p. 57)
• Actions, resources, and condition keys for AWS AppSync (p. 66)
• Actions, resources, and condition keys for AWS Artifact (p. 70)
• Actions, resources, and condition keys for Amazon Athena (p. 72)
• Actions, resources, and condition keys for AWS Audit Manager (p. 76)
• Actions, resources, and condition keys for AWS Auto Scaling (p. 82)
• Actions, resources, and condition keys for AWS Backup (p. 83)
• Actions, resources, and condition keys for AWS Backup storage (p. 89)
• Actions, resources, and condition keys for AWS Batch (p. 90)
• Actions, resources, and condition keys for AWS Billing (p. 95)
• Actions, resources, and condition keys for Amazon Braket (p. 96)
• Actions, resources, and condition keys for AWS Budget Service (p. 98)
• Actions, resources, and condition keys for AWS Certificate Manager (p. 101)
• Actions, resources, and condition keys for AWS Certificate Manager Private Certificate Authority (p. 103)
• Actions, resources, and condition keys for AWS Chatbot (p. 107)
• Actions, resources, and condition keys for Amazon Chime (p. 109)
• Actions, resources, and condition keys for Amazon Cloud Directory (p. 132)
• Actions, resources, and condition keys for AWS Cloud Map (p. 139)
• Actions, resources, and condition keys for AWS Cloud9 (p. 142)
• Actions, resources, and condition keys for AWS CloudFormation (p. 146)
• Actions, resources, and condition keys for Amazon CloudFront (p. 156)
• Actions, resources, and condition keys for AWS CloudHSM (p. 162)
• Actions, resources, and condition keys for Amazon CloudSearch (p. 166)
• Actions, resources, and condition keys for AWS CloudShell (p. 169)
• Actions, resources, and condition keys for AWS CloudTrail (p. 171)
• Actions, resources, and condition keys for Amazon CloudWatch (p. 174)
• Actions, resources, and condition keys for CloudWatch Application Insights (p. 178)
• Actions, resources, and condition keys for Amazon CloudWatch Logs (p. 180)
• Actions, resources, and condition keys for Amazon CloudWatch Synthetics (p. 185)
• Actions, resources, and condition keys for AWS CodeArtifact (p. 187)
• Actions, resources, and condition keys for AWS CodeBuild (p. 192)
• Actions, resources, and condition keys for AWS CodeCommit (p. 198)
• Actions, resources, and condition keys for AWS CodeDeploy (p. 208)
• Actions, resources, and condition keys for Amazon CodeGuru (p. 214)
• Actions, resources, and condition keys for Amazon CodeGuru Profiler (p. 215)
• Actions, resources, and condition keys for Amazon CodeGuru Reviewer (p. 219)
• Actions, resources, and condition keys for AWS CodePipeline (p. 221)
• Actions, resources, and condition keys for AWS CodeStar (p. 226)
• Actions, resources, and condition keys for AWS CodeStar Connections (p. 230)
• Actions, resources, and condition keys for AWS CodeStar Notifications (p. 235)
• Actions, resources, and condition keys for Amazon Cognito Identity (p. 239)
• Actions, resources, and condition keys for Amazon Cognito Sync (p. 243)
• Actions, resources, and condition keys for Amazon Cognito User Pools (p. 245)
• Actions, resources, and condition keys for Amazon Comprehend (p. 254)
• Actions, resources, and condition keys for Comprehend Medical (p. 263)
• Actions, resources, and condition keys for Compute Optimizer (p. 265)
• Actions, resources, and condition keys for AWS Config (p. 266)
• Actions, resources, and condition keys for Amazon Connect (p. 275)
• Actions, resources, and condition keys for Amazon Connect Customer Profiles (p. 290)
• Actions, resources, and condition keys for AWS Connector Service (p. 294)
• Actions, resources, and condition keys for AWS Cost and Usage Report (p. 295)
• Actions, resources, and condition keys for AWS Cost Explorer Service (p. 296)
• Actions, resources, and condition keys for AWS Data Exchange (p. 300)
• Actions, resources, and condition keys for Amazon Data Lifecycle Manager (p. 304)
• Actions, resources, and condition keys for Data Pipeline (p. 306)
• Actions, resources, and condition keys for AWS Database Migration Service (p. 309)
• Actions, resources, and condition keys for Database Query Metadata Service (p. 318)
• Actions, resources, and condition keys for DataSync (p. 320)
• Actions, resources, and condition keys for AWS DeepComposer (p. 324)
• Actions, resources, and condition keys for AWS DeepLens (p. 328)
• Actions, resources, and condition keys for AWS DeepRacer (p. 331)
• Actions, resources, and condition keys for Amazon Detective (p. 335)
• Actions, resources, and condition keys for AWS Device Farm (p. 337)
• Actions, resources, and condition keys for Amazon DevOps Guru (p. 347)
• Actions, resources, and condition keys for AWS Direct Connect (p. 350)
• Actions, resources, and condition keys for AWS Directory Service (p. 358)
• Actions, resources, and condition keys for Amazon DynamoDB (p. 365)
• Actions, resources, and condition keys for Amazon DynamoDB Accelerator (DAX) (p. 375)
• Actions, resources, and condition keys for Amazon EC2 (p. 379)
• Actions, resources, and condition keys for Amazon EC2 Auto Scaling (p. 662)
• Actions, resources, and condition keys for Amazon EC2 Image Builder (p. 673)
• Actions, resources, and condition keys for Amazon EC2 Instance Connect (p. 680)
• Actions, resources, and condition keys for AWS Elastic Beanstalk (p. 682)
• Actions, resources, and condition keys for Amazon Elastic Block Store (p. 691)
• Actions, resources, and condition keys for Amazon Elastic Container Registry (p. 693)
• Actions, resources, and condition keys for Amazon Elastic Container Registry Public (p. 697)
• Actions, resources, and condition keys for Amazon Elastic Container Service (p. 700)
• Actions, resources, and condition keys for Amazon Elastic Container Service for Kubernetes (p. 710)
• Actions, resources, and condition keys for Amazon Elastic File System (p. 715)
• Actions, resources, and condition keys for Amazon Elastic Inference (p. 720)
• Actions, resources, and condition keys for Elastic Load Balancing (p. 721)
• Actions, resources, and condition keys for Elastic Load Balancing V2 (p. 725)
• Actions, resources, and condition keys for Amazon Elastic MapReduce (p. 733)
• Actions, resources, and condition keys for Amazon Elastic Transcoder (p. 738)
• Actions, resources, and condition keys for Amazon ElastiCache (p. 741)
• Actions, resources, and condition keys for Amazon Elasticsearch Service (p. 751)
• Actions, resources, and condition keys for Elemental Activations (p. 755)
• Actions, resources, and condition keys for AWS Elemental Appliances and Software (p. 757)
• Actions, resources, and condition keys for AWS Elemental MediaConnect (p. 760)
• Actions, resources, and condition keys for AWS Elemental MediaConvert (p. 762)
• Actions, resources, and condition keys for AWS Elemental MediaLive (p. 766)
• Actions, resources, and condition keys for AWS Elemental MediaPackage (p. 773)
• Actions, resources, and condition keys for AWS Elemental MediaPackage VOD (p. 777)
• Actions, resources, and condition keys for AWS Elemental MediaStore (p. 780)
• Actions, resources, and condition keys for AWS Elemental MediaTailor (p. 783)
• Actions, resources, and condition keys for Elemental Support Cases (p. 785)
• Actions, resources, and condition keys for Elemental Support Content (p. 786)
• Actions, resources, and condition keys for Amazon EMR on EKS (EMR Containers) (p. 787)
• Actions, resources, and condition keys for Amazon EventBridge (p. 790)
• Actions, resources, and condition keys for Amazon EventBridge Schemas (p. 797)
• Actions, resources, and condition keys for AWS Firewall Manager (p. 801)
• Actions, resources, and condition keys for Fleet Hub for AWS IoT Device Management (p. 806)
• Actions, resources, and condition keys for Amazon Forecast (p. 809)
• Actions, resources, and condition keys for Amazon Fraud Detector (p. 814)
• Actions, resources, and condition keys for Amazon FreeRTOS (p. 827)
• Actions, resources, and condition keys for Amazon FSx (p. 829)
• Actions, resources, and condition keys for Amazon GameLift (p. 833)
• Actions, resources, and condition keys for Amazon Glacier (p. 842)
• Actions, resources, and condition keys for AWS Global Accelerator (p. 846)
• Actions, resources, and condition keys for AWS Glue (p. 851)
• Actions, resources, and condition keys for AWS Glue DataBrew (p. 867)
• Actions, resources, and condition keys for AWS Ground Station (p. 872)
• Actions, resources, and condition keys for Amazon GroundTruth Labeling (p. 876)
• Actions, resources, and condition keys for Amazon GuardDuty (p. 877)
• Actions, resources, and condition keys for AWS Health APIs and Notifications (p. 885)
• Actions, resources, and condition keys for Amazon Honeycode (p. 887)
• Actions, resources, and condition keys for IAM Access Analyzer (p. 890)
• Actions, resources, and condition keys for Identity And Access Management (p. 893)
• Actions, resources, and condition keys for AWS Identity Store (p. 908)
• Actions, resources, and condition keys for AWS Import Export Disk Service (p. 909)
• Actions, resources, and condition keys for Amazon Inspector (p. 910)
• Actions, resources, and condition keys for Amazon Interactive Video Service (p. 914)
• Actions, resources, and condition keys for AWS IoT (p. 919)
• Actions, resources, and condition keys for AWS IoT 1-Click (p. 942)
• Actions, resources, and condition keys for AWS IoT Analytics (p. 945)
• Actions, resources, and condition keys for AWS IoT Core Device Advisor (p. 950)
• Actions, resources, and condition keys for AWS IoT Core for LoRaWAN (p. 953)
• Actions, resources, and condition keys for AWS IoT Device Tester (p. 959)
• Actions, resources, and condition keys for AWS IoT Events (p. 960)
• Actions, resources, and condition keys for AWS IoT Greengrass (p. 965)
• Actions, resources, and condition keys for AWS IoT SiteWise (p. 977)
• Actions, resources, and condition keys for AWS IoT Things Graph (p. 985)
• Actions, resources, and condition keys for AWS IQ (p. 991)
• Actions, resources, and condition keys for AWS IQ Permissions (p. 992)
• Actions, resources, and condition keys for Amazon Kendra (p. 993)
• Actions, resources, and condition keys for AWS Key Management Service (p. 998)
• Actions, resources, and condition keys for Amazon Keyspaces (for Apache Cassandra) (p. 1010)
• Actions, resources, and condition keys for Amazon Kinesis (p. 1013)
• Actions, resources, and condition keys for Amazon Kinesis Analytics (p. 1017)
• Actions, resources, and condition keys for Amazon Kinesis Analytics V2 (p. 1019)
• Actions, resources, and condition keys for Amazon Kinesis Firehose (p. 1022)
• Actions, resources, and condition keys for Amazon Kinesis Video Streams (p. 1025)
• Actions, resources, and condition keys for AWS Lake Formation (p. 1029)
• Actions, resources, and condition keys for AWS Lambda (p. 1031)
• Actions, resources, and condition keys for Launch Wizard (p. 1039)
• Actions, resources, and condition keys for Amazon Lex (p. 1040)
• Actions, resources, and condition keys for AWS License Manager (p. 1046)
• Actions, resources, and condition keys for Amazon Lightsail (p. 1051)
• Actions, resources, and condition keys for Amazon Location (p. 1063)
• Actions, resources, and condition keys for Amazon Lookout for Vision (p. 1067)
• Actions, resources, and condition keys for Amazon Machine Learning (p. 1069)
• Actions, resources, and condition keys for Amazon Macie (p. 1073)
• Actions, resources, and condition keys for Amazon Macie Classic (p. 1080)
• Actions, resources, and condition keys for Manage Amazon API Gateway (p. 1082)
• Actions, resources, and condition keys for Amazon Managed Blockchain (p. 1084)
• Actions, resources, and condition keys for Amazon Managed Service for Prometheus (p. 1087)
• Actions, resources, and condition keys for Amazon Managed Streaming for Apache Kafka (p. 1089)
• Actions, resources, and condition keys for Amazon Managed Workflows for Apache Airflow (p. 1093)
• Actions, resources, and condition keys for AWS Marketplace (p. 1096)
• Actions, resources, and condition keys for AWS Marketplace Catalog (p. 1099)
• Actions, resources, and condition keys for AWS Marketplace Commerce Analytics Service (p. 1101)
• Actions, resources, and condition keys for AWS Marketplace Entitlement Service (p. 1102)
• Actions, resources, and condition keys for AWS Marketplace Image Building Service (p. 1103)
• Actions, resources, and condition keys for AWS Marketplace Management Portal (p. 1104)
• Actions, resources, and condition keys for AWS Marketplace Metering Service (p. 1106)
• Actions, resources, and condition keys for AWS Marketplace Procurement Systems Integration (p. 1107)
• Actions, resources, and condition keys for Amazon Mechanical Turk (p. 1108)
• Actions, resources, and condition keys for Amazon Message Delivery Service (p. 1113)
• Actions, resources, and condition keys for AWS Migration Hub (p. 1114)
• Actions, resources, and condition keys for Amazon Mobile Analytics (p. 1117)
• Actions, resources, and condition keys for AWS Mobile Hub (p. 1118)
• Actions, resources, and condition keys for Amazon Monitron (p. 1120)
• Actions, resources, and condition keys for Amazon MQ (p. 1123)
• Actions, resources, and condition keys for Amazon Neptune (p. 1127)
• Actions, resources, and condition keys for AWS Network Firewall (p. 1128)
• Actions, resources, and condition keys for Network Manager (p. 1133)
• Actions, resources, and condition keys for AWS OpsWorks (p. 1141)
• Actions, resources, and condition keys for AWS OpsWorks Configuration Management (p. 1146)
• Actions, resources, and condition keys for AWS Organizations (p. 1148)
• Actions, resources, and condition keys for AWS Outposts (p. 1157)
• Actions, resources, and condition keys for AWS Panorama (p. 1158)
• Actions, resources, and condition keys for AWS Performance Insights (p. 1164)
• Actions, resources, and condition keys for Amazon Personalize (p. 1165)
• Actions, resources, and condition keys for Amazon Pinpoint (p. 1169)
• Actions, resources, and condition keys for Amazon Pinpoint Email Service (p. 1181)
• Actions, resources, and condition keys for Amazon Pinpoint SMS and Voice Service (p. 1188)
• Actions, resources, and condition keys for Amazon Polly (p. 1190)
• Actions, resources, and condition keys for AWS Price List (p. 1191)
• Actions, resources, and condition keys for AWS Private Marketplace (p. 1193)
• Actions, resources, and condition keys for AWS Proton (p. 1197)
• Actions, resources, and condition keys for AWS Purchase Orders Console (p. 1202)
• Actions, resources, and condition keys for Amazon QLDB (p. 1203)
• Actions, resources, and condition keys for Amazon QuickSight (p. 1206)
• Actions, resources, and condition keys for Amazon RDS (p. 1220)
• Actions, resources, and condition keys for Amazon RDS Data API (p. 1242)
• Actions, resources, and condition keys for Amazon RDS IAM Authentication (p. 1244)
• Actions, resources, and condition keys for Amazon Redshift (p. 1245)
• Actions, resources, and condition keys for Amazon Redshift Data API (p. 1260)
• Actions, resources, and condition keys for Amazon Rekognition (p. 1261)
• Actions, resources, and condition keys for AWS Resource Access Manager (p. 1266)
• Actions, resources, and condition keys for Amazon Resource Group Tagging API (p. 1273)
• Actions, resources, and condition keys for AWS Resource Groups (p. 1275)
• Actions, resources, and condition keys for AWS RoboMaker (p. 1278)
• Actions, resources, and condition keys for Amazon Route 53 (p. 1286)
• Actions, resources, and condition keys for Amazon Route 53 Resolver (p. 1293)
• Actions, resources, and condition keys for Amazon Route53 Domains (p. 1298)
• Actions, resources, and condition keys for Amazon S3 (p. 1301)
• Actions, resources, and condition keys for Amazon S3 on Outposts (p. 1359)
• Actions, resources, and condition keys for Amazon SageMaker (p. 1382)
• Actions, resources, and condition keys for AWS Savings Plans (p. 1432)
• Actions, resources, and condition keys for AWS Secrets Manager (p. 1435)
• Actions, resources, and condition keys for AWS Security Hub (p. 1443)
• Actions, resources, and condition keys for AWS Security Token Service (p. 1448)
• Actions, resources, and condition keys for AWS Server Migration Service (p. 1457)
• Actions, resources, and condition keys for AWS Serverless Application Repository (p. 1460)
• Actions, resources, and condition keys for AWS Service Catalog (p. 1463)
• Actions, resources, and condition keys for Service Quotas (p. 1473)
• Actions, resources, and condition keys for Amazon SES (p. 1476)
• Actions, resources, and condition keys for Amazon Session Manager Message Gateway Service (p. 1484)
• Actions, resources, and condition keys for AWS Shield (p. 1486)
• Actions, resources, and condition keys for AWS Signer (p. 1488)
• Actions, resources, and condition keys for Amazon Simple Workflow Service (p. 1491)
• Actions, resources, and condition keys for Amazon SimpleDB (p. 1499)
• Actions, resources, and condition keys for AWS Snowball (p. 1501)
• Actions, resources, and condition keys for Amazon SNS (p. 1503)
• Actions, resources, and condition keys for Amazon SQS (p. 1508)
• Actions, resources, and condition keys for AWS SSO (p. 1510)
• Actions, resources, and condition keys for AWS SSO Directory (p. 1518)
• Actions, resources, and condition keys for AWS Step Functions (p. 1523)
• Actions, resources, and condition keys for Amazon Storage Gateway (p. 1526)
• Actions, resources, and condition keys for Amazon Sumerian (p. 1536)
• Actions, resources, and condition keys for AWS Support (p. 1538)
• Actions, resources, and condition keys for AWS Systems Manager (p. 1540)
• Actions, resources, and condition keys for AWS Tag Editor (p. 1557)
• Actions, resources, and condition keys for Amazon Textract (p. 1558)
• Actions, resources, and condition keys for AWS Timestream (p. 1559)
• Actions, resources, and condition keys for Amazon Transcribe (p. 1562)
• Actions, resources, and condition keys for AWS Transfer for SFTP (p. 1567)
• Actions, resources, and condition keys for Amazon Translate (p. 1570)
• Actions, resources, and condition keys for AWS Trusted Advisor (p. 1572)
• Actions, resources, and condition keys for AWS WAF (p. 1575)
• Actions, resources, and condition keys for AWS WAF Regional (p. 1583)
• Actions, resources, and condition keys for AWS WAF V2 (p. 1592)
• Actions, resources, and condition keys for AWS Well-Architected Tool (p. 1600)
• Actions, resources, and condition keys for Amazon WorkDocs (p. 1603)
• Actions, resources, and condition keys for Amazon WorkLink (p. 1608)
• Actions, resources, and condition keys for Amazon WorkMail (p. 1612)
• Actions, resources, and condition keys for Amazon WorkMail Message Flow (p. 1622)
• Actions, resources, and condition keys for Amazon WorkSpaces (p. 1623)
• Actions, resources, and condition keys for Amazon WorkSpaces Application Manager (p. 1627)
• Actions, resources, and condition keys for AWS X-Ray (p. 1628)

Actions, resources, and condition keys for AWS Accounts
AWS Accounts (service prefix: account) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Accounts (p. 9)
• Resource types defined by AWS Accounts (p. 10)
• Condition keys for AWS Accounts (p. 10)

Actions defined by AWS Accounts
You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions        | Description                            | Access level | Resource types (*required) | Condition keys               | Dependent actions
---------------|----------------------------------------|--------------|----------------------------|------------------------------|------------------
DisableRegion  | Grants permission to disable a region  | Write        |                            | account:TargetRegion (p. 10) |
EnableRegion   | Grants permission to enable a region   | Write        |                            | account:TargetRegion (p. 10) |
ListRegions    | Grants permission to list regions      | List         |                            |                              |

Resource types defined by AWS Accounts
AWS Accounts does not support specifying a resource ARN in the Resource element of an IAM policy
statement. To allow access to AWS Accounts, specify "Resource": "*" in your policy.

Condition keys for AWS Accounts


AWS Accounts defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
account:TargetRegion | Filters access by a list of regions | String

Actions, resources, and condition keys for AWS Activate
AWS Activate (service prefix: activate) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Activate (p. 10)
• Resource types defined by AWS Activate (p. 11)
• Condition keys for AWS Activate (p. 11)

Actions defined by AWS Activate


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).


Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateForm | Grants permission to submit an Activate application form | Write | | |
GetAccountContact | Grants permission to get the AWS account contact information | Read | | |
GetContentInfo | Grants permission to get Activate tech posts and offer information | Read | | |
GetCosts | Grants permission to get the AWS cost information | Read | | |
GetCredits | Grants permission to get the AWS credit information | Read | | |
GetMemberInfo | Grants permission to get the Activate member information | Read | | |
GetProgram | Grants permission to get an Activate program | Read | | |
PutMemberInfo | Grants permission to create or update the Activate member information | Write | | |

Resource types defined by AWS Activate


AWS Activate does not support specifying a resource ARN in the Resource element of an IAM policy
statement. To allow access to AWS Activate, specify “Resource”: “*” in your policy.

Condition keys for AWS Activate


Activate has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Alexa for Business
Alexa for Business (service prefix: a4b) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• View a list of the API operations available for this service.

Topics
• Actions defined by Alexa for Business (p. 12)
• Resource types defined by Alexa for Business (p. 18)
• Condition keys for Alexa for Business (p. 18)

Actions defined by Alexa for Business


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
ApproveSkill | Associates a skill with the organization under the customer's AWS account. If a skill is private, the user implicitly accepts access to this skill during enablement. | Write | | |
AssociateContactWithAddressBook | Associates a contact with a given address book. | Write | addressbook* (p. 18), contact* (p. 18) | |
AssociateDeviceWithRoom | Associates device with given room. | Write | device* (p. 18), room* (p. 18) | |
AssociateSkillGroupWithRoom | Associates the skill group with given room. SkillGroup ARN and Room ARN must be specified. | Write | room* (p. 18), skillgroup* (p. 18) | |
AssociateSkillWithSkillGroup | Associates a skill with a skill group. | Write | skillgroup* (p. 18) | |
AssociateSkillWithUsers | Makes a private skill available for enrolled users to enable on their devices. | Write | | |
CompleteRegistration [permission only] | Completes the operation of registering an Alexa device. | Write | | |
CreateAddressBook | Creates an address book with the specified details. | Write | | |
CreateBusinessReportSchedule | Creates a recurring schedule for usage reports to deliver to the specified S3 location with a specified daily or weekly interval. | Write | | |
CreateConferenceProvider | Adds a new conference provider under the user's AWS account. | Write | | |
CreateContact | Creates a contact with the specified details. | Write | | |
CreateProfile | Creates a new profile. | Write | | |
CreateRoom | Create room with the specified details. | Write | profile* (p. 18) | |
CreateSkillGroup | Creates a skill group with given name and description. | Write | | |
CreateUser | Creates a user. | Write | user* (p. 18) | |
DeleteAddressBook | Deletes an address book by the address book ARN. | Write | addressbook* (p. 18) | |
DeleteBusinessReportSchedule | Deletes the recurring report delivery schedule with the specified schedule ARN. | Write | schedule* (p. 18) | |
DeleteConferenceProvider | Deletes a conference provider. | Write | conferenceprovider* (p. 18) | |
DeleteContact | Deletes a contact by the contact ARN. | Write | contact* (p. 18) | |
DeleteDevice | Removes a device from Alexa For Business. | Write | device* (p. 18) | |
DeleteProfile | Delete profile by profile ARN. | Write | profile* (p. 18) | |
DeleteRoom | Delete room. | Write | room* (p. 18) | |
DeleteRoomSkillParameter | Delete a parameter from a skill and room. | Write | room* (p. 18) | |
DeleteSkillAuthorization | Unlinks a third-party account from a skill. | Write | room* (p. 18) | |
DeleteSkillGroup | Deletes skill group with skill group ARN. Skillgroup ARN must be specified. | Write | skillgroup* (p. 18) | |
DeleteUser | Delete a user. | Write | user* (p. 18) | |
DisassociateContactFromAddressBook | Disassociates a contact from a given address book. | Write | addressbook* (p. 18), contact* (p. 18) | |
DisassociateDeviceFromRoom | Disassociates device from its current room. | Write | device* (p. 18) | |
DisassociateSkillFromSkillGroup | Disassociates a skill from a skill group. | Write | skillgroup* (p. 18) | |
DisassociateSkillFromUsers | Makes a private skill unavailable for enrolled users and prevents them from enabling it on their devices. | Write | user* (p. 18) | |
DisassociateSkillGroupFromRoom | Disassociates the skill group from given room. SkillGroup ARN and Room ARN must be specified. | Write | room* (p. 18), skillgroup* (p. 18) | |
ForgetSmartHomeAppliances | Forgets smart home appliances associated to a room. | Write | room* (p. 18) | |
GetAddressBook | Gets the address book details by the address book ARN. | Read | addressbook* (p. 18) | |
GetConferencePreference | Retrieves the existing conference preferences. | Read | | |
GetConferenceProvider | Gets details about a specific conference provider. | Read | conferenceprovider* (p. 18) | |
GetContact | Gets the contact details by the contact ARN. | Read | contact* (p. 18) | |
GetDevice | Get device details. | Read | device* (p. 18) | |
GetNetworkProfile | Gets the network profile details by the network profile ARN. | Read | networkprofile* (p. 18) | |
GetProfile | Gets profile when provided with Profile ARN. | Read | profile* (p. 18) | |
GetRoom | Get room details. | Read | room* (p. 18) | |
GetRoomSkillParameter | Get an existing parameter that has been set for a skill and room. | Read | room* (p. 18) | |
GetSkillGroup | Gets skill group details with skill group ARN. Skillgroup ARN must be specified. | Read | skillgroup* (p. 18) | |
ListBusinessReportSchedules | Lists the details of the schedules that a user configured. | List | | |
ListConferenceProviders | Lists conference providers under a specific AWS account. | List | | |
ListDeviceEvents | Lists the device event history, including device connection status, for up to 30 days. | List | device* (p. 18) | |
ListSkills | Lists skills. | List | | |
ListSkillsStoreCategories | Lists all categories in the Alexa skill store. | List | | |
ListSkillsStoreSkillsByCategory | Lists all skills in the Alexa skill store by category. | List | | |
ListSmartHomeAppliances | Lists all of the smart home appliances associated with a room. | List | room* (p. 18) | |
ListTags | Lists all tags on a resource. | Read | device (p. 18), room (p. 18), user (p. 18) | |
PutConferencePreference | Sets the conference preferences on a specific conference provider at the account level. | Write | | |
PutDeviceSetupEvents [permission only] | Publishes Alexa device setup events. | Write | | |
PutRoomSkillParameter | Put a room specific parameter for a skill. | Write | room* (p. 18) | |
PutSkillAuthorization | Links a user's account to a third-party skill provider. If this API operation is called by an assumed IAM role, the skill being linked must be a private skill. Also, the skill must be owned by the AWS account that assumed the IAM role. | Write | room* (p. 18) | |
RegisterAVSDevice | Registers an Alexa-enabled device built by an Original Equipment Manufacturer (OEM) using Alexa Voice Service (AVS). | Write | | |
RegisterDevice [permission only] | Registers an Alexa device. | Write | | |
RejectSkill | Disassociates a skill from the organization under a user's AWS account. If the skill is a private skill, it moves to an AcceptStatus of PENDING. | Write | | |
ResolveRoom | Returns resolved room information. | Read | | |
RevokeInvitation | Revoke an invitation. | Write | user* (p. 18) | |
SearchAddressBooks | Searches address books and lists the ones that meet a set of filter and sort criteria. | List | | |
SearchContacts | Searches contacts and lists the ones that meet a set of filter and sort criteria. | List | | |
SearchDevices | Search for devices. | List | | |
SearchNetworkProfiles | Searches network profiles and lists the ones that meet a set of filter and sort criteria. | List | | |
SearchProfiles | Search for profiles. | List | | |
SearchRooms | Search for rooms. | List | | |
SearchSkillGroups | Search for skill groups. | List | | |
SearchUsers | Search for users. | List | | |
SendInvitation | Send an invitation to a user. | Write | user* (p. 18) | |
StartDeviceSync | Restore the device and its account to its known, default settings by clearing all information and settings set by its previous users. | Write | | |
StartSmartHomeApplianceDiscovery | Initiates the discovery of any smart home appliances associated with the room. | Read | room* (p. 18) | |
TagResource | Adds metadata tags to a resource. | Tagging | device (p. 18), room (p. 18), user (p. 18) | |
UntagResource | Removes metadata tags from a resource. | Tagging | device (p. 18), room (p. 18), user (p. 18) | |
UpdateAddressBook | Updates address book details by the address book ARN. | Write | addressbook* (p. 18) | |
UpdateBusinessReportSchedule | Updates the configuration of the report delivery schedule with the specified schedule ARN. | Write | schedule* (p. 18) | |
UpdateConferenceProvider | Updates an existing conference provider's settings. | Write | conferenceprovider* (p. 18) | |
UpdateContact | Updates the contact details by the contact ARN. | Write | contact* (p. 18) | |
UpdateDevice | Updates device name. | Write | device* (p. 18) | |
UpdateProfile | Updates an existing profile. | Write | profile* (p. 18) | |
UpdateRoom | Update room details. | Write | room* (p. 18) | |
UpdateSkillGroup | Updates skill group details with skill group ARN. Skillgroup ARN must be specified. | Write | skillgroup* (p. 18) | |

Resource types defined by Alexa for Business


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 12) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
profile | arn:${Partition}:a4b:${Region}:${Account}:profile/${Resource_id} |
room | arn:${Partition}:a4b:${Region}:${Account}:room/${Resource_id} | aws:ResourceTag/${TagKey} (p. 19)
device | arn:${Partition}:a4b:${Region}:${Account}:device/${Resource_id} | aws:ResourceTag/${TagKey} (p. 19)
skillgroup | arn:${Partition}:a4b:${Region}:${Account}:skill-group/${Resource_id} |
user | arn:${Partition}:a4b:${Region}:${Account}:user/${Resource_id} | aws:ResourceTag/${TagKey} (p. 19)
addressbook | arn:${Partition}:a4b:${Region}:${Account}:address-book/${Resource_id} |
conferenceprovider | arn:${Partition}:a4b:${Region}:${Account}:conference-provider/${Resource_id} |
contact | arn:${Partition}:a4b:${Region}:${Account}:contact/${Resource_id} |
schedule | arn:${Partition}:a4b:${Region}:${Account}:schedule/${Resource_id} |
networkprofile | arn:${Partition}:a4b:${Region}:${Account}:network-profile/${Resource_id} |

Condition keys for Alexa for Business


Alexa for Business defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
a4b:amazonId | Filters actions based on the Amazon Id in the request | String
a4b:filters_deviceType | Filters actions based on the device type in the request | String
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource | String
aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String

Actions, resources, and condition keys for AWS Amplify
AWS Amplify (service prefix: amplify) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Amplify (p. 19)
• Resource types defined by AWS Amplify (p. 22)
• Condition keys for AWS Amplify (p. 23)

Actions defined by AWS Amplify


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).


Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateApp | Creates a new Amplify App. | Write | apps* (p. 23) | aws:RequestTag/${TagKey} (p. 23), aws:TagKeys (p. 23) |
CreateBackendEnvironment | Creates a new backend environment for an Amplify App. | Write | apps* (p. 23) | |
CreateBranch | Creates a new Branch for an Amplify App. | Write | apps* (p. 23) | aws:RequestTag/${TagKey} (p. 23), aws:TagKeys (p. 23) |
CreateDeployment | Create a deployment for manual deploy apps. (Apps are not connected to repository) | Write | branches* (p. 23) | |
CreateDomainAssociation | Create a new DomainAssociation on an App | Write | apps* (p. 23) | aws:RequestTag/${TagKey} (p. 23), aws:TagKeys (p. 23) |
CreateWebHook | Create a new webhook on an App. | Write | branches* (p. 23) | |
DeleteApp | Delete an existing Amplify App by appId. | Write | apps* (p. 23) | |
DeleteBackendEnvironment | Deletes a branch for an Amplify App. | Write | apps* (p. 23) | |
DeleteBranch | Deletes a branch for an Amplify App. | Write | branches* (p. 23) | |
DeleteDomainAssociation | Deletes a DomainAssociation. | Write | domains* (p. 23) | |
DeleteJob | Delete a job, for an Amplify branch, part of Amplify App. | Write | jobs* (p. 23) | |
DeleteWebHook | Delete a webhook by id. | Write | apps* (p. 23) | |
GenerateAccessLogs | Generate website access logs for a specific time range via a pre-signed URL. | Write | apps* (p. 23) | |
GetApp | Retrieves an existing Amplify App by appId. | Read | apps* (p. 23) | |
GetArtifactUrl | Retrieves artifact info that corresponds to an artifactId. | Read | apps* (p. 23) | |
GetBackendEnvironment | Retrieves a backend environment for an Amplify App. | Read | apps* (p. 23) | |
GetBranch | Retrieves a branch for an Amplify App. | Read | branches* (p. 23) | |
GetDomainAssociation | Retrieves domain info that corresponds to an appId and domainName. | Read | domains* (p. 23) | |
GetJob | Get a job for a branch, part of an Amplify App. | Read | jobs* (p. 23) | |
GetWebHook | Retrieves webhook info that corresponds to a webhookId. | Read | apps* (p. 23) | |
ListApps | Lists existing Amplify Apps. | List | | |
ListArtifacts | List artifacts with an app, a branch, a job and an artifact type. | List | apps* (p. 23) | |
ListBackendEnvironments | Lists backend environments for an Amplify App. | List | apps* (p. 23) | |
ListBranches | Lists branches for an Amplify App. | List | apps* (p. 23) | |
ListDomainAssociations | List domains with an app | List | apps* (p. 23) | |
ListJobs | List Jobs for a branch, part of an Amplify App. | List | branches* (p. 23) | |
ListWebHooks | List webhooks on an App. | List | apps* (p. 23) | |
StartDeployment | Start a deployment for manual deploy apps. (Apps are not connected to repository) | Write | branches* (p. 23) | |
StartJob | Starts a new job for a branch, part of an Amplify App. | Write | jobs* (p. 23) | |
StopJob | Stop a job that is in progress, for an Amplify branch, part of Amplify App. | Write | jobs* (p. 23) | |
TagResource | This action tags an AWS Amplify Console resource. | Tagging | apps (p. 23), branches (p. 23), jobs (p. 23) | aws:TagKeys (p. 23), aws:RequestTag/${TagKey} (p. 23) |
UntagResource | This action removes a tag from an AWS Amplify Console resource. | Tagging | apps (p. 23), branches (p. 23), jobs (p. 23) | aws:TagKeys (p. 23) |
UpdateApp | Updates an existing Amplify App. | Write | apps* (p. 23) | |
UpdateBranch | Updates a branch for an Amplify App. | Write | branches* (p. 23) | |
UpdateDomainAssociation | Update a DomainAssociation on an App. | Write | domains* (p. 23) | |
UpdateWebHook | Update a webhook. | Write | apps* (p. 23) | |

Resource types defined by AWS Amplify


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 19) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).


Resource types | ARN | Condition keys
apps | arn:${Partition}:amplify:${Region}:${Account}:apps/${AppId} | aws:ResourceTag/${TagKey} (p. 23)
branches | arn:${Partition}:amplify:${Region}:${Account}:apps/${AppId}/branches/${BranchName} | aws:ResourceTag/${TagKey} (p. 23)
jobs | arn:${Partition}:amplify:${Region}:${Account}:apps/${AppId}/branches/${BranchName}/jobs/${JobId} |
domains | arn:${Partition}:amplify:${Region}:${Account}:apps/${AppId}/domains/${DomainName} | aws:ResourceTag/${TagKey} (p. 23)

Condition keys for AWS Amplify


AWS Amplify defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | | String
aws:ResourceTag/${TagKey} | | String
aws:TagKeys | | String

Actions, resources, and condition keys for AWS Amplify Admin
AWS Amplify Admin (service prefix: amplifybackend) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Amplify Admin (p. 24)
• Resource types defined by AWS Amplify Admin (p. 27)
• Condition keys for AWS Amplify Admin (p. 27)


Actions defined by AWS Amplify Admin


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CloneBackend | Grants permission to clone an existing Amplify Admin backend environment into a new Amplify Admin backend environment | Write | backend* (p. 27) | |
CreateBackend | Grants permission to create a new Amplify Admin backend environment by Amplify appId | Write | backend* (p. 27) | |
CreateBackendAPI | Grants permission to create an API for an existing Amplify Admin backend environment by appId and backendEnvironmentName | Write | api* (p. 27), backend* (p. 27), environment* (p. 27) | |
CreateBackendAuth | Grants permission to create an auth resource for an existing Amplify Admin backend environment by appId and backendEnvironmentName | Write | auth* (p. 27), backend* (p. 27), environment* (p. 27) | |
CreateBackendConfig | Grants permission to create a new Amplify Admin backend config by Amplify appId | Write | backend* (p. 27) | |
CreateToken | Grants permission to create an Amplify Admin challenge token by appId | Write | backend* (p. 27) | |
DeleteBackend | Grants permission to delete an existing Amplify Admin backend environment by appId and backendEnvironmentName | Write | backend* (p. 27), environment* (p. 27) | |
DeleteBackendAPI | Grants permission to delete an API of an existing Amplify Admin backend environment by appId and backendEnvironmentName | Write | api* (p. 27), backend* (p. 27), environment* (p. 27) | |
DeleteBackendAuth | Grants permission to delete an auth resource of an existing Amplify Admin backend environment by appId and backendEnvironmentName | Write | auth* (p. 27), backend* (p. 27), environment* (p. 27) | |
DeleteToken | Grants permission to delete an Amplify Admin challenge token by appId | Write | backend* (p. 27) | |
GenerateBackendAPIModels | Grants permission to generate models for an API of an existing Amplify Admin backend environment by appId and backendEnvironmentName | Write | api* (p. 27), backend* (p. 27), environment* (p. 27) | |
GetBackend | Grants permission to retrieve an existing Amplify Admin backend environment by appId and backendEnvironmentName | Read | backend* (p. 27), environment* (p. 27) | |
GetBackendAPI | Grants permission to retrieve an API of an existing Amplify Admin backend environment by appId and backendEnvironmentName | Read | api* (p. 27), backend* (p. 27), environment* (p. 27) | |
GetBackendAPIModels | Grants permission to retrieve models for an API of an existing Amplify Admin backend environment by appId and backendEnvironmentName | Read | api* (p. 27), backend* (p. 27), environment* (p. 27) | |
GetBackendAuth | Grants permission to retrieve an auth resource of an existing Amplify Admin backend environment by appId and backendEnvironmentName | Read | auth* (p. 27), backend* (p. 27), environment* (p. 27) | |
GetBackendJob | Grants permission to retrieve a job of an existing Amplify Admin backend environment by appId and backendEnvironmentName | Read | backend* (p. 27), job* (p. 27) | |
GetToken | Grants permission to retrieve an Amplify Admin challenge token by appId | Read | backend* (p. 27) | |
ListBackendJobs | Grants permission to retrieve the jobs of an existing Amplify Admin backend environment by appId and backendEnvironmentName | List | backend* (p. 27), job* (p. 27) | |
RemoveAllBackends | Grants permission to delete all existing Amplify Admin backend environments by appId | Write | backend* (p. 27), environment* (p. 27) | |
RemoveBackendConfig | Grants permission to delete an Amplify Admin backend config by Amplify appId | Write | backend* (p. 27) | |
UpdateBackendAPI | Grants permission to update an API of an existing Amplify Admin backend environment by appId and backendEnvironmentName | Write | api* (p. 27), backend* (p. 27), environment* (p. 27) | |
UpdateBackendAuth | Grants permission to update an auth resource of an existing Amplify Admin backend environment by appId and backendEnvironmentName | Write | auth* (p. 27), backend* (p. 27), environment* (p. 27) | |
UpdateBackendConfig | Grants permission to update an Amplify Admin backend config by Amplify appId | Write | backend* (p. 27) | |
UpdateBackendJob | Grants permission to update a job of an existing Amplify Admin backend environment by appId and backendEnvironmentName | Write | backend* (p. 27), job* (p. 27) | |

Resource types defined by AWS Amplify Admin


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 24) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
backend | arn:${Partition}:amplifybackend:${Region}:${Account}:backend/${AppId} | none
environment | arn:${Partition}:amplifybackend:${Region}:${Account}:backend/${AppId}/environments | none
api | arn:${Partition}:amplifybackend:${Region}:${Account}:backend/${AppId}/api | none
auth | arn:${Partition}:amplifybackend:${Region}:${Account}:backend/${AppId}/auth | none
job | arn:${Partition}:amplifybackend:${Region}:${Account}:backend/${AppId}/job | none
config | arn:${Partition}:amplifybackend:${Region}:${Account}:backend/${AppId}/config | none
token | arn:${Partition}:amplifybackend:${Region}:${Account}:backend/${AppId}/token | none

Condition keys for AWS Amplify Admin


Amplify Admin has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.


Actions, resources, and condition keys for Amazon API Gateway

Amazon API Gateway (service prefix: execute-api) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon API Gateway (p. 28)
• Resource types defined by Amazon API Gateway (p. 29)
• Condition keys for Amazon API Gateway (p. 29)

Actions defined by Amazon API Gateway


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
InvalidateCache | Used to invalidate API cache upon a client request | Write | execute-api-general* (p. 29) | none | none
Invoke | Used to invoke an API upon a client request | Write | execute-api-general* (p. 29) | none | none
ManageConnections | ManageConnections controls access to the @connections API | Write | execute-api-general* (p. 29) | none | none


Resource types defined by Amazon API Gateway


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 28) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
execute-api-general | arn:${Partition}:execute-api:${Region}:${Account}:${ApiId}/${Stage}/${Method}/${ApiSpecificResourcePath} | none

Condition keys for Amazon API Gateway


ExecuteAPI has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS App Mesh

AWS App Mesh (service prefix: appmesh) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS App Mesh (p. 29)
• Resource types defined by AWS App Mesh (p. 34)
• Condition keys for AWS App Mesh (p. 35)

Actions defined by AWS App Mesh


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateGatewayRoute | Creates a gateway route that is associated with a virtual gateway. | Write | gatewayRoute* (p. 35), virtualService (p. 35) | aws:TagKeys (p. 35), aws:RequestTag/${TagKey} (p. 35) | none
CreateMesh | Creates a service mesh. | Write | mesh* (p. 34) | aws:TagKeys (p. 35), aws:RequestTag/${TagKey} (p. 35) | none
CreateRoute | Creates a route that is associated with a virtual router. | Write | route* (p. 35), virtualNode (p. 35) | aws:TagKeys (p. 35), aws:RequestTag/${TagKey} (p. 35) | none
CreateVirtualGateway | Creates a virtual gateway within a service mesh. | Write | virtualGateway* (p. 35) | aws:TagKeys (p. 35), aws:RequestTag/${TagKey} (p. 35) | none
CreateVirtualNode | Creates a virtual node within a service mesh. | Write | virtualNode* (p. 35), virtualService (p. 35) | aws:TagKeys (p. 35), aws:RequestTag/${TagKey} (p. 35) | none
CreateVirtualRouter | Creates a virtual router within a service mesh. | Write | virtualRouter* (p. 35) | aws:TagKeys (p. 35), aws:RequestTag/${TagKey} (p. 35) | none
CreateVirtualService | Creates a virtual service within a service mesh. | Write | virtualService* (p. 35), virtualNode (p. 35), virtualRouter (p. 35) | aws:TagKeys (p. 35), aws:RequestTag/${TagKey} (p. 35) | none
DeleteGatewayRoute | Deletes an existing gateway route. | Write | gatewayRoute* (p. 35) | none | none
DeleteMesh | Deletes an existing service mesh. | Write | mesh* (p. 34) | none | none
DeleteRoute | Deletes an existing route. | Write | route* (p. 35) | none | none
DeleteVirtualGateway | Deletes an existing virtual gateway. | Write | virtualGateway* (p. 35) | none | none
DeleteVirtualNode | Deletes an existing virtual node. | Write | virtualNode* (p. 35) | none | none
DeleteVirtualRouter | Deletes an existing virtual router. | Write | virtualRouter* (p. 35) | none | none
DeleteVirtualService | Deletes an existing virtual service. | Write | virtualService* (p. 35) | none | none
DescribeGatewayRoute | Describes an existing gateway route. | Read | gatewayRoute* (p. 35) | none | none
DescribeMesh | Describes an existing service mesh. | Read | mesh* (p. 34) | none | none
DescribeRoute | Describes an existing route. | Read | route* (p. 35) | none | none
DescribeVirtualGateway | Describes an existing virtual gateway. | Read | virtualGateway* (p. 35) | none | none
DescribeVirtualNode | Describes an existing virtual node. | Read | virtualNode* (p. 35) | none | none
DescribeVirtualRouter | Describes an existing virtual router. | Read | virtualRouter* (p. 35) | none | none
DescribeVirtualService | Describes an existing virtual service. | Read | virtualService* (p. 35) | none | none
ListGatewayRoutes | Returns a list of existing gateway routes in a service mesh. | List | virtualGateway* (p. 35) | none | none
ListMeshes | Returns a list of existing service meshes. | List | none | none | none
ListRoutes | Returns a list of existing routes in a service mesh. | List | virtualRouter* (p. 35) | none | none
ListTagsForResource | List the tags for an App Mesh resource. | List | gatewayRoute (p. 35), mesh (p. 34), route (p. 35), virtualGateway (p. 35), virtualNode (p. 35), virtualRouter (p. 35), virtualService (p. 35) | none | none
ListVirtualGateways | Returns a list of existing virtual gateways in a service mesh. | List | mesh* (p. 34) | none | none
ListVirtualNodes | Returns a list of existing virtual nodes. | List | mesh* (p. 34) | none | none
ListVirtualRouters | Returns a list of existing virtual routers in a service mesh. | List | mesh* (p. 34) | none | none
ListVirtualServices | Returns a list of existing virtual services in a service mesh. | List | mesh* (p. 34) | none | none
StreamAggregatedResources | Allows an Envoy Proxy to receive streamed resources for an App Mesh endpoint (VirtualNode or VirtualGateway). | Read | virtualGateway (p. 35), virtualNode (p. 35) | none | none
TagResource | Associates the specified tags to a resource with the specified resourceArn. | Write | gatewayRoute (p. 35), mesh (p. 34), route (p. 35), virtualGateway (p. 35), virtualNode (p. 35), virtualRouter (p. 35), virtualService (p. 35) | aws:TagKeys (p. 35), aws:RequestTag/${TagKey} (p. 35) | none
UntagResource | Deletes specified tags from a resource. | Write | gatewayRoute (p. 35), mesh (p. 34), route (p. 35), virtualGateway (p. 35), virtualNode (p. 35), virtualRouter (p. 35), virtualService (p. 35) | aws:TagKeys (p. 35) | none
UpdateGatewayRoute | Updates an existing gateway route for a specified service mesh and virtual gateway. | Write | gatewayRoute* (p. 35), virtualService (p. 35) | none | none
UpdateMesh | Updates an existing service mesh. | Write | mesh* (p. 34) | none | none
UpdateRoute | Updates an existing route for a specified service mesh and virtual router. | Write | route* (p. 35), virtualNode (p. 35) | none | none
UpdateVirtualGateway | Updates an existing virtual gateway in a specified service mesh. | Write | virtualGateway* (p. 35) | none | none
UpdateVirtualNode | Updates an existing virtual node in a specified service mesh. | Write | virtualNode* (p. 35) | none | none
UpdateVirtualRouter | Updates an existing virtual router in a specified service mesh. | Write | virtualRouter* (p. 35) | none | none
UpdateVirtualService | Updates an existing virtual service in a specified service mesh. | Write | mesh* (p. 34), virtualNode (p. 35), virtualRouter (p. 35) | none | none
Resource types defined by AWS App Mesh


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 29) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
mesh | arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName} | aws:ResourceTag/${TagKey} (p. 35)
virtualService | arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualService/${VirtualServiceName} | aws:ResourceTag/${TagKey} (p. 35)
virtualNode | arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualNode/${VirtualNodeName} | aws:ResourceTag/${TagKey} (p. 35)
virtualRouter | arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName} | aws:ResourceTag/${TagKey} (p. 35)
route | arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}/route/${RouteName} | aws:ResourceTag/${TagKey} (p. 35)
virtualGateway | arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName} | aws:ResourceTag/${TagKey} (p. 35)
gatewayRoute | arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}/gatewayRoute/${GatewayRouteName} | aws:ResourceTag/${TagKey} (p. 35)

Condition keys for AWS App Mesh


AWS App Mesh defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request. | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request. | String
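The ARN templates in the resource types table and the aws:ResourceTag/${TagKey} key above are the only handles a policy has for scoping App Mesh actions to particular objects. The following Python script is an added example, not AWS code or part of this reference: it compiles the App Mesh ARN templates into matchers and evaluates a small IAM-style policy (Allow/Deny statements, wildcard Resource patterns, a StringEquals condition on aws:ResourceTag) against constructed requests. The partition "aws", Region "us-east-1", account 111122223333, the mesh and node names, and the "team" tag are all constructed for the example.

```python
"""ARN templates and resource-level scoping for App Mesh (added example, not AWS code).

Every App Mesh resource type is identified by an ARN template such as
arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualNode/${VirtualNodeName}.
This script compiles those templates into matchers, then evaluates a small
IAM-style policy against sample requests.  All ARNs, names and tags below
are constructed for the example; the evaluator models only what the App Mesh
table needs (wildcard Action/Resource, StringEquals on aws:ResourceTag/<key>).
"""
import re

# ARN templates copied from the App Mesh resource types table.
ARN_TEMPLATES = {
    "mesh": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}",
    "virtualService": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualService/${VirtualServiceName}",
    "virtualNode": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualNode/${VirtualNodeName}",
    "virtualRouter": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}",
    "route": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}/route/${RouteName}",
    "virtualGateway": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}",
    "gatewayRoute": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}/gatewayRoute/${GatewayRouteName}",
}


def template_to_regex(template):
    """Compile an ARN template: each ${Name} becomes a named group that cannot span '/' or ':'."""
    parts = re.split(r"\$\{(\w+)\}", template)  # even indices: literal text, odd: placeholder names
    pieces = [re.escape(p) if i % 2 == 0 else f"(?P<{p}>[^/:]+)" for i, p in enumerate(parts)]
    return re.compile("^" + "".join(pieces) + "$")


MATCHERS = {name: template_to_regex(t) for name, t in ARN_TEMPLATES.items()}


def classify_arn(arn):
    """Return (resource_type, captured fields) for the template the ARN fits, else (None, {})."""
    for name, rx in MATCHERS.items():
        m = rx.match(arn)
        if m:
            return name, m.groupdict()
    return None, {}


def iam_glob(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' a single character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def _conditions_hold(condition, resource_tags):
    """Only the operator/key pair this example needs: StringEquals on aws:ResourceTag/<key>."""
    prefix = "aws:ResourceTag/"
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled in this example: {operator}")
        for key, expected in pairs.items():
            if not key.startswith(prefix):
                raise ValueError(f"condition key not modelled in this example: {key}")
            if resource_tags.get(key[len(prefix):]) != expected:
                return False
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn, resource_tags=None):
    """Evaluate one request: an explicit Deny always wins, otherwise any matching Allow grants."""
    resource_tags = resource_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(iam_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_glob(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample: one mesh and two roles scoped to it.
MESH_ARN = "arn:aws:appmesh:us-east-1:111122223333:mesh/shop"

# Envoy sidecar role: may stream configuration only for its own virtual node.
ENVOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "appmesh:StreamAggregatedResources",
        "Resource": MESH_ARN + "/virtualNode/cart-v1",
    }],
}

# Operator role: read anything in the mesh, but change only nodes tagged team=payments.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "appmesh:Describe*", "Resource": MESH_ARN + "/*"},
        {"Effect": "Allow",
         "Action": ["appmesh:UpdateVirtualNode", "appmesh:DeleteVirtualNode"],
         "Resource": MESH_ARN + "/virtualNode/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/team": "payments"}}},
    ],
}

if __name__ == "__main__":
    # A route ARN nests under virtualRouter/ but is its own resource type, not a virtualRouter.
    for arn in (MESH_ARN + "/virtualNode/cart-v1", MESH_ARN + "/virtualRouter/shop-router/route/default"):
        print(arn, "->", classify_arn(arn)[0])
    stream = "appmesh:StreamAggregatedResources"
    print("cart sidecar, own node:   ", is_allowed(ENVOY_POLICY, stream, MESH_ARN + "/virtualNode/cart-v1"))
    print("cart sidecar, other node: ", is_allowed(ENVOY_POLICY, stream, MESH_ARN + "/virtualNode/checkout-v1"))
```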

Actions, resources, and condition keys for AWS App Mesh Preview

AWS App Mesh Preview (service prefix: appmesh-preview) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS App Mesh Preview (p. 36)
• Resource types defined by AWS App Mesh Preview (p. 39)
• Condition keys for AWS App Mesh Preview (p. 39)

Actions defined by AWS App Mesh Preview


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateGatewayRoute | Creates a gateway route that is associated with a virtual gateway. | Write | gatewayRoute* (p. 39), virtualService (p. 39) | none | none
CreateMesh | Creates a service mesh. | Write | mesh* (p. 39) | none | none
CreateRoute | Creates a route that is associated with a virtual router. | Write | route* (p. 39), virtualNode (p. 39) | none | none
CreateVirtualGateway | Creates a virtual gateway within a service mesh. | Write | virtualGateway* (p. 39) | none | none
CreateVirtualNode | Creates a virtual node within a service mesh. | Write | virtualNode* (p. 39), virtualService (p. 39) | none | none
CreateVirtualRouter | Creates a virtual router within a service mesh. | Write | virtualRouter* (p. 39) | none | none
CreateVirtualService | Creates a virtual service within a service mesh. | Write | virtualService* (p. 39), virtualNode (p. 39), virtualRouter (p. 39) | none | none
DeleteGatewayRoute | Deletes an existing gateway route. | Write | gatewayRoute* (p. 39) | none | none
DeleteMesh | Deletes an existing service mesh. | Write | mesh* (p. 39) | none | none
DeleteRoute | Deletes an existing route. | Write | route* (p. 39) | none | none
DeleteVirtualGateway | Deletes an existing virtual gateway. | Write | virtualGateway* (p. 39) | none | none
DeleteVirtualNode | Deletes an existing virtual node. | Write | virtualNode* (p. 39) | none | none
DeleteVirtualRouter | Deletes an existing virtual router. | Write | virtualRouter* (p. 39) | none | none
DeleteVirtualService | Deletes an existing virtual service. | Write | virtualService* (p. 39) | none | none
DescribeGatewayRoute | Describes an existing gateway route. | Read | gatewayRoute* (p. 39) | none | none
DescribeMesh | Describes an existing service mesh. | Read | mesh* (p. 39) | none | none
DescribeRoute | Describes an existing route. | Read | route* (p. 39) | none | none
DescribeVirtualGateway | Describes an existing virtual gateway. | Read | virtualGateway* (p. 39) | none | none
DescribeVirtualNode | Describes an existing virtual node. | Read | virtualNode* (p. 39) | none | none
DescribeVirtualRouter | Describes an existing virtual router. | Read | virtualRouter* (p. 39) | none | none
DescribeVirtualService | Describes an existing virtual service. | Read | virtualService* (p. 39) | none | none
ListGatewayRoutes | Returns a list of existing gateway routes in a service mesh. | List | virtualGateway* (p. 39) | none | none
ListMeshes | Returns a list of existing service meshes. | List | none | none | none
ListRoutes | Returns a list of existing routes in a service mesh. | List | virtualRouter* (p. 39) | none | none
ListVirtualGateways | Returns a list of existing virtual gateways in a service mesh. | List | mesh* (p. 39) | none | none
ListVirtualNodes | Returns a list of existing virtual nodes. | List | mesh* (p. 39) | none | none
ListVirtualRouters | Returns a list of existing virtual routers in a service mesh. | List | mesh* (p. 39) | none | none
ListVirtualServices | Returns a list of existing virtual services in a service mesh. | List | mesh* (p. 39) | none | none
StreamAggregatedResources | Allows an Envoy Proxy to receive streamed resources for an App Mesh endpoint (VirtualNode/VirtualGateway). | Read | virtualGateway (p. 39), virtualNode (p. 39) | none | none
UpdateGatewayRoute | Updates an existing gateway route for a specified service mesh and virtual gateway. | Write | gatewayRoute* (p. 39), virtualService (p. 39) | none | none
UpdateMesh | Updates an existing service mesh. | Write | mesh* (p. 39) | none | none
UpdateRoute | Updates an existing route for a specified service mesh and virtual router. | Write | route* (p. 39), virtualNode (p. 39) | none | none
UpdateVirtualGateway | Updates an existing virtual gateway in a specified service mesh. | Write | virtualGateway* (p. 39) | none | none
UpdateVirtualNode | Updates an existing virtual node in a specified service mesh. | Write | virtualNode* (p. 39) | none | none
UpdateVirtualRouter | Updates an existing virtual router in a specified service mesh. | Write | virtualRouter* (p. 39) | none | none
UpdateVirtualService | Updates an existing virtual service in a specified service mesh. | Write | mesh* (p. 39), virtualNode (p. 39), virtualRouter (p. 39) | none | none

Resource types defined by AWS App Mesh Preview


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 36) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
mesh | arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName} | none
virtualService | arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualService/${VirtualServiceName} | none
virtualNode | arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualNode/${VirtualNodeName} | none
virtualRouter | arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName} | none
route | arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}/route/${RouteName} | none
virtualGateway | arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName} | none
gatewayRoute | arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}/gatewayRoute/${GatewayRouteName} | none

Condition keys for AWS App Mesh Preview


App Mesh Preview has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.


Actions, resources, and condition keys for AWS AppConfig

AWS AppConfig (service prefix: appconfig) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS AppConfig (p. 40)
• Resource types defined by AWS AppConfig (p. 46)
• Condition keys for AWS AppConfig (p. 47)

Actions defined by AWS AppConfig


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateApplication | Grants permission to create an application | Write | application* (p. 46) | aws:RequestTag/${TagKey} (p. 47), aws:TagKeys (p. 47) | none
CreateConfigurationProfile | Grants permission to create a configuration profile | Write | application* (p. 46), configurationprofile* (p. 46) | aws:RequestTag/${TagKey} (p. 47), aws:TagKeys (p. 47) | none
CreateDeploymentStrategy | Grants permission to create a deployment strategy | Write | deploymentstrategy* (p. 46) | aws:RequestTag/${TagKey} (p. 47), aws:TagKeys (p. 47) | none
CreateEnvironment | Grants permission to create an environment | Write | application* (p. 46), environment* (p. 46) | aws:RequestTag/${TagKey} (p. 47), aws:TagKeys (p. 47) | none
CreateHostedConfigurationVersion | Grants permission to create a hosted configuration version | Write | application* (p. 46), configurationprofile* (p. 46), hostedconfigurationversion* (p. 46) | none | none
DeleteApplication | Grants permission to delete an application | Write | application* (p. 46) | none | none
DeleteConfigurationProfile | Grants permission to delete a configuration profile | Write | application* (p. 46), configurationprofile* (p. 46) | none | none
DeleteDeploymentStrategy | Grants permission to delete a deployment strategy | Write | deploymentstrategy* (p. 46) | none | none
DeleteEnvironment | Grants permission to delete an environment | Write | application* (p. 46), environment* (p. 46) | none | none
DeleteHostedConfigurationVersion | Grants permission to delete a hosted configuration version | Write | application* (p. 46), configurationprofile* (p. 46), hostedconfigurationversion* (p. 46) | none | none
GetApplication | Grants permission to view details about an application | Read | application* (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
GetConfiguration | Grants permission to view details about a configuration | Read | application* (p. 46), configurationprofile* (p. 46), environment* (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
GetConfigurationProfile | Grants permission to view details about a configuration profile | Read | application* (p. 46), configurationprofile* (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
GetDeployment | Grants permission to view details about a deployment | Read | application* (p. 46), deployment* (p. 46), environment* (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
GetDeploymentStrategy | Grants permission to view details about a deployment strategy | Read | deploymentstrategy* (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
GetEnvironment | Grants permission to view details about an environment | Read | application* (p. 46), environment* (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
GetHostedConfigurationVersion | Grants permission to view details about a hosted configuration version | Read | application* (p. 46), configurationprofile* (p. 46), hostedconfigurationversion* (p. 46) | none | none
ListApplications | Grants permission to list the applications in your account | List | none | none | none
ListConfigurationProfiles | Grants permission to list the configuration profiles for an application | List | application* (p. 46) | none | none
ListDeploymentStrategies | Grants permission to list the deployment strategies for your account | List | none | none | none
ListDeployments | Grants permission to list the deployments for an environment | List | application* (p. 46), environment* (p. 46) | none | none
ListEnvironments | Grants permission to list the environments for an application | List | application* (p. 46) | none | none
ListHostedConfigurationVersions | Grants permission to list the hosted configuration versions for a configuration profile | List | application* (p. 46), configurationprofile* (p. 46) | none | none
ListTagsForResource | Grants permission to view a list of resource tags for a specified resource | Read | application (p. 46), configurationprofile (p. 46), deployment (p. 46), deploymentstrategy (p. 46), environment (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
StartDeployment | Grants permission to initiate a deployment | Write | application* (p. 46), configurationprofile* (p. 46), deployment* (p. 46), deploymentstrategy* (p. 46), environment* (p. 46) | none | none
StopDeployment | Grants permission to stop a deployment | Write | application* (p. 46), deployment* (p. 46), environment* (p. 46) | none | none
TagResource | Grants permission to tag an appconfig resource. | Tagging | application (p. 46), configurationprofile (p. 46), deployment (p. 46), deploymentstrategy (p. 46), environment (p. 46) | aws:TagKeys (p. 47), aws:RequestTag/${TagKey} (p. 47), aws:ResourceTag/${TagKey} (p. 47) | none
UntagResource | Grants permission to untag an appconfig resource. | Tagging | application (p. 46), configurationprofile (p. 46), deployment (p. 46), deploymentstrategy (p. 46), environment (p. 46) | aws:TagKeys (p. 47) | none
UpdateApplication | Grants permission to modify an application | Write | application* (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
UpdateConfigurationProfile | Grants permission to modify a configuration profile | Write | application* (p. 46), configurationprofile* (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
UpdateDeploymentStrategy | Grants permission to modify a deployment strategy | Write | deploymentstrategy* (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
UpdateEnvironment | Grants permission to modify an environment | Write | application* (p. 46), environment* (p. 46) | aws:ResourceTag/${TagKey} (p. 47) | none
ValidateConfiguration | Grants permission to validate a configuration | Write | application* (p. 46), configurationprofile* (p. 46) | none | none

Resource types defined by AWS AppConfig


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 40) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
application | arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId} | aws:ResourceTag/${TagKey} (p. 47)
environment | arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId} | aws:ResourceTag/${TagKey} (p. 47)
configurationprofile | arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/configurationprofile/${ConfigurationProfileId} | aws:ResourceTag/${TagKey} (p. 47)
deploymentstrategy | arn:${Partition}:appconfig:${Region}:${Account}:deploymentstrategy/${DeploymentStrategyId} | aws:ResourceTag/${TagKey} (p. 47)
deployment | arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId}/deployment/${DeploymentNumber} | aws:ResourceTag/${TagKey} (p. 47)
hostedconfigurationversion | arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/configurationprofile/${ConfigurationProfileId}/hostedconfigurationversion/${VersionNumber} | none


Condition keys for AWS AppConfig


AWS AppConfig defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters 'Create' requests based on the allowed set of values for a specified tag | String
aws:ResourceTag/${TagKey} | Filters access based on a tag key-value pair assigned to the AWS resource | String
aws:TagKeys | Filters 'Create' requests based on whether mandatory tags are included in the request | String

Actions, resources, and condition keys for Amazon AppFlow

Amazon AppFlow (service prefix: appflow) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon AppFlow (p. 47)
• Resource types defined by Amazon AppFlow (p. 50)
• Condition keys for Amazon AppFlow (p. 50)

Actions defined by Amazon AppFlow


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.


Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateConnectorProfile | Grants permission to create a login profile to be used with Amazon AppFlow flows | Write | | |
CreateFlow | Grants permission to create an Amazon AppFlow flow | Write | | aws:RequestTag/${TagKey} (p. 50), aws:TagKeys (p. 50) |
DeleteConnectorProfile | Grants permission to delete a login profile configured in Amazon AppFlow | Write | connectorprofile* (p. 50) | |
DeleteFlow | Grants permission to delete an Amazon AppFlow flow | Write | flow* (p. 50) | aws:RequestTag/${TagKey} (p. 50), aws:TagKeys (p. 50) |
DescribeConnectorEntity | Grants permission to describe all fields for an object in a login profile configured in Amazon AppFlow | Read | connectorprofile* (p. 50) | |
DescribeConnectorFields [permission only] | Grants permission to describe all fields for an object in a login profile configured in Amazon AppFlow (Console Only) | Read | connectorprofile* (p. 50) | |
DescribeConnectorProfiles | Grants permission to describe all login profiles configured in Amazon AppFlow | Read | | |
DescribeConnectors | Grants permission to describe all connectors supported by Amazon AppFlow | Read | | |
DescribeFlow | Grants permission to describe a specific flow configured in Amazon AppFlow | Read | | |
DescribeFlowExecution [permission only] | Grants permission to describe all flow executions for a flow configured in Amazon AppFlow (Console Only) | Read | flow* (p. 50) | |
DescribeFlowExecutionRecords | Grants permission to describe all flow executions for a flow configured in Amazon AppFlow | Read | flow* (p. 50) | |
DescribeFlows [permission only] | Grants permission to describe all flows configured in Amazon AppFlow (Console Only) | Read | | |
ListConnectorEntities | Grants permission to list all objects for a login profile configured in Amazon AppFlow | List | connectorprofile* (p. 50) | |
ListConnectorFields [permission only] | Grants permission to list all objects for a login profile configured in Amazon AppFlow (Console Only) | Read | connectorprofile* (p. 50) | |
ListFlows | Grants permission to list all flows configured in Amazon AppFlow | List | flow* (p. 50) | |
ListTagsForResource | Grants permission to list tags for a flow | List | flow* (p. 50) | |
RunFlow [permission only] | Grants permission to run a flow configured in Amazon AppFlow (Console Only) | Write | flow* (p. 50) | |
StartFlow | Grants permission to activate (for scheduled and event-triggered flows) or run (for on-demand flows) a flow configured in Amazon AppFlow | Write | flow* (p. 50) | |
StopFlow | Grants permission to deactivate a scheduled or event-triggered flow configured in Amazon AppFlow | Write | flow* (p. 50) | |
TagResource | Grants permission to tag a flow | Tagging | flow* (p. 50) | aws:TagKeys (p. 50), aws:RequestTag/${TagKey} (p. 50) |
UntagResource | Grants permission to untag a flow | Tagging | flow* (p. 50) | aws:TagKeys (p. 50) |
UpdateConnectorProfile | Grants permission to update a login profile configured in Amazon AppFlow | Write | flow* (p. 50) | |
UpdateFlow | Grants permission to update a flow configured in Amazon AppFlow | Write | flow* (p. 50) | |

Resource types defined by Amazon AppFlow


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 47) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
connectorprofile | arn:${Partition}:appflow:${Region}:${Account}:connectorprofile/${profileName} |
flow | arn:${Partition}:appflow:${Region}:${Account}:flow/${flowName} | aws:ResourceTag/${TagKey} (p. 50)

Condition keys for Amazon AppFlow


Amazon AppFlow defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource | String
aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String
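As an added example (this is not code from the AWS reference), the following Python linter applies the rules stated in the AppConfig and AppFlow sections above to a policy statement: every non-wildcard Resource ARN must be of a type the action accepts, every required (asterisked) resource type must be covered, an action with no resource types can only be granted on "*", and a tag condition key must be one the action's row lists. A few rows of the action, resource type (ARN template) and condition key tables are transcribed as data; the regex derived from each ${Var} template, the helper names, and the sample statements are my own assumptions.

```python
"""Lint IAM policy statements against service authorization tables.

Added example, not part of the AWS reference: the dictionaries below are partial
transcriptions of the AppConfig and AppFlow tables on this page; the policy
statements in demo() are constructed inputs.
"""
import re

# action -> ({resource type: required?}, {supported condition keys})
# An empty resource dict means the action supports no resource-level permissions.
SERVICE_TABLES = {
    "appconfig": {
        "UpdateEnvironment": ({"application": True, "environment": True},
                              {"aws:ResourceTag/${TagKey}"}),
        "UpdateDeploymentStrategy": ({"deploymentstrategy": True},
                                     {"aws:ResourceTag/${TagKey}"}),
        "UntagResource": ({"application": False, "environment": False,
                           "deploymentstrategy": False}, {"aws:TagKeys"}),
    },
    "appflow": {
        "CreateFlow": ({}, {"aws:RequestTag/${TagKey}", "aws:TagKeys"}),
        "StartFlow": ({"flow": True}, set()),
    },
}

# resource type -> ARN template, transcribed from the resource types tables
ARN_TEMPLATES = {
    "appconfig": {
        "application": "arn:${Partition}:appconfig:${Region}:${Account}:"
                       "application/${ApplicationId}",
        "environment": "arn:${Partition}:appconfig:${Region}:${Account}:"
                       "application/${ApplicationId}/environment/${EnvironmentId}",
        "deploymentstrategy": "arn:${Partition}:appconfig:${Region}:${Account}:"
                              "deploymentstrategy/${DeploymentStrategyId}",
    },
    "appflow": {
        "flow": "arn:${Partition}:appflow:${Region}:${Account}:flow/${flowName}",
        "connectorprofile": "arn:${Partition}:appflow:${Region}:${Account}:"
                            "connectorprofile/${profileName}",
    },
}

TAG_KEY_FAMILIES = ("aws:RequestTag/", "aws:ResourceTag/")


def template_to_regex(template):
    """Turn an ARN template into a regex; each ${Var} matches one segment (assumption)."""
    pattern = "".join(r"[^/:]+" if p.startswith("${") else re.escape(p)
                      for p in re.split(r"(\$\{[^}]+\})", template))
    return re.compile("^" + pattern + "$")


def classify_arn(service, arn):
    """Return the resource type name an ARN matches, or None if it matches none."""
    for rtype, template in ARN_TEMPLATES.get(service, {}).items():
        if template_to_regex(template).match(arn):
            return rtype
    return None


def normalize_key(key):
    """Map a concrete tag key such as aws:ResourceTag/Team to its table form."""
    for family in TAG_KEY_FAMILIES:
        if key.startswith(family):
            return family + "${TagKey}"
    return key


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return findings for one Allow statement; an empty list means it is clean."""
    findings = []
    resources = as_list(stmt.get("Resource", []))
    cond_keys = {normalize_key(k) for op in stmt.get("Condition", {}).values() for k in op}
    for action in as_list(stmt["Action"]):
        service, _, name = action.partition(":")
        if name not in SERVICE_TABLES.get(service, {}):
            findings.append(f"{action}: action not in transcribed table")
            continue
        rtypes, supported = SERVICE_TABLES[service][name]
        if not rtypes and resources != ["*"]:
            findings.append(f'{action}: supports no resource types; Resource must be "*"')
        for arn in resources:
            if arn != "*" and classify_arn(service, arn) not in rtypes:
                findings.append(f"{action}: resource {arn} is not an accepted type")
        for rtype, required in rtypes.items():
            covered = "*" in resources or any(classify_arn(service, a) == rtype for a in resources)
            if required and not covered:
                findings.append(f"{action}: required resource type {rtype} not covered")
        for key in cond_keys:
            if (key.startswith(TAG_KEY_FAMILIES) or key == "aws:TagKeys") and key not in supported:
                findings.append(f"{action}: condition key {key} not supported by this action")
    return findings


def demo():
    """Constructed statements: one clean, one that omits a required resource type."""
    app = "arn:aws:appconfig:us-east-1:123456789012:application/a1b2c3"
    env = app + "/environment/e4f5g6"
    clean = {"Effect": "Allow", "Action": "appconfig:UpdateEnvironment",
             "Resource": [app, env],
             "Condition": {"StringEquals": {"aws:ResourceTag/Team": "payments"}}}
    broken = {"Effect": "Allow", "Action": "appconfig:UpdateEnvironment", "Resource": app}
    return lint_statement(clean), lint_statement(broken)


if __name__ == "__main__":
    for findings in demo():
        print(findings or ["clean"])
```

The linter only flags tag-family keys; keys such as aws:SourceIp are global condition keys outside these tables, so it leaves them alone.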


Actions, resources, and condition keys for Application Auto Scaling

Application Auto Scaling (service prefix: application-autoscaling) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Application Auto Scaling (p. 51)
• Resource types defined by Application Auto Scaling (p. 52)
• Condition keys for Application Auto Scaling (p. 52)

Actions defined by Application Auto Scaling


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
DeleteScalingPolicy | Deletes an Application Auto Scaling scaling policy that was previously created. | Write | | |
DeleteScheduledAction | Deletes an Application Auto Scaling scheduled action that was previously created. | Write | | |
DeregisterScalableTarget | Deregisters a scalable target that was previously registered. | Write | | |
DescribeScalableTargets | Provides descriptive information for scalable targets with a specified service namespace. | Read | | |
DescribeScalingActivities | Provides descriptive information for scaling activities with a specified service namespace for the previous six weeks. | Read | | |
DescribeScalingPolicies | Provides descriptive information for scaling policies with a specified service namespace. | Read | | |
DescribeScheduledActions | Provides descriptive information for scheduled actions with a specified service namespace. | Read | | |
PutScalingPolicy | Creates or updates a policy for an existing Application Auto Scaling scalable target. | Write | | |
PutScheduledAction | Creates or updates a scheduled action for an existing Application Auto Scaling scalable target. | Write | | |
RegisterScalableTarget | Registers or updates a scalable target. A scalable target is a resource that can be scaled out or in with Application Auto Scaling. | Write | | |

Resource types defined by Application Auto Scaling


Application Auto Scaling does not support specifying a resource ARN in the Resource element of an
IAM policy statement. To allow access to Application Auto Scaling, specify “Resource”: “*” in your
policy.

Condition keys for Application Auto Scaling


Application Auto Scaling has no service-specific context keys that can be used in the Condition
element of policy statements. For the list of the global context keys that are available to all services, see
Available keys for conditions.

Actions, resources, and condition keys for Application Discovery

Application Discovery (service prefix: discovery) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.


Topics
• Actions defined by Application Discovery (p. 53)
• Resource types defined by Application Discovery (p. 56)
• Condition keys for Application Discovery (p. 56)

Actions defined by Application Discovery


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateConfigurationItemsToApplication | Associates one or more configuration items with an application. | Write | | |
BatchDeleteImportData | Deletes one or more Migration Hub import tasks, each identified by their import ID. Each import task has a number of records, which can identify servers or applications. | Write | | |
CreateApplication | Creates an application with the given name and description. | Write | | |
CreateTags | Creates one or more tags for configuration items. Tags are metadata that help you categorize IT assets. This API accepts a list of multiple configuration items. | Tagging | | |
DeleteApplications | Deletes a list of applications and their associations with configuration items. | Write | | |
DeleteTags | Deletes the association between configuration items and one or more tags. This API accepts a list of multiple configuration items. | Tagging | | |
DescribeAgents | Lists agents or the Connector by ID or lists all agents/Connectors associated with your user account if you did not specify an ID. | Read | | |
DescribeConfigurations | Retrieves attributes for a list of configuration item IDs. All of the supplied IDs must be for the same asset type (server, application, process, or connection). Output fields are specific to the asset type selected. For example, the output for a server configuration item includes a list of attributes about the server, such as host name, operating system, and number of network cards. | Read | | |
DescribeContinuousExports | Lists exports as specified by ID. All continuous exports associated with your user account can be listed if you call DescribeContinuousExports as is without passing any parameters. | Read | | |
DescribeExportConfigurations | Retrieves the status of a given export process. You can retrieve status from a maximum of 100 processes. | Read | | |
DescribeExportTasks | Retrieve status of one or more export tasks. You can retrieve the status of up to 100 export tasks. | Read | | |
DescribeImportTasks | Returns an array of import tasks for your account, including status information, times, IDs, the Amazon S3 Object URL for the import file, and more. | List | | |
DescribeTags | Retrieves a list of configuration items that are tagged with a specific tag. Or retrieves a list of all tags assigned to a specific configuration item. | Read | | |
DisassociateConfigurationItemsFromApplication | Disassociates one or more configuration items from an application. | Write | | |
ExportConfigurations | Exports all discovered configuration data to an Amazon S3 bucket or an application that enables you to view and evaluate the data. Data includes tags and tag associations, processes, connections, servers, and system performance. | Write | | |
GetDiscoverySummary | Retrieves a short summary of discovered assets. | Read | | |
ListConfigurations | Retrieves a list of configuration items according to criteria you specify in a filter. The filter criteria identify relationship requirements. | List | | |
ListServerNeighbors | Retrieves a list of servers which are one network hop away from a specified server. | List | | |
StartContinuousExport | Start the continuous flow of agent's discovered data into Amazon Athena. | Write | | |
StartDataCollectionByAgentIds | Instructs the specified agents or Connectors to start collecting data. | Write | | |
StartExportTask | Export the configuration data about discovered configuration items and relationships to an S3 bucket in a specified format. | Write | | |
StartImportTask | Starts an import task. The Migration Hub import feature allows you to import details of your on-premises environment directly into AWS without having to use the Application Discovery Service (ADS) tools such as the Discovery Connector or Discovery Agent. This gives you the option to perform migration assessment and planning directly from your imported data including the ability to group your devices as applications and track their migration status. | Write | | |
StopContinuousExport | Stop the continuous flow of agent's discovered data into Amazon Athena. | Write | | |
StopDataCollectionByAgentIds | Instructs the specified agents or Connectors to stop collecting data. | Write | | |
UpdateApplication | Updates metadata about an application. | Write | | |

Resource types defined by Application Discovery


Application Discovery does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to Application Discovery, specify “Resource”: “*” in your policy.

Condition keys for Application Discovery


Application Discovery has no service-specific context keys that can be used in the Condition element
of policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Application Discovery Arsenal

Application Discovery Arsenal (service prefix: arsenal) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Application Discovery Arsenal (p. 56)
• Resource types defined by Application Discovery Arsenal (p. 57)
• Condition keys for Application Discovery Arsenal (p. 57)

Actions defined by Application Discovery Arsenal


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
RegisterOnPremisesAgent [permission only] | Grants permission to register AWS provided data collectors to the Application Discovery Service | Write | | |

Resource types defined by Application Discovery Arsenal


Application Discovery Arsenal does not support specifying a resource ARN in the Resource element of
an IAM policy statement. To allow access to Application Discovery Arsenal, specify “Resource”: “*” in
your policy.

Condition keys for Application Discovery Arsenal


Application Discovery Arsenal has no service-specific context keys that can be used in the Condition
element of policy statements. For the list of the global context keys that are available to all services, see
Available keys for conditions.

Actions, resources, and condition keys for Amazon AppStream 2.0

Amazon AppStream 2.0 (service prefix: appstream) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon AppStream 2.0 (p. 57)
• Resource types defined by Amazon AppStream 2.0 (p. 65)
• Condition keys for Amazon AppStream 2.0 (p. 65)

Actions defined by Amazon AppStream 2.0


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.


The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateFleet | Grants permission to associate the specified fleet with the specified stack | Write | fleet* (p. 65), stack* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
BatchAssociateUserStack | Grants permission to associate the specified users with the specified stacks. Users in a user pool cannot be assigned to stacks with fleets that are joined to an Active Directory domain | Write | stack* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
BatchDisassociateUserStack | Grants permission to disassociate the specified users from the specified stacks | Write | stack* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
CopyImage | Grants permission to copy the specified image within the same Region or to a new Region within the same AWS account | Write | image* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
CreateDirectoryConfig | Grants permission to create a Directory Config object in AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains | Write | | |
CreateFleet | Grants permission to create a fleet. A fleet is a group of streaming instances from which applications are launched and streamed to users | Write | fleet* (p. 65), image* (p. 65) | aws:RequestTag/${TagKey} (p. 66), aws:TagKeys (p. 66) |
CreateImageBuilder | Grants permission to create an image builder. An image builder is a virtual machine that is used to create an image | Write | image* (p. 65), image-builder* (p. 65) | aws:RequestTag/${TagKey} (p. 66), aws:TagKeys (p. 66) |
CreateImageBuilderStreamingURL | Grants permission to create a URL to start an image builder streaming session | Write | image-builder* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
CreateStack | Grants permission to create a stack to start streaming applications to users. A stack consists of an associated fleet, user access policies, and storage configurations | Write | stack* (p. 65) | aws:RequestTag/${TagKey} (p. 66), aws:TagKeys (p. 66) |
CreateStreamingURL | Grants permission to create a temporary URL to start an AppStream 2.0 streaming session for the specified user. A streaming URL enables application streaming to be tested without user setup | Write | fleet* (p. 65), stack* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
CreateUsageReportSubscription | Grants permission to create a usage report subscription. Usage reports are generated daily | Write | | |
CreateUser | Grants permission to create a new user in the user pool | Write | | |
DeleteDirectoryConfig | Grants permission to delete the specified Directory Config object from AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains | Write | | |
DeleteFleet | Grants permission to delete the specified fleet | Write | fleet* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
DeleteImage | Grants permission to delete the specified image. An image cannot be deleted when it is in use | Write | image* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
DeleteImageBuilder | Grants permission to delete the specified image builder and release capacity | Write | image-builder* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
DeleteImagePermissions | Grants permission to delete permissions for the specified private image | Write | image* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
DeleteStack | Grants permission to delete the specified stack. After the stack is deleted, the application streaming environment provided by the stack is no longer available to users. Also, any reservations made for application streaming sessions for the stack are released | Write | stack* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
DeleteUsageReportSubscription | Grants permission to disable usage report generation | Write | | |
DeleteUser | Grants permission to delete a user from the user pool | Write | | |
DescribeDirectoryConfigs | Grants permission to retrieve a list that describes one or more specified Directory Config objects for AppStream 2.0, if the names for these objects are provided. Otherwise, all Directory Config objects in the account are described. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains | Read | | |
DescribeFleets | Grants permission to retrieve a list that describes one or more specified fleets, if the fleet names are provided. Otherwise, all fleets in the account are described | Read | fleet (p. 65) | |
DescribeImageBuilders | Grants permission to retrieve a list that describes one or more specified image builders, if the image builder names are provided. Otherwise, all image builders in the account are described | Read | image-builder (p. 65) | |
DescribeImagePermissions | Grants permission to retrieve a list that describes the permissions for shared AWS account IDs on a private image that you own | Read | image* (p. 65) | |
DescribeImages | Grants permission to retrieve a list that describes one or more specified images, if the image names or image ARNs are provided. Otherwise, all images in the account are described | Read | image (p. 65) | |
DescribeSessions | Grants permission to retrieve a list that describes the streaming sessions for the specified stack and fleet. If a user ID is provided for the stack and fleet, only the streaming sessions for that user are described | Read | fleet* (p. 65), stack* (p. 65) | |
DescribeStacks | Grants permission to retrieve a list that describes one or more specified stacks, if the stack names are provided. Otherwise, all stacks in the account are described | Read | stack (p. 65) | |
DescribeUsageReportSubscriptions | Grants permission to retrieve a list that describes one or more usage report subscriptions | Read | | |
DescribeUserStackAssociations | Grants permission to retrieve a list that describes the UserStackAssociation objects | Read | stack (p. 65) | |
DescribeUsers | Grants permission to retrieve a list that describes users in the user pool | Read | | |
DisableUser | Grants permission to disable the specified user in the user pool. This action does not delete the user | Write | | |
DisassociateFleet | Grants permission to disassociate the specified fleet from the specified stack | Write | fleet* (p. 65), stack* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
EnableUser | Grants permission to enable a user in the user pool | Write | | |
ExpireSession | Grants permission to immediately stop the specified streaming session | Write | | |
GetImageBuilders [permission only] | Grants permission to retrieve a list that describes one or more specified image builders, if the image builder names are provided. Otherwise, all image builders in the account are described | Read | | |
GetParametersForThemeAssetUpload [permission only] | Grants permission to upload theme assets | Write | | |
ListAssociatedFleets | Grants permission to retrieve the name of the fleet that is associated with the specified stack | Read | stack* (p. 65) | |
ListAssociatedStacks | Grants permission to retrieve the name of the stack with which the specified fleet is associated | Read | fleet* (p. 65) | |
ListTagsForResource | Grants permission to retrieve a list of all tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, and stacks | Read | | |
StartFleet | Grants permission to start the specified fleet | Write | fleet* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
StartImageBuilder | Grants permission to start the specified image builder | Write | image-builder* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
StopFleet | Grants permission to stop the specified fleet | Write | fleet* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
StopImageBuilder | Grants permission to stop the specified image builder | Write | image-builder* (p. 65) | aws:ResourceTag/${TagKey} (p. 66) |
Stream | Grants permission to federated users to sign in by using their | Write | stack* (p. 65) | |
existing credentials and stream
applications from the specified   appstream:userId
 
stack (p. 66)

63
Service Authorization Reference
Service Authorization Reference
Amazon AppStream 2.0

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

TagResource Grants permission to add or Tagging fleet    


overwrite one or more tags (p. 65)
for the specified AppStream
2.0 resource. The following image    
resources can be tagged: Image (p. 65)
builders, images, fleets, and
image-    
stacks
builder
(p. 65)

stack    
(p. 65)

  aws:RequestTag/
 
${TagKey}
(p. 66)

aws:TagKeys
(p. 66)

aws:ResourceTag/
${TagKey}
(p. 66)

Grants permission to Tagging fleet    


UntagResource disassociate one or more tags (p. 65)
from the specified AppStream
2.0 resource image    
(p. 65)

image-    
builder
(p. 65)

stack    
(p. 65)

  aws:TagKeys  
(p. 66)

Grants permission to update Write      


UpdateDirectoryConfig
the specified Directory Config
object in AppStream 2.0. This
object includes the configuration
information required to join
fleets and image builders to
Microsoft Active Directory
domains

UpdateFleet Grants permission to update Write fleet*    


the specified fleet. All attributes (p. 65)
except the fleet name can be
updated when the fleet is in the image    
STOPPED state (p. 65)

64
Service Authorization Reference
Service Authorization Reference
Amazon AppStream 2.0

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:ResourceTag/
 
${TagKey}
(p. 66)

Grants permission to add or Write image*    


UpdateImagePermissions
update permissions for the (p. 65)
specified private image
  aws:ResourceTag/
 
${TagKey}
(p. 66)

UpdateStack Grants permission to update the Write stack*    


specified fields for the specified (p. 65)
stack
  aws:ResourceTag/
 
${TagKey}
(p. 66)

Resource types defined by Amazon AppStream 2.0


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 57) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
fleet | arn:${Partition}:appstream:${Region}:${Account}:fleet/${FleetName} | aws:ResourceTag/${TagKey} (p. 66)
image | arn:${Partition}:appstream:${Region}:${Account}:image/${ImageName} | aws:ResourceTag/${TagKey} (p. 66)
image-builder | arn:${Partition}:appstream:${Region}:${Account}:image-builder/${ImageBuilderName} | aws:ResourceTag/${TagKey} (p. 66)
stack | arn:${Partition}:appstream:${Region}:${Account}:stack/${StackName} | aws:ResourceTag/${TagKey} (p. 66)

Condition keys for Amazon AppStream 2.0


Amazon AppStream 2.0 defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
appstream:userId | Filters access by the ID of the AppStream 2.0 user | String
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for AWS AppSync
AWS AppSync (service prefix: appsync) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS AppSync (p. 66)
• Resource types defined by AWS AppSync (p. 69)
• Condition keys for AWS AppSync (p. 70)

Actions defined by AWS AppSync


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateApiKey | Creates a unique key that you can distribute to clients who are executing your API. | Write | - | - | -
CreateDataSource | Creates a DataSource object. | Write | - | - | -
CreateFunction | Creates a new Function object. | Write | - | - | -
CreateGraphqlApi | Creates a GraphqlApi object, which is the top level AppSync resource. | Tagging | - | aws:RequestTag/${TagKey} (p. 70), aws:TagKeys (p. 70) | iam:CreateServiceLinkedR
CreateResolver | Creates a Resolver object. A resolver converts incoming requests into a format that a data source can understand, and converts the data source's responses into GraphQL. | Write | - | - | -
CreateType | Creates a Type object. | Write | - | - | -
DeleteApiKey | Deletes an API key. | Write | - | - | -
DeleteDataSource | Deletes a DataSource object. | Write | - | - | -
DeleteFunction | Deletes a Function object. | Write | - | - | -
DeleteGraphqlApi | Deletes a GraphqlApi object. This will also clean up every AppSync resource below that API. | Write | graphqlapi* (p. 70) | aws:ResourceTag/${TagKey} (p. 70) | -
DeleteResolver | Deletes a Resolver object. | Write | - | - | -
DeleteType | Deletes a Type object. | Write | - | - | -
GetDataSource | Retrieves a DataSource object. | Read | - | - | -
GetFunction | Retrieves a Function object. | Read | - | - | -
GetGraphqlApi | Retrieves a GraphqlApi object. | Read | graphqlapi* (p. 70) | aws:ResourceTag/${TagKey} (p. 70) | -
GetIntrospectionSchema | Retrieves the introspection schema for a GraphQL API. | Read | - | - | -
GetResolver | Retrieves a Resolver object. | Read | - | - | -
GetSchemaCreationStatus | Retrieves the current status of a schema creation operation. | Read | - | - | -
GetType | Retrieves a Type object. | Read | - | - | -
GraphQL | Sends a GraphQL query to a GraphQL API. | Write | field* (p. 70), graphqlapi* (p. 70) | - | -
ListApiKeys | Lists the API keys for a given API. | List | - | - | -
ListDataSources | Lists the data sources for a given API. | List | - | - | -
ListFunctions | Lists the functions for a given API. | List | - | - | -
ListGraphqlApis | Lists your GraphQL APIs. | List | - | - | -
ListResolvers | Lists the resolvers for a given API and type. | List | - | - | -
ListResolversByFunction | Lists the resolvers that are associated with a specific function. | List | - | - | -
ListTagsForResource | Lists the tags for a resource. | Read | graphqlapi (p. 70) | aws:ResourceTag/${TagKey} (p. 70) | -
ListTypes | Lists the types for a given API. | List | - | - | -
SetWebACL | Gives WebAcl permissions to WAF. | Write | - | - | -
StartSchemaCreation | Adds a new schema to your GraphQL API. This operation is asynchronous; GetSchemaCreationStatus can show when it has completed. | Write | - | - | -
TagResource | Tags a resource. | Tagging | graphqlapi (p. 70) | aws:RequestTag/${TagKey} (p. 70), aws:ResourceTag/${TagKey} (p. 70), aws:TagKeys (p. 70) | -
UntagResource | Untags a resource. | Tagging | graphqlapi (p. 70) | aws:TagKeys (p. 70) | -
UpdateApiKey | Updates an API key for a given API. | Write | - | - | -
UpdateDataSource | Updates a DataSource object. | Write | - | - | -
UpdateFunction | Updates an existing Function object. | Write | - | - | -
UpdateGraphqlApi | Updates a GraphqlApi object. | Write | graphqlapi* (p. 70) | aws:ResourceTag/${TagKey} (p. 70) | iam:CreateServiceLinkedR
UpdateResolver | Updates a Resolver object. | Write | - | - | -
UpdateType | Updates a Type object. | Write | - | - | -

Resource types defined by AWS AppSync


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 66) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
datasource | arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/datasources/${DatasourceName} | -
graphqlapi | arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId} | aws:ResourceTag/${TagKey} (p. 70)
field | arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}/fields/${FieldName} | -
type | arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName} | -
function | arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/functions/${FunctionId} | -

Condition keys for AWS AppSync


AWS AppSync defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for AWS Artifact
AWS Artifact (service prefix: artifact) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Artifact (p. 71)
• Resource types defined by AWS Artifact (p. 71)
• Condition keys for AWS Artifact (p. 72)

Actions defined by AWS Artifact


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AcceptAgreement | Grants permission to accept an AWS agreement that has not yet been accepted by the customer account. | Write | agreement* (p. 72) | - | -
DownloadAgreement | Grants permission to download an AWS agreement that has not yet been accepted or a customer agreement that has been accepted by the customer account. | Read | agreement (p. 72), customer-agreement (p. 72) | - | -
Get | Grants permission to download an AWS compliance report package. | Read | report-package* (p. 72) | - | -
TerminateAgreement | Grants permission to terminate a customer agreement that was previously accepted by the customer account. | Write | customer-agreement* (p. 72) | - | -

Resource types defined by AWS Artifact


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 71) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
report-package | arn:${Partition}:artifact:::report-package/* | -
customer-agreement | arn:${Partition}:artifact::${Account}:customer-agreement/* | -
agreement | arn:${Partition}:artifact:::agreement/* | -

Condition keys for AWS Artifact


Artifact has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Athena
Amazon Athena (service prefix: athena) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Athena (p. 72)
• Resource types defined by Amazon Athena (p. 75)
• Condition keys for Amazon Athena (p. 75)

Actions defined by Amazon Athena


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchGetNamedQuery | Grants permissions to get information about one or more named queries. | Read | workgroup* (p. 75) | - | -
BatchGetQueryExecution | Grants permissions to get information about one or more query executions. | Read | workgroup* (p. 75) | - | -
CreateDataCatalog | Grants permissions to create a datacatalog. | Tagging | datacatalog* (p. 75) | aws:RequestTag/${TagKey} (p. 76), aws:TagKeys (p. 76) | -
CreateNamedQuery | Grants permissions to create a named query. | Write | workgroup* (p. 75) | - | -
CreateWorkGroup | Grants permissions to create a workgroup. | Tagging | workgroup* (p. 75) | aws:RequestTag/${TagKey} (p. 76), aws:TagKeys (p. 76) | -
DeleteDataCatalog | Grants permissions to delete a datacatalog. | Write | datacatalog* (p. 75) | - | -
DeleteNamedQuery | Grants permissions to delete the specified named query. | Write | workgroup* (p. 75) | - | -
DeleteWorkGroup | Grants permissions to delete a workgroup. | Write | workgroup* (p. 75) | - | -
GetDataCatalog | Grants permissions to get a datacatalog. | Read | datacatalog* (p. 75) | - | -
GetDatabase | Grants permissions to get a database for a given datacatalog. | Read | datacatalog* (p. 75) | - | -
GetNamedQuery | Grants permissions to get information about the specified named query. | Read | workgroup* (p. 75) | - | -
GetQueryExecution | Grants permissions to get information about the specified query execution. | Read | workgroup* (p. 75) | - | -
GetQueryResults | Grants permissions to get the query results. | Read | workgroup* (p. 75) | - | -
GetQueryResultsStream | Grants permissions to get the query results stream. | Read | workgroup* (p. 75) | - | -
GetTableMetadata | Grants permissions to get metadata about a table for a given datacatalog. | Read | datacatalog* (p. 75) | - | -
GetWorkGroup | Grants permissions to get a workgroup. | Read | workgroup* (p. 75) | - | -
ListDataCatalogs | Grants permissions to return a list of datacatalogs for the specified AWS account. | List | - | - | -
ListDatabases | Grants permissions to return a list of databases for a given datacatalog. | List | datacatalog* (p. 75) | - | -
ListNamedQueries | Grants permissions to return a list of named queries in Amazon Athena for the specified AWS account. | List | workgroup* (p. 75) | - | -
ListQueryExecutions | Grants permissions to return a list of query executions for the specified AWS account. | List | workgroup* (p. 75) | - | -
ListTableMetadata | Grants permissions to return a list of table metadata in a database for a given datacatalog. | List | datacatalog* (p. 75) | - | -
ListTagsForResource | Grants permissions to return a list of tags for a resource. | Read | datacatalog* (p. 75), workgroup* (p. 75) | - | -
ListWorkGroups | Grants permissions to return a list of workgroups for the specified AWS account. | List | - | - | -
StartQueryExecution | Grants permissions to start a query execution using an SQL query provided as a string. | Write | workgroup* (p. 75) | - | -
StopQueryExecution | Grants permissions to stop the specified query execution. | Write | workgroup* (p. 75) | - | -
TagResource | Grants permissions to add a tag to a resource. | Tagging | datacatalog* (p. 75), workgroup* (p. 75) | aws:RequestTag/${TagKey} (p. 76), aws:TagKeys (p. 76) | -
UntagResource | Grants permissions to remove a tag from a resource. | Tagging | datacatalog* (p. 75), workgroup* (p. 75) | aws:TagKeys (p. 76) | -
UpdateDataCatalog | Grants permissions to update a datacatalog. | Write | datacatalog* (p. 75) | - | -
UpdateWorkGroup | Grants permissions to update a workgroup. | Write | workgroup* (p. 75) | - | -

Resource types defined by Amazon Athena


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 72) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
datacatalog | arn:${Partition}:athena:${Region}:${Account}:datacatalog/${DataCatalogName} | aws:ResourceTag/${TagKey} (p. 76)
workgroup | arn:${Partition}:athena:${Region}:${Account}:workgroup/${WorkGroupName} | aws:ResourceTag/${TagKey} (p. 76)

Condition keys for Amazon Athena


Amazon Athena defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for AWS Audit Manager
AWS Audit Manager (service prefix: auditmanager) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Audit Manager (p. 76)
• Resource types defined by AWS Audit Manager (p. 81)
• Condition keys for AWS Audit Manager (p. 82)

Actions defined by AWS Audit Manager


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateAssessmentReportEvidenceFolder | Grants permission to associate an evidence folder with an assessment report in AWS Audit Manager | Write | assessment* (p. 81) | - | -
BatchAssociateAssessmentReportEvidence | Grants permission to associate a list of evidence to an assessment report in AWS Audit Manager | Write | assessment* (p. 81) | - | -
BatchCreateDelegationByAssessment | Grants permission to create delegations for an assessment in AWS Audit Manager | Write | assessment* (p. 81) | - | -
BatchDeleteDelegationByAssessment | Grants permission to delete delegations for an assessment in AWS Audit Manager | Write | assessment* (p. 81) | - | -
BatchDisassociateAssessmentReportEvidence | Grants permission to disassociate a list of evidence from an assessment report in AWS Audit Manager | Write | assessment* (p. 81) | - | -
BatchImportEvidenceToAssessmentControl | Grants permission to import a list of evidence to an assessment control in AWS Audit Manager | Write | assessmentControlSet* (p. 81) | - | -
CreateAssessment | Grants permission to create an assessment to be used with AWS Audit Manager | Write | - | aws:RequestTag/${TagKey} (p. 82), aws:TagKeys (p. 82) | -
CreateAssessmentFramework | Grants permission to create a framework for use in AWS Audit Manager | Write | - | - | -
CreateAssessmentReport | Grants permission to create an assessment report in AWS Audit Manager | Write | assessment* (p. 81) | - | -
CreateControl | Grants permission to create a control to be used in AWS Audit Manager | Write | - | aws:RequestTag/${TagKey} (p. 82), aws:TagKeys (p. 82) | -
DeleteAssessment | Grants permission to delete an assessment in AWS Audit Manager | Write | assessment* (p. 81) | aws:RequestTag/${TagKey} (p. 82), aws:TagKeys (p. 82) | -
DeleteAssessmentFramework | Grants permission to delete an assessment framework in AWS Audit Manager | Write | assessmentFramework* (p. 81) | aws:RequestTag/${TagKey} (p. 82), aws:TagKeys (p. 82) | -
DeleteAssessmentReport | Grants permission to delete an assessment report in AWS Audit Manager | Write | assessment* (p. 81) | - | -
DeleteControl | Grants permission to delete a control in AWS Audit Manager | Write | control* (p. 81) | aws:RequestTag/${TagKey} (p. 82), aws:TagKeys (p. 82) | -
DeregisterAccount | Grants permission to deregister an account in AWS Audit Manager | Write | - | - | -
DeregisterOrganizationAdminAccount | Grants permission to deregister the delegated administrator account for AWS Audit Manager | Write | - | - | -
DisassociateAssessmentReportEvidenceFolder | Grants permission to disassociate an evidence folder from an assessment report in AWS Audit Manager | Write | assessment* (p. 81) | - | -
GetAccountStatus | Grants permission to get the status of an account in AWS Audit Manager | Read | - | - | -
GetAssessment | Grants permission to get an assessment created in AWS Audit Manager | Read | assessment* (p. 81) | - | -
GetAssessmentFramework | Grants permission to get an assessment framework in AWS Audit Manager | Read | assessmentFramework* (p. 81) | - | -
GetAssessmentReportUrl | Grants permission to get the URL for an assessment report in AWS Audit Manager | Read | assessment* (p. 81) | - | -
GetChangeLogs | Grants permission to get changelogs for an assessment in AWS Audit Manager | Read | assessment* (p. 81) | - | -
GetControl | Grants permission to get a control in AWS Audit Manager | Read | control* (p. 81) | - | -
GetDelegations | Grants permission to get all delegations in AWS Audit Manager | List | - | - | -
GetEvidence | Grants permission to get evidence from AWS Audit Manager | Read | assessmentControlSet* (p. 81) | - | -
GetEvidenceByEvidenceFolder | Grants permission to get all the evidence from an evidence folder in AWS Audit Manager | Read | assessmentControlSet* (p. 81) | - | -
GetEvidenceFolder | Grants permission to get the evidence folder from AWS Audit Manager | Read | assessmentControlSet* (p. 81) | - | -
GetEvidenceFoldersByAssessment | Grants permission to get the evidence folders from an assessment in AWS Audit Manager | Read | assessment* (p. 81) | - | -
GetEvidenceFoldersByAssessmentControl | Grants permission to get the evidence folders from an assessment control in AWS Audit Manager | Read | assessmentControlSet* (p. 81) | - | -
GetOrganizationAdminAccount | Grants permission to get the delegated administrator account in AWS Audit Manager | Read | - | - | -
GetServicesInScope | Grants permission to get the services in scope for an assessment in AWS Audit Manager | Read | - | - | -
GetSettings | Grants permission to get all settings configured in AWS Audit Manager | Read | - | - | -
ListAssessmentFrameworks | Grants permission to list all assessment frameworks in AWS Audit Manager | List | - | - | -
ListAssessmentReports | Grants permission to list all assessment reports in AWS Audit Manager | List | - | - | -
ListAssessments | Grants permission to list all assessments in AWS Audit Manager | List | - | - | -
ListControls | Grants permission to list all controls in AWS Audit Manager | List | - | - | -
ListKeywordsForDataSource | Grants permission to list all the data source keywords in AWS Audit Manager | List | - | - | -
ListNotifications | Grants permission to list all notifications in AWS Audit Manager | List | - | - | -
ListTagsForResource | Grants permission to list tags for an AWS Audit Manager resource | List | assessment (p. 81), control (p. 81) | - | -
RegisterAccount | Grants permission to register an account in AWS Audit Manager | Write | - | - | -
RegisterOrganizationAdminAccount | Grants permission to register an account within the organization as the delegated administrator for AWS Audit Manager | Write | - | - | -
TagResource | Grants permission to tag an AWS Audit Manager resource | Tagging | assessment (p. 81), control (p. 81) | aws:TagKeys (p. 82), aws:RequestTag/${TagKey} (p. 82) | -
UntagResource | Grants permission to untag an AWS Audit Manager resource | Tagging | assessment (p. 81), control (p. 81) | aws:TagKeys (p. 82) | -
UpdateAssessment | Grants permission to update an assessment in AWS Audit Manager | Write | assessment* (p. 81) | - | -
UpdateAssessmentControl | Grants permission to update an assessment control in AWS Audit Manager | Write | assessmentControlSet* (p. 81) | - | -
UpdateAssessmentControlSetStatus | Grants permission to update the status of an assessment control set in AWS Audit Manager | Write | assessmentControlSet* (p. 81) | - | -
UpdateAssessmentFramework | Grants permission to update an assessment framework in AWS Audit Manager | Write | assessmentFramework* (p. 81) | - | -
UpdateAssessmentStatus | Grants permission to update the status of an assessment in AWS Audit Manager | Write | assessment* (p. 81) | - | -
UpdateControl | Grants permission to update a control in AWS Audit Manager | Write | control* (p. 81) | - | -
UpdateSettings | Grants permission to update settings in AWS Audit Manager | Write | - | - | -
Grants permission to validate Read      


ValidateAssessmentReportIntegrity
the integrity of an assessment
report in AWS Audit Manager

Resource types defined by AWS Audit Manager

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 76) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
assessment | arn:${Partition}:auditmanager:${Region}:${Account}:assessment/${assessmentId} |
assessmentFramework | arn:${Partition}:auditmanager:${Region}:${Account}:assessment/${assessmentFrameworkId} |
assessmentControlSet | arn:${Partition}:auditmanager:${Region}:${Account}:assessment/${assessmentId}/controlSet/{controlSetId} |
control | arn:${Partition}:auditmanager:${Region}:${Account}:control/${controlId} | aws:ResourceTag/${TagKey} (p. 82)


Condition keys for AWS Audit Manager

AWS Audit Manager defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String

Actions, resources, and condition keys for AWS Auto Scaling

AWS Auto Scaling (service prefix: autoscaling-plans) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Auto Scaling (p. 82)
• Resource types defined by AWS Auto Scaling (p. 83)
• Condition keys for AWS Auto Scaling (p. 83)

Actions defined by AWS Auto Scaling

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateScalingPlan | Creates a scaling plan. | Write | | |
DeleteScalingPlan | Deletes the specified scaling plan. | Write | | |
DescribeScalingPlanResources | Describes the scalable resources in the specified scaling plan. | Read | | |
DescribeScalingPlans | Describes the specified scaling plans or all of your scaling plans. | Read | | |
GetScalingPlanResourceForecastData | Retrieves the forecast data for a scalable resource. | Read | | |
UpdateScalingPlan | Updates a scaling plan. | Write | | |

Resource types defined by AWS Auto Scaling

AWS Auto Scaling does not support specifying a resource ARN in the Resource element of an IAM policy
statement. To allow access to AWS Auto Scaling, specify "Resource": "*" in your policy.

Condition keys for AWS Auto Scaling

Auto Scaling has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Backup

AWS Backup (service prefix: backup) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Backup (p. 84)
• Resource types defined by AWS Backup (p. 88)
• Condition keys for AWS Backup (p. 88)


Actions defined by AWS Backup

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CopyFromBackupVault [permission only] | Allows copying from a backup vault | Write | | backup:CopyTargets (p. 89), backup:CopyTargetOrgPaths (p. 88) |
CopyIntoBackupVault [permission only] | Allows copying into a backup vault | Write | | aws:RequestTag/${TagKey} (p. 88) |
CreateBackupPlan | Creates a new backup plan | Write | backupPlan* (p. 88) | aws:RequestTag/${TagKey} (p. 88), aws:TagKeys (p. 88) |
CreateBackupSelection | Creates a new resource assignment in a backup plan. | Write | backupPlan* (p. 88) | | iam:PassRole
CreateBackupVault | Creates a new backup vault. | Write | backupVault* (p. 88) | aws:RequestTag/${TagKey} (p. 88), aws:TagKeys (p. 88) |
DeleteBackupPlan | Deletes a backup plan. | Write | backupPlan* (p. 88) | |
DeleteBackupSelection | Deletes a resource assignment from a backup plan. | Write | backupPlan* (p. 88) | |
DeleteBackupVault | Deletes a backup vault. | Write | backupVault* (p. 88) | |
DeleteBackupVaultAccessPolicy | Deletes backup vault access policy. | Write | backupVault* (p. 88) | |
DeleteBackupVaultNotifications | Removes notifications from backup vault. | Write | backupVault* (p. 88) | |
DeleteRecoveryPoint | Deletes a recovery point from a backup vault. | Write | recoveryPoint* (p. 88) | |
DescribeBackupJob | Describes a backup job | Read | | |
DescribeBackupVault | Describes a new backup vault with the specified name. | Read | backupVault* (p. 88) | |
DescribeCopyJob | Describes a copy job | Read | | aws:RequestTag/${TagKey} (p. 88), aws:TagKeys (p. 88) |
DescribeGlobalSettings | Describes global settings | Read | | |
DescribeProtectedResource | Describes a protected resource. | Read | | |
DescribeRecoveryPoint | Describes a recovery point. | Read | recoveryPoint* (p. 88) | |
DescribeRegionSettings | Describes region settings | Read | | |
DescribeRestoreJob | Describes a restore job. | Read | | |
ExportBackupPlanTemplate | Exports a backup plan as a JSON. | Read | | |
GetBackupPlan | Gets a backup plan. | Read | backupPlan* (p. 88) | |
GetBackupPlanFromJSON | Transforms a JSON to a backup plan. | Read | | |
GetBackupPlanFromTemplate | Transforms a template to a backup plan. | Read | | |
GetBackupSelection | Gets a backup plan resource assignment. | Read | backupPlan* (p. 88) | |
GetBackupVaultAccessPolicy | Gets backup vault access policy. | Read | backupVault* (p. 88) | |
GetBackupVaultNotifications | Gets backup vault notifications. | Read | backupVault* (p. 88) | |
GetRecoveryPointRestoreMetadata | Gets recovery point restore metadata. | Read | recoveryPoint* (p. 88) | |
GetSupportedResourceTypes | Gets supported resource types. | Read | | |
ListBackupJobs | Lists backup jobs. | List | | |
ListBackupPlanTemplates | Lists backup plan templates provided by AWS Backup. | List | | |
ListBackupPlanVersions | Lists backup plan versions. | List | backupPlan* (p. 88) | |
ListBackupPlans | Lists backup plans. | List | | |
ListBackupSelections | Lists resource assignments for a specific backup plan. | List | backupPlan* (p. 88) | |
ListBackupVaults | Lists backup vaults. | List | | |
ListCopyJobs | Lists copy jobs | List | | |
ListProtectedResources | Lists protected resources by AWS Backup. | List | | |
ListRecoveryPointsByBackupVault | Lists recovery points inside a backup vault. | List | backupVault* (p. 88) | |
ListRecoveryPointsByResource | Lists recovery points for a resource. | List | | |
ListRestoreJobs | Lists restore jobs. | List | | |
ListTags | Lists tags for a resource. | List | backupPlan (p. 88), backupVault (p. 88), recoveryPoint (p. 88) | |
PutBackupVaultAccessPolicy | Adds an access policy to the backup vault. | Write | backupVault* (p. 88) | |
PutBackupVaultNotifications | Adds an SNS topic to the backup vault. | Write | backupVault* (p. 88) | |
StartBackupJob | Starts a new backup job. | Write | backupVault* (p. 88) | | iam:PassRole
StartCopyJob | Copy a backup from a source backup vault to a destination backup vault. | Write | recoveryPoint* (p. 88) | aws:RequestTag/${TagKey} (p. 88), aws:TagKeys (p. 88) | iam:PassRole
StartRestoreJob | Starts a new restore job. | Write | recoveryPoint* (p. 88) | | iam:PassRole
StopBackupJob | Stops a backup job. | Write | | |
TagResource | Tags a resource. | Tagging | backupPlan (p. 88), backupVault (p. 88), recoveryPoint (p. 88) | aws:RequestTag/${TagKey} (p. 88), aws:TagKeys (p. 88) |
UntagResource | Untags a resource. | Tagging | backupPlan (p. 88), backupVault (p. 88), recoveryPoint (p. 88) | aws:TagKeys (p. 88) |
UpdateBackupPlan | Updates a backup plan. | Write | backupPlan* (p. 88) | |
UpdateGlobalSettings | Updates global settings | Write | | |
UpdateRecoveryPointLifecycle | Updates the lifecycle of the recovery point. | Write | recoveryPoint* (p. 88) | |
UpdateRegionSettings | Describes region settings | Write | | |

Resource types defined by AWS Backup

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 84) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
backupVault | arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName} | aws:ResourceTag/${TagKey} (p. 88)
backupPlan | arn:${Partition}:backup:${Region}:${Account}:backup-plan:${BackupPlanId} | aws:ResourceTag/${TagKey} (p. 88)
recoveryPoint | arn:${Partition}:${Vendor}:${Region}:*:${ResourceType}:${RecoveryPointId} | aws:ResourceTag/${TagKey} (p. 88)

Condition keys for AWS Backup

AWS Backup defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String
backup:CopyTargetOrgPaths | Filters actions based on the organization unit. | String
backup:CopyTargets | Filters actions based on the ARN of a backup vault. | String

Actions, resources, and condition keys for AWS Backup storage

AWS Backup storage (service prefix: backup-storage) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Backup storage (p. 89)
• Resource types defined by AWS Backup storage (p. 90)
• Condition keys for AWS Backup storage (p. 90)

Actions defined by AWS Backup storage

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
MountCapsule [permission only] | Associates a KMS key to a backup vault | Write | | |

Resource types defined by AWS Backup storage

AWS Backup storage does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to AWS Backup storage, specify "Resource": "*" in your policy.

Condition keys for AWS Backup storage

Backup Storage has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS Batch

AWS Batch (service prefix: batch) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Batch (p. 90)
• Resource types defined by AWS Batch (p. 93)
• Condition keys for AWS Batch (p. 94)

Actions defined by AWS Batch

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CancelJob | Cancels a job in an AWS Batch job queue. | Write | job* (p. 94) | |
CreateComputeEnvironment | Creates an AWS Batch compute environment. | Write | | aws:RequestTag/${TagKey} (p. 94), aws:TagKeys (p. 94) |
CreateJobQueue | Creates an AWS Batch job queue. | Write | compute-environment* (p. 94) | aws:RequestTag/${TagKey} (p. 94), aws:TagKeys (p. 94) |
DeleteComputeEnvironment | Deletes an AWS Batch compute environment. | Write | compute-environment* (p. 94) | |
DeleteJobQueue | Deletes the specified job queue. | Write | job-queue* (p. 94) | |
DeregisterJobDefinition | Deregisters an AWS Batch job definition. | Write | job-definition* (p. 94) | |
DescribeComputeEnvironments | Describes one or more of your compute environments. | Read | | |
DescribeJobDefinitions | Describes a list of job definitions. | Read | | |
DescribeJobQueues | Describes one or more of your job queues. | Read | | |
DescribeJobs | Describes a list of AWS Batch jobs. | Read | | |
ListJobs | Returns a list of task jobs for a specified job queue. | List | | |
ListTagsForResource | List tags for the specified resource. | List | compute-environment (p. 94), job (p. 94), job-definition (p. 94), job-queue (p. 94) | |
RegisterJobDefinition | Registers an AWS Batch job definition. | Write | | batch:User (p. 94), batch:Privileged (p. 94), batch:Image (p. 94), batch:LogDriver (p. 94), batch:AWSLogsGroup (p. 94), batch:AWSLogsRegion (p. 94), batch:AWSLogsStreamPrefix (p. 94), batch:AWSLogsCreateGroup (p. 94), aws:RequestTag/${TagKey} (p. 94), aws:TagKeys (p. 94) |
SubmitJob | Submits an AWS Batch job from a job definition. | Write | job-definition* (p. 94), job-queue* (p. 94) | aws:RequestTag/${TagKey} (p. 94), aws:TagKeys (p. 94) |
TagResource | Tags the specified resource. | Tagging | compute-environment (p. 94), job (p. 94), job-definition (p. 94), job-queue (p. 94) | aws:RequestTag/${TagKey} (p. 94), aws:TagKeys (p. 94) |
TerminateJob | Terminates a job in an AWS Batch job queue. | Write | job* (p. 94) | |
UntagResource | Untags the specified resource. | Tagging | compute-environment (p. 94), job (p. 94), job-definition (p. 94), job-queue (p. 94) | aws:TagKeys (p. 94) |
UpdateComputeEnvironment | Updates an AWS Batch compute environment. | Write | compute-environment* (p. 94) | |
UpdateJobQueue | Updates a job queue. | Write | job-queue* (p. 94) | |

Resource types defined by AWS Batch

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 90) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
compute-environment | arn:${Partition}:batch:${Region}:${Account}:compute-environment/${ComputeEnvironmentName} | aws:ResourceTag/${TagKey} (p. 94)
job-queue | arn:${Partition}:batch:${Region}:${Account}:job-queue/${JobQueueName} | aws:ResourceTag/${TagKey} (p. 94)
job-definition | arn:${Partition}:batch:${Region}:${Account}:job-definition/${JobDefinitionName}:${Revision} | aws:ResourceTag/${TagKey} (p. 94)
job | arn:${Partition}:batch:${Region}:${Account}:job/${jobId} | aws:ResourceTag/${TagKey} (p. 94)

Condition keys for AWS Batch

AWS Batch defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request. | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource. | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request. | String
batch:AWSLogsCreateGroup | When this parameter is true, the awslogs-group will be created for the logs. | Boolean
batch:AWSLogsGroup | The awslogs group where the logs are located. | String
batch:AWSLogsRegion | The region where the logs are sent to. | String
batch:AWSLogsStreamPrefix | The awslogs log stream prefix. | String
batch:Image | The image used to start a container. | String
batch:LogDriver | The log driver used for the container. | String
batch:Privileged | When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user). | Boolean
batch:User | The user name or numeric uid to use inside the container. | String


Actions, resources, and condition keys for AWS Billing

AWS Billing (service prefix: aws-portal) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Billing (p. 95)
• Resource types defined by AWS Billing (p. 96)
• Condition keys for AWS Billing (p. 96)

Actions defined by AWS Billing

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
ModifyAccount | Allow or deny IAM users permission to modify Account Settings. | Write | | |
ModifyBilling | Allow or deny IAM users permission to modify billing settings. | Write | | |
ModifyPaymentMethods | Allow or deny IAM users permission to modify payment methods. | Write | | |
ViewAccount | Allow or deny IAM users permission to view account settings. | Read | | |
ViewBilling | Allow or deny IAM users permission to view billing pages in the console. | Read | | |
ViewPaymentMethods | Allow or deny IAM users permission to view payment methods. | Read | | |
ViewUsage | Allow or deny IAM users permission to view AWS usage reports. | Read | | |

Resource types defined by AWS Billing

AWS Billing does not support specifying a resource ARN in the Resource element of an IAM policy
statement. To allow access to AWS Billing, specify "Resource": "*" in your policy.

Condition keys for AWS Billing

Billing has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Braket

Amazon Braket (service prefix: braket) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Braket (p. 96)
• Resource types defined by Amazon Braket (p. 98)
• Condition keys for Amazon Braket (p. 98)

Actions defined by Amazon Braket

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CancelQuantumTask | Grants permission to cancel a quantum task. | Write | quantum-task* (p. 98) | |
CreateQuantumTask | Grants permission to create a quantum task. | Write | quantum-task* (p. 98) | aws:RequestTag/${TagKey} (p. 98), aws:TagKeys (p. 98) |
GetDevice | Grants permission to retrieve information about the devices available in Amazon Braket. | Read | | |
GetQuantumTask | Grants permission to retrieve quantum tasks. | Read | quantum-task* (p. 98) | |
ListTagsForResource | Lists the tags that have been applied to the quantum task resource. | Read | quantum-task (p. 98) | |
SearchDevices | Grants permission to search for devices available in Amazon Braket. | Read | | |
SearchQuantumTasks | Grants permission to search for quantum tasks. | Read | | |
TagResource | Adds one or more tags to a quantum task. | Tagging | quantum-task (p. 98) | aws:RequestTag/${TagKey} (p. 98), aws:TagKeys (p. 98) |
UntagResource | Remove one or more tags from a quantum task resource. A tag consists of a key-value pair. | Tagging | quantum-task (p. 98) | aws:TagKeys (p. 98) |

Resource types defined by Amazon Braket


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 96) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| quantum-task | arn:${Partition}:braket:${Region}:${Account}:quantum-task/${RandomId} | aws:ResourceTag/${TagKey} (p. 98) |

Condition keys for Amazon Braket


Amazon Braket defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |

Actions, resources, and condition keys for AWS Budget Service

AWS Budget Service (service prefix: budgets) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.


References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Budget Service (p. 99)
• Resource types defined by AWS Budget Service (p. 100)
• Condition keys for AWS Budget Service (p. 100)

Actions defined by AWS Budget Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).
Note: The actions in this table are not APIs, but are instead permissions that grant access to the AWS
Billing and Cost Management APIs that access budgets.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateBudgetAction | Grants permissions to create and define a response that you can configure to execute once your budget has exceeded a specific budget threshold. | Write | budgetAction* (p. 100) | | iam:PassRole |
| DeleteBudgetAction | Grants permissions to delete an action that is associated with a specific budget. | Write | budgetAction* (p. 100) | | |
| DescribeBudgetAction | Grants permissions to retrieve the details of a specific budget action associated with a budget. | Read | budgetAction* (p. 100) | | |
| DescribeBudgetActionHistories | Grants permissions to retrieve a historical view of the budget action statuses associated with a particular budget action. These statuses include 'Standby', 'Pending' and 'Executed'. | Read | budgetAction* (p. 100) | | |
| DescribeBudgetActionsForAccount | Grants permissions to retrieve the details of all of the budget actions associated with your account. | Read | | | |
| DescribeBudgetActionsForBudget | Grants permissions to retrieve the details of all of the budget actions associated with a budget. | Read | budget* (p. 100) | | |
| ExecuteBudgetAction | Grants permissions to initiate a pending budget action as well as reverse a previously executed budget action. | Write | budgetAction* (p. 100) | | |
| ModifyBudget | Grants permissions to modify budgets and budget details. | Write | budget* (p. 100) | | |
| UpdateBudgetAction | Grants permissions to update the details of a specific budget action associated with a budget. | Write | budgetAction* (p. 100) | | iam:PassRole |
| ViewBudget | Grants permissions to view budgets and budget details. | Read | budget* (p. 100) | | |

Resource types defined by AWS Budget Service


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 99) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| budget | arn:${Partition}:budgets::${Account}:budget/${BudgetName} | |
| budgetAction | arn:${Partition}:budgets::${Account}:budget/${BudgetName}/action/${ActionId} | |

Condition keys for AWS Budget Service


Budget has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.


Actions, resources, and condition keys for AWS Certificate Manager

AWS Certificate Manager (service prefix: acm) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Certificate Manager (p. 101)
• Resource types defined by AWS Certificate Manager (p. 103)
• Condition keys for AWS Certificate Manager (p. 103)

Actions defined by AWS Certificate Manager


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddTagsToCertificate | Adds one or more tags to a certificate. | Tagging | certificate* (p. 103) | aws:RequestTag/${TagKey} (p. 103), aws:TagKeys (p. 103) | |
| DeleteCertificate | Deletes a certificate and its associated private key. | Write | certificate* (p. 103) | | |
| DescribeCertificate | Returns a list of the fields contained in the specified certificate. | Read | certificate* (p. 103) | | |
| ExportCertificate | Exports a private certificate issued by a private certificate authority (CA) for use anywhere. | Read | certificate* (p. 103) | | |
| GetCertificate | Retrieves a certificate and certificate chain for the certificate specified by an ARN. | Read | certificate* (p. 103) | | |
| ImportCertificate | Imports a third-party SSL/TLS certificate into AWS Certificate Manager (ACM). | Write | certificate* (p. 103) | aws:RequestTag/${TagKey} (p. 103), aws:TagKeys (p. 103) | |
| ListCertificates | Retrieves a list of the certificate ARNs and the domain name for each ARN. | List | | | |
| ListTagsForCertificate | Lists the tags that have been applied to the certificate. | Read | | | |
| RemoveTagsFromCertificate | Removes one or more tags from a certificate. A tag consists of a key-value pair. | Tagging | certificate* (p. 103) | aws:RequestTag/${TagKey} (p. 103), aws:TagKeys (p. 103) | |
| RenewCertificate | Renews an eligible private certificate. | Write | certificate* (p. 103) | | |
| RequestCertificate | Requests a public or private certificate. | Write | | aws:RequestTag/${TagKey} (p. 103), aws:TagKeys (p. 103) | |
| ResendValidationEmail | Resends an email to request domain ownership validation. | Write | certificate* (p. 103) | | |
| UpdateCertificateOptions | Updates a certificate. Use to specify whether to opt in to or out of certificate transparency logging. | Write | certificate* (p. 103) | | |


Resource types defined by AWS Certificate Manager


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 101) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| certificate | arn:${Partition}:acm:${Region}:${Account}:certificate/${CertificateId} | aws:ResourceTag/${TagKey} (p. 103) |

Condition keys for AWS Certificate Manager


AWS Certificate Manager defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |

Actions, resources, and condition keys for AWS Certificate Manager Private Certificate Authority

AWS Certificate Manager Private Certificate Authority (service prefix: acm-pca) provides the following
service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Certificate Manager Private Certificate Authority (p. 104)
• Resource types defined by AWS Certificate Manager Private Certificate Authority (p. 106)
• Condition keys for AWS Certificate Manager Private Certificate Authority (p. 106)


Actions defined by AWS Certificate Manager Private Certificate Authority

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateCertificateAuthority | Creates an ACM Private CA and its associated private key and configuration. | Tagging | | aws:RequestTag/${TagKey} (p. 107), aws:TagKeys (p. 107) | |
| CreateCertificateAuthorityAuditReport | Creates an audit report for an ACM Private CA. | Write | certificate-authority* (p. 106) | | |
| CreatePermission | Creates a permission for an ACM Private CA. | Permissions management | certificate-authority* (p. 106) | | |
| DeleteCertificateAuthority | Deletes an ACM Private CA and its associated private key and configuration. | Write | certificate-authority* (p. 106) | | |
| DeletePermission | Deletes a permission for an ACM Private CA. | Permissions management | certificate-authority* (p. 106) | | |
| DeletePolicy | Deletes the policy for an ACM Private CA. | Permissions management | certificate-authority* (p. 106) | | |
| DescribeCertificateAuthority | Returns a list of the configuration and status fields contained in the specified ACM Private CA. | Read | certificate-authority* (p. 106) | | |
| DescribeCertificateAuthorityAuditReport | Returns the status and information about an ACM Private CA audit report. | Read | certificate-authority* (p. 106) | | |
| GetCertificate | Retrieves an ACM Private CA certificate and certificate chain for the certificate authority specified by an ARN. | Read | certificate-authority* (p. 106) | | |
| GetCertificateAuthorityCertificate | Retrieves an ACM Private CA certificate and certificate chain for the certificate authority specified by an ARN. | Read | certificate-authority* (p. 106) | | |
| GetCertificateAuthorityCsr | Retrieves an ACM Private CA certificate signing request (CSR) for the certificate authority specified by an ARN. | Read | certificate-authority* (p. 106) | | |
| GetPolicy | Retrieves the policy on an ACM Private CA. | Read | certificate-authority* (p. 106) | | |
| ImportCertificateAuthorityCertificate | Imports an SSL/TLS certificate into ACM Private CA for use as the CA certificate of an ACM Private CA. | Write | certificate-authority* (p. 106) | | |
| IssueCertificate | Issues an ACM Private CA certificate. | Write | certificate-authority* (p. 106) | acm-pca:TemplateArn (p. 107) | |
| ListCertificateAuthorities | Retrieves a list of the ACM Private CA certificate authority ARNs, and a summary of the status of each CA in the calling account. | List | | | |
| ListPermissions | Lists the permissions that have been applied to the ACM Private CA certificate authority. | Read | certificate-authority* (p. 106) | | |
| ListTags | Lists the tags that have been applied to the ACM Private CA certificate authority. | Read | certificate-authority* (p. 106) | | |
| PutPolicy | Puts a policy on an ACM Private CA. | Permissions management | certificate-authority* (p. 106) | | |
| RestoreCertificateAuthority | Restores an ACM Private CA from the deleted state to the state it was in when deleted. | Write | certificate-authority* (p. 106) | | |
| RevokeCertificate | Revokes a certificate issued by an ACM Private CA. | Write | certificate-authority* (p. 106) | | |
| TagCertificateAuthority | Adds one or more tags to an ACM Private CA. | Tagging | certificate-authority* (p. 106) | aws:TagKeys (p. 107), aws:RequestTag/${TagKey} (p. 107) | |
| UntagCertificateAuthority | Removes one or more tags from an ACM Private CA. | Tagging | certificate-authority* (p. 106) | aws:TagKeys (p. 107) | |
| UpdateCertificateAuthority | Updates the configuration of an ACM Private CA. | Write | certificate-authority* (p. 106) | | |

Resource types defined by AWS Certificate Manager Private Certificate Authority

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 104) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| certificate-authority | arn:${Partition}:acm-pca:${Region}:${Account}:certificate-authority/${CertificateAuthorityId} | aws:ResourceTag/${TagKey} (p. 107) |

Condition keys for AWS Certificate Manager Private Certificate Authority

AWS Certificate Manager Private Certificate Authority defines the following condition keys that can be
used in the Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).


To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| acm-pca:TemplateArn | Filters issue certificate requests based on the presence of TemplateArn in the request. | String |
| aws:RequestTag/${TagKey} | Filters create requests based on the allowed set of values for each of the tags. | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource. | String |
| aws:TagKeys | Filters create requests based on the presence of mandatory tags in the request. | String |

Actions, resources, and condition keys for AWS Chatbot

AWS Chatbot (service prefix: chatbot) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

Topics
• Actions defined by AWS Chatbot (p. 107)
• Resource types defined by AWS Chatbot (p. 108)
• Condition keys for AWS Chatbot (p. 109)

Actions defined by AWS Chatbot


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateChimeWebhookConfiguration | Creates an AWS Chatbot Chime Webhook Configuration. | Write | | | |
| CreateSlackChannelConfiguration | Creates an AWS Chatbot Slack Channel Configuration. | Write | | | |
| DeleteChimeWebhookConfiguration | Deletes an AWS Chatbot Chime Webhook Configuration. | Write | | | |
| DeleteSlackChannelConfiguration | Deletes an AWS Chatbot Slack Channel Configuration. | Write | | | |
| DescribeChimeWebhookConfigurations | Lists all AWS Chatbot Chime Webhook Configurations in an AWS account. | Read | | | |
| DescribeSlackChannelConfigurations | Lists all AWS Chatbot Slack Channel Configurations in an AWS account. | Read | | | |
| DescribeSlackChannels | Lists all public Slack channels in the Slack workspace connected to the AWS account onboarded with the AWS Chatbot service. | Read | | | |
| DescribeSlackWorkspaces | Lists all authorized Slack workspaces connected to the AWS account onboarded with the AWS Chatbot service. | Read | | | |
| GetSlackOauthParameters | Generates OAuth parameters to request a Slack OAuth code to be used by the AWS Chatbot service. | Read | | | |
| RedeemSlackOauthCode | Redeems previously generated parameters with the Slack API to acquire OAuth tokens to be used by the AWS Chatbot service. | Write | | | |
| UpdateChimeWebhookConfiguration | Updates an AWS Chatbot Chime Webhook Configuration. | Write | | | |
| UpdateSlackChannelConfiguration | Updates an AWS Chatbot Slack Channel Configuration. | Write | | | |

Resource types defined by AWS Chatbot


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 107) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).


| Resource types | ARN | Condition keys |
|---|---|---|
| ChatbotConfiguration | arn:${Partition}:chatbot::${account}:${resourceType}/${resourceName} | |

Condition keys for AWS Chatbot


Chatbot has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Chime

Amazon Chime (service prefix: chime) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Chime (p. 109)
• Resource types defined by Amazon Chime (p. 131)
• Condition keys for Amazon Chime (p. 132)

Actions defined by Amazon Chime


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptDelegate | Grants permission to accept the delegate invitation to share management of an Amazon Chime account with another AWS account | Write | | | |
| ActivateUsers | Grants permission to activate users in an Amazon Chime Enterprise account | Write | | | |
| AddDomain | Grants permission to add a domain to your Amazon Chime account | Write | | | |
| AddOrUpdateGroups | Grants permission to add new or update existing Active Directory or Okta user groups associated with your Amazon Chime Enterprise account | Write | | | |
| AssociatePhoneNumberWithUser | Grants permission to associate a phone number with an Amazon Chime user | Write | | | |
| AssociatePhoneNumbersWithVoiceConnector | Grants permission to associate multiple phone numbers with an Amazon Chime Voice Connector | Write | | | |
| AssociatePhoneNumbersWithVoiceConnectorGroup | Grants permission to associate multiple phone numbers with an Amazon Chime Voice Connector Group | Write | | | |
| AssociateSigninDelegateGroupsWithAccount | Grants permission to associate the specified sign-in delegate groups with the specified Amazon Chime account | Write | | | |
| AuthorizeDirectory | Grants permission to authorize an Active Directory for your Amazon Chime Enterprise account | Write | | | |
| BatchCreateAttendee | Grants permission to create new attendees for an active Amazon Chime SDK meeting | Write | meeting* (p. 132) | | |
| BatchCreateRoomMembership | Grants permission to batch add room members | Write | | | |
| BatchDeletePhoneNumber | Grants permission to move up to 50 phone numbers to the deletion queue | Write | | | |
| BatchSuspendUser | Grants permission to suspend up to 50 users from a Team or EnterpriseLWA Amazon Chime account | Write | | | |
| BatchUnsuspendUser | Grants permission to remove the suspension from up to 50 previously suspended users for the specified Amazon Chime EnterpriseLWA account | Write | | | |
| BatchUpdatePhoneNumber | Grants permission to update phone number details within the UpdatePhoneNumberRequestItem object for up to 50 phone numbers | Write | | | |
| BatchUpdateUser | Grants permission to update user details within the UpdateUserRequestItem object for up to 20 users for the specified Amazon Chime account | Write | | | |
| Connect | Grants permission to establish a web socket connection to the messaging session endpoint | Write | | | |
| ConnectDirectory | Grants permission to connect an Active Directory to your Amazon Chime Enterprise account | Write | | | ds:ConnectDirectory |
| CreateAccount | Grants permission to create an Amazon Chime account under the administrator's AWS account | Write | | | |
| CreateApiKey | Grants permission to create a new SCIM access key for your Amazon Chime account and Okta configuration | Write | | | |
| CreateAppInstance | Grants permission to create an app instance under the AWS account | Write | | aws:TagKeys (p. 132), aws:RequestTag/${TagKey} (p. 132) | |
| CreateAppInstanceAdmin | Grants permission to promote an AppInstanceUser to an AppInstanceAdmin | Write | app-instance* (p. 132), app-instance-user* (p. 132) | | |
| CreateAppInstanceUser | Grants permission to create a user under an Amazon Chime AppInstance | Write | | aws:TagKeys (p. 132), aws:RequestTag/${TagKey} (p. 132) | |
| CreateAttendee | Grants permission to create a new attendee for an active Amazon Chime SDK meeting | Write | meeting* (p. 132) | | |
| CreateBot | Grants permission to create a bot for an Amazon Chime Enterprise account | Write | | | |
| CreateBotMembership | Grants permission to add a bot to a chat room in your Amazon Chime Enterprise account | Write | | | |
| CreateCDRBucket | Grants permission to create a new Call Detail Record S3 bucket | Write | | | s3:CreateBucket, s3:ListAllMyBuckets |
| CreateChannel | Grants permission to create a channel for an app instance under the AWS account | Write | app-instance-user* (p. 132) | aws:TagKeys (p. 132), aws:RequestTag/${TagKey} (p. 132) | |
| CreateChannelBan | Grants permission to ban a user from a channel | Write | app-instance-user* (p. 132), channel* (p. 132) | | |
| CreateChannelMembership | Grants permission to add a user to a channel | Write | app-instance-user* (p. 132), channel* (p. 132) | | |
| CreateChannelModerator | Grants permission to create a channel moderator | Write | app-instance-user* (p. 132), channel* (p. 132) | | |
| CreateMeeting | Grants permission to create a new Amazon Chime SDK meeting in the specified media Region, with no initial attendees | Write | | aws:RequestTag/${TagKey} (p. 132), aws:TagKeys (p. 132) | |
| CreateMeetingDialOut | Grants permission to call a phone number to join the specified Amazon Chime SDK meeting | Write | meeting* (p. 132) | | |
| CreateMeetingWithAttendees | Grants permission to create a new Amazon Chime SDK meeting in the specified media Region, with a set of attendees | Write | | aws:RequestTag/${TagKey} (p. 132), aws:TagKeys (p. 132) | |
| CreatePhoneNumberOrder | Grants permission to create a phone number order with the carriers | Write | | | |
| CreateProxySession | Grants permission to create a proxy session for the specified Amazon Chime Voice Connector | Write | | | |
| CreateRoom | Grants permission to create a room | Write | | | |
| CreateRoomMembership | Grants permission to add a room member | Write | | | |
| CreateSipMediaApplication | Grants permission to create an Amazon Chime SIP media application under the administrator's AWS account | Write | | | |
| CreateSipMediaApplicationCall | Grants permission to create an outbound call for an Amazon Chime SIP media application under the administrator's AWS account | Write | | | |
| CreateSipRule | Grants permission to create an Amazon Chime SIP rule under the administrator's AWS account | Write | | | |
| CreateUser | Grants permission to create a user under the specified Amazon Chime account | Write | | | |
| CreateVoiceConnector | Grants permission to create an Amazon Chime Voice Connector under the administrator's AWS account | Write | | | |
| CreateVoiceConnectorGroup | Grants permission to create an Amazon Chime Voice Connector Group under the administrator's AWS account | Write | | | |
| DeleteAccount | Grants permission to delete the specified Amazon Chime account | Write | | | |
| DeleteAccountOpenIdConfig | Grants permission to delete the OpenIdConfig attributes from your Amazon Chime account | Write | | | |
| DeleteApiKey | Grants permission to delete the specified SCIM access key associated with your Amazon Chime account and Okta configuration | Write | | | |
| DeleteAppInstance | Grants permission to delete an AppInstance | Write | app-instance* (p. 132) | | |

Grants permission to demote Write app-    


DeleteAppInstanceAdmin
an AppInstanceAdmin to an instance*
AppInstanceUser (p. 132)

app-    
instance-
user*
(p. 132)

Grants permission to disable Write app-    


DeleteAppInstanceStreamingConfigurations
data streaming for the app instance*
instance (p. 132)

Grants permission to delete an Write app-    


DeleteAppInstanceUser
AppInstanceUser instance-
user*
(p. 132)

Grants permission to delete Write meeting*    


DeleteAttendee the specified attendee from an (p. 132)
Amazon Chime SDK meeting

Grants permission to delete a Write     s3:DeleteBucket


DeleteCDRBucketCall Detail Record S3 bucket
from your Amazon Chime
account

114
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to delete a Write app-    


DeleteChannel channel instance-
user*
(p. 132)

channel*    
(p. 132)

Grants permission to remove a Write app-    


DeleteChannelBanuser from a channel's ban list instance-
user*
(p. 132)

channel*    
(p. 132)

Grants permission to remove a Write app-    


DeleteChannelMembership
member from a channel instance-
user*
(p. 132)

channel*    
(p. 132)

Grants permission to delete a Write app-    


DeleteChannelMessage
channel message instance-
user*
(p. 132)

channel*    
(p. 132)

Grants permission to delete a Write app-    


DeleteChannelModerator
channel moderator instance-
user*
(p. 132)

channel*    
(p. 132)

Grants permission to delete Write      


DeleteDelegate delegated AWS account
management from your Amazon
Chime account

DeleteDomain Grants permission to delete Write      


a domain from your Amazon
Chime account

Grants permission to delete an Write      


DeleteEventsConfiguration
events configuration for a bot to
receive outgoing events

115
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

DeleteGroups Grants permission to delete Write      


Active Directory or Okta user
groups from your Amazon
Chime Enterprise account

Grants permission to delete the Write meeting*    


DeleteMeeting specified Amazon Chime SDK (p. 132)
meeting

Grants permission to move a Write      


DeletePhoneNumber
phone number to the deletion
queue

Grants permission to delete a Write      


DeleteProxySession
proxy session for the specified
Amazon Chime Voice Connector

DeleteRoom Grants permission to delete a Write      


room

Grants permission to remove a Write      


DeleteRoomMembership
room member

Grants permission to delete Write      


DeleteSipMediaApplication
Amazon Chime SIP media
application under the
administrator's AWS account

DeleteSipRule Grants permission to delete Write      


Amazon Chime SIP rule under
the administrator's AWS account

Grants permission to delete the Write      


DeleteVoiceConnector
specified Amazon Chime Voice
Connector

Grants permission to delete Write      


DeleteVoiceConnectorEmergencyCallingConfiguration
emergency calling configuration
for the specified Amazon Chime
Voice Connector

Grants permission to delete the Write      


DeleteVoiceConnectorGroup
specified Amazon Chime Voice
Connector Group

Grants permission to delete Write      


DeleteVoiceConnectorOrigination
the origination settings for the
specified Amazon Chime Voice
Connector

Grants permission to delete Write      


DeleteVoiceConnectorProxy
proxy configuration for the
specified Amazon Chime Voice
Connector

116
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to delete Write      


DeleteVoiceConnectorStreamingConfiguration
streaming configuration for the
specified Amazon Chime Voice
Connector

Grants permission to delete the Write      


DeleteVoiceConnectorTermination
termination settings for the
specified Amazon Chime Voice
Connector

Grants permission to delete SIP Write      


DeleteVoiceConnectorTerminationCredentials
termination credentials for the
specified Amazon Chime Voice
Connector

Grants permission to get the full Read app-    


DescribeAppInstance
details of an AppInstance instance*
(p. 132)

Grants permission to get the full Read app-    


DescribeAppInstanceAdmin
details of an AppInstanceAdmin instance*
(p. 132)

app-    
instance-
user*
(p. 132)

Grants permission to get the full Read app-    


DescribeAppInstanceUser
details of an AppInstanceUser instance-
user*
(p. 132)

Grants permission to get the full Read app-    


DescribeChannel details of a channel instance-
user*
(p. 132)

channel*    
(p. 132)

Grants permission to get the full Read app-    


DescribeChannelBan
details of a channel ban instance-
user*
(p. 132)

channel*    
(p. 132)

Grants permission to get the full Read app-    


DescribeChannelMembership
details of a channel membership instance-
user*
(p. 132)

117
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

channel*    
(p. 132)

Grants permission to get the Read app-    


DescribeChannelMembershipForAppInstanceUser
details of a channel based on instance-
the membership of the specified user*
AppInstanceUser (p. 132)

channel*    
(p. 132)

Grants permission to get Read app-    


DescribeChannelModeratedByAppInstanceUser
the full details of a channel instance-
moderated by the specified user*
AppInstanceUser (p. 132)

channel*    
(p. 132)

Grants permission to get Read app-    


DescribeChannelModerator
the full details of a single instance-
ChannelModerator user*
(p. 132)

channel*    
(p. 132)

Grants permission to Write      


DisassociatePhoneNumberFromUser
disassociate the primary
provisioned number from the
specified Amazon Chime user

Grants permission to Write      


DisassociatePhoneNumbersFromVoiceConnector
disassociate multiple phone
numbers from the specified
Amazon Chime Voice Connector

Grants permission to Write      


DisassociatePhoneNumbersFromVoiceConnectorGroup
disassociate multiple phone
numbers from the specified
Amazon Chime Voice Connector
Group

Grants permission to Write      


DisassociateSigninDelegateGroupsFromAccount
disassociate the specified
sign-in delegate groups from
the specified Amazon Chime
account.

Grants permission to disconnect Write      


DisconnectDirectory
the Active Directory from your
Amazon Chime Enterprise
account

118
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

GetAccount Grants permission to get details Read      


for the specified Amazon Chime
account

Grants permission to get Read      


GetAccountResource
details for the account resource
associated with your Amazon
Chime account

Grants permission to get Read      


GetAccountSettings
account settings for the
specified Amazon Chime account
ID

Grants permission to get Read      


GetAccountWithOpenIdConfig
the account details and
OpenIdConfig attributes for your
Amazon Chime account

Grants permission to get Read app-    


GetAppInstanceRetentionSettings
retention settings for an app instance*
instance (p. 132)

Grants permission to get the Read app-    


GetAppInstanceStreamingConfigurations
streaming configurations for an instance*
app instance (p. 132)

GetAttendee Grants permission to get Read meeting*    


attendee details for a specified (p. 132)
meeting ID and attendee ID

GetBot Grants permission to retrieve Read      


details for the specified bot

Grants permission to get details Read     s3:GetBucketAcl


GetCDRBucket of a Call Detail Record S3 bucket
associated with your Amazon s3:GetBucketLocation
Chime account
s3:GetBucketLogging

s3:GetBucketVersioning

s3:GetBucketWebsite

Grants permission to get the full Read app-    


GetChannelMessage
details of a channel message instance-
user*
(p. 132)

channel*    
(p. 132)

GetDomain Grants permission to get domain Read      


details for a domain associated
with your Amazon Chime
account

119
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to Read      


GetEventsConfiguration
retrieve details for an events
configuration for a bot to receive
outgoing events

Grants permission to get global Read      


GetGlobalSettingssettings related to Amazon
Chime for the AWS account

GetMeeting Grants permission to get the Read meeting*    


meeting record for a specified (p. 132)
meeting ID

Grants permission to get Read      


GetMeetingDetailattendee, connection, and other
details for a meeting

Grants permission to get the Read      


GetMessagingSessionEndpoint
endpoint for the messaging
session

Grants permission to get details Read      


GetPhoneNumberfor the specified phone number

Grants permission to get details Read      


GetPhoneNumberOrder
for the specified phone number
order

Grants permission to get phone Read      


GetPhoneNumberSettings
number settings related to
Amazon Chime for the AWS
account

Grants permission to get details Read      


GetProxySession of the specified proxy session
for the specified Amazon Chime
Voice Connector

Gets the retention settings for Read      


GetRetentionSettings
the specified Amazon Chime
account.

GetRoom Grants permission to retrieve a Read      


room

Grants permission to get Read      


GetSipMediaApplication
details of Amazon Chime SIP
media application under the
administrator's AWS account

Grants permission to get Read      


GetSipMediaApplicationLoggingConfiguration
logging configuration settings
for Amazon Chime SIP
media application under the
administrator's AWS account

120
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

GetSipRule Grants permission to get details Read      


of Amazon Chime SIP rule under
the administrator's AWS account

Grants permission to get Read      


GetTelephonyLimits
telephony limits for the AWS
account

GetUser Grants permission to get details Read      


for the specified user ID

Grants permission to get a Read      


GetUserActivityReportData
summary of user activity on the
user details page

Grants permission to get user Read      


GetUserByEmail details for an Amazon Chime
user based on the email address
in an Amazon Chime Enterprise
or Team account

Grants permission to get user Read      


GetUserSettings settings related to the specified
Amazon Chime user

Grants permission to get details Read      


GetVoiceConnector
for the specified Amazon Chime
Voice Connector

Grants permission to get details Read      


GetVoiceConnectorEmergencyCallingConfiguration
of the emergency calling
configuration for the specified
Amazon Chime Voice Connector

Grants permission to get details Read      


GetVoiceConnectorGroup
for the specified Amazon Chime
Voice Connector Group

Grants permission to get details Read      


GetVoiceConnectorLoggingConfiguration
of the logging configuration for
the specified Amazon Chime
Voice Connector

Grants permission to get details Read      


GetVoiceConnectorOrigination
of the origination settings for
the specified Amazon Chime
Voice Connector

Grants permission to get details Read      


GetVoiceConnectorProxy
of the proxy configuration for
the specified Amazon Chime
Voice Connector

121
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to get details Read      


GetVoiceConnectorStreamingConfiguration
of the streaming configuration
for the specified Amazon Chime
Voice Connector

Grants permission to get details Read      


GetVoiceConnectorTermination
of the termination settings for
the specified Amazon Chime
Voice Connector

Grants permission to get details Read      


GetVoiceConnectorTerminationHealth
of the termination health for the
specified Amazon Chime Voice
Connector

Grants permission to send an Write      


InviteDelegate invitation to accept a request for
AWS account delegation for an
Amazon Chime account

InviteUsers Grants permission to invite Write      


as many as 50 users to the
specified Amazon Chime account

Grants permission to invite users Write      


InviteUsersFromProvider
from a third party provider to
your Amazon Chime account

Grants permission to list List      


ListAccountUsageReportData
Amazon Chime account usage
reporting data

ListAccounts Grants permission to list the List      


Amazon Chime accounts under
the administrator's AWS account

ListApiKeys Grants permission to list the List      


SCIM access keys defined for
your Amazon Chime account and
Okta configuration

Grants permission to list List app-    


ListAppInstanceAdmins
administrators in the app instance*
instance (p. 132)

app-    
instance-
user*
(p. 132)

Grants permission to list all List app-    


ListAppInstanceUsers
AppInstanceUsers created under instance-
a single app instance user*
(p. 132)

122
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to list all List app-    


ListAppInstances Amazon Chime app instances instance*
created under a single AWS (p. 132)
account

Grants permission to list the List meeting*    


ListAttendeeTags tags applied to an Amazon (p. 132)
Chime SDK attendee resource

ListAttendees Grants permission to list up to List meeting*    


100 attendees for a specified (p. 132)
Amazon Chime SDK meeting

ListBots Grants permission to list List      


the bots associated with the
administrator's Amazon Chime
Enterprise account

Grants permission to list Call List     s3:ListAllMyBuckets


ListCDRBucket Detail Record S3 buckets
s3:ListBucket

Grants permission to list the List      


ListCallingRegionscalling regions available for the
administrator's AWS account

Grants permission to list all the List app-    


ListChannelBans users banned from a particular instance-
channel user*
(p. 132)

channel*    
(p. 132)

Grants permission to list all List app-    


ListChannelMemberships
channel memberships in a instance-
channel user*
(p. 132)

channel*    
(p. 132)

Grants permission to list all List app-    


ListChannelMembershipsForAppInstanceUser
channels that a particular instance-
AppInstanceUser is a part of user*
(p. 132)

Grants permission to list all the List app-    


ListChannelMessages
messages in a channel instance-
user*
(p. 132)

channel*    
(p. 132)

123
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to list all the List app-    


ListChannelModerators
moderators for a channel instance-
user*
(p. 132)

channel*    
(p. 132)

ListChannels Grants permission to list all the List app-    


Channels created under a single instance-
Chime AppInstance user*
(p. 132)

channel*    
(p. 132)

Grants permission to list all List app-    


ListChannelsModeratedByAppInstanceUser
channels moderated by an app instance-
instance user user*
(p. 132)

ListDelegates Grants permission to list account List      


delegate information associated
with your Amazon Chime
account

ListDirectories Grants permission to list active List      


Active Directories hosted in the
Directory Service of your AWS
account

ListDomains Grants permission to list List      


domains associated with your
Amazon Chime account

ListGroups Grants permission to list Active List      


Directory or Okta user groups
associated with your Amazon
Chime Enterprise account

Grants permission to list all List      


ListMeetingEventsevents that occurred for a
specified meeting

Grants permission to list the List meeting*    


ListMeetingTags tags applied to an Amazon (p. 132)
Chime SDK meeting resource.

ListMeetings Grants permission to list up to List      


100 active Amazon Chime SDK
meetings

Grants permission to list List      


ListMeetingsReportData
meetings ended during the
specified date range

124
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to list the List      


ListPhoneNumberOrders
phone number orders under the
administrator's AWS account

Grants permission to list the List      


ListPhoneNumbers
phone numbers under the
administrator's AWS account

Grants permission to list proxy List      


ListProxySessionssessions for the specified
Amazon Chime Voice Connector

Grants permission to list all List      


ListRoomMemberships
room members

ListRooms Grants permission to list rooms List      

Grants permission to list all List      


ListSipMediaApplications
Amazon Chime SIP media
applications under the
administrator's AWS account

ListSipRules Grants permission to list all List      


Amazon Chime SIP rules under
the administrator's AWS account

Grants permission to list the List channel    


ListTagsForResource
tags applied to an Amazon (p. 132)
Chime resource.

ListUsers Grants permission to list List      


the users that belong to the
specified Amazon Chime account

Grants permission to list List      


ListVoiceConnectorGroups
the Amazon Chime Voice
Connector Groups under the
administrator's AWS account

Grants permission to list the SIP List      


ListVoiceConnectorTerminationCredentials
termination credentials for the
specified Amazon Chime Voice
Connector

Grants permission to list the List      


ListVoiceConnectors
Amazon Chime Voice Connectors
under the administrator's AWS
account

LogoutUser Grants permission to log out Write      


the specified user from all of
the devices they are currently
logged into

125
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to enable Write app-    


PutAppInstanceRetentionSettings
data retention for the app instance*
instance (p. 132)

Grants permission to configure Write app-    


PutAppInstanceStreamingConfigurations
data streaming for the app instance*
instance (p. 132)

Grants permission to Write      


PutEventsConfiguration
update details for an events
configuration for a bot to receive
outgoing events

Puts retention settings for the Write      


PutRetentionSettings
specified Amazon Chime account

Grants permission to update Write      


PutSipMediaApplicationLoggingConfiguration
logging configuration settings
for Amazon Chime SIP
media application under the
administrator's AWS account

Grants permission to add Write      


PutVoiceConnectorEmergencyCallingConfiguration
emergency calling configuration
for the specified Amazon Chime
Voice Connector

Grants permission to add Write     logs:CreateLogDelivery


PutVoiceConnectorLoggingConfiguration
logging configuration for the
specified Amazon Chime Voice logs:CreateLogGroup
Connector
logs:DeleteLogDelivery

logs:DescribeLogGroups

logs:GetLogDelivery

logs:ListLogDeliveries

Grants permission to update Write      


PutVoiceConnectorOrigination
the origination settings for the
specified Amazon Chime Voice
Connector

Grants permission to add proxy Write      


PutVoiceConnectorProxy
configuration for the specified
Amazon Chime Voice Connector

Grants permission to add Write      


PutVoiceConnectorStreamingConfiguration
streaming configuration for the
specified Amazon Chime Voice
Connector

126
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to update Write      


PutVoiceConnectorTermination
the termination settings for the
specified Amazon Chime Voice
Connector

Grants permission to add SIP Write      


PutVoiceConnectorTerminationCredentials
termination credentials for the
specified Amazon Chime Voice
Connector

Grants permission to redact Write app-    


RedactChannelMessage
message content instance-
user*
(p. 132)

channel*    
(p. 132)

Redacts the specified Chime Write      


RedactConversationMessage
conversation Message

Redacts the specified Chime Write      


RedactRoomMessage
room Message

Grants permission to regenerate Write      


RegenerateSecurityToken
the security token for the
specified bot

Grants permission to modify Write      


RenameAccount the account name for your
Amazon Chime Enterprise or
Team account

Grants permission to renew the Write      


RenewDelegate delegation request associated
with an Amazon Chime account

Grants permission to reset Write      


ResetAccountResource
the account resource in your
Amazon Chime account

Grants permission to reset the Write      


ResetPersonalPINpersonal meeting PIN for the
specified user on an Amazon
Chime account

Grants permission to restore the Write      


RestorePhoneNumber
specified phone number from
the deltion queue back to the
phone number inventory

127
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to download List      


RetrieveDataExports
the file containing links to all
user attachments returned
as part of the "Request
attachments" action

Grants permission to search Read      


SearchAvailablePhoneNumbers
phone numbers that can be
ordered from the carrier

Grants permission to send a Write app-    


SendChannelMessage
message to a particular channel instance-
that the member is a part of user*
(p. 132)

channel*    
(p. 132)

Grants permission to submit the Write      


StartDataExport "Request attachments" request

Grants permission to submit Write      


SubmitSupportRequest
a customer service support
request

SuspendUsers Grants permission to suspend Write      


users from an Amazon Chime
Enterprise account

TagAttendee Grants permission to apply the Tagging meeting*    


specified tags to the specified (p. 132)
Amazon Chime SDK attendee

TagMeeting Grants permission to apply the Tagging meeting*    


specified tags to the specified (p. 132)
Amazon Chime SDK meeting.
  aws:TagKeys  
(p. 132)

aws:RequestTag/
${TagKey}
(p. 132)

aws:ResourceTag/
${TagKey}
(p. 132)

TagResource Grants permission to apply the Tagging channel    


specified tags to the specified (p. 132)
Amazon Chime resource.

128
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:TagKeys  
(p. 132)

aws:RequestTag/
${TagKey}
(p. 132)

aws:ResourceTag/
${TagKey}
(p. 132)

Grants permission to Write      


UnauthorizeDirectory
unauthorize an Active Directory
from your Amazon Chime
Enterprise account

Grants permission to untag the Tagging meeting*    


UntagAttendee specified tags from the specified (p. 132)
Amazon Chime SDK attendee.

Grants permission to untag the Tagging meeting*    


UntagMeeting specified tags from the specified (p. 132)
Amazon Chime SDK meeting.

Grants permission to untag the Tagging channel    


UntagResource specified tags from the specified (p. 132)
Amazon Chime resource.

Grants permission to update Write      


UpdateAccount account details for the specified
Amazon Chime account

Grants permission to update the Write      


UpdateAccountOpenIdConfig
OpenIdConfig attributes for your
Amazon Chime account

Grants permission to update Write      


UpdateAccountResource
the account resource in your
Amazon Chime account

Grants permission to update Write      


UpdateAccountSettings
the settings for the specified
Amazon Chime account

Grants permission to update Write app-    


UpdateAppInstance
AppInstance metadata instance*
(p. 132)

Grants permission to update the Write app-    


UpdateAppInstanceUser
details for an AppInstanceUser instance-
user*
(p. 132)

UpdateBot Grants permission to update the Write      


status of the specified bot

129
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to update Write     s3:CreateBucket


UpdateCDRSettings
your Call Detail Record S3
bucket s3:DeleteBucket

s3:ListAllMyBuckets

Grants permission to update a Write app-    


UpdateChannel channel's attributes instance-
user*
(p. 132)

channel*    
(p. 132)

Grants permission to update the Write app-    


UpdateChannelMessage
content of a message instance-
user*
(p. 132)

channel*    
(p. 132)

Grants permission to set the Write app-    


UpdateChannelReadMarker
timestamp to the point when instance-
a user last read messages in a user*
channel (p. 132)

channel*    
(p. 132)

Grants permission to update Write      


UpdateGlobalSettings
the global settings related to
Amazon Chime for the AWS
account

Grants permission to update Write      


UpdatePhoneNumber
phone number details for the
specified phone number

Grants permission to update Write      


UpdatePhoneNumberSettings
phone number settings related
to Amazon Chime for the AWS
account

Grants permission to update a Write      


UpdateProxySession
proxy session for the specified
Amazon Chime Voice Connector

UpdateRoom Grants permission to update a Write      


room

Grants permission to update Write      


UpdateRoomMembership
room membership role

130
Service Authorization Reference
Service Authorization Reference
Amazon Chime

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to update Write      


UpdateSipMediaApplication
properties of Amazon Chime
SIP media application under the
administrator's AWS account

Grants permission to update Write      


UpdateSipRule properties of Amazon Chime SIP
rule under the administrator's
AWS account

Grants permission to update the Write      


UpdateSupportedLicenses
supported license tiers available
for users in your Amazon Chime
account

UpdateUser Grants permission to update Write      


user details for a specified user
ID

Grants permission to update the Write      


UpdateUserLicenses
licenses for your Amazon Chime
users

Grants permission to update Write      


UpdateUserSettings
user settings related to the
specified Amazon Chime user

Grants permission to update Write      


UpdateVoiceConnector
Amazon Chime Voice Connector
details for the specified Amazon
Chime Voice Connector

Grants permission to update Write      


UpdateVoiceConnectorGroup
Amazon Chime Voice Connector
Group details for the specified
Amazon Chime Voice Connector
Group

Grants permission to validate Read      


ValidateAccountResource
the account resource in your
Amazon Chime account

Resource types defined by Amazon Chime

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table (p. 109) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys (see p. 132)
meeting | arn:${Partition}:chime::${AccountId}:meeting/${MeetingId} | aws:ResourceTag/${TagKey}
app-instance | arn:${Partition}:chime::${AccountId}:app-instance/${AppInstanceId} | aws:ResourceTag/${TagKey}
app-instance-user | arn:${Partition}:chime::${AccountId}:app-instance/${AppInstanceId}/user/${AppInstanceUserId} | aws:ResourceTag/${TagKey}
channel | arn:${Partition}:chime::${AccountId}:app-instance/${AppInstanceId}/channel/${ChannelId} | aws:ResourceTag/${TagKey}
Condition keys for Amazon Chime

Amazon Chime defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
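The three Amazon Chime tables above (actions, resource types, condition keys) are only useful once you see how they combine at evaluation time: an action with an empty Resource types cell can be granted only by Resource "*", an action with required types must be granted on ARNs of exactly those shapes, and the aws:RequestTag/aws:TagKeys keys constrain what the caller may tag. The Python script below is an added illustration, not AWS code and not part of this reference. It copies the ARN formats, a handful of required resource types and the two request-side tag keys from the tables, and models a deliberately small subset of IAM evaluation (no NotAction, NotResource, IfExists, or policy-type interaction). The account ID, the AppInstance/channel/user IDs, the policy and the request tags are constructed for the demonstration and are not real identifiers.

```python
"""Model of how the three Amazon Chime tables above combine when IAM evaluates a request.
Added example, not AWS code: the ARN formats, required resource types and condition
keys are copied from the tables; the account ID, AppInstance/channel/user IDs, policy
and request tags are constructed for the demonstration and are not real identifiers."""
import fnmatch
import re

# ARN formats from "Resource types defined by Amazon Chime", anchored so that an
# app-instance-user ARN does not also match the app-instance pattern.
ARN_TYPES = {
    "meeting": r"^arn:[^:]+:chime::\d{12}:meeting/[^/]+$",
    "app-instance": r"^arn:[^:]+:chime::\d{12}:app-instance/[^/]+$",
    "app-instance-user": r"^arn:[^:]+:chime::\d{12}:app-instance/[^/]+/user/[^/]+$",
    "channel": r"^arn:[^:]+:chime::\d{12}:app-instance/[^/]+/channel/[^/]+$",
}

# Required resource types per action, from the Actions table (a subset). An empty
# tuple means the action has no resource types, so only Resource "*" can grant it.
REQUIRED_RESOURCE_TYPES = {
    "chime:CreateMeeting": (),
    "chime:ListAccounts": (),
    "chime:DeleteMeeting": ("meeting",),
    "chime:SendChannelMessage": ("app-instance-user", "channel"),
}


def resource_type(arn):
    """Classify an ARN by the resource-type table; None if it fits no row."""
    return next((name for name, pat in ARN_TYPES.items() if re.match(pat, arn)), None)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, request_tags):
    """Evaluate the request-side tag keys from the condition keys table."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            if operator == "StringEquals" and key.startswith("aws:RequestTag/"):
                # A tag missing from the request makes StringEquals false (no IfExists here).
                if request_tags.get(key[len("aws:RequestTag/"):]) not in expected:
                    return False
            elif operator == "ForAllValues:StringEquals" and key == "aws:TagKeys":
                # Every tag key in the request must be on the allowed list.
                if not set(request_tags).issubset(expected):
                    return False
            else:
                raise ValueError(f"operator/key not modelled here: {operator} {key}")
    return True


def is_allowed(policy, action, resource_arns, request_tags=None):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    request_tags = request_tags or {}
    required = REQUIRED_RESOURCE_TYPES[action]
    present = {resource_type(arn) for arn in resource_arns}
    missing = [t for t in required if t not in present]
    if missing:
        raise ValueError(f"{action} requires resource types {missing}")
    if not required:
        resource_arns = ["*"]  # no resource-level permissions: evaluated against "*"
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not all(any(fnmatch.fnmatchcase(arn, p) for p in _as_list(stmt["Resource"]))
                   for arn in resource_arns):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample identifiers and policy (not real).
ACCOUNT_ID = "123456789012"
APP_INSTANCE_ARN = f"arn:aws:chime::{ACCOUNT_ID}:app-instance/e1f2a3b4"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # No resource types for CreateMeeting, so "*" is the only usable Resource;
            # the tag keys require a CostCenter tag and forbid any other tag key.
            "Effect": "Allow",
            "Action": "chime:CreateMeeting",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/CostCenter": "4242"},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["CostCenter"]},
            },
        },
        {   # SendChannelMessage requires app-instance-user* and channel*; both ARNs sit
            # under one AppInstance, so a single prefix wildcard scopes the statement.
            "Effect": "Allow",
            "Action": ["chime:SendChannelMessage", "chime:DeleteMeeting"],
            "Resource": [f"{APP_INSTANCE_ARN}/*", f"arn:aws:chime::{ACCOUNT_ID}:meeting/*"],
        },
        {   # An explicit Deny overrides the Allow above for DeleteMeeting.
            "Effect": "Deny",
            "Action": "chime:DeleteMeeting",
            "Resource": "*",
        },
    ],
}
```

Calling `is_allowed(POLICY, "chime:CreateMeeting", [], {"CostCenter": "4242"})` returns True, while adding any second tag key or omitting CostCenter returns False; `chime:SendChannelMessage` is allowed for a user and channel under `APP_INSTANCE_ARN` and denied for a channel in any other AppInstance; `chime:DeleteMeeting` is denied despite the Allow because the Deny statement matches. The `missing` check is the practical takeaway from the Resource types column: a statement that names a meeting ARN can never grant an action whose required types are app-instance-user* and channel*, no matter how broad the wildcard.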

Actions, resources, and condition keys for Amazon


Cloud Directory
Amazon Cloud Directory (service prefix: clouddirectory) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Cloud Directory (p. 133)
• Resource types defined by Amazon Cloud Directory (p. 138)
• Condition keys for Amazon Cloud Directory (p. 138)

Actions defined by Amazon Cloud Directory


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddFacetToObject | Adds a new Facet to an object. | Write | directory* (p. 138) | | |
| ApplySchema | Copies input published schema into Directory with same name and version as that of published schema. | Write | directory*, publishedSchema* (p. 138) | | |
| AttachObject | Attaches an existing object to another existing object. | Write | directory* (p. 138) | | |
| AttachPolicy | Attaches a policy object to any other object. | Write | directory* (p. 138) | | |
| AttachToIndex | Attaches the specified object to the specified index. | Write | directory* (p. 138) | | |
| AttachTypedLink | Attaches a typed link b/w a source & target object reference. | Write | directory* (p. 138) | | |
| BatchRead | Performs all the read operations in a batch. Each individual operation inside BatchRead needs to be granted permissions explicitly. | Read | directory* (p. 138) | | |
| BatchWrite | Performs all the write operations in a batch. Each individual operation inside BatchWrite needs to be granted permissions explicitly. | Write | directory* (p. 138) | | |
| CreateDirectory | Creates a Directory by copying the published schema into the directory. | Write | publishedSchema* (p. 138) | | |
| CreateFacet | Creates a new Facet in a schema. | Write | appliedSchema*, developmentSchema* (p. 138) | | |
| CreateIndex | Creates an index object. | Write | directory* (p. 138) | | |
| CreateObject | Creates an object in a Directory. | Write | directory* (p. 138) | | |
| CreateSchema | Creates a new schema in a development state. | Write | | | |
| CreateTypedLinkFacet | Creates a new Typed Link facet in a schema. | Write | appliedSchema*, developmentSchema* (p. 138) | | |
| DeleteDirectory | Deletes a directory. Only disabled directories can be deleted. | Write | directory* (p. 138) | | |
| DeleteFacet | Deletes a given Facet. All attributes and Rules associated with the facet will be deleted. | Write | developmentSchema* (p. 138) | | |
| DeleteObject | Deletes an object and its associated attributes. | Write | directory* (p. 138) | | |
| DeleteSchema | Deletes a given schema. | Write | developmentSchema*, publishedSchema* (p. 138) | | |
| DeleteTypedLinkFacet | Deletes a given TypedLink Facet. All attributes and Rules associated with the facet will be deleted. | Write | developmentSchema* (p. 138) | | |
| DetachFromIndex | Detaches the specified object from the specified index. | Write | directory* (p. 138) | | |
| DetachObject | Detaches a given object from the parent object. | Write | directory* (p. 138) | | |
| DetachPolicy | Detaches a policy from an object. | Write | directory* (p. 138) | | |
| DetachTypedLink | Detaches a given typed link b/w given source and target object reference. | Write | directory* (p. 138) | | |
| DisableDirectory | Disables the specified directory. | Write | directory* (p. 138) | | |
| EnableDirectory | Enables the specified directory. | Write | directory* (p. 138) | | |
| GetDirectory | Retrieves metadata about a directory. | Read | directory* (p. 138) | | |
| GetFacet | Gets details of the Facet, such as Facet Name, Attributes, Rules, or ObjectType. | Read | appliedSchema*, developmentSchema*, publishedSchema* (p. 138) | | |
| GetLinkAttributes | Retrieves attributes that are associated with a typed link. | Read | directory* (p. 138) | | |
| GetObjectAttributes | Retrieves attributes within a facet that are associated with an object. | Read | directory* (p. 138) | | |
| GetObjectInformation | Retrieves metadata about an object. | Read | directory* (p. 138) | | |
| GetSchemaAsJson | Retrieves a JSON representation of the schema. | Read | appliedSchema*, developmentSchema*, publishedSchema* (p. 138) | | |
| GetTypedLinkFacetInformation | Returns identity attributes order information associated with a given typed link facet. | Read | appliedSchema*, developmentSchema*, publishedSchema* (p. 138) | | |
| ListAppliedSchemaArns | Lists schemas applied to a directory. | List | directory* (p. 138) | | |
| ListAttachedIndices | Lists indices attached to an object. | Read | directory* (p. 138) | | |
| ListDevelopmentSchemaArns | Retrieves the ARNs of schemas in the development state. | List | | | |
| ListDirectories | Lists directories created within an account. | List | | | |
| ListFacetAttributes | Retrieves attributes attached to the facet. | Read | appliedSchema*, developmentSchema*, publishedSchema* (p. 138) | | |
| ListFacetNames | Retrieves the names of facets that exist in a schema. | Read | appliedSchema*, developmentSchema*, publishedSchema* (p. 138) | | |
| ListIncomingTypedLinks | Returns a paginated list of all incoming TypedLinks for a given object. | Read | directory* (p. 138) | | |
| ListIndex | Lists objects attached to the specified index. | Read | directory* (p. 138) | | |
| ListObjectAttributes | Lists all attributes associated with an object. | Read | directory* (p. 138) | | |
| ListObjectChildren | Returns a paginated list of child objects associated with a given object. | Read | directory* (p. 138) | | |
| ListObjectParentPaths | Retrieves all available parent paths for any object type such as node, leaf node, policy node, and index node objects. | Read | directory* (p. 138) | | |
| ListObjectParents | Lists parent objects associated with a given object in pagination fashion. | Read | directory* (p. 138) | | |
| ListObjectPolicies | Returns policies attached to an object in pagination fashion. | Read | directory* (p. 138) | | |
| ListOutgoingTypedLinks | Returns a paginated list of all outgoing TypedLinks for a given object. | Read | directory* (p. 138) | | |
| ListPolicyAttachments | Returns all of the ObjectIdentifiers to which a given policy is attached. | Read | directory* (p. 138) | | |
| ListPublishedSchemaArns | Retrieves published schema ARNs. | List | | | |
| ListTagsForResource | Returns tags for a resource. | Read | directory* (p. 138) | | |
| ListTypedLinkFacetAttributes | Returns a paginated list of attributes associated with typed link facet. | Read | appliedSchema*, developmentSchema*, publishedSchema* (p. 138) | | |
| ListTypedLinkFacetNames | Returns a paginated list of typed link facet names that exist in a schema. | Read | appliedSchema*, developmentSchema*, publishedSchema* (p. 138) | | |
| LookupPolicy | Lists all policies from the root of the Directory to the object specified. | Read | directory* (p. 138) | | |
| PublishSchema | Publishes a development schema with a version. | Write | developmentSchema* (p. 138) | | |
| PutSchemaFromJson | Allows a schema to be updated using JSON upload. Only available for development schemas. | Write | | | |
| RemoveFacetFromObject | Removes the specified facet from the specified object. | Write | directory* (p. 138) | | |
| TagResource | Adds tags to a resource. | Tagging | directory* (p. 138) | | |
| UntagResource | Removes tags from a resource. | Tagging | directory* (p. 138) | | |
| UpdateFacet | Adds/Updates/Deletes existing Attributes, Rules, or ObjectType of a Facet. | Write | appliedSchema*, developmentSchema* (p. 138) | | |
| UpdateLinkAttributes | Updates a given typed link's attributes. Attributes to be updated must not contribute to the typed link's identity, as defined by its IdentityAttributeOrder. | Write | directory* (p. 138) | | |
| UpdateObjectAttributes | Updates a given object's attributes. | Write | directory* (p. 138) | | |
| UpdateSchema | Updates the schema name with a new name. | Write | developmentSchema* (p. 138) | | |
| UpdateTypedLinkFacet | Adds/Updates/Deletes existing Attributes, Rules, identity attribute order of a TypedLink Facet. | Write | developmentSchema* (p. 138) | | |

Resource types defined by Amazon Cloud Directory


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 133) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| appliedSchema | arn:${Partition}:clouddirectory:${Region}:${Account}:directory/${DirectoryId}/schema/${SchemaName}/${Version} | |
| developmentSchema | arn:${Partition}:clouddirectory:${Region}:${Account}:schema/development/${SchemaName} | |
| directory | arn:${Partition}:clouddirectory:${Region}:${Account}:directory/${DirectoryId} | |
| publishedSchema | arn:${Partition}:clouddirectory:${Region}:${Account}:schema/published/${SchemaName}/${Version} | |

Condition keys for Amazon Cloud Directory


Cloud Directory has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.


Actions, resources, and condition keys for AWS Cloud Map

AWS Cloud Map (service prefix: servicediscovery) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Cloud Map (p. 139)
• Resource types defined by AWS Cloud Map (p. 141)
• Condition keys for AWS Cloud Map (p. 142)

Actions defined by AWS Cloud Map


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateHttpNamespace | Creates an HTTP namespace. | Write | | aws:TagKeys (p. 142), aws:RequestTag/${TagKey} (p. 142) | |
| CreatePrivateDnsNamespace | Creates a private namespace based on DNS, which will be visible only inside a specified Amazon VPC. | Write | | aws:TagKeys (p. 142), aws:RequestTag/${TagKey} (p. 142) | |
| CreatePublicDnsNamespace | Creates a public namespace based on DNS, which will be visible on the internet. | Write | | aws:TagKeys (p. 142), aws:RequestTag/${TagKey} (p. 142) | |
| CreateService | Creates a service. | Write | namespace* (p. 142) | servicediscovery:NamespaceArn (p. 142), aws:TagKeys (p. 142), aws:RequestTag/${TagKey} (p. 142) | |
| DeleteNamespace | Deletes a specified namespace. | Write | namespace* (p. 142) | | |
| DeleteService | Deletes a specified service. | Write | service* (p. 142) | | |
| DeregisterInstance | Deletes the records and the health check, if any, that Amazon Route 53 created for the specified instance. | Write | service* (p. 142) | servicediscovery:ServiceArn (p. 142) | |
| DiscoverInstances | Discovers registered instances for a specified namespace and service. | Read | | servicediscovery:NamespaceName (p. 142), servicediscovery:ServiceName (p. 142) | |
| GetInstance | Gets information about a specified instance. | Read | | servicediscovery:ServiceArn (p. 142) | |
| GetInstancesHealthStatus | Gets the current health status (Healthy, Unhealthy, or Unknown) of one or more instances. | Read | | servicediscovery:ServiceArn (p. 142) | |
| GetNamespace | Gets information about a namespace. | Read | namespace* (p. 142) | | |
| GetOperation | Gets information about a specific operation. | Read | | | |
| GetService | Gets the settings for a specified service. | Read | service* (p. 142) | | |
| ListInstances | Gets summary information about the instances that were registered with a specified service. | List | | servicediscovery:ServiceArn (p. 142) | |
| ListNamespaces | Gets information about the namespaces. | List | | | |
| ListOperations | Lists operations that match the criteria that you specify. | List | | | |
| ListServices | Gets settings for all the services that match specified filters. | List | | | |
| ListTagsForResource | Lists tags for the specified resource. | List | | | |
| RegisterInstance | Registers an instance based on the settings in a specified service. | Write | service* (p. 142) | servicediscovery:ServiceArn (p. 142) | |
| TagResource | Adds one or more tags to the specified resource. | Tagging | | aws:TagKeys (p. 142), aws:RequestTag/${TagKey} (p. 142) | |
| UntagResource | Removes one or more tags from the specified resource. | Tagging | | aws:TagKeys (p. 142), aws:RequestTag/${TagKey} (p. 142) | |
| UpdateInstanceCustomHealthStatus | Updates the current health status for an instance that has a custom health check. | Write | | servicediscovery:ServiceArn (p. 142) | |
| UpdateService | Updates the settings in a specified service. | Write | service* (p. 142) | | |

Resource types defined by AWS Cloud Map


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 139) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).


| Resource types | ARN | Condition keys |
|---|---|---|
| namespace | arn:${Partition}:servicediscovery:${Region}:${Account}:namespace/${NamespaceId} | aws:ResourceTag/${TagKey} (p. 142) |
| service | arn:${Partition}:servicediscovery:${Region}:${Account}:service/${ServiceId} | aws:ResourceTag/${TagKey} (p. 142) |

Condition keys for AWS Cloud Map


AWS Cloud Map defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String |
| aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String |
| servicediscovery:NamespaceArn | A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related namespace. | String |
| servicediscovery:NamespaceName | A filter that lets you get objects by specifying the name of the related namespace. | String |
| servicediscovery:ServiceArn | A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related service. | String |
| servicediscovery:ServiceName | A filter that lets you get objects by specifying the name of the related service. | String |

Actions, resources, and condition keys for AWS Cloud9

AWS Cloud9 (service prefix: cloud9) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.


Topics
• Actions defined by AWS Cloud9 (p. 143)
• Resource types defined by AWS Cloud9 (p. 145)
• Condition keys for AWS Cloud9 (p. 145)

Actions defined by AWS Cloud9


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateEnvironmentEC2 | Grants permission to create an AWS Cloud9 development environment, launches an Amazon Elastic Compute Cloud (Amazon EC2) instance, and then hosts the environment on the instance. | Write | | cloud9:EnvironmentName (p. 146), cloud9:InstanceType (p. 146), cloud9:SubnetId (p. 146), cloud9:UserArn (p. 146) | ec2:DescribeSubnets, ec2:DescribeVpcs, iam:CreateServiceLinkedR |
| CreateEnvironmentMembership | Grants permission to add an environment member to an AWS Cloud9 development environment. | Write | environment* (p. 145) | cloud9:UserArn (p. 146), cloud9:EnvironmentId (p. 146), cloud9:Permissions (p. 146) | |
| DeleteEnvironment | Grants permission to delete an AWS Cloud9 development environment. If the environment is hosted on an Amazon Elastic Compute Cloud (Amazon EC2) instance, also terminates the instance. | Write | environment* (p. 145) | | iam:CreateServiceLinkedR |
| DeleteEnvironmentMembership | Grants permission to delete an environment member from an AWS Cloud9 development environment. | Write | environment* (p. 145) | | |
| DescribeEnvironmentMemberships | Grants permission to get information about environment members for an AWS Cloud9 development environment. | Read | environment* (p. 145) | cloud9:UserArn (p. 146), cloud9:EnvironmentId (p. 146) | |
| DescribeEnvironmentStatus | Grants permission to get status information for an AWS Cloud9 development environment. | Read | environment* (p. 145) | | |
| DescribeEnvironments | Grants permission to get information about AWS Cloud9 development environments. | Read | environment* (p. 145) | | |
| GetUserSettings [permission only] | Grants permission to get IDE-specific settings of an AWS Cloud9 user. | Read | | | |
| ListEnvironments | Grants permission to get a list of AWS Cloud9 development environment identifiers. | Read | | | |
| ListTagsForResource | Lists tags for a cloud9 environment | Read | environment* (p. 145) | | |
| TagResource | Adds tags to a cloud9 environment | Write | environment* (p. 145) | aws:RequestTag/${TagKey} (p. 145), aws:TagKeys (p. 146) | |
| UntagResource | Removes tags from a cloud9 environment | Write | environment* (p. 145) | aws:TagKeys (p. 146) | |
| UpdateEnvironment | Grants permission to change the settings of an existing AWS Cloud9 development environment. | Write | environment* (p. 145) | | |
| UpdateEnvironmentMembership | Grants permission to change the settings of an existing environment member for an AWS Cloud9 development environment. | Write | environment* (p. 145) | cloud9:UserArn (p. 146), cloud9:EnvironmentId (p. 146), cloud9:Permissions (p. 146) | |
| UpdateUserSettings [permission only] | Grants permission to update IDE-specific settings of an AWS Cloud9 user. | Write | | | |

Resource types defined by AWS Cloud9


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 143) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| environment | arn:${Partition}:cloud9:${Region}:${Account}:environment:${ResourceId} | aws:ResourceTag/${TagKey} (p. 146) |

Condition keys for AWS Cloud9


AWS Cloud9 defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
| cloud9:EnvironmentId | Filters access by the AWS Cloud9 environment ID | String |
| cloud9:EnvironmentName | Filters access by the AWS Cloud9 environment name | String |
| cloud9:InstanceType | Filters access by the instance type of the AWS Cloud9 environment's Amazon EC2 instance | String |
| cloud9:Permissions | Filters access by the type of AWS Cloud9 permissions | String |
| cloud9:SubnetId | Filters access by the subnet ID that the AWS Cloud9 environment will be created in | String |
| cloud9:UserArn | Filters access by the user ARN specified | ARN |

Actions, resources, and condition keys for AWS CloudFormation

AWS CloudFormation (service prefix: cloudformation) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CloudFormation (p. 146)
• Resource types defined by AWS CloudFormation (p. 155)
• Condition keys for AWS CloudFormation (p. 155)

Actions defined by AWS CloudFormation


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to cancel an Write stack*    


CancelUpdateStack
update on the specified stack (p. 155)

Grants permission to continue Write stack*    


ContinueUpdateRollback
rolling back a stack that is in (p. 155)
the UPDATE_ROLLBACK_FAILED
state to the   cloudformation:RoleArn
 
UPDATE_ROLLBACK_COMPLETE (p. 156)
state

Grants permission to create a list Write stack*    


CreateChangeSet of changes for a stack (p. 155)

  cloudformation:ChangeSetName
 
(p. 156)

cloudformation:ResourceTypes
(p. 156)

cloudformation:ImportResourceTypes
(p. 156)

cloudformation:RoleArn
(p. 156)

cloudformation:StackPolicyUrl
(p. 156)

cloudformation:TemplateUrl
(p. 156)

aws:RequestTag/
${TagKey}
(p. 155)

aws:TagKeys
(p. 155)

CreateStack Grants permission to create Write stack*    


a stack as specified in the (p. 155)
template
  cloudformation:ResourceTypes
 
(p. 156)

cloudformation:RoleArn
(p. 156)

cloudformation:StackPolicyUrl
(p. 156)

147
Service Authorization Reference
Service Authorization Reference
AWS CloudFormation

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)
cloudformation:TemplateUrl
(p. 156)

aws:RequestTag/
${TagKey}
(p. 155)

aws:TagKeys
(p. 155)

Grants permission to create Write stackset*    


CreateStackInstances
stack instances for the specified (p. 155)
accounts, within the specified
regions stackset-    
target
(p. 155)

type    
(p. 155)

Grants permission to create Write stackset-    


CreateStackSet a stackset as specified in the target
template (p. 155)

type    
(p. 155)

  cloudformation:RoleArn
 
(p. 156)

cloudformation:TemplateUrl
(p. 156)

aws:RequestTag/
${TagKey}
(p. 155)

aws:TagKeys
(p. 155)

Grants permission to upload Write      


CreateUploadBucket
templates to Amazon S3
[permission buckets. Used only by the AWS
only] CloudFormation console and
is not documented in the API
reference

Grants permission to delete the Write stack*    


DeleteChangeSet specified change set. Deleting (p. 155)
change sets ensures that no one
executes the wrong change set   cloudformation:ChangeSetName
 
(p. 156)

DeleteStack Grants permission to delete a Write stack*    


specified stack (p. 155)

148
Service Authorization Reference
Service Authorization Reference
AWS CloudFormation

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  cloudformation:RoleArn
 
(p. 156)

Grants permission to delete Write stackset*    


DeleteStackInstances
stack instances for the specified (p. 155)
accounts, in the specified
regions stackset-    
target
(p. 155)

type    
(p. 155)

Grants permission to delete a Write stackset*    


DeleteStackSet specified stackset (p. 155)

stackset-    
target
(p. 155)

type    
(p. 155)

Grants permission to deregister Write      


DeregisterType an existing CloudFormation type
or type version

Grants permission to Read      


DescribeAccountLimits
retrieve your account's AWS
CloudFormation limits

Grants permission to return the Read stack*    


DescribeChangeSet
description for the specified (p. 155)
change set
  cloudformation:ChangeSetName
 
(p. 156)

Grants permission to return Read      


DescribeStackDriftDetectionStatus
information about a stack drift
detection operation

Grants permission to return Read stack*    


DescribeStackEvents
all stack related events for a (p. 155)
specified stack

Grants permission to return the Read stackset*    


DescribeStackInstance
stack instance that's associated (p. 155)
with the specified stack set, AWS
account, and region stackset-    
target
(p. 155)

type    
(p. 155)

DescribeStackResource | Grants permission to return a description of the specified resource in the specified stack | Read | stack* (p. 155) | - | -
DescribeStackResourceDrifts | Grants permission to return drift information for the resources that have been checked for drift in the specified stack | Read | stack* (p. 155) | - | -
DescribeStackResources | Grants permission to return AWS resource descriptions for running and deleted stacks | Read | stack* (p. 155) | - | -
DescribeStackSet | Grants permission to return the description of the specified stack set | Read | stackset* (p. 155), stackset-target (p. 155), type (p. 155) | - | -
DescribeStackSetOperation | Grants permission to return the description of the specified stack set operation | Read | stackset* (p. 155), stackset-target (p. 155), type (p. 155) | - | -
DescribeStacks | Grants permission to return the description for the specified stack | List | stack* (p. 155) | - | -
DescribeType | Grants permission to return information about the CloudFormation type requested | Read | - | - | -
DescribeTypeRegistration | Grants permission to return information about the registration process for a CloudFormation type | Read | - | - | -
DetectStackDrift | Grants permission to detect whether a stack's actual configuration differs, or has drifted, from its expected configuration, as defined in the stack template and any values specified as template parameters | Read | stack* (p. 155) | - | -
DetectStackResourceDrift | Grants permission to return information about whether a resource's actual configuration differs, or has drifted, from its expected configuration, as defined in the stack template and any values specified as template parameters | Read | stack* (p. 155) | - | -
DetectStackSetDrift | Grants permission to enable users to detect drift on a stack set and the stack instances that belong to that stack set | Read | stackset* (p. 155), stackset-target (p. 155), type (p. 155) | - | -
EstimateTemplateCost | Grants permission to return the estimated monthly cost of a template | Read | - | - | -
ExecuteChangeSet | Grants permission to update a stack using the input information that was provided when the specified change set was created | Write | stack* (p. 155) | cloudformation:ChangeSetName (p. 156) | -
GetStackPolicy | Grants permission to return the stack policy for a specified stack | Read | stack* (p. 155) | - | -
GetTemplate | Grants permission to return the template body for a specified stack | Read | stack* (p. 155) | - | -
GetTemplateSummary | Grants permission to return information about a new or existing template | Read | stack (p. 155), stackset (p. 155) | - | -
ListChangeSets | Grants permission to return the ID and status of each active change set for a stack. For example, AWS CloudFormation lists change sets that are in the CREATE_IN_PROGRESS or CREATE_PENDING state | List | stack* (p. 155) | - | -
ListExports | Grants permission to list all exported output values in the account and region in which you call this action | List | - | - | -
ListImports | Grants permission to list all stacks that are importing an exported output value | List | - | - | -
ListStackInstances | Grants permission to return summary information about stack instances that are associated with the specified stack set | List | stackset* (p. 155), stackset-target (p. 155), type (p. 155) | - | -
ListStackResources | Grants permission to return descriptions of all resources of the specified stack | List | stack* (p. 155) | - | -
ListStackSetOperationResults | Grants permission to return summary information about the results of a stack set operation | List | stackset* (p. 155), stackset-target (p. 155), type (p. 155) | - | -
ListStackSetOperations | Grants permission to return summary information about operations performed on a stack set | List | stackset* (p. 155), stackset-target (p. 155), type (p. 155) | - | -
ListStackSets | Grants permission to return summary information about stack sets that are associated with the user | List | stackset* (p. 155), stackset-target (p. 155), type (p. 155) | - | -
ListStacks | Grants permission to return the summary information for stacks whose status matches the specified StackStatusFilter | List | - | - | -
ListTypeRegistrations | Grants permission to list CloudFormation type registration attempts | List | - | - | -
ListTypeVersions | Grants permission to list versions of a particular CloudFormation type | List | - | - | -
ListTypes | Grants permission to list available CloudFormation types | List | - | - | -
RegisterType | Grants permission to register a new CloudFormation type | Write | - | - | -
SetStackPolicy | Grants permission to set a stack policy for a specified stack | Permissions management | stack* (p. 155) | cloudformation:StackPolicyUrl (p. 156) | -
SetTypeDefaultVersion | Grants permission to set which version of a CloudFormation type applies to CloudFormation operations | Write | - | - | -
SignalResource | Grants permission to send a signal to the specified resource with a success or failure status | Write | stack* (p. 155) | - | -
StopStackSetOperation | Grants permission to stop an in-progress operation on a stack set and its associated stack instances | Write | stackset* (p. 155), stackset-target (p. 155), type (p. 155) | - | -
TagResource | Grants permission to tag cloudformation resources | Tagging | stack (p. 155), stackset (p. 155) | - | -
UntagResource | Grants permission to untag cloudformation resources | Tagging | stack (p. 155), stackset (p. 155) | - | -
UpdateStack | Grants permission to update a stack as specified in the template | Write | stack* (p. 155) | cloudformation:ResourceTypes (p. 156), cloudformation:RoleArn (p. 156), cloudformation:StackPolicyUrl (p. 156), cloudformation:TemplateUrl (p. 156), aws:RequestTag/${TagKey} (p. 155), aws:TagKeys (p. 155) | -
UpdateStackInstances | Grants permission to update the parameter values for stack instances for the specified accounts, within the specified regions | Write | stackset* (p. 155), stackset-target (p. 155), type (p. 155) | - | -
UpdateStackSet | Grants permission to update a stackset as specified in the template | Write | stackset* (p. 155), stackset-target (p. 155), type (p. 155) | cloudformation:RoleArn (p. 156), cloudformation:TemplateUrl (p. 156), aws:RequestTag/${TagKey} (p. 155), aws:TagKeys (p. 155) | -
UpdateTerminationProtection | Grants permission to update termination protection for the specified stack | Write | stack* (p. 155) | - | -
ValidateTemplate | Grants permission to validate a specified template | Read | - | - | -

Resource types defined by AWS CloudFormation


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 146) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
changeset | arn:${Partition}:cloudformation:${Region}:${Account}:changeSet/${ChangeSetName}/${Id} | -
stack | arn:${Partition}:cloudformation:${Region}:${Account}:stack/${StackName}/${Id} | aws:ResourceTag/${TagKey} (p. 155)
stackset | arn:${Partition}:cloudformation:${Region}:${Account}:stackset/${StackSetName}:${Id} | aws:ResourceTag/${TagKey} (p. 155)
stackset-target | arn:${Partition}:cloudformation:${Region}:${Account}:stackset-target/${StackSetTarget} | -
type | arn:${Partition}:cloudformation:${Region}:${Account}:type/resource/${Type} | -

Condition keys for AWS CloudFormation


AWS CloudFormation defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String
cloudformation:ChangeSetName | Filters actions based on an AWS CloudFormation change set name. Use to control which change sets IAM users can execute or delete | String
cloudformation:ImportResourceTypes | Filters actions based on the template resource types, such as AWS::EC2::Instance. Use to control which resource types IAM users can work with when they want to import a resource into a stack | String
cloudformation:ResourceTypes | Filters actions based on the template resource types, such as AWS::EC2::Instance. Use to control which resource types IAM users can work with when they create or update a stack | String
cloudformation:RoleArn | Filters actions based on the ARN of an IAM service role. Use to control which service role IAM users can use to work with stacks or change sets | ARN
cloudformation:StackPolicyUrl | Filters actions based on an Amazon S3 stack policy URL. Use to control which stack policies IAM users can associate with a stack during a create or update stack action | String
cloudformation:TemplateUrl | Filters actions based on an Amazon S3 template URL. Use to control which templates IAM users can use when they create or update stacks | String

Actions, resources, and condition keys for Amazon CloudFront
Amazon CloudFront (service prefix: cloudfront) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon CloudFront (p. 156)
• Resource types defined by Amazon CloudFront (p. 161)
• Condition keys for Amazon CloudFront (p. 162)

Actions defined by Amazon CloudFront


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.


The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateCachePolicy | This action adds a new cache policy to CloudFront. | Write | - | - | -
CreateCloudFrontOriginAccessIdentity | This action creates a new CloudFront origin access identity. | Write | origin-access-identity* (p. 161) | - | -
CreateDistribution | This action creates a new web distribution. | Write | distribution* (p. 161) | - | -
CreateDistributionWithTags | This action creates a new web distribution with tags. | Tagging | distribution* (p. 161) | aws:RequestTag/${TagKey} (p. 162), aws:TagKeys (p. 162) | -
CreateFieldLevelEncryptionConfig | This action creates a new field-level encryption configuration. | Write | - | - | -
CreateFieldLevelEncryptionProfile | This action creates a field-level encryption profile. | Write | - | - | -
CreateInvalidation | This action creates a new invalidation batch request. | Write | distribution* (p. 161) | - | -
CreateOriginRequestPolicy | This action adds a new origin request policy to CloudFront. | Write | - | - | -
CreatePublicKey | This action adds a new public key to CloudFront. | Write | - | - | -
CreateStreamingDistribution | This action creates a new RTMP distribution. | Write | streaming-distribution* (p. 161) | - | -
CreateStreamingDistributionWithTags | This action creates a new RTMP distribution with tags. | Tagging | streaming-distribution* (p. 161) | aws:RequestTag/${TagKey} (p. 162), aws:TagKeys (p. 162) | -
DeleteCachePolicy | This action deletes a cache policy. | Write | - | - | -
DeleteCloudFrontOriginAccessIdentity | This action deletes a CloudFront origin access identity. | Write | origin-access-identity* (p. 161) | - | -
DeleteDistribution | This action deletes a web distribution. | Write | distribution* (p. 161) | - | -
DeleteFieldLevelEncryptionConfig | This action deletes a field-level encryption configuration. | Write | - | - | -
DeleteFieldLevelEncryptionProfile | This action deletes a field-level encryption profile. | Write | - | - | -
DeleteOriginRequestPolicy | This action deletes an origin request policy. | Write | - | - | -
DeletePublicKey | This action deletes a public key from CloudFront. | Write | - | - | -
DeleteStreamingDistribution | This action deletes an RTMP distribution. | Write | streaming-distribution* (p. 161) | - | -
GetCachePolicy | Get the cache policy | Read | - | - | -
GetCachePolicyConfig | Get the cache policy configuration | Read | - | - | -
GetCloudFrontOriginAccessIdentity | Get the information about a CloudFront origin access identity. | Read | origin-access-identity* (p. 161) | - | -
GetCloudFrontOriginAccessIdentityConfig | Get the configuration information about a CloudFront origin access identity. | Read | origin-access-identity* (p. 161) | - | -
GetDistribution | Get the information about a web distribution. | Read | distribution* (p. 161) | - | -
GetDistributionConfig | Get the configuration information about a distribution. | Read | distribution* (p. 161) | - | -
GetFieldLevelEncryption | Get the field-level encryption configuration information. | Read | - | - | -
GetFieldLevelEncryptionConfig | Get the field-level encryption configuration information. | Read | - | - | -
GetFieldLevelEncryptionProfile | Get the field-level encryption configuration information. | Read | - | - | -
GetFieldLevelEncryptionProfileConfig | Get the field-level encryption profile configuration information. | Read | - | - | -
GetInvalidation | Get the information about an invalidation. | Read | distribution* (p. 161) | - | -
GetOriginRequestPolicy | Get the origin request policy | Read | - | - | -
GetOriginRequestPolicyConfig | Get the origin request policy configuration | Read | - | - | -
GetPublicKey | Get the public key information. | Read | - | - | -
GetPublicKeyConfig | Get the public key configuration information. | Read | - | - | -
GetStreamingDistribution | Get the information about an RTMP distribution. | Read | streaming-distribution* (p. 161) | - | -
GetStreamingDistributionConfig | Get the configuration information about a streaming distribution. | Read | streaming-distribution* (p. 161) | - | -
ListCachePolicies | List all cache policies that have been created in CloudFront for this account. | List | - | - | -
ListCloudFrontOriginAccessIdentities | List your CloudFront origin access identities. | List | - | - | -
ListDistributions | List the distributions associated with your AWS account. | List | - | - | -
ListDistributionsByCachePolicyId | List distribution IDs for distributions that have a cache behavior that's associated with the specified cache policy. | List | - | - | -
ListDistributionsByOriginRequestPolicyId | List distribution IDs for distributions that have a cache behavior that's associated with the specified origin request policy. | List | - | - | -
ListDistributionsByWebACLId | List the distributions associated with your AWS account with given AWS WAF web ACL. | List | - | - | -
ListFieldLevelEncryptionConfigs | List all field-level encryption configurations that have been created in CloudFront for this account. | List | - | - | -
ListFieldLevelEncryptionProfiles | List all field-level encryption profiles that have been created in CloudFront for this account. | List | - | - | -
ListInvalidations | List your invalidation batches. | List | distribution* (p. 161) | - | -
ListOriginRequestPolicies | List all origin request policies that have been created in CloudFront for this account. | List | - | - | -
ListPublicKeys | List all public keys that have been added to CloudFront for this account. | List | - | - | -
ListStreamingDistributions | List your RTMP distributions. | List | - | - | -
ListTagsForResource | List tags for a CloudFront resource. | Read | distribution (p. 161), streaming-distribution (p. 161) | - | -
TagResource | Add tags to a CloudFront resource. | Tagging | distribution (p. 161), streaming-distribution (p. 161) | aws:RequestTag/${TagKey} (p. 162), aws:TagKeys (p. 162) | -
UntagResource | Remove tags from a CloudFront resource. | Tagging | distribution (p. 161), streaming-distribution (p. 161) | aws:TagKeys (p. 162) | -
UpdateCachePolicy | This action updates a cache policy. | Write | - | - | -
UpdateCloudFrontOriginAccessIdentity | This action sets the configuration for a CloudFront origin access identity. | Write | origin-access-identity* (p. 161) | - | -
UpdateDistribution | This action updates the configuration for a web distribution. | Write | distribution* (p. 161) | - | -
UpdateFieldLevelEncryptionConfig | This action updates a field-level encryption configuration. | Write | - | - | -
UpdateFieldLevelEncryptionProfile | This action updates a field-level encryption profile. | Write | - | - | -
UpdateOriginRequestPolicy | This action updates an origin request policy. | Write | - | - | -
UpdatePublicKey | This action updates public key information. | Write | - | - | -
UpdateStreamingDistribution | This action updates the configuration for an RTMP distribution. | Write | streaming-distribution* (p. 161) | - | -
Resource types defined by Amazon CloudFront


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 156) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
distribution | arn:${Partition}:cloudfront::${Account}:distribution/${DistributionId} | aws:ResourceTag/${TagKey} (p. 162)
streaming-distribution | arn:${Partition}:cloudfront::${Account}:streaming-distribution/${DistributionId} | aws:ResourceTag/${TagKey} (p. 162)
origin-access-identity | arn:${Partition}:cloudfront::${Account}:origin-access-identity/${Id} | -
field-level-encryption | arn:${Partition}:cloudfront::${Account}:field-level-encryption/${Id} | -
field-level-encryption-profile | arn:${Partition}:cloudfront::${Account}:field-level-encryption-profile/${Id} | -
cache-policy | arn:${Partition}:cloudfront::${Account}:cache-policy/${Id} | -
origin-request-policy | arn:${Partition}:cloudfront::${Account}:origin-request-policy/${Id} | -

Condition keys for Amazon CloudFront


Amazon CloudFront defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for AWS CloudHSM
AWS CloudHSM (service prefix: cloudhsm) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CloudHSM (p. 163)
• Resource types defined by AWS CloudHSM (p. 165)
• Condition keys for AWS CloudHSM (p. 166)


Actions defined by AWS CloudHSM


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddTagsToResource | Adds or overwrites one or more tags for the specified AWS CloudHSM resource | Tagging | - | - | -
CopyBackupToRegion | Creates a copy of a backup in the specified region | Write | backup* (p. 166) | aws:RequestTag/${TagKey} (p. 166), aws:TagKeys (p. 166) | -
CreateCluster | Creates a new AWS CloudHSM cluster | Write | backup (p. 166) | aws:RequestTag/${TagKey} (p. 166), aws:TagKeys (p. 166) | -
CreateHapg | Creates a high-availability partition group | Write | - | - | -
CreateHsm | Creates a new hardware security module (HSM) in the specified AWS CloudHSM cluster | Write | cluster* (p. 166) | - | -
CreateLunaClient | Creates an HSM client | Write | - | - | -
DeleteBackup | Deletes the specified CloudHSM backup | Write | backup* (p. 166) | - | -
DeleteCluster | Deletes the specified AWS CloudHSM cluster | Write | cluster* (p. 166) | - | -
DeleteHapg | Deletes a high-availability partition group | Write | - | - | -
DeleteHsm | Deletes the specified HSM | Write | - | - | -
DeleteLunaClient | Deletes a client | Write | - | - | -
DescribeBackups | Gets information about backups of AWS CloudHSM clusters | Read | - | - | -
DescribeClusters | Gets information about AWS CloudHSM clusters | Read | - | - | -
DescribeHapg | Retrieves information about a high-availability partition group | Read | - | - | -
DescribeHsm | Retrieves information about an HSM. You can identify the HSM by its ARN or its serial number | Read | - | - | -
DescribeLunaClient | Retrieves information about an HSM client | Read | - | - | -
GetConfig | Gets the configuration files necessary to connect to all high availability partition groups the client is associated with | Read | - | - | -
InitializeCluster | Claims an AWS CloudHSM cluster | Write | cluster* (p. 166) | - | -
ListAvailableZones | Lists the Availability Zones that have available AWS CloudHSM capacity | List | - | - | -
ListHapgs | Lists the high-availability partition groups for the account | List | - | - | -
ListHsms | Retrieves the identifiers of all of the HSMs provisioned for the current customer | List | - | - | -
ListLunaClients | Lists all of the clients | List | - | - | -
ListTags | Gets a list of tags for the specified AWS CloudHSM cluster | Read | backup (p. 166), cluster (p. 166) | - | -
ListTagsForResource | Returns a list of all tags for the specified AWS CloudHSM resource | Read | - | - | -
ModifyHapg | Modifies an existing high-availability partition group | Write | - | - | -
ModifyHsm | Modifies an HSM | Write | - | - | -
ModifyLunaClient | Modifies the certificate used by the client | Write | - | - | -
RemoveTagsFromResource | Removes one or more tags from the specified AWS CloudHSM resource | Tagging | - | - | -
RestoreBackup | Restores the specified CloudHSM backup | Write | backup* (p. 166) | - | -
TagResource | Adds or overwrites one or more tags for the specified AWS CloudHSM cluster | Tagging | backup (p. 166), cluster (p. 166) | aws:RequestTag/${TagKey} (p. 166), aws:TagKeys (p. 166) | -
UntagResource | Removes the specified tag or tags from the specified AWS CloudHSM cluster | Tagging | backup (p. 166), cluster (p. 166) | aws:TagKeys (p. 166) | -

Resource types defined by AWS CloudHSM


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 163) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
backup | arn:${Partition}:cloudhsm:${Region}:${Account}:backup/${CloudHsmBackupInstanceName} | aws:ResourceTag/${TagKey} (p. 166)
cluster | arn:${Partition}:cloudhsm:${Region}:${Account}:cluster/${CloudHsmClusterInstanceName} | aws:ResourceTag/${TagKey} (p. 166)

Condition keys for AWS CloudHSM


AWS CloudHSM defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for Amazon CloudSearch
Amazon CloudSearch (service prefix: cloudsearch) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon CloudSearch (p. 167)
• Resource types defined by Amazon CloudSearch (p. 169)
• Condition keys for Amazon CloudSearch (p. 169)


Actions defined by Amazon CloudSearch


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddTags | Attaches resource tags to an Amazon CloudSearch domain. | Tagging | domain* (p. 169) | - | -
BuildSuggesters | Indexes the search suggestions. | Write | domain* (p. 169) | - | -
CreateDomain | Creates a new search domain. | Write | domain* (p. 169) | - | -
DefineAnalysisScheme | Configures an analysis scheme that can be applied to a text or text-array field to define language-specific text processing options. | Write | domain* (p. 169) | - | -
DefineExpression | Configures an Expression for the search domain. | Write | domain* (p. 169) | - | -
DefineIndexField | Configures an IndexField for the search domain. | Write | domain* (p. 169) | - | -
DefineSuggester | Configures a suggester for a domain. | Write | domain* (p. 169) | - | -
DeleteAnalysisScheme | Deletes an analysis scheme. | Write | domain* (p. 169) | - | -
DeleteDomain | Permanently deletes a search domain and all of its data. | Write | domain* (p. 169) | - | -
DeleteExpression | Removes an Expression from the search domain. | Write | domain* (p. 169) | - | -
DeleteIndexField | Removes an IndexField from the search domain. | Write | domain* (p. 169) | - | -
DeleteSuggester | Deletes a suggester. | Write | domain* (p. 169) | - | -
DescribeAnalysisSchemes | Gets the analysis schemes configured for a domain. | Read | domain* (p. 169) | - | -
DescribeAvailabilityOptions | Gets the availability options configured for a domain. | Read | domain* (p. 169) | - | -
DescribeDomainEndpointOptions | Gets the domain endpoint options configured for a domain. | Read | domain* (p. 169) | - | -
DescribeDomains | Gets information about the search domains owned by this account. | List | domain* (p. 169) | - | -
DescribeExpressions | Gets the expressions configured for the search domain. | Read | domain* (p. 169) | - | -
DescribeIndexFields | Gets information about the index fields configured for the search domain. | Read | domain* (p. 169) | - | -
DescribeScalingParameters | Gets the scaling parameters configured for a domain. | Read | domain* (p. 169) | - | -
DescribeServiceAccessPolicies | Gets information about the access policies that control access to the domain's document and search endpoints. | Read | domain* (p. 169) | - | -
DescribeSuggesters | Gets the suggesters configured for a domain. | Read | domain* (p. 169) | - | -
IndexDocuments | Tells the search domain to start indexing its documents using the latest indexing options. | Write | domain* (p. 169) | - | -
ListDomainNames | Lists all search domains owned by an account. | List | domain* (p. 169) | - | -
ListTags | Displays all of the resource tags for an Amazon CloudSearch domain. | Read | domain* (p. 169) | - | -
RemoveTags | Removes the specified resource tags from an Amazon ES domain. | Tagging | domain* (p. 169) | - | -
UpdateAvailabilityOptions | Configures the availability options for a domain. | Write | domain* (p. 169) | - | -
UpdateDomainEndpointOptions | Configures the domain endpoint options for a domain. | Write | domain* (p. 169) | - | -
168
Service Authorization Reference
Service Authorization Reference
AWS CloudShell

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Configures scaling parameters Write domain*    


UpdateScalingParameters
for a domain. (p. 169)

Configures the access rules that Permissions domain*    


UpdateServiceAccessPolicies
control access to the domain's management (p. 169)
document and search endpoints.

document Allows access to the document Write domain    


[permission service operations. (p. 169)
only]

search Allows access to the search Read domain    


[permission operations. (p. 169)
only]

suggest Allows access to the suggest Read domain    


[permission operations. (p. 169)
only]

Resource types defined by Amazon CloudSearch


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 167) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).
Note
For information about using Amazon CloudSearch resource ARNs in an IAM policy, see Amazon
CloudSearch ARNs in the Amazon CloudSearch Developer Guide.

Resource types | ARN | Condition keys
domain | arn:${Partition}:cloudsearch:${Region}:${Account}:domain/${DomainName} |

Condition keys for Amazon CloudSearch


CloudSearch has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS CloudShell

AWS CloudShell (service prefix: cloudshell) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CloudShell (p. 170)
• Resource types defined by AWS CloudShell (p. 171)
• Condition keys for AWS CloudShell (p. 171)

Actions defined by AWS CloudShell


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateEnvironment [permission only] | Grants permissions to create a CloudShell environment | Write | | |
CreateSession [permission only] | Grants permissions to connect to a CloudShell environment from the AWS Console | Write | Environment* (p. 171) | |
GetFileDownloadUrls [permission only] | Grants permissions to download files from a CloudShell environment | Write | Environment* (p. 171) | |
GetFileUploadUrls [permission only] | Grants permissions to upload files to a CloudShell environment | Write | Environment* (p. 171) | |
PutCredentials [permission only] | Grants permissions to forward console credentials to the environment | Write | Environment* (p. 171) | |

Resource types defined by AWS CloudShell


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 170) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
Environment | arn:${Partition}:cloudshell:${Region}:${Account}:environment/${EnvironmentId} |

Condition keys for AWS CloudShell


CloudShell has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS CloudTrail

AWS CloudTrail (service prefix: cloudtrail) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CloudTrail (p. 171)
• Resource types defined by AWS CloudTrail (p. 173)
• Condition keys for AWS CloudTrail (p. 173)

Actions defined by AWS CloudTrail


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddTags | Grants permission to add one or more tags to a trail, up to a limit of 10 | Tagging | trail* (p. 173) | |
CreateTrail | Grants permission to create a trail that specifies the settings for delivery of log data to an Amazon S3 bucket | Write | trail* (p. 173) | | s3:PutObject
DeleteTrail | Grants permission to delete a trail | Write | trail* (p. 173) | |
DescribeTrails | Grants permission to list settings for the trails associated with the current region for your account | Read | | |
GetEventSelectors | Grants permission to list settings for event selectors configured for a trail | Read | trail* (p. 173) | |
GetInsightSelectors | Grants permission to list CloudTrail Insights selectors that are configured for a trail | Read | trail* (p. 173) | |
GetTrail | Grants permission to list settings for the trail | Read | | |
GetTrailStatus | Grants permission to retrieve a JSON-formatted list of information about the specified trail | Read | trail* (p. 173) | |
ListPublicKeys | Grants permission to list the public keys whose private keys were used to sign trail digest files within a specified time range | Read | | |
ListTags | Grants permission to list the tags for trails in the current region | Read | trail* (p. 173) | |
ListTrails | Grants permission to list trails associated with the current region for your account | List | | |
LookupEvents | Grants permission to look up API activity events captured by CloudTrail that create, update, or delete resources in your account | Read | | |
PutEventSelectors | Grants permission to create and update event selectors for a trail | Write | trail* (p. 173) | |
PutInsightSelectors | Grants permission to create and update CloudTrail Insights selectors for a trail | Write | trail* (p. 173) | |
RemoveTags | Grants permission to remove tags from a trail | Tagging | trail* (p. 173) | |
StartLogging | Grants permission to start the recording of AWS API calls and log file delivery for a trail | Write | trail* (p. 173) | |
StopLogging | Grants permission to stop the recording of AWS API calls and log file delivery for a trail | Write | trail* (p. 173) | |
UpdateTrail | Grants permission to update the settings that specify delivery of log files | Write | trail* (p. 173) | |

Resource types defined by AWS CloudTrail


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 171) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).
Note
For policies that control access to CloudTrail actions, the Resource element is always set to "*".
For information about using resource ARNs in an IAM policy, see Granting Custom Permissions in
the AWS CloudTrail User Guide.

Resource types | ARN | Condition keys
trail | arn:${Partition}:cloudtrail:${Region}:${Account}:trail/${TrailName} |

Condition keys for AWS CloudTrail


CloudTrail has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon CloudWatch

Amazon CloudWatch (service prefix: cloudwatch) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon CloudWatch (p. 174)
• Resource types defined by Amazon CloudWatch (p. 178)
• Condition keys for Amazon CloudWatch (p. 178)

Actions defined by Amazon CloudWatch


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
DeleteAlarms | Grants permission to delete a collection of alarms | Write | alarm* (p. 178) | |
DeleteAnomalyDetector | Grants permission to delete the specified anomaly detection model from your account. | Write | | |
DeleteDashboards | Grants permission to delete all CloudWatch dashboards that you specify | Write | dashboard* (p. 178) | |
DeleteInsightRules | Grants permission to delete a collection of insight rules | Write | insight-rule* (p. 178) | |
DescribeAlarmHistory | Grants permission to retrieve the history for the specified alarm | Read | alarm* (p. 178) | |
DescribeAlarms | Grants permission to describe all alarms, currently owned by the user's account | Read | alarm* (p. 178) | |
DescribeAlarmsForMetric | Grants permission to describe all alarms configured on the specified metric, currently owned by the user's account | Read | | |
DescribeAnomalyDetectors | Grants permission to list the anomaly detection models that you have created in your account. | Read | | |
DescribeInsightRules | Grants permission to describe all insight rules, currently owned by the user's account | Read | | |
DisableAlarmActions | Grants permission to disable actions for a collection of alarms | Write | alarm* (p. 178) | |
DisableInsightRules | Grants permission to disable a collection of insight rules | Write | insight-rule* (p. 178) | |
EnableAlarmActions | Grants permission to enable actions for a collection of alarms | Write | alarm* (p. 178) | |
EnableInsightRules | Grants permission to enable a collection of insight rules | Write | insight-rule* (p. 178) | |
GetDashboard | Grants permission to display the details of the CloudWatch dashboard you specify | Read | dashboard* (p. 178) | |
GetInsightRuleReport | Grants permission to return the top-N report of unique contributors over a time range for a given insight rule | Read | insight-rule* (p. 178) | |
GetMetricData | Grants permission to retrieve batch amounts of CloudWatch metric data and perform metric math on retrieved data | Read | | |
GetMetricStatistics | Grants permission to retrieve statistics for the specified metric | Read | | |
GetMetricWidgetImage | Grants permission to retrieve snapshots of metric widgets | Read | | |
ListDashboards | Grants permission to return a list of all CloudWatch dashboards in your account | List | | |
ListMetrics | Grants permission to retrieve a list of valid metrics stored for the AWS account owner | List | | |
ListTagsForResource | Grants permission to list tags for an Amazon CloudWatch resource | List | alarm (p. 178); insight-rule (p. 178) | |
  SCENARIO: CloudWatch-Alarm | | | alarm* (p. 178) | |
  SCENARIO: CloudWatch-InsightRule | | | insight-rule* (p. 178) | |
PutAnomalyDetector | Grants permission to create or update an anomaly detection model for a CloudWatch metric. | Write | | |
PutCompositeAlarm | Grants permission to create or update a composite alarm | Write | alarm* (p. 178) | aws:RequestTag/${TagKey} (p. 178); aws:TagKeys (p. 178) |
PutDashboard | Grants permission to create a CloudWatch dashboard, or update an existing dashboard if it already exists | Write | dashboard* (p. 178) | |
PutInsightRule | Grants permission to create a new insight rule or replace an existing insight rule | Write | insight-rule* (p. 178) | aws:RequestTag/${TagKey} (p. 178); aws:TagKeys (p. 178) |
PutMetricAlarm | Grants permission to create or update an alarm and associates it with the specified Amazon CloudWatch metric | Write | alarm* (p. 178) | aws:RequestTag/${TagKey} (p. 178); aws:TagKeys (p. 178) |
PutMetricData | Grants permission to publish metric data points to Amazon CloudWatch | Write | | cloudwatch:namespace (p. 178) |
SetAlarmState | Grants permission to temporarily set the state of an alarm for testing purposes | Write | alarm* (p. 178) | |
TagResource | Grants permission to add tags to an Amazon CloudWatch resource | Tagging | alarm (p. 178); insight-rule (p. 178) | aws:TagKeys (p. 178); aws:RequestTag/${TagKey} (p. 178) |
  SCENARIO: CloudWatch-Alarm | | | alarm* (p. 178) | |
  SCENARIO: CloudWatch-InsightRule | | | insight-rule* (p. 178) | |
UntagResource | Grants permission to remove a tag from an Amazon CloudWatch resource | Tagging | alarm (p. 178); insight-rule (p. 178) | aws:TagKeys (p. 178) |
  SCENARIO: CloudWatch-Alarm | | | alarm* (p. 178) | |
  SCENARIO: CloudWatch-InsightRule | | | insight-rule* (p. 178) | |

Resource types defined by Amazon CloudWatch


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 174) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
alarm | arn:${Partition}:cloudwatch:${Region}:${Account}:alarm:${AlarmName} | aws:ResourceTag/${TagKey} (p. 178)
dashboard | arn:${Partition}:cloudwatch::${Account}:dashboard/${DashboardName} |
insight-rule | arn:${Partition}:cloudwatch:${Region}:${Account}:insight-rule/${InsightRuleName} | aws:ResourceTag/${TagKey} (p. 178)

Condition keys for Amazon CloudWatch


Amazon CloudWatch defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource | String
aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String
cloudwatch:namespace | Filters actions based on the presence of optional namespace values | String

Actions, resources, and condition keys for CloudWatch Application Insights

CloudWatch Application Insights (service prefix: applicationinsights) provides the following
service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by CloudWatch Application Insights (p. 179)
• Resource types defined by CloudWatch Application Insights (p. 180)
• Condition keys for CloudWatch Application Insights (p. 180)

Actions defined by CloudWatch Application Insights


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateApplication | Creates an application from a resource group | Write | | |
CreateComponent | Creates a component from a group of resources | Write | | |
DeleteApplication | Deletes an application | Write | | |
DeleteComponent | Deletes a component | Write | | |
DescribeApplication | Describes an application | Read | | |
DescribeComponent | Describes a component | Read | | |
DescribeComponentConfiguration | Describes a component configuration | Read | | |
DescribeComponentConfigurationRecommendation | Describes the recommended application component configuration | Read | | |
DescribeObservation | Describes an observation | Read | | |
DescribeProblem | Describes a problem | Read | | |
DescribeProblemObservations | Describes the observation in a problem | Read | | |
ListApplications | Lists all applications | List | | |
ListComponents | Lists an application's components | List | | |
ListProblems | Lists the problems in an application | List | | |
UpdateApplication | Updates an application | Write | | |
UpdateComponent | Updates a component | Write | | |
UpdateComponentConfiguration | Updates a component configuration | Write | | |

Resource types defined by CloudWatch Application Insights


CloudWatch Application Insights does not support specifying a resource ARN in the Resource element
of an IAM policy statement. To allow access to CloudWatch Application Insights, specify "Resource":
"*" in your policy.

Condition keys for CloudWatch Application Insights


CloudWatch Application Insights has no service-specific context keys that can be used in the Condition
element of policy statements. For the list of the global context keys that are available to all services, see
Available keys for conditions.

Actions, resources, and condition keys for Amazon CloudWatch Logs

Amazon CloudWatch Logs (service prefix: logs) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon CloudWatch Logs (p. 181)
• Resource types defined by Amazon CloudWatch Logs (p. 185)
• Condition keys for Amazon CloudWatch Logs (p. 185)

Actions defined by Amazon CloudWatch Logs


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateKmsKey | Associates the specified AWS Key Management Service (AWS KMS) customer master key (CMK) with the specified log group. | Write | log-group* (p. 185) | |
CancelExportTask | Cancels an export task if it is in PENDING or RUNNING state | Write | | |
CreateExportTask | Creates an ExportTask which allows you to efficiently export data from a Log Group to your Amazon S3 bucket | Write | log-group* (p. 185) | |
CreateLogDelivery [permission only] | Creates the log delivery | Write | | |
CreateLogGroup | Creates a new log group with the specified name | Write | log-group* (p. 185) | |
CreateLogStream | Creates a new log stream with the specified name | Write | log-group* (p. 185) | |
DeleteDestination | Deletes the destination with the specified name and eventually disables all the subscription filters that publish to it | Write | | |
DeleteLogDelivery [permission only] | Deletes the log delivery information for specified log delivery | Write | | |
DeleteLogGroup | Deletes the log group with the specified name and permanently deletes all the archived log events associated with it | Write | log-group* (p. 185) | |
DeleteLogStream | Deletes a log stream and permanently deletes all the archived log events associated with it | Write | log-stream* (p. 185) | |
DeleteMetricFilter | Deletes a metric filter associated with the specified log group | Write | log-group* (p. 185) | |
DeleteResourcePolicy | Deletes a resource policy from this account | Write | | |
DeleteRetentionPolicy | Deletes the retention policy of the specified log group | Write | log-group* (p. 185) | |
DeleteSubscriptionFilter | Deletes a subscription filter associated with the specified log group | Write | log-group* (p. 185) | |
DescribeDestinations | Returns all the destinations that are associated with the AWS account making the request | List | | |
DescribeExportTasks | Returns all the export tasks that are associated with the AWS account making the request | List | | |
DescribeLogGroups | Returns all the log groups that are associated with the AWS account making the request | List | log-group* (p. 185) | |
DescribeLogStreams | Returns all the log streams that are associated with the specified log group | List | log-group* (p. 185) | |
DescribeMetricFilters | Returns all the metrics filters associated with the specified log group | List | log-group* (p. 185) | |
DescribeQueries | Returns a list of CloudWatch Logs Insights queries that are scheduled, executing, or have been executed recently in this account. You can request all queries, or limit it to queries of a specific log group or queries with a certain status. | List | | |
DescribeResourcePolicies | Returns all the resource policies in this account. | List | | |
DescribeSubscriptionFilters | Returns all the subscription filters associated with the specified log group | List | log-group* (p. 185) | |
DisassociateKmsKey | Disassociates the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group | Write | log-group* (p. 185) | |
FilterLogEvents | Retrieves log events, optionally filtered by a filter pattern from the specified log group | Read | log-group* (p. 185) | |
GetLogDelivery [permission only] | Gets the log delivery information for specified log delivery | Read | | |
GetLogEvents | Retrieves log events from the specified log stream | Read | log-stream* (p. 185) | |
GetLogGroupFields | Returns a list of the fields that are included in log events in the specified log group, along with the percentage of log events that contain each field. The search is limited to a time period that you specify. | Read | log-group* (p. 185) | |
GetLogRecord | Retrieves all the fields and values of a single log event. All fields are retrieved, even if the original query that produced the logRecordPointer retrieved only a subset of fields. Fields are returned as field name/field value pairs. | Read | | |
GetQueryResults | Returns the results from the specified query. If the query is in progress, partial results of that current execution are returned. Only the fields requested in the query are returned. | Read | | |
ListLogDeliveries [permission only] | Lists all the log deliveries for specified account and/or log source | List | | |
ListTagsLogGroup | Lists the tags for the specified log group | List | log-group* (p. 185) | |
PutDestination | Creates or updates a Destination | Write | | | iam:PassRole
PutDestinationPolicy | Creates or updates an access policy associated with an existing Destination | Write | | |
PutLogEvents | Uploads a batch of log events to the specified log stream | Write | log-stream* (p. 185) | |
PutMetricFilter | Creates or updates a metric filter and associates it with the specified log group | Write | log-group* (p. 185) | |
PutResourcePolicy | Creates or updates a resource policy allowing other AWS services to put log events to this account | Write | | |
PutRetentionPolicy | Sets the retention of the specified log group | Write | log-group* (p. 185) | |
PutSubscriptionFilter | Creates or updates a subscription filter and associates it with the specified log group | Write | log-group* (p. 185) | | iam:PassRole
StartQuery | Schedules a query of a log group using CloudWatch Logs Insights. You specify the log group and time range to query, and the query string to use. | Read | log-group* (p. 185) | |
StopQuery | Stops a CloudWatch Logs Insights query that is in progress. If the query has already ended, the operation returns an error indicating that the specified query is not running. | Read | | |
TagLogGroup | Adds or updates the specified tags for the specified log group | Write | log-group* (p. 185) | |
TestMetricFilter | Tests the filter pattern of a metric filter against a sample of log event messages | Read | | |
UntagLogGroup | Removes the specified tags from the specified log group | Write | log-group* (p. 185) | |
UpdateLogDelivery [permission only] | Updates the log delivery information for specified log delivery | Write | | |

Resource types defined by Amazon CloudWatch Logs


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 181) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
log-group | arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName} |
log-stream | arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName} |

Condition keys for Amazon CloudWatch Logs


CloudWatch Logs has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.
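As an added example (not part of the original reference), an IAM identity policy that applies the CloudWatch Logs tables above: the required log-stream and log-group resource types are filled in using the ARN formats listed, the iam:PassRole dependent action of PutSubscriptionFilter is scoped to a single role, and the account-level actions that show no resource type are granted on "*" as the text requires. The account ID, Region, log group, role name and stream pattern are constructed placeholders; the iam:PassedToService global condition key and the logs.amazonaws.com service principal are not listed on this page and are assumed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteAndReadStreamsOfOneLogGroup",
      "Effect": "Allow",
      "Action": ["logs:PutLogEvents", "logs:GetLogEvents"],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/payments:log-stream:*"
    },
    {
      "Sid": "ManageSubscriptionFiltersOfOneLogGroup",
      "Effect": "Allow",
      "Action": ["logs:PutSubscriptionFilter", "logs:DescribeSubscriptionFilters"],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/payments"
    },
    {
      "Sid": "DependentPassRoleLimitedToOneRoleAndService",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/cwl-subscription-delivery",
      "Condition": {
        "StringEquals": {"iam:PassedToService": "logs.amazonaws.com"}
      }
    },
    {
      "Sid": "ActionsWithoutResourceTypeRequireStar",
      "Effect": "Allow",
      "Action": ["logs:DescribeResourcePolicies", "logs:ListLogDeliveries"],
      "Resource": "*"
    }
  ]
}
```

Without the third statement, a PutSubscriptionFilter call that names a delivery role is refused even though the logs:PutSubscriptionFilter action itself is allowed, which is what the Dependent actions column is warning about.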

Actions, resources, and condition keys for Amazon CloudWatch Synthetics
Amazon CloudWatch Synthetics (service prefix: synthetics) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:
• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon CloudWatch Synthetics (p. 186)
• Resource types defined by Amazon CloudWatch Synthetics (p. 187)
• Condition keys for Amazon CloudWatch Synthetics (p. 187)

Actions defined by Amazon CloudWatch Synthetics


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateCanary | Creates a canary. | Write | | |
DeleteCanary | Deletes a canary. Amazon Synthetics deletes all the resources except for the Lambda function and the CloudWatch Alarms, if you created one. | Write | canary* (p. 187) | |
DescribeCanaries | Returns information about all canaries. | Read | | |
DescribeCanariesLastRun | Returns information about the last test run associated with all canaries. | Read | | |
GetCanaryRuns | Returns information about all the test runs associated with a canary. | Read | canary* (p. 187) | |
ListTagsForResource | Returns a list of all tags and values associated with a canary. | Read | canary (p. 187) | |
StartCanary | Starts a canary, so that Amazon Synthetics starts monitoring a website. | Write | canary* (p. 187) | |
StopCanary | Stops a canary. | Write | canary* (p. 187) | |
TagResource | Adds one or more tags to a canary. | Write | canary (p. 187) | |
UntagResource | Removes one or more tags from a canary. | Write | canary (p. 187) | |
UpdateCanary | Updates a canary. | Write | canary* (p. 187) | |

Resource types defined by Amazon CloudWatch Synthetics


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 186) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
canary | arn:${Partition}:synthetics::${Account}:canary:${CanaryName} |

Condition keys for Amazon CloudWatch Synthetics


CloudWatch Synthetics has no service-specific context keys that can be used in the Condition element
of policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS CodeArtifact
AWS CodeArtifact (service prefix: codeartifact) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:
• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CodeArtifact (p. 187)
• Resource types defined by AWS CodeArtifact (p. 191)
• Condition keys for AWS CodeArtifact (p. 191)

Actions defined by AWS CodeArtifact


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateExternalConnection | Grants permission to add an external connection to a repository | Write | repository* (p. 191) | |
AssociateWithDownstreamRepository | Grants permission to associate an existing repository as an upstream repository to another repository | Write | repository* (p. 191) | |
CopyPackageVersions | Grants permission to copy package versions from one repository to another repository in the same domain | Write | package* (p. 191), repository* (p. 191) | |
CreateDomain | Grants permission to create a new domain | Write | | aws:RequestTag/${TagKey} (p. 191), aws:TagKeys (p. 192) |
CreateRepository | Grants permission to create a new repository | Write | | aws:RequestTag/${TagKey} (p. 191), aws:TagKeys (p. 192) |
DeleteDomain | Grants permission to delete a domain | Write | domain* (p. 191) | |
DeleteDomainPermissionsPolicy | Grants permission to delete the resource policy set on a domain | Permissions management | domain* (p. 191) | |
DeletePackageVersions | Grants permission to delete package versions | Write | package* (p. 191) | |
DeleteRepository | Grants permission to delete a repository | Write | repository* (p. 191) | |
DeleteRepositoryPermissionsPolicy | Grants permission to delete the resource policy set on a repository | Permissions management | repository* (p. 191) | |
DescribeDomain | Grants permission to return information about a domain | Read | domain* (p. 191) | |
DescribePackageVersion | Grants permission to return information about a package version | Read | package* (p. 191) | |
DescribeRepository | Grants permission to return detailed information about a repository | Read | repository* (p. 191) | |
DisassociateExternalConnection | Grants permission to disassociate an external connection from a repository | Write | repository* (p. 191) | |
DisposePackageVersions | Grants permission to set the status of package versions to Disposed and delete their assets | Write | package* (p. 191) | |
GetAuthorizationToken | Grants permission to generate a temporary authentication token for accessing repositories in a domain | Read | domain* (p. 191) | |
GetDomainPermissionsPolicy | Grants permission to return a domain's resource policy | Read | domain* (p. 191) | |
GetPackageVersionAsset | Grants permission to return an asset (or file) that is part of a package version | Read | package* (p. 191) | |
GetPackageVersionReadme | Grants permission to return a package version's readme file | Read | package* (p. 191) | |
GetRepositoryEndpoint | Grants permission to return an endpoint for a repository | Read | repository* (p. 191) | |
GetRepositoryPermissionsPolicy | Grants permission to return a repository's resource policy | Read | repository* (p. 191) | |
ListDomains | Grants permission to list the domains in the current user's AWS account | List | | |
ListPackageVersionAssets | Grants permission to list a package version's assets | List | package* (p. 191) | |
ListPackageVersionDependencies | Grants permission to list the direct dependencies of a package version | List | package* (p. 191) | |
ListPackageVersions | Grants permission to list a package's versions | List | package* (p. 191) | |
ListPackages | Grants permission to list the packages in a repository | List | repository* (p. 191) | |
ListRepositories | Grants permission to list the repositories administered by the calling account | List | | |
ListRepositoriesInDomain | Grants permission to list the repositories in a domain | List | domain* (p. 191) | |
ListTagsForResource | Grants permission to list tags for a CodeArtifact resource | List | domain (p. 191), repository (p. 191) | |
PublishPackageVersion | Grants permission to publish assets and metadata to a repository endpoint | Write | package* (p. 191) | |
PutDomainPermissionsPolicy | Grants permission to attach a resource policy to a domain | Write | domain* (p. 191) | |
PutPackageMetadata | Grants permission to add, modify or remove package metadata using a repository endpoint | Write | package* (p. 191) | |
PutRepositoryPermissionsPolicy | Grants permission to attach a resource policy to a repository | Write | repository* (p. 191) | |
ReadFromRepository | Grants permission to return package assets and metadata from a repository endpoint | Read | repository* (p. 191) | |
TagResource | Grants permission to tag a CodeArtifact resource | Tagging | domain (p. 191), repository (p. 191) | aws:RequestTag/${TagKey} (p. 191), aws:TagKeys (p. 192) |
UntagResource | Grants permission to remove a tag from a CodeArtifact resource | Tagging | domain (p. 191), repository (p. 191) | aws:TagKeys (p. 192) |
UpdatePackageVersionsStatus | Grants permission to modify the status of one or more versions of a package | Write | package* (p. 191) | |
UpdateRepository | Grants permission to modify the properties of a repository | Write | repository* (p. 191) | |

Resource types defined by AWS CodeArtifact


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 187) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
domain | arn:${Partition}:codeartifact:${Region}:${Account}:domain/${DomainName} | aws:ResourceTag/${TagKey} (p. 191)
repository | arn:${Partition}:codeartifact:${Region}:${Account}:repository/${DomainName}/${RepositoryName} | aws:ResourceTag/${TagKey} (p. 191)
package | arn:${Partition}:codeartifact:${Region}:${Account}:package/${DomainName}/${RepositoryName}/${PackageFormat}/${PackageNamespace}/${PackageName} |

Condition keys for AWS CodeArtifact


AWS CodeArtifact defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
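As an added example (not from the original reference), a CodeArtifact identity policy that combines the three condition keys in the table above with the domain and repository ARN formats: creating a repository is allowed only when the request tags it team=payments and uses no tag keys outside an approved set, read access is granted only on repositories that already carry that tag, and the team tag cannot be removed or rewritten by the same principal, since tag-based access control is only as strong as control over the tags themselves. Account ID, Region, domain name, tag keys and values are constructed placeholders; the IfExists operator suffix and the ForAllValues/ForAnyValue set operators are standard IAM policy grammar not listed on this page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateRepositoryOnlyWhenTaggedForTheTeam",
      "Effect": "Allow",
      "Action": "codeartifact:CreateRepository",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:RequestTag/team": "payments"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["team", "cost-center"]}
      }
    },
    {
      "Sid": "AuthorizationTokenForOneDomain",
      "Effect": "Allow",
      "Action": "codeartifact:GetAuthorizationToken",
      "Resource": "arn:aws:codeartifact:us-east-1:123456789012:domain/example-domain"
    },
    {
      "Sid": "ReadOnlyOnRepositoriesAlreadyTaggedForTheTeam",
      "Effect": "Allow",
      "Action": [
        "codeartifact:ReadFromRepository",
        "codeartifact:GetRepositoryEndpoint",
        "codeartifact:DescribeRepository",
        "codeartifact:ListPackages"
      ],
      "Resource": "arn:aws:codeartifact:us-east-1:123456789012:repository/example-domain/*",
      "Condition": {
        "StringEquals": {"aws:ResourceTag/team": "payments"}
      }
    },
    {
      "Sid": "DenyRemovingTheTeamTag",
      "Effect": "Deny",
      "Action": "codeartifact:UntagResource",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {"aws:TagKeys": ["team"]}
      }
    },
    {
      "Sid": "DenyRewritingTheTeamTagToAnotherValue",
      "Effect": "Deny",
      "Action": "codeartifact:TagResource",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {"aws:RequestTag/team": "payments"}
      }
    }
  ]
}
```

The last statement uses the IfExists form so that TagResource calls that do not touch the team key at all are still permitted by other policies, while any attempt to set team to a different value is refused.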

Actions, resources, and condition keys for AWS CodeBuild
AWS CodeBuild (service prefix: codebuild) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:
• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CodeBuild (p. 192)
• Resource types defined by AWS CodeBuild (p. 197)
• Condition keys for AWS CodeBuild (p. 198)

Actions defined by AWS CodeBuild


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchDeleteBuilds | Deletes one or more builds. | Write | project* (p. 197) | |
BatchGetBuildBatches | Gets information about one or more build batches. | Read | project* (p. 197) | |
BatchGetBuilds | Gets information about one or more builds. | Read | project* (p. 197) | |
BatchGetProjects | Gets information about one or more build projects. | Read | project* (p. 197) | |
BatchGetReportGroups | Returns an array of ReportGroup objects that are specified by the input reportGroupArns parameter. | Read | report-group* (p. 198) | |
BatchGetReports | Returns an array of the Report objects specified by the input reportArns parameter. | Read | report-group* (p. 198) | |
BatchPutCodeCoverages [permission only] | Adds or updates information about a report. | Write | report-group* (p. 198) | |
BatchPutTestCases [permission only] | Adds or updates information about a report. | Write | report-group* (p. 198) | |
CreateProject | Creates a build project. | Write | project* (p. 197) | aws:RequestTag/${TagKey} (p. 198), aws:TagKeys (p. 198) |
CreateReport [permission only] | Creates a report. A report is created when tests specified in the buildspec file for a report group run during the build of a project. | Write | report-group* (p. 198) | |
CreateReportGroup | Creates a report group. | Write | report-group* (p. 198) | aws:RequestTag/${TagKey} (p. 198), aws:TagKeys (p. 198) |
CreateWebhook | For an existing AWS CodeBuild build project that has its source code stored in a GitHub or Bitbucket repository, enables AWS CodeBuild to start rebuilding the source code every time a code change is pushed to the repository. | Write | project* (p. 197) | |
DeleteBuildBatch | Deletes a build batch. | Write | project* (p. 197) | |
DeleteOAuthToken [permission only] | Deletes an OAuth token from a connected third-party OAuth provider. Only used in the AWS CodeBuild console. | Write | | |
DeleteProject | Deletes a build project. | Write | project* (p. 197) | |
DeleteReport | Deletes a report. | Write | report-group* (p. 198) | |
DeleteReportGroup | Deletes a report group. | Write | report-group* (p. 198) | |
DeleteResourcePolicy | Deletes a resource policy for the associated project or report group. | Permissions management | project (p. 197), report-group (p. 198) | |
DeleteSourceCredentials | Deletes a set of GitHub, GitHub Enterprise, or Bitbucket source credentials. | Write | | |
DeleteWebhook | For an existing AWS CodeBuild build project that has its source code stored in a GitHub or Bitbucket repository, stops AWS CodeBuild from rebuilding the source code every time a code change is pushed to the repository. | Write | project* (p. 197) | |
DescribeCodeCoverages | Returns an array of CodeCoverage objects. | Read | report-group* (p. 198) | |
DescribeTestCases | Returns an array of TestCase objects. | Read | report-group* (p. 198) | |
GetResourcePolicy | Returns a resource policy for the specified project or report group. | Read | project (p. 197), report-group (p. 198) | |
ImportSourceCredentials | Imports the source repository credentials for an AWS CodeBuild project that has its source code stored in a GitHub, GitHub Enterprise, or Bitbucket repository. | Write | | |
InvalidateProjectCache | Resets the cache for a project. | Write | project* (p. 197) | |
ListBuildBatches | Gets a list of build batch IDs, with each build batch ID representing a single build batch. | List | | |
ListBuildBatchesForProject | Gets a list of build batch IDs for the specified build project, with each build batch ID representing a single build batch. | List | project* (p. 197) | |
ListBuilds | Gets a list of build IDs, with each build ID representing a single build. | List | | |
ListBuildsForProject | Gets a list of build IDs for the specified build project, with each build ID representing a single build. | List | project* (p. 197) | |
ListConnectedOAuthAccounts [permission only] | Lists connected third-party OAuth providers. Only used in the AWS CodeBuild console. | List | | |
ListCuratedEnvironmentImages | Gets information about Docker images that are managed by AWS CodeBuild. | List | | |
ListProjects | Gets a list of build project names, with each build project name representing a single build project. | List | | |
ListReportGroups | Returns a list of report group ARNs. Each report group ARN represents one report group. | List | | |
ListReports | Returns a list of report ARNs. Each report ARN represents one report. | List | | |
ListReportsForReportGroup | Returns a list of report ARNs that belong to the specified report group. Each report ARN represents one report. | List | report-group* (p. 198) | |
ListRepositories [permission only] | Lists source code repositories from a connected third-party OAuth provider. Only used in the AWS CodeBuild console. | List | | |
ListSharedProjects | Returns a list of project ARNs that have been shared with the requester. Each project ARN represents one project. | List | | |
ListSharedReportGroups | Returns a list of report group ARNs that have been shared with the requester. Each report group ARN represents one report group. | List | | |
ListSourceCredentials | Returns a list of SourceCredentialsInfo objects. | List | | |
PersistOAuthToken [permission only] | Saves an OAuth token from a connected third-party OAuth provider. Only used in the AWS CodeBuild console. | Write | | |
PutResourcePolicy | Creates a resource policy for the associated project or report group. | Permissions management | project (p. 197), report-group (p. 198) | |
RetryBuild | Retries a build. | Write | project* (p. 197) | |
RetryBuildBatch | Retries a build batch. | Write | project* (p. 197) | |
StartBuild | Starts running a build. | Write | project* (p. 197) | |
StartBuildBatch | Starts running a build batch. | Write | project* (p. 197) | |
StopBuild | Attempts to stop a running build. | Write | project* (p. 197) | |
StopBuildBatch | Attempts to stop a running build batch. | Write | project* (p. 197) | |
UpdateProject | Changes the settings of an existing build project. | Write | project* (p. 197) | aws:RequestTag/${TagKey} (p. 198), aws:TagKeys (p. 198) |
UpdateReport [permission only] | Updates information about a report. | Write | report-group* (p. 198) | |
UpdateReportGroup | Changes the settings of an existing report group. | Write | report-group* (p. 198) | aws:RequestTag/${TagKey} (p. 198), aws:TagKeys (p. 198) |
UpdateWebhook | Updates the webhook associated with an AWS CodeBuild build project. | Write | project* (p. 197) | |

Resource types defined by AWS CodeBuild


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 192) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
build | arn:${Partition}:codebuild:${Region}:${Account}:build/${BuildId} |
build-batch | arn:${Partition}:codebuild:${Region}:${Account}:build-batch/${BuildBatchId} |
project | arn:${Partition}:codebuild:${Region}:${Account}:project/${ProjectName} | aws:ResourceTag/${TagKey} (p. 198)
report-group | arn:${Partition}:codebuild:${Region}:${Account}:report-group/${ReportGroupName} | aws:ResourceTag/${TagKey} (p. 198)
report | arn:${Partition}:codebuild:${Region}:${Account}:report/${ReportGroupName}:${ReportId} |

Condition keys for AWS CodeBuild


AWS CodeBuild defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for AWS CodeCommit
AWS CodeCommit (service prefix: codecommit) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:
• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CodeCommit (p. 198)
• Resource types defined by AWS CodeCommit (p. 207)
• Condition keys for AWS CodeCommit (p. 208)

Actions defined by AWS CodeCommit


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to associate Write repository*    


AssociateApprovalRuleTemplateWithRepository
an approval rule template with a (p. 208)
repository

Grants permission to associate Write repository*    


BatchAssociateApprovalRuleTemplateWithRepositories
an approval rule template with (p. 208)
multiple repositories in a single
operation

Grants permission to get Read repository*    


BatchDescribeMergeConflicts
information about multiple (p. 208)
merge conflicts when
attempting to merge two
commits using either the three-
way merge or the squash merge
option

Grants permission to remove the Write repository*    


BatchDisassociateApprovalRuleTemplateFromRepositories
association between an approval (p. 208)
rule template and multiple
repositories in a single operation

Grants permission to get return Read repository*    


BatchGetCommitsinformation about one or more (p. 208)
commits in an AWS CodeCommit
repository.

Grants permission to return Read repository*    


BatchGetPullRequests
information about one or (p. 208)
[permission more pull requests in an AWS
only] CodeCommit repository

Grants permission to get Read repository*    


BatchGetRepositories
information about multiple (p. 208)
repositories

Grants permission to cancel the Read repository*    


CancelUploadArchive
uploading of an archive to a (p. 208)
[permission pipeline in AWS CodePipeline
only]

199
Service Authorization Reference
Service Authorization Reference
AWS CodeCommit

CreateApprovalRuleTemplate | Grants permission to create an approval rule template that will automatically create approval rules in pull requests that match the conditions defined in the template; does not grant permission to create approval rules for individual pull requests | Write | - | - | -
CreateBranch | Grants permission to create a branch in an AWS CodeCommit repository with this API; does not control Git create branch actions | Write | repository* (p. 208) | codecommit:References (p. 208) | -
CreateCommit | Grants permission to add, copy, move or update single or multiple files in a branch in an AWS CodeCommit repository, and generate a commit for the changes in the specified branch. | Write | repository* (p. 208) | codecommit:References (p. 208) | -
CreatePullRequest | Grants permission to create a pull request in the specified repository | Write | repository* (p. 208) | - | -
CreatePullRequestApprovalRule | Grants permission to create an approval rule specific to an individual pull request; does not grant permission to create approval rule templates | Write | repository* (p. 208) | - | -
CreateRepository | Grants permission to create an AWS CodeCommit repository | Write | repository* (p. 208) | aws:RequestTag/${TagKey} (p. 208); aws:TagKeys (p. 208) | -
CreateUnreferencedMergeCommit | Grants permission to create an unreferenced commit that contains the result of merging two commits using either the three-way or the squash merge option; does not control Git merge actions | Write | repository* (p. 208) | codecommit:References (p. 208) | -
DeleteApprovalRuleTemplate | Grants permission to delete an approval rule template | Write | - | - | -

DeleteBranch | Grants permission to delete a branch in an AWS CodeCommit repository with this API; does not control Git delete branch actions | Write | repository* (p. 208) | codecommit:References (p. 208) | -
DeleteCommentContent | Grants permission to delete the content of a comment made on a change, file, or commit in a repository | Write | repository* (p. 208) | - | -
DeleteFile | Grants permission to delete a specified file from a specified branch | Write | repository* (p. 208) | codecommit:References (p. 208) | -
DeletePullRequestApprovalRule | Grants permission to delete an approval rule created for a pull request if the rule was not created by an approval rule template | Write | repository* (p. 208) | - | -
DeleteRepository | Grants permission to delete an AWS CodeCommit repository | Write | repository* (p. 208) | - | -
DescribeMergeConflicts | Grants permission to get information about specific merge conflicts when attempting to merge two commits using either the three-way or the squash merge option | Read | repository* (p. 208) | - | -
DescribePullRequestEvents | Grants permission to return information about one or more pull request events | Read | repository* (p. 208) | - | -
DisassociateApprovalRuleTemplateFromRepository | Grants permission to remove the association between an approval rule template and a repository | Write | repository* (p. 208) | - | -
EvaluatePullRequestApprovalRules | Grants permission to evaluate whether a pull request is mergeable based on its current approval state and approval rule requirements | Read | repository* (p. 208) | - | -
GetApprovalRuleTemplate | Grants permission to return information about an approval rule template | Read | - | - | -

GetBlob | Grants permission to view the encoded content of an individual file in an AWS CodeCommit repository from the AWS CodeCommit console | Read | repository* (p. 208) | - | -
GetBranch | Grants permission to get details about a branch in an AWS CodeCommit repository with this API; does not control Git branch actions | Read | repository* (p. 208) | - | -
GetComment | Grants permission to get the content of a comment made on a change, file, or commit in a repository | Read | repository* (p. 208) | - | -
GetCommentReactions | Grants permission to get the reactions on a comment | Read | repository* (p. 208) | - | -
GetCommentsForComparedCommit | Grants permission to get information about comments made on the comparison between two commits | Read | repository* (p. 208) | - | -
GetCommentsForPullRequest | Grants permission to get comments made on a pull request | Read | repository* (p. 208) | - | -
GetCommit | Grants permission to return information about a commit, including commit message and committer information, with this API; does not control Git log actions | Read | repository* (p. 208) | - | -
GetCommitHistory [permission only] | Grants permission to get information about the history of commits in a repository | Read | repository* (p. 208) | - | -
GetCommitsFromMergeBase [permission only] | Grants permission to get information about the difference between commits in the context of a potential merge | Read | repository* (p. 208) | - | -
GetDifferences | Grants permission to view information about the differences between valid commit specifiers such as a branch, tag, HEAD, commit ID, or other fully qualified reference | Read | repository* (p. 208) | - | -

GetFile | Grants permission to return the base-64 encoded contents of a specified file and its metadata | Read | repository* (p. 208) | - | -
GetFolder | Grants permission to return the contents of a specified folder in a repository | Read | repository* (p. 208) | - | -
GetMergeCommit | Grants permission to get information about a merge commit created by one of the merge options for pull requests that creates merge commits. Not all merge options create merge commits. This permission does not control Git merge actions | Read | repository* (p. 208) | codecommit:References (p. 208) | -
GetMergeConflicts | Grants permission to get information about merge conflicts between the before and after commit IDs for a pull request in a repository | Read | repository* (p. 208) | - | -
GetMergeOptions | Grants permission to get information about merge options for pull requests that can be used to merge two commits; does not control Git merge actions | Read | repository* (p. 208) | - | -
GetObjectIdentifier [permission only] | Grants permission to resolve blobs, trees, and commits to their identifier | Read | repository* (p. 208) | - | -
GetPullRequest | Grants permission to get information about a pull request in a specified repository | Read | repository* (p. 208) | - | -
GetPullRequestApprovalStates | Grants permission to retrieve the current approvals on an inputted pull request | Read | repository* (p. 208) | - | -
GetPullRequestOverrideState | Grants permission to retrieve the current override state of a given pull request | Read | repository* (p. 208) | - | -
GetReferences [permission only] | Grants permission to get details about references in an AWS CodeCommit repository; does not control Git reference actions | Read | repository* (p. 208) | - | -
GetRepository | Grants permission to get information about an AWS CodeCommit repository | Read | repository* (p. 208) | - | -

GetRepositoryTriggers | Grants permission to get information about triggers configured for a repository | Read | repository* (p. 208) | - | -
GetTree [permission only] | Grants permission to view the contents of a specified tree in an AWS CodeCommit repository from the AWS CodeCommit console | Read | repository* (p. 208) | - | -
GetUploadArchiveStatus [permission only] | Grants permission to get status information about an archive upload to a pipeline in AWS CodePipeline | Read | repository* (p. 208) | - | -
GitPull [permission only] | Grants permission to pull information from an AWS CodeCommit repository to a local repo | Read | repository* (p. 208) | - | -
GitPush [permission only] | Grants permission to push information from a local repo to an AWS CodeCommit repository | Write | repository* (p. 208) | codecommit:References (p. 208) | -
ListApprovalRuleTemplates | Grants permission to list all approval rule templates in an AWS Region for the AWS account | List | - | - | -
ListAssociatedApprovalRuleTemplatesForRepository | Grants permission to list approval rule templates that are associated with a repository | List | repository* (p. 208) | - | -
ListBranches | Grants permission to list branches for an AWS CodeCommit repository with this API; does not control Git branch actions | List | repository* (p. 208) | - | -
ListPullRequests | Grants permission to list pull requests for a specified repository | List | repository* (p. 208) | - | -
ListRepositories | Grants permission to list information about AWS CodeCommit repositories in the current Region for your AWS account | List | - | - | -
ListRepositoriesForApprovalRuleTemplate | Grants permission to list repositories that are associated with an approval rule template | List | - | - | -

ListTagsForResource | Grants permission to list the resource tags attached to a CodeCommit resource ARN | List | repository (p. 208) | - | -
MergeBranchesByFastForward | Grants permission to merge two commits into the specified destination branch using the fast-forward merge option | Write | repository* (p. 208) | codecommit:References (p. 208) | -
MergeBranchesBySquash | Grants permission to merge two commits into the specified destination branch using the squash merge option | Write | repository* (p. 208) | codecommit:References (p. 208) | -
MergeBranchesByThreeWay | Grants permission to merge two commits into the specified destination branch using the three-way merge option | Write | repository* (p. 208) | codecommit:References (p. 208) | -
MergePullRequestByFastForward | Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the fast-forward merge option | Write | repository* (p. 208) | codecommit:References (p. 208) | -
MergePullRequestBySquash | Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the squash merge option | Write | repository* (p. 208) | codecommit:References (p. 208) | -
MergePullRequestByThreeWay | Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the three-way merge option | Write | repository* (p. 208) | codecommit:References (p. 208) | -
OverridePullRequestApprovalRules | Grants permission to override all approval rules for a pull request, including approval rules created by a template | Write | repository* (p. 208) | - | -
PostCommentForComparedCommit | Grants permission to post a comment on the comparison between two commits | Write | repository* (p. 208) | - | -
PostCommentForPullRequest | Grants permission to post a comment on a pull request | Write | repository* (p. 208) | - | -

PostCommentReply | Grants permission to post a comment in reply to a comment on a comparison between commits or a pull request | Write | repository* (p. 208) | - | -
PutCommentReaction | Grants permission to post a reaction on a comment | Write | repository* (p. 208) | - | -
PutFile | Grants permission to add or update a file in a branch in an AWS CodeCommit repository, and generate a commit for the addition in the specified branch | Write | repository* (p. 208) | codecommit:References (p. 208) | -
PutRepositoryTriggers | Grants permission to create, update, or delete triggers for a repository | Write | repository* (p. 208) | - | -
TagResource | Grants permission to attach resource tags to a CodeCommit resource ARN | Write | repository (p. 208) | aws:ResourceTag/${TagKey} (p. 208); aws:RequestTag/${TagKey} (p. 208); aws:TagKeys (p. 208) | -
TestRepositoryTriggers | Grants permission to test the functionality of repository triggers by sending information to the trigger target | Write | repository* (p. 208) | - | -
UntagResource | Grants permission to disassociate resource tags from a CodeCommit resource ARN | Write | repository (p. 208) | aws:TagKeys (p. 208) | -
UpdateApprovalRuleTemplateContent | Grants permission to update the content of approval rule templates; does not grant permission to update content of approval rules created specifically for pull requests | Write | - | - | -
UpdateApprovalRuleTemplateDescription | Grants permission to update the description of approval rule templates | Write | - | - | -

UpdateApprovalRuleTemplateName | Grants permission to update the name of approval rule templates | Write | - | - | -
UpdateComment | Grants permission to update the contents of a comment if the identity matches the identity used to create the comment | Write | repository* (p. 208) | - | -
UpdateDefaultBranch | Grants permission to change the default branch in an AWS CodeCommit repository | Write | repository* (p. 208) | - | -
UpdatePullRequestApprovalRuleContent | Grants permission to update the content for approval rules created for a specific pull request; does not grant permission to update approval rule content for rules created with an approval rule template | Write | repository* (p. 208) | - | -
UpdatePullRequestApprovalState | Grants permission to update the approval state for pull requests | Write | repository* (p. 208) | - | -
UpdatePullRequestDescription | Grants permission to update the description of a pull request | Write | repository* (p. 208) | - | -
UpdatePullRequestStatus | Grants permission to update the status of a pull request | Write | repository* (p. 208) | - | -
UpdatePullRequestTitle | Grants permission to update the title of a pull request | Write | repository* (p. 208) | - | -
UpdateRepositoryDescription | Grants permission to change the description of an AWS CodeCommit repository | Write | repository* (p. 208) | - | -
UpdateRepositoryName | Grants permission to change the name of an AWS CodeCommit repository | Write | repository* (p. 208) | - | -
UploadArchive [permission only] | Grants permission to the service role for AWS CodePipeline to upload repository changes into a pipeline | Write | repository* (p. 208) | - | -

Resource types defined by AWS CodeCommit

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 198) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
repository | arn:${Partition}:codecommit:${Region}:${Account}:${RepositoryName} | aws:ResourceTag/${TagKey} (p. 208)

Condition keys for AWS CodeCommit

AWS CodeCommit defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
codecommit:References | Filters access by Git reference to specified AWS CodeCommit actions | String
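
The CodeCommit actions, resource types and condition keys tables above can be read mechanically to lint IAM policy statements before they are deployed. The Python below is an added example, not part of this reference: it transcribes a subset of the actions table, checks that an action with a blank Resource types column uses "*", that a repository action names an ARN matching the pattern in the resource types table, and that codecommit:References is only used with actions that list it, and runs over a constructed sample policy (placeholder account id and repository name).

```python
"""Lint IAM statements against the CodeCommit tables above (added example)."""
import re

# Subset of the actions table, transcribed from the page: action name ->
# (resource type when the Resource types column names one, else None;
#  service condition keys listed for that action).
ACTIONS = {
    "GitPull": ("repository", ()),
    "GitPush": ("repository", ("codecommit:References",)),
    "CreateBranch": ("repository", ("codecommit:References",)),
    "DeleteBranch": ("repository", ("codecommit:References",)),
    "PutFile": ("repository", ("codecommit:References",)),
    "MergePullRequestByFastForward": ("repository", ("codecommit:References",)),
    "GetRepository": ("repository", ()),
    "ListRepositories": (None, ()),
    "CreateApprovalRuleTemplate": (None, ()),
}

# Resource types table: arn:${Partition}:codecommit:${Region}:${Account}:${RepositoryName}.
# Policies may wildcard the name segment, so "*" is accepted there.
REPOSITORY_ARN = re.compile(r"^arn:[^:]+:codecommit:[a-z0-9-]+:\d{12}:[\w.*-]+$")


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return findings for one statement; [] means it agrees with the tables
    (and, for Allow, is scoped to a repository ARN rather than "*")."""
    findings = []
    effect = stmt.get("Effect")
    resources = _as_list(stmt.get("Resource"))
    # Every condition key the statement uses, whatever the operator.
    used_keys = {k for operands in stmt.get("Condition", {}).values() for k in operands}
    for action in _as_list(stmt.get("Action")):
        prefix, _, name = action.partition(":")
        if "*" in action or prefix != "codecommit" or name not in ACTIONS:
            findings.append(f"{action}: not a CodeCommit action in the table (or a wildcard)")
            continue
        required, supported = ACTIONS[name]
        if required is None:
            # Blank Resource types column: the statement must use "*".
            if resources != ["*"]:
                findings.append(f'{action}: no resource type; Resource must be "*"')
        else:
            for arn in resources:
                if arn != "*" and not REPOSITORY_ARN.match(arn):
                    findings.append(f"{action}: {arn} is not a {required} ARN")
            if effect == "Allow" and "*" in resources:
                findings.append(f'{action}: Allow on "*" grants every repository; scope to a repository ARN')
        # A service key the action does not supply is absent from the request
        # context, so the statement silently never matches that action.
        for key in sorted(used_keys):
            if key.startswith("codecommit:") and key not in supported:
                findings.append(f"{action}: does not support condition key {key}")
    return findings


def lint_policy(policy):
    """Lint each statement of a policy document; returns {Sid: findings}."""
    return {stmt.get("Sid", f"stmt{i}"): lint_statement(stmt)
            for i, stmt in enumerate(policy["Statement"])}


# Constructed sample policy; account id and repository name are placeholders.
REPO_ARN = "arn:aws:codecommit:us-east-1:123456789012:payments-service"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": ["codecommit:GitPull", "codecommit:GetRepository"],
         "Resource": REPO_ARN},
        # Branch protection: deny direct writes to main, matched by Git reference.
        {"Sid": "ProtectMain", "Effect": "Deny",
         "Action": ["codecommit:GitPush", "codecommit:DeleteBranch",
                    "codecommit:PutFile", "codecommit:MergePullRequestByFastForward"],
         "Resource": REPO_ARN,
         "Condition": {"StringEqualsIfExists": {"codecommit:References": ["refs/heads/main"]}}},
        # Three defects: ListRepositories has no resource type, the ARN has a
        # 5-digit account id, and GitPull does not supply codecommit:References.
        {"Sid": "Broken", "Effect": "Allow",
         "Action": ["codecommit:ListRepositories", "codecommit:GitPull"],
         "Resource": "arn:aws:codecommit:us-east-1:12345:payments-service",
         "Condition": {"StringEquals": {"codecommit:References": "refs/heads/main"}}},
    ],
}

if __name__ == "__main__":
    for sid, found in lint_policy(SAMPLE_POLICY).items():
        print(f"{sid}: {'OK' if not found else ''}")
        for finding in found:
            print("  -", finding)
```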

Actions, resources, and condition keys for AWS CodeDeploy

AWS CodeDeploy (service prefix: codedeploy) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CodeDeploy (p. 208)
• Resource types defined by AWS CodeDeploy (p. 213)
• Condition keys for AWS CodeDeploy (p. 213)

Actions defined by AWS CodeDeploy

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddTagsToOnPremisesInstances | Add tags to one or more on-premises instances. | Tagging | instance* (p. 213) | - | -
BatchGetApplicationRevisions | Gets information about one or more application revisions. | Read | application* (p. 213) | - | -
BatchGetApplications | Get information about multiple applications associated with the IAM user. | Read | application* (p. 213) | - | -
BatchGetDeploymentGroups | Get information about one or more deployment groups. | Read | deploymentgroup* (p. 213) | - | -
BatchGetDeploymentInstances | Gets information about one or more instances that are part of a deployment group. | Read | deploymentgroup* (p. 213) | - | -
BatchGetDeploymentTargets | Returns an array of one or more targets associated with a deployment. This method works with all compute types and should be used instead of the deprecated BatchGetDeploymentInstances. The maximum number of targets that can be returned is 25. | Read | - | - | -
BatchGetDeployments | Get information about multiple deployments associated with the IAM user. | Read | deploymentgroup* (p. 213) | - | -
BatchGetOnPremisesInstances | Get information about one or more on-premises instances. | Read | instance* (p. 213) | - | -
ContinueDeployment | Starts the process of rerouting traffic from instances in the original environment to instances in the replacement environment without waiting for a specified wait time to elapse. | Write | - | - | -

CreateApplication | Create an application associated with the IAM user. | Write | application* (p. 213) | aws:RequestTag/${TagKey} (p. 214); aws:TagKeys (p. 214) | -
CreateCloudFormationDeployment [permission only] | Create a CloudFormation deployment to cooperate with orchestration of a CloudFormation stack update. | Write | - | - | -
CreateDeployment | Create a deployment for an application associated with the IAM user. | Write | deploymentgroup* (p. 213) | - | -
CreateDeploymentConfig | Create a custom deployment configuration associated with the IAM user. | Write | deploymentconfig* (p. 213) | - | -
CreateDeploymentGroup | Create a deployment group for an application associated with the IAM user. | Write | deploymentgroup* (p. 213) | aws:RequestTag/${TagKey} (p. 214); aws:TagKeys (p. 214) | -
DeleteApplication | Delete an application associated with the IAM user. | Write | application* (p. 213) | - | -
DeleteDeploymentConfig | Delete a custom deployment configuration associated with the IAM user. | Write | deploymentconfig* (p. 213) | - | -
DeleteDeploymentGroup | Delete a deployment group for an application associated with the IAM user. | Write | deploymentgroup* (p. 213) | - | -
DeleteGitHubAccountToken | Deletes a GitHub account connection. | Write | - | - | -
DeleteResourcesByExternalId | Delete resources associated with the given external Id. | Write | - | - | -
DeregisterOnPremisesInstance | Deregister an on-premises instance. | Write | instance* (p. 213) | - | -
GetApplication | Get information about a single application associated with the IAM user. | List | application* (p. 213) | - | -

GetApplicationRevision | Get information about a single application revision for an application associated with the IAM user. | List | application* (p. 213) | - | -
GetDeployment | Get information about a single deployment to a deployment group for an application associated with the IAM user. | List | deploymentgroup* (p. 213) | - | -
GetDeploymentConfig | Get information about a single deployment configuration associated with the IAM user. | List | deploymentconfig* (p. 213) | - | -
GetDeploymentGroup | Get information about a single deployment group for an application associated with the IAM user. | List | deploymentgroup* (p. 213) | - | -
GetDeploymentInstance | Get information about a single instance in a deployment associated with the IAM user. | List | deploymentgroup* (p. 213) | - | -
GetDeploymentTarget | Returns information about a deployment target. | Read | - | - | -
GetOnPremisesInstance | Get information about a single on-premises instance. | List | instance* (p. 213) | - | -
ListApplicationRevisions | Get information about all application revisions for an application associated with the IAM user. | List | application* (p. 213) | - | -
ListApplications | Get information about all applications associated with the IAM user. | List | - | - | -
ListDeploymentConfigs | Get information about all deployment configurations associated with the IAM user. | List | - | - | -
ListDeploymentGroups | Get information about all deployment groups for an application associated with the IAM user. | List | application* (p. 213) | - | -
ListDeploymentInstances | Get information about all instances in a deployment associated with the IAM user. | List | deploymentgroup* (p. 213) | - | -
ListDeploymentTargets | Returns an array of target IDs that are associated with a deployment. | List | - | - | -

ListDeployments | Get information about all deployments to a deployment group associated with the IAM user, or to get all deployments associated with the IAM user. | List | deploymentgroup* (p. 213) | - | -
ListGitHubAccountTokenNames | Lists the names of stored connections to GitHub accounts. | List | - | - | -
ListOnPremisesInstances | Get a list of one or more on-premises instance names. | List | - | - | -
ListTagsForResource | Returns a list of tags for the resource identified by a specified ARN. Tags are used to organize and categorize your CodeDeploy resources. | List | application (p. 213); deploymentgroup (p. 213) | - | -
PutLifecycleEventHookExecutionStatus | Notify a lifecycle event hook execution status for a deployment associated with the IAM user. | Write | - | - | -
RegisterApplicationRevision | Register information about an application revision for an application associated with the IAM user. | Write | application* (p. 213) | - | -
RegisterOnPremisesInstance | Register an on-premises instance. | Write | instance* (p. 213) | - | -
RemoveTagsFromOnPremisesInstances | Remove tags from one or more on-premises instances. | Tagging | instance* (p. 213) | - | -
SkipWaitTimeForInstanceTermination | In a blue/green deployment, overrides any specified wait time and starts terminating instances immediately after the traffic routing is complete. | Write | - | - | -
StopDeployment | Description for StopDeployment | Write | - | - | -
TagResource | Associates the list of tags in the input Tags parameter with the resource identified by the ResourceArn input parameter. | Tagging | application (p. 213); deploymentgroup (p. 213) | aws:RequestTag/${TagKey} (p. 214); aws:TagKeys (p. 214) | -

UntagResource | Disassociates a resource from a list of tags. The resource is identified by the ResourceArn input parameter. The tags are identified by the list of keys in the TagKeys input parameter. | Tagging | application (p. 213); deploymentgroup (p. 213) | aws:TagKeys (p. 214) | -
UpdateApplication | Description for UpdateApplication | Write | application* (p. 213) | - | -
UpdateDeploymentGroup | Change information about a single deployment group for an application associated with the IAM user. | Write | deploymentgroup* (p. 213) | - | -

Resource types defined by AWS CodeDeploy

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 208) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
application | arn:${Partition}:codedeploy:${Region}:${Account}:application:${ApplicationName} | -
deploymentconfig | arn:${Partition}:codedeploy:${Region}:${Account}:deploymentconfig:${DeploymentConfigurationName} | -
deploymentgroup | arn:${Partition}:codedeploy:${Region}:${Account}:deploymentgroup:${ApplicationName}/${DeploymentGroupName} | -
instance | arn:${Partition}:codedeploy:${Region}:${Account}:instance:${InstanceName} | -

Condition keys for AWS CodeDeploy

AWS CodeDeploy defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for Amazon CodeGuru

Amazon CodeGuru (service prefix: codeguru) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon CodeGuru (p. 214)
• Resource types defined by Amazon CodeGuru (p. 215)
• Condition keys for Amazon CodeGuru (p. 215)

Actions defined by Amazon CodeGuru

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
GetCodeGuruFreeTrialSummary [permission only] | Gets the free trial summary for the CodeGuru service, which includes the expiration date. | Read | - | - | -

Resource types defined by Amazon CodeGuru

Amazon CodeGuru does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to Amazon CodeGuru, specify "Resource": "*" in your policy.

Condition keys for Amazon CodeGuru

CodeGuru has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon CodeGuru Profiler

Amazon CodeGuru Profiler (service prefix: codeguru-profiler) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon CodeGuru Profiler (p. 215)
• Resource types defined by Amazon CodeGuru Profiler (p. 218)
• Condition keys for Amazon CodeGuru Profiler (p. 218)

Actions defined by Amazon CodeGuru Profiler

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddNotificationChannels | Grants permission to add up to 2 topic ARNs of existing AWS SNS topics to publish notifications | Write | ProfilingGroup* (p. 218) | - | -
BatchGetFrameMetricData | Grants permission to get the frame metric data for a Profiling Group | List | ProfilingGroup* (p. 218) | - | -
ConfigureAgent [permission only] | Grants permission for an agent to register with the orchestration service and retrieve profiling configuration information | Write | ProfilingGroup* (p. 218) | - | -
CreateProfilingGroup | Grants permission to create a profiling group | Write | - | aws:TagKeys (p. 218); aws:RequestTag/${TagKey} (p. 218) | -
DeleteProfilingGroup | Grants permission to delete a profiling group | Write | ProfilingGroup* (p. 218) | - | -
DescribeProfilingGroup | Grants permission to describe a profiling group | Read | ProfilingGroup* (p. 218) | - | -
GetFindingsReportAccountSummary | Grants permission to get a summary of recent recommendations for each profiling group in the account | Read | - | - | -
GetNotificationConfiguration | Grants permission to get the notification configuration | Read | ProfilingGroup* (p. 218) | - | -
GetPolicy | Grants permission to get the resource policy associated with the specified Profiling Group. | Read | ProfilingGroup* (p. 218) | - | -
GetProfile | Grants permission to get aggregated profiles for a specific profiling group | Read | ProfilingGroup* (p. 218) | - | -
GetRecommendations | Grants permission to get recommendations | Read | ProfilingGroup* (p. 218) | - | -
ListFindingsReports | Grants permission to list the available recommendations reports for a specific profiling group | List | ProfilingGroup* (p. 218) | - | -
216
Service Authorization Reference
Service Authorization Reference
Amazon CodeGuru Profiler

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to list the List ProfilingGroup*


   
ListProfileTimes start times of the available (p. 218)
aggregated profiles for a specific
profiling group

Grants permission to list List      


ListProfilingGroups
profiling groups in the account

Grants permission to list tags for Tagging ProfilingGroup*


   
ListTagsForResource
a Profiling Group (p. 218)

Grants permission to submit a Write ProfilingGroup*


   
PostAgentProfile profile collected by an agent (p. 218)
[permission belonging to a specific profiling
only] group for aggregation

PutPermission Grants permission to update Permissions ProfilingGroup*


   
the list of principals allowed for management (p. 218)
an action group in the resource
policy associated with the
specified Profiling Group.

Grants permission to delete an Write ProfilingGroup*


   
RemoveNotificationChannel
already configured SNStopic (p. 218)
arn from the notification
configuration

Grants permission to remove the Permissions ProfilingGroup*


   
RemovePermission
permission of specified Action management (p. 218)
Group from the resource policy
associated with the specified
Profiling Group.

Grants permission to submit Write ProfilingGroup*


   
SubmitFeedback user feedback for useful or non (p. 218)
useful anomaly

TagResource Grants permission to add or Tagging ProfilingGroup*


   
overwrite tags to a Profiling (p. 218)
Group
  aws:TagKeys  
(p. 218)

aws:RequestTag/
${TagKey}
(p. 218)

Grants permission to remove Tagging ProfilingGroup*


   
UntagResource tags from a Profiling Group (p. 218)

217
Service Authorization Reference
Service Authorization Reference
Amazon CodeGuru Profiler

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:TagKeys  
(p. 218)

aws:RequestTag/
${TagKey}
(p. 218)

Grants permission to update a Write ProfilingGroup*


   
UpdateProfilingGroup
specific profiling group (p. 218)

Resource types defined by Amazon CodeGuru Profiler

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 215) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| ProfilingGroup | arn:${Partition}:codeguru-profiler:${Region}:${Account}:profilingGroup/${profilingGroupName} | aws:ResourceTag/${TagKey} (p. 218) |

Condition keys for Amazon CodeGuru Profiler

Amazon CodeGuru Profiler defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |

Actions, resources, and condition keys for Amazon CodeGuru Reviewer

Amazon CodeGuru Reviewer (service prefix: codeguru-reviewer) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon CodeGuru Reviewer (p. 219)
• Resource types defined by Amazon CodeGuru Reviewer (p. 220)
• Condition keys for Amazon CodeGuru Reviewer (p. 221)

Actions defined by Amazon CodeGuru Reviewer

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateRepository | Grants permission to associate a repository with Amazon CodeGuru Reviewer. | Write | repository (p. 221) | | codecommit:ListReposito, codecommit:TagResource, events:PutRule, events:PutTargets, iam:CreateServiceLinkedR |
| CreateConnectionToken [permission only] | Grants permission to perform a web-based OAuth handshake for 3rd party providers. | Read | | | |
| DescribeCodeReview | Grants permission to describe a code review. | Read | codereview* (p. 221) | | |
| DescribeRecommendationFeedback | Grants permission to describe recommendation feedback on a code review. | Read | codereview* (p. 221) | | |
| DescribeRepositoryAssociation | Grants permission to describe a repository association. | Read | association* (p. 221) | | |
| DisassociateRepository | Grants permission to disassociate a repository from Amazon CodeGuru Reviewer. | Write | association* (p. 221) | | codecommit:UntagResour, events:DeleteRule, events:RemoveTargets |
| GetMetricsData [permission only] | Grants permission to view pull request metrics in the console. | Read | | | |
| ListCodeReviews | Grants permission to list a summary of code reviews. | List | | | |
| ListRecommendationFeedback | Grants permission to list a summary of recommendation feedback on a code review. | List | codereview* (p. 221) | | |
| ListRecommendations | Grants permission to list a summary of recommendations on a code review. | List | codereview* (p. 221) | | |
| ListRepositoryAssociations | Grants permission to list a summary of repository associations. | List | | | |
| ListThirdPartyRepositories [permission only] | Grants permission to list 3rd party providers' repositories in the console. | Read | | | |
| PutRecommendationFeedback | Grants permission to put feedback for a recommendation on a code review. | Write | codereview* (p. 221) | | |

Resource types defined by Amazon CodeGuru Reviewer

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 219) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| association | arn:${Partition}:codeguru-reviewer::${Account}:association:${ResourceId} | |
| codereview | arn:${Partition}:codeguru-reviewer::${Account}:.+:.+ | |
| repository | arn:${Partition}:codecommit:${Region}:${Account}:${RepositoryName} | aws:ResourceTag/${TagKey} (p. 221) |

Condition keys for Amazon CodeGuru Reviewer

Amazon CodeGuru Reviewer defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |

Actions, resources, and condition keys for AWS CodePipeline

AWS CodePipeline (service prefix: codepipeline) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CodePipeline (p. 221)
• Resource types defined by AWS CodePipeline (p. 226)
• Condition keys for AWS CodePipeline (p. 226)

Actions defined by AWS CodePipeline

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcknowledgeJob | Grants permission to view information about a specified job and whether that job has been received by the job worker | Write | | | |
| AcknowledgeThirdPartyJob | Grants permission to confirm that a job worker has received the specified job (partner actions only) | Write | | | |
| CreateCustomActionType | Grants permission to create a custom action that you can use in the pipelines associated with your AWS account | Tagging | actiontype* (p. 226) | aws:RequestTag/${TagKey} (p. 226), aws:TagKeys (p. 226) | |
| CreatePipeline | Grants permission to create a uniquely named pipeline | Tagging | pipeline* (p. 226) | aws:RequestTag/${TagKey} (p. 226), aws:TagKeys (p. 226) | |
| DeleteCustomActionType | Grants permission to delete a custom action | Write | actiontype* (p. 226) | | |
| DeletePipeline | Grants permission to delete a specified pipeline | Write | pipeline* (p. 226) | | |
| DeleteWebhook | Grants permission to delete a specified webhook | Write | webhook* (p. 226) | | |
| DeregisterWebhookWithThirdParty | Grants permission to remove the registration of a webhook with the third party specified in its configuration | Write | webhook* (p. 226) | | |
| DisableStageTransition | Grants permission to prevent revisions from transitioning to the next stage in a pipeline | Write | stage* (p. 226) | | |
| EnableStageTransition | Grants permission to allow revisions to transition to the next stage in a pipeline | Write | stage* (p. 226) | | |
| GetJobDetails | Grants permission to view information about a job (custom actions only) | Read | | | |
| GetPipeline | Grants permission to retrieve information about a pipeline structure | Read | pipeline* (p. 226) | | |
| GetPipelineExecution | Grants permission to view information about an execution of a pipeline, including details about artifacts, the pipeline execution ID, and the name, version, and status of the pipeline | Read | pipeline* (p. 226) | | |
| GetPipelineState | Grants permission to view information about the current state of the stages and actions of a pipeline | Read | pipeline* (p. 226) | | |
| GetThirdPartyJobDetails | Grants permission to view the details of a job for a third-party action (partner actions only) | Read | | | |
| ListActionExecutions | Grants permission to list the action executions that have occurred in a pipeline | Read | pipeline* (p. 226) | | |
| ListActionTypes | Grants permission to list a summary of all the action types available for pipelines in your account | Read | | | |
| ListPipelineExecutions | Grants permission to list a summary of the most recent executions for a pipeline | List | pipeline* (p. 226) | | |
| ListPipelines | Grants permission to list a summary of all the pipelines associated with your AWS account | List | | | |
| ListTagsForResource | Grants permission to list tags for a CodePipeline resource | Read | actiontype (p. 226), pipeline (p. 226), webhook (p. 226) | | |
| ListWebhooks | Grants permission to list all of the webhooks associated with your AWS account | List | webhook* (p. 226) | | |
| PollForJobs | Grants permission to view information about any jobs for CodePipeline to act on | Write | actiontype* (p. 226) | | |
| PollForThirdPartyJobs | Grants permission to determine whether there are any third-party jobs for a job worker to act on (partner actions only) | Write | | | |
| PutActionRevision | Grants permission to edit actions in a pipeline | Write | action* (p. 226) | | |
| PutApprovalResult | Grants permission to provide a response (Approved or Rejected) to a manual approval request in CodePipeline | Write | action* (p. 226) | | |
| PutJobFailureResult | Grants permission to represent the failure of a job as returned to the pipeline by a job worker (custom actions only) | Write | | | |
| PutJobSuccessResult | Grants permission to represent the success of a job as returned to the pipeline by a job worker (custom actions only) | Write | | | |
| PutThirdPartyJobFailureResult | Grants permission to represent the failure of a third-party job as returned to the pipeline by a job worker (partner actions only) | Write | | | |
| PutThirdPartyJobSuccessResult | Grants permission to represent the success of a third-party job as returned to the pipeline by a job worker (partner actions only) | Write | | | |
| PutWebhook | Grants permission to create or update a webhook | Tagging | pipeline* (p. 226), webhook* (p. 226) | aws:RequestTag/${TagKey} (p. 226), aws:TagKeys (p. 226) | |
| RegisterWebhookWithThirdParty | Grants permission to register a webhook with the third party specified in its configuration | Write | webhook* (p. 226) | | |
| RetryStageExecution | Grants permission to resume the pipeline execution by retrying the last failed actions in a stage | Write | stage* (p. 226) | | |
| StartPipelineExecution | Grants permission to run the most recent revision through the pipeline | Write | pipeline* (p. 226) | | |
| StopPipelineExecution | Grants permission to stop an in-progress pipeline execution | Write | pipeline* (p. 226) | | |
| TagResource | Grants permission to tag a CodePipeline resource | Tagging | actiontype (p. 226), pipeline (p. 226), webhook (p. 226) | aws:RequestTag/${TagKey} (p. 226), aws:TagKeys (p. 226) | |
| UntagResource | Grants permission to remove a tag from a CodePipeline resource | Tagging | actiontype (p. 226), pipeline (p. 226), webhook (p. 226) | aws:TagKeys (p. 226) | |
| UpdatePipeline | Grants permission to update a pipeline with changes to the structure of the pipeline | Write | pipeline* (p. 226) | | |

Resource types defined by AWS CodePipeline

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 221) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| action | arn:${Partition}:codepipeline:${Region}:${Account}:${PipelineName}/${StageName}/${ActionName} | aws:ResourceTag/${TagKey} (p. 226) |
| actiontype | arn:${Partition}:codepipeline:${Region}:${Account}:actiontype:${Owner}/${Category}/${Provider}/${Version} | aws:ResourceTag/${TagKey} (p. 226) |
| pipeline | arn:${Partition}:codepipeline:${Region}:${Account}:${PipelineName} | aws:ResourceTag/${TagKey} (p. 226) |
| stage | arn:${Partition}:codepipeline:${Region}:${Account}:${PipelineName}/${StageName} | aws:ResourceTag/${TagKey} (p. 226) |
| webhook | arn:${Partition}:codepipeline:${Region}:${Account}:webhook:${WebhookName} | aws:ResourceTag/${TagKey} (p. 226) |

Condition keys for AWS CodePipeline

AWS CodePipeline defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |

Actions, resources, and condition keys for AWS CodeStar

AWS CodeStar (service prefix: codestar) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CodeStar (p. 227)
• Resource types defined by AWS CodeStar (p. 229)
• Condition keys for AWS CodeStar (p. 229)

Actions defined by AWS CodeStar

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateTeamMember | Adds a user to the team for an AWS CodeStar project. | Permissions management | project* (p. 229) | | |
| CreateProject | Creates a project with minimal structure, customer policies, and no resources. | Permissions management | | aws:RequestTag/${TagKey} (p. 230), aws:TagKeys (p. 230) | |
| CreateUserProfile | Creates a profile for a user that includes user preferences, display name, and email. | Write | user* (p. 229) | | |
| DeleteExtendedAccess [permission only] | Grants access to extended delete APIs. | Write | project* (p. 229) | | |
| DeleteProject | Deletes a project, including project resources. Does not delete users associated with the project, but does delete the IAM roles that allowed access to the project. | Permissions management | project* (p. 229) | | |
| DeleteUserProfile | Deletes a user profile in AWS CodeStar, including all personal preference data associated with that profile, such as display name and email address. It does not delete the history of that user, for example the history of commits made by that user. | Write | user* (p. 229) | | |
| DescribeProject | Describes a project and its resources. | Read | project* (p. 229) | | |
| DescribeUserProfile | Describes a user in AWS CodeStar and the user attributes across all projects. | Read | | | |
| DisassociateTeamMember | Removes a user from a project. Removing a user from a project also removes the IAM policies from that user that allowed access to the project and its resources. | Permissions management | project* (p. 229) | | |
| GetExtendedAccess [permission only] | Grants access to extended read APIs. | Read | project* (p. 229) | | |
| ListProjects | Lists all projects in CodeStar associated with your AWS account. | List | | | |
| ListResources | Lists all resources associated with a project in CodeStar. | List | project* (p. 229) | | |
| ListTagsForProject | Lists the tags associated with a project in CodeStar. | List | project* (p. 229) | | |
| ListTeamMembers | Lists all team members associated with a project. | List | project* (p. 229) | | |
| ListUserProfiles | Lists user profiles in AWS CodeStar. | List | | | |
| PutExtendedAccess [permission only] | Grants access to extended write APIs. | Write | project* (p. 229) | | |
| TagProject | Adds tags to a project in CodeStar. | Tagging | project* (p. 229) | aws:RequestTag/${TagKey} (p. 230), aws:TagKeys (p. 230) | |
| UntagProject | Removes tags from a project in CodeStar. | Tagging | project* (p. 229) | aws:TagKeys (p. 230) | |
| UpdateProject | Updates a project in CodeStar. | Write | project* (p. 229) | | |
| UpdateTeamMember | Updates team member attributes within a CodeStar project. | Permissions management | project* (p. 229) | | |
| UpdateUserProfile | Updates a profile for a user that includes user preferences, display name, and email. | Write | user* (p. 229) | | |

Resource types defined by AWS CodeStar

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 227) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| project | arn:${Partition}:codestar:${Region}:${Account}:project/${ProjectId} | aws:ResourceTag/${TagKey} (p. 230) |
| user | arn:${Partition}:iam::${Account}:user/${aws:username} | iam:ResourceTag/${TagKey} (p. 230) |

Condition keys for AWS CodeStar

AWS CodeStar defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters create requests based on the allowed set of values for each of the tags. | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource. | String |
| aws:TagKeys | Filters create requests based on the presence of mandatory tags in the request. | String |
| iam:ResourceTag/${TagKey} | | String |

Actions, resources, and condition keys for AWS CodeStar Connections

AWS CodeStar Connections (service prefix: codestar-connections) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CodeStar Connections (p. 230)
• Resource types defined by AWS CodeStar Connections (p. 233)
• Condition keys for AWS CodeStar Connections (p. 233)

Actions defined by AWS CodeStar Connections

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateConnection | Grants permission to create a Connection resource | Write | | aws:RequestTag/${TagKey} (p. 234), aws:TagKeys (p. 234), codestar-connections:ProviderType (p. 234) | |
| CreateHost | Grants permission to create a host resource | Write | | codestar-connections:ProviderType (p. 234) | |
| DeleteConnection | Grants permission to delete a Connection resource | Write | Connection* (p. 233) | | |
| DeleteHost | Grants permission to delete a host resource | Write | Host* (p. 233) | | |
| GetConnection | Grants permission to get details about a Connection resource | Read | Connection* (p. 233) | | |
| GetHost | Grants permission to get details about a host resource | Read | Host* (p. 233) | | |
| GetIndividualAccessToken [permission only] | Grants permission to associate a third party, such as a Bitbucket App installation, with a Connection | Read | | codestar-connections:ProviderType (p. 234) | codestar-connections:StartOAuthH |
| GetInstallationUrl [permission only] | Grants permission to associate a third party, such as a Bitbucket App installation, with a Connection | Read | | codestar-connections:ProviderType (p. 234) | |
| ListConnections | Grants permission to list Connection resources | List | | codestar-connections:ProviderTypeFilter (p. 234) | |
| ListHosts | Grants permission to list host resources | List | | codestar-connections:ProviderTypeFilter (p. 234) | |
| ListInstallationTargets [permission only] | Grants permission to associate a third party, such as a Bitbucket App installation, with a Connection | List | | | codestar-connections:GetIndividua, codestar-connections:StartOAuthH |
| ListTagsForResource | Gets the set of key-value pairs that are used to manage the resource | List | Connection* (p. 233) | | |
| PassConnection [permission only] | Grants permission to pass a Connection resource to an AWS service that accepts a Connection ARN as input, such as codepipeline:CreatePipeline | Read | Connection* (p. 233) | codestar-connections:PassedToService (p. 234) | |
| RegisterAppCode [permission only] | Grants permission to associate a third party server, such as a GitHub Enterprise Server instance, with a Host | Read | | codestar-connections:HostArn (p. 234) | |
| StartAppRegistrationHandshake [permission only] | Grants permission to associate a third party server, such as a GitHub Enterprise Server instance, with a Host | Read | | codestar-connections:HostArn (p. 234) | |
| StartOAuthHandshake [permission only] | Grants permission to associate a third party, such as a Bitbucket App installation, with a Connection | Read | | codestar-connections:ProviderType (p. 234) | |
| TagResource | Adds to or modifies the tags of the given resource | Tagging | Connection* (p. 233) | aws:TagKeys (p. 234), aws:RequestTag/${TagKey} (p. 234) | |
| UntagResource | Removes tags from an AWS resource | Tagging | Connection* (p. 233) | aws:RequestTag/${TagKey} (p. 234), aws:TagKeys (p. 234) | |
| UpdateConnectionInstallation | Grants permission to update a Connection resource with an installation of the CodeStar Connections App | Write | Connection* (p. 233) | codestar-connections:InstallationId (p. 234) | codestar-connections:GetIndividua, codestar-connections:GetInstallatio, codestar-connections:ListInstallatio, codestar-connections:StartOAuthH |
| UpdateHost | Grants permission to update a host resource | Write | Host* (p. 233) | | |
| UseConnection [permission only] | Grants permission to use a Connection resource to call provider actions | Read | Connection* (p. 233) | codestar-connections:FullRepositoryId (p. 234), codestar-connections:ProviderAction (p. 234), codestar-connections:ProviderPermissionsRequi (p. 234) | |

Resource types defined by AWS CodeStar Connections


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 230) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| Connection | arn:${Partition}:codestar-connections:${Region}:${Account}:connection/${ConnectionId} | |
| Host | arn:${Partition}:codestar-connections:${Region}:${Account}:host/${HostId} | |

Condition keys for AWS CodeStar Connections


AWS CodeStar Connections defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String |
| aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String |
| codestar-connections:BranchName | Filters access by the branch name that is passed in the request. Applies only to UseConnection requests for access to a specific repository branch | String |
| codestar-connections:FullRepositoryId | Filters access by the repository that is passed in the request. Applies only to UseConnection requests for access to a specific repository | String |
| codestar-connections:HostArn | Filters access by the host resource associated with the connection used in the request | String |
| codestar-connections:InstallationId | Filters access by the third-party ID (such as the Bitbucket App installation ID for CodeStar Connections) that is used to update a Connection. Allows you to restrict which third-party App installations can be used to make a Connection | String |
| codestar-connections:OwnerId | Filters access by the owner of the third-party repository. Applies only to UseConnection requests for access to repositories owned by a specific user | String |
| codestar-connections:PassedToService | Filters access by the service to which the principal is allowed to pass a Connection | String |
| codestar-connections:ProviderAction | Filters access by the provider action in a UseConnection request such as ListRepositories. See documentation for all valid values | String |
| codestar-connections:ProviderPermissionsRequired | Filters access by the write permissions of a provider action in a UseConnection request. Valid types include read_only and read_write | String |
| codestar-connections:ProviderType | Filters access by the type of third-party provider passed in the request | String |
| codestar-connections:ProviderTypeFilter | Filters access by the type of third-party provider used to filter results | String |
| codestar-connections:RepositoryName | Filters access by the repository name that is passed in the request. Applies only to UseConnection requests for creating new repositories | String |

Actions, resources, and condition keys for AWS CodeStar Notifications
AWS CodeStar Notifications (service prefix: codestar-notifications) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS CodeStar Notifications (p. 235)
• Resource types defined by AWS CodeStar Notifications (p. 238)
• Condition keys for AWS CodeStar Notifications (p. 239)

Actions defined by AWS CodeStar Notifications


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateNotificationRule | Grants permission to create a notification rule for a resource | Write | notificationrule* (p. 239) | aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239), codestar-notifications:NotificationsForResource (p. 239) | |
| DeleteNotificationRule | Grants permission to delete a notification rule for a resource | Write | notificationrule* (p. 239) | aws:ResourceTag/${TagKey} (p. 239), aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239), codestar-notifications:NotificationsForResource (p. 239) | |
| DeleteTarget | Grants permission to delete a target for a notification rule | Write | | aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239) | |
| DescribeNotificationRule | Grants permission to get information about a notification rule | Read | notificationrule* (p. 239) | aws:ResourceTag/${TagKey} (p. 239), aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239), codestar-notifications:NotificationsForResource (p. 239) | |
| ListEventTypes | Grants permission to list notifications event types | List | | | |
| ListNotificationRules | Grants permission to list notification rules in an AWS account | List | | | |
| ListTagsForResource | Grants permission to list the tags attached to a notification rule resource ARN | List | notificationrule* (p. 239) | aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239) | |
| ListTargets | Grants permission to list the notification rule targets for an AWS account | List | | aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239) | |
| Subscribe | Grants permission to create an association between a notification rule and an Amazon SNS topic | Write | notificationrule* (p. 239) | aws:ResourceTag/${TagKey} (p. 239), aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239), codestar-notifications:NotificationsForResource (p. 239) | |
| TagResource | Grants permission to attach resource tags to a notification rule resource ARN | Tagging | notificationrule* (p. 239) | aws:ResourceTag/${TagKey} (p. 239), aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239) | |
| Unsubscribe | Grants permission to remove an association between a notification rule and an Amazon SNS topic | Write | notificationrule* (p. 239) | aws:ResourceTag/${TagKey} (p. 239), aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239), codestar-notifications:NotificationsForResource (p. 239) | |
| UntagResource | Grants permission to disassociate resource tags from a notification rule resource ARN | Tagging | notificationrule* (p. 239) | aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239) | |
| UpdateNotificationRule | Grants permission to change a notification rule for a resource | Write | notificationrule* (p. 239) | aws:ResourceTag/${TagKey} (p. 239), aws:RequestTag/${TagKey} (p. 239), aws:TagKeys (p. 239), codestar-notifications:NotificationsForResource (p. 239) | |

Resource types defined by AWS CodeStar Notifications


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 235) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| notificationrule | arn:${Partition}:codestar-notifications:${Region}:${Account}:notificationrule/${NotificationRuleId} | aws:ResourceTag/${TagKey} (p. 239) |

Condition keys for AWS CodeStar Notifications


AWS CodeStar Notifications defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
| codestar-notifications:NotificationsForResource | Filters access based on the ARN of the resource for which notifications are configured | ARN |

Actions, resources, and condition keys for Amazon Cognito Identity
Amazon Cognito Identity (service prefix: cognito-identity) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Cognito Identity (p. 240)
• Resource types defined by Amazon Cognito Identity (p. 242)
• Condition keys for Amazon Cognito Identity (p. 242)

Actions defined by Amazon Cognito Identity


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateIdentityPool | Creates a new identity pool. | Write | | aws:RequestTag/${TagKey} (p. 243), aws:TagKeys (p. 243), aws:ResourceTag/${TagKey} (p. 243) | |
| DeleteIdentities | Deletes identities from an identity pool. You can specify a list of 1-60 identities that you want to delete. | Write | | | |
| DeleteIdentityPool | Deletes a user pool. Once a pool is deleted, users will not be able to authenticate with the pool. | Write | identitypool* (p. 242) | | |
| DescribeIdentity | Returns metadata related to the given identity, including when the identity was created and any associated linked logins. | Read | | | |
| DescribeIdentityPool | Gets details about a particular identity pool, including the pool name, ID description, creation date, and current number of users. | Read | identitypool* (p. 242) | | |
| GetCredentialsForIdentity | Returns credentials for the provided identity ID. | Read | | | |
| GetId | Generates (or retrieves) a Cognito ID. Supplying multiple logins will create an implicit linked account. | Write | | | |
| GetIdentityPoolRoles | Gets the roles for an identity pool. | Read | identitypool* (p. 242) | | |
| GetOpenIdToken | Gets an OpenID token, using a known Cognito ID. | Read | | | |
| GetOpenIdTokenForDeveloperIdentity | Registers (or retrieves) a Cognito IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process. | Read | identitypool* (p. 242) | | |
| ListIdentities | Lists the identities in a pool. | List | identitypool* (p. 242) | | |
| ListIdentityPools | Lists all of the Cognito identity pools registered for your account. | List | | | |
| ListTagsForResource | Lists the tags that are assigned to an Amazon Cognito identity pool. | List | identitypool (p. 242) | aws:ResourceTag/${TagKey} (p. 243) | |
| LookupDeveloperIdentity | Retrieves the IdentityID associated with a DeveloperUserIdentifier or the list of DeveloperUserIdentifiers associated with an IdentityId for an existing identity. | Read | identitypool* (p. 242) | | |
| MergeDeveloperIdentities | Merges two users having different IdentityIds, existing in the same identity pool, and identified by the same developer provider. | Write | identitypool* (p. 242) | | |
| SetIdentityPoolRoles | Sets the roles for an identity pool. These roles are used when making calls to GetCredentialsForIdentity action. | Write | | | |
| TagResource | Assigns a set of tags to an Amazon Cognito identity pool. | Tagging | identitypool (p. 242) | aws:RequestTag/${TagKey} (p. 243), aws:TagKeys (p. 243), aws:ResourceTag/${TagKey} (p. 243) | |
| UnlinkDeveloperIdentity | Unlinks a DeveloperUserIdentifier from an existing identity. | Write | identitypool* (p. 242) | | |
| UnlinkIdentity | Unlinks a federated identity from an existing account. | Write | | | |
| UntagResource | Removes the specified tags from an Amazon Cognito identity pool. | Tagging | identitypool (p. 242) | aws:TagKeys (p. 243), aws:ResourceTag/${TagKey} (p. 243) | |
| UpdateIdentityPool | Updates a user pool. | Write | identitypool* (p. 242) | | |

Resource types defined by Amazon Cognito Identity


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 240) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| identitypool | arn:${Partition}:cognito-identity:${Region}:${Account}:identitypool/${IdentityPoolId} | aws:ResourceTag/${TagKey} (p. 243) |

Condition keys for Amazon Cognito Identity


Amazon Cognito Identity defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request. | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String |
| aws:TagKeys | Filters access by a key that is present in the request. | String |

Actions, resources, and condition keys for Amazon Cognito Sync
Amazon Cognito Sync (service prefix: cognito-sync) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Cognito Sync (p. 243)
• Resource types defined by Amazon Cognito Sync (p. 245)
• Condition keys for Amazon Cognito Sync (p. 245)

Actions defined by Amazon Cognito Sync


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| BulkPublish | Initiates a bulk publish of all existing datasets for an Identity Pool to the configured stream. | Write | identitypool* (p. 245) | | |
| DeleteDataset | Deletes the specific dataset. | Write | dataset* (p. 245) | | |
| DescribeDataset | Gets metadata about a dataset by identity and dataset name. | Read | dataset* (p. 245) | | |
| DescribeIdentityPoolUsage | Gets usage details (for example, data storage) about a particular identity pool. | Read | identitypool* (p. 245) | | |
| DescribeIdentityUsage | Gets usage information for an identity, including number of datasets and data usage. | Read | identity* (p. 245) | | |
| GetBulkPublishDetails | Gets the status of the last BulkPublish operation for an identity pool. | Read | identitypool* (p. 245) | | |
| GetCognitoEvents | Gets the events and the corresponding Lambda functions associated with an identity pool. | Read | identitypool* (p. 245) | | |
| GetIdentityPoolConfiguration | Gets the configuration settings of an identity pool. | Read | identitypool* (p. 245) | | |
| ListDatasets | Lists datasets for an identity. | List | dataset* (p. 245) | | |
| ListIdentityPoolUsage | Gets a list of identity pools registered with Cognito. | Read | identitypool* (p. 245) | | |
| ListRecords | Gets paginated records, optionally changed after a particular sync count for a dataset and identity. | Read | dataset* (p. 245) | | |
| QueryRecords [permission only] | A permission that grants the ability to query records. | Read | | | |
| RegisterDevice | Registers a device to receive push sync notifications. | Write | identity* (p. 245) | | |
| SetCognitoEvents | Sets the AWS Lambda function for a given event type for an identity pool. | Write | identitypool* (p. 245) | | |
| SetDatasetConfiguration [permission only] | A permission that grants the ability to configure datasets. | Write | dataset* (p. 245) | | |
| SetIdentityPoolConfiguration | Sets the necessary configuration for push sync. | Write | identitypool* (p. 245) | | |
| SubscribeToDataset | Subscribes to receive notifications when a dataset is modified by another device. | Write | dataset* (p. 245) | | |
| UnsubscribeFromDataset | Unsubscribes from receiving notifications when a dataset is modified by another device. | Write | dataset* (p. 245) | | |
| UpdateRecords | Posts updates to records and adds and deletes records for a dataset and user. | Write | dataset* (p. 245) | | |

Resource types defined by Amazon Cognito Sync


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 243) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| dataset | arn:${Partition}:cognito-sync:${Region}:${Account}:identitypool/${IdentityPoolId}/identity/${IdentityId}/dataset/${DatasetName} | |
| identity | arn:${Partition}:cognito-sync:${Region}:${Account}:identitypool/${IdentityPoolId}/identity/${IdentityId} | |
| identitypool | arn:${Partition}:cognito-sync:${Region}:${Account}:identitypool/${IdentityPoolId} | |

Condition keys for Amazon Cognito Sync


Cognito Sync has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Cognito User Pools
Amazon Cognito User Pools (service prefix: cognito-idp) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Cognito User Pools (p. 246)
• Resource types defined by Amazon Cognito User Pools (p. 253)
• Condition keys for Amazon Cognito User Pools (p. 253)

Actions defined by Amazon Cognito User Pools


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Adds additional user attributes Write userpool*    


AddCustomAttributes
to the user pool schema. (p. 253)

Adds the specified user to the Write userpool*    


AdminAddUserToGroup
specified group. (p. 253)

Confirms user registration Write userpool*    


AdminConfirmSignUp
as an admin without using a (p. 253)
confirmation code. Works on any
user.

Creates a new user in the Write userpool*    


AdminCreateUserspecified user pool and sends a (p. 253)
welcome message via email or
phone (SMS).

Deletes a user as an Write userpool*    


AdminDeleteUseradministrator. Works on any (p. 253)
user.

246
Service Authorization Reference
Service Authorization Reference
Amazon Cognito User Pools

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Deletes the user attributes in a Write userpool*    


AdminDeleteUserAttributes
user pool as an administrator. (p. 253)
Works on any user.

Disables the user from signing Write userpool*    


AdminDisableProviderForUser
in with the specified external (p. 253)
(SAML or social) identity
provider.

Disables the specified user as Write userpool*    


AdminDisableUseran administrator. Works on any (p. 253)
user.

Enables the specified user as Write userpool*    


AdminEnableUseran administrator. Works on any (p. 253)
user.

Forgets the device, as an Write userpool*    


AdminForgetDevice
administrator. (p. 253)

Gets the device, as an Read userpool*    


AdminGetDevice administrator. (p. 253)

Gets the specified user by Read userpool*    


AdminGetUser user name in a user pool as an (p. 253)
administrator. Works on any
user.

Authenticates a user in a user Write userpool*    


AdminInitiateAuthpool as an administrator. Works (p. 253)
on any user.

Links an existing user account Write userpool*    


AdminLinkProviderForUser
in a user pool (DestinationUser) (p. 253)
to an identity from an external
identity provider (SourceUser)
based on a specified attribute
name and value from the
external identity provider.

Lists devices, as an List userpool*    


AdminListDevicesadministrator. (p. 253)

Lists the groups that the user List userpool*    


AdminListGroupsForUser
belongs to. (p. 253)

Lists the authentication events Read userpool*    


AdminListUserAuthEvents
for the user. (p. 253)

Removes the specified user from Write userpool*    


AdminRemoveUserFromGroup
the specified group. (p. 253)

247
Service Authorization Reference
Service Authorization Reference
Amazon Cognito User Pools

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Resets the specified user's Write userpool*    


AdminResetUserPassword
password in a user pool as an (p. 253)
administrator. Works on any
user.

Responds to an authentication Write userpool*    


AdminRespondToAuthChallenge
challenge, as an administrator. (p. 253)

Sets MFA preference for the user Write userpool*    


AdminSetUserMFAPreference
in the userpool (p. 253)

Sets the specified user's Write userpool*    


AdminSetUserPassword
password in a user pool as an (p. 253)
administrator. Works on any
user.

Sets all the user settings for a Write userpool*    


AdminSetUserSettings
specified user name. Works on (p. 253)
any user.

Updates the feedback for the Write userpool*    


AdminUpdateAuthEventFeedback
user authentication event (p. 253)

Updates the device status as an Write userpool*    


AdminUpdateDeviceStatus
administrator. (p. 253)

Updates the specified user's Write userpool*    


AdminUpdateUserAttributes
attributes, including developer (p. 253)
attributes, as an administrator.

Signs out users from all devices, Write userpool*    


AdminUserGlobalSignOut
as an administrator. (p. 253)

Returns a unique generated Write      


AssociateSoftwareToken
shared secret key code for the
user account.

Changes the password for a Write      


ChangePassword specified user in a user pool.

Confirms tracking of the device. Write      


ConfirmDevice This API call is the call that
begins device tracking.

Allows a user to enter a Write      


ConfirmForgotPassword
confirmation code to reset a
forgotten password.

Confirms registration of a user Write      


ConfirmSignUp and handles the existing alias
from a previous user.

CreateGroup Creates a new group in the Write userpool*    


specified user pool. (p. 253)

248
Service Authorization Reference
Service Authorization Reference
Amazon Cognito User Pools

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| CreateIdentityProvider | Creates an identity provider for a user pool. | Write | userpool* (p. 253) | | |
| CreateResourceServer | Creates a new OAuth2.0 resource server and defines custom scopes in it. | Write | userpool* (p. 253) | | |
| CreateUserImportJob | Creates the user import job. | Write | userpool* (p. 253) | | |
| CreateUserPool | Creates a new Amazon Cognito user pool and sets the password policy for the pool. | Write | | aws:RequestTag/${TagKey} (p. 253), aws:TagKeys (p. 254), aws:ResourceTag/${TagKey} (p. 254) | |
| CreateUserPoolClient | Creates the user pool client. | Write | userpool* (p. 253) | | |
| CreateUserPoolDomain | Creates a new domain for a user pool. | Write | userpool* (p. 253) | | |
| DeleteGroup | Deletes a group. Currently only groups with no members can be deleted. | Write | userpool* (p. 253) | | |
| DeleteIdentityProvider | Deletes an identity provider for a user pool. | Write | userpool* (p. 253) | | |
| DeleteResourceServer | Deletes a resource server. | Write | userpool* (p. 253) | | |
| DeleteUser | Allows a user to delete one's self. | Write | | | |
| DeleteUserAttributes | Deletes the attributes for a user. | Write | | | |
| DeleteUserPool | Deletes the specified Amazon Cognito user pool. | Write | userpool* (p. 253) | | |
| DeleteUserPoolClient | Allows the developer to delete the user pool client. | Write | userpool* (p. 253) | | |
| DeleteUserPoolDomain | Deletes a domain for a user pool. | Write | userpool* (p. 253) | | |
| DescribeIdentityProvider | Gets information about a specific identity provider. | Read | userpool* (p. 253) | | |
| DescribeResourceServer | Describes a resource server. | Read | userpool* (p. 253) | | |
| DescribeRiskConfiguration | Describes the risk configuration setting for the userpool / userpool client. | Read | userpool* (p. 253) | | |
| DescribeUserImportJob | Describes the user import job. | Read | userpool* (p. 253) | | |
| DescribeUserPool | Returns the configuration information and metadata of the specified user pool. | Read | userpool* (p. 253) | | |
| DescribeUserPoolClient | Client method for returning the configuration information and metadata of the specified user pool client. | Read | userpool* (p. 253) | | |
| DescribeUserPoolDomain | Gets information about a domain. | Read | | | |
| ForgetDevice | Forgets the specified device. | Write | | | |
| ForgotPassword | Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. | Write | | | |
| GetCSVHeader | Gets the header information for the .csv file to be used as input for the user import job. | Read | userpool* (p. 253) | | |
| GetDevice | Gets the device. | Read | | | |
| GetGroup | Gets a group. | Read | userpool* (p. 253) | | |
| GetIdentityProviderByIdentifier | Gets the specified identity provider. | Read | userpool* (p. 253) | | |
| GetSigningCertificate | Returns the signing certificate. | Read | userpool* (p. 253) | | |
| GetUICustomization | Gets the UI customization information for a particular app client's app UI, if there is something set. | Read | userpool* (p. 253) | | |
| GetUser | Gets the user attributes and metadata for a user. | Read | | | |
| GetUserAttributeVerificationCode | Gets the user attribute verification code for the specified attribute name. | Read | | | |
| GetUserPoolMfaConfig | Gets the MFA configuration for the userpool. | Read | userpool* (p. 253) | | |
| GlobalSignOut | Signs out users from all devices. | Write | | | |
| InitiateAuth | Initiates the authentication flow. | Write | | | |
| ListDevices | Lists the devices. | List | | | |
| ListGroups | Lists the groups associated with a user pool. | List | userpool* (p. 253) | | |
| ListIdentityProviders | Lists information about all identity providers for a user pool. | List | userpool* (p. 253) | | |
| ListResourceServers | Lists the resource servers for a user pool. | List | userpool* (p. 253) | | |
| ListTagsForResource | Lists the tags that are assigned to an Amazon Cognito user pool. | List | userpool (p. 253) | | |
| ListUserImportJobs | Lists the user import jobs. | List | userpool* (p. 253) | | |
| ListUserPoolClients | Lists the clients that have been created for the specified user pool. | List | userpool* (p. 253) | | |
| ListUserPools | Lists the user pools associated with an AWS account. | List | | | |
| ListUsers | Lists the users in the Amazon Cognito user pool. | List | userpool* (p. 253) | | |
| ListUsersInGroup | Lists the users in the specified group. | List | userpool* (p. 253) | | |
| ResendConfirmationCode | Resends the confirmation (for confirmation of registration) to a specific user in the user pool. | Write | | | |
| RespondToAuthChallenge | Responds to the authentication challenge. | Write | | | |
| SetRiskConfiguration | Sets the risk configuration setting for the userpool / userpool client. | Write | userpool* (p. 253) | | |
| SetUICustomization | Sets the UI customization information for a user pool's built-in app UI. | Write | userpool* (p. 253) | | |
| SetUserMFAPreference | Sets the MFA preference for the user in the userpool. | Write | | | |
| SetUserPoolMfaConfig | Sets the MFA configuration for the userpool. | Write | userpool* (p. 253) | | |
| SetUserSettings | Sets the user settings like multi-factor authentication (MFA). | Write | | | |
| SignUp | Registers the user in the specified user pool and creates a user name, password, and user attributes. | Write | | | |
| StartUserImportJob | Starts the user import. | Write | userpool* (p. 253) | | |
| StopUserImportJob | Stops the user import job. | Write | userpool* (p. 253) | | |
| TagResource | Assigns a set of tags to an Amazon Cognito user pool. | Tagging | userpool (p. 253) | aws:RequestTag/${TagKey} (p. 253), aws:TagKeys (p. 254) | |
| UntagResource | Removes the specified tags from an Amazon Cognito user pool. | Tagging | userpool (p. 253) | aws:TagKeys (p. 254) | |
| UpdateAuthEventFeedback | Updates the feedback for the user authentication event. | Write | userpool* (p. 253) | | |
| UpdateDeviceStatus | Updates the device status. | Write | | | |
| UpdateGroup | Updates the specified group with the specified attributes. | Write | userpool* (p. 253) | | |
| UpdateIdentityProvider | Updates identity provider information for a user pool. | Write | userpool* (p. 253) | | |
| UpdateResourceServer | Updates the name and scopes of a resource server. | Write | userpool* (p. 253) | | |
| UpdateUserAttributes | Allows a user to update a specific attribute (one at a time). | Write | | | |
| UpdateUserPool | Updates the specified user pool with the specified attributes. | Write | userpool* (p. 253) | aws:RequestTag/${TagKey} (p. 253), aws:TagKeys (p. 254) | |
| UpdateUserPoolClient | Allows the developer to update the specified user pool client and password policy. | Write | userpool* (p. 253) | | |
| UpdateUserPoolDomain | Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool. | Write | userpool* (p. 253) | | |
| VerifySoftwareToken | Registers a user's entered TOTP code and marks the user's software token MFA status as verified if successful. | Write | | | |
| VerifyUserAttribute | Verifies a user attribute using a one-time verification code. | Write | | | |

Resource types defined by Amazon Cognito User Pools


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 246) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
| --- | --- | --- |
| userpool | arn:${Partition}:cognito-idp:${Region}:${Account}:userpool/${UserPoolId} | aws:ResourceTag/${TagKey} (p. 254) |

Condition keys for Amazon Cognito User Pools


Amazon Cognito User Pools defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request. | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String |
| aws:TagKeys | Filters access by a key that is present in the request. | String |

Actions, resources, and condition keys for Amazon Comprehend

Amazon Comprehend (service prefix: comprehend) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Comprehend (p. 254)
• Resource types defined by Amazon Comprehend (p. 262)
• Condition keys for Amazon Comprehend (p. 263)

Actions defined by Amazon Comprehend


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| BatchDetectDominantLanguage | Grants permission to detect the language or languages present in the list of text documents | Read | | | |
| BatchDetectEntities | Grants permission to detect the named entities ("People", "Places", "Locations", etc.) within the given list of text documents | Read | | | |
| BatchDetectKeyPhrases | Grants permission to detect the phrases in the list of text documents that are most indicative of the content | Read | | | |
| BatchDetectSentiment | Grants permission to detect the sentiment of a text in the list of documents (Positive, Negative, Neutral, or Mixed) | Read | | | |
| BatchDetectSyntax | Grants permission to detect syntactic information (like Part of Speech, Tokens) in a list of text documents | Read | | | |
| ClassifyDocument | Grants permission to create a new document classification request to analyze a single document in real time, using a previously created and trained custom model and an endpoint | Read | document-classifier-endpoint* (p. 263) | | |
| CreateDocumentClassifier | Grants permission to create a new document classifier that you can use to categorize documents | Write | | aws:RequestTag/${TagKey} (p. 263), aws:TagKeys (p. 263), comprehend:VolumeKmsKey (p. 263), comprehend:OutputKmsKey (p. 263), comprehend:VpcSecurityGroupIds (p. 263), comprehend:VpcSubnets (p. 263) | |
| CreateEndpoint | Grants permission to create a model-specific endpoint for synchronous inference for a previously trained custom model | Write | document-classifier* (p. 262), entity-recognizer* (p. 263) | aws:RequestTag/${TagKey} (p. 263), aws:TagKeys (p. 263) | |

| CreateEntityRecognizer | Grants permission to create an entity recognizer using submitted files | Write | | aws:RequestTag/${TagKey} (p. 263), aws:TagKeys (p. 263), comprehend:VolumeKmsKey (p. 263), comprehend:VpcSecurityGroupIds (p. 263), comprehend:VpcSubnets (p. 263) | |
| DeleteDocumentClassifier | Grants permission to delete a previously created document classifier | Write | document-classifier* (p. 262) | | |
| DeleteEndpoint | Grants permission to delete a model-specific endpoint for a previously trained custom model. All endpoints must be deleted in order for the model to be deleted | Write | document-classifier-endpoint* (p. 263), entity-recognizer-endpoint* (p. 263) | | |
| DeleteEntityRecognizer | Grants permission to delete a submitted entity recognizer | Write | entity-recognizer* (p. 263) | | |
| DescribeDocumentClassificationJob | Grants permission to get the properties associated with a document classification job | Read | | | |
| DescribeDocumentClassifier | Grants permission to get the properties associated with a document classifier | Read | document-classifier* (p. 262) | | |
| DescribeDominantLanguageDetectionJob | Grants permission to get the properties associated with a dominant language detection job | Read | | | |
| DescribeEndpoint | Grants permission to get the properties associated with a specific endpoint. Use this operation to get the status of an endpoint | Read | document-classifier-endpoint* (p. 263), entity-recognizer-endpoint* (p. 263) | | |
| DescribeEntitiesDetectionJob | Grants permission to get the properties associated with an entities detection job | Read | | | |
| DescribeEntityRecognizer | Grants permission to provide details about an entity recognizer including status, S3 buckets containing training data, recognizer metadata, metrics, and so on | Read | entity-recognizer* (p. 263) | | |
| DescribeEventsDetectionJob | Grants permission to get the properties associated with an Events detection job | Read | | | |
| DescribeKeyPhrasesDetectionJob | Grants permission to get the properties associated with a key phrases detection job | Read | | | |
| DescribePiiEntitiesDetectionJob | Grants permission to get the properties associated with a PII entities detection job | Read | | | |
| DescribeSentimentDetectionJob | Grants permission to get the properties associated with a sentiment detection job | Read | | | |
| DescribeTopicsDetectionJob | Grants permission to get the properties associated with a topic detection job | Read | | | |
| DetectDominantLanguage | Grants permission to detect the language or languages present in the text | Read | | | |
| DetectEntities | Grants permission to detect the named entities ("People", "Places", "Locations", etc.) within the given text document | Read | entity-recognizer-endpoint (p. 263) | | |
| DetectKeyPhrases | Grants permission to detect the phrases in the text that are most indicative of the content | Read | | | |
| DetectPiiEntities | Grants permission to detect the personally identifiable information entities ("Name", "SSN", "PIN", etc.) within the given text document | Read | | | |
| DetectSentiment | Grants permission to detect the sentiment of a text in a document (Positive, Negative, Neutral, or Mixed) | Read | | | |
| DetectSyntax | Grants permission to detect syntactic information (like Part of Speech, Tokens) in a text document | Read | | | |
| ListDocumentClassificationJobs | Grants permission to get a list of the document classification jobs that you have submitted | List | | | |
| ListDocumentClassifiers | Grants permission to get a list of the document classifiers that you have created | List | | | |
| ListDominantLanguageDetectionJobs | Grants permission to get a list of the dominant language detection jobs that you have submitted | List | | | |
| ListEndpoints | Grants permission to get a list of all existing endpoints that you've created | List | | | |
| ListEntitiesDetectionJobs | Grants permission to get a list of the entity detection jobs that you have submitted | List | | | |
| ListEntityRecognizers | Grants permission to get a list of the properties of all entity recognizers that you created, including recognizers currently in training | List | | | |
| ListEventsDetectionJobs | Grants permission to get a list of Events detection jobs that you have submitted | List | | | |
| ListKeyPhrasesDetectionJobs | Grants permission to get a list of key phrase detection jobs that you have submitted | List | | | |
| ListPiiEntitiesDetectionJobs | Grants permission to get a list of PII entities detection jobs that you have submitted | List | | | |
| ListSentimentDetectionJobs | Grants permission to get a list of sentiment detection jobs that you have submitted | List | | | |
| ListTagsForResource | Grants permission to list tags for a resource | List | document-classifier (p. 262), document-classifier-endpoint (p. 263), entity-recognizer (p. 263), entity-recognizer-endpoint (p. 263) | | |
| ListTopicsDetectionJobs | Grants permission to get a list of the topic detection jobs that you have submitted | List | | | |
| StartDocumentClassificationJob | Grants permission to start an asynchronous document classification job | Write | document-classifier* (p. 262) | comprehend:VolumeKmsKey (p. 263), comprehend:OutputKmsKey (p. 263), comprehend:VpcSecurityGroupIds (p. 263), comprehend:VpcSubnets (p. 263) | |
| StartDominantLanguageDetectionJob | Grants permission to start an asynchronous dominant language detection job for a collection of documents | Write | | comprehend:VolumeKmsKey (p. 263), comprehend:OutputKmsKey (p. 263), comprehend:VpcSecurityGroupIds (p. 263), comprehend:VpcSubnets (p. 263) | |
| StartEntitiesDetectionJob | Grants permission to start an asynchronous entity detection job for a collection of documents | Write | entity-recognizer (p. 263) | comprehend:VolumeKmsKey (p. 263), comprehend:OutputKmsKey (p. 263), comprehend:VpcSecurityGroupIds (p. 263), comprehend:VpcSubnets (p. 263) | |
| StartEventsDetectionJob | Grants permission to start an asynchronous Events detection job for a collection of documents | Write | | comprehend:OutputKmsKey (p. 263) | |
| StartKeyPhrasesDetectionJob | Grants permission to start an asynchronous key phrase detection job for a collection of documents | Write | | comprehend:VolumeKmsKey (p. 263), comprehend:OutputKmsKey (p. 263), comprehend:VpcSecurityGroupIds (p. 263), comprehend:VpcSubnets (p. 263) | |
| StartPiiEntitiesDetectionJob | Grants permission to start an asynchronous PII entities detection job for a collection of documents | Write | | comprehend:OutputKmsKey (p. 263) | |
| StartSentimentDetectionJob | Grants permission to start an asynchronous sentiment detection job for a collection of documents | Write | | comprehend:VolumeKmsKey (p. 263), comprehend:OutputKmsKey (p. 263), comprehend:VpcSecurityGroupIds (p. 263), comprehend:VpcSubnets (p. 263) | |

| StartTopicsDetectionJob | Grants permission to start an asynchronous job to detect the most common topics in the collection of documents and the phrases associated with each topic | Write | | comprehend:VolumeKmsKey (p. 263), comprehend:OutputKmsKey (p. 263), comprehend:VpcSecurityGroupIds (p. 263), comprehend:VpcSubnets (p. 263) | |
| StopDominantLanguageDetectionJob | Grants permission to stop a dominant language detection job | Write | | | |
| StopEntitiesDetectionJob | Grants permission to stop an entity detection job | Write | | | |
| StopEventsDetectionJob | Grants permission to stop an Events detection job | Write | | | |
| StopKeyPhrasesDetectionJob | Grants permission to stop a key phrase detection job | Write | | | |
| StopPiiEntitiesDetectionJob | Grants permission to stop a PII entities detection job | Write | | | |
| StopSentimentDetectionJob | Grants permission to stop a sentiment detection job | Write | | | |
| StopTrainingDocumentClassifier | Grants permission to stop a previously created document classifier training job | Write | document-classifier* (p. 262) | | |
| StopTrainingEntityRecognizer | Grants permission to stop a previously created entity recognizer training job | Write | entity-recognizer* (p. 263) | | |
| TagResource | Grants permission to tag a resource with given key value pairs | Tagging | document-classifier (p. 262), document-classifier-endpoint (p. 263), entity-recognizer (p. 263), entity-recognizer-endpoint (p. 263) | aws:RequestTag/${TagKey} (p. 263), aws:TagKeys (p. 263) | |
| UntagResource | Grants permission to untag a resource with given key | Tagging | document-classifier (p. 262), document-classifier-endpoint (p. 263), entity-recognizer (p. 263), entity-recognizer-endpoint (p. 263) | aws:TagKeys (p. 263) | |
| UpdateEndpoint | Grants permission to update information about the specified endpoint | Write | document-classifier-endpoint* (p. 263), entity-recognizer-endpoint* (p. 263) | | |

Resource types defined by Amazon Comprehend


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 254) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
| --- | --- | --- |
| document-classifier | arn:${Partition}:comprehend:${Region}:${Account}:document-classifier/${DocumentClassifierName} | aws:ResourceTag/${TagKey} (p. 263) |
| document-classifier-endpoint | arn:${Partition}:comprehend:${Region}:${Account}:document-classifier-endpoint/${DocumentClassifierEndpointName} | aws:ResourceTag/${TagKey} (p. 263) |
| entity-recognizer | arn:${Partition}:comprehend:${Region}:${Account}:entity-recognizer/${EntityRecognizerName} | aws:ResourceTag/${TagKey} (p. 263) |
| entity-recognizer-endpoint | arn:${Partition}:comprehend:${Region}:${Account}:entity-recognizer-endpoint/${EntityRecognizerEndpointName} | aws:ResourceTag/${TagKey} (p. 263) |

Condition keys for Amazon Comprehend


Amazon Comprehend defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters access to create requests based on the allowed set of values for each of the mandatory tags | String |
| aws:ResourceTag/${TagKey} | Filters access to actions based on the tag value associated with the resource | String |
| aws:TagKeys | Filters access to create requests based on the presence of mandatory tags in the request | String |
| comprehend:OutputKmsKey | Filters access by the output KMS key associated with the resource in the request. | ARN |
| comprehend:VolumeKmsKey | Filters access by the volume KMS key associated with the resource in the request. | ARN |
| comprehend:VpcSecurityGroupIds | Filters access by the list of all VPC security group IDs associated with the resource in the request. | ArrayOfString |
| comprehend:VpcSubnets | Filters access by the list of all VPC subnets associated with the resource in the request. | ArrayOfString |

Actions, resources, and condition keys for Comprehend Medical

Comprehend Medical (service prefix: comprehendmedical) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Comprehend Medical (p. 264)
• Resource types defined by Comprehend Medical (p. 264)
• Condition keys for Comprehend Medical (p. 264)

Actions defined by Comprehend Medical


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| DetectEntities | Inspects the specified text for the specified type of entities and returns information about them. | Read | | | |
| DetectPHI | Inspects the specified text for PHI entities and returns information about them. | Read | | | |

Resource types defined by Comprehend Medical


Comprehend Medical does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to Comprehend Medical, specify "Resource": "*" in your policy.

Condition keys for Comprehend Medical


ComprehendMedical has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Compute Optimizer

Compute Optimizer (service prefix: compute-optimizer) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Compute Optimizer (p. 265)
• Resource types defined by Compute Optimizer (p. 266)
• Condition keys for Compute Optimizer (p. 266)

Actions defined by Compute Optimizer


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| DescribeRecommendationExportJobs | Grants permission to view the status of recommendation export jobs. | List | | | |
| ExportAutoScalingGroupRecommendations | Grants permission to export autoscaling group recommendations to S3 for the provided accounts. | Write | | | |
| ExportEC2InstanceRecommendations | Grants permission to export EC2 instance recommendations to S3 for the provided accounts. | Write | | | |
| GetAutoScalingGroupRecommendations | Grants permission to get recommendations for the provided autoscaling groups. | List | | | |
| GetEBSVolumeRecommendations | Grants permission to get recommendations for the provided EBS volumes. | List | | | |
| GetEC2InstanceRecommendations | Grants permission to get recommendations for the provided EC2 instances. | List | | | |
| GetEC2RecommendationProjectedMetrics | Grants permission to get the recommendation projected metrics of the specified instance. | List | | | |
| GetEnrollmentStatus | Grants permission to get the enrollment status for the specified account. | List | | | |
| GetRecommendationSummaries | Grants permission to get the recommendation summaries for the specified account(s). | List | | | |
| UpdateEnrollmentStatus | Grants permission to update the enrollment status. | Write | | | |

Resource types defined by Compute Optimizer


Compute Optimizer does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to Compute Optimizer, specify "Resource": "*" in your policy.

Condition keys for Compute Optimizer


Compute Optimizer has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS Config


AWS Config (service prefix: config) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Config (p. 267)
• Resource types defined by AWS Config (p. 274)
• Condition keys for AWS Config (p. 275)

Actions defined by AWS Config


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement; an ARN in that position never matches, so such a statement grants nothing. If the
column includes a resource type, then you can specify an ARN of that type in a statement with that
action. Required resources are indicated in the table with an asterisk (*): if you specify a resource-level
permission ARN in a statement using this action, then it must be of this type. Some actions support
multiple resource types. If a resource type is optional (not marked as required), you can specify one of
the optional types without the others.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchGetAggregateResourceConfig | Returns the current configuration items for resources that are present in your AWS Config aggregator | Read | ConfigurationAggregator* | |
BatchGetResourceConfig | Returns the current configuration for one or more requested resources | Read | | |
DeleteAggregationAuthorization | Deletes the authorization granted to the specified configuration aggregator account in a specified region | Write | AggregationAuthorization* | |
DeleteConfigRule | Deletes the specified AWS Config rule and all of its evaluation results | Write | ConfigRule* | |
DeleteConfigurationAggregator | Deletes the specified configuration aggregator and the aggregated data associated with the aggregator | Write | ConfigurationAggregator* | |
DeleteConfigurationRecorder | Deletes the configuration recorder | Write | | |
DeleteConformancePack | Deletes the specified conformance pack and all the AWS Config rules and all evaluation results within that conformance pack | Write | | |
DeleteDeliveryChannel | Deletes the delivery channel | Write | | |
DeleteEvaluationResults | Deletes the evaluation results for the specified Config rule | Write | ConfigRule* | |
DeleteOrganizationConfigRule | Deletes the specified organization config rule and all of its evaluation results from all member accounts in that organization | Write | | |
DeleteOrganizationConformancePack | Deletes the specified organization conformance pack and all of its evaluation results from all member accounts in that organization | Write | | |
DeletePendingAggregationRequest | Deletes pending authorization requests for a specified aggregator account in a specified region | Write | | |
DeleteRemediationConfiguration | Deletes the remediation configuration | Write | RemediationConfiguration* | |
DeleteRemediationExceptions | Deletes one or more remediation exceptions for specific resource keys for a specific AWS Config rule | Write | | |
DeleteResourceConfig | Records the configuration state for a custom resource that has been deleted | Write | | |
DeleteRetentionConfiguration | Deletes the retention configuration | Write | | |
DeliverConfigSnapshot | Schedules delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel | Read | | |
DescribeAggregateComplianceByConfigRules | Returns a list of compliant and noncompliant rules with the number of resources for compliant and noncompliant rules | List | ConfigurationAggregator* | |
DescribeAggregationAuthorizations | Returns a list of authorizations granted to various aggregator accounts and regions | List | | |
DescribeComplianceByConfigRule | Indicates whether the specified AWS Config rules are compliant | List | ConfigRule* | |
DescribeComplianceByResource | Indicates whether the specified AWS resources are compliant | List | | |
DescribeConfigRuleEvaluationStatus | Returns status information for each of your AWS managed Config rules | List | ConfigRule* | |
DescribeConfigRules | Returns details about your AWS Config rules | List | ConfigRule* | |
DescribeConfigurationAggregatorSourcesStatus | Returns status information for sources within an aggregator | List | ConfigurationAggregator* | |
DescribeConfigurationAggregators | Returns the details of one or more configuration aggregators | List | | |
DescribeConfigurationRecorderStatus | Returns the current status of the specified configuration recorder | List | | |
DescribeConfigurationRecorders | Returns the name of one or more specified configuration recorders | List | | |
DescribeConformancePackCompliance | Returns compliance information for each rule in that conformance pack | Read | | |
DescribeConformancePackStatus | Provides the deployment status of one or more conformance packs | Read | | |
DescribeConformancePacks | Returns a list of one or more conformance packs | Read | | |
DescribeDeliveryChannelStatus | Returns the current status of the specified delivery channel | List | | |
DescribeDeliveryChannels | Returns details about the specified delivery channel | List | | |
DescribeOrganizationConfigRuleStatuses | Provides organization config rule deployment status for an organization | Read | | |
DescribeOrganizationConfigRules | Returns a list of organization config rules | Read | | |
DescribeOrganizationConformancePackStatuses | Provides organization conformance pack deployment status for an organization | Read | | |
DescribeOrganizationConformancePacks | Returns a list of organization conformance packs | Read | | |
DescribePendingAggregationRequests | Returns a list of all pending aggregation requests | List | | |
DescribeRemediationConfigurations | Returns the details of one or more remediation configurations | List | RemediationConfiguration* | |
DescribeRemediationExceptions | Returns the details of one or more remediation exceptions | List | | |
DescribeRemediationExecutionStatus | Provides a detailed view of a remediation execution for a set of resources, including state, timestamps and any error messages for steps that have failed | List | RemediationConfiguration* | |
DescribeRetentionConfigurations | Returns the details of one or more retention configurations | List | | |
GetAggregateComplianceDetailsByConfigRule | Returns the evaluation results for the specified AWS Config rule for a specific resource in a rule | Read | ConfigurationAggregator* | |
GetAggregateConfigRuleComplianceSummary | Returns the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator | Read | ConfigurationAggregator* | |
GetAggregateDiscoveredResourceCounts | Returns the resource counts across accounts and regions that are present in your AWS Config aggregator | Read | ConfigurationAggregator* | |
GetAggregateResourceConfig | Returns the configuration item that is aggregated for your specific resource in a specific source account and region | Read | ConfigurationAggregator* | |
GetComplianceDetailsByConfigRule | Returns the evaluation results for the specified AWS Config rule | Read | ConfigRule* | |
GetComplianceDetailsByResource | Returns the evaluation results for the specified AWS resource | Read | | |
GetComplianceSummaryByConfigRule | Returns the number of AWS Config rules that are compliant and noncompliant, up to a maximum of 25 for each | Read | | |
GetComplianceSummaryByResourceType | Returns the number of resources that are compliant and the number that are noncompliant | Read | | |
GetConformancePackComplianceDetails | Returns compliance details of a conformance pack for all AWS resources that are monitored by the conformance pack | Read | | |
GetConformancePackComplianceSummary | Provides a compliance summary for one or more conformance packs | Read | | |
GetDiscoveredResourceCounts | Returns the resource types, the number of each resource type, and the total number of resources that AWS Config is recording in this region for your AWS account | Read | | |
GetOrganizationConfigRuleDetailedStatus | Returns detailed status for each member account within an organization for a given organization config rule | Read | | |
GetOrganizationConformancePackDetailedStatus | Returns detailed status for each member account within an organization for a given organization conformance pack | Read | | |
GetResourceConfigHistory | Returns a list of configuration items for the specified resource | Read | | |
ListAggregateDiscoveredResources | Accepts a resource type and returns a list of resource identifiers that are aggregated for a specific resource type across accounts and regions | List | ConfigurationAggregator* | |
ListDiscoveredResources | Accepts a resource type and returns a list of resource identifiers for the resources of that type | List | | |
ListTagsForResource | Lists the tags for an AWS Config resource | List | AggregationAuthorization, ConfigRule, ConfigurationAggregator | |
PutAggregationAuthorization | Authorizes the aggregator account and region to collect data from the source account and region | Write | AggregationAuthorization* | aws:RequestTag/${TagKey}, aws:TagKeys |
PutConfigRule | Adds or updates an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations | Write | ConfigRule* | aws:RequestTag/${TagKey}, aws:TagKeys |
PutConfigurationAggregator | Creates and updates the configuration aggregator with the selected source accounts and regions | Write | ConfigurationAggregator* | aws:RequestTag/${TagKey}, aws:TagKeys |
PutConfigurationRecorder | Creates a new configuration recorder to record the selected resource configurations | Write | | |
PutConformancePack | Creates or updates a conformance pack | Write | | |
PutDeliveryChannel | Creates a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic | Write | | |
PutEvaluations | Used by an AWS Lambda function to deliver evaluation results to AWS Config | Write | | |
PutOrganizationConfigRule | Adds or updates an organization config rule for your entire organization, evaluating whether your AWS resources comply with your desired configurations | Write | | |
PutOrganizationConformancePack | Adds or updates an organization conformance pack for your entire organization, evaluating whether your AWS resources comply with your desired configurations | Write | | |
PutRemediationConfigurations | Adds or updates the remediation configuration for a specific AWS Config rule with the selected target or action | Write | RemediationConfiguration* | |
PutRemediationExceptions | Adds or updates remediation exceptions for specific resources for a specific AWS Config rule | Write | | |
PutResourceConfig | Records the configuration state for the resource provided in the request | Write | | |
PutRetentionConfiguration | Creates and updates the retention configuration with details about the retention period (number of days) for which AWS Config stores your historical information | Write | | |
SelectAggregateResourceConfig | Accepts a structured query language (SQL) SELECT command and an aggregator to query the configuration state of AWS resources across multiple accounts and regions, performs the corresponding search, and returns resource configurations matching the properties | Read | | |
SelectResourceConfig | Accepts a structured query language (SQL) SELECT command, performs the corresponding search, and returns resource configurations matching the properties | Read | | |
StartConfigRulesEvaluation | Evaluates your resources against the specified Config rules | Write | ConfigRule* | |
StartConfigurationRecorder | Starts recording configurations of the AWS resources you have selected to record in your AWS account | Write | | |
StartRemediationExecution | Runs an on-demand remediation for the specified AWS Config rules against the last known remediation configuration | Write | RemediationConfiguration* | |
StopConfigurationRecorder | Stops recording configurations of the AWS resources you have selected to record in your AWS account | Write | | |
TagResource | Associates the specified tags with a resource with the specified resourceArn | Tagging | AggregationAuthorization, ConfigRule, ConfigurationAggregator, ConformancePack | aws:RequestTag/${TagKey}, aws:TagKeys |
UntagResource | Deletes specified tags from a resource | Tagging | AggregationAuthorization, ConfigRule, ConfigurationAggregator, ConformancePack | aws:TagKeys |
Resource types defined by AWS Config


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 267) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
AggregationAuthorization | arn:${Partition}:config:${Region}:${Account}:aggregation-authorization/${AggregatorAccount}/${AggregatorRegion} | aws:ResourceTag/${TagKey}
ConfigurationAggregator | arn:${Partition}:config:${Region}:${Account}:config-aggregator/${AggregatorId} | aws:ResourceTag/${TagKey}
ConfigRule | arn:${Partition}:config:${Region}:${Account}:config-rule/${ConfigRuleId} | aws:ResourceTag/${TagKey}
ConformancePack | arn:${Partition}:config:${Region}:${Account}:conformance-pack/${ConformancePackName}/${ConformancePackId} | aws:ResourceTag/${TagKey}
OrganizationConfigRule | arn:${Partition}:config:${Region}:${Account}:organization-config-rule/${OrganizationConfigRuleId} |
OrganizationConformancePack | arn:${Partition}:config:${Region}:${Account}:organization-conformance-pack/${OrganizationConformancePackId} |
RemediationConfiguration | arn:${Partition}:config:${Region}:${Account}:remediation-configuration/${RemediationConfigurationId} |
Condition keys for AWS Config


AWS Config defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource | String
aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String
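The three tables above are exactly what a policy reviewer needs to catch the usual AWS Config mistakes: a Write action such as PutConfigRule granted on "*" when it could be scoped to a ConfigRule ARN, an ARN attached to an action that has no resource type (that statement matches nothing), an ARN of the wrong type, and an Allow for StopConfigurationRecorder or DeleteDeliveryChannel with no explicit Deny to stop a compromised principal from blinding Config. The following is an added example and not code from the reference or from AWS: an offline Python check that encodes a subset of the action table and the ARN forms of the resource-type table and lints two constructed policy documents. The ACTIONS subset, the RECORDING_CONTROL grouping and both sample policies are assumptions made for this example; only Effect, Action and Resource are examined.

```python
"""Added example (not part of the AWS reference): lint an IAM policy for AWS
Config against the action table (access level, required resource type) and
the resource-type table (ARN form) above. NotAction, NotResource and
Condition blocks are out of scope for this example."""
import fnmatch

# Subset of "Actions defined by AWS Config": action -> (access level, required resource type or None).
ACTIONS = {
    "DescribeConfigRules": ("List", "ConfigRule"),
    "DescribeConfigurationRecorders": ("List", None),
    "GetResourceConfigHistory": ("Read", None),
    "PutConfigRule": ("Write", "ConfigRule"),
    "DeleteConfigRule": ("Write", "ConfigRule"),
    "PutConfigurationAggregator": ("Write", "ConfigurationAggregator"),
    "StartRemediationExecution": ("Write", "RemediationConfiguration"),
    "PutConfigurationRecorder": ("Write", None),
    "StopConfigurationRecorder": ("Write", None),
    "DeleteConfigurationRecorder": ("Write", None),
    "DeleteDeliveryChannel": ("Write", None),
}

# Grouping chosen for this example: actions whose grant switches off or dismantles recording.
RECORDING_CONTROL = {"StopConfigurationRecorder", "DeleteConfigurationRecorder", "DeleteDeliveryChannel"}

# Resource-part prefixes from "Resource types defined by AWS Config"
# (every ARN there has the form arn:${Partition}:config:${Region}:${Account}:<prefix>...).
RESOURCE_PREFIX = {
    "AggregationAuthorization": "aggregation-authorization/",
    "ConfigurationAggregator": "config-aggregator/",
    "ConfigRule": "config-rule/",
    "ConformancePack": "conformance-pack/",
    "OrganizationConfigRule": "organization-config-rule/",
    "OrganizationConformancePack": "organization-conformance-pack/",
    "RemediationConfiguration": "remediation-configuration/",
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def expand(action_patterns):
    """Expand patterns such as 'config:Put*' to the names in ACTIONS; other services are ignored."""
    names = set()
    for pattern in as_list(action_patterns):
        if pattern == "*":
            names.update(ACTIONS)
            continue
        service, _, name = pattern.partition(":")
        if service == "config":
            names.update(a for a in ACTIONS if fnmatch.fnmatchcase(a, name))
    return names


def arn_resource_type(arn):
    """Return the Config resource type an ARN names, or None if it is not a Config ARN of a known type."""
    parts = arn.split(":", 5)  # arn, partition, service, region, account, resource
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "config":
        return None
    for rtype, prefix in RESOURCE_PREFIX.items():
        if parts[5].startswith(prefix):
            return rtype
    return None


def lint_policy(policy):
    """Return a list of human-readable findings for the Allow statements of a policy document."""
    findings = []
    denied = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Deny":
            denied |= expand(st.get("Action", []))
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for act in sorted(expand(st.get("Action", []))):
            level, required = ACTIONS[act]
            for res in as_list(st.get("Resource", [])):
                if res == "*":
                    if required and level == "Write":
                        findings.append(f"stmt {i}: config:{act} is Write and supports {required} ARNs; scope it instead of '*'")
                elif required is None:
                    findings.append(f"stmt {i}: config:{act} has no resource type; '{res}' never matches, so nothing is granted")
                elif arn_resource_type(res) != required:
                    findings.append(f"stmt {i}: config:{act} requires a {required} ARN, got '{res}'")
            if act in RECORDING_CONTROL and act not in denied:
                findings.append(f"stmt {i}: config:{act} is allowed with no explicit Deny; it can blind Config")
    return findings


# Constructed sample policies (account ID and rule names are placeholders).
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["config:Describe*", "config:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["config:PutConfigRule", "config:DeleteConfigRule"], "Resource": "*"},
    {"Effect": "Allow", "Action": "config:StopConfigurationRecorder",
     "Resource": "arn:aws:config:us-east-1:123456789012:config-rule/*"},
    {"Effect": "Allow", "Action": "config:StartRemediationExecution",
     "Resource": "arn:aws:config:us-east-1:123456789012:config-rule/my-rule"},
]}
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["config:Describe*", "config:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["config:PutConfigRule", "config:DeleteConfigRule"],
     "Resource": "arn:aws:config:us-east-1:123456789012:config-rule/*"},
    {"Effect": "Allow", "Action": "config:StartRemediationExecution",
     "Resource": "arn:aws:config:us-east-1:123456789012:remediation-configuration/*"},
    {"Effect": "Deny", "Action": ["config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
                                  "config:DeleteDeliveryChannel"], "Resource": "*"},
]}

if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, lint_policy(pol) or ["no findings"])
```

Running the block prints five findings for the loose policy and none for the tight one. The Deny statement matters even though the role in question may never need those actions: IAM evaluates an explicit Deny before any Allow, so it survives a later, broader Allow being attached to the same principal.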

Actions, resources, and condition keys for Amazon Connect

Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Connect (p. 276)
• Resource types defined by Amazon Connect (p. 288)
• Condition keys for Amazon Connect (p. 289)

Actions defined by Amazon Connect


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement; an ARN in that position never matches, so such a statement grants nothing. If the
column includes a resource type, then you can specify an ARN of that type in a statement with that
action. Required resources are indicated in the table with an asterisk (*): if you specify a resource-level
permission ARN in a statement using this action, then it must be of this type. Some actions support
multiple resource types. If a resource type is optional (not marked as required), you can specify one of
the optional types without the others.

For details about the columns in the following table, see The actions table (p. 1).
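The Dependent actions column in the following table is the part reviewers most often skip, and it matters twice over: the Connect call fails unless the same principal also holds every listed dependency, and several of those dependencies (iam:AttachRolePolicy, iam:PutRolePolicy) change role permissions, so granting them on Resource "*" alongside a Connect action hands the principal an account-wide escalation path. The following is an added example, not code from the reference or from AWS: a Python check that copies a few rows of the Dependent actions column into a map, reports Connect actions whose dependencies a policy does not also allow, and flags IAM-mutating dependencies granted on "*". The DEPENDENT subset, the IAM_MUTATING grouping, both sample policies and the role ARN in the scoped policy are assumptions made for this example.

```python
"""Added example (not part of the AWS reference): check an IAM policy that
grants Amazon Connect actions against the Dependent actions column of the
table below. Only Effect/Action/Resource of Allow statements are examined;
Deny, NotAction and Condition are out of scope here."""
import fnmatch

# Subset of the table's Dependent actions column: connect action -> actions the same principal also needs.
DEPENDENT = {
    "AssociateLambdaFunction": ["lambda:AddPermission"],
    "DisassociateLambdaFunction": ["lambda:RemovePermission"],
    "AssociateLexBot": ["iam:AttachRolePolicy", "iam:CreateServiceLinkedRole", "iam:PutRolePolicy", "lex:GetBot"],
    "DeleteInstance": ["ds:DeleteDirectory", "ds:DescribeDirectories", "ds:UnauthorizeApplication"],
    "GetFederationTokens": ["connect:DescribeInstance", "connect:ListInstances", "ds:DescribeDirectories"],
    "ListInstances": ["ds:DescribeDirectories"],
    "UpdateInstanceAttribute": ["ds:DescribeDirectories", "iam:AttachRolePolicy",
                                "iam:CreateServiceLinkedRole", "iam:PutRolePolicy", "logs:CreateLogGroup"],
}

# Grouping chosen for this example: dependencies that rewrite role permissions.
IAM_MUTATING = {"iam:AttachRolePolicy", "iam:PutRolePolicy"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_grants(policy):
    """Yield (action pattern, resource list) for every Allow statement in the policy."""
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow":
            for pattern in as_list(st.get("Action", [])):
                yield pattern, as_list(st.get("Resource", []))


def is_allowed(policy, action):
    """True if some Allow pattern covers the action, e.g. 'iam:*' covers 'iam:PutRolePolicy'."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern, _ in allowed_grants(policy))


def granted_connect_actions(policy):
    """Names from DEPENDENT that the policy's Allow patterns cover."""
    return {a for a in DEPENDENT if is_allowed(policy, "connect:" + a)}


def check_dependencies(policy):
    """Return findings: Connect actions with missing dependencies, and IAM-mutating grants on '*'."""
    findings = []
    for act in sorted(granted_connect_actions(policy)):
        missing = [d for d in DEPENDENT[act] if not is_allowed(policy, d)]
        if missing:
            findings.append(f"connect:{act} will fail: missing dependent action(s) {', '.join(missing)}")
    for pattern, resources in allowed_grants(policy):
        if "*" in resources and any(fnmatch.fnmatchcase(a, pattern) for a in IAM_MUTATING):
            findings.append(f"'{pattern}' on Resource '*' permits IAM changes account-wide; scope it to the role Connect needs")
    return findings


# Constructed sample policies; the role ARN below is a placeholder, not a real Connect role name.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["connect:AssociateLexBot", "connect:AssociateLambdaFunction",
                                   "connect:ListInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["lex:GetBot", "ds:DescribeDirectories"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "*"},
]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "connect:AssociateLexBot", "Resource": "*"},
    {"Effect": "Allow", "Action": ["lex:GetBot", "iam:CreateServiceLinkedRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": "arn:aws:iam::123456789012:role/example-connect-role"},
]}

if __name__ == "__main__":
    for name, pol in (("sample", SAMPLE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, check_dependencies(pol) or ["no findings"])
```

The sample policy produces three findings: AssociateLambdaFunction lacks lambda:AddPermission, AssociateLexBot lacks iam:AttachRolePolicy and iam:CreateServiceLinkedRole, and iam:PutRolePolicy is granted on "*". The scoped policy carries every dependency and limits the two role-mutating actions to one role ARN, so it produces none; the check does not judge whether that ARN is the right one, which is the reviewer's remaining job.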

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateApprovedOrigin | Grants permission to associate an approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | |
AssociateInstanceStorageConfig | Grants permission to associate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | connect:StorageResourceType | ds:DescribeDirectories, firehose:DescribeDeliveryStream, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, kinesis:DescribeStream, kms:CreateGrant, kms:DescribeKey, s3:GetBucketAcl, s3:GetBucketLocation
AssociateLambdaFunction | Grants permission to associate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | | lambda:AddPermission
AssociateLexBot | Grants permission to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, lex:GetBot
AssociateRoutingProfileQueues | Grants permission to associate queues with a routing profile in an Amazon Connect instance. | Write | queue*, routing-profile* | aws:ResourceTag/${TagKey} |
AssociateSecurityKey | Grants permission to associate a security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | |
CreateContactFlow | Grants permission to create a contact flow in an Amazon Connect instance. | Write | contact-flow* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateInstance | Grants permission to create a new Amazon Connect instance. The associated required actions grant permission to configure instance settings. | Write | | | ds:AuthorizeApplication, ds:CheckAlias, ds:CreateAlias, ds:CreateDirectory, ds:CreateIdentityPoolDirectory, ds:DescribeDirectories, ds:UnauthorizeApplication, firehose:DescribeDeliveryStream, firehose:ListDeliveryStreams, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, kinesis:DescribeStream, kinesis:ListStreams, kms:CreateGrant, kms:DescribeKey, kms:ListAliases, kms:RetireGrant, logs:CreateLogGroup, s3:CreateBucket, s3:GetBucketLocation, s3:ListAllMyBuckets
CreateRoutingProfile | Grants permission to create a routing profile in an Amazon Connect instance. | Write | queue*, routing-profile* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateUser | Grants permission to create a user for the specified Amazon Connect instance. | Write | routing-profile*, security-profile*, user*, hierarchy-group | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateUserHierarchyGroup | Grants permission to create a user hierarchy group in an Amazon Connect instance. | Write | hierarchy-group | |
DeleteInstance | Grants permission to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed. | Write | instance* | | ds:DeleteDirectory, ds:DescribeDirectories, ds:UnauthorizeApplication
DeleteUser | Grants permission to delete a user in an Amazon Connect instance. | Write | user* | aws:ResourceTag/${TagKey} |
DeleteUserHierarchyGroup | Grants permission to delete a user hierarchy group in an Amazon Connect instance. | Write | hierarchy-group* | |
DescribeContactFlow | Grants permission to describe a contact flow in an Amazon Connect instance. | Read | contact-flow* | aws:ResourceTag/${TagKey} |
DescribeInstance | Grants permission to view details of an Amazon Connect instance. This is required to create an instance. | Read | instance* | | ds:DescribeDirectories, firehose:DescribeDeliveryStream, firehose:ListDeliveryStreams, kinesis:DescribeStream, kinesis:ListStreams, kms:DescribeKey, kms:ListAliases, s3:ListAllMyBuckets
DescribeInstanceAttribute | Grants permission to view the attribute details of an existing Amazon Connect instance. | Read | instance* | connect:AttributeType |
DescribeInstanceStorageConfig | Grants permission to view the instance storage configuration for an existing Amazon Connect instance. | Read | instance* | connect:StorageResourceType |
DescribeRoutingProfile | Grants permission to describe a routing profile in an Amazon Connect instance. | Read | routing-profile* | aws:ResourceTag/${TagKey} |
DescribeUser | Grants permission to describe a user in an Amazon Connect instance. | Read | user* | aws:ResourceTag/${TagKey} |
DescribeUserHierarchyGroup | Grants permission to describe a hierarchy group for an Amazon Connect instance. | Read | hierarchy-group* | |
DescribeUserHierarchyStructure | Grants permission to describe the hierarchy structure for an Amazon Connect instance. | Read | instance* | |
DestroyInstance | Grants permission to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed. | Write | instance* | |
DisassociateApprovedOrigin | Grants permission to disassociate an approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | |
DisassociateInstanceStorageConfig | Grants permission to disassociate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | connect:StorageResourceType |
DisassociateLambdaFunction | Grants permission to disassociate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | | lambda:RemovePermission
DisassociateLexBot | Grants permission to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy
DisassociateRoutingProfileQueues | Grants permission to disassociate queues from a routing profile in an Amazon Connect instance. | Write | routing-profile* | aws:ResourceTag/${TagKey} |
DisassociateSecurityKey | Grants permission to disassociate the security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | |
GetContactAttributes | Grants permission to retrieve the contact attributes for the specified contact. | Read | contact* | |
GetCurrentMetricData | Grants permission to retrieve current metric data for the queues in an Amazon Connect instance. | Read | queue* | |
GetFederationToken | Allows federation into an instance when using SAML-based authentication for identity management. | Read | instance* | |
GetFederationTokens | Grants permission to federate into an Amazon Connect instance (the "Log in as administrator" functionality in the AWS console). | Write | instance* | | connect:DescribeInstance, connect:ListInstances, ds:DescribeDirectories
GetMetricData | Grants permission to retrieve historical metric data for queues in an Amazon Connect instance. | Read | queue* | |
ListApprovedOrigins | Grants permission to view approved origins of an existing Amazon Connect instance. | List | instance* | |
ListContactFlows | Grants permission to list contact flow resources in an Amazon Connect instance. | List | instance* | |
ListHoursOfOperations | Grants permission to list hours of operation resources in an Amazon Connect instance. | List | instance* | |
ListInstanceAttributes | Grants permission to view the attributes of an existing Amazon Connect instance. | List | instance* | |
ListInstanceStorageConfigs | Grants permission to view storage configurations of an existing Amazon Connect instance. | List | instance* | |
ListInstances | Grants permission to view the Amazon Connect instances associated with an AWS account. | List | | | ds:DescribeDirectories
ListLambdaFunctions | Grants permission to view the Lambda functions of an existing Amazon Connect instance. | List | instance* | |
ListLexBots | Grants permission to view the Lex bots of an existing Amazon Connect instance. | List | instance* | |
ListPhoneNumbers | Grants permission to list phone number resources in an Amazon Connect instance. | List | instance* | |
ListPrompts | Grants permission to list prompt resources in an Amazon Connect instance. | List | instance* | |
ListQueues | Grants permission to list queue resources in an Amazon Connect instance. | List | instance* | |
ListRoutingProfileQueues | Grants permission to list queue resources in a routing profile in an Amazon Connect instance. | Read | routing-profile* | aws:ResourceTag/${TagKey} |
ListRoutingProfiles | Grants permission to list routing profile resources in an Amazon Connect instance. | List | instance* | |
ListSecurityKeys | Grants permission to view the security keys of an existing Amazon Connect instance. | List | instance* | |
ListSecurityProfiles | Grants permission to list security profile resources in an Amazon Connect instance. | List | instance* | |
ListTagsForResource | Grants permission to list tags for an Amazon Connect resource. | Read | contact-flow, routing-profile, user | aws:ResourceTag/${TagKey} |
ListUserHierarchyGroups | Grants permission to list the hierarchy group resources in an Amazon Connect instance. | List | instance* | |
ListUsers | Grants permission to list user resources in an Amazon Connect instance. | List | instance* | |
ModifyInstance | Grants permission to modify configuration settings for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | | firehose:DescribeDeliveryStream, firehose:ListDeliveryStreams, kinesis:DescribeStream, kinesis:ListStreams, kms:CreateGrant, kms:DescribeKey, kms:ListAliases, kms:RetireGrant, s3:CreateBucket, s3:GetBucketLocation, s3:ListAllMyBuckets
ResumeContactRecording | Grants permission to resume recording for the specified contact. | Write | contact* | |
StartChatContact | Grants permission to initiate a chat using the Amazon Connect API. | Write | contact-flow* | |
StartContactRecording | Grants permission to start recording for the specified contact. | Write | contact* | |
StartOutboundVoiceContact | Grants permission to initiate outbound calls using the Amazon Connect API. | Write | contact* | |
StartTaskContact | Grants permission to initiate a task using the Amazon Connect API. | Write | contact-flow* | |
StopContact | Grants permission to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact, the contact ends, even if the agent is active on a call with a customer. | Write | contact* | |
StopContactRecording | Grants permission to stop recording for the specified contact. | Write | contact* | |
SuspendContactRecording | Grants permission to suspend recording for the specified contact. | Write | contact* | |
TagResource | Grants permission to tag an Amazon Connect resource. | Tagging | contact-flow, routing-profile, user | aws:TagKeys, aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey} |
UntagResource | Grants permission to untag an Amazon Connect resource. | Tagging | contact-flow, routing-profile, user | aws:TagKeys, aws:ResourceTag/${TagKey} |
UpdateContactAttributes | Grants permission to create or update the contact attributes associated with the specified contact. | Write | contact* | |
UpdateContactFlowContent | Grants permission to update contact flow content in an Amazon Connect instance. | Write | contact-flow* | aws:ResourceTag/${TagKey} |
UpdateContactFlowName | Grants permission to update the name and description of a contact flow in an Amazon Connect instance. | Write | contact-flow* | aws:ResourceTag/${TagKey} |
UpdateInstanceAttribute | Grants permission to update the attribute for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | connect:AttributeType | ds:DescribeDirectories, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, logs:CreateLogGroup
UpdateInstanceStorageConfig | Grants permission to update the storage configuration for an existing Amazon Connect instance. The associated required actions grant permission to modify the | Write | instance* | | ds:DescribeDirectories, firehose:DescribeDeliveryStream, iam:AttachRolePolicy
iam:CreateServiceLinkedR
settings for the instance.
iam:PutRolePolicy

kinesis:DescribeStream

kms:CreateGrant

kms:DescribeKey

s3:GetBucketAcl

s3:GetBucketLocation

  connect:StorageResourceType
 
(p. 289)

Grants permissions to update Write routing-    


UpdateRoutingProfileConcurrency
the concurrency in a routing profile*
profile in an Amazon Connect (p. 289)
instance.
  aws:ResourceTag/
 
${TagKey}
(p. 289)

286
Service Authorization Reference
Service Authorization Reference
Amazon Connect

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permissions to update Write queue*    


UpdateRoutingProfileDefaultOutboundQueue
the outbound queue in a routing (p. 289)
profile in an Amazon Connect
instance. routing-    
profile*
(p. 289)

  aws:ResourceTag/
 
${TagKey}
(p. 289)

Grants permissions to update Write routing-    


UpdateRoutingProfileName
a routing profile name and profile*
description in an Amazon (p. 289)
Connect instance.
  aws:ResourceTag/
 
${TagKey}
(p. 289)

Grants permissions to update Write routing-    


UpdateRoutingProfileQueues
the queues in routing profile in profile*
an Amazon Connect instance. (p. 289)

  aws:ResourceTag/
 
${TagKey}
(p. 289)

Grants permissions to update a Write user*    


UpdateUserHierarchy
hierarchy group for a user in an (p. 288)
Amazon Connect instance.
hierarchy-    
group
(p. 289)

  aws:ResourceTag/
 
${TagKey}
(p. 289)

Grants permissions to update a Write hierarchy-    


UpdateUserHierarchyGroupName
user hierarchy group name in an group*
Amazon Connect instance. (p. 289)

Grants permissions to update Write instance*    


UpdateUserHierarchyStructure
user hierarchy structure in an (p. 288)
Amazon Connect instance.

Grants permissions to update Write user*    


UpdateUserIdentityInfo
identity information for a user in (p. 288)
an Amazon Connect instance.
  aws:ResourceTag/
 
${TagKey}
(p. 289)

287
Service Authorization Reference
Service Authorization Reference
Amazon Connect

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permissions to update Write user*    


UpdateUserPhoneConfig
phone configuration settings for (p. 288)
a user in an Amazon Connect
instance.   aws:ResourceTag/
 
${TagKey}
(p. 289)

Grants permissions to update a Write routing-    


UpdateUserRoutingProfile
routing profile for a user in an profile*
Amazon Connect instance. (p. 289)

user*    
(p. 288)

  aws:ResourceTag/
 
${TagKey}
(p. 289)

Grants permissions to update Write security-    


UpdateUserSecurityProfiles
security profiles for a user in an profile*
Amazon Connect instance. (p. 289)

user*    
(p. 288)

  aws:ResourceTag/
 
${TagKey}
(p. 289)

Resource types defined by Amazon Connect


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 276) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys

instance | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId} |
contact | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId} |
user | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId} | aws:ResourceTag/${TagKey} (p. 289)
routing-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId} | aws:ResourceTag/${TagKey} (p. 289)
security-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId} |
hierarchy-group | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId} |
queue | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId} |
contact-flow | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId} | aws:ResourceTag/${TagKey} (p. 289)
hours-of-operation | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId} |
phone-number | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-numbers/${PhoneNumberId} |

Condition keys for Amazon Connect


Amazon Connect defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type

aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request. | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request. | String
connect:AttributeType | Filters access by the attribute type of the Amazon Connect instance. | String
connect:StorageResourceType | Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration. | String
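As an added example (not AWS code or tooling), the following Python script lints one IAM Allow statement against the Amazon Connect tables above: it encodes the ARN formats from the resource types table, a subset of the action rows with their required resource types, and which resource types carry aws:ResourceTag/${TagKey}. The sample statement, account id and instance id are constructed placeholders, and the action subset and finding rules are my own choice.

```python
# Added example (not AWS code): lint one IAM Allow statement against the
# Amazon Connect tables above. It encodes the resource ARN formats, a subset
# of the action rows with their required resource types, and the resource
# types whose row lists aws:ResourceTag/${TagKey}.
import json
import re

# Every ARN in the Connect resource types table starts with the instance ARN;
# ${Partition}, ${Region}, ${Account} and the ids may be literal or "*".
_INSTANCE = r"^arn:[^:]+:connect:[^:]*:[^:]*:instance/[^/]+"
RESOURCE_PATTERNS = {
    "instance": re.compile(_INSTANCE + r"$"),
    "contact": re.compile(_INSTANCE + r"/contact/[^/]+$"),
    "user": re.compile(_INSTANCE + r"/agent/[^/]+$"),
    "routing-profile": re.compile(_INSTANCE + r"/routing-profile/[^/]+$"),
    "security-profile": re.compile(_INSTANCE + r"/security-profile/[^/]+$"),
    "hierarchy-group": re.compile(_INSTANCE + r"/agent-group/[^/]+$"),
    "queue": re.compile(_INSTANCE + r"/queue/[^/]+$"),
    "contact-flow": re.compile(_INSTANCE + r"/contact-flow/[^/]+$"),
    "hours-of-operation": re.compile(_INSTANCE + r"/operating-hours/[^/]+$"),
    "phone-number": re.compile(_INSTANCE + r"/phone-numbers/[^/]+$"),
}
# Resource types whose row in that table lists aws:ResourceTag/${TagKey}.
TAGGABLE_TYPES = {"user", "routing-profile", "contact-flow"}
# Subset of the actions table: action -> resource types marked required (*).
REQUIRED_RESOURCES = {
    "connect:ModifyInstance": ("instance",),
    "connect:StartChatContact": ("contact-flow",),
    "connect:StopContact": ("contact",),
    "connect:UpdateContactAttributes": ("contact",),
    "connect:UpdateUserRoutingProfile": ("routing-profile", "user"),
    "connect:UpdateUserSecurityProfiles": ("security-profile", "user"),
}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value] if value else []


def classify_arn(arn):
    """Return the Connect resource type an ARN belongs to, or None."""
    for rtype, pattern in RESOURCE_PATTERNS.items():
        if pattern.match(arn):
            return rtype
    return None


def check_statement(stmt):
    """Return findings for one Allow statement; an empty list means no issue."""
    findings = []
    resources = _as_list(stmt.get("Resource"))
    wildcard = "*" in resources
    types_present = set()
    for arn in resources:
        if arn == "*":
            continue
        rtype = classify_arn(arn)
        if rtype is None:
            findings.append(f"unrecognized Connect ARN: {arn}")
        else:
            types_present.add(rtype)
    # True if any condition operator references an aws:ResourceTag/... key.
    uses_resource_tag = any(
        key.startswith("aws:ResourceTag/")
        for keys in stmt.get("Condition", {}).values()
        for key in keys
    )
    for action in _as_list(stmt.get("Action")):
        required = REQUIRED_RESOURCES.get(action)
        if required is None:
            findings.append(f"{action}: not in the table subset, skipped")
            continue
        if wildcard:
            # Every action in the subset lists a resource type, so "*" is wider than needed.
            findings.append(f'{action}: supports resource-level permissions but is granted on "*"')
        else:
            for rtype in required:
                if rtype not in types_present:
                    findings.append(f"{action}: no Resource ARN of required type {rtype}")
        if uses_resource_tag and not set(required) & TAGGABLE_TYPES:
            # These resource types never carry the key, so the condition is never true.
            findings.append(f"{action}: aws:ResourceTag condition can never match, "
                            f"{'/'.join(required)} resources have no tag condition keys")
    return findings


# Constructed sample statement; account id and instance id are placeholders.
SAMPLE_STATEMENT = json.loads("""{
  "Effect": "Allow",
  "Action": ["connect:StopContact", "connect:UpdateUserRoutingProfile"],
  "Resource": [
    "arn:aws:connect:us-east-1:111122223333:instance/EXAMPLE-INSTANCE-ID/contact/*",
    "arn:aws:connect:us-east-1:111122223333:instance/EXAMPLE-INSTANCE-ID/agent/*"
  ],
  "Condition": {"StringEquals": {"aws:ResourceTag/team": "support"}}
}""")

if __name__ == "__main__":
    for finding in check_statement(SAMPLE_STATEMENT):
        print(finding)
```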

Actions, resources, and condition keys for Amazon Connect Customer Profiles
Amazon Connect Customer Profiles (service prefix: profile) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Connect Customer Profiles (p. 290)
• Resource types defined by Amazon Connect Customer Profiles (p. 293)
• Condition keys for Amazon Connect Customer Profiles (p. 293)

Actions defined by Amazon Connect Customer Profiles


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions

AddProfileKey | Grants permission to add a profile key | Write | domains* (p. 293) | |
CreateDomain | Grants permission to create a Domain | Write | | aws:RequestTag/${TagKey} (p. 294), aws:TagKeys (p. 294) |
CreateProfile | Grants permission to create a profile in the domain | Write | domains* (p. 293) | |
DeleteDomain | Grants permission to delete a Domain | Write | domains* (p. 293) | |
DeleteIntegration | Grants permission to delete an integration in a domain | Write | domains* (p. 293), integrations* (p. 293) | |
DeleteProfile | Grants permission to delete a profile | Write | domains* (p. 293) | |
DeleteProfileKey | Grants permission to delete a profile key | Write | domains* (p. 293) | |
DeleteProfileObject | Grants permission to delete a profile object | Write | domains* (p. 293), object-types* (p. 293) | |
DeleteProfileObjectType | Grants permission to delete a specific profile object type in the domain | Write | domains* (p. 293), object-types* (p. 293) | |
GetDomain | Grants permission to get a specific domain in an account | Read | domains* (p. 293) | |
GetIntegration | Grants permission to get a specific integration in a domain | Read | domains* (p. 293), integrations* (p. 293) | |
GetProfileObjectType | Grants permission to get a specific profile object type in the domain | Read | domains* (p. 293), object-types* (p. 293) | |
GetProfileObjectTypeTemplate | Grants permission to get a specific object type template | Read | | |
ListAccountIntegrations | Grants permission to list all the integrations in the account | List | | |
ListDomains | Grants permission to list all the domains in an account | List | | |
ListIntegrations | Grants permission to list all the integrations in a specific domain | List | domains* (p. 293) | |
ListProfileObjectTypeTemplates | Grants permission to list all the profile object type templates in the account | List | | |
ListProfileObjectTypes | Grants permission to list all the profile object types in the domain | List | domains* (p. 293) | |
ListProfileObjects | Grants permission to list all the profile objects for a profile | List | domains* (p. 293), object-types* (p. 293) | |
ListTagsForResource | Grants permission to list tags for a resource | List | | |
PutIntegration | Grants permission to put an integration in a domain | Write | domains* (p. 293), integrations* (p. 293) | aws:RequestTag/${TagKey} (p. 294), aws:TagKeys (p. 294) |
PutProfileObject | Grants permission to put an object for a profile | Write | domains* (p. 293), object-types* (p. 293) | |
PutProfileObjectType | Grants permission to put a specific profile object type in the domain | Write | domains* (p. 293), object-types* (p. 293) | aws:RequestTag/${TagKey} (p. 294), aws:TagKeys (p. 294) |
SearchProfiles | Grants permission to search for profiles in a domain | Read | domains* (p. 293) | |
TagResource | Grants permission to add tags to a resource | Tagging | | aws:RequestTag/${TagKey} (p. 294), aws:TagKeys (p. 294) |
UntagResource | Grants permission to remove tags from a resource | Tagging | | aws:RequestTag/${TagKey} (p. 294), aws:TagKeys (p. 294) |
UpdateDomain | Grants permission to update a Domain | Write | domains* (p. 293) | |
UpdateProfile | Grants permission to update a profile in the domain | Write | domains* (p. 293) | |

Resource types defined by Amazon Connect Customer Profiles


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 290) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys

domains | arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName} | aws:ResourceTag/${TagKey} (p. 294)
object-types | arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}/object-types/${ObjectTypeName} | aws:ResourceTag/${TagKey} (p. 294)
integrations | arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}/integrations/${Uri} | aws:ResourceTag/${TagKey} (p. 294)

Condition keys for Amazon Connect Customer Profiles


Amazon Connect Customer Profiles defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions under
which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type

aws:RequestTag/${TagKey} | Filters access by a key that is present in the request the user makes to the pinpoint service. | String
aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair. | String
aws:TagKeys | Filters access by the list of all the tag key names present in the request the user makes to the pinpoint service. | String

Actions, resources, and condition keys for AWS Connector Service
AWS Connector Service (service prefix: awsconnector) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Connector Service (p. 294)
• Resource types defined by AWS Connector Service (p. 295)
• Condition keys for AWS Connector Service (p. 295)

Actions defined by AWS Connector Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions

GetConnectorHealth [permission only] | Retrieves all health metrics that were published from the Server Migration Connector. | Read | | |
RegisterConnector [permission only] | Registers AWS Connector with AWS Connector Service. | Write | | |
ValidateConnectorId [permission only] | Validates Server Migration Connector Id that was registered with AWS Connector Service. | Read | | |

Resource types defined by AWS Connector Service


AWS Connector Service does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to AWS Connector Service, specify “Resource”: “*” in your policy.

Condition keys for AWS Connector Service


Connector Service has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS Cost and Usage Report
AWS Cost and Usage Report (service prefix: cur) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Cost and Usage Report (p. 295)
• Resource types defined by AWS Cost and Usage Report (p. 296)
• Condition keys for AWS Cost and Usage Report (p. 296)

Actions defined by AWS Cost and Usage Report


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions

DeleteReportDefinition | Delete Cost and Usage Report Definition | Write | cur* (p. 296) | |
DescribeReportDefinitions | Get Cost and Usage Report Definitions | Read | | |
ModifyReportDefinition | Modify Cost and Usage Report Definition | Write | cur* (p. 296) | |
PutReportDefinition | Write Cost and Usage Report Definition | Write | cur* (p. 296) | |

Resource types defined by AWS Cost and Usage Report


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 295) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys

cur | arn:${Partition}:cur:${Region}:${Account}:definition/${ReportName} |

Condition keys for AWS Cost and Usage Report


Cost and Usage Report has no service-specific context keys that can be used in the Condition element
of policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS Cost Explorer Service
AWS Cost Explorer Service (service prefix: ce) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Cost Explorer Service (p. 297)
• Resource types defined by AWS Cost Explorer Service (p. 300)
• Condition keys for AWS Cost Explorer Service (p. 300)

Actions defined by AWS Cost Explorer Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions

CreateAnomalyMonitor | Grants permission to create a new Anomaly Monitor | Write | | |
CreateAnomalySubscription | Grants permission to create a new Anomaly Subscription | Write | | |
CreateCostCategoryDefinition | Grants permission to create a new Cost Category with the requested name and rules | Write | | |
CreateNotificationSubscription [permission only] | Grants permission to create Reservation expiration alerts | Write | | |
CreateReport [permission only] | Grants permission to create Cost Explorer Reports | Write | | |
DeleteAnomalyMonitor | Grants permission to delete an Anomaly Monitor | Write | | |
DeleteAnomalySubscription | Grants permission to delete an Anomaly Subscription | Write | | |
DeleteCostCategoryDefinition | Grants permission to delete a Cost Category | Write | | |
DeleteNotificationSubscription [permission only] | Grants permission to delete Reservation expiration alerts | Write | | |
DeleteReport [permission only] | Grants permission to delete Cost Explorer Reports | Write | | |
DescribeCostCategoryDefinition | Grants permission to retrieve descriptions such as the name, ARN, rules, definition, and effective dates of a Cost Category | Read | | |
DescribeNotificationSubscription [permission only] | Grants permission to view Reservation expiration alerts | Read | | |
DescribeReport [permission only] | Grants permission to view Cost Explorer Reports page | Read | | |
GetAnomalies | Grants permission to retrieve anomalies | Read | | |
GetAnomalyMonitors | Grants permission to query Anomaly Monitors | Read | | |
GetAnomalySubscriptions | Grants permission to query Anomaly Subscriptions | Read | | |
GetCostAndUsage | Grants permission to retrieve the cost and usage metrics for your account | Read | | |
GetCostAndUsageWithResources | Grants permission to retrieve the cost and usage metrics with resources for your account | Read | | |
GetCostForecast | Grants permission to retrieve a cost forecast for a forecast time period | Read | | |
GetDimensionValues | Grants permission to retrieve all available filter values for a filter for a period of time | Read | | |
GetPreferences [permission only] | Grants permission to view Cost Explorer Preferences page | Read | | |
GetReservationCoverage | Grants permission to retrieve the reservation coverage for your account | Read | | |
GetReservationPurchaseRecommendation | Grants permission to retrieve the reservation recommendations for your account | Read | | |
GetReservationUtilization | Grants permission to retrieve the reservation utilization for your account | Read | | |
GetRightsizingRecommendation | Grants permission to retrieve the rightsizing recommendations for your account | Read | | |
GetSavingsPlansCoverage | Grants permission to retrieve the Savings Plans coverage for your account | Read | | |
GetSavingsPlansPurchaseRecommendation | Grants permission to retrieve the Savings Plans recommendations for your account | Read | | |
GetSavingsPlansUtilization | Grants permission to retrieve the Savings Plans utilization for your account | Read | | |
GetSavingsPlansUtilizationDetails | Grants permission to retrieve the Savings Plans utilization details for your account | Read | | |
GetTags | Grants permission to query tags for a specified time period | Read | | |
GetUsageForecast | Grants permission to retrieve a usage forecast for a forecast time period | Read | | |
ListCostCategoryDefinitions | Grants permission to retrieve names, ARN, and effective dates for all Cost Categories | List | | |
ProvideAnomalyFeedback | Grants permission to provide feedback on detected anomalies | Write | | |
UpdateAnomalyMonitor | Grants permission to update an existing Anomaly Monitor | Write | | |
UpdateAnomalySubscription | Grants permission to update an existing Anomaly Subscription | Write | | |
UpdateCostCategoryDefinition | Grants permission to update an existing Cost Category | Write | | |
UpdateNotificationSubscription [permission only] | Grants permission to update Reservation expiration alerts | Write | | |
UpdatePreferences [permission only] | Grants permission to edit Cost Explorer Preferences page | Write | | |
UpdateReport [permission only] | Grants permission to update Cost Explorer Reports | Write | | |

Resource types defined by AWS Cost Explorer Service


AWS Cost Explorer Service does not support specifying a resource ARN in the Resource element of an
IAM policy statement. To allow access to AWS Cost Explorer Service, specify “Resource”: “*” in your
policy.

Condition keys for AWS Cost Explorer Service


Cost Explorer Service has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS Data Exchange
AWS Data Exchange (service prefix: dataexchange) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Data Exchange (p. 301)
• Resource types defined by AWS Data Exchange (p. 303)
• Condition keys for AWS Data Exchange (p. 304)

Actions defined by AWS Data Exchange


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CancelJob | Grants permissions to cancel a job. | Write | jobs* (p. 303) | | |
| CreateAsset | Grants permission to create an asset (for example, in a Job). | Write | | aws:RequestTag/${TagKey} (p. 304), aws:ResourceTag/${TagKey} (p. 304), aws:TagKeys (p. 304) | |
| CreateDataSet | Grants permission to create a data set. | Write | | aws:RequestTag/${TagKey} (p. 304), aws:ResourceTag/${TagKey} (p. 304), aws:TagKeys (p. 304) | |
| CreateJob | Grants permissions to create a job to import or export assets. | Write | jobs* (p. 303) | | |
| CreateRevision | Grants permission to create a revision. | Write | | aws:RequestTag/${TagKey} (p. 304), aws:ResourceTag/${TagKey} (p. 304), aws:TagKeys (p. 304) | |
| DeleteAsset | Grants permissions to delete an asset. | Write | assets* (p. 303) | | |
| DeleteDataSet | Grants permissions to delete a data set. | Write | data-sets* (p. 303) | | |
| DeleteRevision | Grants permissions to delete a revision. | Write | revisions* (p. 303) | | |
| GetAsset | Grants permissions to get information about an asset and to export it (for example, in a Job). | Read | assets* (p. 303) | | |
| GetDataSet | Grants permission to get information about a data set. | Read | data-sets* (p. 303) | | |
| GetJob | Grants permissions to get information about a job. | Write | jobs* (p. 303) | | |
| GetRevision | Grants permission to get information about a revision. | Read | revisions* (p. 303) | | |
| ListDataSetRevisions | Grants permissions to list the revisions of a data set. | List | revisions* (p. 303) | | |
| ListDataSets | Grants permission to list data sets for the account. | List | data-sets* (p. 303) | | |
| ListJobs | Grants permissions to list jobs for the account. | List | jobs* (p. 303) | | |
| ListRevisionAssets | Grants permissions to list the assets of a revision. | List | assets* (p. 303) | | |
| ListTagsForResource | Grants permission to list the tags that you associated with the specified resource. | Read | data-sets (p. 303), revisions (p. 303) | | |
| StartJob | Grants permissions to start a job. | Write | jobs* (p. 303) | | |
| TagResource | Grants permission to add one or more tags to a specified resource. | Tagging | data-sets (p. 303), revisions (p. 303) | aws:RequestTag/${TagKey} (p. 304), aws:TagKeys (p. 304) | |
| UntagResource | Grants permission to remove one or more tags from a specified resource. | Tagging | data-sets (p. 303), revisions (p. 303) | aws:TagKeys (p. 304) | |
| UpdateAsset | Grants permissions to update information about an asset. | Write | assets* (p. 303) | | |
| UpdateDataSet | Grants permissions to update information about a data set. | Write | data-sets* (p. 303) | | |
| UpdateRevision | Grants permissions to update information about a revision. | Write | revisions* (p. 303) | | |

Resource types defined by AWS Data Exchange


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 301) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| jobs | arn:${Partition}:dataexchange:${Region}:${Account}:jobs/${JobId} | dataexchange:JobType (p. 304) |
| data-sets | arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId} | |
| revisions | arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId}/revisions/${RevisionId} | |
| assets | arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId}/revisions/${RevisionId}/assets/${AssetId} | |


Condition keys for AWS Data Exchange


AWS Data Exchange defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters create requests based on the allowed set of values for each of the mandatory tags. | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource. | String |
| aws:TagKeys | Filters create requests based on the presence of mandatory tags in the request. | String |
| dataexchange:JobType | Indicates that the action can only be performed on the specified job type. | String |

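As an added example (not code from the Service Authorization Reference), the following Python script turns the ARN formats in the resource types table into matchers and uses the required-resource column of the actions table to flag statements whose Resource list can never satisfy an action; the account number, data set ID and statement contents are constructed placeholders.

```python
"""Check IAM Resource ARNs against the AWS Data Exchange resource types.

Added example, not AWS's own code. The ARN formats and the required
resource type per action are copied from the two tables above; the
account number and identifiers in the sample statements are constructed.
"""
import re

# ARN formats from the resource types table.
RESOURCE_TYPES = {
    "jobs": "arn:${Partition}:dataexchange:${Region}:${Account}:jobs/${JobId}",
    "data-sets": "arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId}",
    "revisions": "arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId}"
                 "/revisions/${RevisionId}",
    "assets": "arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId}"
              "/revisions/${RevisionId}/assets/${AssetId}",
}

# Required (*) resource type per action, from the actions table.
REQUIRED_RESOURCE = {
    "dataexchange:" + action: rtype
    for rtype, actions in {
        "jobs": ["CancelJob", "CreateJob", "GetJob", "ListJobs", "StartJob"],
        "data-sets": ["DeleteDataSet", "GetDataSet", "ListDataSets", "UpdateDataSet"],
        "revisions": ["DeleteRevision", "GetRevision", "ListDataSetRevisions", "UpdateRevision"],
        "assets": ["DeleteAsset", "GetAsset", "ListRevisionAssets", "UpdateAsset"],
    }.items()
    for action in actions
}

# Actions with an empty Resource types column: they only work with Resource "*".
NO_RESOURCE_TYPE = {"dataexchange:CreateAsset", "dataexchange:CreateDataSet",
                    "dataexchange:CreateRevision"}


def _format_to_regex(arn_format):
    """Turn an ARN format into an anchored regex; each ${Name} becomes a named group.

    A group accepts anything except ':' and '/', so an IAM wildcard such as
    'data-sets/*' still classifies as the right type.
    """
    escaped = re.escape(arn_format)
    pattern = re.sub(r"\\\$\\\{(\w+)\\\}", r"(?P<\1>[^:/]+)", escaped)
    return re.compile("^" + pattern + "$")


_TYPE_REGEX = {name: _format_to_regex(fmt) for name, fmt in RESOURCE_TYPES.items()}


def resource_type_of(arn):
    """Return the Data Exchange resource type an ARN (or ARN pattern) denotes, else None."""
    for name, regex in _TYPE_REGEX.items():
        if regex.match(arn):
            return name
    return None


def check_statement(statement):
    """Return the actions in a statement that can never match because of its Resource list.

    Rules from the table text: an action with a required type needs "*" or an ARN
    of that type; an action with no resource type needs "*".
    """
    resources = statement["Resource"]
    if isinstance(resources, str):
        resources = [resources]
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    star = "*" in resources
    types_present = {resource_type_of(r) for r in resources} - {None}
    dead = []
    for action in actions:
        if action in NO_RESOURCE_TYPE and not star:
            dead.append(f'{action}: no resource type is defined, so Resource must be "*"')
        needed = REQUIRED_RESOURCE.get(action)
        if needed and not star and needed not in types_present:
            dead.append(f"{action}: requires a '{needed}' ARN, statement has {sorted(types_present)}")
    return dead


def example_statements():
    """Constructed sample: read-only access to one data set and its contents."""
    ds = "arn:aws:dataexchange:us-east-1:111122223333:data-sets/ds-EXAMPLE"
    scoped = {
        "Effect": "Allow",
        "Action": ["dataexchange:GetDataSet", "dataexchange:ListDataSetRevisions",
                   "dataexchange:GetRevision", "dataexchange:GetAsset"],
        "Resource": [ds, ds + "/revisions/*", ds + "/revisions/*/assets/*"],
    }
    # Same actions, but only the data-set ARN: the revision- and asset-level
    # actions evaluate against revision/asset ARNs, so those grants are dead.
    too_narrow = {**scoped, "Resource": [ds]}
    return scoped, too_narrow


if __name__ == "__main__":
    for stmt in example_statements():
        print(check_statement(stmt) or "ok")
```
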
Actions, resources, and condition keys for Amazon Data Lifecycle Manager

Amazon Data Lifecycle Manager (service prefix: dlm) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Data Lifecycle Manager (p. 304)
• Resource types defined by Amazon Data Lifecycle Manager (p. 305)
• Condition keys for Amazon Data Lifecycle Manager (p. 306)

Actions defined by Amazon Data Lifecycle Manager


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateLifecyclePolicy | Create a data lifecycle policy to manage the scheduled creation and retention of Amazon EBS snapshots. You may have up to 100 policies. | Write | | aws:RequestTag/${TagKey} (p. 306), aws:TagKeys (p. 306) | |
| DeleteLifecyclePolicy | Delete an existing data lifecycle policy. In addition, this action halts the creation and deletion of snapshots that the policy specified. Existing snapshots are not affected. | Write | policy* (p. 305) | | |
| GetLifecyclePolicies | Returns a list of summary descriptions of data lifecycle policies. | List | | | |
| GetLifecyclePolicy | Returns a complete description of a single data lifecycle policy. | Read | policy* (p. 305) | | |
| ListTagsForResource | Grants permission to list the tags associated with a resource. | Read | policy* (p. 305) | | |
| TagResource | Grants permission to add or update tags of a resource. | Tagging | policy* (p. 305) | | |
| UntagResource | Grants permission to remove tags associated with a resource. | Tagging | policy* (p. 305) | | |
| UpdateLifecyclePolicy | Updates an existing data lifecycle policy. | Write | policy* (p. 305) | | |

Resource types defined by Amazon Data Lifecycle Manager


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 304) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| policy | arn:${Partition}:dlm:${Region}:${Account}:policy/${ResourceName} | aws:ResourceTag/${TagKey} (p. 306) |


Condition keys for Amazon Data Lifecycle Manager


Amazon Data Lifecycle Manager defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |

Actions, resources, and condition keys for Data Pipeline

Data Pipeline (service prefix: datapipeline) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Data Pipeline (p. 306)
• Resource types defined by Data Pipeline (p. 309)
• Condition keys for Data Pipeline (p. 309)

Actions defined by Data Pipeline


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| ActivatePipeline | Validates the specified pipeline and starts processing pipeline tasks. If the pipeline does not pass validation, activation fails. | Write | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309), datapipeline:workerGroup (p. 309) | |
| AddTags | Adds or modifies tags for the specified pipeline. | Tagging | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309) | |
| CreatePipeline | Creates a new, empty pipeline. | Write | | datapipeline:Tag (p. 309) | |
| DeactivatePipeline | Deactivates the specified running pipeline. | Write | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309), datapipeline:workerGroup (p. 309) | |
| DeletePipeline | Deletes a pipeline, its pipeline definition, and its run history. | Write | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309) | |
| DescribeObjects | Gets the object definitions for a set of objects associated with the pipeline. | Read | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309) | |
| DescribePipelines | Retrieves metadata about one or more pipelines. | List | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309) | |
| EvaluateExpression | Task runners call EvaluateExpression to evaluate a string in the context of the specified object. | Read | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309) | |
| GetAccountLimits | Description for GetAccountLimits | List | | | |
| GetPipelineDefinition | Gets the definition of the specified pipeline. | Read | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309), datapipeline:workerGroup (p. 309) | |
| ListPipelines | Lists the pipeline identifiers for all active pipelines that you have permission to access. | List | | | |
| PollForTask | Task runners call PollForTask to receive a task to perform from AWS Data Pipeline. | Write | | datapipeline:workerGroup (p. 309) | |
| PutAccountLimits | Description for PutAccountLimits | Write | | | |
| PutPipelineDefinition | Adds tasks, schedules, and preconditions to the specified pipeline. | Write | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309), datapipeline:workerGroup (p. 309) | |
| QueryObjects | Queries the specified pipeline for the names of objects that match the specified set of conditions. | Read | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309) | |
| RemoveTags | Removes existing tags from the specified pipeline. | Tagging | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309) | |
| ReportTaskProgress | Task runners call ReportTaskProgress when assigned a task to acknowledge that it has the task. | Write | | | |
| ReportTaskRunnerHeartbeat | Task runners call ReportTaskRunnerHeartbeat every 15 minutes to indicate that they are operational. | Write | | | |
| SetStatus | Requests that the status of the specified physical or logical pipeline objects be updated in the specified pipeline. | Write | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309) | |
| SetTaskStatus | Task runners call SetTaskStatus to notify AWS Data Pipeline that a task is completed and provide information about the final status. | Write | | | |
| ValidatePipelineDefinition | Validates the specified pipeline definition to ensure that it is well formed and can be run without error. | Read | | datapipeline:PipelineCreator (p. 309), datapipeline:Tag (p. 309), datapipeline:workerGroup (p. 309) | |

Resource types defined by Data Pipeline


Data Pipeline does not support specifying a resource ARN in the Resource element of an IAM policy
statement. To allow access to Data Pipeline, specify "Resource": "*" in your policy.

Condition keys for Data Pipeline


Data Pipeline defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| datapipeline:PipelineCreator | The IAM user that created the pipeline. | ARN |
| datapipeline:Tag | A customer-specified key/value pair that can be attached to a resource. | ARN |
| datapipeline:workerGroup | The name of a worker group for which a Task Runner retrieves work. | ARN |

Actions, resources, and condition keys for AWS Database Migration Service

AWS Database Migration Service (service prefix: dms) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Database Migration Service (p. 310)
• Resource types defined by AWS Database Migration Service (p. 316)
• Condition keys for AWS Database Migration Service (p. 317)

Actions defined by AWS Database Migration Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddTagsToResource | Grants permission to add metadata tags to DMS resources, including replication instances, endpoints, security groups, and migration tasks | Tagging | Certificate (p. 317), Endpoint (p. 317), EventSubscription (p. 317), ReplicationInstance (p. 317), ReplicationSubnetGroup (p. 317), ReplicationTask (p. 317) | aws:RequestTag/${TagKey} (p. 318), aws:TagKeys (p. 318), dms:req-tag/${TagKey} (p. 318) | |
| ApplyPendingMaintenanceAction | Grants permission to apply a pending maintenance action to a resource (for example, to a replication instance) | Write | ReplicationInstance* (p. 317) | | |
| CancelReplicationTaskAssessmentRun | Grants permission to cancel a single premigration assessment run | Write | ReplicationTaskAssessmentRun* (p. 317) | | |
| CreateEndpoint | Grants permission to create an endpoint using the provided settings | Write | | aws:RequestTag/${TagKey} (p. 318), aws:TagKeys (p. 318), dms:req-tag/${TagKey} (p. 318) | |
| CreateEventSubscription | Grants permission to create an AWS DMS event notification subscription | Write | | aws:RequestTag/${TagKey} (p. 318), aws:TagKeys (p. 318), dms:req-tag/${TagKey} (p. 318) | |
| CreateReplicationInstance | Grants permission to create a replication instance using the specified parameters | Write | | aws:RequestTag/${TagKey} (p. 318), aws:TagKeys (p. 318), dms:req-tag/${TagKey} (p. 318) | |
| CreateReplicationSubnetGroup | Grants permission to create a replication subnet group given a list of the subnet IDs in a VPC | Write | | aws:RequestTag/${TagKey} (p. 318), aws:TagKeys (p. 318), dms:req-tag/${TagKey} (p. 318) | |
| CreateReplicationTask | Grants permission to create a replication task using the specified parameters | Write | Endpoint* (p. 317), ReplicationInstance* (p. 317) | aws:RequestTag/${TagKey} (p. 318), aws:TagKeys (p. 318), dms:req-tag/${TagKey} (p. 318) | |
| DeleteCertificate | Grants permission to delete the specified certificate | Write | Certificate* (p. 317) | | |
| DeleteEndpoint | Grants permission to delete the specified endpoint | Write | Endpoint* (p. 317) | | |
| DeleteEventSubscription | Grants permission to delete an AWS DMS event subscription | Write | EventSubscription* (p. 317) | | |
| DeleteReplicationInstance | Grants permission to delete the specified replication instance | Write | ReplicationInstance* (p. 317) | | |
| DeleteReplicationSubnetGroup | Grants permission to delete a subnet group | Write | ReplicationSubnetGroup* (p. 317) | | |
| DeleteReplicationTask | Grants permission to delete the specified replication task | Write | ReplicationTask* (p. 317) | | |
| DeleteReplicationTaskAssessmentRun | Grants permission to delete the record of a single premigration assessment run | Write | ReplicationTaskAssessmentRun* (p. 317) | | |
| DescribeAccountAttributes | Grants permission to list all of the AWS DMS attributes for a customer account | Read | | | |
| DescribeApplicableIndividualAssessments | Grants permission to list individual assessments that you can specify for a new premigration assessment run | Read | ReplicationInstance (p. 317), ReplicationTask (p. 317) | | |
| DescribeCertificates | Grants permission to provide a description of the certificate | Read | | | |
| DescribeConnections | Grants permission to describe the status of the connections that have been made between the replication instance and an endpoint | Read | | | |
| DescribeEndpointTypes | Grants permission to return information about the type of endpoints available | Read | | | |
| DescribeEndpoints | Grants permission to return information about the endpoints for your account in the current region | Read | | | |
| DescribeEventCategories | Grants permission to list categories for all event source types, or, if specified, for a specified source type | Read | | | |
| DescribeEventSubscriptions | Grants permission to list all the event subscriptions for a customer account | Read | | | |
| DescribeEvents | Grants permission to list events for a given source identifier and source type | Read | | | |
| DescribeOrderableReplicationInstances | Grants permission to return information about the replication instance types that can be created in the specified region | Read | | | |
| DescribeRefreshSchemasStatus | Grants permission to return the status of the RefreshSchemas operation | Read | Endpoint* (p. 317) | | |
| DescribeReplicationInstanceTaskLogs | Grants permission to return information about the task logs for the specified task | Read | ReplicationInstance* (p. 317) | aws:ResourceTag/${TagKey} (p. 318), aws:TagKeys (p. 318) | |
| DescribeReplicationInstances | Grants permission to return information about replication instances for your account in the current region | Read | | | |
| DescribeReplicationSubnetGroups | Grants permission to return information about the replication subnet groups | Read | | | |
| DescribeReplicationTaskAssessmentResults | Grants permission to return the latest task assessment results from Amazon S3 | Read | ReplicationTask (p. 317) | | |
| DescribeReplicationTaskAssessmentRuns | Grants permission to return a paginated list of premigration assessment runs based on filter settings | Read | ReplicationInstance (p. 317), ReplicationTask (p. 317), ReplicationTaskAssessmentRun (p. 317) | | |
| DescribeReplicationTaskIndividualAssessments | Grants permission to return a paginated list of individual assessments based on filter settings | Read | ReplicationTask (p. 317), ReplicationTaskAssessmentRun (p. 317) | | |
| DescribeReplicationTasks | Grants permission to return information about replication tasks for your account in the current region | Read | | | |
| DescribeSchemas | Grants permission to return information about the schema for the specified endpoint | Read | Endpoint* (p. 317) | | |
| DescribeTableStatistics | Grants permission to return table statistics on the database migration task, including table name, rows inserted, rows updated, and rows deleted | Read | ReplicationTask* (p. 317) | | |
| ImportCertificate | Grants permission to upload the specified certificate | Write | | aws:RequestTag/${TagKey} (p. 318), aws:TagKeys (p. 318) | |
| ListTagsForResource | Grants permission to list all tags for an AWS DMS resource | List | Certificate (p. 317), Endpoint (p. 317), EventSubscription (p. 317), ReplicationInstance (p. 317), ReplicationSubnetGroup (p. 317), ReplicationTask (p. 317) | | |
| ModifyEndpoint | Grants permission to modify the specified endpoint | Write | Endpoint* (p. 317), Certificate (p. 317) | | |
| ModifyEventSubscription | Grants permission to modify an existing AWS DMS event notification subscription | Write | | | |
| ModifyReplicationInstance | Grants permission to modify the replication instance to apply new settings | Write | ReplicationInstance* (p. 317) | | |
| ModifyReplicationSubnetGroup | Grants permission to modify the settings for the specified replication subnet group | Write | | | |
| ModifyReplicationTask | Grants permission to modify the specified replication task | Write | ReplicationTask* (p. 317) | | |
| RebootReplicationInstance | Grants permission to reboot a replication instance. Rebooting results in a momentary outage, until the replication instance becomes available again | Write | ReplicationInstance* (p. 317) | | |
| RefreshSchemas | Grants permission to populate the schema for the specified endpoint | Write | Endpoint* (p. 317), ReplicationInstance* (p. 317) | | |
| ReloadTables | Grants permission to reload the target database table with the source data | Write | ReplicationTask* (p. 317) | | |
| RemoveTagsFromResource | Grants permission to remove metadata tags from a DMS resource | Tagging | Certificate (p. 317), Endpoint (p. 317), EventSubscription (p. 317), ReplicationInstance (p. 317), ReplicationSubnetGroup (p. 317), ReplicationTask (p. 317) | aws:TagKeys (p. 318) | |
| StartReplicationTask | Grants permission to start the replication task | Write | ReplicationTask* (p. 317) | | |
| StartReplicationTaskAssessment | Grants permission to start the replication task assessment for unsupported data types in the source database | Write | ReplicationTask* (p. 317) | | |
| StartReplicationTaskAssessmentRun | Grants permission to start a new premigration assessment run for one or more individual assessments of a migration task | Write | ReplicationTask* (p. 317) | | |
| StopReplicationTask | Grants permission to stop the replication task | Write | ReplicationTask* (p. 317) | | |
| TestConnection | Grants permission to test the connection between the replication instance and the endpoint | Read | Endpoint* (p. 317), ReplicationInstance* (p. 317) | | |

Resource types defined by AWS Database Migration Service


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 310) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| Certificate | arn:${Partition}:dms:${Region}:${Account}:cert:* | aws:ResourceTag/${TagKey} (p. 318), dms:cert-tag/${TagKey} (p. 318) |
| Endpoint | arn:${Partition}:dms:${Region}:${Account}:endpoint:* | aws:ResourceTag/${TagKey} (p. 318), dms:endpoint-tag/${TagKey} (p. 318) |
| EventSubscription | arn:${Partition}:dms:${Region}:${Account}:es:* | aws:ResourceTag/${TagKey} (p. 318), dms:es-tag/${TagKey} (p. 318) |
| ReplicationInstance | arn:${Partition}:dms:${Region}:${Account}:rep:* | aws:ResourceTag/${TagKey} (p. 318), dms:rep-tag/${TagKey} (p. 318) |
| ReplicationSubnetGroup | arn:${Partition}:dms:${Region}:${Account}:subgrp:* | aws:ResourceTag/${TagKey} (p. 318), dms:subgrp-tag/${TagKey} (p. 318) |
| ReplicationTask | arn:${Partition}:dms:${Region}:${Account}:task:* | aws:ResourceTag/${TagKey} (p. 318), dms:task-tag/${TagKey} (p. 318) |
| ReplicationTaskAssessmentRun | arn:${Partition}:dms:${Region}:${Account}:assessment-run:* | |
| ReplicationTaskIndividualAssessment | arn:${Partition}:dms:${Region}:${Account}:individual-assessment:* | |

Condition keys for AWS Database Migration Service


AWS Database Migration Service defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.


| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access based on the presence of tag keys in the request | String |
| dms:cert-tag/${TagKey} | Filters access based on the presence of tag keys in the request for Certificate | String |
| dms:endpoint-tag/${TagKey} | Filters access based on the presence of tag keys in the request for Endpoint | String |
| dms:es-tag/${TagKey} | Filters access based on the presence of tag keys in the request for EventSubscription | String |
| dms:rep-tag/${TagKey} | Filters access based on the presence of tag keys in the request for ReplicationInstance | String |
| dms:req-tag/${TagKey} | Filters access based on the presence of tag key-value pairs in the request | String |
| dms:subgrp-tag/${TagKey} | Filters access based on the presence of tag keys in the request for ReplicationSubnetGroup | String |
| dms:task-tag/${TagKey} | Filters access based on the presence of tag keys in the request for ReplicationTask | String |

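Data Pipeline defines no resource ARNs, so its actions can only be narrowed through the condition keys in its table; the DMS create actions likewise take Resource "*" and are narrowed with dms:req-tag/${TagKey} and aws:TagKeys from the table above. The following evaluator is an added example, not AWS code: it models StringEquals (with ${aws:userid} substitution) and its ForAllValues/ForAnyValue set forms; the user ids, worker-group name and tag names are constructed, and comparing datapipeline:PipelineCreator with ${aws:userid} is an assumption.

```python
"""Tiny IAM condition evaluator for the Data Pipeline and DMS condition keys.

Added example, not AWS's own code. Only StringEquals (with ${aws:userid}
substitution) and its ForAllValues / ForAnyValue set forms are modelled, and
Resource is assumed to be "*" as the two tables' statements require. Key
names come from the tables; user ids, worker-group and tag names are
constructed, and matching datapipeline:PipelineCreator against ${aws:userid}
is an assumption.
"""


def _listify(value):
    return value if isinstance(value, list) else [value]


def _expand(value, context):
    """Expand ${key} policy variables from single-valued context keys."""
    for key, ctx in context.items():
        if isinstance(ctx, str):
            value = value.replace("${" + key + "}", ctx)
    return value


def condition_matches(condition, context):
    """True when every operator block in a Condition element is satisfied.

    A single-valued key missing from the request fails StringEquals; ForAllValues
    over a missing multi-valued key passes (vacuous truth), as in IAM.
    """
    for operator, keys in condition.items():
        set_op, _, base = operator.rpartition(":")   # "ForAllValues:StringEquals"
        if base != "StringEquals":
            raise NotImplementedError(operator)
        for key, allowed in keys.items():
            allowed = {_expand(a, context) for a in _listify(allowed)}
            present = set(_listify(context.get(key, [])))
            if set_op == "ForAllValues":
                ok = present <= allowed
            elif set_op == "ForAnyValue":
                ok = bool(present & allowed)
            else:                                     # single-valued key
                ok = bool(present) and present <= allowed
            if not ok:
                return False
    return True


def is_allowed(policy, action, context):
    """Explicit Deny wins; otherwise at least one matching Allow is needed."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _listify(stmt["Action"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed policy: owners manage only pipelines they created; task runners
# may poll only the constructed "wg-ingest" worker group.
DATAPIPELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["datapipeline:ActivatePipeline", "datapipeline:DeletePipeline",
                       "datapipeline:PutPipelineDefinition"],
            "Resource": "*",
            "Condition": {"StringEquals": {"datapipeline:PipelineCreator": "${aws:userid}"}},
        },
        {
            "Effect": "Allow",
            "Action": "datapipeline:PollForTask",
            "Resource": "*",
            "Condition": {"StringEquals": {"datapipeline:workerGroup": "wg-ingest"}},
        },
    ],
}

# Constructed policy: a replication instance may be created only when the request
# tags it with environment=dev|prod and uses no tag keys beyond the two allowed.
DMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dms:CreateReplicationInstance",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"dms:req-tag/environment": ["dev", "prod"]},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "owner"]},
            },
        }
    ],
}
```
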
Actions, resources, and condition keys for Database Query Metadata Service

Database Query Metadata Service (service prefix: dbqms) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Database Query Metadata Service (p. 319)
• Resource types defined by Database Query Metadata Service (p. 319)
• Condition keys for Database Query Metadata Service (p. 320)


Actions defined by Database Query Metadata Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateFavoriteQuery | Creates a new favorite query | Write | | | |
| CreateQueryHistory | Add a query to the history | Write | | | |
| DeleteFavoriteQueries | Delete saved queries | Write | | | |
| DeleteQueryHistory | Delete a historical query | Write | | | |
| DescribeFavoriteQueries | List saved queries and associated metadata | List | | | |
| DescribeQueryHistory | List history of queries that were run | List | | | |
| GetQueryString | Retrieve favorite or history query string by id | Read | | | |
| UpdateFavoriteQuery | Update saved query and description | Write | | | |
| UpdateQueryHistory | Update the query history | Write | | | |
Resource types defined by Database Query Metadata Service


Database Query Metadata Service does not support specifying a resource ARN in the Resource element
of an IAM policy statement. To allow access to Database Query Metadata Service, specify “Resource”:
“*” in your policy.


Condition keys for Database Query Metadata Service


DBQMS has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for DataSync


DataSync (service prefix: datasync) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by DataSync (p. 320)
• Resource types defined by DataSync (p. 323)
• Condition keys for DataSync (p. 324)

Actions defined by DataSync


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CancelTaskExecution | Cancels execution of a sync task. | Write | taskexecution* (p. 324) | | |
| CreateAgent | Activates an agent that you have deployed on your host. | Write | | aws:RequestTag/${TagKey} (p. 324), aws:TagKeys (p. 324) | |
| CreateLocationEfs | Creates an endpoint for an Amazon EFS file system. | Write | | aws:RequestTag/${TagKey} (p. 324), aws:TagKeys (p. 324) | |
| CreateLocationFsxWindows | Creates an endpoint for an Amazon FSx Windows File Server file system. | Write | | aws:RequestTag/${TagKey} (p. 324), aws:TagKeys (p. 324) | |
| CreateLocationNfs | Creates an endpoint for an NFS file system. | Write | | aws:RequestTag/${TagKey} (p. 324), aws:TagKeys (p. 324) | |
| CreateLocationObjectStorage | Creates an endpoint for a self-managed object storage bucket. | Write | | aws:RequestTag/${TagKey} (p. 324), aws:TagKeys (p. 324) | |
| CreateLocationS3 | Creates an endpoint for an Amazon S3 bucket. | Write | | aws:RequestTag/${TagKey} (p. 324), aws:TagKeys (p. 324) | |
| CreateLocationSmb | Creates an endpoint for an SMB file system. | Write | | aws:RequestTag/${TagKey} (p. 324), aws:TagKeys (p. 324) | |
| CreateTask | Creates a sync task. | Write | | aws:RequestTag/${TagKey} (p. 324), aws:TagKeys (p. 324) | |
| DeleteAgent | Deletes an agent. | Write | agent* (p. 324) | | |
| DeleteLocation | Deletes the configuration of a location used by AWS DataSync. | Write | location* (p. 324) | | |
| DeleteTask | Deletes a sync task. | Write | task* (p. 324) | | |
| DescribeAgent | Returns metadata such as name, network interfaces, and the status (that is, whether the agent is running or not) about a sync agent. | Read | agent* (p. 324) | | |
| DescribeLocationEfs | Returns metadata, such as the path information, about an Amazon EFS sync location. | Read | location* (p. 324) | | |
| DescribeLocationFsxWindows | Returns metadata, such as the path information, about an Amazon FSx Windows sync location. | Read | location* (p. 324) | | |
| DescribeLocationNfs | Returns metadata, such as the path information, about an NFS sync location. | Read | location* (p. 324) | | |
| DescribeLocationObjectStorage | Returns metadata about a self-managed object storage server location. | Read | location* (p. 324) | | |
| DescribeLocationS3 | Returns metadata, such as bucket name, about an Amazon S3 bucket sync location. | Read | location* (p. 324) | | |
| DescribeLocationSmb | Returns metadata, such as the path information, about an SMB sync location. | Read | location* (p. 324) | | |
| DescribeTask | Returns metadata about a sync task. | Read | task* (p. 324) | | |
| DescribeTaskExecution | Returns detailed metadata about a sync task that is being executed. | Read | taskexecution* (p. 324) | | |
| ListAgents | Returns a list of agents owned by an AWS account in a region specified in the request. | List | | | |
| ListLocations | Returns a list of source and destination sync locations. | List | | | |
| ListTagsForResource | This operation lists the tags that have been added to the specified resource. | Read | agent (p. 324), location (p. 324), task (p. 324) | | |
| ListTaskExecutions | Returns a list of executed sync tasks. | List | | | |
| ListTasks | Returns a list of all the sync tasks. | List | | | |
| StartTaskExecution | Starts a specific invocation of a sync task. | Write | task* (p. 324) | | |
| TagResource | Applies a key-value pair to an AWS resource. | Write | agent (p. 324), location (p. 324), task (p. 324) | aws:RequestTag/${TagKey} (p. 324), aws:TagKeys (p. 324) | |
| UntagResource | This operation removes one or more tags from the specified resource. | Tagging | agent (p. 324), location (p. 324), task (p. 324) | aws:TagKeys (p. 324) | |
| UpdateAgent | Updates the name of an agent. | Write | agent* (p. 324) | | |
| UpdateTask | Updates the metadata associated with a sync task. | Write | task* (p. 324) | | |

Resource types defined by DataSync


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 320) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| agent | arn:${Partition}:datasync:${Region}:${AccountId}:agent/${AgentId} | aws:ResourceTag/${TagKey} (p. 324) |
| location | arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId} | aws:ResourceTag/${TagKey} (p. 324) |
| task | arn:${Partition}:datasync:${Region}:${AccountId}:task/${TaskId} | aws:ResourceTag/${TagKey} (p. 324) |
| taskexecution | arn:${Partition}:datasync:${Region}:${AccountId}:task/${TaskId}/execution/${ExecutionId} | |

Condition keys for DataSync


DataSync defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters create requests based on the allowed set of values for each of the tags. | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource. | String |
| aws:TagKeys | Filters create requests based on the presence of mandatory tags in the request. | String |

Actions, resources, and condition keys for AWS DeepComposer

AWS DeepComposer (service prefix: deepcomposer) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS DeepComposer (p. 325)
• Resource types defined by AWS DeepComposer (p. 327)
• Condition keys for AWS DeepComposer (p. 328)

Actions defined by AWS DeepComposer


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateCoupon [permission only] | Associates a DeepComposer coupon (or DSN) with the account associated with the sender of the request. | Write | | | |
| CreateAudio [permission only] | Creates an audio file by converting the midi composition into a wav or mp3 file. | Write | composition* (p. 327) | | |
| CreateComposition [permission only] | Creates a multi-track midi composition. | Write | | aws:RequestTag/${TagKey} (p. 328), aws:TagKeys (p. 328) | |
| CreateModel [permission only] | Starts creating/training a generative-model that is able to perform inference against the user-provided piano-melody to create a multi-track midi composition. | Write | | aws:RequestTag/${TagKey} (p. 328), aws:TagKeys (p. 328) | |
| DeleteComposition [permission only] | Deletes the composition. | Write | composition* (p. 327) | | |
| DeleteModel | Deletes the model. | Write | model* (p. 327) | | |
| GetComposition [permission only] | Returns information about the composition. | Read | composition* (p. 327) | aws:ResourceTag/${TagKey} (p. 328) | |
| GetModel [permission only] | Returns information about the model. | Read | model* (p. 327) | aws:ResourceTag/${TagKey} (p. 328) | |
| GetSampleModel [permission only] | Returns information about the sample/pre-trained DeepComposer model. | Read | | | |
| ListCompositions [permission only] | Returns a list of all the compositions owned by the sender of the request. | List | | | |
| ListModels [permission only] | Returns a list of all the models owned by the sender of the request. | List | | | |
| ListSampleModels [permission only] | Returns a list of all the sample/pre-trained models provided by the DeepComposer service. | List | | | |
| ListTagsForResource | Grants permission to list tags for a resource. | List | composition (p. 327), model (p. 327) | aws:ResourceTag/${TagKey} (p. 328) | |
| ListTrainingTopics [permission only] | Returns a list of all the training options or topics for creating/training a model. | List | | | |
| TagResource | Grants permission to tag a resource. | Tagging | composition (p. 327), model (p. 327) | aws:TagKeys (p. 328), aws:RequestTag/${TagKey} (p. 328), aws:ResourceTag/${TagKey} (p. 328) | |
| UntagResource | Grants permission to untag a resource. | Tagging | composition (p. 327), model (p. 327) | aws:TagKeys (p. 328), aws:RequestTag/${TagKey} (p. 328), aws:ResourceTag/${TagKey} (p. 328) | |
| UpdateComposition [permission only] | Modifies the mutable properties associated with a composition. | Write | composition* (p. 327) | | |
| UpdateModel [permission only] | Modifies the mutable properties associated with a model. | Write | model* (p. 327) | | |

Resource types defined by AWS DeepComposer


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 325) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| model | arn:${Partition}:deepcomposer:${Region}:${Account}:model/${ModelId} | aws:ResourceTag/${TagKey} (p. 328) |
| composition | arn:${Partition}:deepcomposer:${Region}:${Account}:composition/${CompositionId} | aws:ResourceTag/${TagKey} (p. 328) |
| audio | arn:${Partition}:deepcomposer:${Region}:${Account}:audio/${AudioId} | |

Condition keys for AWS DeepComposer


AWS DeepComposer defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |

Actions, resources, and condition keys for AWS DeepLens

AWS DeepLens (service prefix: deeplens) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

Topics
• Actions defined by AWS DeepLens (p. 328)
• Resource types defined by AWS DeepLens (p. 330)
• Condition keys for AWS DeepLens (p. 331)

Actions defined by AWS DeepLens


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateServiceRoleToAccount | Associates the user's account with IAM roles controlling various permissions needed by AWS DeepLens for proper functionality. | Permissions management | | | |
| BatchGetDevice | Retrieves a list of AWS DeepLens devices. | Read | device* (p. 330) | | |
| BatchGetModel | Retrieves a list of AWS DeepLens Models. | Read | model* (p. 331) | | |
| BatchGetProject | Retrieves a list of AWS DeepLens Projects. | Read | project* (p. 330) | | |
| CreateDeviceCertificates | Creates a certificate package that is used to successfully authenticate and register an AWS DeepLens device. | Write | | | |
| CreateModel | Creates a new AWS DeepLens Model. | Write | | | |
| CreateProject | Creates a new AWS DeepLens Project. | Write | | | |
| DeleteModel | Deletes an AWS DeepLens Model. | Write | model* (p. 331) | | |
| DeleteProject | Deletes an AWS DeepLens Project. | Write | project* (p. 330) | | |
| DeployProject | Deploys an AWS DeepLens project to a registered AWS DeepLens device. | Write | device* (p. 330), project* (p. 330) | | |
| DeregisterDevice | Begins a device de-registration workflow for a registered AWS DeepLens device. | Write | device* (p. 330) | | |
| GetAssociatedResources | Retrieves the account level resources associated with the user's account. | Read | | | |
| GetDeploymentStatus | Retrieves the deployment status of a particular AWS DeepLens device, along with any associated metadata. | Read | | | |
| GetDevice | Retrieves information about an AWS DeepLens device. | Read | device* (p. 330) | | |
| GetModel | Retrieves an AWS DeepLens Model. | Read | model* (p. 331) | | |
| GetProject | Retrieves an AWS DeepLens Project. | Read | project* (p. 330) | | |
| ImportProjectFromTemplate | Creates a new AWS DeepLens project from a sample project template. | Write | | | |
| ListDeployments | Retrieves a list of AWS DeepLens Deployment identifiers. | List | | | |
| ListDevices | Retrieves a list of AWS DeepLens device identifiers. | List | | | |
| ListModels | Retrieves a list of AWS DeepLens Model identifiers. | List | | | |
| ListProjects | Retrieves a list of AWS DeepLens Project identifiers. | List | | | |
| RegisterDevice | Begins a device registration workflow for an AWS DeepLens device. | Write | | | |
| RemoveProject | Removes a deployed AWS DeepLens project from an AWS DeepLens device. | Write | device* (p. 330) | | |
| UpdateProject | Updates an existing AWS DeepLens Project. | Write | project* (p. 330) | | |

Resource types defined by AWS DeepLens


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 328) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| device | arn:${Partition}:deeplens:${Region}:${Account}:device/${DeviceName} | |
| project | arn:${Partition}:deeplens:${Region}:${Account}:project/${ProjectName} | |
| model | arn:${Partition}:deeplens:${Region}:${Account}:model/${ModelName} | |

Condition keys for AWS DeepLens


DeepLens has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS DeepRacer

AWS DeepRacer (service prefix: deepracer) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS DeepRacer (p. 331)
• Resource types defined by AWS DeepRacer (p. 334)
• Condition keys for AWS DeepRacer (p. 335)

Actions defined by AWS DeepRacer


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CloneReinforcementLearningModel [permission only] | Grants permission to clone existing DeepRacer models | Write | reinforcement_learning_model* (p. 334), track* (p. 334) | | |
| CreateAccountResources [permission only] | Grants permission to create resources needed by DeepRacer on behalf of the user | Write | | | |
| CreateLeaderboardSubmission [permission only] | Grants permission to submit DeepRacer models to be evaluated for leaderboards | Write | leaderboard* (p. 334), reinforcement_learning_model* (p. 334) | | |
| CreateReinforcementLearningModel [permission only] | Grants permission to create reinforcement learning models for DeepRacer | Write | track* (p. 334) | | |
| DeleteAccountResources [permission only] | Grants permission to delete resources created by DeepRacer on behalf of the user | Write | | | |
| DeleteModel [permission only] | Grants permission to delete DeepRacer models | Write | reinforcement_learning_model* (p. 334) | | |
| GetAccountResources [permission only] | Grants permission to retrieve the resources created by DeepRacer on behalf of the user | Read | | | |
| GetAlias [permission only] | Grants permission to retrieve the user's alias for submitting DeepRacer models to leaderboards | Read | | | |
| GetEvaluation [permission only] | Grants permission to retrieve information about existing DeepRacer models' evaluation jobs | Read | evaluation_job* (p. 334) | | |
| GetLatestUserSubmission [permission only] | Grants permission to retrieve information about how the latest submitted DeepRacer model for a user performed on a leaderboard | Read | leaderboard* (p. 334) | | |
| GetLeaderboard [permission only] | Grants permission to retrieve information about leaderboards | Read | leaderboard* (p. 334) | | |
| GetModel [permission only] | Grants permission to retrieve information about existing DeepRacer models | Read | reinforcement_learning_model* (p. 334) | | |
| GetRankedUserSubmission [permission only] | Grants permission to retrieve information about the performance of a user's DeepRacer model that got placed on a leaderboard | Read | leaderboard* (p. 334) | | |
| GetTrack [permission only] | Grants permission to retrieve information about DeepRacer tracks | Read | track* (p. 334) | | |
| GetTrainingJob [permission only] | Grants permission to retrieve information about existing DeepRacer models' training job | Read | training_job* (p. 334) | | |
| ListEvaluations [permission only] | Grants permission to list DeepRacer models' evaluation jobs | List | reinforcement_learning_model* (p. 334) | | |
| ListLeaderboardSubmissions [permission only] | Grants permission to list all the submissions of DeepRacer models of a user on a leaderboard | List | leaderboard* (p. 334) | | |
| ListLeaderboards [permission only] | Grants permission to list all the available leaderboards | List | | | |
| ListModels [permission only] | Grants permission to list all existing DeepRacer models | List | | | |
| ListTracks [permission only] | Grants permission to list all DeepRacer tracks | List | | | |
| ListTrainingJobs [permission only] | Grants permission to list DeepRacer models' training jobs | List | reinforcement_learning_model* (p. 334) | | |
| SetAlias [permission only] | Grants permission to set the user's alias for submitting DeepRacer models to leaderboards | Write | | | |
| StartEvaluation [permission only] | Grants permission to evaluate DeepRacer models in a simulated environment | Write | reinforcement_learning_model* (p. 334), track* (p. 334) | | |
| StopEvaluation [permission only] | Grants permission to stop DeepRacer model evaluations | Write | evaluation_job* (p. 334) | | |
| StopTrainingReinforcementLearningModel [permission only] | Grants permission to stop training DeepRacer models | Write | reinforcement_learning_model* (p. 334) | | |
| TestRewardFunction [permission only] | Grants permission to test reward functions for correctness | Write | | | |

Resource types defined by AWS DeepRacer


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 331) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| reinforcement_learning_model | arn:${Partition}:deepracer:${Region}:${Account}:model/reinforcement_learning/${ResourceId} | |
| training_job | arn:${Partition}:deepracer:${Region}:${Account}:training_job/${ResourceId} | |
| evaluation_job | arn:${Partition}:deepracer:${Region}:${Account}:evaluation_job/${ResourceId} | |
| leaderboard_evaluation_job | arn:${Partition}:deepracer:${Region}:${Account}:leaderboard_evaluation_job/${ResourceId} | |
| track | arn:${Partition}:deepracer:${Region}::track/${ResourceId} | |
| leaderboard | arn:${Partition}:deepracer:${Region}::leaderboard/${ResourceId} | |

334
Service Authorization Reference
Service Authorization Reference
Amazon Detective

Condition keys for AWS DeepRacer


DeepRacer has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Detective

Amazon Detective (service prefix: detective) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Detective (p. 335)
• Resource types defined by Amazon Detective (p. 337)
• Condition keys for Amazon Detective (p. 337)

Actions defined by Amazon Detective


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptInvitation | Grants permission to accept an invitation to become a member of a behavior graph | Write | Graph* (p. 337) | | |
| CreateGraph | Grants permission to create a behavior graph and begin to aggregate security information | Write | | | |
| CreateMembers | Grants permission to request the membership of one or more accounts in a behavior graph managed by this account | Write | Graph* (p. 337) | | |
| DeleteGraph | Grants permission to delete a behavior graph and stop aggregating security information | Write | Graph* (p. 337) | | |
| DeleteMembers | Grants permission to remove member accounts from a behavior graph managed by this account | Write | Graph* (p. 337) | | |
| DisassociateMembership | Grants permission to remove the association of this account with a behavior graph | Write | Graph* (p. 337) | | |
| GetFreeTrialEligibility [permission only] | Grants permission to retrieve a behavior graph's eligibility for a free trial period | Read | Graph* (p. 337) | | |
| GetGraphIngestState [permission only] | Grants permission to retrieve the data ingestion state of a behavior graph | Read | Graph* (p. 337) | | |
| GetMembers | Grants permission to retrieve details on specified members of a behavior graph | Read | Graph* (p. 337) | | |
| GetPricingInformation [permission only] | Grants permission to retrieve information about Amazon Detective's pricing | Read | | | |
| GetUsageInformation [permission only] | Grants permission to list usage information of a behavior graph | Read | Graph* (p. 337) | | |
| ListGraphs | Grants permission to list behavior graphs managed by this account | List | | | |
| ListInvitations | Grants permission to retrieve details on the behavior graphs to which this account has been invited to join | List | | | |
| ListMembers | Grants permission to retrieve details on all members of a behavior graph | List | Graph* (p. 337) | | |
Grants permission to reject an Write Graph*    


RejectInvitation invitation to become a member (p. 337)
of a behavior graph

SearchGraph Grants permission to search the Read Graph*    


[permission data stored in a behavior graph (p. 337)
only]

Grants permission to start Write Graph*    


StartMonitoringMember
data ingest for a member (p. 337)
account that has a status of
ACCEPTED_BUT_DISABLED.

Resource types defined by Amazon Detective

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 335) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| Graph | arn:${Partition}:detective:${Region}:${Account}:graph:${ResourceId} | |

Condition keys for Amazon Detective

Detective has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Device Farm

AWS Device Farm (service prefix: devicefarm) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Device Farm (p. 338)
• Resource types defined by AWS Device Farm (p. 346)
• Condition keys for AWS Device Farm (p. 347)

Actions defined by AWS Device Farm

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateDevicePool | Grants permission to create a device pool within a project | Write | project* (p. 346) | | |
| CreateInstanceProfile | Grants permission to create a device instance profile | Write | | | |
| CreateNetworkProfile | Grants permission to create a network profile within a project | Write | project* (p. 346) | | |
| CreateProject | Grants permission to create a project for mobile testing | Tagging | | aws:RequestTag/${TagKey} (p. 347), aws:TagKeys (p. 347) | |
| CreateRemoteAccessSession | Grants permission to start a remote access session to a device instance | Write | device* (p. 347), project* (p. 346), deviceinstance (p. 346), upload (p. 346) | | |
| CreateTestGridProject | Grants permission to create a project for desktop testing | Write | | | |
| CreateTestGridUrl | Grants permission to generate a new pre-signed URL used to access our test grid service | Write | testgrid-project* (p. 347) | | |
| CreateUpload | Grants permission to upload a new file or app within a project | Write | project* (p. 346) | | |
| CreateVPCEConfiguration | Grants permission to create an Amazon Virtual Private Cloud (VPC) endpoint configuration | Write | | | |
| DeleteDevicePool | Grants permission to delete a user-generated device pool | Write | devicepool* (p. 347) | | |
| DeleteInstanceProfile | Grants permission to delete a user-generated instance profile | Write | instanceprofile* (p. 347) | | |
| DeleteNetworkProfile | Grants permission to delete a user-generated network profile | Write | networkprofile* (p. 346) | | |
| DeleteProject | Grants permission to delete a mobile testing project | Write | project* (p. 346) | | |
| DeleteRemoteAccessSession | Grants permission to delete a completed remote access session and its results | Write | session* (p. 347) | | |
| DeleteRun | Grants permission to delete a run | Write | run* (p. 346) | | |
| DeleteTestGridProject | Grants permission to delete a desktop testing project | Write | testgrid-project* (p. 347) | | |
| DeleteUpload | Grants permission to delete a user-uploaded file | Write | upload* (p. 346) | | |
| DeleteVPCEConfiguration | Grants permission to delete an Amazon Virtual Private Cloud (VPC) endpoint configuration | Write | vpceconfiguration* (p. 347) | | |
| GetAccountSettings | Grants permission to retrieve the number of unmetered iOS and/or unmetered Android devices purchased by the account | Read | | | |
| GetDevice | Grants permission to retrieve the information of a unique device type | Read | device* (p. 347) | | |
| GetDeviceInstance | Grants permission to retrieve the information of a device instance | Read | deviceinstance* (p. 346) | | |
| GetDevicePool | Grants permission to retrieve the information of a device pool | Read | devicepool* (p. 347) | | |
| GetDevicePoolCompatibility | Grants permission to retrieve information about the compatibility of a test and/or app with a device pool | Read | devicepool* (p. 347), upload (p. 346) | | |
| GetInstanceProfile | Grants permission to retrieve the information of an instance profile | Read | instanceprofile* (p. 347) | | |
| GetJob | Grants permission to retrieve the information of a job | Read | job* (p. 346) | | |
| GetNetworkProfile | Grants permission to retrieve the information of a network profile | Read | networkprofile* (p. 346) | | |
| GetOfferingStatus | Grants permission to retrieve the current status and future status of all offerings purchased by an AWS account | Read | | | |
| GetProject | Grants permission to retrieve information about a mobile testing project | Read | project* (p. 346) | | |
| GetRemoteAccessSession | Grants permission to retrieve the link to a currently running remote access session | Read | session* (p. 347) | | |
| GetRun | Grants permission to retrieve the information of a run | Read | run* (p. 346) | | |
| GetSuite | Grants permission to retrieve the information of a testing suite | Read | suite* (p. 346) | | |
| GetTest | Grants permission to retrieve the information of a test case | Read | test* (p. 346) | | |
| GetTestGridProject | Grants permission to retrieve information about a desktop testing project | Read | testgrid-project* (p. 347) | | |
| GetTestGridSession | Grants permission to retrieve the information of a test grid session | Read | testgrid-project (p. 347), testgrid-session (p. 347) | | |
| GetUpload | Grants permission to retrieve the information of an uploaded file | Read | upload* (p. 346) | | |
| GetVPCEConfiguration | Grants permission to retrieve the information of an Amazon Virtual Private Cloud (VPC) endpoint configuration | Read | vpceconfiguration* (p. 347) | | |
| InstallToRemoteAccessSession | Grants permission to install an application to a device in a remote access session | Write | session* (p. 347), upload* (p. 346) | | |
| ListArtifacts | Grants permission to list the artifacts in a project | List | job (p. 346), run (p. 346), suite (p. 346), test (p. 346) | | |
| ListDeviceInstances | Grants permission to list the information of device instances | List | | | |
| ListDevicePools | Grants permission to list the information of device pools | List | project* (p. 346) | | |
| ListDevices | Grants permission to list the information of unique device types | List | | | |
| ListInstanceProfiles | Grants permission to list the information of device instance profiles | List | | | |
| ListJobs | Grants permission to list the information of jobs within a run | List | run* (p. 346) | | |
| ListNetworkProfiles | Grants permission to list the information of network profiles within a project | List | project* (p. 346) | | |
| ListOfferingPromotions | Grants permission to list the offering promotions | List | | | |
| ListOfferingTransactions | Grants permission to list all of the historical purchases, renewals, and system renewal transactions for an AWS account | List | | | |
| ListOfferings | Grants permission to list the products or offerings that the user can manage through the API | List | | | |
| ListProjects | Grants permission to list the information of mobile testing projects for an AWS account | List | | | |
| ListRemoteAccessSessions | Grants permission to list the information of currently running remote access sessions | List | project* (p. 346) | | |
| ListRuns | Grants permission to list the information of runs within a project | List | project* (p. 346) | | |
| ListSamples | Grants permission to list the information of samples within a project | List | job* (p. 346) | | |
| ListSuites | Grants permission to list the information of testing suites within a job | List | job* (p. 346) | | |
| ListTagsForResource | Grants permission to list the tags of a resource | List | device (p. 347), deviceinstance (p. 346), devicepool (p. 347), instanceprofile (p. 347), networkprofile (p. 346), project (p. 346), run (p. 346), session (p. 347), testgrid-project (p. 347), testgrid-session (p. 347), vpceconfiguration (p. 347) | | |
| ListTestGridProjects | Grants permission to list the information of desktop testing projects for an AWS account | List | | | |
| ListTestGridSessionActions | Grants permission to list the session actions performed during a test grid session | List | testgrid-session* (p. 347) | | |
| ListTestGridSessionArtifacts | Grants permission to list the artifacts generated by a test grid session | List | testgrid-session* (p. 347) | | |
| ListTestGridSessions | Grants permission to list the sessions within a test grid project | List | testgrid-project* (p. 347) | | |
| ListTests | Grants permission to list the information of tests within a testing suite | List | suite* (p. 346) | | |
| ListUniqueProblems | Grants permission to list the information of unique problems within a run | List | run* (p. 346) | | |
| ListUploads | Grants permission to list the information of uploads within a project | List | project* (p. 346) | | |
| ListVPCEConfigurations | Grants permission to list the information of Amazon Virtual Private Cloud (VPC) endpoint configurations | List | | | |
| PurchaseOffering | Grants permission to purchase offerings for an AWS account | Write | | | |
| RenewOffering | Grants permission to set the quantity of devices to renew for an offering | Write | | | |
| ScheduleRun | Grants permission to schedule a run | Write | project* (p. 346), devicepool (p. 347), upload (p. 346) | | |
| SCENARIO: Device Pool as filter | | | devicepool* (p. 347), project* (p. 346), upload (p. 346) | | |
| SCENARIO: Device Selection Configuration as filter | | | project* (p. 346), upload (p. 346) | | |
| StopJob | Grants permission to terminate a running job | Write | job* (p. 346) | | |
| StopRemoteAccessSession | Grants permission to terminate a running remote access session | Write | session* (p. 347) | | |
| StopRun | Grants permission to terminate a running test run | Write | run* (p. 346) | | |
| TagResource | Grants permission to add tags to a resource | Tagging | device (p. 347), deviceinstance (p. 346), devicepool (p. 347), instanceprofile (p. 347), networkprofile (p. 346), project (p. 346), run (p. 346), session (p. 347), testgrid-project (p. 347), testgrid-session (p. 347), vpceconfiguration (p. 347) | aws:RequestTag/${TagKey} (p. 347), aws:TagKeys (p. 347) | |
| UntagResource | Grants permission to remove tags from a resource | Tagging | device (p. 347), deviceinstance (p. 346), devicepool (p. 347), instanceprofile (p. 347), networkprofile (p. 346), project (p. 346), run (p. 346), session (p. 347), testgrid-project (p. 347), testgrid-session (p. 347), vpceconfiguration (p. 347) | aws:TagKeys (p. 347) | |
| UpdateDeviceInstance | Grants permission to modify an existing device instance | Write | deviceinstance* (p. 346), instanceprofile (p. 347) | | |
| UpdateDevicePool | Grants permission to modify an existing device pool | Write | devicepool* (p. 347) | | |
| UpdateInstanceProfile | Grants permission to modify an existing instance profile | Write | instanceprofile* (p. 347) | | |
| UpdateNetworkProfile | Grants permission to modify an existing network profile | Write | networkprofile* (p. 346) | | |
| UpdateProject | Grants permission to modify an existing mobile testing project | Write | project* (p. 346) | | |
| UpdateTestGridProject | Grants permission to modify an existing desktop testing project | Write | testgrid-project* (p. 347) | | |
| UpdateUpload | Grants permission to modify an existing upload | Write | upload* (p. 346) | | |
| UpdateVPCEConfiguration | Grants permission to modify an existing Amazon Virtual Private Cloud (VPC) endpoint configuration | Write | vpceconfiguration* (p. 347) | | |

Resource types defined by AWS Device Farm

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 338) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| project | arn:${Partition}:devicefarm:${Region}:${Account}:project:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |
| run | arn:${Partition}:devicefarm:${Region}:${Account}:run:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |
| job | arn:${Partition}:devicefarm:${Region}:${Account}:job:${ResourceId} | |
| suite | arn:${Partition}:devicefarm:${Region}:${Account}:suite:${ResourceId} | |
| test | arn:${Partition}:devicefarm:${Region}:${Account}:test:${ResourceId} | |
| upload | arn:${Partition}:devicefarm:${Region}:${Account}:upload:${ResourceId} | |
| artifact | arn:${Partition}:devicefarm:${Region}:${Account}:artifact:${ResourceId} | |
| sample | arn:${Partition}:devicefarm:${Region}:${Account}:sample:${ResourceId} | |
| networkprofile | arn:${Partition}:devicefarm:${Region}:${Account}:networkprofile:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |
| deviceinstance | arn:${Partition}:devicefarm:${Region}::deviceinstance:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |
| session | arn:${Partition}:devicefarm:${Region}:${Account}:session:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |
| devicepool | arn:${Partition}:devicefarm:${Region}:${Account}:devicepool:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |
| device | arn:${Partition}:devicefarm:${Region}::device:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |
| instanceprofile | arn:${Partition}:devicefarm:${Region}:${Account}:instanceprofile:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |
| vpceconfiguration | arn:${Partition}:devicefarm:${Region}:${Account}:vpceconfiguration:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |
| testgrid-project | arn:${Partition}:devicefarm:${Region}:${Account}:testgrid-project:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |
| testgrid-session | arn:${Partition}:devicefarm:${Region}:${Account}:testgrid-session:${ResourceId} | aws:ResourceTag/${TagKey} (p. 347) |

Condition keys for AWS Device Farm

AWS Device Farm defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource | String |
| aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String |

Actions, resources, and condition keys for Amazon DevOps Guru

Amazon DevOps Guru (service prefix: devops-guru) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon DevOps Guru (p. 348)
• Resource types defined by Amazon DevOps Guru (p. 349)
• Condition keys for Amazon DevOps Guru (p. 350)

Actions defined by Amazon DevOps Guru

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddNotificationChannel | Grants permission to add a notification channel to DevOps Guru | Write | topic* (p. 350) | | sns:GetTopicAttributes, sns:SetTopicAttributes |
| DescribeAccountHealth | Grants permission to view the health of operations in your AWS account | Read | | | |
| DescribeAccountOverview | Grants permission to view the health of operations within a time range in your AWS account | Read | | | |
| DescribeAnomaly | Grants permission to list the details of a specified anomaly | Read | | | |
| DescribeInsight | Grants permission to list the details of a specified insight | Read | | | |
| DescribeResourceCollectionHealth | Grants permission to view the health of operations for each AWS CloudFormation stack specified in DevOps Guru | Read | | | |
| DescribeServiceIntegration | Grants permission to view the integration status of services that can be integrated with DevOps Guru | Read | | | |
| GetResourceCollection | Grants permission to list AWS CloudFormation stacks that DevOps Guru is configured to use | Read | | | |
| ListAnomaliesForInsight | Grants permission to list anomalies of a given insight in your account | List | | | |
| ListEvents | Grants permission to list resource events that are evaluated by DevOps Guru | List | | | |
| ListInsights | Grants permission to list insights in your account | List | | | |
| ListNotificationChannels | Grants permission to list notification channels configured for DevOps Guru in your account | List | | | |
| ListRecommendations | Grants permission to list a specified insight's recommendations | List | | | |
| PutFeedback | Grants permission to submit feedback to DevOps Guru | Write | | | |
| RemoveNotificationChannel | Grants permission to remove a notification channel from DevOps Guru | Write | topic* (p. 350) | | sns:GetTopicAttributes, sns:SetTopicAttributes |
| SearchInsights | Grants permission to search insights in your account | List | | | |
| UpdateResourceCollection | Grants permission to update the list of AWS CloudFormation stacks that are used to specify which AWS resources in your account are analyzed by DevOps Guru | Write | | | |
| UpdateServiceIntegration | Grants permission to enable or disable a service that integrates with DevOps Guru | Write | | | |

Resource types defined by Amazon DevOps Guru

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 348) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| topic | arn:${Partition}:sns:${Region}:${Account}:${TopicName} | |

Condition keys for Amazon DevOps Guru

DevOps Guru has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Direct Connect

AWS Direct Connect (service prefix: directconnect) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Direct Connect (p. 350)
• Resource types defined by AWS Direct Connect (p. 357)
• Condition keys for AWS Direct Connect (p. 357)

Actions defined by AWS Direct Connect

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptDirectConnectGatewayAssociationProposal | Accepts a proposal request to attach a virtual private gateway to a Direct Connect gateway. | Write | dx-gateway* (p. 357) | | |
| AllocateConnectionOnInterconnect | Creates a hosted connection on an interconnect. | Write | dxcon* (p. 357) | | |
| AllocateHostedConnection | Creates a new hosted connection between an AWS Direct Connect partner's network and a specific AWS Direct Connect location. | Write | dxcon (p. 357), dxlag (p. 357) | aws:RequestTag/${TagKey} (p. 358), aws:TagKeys (p. 358) | |
| AllocatePrivateVirtualInterface | Provisions a private virtual interface to be owned by a different customer. | Write | dxcon (p. 357), dxlag (p. 357) | aws:RequestTag/${TagKey} (p. 358), aws:TagKeys (p. 358) | |
| AllocatePublicVirtualInterface | Provisions a public virtual interface to be owned by a different customer. | Write | dxcon (p. 357), dxlag (p. 357) | aws:RequestTag/${TagKey} (p. 358), aws:TagKeys (p. 358) | |
| AllocateTransitVirtualInterface | Provisions a transit virtual interface to be owned by a different customer. | Write | dxcon (p. 357), dxlag (p. 357) | aws:RequestTag/${TagKey} (p. 358), aws:TagKeys (p. 358) | |
| AssociateConnectionWithLag | Associates a connection with a LAG. | Write | dxcon* (p. 357), dxlag* (p. 357) | | |
| AssociateHostedConnection | Associates a hosted connection and its virtual interfaces with a link aggregation group (LAG) or interconnect. | Write | dxcon* (p. 357), dxcon (p. 357), dxlag (p. 357) | | |
| AssociateVirtualInterface | Associates a virtual interface with a specified link aggregation group (LAG) or connection. | Write | dxvif* (p. 357), dxcon (p. 357), dxlag (p. 357) | | |
| ConfirmConnection | Confirms the creation of a hosted connection on an interconnect. | Write | dxcon* (p. 357) | | |
| ConfirmPrivateVirtualInterface | Accepts ownership of a private virtual interface created by another customer. | Write | dxvif* (p. 357) | | |
| ConfirmPublicVirtualInterface | Accepts ownership of a public virtual interface created by another customer. | Write | dxvif* (p. 357) | | |
| ConfirmTransitVirtualInterface | Accepts ownership of a transit virtual interface created by another customer. | Write | dxvif* (p. 357) | | |
| CreateBGPPeer | Creates a BGP peer on the specified virtual interface. | Write | dxvif* (p. 357) | | |
| CreateConnection | Creates a new connection between the customer network and a specific AWS Direct Connect location. | Write | dxlag (p. 357) | aws:RequestTag/${TagKey} (p. 358), aws:TagKeys (p. 358) | |
| CreateDirectConnectGateway | Creates a Direct Connect gateway, which is an intermediate object that enables you to connect a set of virtual interfaces and virtual private gateways. | Write | | | |
| CreateDirectConnectGatewayAssociation | Creates an association between a Direct Connect gateway and a virtual private gateway. | Write | dx-gateway* (p. 357) | | |
| CreateDirectConnectGatewayAssociationProposal | Creates a proposal to associate the specified virtual private gateway with the specified Direct Connect gateway. | Write | dx-gateway* (p. 357) | | |
| CreateInterconnect | Creates a new interconnect between an AWS Direct Connect partner's network and a specific AWS Direct Connect location. | Write | dxlag (p. 357) | aws:RequestTag/${TagKey} (p. 358), aws:TagKeys (p. 358) | |
| CreateLag | Creates a link aggregation group (LAG) with the specified number of bundled physical connections between the customer network and a specific AWS Direct Connect location. | Write | dxcon (p. 357) | aws:RequestTag/${TagKey} (p. 358), aws:TagKeys (p. 358) | |
| CreatePrivateVirtualInterface | Creates a new private virtual interface. | Write | dxcon (p. 357), dxlag (p. 357) | aws:RequestTag/${TagKey} (p. 358), aws:TagKeys (p. 358) | |
| CreatePublicVirtualInterface | Creates a new public virtual interface. | Write | dxcon (p. 357), dxlag (p. 357) | aws:RequestTag/${TagKey} (p. 358), aws:TagKeys (p. 358) | |
| CreateTransitVirtualInterface | Creates a new transit virtual interface. | Write | dxcon (p. 357), dxlag (p. 357) | aws:RequestTag/${TagKey} (p. 358), aws:TagKeys (p. 358) | |
| DeleteBGPPeer | Deletes the specified BGP peer on the specified virtual interface with the specified customer address and ASN. | Write | dxvif* (p. 357) | | |
| DeleteConnection | Deletes the connection. | Write | dxcon* (p. 357) | | |
| DeleteDirectConnectGateway | Deletes the specified Direct Connect gateway. | Write | dx-gateway* (p. 357) | | |
| DeleteDirectConnectGatewayAssociation | Deletes the association between the specified Direct Connect gateway and virtual private gateway. | Write | dx-gateway* (p. 357) | | |
| DeleteDirectConnectGatewayAssociationProposal | Deletes the association proposal request between the specified Direct Connect gateway and virtual private gateway. | Write | | | |
| DeleteInterconnect | Deletes the specified interconnect. | Write | dxcon* (p. 357) | | |
| DeleteLag | Deletes the specified link aggregation group (LAG). | Write | dxlag* (p. 357) | | |
| DeleteVirtualInterface | Deletes a virtual interface. | Write | dxvif* (p. 357) | | |
| DescribeConnectionLoa | Returns the LOA-CFA for a connection. | Read | dxcon* (p. 357) | | |
| DescribeConnections | Displays all connections in this region. | Read | dxcon (p. 357) | | |
| DescribeConnectionsOnInterconnect | Returns a list of connections that have been provisioned on the given interconnect. | Read | dxcon* (p. 357) | | |
| DescribeDirectConnectGatewayAssociationProposals | Describes one or more association proposals for connection between a virtual private gateway and a Direct Connect gateway. | Read | dx-gateway (p. 357) | | |
| DescribeDirectConnectGatewayAssociations | Lists the associations between | Read | dx- | | |
your Direct Connect gateways gateway
and virtual private gateways. (p. 357)

Lists the attachments between Read dx-    


DescribeDirectConnectGatewayAttachments
your Direct Connect gateways gateway
and virtual interfaces. (p. 357)

Lists all your Direct Connect Read dx-    


DescribeDirectConnectGateways
gateways or only the specified gateway
Direct Connect gateway. (p. 357)

Lists the hosted connections Read dxcon    


DescribeHostedConnections
that have been provisioned on (p. 357)
the specified interconnect or link
aggregation group (LAG). dxlag    
(p. 357)

Returns the LOA-CFA for an Read dxcon*    


DescribeInterconnectLoa
Interconnect. (p. 357)

Returns a list of interconnects Read dxcon    


DescribeInterconnects
owned by the AWS account. (p. 357)

DescribeLags Describes all your link Read dxlag    


aggregation groups (LAG) or the (p. 357)
specified LAG.

DescribeLoa Gets the LOA-CFA for a Read dxcon    


connection, interconnect, or link (p. 357)
aggregation group (LAG).
dxlag    
(p. 357)

Returns the list of AWS Direct List      


DescribeLocationsConnect locations in the current
AWS region.

DescribeTags Describes the tags associated Read dxcon    


with the specified AWS Direct (p. 357)
Connect resources.
dxlag    
(p. 357)

dxvif    
(p. 357)

355
Service Authorization Reference
Service Authorization Reference
AWS Direct Connect

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Returns a list of virtual private Read      


DescribeVirtualGateways
gateways owned by the AWS
account.

Displays all virtual interfaces for Read dxcon    


DescribeVirtualInterfaces
an AWS account. (p. 357)

dxlag    
(p. 357)

dxvif    
(p. 357)

Disassociates a connection from Write dxcon*    


DisassociateConnectionFromLag
a link aggregation group (LAG). (p. 357)

dxlag*    
(p. 357)

Lists the virtual interface List dxvif*    


ListVirtualInterfaceTestHistory
failover test history. (p. 357)

Starts the virtual interface Write dxvif*    


StartBgpFailoverTest
failover test that verifies your (p. 357)
configuration meets your
resiliency requirements by
placing the BGP peering session
in the DOWN state. You can then
send traffic to verify that there
are no outages.

Stops the virtual interface Write dxvif*    


StopBgpFailoverTest
failover test. (p. 357)

TagResource Adds the specified tags to the Tagging dxcon    


specified AWS Direct Connect (p. 357)
resource. Each resource can have
a maximum of 50 tags. dxlag    
(p. 357)

dxvif    
(p. 357)

  aws:RequestTag/
 
${TagKey}
(p. 358)

aws:TagKeys
(p. 358)

Removes one or more tags Tagging dxcon    


UntagResource from the specified AWS Direct (p. 357)
Connect resource.
dxlag    
(p. 357)

356
Service Authorization Reference
Service Authorization Reference
AWS Direct Connect

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

dxvif    
(p. 357)

  aws:TagKeys  
(p. 358)

Updates the specified attributes Write      


UpdateDirectConnectGatewayAssociation
of the Direct Connect gateway
association.

UpdateLag Updates the attributes of the Write dxlag*    


specified link aggregation group (p. 357)
(LAG).

Updates the specified attributes Write dxvif*    


UpdateVirtualInterfaceAttributes
of the specified virtual private (p. 357)
interface.

Resource types defined by AWS Direct Connect

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 350) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
dxcon | arn:${Partition}:directconnect:${Region}:${Account}:dxcon/${ConnectionId} | aws:ResourceTag/${TagKey} (p. 358)
dxlag | arn:${Partition}:directconnect:${Region}:${Account}:dxlag/${LagId} | aws:ResourceTag/${TagKey} (p. 358)
dxvif | arn:${Partition}:directconnect:${Region}:${Account}:dxvif/${VirtualInterfaceId} | aws:ResourceTag/${TagKey} (p. 358)
dx-gateway | arn:${Partition}:directconnect::${Account}:dx-gateway/${DirectConnectGatewayId} |

Condition keys for AWS Direct Connect

AWS Direct Connect defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
Actions, resources, and condition keys for AWS Directory Service

AWS Directory Service (service prefix: ds) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Directory Service (p. 358)
• Resource types defined by AWS Directory Service (p. 365)
• Condition keys for AWS Directory Service (p. 365)

Actions defined by AWS Directory Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AcceptSharedDirectory | Accepts a directory sharing request that was sent from the directory owner account. | Write | directory* (p. 365) | |
AddIpRoutes | Adds a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services. | Write | directory* (p. 365) | | ec2:AuthorizeSecurityGro, ec2:AuthorizeSecurityGro, ec2:DescribeSecurityGrou
AddTagsToResource | Adds or overwrites one or more tags for the specified Amazon Directory Services directory. | Tagging | directory* (p. 365) | aws:RequestTag/${TagKey}, aws:TagKeys (p. 365) | ec2:CreateTags
AuthorizeApplication [permission only] | Authorizes an application for your AWS Directory. | Write | directory* (p. 365) | |
CancelSchemaExtension | Cancels an in-progress schema extension to a Microsoft AD directory. | Write | directory* (p. 365) | |
CheckAlias [permission only] | Verifies that the alias is available for use. | Read | | |
ConnectDirectory | Creates an AD Connector to connect to an on-premises directory. | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys (p. 365) | ec2:AuthorizeSecurityGro, ec2:AuthorizeSecurityGro, ec2:CreateNetworkInterfa, ec2:CreateSecurityGroup, ec2:CreateTags, ec2:DescribeNetworkInter, ec2:DescribeSubnets, ec2:DescribeVpcs
CreateAlias | Creates an alias for a directory and assigns the alias to the directory. | Write | directory* (p. 365) | |
CreateComputer | Creates a computer account in the specified directory, and joins the computer to the directory. | Write | directory* (p. 365) | |
CreateConditionalForwarder | Creates a conditional forwarder associated with your AWS directory. | Write | directory* (p. 365) | |
CreateDirectory | Creates a Simple AD directory. | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys (p. 365) | ec2:AuthorizeSecurityGro, ec2:AuthorizeSecurityGro, ec2:CreateNetworkInterfa, ec2:CreateSecurityGroup, ec2:CreateTags, ec2:DescribeNetworkInter, ec2:DescribeSubnets, ec2:DescribeVpcs
CreateIdentityPoolDirectory [permission only] | Creates an IdentityPool Directory in the AWS cloud. | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys (p. 365) |
CreateLogSubscription | Creates a subscription to forward real time Directory Service domain controller security logs to the specified CloudWatch log group in your AWS account. | Write | directory* (p. 365) | |
CreateMicrosoftAD | Creates a Microsoft AD in the AWS cloud. | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys (p. 365) | ec2:AuthorizeSecurityGro, ec2:AuthorizeSecurityGro, ec2:CreateNetworkInterfa, ec2:CreateSecurityGroup, ec2:CreateTags, ec2:DescribeNetworkInter, ec2:DescribeSubnets, ec2:DescribeVpcs
CreateSnapshot | Creates a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud. | Write | directory* (p. 365) | |
CreateTrust | Initiates the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain. | Write | directory* (p. 365) | |
DeleteConditionalForwarder | Deletes a conditional forwarder that has been set up for your AWS directory. | Write | directory* (p. 365) | |
DeleteDirectory | Deletes an AWS Directory Service directory. | Write | directory* (p. 365) | | ec2:DeleteNetworkInterfa, ec2:DeleteSecurityGroup, ec2:DescribeNetworkInter, ec2:RevokeSecurityGroup, ec2:RevokeSecurityGroup
DeleteLogSubscription | Deletes the specified log subscription. | Write | directory* (p. 365) | |
DeleteSnapshot | Deletes a directory snapshot. | Write | directory* (p. 365) | |
DeleteTrust | Deletes an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain. | Write | directory* (p. 365) | |
DeregisterCertificate | Deletes from the system the certificate that was registered for a secured LDAP connection. | Write | directory* (p. 365) | |
DeregisterEventTopic | Removes the specified directory as a publisher to the specified SNS topic. | Write | directory* (p. 365) | |
DescribeCertificate | Displays information about the certificate registered for a secured LDAP connection. | Read | directory* (p. 365) | |
DescribeConditionalForwarders | Obtains information about the conditional forwarders for this account. | Read | directory* (p. 365) | |
DescribeDirectories | Obtains information about the directories that belong to this account. | List | | |
DescribeDomainControllers | Provides information about any domain controllers in your directory. | Read | directory* (p. 365) | |
DescribeEventTopics | Obtains information about which SNS topics receive status messages from the specified directory. | Read | directory* (p. 365) | |
DescribeLDAPSSettings | Describes the status of LDAP security for the specified directory. | Read | directory* (p. 365) | |
DescribeSharedDirectories | Returns the shared directories in your account. | Read | directory* (p. 365) | |
DescribeSnapshots | Obtains information about the directory snapshots that belong to this account. | Read | | |
DescribeTrusts | Obtains information about the trust relationships for this account. | Read | | |
DisableLDAPS | Deactivates LDAP secure calls for the specified directory. | Write | directory* (p. 365) | |
DisableRadius | Disables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory. | Write | directory* (p. 365) | |
DisableSso | Disables single sign-on for a directory. | Write | directory* (p. 365) | |
EnableLDAPS | Activates the switch for the specific directory to always use LDAP secure calls. | Write | directory* (p. 365) | |
EnableRadius | Enables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory. | Write | directory* (p. 365) | |
EnableSso | Enables single sign-on for a directory. | Write | directory* (p. 365) | |
GetAuthorizedApplicationDetails [permission only] | | Read | directory* (p. 365) | |
GetDirectoryLimits | Obtains directory limit information for the current region. | Read | | |
GetSnapshotLimits | Obtains the manual snapshot limits for a directory. | Read | directory* (p. 365) | |
ListAuthorizedApplications [permission only] | Obtains the AWS applications authorized for a directory. | Read | directory* (p. 365) | |
ListCertificates | For the specified directory, lists all the certificates registered for a secured LDAP connection. | List | directory* (p. 365) | |
ListIpRoutes | Lists the address blocks that you have added to a directory. | Read | directory* (p. 365) | |
ListLogSubscriptions | Lists the active log subscriptions for the AWS account. | Read | | |
ListSchemaExtensions | Lists all schema extensions applied to a Microsoft AD Directory. | List | directory* (p. 365) | |
ListTagsForResource | Lists all tags on an Amazon Directory Services directory. | Read | directory* (p. 365) | |
RegisterCertificate | Registers a certificate for a secured LDAP connection. | Write | directory* (p. 365) | |
RegisterEventTopic | Associates a directory with an SNS topic. | Write | directory* (p. 365) | | sns:GetTopicAttributes
RejectSharedDirectory | Rejects a directory sharing request that was sent from the directory owner account. | Write | directory* (p. 365) | |
RemoveIpRoutes | Removes IP address blocks from a directory. | Write | directory* (p. 365) | |
RemoveTagsFromResource | Removes tags from an Amazon Directory Services directory. | Tagging | directory* (p. 365) | aws:RequestTag/${TagKey}, aws:TagKeys (p. 365) | ec2:DeleteTags
ResetUserPassword | Resets the password for any user in your AWS Managed Microsoft AD or Simple AD directory. | Write | directory* (p. 365) | |
RestoreFromSnapshot | Restores a directory using an existing directory snapshot. | Write | directory* (p. 365) | |
ShareDirectory | Shares a specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region. | Write | directory* (p. 365) | |
StartSchemaExtension | Applies a schema extension to a Microsoft AD directory. | Write | directory* (p. 365) | |
UnauthorizeApplication [permission only] | Unauthorizes an application from your AWS Directory. | Write | directory* (p. 365) | |
UnshareDirectory | Stops the directory sharing between the directory owner and consumer accounts. | Write | directory* (p. 365) | |
UpdateConditionalForwarder | Updates a conditional forwarder that has been set up for your AWS directory. | Write | directory* (p. 365) | |
UpdateNumberOfDomainControllers | Adds or removes domain controllers to or from the directory. Based on the difference between the current value and the new value (provided through this API call), domain controllers will be added or removed. It may take up to 45 minutes for any new domain controllers to become fully active once the requested number of domain controllers is updated. During this time, you cannot make another update request. | Write | directory* (p. 365) | |
UpdateRadius | Updates the Remote Authentication Dial In User Service (RADIUS) server information for an AD Connector directory. | Write | directory* (p. 365) | |
UpdateTrust | Updates the trust that has been set up between your AWS Managed Microsoft AD directory and an on-premises Active Directory. | Write | directory* (p. 365) | |
VerifyTrust | Verifies a trust relationship between your Microsoft AD in the AWS cloud and an external domain. | Read | directory* (p. 365) | |

Resource types defined by AWS Directory Service

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 358) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
directory | arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId} | aws:ResourceTag/${TagKey} (p. 365)

Condition keys for AWS Directory Service

AWS Directory Service defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | | String
aws:ResourceTag/${TagKey} | | String
aws:TagKeys | | String

Actions, resources, and condition keys for Amazon DynamoDB

Amazon DynamoDB (service prefix: dynamodb) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon DynamoDB (p. 366)
• Resource types defined by Amazon DynamoDB (p. 373)
• Condition keys for Amazon DynamoDB (p. 374)

Actions defined by Amazon DynamoDB


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchGetItem | Returns the attributes of one or more items from one or more tables | Read | table* (p. 373) | dynamodb:Attributes, dynamodb:LeadingKeys, dynamodb:ReturnConsumedCapacity, dynamodb:Select (p. 374) |
BatchWriteItem | Puts or deletes multiple items in one or more tables | Write | table* (p. 373) | dynamodb:Attributes, dynamodb:LeadingKeys, dynamodb:ReturnConsumedCapacity (p. 374) |
ConditionCheckItem | The ConditionCheckItem operation checks the existence of a set of attributes for the item with the given primary key | Read | table* (p. 373) | dynamodb:Attributes, dynamodb:LeadingKeys, dynamodb:ReturnConsumedCapacity, dynamodb:ReturnValues (p. 374) |
CreateBackup | Creates a backup for an existing table | Write | table* (p. 373) | |
CreateGlobalTable | Enables the user to create a global table from an existing table | Write | global-table* (p. 374), table* (p. 373) | |
CreateTable | The CreateTable operation adds a new table to your account | Write | table* (p. 373) | |
CreateTableReplica | Adds a new replica table | Write | table* (p. 373) | |
DeleteBackup | Deletes an existing backup of a table | Write | backup* (p. 374) | |
DeleteItem | Deletes a single item in a table by primary key | Write | table* (p. 373) | dynamodb:Attributes, dynamodb:EnclosingOperation, dynamodb:LeadingKeys, dynamodb:ReturnConsumedCapacity, dynamodb:ReturnValues (p. 374) |
DeleteTable | The DeleteTable operation deletes a table and all of its items | Write | table* (p. 373) | |
DeleteTableReplica | Deletes a replica table and all of its items | Write | table* (p. 373) | |
DescribeBackup | Describes an existing backup of a table | Read | backup* (p. 374) | |
DescribeContinuousBackups | Checks the status of the backup restore settings on the specified table | Read | table* (p. 373) | |
DescribeContributorInsights | Describes the contributor insights status and related details for a given table or global secondary index | Read | table*, index (p. 373) | |
DescribeExport | Describes an existing Export of a table | Read | export* (p. 374) | |
DescribeGlobalTable | Returns information about the specified global table | Read | global-table* (p. 374) | |
DescribeGlobalTableSettings | Returns settings information about the specified global table | Read | global-table* (p. 374) | |
DescribeLimits | Returns the current provisioned-capacity limits for your AWS account in a region, both for the region as a whole and for any one DynamoDB table that you create there | Read | | |
DescribeReservedCapacity | Describes one or more of the Reserved Capacity purchased | Read | | |
DescribeReservedCapacityOfferings | Describes Reserved Capacity offerings that are available for purchase | Read | | |
DescribeStream | Returns information about a stream, including the current status of the stream, its Amazon Resource Name (ARN), the composition of its shards, and its corresponding DynamoDB table | Read | stream* (p. 373) | |
DescribeTable | Returns information about the table | Read | table* (p. 373) | |
DescribeTableReplicaAutoScaling | Describes the auto scaling settings across all replicas of the global table | Read | table* (p. 373) | |
DescribeTimeToLive | Gives a description of the Time to Live (TTL) status on the specified table. | Read | table* (p. 373) | |
ExportTableToPointInTime | Initiates an Export of a DynamoDB table to S3 | Write | table* (p. 373) | |
GetItem | The GetItem operation returns a set of attributes for the item with the given primary key | Read | table* (p. 373) | dynamodb:Attributes, dynamodb:EnclosingOperation, dynamodb:LeadingKeys, dynamodb:ReturnConsumedCapacity, dynamodb:Select (p. 374) |
GetRecords | Retrieves the stream records from a given shard | Read | stream* (p. 373) | |
GetShardIterator | Returns a shard iterator | Read | stream* (p. 373) | |
ListBackups | Lists backups associated with the account and endpoint | List | | |
ListContributorInsights | Lists the ContributorInsightsSummary for all tables and global secondary indexes associated with the current account and endpoint | List | | |
ListExports | Lists exports associated with the account and endpoint | List | | |
ListGlobalTables | Lists all global tables that have a replica in the specified region | List | | |
ListStreams | Returns an array of stream ARNs associated with the current account and endpoint | Read | | |
ListTables | Returns an array of table names associated with the current account and endpoint | List | | |
ListTagsOfResource | Lists all tags on an Amazon DynamoDB resource | Read | table* (p. 373) | |
PartiQLDelete | Grants permission to delete a single item in a table by primary key | Write | table* (p. 373) | dynamodb:Attributes, dynamodb:EnclosingOperation, dynamodb:LeadingKeys, dynamodb:ReturnValues (p. 374) |
PartiQLInsert | Grants permission to create a new item, if an item with the same primary key does not exist in the table | Write | table* (p. 373) | dynamodb:Attributes, dynamodb:EnclosingOperation, dynamodb:LeadingKeys (p. 374) |
PartiQLSelect | Grants permission to read a set of attributes for items from a table or index | Read | table*, index (p. 373) | dynamodb:Attributes, dynamodb:EnclosingOperation, dynamodb:FullTableScan, dynamodb:LeadingKeys, dynamodb:Select (p. 374) |
PartiQLUpdate | Grants permission to edit an existing item's attributes | Write | table* (p. 373) | dynamodb:Attributes, dynamodb:EnclosingOperation, dynamodb:LeadingKeys, dynamodb:ReturnValues (p. 374) |
PurchaseReservedCapacityOfferings | Purchases Reserved Capacity for use with your account | Write | | |
PutItem | Creates a new item, or replaces an old item with a new item | Write | table* (p. 373) | dynamodb:Attributes, dynamodb:EnclosingOperation, dynamodb:LeadingKeys, dynamodb:ReturnConsumedCapacity, dynamodb:ReturnValues (p. 374) |
Query | Uses the primary key of a table or a secondary index to directly access items from that table or index | Read | table*, index (p. 373) | dynamodb:Attributes, dynamodb:LeadingKeys, dynamodb:ReturnConsumedCapacity, dynamodb:ReturnValues, dynamodb:Select (p. 374) |
RestoreTableFromBackup | Creates a new table from an existing backup | Write | backup* (p. 374), table* (p. 373) | |
RestoreTableToPointInTime | Restores a table to a point in time | Write | table* (p. 373) | |
Scan | Returns one or more items and item attributes by accessing every item in a table or a secondary index | Read | table*, index (p. 373) | dynamodb:Attributes, dynamodb:ReturnConsumedCapacity, dynamodb:ReturnValues, dynamodb:Select (p. 374) |
TagResource | Associates a set of tags with an Amazon DynamoDB resource | Tagging | table* (p. 373) | |
UntagResource | Removes the association of tags from an Amazon DynamoDB resource. | Tagging | table* (p. 373) | |
UpdateContinuousBackups | Enables or disables continuous backups | Write | table* (p. 373) | |
UpdateContributorInsights | Updates the status for contributor insights for a specific table or global secondary index | Write | table*, index (p. 373) | |
UpdateGlobalTable | Enables the user to add or remove replicas in the specified global table | Write | global-table* (p. 374), table* (p. 373) | |
UpdateGlobalTableSettings | Enables the user to update settings of the specified global table | Write | global-table* (p. 374), table* (p. 373) | |
UpdateItem | Edits an existing item's attributes, or adds a new item to the table if it does not already exist | Write | table* (p. 373) | dynamodb:Attributes, dynamodb:EnclosingOperation, dynamodb:LeadingKeys, dynamodb:ReturnConsumedCapacity, dynamodb:ReturnValues (p. 374) |
UpdateTable | Modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table | Write | table* (p. 373) | |
UpdateTableReplicaAutoScaling | Updates auto scaling settings on your replica table | Write | table* (p. 373) | |
UpdateTimeToLive | Enables or disables TTL for the specified table | Write | table* (p. 373) |  |

Resource types defined by Amazon DynamoDB


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 366) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types (ARN pattern; none of these types defines condition keys):

index
  ARN: arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/index/${IndexName}

stream
  ARN: arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/stream/${StreamLabel}

table
  ARN: arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}

backup
  ARN: arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/backup/${BackupName}

export
  ARN: arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/export/${exportName}

global-table
  ARN: arn:${Partition}:dynamodb::${Account}:global-table/${GlobalTableName}
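Because every DynamoDB ARN is a fixed prefix plus a path, a policy statement can be checked mechanically: does each ARN in its Resource element belong to a resource type that the statement's actions accept, and is there a bare "*" widening it to every table in the account? The following is an added example, not AWS code. The ARN templates are taken verbatim from the resource types table above and the action-to-resource-type mapping from a few rows of the actions table; the `template_to_regex`, `classify_arn` and `lint_statement` helpers, the account id and table names are constructed for the example.

```python
"""Classify DynamoDB ARNs by resource type and lint a statement's Resource element (added example, not AWS code)."""
import re

# ARN templates exactly as the resource types table gives them.
DYNAMODB_RESOURCE_TEMPLATES = {
    "index": "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/index/${IndexName}",
    "stream": "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/stream/${StreamLabel}",
    "table": "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}",
    "backup": "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/backup/${BackupName}",
    "export": "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/export/${exportName}",
    "global-table": "arn:${Partition}:dynamodb::${Account}:global-table/${GlobalTableName}",
}

# Resource types each action accepts, copied from a few rows of the actions table (all required there).
ACTION_RESOURCE_TYPES = {
    "dynamodb:RestoreTableFromBackup": {"backup", "table"},
    "dynamodb:Scan": {"table", "index"},
    "dynamodb:UpdateGlobalTable": {"global-table", "table"},
    "dynamodb:UpdateTimeToLive": {"table"},
}


def template_to_regex(template):
    """Turn an ARN template into an anchored regex; each ${Name} becomes a named group that stops at '/' or ':'."""
    escaped = re.escape(template)
    pattern = re.sub(r"\\\$\\\{(\w+)\\\}", r"(?P<\1>[^/:]+)", escaped)
    return re.compile("^" + pattern + "$")


DYNAMODB_RESOURCE_PATTERNS = {name: template_to_regex(t) for name, t in DYNAMODB_RESOURCE_TEMPLATES.items()}


def classify_arn(arn):
    """Return (resource_type, captured_fields) for a DynamoDB ARN, or (None, {}) when no template matches."""
    for name, regex in DYNAMODB_RESOURCE_PATTERNS.items():
        match = regex.match(arn)
        if match:
            return name, match.groupdict()
    return None, {}


def lint_statement(statement):
    """List Resource entries that none of the statement's actions accept, plus bare wildcards.

    Resource-level scoping only holds when every ARN is of a type the action defines; "*" silently
    widens the statement to every table in the account, so it is reported as a finding too.
    """
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    resources = statement["Resource"] if isinstance(statement["Resource"], list) else [statement["Resource"]]
    accepted = set().union(*(ACTION_RESOURCE_TYPES.get(a, set()) for a in actions))
    findings = []
    for arn in resources:
        if arn == "*":
            findings.append("wildcard Resource: statement is not scoped to specific tables")
            continue
        resource_type, _ = classify_arn(arn)
        if resource_type is None:
            findings.append(f"{arn}: does not match any DynamoDB resource type")
        elif resource_type not in accepted:
            findings.append(f"{arn}: type '{resource_type}' is not accepted by {sorted(actions)}")
    return findings


if __name__ == "__main__":
    # Constructed account id and table; an index ARN where UpdateTimeToLive only accepts a table, plus a wildcard.
    for finding in lint_statement({
        "Action": "dynamodb:UpdateTimeToLive",
        "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/Orders/index/ByCustomer", "*"],
    }):
        print(finding)
```

The named groups let the same classifier feed other checks (for instance, that the ${Account} in every ARN is the account the policy is deployed in); the character class `[^/:]+` is what keeps a table template from swallowing an index or stream ARN.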

Condition keys for Amazon DynamoDB


Amazon DynamoDB defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Note: For information about how to use context keys to refine DynamoDB access using an IAM policy, see Using IAM Policy Conditions for Fine-Grained Access Control in the Amazon DynamoDB Developer Guide.

Condition keys (type in parentheses):

dynamodb:Attributes (String)
  Filter based on the attribute (field or column) names of the table.

dynamodb:EnclosingOperation (String)
  Used to block transactional API calls and allow non-transactional API calls, or vice versa.

dynamodb:FullTableScan (Bool)
  Used to block full table scans.

dynamodb:LeadingKeys (String)
  Filter based on the partition key of the table.

dynamodb:ReturnConsumedCapacity (String)
  Filter based on the ReturnConsumedCapacity parameter of a request. Contains either "TOTAL" or "NONE".

dynamodb:ReturnValues (String)
  Filter based on the ReturnValues parameter of a request. Contains one of the following: "ALL_OLD", "UPDATED_OLD", "ALL_NEW", "UPDATED_NEW", or "NONE".

dynamodb:Select (String)
  Filter based on the Select parameter of a Query or Scan request.

Actions, resources, and condition keys for Amazon DynamoDB Accelerator (DAX)

Amazon DynamoDB Accelerator (DAX) (service prefix: dax) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon DynamoDB Accelerator (DAX) (p. 375)
• Resource types defined by Amazon DynamoDB Accelerator (DAX) (p. 378)
• Condition keys for Amazon DynamoDB Accelerator (DAX) (p. 378)

Actions defined by Amazon DynamoDB Accelerator (DAX)


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Entries list each action's description, access level, resource types (* = required) and, where present, condition keys and dependent actions.

BatchGetItem
  Description: The BatchGetItem action returns the attributes of one or more items from one or more tables.
  Access level: Read
  Resource types: application*

BatchWriteItem
  Description: The BatchWriteItem operation puts or deletes multiple items in one or more tables.
  Access level: Write
  Resource types: application*

ConditionCheckItem
  Description: The ConditionCheckItem operation checks the existence of a set of attributes for the item with the given primary key.
  Access level: Read
  Resource types: application*

CreateCluster
  Description: The CreateCluster action creates a DAX cluster.
  Access level: Write
  Resource types: application*
  Dependent actions: dax:CreateParameterGroup, dax:CreateSubnetGroup, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeVpcs, iam:GetRole, iam:PassRole

CreateParameterGroup
  Description: The CreateParameterGroup action creates a collection of parameters that you apply to all of the nodes in a DAX cluster.
  Access level: Write
  Resource types: none

CreateSubnetGroup
  Description: The CreateSubnetGroup action creates a new subnet group.
  Access level: Write
  Resource types: none

DecreaseReplicationFactor
  Description: The DecreaseReplicationFactor action removes one or more nodes from a DAX cluster.
  Access level: Write
  Resource types: application*

DeleteCluster
  Description: The DeleteCluster action deletes a previously provisioned DAX cluster.
  Access level: Write
  Resource types: application*

DeleteItem
  Description: The DeleteItem action deletes a single item in a table by primary key.
  Access level: Write
  Resource types: application*
  Condition keys: dax:EnclosingOperation

DeleteParameterGroup
  Description: The DeleteParameterGroup action deletes the specified parameter group.
  Access level: Write
  Resource types: none

DeleteSubnetGroup
  Description: The DeleteSubnetGroup action deletes a subnet group.
  Access level: Write
  Resource types: none

DescribeClusters
  Description: The DescribeClusters action returns information about all provisioned DAX clusters.
  Access level: List
  Resource types: application

DescribeDefaultParameters
  Description: The DescribeDefaultParameters action returns the default system parameter information for DAX.
  Access level: List
  Resource types: none

DescribeEvents
  Description: The DescribeEvents action returns events related to DAX clusters and parameter groups.
  Access level: List
  Resource types: none

DescribeParameterGroups
  Description: The DescribeParameterGroups action returns a list of parameter group descriptions.
  Access level: List
  Resource types: none

DescribeParameters
  Description: The DescribeParameters action returns the detailed parameter list for a particular parameter group.
  Access level: Read
  Resource types: none

DescribeSubnetGroups
  Description: The DescribeSubnetGroups action returns a list of subnet group descriptions.
  Access level: List
  Resource types: none

GetItem
  Description: The GetItem action returns a set of attributes for the item with the given primary key.
  Access level: Read
  Resource types: application*
  Condition keys: dax:EnclosingOperation

IncreaseReplicationFactor
  Description: The IncreaseReplicationFactor action adds one or more nodes to a DAX cluster.
  Access level: Write
  Resource types: application*

ListTags
  Description: The ListTags action returns a list of all of the tags for a DAX cluster.
  Access level: Read
  Resource types: application*

PutItem
  Description: The PutItem action creates a new item, or replaces an old item with a new item.
  Access level: Write
  Resource types: application*
  Condition keys: dax:EnclosingOperation

Query
  Description: The Query action finds items based on primary key values. You can query any table or secondary index that has a composite primary key (a partition key and a sort key).
  Access level: Read
  Resource types: application*

RebootNode
  Description: The RebootNode action reboots a single node of a DAX cluster.
  Access level: Write
  Resource types: application*

Scan
  Description: The Scan action returns one or more items and item attributes by accessing every item in a table or a secondary index.
  Access level: Read
  Resource types: application*

TagResource
  Description: The TagResource action associates a set of tags with a DAX resource.
  Access level: Tagging
  Resource types: application*

UntagResource
  Description: The UntagResource action removes the association of tags from a DAX resource.
  Access level: Tagging
  Resource types: application*

UpdateCluster
  Description: The UpdateCluster action modifies the settings for a DAX cluster.
  Access level: Write
  Resource types: application*

UpdateItem
  Description: The UpdateItem action edits an existing item's attributes, or adds a new item to the table if it does not already exist.
  Access level: Write
  Resource types: application*
  Condition keys: dax:EnclosingOperation

UpdateParameterGroup
  Description: The UpdateParameterGroup action modifies the parameters of a parameter group.
  Access level: Write
  Resource types: none

UpdateSubnetGroup
  Description: The UpdateSubnetGroup action modifies an existing subnet group.
  Access level: Write
  Resource types: none

Resource types defined by Amazon DynamoDB Accelerator (DAX)

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 375) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types (ARN pattern; this type defines no condition keys):

application
  ARN: arn:${Partition}:dax:${Region}:${Account}:cache/${ClusterName}

Condition keys for Amazon DynamoDB Accelerator (DAX)


Amazon DynamoDB Accelerator (DAX) defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions under
which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys (type in parentheses):

dax:EnclosingOperation (String)
  Used to block transactional API calls and allow non-transactional API calls, or vice versa.

Actions, resources, and condition keys for Amazon EC2

Amazon EC2 (service prefix: ec2) provides the following service-specific resources, actions, and condition
context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon EC2 (p. 379)
• Resource types defined by Amazon EC2 (p. 638)
• Condition keys for Amazon EC2 (p. 658)

Actions defined by Amazon EC2


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).
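Two groups of condition keys do most of the work in resource-level policies: the DynamoDB keys in the condition keys table above (dynamodb:LeadingKeys, dynamodb:Attributes, dynamodb:Select) and the tagging keys that the following EC2 table lists for actions such as AllocateHosts (aws:RequestTag/${TagKey}, aws:TagKeys, ec2:ResourceTag/${TagKey}). The example below is added here and is not AWS code: it is a small evaluator for the StringEquals operator and its ForAllValues, ForAnyValue and IfExists variants, applied to two constructed policies. The account id, table name, user names, tag values and the dedicated-host ARN form are assumptions made for the example; the real IAM evaluation engine supports far more operators than this.

```python
"""Toy IAM condition evaluator for the DynamoDB and EC2 condition keys on this page (added example, not AWS code)."""
import re
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, context):
    """Expand policy variables such as ${aws:username} from single-valued context keys."""
    return re.sub(r"\$\{([\w:./-]+)\}",
                  lambda m: context[m.group(1)][0] if len(context.get(m.group(1), [])) == 1 else m.group(0),
                  value)


def evaluate_condition(condition, context):
    """True when every operator block and every key of a Condition element matches the request context.

    context maps a condition key to the list of values the request carries; a key the request does not
    carry is absent from the dict, which is exactly where IfExists and ForAllValues behave differently.
    """
    for operator, clauses in condition.items():
        set_prefix, _, base_op = operator.rpartition(":")
        if_exists = base_op.endswith("IfExists")
        if if_exists:
            base_op = base_op[: -len("IfExists")]
        if base_op != "StringEquals":
            raise NotImplementedError(operator)  # only the operator this example needs
        for key, allowed in clauses.items():
            allowed = [_resolve(str(a), context) for a in _as_list(allowed)]
            present = [str(v) for v in context.get(key, [])]
            if set_prefix == "ForAllValues":
                ok = all(v in allowed for v in present)  # vacuously true when the key is absent
            elif set_prefix == "ForAnyValue":
                ok = any(v in allowed for v in present)
            elif if_exists and not present:
                ok = True
            else:
                ok = len(present) == 1 and present[0] in allowed  # single-valued: key must be present
            if not ok:
                return False
    return True


def _statement_matches(statement, request):
    ctx = request["context"]
    action_ok = any(fnmatchcase(request["action"], a) for a in _as_list(statement["Action"]))
    resource_ok = any(fnmatchcase(request["resource"], _resolve(r, ctx)) for r in _as_list(statement["Resource"]))
    return action_ok and resource_ok and evaluate_condition(statement.get("Condition", {}), ctx)


def is_allowed(policy, request):
    """Default deny: an explicit Deny wins, otherwise some Allow statement must match."""
    effects = [s["Effect"] for s in policy["Statement"] if _statement_matches(s, request)]
    return "Deny" not in effects and "Allow" in effects


ORDERS_TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"  # constructed account id and table

# Per-user row isolation with the DynamoDB keys from the condition keys table above.
ROW_LEVEL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem"],
    "Resource": ORDERS_TABLE_ARN,
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${aws:username}"],                          # partition key == caller
            "dynamodb:Attributes": ["CustomerId", "OrderId", "Status", "Total"],  # no other attributes
        },
        # Query must ask for specific attributes; GetItem/PutItem carry no Select, hence IfExists.
        "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
    },
}]}

# Tag-on-create for ec2:AllocateHosts with the aws:RequestTag/${TagKey} and aws:TagKeys keys the EC2 actions
# table lists for the dedicated-host resource type (the dedicated-host ARN form is assumed here).
TAG_ON_CREATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:AllocateHosts",
    "Resource": "arn:aws:ec2:us-east-1:123456789012:dedicated-host/*",
    "Condition": {
        "StringEquals": {"aws:RequestTag/Owner": "${aws:username}"},            # Owner tag is mandatory
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "CostCenter"]},  # and no other tag keys
    },
}]}


def dynamodb_request(action, username, leading_keys, attributes, select=None):
    """Request context as DynamoDB would populate it for one call (constructed, not the real context)."""
    context = {"aws:username": [username], "dynamodb:LeadingKeys": leading_keys, "dynamodb:Attributes": attributes}
    if select is not None:
        context["dynamodb:Select"] = [select]
    return {"action": action, "resource": ORDERS_TABLE_ARN, "context": context}


def ec2_allocate_hosts_request(username, tags):
    """Constructed request context for AllocateHosts carrying the given tags."""
    context = {"aws:username": [username], "aws:TagKeys": list(tags)}
    context.update({f"aws:RequestTag/{k}": [v] for k, v in tags.items()})
    return {"action": "ec2:AllocateHosts", "resource": "arn:aws:ec2:us-east-1:123456789012:dedicated-host/h-0",
            "context": context}


def leading_keys_condition_passes_without_key():
    """The ForAllValues caveat: a context with no dynamodb:LeadingKeys value still satisfies the condition."""
    condition = ROW_LEVEL_POLICY["Statement"][0]["Condition"]
    return evaluate_condition(condition, {"aws:username": ["alice"], "dynamodb:Attributes": ["OrderId"]})
```

The ForAllValues branch deserves attention: under IAM's documented semantics a request that carries no value for the key matches vacuously, which `leading_keys_condition_passes_without_key()` reproduces. A statement that relies on dynamodb:LeadingKeys should therefore grant only the item-level actions shown and not Scan; full-table reads are the job of the separate dynamodb:FullTableScan key. The EC2 policy shows the complementary pattern for tag-on-create: StringEquals on aws:RequestTag/Owner makes the tag mandatory, while ForAllValues on aws:TagKeys caps the set of tag keys a caller may attach.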

Entries list each action's description, access level, resource types (* = required) with the condition keys that apply to each, and dependent actions where present.

AcceptReservedInstancesExchangeQuote
  Description: Grants permission to accept a Convertible Reserved Instance exchange quote
  Access level: Write
  Resource types and condition keys:
    reserved-instances: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy

AcceptTransitGatewayPeeringAttachment
  Description: Grants permission to accept a transit gateway peering attachment request
  Access level: Write
  Resource types and condition keys:
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AcceptTransitGatewayVpcAttachment
  Description: Grants permission to accept a request to attach a VPC to a transit gateway
  Access level: Write
  Resource types and condition keys:
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AcceptVpcEndpointConnections
  Description: Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service
  Access level: Write
  Resource types and condition keys:
    vpc-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc-endpoint-service*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName

AcceptVpcPeeringConnection
  Description: Grants permission to accept a VPC peering connection request
  Access level: Write
  Resource types and condition keys:
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpc-peering-connection*: aws:ResourceTag/${TagKey}, ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}

AdvertiseByoipCidr
  Description: Grants permission to advertise an IP address range that is provisioned for use in AWS through bring your own IP addresses (BYOIP)
  Access level: Write
  Resource types and condition keys: none

AllocateAddress
  Description: Grants permission to allocate an Elastic IP address (EIP) to your account
  Access level: Write
  Resource types and condition keys:
    ipv4pool-ec2: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AllocateHosts
  Description: Grants permission to allocate a Dedicated Host to your account
  Access level: Write
  Resource types and condition keys:
    dedicated-host*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:AutoPlacement, ec2:AvailabilityZone, ec2:InstanceType, ec2:Quantity, ec2:HostRecovery

ApplySecurityGroupsToClientVpnTargetNetwork
  Description: Grants permission to apply a security group to the association between a Client VPN endpoint and a target network
  Access level: Write
  Resource types and condition keys:
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    security-group*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

AssignIpv6Addresses
  Description: Grants permission to assign one or more IPv6 addresses to a network interface
  Access level: Write
  Resource types and condition keys:
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

AssignPrivateIpAddresses
  Description: Grants permission to assign one or more secondary private IP addresses to a network interface
  Access level: Write
  Resource types and condition keys:
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

AssociateAddress
  Description: Grants permission to associate an Elastic IP address (EIP) with an instance or a network interface
  Access level: Write
  Resource types and condition keys:
    elastic-ip: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    instance: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    network-interface: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

AssociateClientVpnTargetNetwork
  Description: Grants permission to associate a target network with a Client VPN endpoint
  Access level: Write
  Resource types and condition keys:
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

AssociateDhcpOptions
  Description: Grants permission to associate or disassociate a set of DHCP options with a VPC
  Access level: Write
  Resource types and condition keys:
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

AssociateEnclaveCertificateIamRole
  Description: Grants permission to associate an ACM certificate with an IAM role to be used in an EC2 Enclave
  Access level: Write
  Resource types and condition keys:
    certificate*: none
    role*: none

AssociateIamInstanceProfile
  Description: Grants permission to associate an IAM instance profile with a running or stopped instance
  Access level: Write
  Resource types and condition keys:
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
  Dependent actions: iam:PassRole

AssociateRouteTable
  Description: Grants permission to associate a subnet or gateway with a route table
  Access level: Write
  Resource types and condition keys:
    route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    internet-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    subnet: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    vpn-gateway: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AssociateSubnetCidrBlock
  Description: Grants permission to associate a CIDR block with a subnet
  Access level: Write
  Resource types and condition keys:
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

AssociateTransitGatewayMulticastDomain
  Description: Grants permission to associate an attachment and list of subnets with a transit gateway multicast domain
  Access level: Write
  Resource types and condition keys:
    subnet*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-multicast-domain*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AssociateTransitGatewayRouteTable
  Description: Grants permission to associate an attachment with a transit gateway route table
  Access level: Write
  Resource types and condition keys:
    transit-gateway-attachment*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    transit-gateway-route-table*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AssociateVpcCidrBlock
  Description: Grants permission to associate a CIDR block with a VPC
  Access level: Write
  Resource types and condition keys:
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    ipv6pool-ec2: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AttachClassicLinkVpc
  Description: Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups
  Access level: Write
  Resource types and condition keys:
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    security-group*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

AttachInternetGateway
  Description: Grants permission to attach an internet gateway to a VPC
  Access level: Write
  Resource types and condition keys:
    internet-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

AttachNetworkInterface
  Description: Grants permission to attach a network interface to an instance
  Access level: Write
  Resource types and condition keys:
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    network-interface*: aws:ResourceTag/${TagKey}, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc, ec2:AssociatePublicIpAddress

AttachVolume
  Description: Grants permission to attach an EBS volume to a running or stopped instance and expose it to the instance with the specified device name
  Access level: Write
  Resource types and condition keys:
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy
    volume*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType

AttachVpnGateway
  Description: Grants permission to attach a virtual private gateway to a VPC
  Access level: Write
  Resource types and condition keys:
    vpc*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy
    vpn-gateway*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

AuthorizeClientVpnIngress
  Description: Grants permission to add an inbound authorization rule to a Client VPN endpoint
  Access level: Write
  Resource types and condition keys:
    client-vpn-endpoint*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:ServerCertificateArn, ec2:ClientRootCertificateChainArn, ec2:DirectoryArn, ec2:SamlProviderArn, ec2:CloudwatchLogGroupArn, ec2:CloudwatchLogStreamArn

AuthorizeSecurityGroupEgress
  Description: Grants permission to add one or more outbound rules to a VPC security group
  Access level: Write
  Resource types and condition keys:
    security-group*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

AuthorizeSecurityGroupIngress
  Description: Grants permission to add one or more inbound rules to a security group
  Access level: Write
  Resource types and condition keys:
    security-group*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

BundleInstance
  Description: Grants permission to bundle an instance store-backed Windows instance
  Access level: Write
  Resource types and condition keys:
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

CancelBundleTask
  Description: Grants permission to cancel a bundling operation
  Access level: Write
  Resource types and condition keys: none

CancelCapacityReservation
  Description: Grants permission to cancel a Capacity Reservation and release the reserved capacity
  Access level: Write
  Resource types and condition keys:
    capacity-reservation*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CancelConversionTask
  Description: Grants permission to cancel an active conversion task
  Access level: Write
  Resource types and condition keys: none

CancelExportTask
  Description: Grants permission to cancel an active export task
  Access level: Write
  Resource types and condition keys:
    export-image-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    export-instance-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CancelImportTask
  Description: Grants permission to cancel an in-process import virtual machine or import snapshot task
  Access level: Write
  Resource types and condition keys:
    import-image-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}
    import-snapshot-task: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CancelReservedInstancesListing
  Description: Grants permission to cancel a Reserved Instance listing on the Reserved Instance Marketplace
  Access level: Write
  Resource types and condition keys: none

CancelSpotFleetRequests
  Description: Grants permission to cancel one or more Spot Fleet requests
  Access level: Write
  Resource types and condition keys:
    spot-fleet-request*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

CancelSpotInstanceRequests
  Description: Grants permission to cancel one or more Spot Instance requests
  Access level: Write
  Resource types and condition keys:
    spot-instances-request*: aws:ResourceTag/${TagKey}, ec2:Region, ec2:ResourceTag/${TagKey}

ConfirmProductInstance
  Description: Grants permission to determine whether an owned product code is associated with an instance
  Access level: Write
  Resource types and condition keys:
    instance*: aws:ResourceTag/${TagKey}, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

CopyFpgaImage
  Description: Grants permission to copy a source Amazon FPGA image (AFI) to the current Region
  Access level: Write
  Resource types and condition keys: none

CopyImage
  Description: Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region
  Access level: Write
  Resource types and condition keys: none

CopySnapshot
  Description: Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3
  Access level: Write
  Resource types and condition keys:
    snapshot*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize

CreateCapacityReservation
  Description: Grants permission to create a Capacity Reservation
  Access level: Write
  Resource types and condition keys:
    capacity-reservation*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

CreateCarrierGateway
  Description: Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers.
  Access level: Write
  Resource types and condition keys:
    carrier-gateway*: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

ec2:Tenancy
(p. 661)

vpc* aws:ResourceTag/
 
(p. 655) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

405
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create a Write client- aws:ResourceTag/


 
CreateClientVpnEndpoint
Client VPN endpoint vpn- ${TagKey}
endpoint* (p. 658)
(p. 639)
aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:ServerCertificateArn
(p. 661)

ec2:ClientRootCertificateChainArn
(p. 659)

ec2:DirectoryArn
(p. 659)

ec2:SamlProviderArn
(p. 661)

ec2:CloudwatchLogGroupArn
(p. 659)

ec2:CloudwatchLogStreamArn
(p. 659)

406
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

security- aws:ResourceTag/
 
group ${TagKey}
(p. 650) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

vpc aws:ResourceTag/
 
(p. 655) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

407
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to add a Write client- aws:ResourceTag/


 
CreateClientVpnRoute
network route to a Client VPN vpn- ${TagKey}
endpoint's route table endpoint* (p. 658)
(p. 639)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:ServerCertificateArn
(p. 661)

ec2:ClientRootCertificateChainArn
(p. 659)

ec2:DirectoryArn
(p. 659)

ec2:SamlProviderArn
(p. 661)

ec2:CloudwatchLogGroupArn
(p. 659)

ec2:CloudwatchLogStreamArn
(p. 659)

subnet* aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

Grants permission to create Write      


CreateCustomerGateway
a customer gateway, which
provides information to AWS
about your customer gateway
device

408
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create a Write      


CreateDefaultSubnet
default subnet in a specified
Availability Zone in a default
VPC

Grants permission to create Write      


CreateDefaultVpca default VPC with a default
subnet in each Availability Zone

Grants permission to create a set Write dhcp- aws:ResourceTag/


 
CreateDhcpOptions
of DHCP options for a VPC options* ${TagKey}
(p. 640) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to create an Write egress- aws:ResourceTag/


 
CreateEgressOnlyInternetGateway
egress-only internet gateway for only- ${TagKey}
a VPC internet- (p. 658)
gateway*
(p. 641) aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

409
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

vpc* aws:ResourceTag/
 
(p. 655) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

CreateFleet Grants permission to launch an Write fleet* aws:ResourceTag/


 
EC2 Fleet (p. 642) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

410
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

image aws:ResourceTag/
 
(p. 643) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:ImageType
(p. 659)

ec2:Owner
(p. 660)

ec2:Public
(p. 661)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

key-pair aws:ResourceTag/
 
(p. 645) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

411
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

launch- aws:ResourceTag/
 
template ${TagKey}
(p. 645) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

network- aws:ResourceTag/
 
interface ${TagKey}
(p. 648) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AuthorizedService
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Subnet
(p. 661)

ec2:Vpc
(p. 662)

ec2:AssociatePublicIpAddress
(p. 658)

412
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

security- aws:ResourceTag/
 
group ${TagKey}
(p. 650) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

snapshot aws:ResourceTag/
 
(p. 650) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Owner
(p. 660)

ec2:ParentVolume
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:SnapshotTime
(p. 661)

ec2:VolumeSize
(p. 662)

413
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

subnet aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

Grants permission to create one Write vpc- aws:ResourceTag/


iam:PassRole
CreateFlowLogs or more flow logs to capture IP flow-log* ${TagKey}
traffic for a network interface (p. 655) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

414
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

network- aws:ResourceTag/
 
interface ${TagKey}
(p. 648) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AuthorizedService
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Subnet
(p. 661)

ec2:Vpc
(p. 662)

ec2:AssociatePublicIpAddress
(p. 658)

415
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

subnet aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

vpc aws:ResourceTag/
 
(p. 655) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

416
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create an Write fpga- aws:ResourceTag/


 
CreateFpgaImageAmazon FPGA Image (AFI) from image* ${TagKey}
a design checkpoint (DCP) (p. 642) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Owner
(p. 660)

ec2:Public
(p. 661)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

CreateImage Grants permission to create an Write instance* aws:ResourceTag/


 
Amazon EBS-backed AMI from (p. 644) ${TagKey}
a stopped or running Amazon (p. 658)
EBS-backed instance
ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

417
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to export a Write export- aws:ResourceTag/


 
CreateInstanceExportTask
running or stopped instance to instance- ${TagKey}
an Amazon S3 bucket task* (p. 658)
(p. 642)
aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

418
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

instance* aws:ResourceTag/
 
(p. 644) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

419
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create an Write internet- aws:ResourceTag/


 
CreateInternetGateway
internet gateway for a VPC gateway* ${TagKey}
(p. 644) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

CreateKeyPair Grants permission to create a Write key-pair* aws:ResourceTag/


 
2048-bit RSA key pair (p. 645) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to create a Write launch- aws:ResourceTag/


 
CreateLaunchTemplate
launch template template* ${TagKey}
(p. 645) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

420
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

capacity- aws:ResourceTag/
 
reservation ${TagKey}
(p. 638) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

dedicated- aws:ResourceTag/
 
host ${TagKey}
(p. 640) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:AutoPlacement
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:InstanceType
(p. 659)

ec2:Quantity
(p. 661)

ec2:HostRecovery
(p. 659)

421
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

image aws:ResourceTag/
 
(p. 643) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:ImageType
(p. 659)

ec2:Owner
(p. 660)

ec2:Public
(p. 661)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

key-pair aws:ResourceTag/
 
(p. 645) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

422
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

network- aws:ResourceTag/
 
interface ${TagKey}
(p. 648) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AuthorizedService
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Subnet
(p. 661)

ec2:Vpc
(p. 662)

ec2:AssociatePublicIpAddress
(p. 658)

placement- aws:ResourceTag/
 
group ${TagKey}
(p. 649) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:PlacementGroupStrategy
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

423
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

security- aws:ResourceTag/
 
group ${TagKey}
(p. 650) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

snapshot aws:ResourceTag/
 
(p. 650) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Owner
(p. 660)

ec2:ParentVolume
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:SnapshotTime
(p. 661)

ec2:VolumeSize
(p. 662)

424
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

subnet aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

Grants permission to create Write launch- aws:ResourceTag/


 
CreateLaunchTemplateVersion
a new version of a launch template* ${TagKey}
template (p. 645) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

capacity- aws:ResourceTag/
 
reservation ${TagKey}
(p. 638) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

425
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

dedicated- aws:ResourceTag/
 
host ${TagKey}
(p. 640) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:AutoPlacement
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:InstanceType
(p. 659)

ec2:Quantity
(p. 661)

ec2:HostRecovery
(p. 659)

image aws:ResourceTag/
 
(p. 643) ${TagKey}
(p. 658)

ec2:ImageType
(p. 659)

ec2:Owner
(p. 660)

ec2:Public
(p. 661)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

426
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

key-pair aws:ResourceTag/
 
(p. 645) ${TagKey}
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

network- aws:ResourceTag/
 
interface ${TagKey}
(p. 648) (p. 658)

ec2:AuthorizedService
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Subnet
(p. 661)

ec2:Vpc
(p. 662)

ec2:AssociatePublicIpAddress
(p. 658)

placement- aws:ResourceTag/
 
group ${TagKey}
(p. 649) (p. 658)

ec2:PlacementGroupStrategy
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

427
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

security- aws:ResourceTag/
 
group ${TagKey}
(p. 650) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

snapshot aws:ResourceTag/
 
(p. 650) ${TagKey}
(p. 658)

ec2:Owner
(p. 660)

ec2:ParentVolume
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:SnapshotTime
(p. 661)

ec2:VolumeSize
(p. 662)

subnet aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

428
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create a Write local- aws:ResourceTag/


 
CreateLocalGatewayRoute
static route for a local gateway gateway- ${TagKey}
route table route- (p. 658)
table*
(p. 646) ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

local- aws:ResourceTag/
 
gateway- ${TagKey}
virtual- (p. 658)
interface-
group* ec2:Region
(p. 647) (p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to associate a Write local- aws:ResourceTag/


 
CreateLocalGatewayRouteTableVpcAssociation
VPC with a local gateway route gateway- ${TagKey}
table route- (p. 658)
table*
(p. 646) aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

429
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

local- aws:ResourceTag/
 
gateway- ${TagKey}
route- (p. 658)
table-vpc-
association* aws:RequestTag/
(p. 646) ${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

vpc* aws:ResourceTag/
 
(p. 655) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

430
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create a Write prefix-list* aws:ResourceTag/


 
CreateManagedPrefixList
managed prefix list (p. 649) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to create a Write elastic-ip* aws:ResourceTag/


 
CreateNatGateway
NAT gateway in a subnet (p. 638) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

natgateway* aws:ResourceTag/
 
(p. 647) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

431
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

subnet* aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

Grants permission to create a Write network- aws:ResourceTag/


 
CreateNetworkAclnetwork ACL in a VPC acl* ${TagKey}
(p. 647) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

432
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

vpc* aws:ResourceTag/
 
(p. 655) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

Grants permission to create a Write network- aws:ResourceTag/


 
CreateNetworkAclEntry
numbered entry (a rule) in a acl* ${TagKey}
network ACL (p. 647) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

Grants permission to create a Write network-    


CreateNetworkInsightsPath
path to analyze for reachability insights-
path*
(p. 648)

433
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create a Write network- aws:ResourceTag/


 
CreateNetworkInterface
network interface in a subnet interface* ${TagKey}
(p. 648) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AuthorizedService
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Subnet
(p. 661)

ec2:Vpc
(p. 662)

ec2:AssociatePublicIpAddress
(p. 658)

434
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

subnet* aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

security- aws:ResourceTag/
 
group ${TagKey}
(p. 650) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

435
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create Permissions network- aws:ResourceTag/


 
CreateNetworkInterfacePermission
a permission for an AWS- managementinterface* ${TagKey}
authorized user to perform (p. 648) (p. 658)
certain operations on a network
interface ec2:AuthorizedService
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Subnet
(p. 661)

ec2:Vpc
(p. 662)

ec2:AssociatePublicIpAddress
(p. 658)

Grants permission to create a Write placement- aws:ResourceTag/


 
CreatePlacementGroup
placement group group* ${TagKey}
(p. 649) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:PlacementGroupStrategy
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

436
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create a Write reserved- aws:ResourceTag/


 
CreateReservedInstancesListing
listing for Standard Reserved instances* ${TagKey}
Instances to be sold in the (p. 649) (p. 658)
Reserved Instance Marketplace
ec2:AvailabilityZone
(p. 659)

ec2:InstanceType
(p. 659)

ec2:Region
(p. 661)

ec2:ReservedInstancesOfferingType
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

CreateRoute Grants permission to create a Write route- aws:ResourceTag/


 
route in a VPC route table table* ${TagKey}
(p. 650) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

carrier- aws:ResourceTag/
 
gateway ${TagKey}
(p. 639) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

ec2:Tenancy
(p. 661)

437
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

egress- aws:ResourceTag/
 
only- ${TagKey}
internet- (p. 658)
gateway
(p. 641) ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

instance aws:ResourceTag/
 
(p. 644) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

internet- aws:ResourceTag/
 
gateway ${TagKey}
(p. 644) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

438
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

local- aws:ResourceTag/
 
gateway ${TagKey}
(p. 646) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

natgateway aws:ResourceTag/
 
(p. 647) ${TagKey}
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

network- aws:ResourceTag/
 
interface ${TagKey}
(p. 648) (p. 658)

ec2:AuthorizedService
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Subnet
(p. 661)

ec2:Vpc
(p. 662)

ec2:AssociatePublicIpAddress
(p. 658)

439
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

prefix-list aws:ResourceTag/
 
(p. 649) ${TagKey}
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

transit- aws:ResourceTag/
 
gateway ${TagKey}
(p. 653) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

vpc- aws:ResourceTag/
 
peering- ${TagKey}
connection (p. 658)
(p. 656)
ec2:AccepterVpc
(p. 658)

ec2:Region
(p. 661)

ec2:RequesterVpc
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

vpn- aws:ResourceTag/
 
gateway ${TagKey}
(p. 658) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

440
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create a Write vpc* aws:ResourceTag/


 
CreateRouteTableroute table for a VPC (p. 655) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

Grants permission to create a Write security- aws:ResourceTag/


 
CreateSecurityGroup
security group group* ${TagKey}
(p. 650) (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

441
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

vpc aws:ResourceTag/
 
(p. 655) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

Grants permission to create a Write snapshot* aws:ResourceTag/


 
CreateSnapshot snapshot of an EBS volume and (p. 650) ${TagKey}
store it in Amazon S3 (p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Owner
(p. 660)

ec2:ParentVolume
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:SnapshotTime
(p. 661)

ec2:VolumeSize
(p. 662)

442
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

volume* aws:ResourceTag/
 
(p. 654) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Encrypted
(p. 659)

ec2:ParentSnapshot
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:VolumeIops
(p. 662)

ec2:VolumeSize
(p. 662)

ec2:VolumeThroughput
(p. 662)

ec2:VolumeType
(p. 662)

443
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create Write instance* aws:ResourceTag/


 
CreateSnapshots crash-consistent snapshots of (p. 644) ${TagKey}
multiple EBS volumes and store (p. 658)
them in Amazon S3
aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

444
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

snapshot* aws:ResourceTag/
 
(p. 650) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Owner
(p. 660)

ec2:ParentVolume
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:SnapshotTime
(p. 661)

ec2:VolumeSize
(p. 662)

445
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

volume* aws:ResourceTag/
 
(p. 654) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Encrypted
(p. 659)

ec2:ParentSnapshot
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:VolumeIops
(p. 662)

ec2:VolumeSize
(p. 662)

ec2:VolumeThroughput
(p. 662)

ec2:VolumeType
(p. 662)

Grants permission to create a Write      


CreateSpotDatafeedSubscription
data feed for Spot Instances to
view Spot Instance usage logs

446
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

CreateSubnet
  Description: Grants permission to create a subnet in a VPC
  Access level: Write
  Resource types (*required) and condition keys:
    capacity-reservation* (p. 638): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    spot-instances-request* (p. 651): ec2:ResourceTag/${TagKey} (p. 661), aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661)
    subnet* (p. 651): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    vpc* (p. 655): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661)

CreateTags
  Description: Grants permission to add or overwrite one or more tags for Amazon EC2 resources
  Access level: Tagging
  Resource types (*required) and condition keys:
    capacity-reservation (p. 638): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    client-vpn-endpoint (p. 639): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ServerCertificateArn (p. 661), ec2:ClientRootCertificateChainArn (p. 659), ec2:DirectoryArn (p. 659), ec2:SamlProviderArn (p. 661), ec2:CloudwatchLogGroupArn (p. 659), ec2:CloudwatchLogStreamArn (p. 659)
    customer-gateway (p. 640): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    dedicated-host (p. 640): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:AutoPlacement (p. 659), ec2:AvailabilityZone (p. 659), ec2:InstanceType (p. 659), ec2:Quantity (p. 661), ec2:HostRecovery (p. 659)
    dhcp-options (p. 640): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    egress-only-internet-gateway (p. 641): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    elastic-gpu (p. 641): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ElasticGpuType (p. 659)
    elastic-ip (p. 638): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    export-image-task (p. 641): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    export-instance-task (p. 642): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    fleet (p. 642): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    fpga-image (p. 642): aws:ResourceTag/${TagKey} (p. 658), ec2:Owner (p. 660), ec2:Public (p. 661), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    host-reservation (p. 642): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    image (p. 643): aws:ResourceTag/${TagKey} (p. 658), ec2:ImageType (p. 659), ec2:Owner (p. 660), ec2:Public (p. 661), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661)
    import-image-task (p. 643): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    import-snapshot-task (p. 643): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    instance (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)
    internet-gateway (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    ipv4pool-ec2 (p. 645): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    ipv6pool-ec2 (p. 645): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    key-pair (p. 645): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    launch-template (p. 645): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway (p. 646): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway-route-table (p. 646): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway-route-table-virtual-interface-group-association (p. 646): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway-route-table-vpc-association (p. 646): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661)
    local-gateway-virtual-interface (p. 647): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway-virtual-interface-group (p. 647): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    natgateway (p. 647): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    network-acl (p. 647): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    network-interface (p. 648): aws:ResourceTag/${TagKey} (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658)
    placement-group (p. 649): aws:ResourceTag/${TagKey} (p. 658), ec2:PlacementGroupStrategy (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    prefix-list (p. 649): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    reserved-instances (p. 649): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:InstanceType (p. 659), ec2:Region (p. 661), ec2:ReservedInstancesOfferingType (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661)
    route-table (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    security-group (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    snapshot (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Owner (p. 660), ec2:ParentVolume (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:SnapshotTime (p. 661), ec2:VolumeSize (p. 662)
    spot-fleet-request (p. 651): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    spot-instances-request (p. 651): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    subnet (p. 651): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    traffic-mirror-filter (p. 651): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    traffic-mirror-session (p. 652): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    traffic-mirror-target (p. 652): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-attachment (p. 652): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-connect-peer (p. 652): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-multicast-domain (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-route-table (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    volume (p. 654): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:Encrypted (p. 659), ec2:ParentSnapshot (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:VolumeIops (p. 662), ec2:VolumeSize (p. 662), ec2:VolumeThroughput (p. 662), ec2:VolumeType (p. 662)
    vpc (p. 655): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661)
    vpc-endpoint (p. 654): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    vpc-endpoint-service (p. 655): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:VpceServicePrivateDnsName (p. 662)
    vpc-flow-log (p. 655): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    vpc-peering-connection (p. 656): aws:ResourceTag/${TagKey} (p. 658), ec2:AccepterVpc (p. 658), ec2:Region (p. 661), ec2:RequesterVpc (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    vpn-connection (p. 657): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:AuthenticationType (p. 658), ec2:DPDTimeoutSeconds (p. 659), ec2:GatewayType (p. 659), ec2:IKEVersions (p. 659), ec2:InsideTunnelCidr (p. 659), ec2:Phase1DHGroupNumbers (p. 660), ec2:Phase2DHGroupNumbers (p. 660), ec2:Phase1EncryptionAlgorithms (p. 660), ec2:Phase2EncryptionAlgorithms (p. 660), ec2:Phase1IntegrityAlgorithms (p. 660), ec2:Phase2IntegrityAlgorithms (p. 660), ec2:Phase1LifetimeSeconds (p. 660), ec2:Phase2LifetimeSeconds (p. 660), ec2:PresharedKeys (p. 661), ec2:RekeyFuzzPercentage (p. 661), ec2:RekeyMarginTimeSeconds (p. 661), ec2:RoutingType (p. 661)
    vpn-gateway (p. 658): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    (no resource type): ec2:CreateAction (p. 659)

CreateTrafficMirrorFilter
  Description: Grants permission to create a traffic mirror filter
  Access level: Write
  Resource types (*required) and condition keys:
    traffic-mirror-filter* (p. 651): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateTrafficMirrorFilterRule
  Description: Grants permission to create a traffic mirror filter rule
  Access level: Write
  Resource types (*required) and condition keys:
    traffic-mirror-filter* (p. 651): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    traffic-mirror-filter-rule* (p. 652): ec2:Region (p. 661)

CreateTrafficMirrorSession
  Description: Grants permission to create a traffic mirror session
  Access level: Write
  Resource types (*required) and condition keys:
    network-interface* (p. 648): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658)
    traffic-mirror-filter* (p. 651): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    traffic-mirror-session* (p. 652): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    traffic-mirror-target* (p. 652): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateTrafficMirrorTarget
  Description: Grants permission to create a traffic mirror target
  Access level: Write
  Resource types (*required) and condition keys:
    traffic-mirror-target* (p. 652): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    network-interface (p. 648): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658)

CreateTransitGateway
  Description: Grants permission to create a transit gateway
  Access level: Write
  Resource types (*required) and condition keys:
    transit-gateway* (p. 653): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateTransitGatewayMulticastDomain
  Description: Grants permission to create a multicast domain for a transit gateway
  Access level: Write
  Resource types (*required) and condition keys:
    transit-gateway* (p. 653): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-multicast-domain* (p. 653): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateTransitGatewayPeeringAttachment
  Description: Grants permission to request a transit gateway peering attachment between a requester and accepter transit gateway
  Access level: Write
  Resource types (*required) and condition keys:
    transit-gateway* (p. 653): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-attachment* (p. 652): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateTransitGatewayPrefixListReference
  Description: Grants permission to create a transit gateway prefix list reference
  Access level: Write
  Resource types (*required) and condition keys:
    prefix-list* (p. 649): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-route-table* (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-attachment (p. 652): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateTransitGatewayRoute
  Description: Grants permission to create a static route for a transit gateway route table
  Access level: Write
  Resource types (*required) and condition keys:
    transit-gateway-route-table* (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-attachment (p. 652): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateTransitGatewayRouteTable
  Description: Grants permission to create a route table for a transit gateway
  Access level: Write
  Resource types (*required) and condition keys:
    transit-gateway* (p. 653): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-route-table* (p. 653): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateTransitGatewayVpcAttachment
  Description: Grants permission to attach a VPC to a transit gateway
  Access level: Write
  Resource types (*required) and condition keys:
    transit-gateway* (p. 653): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-attachment* (p. 652): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    vpc* (p. 655): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661)
    subnet (p. 651): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)

CreateVolume
  Description: Grants permission to create an EBS volume
  Access level: Write
  Resource types (*required) and condition keys:
    volume* (p. 654): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AvailabilityZone (p. 659), ec2:Encrypted (p. 659), ec2:ParentSnapshot (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:VolumeIops (p. 662), ec2:VolumeSize (p. 662), ec2:VolumeThroughput (p. 662), ec2:VolumeType (p. 662)
    snapshot (p. 650): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Owner (p. 660), ec2:ParentVolume (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:SnapshotTime (p. 661), ec2:VolumeSize (p. 662)

CreateVpc
  Description: Grants permission to create a VPC with a specified CIDR block
  Access level: Write
  Resource types (*required) and condition keys:
    vpc* (p. 655): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661)
    ipv6pool-ec2 (p. 645): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateVpcEndpoint
  Description: Grants permission to create a VPC endpoint for an AWS service
  Access level: Write
  Dependent actions: route53:AssociateVPCWit
  Resource types (*required) and condition keys:
    vpc* (p. 655): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661)
    vpc-endpoint* (p. 654): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    route-table (p. 650): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    security-group (p. 650): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    subnet (p. 651): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)

CreateVpcEndpointConnectionNotification
  Description: Grants permission to create a connection notification for a VPC endpoint or VPC endpoint service
  Access level: Write
  Resource types (*required) and condition keys:
    vpc-endpoint (p. 654): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    vpc-endpoint-service (p. 655): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:VpceServicePrivateDnsName (p. 662)

CreateVpcEndpointServiceConfiguration
  Description: Grants permission to create a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles) can connect
  Access level: Write
  Resource types (*required) and condition keys:
    vpc-endpoint-service* (p. 655): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:VpceServicePrivateDnsName (p. 662)

CreateVpcPeeringConnection
  Description: Grants permission to request a VPC peering connection between two VPCs
  Access level: Write
  Resource types (*required) and condition keys:
    vpc* (p. 655): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661)
    vpc-peering-connection* (p. 656): aws:ResourceTag/${TagKey} (p. 658), ec2:AccepterVpc (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:RequesterVpc (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateVpnConnection
  Description: Grants permission to create a VPN connection between a virtual private gateway or transit gateway and a customer gateway
  Access level: Write
  Resource types (*required) and condition keys:
    customer-gateway* (p. 640): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    vpn-connection* (p. 657): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:AuthenticationType (p. 658), ec2:DPDTimeoutSeconds (p. 659), ec2:GatewayType (p. 659), ec2:IKEVersions (p. 659), ec2:InsideTunnelCidr (p. 659), ec2:Phase1DHGroupNumbers (p. 660), ec2:Phase2DHGroupNumbers (p. 660), ec2:Phase1EncryptionAlgorithms (p. 660), ec2:Phase2EncryptionAlgorithms (p. 660), ec2:Phase1IntegrityAlgorithms (p. 660), ec2:Phase2IntegrityAlgorithms (p. 660), ec2:Phase1LifetimeSeconds (p. 660), ec2:Phase2LifetimeSeconds (p. 660), ec2:PresharedKeys (p. 661), ec2:RekeyFuzzPercentage (p. 661), ec2:RekeyMarginTimeSeconds (p. 661), ec2:RoutingType (p. 661)
    transit-gateway (p. 653): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    vpn-gateway (p. 658): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

CreateVpnConnectionRoute
  Description: Grants permission to create a static route for a VPN connection between a virtual private gateway and a customer gateway
  Access level: Write
  Resource types (*required) and condition keys:
    vpn-connection* (p. 657): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:AuthenticationType (p. 658), ec2:DPDTimeoutSeconds (p. 659), ec2:GatewayType (p. 659), ec2:IKEVersions (p. 659), ec2:InsideTunnelCidr (p. 659), ec2:Phase1DHGroupNumbers (p. 660), ec2:Phase2DHGroupNumbers (p. 660), ec2:Phase1EncryptionAlgorithms (p. 660), ec2:Phase2EncryptionAlgorithms (p. 660), ec2:Phase1IntegrityAlgorithms (p. 660), ec2:Phase2IntegrityAlgorithms (p. 660), ec2:Phase1LifetimeSeconds (p. 660), ec2:Phase2LifetimeSeconds (p. 660), ec2:PresharedKeys (p. 661), ec2:RekeyFuzzPercentage (p. 661), ec2:RekeyMarginTimeSeconds (p. 661), ec2:RoutingType (p. 661)

CreateVpnGateway
  Description: Grants permission to create a virtual private gateway
  Access level: Write
  Resource types (*required) and condition keys:
    vpn-gateway* (p. 658): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteCarrierGateway
  Description: Grants permission to delete a carrier gateway
  Access level: Write
  Resource types (*required) and condition keys:
    carrier-gateway* (p. 639): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662), ec2:Tenancy (p. 661)

DeleteClientVpnEndpoint
  Description: Grants permission to delete a Client VPN endpoint
  Access level: Write
  Resource types (*required) and condition keys:
    client-vpn-endpoint* (p. 639): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ServerCertificateArn (p. 661), ec2:ClientRootCertificateChainArn (p. 659), ec2:DirectoryArn (p. 659), ec2:SamlProviderArn (p. 661), ec2:CloudwatchLogGroupArn (p. 659), ec2:CloudwatchLogStreamArn (p. 659)

DeleteClientVpnRoute
  Description: Grants permission to delete a route from a Client VPN endpoint
  Access level: Write
  Resource types (*required) and condition keys:
    client-vpn-endpoint* (p. 639): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ServerCertificateArn (p. 661), ec2:ClientRootCertificateChainArn (p. 659), ec2:DirectoryArn (p. 659), ec2:SamlProviderArn (p. 661), ec2:CloudwatchLogGroupArn (p. 659), ec2:CloudwatchLogStreamArn (p. 659)
    subnet (p. 651): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)

DeleteCustomerGateway
  Description: Grants permission to delete a customer gateway
  Access level: Write
  Resource types (*required) and condition keys:
    customer-gateway* (p. 640): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteDhcpOptions
  Description: Grants permission to delete a set of DHCP options
  Access level: Write
  Resource types (*required) and condition keys:
    dhcp-options* (p. 640): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteEgressOnlyInternetGateway
  Description: Grants permission to delete an egress-only internet gateway
  Access level: Write
  Resource types (*required) and condition keys:
    egress-only-internet-gateway* (p. 641): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteFleets
  Description: Grants permission to delete one or more EC2 Fleets
  Access level: Write
  Resource types (*required) and condition keys:
    fleet* (p. 642): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteFlowLogs
  Description: Grants permission to delete one or more flow logs
  Access level: Write
  Resource types (*required) and condition keys:
    vpc-flow-log* (p. 655): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteFpgaImage
  Description: Grants permission to delete an Amazon FPGA Image (AFI)
  Access level: Write
  Resource types (*required) and condition keys:
    fpga-image* (p. 642): aws:ResourceTag/${TagKey} (p. 658), ec2:Owner (p. 660), ec2:Public (p. 661), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteInternetGateway
  Description: Grants permission to delete an internet gateway
  Access level: Write
  Resource types (*required) and condition keys:
    internet-gateway* (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteKeyPair
  Description: Grants permission to delete a key pair by removing the public key from Amazon EC2
  Access level: Write
  Resource types (*required) and condition keys:
    key-pair (p. 645): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteLaunchTemplate
  Description: Grants permission to delete a launch template and its associated versions
  Access level: Write
  Resource types (*required) and condition keys:
    launch-template (p. 645): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteLaunchTemplateVersions
  Description: Grants permission to delete one or more versions of a launch template
  Access level: Write
  Resource types (*required) and condition keys:
    launch-template (p. 645): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteLocalGatewayRoute
  Description: Grants permission to delete a route from a local gateway route table
  Access level: Write
  Resource types (*required) and condition keys:
    local-gateway-route-table* (p. 646): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

DeleteLocalGatewayRouteTableVpcAssociation
  Description: Grants permission to delete an association between a VPC and local gateway route table
  Access level: Write
  Resource types (*required) and condition keys:
    local-gateway-route-table-vpc-association* (p. 646): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661)

Grants permission to delete a Write prefix-list* aws:ResourceTag/


 
DeleteManagedPrefixList
managed prefix list (p. 649) ${TagKey}
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

490
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to delete a Write natgateway* aws:ResourceTag/


 
DeleteNatGateway
NAT gateway (p. 647) ${TagKey}
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to delete a Write network- aws:ResourceTag/


 
DeleteNetworkAclnetwork ACL acl* ${TagKey}
(p. 647) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

Grants permission to delete Write network- aws:ResourceTag/


 
DeleteNetworkAclEntry
an inbound or outbound entry acl* ${TagKey}
(rule) from a network ACL (p. 647) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

Grants permission to delete a Write network- aws:ResourceTag/


 
DeleteNetworkInsightsAnalysis
network insights analysis insights- ${TagKey}
analysis* (p. 658)
(p. 648)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

DeleteNetworkInsightsPath
  Description: Grants permission to delete a network insights path
  Access level: Write
  Resource types (*required): network-insights-path* (p. 648)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Vpc (p. 662)

DeleteNetworkInterface
  Description: Grants permission to delete a detached network interface
  Access level: Write
  Resource types (*required): network-interface* (p. 648)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:AuthorizedService (p. 659); ec2:AvailabilityZone (p. 659); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Subnet (p. 661); ec2:Vpc (p. 662); ec2:AssociatePublicIpAddress (p. 658)

DeleteNetworkInterfacePermission
  Description: Grants permission to delete a permission that is associated with a network interface
  Access level: Permissions management
  Resource types: none

DeletePlacementGroup
  Description: Grants permission to delete a placement group
  Access level: Write
  Resource types: none

DeleteQueuedReservedInstances
  Description: Grants permission to delete the queued purchases for the specified Reserved Instances
  Access level: Write
  Resource types (*required): reserved-instances* (p. 649)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:AvailabilityZone (p. 659); ec2:InstanceType (p. 659); ec2:Region (p. 661); ec2:ReservedInstancesOfferingType (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Tenancy (p. 661)

DeleteRoute
  Description: Grants permission to delete a route from a route table
  Access level: Write
  Resource types (*required) and condition keys:
    route-table* (p. 650): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Vpc (p. 662)
    prefix-list (p. 649): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteRouteTable
  Description: Grants permission to delete a route table
  Access level: Write
  Resource types (*required): route-table* (p. 650)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Vpc (p. 662)

DeleteSecurityGroup
  Description: Grants permission to delete a security group
  Access level: Write
  Resource types (*required): security-group* (p. 650)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Vpc (p. 662)

DeleteSnapshot
  Description: Grants permission to delete a snapshot of an EBS volume
  Access level: Write
  Resource types (*required): snapshot* (p. 650)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Owner (p. 660); ec2:ParentVolume (p. 660); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:SnapshotTime (p. 661); ec2:VolumeSize (p. 662)

DeleteSpotDatafeedSubscription
  Description: Grants permission to delete a data feed for Spot Instances
  Access level: Write
  Resource types: none

DeleteSubnet
  Description: Grants permission to delete a subnet
  Access level: Write
  Resource types (*required): subnet* (p. 651)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:AvailabilityZone (p. 659); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Vpc (p. 662)

DeleteTags
  Description: Grants permission to delete one or more tags from Amazon EC2 resources
  Access level: Tagging
  Resource types (*required) and condition keys:
    capacity-reservation (p. 638): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    client-vpn-endpoint (p. 639): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:ServerCertificateArn (p. 661); ec2:ClientRootCertificateChainArn (p. 659); ec2:DirectoryArn (p. 659); ec2:SamlProviderArn (p. 661); ec2:CloudwatchLogGroupArn (p. 659); ec2:CloudwatchLogStreamArn (p. 659)
    customer-gateway (p. 640): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    dedicated-host (p. 640): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:AutoPlacement (p. 659); ec2:AvailabilityZone (p. 659); ec2:InstanceType (p. 659); ec2:Quantity (p. 661); ec2:HostRecovery (p. 659)
    dhcp-options (p. 640): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    egress-only-internet-gateway (p. 641): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    elastic-gpu (p. 641): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:ElasticGpuType (p. 659)
    elastic-ip (p. 638): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    export-image-task (p. 641): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    export-instance-task (p. 642): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    fleet (p. 642): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    fpga-image (p. 642): aws:ResourceTag/${TagKey} (p. 658); ec2:Owner (p. 660); ec2:Public (p. 661); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    host-reservation (p. 642): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    image (p. 643): aws:ResourceTag/${TagKey} (p. 658); ec2:ImageType (p. 659); ec2:Owner (p. 660); ec2:Public (p. 661); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:RootDeviceType (p. 661)
    import-image-task (p. 643): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    import-snapshot-task (p. 643): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    instance (p. 644): aws:ResourceTag/${TagKey} (p. 658); ec2:AvailabilityZone (p. 659); ec2:EbsOptimized (p. 659); ec2:InstanceProfile (p. 659); ec2:InstanceType (p. 659); ec2:PlacementGroup (p. 660); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:RootDeviceType (p. 661); ec2:Tenancy (p. 661)
    internet-gateway (p. 644): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    ipv4pool-ec2 (p. 645): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    ipv6pool-ec2 (p. 645): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    key-pair (p. 645): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    launch-template (p. 645): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway (p. 646): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway-route-table (p. 646): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway-route-table-virtual-interface-group-association (p. 646): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway-route-table-vpc-association (p. 646): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Tenancy (p. 661)
    local-gateway-virtual-interface (p. 647): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway-virtual-interface-group (p. 647): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    natgateway (p. 647): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    network-acl (p. 647): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Vpc (p. 662)
    network-interface (p. 648): aws:ResourceTag/${TagKey} (p. 658); ec2:AuthorizedService (p. 659); ec2:AvailabilityZone (p. 659); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Subnet (p. 661); ec2:Vpc (p. 662); ec2:AssociatePublicIpAddress (p. 658)
    placement-group (p. 649): aws:ResourceTag/${TagKey} (p. 658); ec2:PlacementGroupStrategy (p. 660); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    prefix-list (p. 649): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    reserved-instances (p. 649): aws:ResourceTag/${TagKey} (p. 658); ec2:AvailabilityZone (p. 659); ec2:InstanceType (p. 659); ec2:Region (p. 661); ec2:ReservedInstancesOfferingType (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Tenancy (p. 661)
    route-table (p. 650): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Vpc (p. 662)
    security-group (p. 650): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Vpc (p. 662)
    snapshot (p. 650): aws:ResourceTag/${TagKey} (p. 658); ec2:Owner (p. 660); ec2:ParentVolume (p. 660); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:SnapshotTime (p. 661); ec2:VolumeSize (p. 662)
    spot-fleet-request (p. 651): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    spot-instances-request (p. 651): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    subnet (p. 651): aws:ResourceTag/${TagKey} (p. 658); ec2:AvailabilityZone (p. 659); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Vpc (p. 662)
    traffic-mirror-filter (p. 651): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    traffic-mirror-session (p. 652): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    traffic-mirror-target (p. 652): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway (p. 653): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-attachment (p. 652): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-connect-peer (p. 652): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-multicast-domain (p. 653): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-route-table (p. 653): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    volume (p. 654): aws:ResourceTag/${TagKey} (p. 658); ec2:AvailabilityZone (p. 659); ec2:Encrypted (p. 659); ec2:ParentSnapshot (p. 660); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:VolumeIops (p. 662); ec2:VolumeSize (p. 662); ec2:VolumeThroughput (p. 662); ec2:VolumeType (p. 662)
    vpc (p. 655): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Tenancy (p. 661)
    vpc-endpoint (p. 654): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    vpc-endpoint-service (p. 655): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:VpceServicePrivateDnsName (p. 662)
    vpc-flow-log (p. 655): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    vpc-peering-connection (p. 656): aws:ResourceTag/${TagKey} (p. 658); ec2:AccepterVpc (p. 658); ec2:Region (p. 661); ec2:RequesterVpc (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    vpn-connection (p. 657): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:AuthenticationType (p. 658); ec2:DPDTimeoutSeconds (p. 659); ec2:GatewayType (p. 659); ec2:IKEVersions (p. 659); ec2:InsideTunnelCidr (p. 659); ec2:Phase1DHGroupNumbers (p. 660); ec2:Phase2DHGroupNumbers (p. 660); ec2:Phase1EncryptionAlgorithms (p. 660); ec2:Phase2EncryptionAlgorithms (p. 660); ec2:Phase1IntegrityAlgorithms (p. 660); ec2:Phase2IntegrityAlgorithms (p. 660); ec2:Phase1LifetimeSeconds (p. 660); ec2:Phase2LifetimeSeconds (p. 660); ec2:PresharedKeys (p. 661); ec2:RekeyFuzzPercentage (p. 661); ec2:RekeyMarginTimeSeconds (p. 661); ec2:RoutingType (p. 661)
    vpn-gateway (p. 658): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTrafficMirrorFilter
  Description: Grants permission to delete a traffic mirror filter
  Access level: Write
  Resource types (*required): traffic-mirror-filter* (p. 651)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTrafficMirrorFilterRule
  Description: Grants permission to delete a traffic mirror filter rule
  Access level: Write
  Resource types (*required): traffic-mirror-filter-rule* (p. 652)
  Condition keys: ec2:Region (p. 661)

DeleteTrafficMirrorSession
  Description: Grants permission to delete a traffic mirror session
  Access level: Write
  Resource types (*required): traffic-mirror-session* (p. 652)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTrafficMirrorTarget
  Description: Grants permission to delete a traffic mirror target
  Access level: Write
  Resource types (*required): traffic-mirror-target* (p. 652)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTransitGateway
  Description: Grants permission to delete a transit gateway
  Access level: Write
  Resource types (*required): transit-gateway* (p. 653)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTransitGatewayConnect
  Description: Grants permission to delete a transit gateway connect attachment
  Access level: Write
  Resource types (*required): transit-gateway-attachment* (p. 652)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTransitGatewayConnectPeer
  Description: Grants permission to delete a transit gateway connect peer
  Access level: Write
  Resource types (*required): transit-gateway-connect-peer* (p. 652)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTransitGatewayMulticastDomain
  Description: Grants permission to delete a transit gateway multicast domain
  Access level: Write
  Resource types (*required): transit-gateway-multicast-domain* (p. 653)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTransitGatewayPeeringAttachment
  Description: Grants permission to delete a peering attachment from a transit gateway
  Access level: Write
  Resource types (*required): transit-gateway-attachment* (p. 652)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTransitGatewayPrefixListReference
  Description: Grants permission to delete a transit gateway prefix list reference
  Access level: Write
  Resource types (*required) and condition keys:
    prefix-list* (p. 649): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-route-table* (p. 653): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTransitGatewayRoute
  Description: Grants permission to delete a route from a transit gateway route table
  Access level: Write
  Resource types (*required): transit-gateway-route-table* (p. 653)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTransitGatewayRouteTable
  Description: Grants permission to delete a transit gateway route table
  Access level: Write
  Resource types (*required): transit-gateway-route-table* (p. 653)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteTransitGatewayVpcAttachment
  Description: Grants permission to delete a VPC attachment from a transit gateway
  Access level: Write
  Resource types (*required): transit-gateway-attachment* (p. 652)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteVolume
  Description: Grants permission to delete an EBS volume
  Access level: Write
  Resource types (*required): volume* (p. 654)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:AvailabilityZone (p. 659); ec2:Encrypted (p. 659); ec2:ParentSnapshot (p. 660); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:VolumeIops (p. 662); ec2:VolumeSize (p. 662); ec2:VolumeThroughput (p. 662); ec2:VolumeType (p. 662)

DeleteVpc
  Description: Grants permission to delete a VPC
  Access level: Write
  Resource types (*required): vpc* (p. 655)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Tenancy (p. 661)

DeleteVpcEndpointConnectionNotifications
  Description: Grants permission to delete one or more VPC endpoint connection notifications
  Access level: Write
  Resource types (*required) and condition keys:
    vpc-endpoint* (p. 654): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)
    vpc-endpoint-service* (p. 655): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:VpceServicePrivateDnsName (p. 662)

DeleteVpcEndpointServiceConfigurations
  Description: Grants permission to delete one or more VPC endpoint service configurations
  Access level: Write
  Resource types (*required): vpc-endpoint-service* (p. 655)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:VpceServicePrivateDnsName (p. 662)

DeleteVpcEndpoints
  Description: Grants permission to delete one or more VPC endpoints
  Access level: Write
  Resource types (*required): vpc-endpoint* (p. 654)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteVpcPeeringConnection
  Description: Grants permission to delete a VPC peering connection
  Access level: Write
  Resource types (*required): vpc-peering-connection* (p. 656)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:AccepterVpc (p. 658); ec2:Region (p. 661); ec2:RequesterVpc (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeleteVpnConnection
  Description: Grants permission to delete a VPN connection
  Access level: Write
  Resource types (*required): vpn-connection* (p. 657)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:AuthenticationType (p. 658); ec2:DPDTimeoutSeconds (p. 659); ec2:GatewayType (p. 659); ec2:IKEVersions (p. 659); ec2:InsideTunnelCidr (p. 659); ec2:Phase1DHGroupNumbers (p. 660); ec2:Phase2DHGroupNumbers (p. 660); ec2:Phase1EncryptionAlgorithms (p. 660); ec2:Phase2EncryptionAlgorithms (p. 660); ec2:Phase1IntegrityAlgorithms (p. 660); ec2:Phase2IntegrityAlgorithms (p. 660); ec2:Phase1LifetimeSeconds (p. 660); ec2:Phase2LifetimeSeconds (p. 660); ec2:PresharedKeys (p. 661); ec2:RekeyFuzzPercentage (p. 661); ec2:RekeyMarginTimeSeconds (p. 661); ec2:RoutingType (p. 661)

DeleteVpnConnectionRoute
  Description: Grants permission to delete a static route for a VPN connection between a virtual private gateway and a customer gateway
  Access level: Write
  Resource types (*required): vpn-connection* (p. 657)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:AuthenticationType (p. 658); ec2:DPDTimeoutSeconds (p. 659); ec2:GatewayType (p. 659); ec2:IKEVersions (p. 659); ec2:InsideTunnelCidr (p. 659); ec2:Phase1DHGroupNumbers (p. 660); ec2:Phase2DHGroupNumbers (p. 660); ec2:Phase1EncryptionAlgorithms (p. 660); ec2:Phase2EncryptionAlgorithms (p. 660); ec2:Phase1IntegrityAlgorithms (p. 660); ec2:Phase2IntegrityAlgorithms (p. 660); ec2:Phase1LifetimeSeconds (p. 660); ec2:Phase2LifetimeSeconds (p. 660); ec2:PresharedKeys (p. 661); ec2:RekeyFuzzPercentage (p. 661); ec2:RekeyMarginTimeSeconds (p. 661); ec2:RoutingType (p. 661)

DeleteVpnGateway
  Description: Grants permission to delete a virtual private gateway
  Access level: Write
  Resource types (*required): vpn-gateway* (p. 658)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeprovisionByoipCidr
  Description: Grants permission to release an IP address range that was provisioned through bring your own IP addresses (BYOIP), and to delete the corresponding address pool
  Access level: Write
  Resource types: none

DeregisterImage
  Description: Grants permission to deregister an Amazon Machine Image (AMI)
  Access level: Write
  Resource types (*required): image* (p. 643)
  Condition keys: aws:ResourceTag/${TagKey} (p. 658); ec2:ImageType (p. 659); ec2:Owner (p. 660); ec2:Public (p. 661); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:RootDeviceType (p. 661)

DeregisterInstanceEventNotificationAttributes
  Description: Grants permission to remove tags from the set of tags to include in notifications about scheduled events for your instances
  Access level: Write
  Resource types: none

DeregisterTransitGatewayMulticastGroupMembers
  Description: Grants permission to deregister one or more network interface members from a group IP address in a transit gateway multicast domain
  Access level: Write
  Resource types and condition keys:
    network-interface (p. 648): aws:ResourceTag/${TagKey} (p. 658); ec2:AuthorizedService (p. 659); ec2:AvailabilityZone (p. 659); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Subnet (p. 661); ec2:Vpc (p. 662); ec2:AssociatePublicIpAddress (p. 658)
    transit-gateway-multicast-domain (p. 653): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DeregisterTransitGatewayMulticastGroupSources
  Description: Grants permission to deregister one or more network interface sources from a group IP address in a transit gateway multicast domain
  Access level: Write
  Resource types and condition keys:
    network-interface (p. 648): aws:ResourceTag/${TagKey} (p. 658); ec2:AuthorizedService (p. 659); ec2:AvailabilityZone (p. 659); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661); ec2:Subnet (p. 661); ec2:Vpc (p. 662); ec2:AssociatePublicIpAddress (p. 658)
    transit-gateway-multicast-domain (p. 653): aws:ResourceTag/${TagKey} (p. 658); ec2:Region (p. 661); ec2:ResourceTag/${TagKey} (p. 661)

DescribeAccountAttributes
  Description: Grants permission to describe the attributes of the AWS account
  Access level: List
  Resource types: none

DescribeAddresses
  Description: Grants permission to describe one or more Elastic IP addresses
  Access level: List
  Resource types: none

DescribeAggregateIdFormat
  Description: Grants permission to describe the longer ID format settings for all resource types
  Access level: List
  Resource types: none

DescribeAvailabilityZones
  Description: Grants permission to describe one or more of the Availability Zones that are available to you
  Access level: List
  Resource types: none

DescribeBundleTasks
  Description: Grants permission to describe one or more bundling tasks
  Access level: List
  Resource types: none

DescribeByoipCidrs
  Description: Grants permission to describe the IP address ranges that were provisioned through bring your own IP addresses (BYOIP)
  Access level: List
  Resource types: none

DescribeCapacityReservations
  Description: Grants permission to describe one or more Capacity Reservations
  Access level: List
  Resource types: none

DescribeCarrierGateways
  Description: Grants permission to describe one or more Carrier Gateways
  Access level: List
  Resource types: none

DescribeClassicLinkInstances
  Description: Grants permission to describe one or more linked EC2-Classic instances
  Access level: List
  Resource types: none

DescribeClientVpnAuthorizationRules
  Description: Grants permission to describe the authorization rules for a Client VPN endpoint
  Access level: List
  Resource types: none

DescribeClientVpnConnections
  Description: Grants permission to describe active client connections and connections that have been terminated within the last 60 minutes for a Client VPN endpoint
  Access level: List
  Resource types: none

DescribeClientVpnEndpoints
  Description: Grants permission to describe one or more Client VPN endpoints
  Access level: List
  Resource types: none

DescribeClientVpnRoutes
  Description: Grants permission to describe the routes for a Client VPN endpoint
  Access level: List
  Resource types: none

DescribeClientVpnTargetNetworks
  Description: Grants permission to describe the target networks that are associated with a Client VPN endpoint
  Access level: List
  Resource types: none

DescribeCoipPools
  Description: Grants permission to describe the specified customer-owned address pools or all of your customer-owned address pools
  Access level: List
  Resource types: none

DescribeConversionTasks
  Description: Grants permission to describe one or more conversion tasks
  Access level: List
  Resource types: none

DescribeCustomerGateways
  Description: Grants permission to describe one or more customer gateways
  Access level: List
  Resource types: none

DescribeDhcpOptions
  Description: Grants permission to describe one or more DHCP options sets
  Access level: List
  Resource types: none

DescribeEgressOnlyInternetGateways
  Description: Grants permission to describe one or more egress-only internet gateways
  Access level: List
  Resource types: none

DescribeElasticGpus
  Description: Grants permission to describe an Elastic Graphics accelerator that is associated with an instance
  Access level: Read
  Resource types: none

DescribeExportImageTasks
  Description: Grants permission to describe one or more export image tasks
  Access level: List
  Resource types: none

DescribeExportTasks
  Description: Grants permission to describe one or more export instance tasks
  Access level: List
  Resource types: none

DescribeFastSnapshotRestores
  Description: Grants permission to describe the state of fast snapshot restores for snapshots
  Access level: Read
  Resource types: none

DescribeFleetHistory
  Description: Grants permission to describe the events for an EC2 Fleet during a specified time
  Access level: List
  Resource types: none

DescribeFleetInstances
  Description: Grants permission to describe the running instances for an EC2 Fleet
  Access level: List
  Resource types: none

DescribeFleets
  Description: Grants permission to describe one or more EC2 Fleets
  Access level: List
  Resource types: none

DescribeFlowLogs
  Description: Grants permission to describe one or more flow logs
  Access level: List
  Resource types: none

DescribeFpgaImageAttribute
  Description: Grants permission to describe the attributes of an Amazon FPGA Image (AFI)
  Access level: List
  Resource types: none

DescribeFpgaImages
  Description: Grants permission to describe one or more Amazon FPGA Images (AFIs)
  Access level: List
  Resource types: none

DescribeHostReservationOfferings
  Description: Grants permission to describe the Dedicated Host Reservations that are available to purchase
  Access level: List
  Resource types: none

DescribeHostReservations
  Description: Grants permission to describe the Dedicated Host Reservations that are associated with Dedicated Hosts in the AWS account
  Access level: List
  Resource types: none

DescribeHosts
  Description: Grants permission to describe one or more Dedicated Hosts
  Access level: List
  Resource types: none

DescribeIamInstanceProfileAssociations
  Description: Grants permission to describe the IAM instance profile associations
  Access level: List
  Resource types: none

DescribeIdFormat
  Description: Grants permission to describe the ID format settings for resources
  Access level: List
  Resource types: none

DescribeIdentityIdFormat
  Description: Grants permission to describe the ID format settings for resources for an IAM user, IAM role, or root user
  Access level: List
  Resource types: none

DescribeImageAttribute
  Description: Grants permission to describe an attribute of an Amazon Machine Image (AMI)
  Access level: List
  Resource types: none

DescribeImages
  Description: Grants permission to describe one or more images (AMIs, AKIs, and ARIs)
  Access level: List
  Resource types: none

DescribeImportImageTasks
  Description: Grants permission to describe import virtual machine or import snapshot tasks
  Access level: List
  Resource types: none

DescribeImportSnapshotTasks
  Description: Grants permission to describe import snapshot tasks
  Access level: List
  Resource types: none

DescribeInstanceAttribute
  Description: Grants permission to describe the attributes of an instance
  Access level: List
  Resource types: none

DescribeInstanceCreditSpecifications
  Description: Grants permission to describe the credit option for CPU usage of one or more burstable performance instances
  Access level: List
  Resource types: none

DescribeInstanceEventNotificationAttributes
  Description: Grants permission to describe the set of tags to include in notifications about scheduled events for your instances
  Access level: List
  Resource types: none

DescribeInstanceStatus
  Description: Grants permission to describe the status of one or more instances
  Access level: List
  Resource types: none

DescribeInstanceTypeOfferings
  Description: Grants permission to describe the set of instance types that are offered in a location
  Access level: List
  Resource types: none

DescribeInstanceTypes
  Description: Grants permission to describe the details of instance types that are offered in a location
  Access level: List
  Resource types: none

DescribeInstances
  Description: Grants permission to describe one or more instances
  Access level: List
  Resource types: none

| DescribeInternetGateways | Grants permission to describe one or more internet gateways | List | | | |
| DescribeIpv6Pools | Grants permission to describe one or more IPv6 address pools | List | | | |
| DescribeKeyPairs | Grants permission to describe one or more key pairs | List | | | |
| DescribeLaunchTemplateVersions | Grants permission to describe one or more launch template versions | List | | | |
| DescribeLaunchTemplates | Grants permission to describe one or more launch templates | List | | | |
| DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations | Grants permission to describe the associations between virtual interface groups and local gateway route tables | List | | | |
| DescribeLocalGatewayRouteTableVpcAssociations | Grants permission to describe an association between VPCs and local gateway route tables | List | | | |
| DescribeLocalGatewayRouteTables | Grants permission to describe one or more local gateway route tables | List | | | |
| DescribeLocalGatewayVirtualInterfaceGroups | Grants permission to describe local gateway virtual interface groups | List | | | |
| DescribeLocalGatewayVirtualInterfaces | Grants permission to describe local gateway virtual interfaces | List | | | |
| DescribeLocalGateways | Grants permission to describe one or more local gateways | List | | | |
| DescribeManagedPrefixLists | Grants permission to describe your managed prefix lists and any AWS-managed prefix lists | List | | | |
| DescribeMovingAddresses | Grants permission to describe Elastic IP addresses that are being moved to the EC2-VPC platform | List | | | |
| DescribeNatGateways | Grants permission to describe one or more NAT gateways | List | | | |
| DescribeNetworkAcls | Grants permission to describe one or more network ACLs | List | | | |
| DescribeNetworkInterfaceAttribute | Grants permission to describe a network interface attribute | List | | | |
| DescribeNetworkInterfacePermissions | Grants permission to describe the permissions that are associated with a network interface | List | | | |
| DescribeNetworkInterfaces | Grants permission to describe one or more network interfaces | List | | | |
| DescribePlacementGroups | Grants permission to describe one or more placement groups | List | | | |
| DescribePrefixLists | Grants permission to describe available AWS services in a prefix list format | List | | | |
| DescribePrincipalIdFormat | Grants permission to describe the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified a longer ID (17-character ID) preference | List | | | |
| DescribePublicIpv4Pools | Grants permission to describe one or more IPv4 address pools | List | | | |
| DescribeRegions | Grants permission to describe one or more AWS Regions that are currently available in your account | List | | | |
| DescribeReservedInstances | Grants permission to describe one or more purchased Reserved Instances in your account | List | | | |
| DescribeReservedInstancesListings | Grants permission to describe your account's Reserved Instance listings in the Reserved Instance Marketplace | List | | | |
| DescribeReservedInstancesModifications | Grants permission to describe the modifications made to one or more Reserved Instances | List | | | |
| DescribeReservedInstancesOfferings | Grants permission to describe the Reserved Instance offerings that are available for purchase | List | | | |
| DescribeRouteTables | Grants permission to describe one or more route tables | List | | | |
| DescribeScheduledInstanceAvailability | Grants permission to find available schedules for Scheduled Instances | Read | | | |
| DescribeScheduledInstances | Grants permission to describe one or more Scheduled Instances in your account | Read | | | |
| DescribeSecurityGroupReferences | Grants permission to describe the VPCs on the other side of a VPC peering connection that are referencing specified VPC security groups | List | | | |
| DescribeSecurityGroups | Grants permission to describe one or more security groups | List | | | |
| DescribeSnapshotAttribute | Grants permission to describe an attribute of a snapshot | List | | | |
| DescribeSnapshots | Grants permission to describe one or more EBS snapshots | List | | | |
| DescribeSpotDatafeedSubscription | Grants permission to describe the data feed for Spot Instances | List | | | |
| DescribeSpotFleetInstances | Grants permission to describe the running instances for a Spot Fleet | List | | | |
| DescribeSpotFleetRequestHistory | Grants permission to describe the events for a Spot Fleet request during a specified time | List | | | |
| DescribeSpotFleetRequests | Grants permission to describe one or more Spot Fleet requests | List | | | |
| DescribeSpotInstanceRequests | Grants permission to describe one or more Spot Instance requests | List | | | |
| DescribeSpotPriceHistory | Grants permission to describe the Spot Instance price history | List | | | |
| DescribeStaleSecurityGroups | Grants permission to describe the stale security group rules for security groups in a specified VPC | List | | | |
| DescribeSubnets | Grants permission to describe one or more subnets | List | | | |
| DescribeTags | Grants permission to describe one or more tags for an Amazon EC2 resource | Read | | | |
| DescribeTrafficMirrorFilters | Grants permission to describe one or more traffic mirror filters | List | | | |
| DescribeTrafficMirrorSessions | Grants permission to describe one or more traffic mirror sessions | List | | | |
| DescribeTrafficMirrorTargets | Grants permission to describe one or more traffic mirror targets | List | | | |
| DescribeTransitGatewayAttachments | Grants permission to describe one or more attachments between resources and transit gateways | List | | | |
| DescribeTransitGatewayMulticastDomains | Grants permission to describe one or more transit gateway multicast domains | List | | | |
| DescribeTransitGatewayPeeringAttachments | Grants permission to describe one or more transit gateway peering attachments | List | | | |
| DescribeTransitGatewayRouteTables | Grants permission to describe one or more transit gateway route tables | List | | | |
| DescribeTransitGatewayVpcAttachments | Grants permission to describe one or more VPC attachments on a transit gateway | List | | | |
| DescribeTransitGateways | Grants permission to describe one or more transit gateways | List | | | |
| DescribeVolumeAttribute | Grants permission to describe an attribute of an EBS volume | List | | | |
| DescribeVolumeStatus | Grants permission to describe the status of one or more EBS volumes | List | | | |
| DescribeVolumes | Grants permission to describe one or more EBS volumes | List | | | |
| DescribeVolumesModifications | Grants permission to describe the current modification status of one or more EBS volumes | Read | | | |
| DescribeVpcAttribute | Grants permission to describe an attribute of a VPC | List | | | |
| DescribeVpcClassicLink | Grants permission to describe the ClassicLink status of one or more VPCs | List | | | |
| DescribeVpcClassicLinkDnsSupport | Grants permission to describe the ClassicLink DNS support status of one or more VPCs | List | | | |
| DescribeVpcEndpointConnectionNotifications | Grants permission to describe the connection notifications for VPC endpoints and VPC endpoint services | List | | | |
| DescribeVpcEndpointConnections | Grants permission to describe the VPC endpoint connections to your VPC endpoint services | List | | | |
| DescribeVpcEndpointServiceConfigurations | Grants permission to describe VPC endpoint service configurations (your services) | List | | | |
| DescribeVpcEndpointServicePermissions | Grants permission to describe the principals (service consumers) that are permitted to discover your VPC endpoint service | List | | | |
| DescribeVpcEndpointServices | Grants permission to describe all supported AWS services that can be specified when creating a VPC endpoint | List | | | |
| DescribeVpcEndpoints | Grants permission to describe one or more VPC endpoints | List | | | |
| DescribeVpcPeeringConnections | Grants permission to describe one or more VPC peering connections | List | | | |
| DescribeVpcs | Grants permission to describe one or more VPCs | List | | | |
| DescribeVpnConnections | Grants permission to describe one or more VPN connections | Read | | | |
| DescribeVpnGateways | Grants permission to describe one or more virtual private gateways | List | | | |
| DetachClassicLinkVpc | Grants permission to unlink (detach) a linked EC2-Classic instance from a VPC | Write | instance* (p. 644) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661) | |
| | | | vpc* (p. 655) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661) | |
| DetachInternetGateway | Grants permission to detach an internet gateway from a VPC | Write | internet-gateway* (p. 644) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| | | | vpc* (p. 655) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661) | |
| DetachNetworkInterface | Grants permission to detach a network interface from an instance | Write | instance* (p. 644) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661) | |
| | | | network-interface* (p. 648) | aws:ResourceTag/${TagKey} (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658) | |
| DetachVolume | Grants permission to detach an EBS volume from an instance | Write | volume* (p. 654) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:Encrypted (p. 659), ec2:ParentSnapshot (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:VolumeIops (p. 662), ec2:VolumeSize (p. 662), ec2:VolumeThroughput (p. 662), ec2:VolumeType (p. 662) | |
| | | | instance (p. 644) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661) | |
| DetachVpnGateway | Grants permission to detach a virtual private gateway from a VPC | Write | vpc* (p. 655) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661) | |
| | | | vpn-gateway* (p. 658) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| DisableEbsEncryptionByDefault | Grants permission to disable EBS encryption by default for your account | Write | | | |
| DisableFastSnapshotRestores | Grants permission to disable fast snapshot restores for one or more snapshots in specified Availability Zones | Write | snapshot* (p. 650) | aws:ResourceTag/${TagKey} (p. 658), ec2:Owner (p. 660), ec2:ParentVolume (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:SnapshotTime (p. 661), ec2:VolumeSize (p. 662) | |
| DisableTransitGatewayRouteTablePropagation | Grants permission to disable a resource attachment from propagating routes to the specified propagation route table | Write | transit-gateway-attachment* (p. 652) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| | | | transit-gateway-route-table* (p. 653) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| DisableVgwRoutePropagation | Grants permission to disable a virtual private gateway from propagating routes to a specified route table of a VPC | Write | route-table* (p. 650) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662) | |
| | | | vpn-gateway* (p. 658) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| DisableVpcClassicLink | Grants permission to disable ClassicLink for a VPC | Write | vpc* (p. 655) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661) | |
| DisableVpcClassicLinkDnsSupport | Grants permission to disable ClassicLink DNS support for a VPC | Write | vpc (p. 655) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661) | |
| DisassociateAddress | Grants permission to disassociate an Elastic IP address from an instance or network interface | Write | elastic-ip (p. 638) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| | | | instance (p. 644) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661) | |
| | | | network-interface (p. 648) | aws:ResourceTag/${TagKey} (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658) | |
| DisassociateClientVpnTargetNetwork | Grants permission to disassociate a target network from a Client VPN endpoint | Write | client-vpn-endpoint* (p. 639) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ServerCertificateArn (p. 661), ec2:ClientRootCertificateChainArn (p. 659), ec2:DirectoryArn (p. 659), ec2:SamlProviderArn (p. 661), ec2:CloudwatchLogGroupArn (p. 659), ec2:CloudwatchLogStreamArn (p. 659) | |
| DisassociateEnclaveCertificateIamRole | Grants permission to disassociate an ACM certificate from an IAM role | Write | certificate* (p. 639) | | |
| | | | role* (p. 649) | | |
| DisassociateIamInstanceProfile | Grants permission to disassociate an IAM instance profile from a running or stopped instance | Write | instance* (p. 644) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661) | |
| DisassociateRouteTable | Grants permission to disassociate a subnet from a route table | Write | route-table (p. 650) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662) | |
| | | | subnet (p. 651) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662) | |
| DisassociateSubnetCidrBlock | Grants permission to disassociate a CIDR block from a subnet | Write | subnet* (p. 651) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662) | |
| DisassociateTransitGatewayMulticastDomain | Grants permission to disassociate one or more subnets from a transit gateway multicast domain | Write | subnet* (p. 651) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662) | |
| | | | transit-gateway-attachment* (p. 652) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| | | | transit-gateway-multicast-domain* (p. 653) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| DisassociateTransitGatewayRouteTable | Grants permission to disassociate a resource attachment from a transit gateway route table | Write | transit-gateway-attachment* (p. 652) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| | | | transit-gateway-route-table* (p. 653) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| DisassociateVpcCidrBlock | Grants permission to disassociate a CIDR block from a VPC | Write | | | |
| EnableEbsEncryptionByDefault | Grants permission to enable EBS encryption by default for your account | Write | | | |
| EnableFastSnapshotRestores | Grants permission to enable fast snapshot restores for one or more snapshots in specified Availability Zones | Write | snapshot* (p. 650) | aws:ResourceTag/${TagKey} (p. 658), ec2:Owner (p. 660), ec2:ParentVolume (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:SnapshotTime (p. 661), ec2:VolumeSize (p. 662) | |
| EnableTransitGatewayRouteTablePropagation | Grants permission to enable an attachment to propagate routes to a propagation route table | Write | transit-gateway-attachment* (p. 652) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| | | | transit-gateway-route-table* (p. 653) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| EnableVgwRoutePropagation | Grants permission to enable a virtual private gateway to propagate routes to a VPC route table | Write | route-table* (p. 650) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662) | |
| | | | vpn-gateway* (p. 658) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| EnableVolumeIO | Grants permission to enable I/O operations for a volume that had I/O operations disabled | Write | volume* (p. 654) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:Encrypted (p. 659), ec2:ParentSnapshot (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:VolumeIops (p. 662), ec2:VolumeSize (p. 662), ec2:VolumeThroughput (p. 662), ec2:VolumeType (p. 662) | |
| EnableVpcClassicLink | Grants permission to enable a VPC for ClassicLink | Write | vpc* (p. 655) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661) | |
| EnableVpcClassicLinkDnsSupport | Grants permission to enable a VPC to support DNS hostname resolution for ClassicLink | Write | vpc (p. 655) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661) | |
| ExportClientVpnClientCertificateRevocationList | Grants permission to download the client certificate revocation list for a Client VPN endpoint | List | client-vpn-endpoint* (p. 639) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ServerCertificateArn (p. 661), ec2:ClientRootCertificateChainArn (p. 659), ec2:DirectoryArn (p. 659), ec2:SamlProviderArn (p. 661), ec2:CloudwatchLogGroupArn (p. 659), ec2:CloudwatchLogStreamArn (p. 659) | |
| ExportClientVpnClientConfiguration | Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint | List | client-vpn-endpoint* (p. 639) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ServerCertificateArn (p. 661), ec2:ClientRootCertificateChainArn (p. 659), ec2:DirectoryArn (p. 659), ec2:SamlProviderArn (p. 661), ec2:CloudwatchLogGroupArn (p. 659), ec2:CloudwatchLogStreamArn (p. 659) | |
| ExportImage | Grants permission to export an Amazon Machine Image (AMI) to a VM file | Write | image* (p. 643) | aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:ImageType (p. 659), ec2:Owner (p. 660), ec2:Public (p. 661), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661) | |
| ExportTransitGatewayRoutes | Grants permission to export routes from a transit gateway route table to an Amazon S3 bucket | Write | transit-gateway-route-table* (p. 653) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| GetAssociatedEnclaveCertificateIamRoles | Grants permission to get the list of roles associated with an ACM certificate | Read | certificate* (p. 639) | | |
| GetAssociatedIpv6PoolCidrs | Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool | Read | ipv6pool-ec2* (p. 645) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| GetCapacityReservationUsage | Grants permission to get usage information about a Capacity Reservation | Read | capacity-reservation* (p. 638) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| GetCoipPoolUsage | Grants permission to describe the allocations from the specified customer-owned address pool | Read | | | |
| GetConsoleOutput | Grants permission to get the console output for an instance | Read | instance* (p. 644) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661) | |
| GetConsoleScreenshot | Grants permission to retrieve a JPG-format screenshot of a running instance | Read | instance* (p. 644) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661) | |
| GetDefaultCreditSpecification | Grants permission to get the default credit option for CPU usage of a burstable performance instance family | Read | | | |
| GetEbsDefaultKmsKeyId | Grants permission to get the ID of the default customer master key (CMK) for EBS encryption by default | Read | | | |
| GetEbsEncryptionByDefault | Grants permission to describe whether EBS encryption by default is enabled for your account | Read | | | |
| GetGroupsForCapacityReservation | Grants permission to list the resource groups to which a Capacity Reservation has been added | List | capacity-reservation* (p. 638) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| GetHostReservationPurchasePreview | Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host | Read | dedicated-host* (p. 640) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:AutoPlacement (p. 659), ec2:AvailabilityZone (p. 659), ec2:InstanceType (p. 659), ec2:Quantity (p. 661), ec2:HostRecovery (p. 659) | |
| GetLaunchTemplateData | Grants permission to get the configuration data of the specified instance for use with a new launch template or launch template version | Read | instance* (p. 644) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661) | |
| GetManagedPrefixListAssociations | Grants permission to get information about the resources that are associated with the specified managed prefix list | Read | prefix-list* (p. 649) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| GetManagedPrefixListEntries | Grants permission to get information about the entries for a specified managed prefix list | Read | prefix-list* (p. 649) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| GetPasswordData | Grants permission to retrieve the encrypted administrator password for a running Windows instance | Read | instance* (p. 644) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661) | |
| GetReservedInstancesExchangeQuote | Grants permission to return a quote and exchange information for exchanging one or more Convertible Reserved Instances for a new Convertible Reserved Instance | Read | reserved-instances (p. 649) | aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:InstanceType (p. 659), ec2:Region (p. 661), ec2:ReservedInstancesOfferingType (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661) | |
| GetTransitGatewayAttachmentPropagations | Grants permission to list the route tables to which a resource attachment propagates routes | List | transit-gateway-attachment* (p. 652) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| GetTransitGatewayMulticastDomainAssociations | Grants permission to get information about the associations for a transit gateway multicast domain | List | transit-gateway-multicast-domain (p. 653) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| GetTransitGatewayPrefixListReferences | Grants permission to get information about prefix list references for a transit gateway route table | List | transit-gateway-route-table* (p. 653) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| GetTransitGatewayRouteTableAssociations | Grants permission to get information about associations for a transit gateway route table | List | transit-gateway-route-table* (p. 653) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| GetTransitGatewayRouteTablePropagations | Grants permission to get information about the route table propagations for a transit gateway route table | List | transit-gateway-route-table* (p. 653) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661) | |
| ImportClientVpnClientCertificateRevocationList | Grants permission to upload a client certificate revocation list to a Client VPN endpoint | Write | client-vpn-endpoint* (p. 639) | aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ServerCertificateArn (p. 661), ec2:ClientRootCertificateChainArn (p. 659), ec2:DirectoryArn (p. 659), ec2:SamlProviderArn (p. 661), ec2:CloudwatchLogGroupArn (p. 659), ec2:CloudwatchLogStreamArn (p. 659) | |
ImportImage Grants permission to import Write snapshot aws:ResourceTag/


 
single or multi-volume disk (p. 650) ${TagKey}
images or EBS snapshots into an (p. 658)
Amazon Machine Image (AMI)
aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Owner
(p. 660)

ec2:ParentVolume
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:SnapshotTime
(p. 661)

ec2:VolumeSize
(p. 662)

Grants permission to create Write security- aws:ResourceTag/


 
ImportInstance an import instance task using group ${TagKey}
metadata from a disk image (p. 650) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

560
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

subnet aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

Grants permission to import a Write      


ImportKeyPair public key from an RSA key pair
that was created with a third-
party tool

Grants permission to import a Write snapshot aws:ResourceTag/


 
ImportSnapshot disk into an EBS snapshot (p. 650) ${TagKey}
(p. 658)

aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Owner
(p. 660)

ec2:ParentVolume
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:SnapshotTime
(p. 661)

ec2:VolumeSize
(p. 662)

Grants permission to create Write      


ImportVolume an import volume task using
metadata from a disk image

561
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify the Write      


ModifyAvailabilityZoneGroup
opt-in status of the Local Zone
and Wavelength Zone group for
your account

Grants permission to modify a Write capacity- aws:ResourceTag/


 
ModifyCapacityReservation
Capacity Reservation's capacity reservation* ${TagKey}
and the conditions under which (p. 638) (p. 658)
it is to be released
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to modify a Write client- aws:ResourceTag/


 
ModifyClientVpnEndpoint
Client VPN endpoint vpn- ${TagKey}
endpoint* (p. 658)
(p. 639)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:ServerCertificateArn
(p. 661)

ec2:ClientRootCertificateChainArn
(p. 659)

ec2:DirectoryArn
(p. 659)

ec2:SamlProviderArn
(p. 661)

ec2:CloudwatchLogGroupArn
(p. 659)

ec2:CloudwatchLogStreamArn
(p. 659)

562
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

security- aws:ResourceTag/
 
group ${TagKey}
(p. 650) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

vpc aws:ResourceTag/
 
(p. 655) ${TagKey}
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

Grants permission to change Write      


ModifyDefaultCreditSpecification
the account level default
credit option for CPU usage of
burstable performance instances

Grants permission to change Write      


ModifyEbsDefaultKmsKeyId
the default customer master
key (CMK) for EBS encryption by
default for your account

ModifyFleet Grants permission to modify an Write fleet* aws:ResourceTag/


 
EC2 Fleet (p. 642) ${TagKey}
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

563
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

image aws:ResourceTag/
 
(p. 643) ${TagKey}
(p. 658)

ec2:ImageType
(p. 659)

ec2:Owner
(p. 660)

ec2:Public
(p. 661)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

key-pair aws:ResourceTag/
 
(p. 645) ${TagKey}
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

launch- aws:ResourceTag/
 
template ${TagKey}
(p. 645) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

564
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

network- aws:ResourceTag/
 
interface ${TagKey}
(p. 648) (p. 658)

ec2:AuthorizedService
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Subnet
(p. 661)

ec2:Vpc
(p. 662)

ec2:AssociatePublicIpAddress
(p. 658)

security- aws:ResourceTag/
 
group ${TagKey}
(p. 650) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

565
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

snapshot aws:ResourceTag/
 
(p. 650) ${TagKey}
(p. 658)

ec2:Owner
(p. 660)

ec2:ParentVolume
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:SnapshotTime
(p. 661)

ec2:VolumeSize
(p. 662)

subnet aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

566
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify an Write fpga- aws:ResourceTag/


 
ModifyFpgaImageAttribute
attribute of an Amazon FPGA image* ${TagKey}
Image (AFI) (p. 642) (p. 658)

ec2:Owner
(p. 660)

ec2:Public
(p. 661)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ModifyHosts Grants permission to modify a Write dedicated- aws:ResourceTag/


 
Dedicated Host host* ${TagKey}
(p. 640) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:AutoPlacement
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:InstanceType
(p. 659)

ec2:Quantity
(p. 661)

ec2:HostRecovery
(p. 659)

Grants permission to modify the Write      


ModifyIdFormat ID format for a resource

Grants permission to modify Write      


ModifyIdentityIdFormat
the ID format of a resource for a
specific principal in your account

567
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify an Write image* aws:ResourceTag/


 
ModifyImageAttribute
attribute of an Amazon Machine (p. 643) ${TagKey}
Image (AMI) (p. 658)

ec2:ImageType
(p. 659)

ec2:Owner
(p. 660)

ec2:Public
(p. 661)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

Grants permission to modify an Write instance* aws:ResourceTag/


 
ModifyInstanceAttribute
attribute of an instance (p. 644) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

568
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

security- aws:ResourceTag/
 
group ${TagKey}
(p. 650) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

volume aws:ResourceTag/
 
(p. 654) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Encrypted
(p. 659)

ec2:ParentSnapshot
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:VolumeIops
(p. 662)

ec2:VolumeSize
(p. 662)

ec2:VolumeThroughput
(p. 662)

ec2:VolumeType
(p. 662)

569
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify the Write instance* aws:ResourceTag/


 
ModifyInstanceCapacityReservationAttributes
Capacity Reservation settings for (p. 644) ${TagKey}
a stopped instance (p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

capacity- aws:ResourceTag/
 
reservation ${TagKey}
(p. 638) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

570
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify the Write instance* aws:ResourceTag/


 
ModifyInstanceCreditSpecification
credit option for CPU usage on (p. 644) ${TagKey}
an instance (p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

571
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify the Write instance* aws:ResourceTag/


 
ModifyInstanceEventStartTime
start time for a scheduled EC2 (p. 644) ${TagKey}
instance event (p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

572
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify Write instance* aws:ResourceTag/


 
ModifyInstanceMetadataOptions
the metadata options for an (p. 644) ${TagKey}
instance (p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

573
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify Write instance* aws:ResourceTag/


 
ModifyInstancePlacement
the placement attributes for an (p. 644) ${TagKey}
instance (p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

574
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

dedicated- aws:ResourceTag/
 
host ${TagKey}
(p. 640) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:AutoPlacement
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:InstanceType
(p. 659)

ec2:Quantity
(p. 661)

ec2:HostRecovery
(p. 659)

placement- aws:ResourceTag/
 
group ${TagKey}
(p. 649) (p. 658)

ec2:PlacementGroupStrategy
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to modify a Write launch- aws:ResourceTag/


 
ModifyLaunchTemplate
launch template template* ${TagKey}
(p. 645) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

575
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify a Write prefix-list* aws:ResourceTag/


 
ModifyManagedPrefixList
managed prefix list (p. 649) ${TagKey}
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to modify an Write network- aws:ResourceTag/


 
ModifyNetworkInterfaceAttribute
attribute of a network interface interface* ${TagKey}
(p. 648) (p. 658)

ec2:AuthorizedService
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Subnet
(p. 661)

ec2:Vpc
(p. 662)

ec2:AssociatePublicIpAddress
(p. 658)

576
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

instance aws:ResourceTag/
 
(p. 644) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

security- aws:ResourceTag/
 
group ${TagKey}
(p. 650) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

577
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify Write reserved- aws:ResourceTag/


 
ModifyReservedInstances
attributes of one or more instances* ${TagKey}
Reserved Instances (p. 649) (p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:InstanceType
(p. 659)

ec2:Region
(p. 661)

ec2:ReservedInstancesOfferingType
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

Grants permission to add or Permissions snapshot* aws:ResourceTag/


 
ModifySnapshotAttribute
remove permission settings for a management (p. 650) ${TagKey}
snapshot (p. 658)

ec2:Owner
(p. 660)

ec2:ParentVolume
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:SnapshotTime
(p. 661)

ec2:VolumeSize
(p. 662)

578
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify a Write spot- aws:ResourceTag/


 
ModifySpotFleetRequest
Spot Fleet request fleet- ${TagKey}
request* (p. 658)
(p. 651)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to modify an Write subnet* aws:ResourceTag/


 
ModifySubnetAttribute
attribute of a subnet (p. 651) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

Grants permission to allow Write traffic- aws:ResourceTag/


 
ModifyTrafficMirrorFilterNetworkServices
or restrict mirroring network mirror- ${TagKey}
services filter* (p. 658)
(p. 651)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to modify a Write traffic- aws:ResourceTag/


 
ModifyTrafficMirrorFilterRule
traffic mirror rule mirror- ${TagKey}
filter* (p. 658)
(p. 651)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

traffic- ec2:Region  
mirror- (p. 661)
filter-rule*
(p. 652)

579
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify a Write traffic- aws:ResourceTag/


 
ModifyTrafficMirrorSession
traffic mirror session mirror- ${TagKey}
session* (p. 658)
(p. 652)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

traffic- aws:ResourceTag/
 
mirror- ${TagKey}
filter (p. 658)
(p. 651)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

traffic- aws:ResourceTag/
 
mirror- ${TagKey}
target (p. 658)
(p. 652)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to modify a Write transit- aws:ResourceTag/


 
ModifyTransitGateway
transit gateway gateway* ${TagKey}
(p. 653) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

transit- aws:ResourceTag/
 
gateway- ${TagKey}
route- (p. 658)
table
(p. 653) ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

580
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify Write prefix-list* aws:ResourceTag/


 
ModifyTransitGatewayPrefixListReference
a transit gateway prefix list (p. 649) ${TagKey}
reference (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

transit- aws:ResourceTag/
 
gateway- ${TagKey}
route- (p. 658)
table*
(p. 653) ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

transit- aws:ResourceTag/
 
gateway- ${TagKey}
attachment (p. 658)
(p. 652)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to modify Write transit- aws:ResourceTag/


 
ModifyTransitGatewayVpcAttachment
a VPC attachment on a transit gateway- ${TagKey}
gateway attachment* (p. 658)
(p. 652)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

581
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

subnet aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

Grants permission to modify the Write volume* aws:ResourceTag/


 
ModifyVolume parameters of an EBS volume (p. 654) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Encrypted
(p. 659)

ec2:ParentSnapshot
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:VolumeIops
(p. 662)

ec2:VolumeSize
(p. 662)

ec2:VolumeThroughput
(p. 662)

ec2:VolumeType
(p. 662)

582
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify an Write volume* aws:ResourceTag/


 
ModifyVolumeAttribute
attribute of a volume (p. 654) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Encrypted
(p. 659)

ec2:ParentSnapshot
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:VolumeIops
(p. 662)

ec2:VolumeSize
(p. 662)

ec2:VolumeThroughput
(p. 662)

ec2:VolumeType
(p. 662)

Grants permission to modify an Write vpc* aws:ResourceTag/


 
ModifyVpcAttribute
attribute of a VPC (p. 655) ${TagKey}
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

583
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify an Write vpc- aws:ResourceTag/


 
ModifyVpcEndpoint
attribute of a VPC endpoint endpoint* ${TagKey}
(p. 654) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

route- aws:ResourceTag/
 
table ${TagKey}
(p. 650) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

security- aws:ResourceTag/
 
group ${TagKey}
(p. 650) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

subnet aws:ResourceTag/
 
(p. 651) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Vpc
(p. 662)

584
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify Write vpc- aws:ResourceTag/


 
ModifyVpcEndpointConnectionNotification
a connection notification for a endpoint* ${TagKey}
VPC endpoint or VPC endpoint (p. 654) (p. 658)
service
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

vpc- aws:ResourceTag/
 
endpoint- ${TagKey}
service* (p. 658)
(p. 655)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:VpceServicePrivateDnsName
(p. 662)

Grants permission to modify the Write vpc- aws:ResourceTag/


 
ModifyVpcEndpointServiceConfiguration
attributes of a VPC endpoint endpoint- ${TagKey}
service configuration service* (p. 658)
(p. 655)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:VpceServicePrivateDnsName
(p. 662)

Grants permission to modify the Permissions vpc- aws:ResourceTag/


 
ModifyVpcEndpointServicePermissions
permissions for a VPC endpoint managementendpoint- ${TagKey}
service service* (p. 658)
(p. 655)
ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:VpceServicePrivateDnsName
(p. 662)

585
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify the Write vpc- aws:ResourceTag/


 
ModifyVpcPeeringConnectionOptions
VPC peering connection options peering- ${TagKey}
on one side of a VPC peering connection* (p. 658)
connection (p. 656)
ec2:AccepterVpc
(p. 658)

ec2:Region
(p. 661)

ec2:RequesterVpc
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

Grants permission to modify the Write vpc* aws:ResourceTag/


 
ModifyVpcTenancy
instance tenancy attribute of a (p. 655) ${TagKey}
VPC (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Tenancy
(p. 661)

586
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify the Write vpn- aws:ResourceTag/


 
ModifyVpnConnection
target gateway of a Site-to-Site connection* ${TagKey}
VPN connection (p. 657) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:AuthenticationType
(p. 658)

ec2:DPDTimeoutSeconds
(p. 659)

ec2:GatewayType
(p. 659)

ec2:IKEVersions
(p. 659)

ec2:InsideTunnelCidr
(p. 659)

ec2:Phase1DHGroupNumbers
(p. 660)

ec2:Phase2DHGroupNumbers
(p. 660)

ec2:Phase1EncryptionAlgorithms
(p. 660)

ec2:Phase2EncryptionAlgorithms
(p. 660)

ec2:Phase1IntegrityAlgorithms
(p. 660)

ec2:Phase2IntegrityAlgorithms
(p. 660)

ec2:Phase1LifetimeSeconds
(p. 660)

ec2:Phase2LifetimeSeconds
(p. 660)

ec2:PresharedKeys
(p. 661)

ec2:RekeyFuzzPercentage
(p. 661)

587
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)
ec2:RekeyMarginTimeSeconds
(p. 661)

ec2:RoutingType
(p. 661)

customer- aws:ResourceTag/
 
gateway ${TagKey}
(p. 640) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

transit- aws:ResourceTag/
 
gateway ${TagKey}
(p. 653) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

vpn- aws:ResourceTag/
 
gateway ${TagKey}
(p. 658) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

588
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify the Write vpn- aws:ResourceTag/


 
ModifyVpnConnectionOptions
connection options for your Site- connection* ${TagKey}
to-Site VPN connection (p. 657) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:AuthenticationType
(p. 658)

ec2:DPDTimeoutSeconds
(p. 659)

ec2:GatewayType
(p. 659)

ec2:IKEVersions
(p. 659)

ec2:InsideTunnelCidr
(p. 659)

ec2:Phase1DHGroupNumbers
(p. 660)

ec2:Phase2DHGroupNumbers
(p. 660)

ec2:Phase1EncryptionAlgorithms
(p. 660)

ec2:Phase2EncryptionAlgorithms
(p. 660)

ec2:Phase1IntegrityAlgorithms
(p. 660)

ec2:Phase2IntegrityAlgorithms
(p. 660)

ec2:Phase1LifetimeSeconds
(p. 660)

ec2:Phase2LifetimeSeconds
(p. 660)

ec2:PresharedKeys
(p. 661)

ec2:RekeyFuzzPercentage
(p. 661)

589
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)
ec2:RekeyMarginTimeSeconds
(p. 661)

ec2:RoutingType
(p. 661)

590
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify the Write vpn- aws:ResourceTag/


 
ModifyVpnTunnelCertificate
certificate for a Site-to-Site VPN connection* ${TagKey}
connection (p. 657) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:AuthenticationType
(p. 658)

ec2:DPDTimeoutSeconds
(p. 659)

ec2:GatewayType
(p. 659)

ec2:IKEVersions
(p. 659)

ec2:InsideTunnelCidr
(p. 659)

ec2:Phase1DHGroupNumbers
(p. 660)

ec2:Phase2DHGroupNumbers
(p. 660)

ec2:Phase1EncryptionAlgorithms
(p. 660)

ec2:Phase2EncryptionAlgorithms
(p. 660)

ec2:Phase1IntegrityAlgorithms
(p. 660)

ec2:Phase2IntegrityAlgorithms
(p. 660)

ec2:Phase1LifetimeSeconds
(p. 660)

ec2:Phase2LifetimeSeconds
(p. 660)

ec2:PresharedKeys
(p. 661)

ec2:RekeyFuzzPercentage
(p. 661)

591
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)
ec2:RekeyMarginTimeSeconds
(p. 661)

ec2:RoutingType
(p. 661)

592
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify the Write vpn- aws:ResourceTag/


 
ModifyVpnTunnelOptions
options for a Site-to-Site VPN connection* ${TagKey}
connection (p. 657) (p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:AuthenticationType
(p. 658)

ec2:DPDTimeoutSeconds
(p. 659)

ec2:GatewayType
(p. 659)

ec2:IKEVersions
(p. 659)

ec2:InsideTunnelCidr
(p. 659)

ec2:Phase1DHGroupNumbers
(p. 660)

ec2:Phase2DHGroupNumbers
(p. 660)

ec2:Phase1EncryptionAlgorithms
(p. 660)

ec2:Phase2EncryptionAlgorithms
(p. 660)

ec2:Phase1IntegrityAlgorithms
(p. 660)

ec2:Phase2IntegrityAlgorithms
(p. 660)

ec2:Phase1LifetimeSeconds
(p. 660)

ec2:Phase2LifetimeSeconds
(p. 660)

ec2:PresharedKeys
(p. 661)

ec2:RekeyFuzzPercentage
(p. 661)

593
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)
ec2:RekeyMarginTimeSeconds
(p. 661)

ec2:RoutingType
(p. 661)

Grants permission to enable Write instance* aws:ResourceTag/


 
MonitorInstances detailed monitoring for a (p. 644) ${TagKey}
running instance (p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

Grants permission to move an Write      


MoveAddressToVpc
Elastic IP address from the EC2-
Classic platform to the EC2-VPC
platform

Grants permission to provision Write      


ProvisionByoipCidr
an address range for use in
AWS through bring your own IP
addresses (BYOIP), and to create
a corresponding address pool

594
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to purchase a Write dedicated- aws:ResourceTag/


 
PurchaseHostReservation
reservation with configurations host* ${TagKey}
that match those of a Dedicated (p. 640) (p. 658)
Host
aws:RequestTag/
${TagKey}
(p. 658)

aws:TagKeys
(p. 658)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:AutoPlacement
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:InstanceType
(p. 659)

ec2:Quantity
(p. 661)

ec2:HostRecovery
(p. 659)

Grants permission to purchase a Write      


PurchaseReservedInstancesOffering
Reserved Instance offering

Grants permission to purchase Write      


PurchaseScheduledInstances
one or more Scheduled
Instances with a specified
schedule

595
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to request a Write instance* aws:ResourceTag/


 
RebootInstances reboot of one or more instances (p. 644) ${TagKey}
(p. 658)

ec2:AvailabilityZone
(p. 659)

ec2:EbsOptimized
(p. 659)

ec2:InstanceProfile
(p. 659)

ec2:InstanceType
(p. 659)

ec2:PlacementGroup
(p. 660)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:RootDeviceType
(p. 661)

ec2:Tenancy
(p. 661)

Grants permission to register an Write      


RegisterImage Amazon Machine Image (AMI)

Grants permission to add tags Write      


RegisterInstanceEventNotificationAttributes
to the set of tags to include in
notifications about scheduled
events for your instances

596
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to register Write network- aws:ResourceTag/


 
RegisterTransitGatewayMulticastGroupMembers
one or more network interfaces interface* ${TagKey}
as a member of a group IP (p. 648) (p. 658)
address in a transit gateway
multicast domain ec2:AuthorizedService
(p. 659)

ec2:AvailabilityZone
(p. 659)

ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

ec2:Subnet
(p. 661)

ec2:Vpc
(p. 662)

ec2:AssociatePublicIpAddress
(p. 658)

transit- aws:ResourceTag/
 
gateway- ${TagKey}
multicast- (p. 658)
domain*
(p. 653) ec2:Region
(p. 661)

ec2:ResourceTag/
${TagKey}
(p. 661)

597
Service Authorization Reference
Service Authorization Reference
Amazon EC2

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

RegisterTransitGatewayMulticastGroupSources
  Description: Grants permission to register one or more network interfaces as a source of a group IP address in a transit gateway multicast domain
  Access level: Write
  Resource types (*required) / condition keys:
    network-interface* (p. 648): aws:ResourceTag/${TagKey} (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658)
    transit-gateway-multicast-domain* (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)


RejectTransitGatewayMulticastDomainAssociations
  Description: Grants permission to reject requests to associate cross-account subnets with a transit gateway multicast domain
  Access level: Write
  Resource types (*required) / condition keys:
    subnet (p. 651): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    transit-gateway-attachment (p. 652): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-multicast-domain (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)


RejectTransitGatewayPeeringAttachment
  Description: Grants permission to reject a transit gateway peering attachment request
  Access level: Write
  Resource types (*required) / condition keys:
    transit-gateway-attachment* (p. 652): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

RejectTransitGatewayVpcAttachment
  Description: Grants permission to reject a request to attach a VPC to a transit gateway
  Access level: Write
  Resource types (*required) / condition keys:
    transit-gateway-attachment* (p. 652): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

RejectVpcEndpointConnections
  Description: Grants permission to reject one or more VPC endpoint connection requests to a VPC endpoint service
  Access level: Write
  Resource types (*required) / condition keys:
    vpc-endpoint* (p. 654): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    vpc-endpoint-service* (p. 655): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:VpceServicePrivateDnsName (p. 662)


RejectVpcPeeringConnection
  Description: Grants permission to reject a VPC peering connection request
  Access level: Write
  Resource types (*required) / condition keys:
    vpc-peering-connection* (p. 656): aws:ResourceTag/${TagKey} (p. 658), ec2:AccepterVpc (p. 658), ec2:Region (p. 661), ec2:RequesterVpc (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

ReleaseAddress
  Description: Grants permission to release an Elastic IP address
  Access level: Write
  Resource types (*required) / condition keys:
    elastic-ip (p. 638): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

ReleaseHosts
  Description: Grants permission to release one or more On-Demand Dedicated Hosts
  Access level: Write
  Resource types (*required) / condition keys:
    dedicated-host* (p. 640): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:AutoPlacement (p. 659), ec2:AvailabilityZone (p. 659), ec2:InstanceType (p. 659), ec2:Quantity (p. 661), ec2:HostRecovery (p. 659)


ReplaceIamInstanceProfileAssociation
  Description: Grants permission to replace an IAM instance profile for an instance
  Access level: Write
  Resource types (*required) / condition keys:
    instance* (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)
  Dependent actions: iam:PassRole

ReplaceNetworkAclAssociation
  Description: Grants permission to change which network ACL a subnet is associated with
  Access level: Write
  Resource types (*required) / condition keys:
    network-acl* (p. 647): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)


ReplaceNetworkAclEntry
  Description: Grants permission to replace an entry (rule) in a network ACL
  Access level: Write
  Resource types (*required) / condition keys:
    network-acl* (p. 647): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)

ReplaceRoute
  Description: Grants permission to replace a route within a route table in a VPC
  Access level: Write
  Resource types (*required) / condition keys:
    route-table* (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    carrier-gateway (p. 639): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662), ec2:Tenancy (p. 661)
    egress-only-internet-gateway (p. 641): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    instance (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)
    internet-gateway (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    local-gateway (p. 646): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    natgateway (p. 647): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    network-interface (p. 648): aws:ResourceTag/${TagKey} (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658)
    prefix-list (p. 649): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    vpc-peering-connection (p. 656): aws:ResourceTag/${TagKey} (p. 658), ec2:AccepterVpc (p. 658), ec2:Region (p. 661), ec2:RequesterVpc (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    vpn-gateway (p. 658): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)


ReplaceRouteTableAssociation
  Description: Grants permission to change the route table that is associated with a subnet
  Access level: Write
  Resource types (*required) / condition keys:
    route-table* (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)

ReplaceTransitGatewayRoute
  Description: Grants permission to replace a route in a transit gateway route table
  Access level: Write
  Resource types (*required) / condition keys:
    transit-gateway-route-table* (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    transit-gateway-attachment (p. 652): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)


ReportInstanceStatus
  Description: Grants permission to submit feedback about the status of an instance
  Access level: Write
  Resource types (*required) / condition keys:
    instance* (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)

RequestSpotFleet
  Description: Grants permission to create a Spot Fleet request
  Access level: Write
  Resource types (*required) / condition keys:
    security-group (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)


RequestSpotInstances
  Description: Grants permission to create a Spot Instance request
  Access level: Write
  Resource types (*required) / condition keys:
    image (p. 643): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:ImageType (p. 659), ec2:Owner (p. 660), ec2:Public (p. 661), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661)
    key-pair (p. 645): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    security-group (p. 650): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    subnet (p. 651): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)

ResetEbsDefaultKmsKeyId
  Description: Grants permission to reset the default customer master key (CMK) for EBS encryption for your account to use the AWS-managed CMK for EBS
  Access level: Write


ResetFpgaImageAttribute
  Description: Grants permission to reset an attribute of an Amazon FPGA Image (AFI) to its default value
  Access level: Write
  Resource types (*required) / condition keys:
    fpga-image* (p. 642): aws:ResourceTag/${TagKey} (p. 658), ec2:Owner (p. 660), ec2:Public (p. 661), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

ResetImageAttribute
  Description: Grants permission to reset an attribute of an Amazon Machine Image (AMI) to its default value
  Access level: Write
  Resource types (*required) / condition keys:
    image* (p. 643): aws:ResourceTag/${TagKey} (p. 658), ec2:ImageType (p. 659), ec2:Owner (p. 660), ec2:Public (p. 661), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661)


ResetInstanceAttribute
  Description: Grants permission to reset an attribute of an instance to its default value
  Access level: Write
  Resource types (*required) / condition keys:
    instance* (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)


ResetNetworkInterfaceAttribute
  Description: Grants permission to reset an attribute of a network interface
  Access level: Write
  Resource types (*required) / condition keys:
    network-interface* (p. 648): aws:ResourceTag/${TagKey} (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658)

ResetSnapshotAttribute
  Description: Grants permission to reset permission settings for a snapshot
  Access level: Permissions management
  Resource types (*required) / condition keys:
    snapshot* (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Owner (p. 660), ec2:ParentVolume (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:SnapshotTime (p. 661), ec2:VolumeSize (p. 662)

RestoreAddressToClassic
  Description: Grants permission to restore an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform
  Access level: Write


RestoreManagedPrefixListVersion
  Description: Grants permission to restore the entries from a previous version of a managed prefix list to a new version of the prefix list
  Access level: Write
  Resource types (*required) / condition keys:
    prefix-list* (p. 649): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

RevokeClientVpnIngress
  Description: Grants permission to remove an inbound authorization rule from a Client VPN endpoint
  Access level: Write
  Resource types (*required) / condition keys:
    client-vpn-endpoint* (p. 639): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ServerCertificateArn (p. 661), ec2:ClientRootCertificateChainArn (p. 659), ec2:DirectoryArn (p. 659), ec2:SamlProviderArn (p. 661), ec2:CloudwatchLogGroupArn (p. 659), ec2:CloudwatchLogStreamArn (p. 659)

RevokeSecurityGroupEgress
  Description: Grants permission to remove one or more outbound rules from a VPC security group
  Access level: Write
  Resource types (*required) / condition keys:
    security-group* (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)


RevokeSecurityGroupIngress
  Description: Grants permission to remove one or more inbound rules from a security group
  Access level: Write
  Resource types (*required) / condition keys:
    security-group* (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)

RunInstances
  Description: Grants permission to launch one or more instances
  Access level: Write
  Resource types (*required) / condition keys:
    image* (p. 643): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:ImageType (p. 659), ec2:Owner (p. 660), ec2:Public (p. 661), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661)
    instance* (p. 644): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)
    network-interface* (p. 648): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658)
    security-group* (p. 650): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    subnet* (p. 651): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    volume* (p. 654): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AvailabilityZone (p. 659), ec2:Encrypted (p. 659), ec2:ParentSnapshot (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:VolumeIops (p. 662), ec2:VolumeSize (p. 662), ec2:VolumeThroughput (p. 662), ec2:VolumeType (p. 662)
    capacity-reservation (p. 638): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    elastic-gpu (p. 641): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ElasticGpuType (p. 659)
    elastic-inference (p. 641): (no condition keys)
    key-pair (p. 645): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    launch-template (p. 645): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    placement-group (p. 649): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:PlacementGroupStrategy (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    snapshot (p. 650): aws:ResourceTag/${TagKey} (p. 658), aws:RequestTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Owner (p. 660), ec2:ParentVolume (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:SnapshotTime (p. 661), ec2:VolumeSize (p. 662)
  Launch scenarios (resource types per scenario, *required):
    SCENARIO: EC2-Classic-EBS: image* (p. 643), instance* (p. 644), security-group* (p. 650), volume* (p. 654), key-pair (p. 645), placement-group (p. 649), snapshot (p. 650)
    SCENARIO: EC2-Classic-InstanceStore: image* (p. 643), instance* (p. 644), security-group* (p. 650), key-pair (p. 645), placement-group (p. 649), snapshot (p. 650)
    SCENARIO: EC2-VPC-EBS: image* (p. 643), instance* (p. 644), network-interface* (p. 648), security-group* (p. 650), volume* (p. 654), key-pair (p. 645), placement-group (p. 649), snapshot (p. 650)
    SCENARIO: EC2-VPC-EBS-Subnet: image* (p. 643), instance* (p. 644), network-interface* (p. 648), security-group* (p. 650), subnet* (p. 651), volume* (p. 654), key-pair (p. 645), placement-group (p. 649), snapshot (p. 650)
    SCENARIO: EC2-VPC-InstanceStore: image* (p. 643), instance* (p. 644), network-interface* (p. 648), security-group* (p. 650), key-pair (p. 645), placement-group (p. 649), snapshot (p. 650)
    SCENARIO: EC2-VPC-InstanceStore-Subnet: image* (p. 643), instance* (p. 644), network-interface* (p. 648), security-group* (p. 650), subnet* (p. 651), key-pair (p. 645), placement-group (p. 649), snapshot (p. 650)

RunScheduledInstances
  Description: Grants permission to launch one or more Scheduled Instances
  Access level: Write
  Resource types (*required) / condition keys:
    image* (p. 643): aws:ResourceTag/${TagKey} (p. 658), ec2:ImageType (p. 659), ec2:Owner (p. 660), ec2:Public (p. 661), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661)
    key-pair (p. 645): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    network-interface (p. 648): aws:ResourceTag/${TagKey} (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658)
    placement-group (p. 649): aws:ResourceTag/${TagKey} (p. 658), ec2:PlacementGroupStrategy (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)
    security-group (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)
    snapshot (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Owner (p. 660), ec2:ParentVolume (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:SnapshotTime (p. 661), ec2:VolumeSize (p. 662)
    subnet (p. 651): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)


SearchLocalGatewayRoutes
  Description: Grants permission to search for routes in a local gateway route table
  Access level: List
  Resource types (*required) / condition keys:
    local-gateway-route-table* (p. 646): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

SearchTransitGatewayMulticastGroups
  Description: Grants permission to search for groups, sources, and members in a transit gateway multicast domain
  Access level: List
  Resource types (*required) / condition keys:
    transit-gateway-multicast-domain (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

SearchTransitGatewayRoutes
  Description: Grants permission to search for routes in a transit gateway route table
  Access level: List
  Resource types (*required) / condition keys:
    transit-gateway-route-table* (p. 653): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)


SendDiagnosticInterrupt
  Description: Grants permission to send a diagnostic interrupt to an Amazon EC2 instance
  Access level: Write
  Resource types (*required) / condition keys:
    instance* (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)


StartInstances
  Description: Grants permission to start a stopped instance
  Access level: Write
  Resource types (*required) / condition keys:
    instance* (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)

StartNetworkInsightsAnalysis
  Description: Grants permission to start analyzing a specified path
  Access level: Write
  Resource types (*required) / condition keys:
    network-insights-path* (p. 648): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)


StartVpcEndpointServicePrivateDnsVerification
  Description: Grants permission to start the private DNS verification process for a VPC endpoint service
  Access level: Write
  Resource types (*required) / condition keys:
    vpc-endpoint-service* (p. 655): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:VpceServicePrivateDnsName (p. 662)

StopInstances
  Description: Grants permission to stop an Amazon EBS-backed instance
  Access level: Write
  Resource types (*required) / condition keys:
    instance* (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)


TerminateClientVpnConnections
  Description: Grants permission to terminate active Client VPN endpoint connections
  Access level: Write
  Resource types (*required) / condition keys:
    client-vpn-endpoint* (p. 639): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:ServerCertificateArn (p. 661), ec2:ClientRootCertificateChainArn (p. 659), ec2:DirectoryArn (p. 659), ec2:SamlProviderArn (p. 661), ec2:CloudwatchLogGroupArn (p. 659), ec2:CloudwatchLogStreamArn (p. 659)
    vpn-connection (p. 657): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:AuthenticationType (p. 658), ec2:DPDTimeoutSeconds (p. 659), ec2:GatewayType (p. 659), ec2:IKEVersions (p. 659), ec2:InsideTunnelCidr (p. 659), ec2:Phase1DHGroupNumbers (p. 660), ec2:Phase2DHGroupNumbers (p. 660), ec2:Phase1EncryptionAlgorithms (p. 660), ec2:Phase2EncryptionAlgorithms (p. 660), ec2:Phase1IntegrityAlgorithms (p. 660), ec2:Phase2IntegrityAlgorithms (p. 660), ec2:Phase1LifetimeSeconds (p. 660), ec2:Phase2LifetimeSeconds (p. 660), ec2:PresharedKeys (p. 661), ec2:RekeyFuzzPercentage (p. 661), ec2:RekeyMarginTimeSeconds (p. 661), ec2:RoutingType (p. 661)

TerminateInstances
  Description: Grants permission to shut down one or more instances
  Access level: Write
  Resource types (*required) / condition keys:
    instance* (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)


UnassignIpv6Addresses
  Description: Grants permission to unassign one or more IPv6 addresses from a network interface
  Access level: Write
  Resource types (*required) / condition keys:
    network-interface* (p. 648): aws:ResourceTag/${TagKey} (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658)

UnassignPrivateIpAddresses
  Description: Grants permission to unassign one or more secondary private IP addresses from a network interface
  Access level: Write
  Resource types (*required) / condition keys:
    network-interface* (p. 648): aws:ResourceTag/${TagKey} (p. 658), ec2:AuthorizedService (p. 659), ec2:AvailabilityZone (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Subnet (p. 661), ec2:Vpc (p. 662), ec2:AssociatePublicIpAddress (p. 658)


UnmonitorInstances
  Description: Grants permission to disable detailed monitoring for a running instance
  Access level: Write
  Resource types (*required) / condition keys:
    instance* (p. 644): aws:ResourceTag/${TagKey} (p. 658), ec2:AvailabilityZone (p. 659), ec2:EbsOptimized (p. 659), ec2:InstanceProfile (p. 659), ec2:InstanceType (p. 659), ec2:PlacementGroup (p. 660), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:RootDeviceType (p. 661), ec2:Tenancy (p. 661)

UpdateSecurityGroupRuleDescriptionsEgress
  Description: Grants permission to update descriptions for one or more outbound rules in a VPC security group
  Access level: Write
  Resource types (*required) / condition keys:
    security-group* (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)


UpdateSecurityGroupRuleDescriptionsIngress
  Description: Grants permission to update descriptions for one or more inbound rules in a security group
  Access level: Write
  Resource types (*required) / condition keys:
    security-group* (p. 650): aws:ResourceTag/${TagKey} (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Vpc (p. 662)

WithdrawByoipCidr
  Description: Grants permission to stop advertising an address range that was provisioned for use in AWS through bring your own IP addresses (BYOIP)
  Access level: Write

Resource types defined by Amazon EC2


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 379) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).
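An added example, not part of the reference itself: an identity-based policy that puts the elastic-ip ARN pattern from the table that follows, and the per-resource condition keys the actions table lists for RunInstances and ReleaseAddress, to work as a least-privilege guardrail. The account ID 111122223333, the region us-east-1, the instance types and the tag values are constructed placeholders; the instance, image, network-interface, security-group, subnet, volume and key-pair ARN patterns are assumed to follow the same scheme as the resource types the actions table references (pp. 643-654), which fall outside this excerpt.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchInstanceResourceWithGuardrails",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": ["t3.micro", "t3.small"],
          "aws:RequestTag/Project": "sandbox"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Project", "Owner"]
        }
      }
    },
    {
      "Sid": "OtherResourceTypesRunInstancesRequires",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1::image/ami-*",
        "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
        "arn:aws:ec2:us-east-1:111122223333:security-group/*",
        "arn:aws:ec2:us-east-1:111122223333:subnet/*",
        "arn:aws:ec2:us-east-1:111122223333:volume/*",
        "arn:aws:ec2:us-east-1:111122223333:key-pair/*"
      ]
    },
    {
      "Sid": "ReleaseOnlyProjectTaggedElasticIps",
      "Effect": "Allow",
      "Action": "ec2:ReleaseAddress",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:elastic-ip/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Project": "sandbox"
        }
      }
    }
  ]
}
```

The instance-scoped keys (ec2:InstanceType, aws:RequestTag, aws:TagKeys) are only valid on the instance resource, which is why the other resource types RunInstances needs sit in a separate statement without those conditions. A condition that names a key absent for a given resource evaluates as no match, and a launch that fails authorization on any one of its resources is denied as a whole.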

Resource types table columns: Resource types | ARN | Condition keys

elastic-ip
  ARN: arn:${Partition}:ec2:${Region}:${Account}:elastic-ip/${AllocationId}
  Condition keys: aws:RequestTag/${TagKey} (p. 658), aws:ResourceTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

capacity-reservation
  ARN: arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation/${CapacityReservationId}
  Condition keys: aws:RequestTag/${TagKey} (p. 658), aws:ResourceTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

carrier-gateway
  ARN: arn:${Partition}:ec2:${Region}:${Account}:carrier-gateway/${CarrierGatewayId}
  Condition keys: aws:RequestTag/${TagKey} (p. 658), aws:ResourceTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:Tenancy (p. 661), ec2:Vpc (p. 662)

certificate
  ARN: arn:${Partition}:acm:${Region}:${Account}:certificate/${CertificateId}
  Condition keys: (none)

client-vpn-endpoint
  ARN: arn:${Partition}:ec2:${Region}:${Account}:client-vpn-endpoint/${ClientVpnEndpointId}
  Condition keys: aws:RequestTag/${TagKey} (p. 658), aws:ResourceTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:ClientRootCertificateChainArn (p. 659), ec2:CloudwatchLogGroupArn (p. 659), ec2:CloudwatchLogStreamArn (p. 659), ec2:DirectoryArn (p. 659), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661), ec2:SamlProviderArn (p. 661), ec2:ServerCertificateArn (p. 661)


customer-gateway
  ARN: arn:${Partition}:ec2:${Region}:${Account}:customer-gateway/${CustomerGatewayId}
  Condition keys: aws:RequestTag/${TagKey} (p. 658), aws:ResourceTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

dedicated-host
  ARN: arn:${Partition}:ec2:${Region}:${Account}:dedicated-host/${DedicatedHostId}
  Condition keys: aws:RequestTag/${TagKey} (p. 658), aws:ResourceTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:AutoPlacement (p. 659), ec2:AvailabilityZone (p. 659), ec2:HostRecovery (p. 659), ec2:InstanceType (p. 659), ec2:Quantity (p. 661), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

dhcp-options
  ARN: arn:${Partition}:ec2:${Region}:${Account}:dhcp-options/${DhcpOptionsId}
  Condition keys: aws:RequestTag/${TagKey} (p. 658), aws:ResourceTag/${TagKey} (p. 658), aws:TagKeys (p. 658), ec2:Region (p. 661), ec2:ResourceTag/${TagKey} (p. 661)

egress-only-internet-gateway
  ARN: arn:${Partition}:ec2:${Region}:${Account}:egress-only-internet-gateway/${EgressOnlyInternetGatewayId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

elastic-gpu
  ARN: arn:${Partition}:ec2:${Region}:${Account}:elastic-gpu/${ElasticGpuId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:ElasticGpuType, ec2:Region, ec2:ResourceTag/${TagKey}

elastic-inference
  ARN: arn:${Partition}:elastic-inference:${Region}:${Account}:elastic-inference-accelerator/${ElasticInferenceAcceleratorId}
  Condition keys: none

export-image-task
  ARN: arn:${Partition}:ec2:${Region}:${Account}:export-image-task/${ExportImageTaskId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

export-instance-task
  ARN: arn:${Partition}:ec2:${Region}:${Account}:export-instance-task/${ExportTaskId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

fleet
  ARN: arn:${Partition}:ec2:${Region}:${Account}:fleet/${FleetId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

fpga-image
  ARN: arn:${Partition}:ec2:${Region}::fpga-image/${FpgaImageId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}

host-reservation
  ARN: arn:${Partition}:ec2:${Region}:${Account}:host-reservation/${HostReservationId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

image
  ARN: arn:${Partition}:ec2:${Region}::image/${ImageId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType

import-image-task
  ARN: arn:${Partition}:ec2:${Region}:${Account}:import-image-task/${ImportImageTaskId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

import-snapshot-task
  ARN: arn:${Partition}:ec2:${Region}:${Account}:import-snapshot-task/${ImportSnapshotTaskId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

instance
  ARN: arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:RootDeviceType, ec2:Tenancy

internet-gateway
  ARN: arn:${Partition}:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

ipv4pool-ec2
  ARN: arn:${Partition}:ec2:${Region}:${Account}:ipv4pool-ec2/${Ipv4PoolEc2Id}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

ipv6pool-ec2
  ARN: arn:${Partition}:ec2:${Region}:${Account}:ipv6pool-ec2/${Ipv6PoolEc2Id}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

key-pair
  ARN: arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

launch-template
  ARN: arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

local-gateway
  ARN: arn:${Partition}:ec2:${Region}:${Account}:local-gateway/${LocalGatewayId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

local-gateway-route-table-virtual-interface-group-association
  ARN: arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-virtual-interface-group-association/${LocalGatewayRouteTableVirtualInterfaceGroupAssociationId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

local-gateway-route-table-vpc-association
  ARN: arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-vpc-association/${LocalGatewayRouteTableVpcAssociationId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

local-gateway-route-table
  ARN: arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table/${LocalGatewayRoutetableId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface-group
  ARN: arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface-group/${LocalGatewayVirtualInterfaceGroupId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

local-gateway-virtual-interface
  ARN: arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface/${LocalGatewayVirtualInterfaceId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

natgateway
  ARN: arn:${Partition}:ec2:${Region}:${Account}:natgateway/${NatGatewayId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

network-acl
  ARN: arn:${Partition}:ec2:${Region}:${Account}:network-acl/${NaclId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

network-insights-analysis
  ARN: arn:${Partition}:ec2:${Region}:${Account}:network-insights-analysis/${NetworkInsightsAnalysisId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

network-insights-path
  ARN: arn:${Partition}:ec2:${Region}:${Account}:network-insights-path/${NetworkInsightsPathId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

network-interface
  ARN: arn:${Partition}:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:AssociatePublicIpAddress, ec2:AuthorizedService, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Subnet, ec2:Vpc

placement-group
  ARN: arn:${Partition}:ec2:${Region}:${Account}:placement-group/${PlacementGroupName}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:PlacementGroupStrategy, ec2:Region, ec2:ResourceTag/${TagKey}

prefix-list
  ARN: arn:${Partition}:ec2:${Region}:${Account}:prefix-list/${PrefixListId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

reserved-instances
  ARN: arn:${Partition}:ec2:${Region}:${Account}:reserved-instances/${ReservationId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:InstanceType, ec2:Region, ec2:ReservedInstancesOfferingType, ec2:ResourceTag/${TagKey}, ec2:Tenancy

role
  ARN: arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}
  Condition keys: none

route-table
  ARN: arn:${Partition}:ec2:${Region}:${Account}:route-table/${RouteTableId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

security-group
  ARN: arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

snapshot
  ARN: arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:SnapshotTime, ec2:VolumeSize

spot-fleet-request
  ARN: arn:${Partition}:ec2:${Region}:${Account}:spot-fleet-request/${SpotFleetRequestId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

spot-instances-request
  ARN: arn:${Partition}:ec2:${Region}:${Account}:spot-instances-request/${SpotInstanceRequestId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

subnet
  ARN: arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Vpc

traffic-mirror-filter
  ARN: arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter/${TrafficMirrorFilterId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

traffic-mirror-filter-rule
  ARN: arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter-rule/${TrafficMirrorFilterRuleId}
  Condition keys: ec2:Region

traffic-mirror-session
  ARN: arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-session/${TrafficMirrorSessionId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

traffic-mirror-target
  ARN: arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-target/${TrafficMirrorTargetId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

transit-gateway-attachment
  ARN: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

transit-gateway-connect-peer
  ARN: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-connect-peer/${TransitGatewayConnectPeerId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

transit-gateway
  ARN: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway/${TransitGatewayId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

transit-gateway-multicast-domain
  ARN: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-multicast-domain/${TransitGatewayMulticastDomainId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

transit-gateway-route-table
  ARN: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table/${TransitGatewayRouteTableId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

volume
  ARN: arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeThroughput, ec2:VolumeType

vpc-endpoint
  ARN: arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint/${VpcEndpointId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

vpc-endpoint-service
  ARN: arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service/${VpcEndpointServiceId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:VpceServicePrivateDnsName

vpc-flow-log
  ARN: arn:${Partition}:ec2:${Region}:${Account}:vpc-flow-log/${VpcFlowLogId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}

vpc
  ARN: arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}, ec2:Tenancy

vpc-peering-connection
  ARN: arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc, ec2:ResourceTag/${TagKey}

vpn-connection
  ARN: arn:${Partition}:ec2:${Region}:${Account}:vpn-connection/${VpnConnectionId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:AuthenticationType, ec2:DPDTimeoutSeconds, ec2:GatewayType, ec2:IKEVersions, ec2:InsideTunnelCidr, ec2:Phase1DHGroupNumbers, ec2:Phase1EncryptionAlgorithms, ec2:Phase1IntegrityAlgorithms, ec2:Phase1LifetimeSeconds, ec2:Phase2DHGroupNumbers, ec2:Phase2EncryptionAlgorithms, ec2:Phase2IntegrityAlgorithms, ec2:Phase2LifetimeSeconds, ec2:PresharedKeys, ec2:Region, ec2:RekeyFuzzPercentage, ec2:RekeyMarginTimeSeconds, ec2:ResourceTag/${TagKey}, ec2:RoutingType

vpn-gateway
  ARN: arn:${Partition}:ec2:${Region}:${Account}:vpn-gateway/${VpnGatewayId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ec2:Region, ec2:ResourceTag/${TagKey}
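The rows above also tell you which condition keys are actually populated for each resource type, and that is the check that catches a whole class of silent policy failures: a key that the targeted ARN does not carry is simply absent from the request context, so a positive operator on it is false, an Allow never matches, and a Deny never fires. The following is an added example, not part of this reference: a small Python checker that transcribes a subset of the rows above and flags any condition key that a statement's Resource ARNs cannot supply. ec2:RunInstances is a real action name; the account ID, VPC ID and the statements themselves are constructed for illustration, and only seven resource types are transcribed (extend SUPPORTED_KEYS from the rows above as needed).

```python
import fnmatch

# Keys every tag-capable EC2 resource type in the table above carries.
COMMON_KEYS = {"aws:RequestTag/*", "aws:ResourceTag/*", "aws:TagKeys",
               "ec2:Region", "ec2:ResourceTag/*"}

# Resource type -> condition keys the table lists for it (a subset of the rows above).
SUPPORTED_KEYS = {
    "image": COMMON_KEYS | {"ec2:ImageType", "ec2:Owner", "ec2:Public", "ec2:RootDeviceType"},
    "instance": COMMON_KEYS | {"ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile",
                               "ec2:InstanceType", "ec2:PlacementGroup", "ec2:RootDeviceType",
                               "ec2:Tenancy"},
    "network-interface": COMMON_KEYS | {"ec2:AssociatePublicIpAddress", "ec2:AuthorizedService",
                                        "ec2:AvailabilityZone", "ec2:Subnet", "ec2:Vpc"},
    "security-group": COMMON_KEYS | {"ec2:Vpc"},
    "snapshot": COMMON_KEYS | {"ec2:Owner", "ec2:ParentVolume", "ec2:SnapshotTime", "ec2:VolumeSize"},
    "subnet": COMMON_KEYS | {"ec2:AvailabilityZone", "ec2:Vpc"},
    "volume": COMMON_KEYS | {"ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot",
                             "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput",
                             "ec2:VolumeType"},
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def resource_type(arn_pattern):
    """Map an EC2 ARN or ARN pattern to its resource type, e.g.
    'arn:aws:ec2:*:*:instance/*' -> 'instance' and 'arn:aws:ec2:*::image/*' -> 'image'.
    Returns '*' for a bare wildcard and None for an ARN of another service."""
    if arn_pattern == "*":
        return "*"
    parts = arn_pattern.split(":", 5)
    if len(parts) != 6 or parts[2] != "ec2":
        return None
    return parts[5].split("/", 1)[0]


def key_supported(key, rtype):
    """True if the table lists the key (or a ${TagKey} pattern covering it) for rtype."""
    return any(fnmatch.fnmatchcase(key, pat) for pat in SUPPORTED_KEYS.get(rtype, ()))


def unsupported_keys(statement):
    """Return {condition key: [resource types named in Resource that do not carry it]}.
    An empty dict means every key is populated for every targeted resource type."""
    types = set()
    for arn in _as_list(statement["Resource"]):
        rtype = resource_type(arn)
        types |= set(SUPPORTED_KEYS) if rtype == "*" else {rtype or arn}
    problems = {}
    for block in statement.get("Condition", {}).values():
        for key in block:
            missing = sorted(t for t in types if not key_supported(key, t))
            if missing:
                problems[key] = missing
    return problems


# Constructed example: allow launches only into one VPC.  The instance resource type does
# not carry ec2:Vpc (see the instance row above), so for the instance ARN the key is absent
# from the request context, ArnEquals is false and this Allow never matches: every launch
# ends in an implicit deny.  Account and VPC IDs are made up.
WRONG = {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"ArnEquals": {"ec2:Vpc": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0a1b2c3d"}},
}

# The fix: put the VPC condition on the resource types that carry ec2:Vpc (subnet,
# network-interface, security-group); grant the instance ARN in a separate statement.
RIGHT = dict(WRONG, Resource=["arn:aws:ec2:*:*:subnet/*",
                              "arn:aws:ec2:*:*:network-interface/*",
                              "arn:aws:ec2:*:*:security-group/*"])

if __name__ == "__main__":
    print("wrong:", unsupported_keys(WRONG))   # {'ec2:Vpc': ['instance']}
    print("right:", unsupported_keys(RIGHT))   # {}
```

The WRONG statement looks reasonable and passes syntax validation, yet it can never grant anything; the table, not the action, decides which keys are in the request context for a given ARN, which is why RunInstances guardrails on VPC, subnet or security group are written against those resource types rather than against the instance.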

Condition keys for Amazon EC2


Amazon EC2 defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key (type): description

aws:RequestTag/${TagKey} (String): Filters access by a tag key and value pair that is allowed in the request
aws:ResourceTag/ (String): Filters access by the preface string for a tag key and value pair that are attached to a resource
aws:ResourceTag/${TagKey} (String): Filters access by a tag key and value pair of a resource
aws:TagKeys (String): Filters access by a list of tag keys that are allowed in the request
ec2:AccepterVpc (ARN): Filters access by the ARN of an accepter VPC in a VPC peering connection
ec2:AssociatePublicIpAddress (Bool): Filters access by whether the user wants to associate a public IP address with the instance
ec2:Attribute/${AttributeName} (String): Filters access by an attribute being set on a resource
ec2:AuthenticationType (String): Filters access by the authentication type for the VPN tunnel endpoints

ec2:AuthorizedService (String): Filters access by the AWS service that has permission to use a resource
ec2:AuthorizedUser (String): Filters access by an IAM principal that has permission to use a resource
ec2:AutoPlacement (String): Filters access by the Auto Placement properties of a Dedicated Host
ec2:AvailabilityZone (String): Filters access by the name of an Availability Zone in an AWS Region
ec2:ClientRootCertificateChainArn (ARN): Filters access by the ARN of the client root certificate chain
ec2:CloudwatchLogGroupArn (ARN): Filters access by the ARN of the CloudWatch Logs log group
ec2:CloudwatchLogStreamArn (ARN): Filters access by the ARN of the CloudWatch Logs log stream
ec2:CreateAction (String): Filters access by the name of a resource-creating API action
ec2:DPDTimeoutSeconds (Numeric): Filters access by the duration after which DPD timeout occurs on a VPN tunnel
ec2:DirectoryArn (ARN): Filters access by the ARN of the directory
ec2:EbsOptimized (Bool): Filters access by whether the instance is enabled for EBS optimization
ec2:ElasticGpuType (String): Filters access by the type of Elastic Graphics accelerator
ec2:Encrypted (Bool): Filters access by whether the EBS volume is encrypted
ec2:GatewayType (String): Filters access by the gateway type for a VPN endpoint on the AWS side of a VPN connection
ec2:HostRecovery (String): Filters access by whether host recovery is enabled for a Dedicated Host
ec2:IKEVersions (String): Filters access by the internet key exchange (IKE) versions that are permitted for a VPN tunnel
ec2:ImageType (String): Filters access by the type of image (machine, aki, or ari)
ec2:InsideTunnelCidr (String): Filters access by the range of inside IP addresses for a VPN tunnel
ec2:InstanceMarketType (String): Filters access by the market or purchasing option of an instance (on-demand or spot)
ec2:InstanceProfile (ARN): Filters access by the ARN of an instance profile
ec2:InstanceType (String): Filters access by the type of instance

ec2:IsLaunchTemplateResource (Bool): Filters access by whether users are able to override resources that are specified in the launch template
ec2:LaunchTemplate (ARN): Filters access by the ARN of a launch template
ec2:MetadataHttpEndpoint (String): Filters access by whether the HTTP endpoint is enabled for the instance metadata service
ec2:MetadataHttpPutResponseHopLimit (Numeric): Filters access by the allowed number of hops when calling the instance metadata service
ec2:MetadataHttpTokens (String): Filters access by whether tokens are required when calling the instance metadata service (optional or required)
ec2:Owner (String): Filters access by the owner of the resource (amazon, aws-marketplace, or an AWS account ID)
ec2:ParentSnapshot (ARN): Filters access by the ARN of the parent snapshot
ec2:ParentVolume (ARN): Filters access by the ARN of the parent volume from which the snapshot was created
ec2:Permission (String): Filters access by the type of permission for a resource (INSTANCE-ATTACH or EIP-ASSOCIATE)
ec2:Phase1DHGroupNumbers (Numeric): Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 1 IKE negotiations
ec2:Phase1EncryptionAlgorithms (String): Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations
ec2:Phase1IntegrityAlgorithms (String): Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations
ec2:Phase1LifetimeSeconds (Numeric): Filters access by the lifetime in seconds for phase 1 of the IKE negotiations for a VPN tunnel
ec2:Phase2DHGroupNumbers (Numeric): Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 2 IKE negotiations
ec2:Phase2EncryptionAlgorithms (String): Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations
ec2:Phase2IntegrityAlgorithms (String): Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations
ec2:Phase2LifetimeSeconds (Numeric): Filters access by the lifetime in seconds for phase 2 of the IKE negotiations for a VPN tunnel
ec2:PlacementGroup (ARN): Filters access by the ARN of the placement group
ec2:PlacementGroupStrategy (String): Filters access by the instance placement strategy used by the placement group (cluster, spread, or partition)

ec2:PresharedKeys (String): Filters access by the pre-shared key (PSK) used to establish the initial IKE security association between a virtual private gateway and a customer gateway
ec2:ProductCode (String): Filters access by the product code that is associated with the AMI
ec2:Public (Bool): Filters access by whether the image has public launch permissions
ec2:Quantity (Numeric): Filters access by the number of Dedicated Hosts in a request
ec2:Region (String): Filters access by the name of the AWS Region
ec2:RekeyFuzzPercentage (Numeric): Filters access by the percentage of increase of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected for a VPN tunnel
ec2:RekeyMarginTimeSeconds (Numeric): Filters access by the margin time before the phase 2 lifetime expires for a VPN tunnel
ec2:RequesterVpc (ARN): Filters access by the ARN of a requester VPC in a VPC peering connection
ec2:ReservedInstancesOfferingType (String): Filters access by the payment option of the Reserved Instance offering (No Upfront, Partial Upfront, or All Upfront)
ec2:ResourceTag/ (String): Filters access by the preface string for a tag key and value pair that are attached to a resource
ec2:ResourceTag/${TagKey} (String): Filters access by a tag key and value pair of a resource
ec2:RoleDelivery (Numeric): Filters access by the version of the instance metadata service for retrieving IAM role credentials for EC2
ec2:RootDeviceType (String): Filters access by the root device type of the instance (ebs or instance-store)
ec2:RoutingType (String): Filters access by the routing type for the VPN connection
ec2:SamlProviderArn (ARN): Filters access by the ARN of the IAM SAML identity provider
ec2:ServerCertificateArn (ARN): Filters access by the ARN of the server certificate
ec2:SnapshotTime (String): Filters access by the initiation time of a snapshot
ec2:SourceInstanceARN (ARN): Filters access by the ARN of the instance from which the request originated
ec2:Subnet (ARN): Filters access by the ARN of the subnet
ec2:Tenancy (String): Filters access by the tenancy of the VPC or instance (default, dedicated, or host)

ec2:VolumeIops (Numeric): Filters access by the number of input/output operations per second (IOPS) provisioned for the volume
ec2:VolumeSize (Numeric): Filters access by the size of the volume, in GiB
ec2:VolumeThroughput (Numeric): Filters access by the throughput of the volume, in MiBps
ec2:VolumeType (String): Filters access by the type of volume (gp2, gp3, io1, io2, st1, sc1, or standard)
ec2:Vpc (ARN): Filters access by the ARN of the VPC
ec2:VpceServiceName (String): Filters access by the name of the VPC endpoint service
ec2:VpceServiceOwner (String): Filters access by the service owner of the VPC endpoint service (amazon, aws-marketplace, or an AWS account ID)
ec2:VpceServicePrivateDnsName (String): Filters access by the private DNS name of the VPC endpoint service
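The Type column decides which condition operators a key accepts: String keys take StringEquals, StringNotEquals and StringLike; Bool keys take Bool; Numeric keys take the Numeric* operators; ARN keys take ArnEquals and ArnLike. The following is an added example, not part of this reference: a Python evaluator for Condition blocks that models those operator families together with the rules for a key that is absent from the request context (a positive single-valued operator is false, a negated one is true, an ...IfExists variant is true, ForAllValues is true, ForAnyValue is false, and Null tests presence directly). It covers only the operators it names, and the absent-key rules are modelled as the IAM policy reference documents them, not as something this table states. The guardrail policy and the request contexts are constructed; ec2:RunInstances and ec2:CreateVolume are real action names, and 111122223333 is the documentation placeholder account.

```python
import fnmatch

NEGATED_SUFFIXES = ("NotEquals", "NotLike")


def _values(value):
    """Policy and context values may be a scalar or a list; normalise to a list of strings."""
    return [str(v) for v in (value if isinstance(value, list) else [value])]


def _match(op, policy_vals, req_val):
    """Compare one request value with the policy values under one operator."""
    if op == "StringEquals":
        return req_val in policy_vals
    if op == "StringNotEquals":
        return req_val not in policy_vals
    if op in ("StringLike", "ArnLike", "ArnEquals"):      # ArnEquals behaves like ArnLike in IAM
        return any(fnmatch.fnmatchcase(req_val, p) for p in policy_vals)
    if op in ("StringNotLike", "ArnNotLike", "ArnNotEquals"):
        return not any(fnmatch.fnmatchcase(req_val, p) for p in policy_vals)
    if op == "Bool":
        return req_val.lower() == policy_vals[0].lower()
    if op == "NumericLessThanEquals":
        return any(float(req_val) <= float(p) for p in policy_vals)
    raise ValueError("operator not modelled here: " + op)


def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block holds for the request context."""
    for op_full, pairs in condition.items():
        set_op, _, op = op_full.rpartition(":")   # "ForAllValues:StringEquals" -> both parts
        if_exists = op.endswith("IfExists")
        if if_exists:
            op = op[:-len("IfExists")]
        negated = op.endswith(NEGATED_SUFFIXES)
        for key, policy_vals in pairs.items():
            policy_vals = _values(policy_vals)
            present = key in context
            if op == "Null":                       # Null "true" means the key must be absent
                if present == (policy_vals[0].lower() == "true"):
                    return False
                continue
            if not present:
                # Absent key: ForAllValues, ...IfExists and negated single-valued operators
                # count as satisfied; ForAnyValue and positive single-valued ones do not.
                if set_op == "ForAllValues" or (not set_op and (if_exists or negated)):
                    continue
                return False
            req_vals = _values(context[key])
            if set_op == "ForAllValues":
                ok = all(_match(op, policy_vals, r) for r in req_vals)
            elif set_op == "ForAnyValue":
                ok = any(_match(op, policy_vals, r) for r in req_vals)
            else:
                ok = _match(op, policy_vals, req_vals[0])
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Explicit Deny wins; otherwise Allow if any Allow statement matches; else implicit deny."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _values(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _values(st["Resource"])):
            continue
        if not condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed guardrail policy using keys from the table above.  ec2:RunInstances and
# ec2:CreateVolume are real action names; 111122223333 is the documentation placeholder account.
GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:CreateVolume"], "Resource": "*"},
        {   # Bool key carried by volume ARNs: refuse unencrypted volumes
            "Effect": "Deny", "Action": "ec2:CreateVolume",
            "Resource": "arn:aws:ec2:*:*:volume/*",
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        },
        {   # String key, negated operator: a launch that omits the key is denied as well
            "Effect": "Deny", "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
        },
        {   # multi-valued key: deny if any tag key at launch is outside the approved list
            "Effect": "Deny", "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"ForAnyValue:StringNotEquals": {"aws:TagKeys": ["Owner", "CostCenter"]}},
        },
    ],
}
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/*"
VOLUME_ARN = "arn:aws:ec2:us-east-1:111122223333:volume/*"
```

Two results are worth noticing. A RunInstances request whose context lacks ec2:MetadataHttpTokens is still denied, because StringNotEquals treats the missing key as a match; had the guardrail been written as an Allow with StringEquals, the same omission would have made the Allow fail to match, refusing the launch rather than enforcing IMDSv2 on it. And a launch with no tags at all passes the ForAnyValue statement, because ForAnyValue on an absent key is false; to require tags, add a Null condition on aws:RequestTag/Owner or a separate Deny.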

Actions, resources, and condition keys for Amazon EC2 Auto Scaling

Amazon EC2 Auto Scaling (service prefix: autoscaling) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon EC2 Auto Scaling (p. 662)
• Resource types defined by Amazon EC2 Auto Scaling (p. 671)
• Condition keys for Amazon EC2 Auto Scaling (p. 672)

Actions defined by Amazon EC2 Auto Scaling


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).
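The rules in the paragraph above are mechanical, so they can be checked mechanically before a policy ships. The following is an added example, not part of this reference: a Python check that, given a statement, confirms that every action whose Resource types column is empty gets Resource "*" and that every action with a required resource type gets an ARN of that type. The ACTIONS map is transcribed from the rows that follow; the Describe action in it is an assumption added to show the empty-column case (its row is not on this page), the ARN shape is assumed from the usual Auto Scaling form (the resource types table on p. 671 is authoritative), and the account ID and group name are constructed.

```python
import fnmatch

# Action -> resource type the table marks as required (*), or None when the Resource
# types column is empty.  Rows transcribed from the table that follows; the Describe
# action is an assumption added to show the empty-column case.
ACTIONS = {
    "autoscaling:AttachInstances": "autoScalingGroup",
    "autoscaling:AttachLoadBalancerTargetGroups": "autoScalingGroup",
    "autoscaling:AttachLoadBalancers": "autoScalingGroup",
    "autoscaling:CompleteLifecycleAction": "autoScalingGroup",
    "autoscaling:CreateAutoScalingGroup": "autoScalingGroup",
    "autoscaling:CreateLaunchConfiguration": "launchConfiguration",
    "autoscaling:DeleteAutoScalingGroup": "autoScalingGroup",
    "autoscaling:DeleteLaunchConfiguration": "launchConfiguration",
    "autoscaling:DeletePolicy": "autoScalingGroup",
    "autoscaling:DescribeAutoScalingGroups": None,   # assumed: no resource-level permissions
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def arn_resource_type(arn):
    """Resource type of an Auto Scaling ARN, taken from its sixth colon-separated field:
    arn:aws:autoscaling:us-east-1:111122223333:autoScalingGroup:uuid:autoScalingGroupName/web
    -> 'autoScalingGroup'.  Returns None for '*' or an ARN of another service.  The ARN
    shape is assumed from the usual Auto Scaling form; the table on p. 671 is authoritative."""
    parts = arn.split(":", 6)
    if len(parts) < 6 or parts[2] != "autoscaling":
        return None
    return parts[5]


def check_statement(statement):
    """Return a list of problems with the statement's Resource element; [] means it fits
    every action the statement names (wildcards in Action are expanded against ACTIONS)."""
    problems = []
    resources = _as_list(statement["Resource"])
    for pattern in _as_list(statement["Action"]):
        for action, required in ACTIONS.items():
            if not fnmatch.fnmatchcase(action, pattern):
                continue
            if required is None:
                if resources != ["*"]:
                    problems.append(f'{action} supports no resource types; Resource must be "*"')
                continue
            for arn in resources:
                if arn != "*" and arn_resource_type(arn) != required:
                    problems.append(f"{action} requires an ARN of type {required}, got {arn}")
    return problems


# Constructed statements.  The first one silently never grants the Describe call.
GROUP_ARN = "arn:aws:autoscaling:us-east-1:111122223333:autoScalingGroup:*:autoScalingGroupName/web-*"
TOO_NARROW = {
    "Effect": "Allow",
    "Action": ["autoscaling:DescribeAutoScalingGroups", "autoscaling:AttachInstances"],
    "Resource": GROUP_ARN,
}
SPLIT = [   # the fix: one statement per resource shape
    {"Effect": "Allow", "Action": "autoscaling:DescribeAutoScalingGroups", "Resource": "*"},
    {"Effect": "Allow", "Action": "autoscaling:AttachInstances", "Resource": GROUP_ARN},
]

if __name__ == "__main__":
    print(check_statement(TOO_NARROW))
    print([check_statement(s) for s in SPLIT])
```

Mixing the two kinds of action in one statement is the common mistake: the ARN-scoped statement never grants the Describe call, and the usual reaction is to widen everything to "*". Splitting into one statement per resource shape keeps the group-level grant narrow while still allowing the read.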

Columns: action, description, access level, resource types (* marks a required type; the types are described on p. 672), condition keys (described on pp. 672-673), and dependent actions. Keys listed as action-level appear in the table on a row with no resource type.

AttachInstances
  Description: Attaches one or more EC2 instances to the specified Auto Scaling group.
  Access level: Write
  Resource types: autoScalingGroup*
  Condition keys (with autoScalingGroup): autoscaling:ResourceTag/${TagKey}, aws:ResourceTag/${TagKey}
  Dependent actions: none

AttachLoadBalancerTargetGroups
  Description: Attaches one or more target groups to the specified Auto Scaling group.
  Access level: Write
  Resource types: autoScalingGroup*
  Condition keys (with autoScalingGroup): autoscaling:ResourceTag/${TagKey}, aws:ResourceTag/${TagKey}
  Condition keys (action-level): autoscaling:TargetGroupARNs
  Dependent actions: none

AttachLoadBalancers
  Description: Attaches one or more load balancers to the specified Auto Scaling group.
  Access level: Write
  Resource types: autoScalingGroup*
  Condition keys (with autoScalingGroup): autoscaling:ResourceTag/${TagKey}, aws:ResourceTag/${TagKey}
  Condition keys (action-level): autoscaling:LoadBalancerNames
  Dependent actions: none

BatchDeleteScheduledAction
  Description: Deletes the specified scheduled actions.
  Access level: Write
  Resource types: autoScalingGroup*
  Condition keys (with autoScalingGroup): autoscaling:ResourceTag/${TagKey}, aws:ResourceTag/${TagKey}
  Dependent actions: none

BatchPutScheduledUpdateGroupAction
  Description: Creates or updates multiple scheduled scaling actions for an Auto Scaling group.
  Access level: Write
  Resource types: autoScalingGroup*
  Condition keys (with autoScalingGroup): autoscaling:ResourceTag/${TagKey}, aws:ResourceTag/${TagKey}
  Dependent actions: none

CancelInstanceRefresh
  Description: Grants permission to cancel an instance refresh operation in progress.
  Access level: Write
  Resource types: autoScalingGroup*
  Condition keys (with autoScalingGroup): autoscaling:ResourceTag/${TagKey}, aws:ResourceTag/${TagKey}
  Dependent actions: none

CompleteLifecycleAction
  Description: Completes the lifecycle action for the specified token or instance with the specified result.
  Access level: Write
  Resource types: autoScalingGroup*
  Condition keys (with autoScalingGroup): autoscaling:ResourceTag/${TagKey}, aws:ResourceTag/${TagKey}
  Dependent actions: none

CreateAutoScalingGroup
  Description: Creates an Auto Scaling group with the specified name and attributes.
  Access level: Tagging
  Resource types: autoScalingGroup*
  Condition keys (with autoScalingGroup): autoscaling:ResourceTag/${TagKey}, aws:ResourceTag/${TagKey}
  Condition keys (action-level): autoscaling:InstanceTypes, autoscaling:LaunchConfigurationName, autoscaling:LaunchTemplateVersionSp, autoscaling:LoadBalancerNames, autoscaling:MaxSize, autoscaling:MinSize, autoscaling:TargetGroupARNs, autoscaling:VPCZoneIdentifiers, aws:RequestTag/${TagKey}, aws:TagKeys
  Dependent actions: none

CreateLaunchConfiguration
  Description: Creates a launch configuration.
  Access level: Write
  Resource types: launchConfiguration*
  Condition keys (with launchConfiguration): none
  Condition keys (action-level): autoscaling:ImageId, autoscaling:InstanceType, autoscaling:SpotPrice, autoscaling:MetadataHttpTokens, autoscaling:MetadataHttpPutResponse, autoscaling:MetadataHttpEndpoint
  Dependent actions: none

Creates or updates tags for the Tagging autoScalingGroup*


autoscaling:ResourceTag/
 
CreateOrUpdateTags
specified Auto Scaling group. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

  aws:RequestTag/
 
${TagKey}
(p. 673)

aws:TagKeys
(p. 673)

Deletes the specified Auto Write autoScalingGroup*


autoscaling:ResourceTag/
 
DeleteAutoScalingGroup
Scaling group. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Deletes the specified launch Write launchConfiguration*


   
DeleteLaunchConfiguration
configuration. (p. 672)

Deletes the specified lifecycle Write autoScalingGroup*


autoscaling:ResourceTag/
 
DeleteLifecycleHook
hook. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

665
Service Authorization Reference
Service Authorization Reference
Amazon EC2 Auto Scaling

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Deletes the specified Write autoScalingGroup*


autoscaling:ResourceTag/
 
DeleteNotificationConfiguration
notification. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

DeletePolicy Deletes the specified Auto Write autoScalingGroup*


autoscaling:ResourceTag/
 
Scaling policy. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Deletes the specified scheduled Write autoScalingGroup*


autoscaling:ResourceTag/
 
DeleteScheduledAction
action. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

DeleteTags Deletes the specified tags. Tagging autoScalingGroup*


autoscaling:ResourceTag/
 
(p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

  aws:RequestTag/
 
${TagKey}
(p. 673)

aws:TagKeys
(p. 673)

Describes the current Auto List      


DescribeAccountLimits
Scaling resource limits for your
AWS account.

Describes the policy List      


DescribeAdjustmentTypes
adjustment types for use with
PutScalingPolicy.

Describes one or more Auto List      


DescribeAutoScalingGroups
Scaling groups. If a list of
names is not provided, the
call describes all Auto Scaling
groups.

666
Service Authorization Reference
Service Authorization Reference
Amazon EC2 Auto Scaling

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Describes one or more Auto List      


DescribeAutoScalingInstances
Scaling instances. If a list is not
provided, the call describes all
instances.

Describes the notification types List      


DescribeAutoScalingNotificationTypes
that are supported by Auto
Scaling.

Grants permission to describe List      


DescribeInstanceRefreshes
one or more instance refreshes
for an Auto Scaling group

Describes one or more launch List      


DescribeLaunchConfigurations
configurations. If you omit
the list of names, then the
call describes all launch
configurations.

Describes the available types of List      


DescribeLifecycleHookTypes
lifecycle hooks.

Describes the lifecycle hooks for List      


DescribeLifecycleHooks
the specified Auto Scaling group.

Describes the target groups for List      


DescribeLoadBalancerTargetGroups
the specified Auto Scaling group.

Describes the load balancers for List      


DescribeLoadBalancers
the specified Auto Scaling group.

Describes the available List      


DescribeMetricCollectionTypes
CloudWatch metrics for Auto
Scaling.

Describes the notification List      


DescribeNotificationConfigurations
actions associated with the
specified Auto Scaling group.

Describes the policies for the List      


DescribePolicies specified Auto Scaling group.

Describes one or more scaling List      


DescribeScalingActivities
activities for the specified Auto
Scaling group.

Describes the scaling List      


DescribeScalingProcessTypes
process types for use with
ResumeProcesses and
SuspendProcesses.

Describes the actions scheduled List      


DescribeScheduledActions
for your Auto Scaling group that
haven't run.

DescribeTags Describes the specified tags. Read      

667
Service Authorization Reference
Service Authorization Reference
Amazon EC2 Auto Scaling

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Describes the termination List      


DescribeTerminationPolicyTypes
policies supported by Auto
Scaling.

Removes one or more instances Write autoScalingGroup*


autoscaling:ResourceTag/
 
DetachInstances from the specified Auto Scaling (p. 672) ${TagKey}
group. (p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Detaches one or more target Write autoScalingGroup*


autoscaling:ResourceTag/
 
DetachLoadBalancerTargetGroups
groups from the specified Auto (p. 672) ${TagKey}
Scaling group. (p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

  autoscaling:TargetGroupARNs
 
(p. 673)

Removes one or more load Write autoScalingGroup*


autoscaling:ResourceTag/
 
DetachLoadBalancers
balancers from the specified (p. 672) ${TagKey}
Auto Scaling group. (p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

  autoscaling:LoadBalancerNames
 
(p. 672)

Disables monitoring of the Write autoScalingGroup*


autoscaling:ResourceTag/
 
DisableMetricsCollection
specified metrics for the (p. 672) ${TagKey}
specified Auto Scaling group. (p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Enables monitoring of the Write autoScalingGroup*


autoscaling:ResourceTag/
 
EnableMetricsCollection
specified metrics for the (p. 672) ${TagKey}
specified Auto Scaling group. (p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

668
Service Authorization Reference
Service Authorization Reference
Amazon EC2 Auto Scaling

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

EnterStandby Moves the specified instances Write autoScalingGroup*


autoscaling:ResourceTag/
 
into Standby mode. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

ExecutePolicy Executes the specified policy. Write autoScalingGroup*


autoscaling:ResourceTag/
 
(p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

ExitStandby Moves the specified instances Write autoScalingGroup*


autoscaling:ResourceTag/
 
out of Standby mode. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Creates or updates a lifecycle Write autoScalingGroup*


autoscaling:ResourceTag/
 
PutLifecycleHook hook for the specified Auto (p. 672) ${TagKey}
Scaling Group. (p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Configures an Auto Scaling Write autoScalingGroup*


autoscaling:ResourceTag/
 
PutNotificationConfiguration
group to send notifications (p. 672) ${TagKey}
when specified events take (p. 673)
place.
aws:ResourceTag/
${TagKey}
(p. 673)

Creates or updates a policy for Write autoScalingGroup*


autoscaling:ResourceTag/
 
PutScalingPolicy an Auto Scaling group. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Creates or updates a scheduled Write autoScalingGroup*


autoscaling:ResourceTag/
 
PutScheduledUpdateGroupAction
scaling action for an Auto (p. 672) ${TagKey}
Scaling group. (p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

669
Service Authorization Reference
Service Authorization Reference
Amazon EC2 Auto Scaling

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  autoscaling:MaxSize
 
(p. 672)

autoscaling:MinSize
(p. 672)

Records a heartbeat for the Write autoScalingGroup*


autoscaling:ResourceTag/
 
RecordLifecycleActionHeartbeat
lifecycle action associated with (p. 672) ${TagKey}
the specified token or instance. (p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Resumes the specified Write autoScalingGroup*


autoscaling:ResourceTag/
 
ResumeProcesses suspended Auto Scaling (p. 672) ${TagKey}
processes, or all suspended (p. 673)
process, for the specified Auto
Scaling group. aws:ResourceTag/
${TagKey}
(p. 673)

Sets the size of the specified Write autoScalingGroup*


autoscaling:ResourceTag/
 
SetDesiredCapacity
Auto Scaling group. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Sets the health status of the Write autoScalingGroup*


autoscaling:ResourceTag/
 
SetInstanceHealthspecified instance. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Updates the instance protection Write autoScalingGroup*


autoscaling:ResourceTag/
 
SetInstanceProtection
settings of the specified (p. 672) ${TagKey}
instances. (p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Grants permission to start a new Write autoScalingGroup*


autoscaling:ResourceTag/
 
StartInstanceRefresh
instance refresh operation (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

670
Service Authorization Reference
Service Authorization Reference
Amazon EC2 Auto Scaling

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Suspends the specified Auto Write autoScalingGroup*


autoscaling:ResourceTag/
 
SuspendProcessesScaling processes, or all (p. 672) ${TagKey}
processes, for the specified Auto (p. 673)
Scaling group.
aws:ResourceTag/
${TagKey}
(p. 673)

Terminates the specified Write autoScalingGroup*


autoscaling:ResourceTag/
 
TerminateInstanceInAutoScalingGroup
instance and optionally adjusts (p. 672) ${TagKey}
the desired group size. (p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

Updates the configuration for Write autoScalingGroup*


autoscaling:ResourceTag/
 
UpdateAutoScalingGroup
the specified Auto Scaling group. (p. 672) ${TagKey}
(p. 673)

aws:ResourceTag/
${TagKey}
(p. 673)

  autoscaling:InstanceTypes
 
(p. 672)

autoscaling:LaunchConfigurationName
(p. 672)

autoscaling:LaunchTemplateVersionSp
(p. 672)

autoscaling:MaxSize
(p. 672)

autoscaling:MinSize
(p. 672)

autoscaling:VPCZoneIdentifiers
(p. 673)

Resource types defined by Amazon EC2 Auto Scaling


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 662) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
autoScalingGroup | arn:${Partition}:autoscaling:${Region}:${Account}:autoScalingGroup:${GroupId}:autoScalingGroupName/${GroupFriendlyName} | autoscaling:ResourceTag/${TagKey}, aws:ResourceTag/${TagKey}
launchConfiguration | arn:${Partition}:autoscaling:${Region}:${Account}:launchConfiguration:${Id}:launchConfigurationName/${LaunchConfigurationName} | 
Condition keys for Amazon EC2 Auto Scaling


Amazon EC2 Auto Scaling defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
autoscaling:ImageId | The AMI used to create the instance. | String
autoscaling:InstanceType | The type of instance, in terms of the hardware resources available. | String
autoscaling:InstanceTypes | The types of instances, in terms of the hardware resources available. | String
autoscaling:LaunchConfigurationName | The name of a launch configuration. | String
autoscaling:LaunchTemplateVersionSpecified | Filters access by whether users can specify any version of a launch template or only the Latest or Default version | Bool
autoscaling:LoadBalancerNames | The name of the load balancer. | String
autoscaling:MaxSize | The maximum scaling size. | Numeric
autoscaling:MetadataHttpEndpoint | Filters access by whether the HTTP endpoint is enabled for the instance metadata service. | String
autoscaling:MetadataHttpPutResponseHopLimit | Filters access by the allowed number of hops when calling the instance metadata service. | Numeric
autoscaling:MetadataHttpTokens | Filters access by whether tokens are required when calling the instance metadata service (optional or required) | String
autoscaling:MinSize | The minimum scaling size. | Numeric
autoscaling:ResourceTag/${TagKey} | The value of a tag attached to a resource. | String
autoscaling:SpotPrice | The spot price associated with an instance. | Numeric
autoscaling:TargetGroupARNs | The ARN of a target group. | ARN
autoscaling:VPCZoneIdentifiers | The identifier of a VPC zone. | String
aws:RequestTag/${TagKey} | The value of a tag associated with the request. | String
aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource. | String
aws:TagKeys | Filters create requests based on the presence of mandatory tags in the request. | String
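As an added example (not part of this reference), the following identity policy applies the Amazon EC2 Auto Scaling keys and ARN formats documented above from a defender's side: launch configurations may be created only with IMDSv2 tokens required and a metadata hop limit of 1, and scaling changes are limited to groups tagged team=payments whose MaxSize is not raised above 20. Describe calls, which have no resource type in the Actions table, get "*" as the Resource, while the other statements are scoped to the launchConfiguration and autoScalingGroup resource types. The account ID 111122223333, the region, the tag key team and the numeric thresholds are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchConfigurationsMustUseIMDSv2",
      "Effect": "Allow",
      "Action": "autoscaling:CreateLaunchConfiguration",
      "Resource": "arn:aws:autoscaling:us-east-1:111122223333:launchConfiguration:*:launchConfigurationName/*",
      "Condition": {
        "StringEquals": {
          "autoscaling:MetadataHttpTokens": "required"
        },
        "NumericLessThanEquals": {
          "autoscaling:MetadataHttpPutResponseHopLimit": "1"
        }
      }
    },
    {
      "Sid": "ScaleOnlyTaggedGroupsWithinBounds",
      "Effect": "Allow",
      "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity"
      ],
      "Resource": "arn:aws:autoscaling:us-east-1:111122223333:autoScalingGroup:*:autoScalingGroupName/*",
      "Condition": {
        "StringEquals": {
          "autoscaling:ResourceTag/team": "payments"
        },
        "NumericLessThanEqualsIfExists": {
          "autoscaling:MaxSize": "20"
        }
      }
    },
    {
      "Sid": "DescribeHasNoResourceType",
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations"
      ],
      "Resource": "*"
    }
  ]
}
```

A condition that names a key absent from the request evaluates to false, so the first statement also denies CreateLaunchConfiguration calls that leave the metadata options unset, which is the intent; the IfExists operator on autoscaling:MaxSize lets updates that do not touch MaxSize proceed.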

Actions, resources, and condition keys for Amazon EC2 Image Builder

Amazon EC2 Image Builder (service prefix: imagebuilder) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon EC2 Image Builder (p. 673)
• Resource types defined by Amazon EC2 Image Builder (p. 679)
• Condition keys for Amazon EC2 Image Builder (p. 680)

Actions defined by Amazon EC2 Image Builder


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CancelImageCreation | Cancel an image creation | Write | image* | | 
CreateComponent | Create a new component | Write | component*, kmsKey | aws:RequestTag/${TagKey}, aws:TagKeys | 
CreateContainerRecipe | Create a new Container Recipe | Write | containerRecipe* | aws:RequestTag/${TagKey}, aws:TagKeys | imagebuilder:GetComponent
CreateDistributionConfiguration | Create a new distribution configuration | Write | distributionConfiguration* | aws:RequestTag/${TagKey}, aws:TagKeys | 
CreateImage | Create a new image | Write | image* | aws:RequestTag/${TagKey}, aws:TagKeys | imagebuilder:GetImageRecipe, imagebuilder:GetInfrastructureConfiguration
CreateImagePipeline | Create a new image pipeline | Write | imagePipeline* | aws:RequestTag/${TagKey}, aws:TagKeys | imagebuilder:GetImageRecipe
CreateImageRecipe | Create a new Image Recipe | Write | imageRecipe* | aws:RequestTag/${TagKey}, aws:TagKeys | imagebuilder:GetComponent
CreateInfrastructureConfiguration | Create a new infrastructure configuration | Write | infrastructureConfiguration* | aws:RequestTag/${TagKey}, aws:TagKeys, imagebuilder:CreatedResourceTagKeys, imagebuilder:CreatedResourceTag/<key> | iam:PassRole
DeleteComponent | Delete a component | Write | component* | | 
DeleteContainerRecipe | Grants permission to delete a container recipe | Write | containerRecipe* | | 
DeleteDistributionConfiguration | Delete a distribution configuration | Write | distributionConfiguration* | | 
DeleteImage | Delete an image | Write | image* | | 
DeleteImagePipeline | Delete an image pipeline | Write | imagePipeline* | | 
DeleteImageRecipe | Grants permission to delete an image recipe | Write | imageRecipe* | | 
DeleteInfrastructureConfiguration | Delete an infrastructure configuration | Write | infrastructureConfiguration* | | 
GetComponent | View details about a component | Read | component* | | 
GetComponentPolicy | View the resource policy associated with a component | Permissions management | component* | | 
GetContainerRecipe | View details about a container recipe | Read | containerRecipe* | | 
GetContainerRecipePolicy | View the resource policy associated with a container recipe | Permissions management | containerRecipe* | | 
GetDistributionConfiguration | View details about a distribution configuration | Read | distributionConfiguration* | | 
GetImage | View details about an image | Read | image* | aws:ResourceTag/${TagKey} | 
GetImagePipeline | View details about an image pipeline | Read | imagePipeline* | | 
GetImagePolicy | View the resource policy associated with an image | Permissions management | image* | | 
GetImageRecipe | View details about an image recipe | Read | imageRecipe* | | 
GetImageRecipePolicy | View the resource policy associated with an image recipe | Permissions management | imageRecipe* | | 
GetInfrastructureConfiguration | View details about an infrastructure configuration | Read | infrastructureConfiguration* | | 
ListComponentBuildVersions | List the component build versions in your account | List | componentVersion* | | 
ListComponents | List the component versions owned by or shared with your account | List | | | 
ListContainerRecipes | List the container recipes owned by or shared with your account | List | | | 
ListDistributionConfigurations | List the distribution configurations in your account | List | | | 
ListImageBuildVersions | List the image build versions in your account | List | imageVersion* | | 
ListImagePipelineImages | Returns a list of images created by the specified pipeline | List | imagePipeline* | | 
ListImagePipelines | List the image pipelines in your account | List | | | 
ListImageRecipes | List the image recipes owned by or shared with your account | List | | | 
ListImages | List the image versions owned by or shared with your account | List | | | 
ListInfrastructureConfigurations | List the infrastructure configurations in your account | List | | | 
ListTagsForResource | List tags for an Image Builder resource | Read | component, distributionConfiguration, image, imagePipeline, imageRecipe, infrastructureConfiguration | aws:ResourceTag/${TagKey} | 
PutComponentPolicy | Set the resource policy associated with a component | Permissions management | component* | | 
PutContainerRecipePolicy | Set the resource policy associated with a container recipe | Permissions management | containerRecipe* | | 
PutImagePolicy | Set the resource policy associated with an image | Permissions management | image* | | 
PutImageRecipePolicy | Set the resource policy associated with an image recipe | Permissions management | imageRecipe* | | 
StartImagePipelineExecution | Create a new image from a pipeline | Write | imagePipeline* | | imagebuilder:GetImagePipeline
TagResource | Tag an Image Builder resource | Tagging | component, containerRecipe, distributionConfiguration, image, imagePipeline, imageRecipe, infrastructureConfiguration | aws:TagKeys, aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey} | 
UntagResource | Untag an Image Builder resource | Tagging | component, containerRecipe, distributionConfiguration, image, imagePipeline, imageRecipe, infrastructureConfiguration | aws:ResourceTag/${TagKey}, aws:TagKeys | 
UpdateDistributionConfiguration | Update an existing distribution configuration | Write | distributionConfiguration* | | 
UpdateImagePipeline | Update an existing image pipeline | Write | imagePipeline* | | 
UpdateInfrastructureConfiguration | Update an existing infrastructure configuration | Write | infrastructureConfiguration* | aws:ResourceTag/${TagKey}, imagebuilder:CreatedResourceTagKeys, imagebuilder:CreatedResourceTag/<key> | iam:PassRole

Resource types defined by Amazon EC2 Image Builder


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 673) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
component | arn:${Partition}:imagebuilder:${Region}:${Account}:component/${ComponentName}/${ComponentVersion}/${ComponentBuildVersion} | aws:ResourceTag/${TagKey}
componentVersion | arn:${Partition}:imagebuilder:${Region}:${Account}:component/${ComponentName}/${ComponentVersion} | aws:ResourceTag/${TagKey}
distributionConfiguration | arn:${Partition}:imagebuilder:${Region}:${Account}:distribution-configuration/${DistributionConfigurationName} | aws:ResourceTag/${TagKey}
image | arn:${Partition}:imagebuilder:${Region}:${Account}:image/${ImageName}/${ImageVersion}/${ImageBuildVersion} | aws:ResourceTag/${TagKey}
imageVersion | arn:${Partition}:imagebuilder:${Region}:${Account}:image/${ImageName}/${ImageVersion} | aws:ResourceTag/${TagKey}
imageRecipe | arn:${Partition}:imagebuilder:${Region}:${Account}:image-recipe/${ImageRecipeName}/${ImageRecipeVersion} | aws:ResourceTag/${TagKey}
containerRecipe | arn:${Partition}:imagebuilder:${Region}:${Account}:container-recipe/${ContainerRecipeName}/${ContainerRecipeVersion} | aws:ResourceTag/${TagKey}
imagePipeline | arn:${Partition}:imagebuilder:${Region}:${Account}:image-pipeline/${ImagePipelineName} | aws:ResourceTag/${TagKey}
infrastructureConfiguration | arn:${Partition}:imagebuilder:${Region}:${Account}:infrastructure-configuration/${ResourceId} | aws:ResourceTag/${TagKey}
kmsKey | arn:${Partition}:kms:${Region}:${Account}:key/${KeyId} | 

Condition keys for Amazon EC2 Image Builder


Amazon EC2 Image Builder defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions by the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions by tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions by the presence of tag keys in the request | String
imagebuilder:CreatedResourceTag/<key> | Filters access by the tag key-value pairs attached to the resource created by Image Builder | String
imagebuilder:CreatedResourceTagKeys | Filters access by the presence of tag keys in the request | String

Actions, resources, and condition keys for Amazon EC2 Instance Connect

Amazon EC2 Instance Connect (service prefix: ec2-instance-connect) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon EC2 Instance Connect (p. 681)
• Resource types defined by Amazon EC2 Instance Connect (p. 681)
• Condition keys for Amazon EC2 Instance Connect (p. 682)

Actions defined by Amazon EC2 Instance Connect


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
SendSSHPublicKey | Grants permission to push the SSH public key to the instance metadata where it remains for 60 seconds. | Write | instance* | ec2:osuser | 

Resource types defined by Amazon EC2 Instance Connect


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 681) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
instance | arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId} | aws:ResourceTag/${TagKey}, ec2:ResourceTag/${TagKey}

Condition keys for Amazon EC2 Instance Connect


Amazon EC2 Instance Connect defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
ec2:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
ec2:osuser | Filters access by specifying the default user name for the AMI that you used to launch your instance | String

Actions, resources, and condition keys for AWS Elastic Beanstalk

AWS Elastic Beanstalk (service prefix: elasticbeanstalk) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Elastic Beanstalk (p. 682)
• Resource types defined by AWS Elastic Beanstalk (p. 689)
• Condition keys for AWS Elastic Beanstalk (p. 690)

Actions defined by AWS Elastic Beanstalk


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
(A dash marks an empty cell. Condition keys in brackets after a resource type are the keys that resource type supports; keys in the Condition keys column apply to the action itself.)
AbortEnvironmentUpdate | Grants permission to cancel in-progress environment configuration update or application version deployment. | Write | environment* [elasticbeanstalk:InApplication] | - | -
AddTags | Grants permission to add tags to an Elastic Beanstalk resource and to update tag values. | Tagging | application, applicationversion, configurationtemplate, environment, platform | aws:RequestTag/${TagKey}, aws:TagKeys | -
ApplyEnvironmentManagedAction | Grants permission to apply a scheduled managed action immediately. | Write | environment* [elasticbeanstalk:InApplication] | - | -
AssociateEnvironmentOperationsRole | Grants permission to associate an operations role with an environment. | Write | environment* | - | -
CheckDNSAvailability | Grants permission to check CNAME availability. | Read | - | - | -
ComposeEnvironments | Grants permission to create or update a group of environments, each running a separate component of a single application. | Write | application*, applicationversion* [elasticbeanstalk:InApplication] | - | -
CreateApplication | Grants permission to create a new application. | Write | application* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateApplicationVersion | Grants permission to create an application version for an application. | Write | application*, applicationversion* [elasticbeanstalk:InApplication] | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateConfigurationTemplate | Grants permission to create a configuration template. | Write | configurationtemplate* [elasticbeanstalk:InApplication] | elasticbeanstalk:FromApplication, elasticbeanstalk:FromApplicationVersion, elasticbeanstalk:FromConfigurationTemplate, elasticbeanstalk:FromEnvironment, elasticbeanstalk:FromSolutionStack, elasticbeanstalk:FromPlatform, aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateEnvironment | Grants permission to launch an environment for an application. | Write | environment* [elasticbeanstalk:InApplication] | elasticbeanstalk:FromApplicationVersion, elasticbeanstalk:FromConfigurationTemplate, elasticbeanstalk:FromSolutionStack, elasticbeanstalk:FromPlatform, aws:RequestTag/${TagKey}, aws:TagKeys | -
CreatePlatformVersion | Grants permission to create a new version of a custom platform. | Write | platform* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateStorageLocation | Grants permission to create the Amazon S3 storage location for the account. | Write | - | - | -
DeleteApplication | Grants permission to delete an application along with all associated versions and configurations. | Write | application* | - | -
DeleteApplicationVersion | Grants permission to delete an application version from an application. | Write | applicationversion* [elasticbeanstalk:InApplication] | - | -
DeleteConfigurationTemplate | Grants permission to delete a configuration template. | Write | configurationtemplate* [elasticbeanstalk:InApplication] | - | -
DeleteEnvironmentConfiguration | Grants permission to delete the draft configuration associated with the running environment. | Write | environment* [elasticbeanstalk:InApplication] | - | -
DeletePlatformVersion | Grants permission to delete a version of a custom platform. | Write | platform* | - | -
DescribeAccountAttributes | Grants permission to retrieve a list of account attributes, including resource quotas. | Read | - | - | -
DescribeApplicationVersions | Grants permission to retrieve a list of application versions stored in an AWS Elastic Beanstalk storage bucket. | List | applicationversion [elasticbeanstalk:InApplication] | - | -
DescribeApplications | Grants permission to retrieve the descriptions of existing applications. | List | application | - | -
DescribeConfigurationOptions | Grants permission to retrieve descriptions of environment configuration options. | Read | configurationtemplate [elasticbeanstalk:InApplication], environment [elasticbeanstalk:InApplication], solutionstack | - | -
DescribeConfigurationSettings | Grants permission to retrieve a description of the settings for a configuration set. | Read | configurationtemplate [elasticbeanstalk:InApplication], environment [elasticbeanstalk:InApplication] | - | -
DescribeEnvironmentHealth | Grants permission to retrieve information about the overall health of an environment. | Read | environment | - | -
DescribeEnvironmentManagedActionHistory | Grants permission to retrieve a list of an environment's completed and failed managed actions. | Read | environment [elasticbeanstalk:InApplication] | - | -
DescribeEnvironmentManagedActions | Grants permission to retrieve a list of an environment's upcoming and in-progress managed actions. | Read | environment [elasticbeanstalk:InApplication] | - | -
DescribeEnvironmentResources | Grants permission to retrieve a list of AWS resources for an environment. | Read | environment [elasticbeanstalk:InApplication] | - | -
DescribeEnvironments | Grants permission to retrieve descriptions for existing environments. | List | environment [elasticbeanstalk:InApplication] | - | -
DescribeEvents | Grants permission to retrieve a list of event descriptions matching a set of criteria. | Read | application, applicationversion [elasticbeanstalk:InApplication], configurationtemplate [elasticbeanstalk:InApplication], environment [elasticbeanstalk:InApplication] | - | -
DescribeInstancesHealth | Grants permission to retrieve more detailed information about the health of environment instances. | Read | environment | - | -
DescribePlatformVersion | Grants permission to retrieve a description of a platform version. | Read | platform | - | -
DisassociateEnvironmentOperationsRole | Grants permission to disassociate an operations role with an environment. | Write | environment* | - | -
ListAvailableSolutionStacks | Grants permission to retrieve a list of the available solution stack names. | List | solutionstack | - | -
ListPlatformBranches | Grants permission to retrieve a list of the available platform branches. | List | - | - | -
ListPlatformVersions | Grants permission to retrieve a list of the available platforms. | List | platform | - | -
ListTagsForResource | Grants permission to retrieve a list of tags of an Elastic Beanstalk resource. | Read | application, applicationversion, configurationtemplate, environment, platform | - | -
PutInstanceStatistics | Grants permission to submit instance statistics for enhanced health. | Write | application*, environment* | - | -
RebuildEnvironment | Grants permission to delete and recreate all of the AWS resources for an environment and to force a restart. | Write | environment* [elasticbeanstalk:InApplication] | - | -
RemoveTags | Grants permission to remove tags from an Elastic Beanstalk resource. | Tagging | application, applicationversion, configurationtemplate, environment, platform | aws:TagKeys | -
RequestEnvironmentInfo | Grants permission to initiate a request to compile information of the deployed environment. | Read | environment* [elasticbeanstalk:InApplication] | - | -
RestartAppServer | Grants permission to request an environment to restart the application container server running on each Amazon EC2 instance. | Write | environment* [elasticbeanstalk:InApplication] | - | -
RetrieveEnvironmentInfo | Grants permission to retrieve the compiled information from a RequestEnvironmentInfo request. | Read | environment* [elasticbeanstalk:InApplication] | - | -
SwapEnvironmentCNAMEs | Grants permission to swap the CNAMEs of two environments. | Write | environment* [elasticbeanstalk:InApplication] | elasticbeanstalk:FromEnvironment | -
TerminateEnvironment | Grants permission to terminate an environment. | Write | environment* [elasticbeanstalk:InApplication] | - | -
UpdateApplication | Grants permission to update an application with specified properties. | Write | application* | - | -
UpdateApplicationResourceLifecycle | Grants permission to update the application version lifecycle policy associated with the application. | Write | application* | - | -
UpdateApplicationVersion | Grants permission to update an application version with specified properties. | Write | applicationversion* [elasticbeanstalk:InApplication] | - | -
UpdateConfigurationTemplate | Grants permission to update a configuration template with specified properties or configuration option values. | Write | configurationtemplate* [elasticbeanstalk:InApplication] | elasticbeanstalk:FromApplication, elasticbeanstalk:FromApplicationVersion, elasticbeanstalk:FromConfigurationTemplate, elasticbeanstalk:FromEnvironment, elasticbeanstalk:FromSolutionStack, elasticbeanstalk:FromPlatform | -
UpdateEnvironment | Grants permission to update an environment. | Write | environment* [elasticbeanstalk:InApplication] | elasticbeanstalk:FromApplicationVersion, elasticbeanstalk:FromConfigurationTemplate, elasticbeanstalk:FromSolutionStack, elasticbeanstalk:FromPlatform | -
ValidateConfigurationSettings | Grants permission to check the validity of a set of configuration settings for a configuration template or an environment. | Read | configurationtemplate [elasticbeanstalk:InApplication], environment [elasticbeanstalk:InApplication] | - | -

Resource types defined by AWS Elastic Beanstalk


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 682) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
application | arn:${Partition}:elasticbeanstalk:${Region}:${Account}:application/${ApplicationName} | aws:ResourceTag/${TagKey}
applicationversion | arn:${Partition}:elasticbeanstalk:${Region}:${Account}:applicationversion/${ApplicationName}/${VersionLabel} | aws:ResourceTag/${TagKey}, elasticbeanstalk:InApplication
configurationtemplate | arn:${Partition}:elasticbeanstalk:${Region}:${Account}:configurationtemplate/${ApplicationName}/${TemplateName} | aws:ResourceTag/${TagKey}, elasticbeanstalk:InApplication
environment | arn:${Partition}:elasticbeanstalk:${Region}:${Account}:environment/${ApplicationName}/${EnvironmentName} | aws:ResourceTag/${TagKey}, elasticbeanstalk:InApplication
solutionstack | arn:${Partition}:elasticbeanstalk:${Region}::solutionstack/${SolutionStackName} | -
platform | arn:${Partition}:elasticbeanstalk:${Region}::platform/${PlatformNameWithVersion} | -

Condition keys for AWS Elastic Beanstalk


AWS Elastic Beanstalk defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request. | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request. | String
elasticbeanstalk:FromApplication | Filters access by an application as a dependency or a constraint on an input parameter. | ARN
elasticbeanstalk:FromApplicationVersion | Filters access by an application version as a dependency or a constraint on an input parameter. | ARN
elasticbeanstalk:FromConfigurationTemplate | Filters access by a configuration template as a dependency or a constraint on an input parameter. | ARN
elasticbeanstalk:FromEnvironment | Filters access by an environment as a dependency or a constraint on an input parameter. | ARN
elasticbeanstalk:FromPlatform | Filters access by a platform as a dependency or a constraint on an input parameter. | ARN
elasticbeanstalk:FromSolutionStack | Filters access by a solution stack as a dependency or a constraint on an input parameter. | ARN
elasticbeanstalk:InApplication | Filters access by the application that contains the resource that the action operates on. | ARN
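The following identity-based policy is an added example, not part of the reference, showing how the three Elastic Beanstalk tables above fit together in one policy. The account ID 123456789012, Region us-east-1 and the application name example-app are constructed placeholders. The first statement limits environment-changing actions to environments of one application twice over: through the environment ARN path and through elasticbeanstalk:InApplication (type ARN, so an ARN condition operator is used). The second statement allows CreateEnvironment only when the version being deployed belongs to that application, via elasticbeanstalk:FromApplicationVersion. The third statement covers the actions whose Resource types cell is empty, which the reference says must use "*".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageEnvironmentsOfExampleApp",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:TerminateEnvironment",
        "elasticbeanstalk:RebuildEnvironment",
        "elasticbeanstalk:RestartAppServer"
      ],
      "Resource": "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/example-app/*",
      "Condition": {
        "ArnEquals": {
          "elasticbeanstalk:InApplication": "arn:aws:elasticbeanstalk:us-east-1:123456789012:application/example-app"
        }
      }
    },
    {
      "Sid": "CreateEnvironmentFromVersionsOfExampleAppOnly",
      "Effect": "Allow",
      "Action": "elasticbeanstalk:CreateEnvironment",
      "Resource": "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/example-app/*",
      "Condition": {
        "ArnEquals": {
          "elasticbeanstalk:InApplication": "arn:aws:elasticbeanstalk:us-east-1:123456789012:application/example-app"
        },
        "ArnLike": {
          "elasticbeanstalk:FromApplicationVersion": "arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/example-app/*"
        }
      }
    },
    {
      "Sid": "ActionsWithNoResourceType",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:CheckDNSAvailability",
        "elasticbeanstalk:DescribeAccountAttributes",
        "elasticbeanstalk:ListPlatformBranches"
      ],
      "Resource": "*"
    }
  ]
}
```

Because the second statement requires elasticbeanstalk:FromApplicationVersion to be present, a CreateEnvironment call that names no application version label is denied by this policy; that is the intended least-privilege behaviour here, but add an IfExists variant of the operator if environments without a version must also be permitted.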

Actions, resources, and condition keys for Amazon Elastic Block Store
Amazon Elastic Block Store (service prefix: ebs) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Elastic Block Store (p. 691)
• Resource types defined by Amazon Elastic Block Store (p. 692)
• Condition keys for Amazon Elastic Block Store (p. 693)

Actions defined by Amazon Elastic Block Store


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).


Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
(A dash marks an empty cell.)
CompleteSnapshot | Grants permission to seal and complete the snapshot after all of the required blocks of data have been written to it. | Write | snapshot* | - | -
GetSnapshotBlock | Grants permission to return the data of a block in an Amazon Elastic Block Store (EBS) snapshot. | Read | snapshot* | - | -
ListChangedBlocks | Grants permission to list the blocks that are different between two Amazon Elastic Block Store (EBS) snapshots of the same volume/snapshot lineage. | Read | snapshot* | - | -
ListSnapshotBlocks | Grants permission to list the blocks in an Amazon Elastic Block Store (EBS) snapshot. | Read | snapshot* | - | -
PutSnapshotBlock | Grants permission to write a block of data to a snapshot created by the StartSnapshot operation. | Write | snapshot* | - | -
StartSnapshot | Grants permission to create a new EBS snapshot. | Write | snapshot | aws:RequestTag/${TagKey}, aws:TagKeys | -

Resource types defined by Amazon Elastic Block Store


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 691) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
snapshot | arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId} | aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, ebs:Description, ebs:ParentSnapshot, ebs:VolumeSize

Condition keys for Amazon Elastic Block Store


Amazon Elastic Block Store defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters access by a tag key and value pair that is allowed in the request. | String
aws:ResourceTag/${TagKey} | Filters access based on tag key-value pairs assigned to the AWS resource. | String
aws:TagKeys | Filters access by a list of tag keys that are allowed in the request. | String
ebs:Description | Filters access by the description of the snapshot being created. | String
ebs:ParentSnapshot | Filters access by the ID of the parent snapshot. | String
ebs:VolumeSize | Filters access by the size of the volume for the snapshot being created, in GiB. | Numeric
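An added example policy, not taken from the reference, for a backup role that uses the EBS direct APIs listed above. The Region us-east-1, the tag values and the 500 GiB limit are constructed placeholders. StartSnapshot has an optional snapshot resource type and, since the snapshot ID does not exist before the call, the Resource is the snapshot ARN pattern with a wildcard; ebs:VolumeSize is a Numeric key, so a numeric operator bounds the volume size, and aws:RequestTag plus aws:TagKeys force the new snapshot to carry exactly the expected tags. The second statement then allows writing and sealing blocks only on snapshots that carry the Owner tag, using aws:ResourceTag, which the snapshot resource type supports.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSmallTaggedSnapshotsOnly",
      "Effect": "Allow",
      "Action": "ebs:StartSnapshot",
      "Resource": "arn:aws:ec2:us-east-1::snapshot/*",
      "Condition": {
        "NumericLessThanEquals": {
          "ebs:VolumeSize": "500"
        },
        "StringEquals": {
          "aws:RequestTag/Owner": "backup-service"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Owner", "CostCenter"]
        }
      }
    },
    {
      "Sid": "WriteOnlyToOwnedSnapshots",
      "Effect": "Allow",
      "Action": [
        "ebs:PutSnapshotBlock",
        "ebs:CompleteSnapshot"
      ],
      "Resource": "arn:aws:ec2:us-east-1::snapshot/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Owner": "backup-service"
        }
      }
    }
  ]
}
```

The ForAllValues qualifier is what stops a caller from smuggling in extra tag keys: every key in the request must be in the allowed list, while the separate aws:RequestTag/Owner test guarantees the Owner tag is actually present rather than the tag set being empty.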

Actions, resources, and condition keys for Amazon Elastic Container Registry
Amazon Elastic Container Registry (service prefix: ecr) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.


Topics
• Actions defined by Amazon Elastic Container Registry (p. 694)
• Resource types defined by Amazon Elastic Container Registry (p. 697)
• Condition keys for Amazon Elastic Container Registry (p. 697)

Actions defined by Amazon Elastic Container Registry


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
(A dash marks an empty cell.)
BatchCheckLayerAvailability | Grants permission to check the availability of multiple image layers in a specified registry and repository. | Read | repository* | - | -
BatchDeleteImage | Grants permission to delete a list of specified images within a specified repository. | Write | repository* | - | -
BatchGetImage | Grants permission to get detailed information for specified images within a specified repository. | Read | repository* | - | -
CompleteLayerUpload | Grants permission to inform Amazon ECR that the image layer upload for a specified registry, repository name, and upload ID has completed. | Write | repository* | - | -
CreateRepository | Grants permission to create an image repository. | Write | repository* | aws:RequestTag/${TagKey}, aws:TagKeys | -
DeleteLifecyclePolicy | Grants permission to delete the specified lifecycle policy. | Write | repository* | - | -
DeleteRegistryPolicy | Grants permission to delete the registry policy. | Write | - | - | -
DeleteRepository | Grants permission to delete an existing image repository. | Write | repository* | - | -
DeleteRepositoryPolicy | Grants permission to delete the repository policy from a specified repository. | Write | repository* | - | -
DescribeImageScanFindings | Grants permission to describe the image scan findings for the specified image. | Read | repository* | - | -
DescribeImages | Grants permission to get metadata about the images in a repository, including image size, image tags, and creation date. | Read | repository* | - | -
DescribeRegistry | Grants permission to describe the registry settings. | Read | - | - | -
DescribeRepositories | Grants permission to describe image repositories in a registry. | List | repository | - | -
GetAuthorizationToken | Grants permission to retrieve a token that is valid for a specified registry for 12 hours. | Read | - | - | -
GetDownloadUrlForLayer | Grants permission to retrieve the download URL corresponding to an image layer. | Read | repository* | - | -
GetLifecyclePolicy | Grants permission to retrieve the specified lifecycle policy. | Read | repository* | - | -
GetLifecyclePolicyPreview | Grants permission to retrieve the results of the specified lifecycle policy preview request. | Read | repository* | - | -
GetRegistryPolicy | Grants permission to retrieve the registry policy. | Read | - | - | -
GetRepositoryPolicy | Grants permission to retrieve the repository policy for a specified repository. | Read | repository* | - | -
InitiateLayerUpload | Grants permission to notify Amazon ECR that you intend to upload an image layer. | Write | repository* | - | -
ListImages | Grants permission to list all the image IDs for a given repository. | List | repository* | - | -
ListTagsForResource | Grants permission to list the tags for an Amazon ECR resource. | List | repository* | - | -
PutImage | Grants permission to create or update the image manifest associated with an image. | Write | repository* | - | -
PutImageScanningConfiguration | Grants permission to update the image scanning configuration for a repository. | Write | repository* | - | -
PutImageTagMutability | Grants permission to update the image tag mutability settings for a repository. | Write | repository* | - | -
PutLifecyclePolicy | Grants permission to create or update a lifecycle policy. | Write | repository* | - | -
PutRegistryPolicy | Grants permission to update the registry policy. | Write | - | - | -
PutReplicationConfiguration | Grants permission to update the replication configuration for the registry. | Write | - | - | -
ReplicateImage | Grants permission to replicate images to the destination registry. | Write | repository* | - | -
SetRepositoryPolicy | Grants permission to apply a repository policy on a specified repository to control access permissions. | Permissions management | repository* | - | -
StartImageScan | Grants permission to start an image scan. | Write | repository* | - | -
StartLifecyclePolicyPreview | Grants permission to start a preview of the specified lifecycle policy. | Write | repository* | - | -
TagResource | Grants permission to tag an Amazon ECR resource. | Tagging | repository* | aws:RequestTag/${TagKey}, aws:TagKeys | -
UntagResource | Grants permission to untag an Amazon ECR resource. | Tagging | repository* | - | -
UploadLayerPart | Grants permission to upload an image layer part to Amazon ECR. | Write | repository* | - | -


Resource types defined by Amazon Elastic Container Registry


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 694) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
repository | arn:${Partition}:ecr:${Region}:${Account}:repository/${RepositoryName} | aws:ResourceTag/${TagKey}, ecr:ResourceTag/${TagKey}

Condition keys for Amazon Elastic Container Registry


Amazon Elastic Container Registry defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions under
which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters create requests based on the allowed set of values for each of the tags. | String
aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource. | String
aws:TagKeys | Filters create requests based on the presence of mandatory tags in the request. | String
ecr:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource. | String
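An added example, not from the reference, of a pull-only identity policy for a deployment role built from the Amazon ECR tables above. The account ID 123456789012, Region us-east-1 and the Environment=production tag are constructed placeholders. The three pull actions all require the repository resource type, so they are scoped with the repository ARN pattern and further narrowed by ecr:ResourceTag, the service-specific tag key from the condition keys table. GetAuthorizationToken has no resource type and therefore takes "*". The explicit Deny covers SetRepositoryPolicy, the one action at the Permissions management access level, together with the two Write actions that weaken a repository's protections, so that no other policy attached to the same principal can grant them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PullFromProductionRepositoriesOnly",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/*",
      "Condition": {
        "StringEquals": {
          "ecr:ResourceTag/Environment": "production"
        }
      }
    },
    {
      "Sid": "RegistryLoginHasNoResourceType",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "NeverChangeRepositoryProtections",
      "Effect": "Deny",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:DeleteRepositoryPolicy",
        "ecr:PutImageTagMutability"
      ],
      "Resource": "*"
    }
  ]
}
```

Because ecr:ResourceTag is evaluated against tags on the repository, a repository that has not been tagged Environment=production is simply outside this role's reach, which is the behaviour a tag-based (ABAC) pull policy should have.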

Actions, resources, and condition keys for Amazon Elastic Container Registry Public
Amazon Elastic Container Registry Public (service prefix: ecr-public) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.


Topics
• Actions defined by Amazon Elastic Container Registry Public (p. 698)
• Resource types defined by Amazon Elastic Container Registry Public (p. 700)
• Condition keys for Amazon Elastic Container Registry Public (p. 700)

Actions defined by Amazon Elastic Container Registry Public


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
(A dash marks an empty cell.)
BatchCheckLayerAvailability | Grants permission to check the availability of multiple image layers in a specified registry and repository. | Read | repository* | - | -
BatchDeleteImage | Grants permission to delete a list of specified images within a specified repository. | Write | repository* | - | -
CompleteLayerUpload | Grants permission to inform Amazon ECR that the image layer upload for a specified registry, repository name, and upload ID has completed. | Write | repository* | - | -
CreateRepository | Grants permission to create an image repository. | Write | repository* | - | -
DeleteRepository | Grants permission to delete an existing image repository. | Write | repository* | - | -
DeleteRepositoryPolicy | Grants permission to delete the repository policy from a specified repository. | Write | repository* | - | -
DescribeImageTags | Grants permission to describe all the image tags for a given repository. | List | repository* | - | -
DescribeImages | Grants permission to get metadata about the images in a repository, including image size, image tags, and creation date. | Read | repository* | - | -
DescribeRegistries | Grants permission to retrieve the catalog data associated with a registry. | List | registry* | - | -
DescribeRepositories | Grants permission to describe image repositories in a registry. | List | repository | - | -
GetAuthorizationToken | Grants permission to retrieve a token that is valid for a specified registry for 12 hours. | Read | - | - | -
GetRegistryCatalogData | Grants permission to retrieve the catalog data associated with a registry. | Read | registry* | - | -
GetRepositoryCatalogData | Grants permission to retrieve the catalog data associated with a repository. | Read | repository* | - | -
GetRepositoryPolicy | Grants permission to retrieve the repository policy for a specified repository. | Read | repository* | - | -
InitiateLayerUpload | Grants permission to notify Amazon ECR that you intend to upload an image layer. | Write | repository* | - | -
PutImage | Grants permission to create or update the image manifest associated with an image. | Write | repository* | - | -
PutRegistryCatalogData | Grants permission to create and update the catalog data associated with a registry. | Write | registry* | - | -
PutRepositoryCatalogData | Grants permission to update the catalog data associated with a repository. | Write | repository* | - | -
SetRepositoryPolicy | Grants permission to apply a repository policy on a specified repository to control access permissions. | Permissions management | repository* | - | -
UploadLayerPart | Grants permission to upload an image layer part to Amazon ECR Public. | Write | repository* | - | -

Resource types defined by Amazon Elastic Container Registry Public
The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 698) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
repository | arn:${Partition}:ecr-public::${Account}:repository/${RepositoryName} | -
registry | arn:${Partition}:ecr-public::${Account}:registry/${RegistryId} | -

Condition keys for Amazon Elastic Container Registry Public
Elastic Container Registry Public has no service-specific context keys that can be used in the Condition
element of policy statements. For the list of the global context keys that are available to all services, see
Available keys for conditions.

Actions, resources, and condition keys for Amazon Elastic Container Service
Amazon Elastic Container Service (service prefix: ecs) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:
• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Elastic Container Service (p. 700)
• Resource types defined by Amazon Elastic Container Service (p. 708)
• Condition keys for Amazon Elastic Container Service (p. 709)

Actions defined by Amazon Elastic Container Service
You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateCapacityProvider | Creates a new capacity provider. Capacity providers are associated with an Amazon ECS cluster and are used in capacity provider strategies to facilitate cluster auto scaling. | Write | - | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateCluster | Creates a new Amazon ECS cluster. | Write | - | ecs:capacity-provider, aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateService | Runs and maintains a desired number of tasks from a specified task definition. | Write | service* | ecs:cluster, ecs:capacity-provider, ecs:task-definition, aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateTaskSet | Creates a new Amazon ECS task set. | Write | - | ecs:cluster, ecs:service, ecs:task-definition | -
DeleteAccountSetting | Modifies the ARN and resource ID format of a resource for a specified IAM user, IAM role, or the root user for an account. You can specify whether the new ARN and resource ID format are disabled for new resources that are created. | Write | - | - | -
DeleteAttributes | Deletes one or more custom attributes from an Amazon ECS resource. | Write | container-instance* | ecs:cluster | -
DeleteCapacityProvider | Deletes the specified capacity provider. | Write | capacity-provider* | - | -
DeleteCluster | Deletes the specified cluster. | Write | cluster* | - | -
DeleteService | Deletes a specified service within a cluster. | Write | service* | ecs:cluster | -
DeleteTaskSet | Deletes the specified task set. | Write | task-set* | ecs:cluster, ecs:service | -
DeregisterContainerInstance | Deregisters an Amazon ECS container instance from the specified cluster. | Write | cluster* | - | -
DeregisterTaskDefinition | Deregisters the specified task definition by family and revision. | Write | - | - | -
DescribeCapacityProviders | Describes one or more Amazon ECS capacity providers. | Read | capacity-provider* | - | -
DescribeClusters | Describes one or more of your clusters. | Read | cluster* | - | -
DescribeContainerInstances | Describes Amazon ECS container instances. | Read | container-instance* | ecs:cluster | -
DescribeServices | Describes the specified services running in your cluster. | Read | service* | ecs:cluster | -
DescribeTaskDefinition | Describes a task definition. You can specify a family and revision to find information about a specific task definition, or you can simply specify the family to find the latest ACTIVE revision in that family. | Read | - | - | -
DescribeTaskSets | Describes Amazon ECS task sets. | Read | task-set* | ecs:cluster, ecs:service | -
DescribeTasks | Describes a specified task or tasks. | Read | task* | ecs:cluster | -
DiscoverPollEndpoint | Returns an endpoint for the Amazon ECS agent to poll for updates. | Write | - | - | -
ListAccountSettings | Lists the account settings for an Amazon ECS resource for a specified principal. | List | - | - | -
ListAttributes | Lists the attributes for Amazon ECS resources within a specified target type and cluster. | List | cluster* | - | -
ListClusters | Returns a list of existing clusters. | List | - | - | -
ListContainerInstances | Returns a list of container instances in a specified cluster. | List | cluster* | - | -
ListServices | Lists the services that are running in a specified cluster. | List | - | ecs:cluster | -
ListTagsForResource | Lists tags for the specified resource. | List | cluster, container-instance, task, task-definition | - | -
ListTaskDefinitionFamilies | Returns a list of task definition families that are registered to your account (which may include task definition families that no longer have any ACTIVE task definitions). | List | - | - | -
ListTaskDefinitions | Returns a list of task definitions that are registered to your account. | List | - | - | -
ListTasks | Returns a list of tasks for a specified cluster. | List | container-instance* | ecs:cluster | -
Poll [permission only] | Grants permission to an agent to connect with the Amazon ECS service to report status and get commands. | Write | container-instance* | ecs:cluster | -
PutAccountSetting | Modifies the ARN and resource ID format of a resource for a specified IAM user, IAM role, or the root user for an account. You can specify whether the new ARN and resource ID format are enabled for new resources that are created. Enabling this setting is required to use new Amazon ECS features such as resource tagging. | Write | - | - | -
PutAccountSettingDefault | Modifies the ARN and resource ID format of a resource type for all IAM users on an account for which no individual account setting has been set. Enabling this setting is required to use new Amazon ECS features such as resource tagging. | Write | - | - | -
PutAttributes | Creates or updates an attribute on an Amazon ECS resource. | Write | container-instance* | ecs:cluster | -
PutClusterCapacityProviders | Modifies the available capacity providers and the default capacity provider strategy for a cluster. | Write | capacity-provider* | ecs:capacity-provider | -
RegisterContainerInstance | Registers an EC2 instance into the specified cluster. | Write | cluster* | aws:RequestTag/${TagKey}, aws:TagKeys | -
RegisterTaskDefinition | Registers a new task definition from the supplied family and containerDefinitions. | Write | - | aws:RequestTag/${TagKey}, aws:TagKeys | -
RunTask | Starts a task using random placement and the default Amazon ECS scheduler. | Write | task-definition* | ecs:cluster, ecs:capacity-provider, aws:RequestTag/${TagKey}, aws:TagKeys | -
StartTask | Starts a new task from the specified task definition on the specified container instance or instances. | Write | task-definition* | ecs:cluster, ecs:container-instances, aws:RequestTag/${TagKey}, aws:TagKeys | -
StartTelemetrySession | Grants permission to start a telemetry session. | Write | container-instance* | ecs:cluster | -
StopTask | Stops a running task. | Write | task* | ecs:cluster | -
SubmitAttachmentStateChanges | Sent to acknowledge that attachments changed states. | Write | cluster* | - | -
SubmitContainerStateChange | Sent to acknowledge that a container changed states. | Write | cluster* | - | -
SubmitTaskStateChange | Sent to acknowledge that a task changed states. | Write | cluster* | - | -
TagResource | Tags the specified resource. | Tagging | cluster, container-instance, service, task, task-definition | aws:TagKeys, aws:RequestTag/${TagKey} | -
UntagResource | Untags the specified resource. | Tagging | cluster, container-instance, service, task, task-definition | aws:TagKeys | -
UpdateClusterSettings | Modifies the settings to use for a cluster. | Write | cluster* | - | -
UpdateContainerAgent | Updates the Amazon ECS container agent on a specified container instance. | Write | container-instance* | ecs:cluster | -
UpdateContainerInstancesState | Enables the user to modify the status of an Amazon ECS container instance. | Write | container-instance* | ecs:cluster | -
UpdateService | Modifies the parameters of a service. | Write | service* | ecs:cluster, ecs:capacity-provider, ecs:task-definition | -
UpdateServicePrimaryTaskSet | Modifies the primary task set used in a service. | Write | service* | ecs:cluster | -
UpdateTaskSet | Updates the specified task set. | Write | task-set* | ecs:cluster, ecs:service | -
Resource types defined by Amazon Elastic Container Service
The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 700) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
cluster | arn:${Partition}:ecs:${Region}:${Account}:cluster/${ClusterName} | aws:ResourceTag/${TagKey}, ecs:ResourceTag/${TagKey}
container-instance | arn:${Partition}:ecs:${Region}:${Account}:container-instance/${ContainerInstanceId} | aws:ResourceTag/${TagKey}, ecs:ResourceTag/${TagKey}
service | arn:${Partition}:ecs:${Region}:${Account}:service/${ServiceName} | aws:ResourceTag/${TagKey}, ecs:ResourceTag/${TagKey}
task | arn:${Partition}:ecs:${Region}:${Account}:task/${TaskId} | aws:ResourceTag/${TagKey}, ecs:ResourceTag/${TagKey}
task-definition | arn:${Partition}:ecs:${Region}:${Account}:task-definition/${TaskDefinitionFamilyName}:${TaskDefinitionRevisionNumber} | aws:ResourceTag/${TagKey}, ecs:ResourceTag/${TagKey}
capacity-provider | arn:${Partition}:ecs:${Region}:${Account}:capacity-provider/${CapacityProviderName} | aws:ResourceTag/${TagKey}, ecs:ResourceTag/${TagKey}
task-set | arn:${Partition}:ecs:${Region}:${Account}:task-set/${ClusterName}/${ServiceName}/${TaskSetId} | aws:ResourceTag/${TagKey}, ecs:ResourceTag/${TagKey}
Condition keys for Amazon Elastic Container Service
Amazon Elastic Container Service defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions under
which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request. | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request. | String
ecs:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String
ecs:capacity-provider | The ARN of an Amazon ECS capacity provider. | ARN
ecs:cluster | The ARN of an Amazon ECS cluster. | ARN
ecs:container-instances | The ARN of an Amazon ECS container instance. | ARN
ecs:service | The ARN of an Amazon ECS service. | ARN
ecs:task-definition | The ARN of an Amazon ECS task definition. | ARN
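The rules the Resource types column encodes can be checked mechanically: an action with no resource type (ecr-public:GetAuthorizationToken, ecs:ListClusters) only ever matches Resource "*", an action with a required type (ecs:RunTask on task-definition*) needs an ARN of that type, and a service condition key such as ecs:cluster only applies to the actions whose rows list it. The Python below is an added example written for this reference, not AWS tooling. It hand-copies a subset of the ECR Public and ECS rows and the ARN templates from the resource types tables (note that ecr-public ARNs have an empty Region field), builds a least-privilege policy for a CI role that pushes one public repository and runs one task definition family in one cluster, and flags three common mistakes. The account ID, region, repository, family and cluster names are placeholders.

```python
"""Check IAM Allow statements against the action and resource type tables.
Added example for this reference, not AWS code. ACTION_TABLE and
ARN_TEMPLATES are hand-copied subsets of the ECR Public and ECS tables."""
import fnmatch

# action -> (required resource types, optional resource types, condition keys)
ACTION_TABLE = {
    "ecr-public:GetAuthorizationToken": (set(), set(), set()),
    "ecr-public:InitiateLayerUpload": ({"repository"}, set(), set()),
    "ecr-public:UploadLayerPart": ({"repository"}, set(), set()),
    "ecr-public:CompleteLayerUpload": ({"repository"}, set(), set()),
    "ecr-public:PutImage": ({"repository"}, set(), set()),
    "ecs:ListClusters": (set(), set(), set()),
    "ecs:DescribeClusters": ({"cluster"}, set(), set()),
    "ecs:RunTask": ({"task-definition"}, set(),
                    {"ecs:cluster", "ecs:capacity-provider",
                     "aws:RequestTag/${TagKey}", "aws:TagKeys"}),
    "ecs:StopTask": ({"task"}, set(), {"ecs:cluster"}),
    "ecs:ListTagsForResource": (set(), {"cluster", "container-instance",
                                        "task", "task-definition"}, set()),
}

# ARN templates from the resource types tables; "::" records the empty
# Region field of ecr-public ARNs.
ARN_TEMPLATES = {
    "repository": "arn:${Partition}:ecr-public::${Account}:repository/${RepositoryName}",
    "cluster": "arn:${Partition}:ecs:${Region}:${Account}:cluster/${ClusterName}",
    "task": "arn:${Partition}:ecs:${Region}:${Account}:task/${TaskId}",
    "task-definition": "arn:${Partition}:ecs:${Region}:${Account}:task-definition/"
                       "${TaskDefinitionFamilyName}:${TaskDefinitionRevisionNumber}",
    "container-instance": "arn:${Partition}:ecs:${Region}:${Account}:"
                          "container-instance/${ContainerInstanceId}",
}


def arn_resource_type(arn):
    """Map a policy ARN (wildcards allowed) to a resource type name, "*" for
    a service-wide wildcard resource, or None if no template matches its
    service, Region shape and resource prefix."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    service, region, resource = parts[2], parts[3], parts[5]
    if resource == "*":
        return "*"
    for name, template in ARN_TEMPLATES.items():
        t = template.split(":", 5)
        if t[2] != service or (t[3] == "") != (region == ""):
            continue
        if resource.split("/", 1)[0] == t[5].split("/", 1)[0]:
            return name
    return None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_statement(stmt):
    """Return findings (strings) for one Allow statement; [] means clean."""
    findings = []
    actions = [a for pat in _as_list(stmt.get("Action", []))
               for a in ACTION_TABLE if fnmatch.fnmatchcase(a, pat)]
    cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
    for action in actions:
        required, optional, allowed_keys = ACTION_TABLE[action]
        supported = required | optional
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                continue
            if not supported:
                findings.append(f'{action}: supports no resource-level permissions, '
                                f'Resource must be "*" (got {res})')
                continue
            rtype = arn_resource_type(res)
            if rtype != "*" and rtype not in supported:
                findings.append(f"{action}: {res} is not a "
                                f"{'/'.join(sorted(supported))} ARN")
        for key in cond_keys:
            norm = "aws:RequestTag/${TagKey}" if key.startswith("aws:RequestTag/") else key
            if norm.startswith("aws:") and norm not in ("aws:TagKeys", "aws:RequestTag/${TagKey}"):
                continue  # other global keys apply to every action
            if norm not in allowed_keys:
                findings.append(f"{action}: condition key {key} is not listed for this action")
    return findings


def check_policy(policy):
    return [f for s in policy["Statement"] if s.get("Effect") == "Allow"
            for f in check_statement(s)]


def push_and_run_policy(account, region, repo, family, cluster):
    """Least-privilege policy: push one ECR Public repository, run one task
    definition family, and only in one cluster (all names are placeholders)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ecr-public:GetAuthorizationToken",
         "Resource": "*"},  # no resource type in the table, so "*"
        {"Effect": "Allow",
         "Action": ["ecr-public:InitiateLayerUpload", "ecr-public:UploadLayerPart",
                    "ecr-public:CompleteLayerUpload", "ecr-public:PutImage"],
         "Resource": f"arn:aws:ecr-public::{account}:repository/{repo}"},
        {"Effect": "Allow", "Action": "ecs:RunTask",
         "Resource": f"arn:aws:ecs:{region}:{account}:task-definition/{family}:*",
         "Condition": {"ArnEquals": {"ecs:cluster":
                       f"arn:aws:ecs:{region}:{account}:cluster/{cluster}"}}},
    ]}


# Constructed policy showing the three mistakes the checker reports.
MISTAKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecs:ListClusters",  # never matches an ARN
     "Resource": "arn:aws:ecs:us-east-1:123456789012:cluster/prod"},
    {"Effect": "Allow", "Action": "ecr-public:PutImage",  # Region does not belong here
     "Resource": "arn:aws:ecr-public:us-east-1:123456789012:repository/app"},
    {"Effect": "Allow", "Action": "ecs:StopTask",  # StopTask lists ecs:cluster only
     "Resource": "arn:aws:ecs:us-east-1:123456789012:task/*",
     "Condition": {"ArnEquals": {"ecs:task-definition":
                   "arn:aws:ecs:us-east-1:123456789012:task-definition/app:*"}}},
]}
```

The checker only proves shape, not intent: a statement that passes may still be broader than needed, and a statement it flags does not fail closed in IAM, it simply never grants anything (the ListClusters case) or grants nothing because the ARN can never match (the mis-regioned ecr-public case).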

Actions, resources, and condition keys for Amazon Elastic Container Service for Kubernetes
Amazon Elastic Container Service for Kubernetes (service prefix: eks) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:
• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Elastic Container Service for Kubernetes (p. 710)
• Resource types defined by Amazon Elastic Container Service for Kubernetes (p. 714)
• Condition keys for Amazon Elastic Container Service for Kubernetes (p. 714)

Actions defined by Amazon Elastic Container Service for Kubernetes
You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AccessKubernetesApi [permission only] | Permission to view Kubernetes objects via the AWS EKS console | Read | cluster* | - | -
CreateAddon | Creates an Amazon EKS add-on. | Write | cluster* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateCluster | Creates an Amazon EKS cluster. | Write | - | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateFargateProfile | Creates an AWS Fargate profile. | Write | cluster* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateNodegroup | Creates an Amazon EKS Nodegroup. | Write | cluster* | aws:RequestTag/${TagKey}, aws:TagKeys | -
DeleteAddon | Deletes an Amazon EKS add-on. | Write | addon* | - | -
DeleteCluster | Deletes an Amazon EKS cluster. | Write | cluster* | - | -
DeleteFargateProfile | Deletes an AWS Fargate profile. | Write | fargateprofile* | - | -
DeleteNodegroup | Deletes an Amazon EKS Nodegroup. | Write | nodegroup* | - | -
DescribeAddon | Returns descriptive information about an Amazon EKS add-on. | Read | addon* | - | -
DescribeAddonVersions | Returns descriptive version information about the add-ons that Amazon EKS Add-ons supports. | Read | - | - | -
DescribeCluster | Returns descriptive information about an Amazon EKS cluster. | Read | cluster* | - | -
DescribeFargateProfile | Returns descriptive information about an AWS Fargate profile associated with a cluster. | Read | fargateprofile* | - | -
DescribeNodegroup | Returns descriptive information about an Amazon EKS nodegroup. | Read | nodegroup* | - | -
DescribeUpdate | Describes a given update for a given Amazon EKS cluster/nodegroup/add-on (in the specified or default region). | Read | cluster*, addon, nodegroup | - | -
ListAddons | Lists the Amazon EKS add-ons in your AWS account (in the specified or default region) for a given cluster. | List | cluster* | - | -
ListClusters | Lists the Amazon EKS clusters in your AWS account (in the specified or default region). | List | - | - | -
ListFargateProfiles | Lists the AWS Fargate profiles in your AWS account (in the specified or default region) associated with a given cluster. | List | cluster* | - | -
ListNodegroups | Lists the Amazon EKS nodegroups in your AWS account (in the specified or default region) attached to a given cluster. | List | cluster* | - | -
ListTagsForResource | Lists tags for the specified resource. | List | addon, cluster, fargateprofile, nodegroup | - | -
ListUpdates | Lists the updates for a given Amazon EKS cluster/nodegroup/add-on (in the specified or default region). | List | cluster*, addon, nodegroup | - | -
TagResource | Tags the specified resource. | Tagging | addon, cluster, fargateprofile, nodegroup | aws:RequestTag/${TagKey}, aws:TagKeys | -
UntagResource | Untags the specified resource. | Tagging | addon, cluster, fargateprofile, nodegroup | aws:TagKeys | -
UpdateAddon | Updates Amazon EKS add-on configurations, such as the VPC-CNI version. | Write | addon* | - | -
UpdateClusterConfig | Updates Amazon EKS cluster configurations (for example, API server endpoint access). | Write | cluster* | - | -
UpdateClusterVersion | Updates the Kubernetes version of an Amazon EKS cluster. | Write | cluster* | - | -
UpdateNodegroupConfig | Updates Amazon EKS nodegroup configurations (for example, min/max/desired capacity or labels). | Write | nodegroup* | - | -
UpdateNodegroupVersion | Updates the Kubernetes version of an Amazon EKS nodegroup. | Write | nodegroup* | - | -
Resource types defined by Amazon Elastic Container Service for Kubernetes
The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 710) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
cluster | arn:${Partition}:eks:${Region}:${Account}:cluster/${ClusterName} | aws:ResourceTag/${TagKey}
nodegroup | arn:${Partition}:eks:${Region}:${Account}:nodegroup/${ClusterName}/${NodegroupName}/${UUID} | aws:ResourceTag/${TagKey}
addon | arn:${Partition}:eks:${Region}:${Account}:addon/${ClusterName}/${AddonName}/${UUID} | aws:ResourceTag/${TagKey}
fargateprofile | arn:${Partition}:eks:${Region}:${Account}:fargateprofile/${ClusterName}/${FargateProfileName}/${UUID} | aws:ResourceTag/${TagKey}

Condition keys for Amazon Elastic Container Service for Kubernetes
Amazon Elastic Container Service for Kubernetes defines the following condition keys that can be used
in the Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters access by a key that is present in the request the user makes to the EKS service. | String
aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair. | String
aws:TagKeys | Filters access by the list of all the tag key names present in the request the user makes to the EKS service. | String

Actions, resources, and condition keys for Amazon Elastic File System
Amazon Elastic File System (service prefix: elasticfilesystem) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:
• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Elastic File System (p. 715)
• Resource types defined by Amazon Elastic File System (p. 719)
• Condition keys for Amazon Elastic File System (p. 719)

Actions defined by Amazon Elastic File System
You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
Backup [permission only] | Starts a backup job for an existing file system. | Write | file-system* | - | -
ClientMount [permission only] | Permission for allowing read access to a file system. | Read | file-system* | elasticfilesystem:AccessPointArn | -
ClientRootAccess [permission only] | Permission for allowing root access to a file system. | Write | file-system* | elasticfilesystem:AccessPointArn | -
ClientWrite [permission only] | Permission for allowing write access to a file system. | Write | file-system* | elasticfilesystem:AccessPointArn | -
CreateAccessPoint | Creates an access point for the specified file system. | Write | file-system* | - | -
CreateFileSystem | Creates a new, empty file system. | Tagging | - | aws:RequestTag/${TagKey}, aws:TagKeys, elasticfilesystem:Encrypted | -
CreateMountTarget | Creates a mount target for a file system. | Write | file-system* | - | -
CreateTags | Creates or overwrites tags associated with a file system. | Tagging | file-system* | aws:RequestTag/${TagKey}, aws:TagKeys | -
DeleteAccessPoint | Deletes the specified access point. | Write | access-point* | - | -
DeleteFileSystem | Deletes a file system, permanently severing access to its contents. | Write | file-system* | - | -
DeleteFileSystemPolicy | Clears the resource-level policy for a given file system. | Write | file-system* | - | -
DeleteMountTarget | Deletes the specified mount target. | Write | file-system* | - | -
DeleteTags | Deletes the specified tags from a file system. | Tagging | file-system* | aws:TagKeys | -
DescribeAccessPoints | Returns the descriptions of Amazon EFS access points. | List | access-point, file-system | - | -
DescribeBackupPolicy | Returns the current BackupPolicy object for the specified Amazon EFS file system. | Read | file-system* | - | -
DescribeFileSystemPolicy | Returns the current resource-level policy for a given file system. | Read | file-system | - | -
DescribeFileSystems | Returns the description of a specific Amazon EFS file system if either the file system CreationToken or the FileSystemId is provided; otherwise, returns descriptions of all file systems owned by the caller's AWS account in the AWS region of the endpoint that you're calling. | List | file-system | - | -
DescribeLifecycleConfiguration | Returns the current LifecycleConfiguration object for the specified Amazon EFS file system. | Read | file-system* | - | -
DescribeMountTargetSecurityGroups | Returns the security groups currently in effect for a mount target. | Read | - | - | -
DescribeMountTargets | Returns the descriptions of all the current mount targets, or a specific mount target, for a file system. | Read | file-system*, access-point | - | -
DescribeTags | Returns the tags associated with a file system. | Read | file-system* | - | -
ListTagsForResource | Returns the tags associated with the specified Amazon EFS resource. | Read | access-point, file-system | - | -
ModifyMountTargetSecurityGroups | Modifies the set of security groups in effect for a mount target. | Write | - | - | -
PutBackupPolicy | Enables automatic backups with AWS Backup by creating a new BackupPolicy object. | Write | file-system* | - | -
PutFileSystemPolicy | Applies a resource-level policy granting and/or restricting actions from given actors for the specified file system. | Write | file-system* | - | -
PutLifecycleConfiguration | Enables lifecycle management by creating a new LifecycleConfiguration object. | Write | file-system* | - | -
Restore [permission only] | Starts a restore job for an existing file system. | Write | file-system* | - | -
TagResource | Creates or overwrites tags associated with the specified Amazon EFS resource. | Tagging | access-point, file-system | - | -
UntagResource | Deletes the specified tags from a specified Amazon EFS resource. | Tagging | access-point, file-system | - | -
UpdateFileSystem | Updates the throughput mode or the amount of provisioned throughput of an existing file system. | Write | file-system* | - | -

Resource types defined by Amazon Elastic File System


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 715) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
file-system | arn:${Partition}:elasticfilesystem:${Region}:${Account}:file-system/${FileSystemId} | aws:ResourceTag/${TagKey} (p. 719)
access-point | arn:${Partition}:elasticfilesystem:${Region}:${Account}:access-point/${AccessPointId} | aws:ResourceTag/${TagKey} (p. 719)

Condition keys for Amazon Elastic File System


Amazon Elastic File System defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String
elasticfilesystem:AccessPointArn | The ARN of the access point used to mount the file system | String
elasticfilesystem:Encrypted | Control encryption behavior for new EFS file systems | Bool

Actions, resources, and condition keys for Amazon Elastic Inference
Amazon Elastic Inference (service prefix: elastic-inference) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Elastic Inference (p. 720)
• Resource types defined by Amazon Elastic Inference (p. 720)
• Condition keys for Amazon Elastic Inference (p. 721)

Actions defined by Amazon Elastic Inference


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
Connect | Connects customer to Elastic Inference accelerator | Write | accelerator* (p. 721) | |

Resource types defined by Amazon Elastic Inference


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 720) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
accelerator | arn:${Partition}:elastic-inference:${Region}:${Account}:elastic-inference-accelerator/${AcceleratorId} |

Condition keys for Amazon Elastic Inference


EI has no service-specific context keys that can be used in the Condition element of policy statements.
For the list of the global context keys that are available to all services, see Available keys for conditions.

Actions, resources, and condition keys for Elastic Load Balancing
Elastic Load Balancing (service prefix: elasticloadbalancing) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Elastic Load Balancing (p. 721)
• Resource types defined by Elastic Load Balancing (p. 724)
• Condition keys for Elastic Load Balancing (p. 724)

Actions defined by Elastic Load Balancing


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddTags | Adds the specified tags to the specified load balancer. Each load balancer can have a maximum of 10 tags | Tagging | loadbalancer* (p. 724) | aws:RequestTag/${TagKey} (p. 725), aws:TagKeys (p. 725) |
ApplySecurityGroupsToLoadBalancer | Associates one or more security groups with your load balancer in a virtual private cloud (VPC) | Write | loadbalancer* (p. 724) | |
AttachLoadBalancerToSubnets | Adds one or more subnets to the set of configured subnets for the specified load balancer | Write | loadbalancer* (p. 724) | |
ConfigureHealthCheck | Specifies the health check settings to use when evaluating the health state of your back-end instances | Write | loadbalancer* (p. 724) | |
CreateAppCookieStickinessPolicy | Generates a stickiness policy with sticky session lifetimes that follow that of an application-generated cookie | Write | loadbalancer* (p. 724) | |
CreateLBCookieStickinessPolicy | Generates a stickiness policy with sticky session lifetimes controlled by the lifetime of the browser (user-agent) or a specified expiration period | Write | loadbalancer* (p. 724) | |
CreateLoadBalancer | Creates a load balancer | Write | loadbalancer (p. 724) | aws:RequestTag/${TagKey} (p. 725), aws:TagKeys (p. 725) |
CreateLoadBalancerListeners | Creates one or more listeners for the specified load balancer | Write | loadbalancer* (p. 724) | |
CreateLoadBalancerPolicy | Creates a policy with the specified attributes for the specified load balancer | Write | loadbalancer* (p. 724) | |
DeleteLoadBalancer | Deletes the specified load balancer | Write | loadbalancer* (p. 724) | |
DeleteLoadBalancerListeners | Deletes the specified listeners from the specified load balancer | Write | loadbalancer* (p. 724) | |
DeleteLoadBalancerPolicy | Deletes the specified policy from the specified load balancer. This policy must not be enabled for any listeners | Write | loadbalancer* (p. 724) | |
DeregisterInstancesFromLoadBalancer | Deregisters the specified instances from the specified load balancer | Write | loadbalancer* (p. 724) | |
DescribeInstanceHealth | Describes the state of the specified instances with respect to the specified load balancer | Read | | |
DescribeLoadBalancerAttributes | Describes the attributes for the specified load balancer | Read | | |
DescribeLoadBalancerPolicies | Describes the specified policies | Read | | |
DescribeLoadBalancerPolicyTypes | Describes the specified load balancer policy types | Read | | |
DescribeLoadBalancers | Describes the specified load balancers. If no load balancers are specified, the call describes all of your load balancers | List | | |
DescribeTags | Describes the tags associated with the specified load balancers | Read | loadbalancer* (p. 724) | |
DetachLoadBalancerFromSubnets | Removes the specified subnets from the set of configured subnets for the load balancer | Write | loadbalancer* (p. 724) | |
DisableAvailabilityZonesForLoadBalancer | Removes the specified Availability Zones from the set of Availability Zones for the specified load balancer | Write | loadbalancer* (p. 724) | |
EnableAvailabilityZonesForLoadBalancer | Adds the specified Availability Zones to the set of Availability Zones for the specified load balancer | Write | loadbalancer* (p. 724) | |
ModifyLoadBalancerAttributes | Modifies the attributes of the specified load balancer | Write | loadbalancer* (p. 724) | |
RegisterInstancesWithLoadBalancer | Adds the specified instances to the specified load balancer | Write | loadbalancer* (p. 724) | |
RemoveTags | Removes one or more tags from the specified load balancer | Tagging | loadbalancer* (p. 724) | aws:RequestTag/${TagKey} (p. 725), aws:TagKeys (p. 725) |
SetLoadBalancerListenerSSLCertificate | Sets the certificate that terminates the specified listener's SSL connections | Write | loadbalancer* (p. 724) | |
SetLoadBalancerPoliciesForBackendServer | Replaces the set of policies associated with the specified port on which the back-end server is listening with a new set of policies | Write | loadbalancer* (p. 724) | |
SetLoadBalancerPoliciesOfListener | Replaces the current set of policies for the specified load balancer port with the specified set of policies | Write | loadbalancer* (p. 724) | |
Resource types defined by Elastic Load Balancing


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 721) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
loadbalancer | arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/${LoadBalancerName} | aws:ResourceTag/${TagKey} (p. 725), elasticloadbalancing:ResourceTag/${TagKey} (p. 725)

Condition keys for Elastic Load Balancing


Elastic Load Balancing defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | A key that is present in the request the user makes to the ELB service | String
aws:ResourceTag/${TagKey} | Global tag key and value pair | String
aws:TagKeys | The list of all the tag key names associated with the resource in the request | String
elasticloadbalancing:ResourceTag/ | The preface string for a tag key and value pair attached to a resource | String
elasticloadbalancing:ResourceTag/${TagKey} | A tag key and value pair | String

Actions, resources, and condition keys for Elastic Load Balancing V2
Elastic Load Balancing V2 (service prefix: elasticloadbalancing) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Elastic Load Balancing V2 (p. 725)
• Resource types defined by Elastic Load Balancing V2 (p. 731)
• Condition keys for Elastic Load Balancing V2 (p. 732)

Actions defined by Elastic Load Balancing V2


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddListenerCertificates | Adds the specified certificates to the specified secure listener | Write | listener/app* (p. 731), listener/net* (p. 731) | |
AddTags | Adds the specified tags to the specified load balancer. Each load balancer can have a maximum of 10 tags | Tagging | listener-rule/app (p. 731), listener-rule/net (p. 732), listener/app (p. 731), listener/net (p. 731), loadbalancer/app/ (p. 732), loadbalancer/net/ (p. 732), targetgroup (p. 732) | aws:RequestTag/${TagKey} (p. 732), aws:TagKeys (p. 732) |
CreateListener | Creates a listener for the specified Application Load Balancer | Write | loadbalancer/app/ (p. 732), loadbalancer/net/ (p. 732) | aws:RequestTag/${TagKey} (p. 732), aws:TagKeys (p. 732) |
CreateLoadBalancer | Creates a load balancer | Write | loadbalancer/app/ (p. 732), loadbalancer/net/ (p. 732) | aws:RequestTag/${TagKey} (p. 732), aws:TagKeys (p. 732) |
CreateRule | Creates a rule for the specified listener | Write | listener/app* (p. 731), listener/net* (p. 731) | aws:RequestTag/${TagKey} (p. 732), aws:TagKeys (p. 732) |
CreateTargetGroup | Creates a target group. | Write | targetgroup* (p. 732) | aws:RequestTag/${TagKey} (p. 732), aws:TagKeys (p. 732) |
DeleteListener | Deletes the specified listener | Write | listener/app* (p. 731), listener/net* (p. 731) | |
DeleteLoadBalancer | Deletes the specified load balancer | Write | loadbalancer/app/ (p. 732), loadbalancer/net/ (p. 732) | |
DeleteRule | Deletes the specified rule | Write | listener-rule/app* (p. 731), listener-rule/net* (p. 732) | |
DeleteTargetGroup | Deletes the specified target group | Write | targetgroup* (p. 732) | |
DeregisterTargets | Deregisters the specified targets from the specified target group | Write | targetgroup* (p. 732) | |
DescribeAccountLimits | Describes the Elastic Load Balancing resource limits for the AWS account | Read | | |
DescribeListenerCertificates | Describes the certificates for the specified secure listener | Read | | |
DescribeListeners | Describes the specified listeners or the listeners for the specified Application Load Balancer | Read | | |
DescribeLoadBalancerAttributes | Describes the attributes for the specified load balancer | Read | | |
DescribeLoadBalancers | Describes the specified load balancers. If no load balancers are specified, the call describes all of your load balancers | Read | | |
DescribeRules | Describes the specified rules or the rules for the specified listener | Read | | |
DescribeSSLPolicies | Describes the specified policies or all policies used for SSL negotiation | Read | | |
DescribeTags | Describes the tags associated with the specified resource | Read | listener-rule/app (p. 731), listener-rule/net (p. 732), listener/app (p. 731), listener/net (p. 731), loadbalancer/app/ (p. 732), loadbalancer/net/ (p. 732), targetgroup (p. 732) | |
DescribeTargetGroupAttributes | Describes the attributes for the specified target group | Read | | |
DescribeTargetGroups | Describes the specified target groups or all of your target groups | Read | | |
DescribeTargetHealth | Describes the health of the specified targets or all of your targets | Read | | |
ModifyListener | Modifies the specified properties of the specified listener | Write | listener/app* (p. 731), listener/net* (p. 731) | |
ModifyLoadBalancerAttributes | Modifies the attributes of the specified load balancer | Write | loadbalancer/app/ (p. 732), loadbalancer/net/ (p. 732) | |
ModifyRule | Modifies the specified rule | Write | listener-rule/app* (p. 731), listener-rule/net* (p. 732) | |
ModifyTargetGroup | Modifies the health checks used when evaluating the health state of the targets in the specified target group | Write | targetgroup* (p. 732) | |
ModifyTargetGroupAttributes | Modifies the specified attributes of the specified target group | Write | targetgroup* (p. 732) | |
RegisterTargets | Registers the specified targets with the specified target group | Write | targetgroup* (p. 732) | |
RemoveListenerCertificates | Removes the specified certificates of the specified secure listener | Write | listener/app* (p. 731), listener/net* (p. 731) | |
RemoveTags | Removes one or more tags from the specified load balancer | Tagging | listener-rule/app (p. 731), listener-rule/net (p. 732), listener/app (p. 731), listener/net (p. 731), loadbalancer/app/ (p. 732), loadbalancer/net/ (p. 732), targetgroup (p. 732) | aws:RequestTag/${TagKey} (p. 732), aws:TagKeys (p. 732) |
SetIpAddressType | Not found | Write | loadbalancer/app/ (p. 732), loadbalancer/net/ (p. 732) | |
SetRulePriorities | Sets the priorities of the specified rules | Write | listener-rule/app* (p. 731), listener-rule/net* (p. 732) | |
SetSecurityGroups | Associates the specified security groups with the specified load balancer | Write | loadbalancer/app/ (p. 732), loadbalancer/net/ (p. 732) | |
SetSubnets | Enables the Availability Zone for the specified subnets for the specified load balancer | Write | loadbalancer/app/ (p. 732), loadbalancer/net/ (p. 732) | |
SetWebAcl [permission only] | Gives WebAcl permission to WAF | Write | | |

Resource types defined by Elastic Load Balancing V2


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 725) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
listener/app | arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener/app/${LoadBalancerName}/${LoadBalancerId}/${ListenerId} | aws:ResourceTag/${TagKey} (p. 732), elasticloadbalancing:ResourceTag/${TagKey} (p. 732)
listener-rule/app | arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener-rule/app/${LoadBalancerName}/${LoadBalancerId}/${ListenerId}/${ListenerRuleId} | aws:ResourceTag/${TagKey} (p. 732), elasticloadbalancing:ResourceTag/${TagKey} (p. 732)
listener/net | arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener/net/${LoadBalancerName}/${LoadBalancerId}/${ListenerId} | aws:ResourceTag/${TagKey} (p. 732), elasticloadbalancing:ResourceTag/${TagKey} (p. 732)
listener-rule/net | arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener-rule/net/${LoadBalancerName}/${LoadBalancerId}/${ListenerId}/${ListenerRuleId} | aws:ResourceTag/${TagKey} (p. 732), elasticloadbalancing:ResourceTag/${TagKey} (p. 732)
loadbalancer/app/ | arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/app/${LoadBalancerName}/${LoadBalancerId} | aws:ResourceTag/${TagKey} (p. 732), elasticloadbalancing:ResourceTag/${TagKey} (p. 732)
loadbalancer/net/ | arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/net/${LoadBalancerName}/${LoadBalancerId} | aws:ResourceTag/${TagKey} (p. 732), elasticloadbalancing:ResourceTag/${TagKey} (p. 732)
targetgroup | arn:${Partition}:elasticloadbalancing:${Region}:${Account}:targetgroup/${TargetGroupName}/${TargetGroupId} | aws:ResourceTag/${TagKey} (p. 732), elasticloadbalancing:ResourceTag/${TagKey} (p. 732)

Condition keys for Elastic Load Balancing V2


Elastic Load Balancing V2 defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | A key that is present in the request the user makes to the ELB service | String
aws:ResourceTag/${TagKey} | Global tag key and value pair | String
aws:TagKeys | The list of all the tag key names associated with the resource in the request | String
elasticloadbalancing:ResourceTag/${TagKey} | A tag key and value pair | String

Actions, resources, and condition keys for Amazon Elastic MapReduce
Amazon Elastic MapReduce (service prefix: elasticmapreduce) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Elastic MapReduce (p. 733)
• Resource types defined by Amazon Elastic MapReduce (p. 737)
• Condition keys for Amazon Elastic MapReduce (p. 738)

Actions defined by Amazon Elastic MapReduce


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Note
The DescribeJobFlows API is deprecated and will eventually be removed. We recommend you
use ListClusters, DescribeCluster, ListSteps, ListInstanceGroups and ListBootstrapActions instead.

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddInstanceFleet | Grants permission to add an instance fleet to a running cluster. | Write | cluster* (p. 737) | |
AddInstanceGroups | Grants permission to add instance groups to a running cluster. | Write | cluster* (p. 737) | |
AddJobFlowSteps | Grants permission to add new steps to a running cluster. | Write | cluster* (p. 737) | |
AddTags | Grants permission to add tags to an Amazon EMR resource. | Tagging | cluster (p. 737), editor (p. 737) | aws:RequestTag/${TagKey} (p. 738), aws:TagKeys (p. 738), elasticmapreduce:RequestTag/${TagKey} (p. 738) |
CancelSteps | Grants permission to cancel a pending step or steps in a running cluster. | Write | cluster* (p. 737) | |
CreateEditor [permission only] | Grants permission to create an EMR notebook. | Write | cluster* (p. 737) | aws:RequestTag/${TagKey} (p. 738), aws:TagKeys (p. 738), elasticmapreduce:RequestTag/${TagKey} (p. 738) |
CreateSecurityConfiguration | Grants permission to create a security configuration. | Write | | |
DeleteEditor [permission only] | Grants permission to delete an EMR notebook. | Write | editor* (p. 737) | |
DeleteSecurityConfiguration | Grants permission to delete a security configuration. | Write | | |
DescribeCluster | Grants permission to get details about a cluster, including status, hardware and software configuration, VPC settings, and so on. | Read | cluster* (p. 737) | |
DescribeEditor [permission only] | Grants permission to view information about a notebook, including status, user, role, tags, location, and more. | Read | editor* (p. 737) | |
DescribeJobFlows | This API is deprecated and will eventually be removed. We recommend you use ListClusters, DescribeCluster, ListSteps, ListInstanceGroups and ListBootstrapActions instead. | Read | cluster* (p. 737) | |
DescribeSecurityConfiguration | Grants permission to get details of a security configuration. | Read | | |
DescribeStep | Grants permission to get details about a cluster step. | Read | cluster* (p. 737) | |
GetBlockPublicAccessConfiguration | Grants permission to retrieve the EMR block public access configuration for the AWS account in the Region. | Read | | |
GetManagedScalingPolicy | Grants permission to retrieve the managed scaling policy associated with a cluster. | Read | cluster* (p. 737) | |
ListBootstrapActions | Grants permission to get details about the bootstrap actions associated with a cluster. | Read | cluster* (p. 737) | |
ListClusters | Grants permission to get the status of accessible clusters. | List | | |
ListEditors [permission only] | Grants permission to list summary information for accessible EMR notebooks. | List | | |
ListInstanceFleets | Grants permission to get details of instance fleets in a cluster. | Read | cluster* (p. 737) | |
ListInstanceGroups | Grants permission to get details of instance groups in a cluster. | Read | cluster* (p. 737) | |
ListInstances | Grants permission to get details about the Amazon EC2 instances in a cluster. | Read | cluster* (p. 737) | |
ListSecurityConfigurations | Grants permission to list available security configurations in this account by name, along with creation dates and times. | List | | |
ListSteps | Grants permission to list steps associated with a cluster. | Read | cluster* (p. 737) | |
ModifyCluster | Grants permission to change cluster settings such as number of steps that can be executed concurrently for a cluster. | Write | cluster* (p. 737) | |
ModifyInstanceFleet | Grants permission to change the target On-Demand and target Spot capacities for an instance fleet. | Write | cluster* (p. 737) | |
ModifyInstanceGroups | Grants permission to change the number and configuration of EC2 instances for an instance group. | Write | cluster (p. 737) | |
OpenEditorInConsole [permission only] | Grants permission to launch the Jupyter notebook editor for an EMR notebook from within the console. | Write | cluster* (p. 737), editor* (p. 737) | |
PutAutoScalingPolicy | Grants permission to create or update an automatic scaling policy for a core instance group or task instance group. | Write | cluster* (p. 737) | |
PutBlockPublicAccessConfiguration | Grants permission to create or update the EMR block public access configuration for the AWS account in the Region. | Permissions management | | |
PutManagedScalingPolicy | Grants permission to create or update the managed scaling policy associated with a cluster. | Write | cluster* (p. 737) | |
RemoveAutoScalingPolicy | Grants permission to remove an automatic scaling policy from an instance group. | Write | cluster* (p. 737) | |
RemoveManagedScalingPolicy | Grants permission to remove the managed scaling policy associated with a cluster. | Write | cluster* (p. 737) | |
RemoveTags | Grants permission to remove tags from an Amazon EMR resource. | Tagging | cluster (p. 737), editor (p. 737) | aws:TagKeys (p. 738) |
RunJobFlow | Grants permission to create and launch a cluster (job flow). | Write | | aws:RequestTag/${TagKey} (p. 738), aws:TagKeys (p. 738), elasticmapreduce:RequestTag/${TagKey} (p. 738) |
SetTerminationProtection | Grants permission to add and remove termination protection | Write | cluster* (p. 737) | |
for a cluster.

StartEditor Grants permission to start an Write cluster*    


[permission EMR notebook. (p. 737)
only]
editor*    
(p. 737)

StopEditor Grants permission to shut down Write editor*    


[permission an EMR notebook. (p. 737)
only]

Grants permission to terminate a Write cluster*    


TerminateJobFlows
cluster (job flow). (p. 737)

Grants permission to use the List      


ViewEventsFromAllClustersInConsole
EMR management console to
[permission view events from all clusters.
only]

Resource types defined by Amazon Elastic MapReduce


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 733) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
--- | --- | ---
cluster | arn:${Partition}:elasticmapreduce:${Region}:${Account}:cluster/${ClusterId} | aws:ResourceTag/${TagKey} (p. 738), elasticmapreduce:ResourceTag/${TagKey} (p. 738)
editor | arn:${Partition}:elasticmapreduce:${Region}:${Account}:editor/${EditorId} | aws:ResourceTag/${TagKey} (p. 738), elasticmapreduce:ResourceTag/${TagKey} (p. 738)

Condition keys for Amazon Elastic MapReduce


Amazon Elastic MapReduce defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
--- | --- | ---
aws:RequestTag/${TagKey} | Filters access based on whether the tag and value pair is provided with the action | String
aws:ResourceTag/${TagKey} | Filters access based on the tag and value pair associated with an Amazon EMR resource | String
aws:TagKeys | Filters access based on whether the tag keys are provided with the action regardless of tag value | String
elasticmapreduce:RequestTag/${TagKey} | Filters actions based on whether the tag and value pair is provided with the action | String
elasticmapreduce:ResourceTag/${TagKey} | Filters actions based on the tag and value pair associated with an Amazon EMR resource | String
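The three EMR tables above fit together as a rule set: an action with an empty Resource types column must be granted on "*", an action with a required type should be scoped to an ARN of that type, and only the listed condition keys (plus the resource type's own ResourceTag keys) apply. The following Python linter is an added example, not AWS code; it transcribes a subset of the EMR table into a lookup and checks constructed policy statements against it (account ID and tag values are placeholders).

```python
"""Lint IAM statements against the Amazon EMR tables above (added example, not AWS code).

EMR_ACTIONS and ARN_PATTERNS are transcribed from the action and resource-type
tables on this page; RESOURCE_KEYS are the condition keys the resource types define.
"""
import fnmatch
import re

# action -> (access level, {resource type: required?}, action-level condition keys)
EMR_ACTIONS = {
    "elasticmapreduce:RunJobFlow": ("Write", {}, {
        "aws:RequestTag/${TagKey}", "aws:TagKeys", "elasticmapreduce:RequestTag/${TagKey}"}),
    "elasticmapreduce:ModifyCluster": ("Write", {"cluster": True}, set()),
    "elasticmapreduce:ModifyInstanceGroups": ("Write", {"cluster": False}, set()),
    "elasticmapreduce:TerminateJobFlows": ("Write", {"cluster": True}, set()),
    "elasticmapreduce:StartEditor": ("Write", {"cluster": True, "editor": True}, set()),
    "elasticmapreduce:RemoveTags": ("Tagging", {"cluster": False, "editor": False},
                                    {"aws:TagKeys"}),
    "elasticmapreduce:ListClusters": ("List", {}, set()),
    "elasticmapreduce:PutBlockPublicAccessConfiguration": ("Permissions management", {}, set()),
}
# resource type -> regex derived from the page's ARN template (each ${...} becomes a wildcard)
ARN_PATTERNS = {
    "cluster": re.compile(r"arn:[^:]+:elasticmapreduce:[^:]*:[^:]*:cluster/.+"),
    "editor": re.compile(r"arn:[^:]+:elasticmapreduce:[^:]*:[^:]*:editor/.+"),
}
RESOURCE_KEYS = {"aws:ResourceTag/${TagKey}", "elasticmapreduce:ResourceTag/${TagKey}"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _generic_key(key):
    """aws:RequestTag/Team -> aws:RequestTag/${TagKey}, the form used in the tables."""
    prefix, sep, _ = key.partition("/")
    return prefix + "/${TagKey}" if sep else key


def check_statement(stmt):
    """Return findings for one policy statement; an empty list means it fits the tables."""
    findings = []
    actions = []
    for pattern in _as_list(stmt["Action"]):
        matched = [a for a in EMR_ACTIONS if fnmatch.fnmatchcase(a, pattern)]
        if not matched:
            findings.append(f"{pattern}: not an action in the EMR table transcribed here")
        actions.extend(matched)
    resources = _as_list(stmt["Resource"])
    used_keys = {k for operator in stmt.get("Condition", {}).values() for k in operator}

    # Classify every ARN by resource type; "*" is accepted for any action.
    arn_types = {}
    for arn in resources:
        if arn == "*":
            continue
        types = [t for t, rx in ARN_PATTERNS.items() if rx.fullmatch(arn)]
        if not types:
            findings.append(f"{arn}: not an EMR cluster or editor ARN")
        arn_types[arn] = types

    for action in actions:
        level, rtypes, keys = EMR_ACTIONS[action]
        if not rtypes and arn_types:
            # Empty Resource types column: the statement must use "*" for this action.
            findings.append(f'{action}: supports no resource type, Resource must be "*"')
        for arn, types in arn_types.items():
            if rtypes and not any(t in rtypes for t in types):
                findings.append(f"{action}: {arn} is not one of {sorted(rtypes)}")
        if rtypes and "*" in resources and level in ("Write", "Permissions management"):
            # Least privilege: the action accepts an ARN, so "*" is broader than needed.
            findings.append(f'{action}: {level} action granted on "*"; scope it to an ARN')
        # Resource-type keys (aws:ResourceTag/...) only apply where a resource type exists.
        allowed = keys | (RESOURCE_KEYS if rtypes else set())
        for key in used_keys:
            if _generic_key(key) not in allowed:
                findings.append(f"{action}: condition key {key} is not listed for this action")
    return findings


# Constructed sample statements; the account ID and tag values are placeholders.
TAG_SCOPED_WRITE = {
    "Effect": "Allow",
    "Action": ["elasticmapreduce:ModifyCluster", "elasticmapreduce:TerminateJobFlows"],
    "Resource": "arn:aws:elasticmapreduce:us-east-1:111122223333:cluster/*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Team": "data-eng"}},
}
TAG_ON_CREATE = {  # RunJobFlow has no resource type, so constrain the request tags instead
    "Effect": "Allow",
    "Action": "elasticmapreduce:RunJobFlow",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestTag/Team": "data-eng"},
                  "ForAllValues:StringEquals": {"aws:TagKeys": ["Team"]}},
}
MISMATCHED_CREATE = {  # a cluster ARN and a ResourceTag key do not apply to RunJobFlow
    "Effect": "Allow",
    "Action": "elasticmapreduce:RunJobFlow",
    "Resource": "arn:aws:elasticmapreduce:us-east-1:111122223333:cluster/*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Team": "data-eng"}},
}

if __name__ == "__main__":
    for name, stmt in [("TAG_SCOPED_WRITE", TAG_SCOPED_WRITE), ("TAG_ON_CREATE", TAG_ON_CREATE),
                       ("MISMATCHED_CREATE", MISMATCHED_CREATE)]:
        print(name, check_statement(stmt) or "ok")
```

MISMATCHED_CREATE produces two findings (the ARN is not allowed for an action with no resource type, and aws:ResourceTag is not a RunJobFlow key); the other two statements pass.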

Actions, resources, and condition keys for Amazon Elastic Transcoder
Amazon Elastic Transcoder (service prefix: elastictranscoder) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Elastic Transcoder (p. 739)
• Resource types defined by Amazon Elastic Transcoder (p. 740)
• Condition keys for Amazon Elastic Transcoder (p. 740)

Actions defined by Amazon Elastic Transcoder


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
CancelJob | Cancel a job that Elastic Transcoder has not begun to process | Write | job* (p. 740) | |
CreateJob | Create a job. | Write | pipeline* (p. 740), preset* (p. 740) | |
CreatePipeline | Create a pipeline | Write | pipeline* (p. 740) | |
CreatePreset | Create a preset. | Write | preset* (p. 740) | |
DeletePipeline | Delete a pipeline | Write | pipeline* (p. 740) | |
DeletePreset | Delete a preset | Write | preset* (p. 740) | |
ListJobsByPipeline | Get a list of the jobs that you assigned to a pipeline | List | pipeline* (p. 740) | |
ListJobsByStatus | Get information about all of the jobs associated with the current AWS account that have a specified status | List | | |
ListPipelines | Get a list of the pipelines associated with the current AWS account | List | | |
ListPresets | Get a list of all presets associated with the current AWS account. | List | | |
ReadJob | Get detailed information about a job | Read | job* (p. 740) | |
ReadPipeline | Get detailed information about a pipeline | Read | pipeline* (p. 740) | |
ReadPreset | Get detailed information about a preset. | Read | preset* (p. 740) | |
TestRole | Test the settings for a pipeline to ensure that Elastic Transcoder can create and process jobs | Write | | |
UpdatePipeline | Update settings for a pipeline | Write | pipeline* (p. 740) | |
UpdatePipelineNotifications | Update only Amazon Simple Notification Service (Amazon SNS) notifications for a pipeline | Write | pipeline* (p. 740) | |
UpdatePipelineStatus | Pause or reactivate a pipeline, so the pipeline stops or restarts processing jobs, update the status for the pipeline. | Write | pipeline* (p. 740) | |

Resource types defined by Amazon Elastic Transcoder


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 739) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
--- | --- | ---
job | arn:${Partition}:elastictranscoder:${Region}:${Account}:job/${JobId} |
pipeline | arn:${Partition}:elastictranscoder:${Region}:${Account}:pipeline/${PipelineId} |
preset | arn:${Partition}:elastictranscoder:${Region}:${Account}:preset/${PresetId} |

Condition keys for Amazon Elastic Transcoder


Elastic Transcoder has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Amazon ElastiCache
Amazon ElastiCache (service prefix: elasticache) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon ElastiCache (p. 741)
• Resource types defined by Amazon ElastiCache (p. 750)
• Condition keys for Amazon ElastiCache (p. 751)

Actions defined by Amazon ElastiCache


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).
Note
When you create an ElastiCache policy in IAM you must use the "*" wildcard character for the
Resource block. For information about using the following ElastiCache API actions in an IAM
policy, see ElastiCache Actions and IAM in the Amazon ElastiCache User Guide.

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
AddTagsToResource | The AddTagsToResource action adds up to 10 cost allocation tags to the named resource. | Tagging | cluster (p. 750), snapshot (p. 751) | |
AuthorizeCacheSecurityGroupIngress | The AuthorizeCacheSecurityGroupIngress action allows network ingress to a cache security group. | Write | securitygroup* (p. 750) | | ec2:AuthorizeSecurityGroupIngress
BatchApplyUpdateAction | Apply the service update. | Write | cluster (p. 750), replicationgroup (p. 750) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs, s3:GetObject
BatchStopUpdateAction | Stop the service update. | Write | cluster (p. 750), replicationgroup (p. 750) | |
CompleteMigration | Stop the service update. | Write | cluster (p. 750), replicationgroup (p. 750) | |
CopySnapshot | The CopySnapshot action makes a copy of an existing snapshot. | Write | snapshot* (p. 751) | | elasticache:AddTagsToResource, s3:DeleteObject, s3:GetBucketAcl, s3:PutObject
CreateCacheCluster | The CreateCacheCluster action creates a cache cluster. | Write | parametergroup* (p. 750), cluster (p. 750), replicationgroup (p. 750), securitygroup (p. 750), snapshot (p. 751), subnetgroup (p. 750) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs, elasticache:AddTagsToResource, s3:GetObject
CreateCacheParameterGroup | The CreateCacheParameterGroup action creates a new cache parameter group. | Write | parametergroup* (p. 750) | | elasticache:AddTagsToResource
CreateCacheSecurityGroup | The CreateCacheSecurityGroup action creates a new cache security group. | Write | securitygroup* (p. 750) | | elasticache:AddTagsToResource
CreateCacheSubnetGroup | The CreateCacheSubnetGroup action creates a new cache subnet group. | Write | subnetgroup* (p. 750) | | elasticache:AddTagsToResource
CreateGlobalReplicationGroup | The CreateGlobalReplicationGroup action creates a global datastore. | Write | globalreplicationgroup* (p. 751), replicationgroup* (p. 750) | |
CreateReplicationGroup | The CreateReplicationGroup action creates a replication group. | Write | parametergroup* (p. 750), cluster (p. 750), globalreplicationgroup (p. 751), replicationgroup (p. 750), securitygroup (p. 750), snapshot (p. 751), subnetgroup (p. 750), usergroup (p. 751) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs, elasticache:AddTagsToResource, s3:GetObject
CreateSnapshot | The CreateSnapshot action creates a copy of an entire cache cluster at a specific moment in time. | Write | snapshot* (p. 751), cluster (p. 750), replicationgroup (p. 750) | | elasticache:AddTagsToResource, s3:DeleteObject, s3:GetBucketAcl, s3:PutObject
CreateUser | The CreateUser action creates a new user. | Write | user* (p. 751) | |
CreateUserGroup | The CreateUserGroup action creates a new user group. | Write | user* (p. 751), usergroup* (p. 751) | |
DecreaseNodeGroupsInGlobalReplicationGroup | The DecreaseNodeGroupsInGlobalReplicationGroup action decreases the number of node groups in a global datastore. | Write | globalreplicationgroup* (p. 751) | |
DecreaseReplicaCount | The DecreaseReplicaCount action decreases the number of replicas in a Redis replication group. | Write | replicationgroup* (p. 750) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs
DeleteCacheCluster | The DeleteCacheCluster action deletes a previously provisioned cache cluster. | Write | cluster* (p. 750), snapshot (p. 751) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs
DeleteCacheParameterGroup | The DeleteCacheParameterGroup action deletes the specified cache parameter group. | Write | parametergroup* (p. 750) | |
DeleteCacheSecurityGroup | The DeleteCacheSecurityGroup action deletes a cache security group. | Write | securitygroup* (p. 750) | |
DeleteCacheSubnetGroup | The DeleteCacheSubnetGroup action deletes a cache subnet group. | Write | subnetgroup* (p. 750) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs
DeleteGlobalReplicationGroup | The DeleteGlobalReplicationGroup action deletes a global datastore. | Write | globalreplicationgroup* (p. 751) | |
DeleteReplicationGroup | The DeleteReplicationGroup action deletes an existing replication group. | Write | replicationgroup* (p. 750), snapshot (p. 751) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs
DeleteSnapshot | The DeleteSnapshot action deletes an existing snapshot. | Write | snapshot* (p. 751) | |
DeleteUser | The DeleteUser action deletes an existing user. | Write | user* (p. 751) | |
DeleteUserGroup | The DeleteUserGroup action deletes an existing user group. | Write | usergroup* (p. 751) | |
DescribeCacheClusters | The DescribeCacheClusters action returns information about all provisioned cache clusters if no cache cluster identifier is specified, or about a specific cache cluster if a cache cluster identifier is supplied. | List | cluster* (p. 750) | |
DescribeCacheEngineVersions | The DescribeCacheEngineVersions action returns a list of the available cache engines and their versions. | List | | |
DescribeCacheParameterGroups | The DescribeCacheParameterGroups action returns information about parameter groups for this account, or a particular parameter group. | List | parametergroup* (p. 750) | |
DescribeCacheParameters | The DescribeCacheParameters action returns the detailed parameter list for a particular cache parameter group. | List | parametergroup* (p. 750) | |
DescribeCacheSecurityGroups | The DescribeCacheSecurityGroups action returns a list of cache security group descriptions, or the description of the specified security group. | List | securitygroup* (p. 750) | |
DescribeCacheSubnetGroups | The DescribeCacheSubnetGroups action returns a list of cache subnet group descriptions, or the description of the specified subnet group. | List | subnetgroup* (p. 750) | |
DescribeEngineDefaultParameters | The DescribeEngineDefaultParameters action returns the default engine and system parameter information for the specified cache engine. | List | | |
DescribeEvents | The DescribeEvents action returns events related to cache clusters, cache security groups, and cache parameter groups. | List | | |
DescribeGlobalReplicationGroups | The DescribeGlobalReplicationGroups action returns information about global datastores for this account, or a particular global datastore. | List | globalreplicationgroup* (p. 751) | |
DescribeReplicationGroups | The DescribeReplicationGroups action returns information about replication groups for this account, or a particular replication group. | List | replicationgroup* (p. 750) | |
DescribeReservedCacheNodes | The DescribeReservedCacheNodes action returns information about reserved cache nodes for this account, or a particular reserved cache node. | List | reserved-instance* (p. 750) | |
DescribeReservedCacheNodesOfferings | The DescribeReservedCacheNodesOfferings action lists available reserved cache node offerings. | List | | |
DescribeServiceUpdates | Returns details of the service updates | List | | |
DescribeSnapshots | The DescribeSnapshots action returns information about cache cluster snapshots. | List | snapshot* (p. 751) | |
DescribeUpdateActions | Returns details of the update actions. | List | cluster (p. 750), replicationgroup (p. 750) | |
DescribeUserGroups | The DescribeUserGroups action returns information about all user groups for this account, or a particular user group. | List | usergroup* (p. 751) | |
DescribeUsers | The DescribeUsers action returns information about all users for this account, or a particular user. | List | user* (p. 751) | |
DisassociateGlobalReplicationGroup | The DisassociateGlobalReplicationGroup action removes a secondary Replication Group from the Global Datastore. | Write | globalreplicationgroup* (p. 751) | |
FailoverGlobalReplicationGroup | The FailoverGlobalReplicationGroup action removes a secondary Replication Group from the Global Datastore. | Write | globalreplicationgroup* (p. 751) | |
IncreaseNodeGroupsInGlobalReplicationGroup | The IncreaseNodeGroupsInGlobalReplicationGroup action increases the number of node groups in the Global Datastore. | Write | globalreplicationgroup* (p. 751) | |
IncreaseReplicaCount | The IncreaseReplicaCount action increases the number of replicas in a Redis replication group. | Write | replicationgroup* (p. 750) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs
ListAllowedNodeTypeModifications | List Allowed Node Type Modifications | List | cluster (p. 750), replicationgroup (p. 750) | |
ListTagsForResource | The ListTagsForResource action lists all cost allocation tags currently on the named resource. | Read | cluster (p. 750), snapshot (p. 751) | |
ModifyCacheCluster | The ModifyCacheCluster action modifies the settings for a cache cluster. | Write | cluster* (p. 750), parametergroup (p. 750), securitygroup (p. 750) | |
ModifyCacheParameterGroup | The ModifyCacheParameterGroup action modifies the parameters of a cache parameter group. | Write | parametergroup* (p. 750) | |
ModifyCacheSubnetGroup | The ModifyCacheSubnetGroup action modifies an existing cache subnet group. | Write | subnetgroup* (p. 750) | |
ModifyGlobalReplicationGroup | The ModifyGlobalReplicationGroup action modifies the settings for a Global Datastore. | Write | globalreplicationgroup* (p. 751) | |
ModifyReplicationGroup | The ModifyReplicationGroup action modifies the settings for a replication group. | Write | replicationgroup* (p. 750), parametergroup (p. 750), securitygroup (p. 750), usergroup (p. 751) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs
ModifyReplicationGroupShardConfiguration | The ModifyReplicationGroupShardConfiguration action allows you to add shards, remove shards, or rebalance the keyspaces among existing shards. | Write | replicationgroup* (p. 750) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs
ModifyUser | The ModifyUser action modifies an existing user. | Write | user* (p. 751) | |
ModifyUserGroup | The ModifyUserGroup action modifies an existing user group. | Write | user* (p. 751), usergroup* (p. 751) | |
PurchaseReservedCacheNodesOffering | The PurchaseReservedCacheNodesOffering action allows you to purchase a reserved cache node offering. | Write | reserved-instance* (p. 750) | | elasticache:AddTagsToResource
RebalanceSlotsInGlobalReplicationGroup | The RebalanceSlotsInGlobalReplicationGroup action redistributes slots to ensure uniform distribution across existing shards in the cluster. | Write | globalreplicationgroup* (p. 751) | |
RebootCacheCluster | The RebootCacheCluster action reboots some, or all, of the cache nodes within a provisioned cache cluster. | Write | cluster* (p. 750) | |
RemoveTagsFromResource | The RemoveTagsFromResource action removes the tags identified by the TagKeys list from the named resource. | Tagging | cluster (p. 750), snapshot (p. 751) | |
ResetCacheParameterGroup | The ResetCacheParameterGroup action modifies the parameters of a cache parameter group to the engine or system default value. | Write | parametergroup* (p. 750) | |
RevokeCacheSecurityGroupIngress | The RevokeCacheSecurityGroupIngress action revokes ingress from a cache security group. | Write | securitygroup* (p. 750) | |
StartMigration | Start the migration of data. | Write | replicationgroup* (p. 750) | |
TestFailover | The TestFailover action allows you to test automatic failover on a specified node group in a replication group | Write | replicationgroup* (p. 750) | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs

Resource types defined by Amazon ElastiCache


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 741) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
--- | --- | ---
parametergroup | arn:${Partition}:elasticache:${Region}:${Account}:parametergroup:${CacheParameterGroupName} |
securitygroup | arn:${Partition}:elasticache:${Region}:${Account}:securitygroup:${CacheSecurityGroupName} |
subnetgroup | arn:${Partition}:elasticache:${Region}:${Account}:subnetgroup:${CacheSubnetGroupName} |
replicationgroup | arn:${Partition}:elasticache:${Region}:${Account}:replicationgroup:${ReplicationGroupId} |
cluster | arn:${Partition}:elasticache:${Region}:${Account}:cluster:${CacheClusterId} |
reserved-instance | arn:${Partition}:elasticache:${Region}:${Account}:reserved-instance:${ReservedCacheNodeId} |
snapshot | arn:${Partition}:elasticache:${Region}:${Account}:snapshot:${SnapshotName} |
globalreplicationgroup | arn:${Partition}:elasticache::${Account}:globalreplicationgroup:${GlobalReplicationGroupId} |
user | arn:${Partition}:elasticache:${Region}:${Account}:user:${UserId} |
usergroup | arn:${Partition}:elasticache:${Region}:${Account}:usergroup:${UserGroupId} |

Condition keys for Amazon ElastiCache


ElastiCache has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.
Note
For information about conditions in an IAM policy to control access to ElastiCache, see
ElastiCache Keys in the Amazon ElastiCache User Guide.

Actions, resources, and condition keys for Amazon Elasticsearch Service
Amazon Elasticsearch Service (service prefix: es) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.

Topics
• Actions defined by Amazon Elasticsearch Service (p. 751)
• Resource types defined by Amazon Elasticsearch Service (p. 755)
• Condition keys for Amazon Elasticsearch Service (p. 755)

Actions defined by Amazon Elasticsearch Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
AcceptInboundCrossClusterSearchConnection | Allows the destination domain owner to accept an inbound cross-cluster search connection request | Write | | |
AddTags | Grants permission to attach resource tags to an Amazon ES domain. | Tagging | domain* (p. 755) | |
CreateElasticsearchDomain | Grants permission to create an Amazon ES domain. | Write | domain (p. 755) | |
CreateElasticsearchServiceRole | Grants permission to create the service-linked role required for Amazon ES domains that use VPC access. | Write | | |
CreateOutboundCrossClusterSearchConnection | Creates a new cross-cluster search connection from a source domain to a destination domain | Write | domain* (p. 755) | |
DeleteElasticsearchDomain | Grants permission to delete an Amazon ES domain and all of its data. | Write | domain* (p. 755) | |
DeleteElasticsearchServiceRole | Grants permission to delete the service-linked role required for Amazon ES domains that use VPC access. | Write | | |
DeleteInboundCrossClusterSearchConnection | Allows the destination domain owner to delete an existing inbound cross-cluster search connection | Write | | |
DeleteOutboundCrossClusterSearchConnection | Allows the source domain owner to delete an existing outbound cross-cluster search connection | Write | | |
DescribeElasticsearchDomain | Grants permission to view a description of the domain configuration for the specified Amazon ES domain, including the domain ID, domain service endpoint, and domain ARN. | Read | domain* (p. 755) | |
DescribeElasticsearchDomainConfig | Grants permission to view a description of the configuration options and status of an Amazon ES domain. | Read | domain* (p. 755) | |
DescribeElasticsearchDomains | Grants permission to view a description of the domain configuration for up to five specified Amazon ES domains. | List | domain* (p. 755) | |
DescribeElasticsearchInstanceTypeLimits | Grants permission to view the instance count, storage, and master node limits for a given Elasticsearch version and instance type. | List | | |
DescribeInboundCrossClusterSearchConnections | Lists all the inbound cross-cluster search connections for a destination domain | List | | |
DescribeOutboundCrossClusterSearchConnections | Lists all the outbound cross-cluster search connections for a source domain | List | | |
DescribeReservedElasticsearchInstanceOfferings | Grants permission to fetch reserved instance offerings for ES | List | | |
DescribeReservedElasticsearchInstances | Grants permission to fetch ES reserved instances already purchased by the customer | List | | |
ESCrossClusterGet | Grants permission to send cross-cluster requests to a destination domain. | Read | domain (p. 755) | |
ESHttpDelete | Grants permission to send HTTP DELETE requests to the Elasticsearch APIs. | Write | domain (p. 755) | |
ESHttpGet | Grants permission to send HTTP GET requests to the Elasticsearch APIs. | Read | domain (p. 755) | |
ESHttpHead | Grants permission to send HTTP HEAD requests to the Elasticsearch APIs. | Read | domain (p. 755) | |
ESHttpPatch | Grants permission to send HTTP PATCH requests to the Elasticsearch APIs. | Write | domain (p. 755) | |
ESHttpPost | Grants permission to send HTTP POST requests to the Elasticsearch APIs. | Write | domain (p. 755) | |
ESHttpPut | Grants permission to send HTTP PUT requests to the Elasticsearch APIs. | Write | domain (p. 755) | |
GetCompatibleElasticsearchVersions | Grants permission to fetch the list of compatible Elasticsearch versions to which an Amazon ES domain can be upgraded | List | domain* (p. 755) | |
GetUpgradeHistory | Grants permission to fetch the upgrade history for a given ES domain | Read | domain* (p. 755) | |
GetUpgradeStatus | Grants permission to fetch the upgrade status for a given ES domain | Read | domain* (p. 755) | |
ListDomainNames | Grants permission to display the names of all Amazon ES domains that the current user owns. | List | | |
ListElasticsearchInstanceTypeDetails | Grants permission to list all instance types and available features for a given Elasticsearch version. | List | | |

Grants permission to list all List      


ListElasticsearchInstanceTypes
Elasticsearch instance types
that are supported for a given
Elasticsearch version.

Grants permission to list all List      


ListElasticsearchVersions
supported Elasticsearch versions
on Amazon ES.

ListTags Grants permission to display all Read domain*    


of the tags for an Amazon ES (p. 755)
domain.

Grants permission to purchase Write      


PurchaseReservedElasticsearchInstanceOffering
ES reserved instances

Allows the destination domain Write      


RejectInboundCrossClusterSearchConnection
owner to reject an inbound
cross-cluster search connection
request

RemoveTags Grants permission to remove Tagging domain*    


tags from Amazon ES domains. (p. 755)

Grants permission to modify the Write domain*    


UpdateElasticsearchDomainConfig
configuration of an Amazon ES (p. 755)
domain, such as the instance
type or number of instances.

754
Service Authorization Reference
Service Authorization Reference
Elemental Activations

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to initiate Write domain*    


UpgradeElasticsearchDomain
upgrade of elastic search (p. 755)
domain to given version

Resource types defined by Amazon Elasticsearch Service


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 751) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| domain | arn:${Partition}:es:${Region}:${Account}:domain/${DomainName} | |

Condition keys for Amazon Elasticsearch Service


Elasticsearch Service has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Elemental Activations

Elemental Activations (service prefix: elemental-activations) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Elemental Activations (p. 755)
• Resource types defined by Elemental Activations (p. 756)
• Condition keys for Elemental Activations (p. 757)

Actions defined by Elemental Activations


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| DownloadSoftware [permission only] | Download the Software files for AWS Elemental Appliances and Software Purchases | List | | | |
| GenerateLicenses [permission only] | Generate Software Licenses for AWS Elemental Appliances and Software Purchases | List | | | |
| GetActivation [permission only] | Describe an activation | Read | activation* (p. 757) | | |
| ListTagsForResource [permission only] | This action lists tags for an AWS Elemental Activations resource | Read | activation (p. 757) | | |
| TagResource [permission only] | This action adds a tag for an AWS Elemental Activations resource | Tagging | activation (p. 757) | aws:TagKeys (p. 757), aws:RequestTag/${TagKey} (p. 757) | |
| UntagResource [permission only] | This action removes a tag from an AWS Elemental Activations resource | Tagging | activation (p. 757) | aws:TagKeys (p. 757) | |

Resource types defined by Elemental Activations


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 755) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| activation | arn:${Partition}:elemental-activations:${Region}:${Account}:activation/${ResourceId} | aws:ResourceTag/${TagKey} (p. 757) |

Condition keys for Elemental Activations


Elemental Activations defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | Arn |
| aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String |
| aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String |

Actions, resources, and condition keys for AWS Elemental Appliances and Software

AWS Elemental Appliances and Software (service prefix: elemental-appliances-software) provides
the following service-specific resources, actions, and condition context keys for use in IAM permission
policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Elemental Appliances and Software (p. 758)
• Resource types defined by AWS Elemental Appliances and Software (p. 759)
• Condition keys for AWS Elemental Appliances and Software (p. 759)

Actions defined by AWS Elemental Appliances and Software


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateQuote [permission only] | Create a quote | Tagging | quote* (p. 759) | aws:RequestTag/${TagKey} (p. 759), aws:TagKeys (p. 759) | |
| GetQuote [permission only] | Describe a quote | Read | quote* (p. 759) | | |
| ListQuotes [permission only] | List the quotes in the user account | List | | | |
| ListTagsForResource [permission only] | This action lists tags for an AWS Elemental Appliances and Software resource | Read | quote (p. 759) | | |
| TagResource [permission only] | This action tags an AWS Elemental Appliances and Software resource | Tagging | quote (p. 759) | aws:TagKeys (p. 759), aws:RequestTag/${TagKey} (p. 759) | |
| UntagResource [permission only] | This action removes a tag from an AWS Elemental Appliances and Software resource | Tagging | quote (p. 759) | aws:TagKeys (p. 759) | |
| UpdateQuote [permission only] | Modify a quote | Write | quote* (p. 759) | | |

Resource types defined by AWS Elemental Appliances and Software

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 758) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| quote | arn:${Partition}:elemental-appliances-software:${Region}:${Account}:quote/${ResourceId} | aws:ResourceTag/${TagKey} (p. 759) |

Condition keys for AWS Elemental Appliances and Software


AWS Elemental Appliances and Software defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions under
which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | request tag | String |
| aws:ResourceTag/${TagKey} | resource tag | String |
| aws:TagKeys | tag keys | String |

Actions, resources, and condition keys for AWS Elemental MediaConnect

AWS Elemental MediaConnect (service prefix: mediaconnect) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Elemental MediaConnect (p. 760)
• Resource types defined by AWS Elemental MediaConnect (p. 761)
• Condition keys for AWS Elemental MediaConnect (p. 762)

Actions defined by AWS Elemental MediaConnect


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddFlowOutputs | Grants permission to add outputs to any flow. | Write | | | |
| CreateFlow | Grants permission to create flows. | Write | | | |
| DeleteFlow | Grants permission to delete flows. | Write | | | |
| DescribeFlow | Grants permission to display the details of a flow including the flow ARN, name, and Availability Zone, as well as details about the source, outputs, and entitlements. | Read | | | |
| GrantFlowEntitlements | Grants permission to grant entitlements on any flow. | Write | | | |
| ListEntitlements | Grants permission to display a list of all entitlements that have been granted to the account. | List | | | |
| ListFlows | Grants permission to display a list of flows that are associated with this account. | List | | | |
| RemoveFlowOutput | Grants permission to remove outputs from any flow. | Write | | | |
| RevokeFlowEntitlement | Grants permission to revoke entitlements on any flow. | Write | | | |
| StartFlow | Grants permission to start flows. | Write | | | |
| StopFlow | Grants permission to stop flows. | Write | | | |
| UpdateFlowEntitlement | Grants permission to update entitlements on any flow. | Write | | | |
| UpdateFlowOutput | Grants permission to update outputs on any flow. | Write | | | |
| UpdateFlowSource | Grants permission to update the source of any flow. | Write | | | |

Resource types defined by AWS Elemental MediaConnect


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 760) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| Entitlement | arn:${Partition}:mediaconnect:${Region}:${Account}:entitlement:${FlowId}:${EntitlementName} | |
| Flow | arn:${Partition}:mediaconnect:${Region}:${Account}:flow:${FlowId}:${FlowName} | |
| Output | arn:${Partition}:mediaconnect:${Region}:${Account}:output:${OutputId}:${OutputName} | |
| Source | arn:${Partition}:mediaconnect:${Region}:${Account}:source:${SourceId}:${SourceName} | |

Condition keys for AWS Elemental MediaConnect


MediaConnect has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Elemental MediaConvert

AWS Elemental MediaConvert (service prefix: mediaconvert) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Elemental MediaConvert (p. 762)
• Resource types defined by AWS Elemental MediaConvert (p. 765)
• Condition keys for AWS Elemental MediaConvert (p. 766)

Actions defined by AWS Elemental MediaConvert


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateCertificate | Grants permission to associate an AWS Certificate Manager (ACM) Amazon Resource Name (ARN) with AWS Elemental MediaConvert. | Write | | | |
| CancelJob | Grants permission to cancel an AWS Elemental MediaConvert job that is waiting in queue | Write | Job* (p. 766) | | |
| CreateJob | Grants permission to create and submit an AWS Elemental MediaConvert job | Write | JobTemplate (p. 766), Preset (p. 766), Queue (p. 766) | | |
| CreateJobTemplate | Grants permission to create an AWS Elemental MediaConvert custom job template | Write | Preset (p. 766), Queue (p. 766) | aws:RequestTag/${TagKey} (p. 766), aws:TagKeys (p. 766) | |
| CreatePreset | Grants permission to create an AWS Elemental MediaConvert custom output preset | Write | | aws:RequestTag/${TagKey} (p. 766), aws:TagKeys (p. 766) | |
| CreateQueue | Grants permission to create an AWS Elemental MediaConvert job queue | Write | | aws:RequestTag/${TagKey} (p. 766), aws:TagKeys (p. 766) | |
| DeleteJobTemplate | Grants permission to delete an AWS Elemental MediaConvert custom job template | Write | JobTemplate* (p. 766) | | |
| DeletePreset | Grants permission to delete an AWS Elemental MediaConvert custom output preset | Write | Preset* (p. 766) | | |
| DeleteQueue | Grants permission to delete an AWS Elemental MediaConvert job queue | Write | Queue* (p. 766) | | |
| DescribeEndpoints | Grants permission to subscribe to the AWS Elemental MediaConvert service, by sending a request for an account-specific endpoint. All transcoding requests must be sent to the endpoint that the service returns. | List | | | |
| DisassociateCertificate | Grants permission to remove an association between the Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate and an AWS Elemental MediaConvert resource. | Write | | | |
| GetJob | Grants permission to get an AWS Elemental MediaConvert job | Read | Job* (p. 766) | | |
| GetJobTemplate | Grants permission to get an AWS Elemental MediaConvert job template | Read | JobTemplate* (p. 766) | | |
| GetPreset | Grants permission to get an AWS Elemental MediaConvert output preset | Read | Preset* (p. 766) | | |
| GetQueue | Grants permission to get an AWS Elemental MediaConvert job queue | Read | Queue* (p. 766) | | |
| ListJobTemplates | Grants permission to list AWS Elemental MediaConvert job templates | List | | | |
| ListJobs | Grants permission to list AWS Elemental MediaConvert jobs | List | Queue (p. 766) | | |
| ListPresets | Grants permission to list AWS Elemental MediaConvert output presets | List | | | |
| ListQueues | Grants permission to list AWS Elemental MediaConvert job queues | List | | | |
| ListTagsForResource | Grants permission to retrieve the tags for a MediaConvert queue, preset, or job template | Read | JobTemplate (p. 766), Preset (p. 766), Queue (p. 766) | | |
| TagResource | Grants permission to add tags to a MediaConvert queue, preset, or job template | Tagging | JobTemplate (p. 766), Preset (p. 766), Queue (p. 766) | aws:RequestTag/${TagKey} (p. 766), aws:TagKeys (p. 766) | |
| UntagResource | Grants permission to remove tags from a MediaConvert queue, preset, or job template | Tagging | JobTemplate (p. 766), Preset (p. 766), Queue (p. 766) | aws:TagKeys (p. 766) | |
| UpdateJobTemplate | Grants permission to update an AWS Elemental MediaConvert custom job template | Write | JobTemplate* (p. 766), Preset (p. 766), Queue (p. 766) | | |
| UpdatePreset | Grants permission to update an AWS Elemental MediaConvert custom output preset | Write | Preset* (p. 766) | | |
| UpdateQueue | Grants permission to update an AWS Elemental MediaConvert job queue | Write | Queue* (p. 766) | | |

Resource types defined by AWS Elemental MediaConvert


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 762) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| Job | arn:${Partition}:mediaconvert:${Region}:${Account}:jobs/${JobId} | |
| Queue | arn:${Partition}:mediaconvert:${Region}:${Account}:queues/${QueueName} | aws:ResourceTag/${TagKey} (p. 766) |
| Preset | arn:${Partition}:mediaconvert:${Region}:${Account}:presets/${PresetName} | aws:ResourceTag/${TagKey} (p. 766) |
| JobTemplate | arn:${Partition}:mediaconvert:${Region}:${Account}:jobTemplates/${JobTemplateName} | aws:ResourceTag/${TagKey} (p. 766) |
| CertificateAssociation | arn:${Partition}:mediaconvert:${Region}:${Account}:certificates/${CertificateArn} | |

Condition keys for AWS Elemental MediaConvert


AWS Elemental MediaConvert defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
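The following identity-based policy is an added illustration, not part of this reference, of how the table columns translate into policy statements: es:DescribeElasticsearchDomain and es:UpdateElasticsearchDomainConfig take the domain resource type and are scoped to one domain ARN; mediaconnect:DescribeFlow and mediaconnect:ListFlows have no resource type, so their Resource must be "*"; and the MediaConvert statements restrict tagging and deletion with aws:RequestTag/${TagKey}, aws:TagKeys and aws:ResourceTag/${TagKey} from the tables above. The partition, Region, account ID, domain name, tag key and tag value are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EsControlPlaneScopedToOneDomain",
      "Effect": "Allow",
      "Action": [
        "es:DescribeElasticsearchDomain",
        "es:UpdateElasticsearchDomainConfig"
      ],
      "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain"
    },
    {
      "Sid": "MediaConnectActionsHaveNoResourceType",
      "Effect": "Allow",
      "Action": [
        "mediaconnect:DescribeFlow",
        "mediaconnect:ListFlows"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MediaConvertTaggingRequiresTeamTagOnly",
      "Effect": "Allow",
      "Action": "mediaconvert:TagResource",
      "Resource": "arn:aws:mediaconvert:us-east-1:111122223333:queues/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/team": "media-ops"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["team"]
        }
      }
    },
    {
      "Sid": "MediaConvertDeleteOnlyQueuesTaggedForTeam",
      "Effect": "Allow",
      "Action": "mediaconvert:DeleteQueue",
      "Resource": "arn:aws:mediaconvert:us-east-1:111122223333:queues/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/team": "media-ops"
        }
      }
    }
  ]
}
```

Actions whose Resource types column is empty (the MediaConnect statement) cannot be narrowed by ARN, so the only way to limit their blast radius is to keep them in a separate statement with only the actions actually needed.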

Actions, resources, and condition keys for AWS Elemental MediaLive

AWS Elemental MediaLive (service prefix: medialive) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Elemental MediaLive (p. 767)
• Resource types defined by AWS Elemental MediaLive (p. 772)
• Condition keys for AWS Elemental MediaLive (p. 773)

Actions defined by AWS Elemental MediaLive


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptInputDeviceTransfer | Grants permission to accept an input device transfer | Write | input-device* (p. 772) | | |
| BatchDelete | Grants permission to delete channels, inputs, input security groups, and multiplexes. | Write | channel (p. 772), input (p. 772), input-security-group (p. 773), multiplex (p. 773) | | |
| BatchStart | Grants permission to start channels and multiplexes. | Write | channel (p. 772), multiplex (p. 773) | | |
| BatchStop | Grants permission to stop channels and multiplexes. | Write | channel (p. 772), multiplex (p. 773) | | |
| BatchUpdateSchedule | Grants permission to add and remove actions from a channel's schedule. | Write | channel* (p. 772) | | |
| CancelInputDeviceTransfer | Grants permission to cancel an input device transfer | Write | input-device* (p. 772) | | |
| CreateChannel | Grants permission to create a channel | Write | channel* (p. 772), input* (p. 772) | aws:RequestTag/${TagKey} (p. 773), aws:TagKeys (p. 773) | |
| CreateInput | Grants permission to create an input | Write | input* (p. 772), input-security-group* (p. 773) | aws:RequestTag/${TagKey} (p. 773), aws:TagKeys (p. 773) | |
| CreateInputSecurityGroup | Grants permission to create an input security group | Write | input-security-group* (p. 773) | aws:RequestTag/${TagKey} (p. 773), aws:TagKeys (p. 773) | |
| CreateMultiplex | Grants permission to create a multiplex | Write | multiplex* (p. 773) | aws:RequestTag/${TagKey} (p. 773), aws:TagKeys (p. 773) | |
| CreateMultiplexProgram | Grants permission to create a multiplex program | Write | multiplex* (p. 773) | | |
| CreateTags | Grants permission to create tags for channels, inputs, input security groups, multiplexes, and reservations. | Tagging | channel (p. 772), input (p. 772), input-security-group (p. 773), multiplex (p. 773), reservation (p. 773) | aws:TagKeys (p. 773), aws:RequestTag/${TagKey} (p. 773) | |
| DeleteChannel | Grants permission to delete a channel | Write | channel* (p. 772) | | |
| DeleteInput | Grants permission to delete an input | Write | input* (p. 772) | | |
| DeleteInputSecurityGroup | Grants permission to delete an input security group | Write | input-security-group* (p. 773) | | |
| DeleteMultiplex | Grants permission to delete a multiplex | Write | multiplex* (p. 773) | | |
| DeleteMultiplexProgram | Grants permission to delete a multiplex program | Write | multiplex* (p. 773) | | |
| DeleteReservation | Grants permission to delete an expired reservation | Write | reservation* (p. 773) | | |
| DeleteTags | Grants permission to delete tags from channels, inputs, input security groups, multiplexes, and reservations. | Tagging | channel (p. 772), input (p. 772), input-security-group (p. 773), multiplex (p. 773), reservation (p. 773) | aws:TagKeys (p. 773) | |
| DescribeChannel | Grants permission to get details about a channel | Read | channel* (p. 772) | | |
| DescribeInput | Grants permission to describe an input | Read | input* (p. 772) | | |
| DescribeInputDevice | Grants permission to describe an input device | Read | input-device* (p. 772) | | |
| DescribeInputDeviceThumbnail | Grants permission to describe an input device thumbnail | Read | input-device* (p. 772) | | |
| DescribeInputSecurityGroup | Grants permission to describe an input security group | Read | input-security-group* (p. 773) | | |
| DescribeMultiplex | Grants permission to describe a multiplex | Read | multiplex* (p. 773) | | |
| DescribeMultiplexProgram | Grants permission to describe a multiplex program | Read | multiplex* (p. 773) | | |
| DescribeOffering | Grants permission to get details about a reservation offering | Read | offering* (p. 773) | | |
| DescribeReservation | Grants permission to get details about a reservation | Read | reservation* (p. 773) | | |
| DescribeSchedule | Grants permission to view a list of actions scheduled on a channel. | Read | channel* (p. 772) | | |
| ListChannels | Grants permission to list channels | List | | | |
| ListInputDeviceTransfers | Grants permission to list input device transfers | List | | | |
| ListInputDevices | Grants permission to list input devices | List | | | |
| ListInputSecurityGroups | Grants permission to list input security groups | List | | | |
| ListInputs | Grants permission to list inputs | List | | | |
| ListMultiplexPrograms | Grants permission to list multiplex programs | List | | | |
| ListMultiplexes | Grants permission to list multiplexes | List | | | |
| ListOfferings | Grants permission to list reservation offerings | List | | | |
| ListReservations | Grants permission to list reservations | List | | | |
| ListTagsForResource | Grants permission to list tags for channels, inputs, input security groups, multiplexes, and reservations. | List | channel (p. 772), input (p. 772), input-security-group (p. 773), multiplex (p. 773), reservation (p. 773) | | |
| PurchaseOffering | Grants permission to purchase a reservation offering | Write | offering* (p. 773), reservation* (p. 773) | aws:RequestTag/${TagKey} (p. 773), aws:TagKeys (p. 773) | |
Grants permission to reject an Write input-    


RejectInputDeviceTransfer
input device transfer device*
(p. 772)

StartChannel Grants permission to start a Write channel*    


channel (p. 772)

Grants permission to start a Write multiplex*    


StartMultiplex multiplex (p. 773)

StopChannel Grants permission to stop a Write channel*    


channel (p. 772)

771
Service Authorization Reference
Service Authorization Reference
AWS Elemental MediaLive

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

StopMultiplex Grants permission to stop a Write multiplex*    


multiplex (p. 773)

Grants permission to transfer an Write input-    


TransferInputDevice
input device device*
(p. 772)

Grants permission to update a Write channel*    


UpdateChannel channel (p. 772)

Grants permission to update the Write channel*    


UpdateChannelClass
class of a channel (p. 772)

UpdateInput Grants permission to update an Write input*    


input (p. 772)

Grants permission to update an Write input-    


UpdateInputDevice
input device device*
(p. 772)

Grants permission to update an Write input-    


UpdateInputSecurityGroup
input security group security-
group*
(p. 773)

Grants permission to update a Write multiplex*    


UpdateMultiplex multiplex (p. 773)

Grants permission to update a Write multiplex*    


UpdateMultiplexProgram
multiplex program (p. 773)

Grants permission to update a Write reservation*    


UpdateReservation
reservation (p. 773)

Resource types defined by AWS Elemental MediaLive


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 767) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
channel | arn:${Partition}:medialive:${Region}:${Account}:channel:* | aws:ResourceTag/${TagKey} (p. 773)
input | arn:${Partition}:medialive:${Region}:${Account}:input:* | aws:ResourceTag/${TagKey} (p. 773)
input-device | arn:${Partition}:medialive:${Region}:${Account}:inputDevice:* |
input-security-group | arn:${Partition}:medialive:${Region}:${Account}:inputSecurityGroup:* | aws:ResourceTag/${TagKey} (p. 773)
multiplex | arn:${Partition}:medialive:${Region}:${Account}:multiplex:* | aws:ResourceTag/${TagKey} (p. 773)
reservation | arn:${Partition}:medialive:${Region}:${Account}:reservation:* | aws:ResourceTag/${TagKey} (p. 773)
offering | arn:${Partition}:medialive:${Region}:${Account}:offering:* |

Condition keys for AWS Elemental MediaLive


AWS Elemental MediaLive defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | The tag for a MediaLive request. | String
aws:ResourceTag/${TagKey} | The tag for a MediaLive resource. | String
aws:TagKeys | The tag keys for a MediaLive resource or request. | String

Actions, resources, and condition keys for AWS Elemental MediaPackage

AWS Elemental MediaPackage (service prefix: mediapackage) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Elemental MediaPackage (p. 774)
• Resource types defined by AWS Elemental MediaPackage (p. 776)
• Condition keys for AWS Elemental MediaPackage (p. 776)


Actions defined by AWS Elemental MediaPackage


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateChannel | Grants permission to create a channel in AWS Elemental MediaPackage. | Write | | aws:RequestTag/${TagKey} (p. 776), aws:TagKeys (p. 776) |
CreateHarvestJob | Grants permission to create a harvest job in AWS Elemental MediaPackage. | Write | | aws:RequestTag/${TagKey} (p. 776), aws:TagKeys (p. 776) |
CreateOriginEndpoint | Grants permission to create an endpoint in AWS Elemental MediaPackage. | Write | | aws:RequestTag/${TagKey} (p. 776), aws:TagKeys (p. 776) |
DeleteChannel | Grants permission to delete a channel in AWS Elemental MediaPackage. | Write | channels* (p. 776) | |
DeleteOriginEndpoint | Grants permission to delete an endpoint in AWS Elemental MediaPackage. | Write | origin_endpoints* (p. 776) | |
DescribeChannel | Grants permission to view the details of a channel in AWS Elemental MediaPackage. | Read | channels* (p. 776) | |
DescribeHarvestJob | Grants permission to view the details of a harvest job in AWS Elemental MediaPackage. | Read | harvest_jobs* (p. 776) | |
DescribeOriginEndpoint | Grants permission to view the details of an endpoint in AWS Elemental MediaPackage. | Read | origin_endpoints* (p. 776) | |
ListChannels | Grants permission to view a list of channels in AWS Elemental MediaPackage. | Read | | |
ListHarvestJobs | Grants permission to view a list of harvest jobs in AWS Elemental MediaPackage. | Read | | |
ListOriginEndpoints | Grants permission to view a list of endpoints in AWS Elemental MediaPackage. | Read | | |
ListTagsForResource | Grants permission to list the tags assigned to a Channel or OriginEndpoint. | Read | channels (p. 776), harvest_jobs (p. 776), origin_endpoints (p. 776) | |
RotateIngestEndpointCredentials | Grants permission to rotate IngestEndpoint credentials for a Channel in AWS Elemental MediaPackage. | Write | channels* (p. 776) | |
TagResource | | Write | channels (p. 776), harvest_jobs (p. 776), origin_endpoints (p. 776) | aws:RequestTag/${TagKey} (p. 776), aws:TagKeys (p. 776) |
UntagResource | Grants permission to delete tags from a Channel or OriginEndpoint. | Write | channels (p. 776), harvest_jobs (p. 776), origin_endpoints (p. 776) | aws:TagKeys (p. 776) |
UpdateChannel | Grants permission to make changes to a channel in AWS Elemental MediaPackage. | Write | channels* (p. 776) | |
UpdateOriginEndpoint | Grants permission to make changes to an endpoint in AWS Elemental MediaPackage. | Write | origin_endpoints* (p. 776) | |

Resource types defined by AWS Elemental MediaPackage


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 774) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
channels | arn:${Partition}:mediapackage:${Region}:${Account}:channels/${ChannelIdentifier} | aws:ResourceTag/${TagKey} (p. 776)
origin_endpoints | arn:${Partition}:mediapackage:${Region}:${Account}:origin_endpoints/${OriginEndpointIdentifier} | aws:ResourceTag/${TagKey} (p. 776)
harvest_jobs | arn:${Partition}:mediapackage:${Region}:${Account}:harvest_jobs/${HarvestJobIdentifier} | aws:ResourceTag/${TagKey} (p. 776)
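
The rules stated in the "Actions defined by AWS Elemental MediaPackage" section (an action with no entry in the Resource types column must use "*" in Resource; an action with a starred type only matches an ARN of that type) can be checked mechanically against the two tables above. The following Python is an added example, not code from this reference or from AWS: it transcribes the MediaPackage actions and resource types tables into lookup maps and lints the statements of a policy against them. The sample policy, the account ID 111122223333, the region and the tag names are constructed placeholders, not values from this page.

```python
"""Lint MediaPackage IAM statements against the tables on this page (added example)."""
import re

# ARN formats transcribed from the MediaPackage resource types table.
RESOURCE_ARN_FORMATS = {
    "channels": "arn:${Partition}:mediapackage:${Region}:${Account}:channels/${ChannelIdentifier}",
    "origin_endpoints": "arn:${Partition}:mediapackage:${Region}:${Account}:origin_endpoints/${OriginEndpointIdentifier}",
    "harvest_jobs": "arn:${Partition}:mediapackage:${Region}:${Account}:harvest_jobs/${HarvestJobIdentifier}",
}

# Resource types each action accepts, transcribed from the actions table. An empty
# tuple means the action defines no resource type, so its Resource must be "*".
TAGGABLE = ("channels", "harvest_jobs", "origin_endpoints")
ACTION_RESOURCE_TYPES = {
    "mediapackage:CreateChannel": (), "mediapackage:CreateHarvestJob": (),
    "mediapackage:CreateOriginEndpoint": (),
    "mediapackage:DeleteChannel": ("channels",),
    "mediapackage:DeleteOriginEndpoint": ("origin_endpoints",),
    "mediapackage:DescribeChannel": ("channels",),
    "mediapackage:DescribeHarvestJob": ("harvest_jobs",),
    "mediapackage:DescribeOriginEndpoint": ("origin_endpoints",),
    "mediapackage:ListChannels": (), "mediapackage:ListHarvestJobs": (),
    "mediapackage:ListOriginEndpoints": (),
    "mediapackage:ListTagsForResource": TAGGABLE,
    "mediapackage:RotateIngestEndpointCredentials": ("channels",),
    "mediapackage:TagResource": TAGGABLE, "mediapackage:UntagResource": TAGGABLE,
    "mediapackage:UpdateChannel": ("channels",),
    "mediapackage:UpdateOriginEndpoint": ("origin_endpoints",),
}


def _format_to_regex(fmt):
    """Compile an ARN format: each ${...} placeholder becomes one non-empty,
    colon-free segment, so an IAM wildcard '*' in that position still matches."""
    literals = re.split(r"\$\{[A-Za-z]+\}", fmt)
    return re.compile("[^:]+".join(re.escape(part) for part in literals))


_ARN_REGEXES = {name: _format_to_regex(fmt) for name, fmt in RESOURCE_ARN_FORMATS.items()}


def arn_resource_type(arn):
    """Return the MediaPackage resource type whose ARN format matches arn, else None."""
    for name, regex in _ARN_REGEXES.items():
        if regex.fullmatch(arn):
            return name
    return None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_statement(statement):
    """Return findings for one statement. 'error:' findings mean the statement can
    never match a request as written; 'advisory:' ones flag an avoidable wildcard."""
    findings = []
    resources = _as_list(statement.get("Resource"))
    for action in _as_list(statement.get("Action")):
        allowed = ACTION_RESOURCE_TYPES.get(action)
        if allowed is None:
            findings.append(f"error: {action} is not in the MediaPackage actions table")
            continue
        for res in resources:
            if res == "*":
                if allowed:
                    findings.append(f"advisory: {action} accepts {list(allowed)} ARNs; scope Resource instead of '*'")
            elif not allowed:
                findings.append(f"error: {action} defines no resource type, so Resource must be '*' (got {res})")
            else:
                rtype = arn_resource_type(res)
                if rtype is None:
                    findings.append(f"error: {res} matches no MediaPackage ARN format")
                elif rtype not in allowed:
                    findings.append(f"error: {action} takes {list(allowed)} but {res} is a {rtype} ARN")
    return findings


def check_policy(policy):
    """Map each statement's Sid (or index) to its findings."""
    return {s.get("Sid", str(i)): check_statement(s) for i, s in enumerate(policy["Statement"])}


# Constructed sample policy; the account id, region, names and tag values are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Create* actions carry no resource type, so "*" is correct here; the
            # tags placed on the new resource are constrained with the table's keys.
            "Sid": "CreateWithOwnerTag", "Effect": "Allow",
            "Action": ["mediapackage:CreateChannel", "mediapackage:CreateOriginEndpoint"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestTag/owner": "video-team"},
                          "ForAllValues:StringEquals": {"aws:TagKeys": ["owner", "env"]}},
        },
        {   # Channel-scoped write actions on a channels ARN, limited by resource tag.
            "Sid": "ManageTeamChannels", "Effect": "Allow",
            "Action": ["mediapackage:UpdateChannel", "mediapackage:RotateIngestEndpointCredentials"],
            "Resource": "arn:aws:mediapackage:us-east-1:111122223333:channels/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/owner": "video-team"}},
        },
        {   # Broken: DescribeChannel needs a channels ARN, and ListChannels cannot be
            # scoped at all, so this statement grants nothing.
            "Sid": "Broken", "Effect": "Allow",
            "Action": ["mediapackage:DescribeChannel", "mediapackage:ListChannels"],
            "Resource": "arn:aws:mediapackage:us-east-1:111122223333:origin_endpoints/abc",
        },
    ],
}

if __name__ == "__main__":
    for sid, findings in check_policy(SAMPLE_POLICY).items():
        print(sid, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The two "error:" findings on the third statement are the practical consequence of the column rules: a statement whose Resource can never match the action's resource type is silently dead, which is easy to miss in a policy that otherwise looks tightly scoped.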

Condition keys for AWS Elemental MediaPackage


AWS Elemental MediaPackage defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | | String
aws:ResourceTag/${TagKey} | | String
aws:TagKeys | | String


Actions, resources, and condition keys for AWS Elemental MediaPackage VOD

AWS Elemental MediaPackage VOD (service prefix: mediapackage-vod) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Elemental MediaPackage VOD (p. 777)
• Resource types defined by AWS Elemental MediaPackage VOD (p. 779)
• Condition keys for AWS Elemental MediaPackage VOD (p. 780)

Actions defined by AWS Elemental MediaPackage VOD


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateAsset | Grants permission to create an asset in AWS Elemental MediaPackage | Write | | aws:RequestTag/${TagKey} (p. 780), aws:TagKeys (p. 780) |
CreatePackagingConfiguration | Grants permission to create a packaging configuration in AWS Elemental MediaPackage | Write | | aws:RequestTag/${TagKey} (p. 780), aws:TagKeys (p. 780) |
CreatePackagingGroup | Grants permission to create a packaging group in AWS Elemental MediaPackage | Write | | aws:RequestTag/${TagKey} (p. 780), aws:TagKeys (p. 780) |
DeleteAsset | Grants permission to delete an asset in AWS Elemental MediaPackage | Write | assets* (p. 779) | |
DeletePackagingConfiguration | Grants permission to delete a packaging configuration in AWS Elemental MediaPackage | Write | packaging-configurations* (p. 779) | |
DeletePackagingGroup | Grants permission to delete a packaging group in AWS Elemental MediaPackage | Write | packaging-groups* (p. 779) | |
DescribeAsset | Grants permission to view the details of an asset in AWS Elemental MediaPackage | Read | assets* (p. 779) | |
DescribePackagingConfiguration | Grants permission to view the details of a packaging configuration in AWS Elemental MediaPackage | Read | packaging-configurations* (p. 779) | |
DescribePackagingGroup | Grants permission to view the details of a packaging group in AWS Elemental MediaPackage | Read | packaging-groups* (p. 779) | |
ListAssets | Grants permission to view a list of assets in AWS Elemental MediaPackage | List | | |
ListPackagingConfigurations | Grants permission to view a list of packaging configurations in AWS Elemental MediaPackage | List | | |
ListPackagingGroups | Grants permission to view a list of packaging groups in AWS Elemental MediaPackage | List | | |
ListTagsForResource | Grants permission to list the tags assigned to a PackagingGroup, PackagingConfiguration, or Asset. | Read | assets (p. 779), packaging-configurations (p. 779), packaging-groups (p. 779) | |
TagResource | Grants permission to assign tags to a PackagingGroup, PackagingConfiguration, or Asset. | Write | assets (p. 779), packaging-configurations (p. 779), packaging-groups (p. 779) | aws:RequestTag/${TagKey} (p. 780), aws:TagKeys (p. 780) |
UntagResource | Grants permission to delete tags from a PackagingGroup, PackagingConfiguration, or Asset. | Write | assets (p. 779), packaging-configurations (p. 779), packaging-groups (p. 779) | aws:TagKeys (p. 780) |

Resource types defined by AWS Elemental MediaPackage VOD


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 777) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
assets | arn:${Partition}:mediapackage-vod:${Region}:${Account}:assets/${AssetIdentifier} | aws:ResourceTag/${TagKey} (p. 780)
packaging-configurations | arn:${Partition}:mediapackage-vod:${Region}:${Account}:packaging-configurations/${PackagingConfigurationIdentifier} | aws:ResourceTag/${TagKey} (p. 780)
packaging-groups | arn:${Partition}:mediapackage-vod:${Region}:${Account}:packaging-groups/${PackagingGroupIdentifier} | aws:ResourceTag/${TagKey} (p. 780)


Condition keys for AWS Elemental MediaPackage VOD


AWS Elemental MediaPackage VOD defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions under
which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
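
The table above says what aws:RequestTag/${TagKey} and aws:TagKeys filter on; what decides whether a policy is actually restrictive is how the comparison behaves when a tag is missing from the request. The following Python is an added example, not code from this reference or from AWS: a small evaluator for Condition blocks that use these two keys (the same keys the MediaLive, MediaPackage and MediaTailor tables list) against the tags carried by a constructed request. It reproduces the IAM semantics that matter here: a single-valued StringEquals fails when the key is absent, ForAllValues is vacuously true for a request with no tags, and Null tests presence. The condition blocks and request tags are constructed for illustration.

```python
"""Evaluate tag-based IAM conditions against a request's tags (added example, not AWS code)."""

REQUEST_TAG_PREFIX = "aws:RequestTag/"


def _context_values(key, request_tags):
    """Resolve a condition key to the request-context values it carries.
    aws:TagKeys is multivalued (every tag key in the request); aws:RequestTag/<k>
    is single-valued and absent when the request does not carry tag <k>."""
    if key == "aws:TagKeys":
        return sorted(request_tags)
    if key.startswith(REQUEST_TAG_PREFIX):
        tag_key = key[len(REQUEST_TAG_PREFIX):]
        return [request_tags[tag_key]] if tag_key in request_tags else []
    raise ValueError(f"unsupported condition key: {key}")


def evaluate_tag_conditions(condition, request_tags):
    """Return True when every operator block in `condition` matches the request.
    Operator blocks are ANDed, keys inside a block are ANDed, listed values are ORed."""
    for operator, keys in condition.items():
        set_op, base = operator.split(":", 1) if operator.startswith("For") else (None, operator)
        if base not in ("StringEquals", "Null"):
            raise ValueError(f"unsupported operator: {operator}")
        for key, expected in keys.items():
            expected = [expected] if isinstance(expected, str) else list(expected)
            actual = _context_values(key, request_tags)
            if base == "Null":
                # "true": the key must be absent from the request; "false": it must be present.
                ok = (not actual) if str(expected[0]).lower() == "true" else bool(actual)
            elif set_op == "ForAllValues":
                # Every value in the request must appear in the policy list. With no
                # values at all (an untagged request) this is vacuously True.
                ok = all(v in expected for v in actual)
            elif set_op == "ForAnyValue":
                # At least one request value must appear in the policy list.
                ok = any(v in expected for v in actual)
            elif key == "aws:TagKeys":
                raise ValueError("aws:TagKeys is multivalued; use ForAllValues or ForAnyValue")
            else:
                # Single-valued comparison: a key missing from the context never matches.
                ok = bool(actual) and actual[0] in expected
            if not ok:
                return False
    return True


# Constructed condition blocks. The first only restricts which keys may appear, so a
# request that carries no tags at all satisfies it; the second also requires the
# owner tag to be present with a fixed value.
ALLOWLIST_ONLY = {"ForAllValues:StringEquals": {"aws:TagKeys": ["owner", "env"]}}
ALLOWLIST_AND_REQUIRED = {
    "StringEquals": {"aws:RequestTag/owner": "video-team"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["owner", "env"]},
}

if __name__ == "__main__":
    for tags in ({}, {"owner": "video-team", "env": "prod"}, {"owner": "video-team", "team": "x"}):
        print(tags, evaluate_tag_conditions(ALLOWLIST_ONLY, tags),
              evaluate_tag_conditions(ALLOWLIST_AND_REQUIRED, tags))
```

Pairing ForAllValues:StringEquals on aws:TagKeys with a StringEquals (or a Null "false") on the specific aws:RequestTag/${TagKey} is what turns a key allow-list into a requirement that the tag is actually set.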

Actions, resources, and condition keys for AWS Elemental MediaStore

AWS Elemental MediaStore (service prefix: mediastore) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Elemental MediaStore (p. 780)
• Resource types defined by AWS Elemental MediaStore (p. 783)
• Condition keys for AWS Elemental MediaStore (p. 783)

Actions defined by AWS Elemental MediaStore


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateContainer | Grants permission to create containers. | Write | | |
DeleteContainer | Grants permission to delete any container in the current account. | Write | | |
DeleteContainerPolicy | Grants permission to delete the access policy of any container in the current account. | Permissions management | | |
DeleteCorsPolicy | Grants permission to delete the CORS policy from any container in the current account. | Write | | |
DeleteLifecyclePolicy | Grants permission to delete the lifecycle policy from any container in the current account. | Write | | |
DeleteMetricPolicy | Grants permission to delete the metric policy from any container in the current account. | Write | | |
DeleteObject | Grants permission to delete objects. | Write | | |
DescribeContainer | Grants permission to retrieve details on any container in the current account. | List | | |
DescribeObject | Grants permission to retrieve object metadata. | List | | |
GetContainerPolicy | Grants permission to retrieve the access policy of any container in the current account. | Read | | |
GetCorsPolicy | Grants permission to retrieve the CORS policy of any container in the current account. | Read | | |
GetLifecyclePolicy | Grants permission to retrieve the lifecycle policy that is assigned to any container in the current account. | Read | | |
GetMetricPolicy | Grants permission to retrieve the metric policy that is assigned to any container in the current account. | Read | | |
GetObject | Grants permission to retrieve objects. | Read | | |
ListContainers | Grants permission to retrieve a list of containers in the current account. | List | | |
ListItems | Grants permission to retrieve a list of objects and folders in the current account. | List | | |
ListTagsForResource | Grants permission to list tags on any container in the current account. | Read | | |
PutContainerPolicy | Grants permission to create or replace the access policy of any container in the current account. | Permissions management | | |
PutCorsPolicy | Grants permission to add or modify the CORS policy of any container in the current account. | Write | | |
PutLifecyclePolicy | Grants permission to add or modify the lifecycle policy that is assigned to any container in the current account. | Write | | |
PutMetricPolicy | Grants permission to add or modify the metric policy that is assigned to any container in the current account. | Write | | |
PutObject | Grants permission to upload objects. | Write | | |
StartAccessLogging | Grants permission to enable access logging on any container in the current account. | Write | | |
StopAccessLogging | Grants permission to disable access logging on any container in the current account. | Write | | |
TagResource | Grants permission to add tags to any container in the current account. | Tagging | | |
UntagResource | Grants permission to remove tags from any container in the current account. | Tagging | | |


Resource types defined by AWS Elemental MediaStore


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 780) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
container | arn:${Partition}:mediastore:${Region}:${Account}:container/${ContainerName} |

Condition keys for AWS Elemental MediaStore


MediaStore has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Elemental MediaTailor

AWS Elemental MediaTailor (service prefix: mediatailor) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Elemental MediaTailor (p. 783)
• Resource types defined by AWS Elemental MediaTailor (p. 784)
• Condition keys for AWS Elemental MediaTailor (p. 785)

Actions defined by AWS Elemental MediaTailor


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
DeletePlaybackConfiguration | Deletes the playback configuration for the specified name | Write | playbackConfiguration* (p. 785) | |
GetPlaybackConfiguration | Grants permission to retrieve the configuration for the specified name | Read | playbackConfiguration* (p. 785) | |
ListPlaybackConfigurations | Grants permission to retrieve the list of available configurations | List | | |
ListTagsForResource | Returns a list of the tags assigned to the specified playback configuration resource. | Read | | |
PutPlaybackConfiguration | Grants permission to add a new configuration | Write | playbackConfiguration* (p. 785) | aws:RequestTag/${TagKey} (p. 785), aws:TagKeys (p. 785) |
TagResource | Adds tags to the specified playback configuration resource. | Tagging | | aws:RequestTag/${TagKey} (p. 785), aws:TagKeys (p. 785) |
UntagResource | Removes tags from the specified playback configuration resource. | Tagging | | aws:RequestTag/${TagKey} (p. 785), aws:TagKeys (p. 785) |

Resource types defined by AWS Elemental MediaTailor


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 783) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
playbackConfiguration | arn:${Partition}:mediatailor:${Region}:${Account}:playbackConfiguration/${ResourceId} | aws:ResourceTag/${TagKey} (p. 785)

Condition keys for AWS Elemental MediaTailor


AWS Elemental MediaTailor defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for Elemental Support Cases

Elemental Support Cases (service prefix: elemental-support-cases) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Elemental Support Cases (p. 785)
• Resource types defined by Elemental Support Cases (p. 786)
• Condition keys for Elemental Support Cases (p. 786)

Actions defined by Elemental Support Cases


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateCase [permission only] | Grant the permission to create a support case | Write | | |
GetCase [permission only] | Grant the permission to describe a support case in your account | Read | | |
GetCases [permission only] | Grant the permission to list the support cases in your account | Read | | |
UpdateCase [permission only] | Grant the permission to update a support case | Write | | |

Resource types defined by Elemental Support Cases


Elemental Support Cases does not support specifying a resource ARN in the Resource element of an
IAM policy statement. To allow access to Elemental Support Cases, specify "Resource": "*" in your
policy.

Condition keys for Elemental Support Cases


Elemental Support Cases has no service-specific context keys that can be used in the Condition
element of policy statements. For the list of the global context keys that are available to all services, see
Available keys for conditions.

Actions, resources, and condition keys for Elemental Support Content
Elemental Support Content (service prefix: elemental-support-content) provides the following
service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Elemental Support Content (p. 787)
• Resource types defined by Elemental Support Content (p. 787)
• Condition keys for Elemental Support Content (p. 787)

Actions defined by Elemental Support Content


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
Query [permission only] | Grants permission to search support content | Read | | |

Resource types defined by Elemental Support Content


Elemental Support Content does not support specifying a resource ARN in the Resource element of an
IAM policy statement. To allow access to Elemental Support Content, specify "Resource": "*" in your
policy.

Condition keys for Elemental Support Content


Elemental Support Content has no service-specific context keys that can be used in the Condition
element of policy statements. For the list of the global context keys that are available to all services, see
Available keys for conditions.

Actions, resources, and condition keys for Amazon EMR on EKS (EMR Containers)
Amazon EMR on EKS (EMR Containers) (service prefix: emr-containers) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon EMR on EKS (EMR Containers) (p. 788)
• Resource types defined by Amazon EMR on EKS (EMR Containers) (p. 789)
• Condition keys for Amazon EMR on EKS (EMR Containers) (p. 790)

Actions defined by Amazon EMR on EKS (EMR Containers)


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CancelJobRun | Grants permission to cancel a job run | Write | jobRun* (p. 790), virtualCluster* (p. 790) | |
CreateVirtualCluster | Grants permission to create a virtual cluster | Write | | aws:RequestTag/${TagKey} (p. 790), aws:TagKeys (p. 790) |
DeleteVirtualCluster | Grants permission to delete a virtual cluster | Write | virtualCluster* (p. 790) | |
DescribeJobRun | Grants permission to describe a job run | Read | jobRun* (p. 790), virtualCluster* (p. 790) | |
DescribeVirtualCluster | Grants permission to describe a virtual cluster | Read | virtualCluster* (p. 790) | |
ListJobRuns | Grants permission to list job runs associated with a virtual cluster | List | virtualCluster* (p. 790) | |
ListTagsForResource | Grants permission to list tags for the specified resource | List | jobRun (p. 790), virtualCluster (p. 790) | |
ListVirtualClusters | Grants permission to list virtual clusters | List | | |
StartJobRun | Grants permission to start a job run | Write | virtualCluster* (p. 790) | aws:RequestTag/${TagKey} (p. 790), aws:TagKeys (p. 790), emr-containers:ExecutionRoleArn (p. 790) |
TagResource | Grants permission to tag the specified resource | Tagging | jobRun (p. 790), virtualCluster (p. 790) | aws:RequestTag/${TagKey} (p. 790), aws:TagKeys (p. 790) |
UntagResource | Grants permission to untag the specified resource | Tagging | jobRun (p. 790), virtualCluster (p. 790) | aws:TagKeys (p. 790) |

Resource types defined by Amazon EMR on EKS (EMR Containers)

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 788) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
virtualCluster | arn:${Partition}:emr-containers:${Region}:${Account}:/virtualclusters/${virtualClusterId} | aws:ResourceTag/${TagKey} (p. 790)
jobRun | arn:${Partition}:emr-containers:${Region}:${Account}:/virtualclusters/${virtualClusterId}/jobruns/${jobRunId} | aws:ResourceTag/${TagKey} (p. 790), emr-containers:ExecutionRoleArn (p. 790)

Condition keys for Amazon EMR on EKS (EMR Containers)


Amazon EMR on EKS (EMR Containers) defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions under
which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
emr-containers:ExecutionRoleArn | Filters actions based on whether the execution role ARN is provided with the action | String

Actions, resources, and condition keys for Amazon EventBridge
Amazon EventBridge (service prefix: events) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon EventBridge (p. 791)
• Resource types defined by Amazon EventBridge (p. 796)
• Condition keys for Amazon EventBridge (p. 796)

Actions defined by Amazon EventBridge


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
ActivateEventSource | Grants permission to activate partner event sources | Write | event-source* (p. 796) | |
CancelReplay | Grants permission to cancel a replay | Write | replay* (p. 796) | |
CreateArchive | Grants permission to create a new archive | Write | archive* (p. 796) | |
CreateEventBus | Grants permission to create event buses | Write | event-bus* (p. 796) | aws:RequestTag/${TagKey} (p. 796), aws:TagKeys (p. 797) |
CreatePartnerEventSource | Grants permission to create partner event sources | Write | event-source* (p. 796) | |
DeactivateEventSource | Grants permission to deactivate event sources | Write | event-source* (p. 796) | |
DeleteArchive | Grants permission to delete an archive | Write | archive* (p. 796) | |
DeleteEventBus | Grants permission to delete event buses | Write | event-bus* (p. 796) | |
DeletePartnerEventSource | Grants permission to delete partner event sources | Write | event-source* (p. 796) | |
DeleteRule | Grants permission to delete rules | Write | rule* (p. 796) | events:creatorAccount (p. 797) |
DescribeArchive | Grants permission to retrieve details about an archive | Read | archive* (p. 796) | |
DescribeEventBus | Grants permission to retrieve details about event buses | Read | event-bus (p. 796) | |
DescribeEventSource | Grants permission to retrieve details about event sources | Read | event-source* (p. 796) | |
DescribePartnerEventSource | Grants permission to retrieve details about partner event sources | Read | event-source* (p. 796) | |
DescribeReplay | Grants permission to retrieve the details of a replay | Read | replay* (p. 796) | |
DescribeRule | Grants permission to retrieve details about rules | Read | rule* (p. 796) | events:creatorAccount (p. 797) |
DisableRule | Grants permission to disable rules | Write | rule* (p. 796) | events:creatorAccount (p. 797) |
EnableRule | Grants permission to enable rules | Write | rule* (p. 796) | events:creatorAccount (p. 797) |
ListArchives | Grants permission to retrieve a list of archives | List | | |
ListEventBuses | Grants permission to retrieve a list of the event buses in your account | List | | |
ListEventSources | Grants permission to retrieve a list of event sources shared with this account | List | | |
ListPartnerEventSourceAccounts | Grants permission to retrieve a list of AWS account IDs associated with an event source | List | event-source* (p. 796) | |
ListPartnerEventSources | Grants permission to retrieve a list of partner event sources | List | | |
ListReplays | Grants permission to retrieve a list of replays | List | | |
ListRuleNamesByTarget | Grants permission to retrieve a list of the names of the rules associated with a target | List | | |
ListRules | Grants permission to retrieve a list of the Amazon EventBridge rules in the account | List | | |
ListTagsForResource | Grants permission to retrieve a list of tags associated with an Amazon EventBridge resource | List | event-bus (p. 796), rule (p. 796) | events:creatorAccount (p. 797) |
ListTargetsByRule | Grants permission to retrieve a list of targets defined for a rule | List | rule* (p. 796) | events:creatorAccount (p. 797) |
PutEvents | Grants permission to send custom events to Amazon EventBridge | Write | event-bus* (p. 796) | events:detail-type (p. 797), events:source (p. 797), events:eventBusInvocation (p. 797), aws:SourceArn (p. 797), aws:SourceAccount (p. 796) |
PutPartnerEvents | Grants permission to send custom events to Amazon EventBridge | Write | | |
PutPermission | Grants permission to use the PutPermission action to grant permission to another AWS account to put events to your default event bus | Write | | |
PutRule | Grants permission to create or update rules | Tagging | rule* (p. 796) | events:detail.userIdentity.principalId (p. 797), events:detail-type (p. 797), events:source (p. 797), events:detail.service (p. 797), events:detail.eventTypeCode (p. 797), aws:RequestTag/${TagKey} (p. 796), aws:TagKeys (p. 797), events:creatorAccount (p. 797) |
PutTargets | Grants permission to add targets to a rule | Write | rule* (p. 796) | events:TargetArn (p. 797), events:creatorAccount (p. 797) |
RemovePermission | Grants permission to revoke the permission of another AWS account to put events to your default event bus | Write | | |
RemoveTargets | Grants permission to remove targets from a rule | Write | rule* (p. 796) | events:creatorAccount (p. 797) |
StartReplay | Grants permission to start a replay of an archive | Write | archive* (p. 796) | |
TagResource | Grants permission to add a tag to an Amazon EventBridge resource | Tagging | event-bus (p. 796), rule (p. 796) | aws:TagKeys (p. 797), aws:RequestTag/${TagKey} (p. 796), events:creatorAccount (p. 797) |
TestEventPattern | Grants permission to test whether an event pattern matches the provided event | Read | | |
UntagResource | Grants permission to remove a tag from an Amazon EventBridge resource | Tagging | event-bus (p. 796), rule (p. 796) | aws:TagKeys (p. 797), events:creatorAccount (p. 797) |
UpdateArchive | Grants permission to update an archive | Write | archive* (p. 796) | |

Resource types defined by Amazon EventBridge


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 791) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
event-source | arn:${Partition}:events:${Region}::event-source/${EventSourceName} |
event-bus | arn:${Partition}:events:${Region}:${Account}:event-bus/${EventBusName} | aws:ResourceTag/${TagKey} (p. 796)
rule | arn:${Partition}:events:${Region}:${Account}:rule/[${EventBusName}/]${RuleName} | aws:ResourceTag/${TagKey} (p. 796)
archive | arn:${Partition}:events:${Region}:${Account}:archive/${ArchiveName} |
replay | arn:${Partition}:events:${Region}:${Account}:replay/${ReplayName} |

Condition keys for Amazon EventBridge


Amazon EventBridge defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource | String
aws:SourceAccount | Filters actions based on whether the source of the request comes from a specific account | String
aws:SourceArn | Filters actions based on the Amazon Resource Name (ARN) of the source making the request | String
aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String
events:ManagedBy | Used internally by AWS services. If a rule is created by an AWS service on your behalf, the value is the principal name of the service that created the rule. | String
events:TargetArn | The ARN of a target that can be put to a rule. | ARN
events:creatorAccount | Filters actions based on the account the rule was created in | String
events:detail-type | Matches the literal string of the detail-type field of the event. | String
events:detail.eventTypeCode | Matches the literal string for the detail.eventTypeCode field of the event. | String
events:detail.service | Matches the literal string for the detail.service field of the event. | String
events:detail.userIdentity.principalId | Matches the literal string for the detail.userIdentity.principalId field of the event. | String
events:eventBusInvocation | Filters actions based on whether the event was generated via API or cross-account bus invocation | String
events:source | The AWS service or AWS partner event source that generated the event. Matches the literal string of the source field of the event. | String

Actions, resources, and condition keys for Amazon EventBridge Schemas
Amazon EventBridge Schemas (service prefix: schemas) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon EventBridge Schemas (p. 798)
• Resource types defined by Amazon EventBridge Schemas (p. 801)
• Condition keys for Amazon EventBridge Schemas (p. 801)

Actions defined by Amazon EventBridge Schemas


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateDiscoverer | Creates an event schema discoverer. Once created, your events will be automatically mapped into corresponding schema documents | Write | discoverer* (p. 801) | |
CreateRegistry | Create a new schema registry in your account. | Write | registry* (p. 801) | |
CreateSchema | Create a new schema in your account. | Write | schema* (p. 801) | |
DeleteDiscoverer | Deletes a discoverer in your account. | Write | discoverer* (p. 801) | |
DeleteRegistry | Deletes an existing registry in your account. | Write | registry* (p. 801) | |
DeleteResourcePolicy | Delete the resource-based policy attached to a given registry. | Write | registry* (p. 801) | |
DeleteSchema | Deletes an existing schema in your account. | Write | schema* (p. 801) | |
DeleteSchemaVersion | Deletes a specific version of a schema in your account. | Write | schema* (p. 801) | |
DescribeCodeBinding | Retrieves metadata for generated code for a specific schema in your account. | Read | schema* (p. 801) | |
DescribeDiscoverer | Retrieves discoverer metadata in your account. | Read | discoverer* (p. 801) | |
DescribeRegistry | Describes existing registry metadata in your account. | Read | registry* (p. 801) | |
DescribeSchema | Retrieves an existing schema in your account. | Read | schema* (p. 801) | |
ExportSchema | Allows exporting AWS registry or discovered schemas in OpenAPI 3 format to JSONSchema format. | Read | registry* (p. 801), schema* (p. 801) | |
GetCodeBindingSource | Retrieves metadata for generated code for a specific schema in your account. | Read | schema* (p. 801) | |
GetDiscoveredSchema | Retrieves a schema for the provided list of sample events. | Read | | |
GetResourcePolicy | Retrieves the resource-based policy attached to a given registry. | Read | registry* (p. 801) | |
ListDiscoverers | Lists all the discoverers in your account. | List | discoverer* (p. 801) | |
ListRegistries | List all discoverers in your account. | List | registry* (p. 801) | |
ListSchemaVersions | List all versions of a schema. | List | schema* (p. 801) | |
ListSchemas | List all schemas. | List | schema* (p. 801) | |
ListTagsForResource | This action lists tags for a resource. | List | discoverer* (p. 801), registry* (p. 801), schema* (p. 801) | |
PutCodeBinding | Generates code for a specific schema in your account. | Write | schema* (p. 801) | |
PutResourcePolicy | Attach a resource-based policy to the specific registry. | Write | registry* (p. 801) | |
SearchSchemas | Searches schemas based on specified keywords in your account. | List | schema* (p. 801) | |
StartDiscoverer | Starts the specified discoverer. Once started, the discoverer will automatically register schemas for published events to the configured source in your account | Write | discoverer* (p. 801) | |
StopDiscoverer | Starts the specified discoverer. Once started, the discoverer will automatically register schemas for published events to the configured source in your account | Write | discoverer* (p. 801) | |
TagResource | This action tags a resource. | Tagging | discoverer* (p. 801), registry* (p. 801), schema* (p. 801) | aws:TagKeys (p. 801), aws:RequestTag/${TagKey} (p. 801) |
UntagResource | This action removes a tag from a resource. | Tagging | discoverer* (p. 801), registry* (p. 801), schema* (p. 801) | aws:TagKeys (p. 801) |
UpdateDiscoverer | Updates an existing discoverer in your account. | Write | discoverer* (p. 801) | |
UpdateRegistry | Updates existing registry metadata in your account. | Write | registry* (p. 801) | |
UpdateSchema | Updates an existing schema in your account. | Write | schema* (p. 801) | |

Resource types defined by Amazon EventBridge Schemas


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 798) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
discoverer | arn:${Partition}:schemas:${Region}:${Account}:discoverer/${DiscovererId} | aws:ResourceTag/${TagKey} (p. 801)
registry | arn:${Partition}:schemas:${Region}:${Account}:registry/${RegistryName} | aws:ResourceTag/${TagKey} (p. 801)
schema | arn:${Partition}:schemas:${Region}:${Account}:schema/${RegistryName}/${SchemaName} | aws:ResourceTag/${TagKey} (p. 801)

Condition keys for Amazon EventBridge Schemas


Amazon EventBridge Schemas defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource | String
aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String

Actions, resources, and condition keys for AWS Firewall Manager
AWS Firewall Manager (service prefix: fms) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• View a list of the API operations available for this service.

Topics
• Actions defined by AWS Firewall Manager (p. 802)
• Resource types defined by AWS Firewall Manager (p. 805)
• Condition keys for AWS Firewall Manager (p. 806)

Actions defined by AWS Firewall Manager


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateAdminAccount | Grants permission to set the AWS Firewall Manager administrator account and enable the service in all organization accounts | Write | | |
DeleteAppsList | Grants permission to permanently delete an AWS Firewall Manager applications list | Write | applications-list* (p. 805) | |
DeleteNotificationChannel | Grants permission to delete an AWS Firewall Manager association with the IAM role and the Amazon Simple Notification Service (SNS) topic that is used to notify the FM administrator about major FM events and errors across the organization | Write | | |
DeletePolicy | Grants permission to permanently delete an AWS Firewall Manager policy | Write | policy* (p. 805) | aws:ResourceTag/${TagKey} (p. 806) |
DeleteProtocolsList | Grants permission to permanently delete an AWS Firewall Manager protocols list | Write | protocols-list* (p. 805) | |
DisassociateAdminAccount | Grants permission to disassociate the account that has been set as the AWS Firewall Manager administrator account and disable the service in all organization accounts | Write | | |
GetAdminAccount | Grants permission to retrieve the AWS Organizations master account that is associated with AWS Firewall Manager as the AWS Firewall Manager administrator | Read | | |
GetAppsList | Grants permission to return information about the specified AWS Firewall Manager applications list | Read | applications-list* (p. 805) | |
GetComplianceDetail | Grants permission to retrieve detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy | Read | policy* (p. 805) | |
GetNotificationChannel | Grants permission to retrieve information about the Amazon Simple Notification Service (SNS) topic that is used to record AWS Firewall Manager SNS logs | Read | | |
GetPolicy | Grants permission to retrieve information about the specified AWS Firewall Manager policy | Read | policy* (p. 805) | |
GetProtectionStatus | Grants permission to retrieve policy-level attack summary information in the event of a potential DDoS attack | Read | policy* (p. 805) | |
GetProtocolsList | Grants permission to return information about the specified AWS Firewall Manager protocols list | Read | protocols-list* (p. 805) | |
GetViolationDetails | Grants permission to retrieve violations for a resource based on the specified AWS Firewall Manager policy and AWS account | Read | policy* (p. 805) | |
ListAppsLists | Grants permission to return an array of AppsListDataSummary objects | List | | |
ListComplianceStatus | Grants permission to retrieve an array of PolicyComplianceStatus objects in the response. Use PolicyComplianceStatus to get a summary of which member accounts are protected by the specified policy | List | policy* (p. 805) | |
ListMemberAccounts | Grants permission to retrieve an array of member account IDs if the caller is the FMS admin account | List | | |
ListPolicies | Grants permission to retrieve an array of PolicySummary objects in the response | List | | |
ListProtocolsLists | Grants permission to return an array of ProtocolsListDataSummary objects | List | | |
ListTagsForResource | Grants permission to list tags for a given resource | Read | policy* (p. 805) | |
PutAppsList | Grants permission to create an AWS Firewall Manager applications list | Write | applications-list* (p. 805) | aws:RequestTag/${TagKey} (p. 806), aws:TagKeys (p. 806) |

Grants permission to designate Write      


PutNotificationChannel
the IAM role and Amazon Simple
Notification Service (SNS) topic
that AWS Firewall Manager
(FM) could use to notify the FM
administrator about major FM
events and errors across the
organization

PutPolicy Grants permission to create an Write policy*    


AWS Firewall Manager policy (p. 805)

804
Service Authorization Reference
Service Authorization Reference
AWS Firewall Manager

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:RequestTag/
 
${TagKey}
(p. 806)

aws:TagKeys
(p. 806)

Grants permission to creates an Write protocols-    


PutProtocolsList AWS Firewall Manager protocols list*
list (p. 805)

  aws:RequestTag/
 
${TagKey}
(p. 806)

aws:TagKeys
(p. 806)

TagResource Grants permission to add a Tag Tagging policy*    


to a given resource (p. 805)

  aws:RequestTag/
 
${TagKey}
(p. 806)

aws:TagKeys
(p. 806)

Grants permission to remove a Tagging policy*    


UntagResource Tag from a given resource (p. 805)

  aws:TagKeys  
(p. 806)

Resource types defined by AWS Firewall Manager


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 802) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

policy
  ARN: arn:${Partition}:fms:${Region}:${Account}:policy/${Id}
  Condition keys: aws:ResourceTag/${TagKey} (p. 806)

applications-list
  ARN: arn:${Partition}:fms:${Region}:${Account}:applications-list/${Id}
  Condition keys: aws:ResourceTag/${TagKey} (p. 806)

protocols-list
  ARN: arn:${Partition}:fms:${Region}:${Account}:protocols-list/${Id}
  Condition keys: aws:ResourceTag/${TagKey} (p. 806)


Condition keys for AWS Firewall Manager


AWS Firewall Manager defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

aws:RequestTag/${TagKey} (String)
  Filters actions based on the allowed set of values for each of the tags

aws:ResourceTag/${TagKey} (String)
  Filters actions based on the tag value associated with the resource

aws:TagKeys (String)
  Filters actions based on the presence of mandatory tags in the request
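
The three keys above are what make tag-based (attribute-based) access control possible for this service:
fms:PutPolicy, fms:PutAppsList, fms:PutProtocolsList and fms:TagResource list aws:RequestTag/${TagKey} and
aws:TagKeys, while fms:DeletePolicy lists only aws:ResourceTag/${TagKey}. The Python below is an added
example, not part of this reference or of the IAM policy engine: it models just the condition operators it
needs (StringEquals on a single-valued key, ForAllValues:StringEquals and ForAnyValue:StringEquals on the
multi-valued aws:TagKeys), builds the request context IAM would see from a request's tags, and evaluates two
policies against constructed requests. The account ID, policy ARN, tag values and function names are
invented for the example. The same three keys are defined, with the same meaning, in the Fleet Hub and
Amazon Forecast sections that follow.

```python
"""Model how aws:RequestTag, aws:ResourceTag and aws:TagKeys gate fms actions.

Added example, not part of the Service Authorization Reference or the IAM
policy engine. Only the condition operators used below are modelled.
"""
import fnmatch

# Constructed identifiers for the example; not real resources.
POLICY_ARN = "arn:aws:fms:us-east-1:111122223333:policy/1d2b3c4d-example"
FMS_POLICIES = "arn:aws:fms:us-east-1:111122223333:policy/*"

# Allows PutPolicy/TagResource only with tag keys drawn from a fixed set.
TAGKEYS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["fms:PutPolicy", "fms:TagResource"],
    "Resource": FMS_POLICIES,
    "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["team", "env"]}},
}]}

# Hardened variant: also requires team=netsec on every create/tag request,
# allows DeletePolicy, but explicitly denies deleting policies tagged env=prod
# (aws:ResourceTag is the only one of the three keys DeletePolicy supports).
HARDENED = {"Version": "2012-10-17", "Statement": [
    {
        "Effect": "Allow",
        "Action": ["fms:PutPolicy", "fms:TagResource"],
        "Resource": FMS_POLICIES,
        "Condition": {
            "StringEquals": {"aws:RequestTag/team": "netsec"},
            "ForAllValues:StringEquals": {"aws:TagKeys": ["team", "env"]},
        },
    },
    {"Effect": "Allow", "Action": "fms:DeletePolicy", "Resource": FMS_POLICIES},
    {
        "Effect": "Deny",
        "Action": "fms:DeletePolicy",
        "Resource": FMS_POLICIES,
        "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}},
    },
]}


def request_context(request_tags, resource_tags):
    """Build the condition context: aws:RequestTag/<k> and the multi-valued
    aws:TagKeys from the tags in the request, aws:ResourceTag/<k> from the tags
    already on the resource. A request with no tags sets none of the
    request-side keys, which is the case ForAllValues handles permissively."""
    ctx = {f"aws:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()}
    if request_tags:
        ctx["aws:TagKeys"] = list(request_tags)
        ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
    return ctx


def condition_matches(operator, key, allowed, ctx):
    allowed = [allowed] if isinstance(allowed, str) else list(allowed)
    if operator == "StringEquals":  # single-valued: a missing key never matches
        return key in ctx and ctx[key] in allowed
    if operator == "ForAllValues:StringEquals":  # vacuously true when the key is absent
        return all(v in allowed for v in ctx.get(key, []))
    if operator == "ForAnyValue:StringEquals":  # false when the key is absent
        return any(v in allowed for v in ctx.get(key, []))
    raise ValueError(f"operator {operator} is not modelled")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def statement_matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(condition_matches(op, key, allowed, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, allowed in pairs.items())


def evaluate(policy, action, resource, request_tags=None, resource_tags=None):
    """Return 'allow', 'explicit deny' or 'implicit deny' for one request.
    An explicit Deny wins over any Allow, as in IAM."""
    ctx = request_context(request_tags, resource_tags)
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            decision = "allow"
    return decision


if __name__ == "__main__":
    for tags in ({"team": "netsec"}, {"owner": "bob"}, {}):
        print("TAGKEYS_ONLY PutPolicy", tags, "->", evaluate(TAGKEYS_ONLY, "fms:PutPolicy", POLICY_ARN, tags))
        print("HARDENED     PutPolicy", tags, "->", evaluate(HARDENED, "fms:PutPolicy", POLICY_ARN, tags))
    for rtags in ({"env": "prod"}, {"env": "dev"}):
        print("HARDENED DeletePolicy on", rtags, "->",
              evaluate(HARDENED, "fms:DeletePolicy", POLICY_ARN, resource_tags=rtags))
```

TAGKEYS_ONLY allows a PutPolicy request that carries no tags at all, because ForAllValues evaluates to true
over an empty set; a policy that relies on aws:TagKeys alone therefore does not enforce tagging. HARDENED
closes that gap by also requiring aws:RequestTag/team, which is a single-valued key and so fails when the
tag is absent, and it uses aws:ResourceTag on DeletePolicy because that is the only tag key the DeletePolicy
row lists.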

Actions, resources, and condition keys for Fleet Hub for AWS IoT Device Management

Fleet Hub for AWS IoT Device Management (service prefix: iotfleethub) provides the following
service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Fleet Hub for AWS IoT Device Management (p. 806)
• Resource types defined by Fleet Hub for AWS IoT Device Management (p. 808)
• Condition keys for Fleet Hub for AWS IoT Device Management (p. 808)

Actions defined by Fleet Hub for AWS IoT Device Management


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If a resource type is optional (not indicated as required),
you can use it without also specifying the other optional types.

For details about the columns in the following table, see The actions table (p. 1).

Each entry below lists the action's description, access level, resource types (* marks a required type),
condition keys, and dependent actions; columns that are empty for an action are omitted.

CreateApplication
  Grants permission to create an application
  Access level: Write
  Condition keys: aws:RequestTag/${TagKey} (p. 808), aws:TagKeys (p. 809)
  Dependent actions: sso:CreateManagedApplic, sso:DescribeRegisteredRe

CreateDashboard
  Grants permission to create a dashboard
  Access level: Write
  Condition keys: aws:RequestTag/${TagKey} (p. 808), aws:TagKeys (p. 809)

DeleteApplication
  Grants permission to delete an application
  Access level: Write
  Resource types: application* (p. 808)
  Dependent actions: sso:DeleteManagedApplic

DeleteDashboard
  Grants permission to delete a dashboard
  Access level: Write
  Resource types: dashboard* (p. 808)

DescribeApplication
  Grants permission to describe an application
  Access level: Read
  Resource types: application* (p. 808)

DescribeDashboard
  Grants permission to describe a dashboard
  Access level: Read
  Resource types: dashboard* (p. 808)

ListApplications
  Grants permission to list all applications
  Access level: List

ListDashboards
  Grants permission to list all dashboards
  Access level: List

ListTagsForResource
  Grants permission to list all tags for a resource
  Access level: Read
  Resource types: application, dashboard (p. 808)

TagResource
  Grants permission to tag a resource
  Access level: Tagging
  Resource types: application, dashboard (p. 808)
  Condition keys: aws:RequestTag/${TagKey} (p. 808), aws:TagKeys (p. 809)

UntagResource
  Grants permission to untag a resource
  Access level: Tagging
  Resource types: application, dashboard (p. 808)
  Condition keys: aws:TagKeys (p. 809)

UpdateApplication
  Grants permission to update an application
  Access level: Write
  Resource types: application* (p. 808)

UpdateDashboard
  Grants permission to update a dashboard
  Access level: Write
  Resource types: dashboard* (p. 808)

Resource types defined by Fleet Hub for AWS IoT Device Management

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 806) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

application
  ARN: arn:${Partition}:iotfleethub::${Account}:application/${ApplicationId}
  Condition keys: aws:ResourceTag/${TagKey} (p. 808)

dashboard
  ARN: arn:${Partition}:iotfleethub::${Account}:dashboard/${DashboardId}
  Condition keys: aws:ResourceTag/${TagKey} (p. 808)

Condition keys for Fleet Hub for AWS IoT Device Management
Fleet Hub for AWS IoT Device Management defines the following condition keys that can be used
in the Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

aws:RequestTag/${TagKey} (String)
  Filters access by the tag key-value pairs in the request

aws:ResourceTag/${TagKey} (String)
  Filters access by the tags attached to the resource

aws:TagKeys (String)
  Filters actions by the tag keys in the request

Actions, resources, and condition keys for Amazon Forecast

Amazon Forecast (service prefix: forecast) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.

Topics
• Actions defined by Amazon Forecast (p. 809)
• Resource types defined by Amazon Forecast (p. 813)
• Condition keys for Amazon Forecast (p. 814)

Actions defined by Amazon Forecast


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If a resource type is optional (not indicated as required),
you can use it without also specifying the other optional types.
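
The rules in the paragraph above (an empty Resource types column means Resource must be "*", a required
type means the statement must carry an ARN of that type, and a tag condition key only works on the actions
and resource types that list it) are mechanical enough to check automatically. The Python below is an
added example, not part of this reference or of any AWS tool: it encodes a handful of rows from the Amazon
Forecast actions and resource types tables in this section and lints IAM statements against them. The same
paragraph appears in the Fleet Hub and Amazon Fraud Detector sections, and the checker applies unchanged to
their tables once their rows are encoded. The account ID, resource names, tag values and function names in
the sample statements are constructed for the example.

```python
"""Lint IAM statements against the resource-type and condition-key rules above.

Added example, not part of the Service Authorization Reference or of any AWS
tool. A few rows of the Amazon Forecast actions and resource types tables are
encoded by hand; the checks are the three rules the text states.
"""
import re

# From "Resource types defined by Amazon Forecast":
# resource type -> (ARN pattern, condition keys the resource type supports).
RESOURCE_TYPES = {
    "dataset": ("arn:${Partition}:forecast:${Region}:${Account}:dataset/${ResourceId}",
                {"aws:ResourceTag/${TagKey}"}),
    "datasetGroup": ("arn:${Partition}:forecast:${Region}:${Account}:dataset-group/${ResourceId}",
                     {"aws:ResourceTag/${TagKey}"}),
    "forecast": ("arn:${Partition}:forecast:${Region}:${Account}:forecast/${ResourceId}",
                 {"aws:ResourceTag/${TagKey}"}),
    "predictor": ("arn:${Partition}:forecast:${Region}:${Account}:predictor/${ResourceId}",
                  {"aws:ResourceTag/${TagKey}"}),
    "algorithm": ("arn:${Partition}:forecast:::algorithm/${ResourceId}", set()),
}

TAGGING_KEYS = frozenset({"aws:RequestTag/${TagKey}", "aws:TagKeys"})
ALL_TAGGABLE = frozenset({"dataset", "datasetGroup", "forecast", "predictor"})

# From "Actions defined by Amazon Forecast":
# action -> (required resource types, optional resource types, action-level condition keys).
ACTIONS = {
    "forecast:CreateForecast": ({"predictor"}, set(), TAGGING_KEYS),
    "forecast:DeleteForecast": ({"forecast"}, set(), frozenset()),
    "forecast:QueryForecast": ({"forecast"}, set(), frozenset()),
    "forecast:UpdateDatasetGroup": ({"dataset", "datasetGroup"}, set(), frozenset()),
    "forecast:ListForecasts": (set(), set(), frozenset()),
    "forecast:ListTagsForResource": (set(), ALL_TAGGABLE, frozenset()),
    "forecast:TagResource": (set(), ALL_TAGGABLE, TAGGING_KEYS),
}


def _pattern_regex(pattern):
    """Turn a table ARN pattern into a regex; each ${...} field may be empty."""
    literals = re.split(r"\$\{[^}]+\}", pattern)
    return re.compile("^" + r"[^:]*".join(re.escape(part) for part in literals) + "$")


def matches_type(arn, rtype):
    """True if a policy ARN is of the given table resource type. IAM wildcards are
    replaced by a placeholder before matching, so arn:aws:forecast:*:*:forecast/*
    counts as a forecast ARN. A bare "*" matches every type; a service-wide
    arn:aws:forecast:*:*:* is deliberately reported as matching no type."""
    if arn == "*":
        return True
    probe = re.sub(r"[*?]", "x", arn)
    return bool(_pattern_regex(RESOURCE_TYPES[rtype][0]).match(probe))


def _key_family(key):
    """Map aws:RequestTag/team to the table's aws:RequestTag/${TagKey} form."""
    return re.sub(r"^(aws:(?:RequestTag|ResourceTag)/).+$", r"\1${TagKey}", key)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def check_statement(statement):
    """Return findings for one statement; an empty list means it follows the table."""
    findings = []
    resources = _as_list(statement.get("Resource", []))
    cond_keys = {_key_family(k) for block in statement.get("Condition", {}).values() for k in block}
    for action in _as_list(statement.get("Action", [])):
        if action not in ACTIONS:
            findings.append(f"{action}: not in the encoded table (wildcards are not expanded)")
            continue
        required, optional, action_keys = ACTIONS[action]
        if not required and not optional and resources != ["*"]:
            findings.append(f'{action}: supports no resource types, so Resource must be "*"')
        for rtype in sorted(required):
            if not any(matches_type(r, rtype) for r in resources):
                findings.append(f"{action}: requires a {rtype} ARN but none is listed")
        allowed = set(action_keys)  # keys from the action row plus those of its resource types
        for rtype in required | optional:
            allowed |= RESOURCE_TYPES[rtype][1]
        for key in sorted(cond_keys):
            if key.startswith(("aws:RequestTag/", "aws:ResourceTag/", "aws:TagKeys")) and key not in allowed:
                findings.append(f"{action}: condition key {key} is not supported by this action")
    return findings


# Constructed sample statements; the account ID and resource names are invented.
ACCOUNT = "111122223333"
GOOD = {
    "Effect": "Allow",
    "Action": ["forecast:CreateForecast", "forecast:QueryForecast"],
    "Resource": [f"arn:aws:forecast:us-east-1:{ACCOUNT}:predictor/*",
                 f"arn:aws:forecast:us-east-1:{ACCOUNT}:forecast/*"],
}
BAD = {
    "Effect": "Allow",
    "Action": ["forecast:ListForecasts", "forecast:DeleteForecast"],
    "Resource": f"arn:aws:forecast:us-east-1:{ACCOUNT}:predictor/*",
    "Condition": {"StringEquals": {"aws:RequestTag/team": "demand-planning"}},
}
HALF_UPDATE = {
    "Effect": "Allow",
    "Action": "forecast:UpdateDatasetGroup",
    "Resource": f"arn:aws:forecast:us-east-1:{ACCOUNT}:dataset-group/sales",
}

if __name__ == "__main__":
    for name, stmt in (("GOOD", GOOD), ("BAD", BAD), ("HALF_UPDATE", HALF_UPDATE)):
        print(name, check_statement(stmt) or ["ok"])
```

BAD produces four findings: ListForecasts needs Resource "*", DeleteForecast gets no forecast ARN, and the
aws:RequestTag condition is unsupported for both actions. The last point is the one that bites in practice:
a condition key that an action never places in the request context can never match, so an Allow that
carries it silently grants nothing for that action instead of failing at policy creation time.
HALF_UPDATE shows the multi-required case from the UpdateDatasetGroup row, which needs both a dataset and
a datasetGroup ARN.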

For details about the columns in the following table, see The actions table (p. 1).

Each entry below lists the action's description, access level, resource types (* marks a required type),
condition keys, and dependent actions; columns that are empty for an action are omitted.

CreateDataset
  Grants permission to create a dataset
  Access level: Write
  Resource types: dataset* (p. 814)
  Condition keys: aws:RequestTag/${TagKey} (p. 814), aws:TagKeys (p. 814)

CreateDatasetGroup
  Grants permission to create a dataset group
  Access level: Write
  Resource types: datasetGroup* (p. 814)
  Condition keys: aws:RequestTag/${TagKey} (p. 814), aws:TagKeys (p. 814)

CreateDatasetImportJob
  Grants permission to create a dataset import job
  Access level: Write
  Resource types: datasetImportJob* (p. 814)
  Condition keys: aws:RequestTag/${TagKey} (p. 814), aws:TagKeys (p. 814)

CreateForecast
  Grants permission to create a forecast
  Access level: Write
  Resource types: predictor* (p. 814)
  Condition keys: aws:RequestTag/${TagKey} (p. 814), aws:TagKeys (p. 814)

CreateForecastExportJob
  Grants permission to create a forecast export job using a forecast resource
  Access level: Write
  Resource types: forecast* (p. 814)
  Condition keys: aws:RequestTag/${TagKey} (p. 814), aws:TagKeys (p. 814)

CreatePredictor
  Grants permission to create a predictor
  Access level: Write
  Resource types: datasetGroup* (p. 814)
  Condition keys: aws:RequestTag/${TagKey} (p. 814), aws:TagKeys (p. 814)

CreatePredictorBacktestExportJob
  Grants permission to create a predictor backtest export job using a predictor
  Access level: Write
  Resource types: predictor* (p. 814)
  Condition keys: aws:RequestTag/${TagKey} (p. 814), aws:TagKeys (p. 814)

DeleteDataset
  Grants permission to delete a dataset
  Access level: Write
  Resource types: dataset* (p. 814)

DeleteDatasetGroup
  Grants permission to delete a dataset group
  Access level: Write
  Resource types: datasetGroup* (p. 814)

DeleteDatasetImportJob
  Grants permission to delete a dataset import job
  Access level: Write
  Resource types: datasetImportJob* (p. 814)

DeleteForecast
  Grants permission to delete a forecast
  Access level: Write
  Resource types: forecast* (p. 814)

DeleteForecastExportJob
  Grants permission to delete a forecast export job
  Access level: Write
  Resource types: forecastExport* (p. 814)

DeletePredictor
  Grants permission to delete a predictor
  Access level: Write
  Resource types: predictor* (p. 814)

DeletePredictorBacktestExportJob
  Grants permission to delete a predictor backtest export job
  Access level: Write
  Resource types: predictorBacktestExportJob* (p. 814)

DescribeDataset
  Grants permission to describe a dataset
  Access level: Read
  Resource types: dataset* (p. 814)

DescribeDatasetGroup
  Grants permission to describe a dataset group
  Access level: Read
  Resource types: datasetGroup* (p. 814)

DescribeDatasetImportJob
  Grants permission to describe a dataset import job
  Access level: Read
  Resource types: datasetImportJob* (p. 814)

DescribeForecast
  Grants permission to describe a forecast
  Access level: Read
  Resource types: forecast* (p. 814)

DescribeForecastExportJob
  Grants permission to describe a forecast export job
  Access level: Read
  Resource types: forecastExport* (p. 814)

DescribePredictor
  Grants permission to describe a predictor
  Access level: Read
  Resource types: predictor* (p. 814)

DescribePredictorBacktestExportJob
  Grants permission to describe a predictor backtest export job
  Access level: Read
  Resource types: predictorBacktestExportJob* (p. 814)

GetAccuracyMetrics
  Grants permission to get the Accuracy Metrics for a predictor
  Access level: Read
  Resource types: predictor* (p. 814)

ListDatasetGroups
  Grants permission to list all the dataset groups
  Access level: List

ListDatasetImportJobs
  Grants permission to list all the dataset import jobs
  Access level: List

ListDatasets
  Grants permission to list all the datasets
  Access level: List

ListForecastExportJobs
  Grants permission to list all the forecast export jobs
  Access level: List

ListForecasts
  Grants permission to list all the forecasts
  Access level: List

ListPredictorBacktestExportJobs
  Grants permission to list all the predictor backtest export jobs
  Access level: List

ListPredictors
  Grants permission to list all the predictors
  Access level: List

ListTagsForResource
  Grants permission to list the tags for an Amazon Forecast resource
  Access level: List
  Resource types: dataset, datasetGroup, datasetImportJob, forecast, forecastExport, predictor, predictorBacktestExportJob (p. 814)

QueryForecast
  Grants permission to retrieve a forecast for a single item
  Access level: Read
  Resource types: forecast* (p. 814)

TagResource
  Grants permission to associate the specified tags to a resource
  Access level: Tagging
  Resource types: dataset, datasetGroup, datasetImportJob, forecast, forecastExport, predictor, predictorBacktestExportJob (p. 814)
  Condition keys: aws:RequestTag/${TagKey} (p. 814), aws:TagKeys (p. 814)

UntagResource
  Grants permission to delete the specified tags for a resource
  Access level: Tagging
  Resource types: dataset, datasetGroup, datasetImportJob, forecast, forecastExport, predictor, predictorBacktestExportJob (p. 814)
  Condition keys: aws:TagKeys (p. 814)

UpdateDatasetGroup
  Grants permission to update a dataset group
  Access level: Write
  Resource types: dataset* (p. 814), datasetGroup* (p. 814)

Resource types defined by Amazon Forecast


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 809) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).


dataset
  ARN: arn:${Partition}:forecast:${Region}:${Account}:dataset/${ResourceId}
  Condition keys: aws:ResourceTag/${TagKey} (p. 814)

datasetGroup
  ARN: arn:${Partition}:forecast:${Region}:${Account}:dataset-group/${ResourceId}
  Condition keys: aws:ResourceTag/${TagKey} (p. 814)

datasetImportJob
  ARN: arn:${Partition}:forecast:${Region}:${Account}:dataset-import-job/${ResourceId}
  Condition keys: aws:ResourceTag/${TagKey} (p. 814)

algorithm
  ARN: arn:${Partition}:forecast:::algorithm/${ResourceId}
  Condition keys: none

predictor
  ARN: arn:${Partition}:forecast:${Region}:${Account}:predictor/${ResourceId}
  Condition keys: aws:ResourceTag/${TagKey} (p. 814)

predictorBacktestExportJob
  ARN: arn:${Partition}:forecast:${Region}:${Account}:predictor-backtest-export-job/${ResourceId}
  Condition keys: aws:ResourceTag/${TagKey} (p. 814)

forecast
  ARN: arn:${Partition}:forecast:${Region}:${Account}:forecast/${ResourceId}
  Condition keys: aws:ResourceTag/${TagKey} (p. 814)

forecastExport
  ARN: arn:${Partition}:forecast:${Region}:${Account}:forecast-export-job/${ResourceId}
  Condition keys: aws:ResourceTag/${TagKey} (p. 814)

Condition keys for Amazon Forecast


Amazon Forecast defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

aws:RequestTag/${TagKey} (String)
  Filters actions based on the tags that are passed in the request

aws:ResourceTag/${TagKey} (String)
  Filters actions based on the tags associated with the resource

aws:TagKeys (String)
  Filters actions based on the tag keys that are passed in the request

Actions, resources, and condition keys for Amazon Fraud Detector

Amazon Fraud Detector (service prefix: frauddetector) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.


References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Fraud Detector (p. 815)
• Resource types defined by Amazon Fraud Detector (p. 826)
• Condition keys for Amazon Fraud Detector (p. 827)

Actions defined by Amazon Fraud Detector


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*).
If you specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If a resource type is optional (not indicated as required),
you can use it without also specifying the other optional types.

For details about the columns in the following table, see The actions table (p. 1).

Each entry below lists the action's description, access level, resource types (* marks a required type),
condition keys, and dependent actions; columns that are empty for an action are omitted.

BatchCreateVariable
  Creates a batch of variables.
  Access level: Write
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

BatchGetVariable
  Gets a batch of variables.
  Access level: List
  Resource types: variable (p. 826)

CreateDetectorVersion
  Creates a detector version. The detector version starts in a DRAFT status.
  Access level: Write
  Resource types: detector* (p. 826)
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

CreateModel
  Creates a model using the specified model type.
  Access level: Write
  Resource types: model* (p. 826)
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

CreateModelVersion
  Creates a version of the model using the specified model type and model id.
  Access level: Write
  Resource types: model* (p. 826)
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

CreateRule
  Creates a rule for use with the specified detector.
  Access level: Write
  Resource types: detector* (p. 826)
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

CreateVariable
  Creates a variable.
  Access level: Write
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

DeleteDetector
  Deletes the detector. Before deleting a detector, you must first delete all detector versions and rule versions associated with the detector.
  Access level: Write
  Resource types: detector* (p. 826)

DeleteDetectorVersion
  Deletes the detector version. You cannot delete detector versions that are in ACTIVE status.
  Access level: Write
  Resource types: detector-version* (p. 826)

DeleteEntityType
  Deletes an entity type. You cannot delete an entity type that is included in an event type.
  Access level: Write
  Resource types: entity-type* (p. 826)

DeleteEvent
  Deletes the specified event.
  Access level: Write

DeleteEventType
  Deletes an event type. You cannot delete an event type that is used in a detector or a model.
  Access level: Write
  Resource types: event-type* (p. 826)

DeleteExternalModel
  Removes a SageMaker model from Amazon Fraud Detector. You can remove an Amazon SageMaker model if it is not associated with a detector version.
  Access level: Write
  Resource types: external-model* (p. 826)

DeleteLabel
  Deletes a label. You cannot delete labels that are included in an event type in Amazon Fraud Detector. You cannot delete a label assigned to an event ID. You must first delete the relevant event ID.
  Access level: Write
  Resource types: label* (p. 826)

DeleteModel
  Deletes a model. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version.
  Access level: Write
  Resource types: model* (p. 826)

DeleteModelVersion
  Deletes a model version. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version.
  Access level: Write
  Resource types: model-version* (p. 826)

DeleteOutcome
  Deletes an outcome. You cannot delete an outcome that is used in a rule version.
  Access level: Write
  Resource types: outcome* (p. 826)

DeleteRule
  Deletes the rule. You cannot delete a rule if it is used by an ACTIVE or INACTIVE detector version.
  Access level: Write
  Resource types: rule* (p. 826)

DeleteVariable
  Deletes a variable. You cannot delete variables that are included in an event type in Amazon Fraud Detector.
  Access level: Write
  Resource types: variable* (p. 826)

DescribeDetector
  Gets all versions for a specified detector.
  Access level: Read
  Resource types: detector* (p. 826)

DescribeModelVersions
  Gets all of the model versions for the specified model type or for the specified model type and model ID. You can also get details for a single, specified model version.
  Access level: Read
  Resource types: model-version (p. 826)

GetDetectorVersion
  Gets a particular detector version.
  Access level: List
  Resource types: detector-version* (p. 826)

GetDetectors
  Gets all detectors or a single detector if a detectorId is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page of results, provide the pagination token from the GetDetectorsResponse as part of your request. A null pagination token fetches the records from the beginning.
  Access level: List
  Resource types: detector (p. 826)

GetEntityTypes
  Gets all entity types or a specific entity type if a name is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page of results, provide the pagination token from the GetEntityTypesResponse as part of your request. A null pagination token fetches the records from the beginning.
  Access level: List
  Resource types: entity-type (p. 826)

GetEventPrediction
  Evaluates an event against a detector version. If a version ID is not provided, the detector's (ACTIVE) version is used.
  Access level: Read

GetEventTypes
  Gets all event types or a specific event type if a name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page of results, provide the pagination token from the GetEventTypesResponse as part of your request. A null pagination token fetches the records from the beginning.
  Access level: List
  Resource types: event-type (p. 826)

GetExternalModels
  Gets the details for one or more Amazon SageMaker models that have been imported into the service. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page of results, provide the pagination token from the GetExternalModelsResult as part of your request. A null pagination token fetches the records from the beginning.
  Access level: List
  Resource types: external-model (p. 826)

GetKMSEncryptionKey
  Gets the encryption key if a Key Management Service (KMS) customer master key (CMK) has been specified to be used to encrypt content in Amazon Fraud Detector.
  Access level: Read

GetLabels
  Gets all labels or a specific label if a name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 10 and 50. To get the next page of results, provide the pagination token from the GetLabelsResponse as part of your request. A null pagination token fetches the records from the beginning.
  Access level: List
  Resource types: label (p. 826)

GetModelVersion
  Gets the details of the specified model version.
  Access level: List
  Resource types: model-version* (p. 826)

GetModels
  Gets one or more models. Gets all models for the AWS account if no model type and no model id are provided. Gets all models for the AWS account and model type if the model type is specified but the model id is not provided. Gets a specific model if the (model type, model id) tuple is specified.
  Access level: List
  Resource types: model (p. 826)

GetOutcomes
  Gets one or more outcomes. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 100 records per page. If you provide a maxResults, the value must be between 50 and 100. To get the next page of results, provide the pagination token from the GetOutcomesResult as part of your request. A null pagination token fetches the records from the beginning.
  Access level: List
  Resource types: outcome (p. 826)

GetRules
  Gets all rules for a detector (paginated) if ruleId and ruleVersion are not specified. Gets all rules for the detector and the ruleId if present (paginated). Gets a specific rule if both the ruleId and the ruleVersion are specified.
  Access level: List
  Resource types: rule (p. 826)

GetVariables
  Gets all of the variables or the specific variable. This is a paginated API. Providing a null maxSizePerPage retrieves a maximum of 100 records per page. If you provide maxSizePerPage, the value must be between 50 and 100. To get the next page of results, provide a pagination token from GetVariablesResult as part of your request. A null pagination token fetches the records from the beginning.
  Access level: List
  Resource types: variable (p. 826)

ListTagsForResource
  Lists all tags associated with the resource. This is a paginated API. To get the next page of results, provide the pagination token from the response as part of your request. A null pagination token fetches the records from the beginning.
  Access level: List
  Resource types: detector, detector-version, entity-type, event-type, external-model, label, model, model-version, outcome, rule, variable (p. 826)

PutDetector
  Creates or updates a detector.
  Access level: Write
  Resource types: detector* (p. 826)
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

PutEntityType
  Creates or updates an entity type. An entity represents who is performing the event. As part of a fraud prediction, you pass the entity ID to indicate the specific entity who performed the event. An entity type classifies the entity. Example classifications include customer, merchant, or account.
  Access level: Write
  Resource types: entity-type* (p. 826)
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

PutEventType
  Creates or updates an event type. An event is a business activity that is evaluated for fraud risk. With Amazon Fraud Detector, you generate fraud predictions for events. An event type defines the structure for an event sent to Amazon Fraud Detector. This includes the variables sent as part of the event, the entity performing the event (such as a customer), and the labels that classify the event. Example event types include online payment transactions, account registrations, and authentications.
  Access level: Write
  Resource types: event-type* (p. 826)
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

PutExternalModel
  Creates or updates an Amazon SageMaker model endpoint. You can also use this action to update the configuration of the model endpoint, including the IAM role and/or the mapped variables.
  Access level: Write
  Resource types: external-model* (p. 826)
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

PutKMSEncryptionKey
  Specifies the Key Management Service (KMS) customer master key (CMK) to be used to encrypt content in Amazon Fraud Detector.
  Access level: Write

PutLabel
  Creates or updates a label. A label classifies an event as fraudulent or legitimate. Labels are associated with event types and used to train supervised machine learning models in Amazon Fraud Detector.
  Access level: Write
  Resource types: label* (p. 826)
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

PutOutcome
  Creates or updates an outcome.
  Access level: Write
  Resource types: outcome* (p. 826)
  Condition keys: aws:RequestTag/${TagKey} (p. 827), aws:TagKeys (p. 827)

TagResource
  Assigns tags to a resource.
  Access level: Tagging
  Resource types: detector, detector-version, entity-type, event-type, external-model, label, model, model-version, outcome, rule (p. 826)
823
Service Authorization Reference
Service Authorization Reference
Amazon Fraud Detector

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

variable    
(p. 826)

  aws:TagKeys  
(p. 827)

aws:RequestTag/
${TagKey}
(p. 827)

Removes tags from a resource. Tagging detector    


UntagResource (p. 826)

detector-    
version
(p. 826)

entity-    
type
(p. 826)

event-    
type
(p. 826)

external-    
model
(p. 826)

label    
(p. 826)

model    
(p. 826)

model-    
version
(p. 826)

outcome    
(p. 826)

rule    
(p. 826)

variable    
(p. 826)

  aws:TagKeys  
(p. 827)

aws:RequestTag/
${TagKey}
(p. 827)

824
Service Authorization Reference
Service Authorization Reference
Amazon Fraud Detector

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Updates a detector version. The Write detector*    


UpdateDetectorVersion
detector version attributes that (p. 826)
you can update include models,
external model endpoints,
rules, rule execution mode, and
description. You can only update
a DRAFT detector version.

Updates the detector version's Write detector-    


UpdateDetectorVersionMetadata
description. You can update version*
the metadata for any detector (p. 826)
version (DRAFT, ACTIVE, or
INACTIVE).

Updates the detector Write detector-    


UpdateDetectorVersionStatus
version’s status. You can version*
perform the following (p. 826)
promotions or demotions using
UpdateDetectorVersionStatus:
DRAFT to ACTIVE, ACTIVE to
INACTIVE, and INACTIVE to
ACTIVE.

UpdateModel Updates a model. You can Write model*    


update the description attribute (p. 826)
using this action.

Updates a model version. Write model*    


UpdateModelVersion
Updating a model version (p. 826)
retrains an existing model
version using updated training   aws:RequestTag/
 
data and produces a new minor ${TagKey}
version of the model. You can (p. 827)
update the training data set
location and data access role aws:TagKeys
attributes using this action. This (p. 827)
action creates and trains a new
minor version of the model, for
example version 1.01, 1.02, 1.03.

Updates the status of a model Write      


UpdateModelVersionStatus
version.

Updates a rule's metadata. The Write rule*    


UpdateRuleMetadata
description attribute can be (p. 826)
updated.

Updates a rule version resulting Write rule*    


UpdateRuleVersion
in a new rule version. Updates (p. 826)
a rule version resulting in a new
rule version (version 1, 2, 3 ...).

825
Service Authorization Reference
Service Authorization Reference
Amazon Fraud Detector

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:RequestTag/
 
${TagKey}
(p. 827)

aws:TagKeys
(p. 827)

Updates a variable. Write variable*    


UpdateVariable (p. 826)

Resource types defined by Amazon Fraud Detector


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 815) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
--- | --- | ---
detector | arn:${Partition}:frauddetector:${Region}:${Account}:detector/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)
detector-version | arn:${Partition}:frauddetector:${Region}:${Account}:detector-version/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)
entity-type | arn:${Partition}:frauddetector:${Region}:${Account}:entity-type/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)
external-model | arn:${Partition}:frauddetector:${Region}:${Account}:external-model/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)
event-type | arn:${Partition}:frauddetector:${Region}:${Account}:event-type/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)
label | arn:${Partition}:frauddetector:${Region}:${Account}:label/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)
model | arn:${Partition}:frauddetector:${Region}:${Account}:model/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)
model-version | arn:${Partition}:frauddetector:${Region}:${Account}:model-version/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)
outcome | arn:${Partition}:frauddetector:${Region}:${Account}:outcome/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)
rule | arn:${Partition}:frauddetector:${Region}:${Account}:rule/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)
variable | arn:${Partition}:frauddetector:${Region}:${Account}:variable/${resourcePath} | aws:ResourceTag/${TagKey} (p. 827)


Condition keys for Amazon Fraud Detector


Amazon Fraud Detector defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
--- | --- | ---
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String

Actions, resources, and condition keys for Amazon FreeRTOS

Amazon FreeRTOS (service prefix: freertos) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon FreeRTOS (p. 827)
• Resource types defined by Amazon FreeRTOS (p. 828)
• Condition keys for Amazon FreeRTOS (p. 829)

Actions defined by Amazon FreeRTOS


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
CreateSoftwareConfiguration | Creates a software configuration. | Write | configuration* (p. 829) | aws:RequestTag/${TagKey} (p. 829), aws:TagKeys (p. 829) |
DeleteSoftwareConfiguration | Deletes the software configuration. | Write | configuration* (p. 829) | |
DescribeHardwarePlatform | Describes the hardware platform. | Read | | |
DescribeSoftwareConfiguration | Describes the software configuration. | Read | configuration* (p. 829) | |
GetSoftwareURL | Gets the URL for the Amazon FreeRTOS software download. | Read | | |
GetSoftwareURLForConfiguration | Gets the URL for the Amazon FreeRTOS software download based on the configuration. | Read | | |
ListFreeRTOSVersions | Lists versions of Amazon FreeRTOS. | List | | |
ListHardwarePlatforms | Lists the hardware platforms. | List | | |
ListHardwareVendors | Lists the hardware vendors. | List | | |
ListSoftwareConfigurations | Lists the software configurations. | List | | |
UpdateSoftwareConfiguration | Updates the software configuration. | Write | configuration* (p. 829) | |

Resource types defined by Amazon FreeRTOS


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 827) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).


Resource types | ARN | Condition keys
--- | --- | ---
configuration | arn:${Partition}:freertos:${Region}:${Account}:configuration/${configurationName} | aws:ResourceTag/${TagKey} (p. 829)

Condition keys for Amazon FreeRTOS


Amazon FreeRTOS defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
--- | --- | ---
aws:RequestTag/${TagKey} | A tag key that is present in the request that the user makes to Amazon FreeRTOS. | String
aws:ResourceTag/${TagKey} | The tag key component of a tag attached to an Amazon FreeRTOS resource. | String
aws:TagKeys | The list of all the tag key names associated with the resource in the request. | String

Actions, resources, and condition keys for Amazon FSx

Amazon FSx (service prefix: fsx) provides the following service-specific resources, actions, and condition
context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon FSx (p. 829)
• Resource types defined by Amazon FSx (p. 832)
• Condition keys for Amazon FSx (p. 833)

Actions defined by Amazon FSx


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.


The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
CancelDataRepositoryTask | This action cancels a data repository task. | Write | task* (p. 833) | |
CreateBackup | This action creates a new backup. | Tagging | backup* (p. 833), file-system* (p. 833) | aws:RequestTag/${TagKey} (p. 833), aws:TagKeys (p. 833) |
CreateDataRepositoryTask | This action creates a new task. | Tagging | file-system* (p. 833), task* (p. 833) | aws:RequestTag/${TagKey} (p. 833), aws:TagKeys (p. 833) |
CreateFileSystem | This action creates a new, empty Amazon FSx file system. | Tagging | file-system* (p. 833) | aws:RequestTag/${TagKey} (p. 833), aws:TagKeys (p. 833) |
CreateFileSystemFromBackup | This action creates a new Amazon FSx file system from an existing backup. | Tagging | backup* (p. 833), file-system* (p. 833) | aws:RequestTag/${TagKey} (p. 833), aws:TagKeys (p. 833) |
DeleteBackup | This action deletes a backup, deleting its contents. After deletion, the backup no longer exists, and its data is gone. | Write | backup* (p. 833) | |
DeleteFileSystem | This action deletes a file system, deleting its contents. | Write | file-system* (p. 833) | |
DescribeBackups | This action returns the description of specific Amazon FSx backups, if one or more BackupIds are provided for that backup. Otherwise, it returns all backups owned by your AWS account in the AWS Region of the endpoint that you're calling. | Read | | |
DescribeDataRepositoryTasks | This action returns the description of specific Amazon FSx data repository tasks, if one or more TaskIds are provided for that data repository task. Otherwise, it returns all data repository tasks owned by your AWS account in the AWS Region of the endpoint that you're calling. | Read | | |
DescribeFileSystems | This action returns the description of specific Amazon FSx file systems, if a FileSystemIds value is provided for that file system. Otherwise, it returns descriptions of all file systems owned by your AWS account in the AWS Region of the endpoint that you're calling. | Read | | |
ListTagsForResource | This action lists tags for an Amazon FSx resource. | Read | backup (p. 833), file-system (p. 833), task (p. 833) | |
TagResource | This action tags an Amazon FSx resource. | Tagging | backup (p. 833), file-system (p. 833), task (p. 833) | aws:TagKeys (p. 833), aws:RequestTag/${TagKey} (p. 833) |
UntagResource | This action removes a tag from an Amazon FSx resource. | Tagging | backup (p. 833), file-system (p. 833), task (p. 833) | aws:TagKeys (p. 833) |
UpdateFileSystem | This action updates file system configuration. | Write | file-system* (p. 833) | |

Resource types defined by Amazon FSx


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 829) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).
Note
Amazon FSx for Windows File Server and Amazon FSx for Lustre share some of the same
resource types, with the same ARN format for each.


Resource types | ARN | Condition keys
--- | --- | ---
file-system | arn:${Partition}:fsx:${Region}:${Account}:file-system/* | aws:ResourceTag/${TagKey} (p. 833)
backup | arn:${Partition}:fsx:${Region}:${Account}:backup/* | aws:ResourceTag/${TagKey} (p. 833)
task | arn:${Partition}:fsx:${Region}:${Account}:task/* | aws:ResourceTag/${TagKey} (p. 833)

Condition keys for Amazon FSx


Amazon FSx defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
--- | --- | ---
aws:RequestTag/${TagKey} | | String
aws:ResourceTag/${TagKey} | | String
aws:TagKeys | | String

Actions, resources, and condition keys for Amazon GameLift

Amazon GameLift (service prefix: gamelift) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon GameLift (p. 833)
• Resource types defined by Amazon GameLift (p. 841)
• Condition keys for Amazon GameLift (p. 842)

Actions defined by Amazon GameLift


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).
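The rules in the two paragraphs above (a blank Resource types column means the statement must use "*", a listed type means the ARN must be of that type, and a service condition key applies only to the actions that list it) can be checked mechanically. The following linter is an added example, not code from the reference or from AWS; its ACTIONS and ARN_SEGMENTS tables transcribe a handful of GameLift rows from this page, and the policy statements it is run on are constructed for illustration.

```python
"""Lint IAM policy statements against the rules the actions and resource types tables encode.

Added example, not code from the AWS Service Authorization Reference. ACTIONS and
ARN_SEGMENTS transcribe a handful of GameLift rows from this page's tables; the policy
statements it is run on are constructed for illustration.
"""

TAG_KEY = "aws:RequestTag/${TagKey}"
TAG_KEYS = "aws:TagKeys"
SERVICE_KEYS = {TAG_KEY, TAG_KEYS}

# Transcribed from the GameLift actions table. An empty "resources" set means the
# Resource types column is blank for that action (no resource-level permissions).
ACTIONS = {
    "gamelift:AcceptMatch":         {"level": "Write", "resources": set(), "keys": set()},
    "gamelift:CreateFleet":         {"level": "Write", "resources": set(), "keys": SERVICE_KEYS},
    "gamelift:DeleteFleet":         {"level": "Write", "resources": {"fleet"}, "keys": set()},
    "gamelift:UpdateFleetCapacity": {"level": "Write", "resources": {"fleet"}, "keys": set()},
    "gamelift:DescribeFleetEvents": {"level": "Read", "resources": {"fleet"}, "keys": set()},
    "gamelift:TagResource":         {"level": "Tagging",
                                     "resources": {"alias", "build", "fleet", "script"},
                                     "keys": SERVICE_KEYS},
}

# Resource segment of the ARN (see the GameLift resource types table) -> resource type name.
ARN_SEGMENTS = {
    "alias": "alias", "build": "build", "script": "script", "fleet": "fleet",
    "gamesessionqueue": "gameSessionQueue", "gameservergroup": "gameServerGroup",
}


def as_list(value):
    """IAM accepts a string or a list in Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def resource_type_of(arn):
    """Return the table's resource type for an ARN, '*' for a wildcard, None if unknown."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[2] != "gamelift":
        return None
    segment = parts[5].split("/", 1)[0]
    return "*" if segment == "*" else ARN_SEGMENTS.get(segment)


def generic_key(key):
    """Map a concrete tag key such as aws:RequestTag/Team to the table's ${TagKey} form."""
    return TAG_KEY if key.lower().startswith("aws:requesttag/") else key


def lint_statement(stmt):
    """Return the findings for one policy statement; an empty list means nothing was flagged."""
    findings = []
    resources = as_list(stmt.get("Resource", []))
    condition = stmt.get("Condition", {})
    used_keys = {generic_key(k) for operands in condition.values() for k in operands}

    for action in as_list(stmt.get("Action", [])):
        spec = ACTIONS.get(action)
        if spec is None:
            findings.append(f"{action}: not in the table excerpt, skipped")
            continue

        if not spec["resources"]:
            # Blank Resource types column: Resource must be "*"; a specific ARN never matches.
            for arn in resources:
                if arn != "*":
                    findings.append(f"{action}: no resource-level permissions, Resource {arn} never matches")
        else:
            for arn in resources:
                rtype = resource_type_of(arn)
                if rtype == "*":
                    # The action supports ARNs but is allowed on everything: flag for least privilege.
                    if spec["level"] in ("Write", "Tagging") and stmt.get("Effect") == "Allow":
                        findings.append(f"{action}: accepts {sorted(spec['resources'])} ARNs but is allowed on *")
                elif rtype not in spec["resources"]:
                    findings.append(f"{action}: Resource {arn} is not one of {sorted(spec['resources'])}")

        # A service tag key this action does not list is absent from its request context,
        # so a plain StringEquals condition on that key can never be satisfied.
        for key in sorted(used_keys & SERVICE_KEYS):
            if key not in spec["keys"]:
                findings.append(f"{action}: condition key {key} is not supported by this action")
    return findings


def lint_policy(policy):
    """Lint every statement of a policy document; returns {Sid or index: findings}."""
    return {stmt.get("Sid", str(i)): lint_statement(stmt)
            for i, stmt in enumerate(as_list(policy.get("Statement", [])))}
```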

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
AcceptMatch | Registers player acceptance or rejection of a proposed FlexMatch match. | Write | | |
ClaimGameServer | Locates and reserves a game server to host a new game session. | Write | gameServerGroup* (p. 842) | |
CreateAlias | Defines a new alias for a fleet. | Write | | aws:RequestTag/${TagKey} (p. 842), aws:TagKeys (p. 842) |
CreateBuild | Creates a new game build using files stored in an Amazon S3 bucket. | Write | | aws:RequestTag/${TagKey} (p. 842), aws:TagKeys (p. 842) |
CreateFleet | Creates a new fleet of computing resources to run your game servers. | Write | | aws:RequestTag/${TagKey} (p. 842), aws:TagKeys (p. 842) |
CreateGameServerGroup | Creates a new game server group, sets up a corresponding Auto Scaling group, and launches instances to host game servers. | Write | | aws:RequestTag/${TagKey} (p. 842), aws:TagKeys (p. 842) |
CreateGameSession | Starts a new game session on a specified fleet. | Write | | |
CreateGameSessionQueue | Sets up a new queue for processing new game session placement requests. | Write | | aws:RequestTag/${TagKey} (p. 842), aws:TagKeys (p. 842) |
CreateMatchmakingConfiguration | Creates a new FlexMatch matchmaker. | Write | | aws:RequestTag/${TagKey} (p. 842), aws:TagKeys (p. 842) |
CreateMatchmakingRuleSet | Creates a new matchmaking rule set for FlexMatch. | Write | | aws:RequestTag/${TagKey} (p. 842), aws:TagKeys (p. 842) |
CreatePlayerSession | Reserves an available game session slot for a player. | Write | | |
CreatePlayerSessions | Reserves available game session slots for multiple players. | Write | | |
CreateScript | Creates a new Realtime Servers script. | Write | | aws:RequestTag/${TagKey} (p. 842), aws:TagKeys (p. 842) |
CreateVpcPeeringAuthorization | Allows GameLift to create or delete a peering connection between a GameLift fleet VPC and a VPC on another AWS account. | Write | | |
CreateVpcPeeringConnection | Establishes a peering connection between your GameLift fleet VPC and a VPC on another account. | Write | | |
DeleteAlias | Deletes an alias. | Write | alias* (p. 841) | |
DeleteBuild | Deletes a game build. | Write | build* (p. 841) | |
DeleteFleet | Deletes an empty fleet. | Write | fleet* (p. 842) | |
DeleteGameServerGroup | Permanently deletes a game server group and terminates FleetIQ activity for the corresponding Auto Scaling group. | Write | gameServerGroup* (p. 842) | |
DeleteGameSessionQueue | Deletes an existing game session queue. | Write | gameSessionQueue* (p. 842) | |
DeleteMatchmakingConfiguration | Deletes an existing FlexMatch matchmaker. | Write | matchmakingConfiguration* (p. 842) | |
DeleteMatchmakingRuleSet | Deletes an existing FlexMatch matchmaking rule set. | Write | matchmakingRuleSet* (p. 842) | |
DeleteScalingPolicy | Deletes a set of auto-scaling rules. | Write | fleet* (p. 842) | |
DeleteScript | Deletes a Realtime Servers script. | Write | script* (p. 841) | |
DeleteVpcPeeringAuthorization | Cancels a VPC peering authorization. | Write | | |
DeleteVpcPeeringConnection | Removes a peering connection between VPCs. | Write | | |
DeregisterGameServer | Removes a game server from a game server group. | Write | gameServerGroup* (p. 842) | |
DescribeAlias | Retrieves properties for an alias. | Read | alias* (p. 841) | |
DescribeBuild | Retrieves properties for a game build. | Read | build* (p. 841) | |
DescribeEC2InstanceLimits | Retrieves the maximum allowed and current usage for EC2 instance types. | Read | | |
DescribeFleetAttributes | Retrieves general properties, including status, for fleets. | Read | | |
DescribeFleetCapacity | Retrieves the current capacity setting for fleets. | Read | | |
DescribeFleetEvents | Retrieves entries from a fleet's event log. | Read | fleet* (p. 842) | |
DescribeFleetPortSettings | Retrieves the inbound connection permissions for a fleet. | Read | fleet* (p. 842) | |
DescribeFleetUtilization | Retrieves utilization statistics for fleets. | Read | | |
DescribeGameServer | Retrieves properties for a game server. | Read | gameServerGroup* (p. 842) | |
DescribeGameServerGroup | Retrieves properties for a game server group. | Read | gameServerGroup* (p. 842) | |
DescribeGameServerInstances | Retrieves the status of EC2 instances in a game server group. | Read | gameServerGroup* (p. 842) | |
DescribeGameSessionDetails | Retrieves properties for game sessions in a fleet, including the protection policy. | Read | | |
DescribeGameSessionPlacement | Retrieves details of a game session placement request. | Read | | |
DescribeGameSessionQueues | Retrieves properties for game session queues. | Read | | |
DescribeGameSessions | Retrieves properties for game sessions in a fleet. | Read | | |
DescribeInstances | Retrieves information about instances in a fleet. | Read | fleet* (p. 842) | |
DescribeMatchmaking | Retrieves details of matchmaking tickets. | Read | | |
DescribeMatchmakingConfigurations | Retrieves properties for FlexMatch matchmakers. | Read | | |
DescribeMatchmakingRuleSets | Retrieves properties for FlexMatch matchmaking rule sets. | Read | | |
DescribePlayerSessions | Retrieves properties for player sessions in a game session. | Read | | |
DescribeRuntimeConfiguration | Retrieves the current runtime configuration for a fleet. | Read | fleet* (p. 842) | |
DescribeScalingPolicies | Retrieves all scaling policies that are applied to a fleet. | Read | fleet* (p. 842) | |
DescribeScript | Retrieves properties for a Realtime Servers script. | Read | script* (p. 841) | |
DescribeVpcPeeringAuthorizations | Retrieves valid VPC peering authorizations. | Read | | |
DescribeVpcPeeringConnections | Retrieves details on active or pending VPC peering connections. | Read | | |
GetGameSessionLogUrl | Retrieves the location of stored logs for a game session. | Read | | |
GetInstanceAccess | Requests remote access to a specified fleet instance. | Read | fleet* (p. 842) | |
ListAliases | Retrieves all aliases that are defined in the current region. | List | | |
ListBuilds | Retrieves all game builds in the current region. | List | | |
ListFleets | Retrieves a list of fleet IDs for all fleets in the current region. | List | | |
ListGameServerGroups | Retrieves all game server groups that are defined in the current region. | List | | |
ListGameServers | Retrieves all game servers that are currently running in a game server group. | List | gameServerGroup* (p. 842) | |
ListScripts | Retrieves properties for all Realtime Servers scripts in the current region. | List | | |
ListTagsForResource | Lists tags for GameLift resources. | List | alias (p. 841), build (p. 841), fleet (p. 842), gameServerGroup (p. 842), gameSessionQueue (p. 842), matchmakingConfiguration (p. 842), matchmakingRuleSet (p. 842), script (p. 841) | |
PutScalingPolicy | Creates or updates a fleet auto-scaling policy. | Write | fleet* (p. 842) | |
RegisterGameServer | Notifies GameLift FleetIQ when a new game server is ready to host gameplay. | Write | gameServerGroup* (p. 842) | |
RequestUploadCredentials | Retrieves fresh upload credentials to use when uploading a new game build. | Read | build* (p. 841) | |
ResolveAlias | Retrieves the fleet ID associated with an alias. | Read | alias* (p. 841) | |
ResumeGameServerGroup | Reinstates suspended FleetIQ activity for a game server group. | Write | gameServerGroup* (p. 842) | |
SearchGameSessions | Retrieves game sessions that match a set of search criteria. | Read | | |
StartFleetActions | Resumes auto-scaling activity on a fleet after it was suspended with StopFleetActions(). | Write | fleet* (p. 842) | |
StartGameSessionPlacement | Sends a game session placement request to a game session queue. | Write | gameSessionQueue* (p. 842) | |
StartMatchBackfill | Requests FlexMatch matchmaking to fill available player slots in an existing game session. | Write | | |
StartMatchmaking | Requests FlexMatch matchmaking for one or a group of players and game session placement for a resulting match. | Write | | |
StopFleetActions | Suspends auto-scaling activity on a fleet. | Write | fleet* (p. 842) | |
StopGameSessionPlacement | Cancels a game session placement request that is in progress. | Write | | |
StopMatchmaking | Cancels a matchmaking or match backfill request that is in progress. | Write | | |
SuspendGameServerGroup | Temporarily stops FleetIQ activity for a game server group. | Write | gameServerGroup* (p. 842) | |
TagResource | Tags GameLift resources. | Tagging | alias (p. 841), build (p. 841), fleet (p. 842), gameServerGroup (p. 842), gameSessionQueue (p. 842), matchmakingConfiguration (p. 842), matchmakingRuleSet (p. 842), script (p. 841) | aws:RequestTag/${TagKey} (p. 842), aws:TagKeys (p. 842) |
UntagResource | Untags GameLift resources. | Tagging | alias (p. 841), build (p. 841), fleet (p. 842), gameServerGroup (p. 842), gameSessionQueue (p. 842), matchmakingConfiguration (p. 842), matchmakingRuleSet (p. 842), script (p. 841) | aws:TagKeys (p. 842) |
UpdateAlias | Updates the properties of an existing alias. | Write | alias* (p. 841) | |
UpdateBuild | Updates an existing build's metadata. | Write | build* (p. 841) | |
UpdateFleetAttributes | Updates the general properties of an existing fleet. | Write | fleet* (p. 842) | |
UpdateFleetCapacity | Adjusts a fleet's capacity settings. | Write | fleet* (p. 842) | |
UpdateFleetPortSettings | Adjusts a fleet's port settings. | Write | fleet* (p. 842) | |
UpdateGameServer | Changes game server properties, health status, or utilization status. | Write | gameServerGroup* (p. 842) | |
UpdateGameServerGroup | Updates properties for a game server group, including allowed instance types. | Write | gameServerGroup* (p. 842) | |
UpdateGameSession | Updates the properties of an existing game session. | Write | | |
UpdateGameSessionQueue | Updates properties of an existing game session queue. | Write | gameSessionQueue* (p. 842) | |
UpdateMatchmakingConfiguration | Updates properties of an existing FlexMatch matchmaking configuration. | Write | matchmakingConfiguration* (p. 842) | |
UpdateRuntimeConfiguration | Updates how server processes are configured on instances in an existing fleet. | Write | fleet* (p. 842) | |
UpdateScript | Updates the metadata and content of an existing Realtime Servers script. | Write | script* (p. 841) | |
ValidateMatchmakingRuleSet | Validates the syntax of a FlexMatch matchmaking rule set. | Read | | |

Resource types defined by Amazon GameLift


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 833) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
alias | arn:${Partition}:gamelift:${Region}::alias/${AliasId} | aws:ResourceTag/${TagKey} (p. 842)
build | arn:${Partition}:gamelift:${Region}:${AccountId}:build/${BuildId} | aws:ResourceTag/${TagKey} (p. 842)
script | arn:${Partition}:gamelift:${Region}:${AccountId}:script/${ScriptId} | aws:ResourceTag/${TagKey} (p. 842)
fleet | arn:${Partition}:gamelift:${Region}:${Account}:fleet/${FleetId} | aws:ResourceTag/${TagKey} (p. 842)
gameSessionQueue | arn:${Partition}:gamelift:${Region}:${Account}:gamesessionqueue/${GameSessionQueueName} | aws:ResourceTag/${TagKey} (p. 842)
matchmakingConfiguration | arn:${Partition}:gamelift:${Region}:${Account}:matchmakingconfiguration/${MatchmakingConfigurationName} | aws:ResourceTag/${TagKey} (p. 842)
matchmakingRuleSet | arn:${Partition}:gamelift:${Region}:${Account}:matchmakingruleset/${MatchmakingRuleSetName} | aws:ResourceTag/${TagKey} (p. 842)
gameServerGroup | arn:${Partition}:gamelift:${Region}:${Account}:gameservergroup/${GameServerGroupName} | aws:ResourceTag/${TagKey} (p. 842)

Condition keys for Amazon GameLift


Amazon GameLift defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String

Actions, resources, and condition keys for Amazon Glacier

Amazon Glacier (service prefix: glacier) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Glacier (p. 843)
• Resource types defined by Amazon Glacier (p. 845)
• Condition keys for Amazon Glacier (p. 846)

Actions defined by Amazon Glacier


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AbortMultipartUpload | Aborts a multipart upload identified by the upload ID | Write | vault* (p. 845) | |
AbortVaultLock | Aborts the vault locking process if the vault lock is not in the Locked state | Permissions management | vault* (p. 845) | |
AddTagsToVault | Adds the specified tags to a vault | Tagging | vault* (p. 845) | |
CompleteMultipartUpload | Completes a multipart upload process | Write | vault* (p. 845) | |
CompleteVaultLock | Completes the vault locking process | Permissions management | vault* (p. 845) | |
CreateVault | Creates a new vault with the specified name | Write | vault* (p. 845) | |
DeleteArchive | Deletes an archive from a vault | Write | vault* (p. 845) | glacier:ArchiveAgeInDays (p. 846) |
DeleteVault | Deletes a vault | Write | vault* (p. 845) | |
DeleteVaultAccessPolicy | Deletes the access policy associated with the specified vault | Permissions management | vault* (p. 845) | |
DeleteVaultNotifications | Deletes the notification configuration set for a vault | Write | vault* (p. 845) | |
DescribeJob | Returns information about a job you previously initiated | Read | vault* (p. 845) | |
DescribeVault | Returns information about a vault | Read | vault* (p. 845) | |
GetDataRetrievalPolicy | Returns the current data retrieval policy for the account and region specified in the GET request | Read | | |
GetJobOutput | Downloads the output of the job you initiated | Read | vault* (p. 845) | |
GetVaultAccessPolicy | Retrieves the access-policy subresource set on the vault | Read | vault* (p. 845) | |
GetVaultLock | Retrieves attributes from the lock-policy subresource set on the specified vault | Read | vault* (p. 845) | |
GetVaultNotifications | Retrieves the notification-configuration subresource set on the vault | Read | vault* (p. 845) | |
InitiateJob | Initiates a job of the specified type | Write | vault* (p. 845) | glacier:ArchiveAgeInDays (p. 846) |
InitiateMultipartUpload | Initiates a multipart upload | Write | vault* (p. 845) | |
InitiateVaultLock | Initiates the vault locking process | Permissions management | vault* (p. 845) | |
ListJobs | Lists jobs for a vault that are in-progress and jobs that have recently finished | List | vault* (p. 845) | |
ListMultipartUploads | Lists in-progress multipart uploads for the specified vault | List | vault* (p. 845) | |
ListParts | Lists the parts of an archive that have been uploaded in a specific multipart upload | List | vault* (p. 845) | |
ListProvisionedCapacity | This operation lists the provisioned capacity for the specified AWS account. | List | | |
ListTagsForVault | Lists all the tags attached to a vault | List | vault* (p. 845) | |
ListVaults | Lists all vaults | List | | |
PurchaseProvisionedCapacity | This operation purchases a provisioned capacity unit for an AWS account. | Write | | |
RemoveTagsFromVault | Removes one or more tags from the set of tags attached to a vault | Tagging | vault* (p. 845) | |
SetDataRetrievalPolicy | Sets and then enacts a data retrieval policy in the region specified in the PUT request | Permissions management | | |
SetVaultAccessPolicy | Configures an access policy for a vault and will overwrite an existing policy | Permissions management | vault* (p. 845) | |
SetVaultNotifications | Configures vault notifications | Write | vault* (p. 845) | |
UploadArchive | Adds an archive to a vault | Write | vault* (p. 845) | |
UploadMultipartPart | Uploads a part of an archive | Write | vault* (p. 845) | |

Resource types defined by Amazon Glacier


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 843) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
vault | arn:${Partition}:glacier:${Region}:${Account}:vaults/${VaultName} |

Condition keys for Amazon Glacier


Amazon Glacier defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
glacier:ArchiveAgeInDays | How long an archive has been stored in the vault, in days. | String
glacier:ResourceTag/ | A customer-defined tag. | String

Actions, resources, and condition keys for AWS Global Accelerator

AWS Global Accelerator (service prefix: globalaccelerator) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Global Accelerator (p. 846)
• Resource types defined by AWS Global Accelerator (p. 850)
• Condition keys for AWS Global Accelerator (p. 851)

Actions defined by AWS Global Accelerator


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddCustomRoutingEndpoints | Grants permission to add a virtual private cloud (VPC) subnet endpoint to a custom routing accelerator endpoint group. | Write | endpointgroup* (p. 851) | |
AdvertiseByoipCidr | Grants permission to advertise an IPv4 address range that is provisioned for use with your accelerator through bring your own IP addresses (BYOIP). | Write | | |
AllowCustomRoutingTraffic | Grants permission to allow custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet. | Write | endpointgroup* (p. 851) | |
CreateAccelerator | Grants permission to create a standard accelerator. | Write | | aws:RequestTag/${TagKey} (p. 851), aws:TagKeys (p. 851) |
CreateCustomRoutingAccelerator | Grants permission to create a custom routing accelerator. | Write | | aws:RequestTag/${TagKey} (p. 851), aws:TagKeys (p. 851) |
CreateCustomRoutingEndpointGroup | Grants permission to create an endpoint group for the specified listener for a custom routing accelerator. | Write | listener* (p. 851) | |
CreateCustomRoutingListener | Grants permission to create a listener to process inbound connections from clients to a custom routing accelerator. | Write | accelerator* (p. 851) | |
CreateEndpointGroup | Grants permission to add an endpoint group to a standard accelerator listener. | Write | listener* (p. 851) | |
CreateListener | Grants permission to add a listener to a standard accelerator. | Write | accelerator* (p. 851) | |
DeleteAccelerator | Grants permission to delete a standard accelerator. | Write | accelerator* (p. 851) | |
DeleteCustomRoutingAccelerator | Grants permission to delete a custom routing accelerator. | Write | accelerator* (p. 851) | |
DeleteCustomRoutingEndpointGroup | Grants permission to delete an endpoint group from a listener for a custom routing accelerator. | Write | endpointgroup* (p. 851) | |
DeleteCustomRoutingListener | Grants permission to delete a listener for a custom routing accelerator. | Write | listener* (p. 851) | |
DeleteEndpointGroup | Grants permission to delete an endpoint group associated with a standard accelerator listener. | Write | endpointgroup* (p. 851) | |
DeleteListener | Grants permission to delete a listener from a standard accelerator. | Write | listener* (p. 851) | |
DenyCustomRoutingTraffic | Grants permission to disallow custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet. | Write | endpointgroup* (p. 851) | |
DeprovisionByoipCidr | Grants permission to release the specified address range that you provisioned for use with your accelerator through bring your own IP addresses (BYOIP). | Write | | |
DescribeAccelerator | Grants permission to describe a standard accelerator. | Read | accelerator* (p. 851) | |
DescribeAcceleratorAttributes | Grants permission to describe the attributes of a standard accelerator. | Read | accelerator* (p. 851) | |
DescribeCustomRoutingAccelerator | Grants permission to describe a custom routing accelerator. | Read | accelerator* (p. 851) | |
DescribeCustomRoutingAcceleratorAttributes | Grants permission to describe the attributes of a custom routing accelerator. | Read | accelerator* (p. 851) | |
DescribeCustomRoutingEndpointGroup | Grants permission to describe an endpoint group for a custom routing accelerator. | Read | endpointgroup* (p. 851) | |
DescribeCustomRoutingListener | Grants permission to describe a listener for a custom routing accelerator. | Read | listener* (p. 851) | |
DescribeEndpointGroup | Grants permission to describe a standard accelerator endpoint group. | Read | endpointgroup* (p. 851) | |
DescribeListener | Grants permission to describe a standard accelerator listener. | Read | listener* (p. 851) | |
ListAccelerators | Grants permission to list all standard accelerators. | List | | |
ListByoipCidrs | Grants permission to list the BYOIP CIDRs. | List | | |
ListCustomRoutingAccelerators | Grants permission to list the custom routing accelerators for an AWS account. | List | | |
ListCustomRoutingEndpointGroups | Grants permission to list the endpoint groups that are associated with a listener for a custom routing accelerator. | List | listener* (p. 851) | |
ListCustomRoutingListeners | Grants permission to list the listeners for a custom routing accelerator. | List | accelerator* (p. 851) | |
ListCustomRoutingPortMappings | Grants permission to list the port mappings for a custom routing accelerator. | List | accelerator* (p. 851) | |
ListCustomRoutingPortMappingsByDestination | Grants permission to list the port mappings for a specific endpoint IP address (a destination address) in a subnet. | List | | |
ListEndpointGroups | Grants permission to list all endpoint groups associated with a standard accelerator listener. | List | listener* (p. 851) | |
ListListeners | Grants permission to list all listeners associated with a standard accelerator. | List | accelerator* (p. 851) | |
ListTagsForResource | Grants permission to list tags for a globalaccelerator resource. | Read | accelerator (p. 851) | |
ProvisionByoipCidr | Grants permission to provision an address range for use with your accelerator through bring your own IP addresses (BYOIP). | Write | | |
RemoveCustomRoutingEndpoints | Grants permission to remove virtual private cloud (VPC) subnet endpoints from a custom routing accelerator endpoint group. | Write | endpointgroup* (p. 851) | |
TagResource | Grants permission to add tags to a globalaccelerator resource. | Tagging | accelerator (p. 851) | aws:RequestTag/${TagKey} (p. 851), aws:TagKeys (p. 851) |
UntagResource | Grants permission to remove tags from a globalaccelerator resource. | Tagging | accelerator (p. 851) | aws:TagKeys (p. 851) |
UpdateAccelerator | Grants permission to update a standard accelerator. | Write | accelerator* (p. 851) | |
UpdateAcceleratorAttributes | Grants permission to update the attributes of a standard accelerator. | Write | accelerator* (p. 851) | |
UpdateCustomRoutingAccelerator | Grants permission to update a custom routing accelerator. | Write | accelerator* (p. 851) | |
UpdateCustomRoutingAcceleratorAttributes | Grants permission to update the attributes for a custom routing accelerator. | Write | accelerator* (p. 851) | |
UpdateCustomRoutingListener | Grants permission to update a listener for a custom routing accelerator. | Write | listener* (p. 851) | |
UpdateEndpointGroup | Grants permission to update an endpoint group on a standard accelerator listener. | Write | endpointgroup* (p. 851) | |
UpdateListener | Grants permission to update a listener on a standard accelerator. | Write | listener* (p. 851) | |
WithdrawByoipCidr | Grants permission to stop advertising a BYOIP IPv4 address. | Write | | |

Resource types defined by AWS Global Accelerator


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 846) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
accelerator | arn:${Partition}:globalaccelerator::${Account}:accelerator/${AcceleratorId} | aws:ResourceTag/${TagKey} (p. 851)
listener | arn:${Partition}:globalaccelerator::${Account}:accelerator/${AcceleratorId}/listener/${ListenerId} | aws:ResourceTag/${TagKey} (p. 851)
endpointgroup | arn:${Partition}:globalaccelerator::${Account}:accelerator/${AcceleratorId}/listener/${ListenerId}/endpoint-group/${EndpointGroupId} | aws:ResourceTag/${TagKey} (p. 851)

Condition keys for AWS Global Accelerator


AWS Global Accelerator defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for AWS Glue


AWS Glue (service prefix: glue) provides the following service-specific resources, actions, and condition
context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Glue (p. 852)
• Resource types defined by AWS Glue (p. 865)
• Condition keys for AWS Glue (p. 866)

Actions defined by AWS Glue


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchCreatePartition | Grants permission to create one or more partitions | Write | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
BatchDeleteConnection | Grants permission to delete one or more connections | Write | catalog* (p. 865), connection* (p. 866) | |
BatchDeletePartition | Grants permission to delete one or more partitions | Write | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
BatchDeleteTable | Grants permission to delete one or more tables | Write | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
BatchDeleteTableVersion | Grants permission to delete one or more versions of a table | Write | catalog* (p. 865), database* (p. 865), table* (p. 865), tableversion* (p. 866) | |
BatchGetCrawlers | Grants permission to retrieve one or more crawlers | Read | | |
BatchGetDevEndpoints | Grants permission to retrieve one or more development endpoints | Read | | |
BatchGetJobs | Grants permission to retrieve one or more jobs | Read | | |
BatchGetPartition | Grants permission to retrieve one or more partitions | Read | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
BatchGetTriggers | Grants permission to retrieve one or more triggers | Read | | |
BatchGetWorkflows | Grants permission to retrieve one or more workflows | Read | | |
BatchStopJobRun | Grants permission to stop one or more job runs for a job | Write | | |
CancelMLTaskRun | Grants permission to stop a running ML Task Run | Write | mlTransform* (p. 866) | |
CheckSchemaVersionValidity | Grants permission to check the validity of a schema version | Read | | |
CreateClassifier | Grants permission to create a classifier | Write | | |
CreateConnection | Grants permission to create a connection | Write | catalog* (p. 865), connection* (p. 866) | |
CreateCrawler | Grants permission to create a crawler | Write | | aws:RequestTag/${TagKey} (p. 866), aws:TagKeys (p. 866) |
CreateDatabase | Grants permission to create a database | Write | catalog* (p. 865), database* (p. 865) | |
CreateDevEndpoint | Grants permission to create a development endpoint | Write | | aws:RequestTag/${TagKey} (p. 866), aws:TagKeys (p. 866) |
CreateJob | Grants permission to create a job | Write | | aws:RequestTag/${TagKey} (p. 866), aws:TagKeys (p. 866) |
CreateMLTransform | Grants permission to create an ML Transform | Write | | |
CreatePartition | Grants permission to create a partition | Write | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
CreateRegistry | Grants permission to create a new schema registry | Write | registry* (p. 866) | |
CreateSchema | Grants permission to create a new schema container | Write | registry* (p. 866), schema* (p. 866) | |
CreateScript | Grants permission to create a script | Write | | |
CreateSecurityConfiguration | Grants permission to create a security configuration | Write | | |
CreateTable | Grants permission to create a table | Write | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
CreateTrigger | Grants permission to create a trigger | Write | | aws:RequestTag/${TagKey} (p. 866), aws:TagKeys (p. 866) |
CreateUserDefinedFunction | Grants permission to create a function definition | Write | catalog* (p. 865), database* (p. 865), userdefinedfunction* (p. 866) | |
CreateWorkflow | Grants permission to create a workflow | Write | | aws:RequestTag/${TagKey} (p. 866), aws:TagKeys (p. 866) |
DeleteClassifier | Grants permission to delete a classifier | Write | | |
DeleteConnection | Grants permission to delete a connection | Write | catalog* (p. 865), connection* (p. 866) | |
DeleteCrawler | Grants permission to delete a crawler | Write | | |
DeleteDatabase | Grants permission to delete a database | Write | catalog* (p. 865), database* (p. 865) | |
DeleteDevEndpoint | Grants permission to delete a development endpoint | Write | | |
DeleteJob | Grants permission to delete a job | Write | | |
DeleteMLTransform | Grants permission to delete an ML Transform | Write | mlTransform* (p. 866) | |
DeletePartition | Grants permission to delete a partition | Write | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
DeleteRegistry | Grants permission to delete a schema registry | Write | registry* (p. 866) | |
DeleteResourcePolicy | Grants permission to delete a resource policy | Write | catalog* (p. 865) | |
DeleteSchema | Grants permission to delete a schema container | Write | registry* (p. 866), schema* (p. 866) | |
DeleteSchemaVersions | Grants permission to delete a range of schema versions | Write | registry* (p. 866), schema* (p. 866) | |
DeleteSecurityConfiguration | Grants permission to delete a security configuration | Write | | |
DeleteTable | Grants permission to delete a table | Write | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
DeleteTableVersion | Grants permission to delete a version of a table | Write | catalog* (p. 865), database* (p. 865), table* (p. 865), tableversion* (p. 866) | |
DeleteTrigger | Grants permission to delete a trigger | Write | | |
DeleteUserDefinedFunction | Grants permission to delete a function definition | Write | catalog* (p. 865), database* (p. 865), userdefinedfunction* (p. 866) | |
DeleteWorkflow | Grants permission to delete a workflow | Write | | |
GetCatalogImportStatus | Grants permission to retrieve the catalog import status | Read | catalog* (p. 865) | |
GetClassifier | Grants permission to retrieve a classifier | Read | | |
GetClassifiers | Grants permission to list all classifiers | Read | | |
GetConnection | Grants permission to retrieve a connection | Read | catalog* (p. 865), connection* (p. 866) | |
GetConnections | Grants permission to retrieve a list of connections | Read | catalog* (p. 865), connection* (p. 866) | |
GetCrawler | Grants permission to retrieve a crawler | Read | | |
GetCrawlerMetrics | Grants permission to retrieve metrics about crawlers | Read | | |
GetCrawlers | Grants permission to retrieve all crawlers | Read | | |
GetDataCatalogEncryptionSettings | Grants permission to retrieve catalog encryption settings | Read | | |
GetDatabase | Grants permission to retrieve a database | Read | catalog* (p. 865), database* (p. 865) | |
GetDatabases | Grants permission to retrieve all databases | Read | catalog* (p. 865), database* (p. 865) | |
GetDataflowGraph | Grants permission to transform a script into a directed acyclic graph (DAG) | Read | | |
GetDevEndpoint | Grants permission to retrieve a development endpoint | Read | | |
GetDevEndpoints | Grants permission to retrieve all development endpoints | Read | | |
GetJob | Grants permission to retrieve a job | Read | | |
GetJobBookmark | Grants permission to retrieve a job bookmark | Read | | |
GetJobRun | Grants permission to retrieve a job run | Read | | |
GetJobRuns | Grants permission to retrieve all job runs of a job | Read | | |
GetJobs | Grants permission to retrieve all current jobs | Read | | |
GetMLTaskRun | Grants permission to retrieve an ML Task Run | Read | mlTransform* (p. 866) | |
GetMLTaskRuns | Grants permission to retrieve all ML Task Runs | List | mlTransform* (p. 866) | |
GetMLTransform | Grants permission to retrieve an ML Transform | Read | mlTransform* (p. 866) | |
GetMLTransforms | Grants permission to retrieve all ML Transforms | List | | |
GetMapping | Grants permission to create a mapping | Read | | |
GetPartition | Grants permission to retrieve a partition | Read | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
GetPartitions | Grants permission to retrieve the partitions of a table | Read | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
GetPlan | Grants permission to retrieve a mapping for a script | Read | | |
GetRegistry | Grants permission to retrieve a schema registry | Read | registry* (p. 866) | |
GetResourcePolicy | Grants permission to retrieve a resource policy | Read | catalog* (p. 865) | |
GetSchema | Grants permission to retrieve a schema container | Read | registry* (p. 866), schema* (p. 866) | |
GetSchemaByDefinition | Grants permission to retrieve a schema version based on schema definition | Read | registry* (p. 866), schema* (p. 866) | |
GetSchemaVersion | Grants permission to retrieve a schema version | Read | registry (p. 866), schema (p. 866) | |
GetSchemaVersionsDiff | Grants permission to compare two schema versions in schema registry | Read | registry* (p. 866), schema* (p. 866) | |
GetSecurityConfiguration | Grants permission to retrieve a security configuration | Read | | |
GetSecurityConfigurations | Grants permission to retrieve one or more security configurations | Read | | |
GetTable | Grants permission to retrieve a table | Read | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
GetTableVersion | Grants permission to retrieve a version of a table | Read | catalog* (p. 865), database* (p. 865), table* (p. 865), tableversion* (p. 866) | |
GetTableVersions | Grants permission to retrieve a list of versions of a table | Read | catalog* (p. 865), database* (p. 865), table* (p. 865), tableversion* (p. 866) | |
GetTables | Grants permission to retrieve the tables in a database | Read | catalog* (p. 865), database* (p. 865), table* (p. 865) | |
GetTags | Grants permission to retrieve all tags associated with a resource | Read | crawler (p. 866), devendpoint (p. 866), job (p. 866), trigger (p. 866), workflow (p. 866) | |
GetTrigger | Grants permission to retrieve a trigger | Read | | |
GetTriggers | Grants permission to retrieve the triggers associated with a job | Read | | |
GetUserDefinedFunction | Grants permission to retrieve a function definition. | Read | catalog* (p. 865), database* (p. 865) | |

860
Service Authorization Reference
Service Authorization Reference
AWS Glue

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

userdefinedfunction*
   
(p. 866)

Grants permission to retrieve Read catalog*    


GetUserDefinedFunctions
multiple function definitions (p. 865)

database*    
(p. 865)

userdefinedfunction*
   
(p. 866)

GetWorkflow Grants permission to retrieve a Read      


workflow

Grants permission to retrieve a Read      


GetWorkflowRun workflow run

Grants permission to retrieve Read      


GetWorkflowRunProperties
workflow run properties

Grants permission to retrieve all Read      


GetWorkflowRunsruns of a workflow

Grants permission to import an Write catalog*    


ImportCatalogToGlue
Athena data catalog into AWS (p. 865)
Glue

ListCrawlers Grants permission to retrieve all List      


crawlers

Grants permission to retrieve all List      


ListDevEndpoints development endpoints

ListJobs Grants permission to retrieve all List      


current jobs

Grants permission to retrieve all List      


ListMLTransformsML Transforms

ListRegistries Grants permission to retrieve a List      


list of schema registries

Grants permission to retrieve a List registry*    


ListSchemaVersions
list of schema versions (p. 866)

schema*    
(p. 866)

ListSchemas Grants permission to retrieve a List registry    


list of schema containers (p. 866)

ListTriggers Grants permission to retrieve all List      


triggers

861
Service Authorization Reference
Service Authorization Reference
AWS Glue

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

ListWorkflows Grants permission to retrieve all List      


workflows

Grants permission to update Write      


PutDataCatalogEncryptionSettings
catalog encryption settings

Grants permission to update a Write catalog*    


PutResourcePolicyresource policy (p. 865)

Grants permission to add Write registry    


PutSchemaVersionMetadata
metadata to schema version (p. 866)

schema    
(p. 866)

Grants permission to update Write      


PutWorkflowRunProperties
workflow run properties

Grants permission to fetch List registry    


QuerySchemaVersionMetadata
metadata for a schema version (p. 866)

schema    
(p. 866)

Grants permission to create a Write registry*    


RegisterSchemaVersion
new schema version (p. 866)

schema*    
(p. 866)

Grants permission to remove Write registry    


RemoveSchemaVersionMetadata
metadata from schema version (p. 866)

schema    
(p. 866)

Grants permission to reset a job Write      


ResetJobBookmark
bookmark

SearchTables Grants permission to retrieve the Read catalog*    


tables in the catalog (p. 865)

database*    
(p. 865)

table*    
(p. 865)

StartCrawler Grants permission to start a Write      


crawler

Grants permission to change the Write      


StartCrawlerSchedule
schedule state of a crawler to
SCHEDULED

862
Service Authorization Reference
Service Authorization Reference
AWS Glue

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to start an Write mlTransform*   


StartExportLabelsTaskRun
Export Labels ML Task Run (p. 866)

Grants permission to start an Write mlTransform*   


StartImportLabelsTaskRun
Import Labels ML Task Run (p. 866)

StartJobRun Grants permission to start Write      


running a job

Grants permission to start an Write mlTransform*   


StartMLEvaluationTaskRun
Evaluation ML Task Run (p. 866)

Grants permission to start a Write mlTransform*   


StartMLLabelingSetGenerationTaskRun
Labeling Set Generation ML Task (p. 866)
Run

StartTrigger Grants permission to start a Write      


trigger

Grants permission to start Write      


StartWorkflowRunrunning a workflow

StopCrawler Grants permission to stop a Write      


running crawler

Grants permission to set the Write      


StopCrawlerSchedule
schedule state of a crawler to
NOT_SCHEDULED

StopTrigger Grants permission to stop a Write      


trigger

TagResource Grants permission to add tags to Tagging crawler    


a resource (p. 866)

devendpoint    
(p. 866)

job    
(p. 866)

trigger    
(p. 866)

workflow    
(p. 866)

  aws:TagKeys  
(p. 866)

aws:RequestTag/
${TagKey}
(p. 866)

Grants permission to remove Tagging crawler    


UntagResource tags associated with a resource (p. 866)

863
Service Authorization Reference
Service Authorization Reference
AWS Glue

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

devendpoint    
(p. 866)

job    
(p. 866)

trigger    
(p. 866)

workflow    
(p. 866)

  aws:TagKeys  
(p. 866)

Grants permission to update a Write      


UpdateClassifier classifier

Grants permission to update a Write catalog*    


UpdateConnection
connection (p. 865)

connection*    
(p. 866)

Grants permission to update a Write      


UpdateCrawler crawler

Grants permission to update the Write      


UpdateCrawlerSchedule
schedule of a crawler

Grants permission to update a Write catalog*    


UpdateDatabase database (p. 865)

database*    
(p. 865)

Grants permission to update a Write      


UpdateDevEndpoint
development endpoint

UpdateJob Grants permission to update a Write      


job

Grants permission to update an Write mlTransform*   


UpdateMLTransform
ML Transform (p. 866)

Grants permission to update a Write catalog*    


UpdatePartition partition (p. 865)

database*    
(p. 865)

table*    
(p. 865)

Grants permission to update a Write registry*    


UpdateRegistry schema registry (p. 866)

864
Service Authorization Reference
Service Authorization Reference
AWS Glue

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to update a Write registry*    


UpdateSchema schema container (p. 866)

schema*    
(p. 866)

UpdateTable Grants permission to update a Write catalog*    


table (p. 865)

database*    
(p. 865)

table*    
(p. 865)

Grants permission to update a Write      


UpdateTrigger trigger

Grants permission to update a Write catalog*    


UpdateUserDefinedFunction
function definition (p. 865)

database*    
(p. 865)

userdefinedfunction*
   
(p. 866)

Grants permission to update a Write      


UpdateWorkflow workflow

Grants permission to use an ML Write mlTransform*   


UseMLTransformsTransform from within a Glue (p. 866)
ETL Script

Resource types defined by AWS Glue


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 852) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
catalog | arn:${Partition}:glue:${Region}:${Account}:catalog |
database | arn:${Partition}:glue:${Region}:${Account}:database/${DatabaseName} |
table | arn:${Partition}:glue:${Region}:${Account}:table/${DatabaseName}/${TableName} |
tableversion | arn:${Partition}:glue:${Region}:${Account}:tableVersion/${DatabaseName}/${TableName}/${TableVersionName} |
connection | arn:${Partition}:glue:${Region}:${Account}:connection/${ConnectionName} |
userdefinedfunction | arn:${Partition}:glue:${Region}:${Account}:userDefinedFunction/${DatabaseName}/${UserDefinedFunctionName} |
devendpoint | arn:${Partition}:glue:${Region}:${Account}:devendpoint/${DevEndpointName} | aws:ResourceTag/${TagKey} (p. 866)
job | arn:${Partition}:glue:${Region}:${Account}:job/${JobName} | aws:ResourceTag/${TagKey} (p. 866)
trigger | arn:${Partition}:glue:${Region}:${Account}:trigger/${TriggerName} | aws:ResourceTag/${TagKey} (p. 866)
crawler | arn:${Partition}:glue:${Region}:${Account}:crawler/${CrawlerName} | aws:ResourceTag/${TagKey} (p. 866)
workflow | arn:${Partition}:glue:${Region}:${Account}:workflow/${WorkflowName} | aws:ResourceTag/${TagKey} (p. 866)
mlTransform | arn:${Partition}:glue:${Region}:${Account}:mlTransform/${TransformId} | aws:ResourceTag/${TagKey} (p. 866)
registry | arn:${Partition}:glue:${Region}:${Account}:registry/${RegistryName} | aws:ResourceTag/${TagKey} (p. 866)
schema | arn:${Partition}:glue:${Region}:${Account}:schema/${SchemaName} | aws:ResourceTag/${TagKey} (p. 866)

Condition keys for AWS Glue


AWS Glue defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for AWS Glue DataBrew
AWS Glue DataBrew (service prefix: databrew) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Glue DataBrew (p. 867)
• Resource types defined by AWS Glue DataBrew (p. 871)
• Condition keys for AWS Glue DataBrew (p. 871)

Actions defined by AWS Glue DataBrew


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchDeleteRecipeVersion | Grants permission to delete one or more recipe versions | Write | Recipe* (p. 871) | |
CreateDataset | Grants permission to create a dataset | Write | | aws:RequestTag/${TagKey} (p. 871), aws:TagKeys (p. 871) |
CreateProfileJob | Grants permission to create a profile job | Write | | aws:RequestTag/${TagKey} (p. 871), aws:TagKeys (p. 871) |
CreateProject | Grants permission to create a project | Write | | aws:RequestTag/${TagKey} (p. 871), aws:TagKeys (p. 871) |
CreateRecipe | Grants permission to create a recipe | Write | | aws:RequestTag/${TagKey} (p. 871), aws:TagKeys (p. 871) |
CreateRecipeJob | Grants permission to create a recipe job | Write | | aws:RequestTag/${TagKey} (p. 871), aws:TagKeys (p. 871) |
CreateSchedule | Grants permission to create a schedule | Write | | aws:RequestTag/${TagKey} (p. 871), aws:TagKeys (p. 871) |
DeleteDataset | Grants permission to delete a dataset | Write | Dataset* (p. 871) | |
DeleteJob | Grants permission to delete a job | Write | Job* (p. 871) | |
DeleteProject | Grants permission to delete a project | Write | Project* (p. 871) | |
DeleteRecipeVersion | Grants permission to delete a recipe version | Write | Recipe* (p. 871) | |
DeleteSchedule | Grants permission to delete a schedule | Write | Schedule* (p. 871) | |
DescribeDataset | Grants permission to view details about a dataset | Read | Dataset* (p. 871) | |
DescribeJob | Grants permission to view details about a job | Read | Job* (p. 871) | |
DescribeProject | Grants permission to view details about a project | Read | Project* (p. 871) | |
DescribeRecipe | Grants permission to view details about a recipe | Read | Recipe* (p. 871) | |
DescribeSchedule | Grants permission to view details about a schedule | Read | Schedule* (p. 871) | |
ListDatasets | Grants permission to list datasets in your account | List | Dataset* (p. 871) | |
ListJobRuns | Grants permission to list job runs for a given job | List | Job* (p. 871) | |
ListJobs | Grants permission to list jobs in your account | List | | |
ListProjects | Grants permission to list projects in your account | List | | |
ListRecipeVersions | Grants permission to list versions in your recipe | List | Recipe* (p. 871) | |
ListRecipes | Grants permission to list recipes in your account | List | | |
ListSchedules | Grants permission to list schedules in your account | List | Schedule* (p. 871) | |
ListTagsForResource | Grants permission to retrieve tags associated with a resource | List | Dataset, Job, Project, Recipe, Schedule (p. 871) | |
PublishRecipe | Grants permission to publish a major version of a recipe | Write | Recipe* (p. 871) | |
SendProjectSessionAction | Grants permission to submit an action to the interactive session for a project | Write | Project* (p. 871) | |
StartJobRun | Grants permission to start running a job | Write | Job* (p. 871) | |
StartProjectSession | Grants permission to start an interactive session for a project | Write | Project* (p. 871) | |
StopJobRun | Grants permission to stop a job run for a job | Write | Job* (p. 871) | |
TagResource | Grants permission to add tags to a resource | Tagging | Dataset, Job, Project, Recipe, Schedule (p. 871) | aws:RequestTag/${TagKey} (p. 871), aws:TagKeys (p. 871) |
UntagResource | Grants permission to remove tags associated with a resource | Tagging | Dataset, Job, Project, Recipe, Schedule (p. 871) | aws:TagKeys (p. 871) |
UpdateDataset | Grants permission to modify a dataset | Write | Dataset* (p. 871) | |
UpdateProfileJob | Grants permission to modify a profile job | Write | Job* (p. 871) | |
UpdateProject | Grants permission to modify a project | Write | Project* (p. 871) | |
UpdateRecipe | Grants permission to modify a recipe | Write | Recipe* (p. 871) | |
UpdateRecipeJob | Grants permission to modify a recipe job | Write | Job* (p. 871) | |
UpdateSchedule | Grants permission to modify a schedule | Write | Schedule* (p. 871) | |

Resource types defined by AWS Glue DataBrew


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 867) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
Project | arn:${Partition}:databrew::${Account}:project/${ResourceId} | aws:ResourceTag/${TagKey} (p. 871)
Dataset | arn:${Partition}:databrew::${Account}:dataset/${ResourceId} | aws:ResourceTag/${TagKey} (p. 871)
Recipe | arn:${Partition}:databrew::${Account}:recipe/${ResourceId} | aws:ResourceTag/${TagKey} (p. 871)
Job | arn:${Partition}:databrew::${Account}:job/${ResourceId} | aws:ResourceTag/${TagKey} (p. 871)
Schedule | arn:${Partition}:databrew::${Account}:schedule/${ResourceId} | aws:ResourceTag/${TagKey} (p. 871)

Condition keys for AWS Glue DataBrew


AWS Glue DataBrew defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String

Actions, resources, and condition keys for AWS Ground Station
AWS Ground Station (service prefix: groundstation) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Ground Station (p. 872)
• Resource types defined by AWS Ground Station (p. 875)
• Condition keys for AWS Ground Station (p. 875)

Actions defined by AWS Ground Station


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CancelContact | Grants permission to cancel a contact | Write | Contact* (p. 875) | |
CreateConfig | Grants permission to create a configuration | Write | | aws:RequestTag/${TagKey} (p. 875), aws:TagKeys (p. 876) |
CreateDataflowEndpointGroup | Grants permission to create a data flow endpoint group | Write | | aws:RequestTag/${TagKey} (p. 875), aws:TagKeys (p. 876) |
CreateMissionProfile | Grants permission to create a mission profile | Write | | aws:RequestTag/${TagKey} (p. 875), aws:TagKeys (p. 876) |
DeleteConfig | Grants permission to delete a config | Write | Config* (p. 875) | |
DeleteDataflowEndpointGroup | Grants permission to delete a data flow endpoint group | Write | DataflowEndpointGroup* (p. 875) | |
DeleteMissionProfile | Grants permission to delete a mission profile | Write | MissionProfile* (p. 875) | |
DescribeContact | Grants permission to describe a contact | Read | Contact* (p. 875) | |
GetConfig | Grants permission to return a configuration | Read | Config* (p. 875) | |
GetDataflowEndpointGroup | Grants permission to return a data flow endpoint group | Read | DataflowEndpointGroup* (p. 875) | |
GetMinuteUsage | Grants permission to return minutes usage | Read | | |
GetMissionProfile | Grants permission to retrieve a mission profile | Read | MissionProfile* (p. 875) | |
GetSatellite | Grants permission to return information about a satellite | Read | Satellite* (p. 875) | |
ListConfigs | Grants permission to return a list of past configurations | List | | |
ListContacts | Grants permission to return a list of contacts | List | | |
ListDataflowEndpointGroups | Grants permission to list data flow endpoint groups | List | | |
ListGroundStations | Grants permission to list ground stations | List | | |
ListMissionProfiles | Grants permission to return a list of mission profiles | List | | |
ListSatellites | Grants permission to list satellites | List | | |
ListTagsForResource | Grants permission to list tags for a resource | Read | Config, Contact, DataflowEndpointGroup, MissionProfile (p. 875) | |
ReserveContact | Grants permission to reserve a contact | Write | | aws:RequestTag/${TagKey} (p. 875), aws:TagKeys (p. 876) |
TagResource | Grants permission to assign a resource tag | Tagging | Config, Contact, DataflowEndpointGroup, MissionProfile (p. 875) | aws:TagKeys (p. 876), aws:RequestTag/${TagKey} (p. 875) |
UntagResource | Grants permission to deassign a resource tag | Tagging | Config, Contact, DataflowEndpointGroup, MissionProfile (p. 875) | aws:TagKeys (p. 876) |
UpdateConfig | Grants permission to update a configuration | Write | Config* (p. 875) | |
UpdateMissionProfile | Grants permission to update a mission profile | Write | MissionProfile* (p. 875) | |

Resource types defined by AWS Ground Station


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 872) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
Config | arn:${Partition}:groundstation:${Region}:${Account}:config/${configType}/${configId} | aws:ResourceTag/${TagKey} (p. 876), groundstation:configId (p. 876), groundstation:configType (p. 876)
Contact | arn:${Partition}:groundstation:${Region}:${Account}:contact/${contactId} | aws:ResourceTag/${TagKey} (p. 876), groundstation:contactId (p. 876)
DataflowEndpointGroup | arn:${Partition}:groundstation:${Region}:${Account}:dataflow-endpoint-group/${dataflowEndpointGroupId} | aws:ResourceTag/${TagKey} (p. 876), groundstation:dataflowEndpointGroup (p. 876)
GroundStationResource | arn:${Partition}:groundstation:${Region}:${Account}:groundstation:${groundStationId} | groundstation:groundStationId (p. 876)
MissionProfile | arn:${Partition}:groundstation:${Region}:${Account}:mission-profile/${missionProfileId} | aws:ResourceTag/${TagKey} (p. 876), groundstation:missionProfileId (p. 876)
Satellite | arn:${Partition}:groundstation:${Region}:${Account}:satellite/${satelliteId} | groundstation:satelliteId (p. 876)

Condition keys for AWS Ground Station


AWS Ground Station defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters access by a key that is present in the request the user makes to the Ground Station service. | String
aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair. | String
aws:TagKeys | Filters access by the list of all the tag key names present in the request the user makes to the Ground Station service. | String
groundstation:configId | Filters access by the ID of a config | String
groundstation:configType | Filters access by the type of a config | String
groundstation:contactId | Filters access by the ID of a contact | String
groundstation:dataflowEndpointGroupId | Filters access by the ID of a dataflow endpoint group | String
groundstation:groundStationId | Filters access by the ID of a ground station | String
groundstation:missionProfileId | Filters access by the ID of a mission profile | String
groundstation:satelliteId | Filters access by the ID of a satellite | String

Actions, resources, and condition keys for Amazon GroundTruth Labeling
Amazon GroundTruth Labeling (service prefix: groundtruthlabeling) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon GroundTruth Labeling (p. 876)
• Resource types defined by Amazon GroundTruth Labeling (p. 877)
• Condition keys for Amazon GroundTruth Labeling (p. 877)

Actions defined by Amazon GroundTruth Labeling


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
DescribeConsoleJob [permission only] | Get status of GroundTruthLabeling Jobs. | Read | | |
ListDatasetObjects [permission only] | Paginated list API to list dataset objects in a manifest file. | Read | | |
RunFilterOrSampleDatasetJob [permission only] | Filter records from a manifest file using S3 select. Get sample entries based on random sampling. | Write | | |
RunGenerateManifestByCrawlingJob [permission only] | List an S3 prefix and create manifest files from objects in that location. | Write | | |

Resource types defined by Amazon GroundTruth Labeling


Amazon GroundTruth Labeling does not support specifying a resource ARN in the Resource element of
an IAM policy statement. To allow access to Amazon GroundTruth Labeling, specify "Resource": "*"
in your policy.

Condition keys for Amazon GroundTruth Labeling


GroundTruth Labeling has no service-specific context keys that can be used in the Condition element
of policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Amazon GuardDuty
Amazon GuardDuty (service prefix: guardduty) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon GuardDuty (p. 878)
• Resource types defined by Amazon GuardDuty (p. 884)
• Condition keys for Amazon GuardDuty (p. 884)

Actions defined by Amazon GuardDuty


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptInvitation | Grants permission to accept invitations to become a GuardDuty member account | Write | detector* | | |
| ArchiveFindings | Grants permission to archive GuardDuty findings | Write | detector* | | |
| CreateDetector | Grants permission to create a detector | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateFilter | Grants permission to create GuardDuty filters. A filter defines finding attributes and conditions used to filter findings | Write | detector* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateIPSet | Grants permission to create an IPSet | Write | detector* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateMembers | Grants permission to create GuardDuty member accounts, where the account used to create a member becomes the GuardDuty administrator account | Write | detector* | | |
| CreatePublishingDestination | Grants permission to create a publishing destination | Write | detector* | | s3:GetObject, s3:ListBucket |
| CreateSampleFindings | Grants permission to create sample findings | Write | detector* | | |
| CreateThreatIntelSet | Grants permission to create GuardDuty ThreatIntelSets, where a ThreatIntelSet consists of known malicious IP addresses used by GuardDuty to generate findings | Write | detector* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeclineInvitations | Grants permission to decline invitations to become a GuardDuty member account | Write | | | |
| DeleteDetector | Grants permission to delete GuardDuty detectors | Write | detector* | | |
| DeleteFilter | Grants permission to delete GuardDuty filters | Write | detector*, filter* | | |
| DeleteIPSet | Grants permission to delete GuardDuty IPSets | Write | detector*, ipset* | | |
| DeleteInvitations | Grants permission to delete invitations to become a GuardDuty member account | Write | | | |
| DeleteMembers | Grants permission to delete GuardDuty member accounts | Write | detector* | | |
| DeletePublishingDestination | Grants permission to delete a publishing destination | Write | detector*, publishingDestination* | | |
| DeleteThreatIntelSet | Grants permission to delete GuardDuty ThreatIntelSets | Write | detector*, threatintelset* | | |
| DescribeOrganizationConfiguration | Grants permission to retrieve details about the delegated administrator associated with a GuardDuty detector | Read | detector* | | |
| DescribePublishingDestination | Grants permission to retrieve details about a publishing destination | Read | detector*, publishingDestination* | | |
| DisableOrganizationAdminAccount | Grants permission to disable the organization delegated administrator for GuardDuty | Write | | | |
| DisassociateFromMasterAccount | Grants permission to disassociate a GuardDuty member account from its GuardDuty master account | Write | detector* | | |
| DisassociateMembers | Grants permission to disassociate GuardDuty member accounts from their master GuardDuty account | Write | detector* | | |
| EnableOrganizationAdminAccount | Grants permission to enable an organization delegated administrator for GuardDuty | Write | | | |
| GetDetector | Grants permission to retrieve GuardDuty detectors | Read | detector* | | |
| GetFilter | Grants permission to retrieve GuardDuty filters | Read | detector*, filter* | | |
| GetFindings | Grants permission to retrieve GuardDuty findings | Read | detector* | | |
| GetFindingsStatistics | Grants permission to retrieve a list of GuardDuty finding statistics | Read | detector* | | |
| GetIPSet | Grants permission to retrieve GuardDuty IPSets | Read | detector*, ipset* | | |
| GetInvitationsCount | Grants permission to retrieve the count of all GuardDuty invitations sent to a specified account, which does not include the accepted invitation | Read | | | |
| GetMasterAccount | Grants permission to retrieve details of the GuardDuty master account associated with a member account | Read | detector* | | |
| GetMembers | Grants permission to retrieve the member accounts associated with a master account | Read | detector* | | |
| GetThreatIntelSet | Grants permission to retrieve GuardDuty ThreatIntelSets | Read | detector*, threatintelset* | | |
| InviteMembers | Grants permission to invite other AWS accounts to enable GuardDuty and become GuardDuty member accounts | Write | detector* | | |
| ListDetectors | Grants permission to retrieve a list of GuardDuty detectors | List | | | |
| ListFilters | Grants permission to retrieve a list of GuardDuty filters | List | detector* | | |
| ListFindings | Grants permission to retrieve a list of GuardDuty findings | List | detector* | | |
| ListIPSets | Grants permission to retrieve a list of GuardDuty IPSets | List | detector* | | |
| ListInvitations | Grants permission to retrieve a list of all of the GuardDuty membership invitations that were sent to an AWS account | List | | | |
| ListMembers | Grants permission to retrieve a list of GuardDuty member accounts associated with a master account | List | detector* | | |
| ListOrganizationAdminAccounts | Grants permission to list details about the organization delegated administrator for GuardDuty | List | | | |
| ListPublishingDestinations | Grants permission to retrieve a list of publishing destinations | List | detector* | | |
| ListTagsForResource | Grants permission to retrieve a list of tags associated with a GuardDuty resource | List | detector, filter, ipset, threatintelset | | |
| ListThreatIntelSets | Grants permission to retrieve a list of GuardDuty ThreatIntelSets | List | detector* | | |
| StartMonitoringMembers | Grants permission to a GuardDuty administrator account to monitor findings from GuardDuty member accounts | Write | detector* | | |
| StopMonitoringMembers | Grants permission to disable monitoring of findings from member accounts | Write | detector* | | |
| TagResource | Grants permission to add tags to a GuardDuty resource | Write | detector, filter, ipset, threatintelset | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UnarchiveFindings | Grants permission to unarchive GuardDuty findings | Write | detector* | | |
| UntagResource | Grants permission to remove tags from a GuardDuty resource | Write | detector, filter, ipset, threatintelset | aws:TagKeys | |
| UpdateDetector | Grants permission to update GuardDuty detectors | Write | detector* | | |
| UpdateFilter | Grants permission to update GuardDuty filters | Write | detector*, filter* | | |
| UpdateFindingsFeedback | Grants permission to update findings feedback to mark GuardDuty findings as useful or not useful | Write | detector* | | |
| UpdateIPSet | Grants permission to update GuardDuty IPSets | Write | detector*, ipset* | | |
| UpdateOrganizationConfiguration | Grants permission to update the delegated administrator configuration associated with a GuardDuty detector | Write | detector* | | |
| UpdatePublishingDestination | Grants permission to update a publishing destination | Write | detector*, publishingDestination* | | s3:GetObject, s3:ListBucket |
| UpdateThreatIntelSet | Grants permission to update GuardDuty ThreatIntelSets | Write | detector*, threatintelset* | | |


Resource types defined by Amazon GuardDuty


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 878) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| detector | arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId} | aws:ResourceTag/${TagKey} |
| filter | arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/filter/${FilterName} | aws:ResourceTag/${TagKey} |
| ipset | arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/ipset/${IPSetId} | aws:ResourceTag/${TagKey} |
| threatintelset | arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/threatintelset/${ThreatIntelSetId} | aws:ResourceTag/${TagKey} |
| publishingDestination | arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/publishingDestination/${PublishingDestinationId} | |

Condition keys for Amazon GuardDuty


Amazon GuardDuty defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
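Worked example, added here and not AWS code: a small linter that checks an IAM policy against the GuardDuty tables above. It flags an action that accepts a detector ARN but is granted on Resource "*", a required resource type that no Resource entry covers, a Resource entry of a type the action does not accept, and a dependent action (s3:GetObject and s3:ListBucket for CreatePublishingDestination) that the policy never grants. The ARN templates and the rows in ACTIONS are copied from the tables; the detector ID, bucket name, tag values and both sample policies are constructed for the demonstration, and the ARN matching is a simplified version of IAM's wildcard rules.

```python
"""Lint an IAM policy against the GuardDuty action and resource-type tables (added example, not AWS code)."""
import fnmatch

# ARN templates from "Resource types defined by Amazon GuardDuty".
ARN_TEMPLATES = {
    "detector": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}",
    "filter": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/filter/${FilterName}",
    "ipset": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/ipset/${IPSetId}",
    "threatintelset": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/threatintelset/${ThreatIntelSetId}",
    "publishingDestination": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/publishingDestination/${PublishingDestinationId}",
}
# Excerpt of the actions table: action -> (required resource types, optional resource types, dependent actions).
ACTIONS = {
    "guardduty:ListDetectors": (set(), set(), set()),
    "guardduty:GetFindings": ({"detector"}, set(), set()),
    "guardduty:ListFindings": ({"detector"}, set(), set()),
    "guardduty:ArchiveFindings": ({"detector"}, set(), set()),
    "guardduty:DeleteFilter": ({"detector", "filter"}, set(), set()),
    "guardduty:TagResource": (set(), {"detector", "filter", "ipset", "threatintelset"}, set()),
    "guardduty:CreatePublishingDestination": ({"detector"}, set(), {"s3:GetObject", "s3:ListBucket"}),
}

def _split_arn(arn):
    """Split arn:partition:service:region:account:resource into the four head fields and the resource path."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[1:5], parts[5].split("/")

def _seg_matches(policy_seg, template_seg):
    # A ${Placeholder} accepts any non-empty literal or glob; literal template text is glob-matched.
    if template_seg.startswith("${"):
        return policy_seg != ""
    return fnmatch.fnmatchcase(template_seg, policy_seg)

def resource_matches_type(resource, type_name):
    """Can this policy Resource pattern match ARNs of the given GuardDuty resource type? (simplified IAM rules)"""
    if resource == "*":
        return True
    p_head, p_path = _split_arn(resource)
    t_head, t_path = _split_arn(ARN_TEMPLATES[type_name])
    if not all(_seg_matches(p, t) for p, t in zip(p_head, t_head)):
        return False
    for i, seg in enumerate(p_path):
        if i >= len(t_path):
            return False  # pattern is deeper than this type's path, e.g. .../filter/x against detector
        if seg == "*" and i == len(p_path) - 1:
            return True  # a trailing "*" spans every remaining segment, as IAM's "*" does
        if not _seg_matches(seg, t_path[i]):
            return False
    return len(p_path) == len(t_path)

def lint_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings, allowed = [], set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        allowed.update(actions)
        for action in actions:
            if action not in ACTIONS:
                continue  # wildcard, or outside this excerpt of the table
            required, optional, _ = ACTIONS[action]
            if "*" in resources and (required or optional):
                findings.append(f"{action}: Resource '*' although the action supports resource-level permissions")
            for rtype in sorted(required):
                if not any(resource_matches_type(r, rtype) for r in resources):
                    findings.append(f"{action}: no Resource entry matches required type '{rtype}'")
            for r in resources:
                if r != "*" and not any(resource_matches_type(r, t) for t in required | optional):
                    findings.append(f"{action}: Resource {r} is not a type this action accepts")
    # Dependent actions are matched by exact name; a grant through a wildcard such as s3:* is not recognised.
    for action in sorted(allowed):
        for dep in sorted(ACTIONS.get(action, ((), (), ()))[2]):
            if dep not in allowed:
                findings.append(f"{action}: dependent action {dep} is not granted")
    return findings

DETECTOR = "arn:aws:guardduty:us-east-1:123456789012:detector/12abc34d567e8fa901bc2d34e56789f0"  # constructed
EXPORT_BUCKET = "arn:aws:s3:::example-guardduty-findings-export"  # constructed

# Weak form: "*" for actions that accept a detector ARN, and no S3 permissions for the destination bucket.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["guardduty:GetFindings", "guardduty:CreatePublishingDestination"], "Resource": "*"},
]}

# Corrected form: one tag-gated detector, the filter ARNs DeleteFilter also needs, and the S3 dependencies.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "guardduty:ListDetectors", "Resource": "*"},
    {"Effect": "Allow", "Resource": DETECTOR, "Condition": {"StringEquals": {"aws:ResourceTag/team": "secops"}},
     "Action": ["guardduty:GetFindings", "guardduty:ListFindings", "guardduty:ArchiveFindings",
                "guardduty:CreatePublishingDestination"]},
    {"Effect": "Allow", "Action": "guardduty:DeleteFilter", "Resource": [DETECTOR, DETECTOR + "/filter/*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [EXPORT_BUCKET, EXPORT_BUCKET + "/*"]},
]}
```

`lint_policy(OVERBROAD_POLICY)` returns four findings (two over-broad Resource entries and the two missing S3 actions); `lint_policy(SCOPED_POLICY)` returns none. The DeleteFilter statement is the case worth remembering: filter, ipset and threatintelset ARNs are nested under the detector path, so `detector/${DetectorId}` on its own never matches them, while `detector/*` matches every one of them; a statement that lists only the detector ARN for DeleteFilter is reported as not covering the required filter type.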


Actions, resources, and condition keys for AWS Health APIs and Notifications

AWS Health APIs and Notifications (service prefix: health) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Health APIs and Notifications (p. 885)
• Resource types defined by AWS Health APIs and Notifications (p. 886)
• Condition keys for AWS Health APIs and Notifications (p. 887)

Actions defined by AWS Health APIs and Notifications


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| DescribeAffectedAccountsForOrganization | Gets a list of accounts that have been affected by the specified events in the organization. | Read | | | organizations:ListAccounts |
| DescribeAffectedEntities | Gets a list of entities that have been affected by the specified events. | Read | event* | health:eventTypeCode, health:service | |
| DescribeAffectedEntitiesForOrganization | Gets a list of entities that have been affected by the specified events and accounts in the organization. | Read | | | organizations:ListAccounts |
| DescribeEntityAggregates | Returns the number of entities that are affected by each of the specified events. | Read | | | |
| DescribeEventAggregates | Returns the number of events of each event type (issue, scheduled change, and account notification). | Read | | | |
| DescribeEventDetails | Returns detailed information about one or more specified events. | Read | event* | health:eventTypeCode, health:service | |
| DescribeEventDetailsForOrganization | Returns detailed information about one or more specified events for the provided accounts in the organization. | Read | | | organizations:ListAccounts |
| DescribeEventTypes | Returns the event types that meet the specified filter criteria. | Read | | | |
| DescribeEvents | Returns information about events that meet the specified filter criteria. | Read | | | |
| DescribeEventsForOrganization | Returns information about events that meet the specified filter criteria in the organization. | Read | | | organizations:ListAccounts |
| DescribeHealthServiceStatusForOrganization | Returns the status of enabling or disabling the Organizational View feature. | Permissions management | | | organizations:ListAccounts |
| DisableHealthServiceAccessForOrganization | Disables the Organizational View feature. | Permissions management | | | organizations:DisableAWSServiceAccess, organizations:ListAccounts |
| EnableHealthServiceAccessForOrganization | Enables the Organizational View feature. | Permissions management | | | iam:CreateServiceLinkedRole, organizations:EnableAWSServiceAccess, organizations:ListAccounts |

Resource types defined by AWS Health APIs and Notifications


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 885) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| event | arn:${Partition}:health:*::event/${Service}/${EventTypeCode}/* | |

Condition keys for AWS Health APIs and Notifications


AWS Health APIs and Notifications defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions under
which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| health:eventTypeCode | The type of event. | String |
| health:service | The service of the event. | String |

Actions, resources, and condition keys for Amazon Honeycode

Amazon Honeycode (service prefix: honeycode) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Honeycode (p. 887)
• Resource types defined by Amazon Honeycode (p. 889)
• Condition keys for Amazon Honeycode (p. 889)

Actions defined by Amazon Honeycode


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.


The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| ApproveTeamAssociation [permission only] | Grants permission to approve a team association request for your AWS Account | Write | | | |
| BatchCreateTableRows | Grants permission to create new rows in a table | Write | table* | | |
| BatchDeleteTableRows | Grants permission to delete rows from a table | Write | table* | | |
| BatchUpdateTableRows | Grants permission to update rows in a table | Write | table* | | |
| BatchUpsertTableRows | Grants permission to upsert rows in a table | Write | table* | | |
| CreateTenant [permission only] | Grants permission to create a new tenant within Amazon Honeycode for your AWS Account | Write | | | |
| DescribeTableDataImportJob | Grants permission to get details about a table data import job | Read | table* | | |
| GetScreenData | Grants permission to load the data from a screen | Read | screen* | | |
| InvokeScreenAutomation | Grants permission to invoke a screen automation | Write | screen-automation* | | |
| ListTableColumns | Grants permission to list the columns in a table | List | table* | | |
| ListTableRows | Grants permission to list the rows in a table | List | table* | | |
| ListTables | Grants permission to list the tables in a workbook | List | workbook* | | |
| ListTeamAssociations [permission only] | Grants permission to list all pending and approved team associations with your AWS Account | List | | | |
| ListTenants [permission only] | Grants permission to list all tenants of Amazon Honeycode for your AWS Account | List | | | |
| QueryTableRows | Grants permission to query the rows of a table using a filter | Read | table* | | |
| RejectTeamAssociation [permission only] | Grants permission to reject a team association request for your AWS Account | Write | | | |
| StartTableDataImportJob | Grants permission to start a table data import job | Write | table* | | |

Resource types defined by Amazon Honeycode


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 887) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| workbook | arn:${Partition}:honeycode:${Region}:${Account}:workbook:workbook/${WorkbookId} | |
| table | arn:${Partition}:honeycode:${Region}:${Account}:table:workbook/${WorkbookId}/table/${TableId} | |
| screen | arn:${Partition}:honeycode:${Region}:${Account}:screen:workbook/${WorkbookId}/app/${AppId}/screen/${ScreenId} | |
| screen-automation | arn:${Partition}:honeycode:${Region}:${Account}:screen-automation:workbook/${WorkbookId}/app/${AppId}/screen/${ScreenId}/automation/${AutomationId} | |

Condition keys for Amazon Honeycode


Honeycode has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.


Actions, resources, and condition keys for IAM Access Analyzer

IAM Access Analyzer (service prefix: access-analyzer) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by IAM Access Analyzer (p. 890)
• Resource types defined by IAM Access Analyzer (p. 892)
• Condition keys for IAM Access Analyzer (p. 892)

Actions defined by IAM Access Analyzer


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| ApplyArchiveRule | Grants permission to apply an archive rule. | Write | Analyzer* | | |
| CreateAnalyzer | Grants permission to create an analyzer. | Write | Analyzer* | aws:RequestTag/${TagKey}, aws:TagKeys | iam:CreateServiceLinkedRole |
| CreateArchiveRule | Grants permission to create an archive rule for the specified analyzer. | Write | ArchiveRule* | | |
| DeleteAnalyzer | Grants permission to delete the specified analyzer. | Write | Analyzer* | | |
| DeleteArchiveRule | Grants permission to delete archive rules for the specified analyzer. | Write | ArchiveRule* | | |
| GetAnalyzedResource | Grants permission to retrieve information about an analyzed resource. | Read | Analyzer* | | |
| GetAnalyzer | Grants permission to retrieve information about analyzers. | Read | Analyzer* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| GetArchiveRule | Grants permission to retrieve information about archive rules for the specified analyzer. | Read | ArchiveRule* | | |
| GetFinding | Grants permission to retrieve findings. | Read | Analyzer* | | |
| ListAnalyzedResources | Grants permission to retrieve a list of resources that have been analyzed. | Read | Analyzer* | | |
| ListAnalyzers | Grants permission to retrieve a list of analyzers. | List | | | |
| ListArchiveRules | Grants permission to retrieve a list of archive rules from an analyzer. | List | Analyzer* | | |
| ListFindings | Grants permission to retrieve a list of findings from an analyzer. | Read | Analyzer* | | |
| ListTagsForResource | Grants permission to retrieve a list of tags applied to a resource. | Read | Analyzer | | |
| StartResourceScan | Grants permission to start a scan of the policies applied to a resource. | Write | Analyzer* | | |
| TagResource | Grants permission to add a tag to a resource. | Tagging | Analyzer | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UntagResource | Grants permission to remove a tag from a resource. | Tagging | Analyzer | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UpdateArchiveRule | Grants permission to modify an archive rule. | Write | ArchiveRule* | | |
| UpdateFindings | Grants permission to modify findings. | Write | Analyzer* | | |

Resource types defined by IAM Access Analyzer


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 890) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| Analyzer | arn:${Partition}:access-analyzer:${Region}:${Account}:analyzer/${analyzerName} | aws:ResourceTag/${TagKey} |
| ArchiveRule | arn:${Partition}:access-analyzer:${Region}:${Account}:analyzer/${analyzerName}/archive-rule/${ruleName} | |

Condition keys for IAM Access Analyzer


IAM Access Analyzer defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.


| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
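Worked example, added here and not AWS code, covering the tag condition keys in the table above and the health:service and health:eventTypeCode keys from the AWS Health section: a minimal evaluator for Allow and Deny statements with the StringEquals, ForAllValues:StringEquals and ForAnyValue:StringEquals operators, run against a constructed policy for the Access Analyzer tagging actions and one Health read. The policy, the analyzer and event ARNs, the tag values and every request context are constructed for the demonstration; the evaluator implements only the operators it names.

```python
"""Evaluate requests against a policy built on tag and service-specific condition keys (added example, not AWS code)."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _operator_matches(operator, block, context):
    """One Condition operator block, e.g. {"aws:RequestTag/team": "secops"} under StringEquals."""
    for key, wanted in block.items():
        wanted, actual = _as_list(wanted), context.get(key)
        if operator == "StringEquals":  # single-valued key; an absent key never matches
            if actual is None or actual not in wanted:
                return False
        elif operator == "ForAllValues:StringEquals":
            # Multi-valued key such as aws:TagKeys: every request value must be in the allowed set.
            # An absent or empty key matches vacuously, which is why the policy pairs it with StringEquals.
            if any(v not in wanted for v in (actual or [])):
                return False
        elif operator == "ForAnyValue:StringEquals":
            if not any(v in wanted for v in (actual or [])):
                return False
        else:
            raise ValueError(f"operator not implemented in this example: {operator}")
    return True


def _statement_matches(stmt, action, resource, context):
    # Action names are case-insensitive; ARNs are case-sensitive and "*" spans "/" and ":" in both.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_operator_matches(op, blk, context) for op, blk in stmt.get("Condition", {}).items())


def is_allowed(policy, action, resource, context):
    """Default deny; a matching explicit Deny overrides every Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed ARNs. Health event ARNs follow arn:${Partition}:health:*::event/${Service}/${EventTypeCode}/*
# from the Health resource table: a wildcard region field and an empty account field.
ANALYZER = "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/prod-analyzer"
EC2_EVENT = "arn:aws:health:us-east-1::event/EC2/AWS_EC2_OPERATIONAL_ISSUE/AWS_EC2_OPERATIONAL_ISSUE_EXAMPLE"
RDS_EVENT = "arn:aws:health:us-east-1::event/RDS/AWS_RDS_OPERATIONAL_ISSUE/AWS_RDS_OPERATIONAL_ISSUE_EXAMPLE"

POLICY = {"Version": "2012-10-17", "Statement": [
    {   # New analyzers must carry team=secops and may carry no keys other than team and env.
        "Sid": "CreateTaggedOnly", "Effect": "Allow", "Action": "access-analyzer:CreateAnalyzer",
        "Resource": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/*",
        "Condition": {"StringEquals": {"aws:RequestTag/team": "secops"},
                      "ForAllValues:StringEquals": {"aws:TagKeys": ["team", "env"]}}},
    {   # Retag only analyzers the team already owns, and touch only the env key.
        "Sid": "RetagOwnAnalyzers", "Effect": "Allow",
        "Action": ["access-analyzer:TagResource", "access-analyzer:UntagResource"],
        "Resource": "arn:aws:access-analyzer:*:123456789012:analyzer/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/team": "secops"},
                      "ForAllValues:StringEquals": {"aws:TagKeys": ["env"]}}},
    {   # The ownership tag can never be removed, whatever any Allow statement says.
        "Sid": "DenyRemovingOwnerTag", "Effect": "Deny", "Action": "access-analyzer:UntagResource",
        "Resource": "*", "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["team"]}}},
    {   # Health: event details for EC2 events only, scoped by the ARN path and by the service-specific key.
        "Sid": "Ec2HealthEventsOnly", "Effect": "Allow", "Action": "health:DescribeEventDetails",
        "Resource": "arn:aws:health:*::event/EC2/*/*",
        "Condition": {"StringEquals": {"health:service": "EC2"}}},
]}


def decisions():
    """Evaluate constructed requests; maps a label to the allow (True) / deny (False) result."""
    create, tag, untag = "access-analyzer:CreateAnalyzer", "access-analyzer:TagResource", "access-analyzer:UntagResource"
    describe = "health:DescribeEventDetails"
    return {
        "create_tagged_secops": is_allowed(POLICY, create, ANALYZER, {"aws:RequestTag/team": "secops",
                                           "aws:RequestTag/env": "prod", "aws:TagKeys": ["team", "env"]}),
        "create_untagged": is_allowed(POLICY, create, ANALYZER, {}),
        "create_extra_key": is_allowed(POLICY, create, ANALYZER, {"aws:RequestTag/team": "secops",
                                       "aws:RequestTag/owner": "bob", "aws:TagKeys": ["team", "owner"]}),
        "retag_env_own_team": is_allowed(POLICY, tag, ANALYZER, {"aws:ResourceTag/team": "secops",
                                         "aws:RequestTag/env": "staging", "aws:TagKeys": ["env"]}),
        "retag_other_team": is_allowed(POLICY, tag, ANALYZER, {"aws:ResourceTag/team": "platform",
                                       "aws:RequestTag/env": "staging", "aws:TagKeys": ["env"]}),
        "untag_owner_key": is_allowed(POLICY, untag, ANALYZER, {"aws:ResourceTag/team": "secops", "aws:TagKeys": ["team"]}),
        "health_ec2_event": is_allowed(POLICY, describe, EC2_EVENT,
                                       {"health:service": "EC2", "health:eventTypeCode": "AWS_EC2_OPERATIONAL_ISSUE"}),
        "health_rds_event": is_allowed(POLICY, describe, RDS_EVENT,
                                       {"health:service": "RDS", "health:eventTypeCode": "AWS_RDS_OPERATIONAL_ISSUE"}),
    }


if __name__ == "__main__":
    for label, ok in decisions().items():
        print(f"{label:22} {'ALLOW' if ok else 'DENY'}")
```

The `create_untagged` case is the caveat to keep in mind when writing tag-based conditions: ForAllValues:StringEquals on aws:TagKeys is vacuously true when the request carries no tags at all, so on its own it would let an untagged CreateAnalyzer through; the StringEquals on aws:RequestTag/team is what forces the ownership tag to be present. The `untag_owner_key` case shows the explicit Deny doing its job even though the Allow for UntagResource would already have failed on its own condition.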

Actions, resources, and condition keys for Identity And Access Management

Identity And Access Management (service prefix: iam) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Identity And Access Management (p. 893)
• Resource types defined by Identity And Access Management (p. 906)
• Condition keys for Identity And Access Management (p. 907)

Actions defined by Identity And Access Management


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddClientIDToOpenIDConnectProvider | Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource | Write | oidc-provider* | - | -
AddRoleToInstanceProfile | Grants permission to add an IAM role to the specified instance profile | Write | instance-profile* | - | iam:PassRole
AddUserToGroup | Grants permission to add an IAM user to the specified IAM group | Write | group* | - | -
AttachGroupPolicy | Grants permission to attach a managed policy to the specified IAM group | Permissions management | group* | iam:PolicyARN | -
AttachRolePolicy | Grants permission to attach a managed policy to the specified IAM role | Permissions management | role* | iam:PolicyARN, iam:PermissionsBoundary | -
AttachUserPolicy | Grants permission to attach a managed policy to the specified IAM user | Permissions management | user* | iam:PolicyARN, iam:PermissionsBoundary | -
ChangePassword | Grants permission for an IAM user to change their own password | Write | user* | - | -
CreateAccessKey | Grants permission to create an access key and secret access key for the specified IAM user | Write | user* | - | -
CreateAccountAlias | Grants permission to create an alias for your AWS account | Write | - | - | -
CreateGroup | Grants permission to create a new group | Write | group* | - | -
CreateInstanceProfile | Grants permission to create a new instance profile | Write | instance-profile* | - | -
CreateLoginProfile | Grants permission to create a password for the specified IAM user | Write | user* | - | -
CreateOpenIDConnectProvider | Grants permission to create an IAM resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC) | Write | oidc-provider* | - | -
CreatePolicy | Grants permission to create a new managed policy | Permissions management | policy* | - | -
CreatePolicyVersion | Grants permission to create a new version of the specified managed policy | Permissions management | policy* | - | -
CreateRole | Grants permission to create a new role | Write | role* | iam:PermissionsBoundary | -
CreateSAMLProvider | Grants permission to create an IAM resource that describes an identity provider (IdP) that supports SAML 2.0 | Write | saml-provider* | - | -
CreateServiceLinkedRole | Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf | Write | role* | iam:AWSServiceName | -
CreateServiceSpecificCredential | Grants permission to create a new service-specific credential for an IAM user | Write | user* | - | -
CreateUser | Grants permission to create a new IAM user | Write | user* | iam:PermissionsBoundary | -
CreateVirtualMFADevice | Grants permission to create a new virtual MFA device | Write | mfa* | - | -
DeactivateMFADevice | Grants permission to deactivate the specified MFA device and remove its association with the IAM user for which it was originally enabled | Write | user* | - | -
DeleteAccessKey | Grants permission to delete the access key pair that is associated with the specified IAM user | Write | user* | - | -
DeleteAccountAlias | Grants permission to delete the specified AWS account alias | Write | - | - | -
DeleteAccountPasswordPolicy | Grants permission to delete the password policy for the AWS account | Permissions management | - | - | -
DeleteGroup | Grants permission to delete the specified IAM group | Write | group* | - | -
DeleteGroupPolicy | Grants permission to delete the specified inline policy from its group | Permissions management | group* | - | -
DeleteInstanceProfile | Grants permission to delete the specified instance profile | Write | instance-profile* | - | -
DeleteLoginProfile | Grants permission to delete the password for the specified IAM user | Write | user* | - | -
DeleteOpenIDConnectProvider | Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM | Write | oidc-provider* | - | -
DeletePolicy | Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached | Permissions management | policy* | - | -
DeletePolicyVersion | Grants permission to delete a version from the specified managed policy | Permissions management | policy* | - | -
DeleteRole | Grants permission to delete the specified role | Write | role* | - | -
DeleteRolePermissionsBoundary | Grants permission to remove the permissions boundary from a role | Permissions management | role* | iam:PermissionsBoundary | -
DeleteRolePolicy | Grants permission to delete the specified inline policy from the specified role | Permissions management | role* | iam:PermissionsBoundary | -
DeleteSAMLProvider | Grants permission to delete a SAML provider resource in IAM | Write | saml-provider* | - | -
DeleteSSHPublicKey | Grants permission to delete the specified SSH public key | Write | user* | - | -
DeleteServerCertificate | Grants permission to delete the specified server certificate | Write | server-certificate* | - | -
DeleteServiceLinkedRole | Grants permission to delete an IAM role that is linked to a specific AWS service, if the service is no longer using it | Write | role* | - | -
DeleteServiceSpecificCredential | Grants permission to delete the specified service-specific credential for an IAM user | Write | user* | - | -
DeleteSigningCertificate | Grants permission to delete a signing certificate that is associated with the specified IAM user | Write | user* | - | -
DeleteUser | Grants permission to delete the specified IAM user | Write | user* | - | -
DeleteUserPermissionsBoundary | Grants permission to remove the permissions boundary from the specified IAM user | Permissions management | user* | iam:PermissionsBoundary | -
DeleteUserPolicy | Grants permission to delete the specified inline policy from an IAM user | Permissions management | user* | iam:PermissionsBoundary | -
DeleteVirtualMFADevice | Grants permission to delete a virtual MFA device | Write | mfa, sms-mfa | - | -
DetachGroupPolicy | Grants permission to detach a managed policy from the specified IAM group | Permissions management | group* | iam:PolicyARN | -
DetachRolePolicy | Grants permission to detach a managed policy from the specified role | Permissions management | role* | iam:PolicyARN, iam:PermissionsBoundary | -
DetachUserPolicy | Grants permission to detach a managed policy from the specified IAM user | Permissions management | user* | iam:PolicyARN, iam:PermissionsBoundary | -
EnableMFADevice | Grants permission to enable an MFA device and associate it with the specified IAM user | Write | user* | - | -
GenerateCredentialReport | Grants permission to generate a credential report for the AWS account | Read | - | - | -
GenerateOrganizationsAccessReport | Grants permission to generate an access report for an AWS Organizations entity | Read | access-report* | iam:OrganizationsPolicyId | organizations:DescribePolicy, organizations:ListChildren, organizations:ListParents, organizations:ListPolicies, organizations:ListRoots, organizations:ListTargetsForPolicy
GenerateServiceLastAccessedDetails | Grants permission to generate a service last accessed data report for an IAM resource | Read | - | - | -
GetAccessKeyLastUsed | Grants permission to retrieve information about when the specified access key was last used | Read | user* | - | -
GetAccountAuthorizationDetails | Grants permission to retrieve information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another | Read | - | - | -
GetAccountPasswordPolicy | Grants permission to retrieve the password policy for the AWS account | Read | - | - | -
GetAccountSummary | Grants permission to retrieve information about IAM entity usage and IAM quotas in the AWS account | List | - | - | -
GetContextKeysForCustomPolicy | Grants permission to retrieve a list of all of the context keys that are referenced in the specified policy | Read | - | - | -
GetContextKeysForPrincipalPolicy | Grants permission to retrieve a list of all context keys that are referenced in all IAM policies that are attached to the specified IAM identity (user, group, or role) | Read | group, role, user | - | -
GetCredentialReport | Grants permission to retrieve a credential report for the AWS account | Read | - | - | -
GetGroup | Grants permission to retrieve a list of IAM users in the specified IAM group | Read | group* | - | -
GetGroupPolicy | Grants permission to retrieve an inline policy document that is embedded in the specified IAM group | Read | group* | - | -
GetInstanceProfile | Grants permission to retrieve information about the specified instance profile, including the instance profile's path, GUID, ARN, and role | Read | instance-profile* | - | -
GetLoginProfile | Grants permission to retrieve the user name and password creation date for the specified IAM user | List | user* | - | -
GetOpenIDConnectProvider | Grants permission to retrieve information about the specified OpenID Connect (OIDC) provider resource in IAM | Read | oidc-provider* | - | -
GetOrganizationsAccessReport | Grants permission to retrieve an AWS Organizations access report | Read | - | - | -
GetPolicy | Grants permission to retrieve information about the specified managed policy, including the policy's default version and the total number of identities to which the policy is attached | Read | policy* | - | -
GetPolicyVersion | Grants permission to retrieve information about a version of the specified managed policy, including the policy document | Read | policy* | - | -
GetRole | Grants permission to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy | Read | role* | - | -
GetRolePolicy | Grants permission to retrieve an inline policy document that is embedded with the specified IAM role | Read | role* | - | -
GetSAMLProvider | Grants permission to retrieve the SAML provider metadata document that was uploaded when the IAM SAML provider resource was created or updated | Read | saml-provider* | - | -
GetSSHPublicKey | Grants permission to retrieve the specified SSH public key, including metadata about the key | Read | user* | - | -
GetServerCertificate | Grants permission to retrieve information about the specified server certificate stored in IAM | Read | server-certificate* | - | -
GetServiceLastAccessedDetails | Grants permission to retrieve information about the service last accessed data report | Read | - | - | -
GetServiceLastAccessedDetailsWithEntities | Grants permission to retrieve information about the entities from the service last accessed data report | Read | - | - | -
GetServiceLinkedRoleDeletionStatus | Grants permission to retrieve an IAM service-linked role deletion status | Read | role* | - | -
GetUser | Grants permission to retrieve information about the specified IAM user, including the user's creation date, path, unique ID, and ARN | Read | user* | - | -
GetUserPolicy | Grants permission to retrieve an inline policy document that is embedded in the specified IAM user | Read | user* | - | -
ListAccessKeys | Grants permission to list information about the access key IDs that are associated with the specified IAM user | List | user* | - | -
ListAccountAliases | Grants permission to list the account alias that is associated with the AWS account | List | - | - | -
ListAttachedGroupPolicies | Grants permission to list all managed policies that are attached to the specified IAM group | List | group* | - | -
ListAttachedRolePolicies | Grants permission to list all managed policies that are attached to the specified IAM role | List | role* | - | -
ListAttachedUserPolicies | Grants permission to list all managed policies that are attached to the specified IAM user | List | user* | - | -
ListEntitiesForPolicy | Grants permission to list all IAM identities to which the specified managed policy is attached | List | policy* | - | -
ListGroupPolicies | Grants permission to list the names of the inline policies that are embedded in the specified IAM group | List | group* | - | -
ListGroups | Grants permission to list the IAM groups that have the specified path prefix | List | - | - | -
ListGroupsForUser | Grants permission to list the IAM groups that the specified IAM user belongs to | List | user* | - | -
ListInstanceProfiles | Grants permission to list the instance profiles that have the specified path prefix | List | instance-profile* | - | -
ListInstanceProfilesForRole | Grants permission to list the instance profiles that have the specified associated IAM role | List | role* | - | -
ListMFADevices | Grants permission to list the MFA devices for an IAM user | List | user | - | -
ListOpenIDConnectProviders | Grants permission to list information about the IAM OpenID Connect (OIDC) provider resource objects that are defined in the AWS account | List | - | - | -
ListPolicies | Grants permission to list all managed policies | List | - | - | -
ListPoliciesGrantingServiceAccess | Grants permission to list information about the policies that grant an entity access to a specific service | List | - | - | -
ListPolicyVersions | Grants permission to list information about the versions of the specified managed policy, including the version that is currently set as the policy's default version | List | policy* | - | -
ListRolePolicies | Grants permission to list the names of the inline policies that are embedded in the specified IAM role | List | role* | - | -
ListRoleTags | Grants permission to list the tags that are attached to the specified IAM role | List | role* | - | -
ListRoles | Grants permission to list the IAM roles that have the specified path prefix | List | - | - | -
ListSAMLProviders | Grants permission to list the SAML provider resources in IAM | List | - | - | -
ListSSHPublicKeys | Grants permission to list information about the SSH public keys that are associated with the specified IAM user | List | user* | - | -
ListServerCertificates | Grants permission to list the server certificates that have the specified path prefix | List | - | - | -
ListServiceSpecificCredentials | Grants permission to list the service-specific credentials that are associated with the specified IAM user | List | user* | - | -
ListSigningCertificates | Grants permission to list information about the signing certificates that are associated with the specified IAM user | List | user* | - | -
ListUserPolicies | Grants permission to list the names of the inline policies that are embedded in the specified IAM user | List | user* | - | -
ListUserTags | Grants permission to list the tags that are attached to the specified IAM user | List | user* | - | -
ListUsers | Grants permission to list the IAM users that have the specified path prefix | List | - | - | -
ListVirtualMFADevices | Grants permission to list virtual MFA devices by assignment status | List | - | - | -
PassRole | Grants permission to pass a role to a service [permission only] | Write | role* | iam:AssociatedResourceArn, iam:PassedToService | -
PutGroupPolicy | Grants permission to create or update an inline policy document that is embedded in the specified IAM group | Permissions management | group* | - | -
PutRolePermissionsBoundary | Grants permission to set a managed policy as a permissions boundary for a role | Permissions management | role* | iam:PermissionsBoundary | -
PutRolePolicy | Grants permission to create or update an inline policy document that is embedded in the specified IAM role | Permissions management | role* | iam:PermissionsBoundary | -
PutUserPermissionsBoundary | Grants permission to set a managed policy as a permissions boundary for an IAM user | Permissions management | user* | iam:PermissionsBoundary | -
PutUserPolicy | Grants permission to create or update an inline policy document that is embedded in the specified IAM user | Permissions management | user* | iam:PermissionsBoundary | -
RemoveClientIDFromOpenIDConnectProvider | Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource | Write | oidc-provider* | - | -
RemoveRoleFromInstanceProfile | Grants permission to remove an IAM role from the specified EC2 instance profile | Write | instance-profile* | - | -
RemoveUserFromGroup | Grants permission to remove an IAM user from the specified group | Write | group* | - | -
ResetServiceSpecificCredential | Grants permission to reset the password for an existing service-specific credential for an IAM user | Write | user* | - | -
ResyncMFADevice | Grants permission to synchronize the specified MFA device with its IAM entity (user or role) | Write | user* | - | -
SetDefaultPolicyVersion | Grants permission to set the version of the specified policy as the policy's default version | Permissions management | policy* | - | -
SetSecurityTokenServicePreferences | Grants permission to set the STS global endpoint token version | Write | - | - | -
SimulateCustomPolicy | Grants permission to simulate whether an identity-based policy or resource-based policy provides permissions for specific API operations and resources | Read | - | - | -
SimulatePrincipalPolicy | Grants permission to simulate whether an identity-based policy that is attached to a specified IAM entity (user or role) provides permissions for specific API operations and resources | Read | group, role, user | - | -
TagRole | Grants permission to add tags to an IAM role | Tagging | role* | - | -
TagUser | Grants permission to add tags to an IAM user | Tagging | user* | - | -
UntagRole | Grants permission to remove the specified tags from the role | Tagging | role* | - | -
UntagUser | Grants permission to remove the specified tags from the user | Tagging | user* | - | -
UpdateAccessKey | Grants permission to update the status of the specified access key as Active or Inactive | Write | user* | - | -
UpdateAccountPasswordPolicy | Grants permission to update the password policy settings for the AWS account | Write | - | - | -
UpdateAssumeRolePolicy | Grants permission to update the policy that grants an IAM entity permission to assume a role | Permissions management | role* | - | -
UpdateGroup | Grants permission to update the name or path of the specified IAM group | Write | group* | - | -
UpdateLoginProfile | Grants permission to change the password for the specified IAM user | Write | user* | - | -
UpdateOpenIDConnectProviderThumbprint | Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource | Write | oidc-provider* | - | -
UpdateRole | Grants permission to update the description or maximum session duration setting of a role | Write | role* | - | -
UpdateRoleDescription | Grants permission to update only the description of a role | Write | role* | - | -
UpdateSAMLProvider | Grants permission to update the metadata document for an existing SAML provider resource | Write | saml-provider* | - | -
UpdateSSHPublicKey | Grants permission to update the status of an IAM user's SSH public key to active or inactive | Write | user* | - | -
UpdateServerCertificate | Grants permission to update the name or the path of the specified server certificate stored in IAM | Write | server-certificate* | - | -
UpdateServiceSpecificCredential | Grants permission to update the status of a service-specific credential to active or inactive for an IAM user | Write | user* | - | -
UpdateSigningCertificate | Grants permission to update the status of the specified user signing certificate to active or disabled | Write | user* | - | -
UpdateUser | Grants permission to update the name or the path of the specified IAM user | Write | user* | - | -
UploadSSHPublicKey | Grants permission to upload an SSH public key and associate it with the specified IAM user | Write | user* | - | -
UploadServerCertificate | Grants permission to upload a server certificate entity for the AWS account | Write | server-certificate* | - | -
UploadSigningCertificate | Grants permission to upload an X.509 signing certificate and associate it with the specified IAM user | Write | user* | - | -
Resource types defined by Identity And Access Management


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 893) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
access-report | arn:${Partition}:iam::${Account}:access-report/${EntityPath} | -
assumed-role | arn:${Partition}:iam::${Account}:assumed-role/${RoleName}/${RoleSessionName} | -
federated-user | arn:${Partition}:iam::${Account}:federated-user/${UserName} | -
group | arn:${Partition}:iam::${Account}:group/${GroupNameWithPath} | -
instance-profile | arn:${Partition}:iam::${Account}:instance-profile/${InstanceProfileNameWithPath} | -
mfa | arn:${Partition}:iam::${Account}:mfa/${MfaTokenIdWithPath} | -
oidc-provider | arn:${Partition}:iam::${Account}:oidc-provider/${OidcProviderName} | -
policy | arn:${Partition}:iam::${Account}:policy/${PolicyNameWithPath} | -
role | arn:${Partition}:iam::${Account}:role/${RoleNameWithPath} | iam:ResourceTag/${TagKey}
saml-provider | arn:${Partition}:iam::${Account}:saml-provider/${SamlProviderName} | -
server-certificate | arn:${Partition}:iam::${Account}:server-certificate/${CertificateNameWithPath} | -
sms-mfa | arn:${Partition}:iam::${Account}:sms-mfa/${MfaTokenIdWithPath} | -
user | arn:${Partition}:iam::${Account}:user/${UserNameWithPath} | iam:ResourceTag/${TagKey}
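The ARN templates above are the formats an IAM policy's Resource element must match, and getting the path segment or the assumed-role form wrong is a common reason a resource-level permission silently fails to match. The following parser, an added example rather than AWS code, splits an ARN into the fields of the table (partition, account, resource type, path and name) and maps an assumed-role session ARN, which is what CloudTrail and sts:GetCallerIdentity report as the caller, back to the role ARN that belongs in a policy. Two facts it relies on that the table does not spell out: AWS managed policies use the literal "aws" in the account field, and STS reports assumed-role and federated-user ARNs with "sts" rather than "iam" as the service. Function names, the sample ARNs, and the 12-digit account ID are constructed for the example.

```python
import re
from typing import Optional

# Regular expression for the IAM resource ARN templates in the table above
# (added example, not part of the reference).  IAM is a global service, so the
# region field between the service and the account ID is always empty.  AWS
# managed policies use the literal "aws" in place of an account ID.
_IAM_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):(?P<service>iam|sts)::"
    r"(?P<account>\d{12}|aws):(?P<rtype>[a-z-]+)/(?P<rest>.+)$"
)

# Types whose name placeholder ends in "WithPath" in the table.
PATH_TYPES = {"group", "instance-profile", "mfa", "policy", "role",
              "server-certificate", "sms-mfa", "user"}
# Remaining types from the table whose name segment carries no path.
PLAIN_TYPES = {"access-report", "federated-user", "oidc-provider", "saml-provider"}
# The table lists these under iam; STS credentials, GetCallerIdentity and
# CloudTrail report them with "sts" as the service, so both are accepted.
STS_TYPES = {"assumed-role", "federated-user"}


def parse_iam_arn(arn: str) -> Optional[dict]:
    """Split an IAM ARN into its fields; None if it matches no template in the table."""
    m = _IAM_ARN.match(arn)
    if not m:
        return None
    partition, service, account, rtype, rest = m.groups()
    if rtype not in PATH_TYPES | PLAIN_TYPES | STS_TYPES:
        return None
    if service == "sts" and rtype not in STS_TYPES:
        return None
    if account == "aws" and rtype != "policy":
        return None
    out = {"partition": partition, "account": account, "type": rtype}
    if rtype in PATH_TYPES:
        # "service-role/Deploy" -> path "/service-role/", name "Deploy"
        path, _, name = rest.rpartition("/")
        out["path"] = f"/{path}/" if path else "/"
        out["name"] = name
    elif rtype == "assumed-role":
        # assumed-role/${RoleName}/${RoleSessionName}: exactly two segments
        role, _, session = rest.partition("/")
        if not session or "/" in session:
            return None
        out["role_name"], out["session_name"] = role, session
    else:
        out["name"] = rest
    return out


def role_arn_for_session(session_arn: str) -> Optional[str]:
    """Map an assumed-role session ARN (the caller ARN that STS and CloudTrail
    show) to the role ARN that belongs in a policy's Resource or Principal
    element.  Caveat: the session ARN carries no path, so a role created under
    a path such as /service-role/ cannot be reconstructed exactly from it."""
    p = parse_iam_arn(session_arn)
    if not p or p["type"] != "assumed-role":
        return None
    return f"arn:{p['partition']}:iam::{p['account']}:role/{p['role_name']}"
```

A region in the ARN (arn:aws:iam:us-east-1:...), an assumed-role ARN with only one segment after the type, or a non-policy resource under the "aws" pseudo-account all come back as None, which is the signal to stop and look at the ARN rather than to put it in a policy.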

Condition keys for Identity And Access Management


Identity And Access Management defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions under
which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
iam:AWSServiceName | Filters access by the AWS service to which this role is attached | String
iam:AssociatedResourceArn | Filters access by the ARN of the resource on whose behalf the passed role will be used | ARN
iam:OrganizationsPolicyId | Filters access by the ID of an AWS Organizations policy | String
iam:PassedToService | Filters access by the AWS service to which this role is passed | String
iam:PermissionsBoundary | Filters access if the specified policy is set as the permissions boundary on the IAM entity (user or role) | String
iam:PolicyARN | Filters access by the ARN of an IAM policy | ARN
iam:ResourceTag/${TagKey} | Filters access by the tags attached to an IAM entity (user or role) | String
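The condition keys above are the controls that make delegated IAM administration safe: iam:PermissionsBoundary caps what a delegate can create, iam:PolicyARN stops specific managed policies from ever being attached, and iam:PassedToService confines iam:PassRole, which is otherwise a direct privilege-escalation path (pass a powerful role to a compute service you control). The following is an added example, not from the AWS reference, that builds such a policy from the actions and keys in the tables above and checks it with a small evaluator implementing IAM's explicit-deny > allow > implicit-deny order and the documented behaviour that a key missing from the request context fails positive operators and satisfies negated ones. The account ID, the /app/ path, the DeveloperBoundary policy and the function names are constructed for the example. The evaluator handles one identity-based policy only: it ignores NotAction/NotResource, SCPs, permissions boundaries themselves, session and resource-based policies, so the authoritative check remains iam:SimulateCustomPolicy or iam:SimulatePrincipalPolicy from the actions table.

```python
import fnmatch
from typing import Dict, List, Optional

# Constructed example account and boundary policy ARN (not from the page).
ACCOUNT = "123456789012"
BOUNDARY = f"arn:aws:iam::{ACCOUNT}:policy/DeveloperBoundary"

# Identity-based policy for a delegated application-role administrator.  The
# actions, resource types and condition keys are from the tables above; the
# Sids, the /app/ path and the ARNs are invented for the example.
DELEGATED_IAM_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Create roles and attach policies only under /app/ and only while
            # the request sets the approved permissions boundary.
            "Sid": "CreateRolesWithBoundary",
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/app/*",
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY}},
        },
        {   # iam:PolicyARN: the AWS managed administrator policy is never
            # attachable, whatever other statements allow.
            "Sid": "NoAdminPolicy",
            "Effect": "Deny",
            "Action": ["iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:AttachGroupPolicy"],
            "Resource": "*",
            "Condition": {"ArnEquals": {"iam:PolicyARN": "arn:aws:iam::aws:policy/AdministratorAccess"}},
        },
        {   # iam:PassedToService: /app/ roles may be passed to Lambda only.  An
            # unconditioned iam:PassRole would let the delegate hand any of
            # these roles to any service, e.g. an EC2 instance they control.
            "Sid": "PassRoleToLambdaOnly",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/app/*",
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        },
        {   # The boundary must stay in place: no removal ...
            "Sid": "NoBoundaryRemoval",
            "Effect": "Deny",
            "Action": "iam:DeleteRolePermissionsBoundary",
            "Resource": "*",
        },
        {   # ... and no swap for a different boundary policy.
            "Sid": "NoBoundarySwap",
            "Effect": "Deny",
            "Action": "iam:PutRolePermissionsBoundary",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY}},
        },
    ],
}

_NEGATED = {"StringNotEquals", "StringNotLike", "ArnNotEquals", "ArnNotLike"}
# ArnEquals and ArnLike behave identically in IAM: both accept * and ? wildcards.
_WILDCARD = {"StringLike", "StringNotLike", "ArnEquals", "ArnNotEquals", "ArnLike", "ArnNotLike"}


def _as_list(v) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def _match(pattern: str, value: str, wildcard: bool = True) -> bool:
    return fnmatch.fnmatchcase(value, pattern) if wildcard else pattern == value


def _condition_holds(condition: Dict, ctx: Dict[str, str]) -> bool:
    for op, pairs in condition.items():
        negated, wild = op in _NEGATED, op in _WILDCARD
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                # Missing key: positive operators fail, negated ones are satisfied.
                if negated:
                    continue
                return False
            hit = any(_match(e, actual, wild) for e in _as_list(expected))
            if hit == negated:
                return False
    return True


def evaluate(policy: Dict, action: str, resource: str,
             ctx: Optional[Dict[str, str]] = None) -> str:
    """Decide one request against one identity-based policy.

    Returns "Deny" if any matching statement denies, else "Allow" if any
    matching statement allows, else "ImplicitDeny".  Action names compare
    case-insensitively and resource ARNs case-sensitively, as in IAM.
    """
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

The request context dictionary stands in for what IAM fills in from the request: for iam:CreateRole the boundary named in the call, for iam:AttachRolePolicy the policy being attached, for iam:PassRole the service in the downstream request. Feeding the same cases to the real simulator (SimulateCustomPolicy with ContextEntries) is the step that validates the policy before it is attached.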


Actions, resources, and condition keys for AWS Identity Store
AWS Identity Store (service prefix: identitystore) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Identity Store (p. 908)
• Resource types defined by AWS Identity Store (p. 909)
• Condition keys for AWS Identity Store (p. 909)

Actions defined by AWS Identity Store


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the listed resource types are optional (not marked as
required), you can specify an ARN of any one of them in the statement.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
DescribeGroup | Retrieves information about a group from the directory that AWS Identity Store provides by default | Read | - | - | -
DescribeUser | Retrieves information about a user from the directory that AWS Identity Store provides by default | Read | - | - | -
ListGroups | Searches for groups within the associated directory | List | - | - | -
ListUsers | Searches for users within the associated directory | List | - | - | -


Resource types defined by AWS Identity Store


AWS Identity Store does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to AWS Identity Store, specify "Resource": "*" in your policy.

Condition keys for AWS Identity Store


Identity Store has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Import Export Disk Service
AWS Import Export Disk Service (service prefix: importexport) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Import Export Disk Service (p. 909)
• Resource types defined by AWS Import Export Disk Service (p. 910)
• Condition keys for AWS Import Export Disk Service (p. 910)

Actions defined by AWS Import Export Disk Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the listed resource types are optional (not marked as
required), you can specify an ARN of any one of them in the statement.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CancelJob | This action cancels a specified job. Only the job owner can cancel it. The action fails if the job has already started or is complete. | Write | - | - | -
CreateJob | This action initiates the process of scheduling an upload or download of your data. | Write | - | - | -
GetShippingLabel | This action generates a pre-paid shipping label that you will use to ship your device to AWS for processing. | Read | - | - | -
GetStatus | This action returns information about a job, including where the job is in the processing pipeline, the status of the results, and the signature value associated with the job. | Read | - | - | -
ListJobs | This action returns the jobs associated with the requester. | List | - | - | -
UpdateJob | You use this action to change the parameters specified in the original manifest file by supplying a new manifest file. | Write | - | - | -

Resource types defined by AWS Import Export Disk Service


AWS Import Export Disk Service does not support specifying a resource ARN in the Resource element of
an IAM policy statement. To allow access to AWS Import Export Disk Service, specify "Resource": "*"
in your policy.

Condition keys for AWS Import Export Disk Service


Import/Export has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Inspector

Amazon Inspector (service prefix: inspector) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.


Topics
• Actions defined by Amazon Inspector (p. 911)
• Resource types defined by Amazon Inspector (p. 914)
• Condition keys for Amazon Inspector (p. 914)

Actions defined by Amazon Inspector


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
AddAttributesToFindings | Assigns attributes (key and value pairs) to the findings that are specified by the ARNs of the findings. | Write | | |
CreateAssessmentTarget | Creates a new assessment target using the ARN of the resource group that is generated by CreateResourceGroup. | Write | | |
CreateAssessmentTemplate | Creates an assessment template for the assessment target that is specified by the ARN of the assessment target. | Write | | |
CreateResourceGroup | Creates a resource group using the specified set of tags (key and value pairs) that are used to select the EC2 instances to be included in an Amazon Inspector assessment target. | Write | | |
DeleteAssessmentRun | Deletes the assessment run that is specified by the ARN of the assessment run. | Write | | |
DeleteAssessmentTarget | Deletes the assessment target that is specified by the ARN of the assessment target. | Write | | |
DeleteAssessmentTemplate | Deletes the assessment template that is specified by the ARN of the assessment template. | Write | | |
DescribeAssessmentRuns | Describes the assessment runs that are specified by the ARNs of the assessment runs. | Read | | |
DescribeAssessmentTargets | Describes the assessment targets that are specified by the ARNs of the assessment targets. | Read | | |
DescribeAssessmentTemplates | Describes the assessment templates that are specified by the ARNs of the assessment templates. | Read | | |
DescribeCrossAccountAccessRole | Describes the IAM role that enables Amazon Inspector to access your AWS account. | Read | | |
DescribeFindings | Describes the findings that are specified by the ARNs of the findings. | Read | | |
DescribeResourceGroups | Describes the resource groups that are specified by the ARNs of the resource groups. | Read | | |
DescribeRulesPackages | Describes the rules packages that are specified by the ARNs of the rules packages. | Read | | |
GetTelemetryMetadata | Information about the data that is collected for the specified assessment run. | Read | | |
ListAssessmentRunAgents | Lists the agents of the assessment runs that are specified by the ARNs of the assessment runs. | List | | |
ListAssessmentRuns | Lists the assessment runs that correspond to the assessment templates that are specified by the ARNs of the assessment templates. | List | | |
ListAssessmentTargets | Lists the ARNs of the assessment targets within this AWS account. | List | | |
ListAssessmentTemplates | Lists the assessment templates that correspond to the assessment targets that are specified by the ARNs of the assessment targets. | List | | |
ListEventSubscriptions | Lists all the event subscriptions for the assessment template that is specified by the ARN of the assessment template. | List | | |
ListFindings | Lists findings that are generated by the assessment runs that are specified by the ARNs of the assessment runs. | List | | |
ListRulesPackages | Lists all available Amazon Inspector rules packages. | List | | |
ListTagsForResource | Lists all tags associated with an assessment template. | List | | |
PreviewAgents | Previews the agents installed on the EC2 instances that are part of the specified assessment target. | Read | | |
RegisterCrossAccountAccessRole | Registers the IAM role that Amazon Inspector uses to list your EC2 instances at the start of the assessment run or when you call the PreviewAgents action. | Write | | |
RemoveAttributesFromFindings | Removes entire attributes (key and value pairs) from the findings that are specified by the ARNs of the findings where an attribute with the specified key exists. | Write | | |
SetTagsForResource | Sets tags (key and value pairs) to the assessment template that is specified by the ARN of the assessment template. | Tagging | | |
StartAssessmentRun | Starts the assessment run specified by the ARN of the assessment template. | Write | | |
StopAssessmentRun | Stops the assessment run that is specified by the ARN of the assessment run. | Write | | |
SubscribeToEvent | Enables the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic. | Write | | |
UnsubscribeFromEvent | Disables the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic. | Write | | |
UpdateAssessmentTarget | Updates the assessment target that is specified by the ARN of the assessment target. | Write | | |

Resource types defined by Amazon Inspector


Amazon Inspector does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to Amazon Inspector, specify "Resource": "*" in your policy.

Condition keys for Amazon Inspector


Inspector has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Interactive Video Service

Amazon Interactive Video Service (service prefix: ivs) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Interactive Video Service (p. 914)
• Resource types defined by Amazon Interactive Video Service (p. 918)
• Condition keys for Amazon Interactive Video Service (p. 918)

Actions defined by Amazon Interactive Video Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
BatchGetChannel | Grants permission to get multiple channels simultaneously by channel ARN. | Read | Channel* | |
BatchGetStreamKey | Grants permission to get multiple stream keys simultaneously by stream key ARN. | Read | Stream-Key* | |
CreateChannel | Grants permission to create a new channel and an associated stream key. | Write | Channel*, Stream-Key* | aws:TagKeys, aws:RequestTag/${TagKey} |
CreateStreamKey | Grants permission to create a stream key. | Write | Stream-Key* | aws:TagKeys, aws:RequestTag/${TagKey} |
DeleteChannel | Grants permission to delete a channel and the channel's stream keys. | Write | Channel*, Stream-Key* | |
DeletePlaybackKeyPair | Grants permission to delete the playback key pair for a specified ARN. | Write | Playback-Key-Pair* | |
DeleteStreamKey | Grants permission to delete the stream key for a specified ARN. | Write | Stream-Key* | |
GetChannel | Grants permission to get the channel configuration for a specified channel ARN. | Read | Channel* | |
GetPlaybackKeyPair | Grants permission to get the playback key pair information for a specified ARN. | Read | Playback-Key-Pair* | |
GetStream | Grants permission to get information about the active (live) stream on a specified channel. | Read | Channel* | |
GetStreamKey | Grants permission to get stream-key information for a specified ARN. | Read | Stream-Key* | |
ImportPlaybackKeyPair | Grants permission to import the public key. | Write | Playback-Key-Pair* | aws:TagKeys, aws:RequestTag/${TagKey} |
ListChannels | Grants permission to get summary information about channels. | List | Channel* | |
ListPlaybackKeyPairs | Grants permission to get summary information about playback key pairs. | List | Playback-Key-Pair* | |
ListStreamKeys | Grants permission to get summary information about stream keys. | List | Channel*, Stream-Key* | |
ListStreams | Grants permission to get summary information about live streams. | List | Channel* | |
ListTagsForResource | Grants permission to get information about the tags for a specified ARN. | Tagging | Channel, Playback-Key-Pair, Stream-Key | aws:TagKeys, aws:RequestTag/${TagKey} |
PutMetadata | Grants permission to insert metadata into an RTMP stream for a specified channel. | Write | Channel* | |
StopStream | Grants permission to disconnect a streamer on a specified channel. | Write | Channel* | |
TagResource | Grants permission to add or update tags for a resource with a specified ARN. | Tagging | Channel, Playback-Key-Pair, Stream-Key | aws:TagKeys, aws:RequestTag/${TagKey} |
UntagResource | Grants permission to remove tags for a resource with a specified ARN. | Tagging | Channel, Playback-Key-Pair, Stream-Key | aws:TagKeys |
UpdateChannel | Grants permission to update a channel's configuration. | Write | Channel* | |

Resource types defined by Amazon Interactive Video Service


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 914) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
--- | --- | ---
Channel | arn:${Partition}:ivs::${Account}:channel/${ResourceId} | aws:ResourceTag/${TagKey}
Stream-Key | arn:${Partition}:ivs::${Account}:stream-key/${ResourceId} | aws:ResourceTag/${TagKey}
Playback-Key-Pair | arn:${Partition}:ivs::${Account}:playback-key/${ResourceId} | aws:ResourceTag/${TagKey}

Condition keys for Amazon Interactive Video Service


Amazon Interactive Video Service defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions under
which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
--- | --- | ---
aws:RequestTag/${TagKey} | Filters actions based on the tags associated with the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String


Actions, resources, and condition keys for AWS IoT


AWS IoT (service prefix: iot) provides the following service-specific resources, actions, and condition
context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IoT (p. 919)
• Resource types defined by AWS IoT (p. 939)
• Condition keys for AWS IoT (p. 941)

Actions defined by AWS IoT


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Accepts a pending certificate Write cert*    


AcceptCertificateTransfer
transfer. (p. 940)

Adds a thing to the specified Write billinggroup*   


AddThingToBillingGroup
billing group. (p. 940)

thing*    
(p. 940)

Adds a thing to the specified Write thing*    


AddThingToThingGroup
thing group. (p. 940)

thinggroup*    
(p. 940)

Associates a group with a Write job*    


AssociateTargetsWithJob
continuous job. (p. 940)

919
Service Authorization Reference
Service Authorization Reference
AWS IoT

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

thing*    
(p. 940)

thinggroup*    
(p. 940)

AttachPolicy Attaches a policy to the Permissions cert    


specified target. management (p. 940)

thinggroup    
(p. 940)

Attaches the specified policy Permissions cert    


AttachPrincipalPolicy
to the specified principal management (p. 940)
(certificate or other credential).

Associates a Device Defender Write securityprofile*


   
AttachSecurityProfile
security profile with a thing (p. 941)
group or with this account.
dimension    
(p. 941)

thinggroup    
(p. 940)

Attaches the specified principal Write      


AttachThingPrincipal
to the specified thing.

Cancels a mitigation action task Write      


CancelAuditMitigationActionsTask
that is in progress.

Cancels an audit that is in Write      


CancelAuditTask progress. The audit can be either
scheduled or on-demand.

Cancels a pending transfer for Write cert*    


CancelCertificateTransfer
the specified certificate. (p. 940)

CancelJob Cancels a job. Write job*    


(p. 940)

Cancels a job execution on a Write job*    


CancelJobExecution
particular device. (p. 940)

thing*    
(p. 940)

Clears the default authorizer. Write      


ClearDefaultAuthorizer

CloseTunnel Closes a tunnel. Write tunnel*    


(p. 940)

  iot:Delete  
(p. 941)

920
Service Authorization Reference
Service Authorization Reference
AWS IoT

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Connect Connect as the specified client Write client*    


(p. 940)

Creates a Device Defender audit Write      


CreateAuditSuppression
suppression.

Creates an authorizer. Write authorizer*    


CreateAuthorizer (p. 940)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates a billing group. Tagging billinggroup*   


CreateBillingGroup (p. 940)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates an X.509 certificate Write      


CreateCertificateFromCsr
using the specified certificate
signing request.

Defines a dimension that can be Write dimension*    


CreateDimension used to to limit the scope of a (p. 941)
metric used in a security profile.
  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates a domain configuration. Write domainconfiguration*


   
CreateDomainConfiguration (p. 941)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

iot:DomainName
(p. 941)

Creates a Dynamic Thing Group Tagging dynamicthinggroup*


   
CreateDynamicThingGroup (p. 940)

921
Service Authorization Reference
Service Authorization Reference
AWS IoT

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates a fleet metric Tagging fleetmetric*    


CreateFleetMetric (p. 940)

index*    
(p. 940)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

CreateJob Creates a job. Write job*    


(p. 940)

thing*    
(p. 940)

thinggroup*    
(p. 940)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates a 2048 bit RSA key pair Write      


CreateKeysAndCertificate
and issues an X.509 certificate
using the issued public key.

Defines an action Write mitigationaction*


   
CreateMitigationAction
that can be applied to (p. 941)
audit findings by using
StartAuditMitigationActionsTask.   aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates an OTA update job. Write otaupdate*    


CreateOTAUpdate (p. 940)

922
Service Authorization Reference
Service Authorization Reference
AWS IoT

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

CreatePolicy Creates an AWS IoT policy. Write policy*    


(p. 940)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates a new version of the Write policy*    


CreatePolicyVersion
specified AWS IoT policy. (p. 940)

Creates a provisioning claim. Write provisioningtemplate*


   
CreateProvisioningClaim (p. 941)

Creates a fleet provisioning Write provisioningtemplate*


   
CreateProvisioningTemplate
template. (p. 941)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates a new version of a fleet Write provisioningtemplate*


   
CreateProvisioningTemplateVersion
provisioning template. (p. 941)

Creates a role alias. Write rolealias*    


CreateRoleAlias (p. 940)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates a scheduled audit that is Write scheduledaudit*


   
CreateScheduledAudit
run at a specified time interval. (p. 941)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

923
Service Authorization Reference
Service Authorization Reference
AWS IoT

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Creates a Device Defender Write securityprofile*


   
CreateSecurityProfile
security profile. (p. 941)

dimension    
(p. 941)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

CreateStream Creates a new AWS IoT stream Write stream*    


(p. 940)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

CreateThing Creates a thing in the thing Write thing*    


registry. (p. 940)

billinggroup    
(p. 940)

Creates a thing group. Tagging thinggroup*    


CreateThingGroup (p. 940)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates a new thing type. Tagging thingtype*    


CreateThingType (p. 940)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Creates a rule. Write rule*    


CreateTopicRule (p. 941)

924
Service Authorization Reference
Service Authorization Reference
AWS IoT

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:RequestTag/
 
${TagKey}
(p. 941)

aws:TagKeys
(p. 941)

Deletes the audit configuration Write      


DeleteAccountAuditConfiguration
associated with the account.

Deletes a Device Defender audit Write      


DeleteAuditSuppression
suppression.

Deletes the specified authorizer. Write authorizer*    


DeleteAuthorizer (p. 940)

Deletes the specified billing Tagging billinggroup*   


DeleteBillingGroup
group. (p. 940)

Deletes a registered CA Write cacert*    


DeleteCACertificate
certificate. (p. 940)

Deletes the specified certificate. Write cert*    


DeleteCertificate (p. 940)

Removes the specified Write dimension*    


DeleteDimension dimension from your AWS (p. 941)
account.

Deletes a domain configuration. Write domainconfiguration*


   
DeleteDomainConfiguration (p. 941)

Deletes the specified Dynamic Tagging dynamicthinggroup*


   
DeleteDynamicThingGroup
Thing Group (p. 940)

Deletes the specified fleet metric Tagging fleetmetric*    


DeleteFleetMetric (p. 940)

DeleteJob Deletes a job and its related job Write job*    


executions. (p. 940)

Deletes a job execution. Write job*    


DeleteJobExecution (p. 940)

thing*    
(p. 940)

Deletes a defined mitigation Write mitigationaction*


   
DeleteMitigationAction
action from your AWS account. (p. 941)

Deletes an OTA update job. Write otaupdate*    


DeleteOTAUpdate (p. 940)

DeletePolicy Deletes the specified policy. Write policy*    


(p. 940)

925
Service Authorization Reference
Service Authorization Reference
AWS IoT

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Deletes the specified version of Write policy*    


DeletePolicyVersion
the specified policy. (p. 940)

Deletes a fleet provisioning Write provisioningtemplate*


   
DeleteProvisioningTemplate
template. (p. 941)

Deletes a fleet provisioning Write provisioningtemplate*


   
DeleteProvisioningTemplateVersion
template version. (p. 941)

Deletes a CA certificate Write      


DeleteRegistrationCode
registration code.

Deletes the specified role alias. Write rolealias*    


DeleteRoleAlias (p. 940)

Deletes a scheduled audit. Write scheduledaudit*


   
DeleteScheduledAudit (p. 941)

Deletes a Device Defender Write securityprofile*


   
DeleteSecurityProfile
security profile. (p. 941)

dimension    
(p. 941)

DeleteStream Deletes a specified stream. Write stream*    


(p. 940)

DeleteThing Deletes the specified thing. Write thing*    


(p. 940)

Deletes the specified thing Tagging thinggroup*    


DeleteThingGroupgroup. (p. 940)

Deletes the specified thing Write thing*    


DeleteThingShadow
shadow. (p. 940)

Deletes the specified thing type. Tagging thingtype*    


DeleteThingType (p. 940)

Deletes the specified rule. Write rule*    


DeleteTopicRule (p. 941)

Deletes the specified v2 logging Write      


DeleteV2LoggingLevel
level.

Deprecates the specified thing Write thingtype*    


DeprecateThingType
type. (p. 940)

Gets information about audit Read      


DescribeAccountAuditConfiguration
configurations for the account.

926
Service Authorization Reference
Service Authorization Reference
AWS IoT

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Gets information about a single Read      


DescribeAuditFinding
audit finding. Properties include
the reason for noncompliance,
the severity of the issue, and
when the audit that returned the
finding was started.

Gets information about an audit Read      


DescribeAuditMitigationActionsTask
mitigation task that is used to
apply mitigation actions to a set
of audit findings.

Gets information about a Device Read      


DescribeAuditSuppression
Defender audit suppression.

Gets information about a Device Read      


DescribeAuditTaskDefender audit.

Describes an authorizer. Read authorizer*    


DescribeAuthorizer (p. 940)

Gets information about the Read billinggroup*   


DescribeBillingGroup
specified billing group. (p. 940)

Describes a registered CA Read cacert*    


DescribeCACertificate
certificate. (p. 940)

Gets information about the Read cert*    


DescribeCertificate
specified certificate. (p. 940)

Describes the default authorizer. Read      


DescribeDefaultAuthorizer

Provides details about a Read dimension*    


DescribeDimension
dimension that is defined in your (p. 941)
AWS account.

Gets information about the Read domainconfiguration*


   
DescribeDomainConfiguration
domain configuration. (p. 941)

Returns a unique endpoint Read      


DescribeEndpointspecific to the AWS account
making the call.

Returns account event Read      


DescribeEventConfigurations
configurations.

Gets information about the Read fleetmetric*    


DescribeFleetMetric
specified fleet metric. (p. 940)

DescribeIndex Gets information about the Read index*    


specified index. (p. 940)

DescribeJob Describes a job. Read job*    


(p. 940)

927
Service Authorization Reference
Service Authorization Reference
AWS IoT

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Describes a job execution. Read job    


DescribeJobExecution (p. 940)

thing    
(p. 940)

Gets information about a Read mitigationaction*


   
DescribeMitigationAction
mitigation action. (p. 941)

Returns information about a Read provisioningtemplate*


   
DescribeProvisioningTemplate
fleet provisioning template. (p. 941)

Returns information about a Read provisioningtemplate*


   
DescribeProvisioningTemplateVersion
fleet provisioning template (p. 941)
version.

Describes a role alias. Read rolealias*    


DescribeRoleAlias (p. 940)

Gets information about a Read scheduledaudit*


   
DescribeScheduledAudit
scheduled audit. (p. 941)

Gets information about a Device Read securityprofile*


   
DescribeSecurityProfile
Defender security profile. (p. 941)

Gets information about the Read stream*    


DescribeStream specified stream. (p. 940)

DescribeThing Gets information about the Read thing*    


specified thing. (p. 940)

Gets information about the Read thinggroup*    


DescribeThingGroup
specified thing group. (p. 940)

Gets information about the bulk Read      


DescribeThingRegistrationTask
thing registration task.

Gets information about the Read thingtype*    


DescribeThingType
specified thing type. (p. 940)

Describes a tunnel. Read tunnel*    


DescribeTunnel (p. 940)

DetachPolicy Detaches a policy from the Permissions cert    


specified target. management (p. 940)

thinggroup    
(p. 940)

Removes the specified policy Permissions cert    


DetachPrincipalPolicy
from the specified certificate. management (p. 940)

Disassociates a Device Defender Write securityprofile*


   
DetachSecurityProfile
security profile from a thing (p. 941)
group or from this account.

928
Service Authorization Reference
Service Authorization Reference
AWS IoT

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

dimension    
(p. 941)

thinggroup    
(p. 940)

Detaches the specified principal Write      


DetachThingPrincipal
from the specified thing.

Disables the specified rule. Write rule*    


DisableTopicRule (p. 941)

Enables the specified rule. Write rule*    


EnableTopicRule (p. 941)

Get buckets aggregation for IoT Read index*    


GetBucketsAggregation
fleet index (p. 940)

Get cardinality for IoT fleet Read index*    


GetCardinality index (p. 940)

Gets effective policies. Read cert    


GetEffectivePolicies (p. 940)

Gets current fleet indexing Read      


GetIndexingConfiguration
configuration

Gets a job document. Read job*    


GetJobDocument (p. 940)

Gets the logging options. Read      


GetLoggingOptions

Gets the information about the Read otaupdate*    


GetOTAUpdate OTA update job. (p. 940)

Gets the list of all jobs for a Read thing*    


GetPendingJobExecutions
thing that are not in a terminal (p. 940)
state.

Get percentiles for IoT fleet Read index*    


GetPercentiles index (p. 940)

GetPolicy Gets information about the Read policy*    


specified policy with the policy (p. 940)
document of the default version.

Gets information about the Read policy*    


GetPolicyVersion specified policy version. (p. 940)

Gets a registration code used Read      


GetRegistrationCode
to register a CA certificate with
AWS IoT.

GetStatistics Get statistics for IoT fleet index Read index*    


(p. 940)

GetThingShadow | Gets the thing shadow. | Read | thing* (p. 940) | |
GetTopicRule | Gets information about the specified rule. | Read | rule* (p. 941) | |
GetV2LoggingOptions | Gets v2 logging options. | Read | | |
ListActiveViolations | Lists the active violations for a given Device Defender security profile or Thing. | List | securityprofile (p. 941), thing (p. 940) | |
ListAttachedPolicies | Lists the policies attached to the specified thing group. | List | | |
ListAuditFindings | Lists the findings (results) of a Device Defender audit or of the audits performed during a specified time period. | List | | |
ListAuditMitigationActionsExecutions | Gets the status of audit mitigation action tasks that were executed. | List | | |
ListAuditMitigationActionsTasks | Gets a list of audit mitigation action tasks that match the specified filters. | List | | |
ListAuditSuppressions | Lists your Device Defender audit suppressions. | List | | |
ListAuditTasks | Lists the Device Defender audits that have been performed during a given time period. | List | | |
ListAuthorizers | Lists the authorizers registered in your account. | List | | |
ListBillingGroups | Lists all billing groups. | List | | |
ListCACertificates | Lists the CA certificates registered for your AWS account. | List | | |
ListCertificates | Lists your certificates. | List | | |
ListCertificatesByCA | List the device certificates signed by the specified CA certificate. | List | | |
ListDimensions | Lists the dimensions that are defined for your AWS account. | List | | |
ListDomainConfigurations | Lists the domain configurations created by your AWS account. | List | | |
ListFleetMetrics | Lists the fleet metrics in your account. | List | | |
ListIndices | Lists all indices for fleet index | List | | |
ListJobExecutionsForJob | Lists the job executions for a job. | List | job* (p. 940) | |
ListJobExecutionsForThing | Lists the job executions for the specified thing. | List | thing* (p. 940) | |
ListJobs | Lists jobs. | List | | |
ListMitigationActions | Gets a list of all mitigation actions that match the specified filter criteria. | List | | |
ListNamedShadowsForThing | Lists all named shadows for a given thing. | List | thing* (p. 940) | |
ListOTAUpdates | Lists OTA update jobs in the account. | List | | |
ListOutgoingCertificates | Lists certificates that are being transferred but not yet accepted. | List | | |
ListPolicies | Lists your policies. | List | | |
ListPolicyPrincipals | Lists the principals associated with the specified policy. | List | | |
ListPolicyVersions | Lists the versions of the specified policy, and identifies the default version. | List | policy* (p. 940) | |
ListPrincipalPolicies | Lists the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format. | List | | |
ListPrincipalThings | Lists the things associated with the specified principal. | List | | |
ListProvisioningTemplateVersions | Lists the versions of a fleet provisioning template. | List | provisioningtemplate* (p. 941) | |
ListProvisioningTemplates | Lists the fleet provisioning templates in your AWS account. | List | | |
ListRoleAliases | Lists role aliases. | List | | |

ListScheduledAudits | Lists all of your scheduled audits. | List | | |
ListSecurityProfiles | Lists the Device Defender security profiles you have created. | List | dimension (p. 941) | |
ListSecurityProfilesForTarget | Lists the Device Defender security profiles attached to a target. | List | thinggroup (p. 940) | |
ListStreams | Lists the streams in your account. | List | | |
ListTagsForResource | Lists all tags for a given resource. | List | authorizer, billinggroup, cacert, dimension, domainconfiguration, dynamicthinggroup, fleetmetric, job, mitigationaction, otaupdate, policy, provisioningtemplate, rolealias, rule, scheduledaudit, securityprofile, stream, thinggroup, thingtype (all optional; p. 940, 941) | |
ListTargetsForPolicy | List targets for the specified policy. | List | policy* (p. 940) | |
ListTargetsForSecurityProfile | Lists the targets associated with a given Device Defender security profile. | List | securityprofile* (p. 941) | |
ListThingGroups | Lists all thing groups. | List | | |
ListThingGroupsForThing | List thing groups to which the specified thing belongs. | List | thing* (p. 940) | |
ListThingPrincipals | Lists the principals associated with the specified thing. | List | | |
ListThingRegistrationTaskReports | Lists information about bulk thing registration tasks. | List | | |
ListThingRegistrationTasks | Lists bulk thing registration tasks. | List | | |
ListThingTypes | Lists all thing types. | List | | |
ListThings | Lists all things. | List | | |
ListThingsInBillingGroup | Lists all things in the specified billing group. | List | billinggroup* (p. 940) | |
ListThingsInThingGroup | Lists all things in the specified thing group. | List | thinggroup* (p. 940) | |
ListTopicRules | Lists the rules for the specific topic. | List | | |
ListTunnels | Lists tunnels. | List | | |
ListV2LoggingLevels | Lists the v2 logging levels. | List | | |

ListViolationEvents | Lists the Device Defender security profile violations discovered during the given time period. | List | securityprofile (p. 941), thing (p. 940) | |
OpenTunnel | Opens a tunnel. | Write | | aws:RequestTag/${TagKey} (p. 941), aws:TagKeys (p. 941), iot:ThingGroupArn (p. 941), iot:TunnelDestinationService (p. 941) |
Publish | Publish to the specified topic. | Write | topic* (p. 940) | |
Receive | Receive from the specified topic. | Write | topic* (p. 940) | |
RegisterCACertificate | Registers a CA certificate with AWS IoT. | Write | | aws:RequestTag/${TagKey} (p. 941), aws:TagKeys (p. 941) |
RegisterCertificate | Registers a device certificate with AWS IoT. | Write | | |
RegisterCertificateWithoutCA | Registers a device certificate with AWS IoT without a registered CA (certificate authority). | Write | | |
RegisterThing | Registers your thing. | Write | | |
RejectCertificateTransfer | Rejects a pending certificate transfer. | Write | cert* (p. 940) | |
RemoveThingFromBillingGroup | Removes thing from the specified billing group. | Write | billinggroup* (p. 940), thing* (p. 940) | |
RemoveThingFromThingGroup | Removes thing from the specified thing group. | Write | thing* (p. 940), thinggroup* (p. 940) | |

ReplaceTopicRule | Replaces the specified rule. | Write | rule* (p. 941) | |
SearchIndex | Search IoT fleet index | Read | index* (p. 940) | |
SetDefaultAuthorizer | Sets the default authorizer. This will be used if a websocket connection is made without specifying an authorizer. | Permissions management | authorizer* (p. 940) | |
SetDefaultPolicyVersion | Sets the specified version of the specified policy as the policy's default (operative) version. | Permissions management | policy* (p. 940) | |
SetLoggingOptions | Sets the logging options. | Write | | |
SetV2LoggingLevel | Sets the v2 logging level. | Write | | |
SetV2LoggingOptions | Sets the v2 logging options. | Write | | |
StartAuditMitigationActionsTask | Starts a task that applies a set of mitigation actions to the specified target. | Write | | |
StartNextPendingJobExecution | Gets and starts the next pending job execution for a thing. | Write | thing* (p. 940) | |
StartOnDemandAuditTask | Starts an on-demand Device Defender audit. | Write | | |
StartThingRegistrationTask | Starts a bulk thing registration task. | Write | | |
StopThingRegistrationTask | Stops a bulk thing registration task. | Write | | |
Subscribe | Subscribe to the specified TopicFilter. | Write | topicfilter* (p. 940) | |
TagResource | Tag a specified resource | Tagging | authorizer, billinggroup, cacert, dimension, domainconfiguration, dynamicthinggroup, fleetmetric, job, mitigationaction, otaupdate, policy, provisioningtemplate, rolealias, rule, scheduledaudit, securityprofile, stream, thinggroup, thingtype (all optional; p. 940, 941) | aws:RequestTag/${TagKey} (p. 941), aws:TagKeys (p. 941) |
TestAuthorization | Test the policies evaluation for group policies | Read | cert (p. 940) | |
TestInvokeAuthorizer | Invoke the specified custom authorizer for testing purposes. | Read | authorizer* (p. 940) | |
TransferCertificate | Transfers the specified certificate to the specified AWS account. | Write | cert* (p. 940) | |
UntagResource | Untag a specified resource | Tagging | authorizer, billinggroup, cacert, dimension, domainconfiguration, dynamicthinggroup, fleetmetric, job, mitigationaction, otaupdate, policy, provisioningtemplate, rolealias, rule, scheduledaudit, securityprofile, stream, thinggroup, thingtype (all optional; p. 940, 941) | aws:TagKeys (p. 941) |
UpdateAccountAuditConfiguration | Configures or reconfigures the Device Defender audit settings for this account. | Write | | |
UpdateAuditSuppression | Updates a Device Defender audit suppression. | Write | | |
UpdateAuthorizer | Updates an authorizer | Write | authorizer* (p. 940) | |
UpdateBillingGroup | Updates information associated with the specified billing group. | Write | billinggroup* (p. 940) | |
UpdateCACertificate | Updates a registered CA certificate. | Write | cacert* (p. 940) | |
UpdateCertificate | Updates the status of the specified certificate. This operation is idempotent. | Write | cert* (p. 940) | |
UpdateDimension | Updates the definition for a dimension. | Write | dimension* (p. 941) | |
UpdateDomainConfiguration | Updates a domain configuration. | Write | domainconfiguration* (p. 941) | |
UpdateDynamicThingGroup | Updates a Dynamic Thing Group | Write | dynamicthinggroup* (p. 940) | |
UpdateEventConfigurations | Updates event configurations. | Write | | |
UpdateFleetMetric | Updates a fleet metric | Write | fleetmetric* (p. 940), index* (p. 940) | |
UpdateIndexingConfiguration | Updates fleet indexing configuration | Write | | |
UpdateJob | Updates a job. | Write | job* (p. 940) | |
UpdateJobExecution | Updates a job execution. | Write | thing* (p. 940) | |
UpdateMitigationAction | Updates the definition for the specified mitigation action. | Write | mitigationaction* (p. 941) | |
UpdateProvisioningTemplate | Updates a fleet provisioning template. | Write | provisioningtemplate* (p. 941) | |
UpdateRoleAlias | Updates the role alias | Write | rolealias* (p. 940) | |
UpdateScheduledAudit | Updates a scheduled audit, including what checks are performed and how often the audit takes place. | Write | scheduledaudit* (p. 941) | |
UpdateSecurityProfile | Updates a Device Defender security profile. | Write | securityprofile* (p. 941), dimension (p. 941) | |
UpdateStream | Updates the data for a stream. | Write | stream* (p. 940) | |
UpdateThing | Updates information associated with the specified thing. | Write | thing* (p. 940) | |
UpdateThingGroup | Updates information associated with the specified thing group. | Write | thinggroup* (p. 940) | |
UpdateThingGroupsForThing | Updates the thing groups to which the thing belongs. | Write | thing* (p. 940), thinggroup (p. 940) | |
UpdateThingShadow | Updates the thing shadow. | Write | thing* (p. 940) | |
ValidateSecurityProfileBehaviors | Validates a Device Defender security profile behaviors specification. | Read | | |

Resource types defined by AWS IoT


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 919) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
client | arn:${Partition}:iot:${Region}:${Account}:client/${ClientId} |
index | arn:${Partition}:iot:${Region}:${Account}:index/${IndexName} |
fleetmetric | arn:${Partition}:iot:${Region}:${Account}:fleetmetric/${FleetMetricName} | aws:ResourceTag/${TagKey} (p. 941)
job | arn:${Partition}:iot:${Region}:${Account}:job/${JobId} | aws:ResourceTag/${TagKey} (p. 941)
tunnel | arn:${Partition}:iot:${Region}:${Account}:tunnel/${TunnelId} | aws:ResourceTag/${TagKey} (p. 941)
thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} |
thinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} | aws:ResourceTag/${TagKey} (p. 941)
billinggroup | arn:${Partition}:iot:${Region}:${Account}:billinggroup/${BillingGroupName} | aws:ResourceTag/${TagKey} (p. 941)
dynamicthinggroup | arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName} | aws:ResourceTag/${TagKey} (p. 941)
thingtype | arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName} | aws:ResourceTag/${TagKey} (p. 941)
topic | arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName} |
topicfilter | arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter} |
rolealias | arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias} | aws:ResourceTag/${TagKey} (p. 941)
authorizer | arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName} | aws:ResourceTag/${TagKey} (p. 941)
policy | arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName} | aws:ResourceTag/${TagKey} (p. 941)
cert | arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate} |
cacert | arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate} | aws:ResourceTag/${TagKey} (p. 941)
stream | arn:${Partition}:iot:${Region}:${Account}:stream/${streamId} | aws:ResourceTag/${TagKey} (p. 941)
otaupdate | arn:${Partition}:iot:${Region}:${Account}:otaupdate/${otaUpdateId} | aws:ResourceTag/${TagKey} (p. 941)
scheduledaudit | arn:${Partition}:iot:${Region}:${Account}:scheduledaudit/${ScheduleName} | aws:ResourceTag/${TagKey} (p. 941)
mitigationaction | arn:${Partition}:iot:${Region}:${Account}:mitigationaction/${MitigationActionName} | aws:ResourceTag/${TagKey} (p. 941)
securityprofile | arn:${Partition}:iot:${Region}:${Account}:securityprofile/${SecurityProfileName} | aws:ResourceTag/${TagKey} (p. 941)
dimension | arn:${Partition}:iot:${Region}:${Account}:dimension/${DimensionName} | aws:ResourceTag/${TagKey} (p. 941)
rule | arn:${Partition}:iot:${Region}:${Account}:rule/${ruleName} | aws:ResourceTag/${TagKey} (p. 941)
provisioningtemplate | arn:${Partition}:iot:${Region}:${Account}:provisioningtemplate/${provisioningTemplate} | aws:ResourceTag/${TagKey} (p. 941)
domainconfiguration | arn:${Partition}:iot:${Region}:${Account}:domainconfiguration/${domainConfigurationName} | aws:ResourceTag/${TagKey} (p. 941)

Condition keys for AWS IoT


AWS IoT defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | A tag key that is present in the request that the user makes to IoT. | String
aws:ResourceTag/${TagKey} | The tag key component of a tag attached to an IoT resource. | String
aws:TagKeys | The list of all the tag key names associated with the resource in the request. | String
iot:Delete | The flag indicating whether or not to also delete an IoT Tunnel immediately | Bool
iot:DomainName | Filters actions based on the domain name of an IoT DomainConfiguration | String
iot:ThingGroupArn | The list of all IoT Thing Group ARNs that the destination IoT Thing belongs to for an IoT Tunnel | String
iot:TunnelDestinationService | The list of all destination services for an IoT Tunnel | String
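The three AWS IoT tables above (actions, resource types, condition keys) are what decides whether an IAM statement is tight, over-broad, or silently dead. The Python below is an added example for this page, not AWS code: it transcribes a handful of rows from those tables into a lookup and lints constructed policy statements against them. It flags an Allow with Resource "*" on an action that takes a topic or topicfilter ARN (the classic over-grant), an ARN on an action whose resource-type column is empty (the statement can never match), an ARN of the wrong type, and a service condition key used on an action that does not evaluate it (the condition is false, so an Allow never applies and, worse, a Deny never fires). The action table and sample policy are a small excerpt and a constructed example; this is not a substitute for the IAM policy simulator.

```python
"""Lint IAM policy statements for AWS IoT against the actions and
resource types tables of the Service Authorization Reference.

Added example for this page, not AWS code. TABLE and ARN_RE transcribe
a few rows from the AWS IoT tables; POLICY is a constructed sample.
"""
import re

# action -> (required resource types, optional resource types, condition keys)
# transcribed from the AWS IoT actions table. An action whose resource type
# column is empty can only be granted with Resource "*".
TABLE = {
    "iot:Publish": (("topic",), (), ()),
    "iot:Receive": (("topic",), (), ()),
    "iot:Subscribe": (("topicfilter",), (), ()),
    "iot:GetThingShadow": (("thing",), (), ()),
    "iot:UpdateThingShadow": (("thing",), (), ()),
    "iot:UpdateThingGroupsForThing": (("thing",), ("thinggroup",), ()),
    "iot:ListThings": ((), (), ()),
    "iot:RegisterCertificate": ((), (), ()),
    "iot:RegisterCACertificate": ((), (), ("aws:RequestTag/", "aws:TagKeys")),
    "iot:OpenTunnel": ((), (), ("aws:RequestTag/", "aws:TagKeys",
                                 "iot:ThingGroupArn",
                                 "iot:TunnelDestinationService")),
}

# arn:${Partition}:iot:${Region}:${Account}:<type>/<name>, per the resource
# types table; only the <type> segment matters here.
ARN_RE = re.compile(r"^arn:[^:]+:iot:[^:]*:[^:]*:([a-z]+)/")


def resource_type(arn):
    """Return the resource type of an IoT ARN ('topic', 'thing', ...), '*' for
    the all-resources wildcard, or None for anything that is not an IoT ARN."""
    if arn == "*":
        return "*"
    match = ARN_RE.match(arn)
    return match.group(1) if match else None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_statement(stmt):
    """Return a list of findings (strings) for one policy statement."""
    findings = []
    effect = stmt.get("Effect", "Allow")
    resources = _as_list(stmt.get("Resource"))
    # Every key used under any operator in the Condition block.
    cond_keys = [k for pairs in stmt.get("Condition", {}).values() for k in pairs]

    for action in _as_list(stmt.get("Action")):
        if action not in TABLE:
            findings.append(f"{action}: not in this table excerpt, skipped")
            continue
        required, optional, keys = TABLE[action]
        supported = set(required) | set(optional)
        types = "/".join(sorted(supported))

        for res in resources:
            rtype = resource_type(res)
            if rtype == "*":
                # "*" is mandatory when the action has no resource types and is
                # harmless on a Deny; on an Allow it grants every topic/thing.
                if supported and effect == "Allow":
                    findings.append(f'{action}: Resource "*" grants every {types} '
                                    f"in the account; scope it to a {types} ARN")
            elif rtype is None:
                findings.append(f"{action}: {res} is not an AWS IoT ARN")
            elif not supported:
                findings.append(f"{action}: takes no resource type, so {res} never "
                                f'matches; this statement needs Resource "*"')
            elif rtype not in supported:
                findings.append(f"{action}: {res} is a {rtype} ARN but the action "
                                f"accepts only {types}")

        for key in cond_keys:
            base = "aws:RequestTag/" if key.startswith("aws:RequestTag/") else key
            if base.startswith("iot:") or base in ("aws:RequestTag/", "aws:TagKeys"):
                if base not in keys:
                    # Key absent from the request context for this action: the
                    # condition is false, so the statement never applies.
                    findings.append(f"{action}: condition key {key} is not evaluated "
                                    f"for this action, so the {effect} never applies")
    return findings


def lint_policy(policy):
    return [f for stmt in policy["Statement"] for f in lint_statement(stmt)]


# Constructed sample policy (account ID and topics are made up).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": "arn:aws:iot:us-east-1:123456789012:topic/telemetry/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": "*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": "arn:aws:iot:us-east-1:123456789012:thing/sensor-01"},
        {"Effect": "Allow", "Action": "iot:ListThings",
         "Resource": "arn:aws:iot:us-east-1:123456789012:thing/*"},
        {"Effect": "Deny", "Action": "iot:Publish", "Resource": "*",
         "Condition": {"StringEquals": {"iot:TunnelDestinationService": "SSH"}}},
        {"Effect": "Allow", "Action": "iot:OpenTunnel", "Resource": "*",
         "Condition": {"StringEquals": {"iot:TunnelDestinationService": "SSH",
                                        "aws:RequestTag/team": "fleet-ops"}}},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(POLICY):
        print(finding)
```

Only the second through fifth statements produce findings; the first (Publish/Receive scoped to a topic prefix) and the last (OpenTunnel with Resource "*", which the table requires, narrowed by the two keys the table lists for it) pass. Extend TABLE from the rows above as needed; the check logic does not change.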


Actions, resources, and condition keys for AWS IoT 1-Click

AWS IoT 1-Click (service prefix: iot1click) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IoT 1-Click (p. 942)
• Resource types defined by AWS IoT 1-Click (p. 944)
• Condition keys for AWS IoT 1-Click (p. 945)

Actions defined by AWS IoT 1-Click


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateDeviceWithPlacement | Associate a device to a placement | Write | project* (p. 944) | |
ClaimDevicesByClaimCode | Claim a batch of devices with a claim code. | Read | | |
CreatePlacement | Create a new placement in a project | Write | project* (p. 944) | |
CreateProject | Create a new project | Write | project* (p. 944) | aws:RequestTag/${TagKey} (p. 945), aws:TagKeys (p. 945) |
DeletePlacement | Delete a placement from a project | Write | project* (p. 944) | |
DeleteProject | Delete a project | Write | project* (p. 944) | |
DescribeDevice | Describe a device | Read | device* (p. 944) | |
DescribePlacement | Describe a placement | Read | project* (p. 944) | |
DescribeProject | Describe a project | Read | project* (p. 944) | |
DisassociateDeviceFromPlacement | Disassociate a device from a placement | Write | project* (p. 944) | |
FinalizeDeviceClaim | Finalize a device claim | Read | device* (p. 944) | aws:RequestTag/${TagKey} (p. 945), aws:TagKeys (p. 945) |
GetDeviceMethods | Get available methods of a device | Read | device* (p. 944) | |
GetDevicesInPlacement | Get devices associated to a placement | Read | project* (p. 944) | |
InitiateDeviceClaim | Initialize a device claim | Read | device* (p. 944) | |
InvokeDeviceMethod | Invoke a device method | Write | device* (p. 944) | |
ListDeviceEvents | List past events published by a device | Read | device* (p. 944) | |
ListDevices | List all devices | List | | |
ListPlacements | List placements in a project | Read | project* (p. 944) | |
ListProjects | List all projects | List | | |
ListTagsForResource | Lists the tags (metadata) which you have assigned to the resource. | List | device (p. 944), project (p. 944) | |
TagResource | Adds to or modifies the tags of the given resource. Tags are metadata which can be used to manage a resource. | Write | device (p. 944), project (p. 944) | aws:RequestTag/${TagKey} (p. 945), aws:TagKeys (p. 945) |
UnclaimDevice | Unclaim a device | Read | device* (p. 944) | |
UntagResource | Removes the given tags (metadata) from the resource. | Write | device (p. 944), project (p. 944) | aws:TagKeys (p. 945) |
UpdateDeviceState | Update device state | Write | device* (p. 944) | |
UpdatePlacement | Update a placement | Write | project* (p. 944) | |
UpdateProject | Update a project | Write | project* (p. 944) | |

Resource types defined by AWS IoT 1-Click


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 942) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
device | arn:${Partition}:iot1click:${Region}:${Account}:devices/${DeviceId} | aws:ResourceTag/${TagKey} (p. 945)
project | arn:${Partition}:iot1click:${Region}:${Account}:projects/${ProjectName} | aws:ResourceTag/${TagKey} (p. 945)

Condition keys for AWS IoT 1-Click


AWS IoT 1-Click defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | A tag key that is present in the request that the user makes to IoT 1-Click. | String
aws:ResourceTag/${TagKey} | The preface string for a tag key and value pair attached to an IoT 1-Click resource. | String
aws:TagKeys | The list of all the tag key names associated with the IoT 1-Click resource in the request. | String

Actions, resources, and condition keys for AWS IoT Analytics

AWS IoT Analytics (service prefix: iotanalytics) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IoT Analytics (p. 945)
• Resource types defined by AWS IoT Analytics (p. 949)
• Condition keys for AWS IoT Analytics (p. 950)

Actions defined by AWS IoT Analytics


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchPutMessage | Puts a batch of messages into the specified channel. | Write | channel* (p. 949) | |
CancelPipelineReprocessing | Cancels reprocessing for the specified pipeline. | Write | pipeline* (p. 949) | |
CreateChannel | Creates a channel. | Write | channel* (p. 949) | aws:RequestTag/${TagKey} (p. 950), aws:TagKeys (p. 950) |
CreateDataset | Creates a dataset. | Write | dataset* (p. 949) | aws:RequestTag/${TagKey} (p. 950), aws:TagKeys (p. 950) |
CreateDatasetContent | Generates content of the specified dataset (by executing the dataset actions). | Write | dataset* (p. 949) | |
CreateDatastore | Creates a datastore. | Write | datastore* (p. 949) | aws:RequestTag/${TagKey} (p. 950), aws:TagKeys (p. 950) |
CreatePipeline | Creates a pipeline. | Write | pipeline* (p. 949) | aws:RequestTag/${TagKey} (p. 950), aws:TagKeys (p. 950) |
DeleteChannel | Deletes the specified channel. | Write | channel* (p. 949) | |
DeleteDataset | Deletes the specified dataset. | Write | dataset* (p. 949) | |
DeleteDatasetContent | Deletes the content of the specified dataset. | Write | dataset* (p. 949) | |
DeleteDatastore | Deletes the specified datastore. | Write | datastore* (p. 949) | |
DeletePipeline | Deletes the specified pipeline. | Write | pipeline* (p. 949) | |
DescribeChannel | Describes the specified channel. | Read | channel* (p. 949) | |
DescribeDataset | Describes the specified dataset. | Read | dataset* (p. 949) | |
DescribeDatastore | Describes the specified datastore. | Read | datastore* (p. 949) | |
DescribeLoggingOptions | Describes logging options for the account. | Read | | |
DescribePipeline | Describes the specified pipeline. | Read | pipeline* (p. 949) | |
GetDatasetContent | Gets the content of the specified dataset. | Read | dataset* (p. 949) | |
ListChannels | Lists the channels for the account. | List | | |
ListDatasets | Lists the datasets for the account. | List | | |
ListDatastores | Lists the datastores for the account. | List | | |
ListPipelines | Lists the pipelines for the account. | List | | |
ListTagsForResource | Lists the tags (metadata) which you have assigned to the resource. | Read | channel (p. 949), dataset (p. 949), datastore (p. 949), pipeline (p. 949) | |
PutLoggingOptions | Puts logging options for the account. | Write | | |
RunPipelineActivity | Runs the specified pipeline activity. | Read | | |
SampleChannelData | Samples the specified channel's data. | Read | channel* (p. 949) | |
StartPipelineReprocessing | Starts reprocessing for the specified pipeline. | Write | pipeline* (p. 949) | |
TagResource | Adds to or modifies the tags of the given resource. Tags are metadata which can be used to manage a resource. | Tagging | channel (p. 949), dataset (p. 949), datastore (p. 949), pipeline (p. 949) | aws:RequestTag/${TagKey} (p. 950), aws:TagKeys (p. 950) |
UntagResource | Removes the given tags (metadata) from the resource. | Tagging | channel (p. 949), dataset (p. 949), datastore (p. 949), pipeline (p. 949) | aws:RequestTag/${TagKey} (p. 950), aws:TagKeys (p. 950) |
UpdateChannel | Updates the specified channel. | Write | channel* (p. 949) | |
UpdateDataset | Updates the specified dataset. | Write | dataset* (p. 949) | |
UpdateDatastore | Updates the specified datastore. | Write | datastore* (p. 949) | |
UpdatePipeline | Updates the specified pipeline. | Write | pipeline* (p. 949) | |

Resource types defined by AWS IoT Analytics


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 945) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
channel | arn:${Partition}:iotanalytics:${Region}:${Account}:channel/${ChannelName} | aws:RequestTag/${TagKey} (p. 950), aws:TagKeys (p. 950), iotanalytics:ResourceTag/${TagKey} (p. 950)
dataset | arn:${Partition}:iotanalytics:${Region}:${Account}:dataset/${DatasetName} | aws:RequestTag/${TagKey} (p. 950), aws:TagKeys (p. 950), iotanalytics:ResourceTag/${TagKey} (p. 950)
datastore | arn:${Partition}:iotanalytics:${Region}:${Account}:datastore/${DatastoreName} | aws:RequestTag/${TagKey} (p. 950), aws:TagKeys (p. 950), iotanalytics:ResourceTag/${TagKey} (p. 950)
pipeline | arn:${Partition}:iotanalytics:${Region}:${Account}:pipeline/${PipelineName} | aws:RequestTag/${TagKey} (p. 950), aws:TagKeys (p. 950), iotanalytics:ResourceTag/${TagKey} (p. 950)


Condition keys for AWS IoT Analytics


AWS IoT Analytics defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | A tag key that is present in the request that the user makes to IoT Analytics. | String
aws:TagKeys | The list of all the tag key names associated with the IoT Analytics resource in the request. | String
iotanalytics:ResourceTag/${TagKey} | The preface string for a tag key and value pair attached to an IoT Analytics resource. | String

Actions, resources, and condition keys for AWS IoT Core Device Advisor

AWS IoT Core Device Advisor (service prefix: iotdeviceadvisor) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IoT Core Device Advisor (p. 950)
• Resource types defined by AWS IoT Core Device Advisor (p. 952)
• Condition keys for AWS IoT Core Device Advisor (p. 952)

Actions defined by AWS IoT Core Device Advisor


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateSuiteDefinition | Grants permission to create a suite definition | Write | | aws:RequestTag/${TagKey} (p. 952), aws:TagKeys (p. 953) |
DeleteSuiteDefinition | Grants permission to delete a suite definition | Write | suitedefinition* (p. 952) | |
GetSuiteDefinition | Grants permission to get a suite definition | Read | suitedefinition* (p. 952) | |
GetSuiteRun | Grants permission to get a suite run | Read | suiterun* (p. 952) | |
GetSuiteRunReport | Grants permission to get the qualification report for a suite run | Read | suiterun* (p. 952) | |
ListSuiteDefinitions | Grants permission to list suite definitions | List | | |
ListSuiteRuns | Grants permission to list suite runs | List | suitedefinition* (p. 952) | |
ListTagsForResource | Grants permission to list the tags (metadata) assigned to a resource | Read | suitedefinition (p. 952), suiterun (p. 952) | |
ListTestCases | Grants permission to list the test cases provided by IoT Device Advisor | List | | |
StartSuiteRun | Grants permission to start a suite run | Write | | aws:RequestTag/${TagKey} (p. 952), aws:TagKeys (p. 953) |
TagResource | Grants permission to add to or modify the tags of the given resource. Tags are metadata which can be used to manage a resource | Tagging | suitedefinition (p. 952), suiterun (p. 952) | aws:RequestTag/${TagKey} (p. 952), aws:TagKeys (p. 953) |
UntagResource | Grants permission to remove the given tags (metadata) from a resource | Tagging | suitedefinition (p. 952), suiterun (p. 952) | aws:TagKeys (p. 953) |
UpdateSuiteDefinition | Grants permission to update a suite definition | Write | suitedefinition* (p. 952) | |
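As an added example (not code from the Service Authorization Reference), the following Python applies the Resource types column rules above to Allow statements: the action and ARN tables for the iotdeviceadvisor prefix are transcribed from this page, while the policies, region and account number are constructed. Treating "*" on an action that requires a resource type as "broader than needed" is a least-privilege judgement added here, not a rule the reference itself states.

```python
"""Added example (not from the Service Authorization Reference): check IAM
statements against the Resource types column rules, using the AWS IoT Core
Device Advisor tables on this page. Policies and account number are constructed."""
import fnmatch

SERVICE_PREFIX = "iotdeviceadvisor"

# Transcribed from the actions table: name -> (required types, optional types).
ACTIONS = {
    "CreateSuiteDefinition": ((), ()),
    "DeleteSuiteDefinition": (("suitedefinition",), ()),
    "GetSuiteDefinition": (("suitedefinition",), ()),
    "GetSuiteRun": (("suiterun",), ()),
    "GetSuiteRunReport": (("suiterun",), ()),
    "ListSuiteDefinitions": ((), ()),
    "ListSuiteRuns": (("suitedefinition",), ()),
    "ListTagsForResource": ((), ("suitedefinition", "suiterun")),
    "ListTestCases": ((), ()),
    "StartSuiteRun": ((), ()),
    "TagResource": ((), ("suitedefinition", "suiterun")),
    "UntagResource": ((), ("suitedefinition", "suiterun")),
    "UpdateSuiteDefinition": (("suitedefinition",), ()),
}
# Resource-id prefixes of the two ARN templates in the resource types table:
# ...:${Account}:suitedefinition/${suiteDefinitionId} and ...:${Account}:suiterun/${suiteDefinitionId}/${suiteRunId}
RESOURCE_TYPES = ("suitedefinition", "suiterun")


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def expand_actions(pattern):
    """Expand 'iotdeviceadvisor:Get*' (or a bare '*') into (service, sorted names)."""
    service, sep, name = pattern.partition(":")
    if not sep:  # a bare "*" covers every action of every service
        service, name = "*", pattern
    if service not in (SERVICE_PREFIX, "*"):
        return service, []
    return SERVICE_PREFIX, sorted(a for a in ACTIONS if fnmatch.fnmatchcase(a, name))


def resource_type_of(resource):
    """Classify a Resource entry as '*', one of RESOURCE_TYPES, or None (foreign ARN)."""
    if resource == "*":
        return "*"
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource-id
    if len(parts) != 6 or parts[0] != "arn" or parts[2] not in (SERVICE_PREFIX, "*"):
        return None
    if parts[5] == "*":
        return "*"
    return next((t for t in RESOURCE_TYPES if parts[5].startswith(t + "/")), None)


def lint_statement(stmt):
    """Findings for one Allow statement, per the table semantics: no resource type
    listed -> Resource must be "*"; a required type -> "*" is broader than needed;
    an ARN of another type -> the statement never authorises the action."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    resources = _as_list(stmt.get("Resource", []))
    for pattern in _as_list(stmt.get("Action", [])):
        service, names = expand_actions(pattern)
        if service != SERVICE_PREFIX:
            continue  # another service's table governs this pattern
        if not names:
            findings.append(f"{pattern}: matches no {SERVICE_PREFIX} action")
        for name in names:
            required, optional = ACTIONS[name]
            supported = required + optional
            for res in resources:
                rtype = resource_type_of(res)
                if not supported and res != "*":
                    findings.append(f"{name}: takes no resource type; {res!r} never matches, use \"*\"")
                elif supported and rtype == "*" and required:
                    findings.append(f"{name}: \"*\" is broader than needed; scope to a {'/'.join(required)} ARN")
                elif supported and rtype != "*" and rtype not in supported:
                    findings.append(f"{name}: {res!r} is not a {'/'.join(supported)} ARN; never matches")
    return findings


def lint_policy(policy):
    """Run lint_statement over every statement of a policy document."""
    return [f for s in _as_list(policy["Statement"]) for f in lint_statement(s)]


ACCOUNT = "123456789012"  # constructed placeholder account id
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iotdeviceadvisor:*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    # no resource type in the table: "*" is the only Resource that matches
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iotdeviceadvisor:ListSuiteDefinitions", "iotdeviceadvisor:ListTestCases"]},
    # suitedefinition* is required: scope to that ARN type
    {"Effect": "Allow", "Resource": f"arn:aws:iotdeviceadvisor:us-east-1:{ACCOUNT}:suitedefinition/*",
     "Action": ["iotdeviceadvisor:GetSuiteDefinition", "iotdeviceadvisor:ListSuiteRuns"]},
    # suiterun* is required; the wildcard expands to GetSuiteRun and GetSuiteRunReport
    {"Effect": "Allow", "Resource": f"arn:aws:iotdeviceadvisor:us-east-1:{ACCOUNT}:suiterun/*",
     "Action": "iotdeviceadvisor:GetSuiteRun*"}]}

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, lint_policy(policy) or "no findings")
```

Running it reports six "broader than needed" findings for the wildcard policy (one per action that requires a suitedefinition or suiterun ARN) and none for the scoped policy.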

Resource types defined by AWS IoT Core Device Advisor


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 950) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
suitedefinition | arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suitedefinition/${suiteDefinitionId} | aws:ResourceTag/${TagKey} (p. 953)
suiterun | arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suiterun/${suiteDefinitionId}/${suiteRunId} | aws:ResourceTag/${TagKey} (p. 953)

Condition keys for AWS IoT Core Device Advisor


AWS IoT Core Device Advisor defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String

Actions, resources, and condition keys for AWS IoT Core for LoRaWAN

AWS IoT Core for LoRaWAN (service prefix: iotwireless) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IoT Core for LoRaWAN (p. 953)
• Resource types defined by AWS IoT Core for LoRaWAN (p. 958)
• Condition keys for AWS IoT Core for LoRaWAN (p. 959)

Actions defined by AWS IoT Core for LoRaWAN


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateAwsAccountWithPartnerAccount | Link partner accounts with an AWS account. | Write | | |
AssociateWirelessDeviceWithThing | Associate the wireless device with an AWS IoT thing for a given wirelessDeviceId. | Write | WirelessDevice* (p. 958), thing* (p. 959) | | iot:DescribeThing
AssociateWirelessGatewayWithCertificate | Associate a WirelessGateway with the IoT Core Identity certificate. | Write | WirelessGateway* (p. 958), cert* (p. 959) | |
AssociateWirelessGatewayWithThing | Associate the wireless gateway with an AWS IoT thing for a given wirelessGatewayId. | Write | WirelessGateway* (p. 958), thing* (p. 959) | | iot:DescribeThing
CreateDestination | Create a Destination resource. | Write | Destination* (p. 958) | aws:RequestTag/${TagKey} (p. 959), aws:TagKeys (p. 959) |
CreateDeviceProfile | Create a DeviceProfile resource. | Write | DeviceProfile* (p. 958) | aws:RequestTag/${TagKey} (p. 959), aws:TagKeys (p. 959) |
CreateServiceProfile | Create a ServiceProfile resource. | Write | ServiceProfile* (p. 958) | aws:RequestTag/${TagKey} (p. 959), aws:TagKeys (p. 959) |
CreateWirelessDevice | Create a WirelessDevice resource with the given Destination. | Write | Destination* (p. 958), WirelessDevice* (p. 958) | |
CreateWirelessGateway | Create a WirelessGateway resource. | Write | WirelessGateway* (p. 958) | aws:RequestTag/${TagKey} (p. 959), aws:TagKeys (p. 959) |
CreateWirelessGatewayTask | Create a task for a given WirelessGateway. | Write | WirelessGateway* (p. 958) | |
CreateWirelessGatewayTaskDefinition | Create a WirelessGateway task definition. | Write | | |
DeleteDestination | Delete a Destination. | Write | Destination* (p. 958) | |
DeleteDeviceProfile | Delete a DeviceProfile. | Write | DeviceProfile* (p. 958) | |
DeleteServiceProfile | Delete a ServiceProfile. | Write | ServiceProfile* (p. 958) | |
DeleteWirelessDevice | Delete a WirelessDevice. | Write | WirelessDevice* (p. 958) | |
DeleteWirelessGateway | Delete a WirelessGateway. | Write | WirelessGateway* (p. 958) | |
DeleteWirelessGatewayTask | Delete the task for a given WirelessGateway. | Write | WirelessGateway* (p. 958) | |
DeleteWirelessGatewayTaskDefinition | Delete a WirelessGateway task definition. | Write | | |
DisassociateAwsAccountFromPartnerAccount | Disassociate an AWS account from a partner account. | Write | | |
DisassociateWirelessDeviceFromThing | Disassociate a wireless device from an AWS IoT thing. | Write | WirelessDevice* (p. 958), thing* (p. 959) | | iot:DescribeThing
DisassociateWirelessGatewayFromCertificate | Disassociate a WirelessGateway from an IoT Core Identity certificate. | Write | WirelessGateway* (p. 958), cert* (p. 959) | |
DisassociateWirelessGatewayFromThing | Disassociate a WirelessGateway from an IoT Core thing. | Write | WirelessGateway* (p. 958), thing* (p. 959) | | iot:DescribeThing
GetDestination | Get the Destination. | Read | Destination* (p. 958) | |
GetDeviceProfile | Get the DeviceProfile. | Read | DeviceProfile* (p. 958) | |
GetPartnerAccount | Get the associated PartnerAccount. | Read | | |
GetServiceEndpoint | Retrieve the customer account specific endpoint for a CUPS protocol connection or a LoRaWAN Network Server (LNS) protocol connection, and optionally the server trust certificate in PEM format. | Read | | |
GetServiceProfile | Get the ServiceProfile. | Read | ServiceProfile* (p. 958) | |
GetWirelessDevice | Get the WirelessDevice. | Read | WirelessDevice* (p. 958) | |
GetWirelessDeviceStatistics | Get statistics info for a given WirelessDevice. | Read | WirelessDevice* (p. 958) | |
GetWirelessGateway | Get the WirelessGateway. | Read | WirelessGateway* (p. 958) | |
GetWirelessGatewayCertificate | Get the IoT Core Identity certificate id associated with the WirelessGateway. | Read | WirelessGateway* (p. 958) | |
GetWirelessGatewayFirmwareInformation | Get the current firmware version and other information for the WirelessGateway. | Read | WirelessGateway* (p. 958) | |
GetWirelessGatewayStatistics | Get statistics info for a given WirelessGateway. | Read | WirelessGateway* (p. 958) | |
GetWirelessGatewayTask | Get the task for a given WirelessGateway. | Read | WirelessGateway* (p. 958) | |
GetWirelessGatewayTaskDefinition | Describe the given WirelessGateway task definition. | Read | | |
ListDestinations | List information of available Destinations based on the AWS account. | List | | |
ListDeviceProfiles | List information of available DeviceProfiles based on the AWS account. | List | | |
ListPartnerAccounts | List the available partner accounts. | List | | |
ListServiceProfiles | List information of available ServiceProfiles based on the AWS account. | List | | |
ListTagsForResource | List all tags for a given resource. | List | Destination (p. 958), DeviceProfile (p. 958), ServiceProfile (p. 958), WirelessGateway (p. 958) | |
ListWirelessDevices | List information of available WirelessDevices based on the AWS account. | List | | |
ListWirelessGatewayTaskDefinitions | List information of available WirelessGateway task definitions based on the AWS account. | List | | |
ListWirelessGateways | List information of available WirelessGateways based on the AWS account. | List | | |
SendDataToWirelessDevice | Send the decrypted application data frame to the target device. | Write | WirelessDevice* (p. 958) | |
TagResource | Tag a given resource. | Tagging | Destination (p. 958), DeviceProfile (p. 958), ServiceProfile (p. 958), WirelessGateway (p. 958) | aws:RequestTag/${TagKey} (p. 959), aws:TagKeys (p. 959) |
TestWirelessDevice | Simulate a provisioned device sending uplink data with the payload 'Hello'. | Write | WirelessDevice* (p. 958) | |
UntagResource | Remove the given tags from the resource. | Tagging | Destination (p. 958), DeviceProfile (p. 958), ServiceProfile (p. 958), WirelessGateway (p. 958) | aws:TagKeys (p. 959) |
UpdateDestination | Update a Destination resource. | Write | Destination* (p. 958) | |
UpdatePartnerAccount | Update a partner account. | Write | | |
UpdateWirelessDevice | Update a WirelessDevice resource. | Write | WirelessDevice* (p. 958) | |
UpdateWirelessGateway | Update a WirelessGateway resource. | Write | WirelessGateway* (p. 958) | |

Resource types defined by AWS IoT Core for LoRaWAN


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 953) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
WirelessDevice | arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDevice/${WirelessDeviceId} |
WirelessGateway | arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGateway/${WirelessGatewayId} | aws:ResourceTag/${TagKey} (p. 959)
DeviceProfile | arn:${Partition}:iotwireless:${Region}:${Account}:DeviceProfile/${DeviceProfileId} | aws:ResourceTag/${TagKey} (p. 959)
ServiceProfile | arn:${Partition}:iotwireless:${Region}:${Account}:ServiceProfile/${ServiceProfileId} | aws:ResourceTag/${TagKey} (p. 959)
Destination | arn:${Partition}:iotwireless:${Region}:${Account}:Destination/${DestinationName} | aws:ResourceTag/${TagKey} (p. 959)
thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} |
cert | arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate} |

Condition keys for AWS IoT Core for LoRaWAN


AWS IoT Core for LoRaWAN defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | A tag key that is present in the request that the user makes to IoT Wireless. | String
aws:ResourceTag/${TagKey} | The tag key component of a tag attached to an IoT Wireless resource. | String
aws:TagKeys | The list of all the tag key names associated with the resource in the request. | String

Actions, resources, and condition keys for AWS IoT Device Tester

AWS IoT Device Tester (service prefix: iot-device-tester) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IoT Device Tester (p. 959)
• Resource types defined by AWS IoT Device Tester (p. 960)
• Condition keys for AWS IoT Device Tester (p. 960)

Actions defined by AWS IoT Device Tester


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CheckVersion | Grants permission for IoT Device Tester to check if a given set of product, test suite and device tester version are compatible | Read | | |
DownloadTestSuite | Grants permission for IoT Device Tester to download compatible test suite versions | Read | | |
LatestIdt | Grants permission for IoT Device Tester to get information on the latest version of device tester available | Read | | |
SendMetrics | Grants permission for IoT Device Tester to send usage metrics on your behalf | Write | | |
SupportedVersion | Grants permission for IoT Device Tester to get the list of supported products and test suite versions | Read | | |

Resource types defined by AWS IoT Device Tester


AWS IoT Device Tester does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to AWS IoT Device Tester, specify "Resource": "*" in your policy.

Condition keys for AWS IoT Device Tester


IoT Device Tester has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS IoT Events

AWS IoT Events (service prefix: iotevents) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.


References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IoT Events (p. 961)
• Resource types defined by AWS IoT Events (p. 964)
• Condition keys for AWS IoT Events (p. 965)

Actions defined by AWS IoT Events


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchAcknowledgeAlarm | Grants permission to send one or more acknowledge action requests to AWS IoT Events | Write | input* (p. 964) | |
BatchDisableAlarm | Grants permission to disable one or more alarm instances | Write | input* (p. 964) | |
BatchEnableAlarm | Grants permission to enable one or more alarm instances | Write | input* (p. 964) | |
BatchPutMessage | Grants permission to send a set of messages to the AWS IoT Events system | Write | input* (p. 964) | |
BatchResetAlarm | Grants permission to reset one or more alarm instances | Write | input* (p. 964) | |
BatchSnoozeAlarm | Grants permission to change one or more alarm instances to the snooze mode | Write | input* (p. 964) | |
BatchUpdateDetector | Grants permission to update a detector instance within the AWS IoT Events system | Write | input* (p. 964) | |
CreateAlarmModel | Grants permission to create an alarm model to monitor an AWS IoT Events input attribute or an AWS IoT SiteWise asset property | Write | alarmModel* (p. 964) | aws:RequestTag/${TagKey} (p. 965), aws:TagKeys (p. 965) |
CreateDetectorModel | Grants permission to create a detector model to monitor an AWS IoT Events input attribute | Write | detectorModel* (p. 964) | aws:RequestTag/${TagKey} (p. 965), aws:TagKeys (p. 965) |
CreateInput | Grants permission to create an Input in IotEvents | Write | input* (p. 964) | aws:RequestTag/${TagKey} (p. 965), aws:TagKeys (p. 965) |
DeleteAlarmModel | Grants permission to delete an alarm model | Write | alarmModel* (p. 964) | |
DeleteDetectorModel | Grants permission to delete a detector model | Write | detectorModel* (p. 964) | |
DeleteInput | Grants permission to delete an input | Write | input* (p. 964) | |
DescribeAlarm | Grants permission to retrieve information about an alarm instance | Read | alarmModel* (p. 964) | |
DescribeAlarmModel | Grants permission to retrieve information about an alarm model | Read | alarmModel* (p. 964) | |
DescribeDetector | Grants permission to retrieve information about a detector instance | Read | detectorModel* (p. 964) | |
DescribeDetectorModel | Grants permission to retrieve information about a detector model | Read | detectorModel* (p. 964) | |
DescribeInput | Grants permission to retrieve information about an Input | Read | input* (p. 964) | |
DescribeLoggingOptions | Grants permission to retrieve the current settings of the AWS IoT Events logging options | Read | | |
ListAlarmModelVersions | Grants permission to list all the versions of an alarm model | List | alarmModel* (p. 964) | |
ListAlarmModels | Grants permission to list the alarm models that you created | List | | |
ListAlarms | Grants permission to retrieve information about all alarm instances per alarmModel | List | alarmModel* (p. 964) | |
ListDetectorModelVersions | Grants permission to list all the versions of a detector model | List | detectorModel* (p. 964) | |
ListDetectorModels | Grants permission to list the detector models that you created | List | | |
ListDetectors | Grants permission to retrieve information about all detector instances per detectorModel | List | detectorModel* (p. 964) | |
ListInputs | Grants permission to list the inputs you have created | List | | |
ListTagsForResource | Grants permission to list the tags (metadata) which you have assigned to the resource | Read | detectorModel (p. 964), input (p. 964) | |
PutLoggingOptions | Grants permission to set or update the AWS IoT Events logging options | Write | | |
TagResource | Grants permission to add to or modify the tags of the given resource. Tags are metadata which can be used to manage a resource | Tagging | detectorModel (p. 964), input (p. 964) | aws:RequestTag/${TagKey} (p. 965), aws:TagKeys (p. 965) |
UntagResource | Grants permission to remove the given tags (metadata) from the resource | Tagging | detectorModel (p. 964), input (p. 964) | aws:TagKeys (p. 965) |
UpdateAlarmModel | Grants permission to update an alarm model | Write | alarmModel* (p. 964) | |
UpdateDetectorModel | Grants permission to update a detector model | Write | detectorModel* (p. 964) | |
UpdateInput | Grants permission to update an input | Write | input* (p. 964) | |
UpdateInputRouting | Grants permission to update input routing | Write | input* (p. 964) | |

Resource types defined by AWS IoT Events


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 961) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
detectorModel | arn:${Partition}:iotevents:${Region}:${Account}:detectorModel/${DetectorModelName} | aws:ResourceTag/${TagKey} (p. 965)
alarmModel | arn:${Partition}:iotevents:${Region}:${Account}:alarmModel/${AlarmModelName} | aws:ResourceTag/${TagKey} (p. 965)
input | arn:${Partition}:iotevents:${Region}:${Account}:input/${inputName} | aws:ResourceTag/${TagKey} (p. 965)


Condition keys for AWS IoT Events


AWS IoT Events defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters access by the tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters access by the tags attached to the resource | String
aws:TagKeys | Filters actions by the tag keys in the request | String
iotevents:keyValue | Filters access by the instanceId (key-value) of the message | String

Actions, resources, and condition keys for AWS IoT Greengrass

AWS IoT Greengrass (service prefix: greengrass) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IoT Greengrass (p. 965)
• Resource types defined by AWS IoT Greengrass (p. 975)
• Condition keys for AWS IoT Greengrass (p. 977)

Actions defined by AWS IoT Greengrass


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateRoleToGroup | Grants permission to associate a role with a group. The role's permissions must allow Greengrass core Lambda functions and connectors to perform actions in other AWS services. | Write | group* (p. 975) | |
AssociateServiceRoleToAccount | Grants permission to associate a role with your account. AWS IoT Greengrass uses this role to access your Lambda functions and AWS IoT resources. | Permissions management | | |
CreateConnectorDefinition | Grants permission to create a connector definition. | Write | | aws:RequestTag/${TagKey} (p. 977), aws:TagKeys (p. 977) |
CreateConnectorDefinitionVersion | Grants permission to create a version of an existing connector definition. | Write | connectorDefinition* (p. 976) | |
CreateCoreDefinition | Grants permission to create a core definition. | Write | | aws:RequestTag/${TagKey} (p. 977), aws:TagKeys (p. 977) |
CreateCoreDefinitionVersion | Grants permission to create a version of an existing core definition. Greengrass groups must each contain exactly one Greengrass core. | Write | coreDefinition* (p. 976) | |
CreateDeployment | Grants permission to create a deployment. | Write | group* (p. 975) | |
CreateDeviceDefinition | Grants permission to create a device definition. | Write | | aws:RequestTag/${TagKey} (p. 977), aws:TagKeys (p. 977) |
CreateDeviceDefinitionVersion | Grants permission to create a version of an existing device definition. | Write | deviceDefinition* (p. 976) | |
CreateFunctionDefinition | Grants permission to create a Lambda function definition to be used in a group that contains a list of Lambda functions and their configurations. | Write | | aws:RequestTag/${TagKey} (p. 977), aws:TagKeys (p. 977) |
CreateFunctionDefinitionVersion | Grants permission to create a version of an existing Lambda function definition. | Write | functionDefinition* (p. 976) | |
CreateGroup | Grants permission to create a group. | Write | | aws:RequestTag/${TagKey} (p. 977), aws:TagKeys (p. 977) |
CreateGroupCertificateAuthority | Grants permission to create a CA for the group, or rotate the existing CA. | Write | group* (p. 975) | |
CreateGroupVersion | Grants permission to create a version of a group that has already been defined. | Write | group* (p. 975) | |
CreateLoggerDefinition | Grants permission to create a logger definition. | Write | | aws:RequestTag/${TagKey} (p. 977), aws:TagKeys (p. 977) |
CreateLoggerDefinitionVersion | Grants permission to create a version of an existing logger definition. | Write | loggerDefinition* (p. 976) | |

Grants permission to create a Write   aws:RequestTag/


 
CreateResourceDefinition
resource definition that contains ${TagKey}
a list of resources to be used in a (p. 977)
group.
aws:TagKeys
(p. 977)

Grants permission to create a Write resourceDefinition*


   
CreateResourceDefinitionVersion
version of an existing resource (p. 976)
definition.

967
Service Authorization Reference
Service Authorization Reference
AWS IoT Greengrass

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to create an Write      


CreateSoftwareUpdateJob
AWS IoT job that will trigger
your Greengrass cores to update
the software they are running.

Grants permission to create a Write   aws:RequestTag/


 
CreateSubscriptionDefinition
subscription definition. ${TagKey}
(p. 977)

aws:TagKeys
(p. 977)

Grants permission to create Write subscriptionDefinition*


   
CreateSubscriptionDefinitionVersion
a version of an existing (p. 976)
subscription definition.

Grants permission to delete a Write connectorDefinition*


   
DeleteConnectorDefinition
connector definition. (p. 976)

Grants permission to delete Write coreDefinition*


   
DeleteCoreDefinition
a core definition. Deleting a (p. 976)
definition that is currently in use
in a deployment affects future
deployments.

Grants permission to delete a Write deviceDefinition*


   
DeleteDeviceDefinition
device definition. Deleting a (p. 976)
definition that is currently in use
in a deployment affects future
deployments.

Grants permission to delete a Write functionDefinition*


   
DeleteFunctionDefinition
Lambda function definition. (p. 976)
Deleting a definition that is
currently in use in a deployment
affects future deployments.

DeleteGroup Grants permission to delete a Write group*    


group that is not currently in use (p. 975)
in a deployment.

Grants permission to delete a Write loggerDefinition*


   
DeleteLoggerDefinition
logger definition. Deleting a (p. 976)
definition that is currently in use
in a deployment affects future
deployments.

Grants permission to delete a Write resourceDefinition*


   
DeleteResourceDefinition
resource definition. (p. 976)

Grants permission to delete a Write subscriptionDefinition*


   
DeleteSubscriptionDefinition
subscription definition. Deleting (p. 976)
a definition that is currently
in use in a deployment affects
future deployments.

968
Service Authorization Reference
Service Authorization Reference
AWS IoT Greengrass

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to Write group*    


DisassociateRoleFromGroup
disassociate the role from a (p. 975)
group.

Grants permission to Write      


DisassociateServiceRoleFromAccount
disassociate the service role
from an account. Without a
service role, deployments will
not work.

Discover Grants permission to retrieve Read thing*    


information required to connect (p. 977)
to a Greengrass core.

Grants permission to retrieve the Read group*    


GetAssociatedRolerole associated with a group. (p. 975)

Grants permission to return the Read bulkDeployment*


   
GetBulkDeploymentStatus
status of a bulk deployment. (p. 975)

Grants permission to retrieve the Read connectivityInfo*


   
GetConnectivityInfo
connectivity information for a (p. 975)
core.

Grants permission to retrieve Read connectorDefinition*


   
GetConnectorDefinition
information about a connector (p. 976)
definition.

Grants permission to retrieve Read connectorDefinition*


   
GetConnectorDefinitionVersion
information about a connector (p. 976)
definition version.
connectorDefinitionVersion*
   
(p. 977)

Grants permission to retrieve Read coreDefinition*


   
GetCoreDefinitioninformation about a core (p. 976)
definition.

Grants permission to retrieve Read coreDefinition*


   
GetCoreDefinitionVersion
information about a core (p. 976)
definition version.
coreDefinitionVersion*
   
(p. 976)

Grants permission to return the Read deployment*    


GetDeploymentStatus
status of a deployment. (p. 975)

group*    
(p. 975)

Grants permission to retrieve Read deviceDefinition*


   
GetDeviceDefinition
information about a device (p. 976)
definition.

969
Service Authorization Reference
Service Authorization Reference
AWS IoT Greengrass

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to retrieve Read deviceDefinition*


   
GetDeviceDefinitionVersion
information about a device (p. 976)
definition version.
deviceDefinitionVersion*
   
(p. 976)

Grants permission to retrieve Read functionDefinition*


   
GetFunctionDefinition
information about a Lambda (p. 976)
function definition, such as its
creation time and latest version.

Grants permission to retrieve Read functionDefinition*


   
GetFunctionDefinitionVersion
information about a Lambda (p. 976)
function definition version, such
as which Lambda functions are functionDefinitionVersion*
   
included in the version and their (p. 976)
configurations.

GetGroup Grants permission to retrieve Read group*    


information about a group. (p. 975)

Grants permission to return the Read certificateAuthority*


   
GetGroupCertificateAuthority
public key of the CA associated (p. 975)
with a group.
group*    
(p. 975)

Grants permission to retrieve the Read group*    


GetGroupCertificateConfiguration
current configuration for the CA (p. 975)
used by a group.

Grants permission to retrieve Read group*    


GetGroupVersion information about a group (p. 975)
version.
groupVersion*   
(p. 975)

Grants permission to retrieve Read loggerDefinition*


   
GetLoggerDefinition
information about a logger (p. 976)
definition.

Grants permission to retrieve Read loggerDefinition*


   
GetLoggerDefinitionVersion
information about a logger (p. 976)
definition version.
loggerDefinitionVersion*
   
(p. 976)

Grants permission to retrieve Read resourceDefinition*


   
GetResourceDefinition
information about a resource (p. 976)
definition, such as its creation
time and latest version.

970
Service Authorization Reference
Service Authorization Reference
AWS IoT Greengrass

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to retrieve Read resourceDefinition*


   
GetResourceDefinitionVersion
information about a resource (p. 976)
definition version, such as which
resources are included in the resourceDefinitionVersion*
   
version. (p. 976)

Grants permission to retrieve the Read      


GetServiceRoleForAccount
service role that is attached to
an account.

Grants permission to retrieve Read subscriptionDefinition*


   
GetSubscriptionDefinition
information about a subscription (p. 976)
definition.

Grants permission to retrieve Read subscriptionDefinition*


   
GetSubscriptionDefinitionVersion
information about a subscription (p. 976)
definition version.
subscriptionDefinitionVersion*
   
(p. 976)

Grants permission to retrieve List bulkDeployment*


   
ListBulkDeploymentDetailedReports
a paginated list of the (p. 975)
deployments that have been
started in a bulk deployment
operation and their current
deployment status.

Grants permission to retrieve a List      


ListBulkDeployments
list of bulk deployments.

Grants permission to list List connectorDefinition*


   
ListConnectorDefinitionVersions
the versions of a connector (p. 976)
definition.

Grants permission to retrieve a List      


ListConnectorDefinitions
list of connector definitions.

Grants permission to list the List coreDefinition*


   
ListCoreDefinitionVersions
versions of a core definition. (p. 976)

Grants permission to retrieve a List      


ListCoreDefinitions
list of core definitions.

Grants permission to retrieve List group*    


ListDeployments a list of all deployments for a (p. 975)
group.

Grants permission to list the List deviceDefinition*


   
ListDeviceDefinitionVersions
versions of a device definition. (p. 976)

Grants permission to retrieve a List      


ListDeviceDefinitions
list of device definitions.

Grants permission to list the List functionDefinition*


   
ListFunctionDefinitionVersions
versions of a Lambda function (p. 976)
definition.

971
Service Authorization Reference
Service Authorization Reference
AWS IoT Greengrass

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to retrieve List      


ListFunctionDefinitions
a list of Lambda function
definitions.

Grants permission to retrieve a List group*    


ListGroupCertificateAuthorities
list of current CAs for a group. (p. 975)

Grants permission to list the List group*    


ListGroupVersionsversions of a group. (p. 975)

ListGroups Grants permission to retrieve a List      


list of groups.

Grants permission to list the List loggerDefinition*


   
ListLoggerDefinitionVersions
versions of a logger definition. (p. 976)

Grants permission to retrieve a List      


ListLoggerDefinitions
list of logger definitions.

Grants permission to list the List resourceDefinition*


   
ListResourceDefinitionVersions
versions of a resource definition. (p. 976)

Grants permission to retrieve a List      


ListResourceDefinitions
list of resource definitions.

Grants permission to list the List subscriptionDefinition*


   
ListSubscriptionDefinitionVersions
versions of a subscription (p. 976)
definition.

Grants permission to retrieve a List      


ListSubscriptionDefinitions
list of subscription definitions.

Grants permission to list the List bulkDeployment


   
ListTagsForResource
tags for a resource. (p. 975)

connectorDefinition
   
(p. 976)

coreDefinition   
(p. 976)

deviceDefinition
   
(p. 976)

functionDefinition
   
(p. 976)

group    
(p. 975)

loggerDefinition
   
(p. 976)

resourceDefinition
   
(p. 976)

972
Service Authorization Reference
Service Authorization Reference
AWS IoT Greengrass

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

subscriptionDefinition
   
(p. 976)

  aws:RequestTag/
 
${TagKey}
(p. 977)

aws:TagKeys
(p. 977)

Grants permission to reset a Write group*    


ResetDeployments
group's deployments. (p. 975)

Grants permission to deploy Write   aws:RequestTag/


 
StartBulkDeployment
multiple groups in one ${TagKey}
operation. (p. 977)

aws:TagKeys
(p. 977)

Grants permission to stop the Write bulkDeployment*


   
StopBulkDeployment
execution of a bulk deployment. (p. 975)

TagResource Grants permission to add tags to Tagging bulkDeployment


   
a resource. (p. 975)

connectorDefinition
   
(p. 976)

coreDefinition   
(p. 976)

deviceDefinition
   
(p. 976)

functionDefinition
   
(p. 976)

group    
(p. 975)

loggerDefinition
   
(p. 976)

resourceDefinition
   
(p. 976)

subscriptionDefinition
   
(p. 976)

  aws:RequestTag/
 
${TagKey}
(p. 977)

aws:TagKeys
(p. 977)

973
Service Authorization Reference
Service Authorization Reference
AWS IoT Greengrass

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to remove Tagging bulkDeployment


   
UntagResource tags from a resource. (p. 975)

connectorDefinition
   
(p. 976)

coreDefinition   
(p. 976)

deviceDefinition
   
(p. 976)

functionDefinition
   
(p. 976)

group    
(p. 975)

loggerDefinition
   
(p. 976)

resourceDefinition
   
(p. 976)

subscriptionDefinition
   
(p. 976)

  aws:TagKeys  
(p. 977)

Grants permission to update the Write connectivityInfo*


   
UpdateConnectivityInfo
connectivity information for a (p. 975)
Greengrass core. Any devices
that belong to the group that
has this core will receive this
information in order to find the
location of the core and connect
to it.

Grants permission to update a Write connectorDefinition*


   
UpdateConnectorDefinition
connector definition. (p. 976)

Grants permission to update a Write coreDefinition*


   
UpdateCoreDefinition
core definition. (p. 976)

Grants permission to update a Write deviceDefinition*


   
UpdateDeviceDefinition
device definition. (p. 976)

Grants permission to update a Write functionDefinition*


   
UpdateFunctionDefinition
Lambda function definition. (p. 976)

UpdateGroup Grants permission to update a Write group*    


group. (p. 975)

974
Service Authorization Reference
Service Authorization Reference
AWS IoT Greengrass

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to update Write group*    


UpdateGroupCertificateConfiguration
the certificate expiry time for a (p. 975)
group.

Grants permission to update a Write loggerDefinition*


   
UpdateLoggerDefinition
logger definition. (p. 976)

Grants permission to update a Write resourceDefinition*


   
UpdateResourceDefinition
resource definition. (p. 976)

Grants permission to update a Write subscriptionDefinition*


   
UpdateSubscriptionDefinition
subscription definition. (p. 976)

Resource types defined by AWS IoT Greengrass


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 965) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| connectivityInfo | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/things/${ThingName}/connectivityInfo | |
| artifact | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId}/artifacts/lambda/${ArtifactId} | |
| certificateAuthority | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/certificateauthorities/${CertificateAuthorityId} | |
| deployment | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId} | |
| bulkDeployment | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/bulk/deployments/${BulkDeploymentId} | aws:ResourceTag/${TagKey} (p. 977) |
| group | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId} | aws:ResourceTag/${TagKey} (p. 977) |
| groupVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/versions/${VersionId} | |
| coreDefinition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/cores/${CoreDefinitionId} | aws:ResourceTag/${TagKey} (p. 977) |
| coreDefinitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/cores/${CoreDefinitionId}/versions/${VersionId} | |
| deviceDefinition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/devices/${DeviceDefinitionId} | aws:ResourceTag/${TagKey} (p. 977) |
| deviceDefinitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/devices/${DeviceDefinitionId}/versions/${VersionId} | |
| functionDefinition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/functions/${FunctionDefinitionId} | aws:ResourceTag/${TagKey} (p. 977) |
| functionDefinitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/functions/${FunctionDefinitionId}/versions/${VersionId} | |
| subscriptionDefinition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/subscriptions/${SubscriptionDefinitionId} | aws:ResourceTag/${TagKey} (p. 977) |
| subscriptionDefinitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/subscriptions/${SubscriptionDefinitionId}/versions/${VersionId} | |
| loggerDefinition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/loggers/${LoggerDefinitionId} | aws:ResourceTag/${TagKey} (p. 977) |
| loggerDefinitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/loggers/${LoggerDefinitionId}/versions/${VersionId} | |
| resourceDefinition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId} | aws:ResourceTag/${TagKey} (p. 977) |
| resourceDefinitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId}/versions/${VersionId} | |
| connectorDefinition | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/connectors/${ConnectorDefinitionId} | aws:ResourceTag/${TagKey} (p. 977) |
| connectorDefinitionVersion | arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/connectors/${ConnectorDefinitionId}/versions/${VersionId} | |
| thing | arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName} | |
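The actions table and the ARN formats above can be turned into a static least-privilege check for policies that grant Greengrass permissions. The following Python example is added here and is not code from the Service Authorization Reference or from AWS; it encodes a small subset of the Greengrass actions and resource-type ARN formats listed above and flags statements that grant "*" to an action that supports resource-level permissions, that name an ARN for an action with no resource-level support, or that leave a required resource type uncovered. The sample policy, its account id and its region are constructed placeholders.

```python
"""Least-privilege lint for AWS IoT Greengrass IAM statements (added example).

Encodes a subset of the Greengrass actions table and the resource-type ARN
formats from the reference, then reports statements that are broader or
narrower than the table allows. The sample policy below is constructed; the
account id and region in it are placeholders.
"""
import re

# ARN formats copied from the Greengrass resource types table.
RESOURCE_ARN_FORMATS = {
    "group": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}",
    "groupVersion": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/versions/${VersionId}",
    "coreDefinition": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/cores/${CoreDefinitionId}",
    "bulkDeployment": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/bulk/deployments/${BulkDeploymentId}",
    "thing": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}",
}

# Subset of the actions table: action -> resource types marked required (*).
# An empty set means the action has no resource-level support, so "*" is the
# only valid Resource for it.
ACTION_REQUIRED_TYPES = {
    "greengrass:CreateDeployment": {"group"},
    "greengrass:GetGroupVersion": {"group", "groupVersion"},
    "greengrass:DeleteCoreDefinition": {"coreDefinition"},
    "greengrass:StopBulkDeployment": {"bulkDeployment"},
    "greengrass:Discover": {"thing"},
    "greengrass:ListGroups": set(),
    "greengrass:AssociateServiceRoleToAccount": set(),
}


def arn_pattern(fmt):
    """Compile an ARN format with ${...} placeholders into an anchored regex.

    Each placeholder matches exactly one ARN field or path segment, so a
    policy wildcard such as ".../groups/*" matches group but not groupVersion.
    """
    literal_parts = re.split(r"\$\{[A-Za-z]+\}", fmt)
    return re.compile("^" + "[^:/]+".join(map(re.escape, literal_parts)) + "$")


PATTERNS = {name: arn_pattern(fmt) for name, fmt in RESOURCE_ARN_FORMATS.items()}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return a list of human-readable findings for one Allow statement."""
    findings = []
    resources = _as_list(stmt["Resource"])
    for action in _as_list(stmt["Action"]):
        if action not in ACTION_REQUIRED_TYPES:
            findings.append(f"{action}: not in the subset of the actions table encoded here")
            continue
        required = ACTION_REQUIRED_TYPES[action]
        if "*" in resources:
            if required:  # the table offers a narrower scope than the statement uses
                findings.append(
                    f"{action}: supports resource-level permissions "
                    f"({', '.join(sorted(required))}) but the statement grants it on \"*\""
                )
            continue  # "*" covers every required type; nothing more to check
        if not required:
            findings.append(f"{action}: has no resource-level support, so only \"*\" is valid")
            continue
        # Every required type must be matched by at least one listed ARN.
        covered = {t for arn in resources for t in required if PATTERNS[t].match(arn)}
        for missing in sorted(required - covered):
            findings.append(f"{action}: required resource type {missing} is not covered")
    return findings


def lint_policy(policy):
    """Map each Allow statement's Sid to its findings; Deny statements are skipped."""
    return {
        stmt.get("Sid", f"statement-{i}"): lint_statement(stmt)
        for i, stmt in enumerate(policy["Statement"])
        if stmt.get("Effect", "Allow") == "Allow"
    }


# Constructed sample policy (placeholder account id and region).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # scoped correctly: both required types of GetGroupVersion are covered
            "Sid": "ScopedGroupOps", "Effect": "Allow",
            "Action": ["greengrass:CreateDeployment", "greengrass:GetGroupVersion"],
            "Resource": ["arn:aws:greengrass:us-east-1:123456789012:/greengrass/groups/*",
                         "arn:aws:greengrass:us-east-1:123456789012:/greengrass/groups/*/versions/*"],
        },
        {   # over-broad: the action accepts a coreDefinition ARN, yet gets "*"
            "Sid": "TooBroad", "Effect": "Allow",
            "Action": "greengrass:DeleteCoreDefinition", "Resource": "*",
        },
        {   # wrong type: Discover takes a thing ARN (iot service), not a group ARN
            "Sid": "WrongType", "Effect": "Allow", "Action": "greengrass:Discover",
            "Resource": "arn:aws:greengrass:us-east-1:123456789012:/greengrass/groups/abc",
        },
        {   # fine: a List action with no resource-level support must use "*"
            "Sid": "ListOnly", "Effect": "Allow",
            "Action": "greengrass:ListGroups", "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    for sid, findings in lint_policy(SAMPLE_POLICY).items():
        print(sid, "->", findings or "ok")
```

Only the "missing required type" check reports ARNs, because IAM silently ignores an ARN that an action cannot use; a statement that mixes actions legitimately lists ARNs of several types. Extending the check to the whole table is a matter of filling the two dictionaries from the rows above.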

Condition keys for AWS IoT Greengrass


AWS IoT Greengrass defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:CurrentTime | Filters access by checking date/time conditions for the current date and time. | Date |
| aws:EpochTime | Filters access by checking date/time conditions for the current date and time in epoch or Unix time. | Date |
| aws:MultiFactorAuthAge | Filters access by checking how long ago (in seconds) the security credentials validated by multi-factor authentication (MFA) in the request were issued using MFA. | Numeric |
| aws:MultiFactorAuthPresent | Filters access by checking whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the current request. | Boolean |
| aws:RequestTag/${TagKey} | Filters create requests based on the allowed set of values for each of the mandatory tags. | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource. | String |
| aws:SecureTransport | Filters access by checking whether the request was sent using SSL. | Boolean |
| aws:TagKeys | Filters create requests based on the presence of mandatory tags in the request. | String |
| aws:UserAgent | Filters access by the requester's client application. | String |
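The aws:RequestTag/${TagKey} and aws:TagKeys keys in this table are what make tag-on-create policies for the Create* actions above work, and their interaction is easy to get wrong: a ForAllValues:StringEquals condition on aws:TagKeys is vacuously true when a request carries no tags at all, so a StringEquals condition on aws:RequestTag/${TagKey} is what actually requires the tag. The following Python example is added here and is not code from the Service Authorization Reference or from AWS; it implements only the subset of IAM condition evaluation needed to show this behaviour for a constructed greengrass:CreateGroup statement that also requires aws:SecureTransport, and the request contexts it evaluates are constructed as well.

```python
"""Evaluating tag-on-create conditions for a Greengrass create action (added example).

Implements just enough of IAM condition semantics (StringEquals with the
ForAllValues/ForAnyValue set operators, and Bool) to show how the
aws:RequestTag/${TagKey}, aws:TagKeys and aws:SecureTransport keys combine.
The statement and request contexts below are constructed for the demo.
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate a policy Condition block against a request context.

    A missing context key makes a plain StringEquals or Bool false, while
    ForAllValues over a missing key is vacuously true; that asymmetry is why
    aws:TagKeys alone cannot force a request to carry tags.
    """
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")
        for key, allowed in pairs.items():
            allowed = [str(a) for a in _as_list(allowed)]
            present = key in context
            ctx_values = [str(v) for v in _as_list(context.get(key, []))]
            if base == "Bool":
                ok = present and bool(ctx_values) and ctx_values[0].lower() == allowed[0].lower()
            elif base == "StringEquals":
                if set_op == "ForAllValues":
                    ok = all(v in allowed for v in ctx_values)   # True for an absent key
                elif set_op == "ForAnyValue":
                    ok = any(v in allowed for v in ctx_values)
                else:
                    ok = present and any(v in allowed for v in ctx_values)
            else:
                raise ValueError(f"operator {operator} is not supported in this example")
            if not ok:
                return False
    return True


# Constructed statement: CreateGroup is allowed only over TLS, only when the
# request tags the group with an approved Environment value, and only with
# approved tag keys.
TAG_ON_CREATE_STATEMENT = {
    "Sid": "RequireEnvironmentTagOnGroupCreate",
    "Effect": "Allow",
    "Action": "greengrass:CreateGroup",
    "Resource": "*",
    "Condition": {
        "StringEquals": {"aws:RequestTag/Environment": ["prod", "staging"]},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Environment", "Owner"]},
        "Bool": {"aws:SecureTransport": "true"},
    },
}


def request_context(tags, secure_transport=True):
    """Build the condition context IAM derives from a tagged create request.

    aws:TagKeys is only present when the request carries at least one tag.
    """
    context = {f"aws:RequestTag/{key}": value for key, value in tags.items()}
    if tags:
        context["aws:TagKeys"] = list(tags)
    context["aws:SecureTransport"] = "true" if secure_transport else "false"
    return context


def create_group_allowed(tags, secure_transport=True):
    """Whether the sample statement's conditions pass for the given request."""
    return condition_matches(TAG_ON_CREATE_STATEMENT["Condition"],
                             request_context(tags, secure_transport))


if __name__ == "__main__":
    print(create_group_allowed({"Environment": "prod", "Owner": "iot-team"}))   # approved tags
    print(create_group_allowed({"Environment": "dev"}))                          # value not allowed
    print(create_group_allowed({"Environment": "prod", "CostCenter": "42"}))     # key not allowed
    print(create_group_allowed({}))                                              # no tags at all
```

The untagged request fails only because of the StringEquals line; dropping it would leave the ForAllValues condition vacuously satisfied and the create allowed without any tags.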

Actions, resources, and condition keys for AWS IoT SiteWise

AWS IoT SiteWise (service prefix: iotsitewise) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IoT SiteWise (p. 978)
• Resource types defined by AWS IoT SiteWise (p. 984)
• Condition keys for AWS IoT SiteWise (p. 984)

Actions defined by AWS IoT SiteWise


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateAssets | Grants permission to associate a child asset to a parent asset by a hierarchy | Write | asset* (p. 984) | | |
| BatchAssociateProjectAssets | Grants permission to associate assets to a project | Write | project* (p. 984) | | |
| BatchDisassociateProjectAssets | Grants permission to disassociate assets from a project | Write | project* (p. 984) | | |
| BatchPutAssetPropertyValue | Grants permission to put property values for asset properties | Write | asset* (p. 984) | | |
| CreateAccessPolicy | Grants permission to create an access policy for a portal or a project | Permissions management | portal (p. 984), project (p. 984) | aws:RequestTag/${TagKey} (p. 985), aws:TagKeys (p. 985) | |
| CreateAsset | Grants permission to create an asset from an asset model | Write | asset-model* (p. 984) | aws:RequestTag/${TagKey} (p. 985), aws:TagKeys (p. 985) | |
| CreateAssetModel | Grants permission to create an asset model | Write | | aws:RequestTag/${TagKey} (p. 985), aws:TagKeys (p. 985) | |
| CreateDashboard | Grants permission to create a dashboard in a project | Write | project* (p. 984) | aws:RequestTag/${TagKey} (p. 985), aws:TagKeys (p. 985) | |
| CreateGateway | Grants permission to create a gateway | Write | | aws:RequestTag/${TagKey} (p. 985), aws:TagKeys (p. 985) | |
| CreatePortal | Grants permission to create a portal | Write | | aws:RequestTag/${TagKey} (p. 985), aws:TagKeys (p. 985) | sso:CreateManagedApplic, sso:DescribeRegisteredRe |
| CreateProject | Grants permission to create a project in a portal | Write | portal* (p. 984) | aws:RequestTag/${TagKey} (p. 985), aws:TagKeys (p. 985) | |
| DeleteAccessPolicy | Grants permission to delete an access policy | Permissions management | access-policy* (p. 984) | | |
| DeleteAsset | Grants permission to delete an asset | Write | asset* (p. 984) | | |
| DeleteAssetModel | Grants permission to delete an asset model | Write | asset-model* (p. 984) | | |
| DeleteDashboard | Grants permission to delete a dashboard | Write | dashboard* (p. 984) | | |
| DeleteGateway | Grants permission to delete a gateway | Write | gateway* (p. 984) | | |
| DeletePortal | Grants permission to delete a portal | Write | portal* (p. 984) | | sso:DeleteManagedApplic |
| DeleteProject | Grants permission to delete a project | Write | project* (p. 984) | | |
| DescribeAccessPolicy | Grants permission to describe an access policy | Permissions management | access-policy* (p. 984) | | |
| DescribeAsset | Grants permission to describe an asset | Read | asset* (p. 984) | | |
| DescribeAssetModel | Grants permission to describe an asset model | Read | asset-model* (p. 984) | | |
| DescribeAssetProperty | Grants permission to describe an asset property | Read | asset* (p. 984) | | |
| DescribeDashboard | Grants permission to describe a dashboard | Read | dashboard* (p. 984) | | |
| DescribeGateway | Grants permission to describe a gateway | Read | gateway* (p. 984) | | |
| DescribeGatewayCapabilityConfiguration | Grants permission to describe a capability configuration for a gateway | Read | gateway* (p. 984) | | |
| DescribeLoggingOptions | Grants permission to describe logging options for the AWS account | Read | | | |
| DescribePortal | Grants permission to describe a portal | Read | portal* (p. 984) | | |
| DescribeProject | Grants permission to describe a project | Read | project* (p. 984) | | |
| DisassociateAssets | Grants permission to disassociate a child asset from a parent asset by a hierarchy | Write | asset* (p. 984) | | |
| GetAssetPropertyAggregates | Grants permission to retrieve computed aggregates for an asset property | Read | asset* (p. 984) | | |
| GetAssetPropertyValue | Grants permission to retrieve the latest value for an asset property | Read | asset* (p. 984) | | |
| GetAssetPropertyValueHistory | Grants permission to retrieve the value history for an asset property | Read | asset* (p. 984) | | |
| ListAccessPolicies | Grants permission to list all access policies for an identity or a resource | Permissions management | portal (p. 984), project (p. 984) | | |
| ListAssetModels | Grants permission to list all asset models | List | | | |
| ListAssetRelationships | Grants permission to list the asset relationship graph for an asset | List | asset* (p. 984) | | |
| ListAssets | Grants permission to list all assets | List | asset-model (p. 984) | | |
| ListAssociatedAssets | Grants permission to list all assets associated to an asset by a hierarchy | List | asset* (p. 984) | | |
| ListDashboards | Grants permission to list all dashboards in a project | List | project* (p. 984) | | |
| ListGateways | Grants permission to list all gateways | List | | | |
| ListPortals | Grants permission to list all portals | List | | | |
| ListProjectAssets | Grants permission to list all assets associated with a project | List | project* (p. 984) | | |
| ListProjects | Grants permission to list all projects in a portal | List | portal* (p. 984) | | |
| ListTagsForResource | Grants permission to list all tags for a resource | Read | access-policy (p. 984), asset (p. 984), asset-model (p. 984), dashboard (p. 984), gateway (p. 984), portal (p. 984), project (p. 984) | aws:ResourceTag/${TagKey} (p. 985) | |
| PutLoggingOptions | Grants permission to set logging options for the AWS account | Write | | | |
| TagResource | Grants permission to tag a resource | Tagging | access-policy (p. 984), asset (p. 984), asset-model (p. 984), dashboard (p. 984), gateway (p. 984), portal (p. 984), project (p. 984) | aws:TagKeys (p. 985), aws:RequestTag/${TagKey} (p. 985) | |
| UntagResource | Grants permission to untag a resource | Tagging | access-policy (p. 984), asset (p. 984), asset-model (p. 984), dashboard (p. 984), gateway (p. 984), portal (p. 984), project (p. 984) | aws:TagKeys (p. 985) | |
| UpdateAccessPolicy | Grants permission to update an access policy | Permissions management | access-policy* (p. 984) | | |
| UpdateAsset | Grants permission to update an asset | Write | asset* (p. 984) | | |
| UpdateAssetModel | Grants permission to update an asset model | Write | asset-model* (p. 984) | | |
| UpdateAssetProperty | Grants permission to update an asset property | Write | asset* (p. 984) | | |
| UpdateDashboard | Grants permission to update a dashboard | Write | dashboard* (p. 984) | | |
| UpdateGateway | Grants permission to update a gateway | Write | gateway* (p. 984) | | |
| UpdateGatewayCapabilityConfiguration | Grants permission to update a capability configuration for a gateway | Write | gateway* (p. 984) | | |
| UpdatePortal | Grants permission to update a portal | Write | portal* (p. 984) | | |
| UpdateProject | Grants permission to update a project | Write | project* (p. 984) | | |

Resource types defined by AWS IoT SiteWise


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 978) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| asset | arn:${Partition}:iotsitewise:${Region}:${Account}:asset/${AssetId} | aws:ResourceTag/${TagKey} (p. 985) |
| asset-model | arn:${Partition}:iotsitewise:${Region}:${Account}:asset-model/${AssetModelId} | aws:ResourceTag/${TagKey} (p. 985) |
| gateway | arn:${Partition}:iotsitewise:${Region}:${Account}:gateway/${GatewayId} | aws:ResourceTag/${TagKey} (p. 985) |
| portal | arn:${Partition}:iotsitewise:${Region}:${Account}:portal/${PortalId} | aws:ResourceTag/${TagKey} (p. 985) |
| project | arn:${Partition}:iotsitewise:${Region}:${Account}:project/${ProjectId} | aws:ResourceTag/${TagKey} (p. 985) |
| dashboard | arn:${Partition}:iotsitewise:${Region}:${Account}:dashboard/${DashboardId} | aws:ResourceTag/${TagKey} (p. 985) |
| access-policy | arn:${Partition}:iotsitewise:${Region}:${Account}:access-policy/${AccessPolicyId} | aws:ResourceTag/${TagKey} (p. 985) |

Condition keys for AWS IoT SiteWise


AWS IoT SiteWise defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters access by the tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters access by the tags attached to the resource | String
aws:TagKeys | Filters actions by the tag keys in the request | String
iotsitewise:assetHierarchyPath | Filters access by an asset hierarchy path, which is the string of asset IDs in the asset's hierarchy, each separated by a forward slash | String
iotsitewise:childAssetId | Filters access by the ID of a child asset being associated to a parent asset | String
iotsitewise:group | Filters access by the ID of an AWS Single Sign-On group | String
iotsitewise:iam | Filters access by the ID of an AWS IAM identity | String
iotsitewise:portal | Filters access by the ID of a portal | String
iotsitewise:project | Filters access by the ID of a project | String
iotsitewise:propertyId | Filters access by the ID of an asset property | String
iotsitewise:user | Filters access by the ID of an AWS Single Sign-On user | String

Actions, resources, and condition keys for AWS IoT Things Graph
AWS IoT Things Graph (service prefix: iotthingsgraph) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IoT Things Graph (p. 985)
• Resource types defined by AWS IoT Things Graph (p. 990)
• Condition keys for AWS IoT Things Graph (p. 990)

Actions defined by AWS IoT Things Graph


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateEntityToThing | Associates a device with a concrete thing that is in the user's registry. A thing can be associated with only one device at a time. If you associate a thing with a new device id, its previous association will be removed. | Write | - | - | iot:DescribeThing, iot:DescribeThingGroup
CreateFlowTemplate | Creates a workflow template. Workflows can be created only in the user's namespace. (The public namespace contains only entities.) The workflow can contain only entities in the specified namespace. The workflow is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request. | Write | - | - | -
CreateSystemInstance | Creates an instance of a system with specified configurations and Things. | Tagging | - | aws:RequestTag/${TagKey} (p. 990), aws:TagKeys (p. 991) | -
CreateSystemTemplate | Creates a system. The system is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request. | Write | - | - | -
DeleteFlowTemplate | Deletes a workflow. Any new system or system instance that contains this workflow will fail to update or deploy. Existing system instances that contain the workflow will continue to run (since they use a snapshot of the workflow taken at the time of deploying the system instance). | Write | Workflow* (p. 990) | - | -
DeleteNamespace | Deletes the specified namespace. This action deletes all of the entities in the namespace. Delete the systems and flows in the namespace before performing this action. | Write | - | - | -
DeleteSystemInstance | Deletes a system instance. Only instances that have never been deployed, or that have been undeployed from the target can be deleted. Users can create a new system instance that has the same ID as a deleted system instance. | Write | SystemInstance* (p. 990) | - | -
DeleteSystemTemplate | Deletes a system. New system instances can't contain the system after its deletion. Existing system instances that contain the system will continue to work because they use a snapshot of the system that is taken when it is deployed. | Write | System* (p. 990) | - | -
DeploySystemInstance | Deploys the system instance to the target specified in CreateSystemInstance. | Write | SystemInstance* (p. 990) | - | -
DeprecateFlowTemplate | Deprecates the specified workflow. This action marks the workflow for deletion. Deprecated flows can't be deployed, but existing system instances that use the flow will continue to run. | Write | Workflow* (p. 990) | - | -
DeprecateSystemTemplate | Deprecates the specified system. | Write | System* (p. 990) | - | -
DescribeNamespace | Gets the latest version of the user's namespace and the public version that it is tracking. | Read | - | - | -
DissociateEntityFromThing | Dissociates a device entity from a concrete thing. The action takes only the type of the entity that you need to dissociate because only one entity of a particular type can be associated with a thing. | Write | - | - | iot:DescribeThing, iot:DescribeThingGroup
GetEntities | Gets descriptions of the specified entities. Uses the latest version of the user's namespace by default. | Read | - | - | -
GetFlowTemplate | Gets the latest version of the DefinitionDocument and FlowTemplateSummary for the specified workflow. | Read | Workflow* (p. 990) | - | -
GetFlowTemplateRevisions | Gets revisions of the specified workflow. Only the last 100 revisions are stored. If the workflow has been deprecated, this action will return revisions that occurred before the deprecation. This action won't work for workflows that have been deleted. | Read | Workflow* (p. 990) | - | -
GetNamespaceDeletionStatus | Gets the status of a namespace deletion task. | Read | - | - | -
GetSystemInstance | Gets a system instance. | Read | SystemInstance* (p. 990) | - | -
GetSystemTemplate | Gets a system. | Read | System* (p. 990) | - | -
GetSystemTemplateRevisions | Gets revisions made to the specified system template. Only the previous 100 revisions are stored. If the system has been deprecated, this action will return the revisions that occurred before its deprecation. This action won't work with systems that have been deleted. | Read | System* (p. 990) | - | -
GetUploadStatus | Gets the status of the specified upload. | Read | - | - | -
ListFlowExecutionMessages | Lists details of a single workflow execution | List | - | - | -
ListTagsForResource | Lists all tags for a given resource | List | SystemInstance (p. 990) | - | -
SearchEntities | Searches for entities of the specified type. You can search for entities in your namespace and the public namespace that you're tracking. | Read | - | - | -
SearchFlowExecutions | Searches for workflow executions of a system instance | Read | SystemInstance* (p. 990) | - | -
SearchFlowTemplates | Searches for summary information about workflows. | Read | - | - | -
SearchSystemInstances | Searches for system instances in the user's account. | Read | - | - | -
SearchSystemTemplates | Searches for summary information about systems in the user's account. You can filter by the ID of a workflow to return only systems that use the specified workflow. | Read | - | - | -
SearchThings | Searches for things associated with the specified entity. You can search by both device and device model. | Read | - | - | -
TagResource | Tag a specified resource | Tagging | SystemInstance (p. 990) | aws:RequestTag/${TagKey} (p. 990), aws:TagKeys (p. 991) | -
UndeploySystemInstance | Removes the system instance and associated triggers from the target. | Write | SystemInstance* (p. 990) | - | -
UntagResource | Untag a specified resource | Tagging | SystemInstance (p. 990) | aws:TagKeys (p. 991) | -
UpdateFlowTemplate | Updates the specified workflow. All deployed systems and system instances that use the workflow will see the changes in the flow when it is redeployed. The workflow can contain only entities in the specified namespace. | Write | Workflow* (p. 990) | - | -
UpdateSystemTemplate | Updates the specified system. You don't need to run this action after updating a workflow. Any system instance that uses the system will see the changes in the system when it is redeployed. | Write | System* (p. 990) | - | -
UploadEntityDefinitions | Asynchronously uploads one or more entity definitions to the user's namespace. | Write | - | - | -

Resource types defined by AWS IoT Things Graph


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 985) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
Workflow | arn:${Partition}:iotthingsgraph:${Region}:${Account}:Workflow/${NamespacePath} | -
System | arn:${Partition}:iotthingsgraph:${Region}:${Account}:System/${NamespacePath} | -
SystemInstance | arn:${Partition}:iotthingsgraph:${Region}:${Account}:Deployment/${NamespacePath} | aws:ResourceTag/${TagKey} (p. 990)

Condition keys for AWS IoT Things Graph


AWS IoT Things Graph defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters access by a key that is present in the request the user makes to the thingsgraph service. | String
aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair. | String
aws:TagKeys | Filters access by the list of all the tag key names present in the request the user makes to the thingsgraph service. | String

Actions, resources, and condition keys for AWS IQ


AWS IQ (service prefix: iq) provides the following service-specific resources, actions, and condition
context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IQ (p. 991)
• Resource types defined by AWS IQ (p. 991)
• Condition keys for AWS IQ (p. 992)

Actions defined by AWS IQ


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateProject [permission only] | Grants permission to submit new project requests | Write | - | - | -

Resource types defined by AWS IQ


AWS IQ does not support specifying a resource ARN in the Resource element of an IAM policy
statement. To allow access to AWS IQ, specify "Resource": "*" in your policy.


Condition keys for AWS IQ


IQ has no service-specific context keys that can be used in the Condition element of policy statements.
For the list of the global context keys that are available to all services, see Available keys for conditions.

Actions, resources, and condition keys for AWS IQ Permissions
AWS IQ Permissions (service prefix: iq-permission) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS IQ Permissions (p. 992)
• Resource types defined by AWS IQ Permissions (p. 993)
• Condition keys for AWS IQ Permissions (p. 993)

Actions defined by AWS IQ Permissions


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
ApproveAccessGrant [permission only] | Grants permission to approve an access grant | Write | - | - | -


Resource types defined by AWS IQ Permissions


AWS IQ Permissions does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to AWS IQ Permissions, specify "Resource": "*" in your policy.

Condition keys for AWS IQ Permissions


IQ Permission has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Kendra
Amazon Kendra (service prefix: kendra) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Kendra (p. 993)
• Resource types defined by Amazon Kendra (p. 997)
• Condition keys for Amazon Kendra (p. 997)

Actions defined by Amazon Kendra


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchDeleteDocument | Grant permission to batch delete document | Write | index* (p. 997) | - | -
BatchPutDocument | Grant permission to batch put document | Write | index* (p. 997) | - | -
CreateDataSource | Grant permission to create a data source | Write | index* (p. 997) | aws:RequestTag/${TagKey} (p. 998), aws:TagKeys (p. 998) | -
CreateFaq | Grant permission to create an Faq | Write | index* (p. 997) | aws:RequestTag/${TagKey} (p. 998), aws:TagKeys (p. 998) | -
CreateIndex | Grant permission to create an Index | Write | - | aws:RequestTag/${TagKey} (p. 998), aws:TagKeys (p. 998) | -
CreateThesaurus | Grant permission to create a Thesaurus | Write | index* (p. 997) | aws:RequestTag/${TagKey} (p. 998), aws:TagKeys (p. 998) | -
DeleteDataSource | Grant permission to delete a data source | Write | data-source* (p. 997), index* (p. 997) | - | -
DeleteFaq | Grant permission to delete an Faq | Write | faq* (p. 997), index* (p. 997) | - | -
DeleteIndex | Grant permission to delete an Index | Write | index* (p. 997) | - | -
DeleteThesaurus | Grant permission to delete a Thesaurus | Write | index* (p. 997), thesaurus* (p. 997) | - | -
DescribeDataSource | Grant permission to describe a data source | Read | data-source* (p. 997), index* (p. 997) | - | -
DescribeFaq | Grant permission to describe an Faq | Read | faq* (p. 997), index* (p. 997) | - | -
DescribeIndex | Grant permission to describe an Index | Read | index* (p. 997) | - | -
DescribeThesaurus | Grant permission to describe a Thesaurus | Read | index* (p. 997), thesaurus* (p. 997) | - | -
ListDataSourceSyncJobs | Grant permission to get Data Source sync job history | List | data-source* (p. 997), index* (p. 997) | - | -
ListDataSources | Grant permission to list the data sources | List | index* (p. 997) | - | -
ListFaqs | Grant permission to list the Faqs | List | index* (p. 997) | - | -
ListIndices | Grant permission to list the indexes | List | - | - | -
ListTagsForResource | Grant permission to list tags for a resource | List | data-source (p. 997), faq (p. 997), index (p. 997), thesaurus (p. 997) | - | -
ListThesauri | Grant permission to list the Thesauri | List | index* (p. 997) | - | -
Query | Grant permission to query documents and faqs | Read | index* (p. 997) | - | -
StartDataSourceSyncJob | Grant permission to start Data Source sync job | Write | data-source* (p. 997), index* (p. 997) | - | -
StopDataSourceSyncJob | Grant permission to stop Data Source sync job | Write | data-source* (p. 997), index* (p. 997) | - | -
SubmitFeedback | Grant permission to send feedback about query results | Write | index* (p. 997) | - | -
TagResource | Grant permission to tag a resource with given key value pairs | Tagging | data-source (p. 997), faq (p. 997), index (p. 997), thesaurus (p. 997) | aws:RequestTag/${TagKey} (p. 998), aws:TagKeys (p. 998) | -
UntagResource | Grant permission to remove the tag with the given key from a resource | Tagging | data-source (p. 997), faq (p. 997), index (p. 997), thesaurus (p. 997) | aws:TagKeys (p. 998) | -
UpdateDataSource | Grant permission to update a data source | Write | data-source* (p. 997), index* (p. 997) | - | -
UpdateIndex | Grant permission to update an Index | Write | index* (p. 997) | - | -
UpdateThesaurus | Grant permission to update a thesaurus | Write | index* (p. 997), thesaurus* (p. 997) | - | -

Resource types defined by Amazon Kendra


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 993) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
index | arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId} | aws:ResourceTag/${TagKey} (p. 998)
data-source | arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/data-source/${DataSourceId} | aws:ResourceTag/${TagKey} (p. 998)
faq | arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/faq/${FaqId} | aws:ResourceTag/${TagKey} (p. 998)
thesaurus | arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/thesaurus/${ThesaurusId} | aws:ResourceTag/${TagKey} (p. 998)

Condition keys for Amazon Kendra


Amazon Kendra defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters create requests based on the allowed set of values for each of the mandatory tags | String
aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource | String
aws:TagKeys | Filters create requests based on the presence of mandatory tags in the request | String

Actions, resources, and condition keys for AWS Key Management Service
AWS Key Management Service (service prefix: kms) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Key Management Service (p. 998)
• Resource types defined by AWS Key Management Service (p. 1008)
• Condition keys for AWS Key Management Service (p. 1008)

Actions defined by AWS Key Management Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).


Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Controls permission to cancel Write key*    


CancelKeyDeletion
the scheduled deletion of a (p. 1008)
customer master key
  kms:CallerAccount
 
(p. 1009)

kms:ViaService
(p. 1010)

Controls permission to connect Write      


ConnectCustomKeyStore
or reconnect a custom key store
to its associated AWS CloudHSM
cluster

CreateAlias Controls permission to create Write alias*    


an alias for a customer master (p. 1008)
key (CMK). Aliases are optional
friendly names that you can key*    
associate with customer master (p. 1008)
keys
  kms:CallerAccount
 
(p. 1009)

kms:ViaService
(p. 1010)

Controls permission to create Write     cloudhsm:DescribeCluster


CreateCustomKeyStore
a custom key store that is
associated with an AWS
CloudHSM cluster that you own
and manage

CreateGrant Controls permission to add a Permissions key*    


grant to a customer master management (p. 1008)
key. You can use grants to add
permissions without changing   kms:CallerAccount
 
the key policy or IAM policy (p. 1009)

kms:GrantConstraintType
(p. 1009)

kms:GrantIsForAWSResource
(p. 1009)

kms:ViaService
(p. 1010)

CreateKey Controls permission to create a Write   kms:BypassPolicyLockoutSafetyCheck


 
customer master key that can (p. 1008)
be used to protect data keys and
other sensitive information kms:CustomerMasterKeySpec
(p. 1009)

kms:CustomerMasterKeyUsage
(p. 1009)

999
Service Authorization Reference
Service Authorization Reference
AWS Key Management Service

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)
kms:KeyOrigin
(p. 1009)

Decrypt Controls permission to decrypt Write key*    


ciphertext that was encrypted (p. 1008)
under a customer master key
  kms:CallerAccount
 
(p. 1009)

kms:EncryptionAlgorithm
(p. 1009)

kms:EncryptionContextKeys
(p. 1009)

kms:ViaService
(p. 1010)

DeleteAlias Controls permission to delete Write alias*    


an alias. Aliases are optional (p. 1008)
friendly names that you can
associate with customer master key*    
keys (p. 1008)

  kms:CallerAccount
 
(p. 1009)

kms:ViaService
(p. 1010)

Controls permission to delete a Write      


DeleteCustomKeyStore
custom key store

Controls permission to delete Write key*    


DeleteImportedKeyMaterial
cryptographic material that (p. 1008)
you imported into a customer
master key. This action makes   kms:CallerAccount
 
the key unusable (p. 1009)

kms:ViaService
(p. 1010)

Controls permission to view Read      


DescribeCustomKeyStores
detailed information about
custom key stores in the account
and region

DescribeKey Controls permission to view Read key*    


detailed information about a (p. 1008)
customer master key
  kms:CallerAccount
 
(p. 1009)

kms:ViaService
(p. 1010)

1000
Service Authorization Reference
Service Authorization Reference
AWS Key Management Service

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

DisableKey Controls permission to disable Write key*    


a customer master key, which (p. 1008)
prevents it from being used in
cryptographic operations   kms:CallerAccount
 
(p. 1009)

kms:ViaService
(p. 1010)

Controls permission to disable Write key*    


DisableKeyRotation
automatic rotation of a (p. 1008)
customer managed customer
master key   kms:CallerAccount
 
(p. 1009)

kms:ViaService
(p. 1010)

Controls permission to Write      


DisconnectCustomKeyStore
disconnect the custom key
store from its associated AWS
CloudHSM cluster

EnableKey Controls permission to change Write key*    


the state of a customer master (p. 1008)
key (CMK) to enabled. This
allows the CMK to be used in   kms:CallerAccount
 
cryptographic operations (p. 1009)

kms:ViaService
(p. 1010)

Controls permission to enable Write key*    


EnableKeyRotation
automatic rotation of the (p. 1008)
cryptographic material in a
customer master key   kms:CallerAccount
 
(p. 1009)

kms:ViaService
(p. 1010)

Encrypt Controls permission to use the Write key*    


specified customer master key to (p. 1008)
encrypt data and data keys
  kms:CallerAccount
 
(p. 1009)

kms:EncryptionAlgorithm
(p. 1009)

kms:EncryptionContextKeys
(p. 1009)

kms:ViaService
(p. 1010)

1001
Service Authorization Reference
AWS Key Management Service

Columns: Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions. Condition keys are listed only where an action has any; no action in this table has dependent actions.

GenerateDataKey
    Description: Controls permission to use the customer master key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:EncryptionAlgorithm (p. 1009), kms:EncryptionContextKeys (p. 1009), kms:ViaService (p. 1010)

GenerateDataKeyPair
    Description: Controls permission to use the customer master key to generate data key pairs
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:DataKeyPairSpec (p. 1009), kms:EncryptionAlgorithm (p. 1009), kms:EncryptionContextKeys (p. 1009), kms:ViaService (p. 1010)

GenerateDataKeyPairWithoutPlaintext
    Description: Controls permission to use the customer master key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:DataKeyPairSpec (p. 1009), kms:EncryptionAlgorithm (p. 1009), kms:EncryptionContextKeys (p. 1009), kms:ViaService (p. 1010)

GenerateDataKeyWithoutPlaintext
    Description: Controls permission to use the customer master key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:EncryptionAlgorithm (p. 1009), kms:EncryptionContextKeys (p. 1009), kms:ViaService (p. 1010)

GenerateRandom
    Description: Controls permission to get a cryptographically secure random byte string from AWS KMS
    Access level: Write
    Resource types: none

GetKeyPolicy
    Description: Controls permission to view the key policy for the specified customer master key
    Access level: Read
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

GetKeyRotationStatus
    Description: Controls permission to determine whether automatic key rotation is enabled on the customer master key
    Access level: Read
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

GetParametersForImport
    Description: Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token
    Access level: Read
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010), kms:WrappingAlgorithm (p. 1010), kms:WrappingKeySpec (p. 1010)

GetPublicKey
    Description: Controls permission to download the public key of an asymmetric customer master key
    Access level: Read
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

ImportKeyMaterial
    Description: Controls permission to import cryptographic material into a customer master key
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ExpirationModel (p. 1009), kms:ValidTo (p. 1010), kms:ViaService (p. 1010)

ListAliases
    Description: Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with customer master keys
    Access level: List
    Resource types: none

ListGrants
    Description: Controls permission to view all grants for a customer master key
    Access level: List
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:GrantIsForAWSResource (p. 1009), kms:ViaService (p. 1010)

ListKeyPolicies
    Description: Controls permission to view the names of key policies for a customer master key
    Access level: List
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

ListKeys
    Description: Controls permission to view the key ID and Amazon Resource Name (ARN) of all customer master keys in the account
    Access level: List
    Resource types: none

ListResourceTags
    Description: Controls permission to view all tags that are attached to a customer master key
    Access level: List
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

ListRetirableGrants
    Description: Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants
    Access level: List
    Resource types: key* (p. 1008)

PutKeyPolicy
    Description: Controls permission to replace the key policy for the specified customer master key
    Access level: Permissions management
    Resource types: key* (p. 1008)
    Condition keys: kms:BypassPolicyLockoutSafetyCheck (p. 1008), kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

ReEncryptFrom
    Description: Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:EncryptionAlgorithm (p. 1009), kms:EncryptionContextKeys (p. 1009), kms:ReEncryptOnSameKey (p. 1009), kms:ViaService (p. 1010)

ReEncryptTo
    Description: Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:EncryptionAlgorithm (p. 1009), kms:EncryptionContextKeys (p. 1009), kms:ReEncryptOnSameKey (p. 1009), kms:ViaService (p. 1010)

RetireGrant
    Description: Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform
    Access level: Permissions management
    Resource types: key* (p. 1008)

RevokeGrant
    Description: Controls permission to revoke a grant, which denies permission for all operations that depend on the grant
    Access level: Permissions management
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:GrantIsForAWSResource (p. 1009), kms:ViaService (p. 1010)

ScheduleKeyDeletion
    Description: Controls permission to schedule deletion of a customer master key
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

Sign
    Description: Controls permission to produce a digital signature for a message
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:MessageType (p. 1009), kms:SigningAlgorithm (p. 1010), kms:ViaService (p. 1010)

TagResource
    Description: Controls permission to create or update tags that are attached to a customer master key
    Access level: Tagging
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

UntagResource
    Description: Controls permission to delete tags that are attached to a customer master key
    Access level: Tagging
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

UpdateAlias
    Description: Controls permission to associate an alias with a different customer master key. An alias is an optional friendly name that you can associate with a customer master key
    Access level: Write
    Resource types: alias* (p. 1008), key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

UpdateCustomKeyStore
    Description: Controls permission to change the properties of a custom key store
    Access level: Write
    Resource types: none

UpdateKeyDescription
    Description: Controls permission to delete or change the description of a customer master key
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:ViaService (p. 1010)

Verify
    Description: Controls permission to use the specified customer master key to verify digital signatures
    Access level: Write
    Resource types: key* (p. 1008)
    Condition keys: kms:CallerAccount (p. 1009), kms:MessageType (p. 1009), kms:SigningAlgorithm (p. 1010), kms:ViaService (p. 1010)

Resource types defined by AWS Key Management Service


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 998) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys

alias    arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}    (none)
key      arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}      (none)

Condition keys for AWS Key Management Service


AWS Key Management Service defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key (Type) | Description

aws:ResourceTag/${TagKey} (String)
    Filters access to the specified AWS KMS operations based on tags assigned to the customer master key

kms:BypassPolicyLockoutSafetyCheck (Bool)
    Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request

kms:CallerAccount (String)
    Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement

kms:CustomerMasterKeySpec (String)
    Filters access to an API operation based on the CustomerMasterKeySpec property of the CMK that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource

kms:CustomerMasterKeyUsage (String)
    Filters access to an API operation based on the KeyUsage property of the CMK created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource

kms:DataKeyPairSpec (String)
    Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the DataKeyPairSpec parameter in the request

kms:EncryptionAlgorithm (String)
    Filters access to encryption operations based on the value of the encryption algorithm in the request

kms:EncryptionContextKeys (String)
    Filters access based on the presence of specified keys in the encryption context. The encryption context is an optional element in a cryptographic operation

kms:ExpirationModel (String)
    Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request

kms:GrantConstraintType (String)
    Filters access to the CreateGrant operation based on the grant constraint in the request

kms:GrantIsForAWSResource (Bool)
    Filters access to the CreateGrant operation when the request comes from a specified AWS service

kms:GrantOperations (String)
    Filters access to the CreateGrant operation based on the operations in the grant

kms:GranteePrincipal (String)
    Filters access to the CreateGrant operation based on the grantee principal in the grant

kms:KeyOrigin (String)
    Filters access to an API operation based on the Origin property of the CMK created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource

kms:MessageType (String)
    Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request

kms:ReEncryptOnSameKey (Bool)
    Filters access to the ReEncrypt operation when it uses the same customer master key that was used for the Encrypt operation

kms:RequestAlias (String)
    Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request

kms:ResourceAliases (String)
    Filters access to specified AWS KMS operations based on aliases associated with the customer master key

kms:RetiringPrincipal (String)
    Filters access to the CreateGrant operation based on the retiring principal in the grant

kms:SigningAlgorithm (String)
    Filters access to the Sign and Verify operations based on the signing algorithm in the request

kms:ValidTo (Numeric)
    Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date

kms:ViaService (String)
    Filters access when a request made on the principal's behalf comes from a specified AWS service

kms:WrappingAlgorithm (String)
    Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request

kms:WrappingKeySpec (String)
    Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request
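The actions table above attaches kms:ViaService, kms:CallerAccount and kms:EncryptionContextKeys to the data-key operations, and the condition-keys table lists kms:BypassPolicyLockoutSafetyCheck (Bool) and kms:ValidTo (Numeric). The Python below is an added example, not code from this reference or from AWS: a constructed key policy that uses those keys, together with a small evaluator for the IAM condition operators they need, so the policy can be exercised offline against constructed request contexts. The account ID, role ARNs, the S3 regional endpoint and the ValidTo cutoff are assumptions, and the evaluator is deliberately minimal; it is not the IAM policy engine.

```python
"""Offline check of KMS condition keys in a key policy.

Added example, not AWS code: a minimal evaluator for the IAM condition
operators these keys are used with. It follows the documented rules for
explicit deny, ForAllValues on an empty set and Null, but it is not the
IAM engine. Account IDs, role names and request contexts are constructed.
"""

APP = "arn:aws:iam::111122223333:role/app"          # constructed principal
ADMIN = "arn:aws:iam::111122223333:role/key-admin"  # constructed principal

# Constructed key policy exercising condition keys from the tables above.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Data-key operations only when S3 calls KMS on the caller's behalf,
            # only from this account, and only with the S3 encryption context.
            "Sid": "DataKeysOnlyViaS3",
            "Effect": "Allow",
            "Principal": {"AWS": APP},
            "Action": ["kms:Encrypt", "kms:GenerateDataKey",
                       "kms:GenerateDataKeyWithoutPlaintext"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com",
                                 "kms:CallerAccount": "111122223333"},
                "ForAllValues:StringEquals": {"kms:EncryptionContextKeys": ["aws:s3:arn"]},
                "Null": {"kms:EncryptionContextKeys": "false"},  # context must be present
            },
        },
        {   # Nobody may replace the key policy with the lockout safety check bypassed.
            "Sid": "DenyLockoutBypass",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "kms:PutKeyPolicy",
            "Resource": "*",
            "Condition": {"Bool": {"kms:BypassPolicyLockoutSafetyCheck": "true"}},
        },
        {   # Imported key material must expire no later than 2030-01-01T00:00:00Z.
            "Sid": "ImportMustExpire",
            "Effect": "Allow",
            "Principal": {"AWS": ADMIN},
            "Action": "kms:ImportKeyMaterial",
            "Resource": "*",
            "Condition": {"NumericLessThanEquals": {"kms:ValidTo": "1893456000"}},
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_holds(op, key, expected, ctx):
    """Evaluate one operator/key/expected-value triple against a request context."""
    exp = [str(e) for e in _as_list(expected)]
    present = key in ctx
    vals = [str(v) for v in _as_list(ctx[key])] if present else []
    if op == "Null":                       # "true" = key absent, "false" = key present
        return present != (exp[0].lower() == "true")
    if op == "ForAllValues:StringEquals":  # vacuously true when the set is empty
        return all(v in exp for v in vals)
    if op == "ForAnyValue:StringEquals":
        return any(v in exp for v in vals)
    if not present:                        # single-valued operators need the key
        return False
    if op == "StringEquals":
        return vals[0] in exp
    if op == "StringNotEquals":
        return vals[0] not in exp
    if op == "Bool":
        return vals[0].lower() == exp[0].lower()
    if op == "NumericLessThanEquals":
        return float(vals[0]) <= float(exp[0])
    raise ValueError("unsupported operator: " + op)


def statement_matches(stmt, principal, action, ctx):
    p = stmt["Principal"]
    if p != "*" and principal not in _as_list(p.get("AWS", [])):
        return False
    if action not in _as_list(stmt["Action"]):
        return False
    return all(condition_holds(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for k, v in pairs.items())


def evaluate(policy, principal, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, principal, action, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

Two behaviours the tables do not spell out are visible when the policy is run: ForAllValues:StringEquals on kms:EncryptionContextKeys is true when the request carries no encryption context at all, which is why the first statement pairs it with Null: false to require the context; and an import that omits kms:ValidTo (ExpirationModel KEY_MATERIAL_DOES_NOT_EXPIRE) fails the NumericLessThanEquals test because the key is absent, which is what keeps non-expiring imports out.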

Actions, resources, and condition keys for Amazon Keyspaces (for Apache Cassandra)
Amazon Keyspaces (for Apache Cassandra) (service prefix: cassandra) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Keyspaces (for Apache Cassandra) (p. 1010)
• Resource types defined by Amazon Keyspaces (for Apache Cassandra) (p. 1012)
• Condition keys for Amazon Keyspaces (for Apache Cassandra) (p. 1013)

Actions defined by Amazon Keyspaces (for Apache Cassandra)


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Columns: Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions. Condition keys are listed only where an action has any; no action in this table has dependent actions.

Alter
    Description: Grants permission to alter a keyspace or table
    Access level: Write
    Resource types: keyspace (p. 1012), table (p. 1012)
    Condition keys: aws:RequestTag/${TagKey} (p. 1013), aws:TagKeys (p. 1013)

Create
    Description: Grants permission to create a keyspace or table
    Access level: Write
    Resource types: keyspace (p. 1012), table (p. 1012)
    Condition keys: aws:RequestTag/${TagKey} (p. 1013), aws:TagKeys (p. 1013)

Drop
    Description: Grants permission to drop a keyspace or table
    Access level: Write
    Resource types: keyspace (p. 1012), table (p. 1012)

Modify
    Description: Grants permission to INSERT, UPDATE or DELETE data in a table
    Access level: Write
    Resource types: table* (p. 1012)

Restore
    Description: Grants permission to restore a table from a backup
    Access level: Write
    Resource types: table* (p. 1012)
    Condition keys: aws:RequestTag/${TagKey} (p. 1013), aws:TagKeys (p. 1013)

Select
    Description: Grants permission to SELECT data from a table
    Access level: Read
    Resource types: table* (p. 1012)

TagResource
    Description: Grants permission to tag a keyspace or table
    Access level: Tagging
    Resource types: keyspace (p. 1012), table (p. 1012)
    Condition keys: aws:RequestTag/${TagKey} (p. 1013), aws:TagKeys (p. 1013)

UntagResource
    Description: Grants permission to untag a keyspace or table
    Access level: Tagging
    Resource types: keyspace (p. 1012), table (p. 1012)
    Condition keys: aws:RequestTag/${TagKey} (p. 1013), aws:TagKeys (p. 1013)

Resource types defined by Amazon Keyspaces (for Apache Cassandra)
The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1010) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys

keyspace    arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/                       aws:ResourceTag/${TagKey} (p. 1013)
table       arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/table/${tableName}     aws:ResourceTag/${TagKey} (p. 1013)

Condition keys for Amazon Keyspaces (for Apache Cassandra)


Amazon Keyspaces (for Apache Cassandra) defines the following condition keys that can be used in
the Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key (Type) | Description

aws:RequestTag/${TagKey} (String)
    Filters actions based on the presence of tag key-value pairs in the request

aws:ResourceTag/${TagKey} (String)
    Filters actions based on tag key-value pairs attached to the resource

aws:TagKeys (String)
    Filters actions based on the presence of tag keys in the request

Actions, resources, and condition keys for Amazon Kinesis
Amazon Kinesis (service prefix: kinesis) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Kinesis (p. 1013)
• Resource types defined by Amazon Kinesis (p. 1016)
• Condition keys for Amazon Kinesis (p. 1016)

Actions defined by Amazon Kinesis


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Columns: Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions. No action in this table has condition keys or dependent actions.

AddTagsToStream
    Description: Adds or updates tags for the specified Amazon Kinesis stream. Each stream can have up to 10 tags.
    Access level: Tagging
    Resource types: stream* (p. 1016)

CreateStream
    Description: Creates an Amazon Kinesis stream.
    Access level: Write
    Resource types: stream* (p. 1016)

DecreaseStreamRetentionPeriod
    Description: Decreases the stream's retention period, which is the length of time data records are accessible after they are added to the stream.
    Access level: Write
    Resource types: stream* (p. 1016)

DeleteStream
    Description: Deletes a stream and all its shards and data.
    Access level: Write
    Resource types: stream* (p. 1016)

DeregisterStreamConsumer
    Description: Deregisters a stream consumer with a Kinesis data stream.
    Access level: Write
    Resource types: consumer* (p. 1016), stream* (p. 1016)

DescribeLimits
    Description: Describes the shard limits and usage for the account.
    Access level: Read
    Resource types: none

DescribeStream
    Description: Describes the specified stream.
    Access level: Read
    Resource types: stream* (p. 1016)

DescribeStreamConsumer
    Description: Gets the description of a registered stream consumer.
    Access level: Read
    Resource types: consumer* (p. 1016), stream* (p. 1016)

DescribeStreamSummary
    Description: Provides a summarized description of the specified Kinesis data stream without the shard list.
    Access level: Read
    Resource types: stream* (p. 1016)

DisableEnhancedMonitoring
    Description: Disables enhanced monitoring.
    Access level: Write
    Resource types: none

EnableEnhancedMonitoring
    Description: Enables enhanced monitoring.
    Access level: Write
    Resource types: none

GetRecords
    Description: Gets data records from a shard.
    Access level: Read
    Resource types: stream* (p. 1016)

GetShardIterator
    Description: Gets a shard iterator. A shard iterator expires five minutes after it is returned to the requester.
    Access level: Read
    Resource types: stream* (p. 1016)

IncreaseStreamRetentionPeriod
    Description: Increases the stream's retention period, which is the length of time data records are accessible after they are added to the stream.
    Access level: Write
    Resource types: stream* (p. 1016)

ListShards
    Description: Lists the shards in a stream and provides information about each shard.
    Access level: List
    Resource types: none

ListStreamConsumers
    Description: Lists the stream consumers registered to receive data from a Kinesis stream using enhanced fan-out, and provides information about each consumer.
    Access level: List
    Resource types: none

ListStreams
    Description: Lists your streams.
    Access level: List
    Resource types: none

ListTagsForStream
    Description: Lists the tags for the specified Amazon Kinesis stream.
    Access level: Read
    Resource types: stream* (p. 1016)

MergeShards
    Description: Merges two adjacent shards in a stream and combines them into a single shard to reduce the stream's capacity to ingest and transport data.
    Access level: Write
    Resource types: stream* (p. 1016)

PutRecord
    Description: Writes a single data record from a producer into an Amazon Kinesis stream.
    Access level: Write
    Resource types: stream* (p. 1016)

PutRecords
    Description: Writes multiple data records from a producer into an Amazon Kinesis stream in a single call (also referred to as a PutRecords request).
    Access level: Write
    Resource types: stream* (p. 1016)

RegisterStreamConsumer
    Description: Registers a stream consumer with a Kinesis data stream.
    Access level: Write
    Resource types: consumer* (p. 1016), stream* (p. 1016)

RemoveTagsFromStream
    Description: Removes tags from the specified Amazon Kinesis stream.
    Access level: Tagging
    Resource types: stream* (p. 1016)

SplitShard
    Description: Splits a shard into two new shards in the stream, to increase the stream's capacity to ingest and transport data.
    Access level: Write
    Resource types: stream* (p. 1016)

StartStreamEncryption
    Description: Grants permission to enable or update server-side encryption using an AWS KMS key for a specified stream.
    Access level: Write
    Resource types: kmsKey* (p. 1016), stream* (p. 1016)

StopStreamEncryption
    Description: Grants permission to disable server-side encryption for a specified stream.
    Access level: Write
    Resource types: kmsKey* (p. 1016), stream* (p. 1016)

SubscribeToShard
    Description: Listens to a specific shard with enhanced fan-out.
    Access level: Read
    Resource types: consumer* (p. 1016), stream* (p. 1016)

UpdateShardCount
    Description: Updates the shard count of the specified stream to the specified number of shards.
    Access level: Write
    Resource types: none

Resource types defined by Amazon Kinesis


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1013) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys

stream      arn:${Partition}:kinesis:${Region}:${Account}:stream/${StreamName}                                                                    (none)
consumer    arn:${Partition}:kinesis:${Region}:${Account}:${StreamType}/${StreamName}/consumer/${ConsumerName}:${ConsumerCreationTimestamp}       (none)
kmsKey      arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}                                                                                (none)
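Several actions in the Kinesis table above require more than one resource type: StartStreamEncryption and StopStreamEncryption require both a stream and a kmsKey ARN, and SubscribeToShard, RegisterStreamConsumer and DeregisterStreamConsumer require both a stream and a consumer ARN, so a statement that lists only the stream ARN cannot authorize them. The Python below is an added example, not code from this reference or from AWS: it compiles the ARN templates from this table and from the Amazon Keyspaces resource-type table into matchers, classifies concrete ARNs, and reports which required resource types a statement's Resource list leaves uncovered. Wildcard matching is the simplified IAM form ('*' and '?' only), and the account ID, stream, consumer, keyspace and key identifiers are constructed.

```python
"""ARN template matching for the resource types in the tables above.

Added example, not AWS code. It turns the ARN templates of the Kinesis and
Amazon Keyspaces resource-type tables into matchers, classifies concrete
ARNs, and checks that a statement's Resource list covers every resource
type an action requires. Wildcards follow the simplified IAM rule ('*' any
run of characters, '?' one character). All identifiers are constructed.
"""
import re

# ARN templates copied from the resource-type tables (placeholders in ${...}).
ARN_TEMPLATES = {
    "kinesis:stream": "arn:${Partition}:kinesis:${Region}:${Account}:stream/${StreamName}",
    "kinesis:consumer": ("arn:${Partition}:kinesis:${Region}:${Account}:${StreamType}/"
                         "${StreamName}/consumer/${ConsumerName}:${ConsumerCreationTimestamp}"),
    "kinesis:kmsKey": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}",
    "cassandra:keyspace": "arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/",
    "cassandra:table": ("arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/"
                        "${KeyspaceName}/table/${tableName}"),
}

# Required (*) resource types per action, taken from the actions tables above.
REQUIRED_TYPES = {
    "kinesis:PutRecord": ["kinesis:stream"],
    "kinesis:StartStreamEncryption": ["kinesis:stream", "kinesis:kmsKey"],
    "kinesis:StopStreamEncryption": ["kinesis:stream", "kinesis:kmsKey"],
    "kinesis:SubscribeToShard": ["kinesis:stream", "kinesis:consumer"],
    "cassandra:Select": ["cassandra:table"],
}


def template_to_regex(template):
    """Turn an ARN template into an anchored regex with one named group per placeholder."""
    pattern = ""
    for piece in re.split(r"(\$\{[A-Za-z]+\})", template):
        if piece.startswith("${"):
            # Placeholder values never contain ':' or '/', which keeps segments unambiguous.
            pattern += "(?P<%s>[^:/]+)" % piece[2:-1]
        else:
            pattern += re.escape(piece)
    return re.compile("^" + pattern + "$")


_COMPILED = {rtype: template_to_regex(t) for rtype, t in ARN_TEMPLATES.items()}


def parse_arn(arn):
    """Return (resource_type, placeholder values) for a concrete ARN, or (None, {})."""
    for rtype, rx in _COMPILED.items():
        m = rx.match(arn)
        if m:
            return rtype, m.groupdict()
    return None, {}


def iam_glob_match(pattern, arn):
    """IAM Resource wildcard match: '*' = any characters, '?' = one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, arn) is not None


def missing_resource_types(action, request_arns, statement_resources):
    """Required types of `action` that none of the statement's Resource patterns cover."""
    covered = set()
    for arn in request_arns:
        rtype, _ = parse_arn(arn)
        if rtype and any(iam_glob_match(p, arn) for p in statement_resources):
            covered.add(rtype)
    return [t for t in REQUIRED_TYPES[action] if t not in covered]


if __name__ == "__main__":
    stream = "arn:aws:kinesis:us-east-1:111122223333:stream/orders"
    key = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    # A statement naming only the stream leaves the kmsKey requirement uncovered.
    print(missing_resource_types("kinesis:StartStreamEncryption", [stream, key], [stream]))
    print(missing_resource_types("kinesis:StartStreamEncryption", [stream, key], [stream, key]))
```

Because the consumer template embeds the stream name, a wildcard on the stream ARN such as stream/orders* would also match that stream's consumer ARNs; listing the consumer ARN (or a pattern for it) explicitly is clearer about which resource types the statement is meant to cover.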

Condition keys for Amazon Kinesis


Kinesis has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Kinesis Analytics
Amazon Kinesis Analytics (service prefix: kinesisanalytics) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Kinesis Analytics (p. 1017)
• Resource types defined by Amazon Kinesis Analytics (p. 1019)
• Condition keys for Amazon Kinesis Analytics (p. 1019)

Actions defined by Amazon Kinesis Analytics


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Columns: Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions. Condition keys are listed only where an action has any; no action in this table has dependent actions.

AddApplicationInput
    Description: Adds input to the application.
    Access level: Write
    Resource types: application* (p. 1019)

AddApplicationOutput
    Description: Adds output to the application.
    Access level: Write
    Resource types: application* (p. 1019)

AddApplicationReferenceDataSource
    Description: Adds a reference data source to the application.
    Access level: Write
    Resource types: application* (p. 1019)

CreateApplication
    Description: Creates an application.
    Access level: Write
    Resource types: none
    Condition keys: aws:RequestTag/${TagKey} (p. 1019), aws:TagKeys (p. 1019)

DeleteApplication
    Description: Deletes the application.
    Access level: Write
    Resource types: application* (p. 1019)

DeleteApplicationOutput
    Description: Deletes the specified output of the application.
    Access level: Write
    Resource types: application* (p. 1019)

DeleteApplicationReferenceDataSource
    Description: Deletes the specified reference data source of the application.
    Access level: Write
    Resource types: application* (p. 1019)

DescribeApplication
    Description: Describes the specified application.
    Access level: Read
    Resource types: application* (p. 1019)

DiscoverInputSchema
    Description: Discovers the input schema for the application.
    Access level: Read
    Resource types: none

GetApplicationState [permission only]
    Description: Grants permission to the Kinesis Data Analytics console to display stream results for Kinesis Data Analytics SQL runtime applications.
    Access level: Read
    Resource types: application* (p. 1019)

ListApplications
    Description: Lists applications for the account.
    Access level: List
    Resource types: none

ListTagsForResource
    Description: Fetches the tags associated with the application.
    Access level: Read
    Resource types: application* (p. 1019)

StartApplication
    Description: Starts the application.
    Access level: Write
    Resource types: application* (p. 1019)

StopApplication
    Description: Stops the application.
    Access level: Write
    Resource types: application* (p. 1019)

TagResource
    Description: Adds tags to the application.
    Access level: Tagging
    Resource types: application* (p. 1019)
    Condition keys: aws:RequestTag/${TagKey} (p. 1019), aws:TagKeys (p. 1019)

UntagResource
    Description: Removes the specified tags from the application.
    Access level: Tagging
    Resource types: application* (p. 1019)
    Condition keys: aws:TagKeys (p. 1019)

UpdateApplication
    Description: Updates the application.
    Access level: Write
    Resource types: application* (p. 1019)

Resource types defined by Amazon Kinesis Analytics


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1017) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys

application    arn:${Partition}:kinesisanalytics:${Region}:${Account}:application/${ApplicationName}    aws:ResourceTag/${TagKey} (p. 1019)

Condition keys for Amazon Kinesis Analytics


Amazon Kinesis Analytics defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key (Type) | Description

aws:RequestTag/${TagKey} (String)
    Filters actions based on the allowed set of values for each of the tags

aws:ResourceTag/${TagKey} (String)
    Filters actions based on the tag value associated with the resource

aws:TagKeys (String)
    Filters actions based on the presence of mandatory tag keys in the request

Actions, resources, and condition keys for Amazon Kinesis Analytics V2
Amazon Kinesis Analytics V2 (service prefix: kinesisanalytics) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Kinesis Analytics V2 (p. 1020)
• Resource types defined by Amazon Kinesis Analytics V2 (p. 1022)
• Condition keys for Amazon Kinesis Analytics V2 (p. 1022)

Actions defined by Amazon Kinesis Analytics V2


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
AddApplicationCloudWatchLoggingOption | Adds cloudwatch logging option to the application. | Write | application* (p. 1022) | |
AddApplicationInput | Adds input to the application. | Write | application* (p. 1022) | |
AddApplicationInputProcessingConfiguration | Adds input processing configuration to the application. | Write | application* (p. 1022) | |
AddApplicationOutput | Adds output to the application. | Write | application* (p. 1022) | |
AddApplicationReferenceDataSource | Adds reference data source to the application. | Write | application* (p. 1022) | |
AddApplicationVpcConfiguration | Adds VPC configuration to the application. | Write | application* (p. 1022) | |
CreateApplication | Creates an application. | Write | | aws:RequestTag/${TagKey} (p. 1022), aws:TagKeys (p. 1022) |
CreateApplicationSnapshot | Creates a snapshot for an application. | Write | application* (p. 1022) | |
DeleteApplication | Deletes the application. | Write | application* (p. 1022) | |
DeleteApplicationCloudWatchLoggingOption | Deletes the specified cloudwatch logging option of the application. | Write | application* (p. 1022) | |
DeleteApplicationInputProcessingConfiguration | Deletes the specified input processing configuration of the application. | Write | application* (p. 1022) | |
DeleteApplicationOutput | Deletes the specified output of the application. | Write | application* (p. 1022) | |
DeleteApplicationReferenceDataSource | Deletes the specified reference data source of the application. | Write | application* (p. 1022) | |
DeleteApplicationSnapshot | Deletes a snapshot for an application. | Write | application* (p. 1022) | |
DeleteApplicationVpcConfiguration | Deletes the specified VPC configuration of the application. | Write | application* (p. 1022) | |
DescribeApplication | Describes the specified application. | Read | application* (p. 1022) | |
DescribeApplicationSnapshot | Describes an application snapshot. | Read | application* (p. 1022) | |
DiscoverInputSchema | Discovers the input schema for the application. | Read | | |
ListApplicationSnapshots | Lists the snapshots for an application. | Read | application* (p. 1022) | |
ListApplications | List applications for the account | List | | |
ListTagsForResource | Fetch the tags associated with the application. | Read | application* (p. 1022) | |
StartApplication | Starts the application. | Write | application* (p. 1022) | |
StopApplication | Stops the application. | Write | application* (p. 1022) | |
TagResource | Add tags to the application. | Tagging | application* (p. 1022) | aws:RequestTag/${TagKey} (p. 1022), aws:TagKeys (p. 1022) |
UntagResource | Remove the specified tags from the application. | Tagging | application* (p. 1022) | aws:TagKeys (p. 1022) |
UpdateApplication | Updates the application. | Write | application* (p. 1022) | |

Resource types defined by Amazon Kinesis Analytics V2

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1020) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
--- | --- | ---
application | arn:${Partition}:kinesisanalytics:${Region}:${Account}:application/${ApplicationName} | aws:ResourceTag/${TagKey} (p. 1022)

Condition keys for Amazon Kinesis Analytics V2

Amazon Kinesis Analytics V2 defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
--- | --- | ---
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource | String
aws:TagKeys | Filters actions based on the presence of mandatory tag keys in the request | String
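The three tag keys above are what make attribute-based access control work for this service, and they behave differently depending on whether an action takes a resource type. The following identity-based policy is an added example, not taken from this reference or from AWS; it assumes a constructed tag key team with the value payments, the placeholder account ID 111122223333 and the us-east-1 Region. JSON policy documents carry no comments, so every assumption is named here rather than in the block. The policy shows that CreateApplication, which has no resource type in the actions table, must use "Resource": "*" and can only be constrained through aws:RequestTag and aws:TagKeys, while actions that take the application resource type can be scoped by the application ARN and aws:ResourceTag. The same pattern applies unchanged to Amazon Kinesis Firehose (firehose:CreateDeliveryStream, firehose:TagDeliveryStream and the deliverystream ARN), whose keys are listed later in this section.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOnlyWhenTaggedWithOwningTeam",
      "Effect": "Allow",
      "Action": "kinesisanalytics:CreateApplication",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/team": "payments" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["team", "env"] }
      }
    },
    {
      "Sid": "OperateOnlyOnOwnTeamsApplications",
      "Effect": "Allow",
      "Action": [
        "kinesisanalytics:DescribeApplication",
        "kinesisanalytics:StartApplication",
        "kinesisanalytics:StopApplication",
        "kinesisanalytics:UpdateApplication"
      ],
      "Resource": "arn:aws:kinesisanalytics:us-east-1:111122223333:application/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/team": "payments" }
      }
    },
    {
      "Sid": "AdjustTagsButNeverTheOwnershipTag",
      "Effect": "Allow",
      "Action": [
        "kinesisanalytics:TagResource",
        "kinesisanalytics:UntagResource"
      ],
      "Resource": "arn:aws:kinesisanalytics:us-east-1:111122223333:application/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/team": "payments" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["env"] }
      }
    },
    {
      "Sid": "AccountWideActionsWithoutAResourceType",
      "Effect": "Allow",
      "Action": [
        "kinesisanalytics:ListApplications",
        "kinesisanalytics:DiscoverInputSchema"
      ],
      "Resource": "*"
    }
  ]
}
```

Two details carry the security weight. In the first statement, the StringEquals test on aws:RequestTag/team fails when the request carries no team tag at all, so it is what forces the ownership tag to be present; the ForAllValues test on aws:TagKeys on its own would pass a request with no tags, because a set operator over an absent multi-valued key evaluates to true. In the third statement, UntagResource supports only aws:TagKeys (see the actions table), so limiting aws:TagKeys to env is what prevents the team tag from being removed or overwritten and the application from being re-homed to another team.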

Actions, resources, and condition keys for Amazon Kinesis Firehose

Amazon Kinesis Firehose (service prefix: firehose) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Kinesis Firehose (p. 1023)
• Resource types defined by Amazon Kinesis Firehose (p. 1024)
• Condition keys for Amazon Kinesis Firehose (p. 1024)

Actions defined by Amazon Kinesis Firehose


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
CreateDeliveryStream | Creates a delivery stream. | Write | deliverystream* (p. 1024) | aws:RequestTag/${TagKey} (p. 1025), aws:TagKeys (p. 1025) |
DeleteDeliveryStream | Deletes a delivery stream and its data. | Write | deliverystream* (p. 1024) | |
DescribeDeliveryStream | Describes the specified delivery stream and gets the status. | List | deliverystream* (p. 1024) | |
ListDeliveryStreams | Lists your delivery streams. | List | | |
ListTagsForDeliveryStream | Lists the tags for the specified delivery stream. | List | deliverystream* (p. 1024) | |
PutRecord | Writes a single data record into an Amazon Kinesis Firehose delivery stream. | Write | deliverystream* (p. 1024) | |
PutRecordBatch | Writes multiple data records into a delivery stream in a single call, which can achieve higher throughput per producer than when writing single records. | Write | deliverystream* (p. 1024) | |
StartDeliveryStreamEncryption | Enables server-side encryption (SSE) for the delivery stream. | Write | deliverystream* (p. 1024) | |
StopDeliveryStreamEncryption | Disables the specified destination of the specified delivery stream. | Write | deliverystream* (p. 1024) | |
TagDeliveryStream | Adds or updates tags for the specified delivery stream. | Write | deliverystream* (p. 1024) | aws:RequestTag/${TagKey} (p. 1025), aws:TagKeys (p. 1025) |
UntagDeliveryStream | Removes tags from the specified delivery stream. | Write | deliverystream* (p. 1024) | aws:TagKeys (p. 1025) |
UpdateDestination | Updates the specified destination of the specified delivery stream. | Write | deliverystream* (p. 1024) | |

Resource types defined by Amazon Kinesis Firehose

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1023) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
--- | --- | ---
deliverystream | arn:${Partition}:firehose:${Region}:${Account}:deliverystream/${DeliveryStreamName} | aws:ResourceTag/${TagKey} (p. 1025)

Condition keys for Amazon Kinesis Firehose

Amazon Kinesis Firehose defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
--- | --- | ---
aws:RequestTag/${TagKey} | Filters create requests based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource. | String
aws:TagKeys | Filters create requests based on the presence of mandatory tags in the request | String

Actions, resources, and condition keys for Amazon Kinesis Video Streams

Amazon Kinesis Video Streams (service prefix: kinesisvideo) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Kinesis Video Streams (p. 1025)
• Resource types defined by Amazon Kinesis Video Streams (p. 1028)
• Condition keys for Amazon Kinesis Video Streams (p. 1029)

Actions defined by Amazon Kinesis Video Streams


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).


Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
ConnectAsMaster | Grants permission to connect as a master to the signaling channel specified by the endpoint | Write | channel* (p. 1029) | |
ConnectAsViewer | Grants permission to connect as a viewer to the signaling channel specified by the endpoint | Write | channel* (p. 1029) | |
CreateSignalingChannel | Grants permission to create a signaling channel | Write | channel* (p. 1029) | aws:RequestTag/${TagKey} (p. 1029), aws:TagKeys (p. 1029) |
CreateStream | Grants permission to create a Kinesis video stream | Write | stream* (p. 1029) | aws:RequestTag/${TagKey} (p. 1029), aws:TagKeys (p. 1029) |
DeleteSignalingChannel | Grants permission to delete an existing signaling channel | Write | channel* (p. 1029) | |
DeleteStream | Grants permission to delete an existing Kinesis video stream | Write | stream* (p. 1029) | |
DescribeSignalingChannel | Grants permission to describe the specified signaling channel | List | channel* (p. 1029) | |
DescribeStream | Grants permission to describe the specified Kinesis video stream | List | stream* (p. 1029) | |
GetClip | Grants permission to get a media clip from a video stream | Read | stream* (p. 1029) | |
GetDASHStreamingSessionURL | Grants permission to create a URL for MPEG-DASH video streaming | Read | stream* (p. 1029) | |
GetDataEndpoint | Grants permission to get an endpoint for a specified stream for either reading or writing media data to Kinesis Video Streams | Read | stream* (p. 1029) | |
GetHLSStreamingSessionURL | Grants permission to create a URL for HLS video streaming | Read | stream* (p. 1029) | |
GetIceServerConfig | Grants permission to get the ICE server configuration | Read | channel* (p. 1029) | |
GetMedia | Grants permission to return media content of a Kinesis video stream | Read | stream* (p. 1029) | |
GetMediaForFragmentList | Grants permission to read and return media data only from persisted storage | Read | stream* (p. 1029) | |
GetSignalingChannelEndpoint | Grants permission to get endpoints for a specified combination of protocol and role for a signaling channel | Read | channel* (p. 1029) | |
ListFragments | Grants permission to list the fragments from archival storage based on the pagination token or selector type with range specified | List | stream* (p. 1029) | |
ListSignalingChannels | Grants permission to list your signaling channels | List | | |
ListStreams | Grants permission to list your Kinesis video streams | List | | |
ListTagsForResource | Grants permission to fetch the tags associated with your resource | Read | channel (p. 1029), stream (p. 1029) | |
ListTagsForStream | Grants permission to fetch the tags associated with Kinesis video stream | Read | stream* (p. 1029) | |
PutMedia | Grants permission to send media data to a Kinesis video stream | Write | stream* (p. 1029) | |
SendAlexaOfferToMaster | Grants permission to send the Alexa SDP offer to the master | Write | channel* (p. 1029) | |
TagResource | Grants permission to attach set of tags to your resource | Tagging | channel (p. 1029), stream (p. 1029) | aws:RequestTag/${TagKey} (p. 1029), aws:TagKeys (p. 1029) |
TagStream | Grants permission to attach set of tags to your Kinesis video streams | Tagging | stream* (p. 1029) | aws:RequestTag/${TagKey} (p. 1029), aws:TagKeys (p. 1029) |
UntagResource | Grants permission to remove one or more tags from your resource | Tagging | channel (p. 1029), stream (p. 1029) | aws:TagKeys (p. 1029) |
UntagStream | Grants permission to remove one or more tags from your Kinesis video streams | Tagging | stream* (p. 1029) | aws:TagKeys (p. 1029) |
UpdateDataRetention | Grants permission to update the data retention period of your Kinesis video stream | Write | stream* (p. 1029) | |
UpdateSignalingChannel | Grants permission to update an existing signaling channel | Write | channel* (p. 1029) | |
UpdateStream | Grants permission to update an existing Kinesis video stream | Write | stream* (p. 1029) | |

Resource types defined by Amazon Kinesis Video Streams


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1025) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).


Resource types | ARN | Condition keys
--- | --- | ---
stream | arn:${Partition}:kinesisvideo:${Region}:${Account}:stream/${StreamName}/${CreationTime} | aws:ResourceTag/${TagKey} (p. 1029)
channel | arn:${Partition}:kinesisvideo:${Region}:${Account}:channel/${ChannelName}/${CreationTime} | aws:ResourceTag/${TagKey} (p. 1029)

Condition keys for Amazon Kinesis Video Streams


Amazon Kinesis Video Streams defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
--- | --- | ---
aws:RequestTag/${TagKey} | Filters requests based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the stream. | String
aws:TagKeys | Filters requests based on the presence of mandatory tag keys in the request | String

Actions, resources, and condition keys for AWS Lake Formation

AWS Lake Formation (service prefix: lakeformation) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Lake Formation (p. 1030)
• Resource types defined by AWS Lake Formation (p. 1031)
• Condition keys for AWS Lake Formation (p. 1031)

Actions defined by AWS Lake Formation


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
--- | --- | --- | --- | --- | ---
BatchGrantPermissions | Grants data lake permissions to one or more principals in a batch. | Permissions management | | |
BatchRevokePermissions | Revokes data lake permissions from one or more principals in a batch. | Permissions management | | |
DeregisterResource | Deregisters a registered location. | Write | | |
DescribeResource | Describes a registered location. | Read | | |
GetDataAccess | Grants virtual data lake access permissions. | Write | | |
GetDataLakeSettings | Retrieves data lake settings such as the list of data lake administrators and database and table default permissions. | Read | | |
GetEffectivePermissionsForPath | Retrieves permissions attached to resources in the given path. | Read | | |
GrantPermissions | Grants data lake permissions to a principal. | Permissions management | | |
ListPermissions | Lists permissions filtered by principal or resource. | List | | |
ListResources | Lists registered locations. | List | | |
PutDataLakeSettings | Overwrites data lake settings such as the list of data lake administrators and database and table default permissions. | Permissions management | | |
RegisterResource | Registers a new location to be managed by Lake Formation. | Write | | |
RevokePermissions | Revokes data lake permissions from a principal. | Permissions management | | |
UpdateResource | Updates a registered location. | Write | | |

Resource types defined by AWS Lake Formation

AWS Lake Formation does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to AWS Lake Formation, specify "Resource": "*" in your policy.

Condition keys for AWS Lake Formation

Lake Formation has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS Lambda

AWS Lambda (service prefix: lambda) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Lambda (p. 1031)
• Resource types defined by AWS Lambda (p. 1037)
• Condition keys for AWS Lambda (p. 1038)

Actions defined by AWS Lambda


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).
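Several rows in the actions table that follows carry service-specific condition keys: lambda:VpcIds, lambda:SubnetIds, lambda:SecurityGroupIds and lambda:Layer on CreateFunction, lambda:Principal on AddPermission and RemovePermission, and lambda:FunctionArn on the event source mapping actions. The identity-based policy below is an added example, not taken from this reference or from the Lambda documentation, showing how those keys bound what a deployment role may do; it assumes the placeholder account ID 111122223333, Region us-east-1, constructed VPC, subnet and security group IDs, and a constructed function name prefix orders-. JSON policy documents carry no comments, so every assumption is named here rather than in the block.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateFunctionsOnlyInsideTheApprovedVpc",
      "Effect": "Allow",
      "Action": "lambda:CreateFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:orders-*",
      "Condition": {
        "StringEquals": { "lambda:VpcIds": "vpc-0a1b2c3d4e5f67890" },
        "ForAllValues:StringEquals": {
          "lambda:SubnetIds": [
            "subnet-0a1b2c3d4e5f67891",
            "subnet-0a1b2c3d4e5f67892"
          ],
          "lambda:SecurityGroupIds": ["sg-0a1b2c3d4e5f67893"]
        }
      }
    },
    {
      "Sid": "GrantInvokeOnlyToTheEventBridgeService",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission"
      ],
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:orders-*",
      "Condition": {
        "StringEquals": { "lambda:Principal": "events.amazonaws.com" }
      }
    },
    {
      "Sid": "EventSourceMappingsOnlyForOrdersFunctions",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateEventSourceMapping",
        "lambda:UpdateEventSourceMapping",
        "lambda:DeleteEventSourceMapping"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "lambda:FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:orders-*"
        }
      }
    }
  ]
}
```

Three points are worth checking when adapting this. The StringEquals test on lambda:VpcIds fails when a CreateFunction request carries no VPC configuration at all, so a function cannot be created outside a VPC under this statement; the ForAllValues tests on the subnet and security group lists would not achieve that on their own, because a set operator over an absent multi-valued key evaluates to true. The AddPermission statement is the one that governs a function's resource-based policy, so constraining lambda:Principal is what stops the deployment role from granting invoke rights to an arbitrary account or service. Finally, the table shows no resource type for CreateEventSourceMapping, which is why the third statement uses "Resource": "*" and relies on lambda:FunctionArn to limit which functions may be wired to an event source.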

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to add Permissions layerVersion*   


AddLayerVersionPermission
permissions to the resource- management (p. 1038)
based policy of a version of an
AWS Lambda layer

Grants permission to give an Permissions function*    


AddPermission AWS service or another account management (p. 1038)
permission to use an AWS
Lambda function   lambda:Principal
 
(p. 1038)

CreateAlias Grants permission to create Write function*    


an alias for a Lambda function (p. 1038)
version

Grants permission to create Write code    


CreateCodeSigningConfig
an AWS Lambda code signing signing
config config*
(p. 1038)

Grants permission to create Write   lambda:FunctionArn


 
CreateEventSourceMapping
a mapping between an event (p. 1038)
source and an AWS Lambda
function

Grants permission to create an Write function*    


CreateFunction AWS Lambda function (p. 1038)

  lambda:Layer 
(p. 1038)

lambda:VpcIds
(p. 1038)

lambda:SubnetIds
(p. 1038)

lambda:SecurityGroupIds
(p. 1038)

DeleteAlias Grants permission to delete an Write function*    


AWS Lambda function alias (p. 1038)

Grants permission to delete Write code    


DeleteCodeSigningConfig
an AWS Lambda code signing signing
config config*
(p. 1038)

1032
Service Authorization Reference
Service Authorization Reference
AWS Lambda

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to delete Write eventSourceMapping*


   
DeleteEventSourceMapping
an AWS Lambda event source (p. 1038)
mapping
  lambda:FunctionArn
 
(p. 1038)

Grants permission to delete an Write function*    


DeleteFunction AWS Lambda function (p. 1038)

Grants permission to detach Write function*    


DeleteFunctionCodeSigningConfig
a code signing config from an (p. 1038)
AWS Lambda function

Grants permission to remove a Write function*    


DeleteFunctionConcurrency
concurrent execution limit from (p. 1038)
an AWS Lambda function

Grants permission to delete the Write function*    


DeleteFunctionEventInvokeConfig
configuration for asynchronous (p. 1038)
invocation for an AWS Lambda
function, version, or alias

Grants permission to delete a Write layerVersion*   


DeleteLayerVersion
version of an AWS Lambda layer (p. 1038)

Grants permission to delete Write function    


DeleteProvisionedConcurrencyConfig
the provisioned concurrency alias
configuration for an AWS (p. 1038)
Lambda function
function    
version
(p. 1038)

Grants permission to disable Permissions function*    


DisableReplicationreplication for a Lambda@Edge management (p. 1038)
[permission function
only]

Grants permission to enable Permissions function*    


EnableReplicationreplication for a Lambda@Edge management (p. 1038)
[permission function
only]

Grants permission to view Read      


GetAccountSettings
details about an account's limits
and usage in an AWS Region

GetAlias Grants permission to view Read function*    


details about an AWS Lambda (p. 1038)
function alias

Grants permission to view Read code    


GetCodeSigningConfig
details about an AWS Lambda signing
code signing config config*
(p. 1038)

1033
Service Authorization Reference
Service Authorization Reference
AWS Lambda

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to view Read eventSourceMapping*


   
GetEventSourceMapping
details about an AWS Lambda (p. 1038)
event source mapping
  lambda:FunctionArn
 
(p. 1038)

GetFunction Grants permission to view Read function*    


details about an AWS Lambda (p. 1038)
function

Grants permission to view the Read function*    


GetFunctionCodeSigningConfig
code signing config arn attached (p. 1038)
to an AWS Lambda function

Grants permission to view Read function*    


GetFunctionConcurrency
details about the reserved (p. 1038)
concurrency configuration for a
function

Grants permission to view Read function*    


GetFunctionConfiguration
details about the version-specific (p. 1038)
settings of an AWS Lambda
function or version

Grants permission to view the Read function*    


GetFunctionEventInvokeConfig
configuration for asynchronous (p. 1038)
invocation for a function,
version, or alias

Grants permission to view Read layerVersion*   


GetLayerVersion details about a version of (p. 1038)
an AWS Lambda layer. Note
this action also supports
GetLayerVersionByArn API

Grants permission to view the Read layerVersion*   


GetLayerVersionPolicy
resource-based policy for a (p. 1038)
version of an AWS Lambda layer

GetPolicy Grants permission to view the Read function*    


resource-based policy for an (p. 1038)
AWS Lambda function, version,
or alias

Grants permission to view Read function    


GetProvisionedConcurrencyConfig
the provisioned concurrency alias
configuration for an AWS (p. 1038)
Lambda function's alias or
version function    
version
(p. 1038)

InvokeAsync (Deprecated) Grants Write function*    


permission to invoke a function (p. 1038)
asynchronously

1034
Service Authorization Reference
Service Authorization Reference
AWS Lambda

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to invoke an Write function*    


InvokeFunction AWS Lambda function (p. 1038)
[permission
only]

ListAliases Grants permission to retrieve List function*    


a list of aliases for an AWS (p. 1038)
Lambda function

Grants permission to retrieve a List      


ListCodeSigningConfigs
list of AWS Lambda code signing
configs

Grants permission to retrieve a List      


ListEventSourceMappings
list of AWS Lambda event source
mappings

Grants permission to retrieve List function*    


ListFunctionEventInvokeConfigs
a list of configurations for (p. 1038)
asynchronous invocation for a
function

ListFunctions Grants permission to retrieve a List      


list of AWS Lambda functions,
with the version-specific
configuration of each function

Grants permission to retrieve a List code    


ListFunctionsByCodeSigningConfig
list of AWS Lambda functions by signing
the code signing config assigned config*
(p. 1038)

Grants permission to retrieve List      


ListLayerVersions a list of versions of an AWS
Lambda layer

ListLayers Grants permission to retrieve a List      


list of AWS Lambda layers, with
details about the latest version
of each layer

Grants permission to retrieve a List function*    


ListProvisionedConcurrencyConfigs
list of provisioned concurrency (p. 1038)
configurations for an AWS
Lambda function

ListTags Grants permission to retrieve a Read function*    


list of tags for an AWS Lambda (p. 1038)
function

Grants permission to retrieve List function*    


ListVersionsByFunction
a list of versions for an AWS (p. 1038)
Lambda function

PublishLayerVersion | Grants permission to create an AWS Lambda layer | Write | layer* | - | -
PublishVersion | Grants permission to create an AWS Lambda function version | Write | function* | - | -
PutFunctionCodeSigningConfig | Grants permission to attach a code signing config to an AWS Lambda function | Write | code signing config*, function* | - | -
PutFunctionConcurrency | Grants permission to configure reserved concurrency for an AWS Lambda function | Write | function* | - | -
PutFunctionEventInvokeConfig | Grants permission to configure options for asynchronous invocation on an AWS Lambda function, version, or alias | Write | function* | - | -
PutProvisionedConcurrencyConfig | Grants permission to configure provisioned concurrency for an AWS Lambda function's alias or version | Write | function alias, function version | - | -
RemoveLayerVersionPermission | Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer | Permissions management | layerVersion* | - | -
RemovePermission | Grants permission to revoke function-use permission from an AWS service or another account | Permissions management | function* | lambda:Principal | -
TagResource | Grants permission to add tags to an AWS Lambda function | Write | function* | - | -
UntagResource | Grants permission to remove tags from an AWS Lambda function | Write | function* | - | -
UpdateAlias | Grants permission to update the configuration of an AWS Lambda function's alias | Write | function* | - | -
UpdateCodeSigningConfig | Grants permission to update an AWS Lambda code signing config | Write | code signing config* | - | -
UpdateEventSourceMapping | Grants permission to update the configuration of an AWS Lambda event source mapping | Write | eventSourceMapping* | lambda:FunctionArn | -
UpdateFunctionCode | Grants permission to update the code of an AWS Lambda function | Write | function* | - | -
UpdateFunctionCodeSigningConfig | Grants permission to update the code signing config of an AWS Lambda function | Write | code signing config*, function* | - | -
UpdateFunctionConfiguration | Grants permission to modify the version-specific settings of an AWS Lambda function | Write | function* | lambda:Layer, lambda:VpcIds, lambda:SubnetIds, lambda:SecurityGroupIds | -
UpdateFunctionEventInvokeConfig | Grants permission to update the configuration for asynchronous invocation for an AWS Lambda function, version, or alias | Write | function* | - | -

Resource types defined by AWS Lambda


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1031) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
code signing config | arn:${Partition}:lambda:${Region}:${Account}:codesigningconfig:${CodeSigningConfigId} | -
eventSourceMapping | arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID} | -
function | arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName} | -
function alias | arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Alias} | -
function version | arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Version} | -
layer | arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName} | -
layerVersion | arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}:${LayerVersion} | -

Condition keys for AWS Lambda


AWS Lambda defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
lambda:CodeSigningConfigArn | Filters access by the ARN of an AWS Lambda code signing config | String
lambda:FunctionArn | Filters access by the ARN of an AWS Lambda function | ARN
lambda:Layer | Filters access by the ARN of an AWS Lambda layer | String
lambda:Principal | Filters access by restricting the AWS service or account that can invoke a function | String
lambda:SecurityGroupIds | Filters access by the ID of security groups configured for the AWS Lambda function | String
lambda:SubnetIds | Filters access by the ID of subnets configured for the AWS Lambda function | String
lambda:VpcIds | Filters access by the ID of the VPC configured for the AWS Lambda function | String

Actions, resources, and condition keys for Launch Wizard
Launch Wizard (service prefix: launchwizard) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.

Topics
• Actions defined by Launch Wizard (p. 1039)
• Resource types defined by Launch Wizard (p. 1040)
• Condition keys for Launch Wizard (p. 1040)

Actions defined by Launch Wizard


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
DeleteApp [permission only] | Delete an application | Write | - | - | -
DescribeProvisionedApp [permission only] | Describe provisioned applications | Read | - | - | -
DescribeProvisioningEvents [permission only] | Describe provisioning events | Read | - | - | -
GetInfrastructureSuggestion [permission only] | Get infrastructure suggestion | Read | - | - | -
GetIpAddress [permission only] | Get the customer's IP address | Read | - | - | -
GetResourceCostEstimate [permission only] | Get resource cost estimate | Read | - | - | -
ListProvisionedApps [permission only] | List provisioned applications | List | - | - | -
StartProvisioning [permission only] | Start provisioning | Write | - | - | -

Resource types defined by Launch Wizard


Launch Wizard does not support specifying a resource ARN in the Resource element of an IAM policy
statement. To allow access to Launch Wizard, specify "Resource": "*" in your policy.
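The following is an added example, not part of the Service Authorization Reference: a small Python checker that encodes a few rows of the AWS Lambda action, resource-type and condition-key tables above together with the Launch Wizard rule that only Resource "*" is valid, and lints IAM statements against them. The action names, ARN templates and condition keys are transcribed from this page; the account ID, function names, VPC and subnet IDs and the policy statements are constructed for the example, and the Launch Wizard ARN in the last statement is deliberately made up to trigger the finding.

```python
"""Added example (not part of the Service Authorization Reference): check IAM statements against
the action, resource-type and condition-key rows tabulated on this page for AWS Lambda and
Launch Wizard. Table rows are transcribed from the page; the policies below are constructed."""
from fnmatch import fnmatchcase

# ARN templates from the "Resource types defined by AWS Lambda" table.
ARN_TEMPLATES = {
    "function": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}",
    "function alias": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Alias}",
    "function version": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Version}",
    "eventSourceMapping": "arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID}",
}

# action -> (resource types: '*' suffix = required, empty tuple = only Resource "*" is valid;
#            service-specific condition keys the action supports). Rows from the actions tables.
ACTIONS = {
    "lambda:UpdateFunctionConfiguration": (("function*",),
        {"lambda:Layer", "lambda:VpcIds", "lambda:SubnetIds", "lambda:SecurityGroupIds"}),
    "lambda:RemovePermission": (("function*",), {"lambda:Principal"}),
    "lambda:UpdateEventSourceMapping": (("eventSourceMapping*",), {"lambda:FunctionArn"}),
    "lambda:PutProvisionedConcurrencyConfig": (("function alias", "function version"), set()),
    "lambda:ListFunctions": ((), set()),
    "launchwizard:StartProvisioning": ((), set()),  # Launch Wizard defines no resource types
}


def arn_matches_template(policy_arn, template):
    """Segment-wise comparison: a ${Placeholder} segment accepts any value; a literal segment must
    match the policy segment, which may carry * and ? wildcards within that segment."""
    p_parts, t_parts = policy_arn.split(":"), template.split(":")
    if len(p_parts) != len(t_parts):
        return False
    return all(t.startswith("${") or fnmatchcase(t, p) for p, t in zip(p_parts, t_parts))


def lint_statement(stmt):
    """Return findings for one policy statement; an empty list means it is consistent with the tables."""
    findings = []
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    used_keys = {k for tests in stmt.get("Condition", {}).values() for k in tests}
    for action in actions:
        if action not in ACTIONS:
            findings.append(f"{action}: not in this checker's table")
            continue
        res_types, cond_keys = ACTIONS[action]
        for res in resources:
            if res == "*":
                continue  # valid for every action, but broader than a scoped ARN
            if not res_types:
                findings.append(f'{action}: supports no resource types, Resource must be "*" (got {res})')
            elif not any(arn_matches_template(res, ARN_TEMPLATES[t.rstrip("*")]) for t in res_types):
                findings.append(f"{action}: {res} matches none of {', '.join(res_types)}")
        service = action.split(":")[0] + ":"
        for key in sorted(used_keys):
            if key.startswith(service) and key not in cond_keys:
                findings.append(f"{action}: condition key {key} is not supported by this action")
    return findings


ACCOUNT = "123456789012"  # constructed
# Pin UpdateFunctionConfiguration to one VPC and an approved subnet list; both keys are in the table.
PIN_TO_APPROVED_VPC = {
    "Effect": "Allow", "Action": ["lambda:UpdateFunctionConfiguration"],
    "Resource": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:*",
    "Condition": {"StringEquals": {"lambda:VpcIds": "vpc-0a1b2c3d4e5f67890"},
                  "ForAllValues:StringEquals": {"lambda:SubnetIds": ["subnet-0aaa", "subnet-0bbb"]}},
}
# ListFunctions has no resource types and no condition keys: both parts of this statement are wrong.
WRONG_LIST_STATEMENT = {
    "Effect": "Allow", "Action": "lambda:ListFunctions",
    "Resource": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:*",
    "Condition": {"StringEquals": {"lambda:FunctionArn": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:orders"}},
}
# Launch Wizard actions accept only Resource "*" (this ARN is made up purely to trigger the finding).
SCOPED_LAUNCH_WIZARD = {
    "Effect": "Allow", "Action": "launchwizard:StartProvisioning",
    "Resource": f"arn:aws:launchwizard:us-east-1:{ACCOUNT}:deployment/example",
}
# Provisioned concurrency targets an alias or version; the unqualified function ARN matches neither.
UNQUALIFIED_PC = {
    "Effect": "Allow", "Action": "lambda:PutProvisionedConcurrencyConfig",
    "Resource": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:orders",
}

if __name__ == "__main__":
    for name, stmt in [("pin", PIN_TO_APPROVED_VPC), ("list", WRONG_LIST_STATEMENT),
                       ("launchwizard", SCOPED_LAUNCH_WIZARD), ("pc", UNQUALIFIED_PC)]:
        print(name, lint_statement(stmt) or "ok")
```

The checker compares ARNs segment by segment and treats Resource "*" as acceptable for every action, so it catches structural mistakes (a scoped ARN on an action that takes none, an unqualified function ARN where the table requires an alias or version, a condition key the action does not evaluate) rather than reproducing IAM's full evaluation logic. Confirm anything it passes with the IAM policy simulator.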

Condition keys for Launch Wizard


Launch Wizard has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Lex
Amazon Lex (service prefix: lex) provides the following service-specific resources, actions, and condition
context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Lex (p. 1041)
• Resource types defined by Amazon Lex (p. 1045)
• Condition keys for Amazon Lex (p. 1046)


Actions defined by Amazon Lex


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateBotVersion | Creates a new version based on the $LATEST version of the specified bot. | Write | bot version* | - | -
CreateIntentVersion | Creates a new version based on the $LATEST version of the specified intent. | Write | intent version* | - | -
CreateSlotTypeVersion | Creates a new version based on the $LATEST version of the specified slot type. | Write | slottype version* | - | -
DeleteBot | Deletes all versions of a bot. | Write | bot version* | - | -
DeleteBotAlias | Deletes an alias for a specific bot. | Write | bot alias* | - | -
DeleteBotChannelAssociation | Deletes the association between an Amazon Lex bot alias and a messaging platform. | Write | channel* | - | -
DeleteBotVersion | Deletes a specific version of a bot. | Write | bot version* | - | -
DeleteIntent | Deletes all versions of an intent. | Write | intent version* | - | -
DeleteIntentVersion | Deletes a specific version of an intent. | Write | intent version* | - | -
DeleteSession | Removes session information for a specified bot, alias, and user ID. | Write | bot alias, bot version | - | -
DeleteSlotType | Deletes all versions of a slot type. | Write | slottype version* | - | -
DeleteSlotTypeVersion | Deletes a specific version of a slot type. | Write | slottype version* | - | -
DeleteUtterances | Deletes the information Amazon Lex maintains for utterances on a specific bot and userId. | Write | bot version* | - | -
GetBot | Returns information for a specific bot. In addition to the bot name, the bot version or alias is required. | Read | bot alias, bot version | - | -
GetBotAlias | Returns information about an Amazon Lex bot alias. | Read | bot alias* | - | -
GetBotAliases | Returns a list of aliases for a given Amazon Lex bot. | List | - | - | -
GetBotChannelAssociation | Returns information about the association between an Amazon Lex bot and a messaging platform. | Read | channel* | - | -
GetBotChannelAssociations | Returns a list of all of the channels associated with a single bot. | List | channel* | - | -
GetBotVersions | Returns information for all versions of a specific bot. | List | bot version* | - | -
GetBots | Returns information for the $LATEST version of all bots, subject to filters provided by the client. | List | - | - | -
GetBuiltinIntent | Returns information about a built-in intent. | Read | - | - | -
GetBuiltinIntents | Gets a list of built-in intents that meet the specified criteria. | Read | - | - | -
GetBuiltinSlotTypes | Gets a list of built-in slot types that meet the specified criteria. | Read | - | - | -
GetExport | Exports an Amazon Lex resource in a requested format. | Read | bot version* | - | -
GetImport | Gets information about an import job started with StartImport. | Read | - | - | -
GetIntent | Returns information for a specific intent. In addition to the intent name, you must also specify the intent version. | Read | intent version* | - | -
GetIntentVersions | Returns information for all versions of a specific intent. | List | intent version* | - | -
GetIntents | Returns information for the $LATEST version of all intents, subject to filters provided by the client. | List | - | - | -
GetSession | Returns session information for a specified bot, alias, and user ID. | Read | bot alias, bot version | - | -
GetSlotType | Returns information about a specific version of a slot type. In addition to specifying the slot type name, you must also specify the slot type version. | Read | slottype version* | - | -
GetSlotTypeVersions | Returns information for all versions of a specific slot type. | List | slottype version* | - | -
GetSlotTypes | Returns information for the $LATEST version of all slot types, subject to filters provided by the client. | List | - | - | -
GetUtterancesView | Returns a view of aggregate utterance data for versions of a bot for a recent time period. | List | bot version* | - | -
ListTagsForResource | Lists tags for a Lex resource. | Read | bot, bot alias, channel | - | -
PostContent | Sends user input (text or speech) to Amazon Lex. | Write | bot alias, bot version | - | -
PostText | Sends user input (text-only) to Amazon Lex. | Write | bot alias, bot version | - | -
PutBot | Creates or updates the $LATEST version of an Amazon Lex conversational bot. | Write | bot version* | aws:TagKeys, aws:RequestTag/${TagKey} | -
PutBotAlias | Creates or updates an alias for the specific bot. | Write | bot alias* | aws:TagKeys, aws:RequestTag/${TagKey} | -
PutIntent | Creates or updates the $LATEST version of an intent. | Write | intent version* | - | -
PutSession | Creates a new session or modifies an existing session with an Amazon Lex bot. | Write | bot alias, bot version | - | -
PutSlotType | Creates or updates the $LATEST version of a slot type. | Write | slottype version* | - | -
StartImport | Starts a job to import a resource to Amazon Lex. | Write | - | - | -
TagResource | Adds or overwrites tags on a Lex resource. | Tagging | bot, bot alias, channel | aws:TagKeys, aws:RequestTag/${TagKey} | -
UntagResource | Removes tags from a Lex resource. | Tagging | bot, bot alias, channel | aws:TagKeys, aws:RequestTag/${TagKey} | -

Resource types defined by Amazon Lex


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1041) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
bot | arn:${Partition}:lex:${Region}:${Account}:bot:${BotName} | aws:ResourceTag/${TagKey}
bot version | arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}:${BotVersion} | aws:ResourceTag/${TagKey}
bot alias | arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}:${BotAlias} | aws:ResourceTag/${TagKey}
channel | arn:${Partition}:lex:${Region}:${Account}:bot-channel:${BotName}:${BotAlias}:${ChannelName} | aws:ResourceTag/${TagKey}
intent version | arn:${Partition}:lex:${Region}:${Account}:intent:${IntentName}:${IntentVersion} | -
slottype version | arn:${Partition}:lex:${Region}:${Account}:slottype:${SlotName}:${SlotVersion} | -

Condition keys for Amazon Lex


Amazon Lex defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters access based on the tags in the request. | String
aws:ResourceTag/${TagKey} | Filters access by the tags attached to a Lex resource. | String
aws:TagKeys | Filters access based on the set of tag keys in the request. | String
lex:associatedIntents | Enables you to control access based on the intents included in the request. | String
lex:associatedSlotTypes | Enables you to control access based on the slot types included in the request. | String
lex:channelType | Enables you to control access based on the channel type included in the request. | String

Actions, resources, and condition keys for AWS License Manager
AWS License Manager (service prefix: license-manager) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS License Manager (p. 1047)
• Resource types defined by AWS License Manager (p. 1050)
• Condition keys for AWS License Manager (p. 1050)

Actions defined by AWS License Manager


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AcceptGrant | Grants permission to accept a grant | Write | grant* | - | -
CheckInLicense | Grants permission to check in license entitlements back to the pool | Write | - | - | -
CheckoutBorrowLicense | Grants permission to check out license entitlements for the borrow use case | Write | license* | - | -
CheckoutLicense | Grants permission to check out license entitlements | Write | - | - | -
CreateGrant | Grants permission to create a new grant for a license | Write | license* | - | -
CreateGrantVersion | Grants permission to create a new version of a grant | Write | grant* | - | -
CreateLicense | Grants permission to create a new license | Write | - | - | -
CreateLicenseConfiguration | Grants permission to create a new license configuration | Tagging | - | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateLicenseVersion | Grants permission to create a new version of a license | Write | license* | - | -
CreateToken | Grants permission to create a new token for a license | Write | license* | - | -
DeleteGrant | Grants permission to delete a grant | Write | grant* | - | -
DeleteLicense | Grants permission to delete a license | Write | license* | - | -
DeleteLicenseConfiguration | Grants permission to permanently delete a license configuration | Write | license-configuration* | - | -
DeleteToken | Grants permission to delete a token | Write | - | - | -
ExtendLicenseConsumption | Grants permission to extend the consumption period of already checked-out license entitlements | Write | - | - | -
GetAccessToken | Grants permission to get an access token | Read | - | - | -
GetGrant | Grants permission to get a grant | Read | grant* | - | -
GetLicense | Grants permission to get a license | Read | license* | - | -
GetLicenseConfiguration | Grants permission to get a license configuration | List | license-configuration* | - | -
GetLicenseUsage | Grants permission to get license usage | Read | license* | - | -
GetServiceSettings | Grants permission to get service settings | List | - | - | -
ListAssociationsForLicenseConfiguration | Grants permission to list associations for a selected license configuration | List | license-configuration* | - | -
ListDistributedGrants | Grants permission to list distributed grants | List | - | - | -
ListFailuresForLicenseConfigurationOperations | Grants permission to list the license configuration operations that failed | List | license-configuration* | - | -
Service Authorization Reference
Service Authorization Reference
AWS License Manager

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to list license List      


ListLicenseConfigurations
configurations

Grants permission to list license List      


ListLicenseSpecificationsForResource
specifications associated with a
selected resource

Grants permission to list license List license*    


ListLicenseVersions
versions (p. 1050)

ListLicenses Grants permission to list licenses List      

Grants permission to list List      


ListReceivedGrants
received grants

Grants permission to list List      


ListReceivedLicensess
received licenses

Grants permission to list List      


ListResourceInventory
resource inventory

Grants permission to list tags for List license-    


ListTagsForResource
a selected resource configuration*
(p. 1050)

ListTokens Grants permission to list tokens List      

Grants permission to list usage List license-    


ListUsageForLicenseConfiguration
records for selected license configuration*
configuration (p. 1050)

RejectGrant Grants permission to reject a Write grant*    


grant (p. 1050)

TagResource Grants permission to tag a Tagging license-    


selected resource configuration*
(p. 1050)

  aws:RequestTag/
 
${TagKey}
(p. 1050)

aws:TagKeys
(p. 1050)

Grants permission to untag a Tagging license-    


UntagResource selected resource configuration*
(p. 1050)

Grants permission to update an Write license-    


UpdateLicenseConfiguration
existing license configuration configuration*
(p. 1050)

Grants permission to updates Write license-    


UpdateLicenseSpecificationsForResource
license specifications for a configuration*
selected resource (p. 1050)

1049
Service Authorization Reference
Service Authorization Reference
AWS License Manager

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to updates Permissions      


UpdateServiceSettings
service settings management

Resource types defined by AWS License Manager


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1047) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
license-configuration | arn:${Partition}:license-manager:${Region}:${Account}:license-configuration/${LicenseConfigurationId} | license-manager:ResourceTag/${TagKey}
license | arn:${Partition}:license-manager::${Account}:license:${LicenseId} | -
grant | arn:${Partition}:license-manager::${Account}:grant:${GrantId} | -

Condition keys for AWS License Manager


AWS License Manager defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters create requests based on the allowed set of values for each of the mandatory tags | String
aws:TagKeys | Enforces the tag keys that are used in the request | String
license-manager:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource | String
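The following is an added example, not part of the Service Authorization Reference: a small Python evaluator for IAM Condition blocks, exercised with the tag condition keys listed for Amazon Lex and AWS License Manager above (aws:RequestTag/${TagKey}, aws:TagKeys, license-manager:ResourceTag/${TagKey}) and with the set-valued lambda:SubnetIds key from the AWS Lambda section. The policies, account ID, resource names and request contexts are constructed; only the string operators in the code are modelled, and the rules it applies to keys absent from the request are written out in the docstring so they can be checked against the IAM documentation and the policy simulator.

```python
"""Added example (not part of the Service Authorization Reference): evaluate IAM Condition blocks
for the tag keys tabulated for Amazon Lex and AWS License Manager and the set-valued
lambda:SubnetIds key. Policies and request contexts are constructed for the example."""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _string_test(op, actual, allowed):
    if op == "StringEquals":
        return actual in allowed
    if op == "StringNotEquals":
        return actual not in allowed
    if op == "StringLike":
        return any(fnmatchcase(actual, p) for p in allowed)
    raise ValueError(f"operator {op} not modelled")


def condition_matches(condition, context):
    """context maps condition key -> str or list[str]; a key the request lacks is absent here.
    Absent-key rules used by this checker: plain operators fail, negated ones (StringNot*) succeed,
    ForAllValues succeeds (vacuously true, as the IAM documentation notes), ForAnyValue fails.
    Operator blocks and the keys inside them are ANDed."""
    for op, tests in condition.items():
        qualifier, _, base = op.rpartition(":")
        for key, allowed in tests.items():
            allowed = _as_list(allowed)
            if key not in context:
                if qualifier == "ForAllValues" or (not qualifier and "Not" in base):
                    continue
                return False
            results = [_string_test(base, v, allowed) for v in _as_list(context[key])]
            if qualifier == "ForAllValues":
                ok = all(results)
            elif qualifier == "ForAnyValue":
                ok = any(results)
            else:
                ok = len(results) == 1 and results[0]  # single-valued operator on several values: mismatch
            if not ok:
                return False
    return True


def _matches_any(value, patterns):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(statements, action, resource, context):
    """An explicit Deny wins over any Allow; with no matching Allow the result is an implicit deny."""
    decision = "ImplicitDeny"
    for s in statements:
        if not (_matches_any(action, s["Action"]) and _matches_any(resource, s["Resource"])):
            continue
        if not condition_matches(s.get("Condition", {}), context):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


ACCOUNT = "123456789012"  # constructed
POLICY = [
    {   # lex:PutBot supports aws:RequestTag/${TagKey} and aws:TagKeys (Lex actions table)
        "Effect": "Allow", "Action": "lex:PutBot",
        "Resource": f"arn:aws:lex:us-east-1:{ACCOUNT}:bot:*",
        "Condition": {"StringEquals": {"aws:RequestTag/env": "prod"},
                      "ForAllValues:StringEquals": {"aws:TagKeys": ["env", "owner"]}},
    },
    {   # license-manager:ResourceTag/${TagKey} is defined on the license-configuration resource type
        "Effect": "Allow", "Action": "license-manager:DeleteLicenseConfiguration",
        "Resource": f"arn:aws:license-manager:us-east-1:{ACCOUNT}:license-configuration/*",
        "Condition": {"StringEquals": {"license-manager:ResourceTag/owner": "platform-team"}},
    },
    {"Effect": "Allow", "Action": "lambda:UpdateFunctionConfiguration",
     "Resource": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:*"},
    {   # guardrail: deny when any requested subnet (lambda:SubnetIds is multi-valued) is unapproved
        "Effect": "Deny", "Action": "lambda:UpdateFunctionConfiguration", "Resource": "*",
        "Condition": {"ForAnyValue:StringNotEquals": {"lambda:SubnetIds": ["subnet-0aaa", "subnet-0bbb"]}},
    },
]
# Only a ForAllValues test: an untagged request carries no aws:TagKeys at all and is allowed.
TAGKEYS_ONLY = [{"Effect": "Allow", "Action": "lex:PutBot", "Resource": "*",
                 "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["env", "owner"]}}}]

BOT = f"arn:aws:lex:us-east-1:{ACCOUNT}:bot:orders"
LICENSE_CONFIG = f"arn:aws:license-manager:us-east-1:{ACCOUNT}:license-configuration/lic-0123"
FUNCTION = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:orders"

if __name__ == "__main__":
    print(evaluate(POLICY, "lex:PutBot", BOT, {"aws:RequestTag/env": "prod", "aws:TagKeys": ["env", "owner"]}))
    print(evaluate(TAGKEYS_ONLY, "lex:PutBot", BOT, {}))
    print(evaluate(POLICY, "lambda:UpdateFunctionConfiguration", FUNCTION, {"lambda:SubnetIds": ["subnet-0zzz"]}))
```

The TAGKEYS_ONLY case is the one to remember when writing tag-enforcement policies from these tables: ForAllValues on aws:TagKeys alone does not force a tag to be present, so pair it with a StringEquals on aws:RequestTag/${TagKey} for each tag that must exist, as the first POLICY statement does.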

Actions, resources, and condition keys for Amazon Lightsail
Amazon Lightsail (service prefix: lightsail) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Lightsail (p. 1051)
• Resource types defined by Amazon Lightsail (p. 1061)
• Condition keys for Amazon Lightsail (p. 1062)

Actions defined by Amazon Lightsail


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AllocateStaticIp | Creates a static IP address that can be attached to an instance. | Write | StaticIp* | - | -
AttachDisk | Attaches a disk to an instance. | Write | Disk*, Instance* | - | -
AttachInstancesToLoadBalancer | Attaches one or more instances to a load balancer. | Write | Instance*, LoadBalancer* | - | -
AttachLoadBalancerTlsCertificate | Attaches a TLS certificate to a load balancer. | Write | LoadBalancer* | - | -
AttachStaticIp | Attaches a static IP address to an instance. | Write | Instance*, StaticIp* | - | -
CloseInstancePublicPorts | Closes a public port of an instance. | Write | Instance* | - | -
CopySnapshot | Copies a snapshot from one AWS Region to another in Amazon Lightsail. | Write | - | - | -
CreateCloudFormationStack | Creates a new Amazon EC2 instance from an exported Amazon Lightsail snapshot. | Write | ExportSnapshotRecord* | - | -
CreateDisk | Creates a disk. | Write | Disk* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateDiskFromSnapshot | Creates a disk from a snapshot. | Write | Disk* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateDiskSnapshot | Creates a disk snapshot. | Write | Disk* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateDomain | Creates a domain resource for the specified domain name. | Write | Domain* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateDomainEntry | Creates one or more DNS record entries for a domain resource: Address (A), canonical name (CNAME), mail exchanger (MX), name server (NS), start of authority (SOA), service locator (SRV), or text (TXT). | Write | Domain* | - | -
CreateInstanceSnapshot | Creates an instance snapshot. | Write | Instance*, InstanceSnapshot* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateInstances | Creates one or more instances. | Write | KeyPair* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateInstancesFromSnapshot | Creates one or more instances based on an instance snapshot. | Write | Instance*, InstanceSnapshot* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateKeyPair | Creates a key pair used to authenticate and connect to an instance. | Write | KeyPair* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateLoadBalancer | Creates a load balancer. | Write | LoadBalancer* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateLoadBalancerTlsCertificate | Creates a load balancer TLS certificate. | Write | LoadBalancer* | - | -
CreateRelationalDatabase | Creates a new relational database. | Write | RelationalDatabase* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateRelationalDatabaseFromSnapshot | Creates a new relational database from a snapshot. | Write | RelationalDatabase* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateRelationalDatabaseSnapshot | Creates a relational database snapshot. | Write | RelationalDatabaseSnapshot* | aws:RequestTag/${TagKey}, aws:TagKeys | -
DeleteDisk | Deletes a disk. | Write | Disk* | - | -
DeleteDiskSnapshot | Deletes a disk snapshot. | Write | Disk* | - | -
1054
Service Authorization Reference
Service Authorization Reference
Amazon Lightsail

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

DeleteDomain Deletes a domain resource and Write Domain*    


all of its DNS records. (p. 1062)

Deletes a DNS record entry for a Write Domain*    


DeleteDomainEntry
domain resource. (p. 1062)

Deletes an instance. Write Instance*    


DeleteInstance (p. 1062)

Deletes an instance snapshot. Write InstanceSnapshot*


   
DeleteInstanceSnapshot (p. 1062)

DeleteKeyPair Deletes a key pair used to Write KeyPair*    


authenticate and connect to an (p. 1062)
instance.

Deletes the known host key or Write Instance*    


DeleteKnownHostKeys
certificate used by the Amazon (p. 1062)
Lightsail browser-based SSH or
RDP clients to authenticate an
instance.

Deletes a load balancer. Write LoadBalancer*


   
DeleteLoadBalancer (p. 1062)

Deletes a load balancer TLS Write LoadBalancer*


   
DeleteLoadBalancerTlsCertificate
certificate. (p. 1062)

Deletes a relational database. Write RelationalDatabase*


   
DeleteRelationalDatabase (p. 1062)

Deletes relational database Write RelationalDatabaseSnapshot*


   
DeleteRelationalDatabaseSnapshot
snapshot. (p. 1062)

DetachDisk Detaches a disk from an Write Disk*    


instance. (p. 1062)

Detaches one or more instances Write Instance*    


DetachInstancesFromLoadBalancer
from a load balancer. (p. 1062)

LoadBalancer*
   
(p. 1062)

Detaches a static IP from an Write Instance*    


DetachStaticIp instance to which it is attached. (p. 1062)

StaticIp*    
(p. 1062)

Downloads the default key Write KeyPair*    


DownloadDefaultKeyPair
pair used to authenticate and (p. 1062)
connect to instances in a specific
AWS Region.

Exports an Amazon Lightsail Write      


ExportSnapshot snapshot to Amazon EC2.

1055
Service Authorization Reference
Service Authorization Reference
Amazon Lightsail

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Returns the names of all active Read      


GetActiveNames (not deleted) resources.

GetBlueprints Returns a list of instance images, List      


or blueprints. You can use
a blueprint to create a new
instance already running a
specific operating system,
as well as a pre-installed
application or development
stack. The software that runs
on your instance depends on
the blueprint you define when
creating the instance.

GetBundles Returns a list of instance List      


bundles. You can use a bundle to
create a new instance with a set
of performance specifications,
such as CPU count, disk size,
RAM size, and network transfer
allowance. The cost of your
instance depends on the bundle
you define when creating the
instance.

Returns information about all List CloudFormationStackRecord*


   
GetCloudFormationStackRecords
CloudFormation stacks used to (p. 1062)
create Amazon EC2 resources
from exported Amazon Lightsail
snapshots.

GetDisk Returns information about a Read Disk*    


disk. (p. 1062)

Returns information about a disk Read Disk*    


GetDiskSnapshot snapshot. (p. 1062)

Returns information about all List Disk*    


GetDiskSnapshotsdisk snapshots. (p. 1062)

GetDisks Returns information about all List      


disks.

GetDomain Returns DNS records for a Read Domain*    


domain resource. (p. 1062)

GetDomains Returns DNS records for all Read Domain*    


domain resources. (p. 1062)

Returns information about List ExportSnapshotRecord*


   
GetExportSnapshotRecords
all records to export Amazon (p. 1062)
Lightsail snapshots to Amazon
EC2.

1056
Service Authorization Reference
Service Authorization Reference
Amazon Lightsail

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

GetInstance Returns information about an Read Instance*    


instance. (p. 1062)

Returns temporary keys you can Write Instance*    


GetInstanceAccessDetails
use to authenticate and connect (p. 1062)
to an instance.

Returns the data points for the Read Instance*    


GetInstanceMetricData
specified metric of an instance. (p. 1062)

Returns the port states of an Read Instance*    


GetInstancePortStates
instance. (p. 1062)

Returns information about an Read InstanceSnapshot*


   
GetInstanceSnapshot
instance snapshot. (p. 1062)

Returns information about all List InstanceSnapshot*


   
GetInstanceSnapshots
instance snapshots. (p. 1062)

Returns the state of an instance. Read Instance*    


GetInstanceState (p. 1062)

GetInstances Returns information about all Read Instance*    


instances. (p. 1062)

GetKeyPair Returns information about a key List KeyPair*    


pair. (p. 1062)

GetKeyPairs Returns information about all Read KeyPair*    


key pairs. (p. 1062)

Returns information about a Read LoadBalancer*


   
GetLoadBalancer load balancer. (p. 1062)

Returns the data points for Read LoadBalancer*


   
GetLoadBalancerMetricData
the specified metric of a load (p. 1062)
balancer.

Returns information about a Read LoadBalancer*


   
GetLoadBalancerTlsCertificates
load balancer TLS certificate. (p. 1062)

Returns information about load Read LoadBalancer*


   
GetLoadBalancersbalancers. (p. 1062)

GetOperation Returns information about an Read      


operation. Operations include
events such as when you create
an instance, allocate a static IP,
attach a static IP, and so on.

Returns information about all Read      


GetOperations operations. Operations include
events such as when you create
an instance, allocate a static IP,
attach a static IP, and so on.

1057
Service Authorization Reference
Service Authorization Reference
Amazon Lightsail

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Returns operations for a Read Domain    


GetOperationsForResource
resource. (p. 1062)

Instance    
(p. 1062)

InstanceSnapshot
   
(p. 1062)

KeyPair    
(p. 1062)

StaticIp    
(p. 1062)

GetRegions Returns a list of all valid AWS List      


Regions for Amazon Lightsail.

Returns information about a List RelationalDatabase*


   
GetRelationalDatabase
relational database. (p. 1062)

Returns a list of relational List      


GetRelationalDatabaseBlueprints
database images, or blueprints.
You can use a blueprint to
create a new database running
a specific database engine.
The database engine that runs
on your database depends on
the blueprint you define when
creating the relational database.

Returns a list of relational List      


GetRelationalDatabaseBundles
database bundles. You can use a
bundle to create a new database
with a set of performance
specifications, such as CPU
count, disk size, RAM size,
network transfer allowance, and
standard of high availability. The
cost of your database depends
on the bundle you define when
creating the relational database.

Returns events for a relational Read      


GetRelationalDatabaseEvents
database.

Returns events for the specified Read      


GetRelationalDatabaseLogEvents
log stream of a relational
database.

Returns the log streams Read      


GetRelationalDatabaseLogStreams
available for a relational
database.

1058
Service Authorization Reference
Service Authorization Reference
Amazon Lightsail

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Returns the master user Write      


GetRelationalDatabaseMasterUserPassword
password of a relational
database.

Returns the data points for the Read      


GetRelationalDatabaseMetricData
specified metric of a relational
database.

Returns the parameters of a List      


GetRelationalDatabaseParameters
relational database.

Returns information about a List RelationalDatabase*


   
GetRelationalDatabaseSnapshot
relational database snapshot. (p. 1062)

Returns information about all List RelationalDatabase*


   
GetRelationalDatabaseSnapshots
relational database snapshots. (p. 1062)

Return information about all Read RelationalDatabase*


   
GetRelationalDatabases
relational databases. (p. 1062)

GetStaticIp Returns information about a Read StaticIp*    


static IP. (p. 1062)

GetStaticIps Returns information about all Read StaticIp*    


static IPs. (p. 1062)

Imports a public key from a key Write KeyPair*    


ImportKeyPair pair. (p. 1062)

IsVpcPeered Returns a boolean value Read      


indicating whether the Amazon
Lightsail virtual private cloud
(VPC) is peered.

Adds, or opens a public port of Write Instance*    


OpenInstancePublicPorts
an instance. (p. 1062)

PeerVpc Tries to peer the Amazon Write      


Lightsail virtual private cloud
(VPC) with the default VPC.

Sets the specified open ports for Write Instance*    


PutInstancePublicPorts
an instance, and closes all ports (p. 1062)
for every protocol not included
in the request.

Reboots an instance that is in a Write Instance*    


RebootInstance running state. (p. 1062)

Reboots a relational database Write RelationalDatabase*


   
RebootRelationalDatabase
that is in a running state. (p. 1062)

Deletes a static IP. Write StaticIp*    


ReleaseStaticIp (p. 1062)

1059
Service Authorization Reference
Service Authorization Reference
Amazon Lightsail

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

StartInstance Starts an instance that is in a Write Instance*    


stopped state. (p. 1062)

Starts a relational database that Write RelationalDatabase*


   
StartRelationalDatabase
is in a stopped state. (p. 1062)

StopInstance Stops an instance that is in a Write Instance*    


running state. (p. 1062)

Stops a relational database that Write RelationalDatabase*


   
StopRelationalDatabase
is in a running state. (p. 1062)

TagResource Tags a resource. Write Disk    


(p. 1062)

DiskSnapshot   
(p. 1062)

Domain    
(p. 1062)

Instance    
(p. 1062)

InstanceSnapshot
   
(p. 1062)

KeyPair    
(p. 1062)

LoadBalancer   
(p. 1062)

RelationalDatabase
   
(p. 1062)

RelationalDatabaseSnapshot
   
(p. 1062)

StaticIp    
(p. 1062)

  aws:RequestTag/
 
${TagKey}
(p. 1062)

aws:TagKeys
(p. 1063)

UnpeerVpc Attempts to unpeer the Amazon Write      


Lightsail virtual private cloud
(VPC) from the default VPC.

Untags a resource. Write Disk    


UntagResource (p. 1062)

1060
Service Authorization Reference
Service Authorization Reference
Amazon Lightsail

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

DiskSnapshot   
(p. 1062)

Domain    
(p. 1062)

Instance    
(p. 1062)

InstanceSnapshot
   
(p. 1062)

KeyPair    
(p. 1062)

LoadBalancer   
(p. 1062)

RelationalDatabase
   
(p. 1062)

RelationalDatabaseSnapshot
   
(p. 1062)

StaticIp    
(p. 1062)

  aws:RequestTag/
 
${TagKey}
(p. 1062)

aws:TagKeys
(p. 1063)

Updates a domain recordset Write Domain*    


UpdateDomainEntry
after it is created. (p. 1062)

Updates a load balancer Write LoadBalancer*


   
UpdateLoadBalancerAttribute
attribute, such as the health (p. 1062)
check path and session
stickiness.

Updates a relational database. Write RelationalDatabase*


   
UpdateRelationalDatabase (p. 1062)

Updates the parameters of a Write      


UpdateRelationalDatabaseParameters
relational database.

Resource types defined by Amazon Lightsail

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1051) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| Domain | arn:${Partition}:lightsail:${Region}:${Account}:Domain/${Id} | aws:ResourceTag/${TagKey} (p. 1063) |
| Instance | arn:${Partition}:lightsail:${Region}:${Account}:Instance/${Id} | aws:ResourceTag/${TagKey} (p. 1063) |
| InstanceSnapshot | arn:${Partition}:lightsail:${Region}:${Account}:InstanceSnapshot/${Id} | aws:ResourceTag/${TagKey} (p. 1063) |
| KeyPair | arn:${Partition}:lightsail:${Region}:${Account}:KeyPair/${Id} | aws:ResourceTag/${TagKey} (p. 1063) |
| StaticIp | arn:${Partition}:lightsail:${Region}:${Account}:StaticIp/${Id} | aws:ResourceTag/${TagKey} (p. 1063) |
| Disk | arn:${Partition}:lightsail:${Region}:${Account}:Disk/${Id} | aws:ResourceTag/${TagKey} (p. 1063) |
| DiskSnapshot | arn:${Partition}:lightsail:${Region}:${Account}:DiskSnapshot/${Id} | aws:ResourceTag/${TagKey} (p. 1063) |
| LoadBalancer | arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancer/${Id} | aws:ResourceTag/${TagKey} (p. 1063) |
| PeeredVpc | arn:${Partition}:lightsail:${Region}:${Account}:PeeredVpc/${Id} | |
| LoadBalancerTlsCertificate | arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancerTlsCertificate/${Id} | |
| ExportSnapshotRecord | arn:${Partition}:lightsail:${Region}:${Account}:ExportSnapshotRecord/${Id} | |
| CloudFormationStackRecord | arn:${Partition}:lightsail:${Region}:${Account}:CloudFormationStackRecord/${Id} | |
| RelationalDatabase | arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabase/${Id} | aws:ResourceTag/${TagKey} (p. 1063) |
| RelationalDatabaseSnapshot | arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabaseSnapshot/${Id} | aws:ResourceTag/${TagKey} (p. 1063) |

Condition keys for Amazon Lightsail

Amazon Lightsail defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
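The tables above encode two rules a policy author has to get right: an action with no entry in the Resource types column can only be granted on Resource "*", and an action with a listed type should be granted on an ARN of that type (CreateInstances, for instance, is scoped by KeyPair ARN, not by instance). The following added example, which is not part of the AWS reference, turns a constructed subset of the Lightsail actions table into a small policy linter and runs it over a sample policy that also uses the aws:RequestTag, aws:TagKeys and aws:ResourceTag keys from the condition keys table. The account ID 111122223333, the Region us-east-1 and the tag team=blue are placeholders; the dictionary ACTION_RESOURCE_TYPES is a hand-copied subset of the table, not an AWS API.

```python
"""Lint an IAM policy against the Lightsail actions and resource types tables.

Added example, not part of the AWS reference. ACTION_RESOURCE_TYPES is a
constructed subset of the Lightsail actions table; the account ID, Region
and tag values in SAMPLE_POLICY are placeholders.
"""
import re

# Resource types each action accepts, copied from the actions table.
# An empty tuple means the table lists no resource type for the action,
# so a statement granting it must use Resource "*".
ACTION_RESOURCE_TYPES = {
    "lightsail:GetBlueprints": (),
    "lightsail:GetBundles": (),
    "lightsail:GetRegions": (),
    "lightsail:CreateInstances": ("KeyPair",),
    "lightsail:GetInstance": ("Instance",),
    "lightsail:StartInstance": ("Instance",),
    "lightsail:StopInstance": ("Instance",),
    "lightsail:RebootInstance": ("Instance",),
    "lightsail:DetachStaticIp": ("Instance", "StaticIp"),
}

# ARN shape from the resource types table:
# arn:${Partition}:lightsail:${Region}:${Account}:<ResourceType>/${Id}
ARN_RE = re.compile(r"^arn:[^:]+:lightsail:[^:]*:[^:]*:([A-Za-z]+)/.+$")


def _as_list(value):
    """IAM allows a string or a list in Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_statement(stmt):
    """Return findings for one statement, each prefixed ERROR or WARN."""
    findings = []
    for action in _as_list(stmt.get("Action", [])):
        allowed = ACTION_RESOURCE_TYPES.get(action)
        if allowed is None:
            findings.append(f"WARN {action}: not in the table subset, skipped")
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                # "*" is always accepted, but for an action that has a
                # resource type it gives up resource-level scoping.
                if allowed:
                    findings.append(f"WARN {action}: '*' where an ARN of type "
                                    f"{'/'.join(allowed)} would scope it")
            elif not allowed:
                findings.append(f"ERROR {action}: has no resource type, Resource must be '*'")
            else:
                match = ARN_RE.match(res)
                if match is None or match.group(1) not in allowed:
                    findings.append(f"ERROR {action}: {res} is not a "
                                    f"{'/'.join(allowed)} ARN")
    return findings


def check_policy(policy):
    """Run check_statement over every statement, prefixing findings with the Sid."""
    return [f"{stmt.get('Sid', '?')}: {finding}"
            for stmt in policy["Statement"]
            for finding in check_statement(stmt)]


# Constructed sample policy; account, Region and tag value are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # These actions have no resource type in the table, so "*" is required.
            "Sid": "Catalog",
            "Effect": "Allow",
            "Action": ["lightsail:GetBlueprints", "lightsail:GetBundles",
                       "lightsail:GetRegions"],
            "Resource": "*",
        },
        {   # CreateInstances is scoped by KeyPair ARN; the request must tag team=blue.
            "Sid": "CreateTaggedInstances",
            "Effect": "Allow",
            "Action": "lightsail:CreateInstances",
            "Resource": "arn:aws:lightsail:us-east-1:111122223333:KeyPair/*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/team": "blue"},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["team"]},
            },
        },
        {   # The Instance resource type defines aws:ResourceTag, so lifecycle
            # actions can be limited to instances already tagged team=blue.
            "Sid": "OperateTeamInstances",
            "Effect": "Allow",
            "Action": ["lightsail:GetInstance", "lightsail:StartInstance",
                       "lightsail:StopInstance", "lightsail:RebootInstance"],
            "Resource": "arn:aws:lightsail:us-east-1:111122223333:Instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/team": "blue"}},
        },
    ],
}


if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY) or "policy is consistent with the table")
```

The linter only knows the rows copied into ACTION_RESOURCE_TYPES; extending it to the whole table is a matter of adding rows. It reports a "*" Resource on a resource-typed action as a warning rather than an error because the reference permits it, but for least-privilege review that is the case worth a second look.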

Actions, resources, and condition keys for Amazon Location

Amazon Location (service prefix: geo) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Location (p. 1063)
• Resource types defined by Amazon Location (p. 1066)
• Condition keys for Amazon Location (p. 1066)

Actions defined by Amazon Location
You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateTrackerConsumer | Grants permission to create an association between a geofence-collection and a tracker resource | Write | tracker* (p. 1066) | | |
| BatchDeleteGeofence | Grants permission to delete a batch of geofences from a geofence collection | Write | geofence-collection* (p. 1066) | | |
| BatchEvaluateGeofences | Grants permission to evaluate device positions against the position of geofences in a given geofence collection | Write | geofence-collection* (p. 1066) | | |
| BatchGetDevicePosition | Grants permission to send a batch request to retrieve device positions | Read | tracker* (p. 1066) | | |
| BatchPutGeofence | Grants permission to send a batch request for adding geofences into a given geofence collection | Write | geofence-collection* (p. 1066) | | |
| BatchUpdateDevicePosition | Grants permission to upload a position update for one or more devices to a tracker resource | Write | tracker* (p. 1066) | | |
| CreateGeofenceCollection | Grants permission to create a geofence-collection | Write | geofence-collection* (p. 1066) | | |
| CreateMap | Grants permission to create a map resource | Write | map* (p. 1066) | | |
| CreatePlaceIndex | Grants permission to create a place index resource | Write | place-index* (p. 1066) | | |
| CreateTracker | Grants permission to create a tracker resource | Write | tracker* (p. 1066) | | |
| DeleteGeofenceCollection | Grants permission to delete a geofence-collection | Write | geofence-collection* (p. 1066) | | |
| DeleteMap | Grants permission to delete a map resource | Write | map* (p. 1066) | | |
| DeletePlaceIndex | Grants permission to delete a place index resource | Write | place-index* (p. 1066) | | |
| DeleteTracker | Grants permission to delete a tracker resource | Write | tracker* (p. 1066) | | |
| DescribeGeofenceCollection | Grants permission to retrieve a geofence collection's details | Read | geofence-collection* (p. 1066) | | |
| DescribeMap | Grants permission to retrieve a map resource's details | Read | map* (p. 1066) | | |
| DescribePlaceIndex | Grants permission to retrieve a place-index resource's details | Read | place-index* (p. 1066) | | |
| DescribeTracker | Grants permission to retrieve a tracker resource's details | Read | tracker* (p. 1066) | | |
| DisassociateTrackerConsumer | Grants permission to remove the association between a tracker resource and a geofence-collection | Write | tracker* (p. 1066) | | |
| GetDevicePosition | Grants permission to retrieve the latest device position | Read | tracker* (p. 1066) | | |
| GetDevicePositionHistory | Grants permission to retrieve the device position history | Read | tracker* (p. 1066) | | |
| GetGeofence | Grants permission to retrieve the geofence details from a geofence-collection | Read | geofence-collection* (p. 1066) | | |
| GetMapGlyphs | Grants permission to retrieve the glyph file for a map resource | Read | map* (p. 1066) | | |
| GetMapSprites | Grants permission to retrieve the sprite file for a map resource | Read | map* (p. 1066) | | |
| GetMapStyleDescriptor | Grants permission to retrieve the map style descriptor from a map resource | Read | map* (p. 1066) | | |
| GetMapTile | Grants permission to retrieve the map tile from the map resource | Read | map* (p. 1066) | | |
| GetMapTileJson | Grants permission to retrieve the map TileJSON details from a given map resource | Read | map* (p. 1066) | | |
| ListGeofenceCollections | Grants permission to list geofence-collections | List | | | |
| ListGeofences | Grants permission to list geofences stored in a given geofence collection | Read | geofence-collection* (p. 1066) | | |
| ListMaps | Grants permission to list map resources | List | | | |
| ListPlaceIndexes | Grants permission to return a list of place index resources | List | | | |
| ListTrackerConsumers | Grants permission to retrieve a list of geofence collections currently associated to the given tracker resource | Read | tracker* (p. 1066) | | |
| ListTrackers | Grants permission to return a list of tracker resources | List | | | |
| PutGeofence | Grants permission to add a new geofence or update an existing geofence in a given geofence-collection | Write | geofence-collection* (p. 1066) | | |
| SearchPlaceIndexForPosition | Grants permission to reverse geocode a given coordinate | Read | place-index* (p. 1066) | | |
| SearchPlaceIndexForText | Grants permission to geocode free-form text, such as an address, name, city or region | Read | place-index* (p. 1066) | | |
| UpdateGeofenceCollection | Grants permission to update the description of a geofence collection | Write | geofence-collection* (p. 1066) | | |
| UpdateTracker | Grants permission to update the description of a tracker resource | Write | tracker* (p. 1066) | | |

Resource types defined by Amazon Location

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1063) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| geofence-collection | arn:${Partition}:geo:${Region}:${Account}:geofence-collection/${GeofenceCollectionName} | |
| map | arn:${Partition}:geo:${Region}:${Account}:map/${MapName} | |
| place-index | arn:${Partition}:geo:${Region}:${Account}:place-index/${IndexName} | |
| tracker | arn:${Partition}:geo:${Region}:${Account}:tracker/${TrackerName} | |

Condition keys for Amazon Location

Location has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Lookout for Vision

Amazon Lookout for Vision (service prefix: lookoutvision) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Lookout for Vision (p. 1067)
• Resource types defined by Amazon Lookout for Vision (p. 1069)
• Condition keys for Amazon Lookout for Vision (p. 1069)

Actions defined by Amazon Lookout for Vision
You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateDataset | Grants permission to associate a dataset manifest with a project | Write | project* (p. 1069) | | |
| CreateModel | Grants permission to create a new anomaly detection model | Write | project* (p. 1069) | | |
| CreateProject | Grants permission to create a new project | Write | project* (p. 1069) | | |
| DeleteDataset | Grants permission to delete a dataset associated with a project | Write | project* (p. 1069) | | |
| DeleteModel | Grants permission to delete a model and all associated assets | Write | model* (p. 1069), project* (p. 1069) | | |
| DeleteProject | Grants permission to permanently remove a project | Write | project* (p. 1069) | | |
| DescribeDataset | Grants permission to show detailed information about a dataset manifest | Read | project* (p. 1069) | | |
| DescribeModel | Grants permission to show detailed information about a model | Read | model* (p. 1069), project* (p. 1069) | | |
| DescribeProject | Grants permission to show detailed information about a project | Read | project* (p. 1069) | | |
| DescribeTrialDetection [permission only] | Grants permission to provide state information about a running anomaly detection job | Read | model* (p. 1069), project* (p. 1069) | | |
| DetectAnomalies | Grants permission to invoke detection of anomalies | Read | model* (p. 1069), project* (p. 1069) | | |
| ListDatasetEntries | Grants permission to list the contents of a dataset manifest | List | project* (p. 1069) | | |
| ListModels | Grants permission to list all models associated with a project | List | project* (p. 1069) | | |
| ListProjects | Grants permission to list all projects | List | | | |
| ListTrialDetections [permission only] | Grants permission to list all anomaly detection jobs | List | model* (p. 1069), project* (p. 1069) | | |
| StartModel | Grants permission to start an anomaly detection model | Write | model* (p. 1069), project* (p. 1069) | | |
| StartTrialDetection [permission only] | Grants permission to start bulk detection of anomalies for a set of images stored in an S3 bucket | Write | model* (p. 1069), project* (p. 1069) | | |
| StopModel | Grants permission to stop an anomaly detection model | Write | model* (p. 1069), project* (p. 1069) | | |
| UpdateDatasetEntries | Grants permission to update a training or test dataset manifest | Write | project* (p. 1069) | | |

Resource types defined by Amazon Lookout for Vision

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1067) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| model | arn:${Partition}:lookoutvision:${Region}:${Account}:model/${ProjectName}/${ModelVersion} | |
| project | arn:${Partition}:lookoutvision:${Region}:${Account}:project/${ProjectName} | |

Condition keys for Amazon Lookout for Vision

Lookout for Vision has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Machine Learning

Amazon Machine Learning (service prefix: machinelearning) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Machine Learning (p. 1070)
• Resource types defined by Amazon Machine Learning (p. 1073)
• Condition keys for Amazon Machine Learning (p. 1073)

Actions defined by Amazon Machine Learning
You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddTags | Adds one or more tags to an object, up to a limit of 10. Each tag consists of a key and an optional value | Tagging | batchprediction (p. 1073), datasource (p. 1073), evaluation (p. 1073), mlmodel (p. 1073) | | |
| CreateBatchPrediction | Generates predictions for a group of observations | Write | batchprediction* (p. 1073), datasource* (p. 1073), mlmodel* (p. 1073) | | |
| CreateDataSourceFromRDS | Creates a DataSource object from an Amazon RDS | Write | datasource* (p. 1073) | | |
| CreateDataSourceFromRedshift | Creates a DataSource from a database hosted on an Amazon Redshift cluster | Write | datasource* (p. 1073) | | |
| CreateDataSourceFromS3 | Creates a DataSource object from S3 | Write | datasource* (p. 1073) | | |
1070
Service Authorization Reference
Service Authorization Reference
Amazon Machine Learning

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateEvaluation | Creates a new Evaluation of an MLModel | Write | datasource* (p. 1073), evaluation* (p. 1073), mlmodel* (p. 1073) | | |
| CreateMLModel | Creates a new MLModel | Write | datasource* (p. 1073), mlmodel* (p. 1073) | | |
| CreateRealtimeEndpoint | Creates a real-time endpoint for the MLModel | Write | mlmodel* (p. 1073) | | |
| DeleteBatchPrediction | Assigns the DELETED status to a BatchPrediction, rendering it unusable | Write | batchprediction* (p. 1073) | | |
| DeleteDataSource | Assigns the DELETED status to a DataSource, rendering it unusable | Write | datasource* (p. 1073) | | |
| DeleteEvaluation | Assigns the DELETED status to an Evaluation, rendering it unusable | Write | evaluation* (p. 1073) | | |
| DeleteMLModel | Assigns the DELETED status to an MLModel, rendering it unusable | Write | mlmodel* (p. 1073) | | |
| DeleteRealtimeEndpoint | Deletes a real time endpoint of an MLModel | Write | mlmodel* (p. 1073) | | |
| DeleteTags | Deletes the specified tags associated with an ML object. After this operation is complete, you can't recover deleted tags | Tagging | batchprediction (p. 1073), datasource (p. 1073), evaluation (p. 1073), mlmodel (p. 1073) | | |
| DescribeBatchPredictions | Returns a list of BatchPrediction operations that match the search criteria in the request | List | | | |
| DescribeDataSources | Returns a list of DataSource that match the search criteria in the request | List | | | |
| DescribeEvaluations | Returns a list of DescribeEvaluations that match the search criteria in the request | List | | | |
| DescribeMLModels | Returns a list of MLModel that match the search criteria in the request | List | | | |
| DescribeTags | Describes one or more of the tags for your Amazon ML object | List | batchprediction (p. 1073), datasource (p. 1073), evaluation (p. 1073), mlmodel (p. 1073) | | |
| GetBatchPrediction | Returns a BatchPrediction that includes detailed metadata, status, and data file information | Read | batchprediction* (p. 1073) | | |
| GetDataSource | Returns a DataSource that includes metadata and data file information, as well as the current status of the DataSource | Read | datasource* (p. 1073) | | |
| GetEvaluation | Returns an Evaluation that includes metadata as well as the current status of the Evaluation | Read | datasource* (p. 1073) | | |
| GetMLModel | Returns an MLModel that includes detailed metadata, and data source information as well as the current status of the MLModel | Read | mlmodel* (p. 1073) | | |
| Predict | Generates a prediction for the observation using the specified ML Model | Write | mlmodel* (p. 1073) | | |
| UpdateBatchPrediction | Updates the BatchPredictionName of a BatchPrediction | Write | batchprediction* (p. 1073) | | |
| UpdateDataSource | Updates the DataSourceName of a DataSource | Write | datasource* (p. 1073) | | |
| UpdateEvaluation | Updates the EvaluationName of an Evaluation | Write | evaluation* (p. 1073) | | |
| UpdateMLModel | Updates the MLModelName and the ScoreThreshold of an MLModel | Write | mlmodel* (p. 1073) | | |


Resource types defined by Amazon Machine Learning


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1070) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| batchprediction | arn:${Partition}:machinelearning:${Region}:${Account}:batchprediction/${BatchPredictionId} | |
| datasource | arn:${Partition}:machinelearning:${Region}:${Account}:datasource/${DatasourceId} | |
| evaluation | arn:${Partition}:machinelearning:${Region}:${Account}:evaluation/${EvaluationId} | |
| mlmodel | arn:${Partition}:machinelearning:${Region}:${Account}:mlmodel/${MlModelId} | |

Condition keys for Amazon Machine Learning


Machine Learning has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Amazon Macie

Amazon Macie (service prefix: macie2) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Macie (p. 1073)
• Resource types defined by Amazon Macie (p. 1079)
• Condition keys for Amazon Macie (p. 1079)

Actions defined by Amazon Macie


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptInvitation | Grants permission to accept an Amazon Macie membership invitation | Write | | | |
| ArchiveFindings | Grants permission to archive one or more findings | Write | | | |
| BatchGetCustomDataIdentifiers | Grants permission to retrieve information about one or more custom data identifiers | Read | CustomDataIdentifier* (p. 1079) | | |
| CreateClassificationJob | Grants permission to create and define the settings for a classification job | Write | ClassificationJob* (p. 1079) | aws:RequestTag/${TagKey} (p. 1079), aws:TagKeys (p. 1080) | |
| CreateCustomDataIdentifier | Grants permission to create and define the settings for a custom data identifier | Write | CustomDataIdentifier* (p. 1079) | aws:RequestTag/${TagKey} (p. 1079), aws:TagKeys (p. 1080) | |
| CreateFindingsFilter | Grants permission to create and define the settings for a findings filter | Write | FindingsFilter* (p. 1079) | aws:RequestTag/${TagKey} (p. 1079), aws:TagKeys (p. 1080) | |
| CreateInvitations | Grants permission to send an Amazon Macie membership invitation | Write | | | |
| CreateMember | Grants permission to associate an account with an Amazon Macie master account | Write | Member* (p. 1079) | aws:RequestTag/${TagKey} (p. 1079), aws:TagKeys (p. 1080) | |
| CreateSampleFindings | Grants permission to create sample findings | Write | | | |
| DeclineInvitations | Grants permission to decline Amazon Macie membership invitations | Write | | | |
| DeleteCustomDataIdentifier | Grants permission to delete a custom data identifier | Write | CustomDataIdentifier* (p. 1079) | | |
| DeleteFindingsFilter | Grants permission to delete a findings filter | Write | FindingsFilter* (p. 1079) | | |
| DeleteInvitations | Grants permission to delete Amazon Macie membership invitations | Write | | | |
| DeleteMember | Grants permission to delete the association between an Amazon Macie master account and an account | Write | Member* (p. 1079) | | |
| DescribeBuckets | Grants permission to retrieve statistical and other data about S3 buckets that Amazon Macie monitors and analyzes | Read | | | |
| DescribeClassificationJob | Grants permission to retrieve information about the status and settings for a classification job | Read | ClassificationJob* (p. 1079) | | |
| DescribeOrganizationConfiguration | Grants permission to retrieve information about the Amazon Macie configuration settings for an AWS organization | Read | | | |
| DisableMacie | Grants permission to disable an Amazon Macie account, which also deletes Macie resources for the account | Write | | | |
| DisableOrganizationAdminAccount | Grants permission to disable an account as a delegated administrator of Amazon Macie for an AWS organization | Write | | | |
| DisassociateFromMasterAccount | Grants an Amazon Macie member account with permission to disassociate from its master account | Write | | | |
| DisassociateMember | Grants an Amazon Macie master account with permission to disassociate from a member account | Write | Member* (p. 1079) | | |
| EnableMacie | Grants permission to enable and specify the configuration settings for a new Amazon Macie account | Write | | | |
| EnableOrganizationAdminAccount | Grants permission to enable an account as a delegated administrator of Amazon Macie for an AWS organization | Write | | | |
| GetBucketStatistics | Grants permission to retrieve aggregated statistical data for all the S3 buckets that Amazon Macie monitors and analyzes | Read | | | |
| GetClassificationExportConfiguration | Grants permission to retrieve the settings for exporting data classification results | Read | | | |
| GetCustomDataIdentifier | Grants permission to retrieve information about the settings for a custom data identifier | Read | CustomDataIdentifier* (p. 1079) | | |
| GetFindingStatistics | Grants permission to retrieve aggregated statistical data about findings | Read | | | |
| GetFindings | Grants permission to retrieve information about one or more findings | Read | | | |
| GetFindingsFilter | Grants permission to retrieve information about the settings for a findings filter | Read | FindingsFilter* (p. 1079) | | |
| GetInvitationsCount | Grants permission to retrieve the count of Amazon Macie membership invitations that were received by an account | Read | | | |
| GetMacieSession | Grants permission to retrieve information about the status and configuration settings for an Amazon Macie account | Read | | | |
| GetMasterAccount | Grants permission to retrieve information about the Amazon Macie master account for an account | Read | | | |
| GetMember | Grants permission to retrieve information about an account that's associated with an Amazon Macie master account | Read | Member* (p. 1079) | | |
| GetUsageStatistics | Grants permission to retrieve quotas and aggregated usage data for one or more accounts | Read | | | |
| GetUsageTotals | Grants permission to retrieve aggregated usage data for an account | Read | | | |
| ListClassificationJobs | Grants permission to retrieve information about the status and settings for one or more classification jobs | List | | | |
| ListCustomDataIdentifiers | Grants permission to retrieve information about all custom data identifiers | List | | | |
| ListFindings | Grants permission to retrieve a subset of information about one or more findings | List | | | |
| ListFindingsFilters | Grants permission to retrieve information about all findings filters | List | | | |
| ListInvitations | Grants permission to retrieve information about all the Amazon Macie membership invitations that were received by an account | List | | | |
| ListMembers | Grants permission to retrieve information about all the accounts that are associated with an Amazon Macie master account | List | | | |
| ListOrganizationAdminAccounts | Grants permission to retrieve information about the delegated, Amazon Macie administrator account for an AWS organization | List | | | |
| ListTagsForResources | Grants permission to retrieve the tags for an Amazon Macie resource or member account | List | | | |
| PutClassificationExportConfiguration | Grants permission to create or update the settings for exporting data classification results | Write | | | |
| TagResource | Grants permission to add or update the tags for an Amazon Macie resource or member account | Tagging | | aws:RequestTag/${TagKey} (p. 1079), aws:TagKeys (p. 1080) | |
| TestCustomDataIdentifier | Grants permission to test a custom data identifier | Write | | | |
| UnarchiveFindings | Grants permission to reactivate (unarchive) one or more findings | Write | | | |
| UntagResource | Grants permission to remove tags from an Amazon Macie resource or member account | Tagging | | aws:TagKeys (p. 1080) | |
| UpdateClassificationJob | Grants permission to cancel a classification job | Write | ClassificationJob* (p. 1079) | aws:RequestTag/${TagKey} (p. 1079), aws:TagKeys (p. 1080) | |
| UpdateFindingsFilter | Grants permission to update the settings for a findings filter | Write | FindingsFilter* (p. 1079) | aws:RequestTag/${TagKey} (p. 1079), aws:TagKeys (p. 1080) | |
| UpdateMacieSession | Grants permission to suspend or re-enable an Amazon Macie account, or update the configuration settings for a Macie account | Write | | | |
| UpdateMemberSession | Grants an Amazon Macie master account with permission to suspend or re-enable a member account | Write | | | |
| UpdateOrganizationConfiguration | Grants permission to update Amazon Macie configuration settings for an AWS organization | Write | | | |

Resource types defined by Amazon Macie


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1073) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| ClassificationJob | arn:${Partition}:macie2::${Account}:classification-job/${ResourceId} | aws:ResourceTag/${TagKey} (p. 1080) |
| CustomDataIdentifier | arn:${Partition}:macie2::${Account}:custom-data-identifier/${ResourceId} | aws:ResourceTag/${TagKey} (p. 1080) |
| Member | arn:${Partition}:macie2::${Account}:member/${ResourceId} | aws:ResourceTag/${TagKey} (p. 1080) |
| FindingsFilter | arn:${Partition}:macie2::${Account}:findings-filter/${ResourceId} | aws:ResourceTag/${TagKey} (p. 1080) |

Condition keys for Amazon Macie


Amazon Macie defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access based on tag key-value pairs that are associated with the resource | String |
| aws:TagKeys | Filters access based on the presence of tag keys in the request | String |

Actions, resources, and condition keys for Amazon Macie Classic

Amazon Macie Classic (service prefix: macie) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Macie Classic (p. 1080)
• Resource types defined by Amazon Macie Classic (p. 1081)
• Condition keys for Amazon Macie Classic (p. 1081)

Actions defined by Amazon Macie Classic


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateMemberAccount | Enables the user to associate a specified AWS account with Amazon Macie as a member account. | Write | | | |
| AssociateS3Resources | Enables the user to associate specified S3 resources with Amazon Macie for monitoring and data classification. | Write | | aws:SourceArn (p. 1081) | |
| DisassociateMemberAccount | Enables the user to remove the specified member account from Amazon Macie. | Write | | | |
| DisassociateS3Resources | Enables the user to remove specified S3 resources from being monitored by Amazon Macie. | Write | | aws:SourceArn (p. 1081) | |
| ListMemberAccounts | Enables the user to list all Amazon Macie member accounts for the current Macie master account. | List | | | |
| ListS3Resources | Enables the user to list all the S3 resources associated with Amazon Macie. | List | | | |
| UpdateS3Resources | Enables the user to update the classification types for the specified S3 resources. | Write | | aws:SourceArn (p. 1081) | |

Resource types defined by Amazon Macie Classic


Amazon Macie Classic does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to Amazon Macie Classic, specify "Resource": "*" in your policy.

Condition keys for Amazon Macie Classic


Amazon Macie Classic defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:SourceArn | Allow access to the specified actions only when the request operates on the specified aws resource | Arn |


Actions, resources, and condition keys for Manage Amazon API Gateway

Manage Amazon API Gateway (service prefix: apigateway) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Manage Amazon API Gateway (p. 1082)
• Resource types defined by Manage Amazon API Gateway (p. 1083)
• Condition keys for Manage Amazon API Gateway (p. 1084)

Actions defined by Manage Amazon API Gateway


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| DELETE | Used to delete resources | Write | apigateway-general* (p. 1084) | aws:RequestTag/${TagKey} (p. 1084), aws:TagKeys (p. 1084) | |
| GET | Used to get information about resources | Read | apigateway-general* (p. 1084) | | |
| PATCH | Used to update resources | Write | apigateway-general* (p. 1084) | aws:RequestTag/${TagKey} (p. 1084), aws:TagKeys (p. 1084) | |
| POST | Used to create child resources | Write | apigateway-general* (p. 1084) | aws:RequestTag/${TagKey} (p. 1084), aws:TagKeys (p. 1084) | |
| PUT | Used to update resources (and, although not recommended, can be used to create child resources) | Write | apigateway-general* (p. 1084) | aws:RequestTag/${TagKey} (p. 1084), aws:TagKeys (p. 1084) | |
| SetWebACL | Gives WebAcl permissions to WAF | Write | apigateway-general* (p. 1084) | | |
| UpdateRestApiPolicy | Used to update the Resource Policy for a given API | Write | apigateway-general* (p. 1084) | | |

Resource types defined by Manage Amazon API Gateway


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1082) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| apigateway-general | arn:${Partition}:apigateway:${Region}::${ApiGatewayResourcePath} | aws:ResourceTag/${TagKey} (p. 1084) |

Condition keys for Manage Amazon API Gateway


Manage Amazon API Gateway defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | | String |
| aws:ResourceTag/${TagKey} | | String |
| aws:TagKeys | | String |

Actions, resources, and condition keys for Amazon Managed Blockchain

Amazon Managed Blockchain (service prefix: managedblockchain) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Managed Blockchain (p. 1084)
• Resource types defined by Amazon Managed Blockchain (p. 1087)
• Condition keys for Amazon Managed Blockchain (p. 1087)

Actions defined by Amazon Managed Blockchain


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.


The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateMember | Grants permission to create a member of an Amazon Managed Blockchain network. | Write | network* (p. 1087) | | |
| CreateNetwork | Grants permission to create an Amazon Managed Blockchain network. | Write | | | |
| CreateNode | Grants permission to create a node within a member of an Amazon Managed Blockchain network. | Write | member* (p. 1087) | | |
| CreateProposal | Grants permission to create a proposal that other blockchain network members can vote on to add or remove a member in an Amazon Managed Blockchain network. | Write | network* (p. 1087) | | |
| DeleteMember | Grants permission to delete a member and all associated resources from an Amazon Managed Blockchain network. | Write | member* (p. 1087) | | |
| DeleteNode | Grants permission to delete a node from a member of an Amazon Managed Blockchain network. | Write | node* (p. 1087) | | |
| GetMember | Grants permission to return detailed information about a member of an Amazon Managed Blockchain network. | Read | member* (p. 1087) | | |
| GetNetwork | Grants permission to return detailed information about an Amazon Managed Blockchain network. | Read | network* (p. 1087) | | |
| GetNode | Grants permission to return detailed information about a node within a member of an Amazon Managed Blockchain network. | Read | node* (p. 1087) | | |
| GetProposal | Grants permission to return detailed information about a proposal of an Amazon Managed Blockchain network. | Read | proposal* (p. 1087) | | |
| ListInvitations | Grants permission to list the invitations extended to the active AWS account from any Managed Blockchain network. | List | | | |
| ListMembers | Grants permission to list the members of an Amazon Managed Blockchain network and the properties of their memberships. | List | network* (p. 1087) | | |
| ListNetworks | Grants permission to return information about the Amazon Managed Blockchain networks in which the current AWS account has members. | List | | | |
| ListNodes | Grants permission to list the nodes within a member of an Amazon Managed Blockchain network. | List | member* (p. 1087) | | |
| ListProposalVotes | Grants permission to list all votes for a proposal, including the value of the vote and the unique identifier of the member that cast the vote for the given Amazon Managed Blockchain network. | List | proposal* (p. 1087) | | |
| ListProposals | Grants permission to list proposals for the given Amazon Managed Blockchain network. | List | network* (p. 1087) | | |
| RejectInvitation | Grants permission to reject the invitation to join the blockchain network. | Write | invitation* (p. 1087) | | |
| UpdateMember | Grants permission to update a member of an Amazon Managed Blockchain network. | Write | member* (p. 1087) | | iam:CreateServiceLinkedR |
| UpdateNode | Grants permission to update a node from a member of an Amazon Managed Blockchain network. | Write | node* (p. 1087) | | iam:CreateServiceLinkedR |
| VoteOnProposal | Grants permission to cast a vote for a proposal on behalf of the blockchain network member specified. | Write | proposal* (p. 1087) | | |

Resource types defined by Amazon Managed Blockchain


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1084) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| network | arn:${Partition}:managedblockchain:${Region}::networks/${NetworkId} | |
| member | arn:${Partition}:managedblockchain:${Region}:${Account}:members/${MemberId} | |
| node | arn:${Partition}:managedblockchain:${Region}:${Account}:nodes/${NodeId} | |
| proposal | arn:${Partition}:managedblockchain:${Region}::proposals/${ProposalId} | |
| invitation | arn:${Partition}:managedblockchain:${Region}:${Account}:invitations/${InvitationId} | |

Condition keys for Amazon Managed Blockchain


Managed Blockchain has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Amazon Managed Service for Prometheus

Amazon Managed Service for Prometheus (service prefix: aps) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.


Topics
• Actions defined by Amazon Managed Service for Prometheus (p. 1088)
• Resource types defined by Amazon Managed Service for Prometheus (p. 1089)
• Condition keys for Amazon Managed Service for Prometheus (p. 1089)

Actions defined by Amazon Managed Service for Prometheus


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateWorkspace | Grants permission to create a workspace | Write | | |
DeleteWorkspace | Grants permission to delete a workspace | Write | workspace* (p. 1089) | |
DescribeWorkspace | Grants permission to describe a workspace | Read | workspace* (p. 1089) | |
GetLabels | Grants permission to retrieve AMP workspace labels | Read | workspace* (p. 1089) | |
GetMetricMetadata | Grants permission to retrieve the metadata for AMP workspace metrics | Read | workspace* (p. 1089) | |
GetSeries | Grants permission to retrieve AMP workspace time series data | Read | workspace* (p. 1089) | |
ListWorkspaces | Grants permission to list workspaces | List | | |
QueryMetrics | Grants permission to run a query on AMP workspace metrics | Read | workspace* (p. 1089) | |
RemoteWrite | Grants permission to perform a remote write operation to initiate the streaming of metrics to AMP workspace | Write | workspace* (p. 1089) | |
UpdateWorkspaceAlias | Grants permission to modify the alias of existing AMP workspace | Write | workspace* (p. 1089) | |

Resource types defined by Amazon Managed Service for Prometheus

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1088) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
workspace | arn:${Partition}:aps::${Region}:${Account}:workspace/${ResourceId} |

Condition keys for Amazon Managed Service for Prometheus


AMP has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Managed Streaming for Apache Kafka

Amazon Managed Streaming for Apache Kafka (service prefix: kafka) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.

Topics
• Actions defined by Amazon Managed Streaming for Apache Kafka (p. 1089)
• Resource types defined by Amazon Managed Streaming for Apache Kafka (p. 1092)
• Condition keys for Amazon Managed Streaming for Apache Kafka (p. 1092)

Actions defined by Amazon Managed Streaming for Apache Kafka

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchAssociateScramSecret | Grants permission to associate one or more Scram Secrets with an Amazon MSK cluster. | Write | | | kms:CreateGrant, kms:RetireGrant
BatchDisassociateScramSecret | Grants permission to disassociate one or more Scram Secrets from an Amazon MSK cluster. | Write | | | kms:RetireGrant
CreateCluster | Grants permission to create a cluster | Write | | aws:RequestTag/${TagKey} (p. 1092), aws:TagKeys (p. 1093) | ec2:DescribeSecurityGrou, ec2:DescribeSubnets, ec2:DescribeVpcs, iam:AttachRolePolicy, iam:CreateServiceLinkedR, iam:PutRolePolicy, kms:CreateGrant, kms:DescribeKey
CreateConfiguration | Grants permission to create a configuration. | Write | | |
DeleteCluster | Grants permission to delete a cluster. | Write | | |
DeleteConfiguration | Grants permission to delete the specified MSK configuration. | Write | | |
DescribeCluster | Grants permission to describe a cluster. | Read | | |
DescribeClusterOperation | Returns a description of the cluster operation specified by the ARN. | Read | | |
DescribeConfiguration | Grants permission to describe a configuration. | Read | | |
DescribeConfigurationRevision | Grants permission to describe a configuration revision. | Read | | |
GetBootstrapBrokers | Grants permission to get connection details for the broker nodes in a cluster. | Read | | |
GetCompatibleKafkaVersions | Returns a list of the Apache Kafka versions to which you can update this cluster. | List | | |
ListClusterOperations | Returns a list of all the operations that have been performed on the specified MSK cluster. | List | | |
ListClusters | Grants permission to return a list of all clusters in the current account. | List | | |
ListConfigurations | Grants permission to return a list of all configurations in the current account. | List | | |
ListNodes | Grants permission to return a list of nodes in a cluster. | List | | |
ListScramSecrets | Grants permission to return a list of the Scram Secrets associated with an Amazon MSK cluster. | List | | |
ListTagsForResource | Grants permission to list tags of a MSK resource. | List | cluster (p. 1092) | |
TagResource | Grants permission to tag a MSK resource. | Tagging | cluster (p. 1092) | aws:RequestTag/${TagKey} (p. 1092), aws:TagKeys (p. 1093) |
UntagResource | Grants permission to remove tags from a MSK resource. | Tagging | cluster (p. 1092) | aws:TagKeys (p. 1093) |
UpdateBrokerCount | Updates the number of broker nodes of the cluster. | Write | | |
UpdateBrokerStorage | Updates the storage size of the broker nodes of the cluster | Write | | |
UpdateClusterConfiguration | Update Kafka configuration running on a cluster. | Write | | |
UpdateClusterKafkaVersion | Updates the cluster to the specified Apache Kafka version. | Write | | |
UpdateConfiguration | Grants permission to create a new revision of the configuration. | Write | | |
UpdateMonitoring | Updates the monitoring settings for the cluster. | Write | | |

Resource types defined by Amazon Managed Streaming for Apache Kafka

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1089) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
cluster | arn:${Partition}:kafka:${Region}:${Account}:cluster/${ClusterName}/${UUID} | aws:ResourceTag/${TagKey} (p. 1092)

Condition keys for Amazon Managed Streaming for Apache Kafka

Amazon Managed Streaming for Apache Kafka defines the following condition keys that can be used
in the Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters access based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters access based on tag-value associated with a MSK resource | String
aws:TagKeys | Filters access based on the presence of mandatory tag keys in the request | String

Actions, resources, and condition keys for Amazon Managed Workflows for Apache Airflow

Amazon Managed Workflows for Apache Airflow (service prefix: airflow) provides the following
service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Managed Workflows for Apache Airflow (p. 1093)
• Resource types defined by Amazon Managed Workflows for Apache Airflow (p. 1095)
• Condition keys for Amazon Managed Workflows for Apache Airflow (p. 1096)

Actions defined by Amazon Managed Workflows for Apache Airflow

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateCliToken | Grants permission to create a short-lived token that allows a user to invoke Airflow CLI via an endpoint on the Apache Airflow Webserver | Write | environment* (p. 1095) | |
CreateEnvironment | Grants permission to create an Amazon MWAA environment | Write | environment* (p. 1095) | aws:ResourceTag/${TagKey} (p. 1096), aws:RequestTag/${TagKey} (p. 1096), aws:TagKeys (p. 1096) |
CreateWebLoginToken | Grants permission to create a short-lived token that allows a user to log into Apache Airflow web UI | Write | rbac-role* (p. 1095) | |
DeleteEnvironment | Grants permission to delete an Amazon MWAA environment | Write | environment* (p. 1095) | aws:ResourceTag/${TagKey} (p. 1096) |
GetEnvironment | Grants permission to view details about an Amazon MWAA environment | Read | environment* (p. 1095) | aws:ResourceTag/${TagKey} (p. 1096) |
ListEnvironments | Grants permission to list the Amazon MWAA environments in your account | List | | |
ListTagsForResource | Grants permission to list tags for an Amazon MWAA environment | Read | environment (p. 1095) | aws:ResourceTag/${TagKey} (p. 1096) |
PublishMetrics | Grants permission to publish metrics for an Amazon MWAA environment | Write | environment* (p. 1095) | |
TagResource | Grants permission to tag an Amazon MWAA environment | Tagging | environment (p. 1095) | aws:TagKeys (p. 1096), aws:RequestTag/${TagKey} (p. 1096), aws:ResourceTag/${TagKey} (p. 1096) |
UntagResource | Grants permission to untag an Amazon MWAA environment | Tagging | environment (p. 1095) | aws:TagKeys (p. 1096), aws:ResourceTag/${TagKey} (p. 1096) |
UpdateEnvironment | Grants permission to modify an Amazon MWAA environment | Write | environment* (p. 1095) | aws:ResourceTag/${TagKey} (p. 1096) |

Resource types defined by Amazon Managed Workflows for Apache Airflow

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1093) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
environment | arn:${Partition}:airflow:${Region}:${Account}:environment/${EnvironmentName} |
rbac-role | arn:${Partition}:airflow:${Region}:${Account}:role/${EnvironmentName}/${RoleName} |


Condition keys for Amazon Managed Workflows for Apache Airflow

Amazon Managed Workflows for Apache Airflow defines the following condition keys that can be used
in the Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the following table, see The
condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
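As an added illustration that is not part of this reference, the following Python linter encodes the MWAA action, resource type and condition key tables above and checks a policy statement against them: it flags a specific ARN on an action that has no resource-level permissions (such a statement never matches, so it grants nothing), a Resource that cannot match the ARN format of the action's required resource type, and tag condition keys the table does not list for an action. The sample statements, the account ID and all helper names are constructed for this example.

```python
import fnmatch

# Transcribed from the MWAA tables on this page: (access level, Resource types
# column as printed, condition keys listed). "" in the resource column means
# no resource-level permissions; a trailing "*" means the type is required.
MWAA_ACTIONS = {
    "CreateCliToken": ("Write", "environment*", ()),
    "CreateEnvironment": ("Write", "environment*", ("aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys")),
    "CreateWebLoginToken": ("Write", "rbac-role*", ()),
    "DeleteEnvironment": ("Write", "environment*", ("aws:ResourceTag/${TagKey}",)),
    "GetEnvironment": ("Read", "environment*", ("aws:ResourceTag/${TagKey}",)),
    "ListEnvironments": ("List", "", ()),
    "ListTagsForResource": ("Read", "environment", ("aws:ResourceTag/${TagKey}",)),
    "PublishMetrics": ("Write", "environment*", ()),
    "TagResource": ("Tagging", "environment", ("aws:TagKeys", "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}")),
    "UntagResource": ("Tagging", "environment", ("aws:TagKeys", "aws:ResourceTag/${TagKey}")),
    "UpdateEnvironment": ("Write", "environment*", ("aws:ResourceTag/${TagKey}",)),
}
MWAA_RESOURCE_TYPES = {  # ARN formats from the resource types table
    "environment": "arn:${Partition}:airflow:${Region}:${Account}:environment/${EnvironmentName}",
    "rbac-role": "arn:${Partition}:airflow:${Region}:${Account}:role/${EnvironmentName}/${RoleName}",
}
TAG_KEY_FAMILIES = {"aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _key_family(key):
    """Map a concrete key such as aws:ResourceTag/Team to the table's form."""
    return key.split("/", 1)[0] + "/${TagKey}" if "/" in key else key


def _path_matches(template_path, policy_path):
    """Segment-wise match of a policy resource path against an ARN template path."""
    tseg, pseg = template_path.split("/"), policy_path.split("/")
    for i, p in enumerate(pseg):
        if p == "*" and i == len(pseg) - 1:
            return True  # trailing wildcard covers the remaining segments
        if i >= len(tseg):
            return False
        if not tseg[i].startswith("${") and not fnmatch.fnmatchcase(tseg[i], p):
            return False  # literal segment such as "environment" does not match
    return len(pseg) == len(tseg)


def arn_matches_type(resource, template):
    """True if a policy Resource value could match an ARN of the given type."""
    if resource == "*":
        return True
    tparts, rparts = template.split(":", 5), resource.split(":", 5)
    for i, r in enumerate(rparts):
        t = tparts[i]
        if i == 5:
            return _path_matches(t, r)
        if i == len(rparts) - 1:  # ARN cut short: valid only with a trailing wildcard
            return r.endswith("*") and (t.startswith("${") or fnmatch.fnmatchcase(t, r))
        if not t.startswith("${") and not fnmatch.fnmatchcase(t, r):
            return False
    return False


def lint_statement(stmt):
    """Return findings for one policy statement; an empty list means clean."""
    findings = []
    resources = _as_list(stmt.get("Resource", []))
    used_keys = sorted({k for op in stmt.get("Condition", {}).values() for k in op})
    for pattern in _as_list(stmt.get("Action", [])):
        names = [n for n in MWAA_ACTIONS if fnmatch.fnmatchcase("airflow:" + n, pattern)]
        if not names:
            findings.append(f"{pattern}: matches no airflow action in the table")
        for name in names:
            action, (_level, column, keys) = "airflow:" + name, MWAA_ACTIONS[name]
            if column == "":
                # No resource-level permissions: a specific ARN never matches,
                # so the statement silently grants nothing.
                bad = [r for r in resources if r != "*"]
                if bad:
                    findings.append(f'{action}: Resource must be "*", got {bad}')
            else:
                template = MWAA_RESOURCE_TYPES[column.rstrip("*")]
                bad = [r for r in resources if not arn_matches_type(r, template)]
                if bad:
                    findings.append(f"{action}: Resource must match {template}, got {bad}")
            for key in used_keys:
                fam = _key_family(key)
                if fam in TAG_KEY_FAMILIES and fam not in keys:
                    findings.append(f"{action}: condition key {key} is not listed for this action")
    return findings


# Constructed sample statements (hypothetical account ID; not from the page).
GOOD_STATEMENT = {
    "Effect": "Allow",
    "Action": ["airflow:GetEnvironment", "airflow:UpdateEnvironment"],
    "Resource": "arn:aws:airflow:us-east-1:123456789012:environment/prod-*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Team": "data"}},
}
BAD_STATEMENT = {
    "Effect": "Allow",
    "Action": ["airflow:ListEnvironments", "airflow:CreateWebLoginToken"],
    "Resource": "arn:aws:airflow:us-east-1:123456789012:environment/prod",
    "Condition": {"StringEquals": {"aws:ResourceTag/Team": "data"}},
}

if __name__ == "__main__":
    for stmt in (GOOD_STATEMENT, BAD_STATEMENT):
        print(lint_statement(stmt) or ["clean"])
```

The BAD_STATEMENT produces four findings: ListEnvironments given an ARN, ListEnvironments with an unlisted tag key, CreateWebLoginToken given an environment ARN where an rbac-role ARN is required, and CreateWebLoginToken with an unlisted tag key.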

Actions, resources, and condition keys for AWS Marketplace

AWS Marketplace (service prefix: aws-marketplace) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Marketplace (p. 1096)
• Resource types defined by AWS Marketplace (p. 1098)
• Condition keys for AWS Marketplace (p. 1098)

Actions defined by AWS Marketplace


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AcceptAgreementApprovalRequest | Allows users to approve an incoming subscription request (for providers who provide products that require subscription verification). | Write | | |
CancelAgreementRequest | Allows users to cancel pending subscription requests for products that require subscription verification. | Write | | |
DescribeAgreement | Returns metadata about the agreement. | Read | | |
GetAgreementApprovalRequest | Allows users to view the details of their incoming subscription requests (for providers who provide products that require subscription verification). | Read | | |
GetAgreementRequest | Allows users to view the details of their subscription requests for data products that require subscription verification. | Read | | |
GetAgreementTerms | Returns a list of terms for an agreement. | List | | |
ListAgreementApprovalRequests | Allows users to list their incoming subscription requests (for providers who provide products that require subscription verification). | List | | |
ListAgreementRequests | Allows users to list their subscription requests for products that require subscription verification. | List | | |
RejectAgreementApprovalRequest | Allows users to decline an incoming subscription request (for providers who provide products that require subscription verification). | Write | | |
SearchAgreements | Allows users to search their agreements. | List | | |
Subscribe | Allows users to subscribe to AWS Marketplace products. Includes the ability to send a subscription request for products that require subscription verification. Includes the ability to enable auto-renewal for an existing subscription. | Write | | |
Unsubscribe | Allows users to remove subscriptions to AWS Marketplace products. Includes the ability to disable auto-renewal for an existing subscription. | Write | | |
UpdateAgreementApprovalRequest | Allows users to make changes to an incoming subscription request, including the ability to delete the prospective subscriber's information (for providers who provide products that require subscription verification). | Write | | |
ViewSubscriptions | Allows users to see their account's subscriptions. | List | | |

Resource types defined by AWS Marketplace


AWS Marketplace does not support specifying a resource ARN in the Resource element of an IAM policy
statement. To allow access to AWS Marketplace, specify “Resource”: “*” in your policy.

Condition keys for AWS Marketplace


AWS Marketplace defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws-marketplace:AgreementType | Enables you to control access based on the type of the agreement. | String
aws-marketplace:PartyType | Enables you to control access based on the party type of the agreement. | String


Actions, resources, and condition keys for AWS Marketplace Catalog

AWS Marketplace Catalog (service prefix: aws-marketplace) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Marketplace Catalog (p. 1099)
• Resource types defined by AWS Marketplace Catalog (p. 1100)
• Condition keys for AWS Marketplace Catalog (p. 1100)

Actions defined by AWS Marketplace Catalog


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CancelChangeSet | Cancels a running change set. | Write | | |
CompleteTask | Complete an existing task and submit the content to the associated change. | Write | | |
DescribeChangeSet | Returns the details of an existing change set. | Read | | |
DescribeEntity | Returns the details of an existing entity. | Read | | |
DescribeTask | Returns the details of an existing task. | Read | | |
ListChangeSets | Lists existing change sets. | Read | | |
ListEntities | Lists existing entities. | Read | | |
ListTasks | Lists existing tasks. | List | | |
StartChangeSet | Requests a new change set. | Write | | catalog:ChangeType (p. 1100) |
UpdateTask | Update the content of an existing task. | Write | | |

Resource types defined by AWS Marketplace Catalog


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1099) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
Entity | arn:${Partition}:aws-marketplace:${Region}:${Account}:${Catalog}/${EntityType}/${ResourceId} |
ChangeSet | arn:${Partition}:aws-marketplace:${Region}:${Account}:${Catalog}/ChangeSet/${ResourceId} |

Condition keys for AWS Marketplace Catalog


AWS Marketplace Catalog defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
catalog:ChangeType | Enables you to verify change type in the StartChangeSet request. | String


Actions, resources, and condition keys for AWS Marketplace Commerce Analytics Service

AWS Marketplace Commerce Analytics Service (service prefix: marketplacecommerceanalytics)
provides the following service-specific resources, actions, and condition context keys for use in IAM
permission policies.

References:

• Learn how to configure this service.

Topics
• Actions defined by AWS Marketplace Commerce Analytics Service (p. 1101)
• Resource types defined by AWS Marketplace Commerce Analytics Service (p. 1102)
• Condition keys for AWS Marketplace Commerce Analytics Service (p. 1102)

Actions defined by AWS Marketplace Commerce Analytics Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
GenerateDataSet | Request a data set to be published to your Amazon S3 bucket. | Write | | |
StartSupportDataExport | Request a support data set to be published to your Amazon S3 bucket. | Write | | |


Resource types defined by AWS Marketplace Commerce Analytics Service

AWS Marketplace Commerce Analytics Service does not support specifying a resource ARN in the
Resource element of an IAM policy statement. To allow access to AWS Marketplace Commerce Analytics
Service, specify “Resource”: “*” in your policy.

Condition keys for AWS Marketplace Commerce Analytics Service

CAS has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Marketplace Entitlement Service

AWS Marketplace Entitlement Service (service prefix: aws-marketplace) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

Topics
• Actions defined by AWS Marketplace Entitlement Service (p. 1102)
• Resource types defined by AWS Marketplace Entitlement Service (p. 1103)
• Condition keys for AWS Marketplace Entitlement Service (p. 1103)

Actions defined by AWS Marketplace Entitlement Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
GetEntitlements | Retrieves entitlement values for a given product. The results can be filtered based on customer identifier or product dimensions | Read | | |


Resource types defined by AWS Marketplace Entitlement Service


AWS Marketplace Entitlement Service does not support specifying a resource ARN in the Resource
element of an IAM policy statement. To allow access to AWS Marketplace Entitlement Service, specify
"Resource": "*" in your policy.

Condition keys for AWS Marketplace Entitlement Service


Marketplace Entitlement has no service-specific context keys that can be used in the Condition
element of policy statements. For the list of the global context keys that are available to all services, see
Available keys for conditions.

Actions, resources, and condition keys for AWS Marketplace Image Building Service
AWS Marketplace Image Building Service (service prefix: aws-marketplace) provides the following
service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Marketplace Image Building Service (p. 1103)
• Resource types defined by AWS Marketplace Image Building Service (p. 1104)
• Condition keys for AWS Marketplace Image Building Service (p. 1104)

Actions defined by AWS Marketplace Image Building Service



For details about the columns in the following table, see The actions table (p. 1).

Actions                            Description                                       Access level
DescribeBuilds [permission only]   Describes Image Builds identified by a build Id   Read
ListBuilds [permission only]       Lists Image Builds                                Read
StartBuild [permission only]       Starts an Image Build                             Write

No action in this table has resource types, condition keys or dependent actions.

Resource types defined by AWS Marketplace Image Building Service
AWS Marketplace Image Building Service does not support specifying a resource ARN in the Resource
element of an IAM policy statement. To allow access to AWS Marketplace Image Building Service, specify
"Resource": "*" in your policy.

Condition keys for AWS Marketplace Image Building Service


Marketplace Image Build has no service-specific context keys that can be used in the Condition
element of policy statements. For the list of the global context keys that are available to all services, see
Available keys for conditions.

Actions, resources, and condition keys for AWS Marketplace Management Portal
AWS Marketplace Management Portal (service prefix: aws-marketplace-management) provides
the following service-specific resources, actions, and condition context keys for use in IAM permission
policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Marketplace Management Portal (p. 1104)
• Resource types defined by AWS Marketplace Management Portal (p. 1105)
• Condition keys for AWS Marketplace Management Portal (p. 1105)

Actions defined by AWS Marketplace Management Portal



For details about the columns in the following table, see The actions table (p. 1).

Actions                          Description                                                          Access level
uploadFiles [permission only]    Allows access to the File Upload page inside the AWS Marketplace     Write
                                 Management Portal.
viewMarketing [permission only]  Allows access to the Marketing page inside the AWS Marketplace       List
                                 Management Portal.
viewReports [permission only]    Allows access to the Reports page inside the AWS Marketplace         List
                                 Management Portal.
viewSettings [permission only]   Allows access to the Settings page inside the AWS Marketplace        List
                                 Management Portal.
viewSupport [permission only]    Allows access to the Customer Support Eligibility page inside the    List
                                 AWS Marketplace Management Portal.

No action in this table has resource types, condition keys or dependent actions.

Resource types defined by AWS Marketplace Management Portal
AWS Marketplace Management Portal does not support specifying a resource ARN in the Resource
element of an IAM policy statement. To allow access to AWS Marketplace Management Portal, specify
"Resource": "*" in your policy.

Condition keys for AWS Marketplace Management Portal


Marketplace Portal has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.


Actions, resources, and condition keys for AWS Marketplace Metering Service
AWS Marketplace Metering Service (service prefix: aws-marketplace) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Marketplace Metering Service (p. 1106)
• Resource types defined by AWS Marketplace Metering Service (p. 1107)
• Condition keys for AWS Marketplace Metering Service (p. 1107)

Actions defined by AWS Marketplace Metering Service



For details about the columns in the following table, see The actions table (p. 1).

Actions           Description                                                                  Access level
BatchMeterUsage   Called from a SaaS application listed on the AWS Marketplace to post         Write
                  metering records for a set of customers.
MeterUsage        Emits metering records.                                                      Write
RegisterUsage     Allows you to verify that the customer running your paid software is         Write
                  subscribed to your product on AWS Marketplace, enabling you to guard
                  against unauthorized use. Meters software use per ECS task, per hour,
                  with usage prorated to the second.
ResolveCustomer   Resolves a registration token to obtain a CustomerIdentifier and product     Write
                  code.

No action in this table has resource types, condition keys or dependent actions.

Resource types defined by AWS Marketplace Metering Service


AWS Marketplace Metering Service does not support specifying a resource ARN in the Resource
element of an IAM policy statement. To allow access to AWS Marketplace Metering Service, specify
"Resource": "*" in your policy.

Condition keys for AWS Marketplace Metering Service


Marketplace Metering has no service-specific context keys that can be used in the Condition element
of policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS Marketplace Procurement Systems Integration
AWS Marketplace Procurement Systems Integration (service prefix: aws-marketplace) provides the
following service-specific resources, actions, and condition context keys for use in IAM permission
policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Marketplace Procurement Systems Integration (p. 1107)
• Resource types defined by AWS Marketplace Procurement Systems Integration (p. 1108)
• Condition keys for AWS Marketplace Procurement Systems Integration (p. 1108)

Actions defined by AWS Marketplace Procurement Systems Integration

For details about the columns in the following table, see The actions table (p. 1).

Actions                                                   Description                                                     Access level
DescribeProcurementSystemConfiguration [permission only]  Describes the Procurement System integration configuration      Read
                                                          (e.g. Coupa) for the individual account, or for the entire AWS
                                                          Organization if one exists. This action can only be performed
                                                          by the master account if using an AWS Organization.
PutProcurementSystemConfiguration [permission only]       Creates or updates the Procurement System integration           Write
                                                          configuration (e.g. Coupa) for the individual account, or for
                                                          the entire AWS Organization if one exists. This action can
                                                          only be performed by the master account if using an AWS
                                                          Organization.

No action in this table has resource types, condition keys or dependent actions.

Resource types defined by AWS Marketplace Procurement Systems Integration
AWS Marketplace Procurement Systems Integration does not support specifying a resource ARN in
the Resource element of an IAM policy statement. To allow access to AWS Marketplace Procurement
Systems Integration, specify "Resource": "*" in your policy.

Condition keys for AWS Marketplace Procurement Systems Integration
Marketplace Procurement Integration has no service-specific context keys that can be used in the
Condition element of policy statements. For the list of the global context keys that are available to all
services, see Available keys for conditions.

Actions, resources, and condition keys for Amazon Mechanical Turk
Amazon Mechanical Turk (service prefix: mechanicalturk) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Mechanical Turk (p. 1109)
• Resource types defined by Amazon Mechanical Turk (p. 1113)
• Condition keys for Amazon Mechanical Turk (p. 1113)

Actions defined by Amazon Mechanical Turk



For details about the columns in the following table, see The actions table (p. 1).

Actions                              Description                                                       Access level
AcceptQualificationRequest           Grants a Worker's request for a Qualification                     Write
ApproveAssignment                    Approves the results of a completed assignment                    Write
AssociateQualificationWithWorker     Gives a Worker a Qualification                                    Write
CreateAdditionalAssignmentsForHIT    Increases the maximum number of assignments of an existing HIT    Write
CreateHIT                            Creates a new HIT (Human Intelligence Task)                       Write
CreateHITType                        Creates a new HIT type                                            Write
CreateHITWithHITType                 Creates a new Human Intelligence Task (HIT) using an existing     Write
                                     HITTypeID generated by the CreateHITType operation
CreateQualificationType              Creates a new Qualification type, which is represented by a       Write
                                     QualificationType data structure
CreateWorkerBlock                    Allows you to prevent a Worker from working on your HITs          Write
DeleteHIT                            Disposes of a HIT that is no longer needed                        Write
DeleteQualificationType              Disposes of a Qualification type and of any HIT types that are    Write
                                     associated with the Qualification type
DeleteWorkerBlock                    Allows you to reinstate a blocked Worker to work on your HITs     Write
DisassociateQualificationFromWorker  Revokes a previously granted Qualification from a user            Write
GetAccountBalance                    Retrieves the amount of money in your Amazon Mechanical Turk      Read
                                     account
GetAssignment                        Retrieves an assignment with an AssignmentStatus value of         Read
                                     Submitted, Approved, or Rejected, using the assignment's ID
GetFileUploadURL                     Generates and returns a temporary URL                             Read
GetHIT                               Retrieves the details of the specified HIT                        Read
GetQualificationScore                Returns the value of a Worker's Qualification for a given         Read
                                     Qualification type
GetQualificationType                 Retrieves information about a Qualification type using its ID     Read
ListAssignmentsForHIT                Retrieves completed assignments for a HIT                         List
ListBonusPayments                    Retrieves the amounts of bonuses you have paid to Workers for a   List
                                     given HIT or assignment
ListHITs                             Returns all of a Requester's HITs                                 List
ListHITsForQualificationType         Returns the HITs that use the given QualificationType for a       List
                                     QualificationRequirement
ListQualificationRequests            Retrieves requests for Qualifications of a particular             List
                                     Qualification type
ListQualificationTypes               Searches for Qualification types using the specified search       List
                                     query, and returns a list of Qualification types
ListReviewPolicyResultsForHIT        Retrieves the computed results and the actions taken in the       List
                                     course of executing your Review Policies during a CreateHIT
                                     operation
ListReviewableHITs                   Returns all of a Requester's HITs that have not been approved     List
                                     or rejected
ListWorkerBlocks                     Retrieves a list of Workers who are blocked from working on       List
                                     your HITs
ListWorkersWithQualificationType     Returns all of the Workers with a given Qualification type        List
NotifyWorkers                        Sends an email to one or more Workers that you specify with the   Write
                                     Worker ID
RejectAssignment                     Rejects the results of a completed assignment                     Write
RejectQualificationRequest           Rejects a user's request for a Qualification                      Write
SendBonus                            Issues a payment of money from your account to a Worker           Write
SendTestEventNotification            Causes Amazon Mechanical Turk to send a notification message as   Write
                                     if a HIT event occurred, according to the provided notification
                                     specification
UpdateExpirationForHIT               Allows you to extend the expiration time of a HIT beyond its      Write
                                     current expiration or to expire a HIT immediately
UpdateHITReviewStatus                Toggles the status of a HIT                                       Write
UpdateHITTypeOfHIT                   Allows you to change the HITType properties of a HIT              Write
UpdateNotificationSettings           Creates, updates, disables or re-enables notifications for a      Write
                                     HIT type
UpdateQualificationType              Modifies the attributes of an existing Qualification type, which  Write
                                     is represented by a QualificationType data structure

No action in this table has resource types, condition keys or dependent actions.

Resource types defined by Amazon Mechanical Turk


Amazon Mechanical Turk does not support specifying a resource ARN in the Resource element of an
IAM policy statement. To allow access to Amazon Mechanical Turk, specify "Resource": "*" in your
policy. Because no ARN scoping is possible, the only way to separate money-moving actions such as
SendBonus and ApproveAssignment from read-only ones is to list the permitted actions explicitly
rather than granting mechanicalturk:*.

Condition keys for Amazon Mechanical Turk


MechanicalTurk has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Amazon Message Delivery Service
Amazon Message Delivery Service (service prefix: ec2messages) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

Topics
• Actions defined by Amazon Message Delivery Service (p. 1113)
• Resource types defined by Amazon Message Delivery Service (p. 1114)
• Condition keys for Amazon Message Delivery Service (p. 1114)

Actions defined by Amazon Message Delivery Service



For details about the columns in the following table, see The actions table (p. 1).

Actions              Description                                                              Access level
AcknowledgeMessage   Acknowledges a message, ensuring it will not be delivered again          Write
DeleteMessage        Deletes a message                                                        Write
FailMessage          Fails a message, signifying the message could not be processed           Write
                     successfully, ensuring it cannot be replied to or delivered again
GetEndpoint          Routes traffic to the correct endpoint based on the given destination    Read
                     for the messages
GetMessages          Delivers messages to clients/instances using long polling                Read
SendReply            Sends replies from clients/instances to the upstream service             Write

No action in this table has resource types, condition keys or dependent actions.

Resource types defined by Amazon Message Delivery Service


Amazon Message Delivery Service does not support specifying a resource ARN in the Resource element
of an IAM policy statement. To allow access to Amazon Message Delivery Service, specify "Resource":
"*" in your policy.

Condition keys for Amazon Message Delivery Service


EC2 Messages has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Migration Hub
AWS Migration Hub (service prefix: mgh) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Migration Hub (p. 1115)
• Resource types defined by AWS Migration Hub (p. 1116)
• Condition keys for AWS Migration Hub (p. 1116)

Actions defined by AWS Migration Hub



For details about the columns in the following table, see The actions table (p. 1).

Actions                         Description                                                Access level   Resource types (*required)
AssociateCreatedArtifact        Associate a given AWS artifact to a MigrationTask          Write          migrationTask* (p. 1116)
AssociateDiscoveredResource     Associate a given ADS resource to a MigrationTask          Write          migrationTask* (p. 1116)
CreateHomeRegionControl         Create a Migration Hub Home Region Control                 Write
CreateProgressUpdateStream      Create a ProgressUpdateStream                              Write          progressUpdateStream* (p. 1116)
DeleteProgressUpdateStream      Delete a ProgressUpdateStream                              Write          progressUpdateStream* (p. 1116)
DescribeApplicationState        Get an Application Discovery Service Application's state   Read
DescribeHomeRegionControls      List Home Region Controls                                  List
DescribeMigrationTask           Describe a MigrationTask                                   Read           migrationTask* (p. 1116)
DisassociateCreatedArtifact     Disassociate a given AWS artifact from a MigrationTask     Write          migrationTask* (p. 1116)
DisassociateDiscoveredResource  Disassociate a given ADS resource from a MigrationTask     Write          migrationTask* (p. 1116)
GetHomeRegion                   Get the Migration Hub Home Region                          Read
ImportMigrationTask             Import a MigrationTask                                     Write          migrationTask* (p. 1116)
ListCreatedArtifacts            List associated created artifacts for a MigrationTask      List           migrationTask* (p. 1116)
ListDiscoveredResources         List associated ADS resources for a MigrationTask          List           migrationTask* (p. 1116)
ListMigrationTasks              List MigrationTasks                                        List
ListProgressUpdateStreams       List ProgressUpdateStreams                                 List
NotifyApplicationState          Update an Application Discovery Service Application's      Write
                                state
NotifyMigrationTaskState        Notify latest MigrationTask state                          Write          migrationTask* (p. 1116)
PutResourceAttributes           Put ResourceAttributes                                     Write          migrationTask* (p. 1116)

No action in this table has condition keys or dependent actions.

Resource types defined by AWS Migration Hub


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1115) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types          ARN                                                                                              Condition keys
progressUpdateStream    arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}
migrationTask           arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}/migrationTask/${Task}
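The two rules that matter when writing statements against these tables (an action with no resource type, such as those in the Marketplace and Mechanical Turk sections above, takes effect only with "Resource": "*", while a Migration Hub action can be scoped to one of the ARN templates in this table) can be checked mechanically before a policy is deployed. The following Python is an added example, not part of this reference or of any AWS SDK: it fills the ARN templates from the table, models IAM's '*' and '?' wildcard matching of the Action and Resource elements, evaluates one action/resource pair against a policy, and lints a policy for statements that can never match or that are broader than the action needs. The action subset, the account ID 123456789012, the region and the stream and task names are placeholders chosen for the example; NotAction, Principal, Condition and the rest of IAM's evaluation logic are not modelled.

```python
# Added example, not AWS code: a minimal model of how an IAM statement's Action
# and Resource elements match a request, used to check the rules this reference
# states. Only Effect, Action, Resource and the '*' / '?' wildcards are modelled.
import re
from string import Template

# Subset of the actions tables above; () means the action has no resource type,
# so a statement must use "Resource": "*" for it to take effect.
ACTION_RESOURCE_TYPES = {
    "aws-marketplace:GetEntitlements": (),
    "aws-marketplace:MeterUsage": (),
    "mgh:ListMigrationTasks": (),
    "mgh:CreateProgressUpdateStream": ("progressUpdateStream",),
    "mgh:DeleteProgressUpdateStream": ("progressUpdateStream",),
    "mgh:DescribeMigrationTask": ("migrationTask",),
    "mgh:NotifyMigrationTaskState": ("migrationTask",),
}
# ARN templates copied from the Migration Hub resource types table.
ARN_TEMPLATES = {
    "progressUpdateStream": "arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}",
    "migrationTask": "arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}/migrationTask/${Task}",
}
# Prefixes this reference shows as shared by several services: a wildcard on
# the action name grants all of them at once.
SHARED_PREFIXES = {"aws-marketplace": "Image Building, Metering and Procurement Systems Integration"}


def build_arn(resource_type, **parts):
    """Fill an ARN template; substitute() raises KeyError if a part is missing."""
    return Template(ARN_TEMPLATES[resource_type]).substitute(parts)


def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Action names match case-insensitively; ARNs are compared as written."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource_arn="*"):
    """'Allow', 'Deny' or 'ImplicitDeny' for one action/resource pair. For an
    action with no resource type the request resource is '*', which is why
    only "Resource": "*" can grant it."""
    if ACTION_RESOURCE_TYPES.get(action) == ():
        resource_arn = "*"
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if any(wildcard_match(a, action, True) for a in _as_list(stmt["Action"])) and \
           any(wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return "Deny"       # an explicit deny always wins
            decision = "Allow"
    return decision


def lint(policy):
    """Flag statements that can never match or grant more than the action needs."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            prefix, _, name = action.partition(":")
            types = ACTION_RESOURCE_TYPES.get(action)
            if "*" in name and prefix in SHARED_PREFIXES:
                findings.append(f"Statement {i}: {action} covers {SHARED_PREFIXES[prefix]}")
            elif types == () and "*" not in resources:
                findings.append(f"Statement {i}: {action} has no resource type; "
                                f"it never matches unless Resource is \"*\"")
            elif types and resources == ["*"]:
                findings.append(f"Statement {i}: {action} accepts {', '.join(types)} "
                                f"ARNs; \"*\" is broader than needed")
    return findings


# Placeholder account, region and names, constructed for the example.
TASK_ARN = build_arn("migrationTask", Partition="aws", Region="us-west-2",
                     Account="123456789012", Stream="erp-cutover", Task="db01")
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aws-marketplace:GetEntitlements", "Resource": "*"},
    {"Effect": "Allow", "Action": ["mgh:DescribeMigrationTask", "mgh:NotifyMigrationTaskState"],
     "Resource": "arn:aws:mgh:us-west-2:123456789012:progressUpdateStream/erp-cutover/migrationTask/*"},
]}
# Mistakes the lint catches: a scoped ARN on a resource-less action (never
# matches), "*" on a resource-bearing action (over-broad), a shared prefix.
SUSPECT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aws-marketplace:MeterUsage", "Resource": "arn:aws:aws-marketplace:*"},
    {"Effect": "Allow", "Action": "mgh:CreateProgressUpdateStream", "Resource": "*"},
    {"Effect": "Allow", "Action": "aws-marketplace:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "mgh:DeleteProgressUpdateStream", "Resource": "*"},
]}
```

evaluate(LEAST_PRIVILEGE, "mgh:DescribeMigrationTask", TASK_ARN) returns "Allow", the same action against a task under a different stream returns "ImplicitDeny", and lint(SUSPECT) reports the MeterUsage statement as one that never matches, the two "*"-scoped Migration Hub statements as broader than needed, and aws-marketplace:* as spanning every service that shares that prefix. The last point is the one to watch in this part of the reference: Image Building, Metering and Procurement Systems Integration all use the aws-marketplace prefix, so a wildcard meant for one of them grants the others as well.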

Condition keys for AWS Migration Hub


Migration Hub has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.


Actions, resources, and condition keys for Amazon Mobile Analytics
Amazon Mobile Analytics (service prefix: mobileanalytics) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Mobile Analytics (p. 1117)
• Resource types defined by Amazon Mobile Analytics (p. 1118)
• Condition keys for Amazon Mobile Analytics (p. 1118)

Actions defined by Amazon Mobile Analytics



For details about the columns in the following table, see The actions table (p. 1).

Columns: Actions; Description; Access level; Resource types (*required); Condition keys; Dependent actions. Fields with no value are omitted.

GetFinancialReports: Grant access to financial metrics for an app. Access level: Read.
GetReports: Grant access to standard metrics for an app. Access level: Read.
PutEvents: The PutEvents operation records one or more events. Access level: Write.


Resource types defined by Amazon Mobile Analytics


Amazon Mobile Analytics does not support specifying a resource ARN in the Resource element of an
IAM policy statement. To allow access to Amazon Mobile Analytics, specify "Resource": "*" in your
policy.

Condition keys for Amazon Mobile Analytics


Mobile Analytics has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS Mobile Hub

AWS Mobile Hub (service prefix: mobilehub) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Mobile Hub (p. 1118)
• Resource types defined by AWS Mobile Hub (p. 1120)
• Condition keys for AWS Mobile Hub (p. 1120)

Actions defined by AWS Mobile Hub


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Columns: Actions; Description; Access level; Resource types (*required); Condition keys; Dependent actions. Fields with no value are omitted.

CreateProject: Create a project. Access level: Write.
CreateServiceRole: Enable AWS Mobile Hub in the account by creating the required service role. Access level: Write.
DeleteProject: Delete the specified project. Access level: Write. Resource types: project* (p. 1120).
DeleteProjectSnapshot: Delete a saved snapshot of project configuration. Access level: Write.
DeployToStage: Deploy changes to the specified stage. Access level: Write.
DescribeBundle: Describe the download bundle. Access level: Read.
ExportBundle: Export the download bundle. Access level: Read.
ExportProject: Export the project configuration. Access level: Read. Resource types: project* (p. 1120).
GenerateProjectParameters: Generate project parameters required for code generation. Access level: Read. Resource types: project* (p. 1120).
GetProject: Get project configuration and resources. Access level: Read. Resource types: project* (p. 1120).
GetProjectSnapshot: Fetch the previously exported project configuration snapshot. Access level: Read.
ImportProject: Create a new project from the previously exported project configuration. Access level: Write.
InstallBundle: Install a bundle in the project deployments S3 bucket. Access level: Write.
ListAvailableConnectors: List the available SaaS (Software as a Service) connectors. Access level: List.
ListAvailableFeatures: List available features. Access level: List.
ListAvailableRegions: List available regions for projects. Access level: List.
ListBundles: List the available download bundles. Access level: List.
ListProjectSnapshots: List saved snapshots of project configuration. Access level: List.
ListProjects: List projects. Access level: List.
SynchronizeProject: Synchronize state of resources into project. Access level: Write. Resource types: project* (p. 1120).
UpdateProject: Update project. Access level: Write. Resource types: project* (p. 1120).
ValidateProject: Validate a mobile hub project. Access level: Read.
VerifyServiceRole: Verify AWS Mobile Hub is enabled in the account. Access level: Read.

Resource types defined by AWS Mobile Hub


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1118) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Columns: Resource types; ARN; Condition keys. Fields with no value are omitted.

project: arn:${Partition}:mobilehub:${Region}:${Account}:project/${ProjectId}

Condition keys for AWS Mobile Hub


Mobile Hub has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Monitron

Amazon Monitron (service prefix: monitron) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Monitron (p. 1121)
• Resource types defined by Amazon Monitron (p. 1122)
• Condition keys for Amazon Monitron (p. 1123)


Actions defined by Amazon Monitron


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Columns: Actions; Description; Access level; Resource types (*required); Condition keys; Dependent actions. Fields with no value are omitted.

AssociateProjectAdminUser [permission only]: Grants permission to associate a user with the project as an administrator. Access level: Permissions management. Resource types: project* (p. 1123). Dependent actions: sso-directory:DescribeUsers, sso:AssociateProfile, sso:GetManagedApplicati, sso:ListDirectoryAssociati, sso:ListProfiles.
CreateProject [permission only]: Grants permission to create a project. Access level: Write. Condition keys: aws:RequestTag/${TagKey} (p. 1123), aws:TagKeys (p. 1123). Dependent actions: iam:CreateServiceLinkedR, kms:CreateGrant, sso:CreateManagedApplic, sso:DeleteManagedApplic.
DeleteProject [permission only]: Grants permission to delete a project. Access level: Write. Resource types: project* (p. 1123). Dependent actions: sso:DeleteManagedApplic.
DisassociateProjectAdminUser [permission only]: Grants permission to disassociate an administrator from the project. Access level: Permissions management. Resource types: project* (p. 1123). Dependent actions: sso-directory:DescribeUsers, sso:DisassociateProfile, sso:GetManagedApplicati, sso:ListDirectoryAssociati, sso:ListProfiles.
GetProject [permission only]: Grants permission to get information about a project. Access level: Read. Resource types: project* (p. 1123).
GetProjectAdminUser [permission only]: Grants permission to describe an administrator who is associated with the project. Access level: Read. Resource types: project* (p. 1123). Dependent actions: sso-directory:DescribeUsers, sso:GetManagedApplicati.
ListProjectAdminUsers [permission only]: Grants permission to list all administrators associated with the project. Access level: Permissions management. Resource types: project* (p. 1123). Dependent actions: sso-directory:DescribeUsers, sso:GetManagedApplicati.
ListProjects [permission only]: Grants permission to list all projects. Access level: List.
ListTagsForResource [permission only]: Grants permission to list all tags for a resource. Access level: Read. Resource types: project (p. 1123). Condition keys: aws:TagKeys (p. 1123), aws:RequestTag/${TagKey} (p. 1123).
TagResource [permission only]: Grants permission to tag a resource. Access level: Tagging. Resource types: project (p. 1123). Condition keys: aws:TagKeys (p. 1123), aws:RequestTag/${TagKey} (p. 1123).
UntagResource [permission only]: Grants permission to untag a resource. Access level: Tagging. Resource types: project (p. 1123). Condition keys: aws:TagKeys (p. 1123).
UpdateProject [permission only]: Grants permission to update a project. Access level: Write. Resource types: project* (p. 1123). Condition keys: aws:TagKeys (p. 1123), aws:RequestTag/${TagKey} (p. 1123).

Resource types defined by Amazon Monitron


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1121) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Columns: Resource types; ARN; Condition keys. Fields with no value are omitted.

project: arn:${Partition}:monitron:${Region}:${Account}:project/${ResourceId}. Condition keys: aws:ResourceTag/${TagKey} (p. 1123).

Condition keys for Amazon Monitron


Amazon Monitron defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Columns: Condition keys; Description; Type.

aws:RequestTag/${TagKey}: Filters access by the tag key-value pairs in the request. Type: String.
aws:ResourceTag/${TagKey}: Filters access by the tags attached to the resource. Type: String.
aws:TagKeys: Filters actions by the tag keys in the request. Type: String.

Actions, resources, and condition keys for Amazon MQ

Amazon MQ (service prefix: mq) provides the following service-specific resources, actions, and condition
context keys for use in IAM permission policies.

References:

• View a list of the API operations available for this service.

Topics
• Actions defined by Amazon MQ (p. 1123)
• Resource types defined by Amazon MQ (p. 1126)
• Condition keys for Amazon MQ (p. 1126)

Actions defined by Amazon MQ


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Columns: Actions; Description; Access level; Resource types (*required); Condition keys; Dependent actions. Fields with no value are omitted.

CreateBroker: Grants permission to create a broker. Access level: Write. Condition keys: aws:RequestTag/${TagKey} (p. 1127), aws:TagKeys (p. 1127). Dependent actions: ec2:CreateNetworkInterfa, ec2:CreateNetworkInterfa, ec2:CreateSecurityGroup, ec2:CreateVpcEndpoint, ec2:DescribeInternetGate, ec2:DescribeNetworkInter, ec2:DescribeNetworkInter, ec2:DescribeSecurityGrou, ec2:DescribeSubnets, ec2:DescribeVpcEndpoint, ec2:DescribeVpcs, ec2:ModifyNetworkInterf, iam:CreateServiceLinkedR, route53:AssociateVPCWit.
CreateConfiguration: Grants permission to create a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and engine version). Access level: Write. Condition keys: aws:RequestTag/${TagKey} (p. 1127), aws:TagKeys (p. 1127).
CreateTags: Grants permission to create tags. Access level: Write. Resource types: brokers (p. 1126), configurations (p. 1126). Condition keys: aws:RequestTag/${TagKey} (p. 1127), aws:TagKeys (p. 1127).
CreateUser: Grants permission to create an ActiveMQ user. Access level: Write. Resource types: brokers* (p. 1126).
DeleteBroker: Grants permission to delete a broker. Access level: Write. Resource types: brokers* (p. 1126). Dependent actions: ec2:DeleteNetworkInterfa, ec2:DeleteNetworkInterfa, ec2:DeleteVpcEndpoints, ec2:DetachNetworkInterf.
DeleteTags: Grants permission to delete tags. Access level: Write. Resource types: brokers (p. 1126), configurations (p. 1126). Condition keys: aws:TagKeys (p. 1127).
DeleteUser: Grants permission to delete an ActiveMQ user. Access level: Write. Resource types: brokers* (p. 1126).
DescribeBroker: Grants permission to return information about the specified broker. Access level: Read. Resource types: brokers* (p. 1126).
DescribeBrokerEngineTypes: Grants permission to return information about broker engines. Access level: Read.
DescribeBrokerInstanceOptions: Grants permission to return information about the broker instance options. Access level: Read.
DescribeConfiguration: Grants permission to return information about the specified configuration. Access level: Read. Resource types: configurations* (p. 1126).
DescribeConfigurationRevision: Grants permission to return the specified configuration revision for the specified configuration. Access level: Read. Resource types: configurations* (p. 1126).
DescribeUser: Grants permission to return information about an ActiveMQ user. Access level: Read. Resource types: brokers* (p. 1126).
ListBrokers: Grants permission to return a list of all brokers. Access level: List.
ListConfigurationRevisions: Grants permission to return a list of all existing revisions for the specified configuration. Access level: List. Resource types: configurations* (p. 1126).
ListConfigurations: Grants permission to return a list of all configurations. Access level: List.
ListTags: Grants permission to return a list of tags. Access level: List. Resource types: brokers (p. 1126), configurations (p. 1126).
ListUsers: Grants permission to return a list of all ActiveMQ users. Access level: List. Resource types: brokers* (p. 1126).
RebootBroker: Grants permission to reboot a broker. Access level: Write. Resource types: brokers* (p. 1126).
UpdateBroker: Grants permission to add a pending configuration change to a broker. Access level: Write. Resource types: brokers* (p. 1126).
UpdateConfiguration: Grants permission to update the specified configuration. Access level: Write. Resource types: configurations* (p. 1126).
UpdateUser: Grants permission to update the information for an ActiveMQ user. Access level: Write. Resource types: brokers* (p. 1126).

Resource types defined by Amazon MQ


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1123) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Columns: Resource types; ARN; Condition keys. Fields with no value are omitted.

brokers: arn:${Partition}:mq:${Region}:${Account}:broker:${broker-id}. Condition keys: aws:ResourceTag/${TagKey} (p. 1127).
configurations: arn:${Partition}:mq:${Region}:${Account}:configuration:${configuration-id}. Condition keys: aws:ResourceTag/${TagKey} (p. 1127).

Condition keys for Amazon MQ


Amazon MQ defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Columns: Condition keys; Description; Type. Fields with no value are omitted.

aws:RequestTag/${TagKey}. Type: String.
aws:ResourceTag/${TagKey}. Type: String.
aws:TagKeys. Type: String.

Actions, resources, and condition keys for Amazon Neptune

Amazon Neptune (service prefix: neptune-db) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Neptune (p. 1127)
• Resource types defined by Amazon Neptune (p. 1128)
• Condition keys for Amazon Neptune (p. 1128)

Actions defined by Amazon Neptune


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Columns: Actions; Description; Access level; Resource types (*required); Condition keys; Dependent actions. Fields with no value are omitted.

connect: Connect to database. Access level: Write. Resource types: database* (p. 1128).


Resource types defined by Amazon Neptune


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1127) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Columns: Resource types; ARN; Condition keys. Fields with no value are omitted.

database: arn:${Partition}:neptune-db:${Region}:${Account}:${RelativeId}/database

Condition keys for Amazon Neptune


Neptune has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Network Firewall

AWS Network Firewall (service prefix: network-firewall) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Network Firewall (p. 1128)
• Resource types defined by AWS Network Firewall (p. 1132)
• Condition keys for AWS Network Firewall (p. 1133)

Actions defined by AWS Network Firewall


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Columns: Actions; Description; Access level; Resource types (*required); Condition keys; Dependent actions. Fields with no value are omitted.

AssociateFirewallPolicy: Grants permission to create an association between a firewall policy and a firewall. Access level: Write. Resource types: Firewall* (p. 1133), FirewallPolicy* (p. 1133).
AssociateSubnets: Grants permission to associate VPC subnets to a firewall. Access level: Write. Resource types: Firewall* (p. 1133).
CreateFirewall: Grants permission to create an AWS Network Firewall firewall. Access level: Write. Resource types: Firewall* (p. 1133), FirewallPolicy* (p. 1133). Condition keys: aws:RequestTag/${TagKey} (p. 1133), aws:TagKeys (p. 1133). Dependent actions: iam:CreateServiceLinkedR.
CreateFirewallPolicy: Grants permission to create an AWS Network Firewall firewall policy. Access level: Write. Resource types: FirewallPolicy* (p. 1133), StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133). Condition keys: aws:RequestTag/${TagKey} (p. 1133), aws:TagKeys (p. 1133).
CreateRuleGroup: Grants permission to create an AWS Network Firewall rule group. Access level: Write. Resource types: StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133). Condition keys: aws:RequestTag/${TagKey} (p. 1133), aws:TagKeys (p. 1133).
DeleteFirewall: Grants permission to delete a firewall. Access level: Write. Resource types: Firewall* (p. 1133).
DeleteFirewallPolicy: Grants permission to delete a firewall policy. Access level: Write. Resource types: FirewallPolicy* (p. 1133).
DeleteResourcePolicy: Grants permission to delete a resource policy for a firewall policy or rule group. Access level: Write. Resource types: FirewallPolicy (p. 1133), StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133).
DeleteRuleGroup: Grants permission to delete a rule group. Access level: Write. Resource types: StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133).
DescribeFirewall: Grants permission to retrieve the data objects that define a firewall. Access level: Read. Resource types: Firewall* (p. 1133).
DescribeFirewallPolicy: Grants permission to retrieve the data objects that define a firewall policy. Access level: Read. Resource types: FirewallPolicy* (p. 1133), StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133).
DescribeLoggingConfiguration: Grants permission to describe the logging configuration of a firewall. Access level: Read. Resource types: Firewall* (p. 1133).
DescribeResourcePolicy: Grants permission to describe a resource policy for a firewall policy or rule group. Access level: Read. Resource types: FirewallPolicy (p. 1133), StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133).
DescribeRuleGroup: Grants permission to retrieve the data objects that define a rule group. Access level: Read. Resource types: StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133).
DisassociateSubnets: Grants permission to disassociate VPC subnets from a firewall. Access level: Write. Resource types: Firewall* (p. 1133).
ListFirewallPolicies: Grants permission to retrieve the metadata for firewall policies. Access level: List. Resource types: FirewallPolicy* (p. 1133).
ListFirewalls: Grants permission to retrieve the metadata for firewalls. Access level: List. Resource types: Firewall* (p. 1133).
ListRuleGroups: Grants permission to retrieve the metadata for rule groups. Access level: List.
ListTagsForResource: Grants permission to retrieve the tags for a resource. Access level: List. Resource types: Firewall* (p. 1133), FirewallPolicy* (p. 1133), StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133).
PutResourcePolicy: Grants permission to put a resource policy for a firewall policy or rule group. Access level: Write. Resource types: FirewallPolicy (p. 1133), StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133).
TagResource: Grants permission to attach tags to a resource. Access level: Tagging. Resource types: Firewall* (p. 1133), FirewallPolicy* (p. 1133), StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133). Condition keys: aws:RequestTag/${TagKey} (p. 1133), aws:TagKeys (p. 1133).
UntagResource: Grants permission to remove tags from a resource. Access level: Tagging. Resource types: Firewall* (p. 1133), FirewallPolicy* (p. 1133), StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133). Condition keys: aws:TagKeys (p. 1133).
UpdateFirewallDeleteProtection: Grants permission to add or remove delete protection for a firewall. Access level: Write. Resource types: Firewall* (p. 1133).
UpdateFirewallDescription: Grants permission to modify the description for a firewall. Access level: Write. Resource types: Firewall* (p. 1133).
UpdateFirewallPolicy: Grants permission to modify a firewall policy. Access level: Write. Resource types: FirewallPolicy* (p. 1133), StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133).
UpdateFirewallPolicyChangeProtection: Grants permission to add or remove firewall policy change protection for a firewall. Access level: Write. Resource types: Firewall* (p. 1133).
UpdateLoggingConfiguration: Grants permission to modify the logging configuration of a firewall. Access level: Write. Resource types: Firewall* (p. 1133).
UpdateRuleGroup: Grants permission to modify a rule group. Access level: Write. Resource types: StatefulRuleGroup (p. 1133), StatelessRuleGroup (p. 1133).
UpdateSubnetChangeProtection: Grants permission to add or remove subnet change protection for a firewall. Access level: Write. Resource types: Firewall* (p. 1133).

Resource types defined by AWS Network Firewall


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1128) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).


Columns: Resource types; ARN; Condition keys. Fields with no value are omitted.

Firewall: arn:${Partition}:network-firewall:${Region}:${Account}:firewall/${Name}. Condition keys: aws:ResourceTag/${TagKey} (p. 1133).
FirewallPolicy: arn:${Partition}:network-firewall:${Region}:${Account}:firewall-policy/${Name}. Condition keys: aws:ResourceTag/${TagKey} (p. 1133).
StatefulRuleGroup: arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}. Condition keys: aws:ResourceTag/${TagKey} (p. 1133).
StatelessRuleGroup: arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}. Condition keys: aws:ResourceTag/${TagKey} (p. 1133).

Condition keys for AWS Network Firewall


AWS Network Firewall defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Columns: Condition keys; Description; Type.

aws:RequestTag/${TagKey}: Filters actions based on the allowed set of values for each of the tags. Type: String.
aws:ResourceTag/${TagKey}: Filters actions based on the tag value associated with the resource. Type: String.
aws:TagKeys: Filters actions based on the presence of mandatory tags in the request. Type: String.

Actions, resources, and condition keys for Network Manager

Network Manager (service prefix: networkmanager) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Network Manager (p. 1134)
• Resource types defined by Network Manager (p. 1140)
• Condition keys for Network Manager (p. 1140)


Actions defined by Network Manager


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateCustomerGateway | Grants permission to associate a customer gateway to a device | Write | device*, global-network*, link | networkmanager:cgwArn |
AssociateLink | Grants permission to associate a link to a device | Write | device*, global-network*, link* | |
AssociateTransitGatewayConnectPeer | Grants permission to associate a transit gateway connect peer to a device | Write | device*, global-network*, link | networkmanager:tgwConnectPeerArn |
CreateConnection | Grants permission to create a new connection | Write | global-network* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateDevice | Grants permission to create a new device | Write | global-network* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateGlobalNetwork | Grants permission to create a new global network | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | iam:CreateServiceLinkedRole
CreateLink | Grants permission to create a new link | Write | global-network*, site | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateSite | Grants permission to create a new site | Write | global-network* | aws:RequestTag/${TagKey}, aws:TagKeys |
DeleteConnection | Grants permission to delete a connection | Write | connection*, global-network* | |
DeleteDevice | Grants permission to delete a device | Write | device*, global-network* | |
DeleteGlobalNetwork | Grants permission to delete a global network | Write | global-network* | |
DeleteLink | Grants permission to delete a link | Write | global-network*, link* | |
DeleteSite | Grants permission to delete a site | Write | global-network*, site* | |
DeregisterTransitGateway | Grants permission to deregister a transit gateway from a global network | Write | global-network* | networkmanager:tgwArn |
DescribeGlobalNetworks | Grants permission to describe global networks | List | global-network | |
DisassociateCustomerGateway | Grants permission to disassociate a customer gateway from a device | Write | global-network* | networkmanager:cgwArn |
DisassociateLink | Grants permission to disassociate a link from a device | Write | device*, global-network*, link* | |
DisassociateTransitGatewayConnectPeer | Grants permission to disassociate a transit gateway connect peer from a device | Write | global-network* | networkmanager:tgwConnectPeerArn |
GetConnections | Grants permission to describe connections | List | global-network*, connection | |
GetCustomerGatewayAssociations | Grants permission to describe customer gateway associations | List | global-network* | |
GetDevices | Grants permission to describe devices | List | global-network*, device | |
GetLinkAssociations | Grants permission to describe link associations | List | global-network*, device, link | |
GetLinks | Grants permission to describe links | List | global-network*, link | |
GetSites | Grants permission to describe sites | List | global-network*, site | |
GetTransitGatewayConnectPeerAssociations | Grants permission to describe transit gateway connect peer associations | List | global-network* | |
GetTransitGatewayRegistrations | Grants permission to describe transit gateway registrations | List | global-network* | |
ListTagsForResource | Grants permission to list tags for a Network Manager resource | Read | connection, device, global-network, link, site | aws:ResourceTag/${TagKey} |
RegisterTransitGateway | Grants permission to register a transit gateway to a global network | Write | global-network* | networkmanager:tgwArn |
TagResource | Grants permission to tag a Network Manager resource | Tagging | connection, device, global-network, link, site | aws:TagKeys, aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey} |
UntagResource | Grants permission to untag a Network Manager resource | Tagging | connection, device, global-network, link, site | aws:TagKeys |
UpdateConnection | Grants permission to update a connection | Write | connection*, global-network* | |
UpdateDevice | Grants permission to update a device | Write | device*, global-network* | |
UpdateGlobalNetwork | Grants permission to update a global network | Write | global-network* | |
UpdateLink | Grants permission to update a link | Write | global-network*, link* | |
UpdateSite | Grants permission to update a site | Write | global-network*, site* | |

Resource types defined by Network Manager

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1134) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
global-network | arn:${Partition}:networkmanager::${Account}:global-network/${ResourceId} | aws:ResourceTag/${TagKey}
site | arn:${Partition}:networkmanager::${Account}:site/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey}
link | arn:${Partition}:networkmanager::${Account}:link/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey}
device | arn:${Partition}:networkmanager::${Account}:device/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey}
connection | arn:${Partition}:networkmanager::${Account}:connection/${GlobalNetworkId}/${ResourceId} | aws:ResourceTag/${TagKey}
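
The required-resource rule in the actions table is easy to get wrong: a statement that names only the link ARN for DeleteLink never works, because the request also carries the global-network ARN (starred for that action), and an action with no resource type at all, such as CreateGlobalNetwork, is only granted by Resource "*". The following Python check is an added example, not AWS code; it encodes the ARN formats from the table above and the starred resource types of a subset of the actions table, and reports statements that cannot grant what they appear to grant. The sample policy, the account ID 111122223333 and the resource IDs are constructed placeholders.

```python
"""Resource-scoping check for Network Manager IAM statements.

Added example, not AWS code. The ARN formats and the starred (required)
resource types are copied from the two Network Manager tables on this page;
the sample policy, account ID and resource IDs are constructed placeholders.
"""
import fnmatch
import re

# ARN formats from the resource types table, as glob patterns.
ARN_PATTERNS = {
    "global-network": "arn:*:networkmanager::*:global-network/*",
    "site": "arn:*:networkmanager::*:site/*/*",
    "link": "arn:*:networkmanager::*:link/*/*",
    "device": "arn:*:networkmanager::*:device/*/*",
    "connection": "arn:*:networkmanager::*:connection/*/*",
}

# Starred resource types per action (subset of the actions table).
# None: the action supports no resource type, so only Resource "*" grants it.
# Empty set: resource types exist but all of them are optional.
REQUIRED_TYPES = {
    "networkmanager:CreateGlobalNetwork": None,
    "networkmanager:DescribeGlobalNetworks": set(),
    "networkmanager:CreateDevice": {"global-network"},
    "networkmanager:CreateLink": {"global-network"},
    "networkmanager:AssociateLink": {"device", "global-network", "link"},
    "networkmanager:DisassociateLink": {"device", "global-network", "link"},
    "networkmanager:DeleteDevice": {"device", "global-network"},
    "networkmanager:DeleteLink": {"global-network", "link"},
    "networkmanager:RegisterTransitGateway": {"global-network"},
    "networkmanager:DeregisterTransitGateway": {"global-network"},
    "networkmanager:GetDevices": {"global-network"},
}

# Pulls the resource-type segment (or a wildcard over it) out of a Resource entry.
_TYPE_SEGMENT = re.compile(r"^arn:[^:]*:networkmanager:[^:]*:[^:]*:([^/:]+)(?:/|$)")


def _listify(value):
    return value if isinstance(value, list) else [value]


def types_covered(resource):
    """Resource types that a Resource entry (possibly with wildcards) can match."""
    if resource == "*":
        return set(ARN_PATTERNS)
    match = _TYPE_SEGMENT.match(resource)
    if not match:
        return set()
    return {t for t in ARN_PATTERNS if fnmatch.fnmatchcase(t, match.group(1))}


def allow_resources(policy, action):
    """Resource entries of every Allow statement whose Action covers `action`."""
    resources = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
            resources.extend(_listify(stmt["Resource"]))
    return resources


def check_policy(policy):
    """One finding per granted action whose Resource scoping can never match."""
    findings = []
    for action, required in REQUIRED_TYPES.items():
        resources = allow_resources(policy, action)
        if not resources:
            continue  # the policy does not grant this action
        if required is None:
            if "*" not in resources:
                findings.append(f'{action}: supports no resource type; only Resource "*" grants it')
            continue
        covered = set().union(*(types_covered(r) for r in resources))
        missing = sorted(required - covered)
        if missing:
            findings.append(f"{action}: no Resource entry can match required type(s) {missing}")
    return findings


# Constructed sample policy (placeholder account and resource IDs).
GLOBAL_NETWORK = "arn:aws:networkmanager::111122223333:global-network/global-network-0123456789abcdef0"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Correct: both actions require only the global-network ARN.
            "Effect": "Allow",
            "Action": ["networkmanager:RegisterTransitGateway", "networkmanager:GetDevices"],
            "Resource": GLOBAL_NETWORK,
        },
        {   # Broken: DeleteLink requests also carry the global-network ARN.
            "Effect": "Allow",
            "Action": "networkmanager:DeleteLink",
            "Resource": "arn:aws:networkmanager::111122223333:link/global-network-0123456789abcdef0/*",
        },
        {   # Broken: CreateGlobalNetwork has no resource type to scope on.
            "Effect": "Allow",
            "Action": "networkmanager:CreateGlobalNetwork",
            "Resource": GLOBAL_NETWORK,
        },
    ],
}

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print(finding)
```

Running the script reports the second and third statements. The fix for DeleteLink is to list both the link ARN and the global-network ARN in the same statement; the fix for CreateGlobalNetwork is a separate statement with Resource "*", scoped by aws:RequestTag and aws:TagKeys conditions instead of an ARN.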

Condition keys for Network Manager

Network Manager defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String
networkmanager:cgwArn | Controls which customer gateways can be associated or disassociated | String
networkmanager:tgwArn | Controls which transit gateways can be registered or deregistered | String
networkmanager:tgwConnectPeerArn | Controls which connect peers can be associated or disassociated | String
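
To see how these keys behave during evaluation, the following Python script, an added example that is not AWS code and not a complete IAM engine, models the part of policy evaluation that matters here: Allow/Deny, wildcard Action and Resource matching, the String and Arn operators (ArnEquals is treated as an exact match) and the ForAllValues/ForAnyValue set qualifiers. It runs a constructed policy that pins networkmanager:tgwArn on RegisterTransitGateway to one transit gateway and requires an env tag on CreateDevice; the global tag keys work the same way for the AWS Network Firewall keys listed earlier. The account ID, global network ID and transit gateway ID are placeholders.

```python
"""Small model of IAM Condition evaluation for the keys in the tables above.

Added example, not AWS code and not a complete IAM engine: it covers
Allow/Deny, wildcard Action and Resource matching, the String*/Arn* operators
(ArnEquals is treated as an exact match) and the ForAllValues/ForAnyValue set
qualifiers. The sample policy, account ID and resource IDs are constructed.
"""
import fnmatch


def _listify(value):
    return value if isinstance(value, list) else [value]


def _apply(op, actual, allowed):
    """One condition operator applied to one request value."""
    if op in ("StringEquals", "ArnEquals"):
        return actual in allowed
    if op in ("StringNotEquals", "ArnNotEquals"):
        return actual not in allowed
    if op in ("StringLike", "ArnLike"):
        return any(fnmatch.fnmatchcase(actual, pattern) for pattern in allowed)
    raise ValueError(f"operator not modelled: {op}")


def condition_matches(condition, context):
    """AND across operators and keys, OR across the values listed for a key."""
    for qualified_op, keys in condition.items():
        qualifier, _, op = qualified_op.rpartition(":")
        for key, allowed in keys.items():
            allowed = _listify(allowed)
            values = [] if context.get(key) is None else _listify(context[key])
            if qualifier == "ForAllValues":
                # True when every request value matches, and also when the key
                # is absent from the request: on its own it requires nothing.
                ok = all(_apply(op, v, allowed) for v in values)
            elif qualifier == "ForAnyValue":
                ok = any(_apply(op, v, allowed) for v in values)
            else:
                # Single-valued key; a key missing from the request never matches.
                ok = len(values) == 1 and _apply(op, values[0], allowed)
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """Explicit Deny wins; Allow if any statement matches; otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(request["action"], a) for a in _listify(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(request["resource"], r) for r in _listify(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), request["context"]):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request(action, resource, context):
    """Request as IAM would see it; multi-valued keys (aws:TagKeys) are lists."""
    return {"action": action, "resource": resource, "context": context}


# Constructed sample values (placeholder account, global network and TGW IDs).
GLOBAL_NETWORK = "arn:aws:networkmanager::111122223333:global-network/global-network-0123456789abcdef0"
TGW = "arn:aws:ec2:us-east-1:111122223333:transit-gateway/tgw-0123456789abcdef0"

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Only this one transit gateway may be registered or deregistered.
            "Effect": "Allow",
            "Action": ["networkmanager:RegisterTransitGateway",
                       "networkmanager:DeregisterTransitGateway"],
            "Resource": GLOBAL_NETWORK,
            "Condition": {"ArnEquals": {"networkmanager:tgwArn": TGW}},
        },
        {   # New devices must carry env=prod|staging and no keys beyond env/owner.
            "Effect": "Allow",
            "Action": "networkmanager:CreateDevice",
            "Resource": "arn:aws:networkmanager::111122223333:global-network/*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/env": ["prod", "staging"]},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["env", "owner"]},
            },
        },
    ],
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, request("networkmanager:RegisterTransitGateway",
                                          GLOBAL_NETWORK, {"networkmanager:tgwArn": TGW})))
```

The point worth checking in your own policies is the ForAllValues caveat the comments mark: ForAllValues:StringEquals on aws:TagKeys alone evaluates to true for a request that carries no tags, so a tag is only mandatory when it is paired with StringEquals on aws:RequestTag/<key>, as the CreateDevice statement does.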

Actions, resources, and condition keys for AWS OpsWorks

AWS OpsWorks (service prefix: opsworks) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS OpsWorks (p. 1141)
• Resource types defined by AWS OpsWorks (p. 1146)
• Condition keys for AWS OpsWorks (p. 1146)

Actions defined by AWS OpsWorks

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).


Action | Description | Access level | Resource types (*required)
AssignInstance | Assign a registered instance to a layer | Write | stack
AssignVolume | Assigns one of the stack's registered Amazon EBS volumes to a specified instance | Write | stack
AssociateElasticIp | Associates one of the stack's registered Elastic IP addresses with a specified instance | Write | stack
AttachElasticLoadBalancer | Attaches an Elastic Load Balancing load balancer to a specified layer | Write | stack
CloneStack | Creates a clone of a specified stack | Write | stack
CreateApp | Creates an app for a specified stack | Write | stack
CreateDeployment | Runs deployment or stack commands | Write | stack
CreateInstance | Creates an instance in a specified stack | Write | stack
CreateLayer | Creates a layer | Write | stack
CreateStack | Creates a new stack | Write |
CreateUserProfile | Creates a new user profile | Write |
DeleteApp | Deletes a specified app | Write | stack
DeleteInstance | Deletes a specified instance, which terminates the associated Amazon EC2 instance | Write | stack
DeleteLayer | Deletes a specified layer | Write | stack
DeleteStack | Deletes a specified stack | Write | stack
DeleteUserProfile | Deletes a user profile | Write |
DeregisterEcsCluster | Deregisters a specified Amazon ECS cluster from a stack | Write | stack
DeregisterElasticIp | Deregisters a specified Elastic IP address | Write | stack
DeregisterInstance | Deregister a registered Amazon EC2 or on-premises instance | Write | stack
DeregisterRdsDbInstance | Deregisters an Amazon RDS instance | Write | stack
DeregisterVolume | Deregisters an Amazon EBS volume | Write | stack
DescribeAgentVersions | Describes the available AWS OpsWorks agent versions | List | stack
DescribeApps | Requests a description of a specified set of apps | List | stack
DescribeCommands | Describes the results of specified commands | List | stack
DescribeDeployments | Requests a description of a specified set of deployments | List | stack
DescribeEcsClusters | Describes Amazon ECS clusters that are registered with a stack | List | stack
DescribeElasticIps | Describes Elastic IP addresses | List | stack
DescribeElasticLoadBalancers | Describes a stack's Elastic Load Balancing instances | List | stack
DescribeInstances | Requests a description of a set of instances | List | stack
DescribeLayers | Requests a description of one or more layers in a specified stack | List | stack
DescribeLoadBasedAutoScaling | Describes load-based auto scaling configurations for specified layers | List | stack
DescribeMyUserProfile | Describes a user's SSH information | List |
DescribePermissions | Describes the permissions for a specified stack | List | stack
DescribeRaidArrays | Describe an instance's RAID arrays | List | stack
DescribeRdsDbInstances | Describes Amazon RDS instances | List | stack
DescribeServiceErrors | Describes AWS OpsWorks service errors | List | stack
DescribeStackProvisioningParameters | Requests a description of a stack's provisioning parameters | List | stack
DescribeStackSummary | Describes the number of layers and apps in a specified stack, and the number of instances in each state, such as running_setup or online | List | stack
DescribeStacks | Requests a description of one or more stacks | List | stack
DescribeTimeBasedAutoScaling | Describes time-based auto scaling configurations for specified instances | List | stack
DescribeUserProfiles | Describe specified users | List |
DescribeVolumes | Describes an instance's Amazon EBS volumes | List | stack
DetachElasticLoadBalancer | Detaches a specified Elastic Load Balancing instance from its layer | Write | stack
DisassociateElasticIp | Disassociates an Elastic IP address from its instance | Write | stack
GetHostnameSuggestion | Gets a generated host name for the specified layer, based on the current host name theme | Read | stack
GrantAccess | Grants RDP access to a Windows instance for a specified time period | Write | stack
ListTags | Returns a list of tags that are applied to the specified stack or layer | List | stack
RebootInstance | Reboots a specified instance | Write | stack
RegisterEcsCluster | Registers a specified Amazon ECS cluster with a stack | Write | stack
RegisterElasticIp | Registers an Elastic IP address with a specified stack | Write | stack
RegisterInstance | Registers instances with a specified stack that were created outside of AWS OpsWorks | Write | stack
RegisterRdsDbInstance | Registers an Amazon RDS instance with a stack | Write | stack
RegisterVolume | Registers an Amazon EBS volume with a specified stack | Write | stack
SetLoadBasedAutoScaling | Specify the load-based auto scaling configuration for a specified layer | Write | stack
SetPermission | Specifies a user's permissions | Permissions management | stack
SetTimeBasedAutoScaling | Specify the time-based auto scaling configuration for a specified instance | Write | stack
StartInstance | Starts a specified instance | Write | stack
StartStack | Starts a stack's instances | Write | stack
StopInstance | Stops a specified instance | Write | stack
StopStack | Stops a specified stack | Write | stack
TagResource | Apply tags to a specified stack or layer | Write | stack
UnassignInstance | Unassigns a registered instance from all of its layers | Write | stack
UnassignVolume | Unassigns an assigned Amazon EBS volume | Write | stack
UntagResource | Removes tags from a specified stack or layer | Write | stack
UpdateApp | Updates a specified app | Write | stack
UpdateElasticIp | Updates a registered Elastic IP address's name | Write | stack
UpdateInstance | Updates a specified instance | Write | stack
UpdateLayer | Updates a specified layer | Write | stack
UpdateMyUserProfile | Updates a user's SSH public key | Write |
UpdateRdsDbInstance | Updates an Amazon RDS instance | Write | stack
UpdateStack | Updates a specified stack | Write | stack
UpdateUserProfile | Updates a specified user profile | Permissions management |
UpdateVolume | Updates an Amazon EBS volume's name or mount point | Write | stack

No action in this table has condition keys or dependent actions. Actions with an empty Resource types
column (CreateStack, the user-profile actions) must be granted on Resource "*".

Resource types defined by AWS OpsWorks

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1141) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource type | ARN | Condition keys
stack | arn:${Partition}:opsworks:${Region}:${Account}:stack/${StackId}/ |

Condition keys for AWS OpsWorks

OpsWorks has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS OpsWorks Configuration Management

AWS OpsWorks Configuration Management (service prefix: opsworks-cm) provides the following
service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS OpsWorks Configuration Management (p. 1147)
• Resource types defined by AWS OpsWorks Configuration Management (p. 1148)
• Condition keys for AWS OpsWorks Configuration Management (p. 1148)

Actions defined by AWS OpsWorks Configuration Management

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level
AssociateNode | Associate a node to a configuration management server. | Write
CreateBackup | Create a backup for the specified server. | Write
CreateServer | Create a new server. | Write
DeleteBackup | Delete the specified backup and possibly its S3 bucket. | Write
DeleteServer | Deletes the specified server with its corresponding CloudFormation stack and possibly the S3 bucket. | Write
DescribeAccountAttributes | Describe the service limits for the user's account. | List
DescribeBackups | Describe a single backup, all backups of a specified server, or all backups of the user's account. | List
DescribeEvents | Describe all events of the specified server. | List
DescribeNodeAssociationStatus | Describe the association status for the specified node token and the specified server. | List
DescribeServers | Describes the specified server or all servers of the user's account. | List
DisassociateNode | Disassociates a specified node from a server. | Write
ListTagsForResource | List the tags that are applied to the specified server or backup. | List
RestoreServer | Applies a backup to the specified server. Possibly swaps out the EC2 instance if specified. | Write
StartMaintenance | Start the server maintenance immediately. | Write
TagResource | Applies tags to the specified server or backup. | Tagging
UntagResource | Removes tags from the specified server or backup. | Tagging
UpdateServer | Update general server settings. | Write
UpdateServerEngineAttributes | Update server settings specific to the configuration management type. | Write

No action in this table supports resource types, condition keys, or dependent actions.

Resource types defined by AWS OpsWorks Configuration Management

AWS OpsWorks Configuration Management does not support specifying a resource ARN in the
Resource element of an IAM policy statement. To allow access to AWS OpsWorks Configuration
Management, specify "Resource": "*" in your policy. A statement that pairs an opsworks-cm action with
a specific ARN never matches a request, so it grants nothing.

Condition keys for AWS OpsWorks Configuration Management

AWS OpsWorks Configuration Management has no service-specific context keys that can be used in the
Condition element of policy statements. For the list of the global context keys that are available to all
services, see Available keys for conditions.

Actions, resources, and condition keys for AWS Organizations

AWS Organizations (service prefix: organizations) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Organizations (p. 1149)
• Resource types defined by AWS Organizations (p. 1155)
• Condition keys for AWS Organizations (p. 1156)

Actions defined by AWS Organizations

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys
AcceptHandshake | Grants permission to send a response to the originator of a handshake agreeing to the action proposed by the handshake request. | Write | handshake* |
AttachPolicy | Grants permission to attach a policy to a root, an organizational unit, or an individual account. | Write | policy*, account, organizationalunit, root | organizations:PolicyType
CancelHandshake | Grants permission to cancel a handshake. | Write | handshake* |
CreateAccount | Grants permission to create an AWS account that is automatically a member of the organization with the credentials that made the request. | Write | | aws:RequestTag/${TagKey}, aws:TagKeys
CreateGovCloudAccount | Grants permission to create an AWS GovCloud (US) account. | Write | | aws:RequestTag/${TagKey}, aws:TagKeys
CreateOrganization | Grants permission to create an organization. The account with the credentials that calls the CreateOrganization operation automatically becomes the master account of the new organization. | Write | |
CreateOrganizationalUnit | Grants permission to create an organizational unit (OU) within a root or parent OU. | Write | organizationalunit, root | aws:RequestTag/${TagKey}, aws:TagKeys
CreatePolicy | Grants permission to create a policy that you can attach to a root, an organizational unit (OU), or an individual AWS account. | Write | | organizations:PolicyType, aws:RequestTag/${TagKey}, aws:TagKeys
DeclineHandshake | Grants permission to decline a handshake request. This sets the handshake state to DECLINED and effectively deactivates the request. | Write | handshake* |
DeleteOrganization | Grants permission to delete the organization. | Write | |
DeleteOrganizationalUnit | Grants permission to delete an organizational unit from a root or another OU. | Write | organizationalunit* |
DeletePolicy | Grants permission to delete a policy from your organization. | Write | policy* | organizations:PolicyType
DeregisterDelegatedAdministrator | Grants permission to deregister the specified member AWS account as a delegated administrator for the AWS service that is specified by ServicePrincipal. | Write | account* | organizations:ServicePrincipal
DescribeAccount | Grants permission to retrieve Organizations-related details about the specified account. | Read | account* |
DescribeCreateAccountStatus | Grants permission to retrieve the current status of an asynchronous request to create an account. | Read | |
DescribeEffectivePolicy | Grants permission to retrieve the effective policy for an account. | Read | account* | organizations:PolicyType
DescribeHandshake | Grants permission to retrieve details about a previously requested handshake. | Read | handshake* |
DescribeOrganization | Grants permission to retrieve details about the organization that the calling credentials belong to. | Read | |
DescribeOrganizationalUnit | Grants permission to retrieve details about an organizational unit (OU). | Read | organizationalunit* |
DescribePolicy | Grants permission to retrieve details about a policy. | Read | policy* | organizations:PolicyType
DetachPolicy | Grants permission to detach a policy from a target root, organizational unit, or account. | Write | policy*, account, organizationalunit, root | organizations:PolicyType
DisableAWSServiceAccess | Grants permission to disable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations. | Write | | organizations:ServicePrincipal
DisablePolicyType | Grants permission to disable an organization policy type in a root. | Write | root* | organizations:PolicyType
EnableAWSServiceAccess | Grants permission to enable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations. | Write | | organizations:ServicePrincipal
EnableAllFeatures | Grants permission to start the process to enable all features in an organization, upgrading it from supporting only Consolidated Billing features. | Write | |
EnablePolicyType | Grants permission to enable a policy type in a root. | Write | root* | organizations:PolicyType
InviteAccountToOrganization | Grants permission to send an invitation to another AWS account, asking it to join your organization as a member account. | Write | account | aws:RequestTag/${TagKey}, aws:TagKeys
LeaveOrganization | Grants permission to remove a member account from its parent organization. | Write | |
ListAWSServiceAccessForOrganization | Grants permission to retrieve the list of the AWS services for which you enabled integration with your organization. | List | |
ListAccounts | Grants permission to list all of the accounts in the organization. | List | |
ListAccountsForParent | Grants permission to list the accounts in an organization that are contained by a root or organizational unit (OU). | List | organizationalunit, root |
ListChildren | Grants permission to list all of the OUs or accounts that are contained in a parent OU or root. | List | organizationalunit, root |
ListCreateAccountStatus | Grants permission to list the asynchronous account creation requests that are currently being tracked for the organization. | List | |
ListDelegatedAdministrators | Grants permission to list the AWS accounts that are designated as delegated administrators in this organization. | List | | organizations:ServicePrincipal
ListDelegatedServicesForAccount | Grants permission to list the AWS services for which the specified account is a delegated administrator in this organization. | List | account* |
ListHandshakesForAccount | Grants permission to list all of the handshakes that are associated with an account. | List | |
ListHandshakesForOrganization | Grants permission to list the handshakes that are associated with the organization. | List | |
ListOrganizationalUnitsForParent | Grants permission to list all of the organizational units (OUs) in a parent organizational unit or root. | List | organizationalunit, root |
ListParents | Grants permission to list the root or organizational units (OUs) that serve as the immediate parent of a child OU or account. | List | account, organizationalunit |
ListPolicies | Grants permission to list all of | List | | organizations:PolicyType


 
the policies in an organization. (p. 1156)

1153
Service Authorization Reference
Service Authorization Reference
AWS Organizations

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to list List account    


ListPoliciesForTarget
all of the policies that are (p. 1156)
directly attached to a root,
organizational unit (OU), or organizationalunit
   
account. (p. 1156)

root    
(p. 1156)

  organizations:PolicyType
 
(p. 1156)

ListRoots Grants permission to list all of List      


the roots that are defined in the
organization.

Grants permission to list all tags List account    


ListTagsForResource
for the specified resource. (p. 1156)

organizationalunit
   
(p. 1156)

policy    
(p. 1156)

root    
(p. 1156)

Grants permission to list all the List policy*    


ListTargetsForPolicy
roots, OUs, and accounts to (p. 1156)
which a policy is attached.
  organizations:PolicyType
 
(p. 1156)

MoveAccount Grants permission to move an Write account*    


account from its current root or (p. 1156)
OU to another parent root or
OU. organizationalunit
   
(p. 1156)

root    
(p. 1156)

Grants permission to register Write account*    


RegisterDelegatedAdministrator
the specified member account (p. 1156)
to administer the Organizations
features of the AWS service that   organizations:ServicePrincipal
 
is specified by ServicePrincipal. (p. 1156)

Grants permission to removes Write account*    


RemoveAccountFromOrganization
the specified account from the (p. 1156)
organization.

TagResource Grants permission to add one Tagging account    


or more tags to the specified (p. 1156)
resource.

1154
Service Authorization Reference
Service Authorization Reference
AWS Organizations

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

organizationalunit
   
(p. 1156)

policy    
(p. 1156)

root    
(p. 1156)

  aws:TagKeys  
(p. 1156)

aws:RequestTag/
${TagKey}
(p. 1156)

Grants permission to remove Tagging account    


UntagResource one or more tags from the (p. 1156)
specified resource.
organizationalunit
   
(p. 1156)

policy    
(p. 1156)

root    
(p. 1156)

  aws:TagKeys  
(p. 1156)

Grants permission to rename an Write organizationalunit*


   
UpdateOrganizationalUnit
organizational unit (OU). (p. 1156)

UpdatePolicy Grants permission to update an Write policy*    


existing policy with a new name, (p. 1156)
description, or content.
  organizations:PolicyType
 
(p. 1156)

Resource types defined by AWS Organizations


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1149) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
account | arn:${Partition}:organizations::${MasterAccountId}:account/o-${OrganizationId}/${AccountId} | aws:ResourceTag/${TagKey} (p. 1156)
handshake | arn:${Partition}:organizations::${MasterAccountId}:handshake/o-${OrganizationId}/${HandshakeType}/h-${HandshakeId} |
organization | arn:${Partition}:organizations::${MasterAccountId}:organization/o-${OrganizationId} |
organizationalunit | arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId} | aws:ResourceTag/${TagKey} (p. 1156)
policy | arn:${Partition}:organizations::${MasterAccountId}:policy/o-${OrganizationId}/${PolicyType}/p-${PolicyId} | aws:ResourceTag/${TagKey} (p. 1156)
awspolicy | arn:${Partition}:organizations::aws:policy/${PolicyType}/p-${PolicyId} |
root | arn:${Partition}:organizations::${MasterAccountId}:root/o-${OrganizationId}/r-${RootId} | aws:ResourceTag/${TagKey} (p. 1156)

Condition keys for AWS Organizations


AWS Organizations defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
organizations:PolicyType | Enables you to filter the request to only the specified policy type names. | String
organizations:ServicePrincipal | Enables you to filter the request to only the specified service principal names. | String
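The three AWS Organizations tables above (actions with their resource types and condition keys, the ARN format of each resource type, and the condition keys) can be checked mechanically before a policy is deployed. The following Python is an added example, not AWS code: it lints one IAM policy statement against a constructed subset of those tables and flags an action that supports no resource types but is paired with a specific ARN (the reference says Resource must then be "*"), an ARN that is not of a type the action supports, a required resource type with no matching ARN, and a service or tag condition key that the action's row does not list. The ACTIONS subset and ARN_TEMPLATES are copied from the tables; the lint rules, the matches_template helper and the sample statements are this example's own and go beyond the page's row-by-row description by checking a whole statement at once.

```python
import re

# Constructed subset of the Actions table above: action -> ({resource type: required?}, {condition keys}).
ACTIONS = {
    "DescribePolicy": ({"policy": True}, {"organizations:PolicyType"}),
    "DetachPolicy": ({"policy": True, "account": False, "organizationalunit": False,
                      "root": False}, {"organizations:PolicyType"}),
    "ListPolicies": ({}, {"organizations:PolicyType"}),
    "ListRoots": ({}, set()),
    "TagResource": ({"account": False, "organizationalunit": False, "policy": False,
                     "root": False}, {"aws:TagKeys", "aws:RequestTag/${TagKey}"}),
}
# ARN formats from the "Resource types defined by AWS Organizations" table above.
ARN_TEMPLATES = {
    "account": "arn:${Partition}:organizations::${MasterAccountId}:account/o-${OrganizationId}/${AccountId}",
    "organizationalunit": "arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}",
    "policy": "arn:${Partition}:organizations::${MasterAccountId}:policy/o-${OrganizationId}/${PolicyType}/p-${PolicyId}",
    "root": "arn:${Partition}:organizations::${MasterAccountId}:root/o-${OrganizationId}/r-${RootId}",
}
# Only these key families are checked against the Condition keys column; other aws: global keys apply to every action.
CHECKED_PREFIXES = ("organizations:", "aws:RequestTag/", "aws:TagKeys")
_as_list = lambda v: v if isinstance(v, list) else [v]


def _tokens(template):
    """Split a template into ${Placeholder} tokens and single literal characters."""
    out = []
    for part in re.split(r"(\$\{[^}]+\})", template):
        out.extend([part] if part.startswith("${") else part)
    return out


def matches_template(template, value):
    """True if `value` (an ARN or condition key, '*' allowed) can be an instance of
    `template`; a placeholder stands for a non-empty run without ':' or '/'."""
    toks = _tokens(template)

    def walk(ti, vi):
        if ti == len(toks):                        # template used up: only '*' may remain
            return all(c == "*" for c in value[vi:])
        if vi < len(value) and value[vi] == "*":   # '*' absorbs zero or more tokens
            return walk(ti, vi + 1) or walk(ti + 1, vi)
        tok = toks[ti]
        if tok.startswith("${"):                   # placeholder: try every non-empty run
            for end in range(vi + 1, len(value) + 1):
                if value[end - 1] in ":/":
                    break
                if walk(ti + 1, end):
                    return True
            return False
        return vi < len(value) and value[vi] == tok and walk(ti + 1, vi + 1)

    return walk(0, 0)


def lint_statement(stmt):
    """Return findings for one policy statement; an empty list means clean."""
    findings = []
    resources = _as_list(stmt.get("Resource", []))
    cond_keys = [k for operator in stmt.get("Condition", {}).values() for k in operator]
    for action in _as_list(stmt.get("Action", [])):
        service, _, name = action.partition(":")
        if service != "organizations" or name not in ACTIONS:
            findings.append(f"{action}: not in the constructed table subset, not checked")
            continue
        res_types, keys = ACTIONS[name]
        if not res_types and "*" not in resources:
            findings.append(f'{action}: supports no resource types, so Resource must be "*"; '
                            "a specific ARN never matches this action")
        elif res_types and "*" not in resources:
            matched = set()
            for arn in resources:
                types = [t for t in res_types if matches_template(ARN_TEMPLATES[t], arn)]
                if not types:
                    findings.append(f"{action}: {arn} is not an ARN of a supported type "
                                    f"({', '.join(sorted(res_types))})")
                matched.update(types)
            for t, required in res_types.items():
                if required and t not in matched:
                    findings.append(f"{action}: required resource type {t} has no ARN in Resource")
        for key in cond_keys:
            if key.startswith(CHECKED_PREFIXES) and not any(matches_template(k, key) for k in keys):
                findings.append(f"{action}: condition key {key} is not in this action's Condition "
                                "keys column, so the condition can never be met for it")
    return findings


# Constructed example: one statement mixing actions with different resource-type
# support, then the same permissions split so that each statement is consistent.
POLICY_ARN = "arn:aws:organizations::111122223333:policy/o-exampleorgid/SERVICE_CONTROL_POLICY/p-*"
ACCOUNT_ARN = "arn:aws:organizations::111122223333:account/o-exampleorgid/*"
SCP_ONLY = {"StringEquals": {"organizations:PolicyType": "SERVICE_CONTROL_POLICY"}}
MIXED_STATEMENT = {"Effect": "Allow", "Resource": [POLICY_ARN, ACCOUNT_ARN], "Condition": SCP_ONLY,
                   "Action": ["organizations:DescribePolicy", "organizations:DetachPolicy",
                              "organizations:ListPolicies"]}
SPLIT_STATEMENTS = [
    {"Effect": "Allow", "Action": "organizations:DescribePolicy", "Resource": POLICY_ARN, "Condition": SCP_ONLY},
    {"Effect": "Allow", "Action": "organizations:DetachPolicy", "Resource": [POLICY_ARN, ACCOUNT_ARN], "Condition": SCP_ONLY},
    {"Effect": "Allow", "Action": "organizations:ListPolicies", "Resource": "*", "Condition": SCP_ONLY},
]

if __name__ == "__main__":
    print(*lint_statement(MIXED_STATEMENT), sep="\n")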

Actions, resources, and condition keys for AWS Outposts
AWS Outposts (service prefix: outposts) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Outposts (p. 1157)
• Resource types defined by AWS Outposts (p. 1158)
• Condition keys for AWS Outposts (p. 1158)

Actions defined by AWS Outposts


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateOutpost | Grants permission to create an Outpost | Write | | |
DeleteOutpost | Grants permission to delete an Outpost | Write | | |
DeleteSite | Grants permission to delete a site | Write | | |
GetOutpost | Grants permission to get information about the specified Outpost | Read | | |
GetOutpostInstanceTypes | Grants permission to list the instance types for the specified Outpost | Read | | |
ListOutposts | Grants permission to list the Outposts for your AWS account | List | | |
ListSites | Grants permission to list the sites for your AWS account | List | | |

Resource types defined by AWS Outposts


AWS Outposts does not support specifying a resource ARN in the Resource element of an IAM policy
statement. To allow access to AWS Outposts, specify “Resource”: “*” in your policy.

Condition keys for AWS Outposts


Outposts has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Panorama
AWS Panorama (service prefix: panorama) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Panorama (p. 1158)
• Resource types defined by AWS Panorama (p. 1163)
• Condition keys for AWS Panorama (p. 1164)

Actions defined by AWS Panorama


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateApp [permission only] | Grants permission to create an AWS Panorama application | Write | | aws:TagKeys, aws:RequestTag/${TagKey} (p. 1164) |
CreateAppDeployment [permission only] | Grants permission to deploy an AWS Panorama application | Write | | |
CreateAppVersion [permission only] | Grants permission to create a version of an AWS Panorama application | Write | appVersion* (p. 1164) | |
CreateDataSource [permission only] | Grants permission to create an AWS Panorama datasource | Write | device* (p. 1163) | aws:TagKeys, aws:RequestTag/${TagKey} (p. 1164) |
CreateDeploymentConfiguration [permission only] | Grants permission to configure a deployment for an AWS Panorama application | Write | | |
CreateDevice [permission only] | Grants permission to register an AWS Panorama Appliance | Write | | aws:TagKeys, aws:RequestTag/${TagKey} (p. 1164) |
CreateDeviceUpdate [permission only] | Grants permission to apply a software update to an AWS Panorama Appliance | Write | | |
CreateInputs [permission only] | Grants permission to generate a list of cameras on the same network as an AWS Panorama Appliance | Write | device* (p. 1163) | |
CreateModel [permission only] | Grants permission to import a machine learning model into AWS Panorama | Write | | aws:TagKeys, aws:RequestTag/${TagKey} (p. 1164) |
CreateStreams [permission only] | Grants permission to generate a list of streams available to an AWS Panorama Appliance | Write | device* (p. 1163) | |
DeleteApp [permission only] | Grants permission to delete an AWS Panorama application | Write | app* (p. 1164) | |
DeleteAppVersion [permission only] | Grants permission to delete a version of an AWS Panorama application | Write | app* (p. 1164) | |
DeleteDataSource [permission only] | Grants permission to delete an AWS Panorama datasource | Write | dataSource* (p. 1163) | |
DeleteDevice [permission only] | Grants permission to deregister an AWS Panorama Appliance | Write | device* (p. 1163) | |
DeleteModel [permission only] | Grants permission to delete a machine learning model from AWS Panorama | Write | model* (p. 1163) | |
DescribeApp [permission only] | Grants permission to view details about an AWS Panorama application | Read | app* (p. 1164) | |
DescribeAppDeployment [permission only] | Grants permission to view details about a deployment for an AWS Panorama application | Read | | |
DescribeAppVersion [permission only] | Grants permission to view details about a version of an AWS Panorama application | Read | app* (p. 1164) | |
DescribeDataSource [permission only] | Grants permission to view details about a datasource in AWS Panorama | Read | dataSource* (p. 1163) | |
DescribeDevice [permission only] | Grants permission to view details about an AWS Panorama Appliance | Read | device* (p. 1163) | |
DescribeDeviceUpdate [permission only] | Grants permission to view details about a software update for an AWS Panorama Appliance | Read | | |
DescribeModel [permission only] | Grants permission to view details about a machine learning model in AWS Panorama | Read | model* (p. 1163) | |
DescribeSoftware [permission only] | Grants permission to view details about a software version for the AWS Panorama Appliance | Read | | |
GetDeploymentConfiguration [permission only] | Grants permission to view details about a deployment configuration for an AWS Panorama application | Read | | |
GetInputs [permission only] | Grants permission to retrieve a list of cameras generated with CreateInputs | Read | device* (p. 1163) | |
GetStreams [permission only] | Grants permission to retrieve a list of streams generated with CreateStreams | Read | device* (p. 1163) | |
GetWebSocketURL [permission only] | Grants permission to generate a WebSocket endpoint for communication with AWS Panorama | Read | | |
ListAppDeploymentOperations [permission only] | Grants permission to retrieve a list of deployments for an AWS Panorama application | List | | |
ListAppVersions [permission only] | Grants permission to retrieve a list of application versions in AWS Panorama | List | app* (p. 1164) | |
ListApps [permission only] | Grants permission to retrieve a list of applications in AWS Panorama | List | | |
ListDataSources [permission only] | Grants permission to retrieve a list of datasources in AWS Panorama | List | device* (p. 1163) | |
ListDeploymentConfigurations [permission only] | Grants permission to retrieve a list of deployment configurations in AWS Panorama | List | | |
ListDeviceUpdates [permission only] | Grants permission to retrieve a list of software updates for an AWS Panorama Appliance | List | | |
ListDevices [permission only] | Grants permission to retrieve a list of appliances in AWS Panorama | List | | |
ListModels [permission only] | Grants permission to retrieve a list of models in AWS Panorama | List | | |
ListTagsForResource [permission only] | Grants permission to retrieve a list of tags for a resource in AWS Panorama | List | app (p. 1164), dataSource, device, model (p. 1163) | |
TagResource [permission only] | Grants permission to add tags to a resource in AWS Panorama | Tagging | app (p. 1164), dataSource, device, model (p. 1163) | aws:TagKeys, aws:RequestTag/${TagKey} (p. 1164) |
UntagResource [permission only] | Grants permission to remove tags from a resource in AWS Panorama | Tagging | app (p. 1164), dataSource, device, model (p. 1163) | aws:TagKeys (p. 1164) |
UpdateApp [permission only] | Grants permission to modify an AWS Panorama application | Write | app* (p. 1164) | |
UpdateAppConfiguration [permission only] | Grants permission to modify the version-specific configuration of an AWS Panorama application | Write | app* (p. 1164) | |
UpdateDataSource [permission only] | Grants permission to modify an AWS Panorama datasource | Write | dataSource* (p. 1163) | |
UpdateDevice [permission only] | Grants permission to modify basic settings for an AWS Panorama Appliance | Write | | |

Resource types defined by AWS Panorama


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1158) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
device | arn:${Partition}:panorama:${Region}:${AccountId}:device/${DeviceName} | aws:ResourceTag/${TagKey} (p. 1164)
dataSource | arn:${Partition}:panorama:${Region}:${AccountId}:dataSource/${DeviceName}/${DataSourceName} | aws:ResourceTag/${TagKey} (p. 1164)
model | arn:${Partition}:panorama:${Region}:${AccountId}:model/${ModelName} | aws:ResourceTag/${TagKey} (p. 1164)
app | arn:${Partition}:panorama:${Region}:${Account}:app/${AppName} | aws:ResourceTag/${TagKey} (p. 1164)
appVersion | arn:${Partition}:panorama:${Region}:${Account}:app/${AppName}:{AppVersion} |

Condition keys for AWS Panorama


AWS Panorama defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String
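The aws:RequestTag/${TagKey} and aws:TagKeys keys in this table are what the CreateApp, CreateDataSource, CreateDevice, CreateModel and TagResource rows above list, so they are the keys a tag-on-create rule for AWS Panorama is built from. The following Python is an added example, not AWS code: it models how an IAM Condition block on those keys evaluates against constructed requests, including the IAM rule that a ForAllValues clause is satisfied when its key is absent from the request, which is why an aws:TagKeys allow-list on its own does not force a request to carry tags. The three policies and the request tags are constructed; the operator semantics (StringEquals, StringLike, ForAllValues, ForAnyValue, Null) follow the IAM condition rules, and Resource is taken as "*" because the CreateDevice row lists no resource types.

```python
import fnmatch


def request_context(tags):
    """Condition context a tagging request exposes: one aws:RequestTag/<key> per
    tag plus the multi-valued aws:TagKeys. Neither key exists for an untagged request."""
    ctx = {f"aws:RequestTag/{k}": [v] for k, v in tags.items()}
    if tags:
        ctx["aws:TagKeys"] = list(tags)
    return ctx


def _matches(op, value, pattern):
    if op == "StringEquals":
        return value == pattern
    if op == "StringLike":                         # IAM string wildcard match
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"operator {op} is not modelled here")


def condition_holds(condition, ctx):
    """Evaluate a Condition block: every operator/key pair must hold."""
    for full_op, pairs in condition.items():
        set_op, _, op = full_op.rpartition(":")    # "ForAllValues:StringEquals" -> set_op, op
        for key, patterns in pairs.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            values = ctx.get(key)
            if op == "Null":                       # "true" requires the key to be absent
                if (patterns[0] == "true") == (values is not None):
                    return False
                continue
            if values is None:                     # key missing from the request...
                if set_op == "ForAllValues":       # ...which ForAllValues treats as satisfied
                    continue
                return False
            hits = [any(_matches(op, v, p) for p in patterns) for v in values]
            if not (all(hits) if set_op == "ForAllValues" else any(hits)):
                return False
    return True


def is_allowed(statement, action, tags):
    """Does this Allow statement apply to `action` with the given request tags?
    Resource is taken as "*", as the CreateDevice row lists no resource types."""
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    if statement.get("Effect") != "Allow" or not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    return condition_holds(statement.get("Condition", {}), request_context(tags))


# Constructed policies. STRICT requires an Environment tag from an allowed set and
# restricts every tag key to an allow-list; WEAK has only the allow-list clause.
ALLOWED_KEYS = ["Environment", "Owner"]
STRICT = {"Effect": "Allow", "Action": "panorama:CreateDevice", "Resource": "*",
          "Condition": {"StringEquals": {"aws:RequestTag/Environment": ["prod", "dev"]},
                        "ForAllValues:StringEquals": {"aws:TagKeys": ALLOWED_KEYS}}}
WEAK = {"Effect": "Allow", "Action": "panorama:CreateDevice", "Resource": "*",
        "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ALLOWED_KEYS}}}
# Null: false on aws:TagKeys makes WEAK demand that the request carries tags at all.
WEAK_FIXED = {**WEAK, "Condition": {**WEAK["Condition"], "Null": {"aws:TagKeys": "false"}}}

if __name__ == "__main__":
    for tags in ({"Environment": "prod", "Owner": "sre"}, {"Owner": "sre"},
                 {"Environment": "prod", "CostCenter": "42"}, {}):
        print(tags, [is_allowed(p, "panorama:CreateDevice", tags) for p in (STRICT, WEAK, WEAK_FIXED)])
```

The untagged request is the case to watch: STRICT and WEAK_FIXED deny it, WEAK allows it, because the only clause in WEAK is vacuously true when aws:TagKeys is missing from the request. Pairing the allow-list with a StringEquals on a mandatory tag, or with Null: false, closes that gap.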

Actions, resources, and condition keys for AWS Performance Insights
AWS Performance Insights (service prefix: pi) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

Topics
• Actions defined by AWS Performance Insights (p. 1164)
• Resource types defined by AWS Performance Insights (p. 1165)
• Condition keys for AWS Performance Insights (p. 1165)

Actions defined by AWS Performance Insights


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
DescribeDimensionKeys | For a specific time period, retrieve the top N dimension keys for a metric. | Read | metric-resource* (p. 1165) | |
GetResourceMetrics | Retrieve PI metrics for a set of data sources, over a time period. | Read | metric-resource* (p. 1165) | |

Resource types defined by AWS Performance Insights


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1164) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
metric-resource | arn:${Partition}:pi:${Region}:${Account}:metrics/${ServiceType}/${Identifier} |

Condition keys for AWS Performance Insights


Performance Insights has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Amazon Personalize
Amazon Personalize (service prefix: personalize) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.

Topics
• Actions defined by Amazon Personalize (p. 1166)
• Resource types defined by Amazon Personalize (p. 1168)
• Condition keys for Amazon Personalize (p. 1169)

Actions defined by Amazon Personalize


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateBatchInferenceJob | Creates a batch inference job | Write | batchInferenceJob* (p. 1169) | |
CreateCampaign | Creates a campaign | Write | campaign* (p. 1169) | |
CreateDataset | Creates a dataset | Write | dataset* (p. 1169) | |
CreateDatasetGroup | Creates a dataset group | Write | datasetGroup* (p. 1169) | |
CreateDatasetImportJob | Creates a dataset import job | Write | datasetImportJob* (p. 1169) | |
CreateEventTracker | Creates an event tracker | Write | eventTracker* (p. 1169) | |
CreateFilter | Creates a filter | Write | filter* (p. 1169) | |
CreateSchema | Creates a schema | Write | schema* (p. 1169) | |
CreateSolution | Creates a solution | Write | solution* (p. 1169) | |
CreateSolutionVersion | Creates a solution version | Write | solution* (p. 1169) | |
DeleteCampaign | Deletes a campaign | Write | campaign* (p. 1169) | |
DeleteDataset | Deletes a dataset | Write | dataset* (p. 1169) | |
DeleteDatasetGroup | Deletes a dataset group | Write | datasetGroup* (p. 1169) | |
DeleteEventTracker | Deletes an event tracker | Write | eventTracker* (p. 1169) | |
DeleteFilter | Deletes a filter | Write | filter* (p. 1169) | |
DeleteSchema | Deletes a schema | Write | schema* (p. 1169) | |
DeleteSolution | Deletes a solution including all versions of the solution | Write | solution* (p. 1169) | |
DescribeAlgorithm | Describes an algorithm | Read | algorithm* (p. 1169) | |
DescribeBatchInferenceJob | Describes a batch inference job | Read | batchInferenceJob* (p. 1169) | |
DescribeCampaign | Describes a campaign | Read | campaign* (p. 1169) | |
DescribeDataset | Describes a dataset | Read | dataset* (p. 1169) | |
DescribeDatasetGroup | Describes a dataset group | Read | datasetGroup* (p. 1169) | |
DescribeDatasetImportJob | Describes a dataset import job | Read | datasetImportJob* (p. 1169) | |
DescribeEventTracker | Describes an event tracker | Read | eventTracker* (p. 1169) | |
DescribeFeatureTransformation | Describes a feature transformation | Read | featureTransformation* (p. 1169) | |
DescribeFilter | Describes a filter | Read | filter* (p. 1169) | |
DescribeRecipe | Describes a recipe | Read | recipe* (p. 1169) | |
DescribeSchema | Describes a schema | Read | schema* (p. 1169) | |
DescribeSolution | Describes a solution | Read | solution* (p. 1169) | |
DescribeSolutionVersion | Describes a version of a solution | Read | solution* (p. 1169) | |
GetPersonalizedRanking | Gets a re-ranked list of recommendations | Read | campaign* (p. 1169) | |
GetRecommendations | Gets a list of recommendations from a campaign | Read | campaign* (p. 1169) | |
GetSolutionMetrics | Gets metrics for a solution version | Read | solution* (p. 1169) | |
ListBatchInferenceJobs | Lists batch inference jobs | List | | |
ListCampaigns | Lists campaigns | List | | |
ListDatasetGroups | Lists dataset groups | List | | |
ListDatasetImportJobs | Lists dataset import jobs | List | | |
ListDatasets | Lists datasets | List | | |
ListEventTrackers | Lists event trackers | List | | |
ListFilters | Lists filters | List | | |
ListRecipes | Lists recipes | List | | |
ListSchemas | Lists schemas | List | | |
ListSolutionVersions | Lists versions of a solution | List | | |
ListSolutions | Lists solutions | List | | |
PutEvents | Records real time event data | Write | eventTracker* (p. 1169) | |
PutItems | Ingest Items data | Write | dataset* (p. 1169) | |
PutUsers | Ingest Users data | Write | dataset* (p. 1169) | |
UpdateCampaign | Updates a campaign | Write | campaign* (p. 1169) | |

Resource types defined by Amazon Personalize


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1166) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
schema | arn:${Partition}:personalize:${Region}:${Account}:schema/${ResourceId} |
featureTransformation | arn:${Partition}:personalize:${Region}:${Account}:feature-transformation/${ResourceId} |
dataset | arn:${Partition}:personalize:${Region}:${Account}:dataset/${ResourceId} |
datasetGroup | arn:${Partition}:personalize:${Region}:${Account}:dataset-group/${ResourceId} |
datasetImportJob | arn:${Partition}:personalize:${Region}:${Account}:dataset-import-job/${ResourceId} |
solution | arn:${Partition}:personalize:${Region}:${Account}:solution/${ResourceId} |
campaign | arn:${Partition}:personalize:${Region}:${Account}:campaign/${ResourceId} |
eventTracker | arn:${Partition}:personalize:${Region}:${Account}:event-tracker/${ResourceId} |
recipe | arn:${Partition}:personalize:${Region}:${Account}:recipe/${ResourceId} |
algorithm | arn:${Partition}:personalize:${Region}:${Account}:algorithm/${ResourceId} |
batchInferenceJob | arn:${Partition}:personalize:${Region}:${Account}:batch-inference-job/${ResourceId} |
filter | arn:${Partition}:personalize:${Region}:${Account}:filter/${ResourceId} |

Condition keys for Amazon Personalize


Personalize has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Pinpoint
Amazon Pinpoint (service prefix: mobiletargeting) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Pinpoint (p. 1170)
• Resource types defined by Amazon Pinpoint (p. 1180)
• Condition keys for Amazon Pinpoint (p. 1181)

Actions defined by Amazon Pinpoint


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateApp | Create an app. | Write | - | aws:RequestTag/${TagKey}, aws:TagKeys, aws:ResourceTag/${TagKey} | -
CreateCampaign | Create a campaign for an app. | Write | apps* | aws:RequestTag/${TagKey}, aws:TagKeys, aws:ResourceTag/${TagKey} | -
CreateEmailTemplate | Create an email template. | Write | - | aws:RequestTag/${TagKey}, aws:TagKeys, aws:ResourceTag/${TagKey} | -
CreateExportJob | Create an export job that exports endpoint definitions to Amazon S3. | Write | apps* | - | -
CreateImportJob | Import endpoint definitions from to create a segment. | Write | apps* | - | -
CreateJourney | Create a Journey for an app. | Write | apps* | aws:RequestTag/${TagKey}, aws:TagKeys, aws:ResourceTag/${TagKey} | -
CreatePushTemplate | Create a push notification template. | Write | - | aws:RequestTag/${TagKey}, aws:TagKeys, aws:ResourceTag/${TagKey} | -
CreateRecommenderConfiguration | Create an Amazon Pinpoint configuration for a recommender model. | Write | - | - | -
CreateSegment | Create a segment that is based on endpoint data reported to Pinpoint by your app. To allow a user to create a segment by importing endpoint data from outside of Pinpoint, allow the mobiletargeting:CreateImportJob action. | Write | apps* | aws:RequestTag/${TagKey}, aws:TagKeys, aws:ResourceTag/${TagKey} | -
CreateSmsTemplate | Create an SMS message template. | Write | - | aws:RequestTag/${TagKey}, aws:TagKeys, aws:ResourceTag/${TagKey} | -
CreateVoiceTemplate | Create a voice message template. | Write | - | aws:RequestTag/${TagKey}, aws:TagKeys, aws:ResourceTag/${TagKey} | -
DeleteAdmChannel | Delete the ADM channel for an app. | Write | apps* | - | -
DeleteApnsChannel | Delete the APNs channel for an app. | Write | apps* | - | -
DeleteApnsSandboxChannel | Delete the APNs sandbox channel for an app. | Write | apps* | - | -
DeleteApnsVoipChannel | Delete the APNs VoIP channel for an app. | Write | apps* | - | -
DeleteApnsVoipSandboxChannel | Delete the APNs VoIP sandbox channel for an app. | Write | apps* | - | -
DeleteApp | Delete a specific campaign. | Write | apps* | - | -
DeleteBaiduChannel | Delete the Baidu channel for an app. | Write | apps* | - | -
DeleteCampaign | Delete a specific campaign. | Write | apps*, campaigns* | - | -
DeleteEmailChannel | Delete the email channel for an app. | Write | apps* | - | -
DeleteEmailTemplate | Delete an email template or an email template version. | Write | templates* | - | -
DeleteEndpoint | Delete an endpoint. | Write | apps* | - | -
DeleteEventStream | Delete the event stream for an app. | Write | apps* | - | -
DeleteGcmChannel | Delete the GCM channel for an app. | Write | apps* | - | -
DeleteJourney | Delete a specific journey. | Write | apps*, journeys* | - | -
DeletePushTemplate | Delete a push notification template or a push notification template version. | Write | templates* | - | -
DeleteRecommenderConfiguration | Delete an Amazon Pinpoint configuration for a recommender model. | Write | recommenders* | - | -
DeleteSegment | Delete a specific segment. | Write | apps*, segments* | - | -
DeleteSmsChannel | Delete the SMS channel for an app. | Write | apps* | - | -
DeleteSmsTemplate | Delete an SMS message template or an SMS message template version. | Write | templates* | - | -
DeleteUserEndpoints | Delete all of the endpoints that are associated with a user ID. | Write | apps* | - | -
DeleteVoiceChannel | Delete the Voice channel for an app. | Write | apps* | - | -
DeleteVoiceTemplate | Delete a voice message template or a voice message template version. | Write | templates* | - | -
GetAdmChannel | Retrieve information about the Amazon Device Messaging (ADM) channel for an app. | Read | apps* | - | -
GetApnsChannel | Retrieve information about the APNs channel for an app. | Read | apps* | - | -
GetApnsSandboxChannel | Retrieve information about the APNs sandbox channel for an app. | Read | apps* | - | -
GetApnsVoipChannel | Retrieve information about the APNs VoIP channel for an app. | Read | apps* | - | -
GetApnsVoipSandboxChannel | Retrieve information about the APNs VoIP sandbox channel for an app. | Read | apps* | - | -
GetApp | Retrieve information about a specific app in your Amazon Pinpoint account. | Read | apps* | - | -
GetApplicationSettings | Retrieve the default settings for an app. | List | apps* | - | -
GetApps | Retrieve a list of apps in your Amazon Pinpoint account. | List | apps* | - | -
GetBaiduChannel | Retrieve information about the Baidu channel for an app. | Read | apps* | - | -
GetCampaign | Retrieve information about a specific campaign. | Read | apps*, campaigns* | - | -
GetCampaignActivities | Retrieve information about the activities performed by a campaign. | List | apps*, campaigns* | - | -
GetCampaignVersion | Retrieve information about a specific campaign version. | Read | apps*, campaigns* | - | -
GetCampaignVersions | Retrieve information about the current and prior versions of a campaign. | List | apps*, campaigns* | - | -
GetCampaigns | Retrieve information about all campaigns for an app. | List | apps* | - | -
GetChannels | Get all channels information for your app. | List | apps* | - | -
GetEmailChannel | Obtain information about the email channel in an app. | Read | apps* | - | -
GetEmailTemplate | Retrieve information about a specific or the active version of an email template. | Read | templates* | - | -
GetEndpoint | Retrieve information about a specific endpoint. | Read | apps* | - | -
GetEventStream | Retrieve information about the event stream for an app. | Read | apps* | - | -
GetExportJob | Obtain information about a specific export job. | Read | apps* | - | -
GetExportJobs | Retrieve a list of all of the export jobs for an app. | List | apps* | - | -
GetGcmChannel | Retrieve information about the GCM channel for an app. | Read | apps* | - | -
GetImportJob | Retrieve information about a specific import job. | Read | apps* | - | -
GetImportJobs | Retrieve information about all import jobs for an app. | List | apps* | - | -
GetJourney | Retrieve information about a specific journey. | Read | apps*, journeys* | - | -
GetPushTemplate | Retrieve information about a specific or the active version of a push notification template. | Read | templates* | - | -
GetRecommenderConfiguration | Retrieve information about an Amazon Pinpoint configuration for a recommender model. | Read | recommenders* | - | -
GetRecommenderConfigurations | Retrieve information about all the recommender model configurations that are associated with an Amazon Pinpoint account. | List | - | - | -
GetSegment | Retrieve information about a specific segment. | Read | apps*, segments* | - | -
GetSegmentExportJobs | Retrieve information about jobs that export endpoint definitions from segments to Amazon S3. | List | apps*, segments* | - | -
GetSegmentImportJobs | Retrieve information about jobs that create segments by importing endpoint definitions from . | List | apps*, segments* | - | -
GetSegmentVersion | Retrieve information about a specific segment version. | Read | apps*, segments* | - | -
GetSegmentVersions | Retrieve information about the current and prior versions of a segment. | List | apps*, segments* | - | -
GetSegments | Retrieve information about the segments for an app. | List | apps* | - | -
GetSmsChannel | Obtain information about the SMS channel in an app. | Read | apps* | - | -
GetSmsTemplate | Retrieve information about a specific or the active version of an SMS message template. | Read | templates* | - | -
GetUserEndpoints | Retrieve information about the endpoints that are associated with a user ID. | Read | apps* | - | -
GetVoiceChannel | Obtain information about the Voice channel in an app. | Read | apps* | - | -
GetVoiceTemplate | Retrieve information about a specific or the active version of a voice message template. | Read | templates* | - | -
ListJourneys | Retrieve information about all journeys for an app. | List | apps* | - | -
ListTagsForResource | List tags for a resource. | List | apps, campaigns, segments | - | -
ListTemplateVersions | Retrieve all versions about a specific template. | List | templates* | - | -
ListTemplates | Retrieve metadata about the queried templates. | List | templates* | - | -
PhoneNumberValidate | Obtain metadata for a phone number, such as the number type (mobile, landline, or VoIP), location, and provider. | Read | apps* | - | -
PutEventStream | Create or update an event stream for an app. | Write | apps* | - | -
PutEvents | Create or update events for an app. | Write | apps* | - | -
RemoveAttributes | Used to remove the attributes for an app. | Write | apps* | - | -
SendMessages | Send an SMS message or push notification to specific endpoints. | Write | apps* | - | -
SendUsersMessages | Send an SMS message or push notification to all endpoints that are associated with a specific user ID. | Write | apps* | - | -
TagResource | Adds tags to a resource. | Tagging | apps, campaigns, segments | aws:RequestTag/${TagKey}, aws:TagKeys | -
UntagResource | Removes tags from a resource. | Tagging | apps, campaigns, segments | aws:RequestTag/${TagKey}, aws:TagKeys | -
UpdateAdmChannel | Update the Amazon Device Messaging (ADM) channel for an app. | Write | apps* | - | -
UpdateApnsChannel | Update the Apple Push Notification service (APNs) channel for an app. | Write | apps* | - | -
UpdateApnsSandboxChannel | Update the Apple Push Notification service (APNs) sandbox channel for an app. | Write | apps* | - | -
UpdateApnsVoipChannel | Update the Apple Push Notification service (APNs) VoIP channel for an app. | Write | apps* | - | -
UpdateApnsVoipSandboxChannel | Update the Apple Push Notification service (APNs) VoIP sandbox channel for an app. | Write | apps* | - | -
UpdateApplicationSettings | Update the default settings for an app. | Write | apps* | - | -
UpdateBaiduChannel | Update the Baidu channel for an app. | Write | apps* | - | -
UpdateCampaign | Update a specific campaign. | Write | apps*, campaigns* | aws:RequestTag/${TagKey}, aws:TagKeys | -
UpdateEmailChannel | Update the email channel for an app. | Write | apps* | - | -
UpdateEmailTemplate | Update a specific email template under the same version or generate a new version. | Write | templates* | aws:RequestTag/${TagKey}, aws:TagKeys | -
UpdateEndpoint | Create an endpoint or update the information for an endpoint. | Write | apps* | - | -
UpdateEndpointsBatch | Create or update endpoints as a batch operation. | Write | apps* | - | -
UpdateGcmChannel | Update the Firebase Cloud Messaging (FCM) or Google Cloud Messaging (GCM) API key that allows sending push notifications to your Android app. | Write | apps* | - | -
UpdateJourney | Update a specific journey. | Write | apps*, journeys* | aws:RequestTag/${TagKey}, aws:TagKeys | -
UpdateJourneyState | Update a specific journey state. | Write | apps*, journeys* | aws:RequestTag/${TagKey}, aws:TagKeys | -
UpdatePushTemplate | Update a specific push notification template under the same version or generate a new version. | Write | templates* | aws:RequestTag/${TagKey}, aws:TagKeys | -
UpdateRecommenderConfiguration | Update an Amazon Pinpoint configuration for a recommender model. | Write | recommenders* | - | -
UpdateSegment | Update a specific segment. | Write | apps*, segments* | aws:RequestTag/${TagKey}, aws:TagKeys | -
UpdateSmsChannel | Update the SMS channel for an app. | Write | apps* | - | -
UpdateSmsTemplate | Update a specific SMS message template under the same version or generate a new version. | Write | templates* | aws:RequestTag/${TagKey}, aws:TagKeys | -
UpdateTemplateActiveVersion | Update the active version parameter of a specific template. | Write | templates* | - | -
UpdateVoiceChannel | Update the Voice channel for an app. | Write | apps* | - | -
UpdateVoiceTemplate | Update a specific voice message template under the same version or generate a new version. | Write | templates* | aws:RequestTag/${TagKey}, aws:TagKeys | -

Resource types defined by Amazon Pinpoint


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1170) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
apps | arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId} | aws:ResourceTag/${TagKey}
campaigns | arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/campaigns/${CampaignId} | aws:ResourceTag/${TagKey}
journeys | arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/journeys/${JourneyId} | aws:ResourceTag/${TagKey}
segments | arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/segments/${SegmentId} | aws:ResourceTag/${TagKey}
templates | arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/${ChannelType} | aws:ResourceTag/${TagKey}
recommenders | arn:${Partition}:mobiletargeting:${Region}:${Account}:recommenders/${RecommenderId} | -

Condition keys for Amazon Pinpoint


Amazon Pinpoint defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters access by a key that is present in the request the user makes to the pinpoint service. | String
aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair. | String
aws:TagKeys | Filters access by the list of all the tag key names present in the request the user makes to the pinpoint service. | String

Actions, resources, and condition keys for Amazon Pinpoint Email Service

Amazon Pinpoint Email Service (service prefix: ses) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• View a list of the API operations available for this service.

Topics
• Actions defined by Amazon Pinpoint Email Service (p. 1182)
• Resource types defined by Amazon Pinpoint Email Service (p. 1187)
• Condition keys for Amazon Pinpoint Email Service (p. 1187)

Actions defined by Amazon Pinpoint Email Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateConfigurationSet | Create a configuration set. Configuration sets are groups of rules that you can apply to the emails you send using Amazon Pinpoint | Write | configuration-set* | aws:TagKeys, aws:RequestTag/${TagKey} | -
CreateConfigurationSetEventDestination | Create an event destination | Write | configuration-set* | - | -
CreateDedicatedIpPool | Create a new pool of dedicated IP addresses | Write | dedicated-ip-pool* | aws:TagKeys, aws:RequestTag/${TagKey} | -
CreateDeliverabilityTestReport | Create a new predictive inbox placement test. | Write | identity* | aws:TagKeys, aws:RequestTag/${TagKey} | -
CreateEmailIdentity | Verifies an email identity for use with Amazon Pinpoint | Write | identity* | aws:TagKeys, aws:RequestTag/${TagKey} | -
DeleteConfigurationSet | Delete an existing configuration set | Write | configuration-set* | - | -
DeleteConfigurationSetEventDestination | Delete an event destination | Write | configuration-set* | - | -
DeleteDedicatedIpPool | Delete a dedicated IP pool | Write | dedicated-ip-pool* | - | -
DeleteEmailIdentity | Deletes an email identity that you previously verified for use with Amazon Pinpoint | Write | identity* | - | -
GetAccount | Obtain information about the email-sending status and capabilities | Read | - | - | -
GetBlacklistReports | Retrieve a list of the blacklists that your dedicated IP addresses appear on | Read | - | - | -
GetConfigurationSet | Get information about an existing configuration set | Read | configuration-set* | - | -
GetConfigurationSetEventDestinations | Retrieve a list of event destinations that are associated with a configuration set | Read | configuration-set* | - | -
GetDedicatedIp | Get information about a dedicated IP address | Read | - | - | -
GetDedicatedIps | List the dedicated IP addresses that are associated with your Amazon Pinpoint account | Read | dedicated-ip-pool* | - | -
GetDeliverabilityDashboardOptions | Show the status of the Deliverability dashboard | Read | - | - | -
GetDeliverabilityTestReport | Retrieve the results of a predictive inbox placement test | Read | deliverability-test-report* | - | -
GetDomainStatisticsReport | Retrieve inbox placement and engagement rates for the domains that you use to send email | Read | identity* | - | -
GetEmailIdentity | Provides information about a specific identity associated with your Amazon Pinpoint account | Read | identity* | - | -
ListConfigurationSets | List all of the configuration sets associated with your Amazon Pinpoint account in the current region | List | - | - | -
ListDedicatedIpPools | List all of the dedicated IP pools that exist in your Amazon Pinpoint account in the current AWS Region | List | - | - | -
ListDeliverabilityTestReports | Show a list of the predictive inbox placement tests that you've performed, regardless of their statuses | List | - | - | -
ListEmailIdentities | Returns a list of all of the email identities that are associated with your Amazon Pinpoint account | List | - | - | -
ListTagsForResource | Retrieve a list of the tags (keys and values) that are associated with a specific resource. | Read | configuration-set, dedicated-ip-pool, deliverability-test-report, identity | - | -
PutAccountDedicatedIpWarmupAttributes | Enable or disable the automatic warm-up feature for dedicated IP addresses | Write | - | - | -
PutAccountSendingAttributes | Enable or disable the ability of your account to send email | Write | - | - | -
PutConfigurationSetDeliveryOptions | Associate a configuration set with a dedicated IP pool | Write | configuration-set* | - | -
PutConfigurationSetReputationOptions | Enable or disable collection of reputation metrics for emails that you send using a particular configuration set in a specific AWS Region | Write | configuration-set* | - | -
PutConfigurationSetSendingOptions | Enable or disable email sending for messages that use a particular configuration set in a specific AWS Region | Write | configuration-set* | - | -
PutConfigurationSetTrackingOptions | Specify a custom domain to use for open and click tracking elements in email that you send using Amazon Pinpoint | Write | configuration-set* | - | -
PutDedicatedIpInPool | Move a dedicated IP address to an existing dedicated IP pool | Write | dedicated-ip-pool* | - | -
PutDedicatedIpWarmupAttributes | Put Dedicated IP warm up attributes | Write | - | - | -
PutDeliverabilityDashboardOption | Enable or disable the Deliverability dashboard | Write | - | - | -
PutEmailIdentityDkimAttributes | Used to enable or disable DKIM authentication for an email identity | Write | identity* | - | -
PutEmailIdentityFeedbackAttributes | Used to enable or disable feedback forwarding for an identity | Write | identity* | - | -
PutEmailIdentityMailFromAttributes | Used to enable or disable the custom Mail-From domain configuration for an email identity | Write | identity* | - | -
SendEmail | Sends an email message | Write | identity* | ses:FeedbackAddress, ses:FromAddress, ses:FromDisplayName, ses:Recipients | -
TagResource | Add one or more tags (keys and values) to a specified resource. | Tagging | configuration-set, dedicated-ip-pool, deliverability-test-report, identity | aws:TagKeys, aws:RequestTag/${TagKey} | -
UntagResource | Remove one or more tags (keys and values) from a specified resource. | Tagging | configuration-set, dedicated-ip-pool, deliverability-test-report, identity | aws:TagKeys | -
UpdateConfigurationSetEventDestination | Update the configuration of an event destination for a configuration set | Write | configuration-set* | - | -

Resource types defined by Amazon Pinpoint Email Service


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1182) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
configuration-set | arn:${Partition}:ses:${Region}:${Account}:configuration-set/${ConfigurationSetName} | aws:ResourceTag/${TagKey}
dedicated-ip-pool | arn:${Partition}:ses:${Region}:${Account}:dedicated-ip-pool/${CustomVerificationEmailTemplateName} | aws:ResourceTag/${TagKey}
deliverability-test-report | arn:${Partition}:ses:${Region}:${Account}:deliverability-test-report/${CustomVerificationEmailTemplateName} | aws:ResourceTag/${TagKey}
event-destination | arn:${Partition}:ses:${Region}:${Account}:configuration-set/${ConfigurationSetName}:event-destination/${EventDestinationName} | -
identity | arn:${Partition}:ses:${Region}:${Account}:identity/${IdentityName} | aws:ResourceTag/${TagKey}

Condition keys for Amazon Pinpoint Email Service


Amazon Pinpoint Email Service defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
ses:FeedbackAddress | The "Return-Path" address, which specifies where bounces and complaints are sent by email feedback forwarding. | String
ses:FromAddress | The "From" address of a message. | String
ses:FromDisplayName | The "From" address that is used as the display name of a message. | String
ses:Recipients | The recipient addresses of a message, which include the "To", "CC", and "BCC" addresses. | String

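The tables above say which resource types an action accepts and which condition keys it honours, but not how those pieces combine at request time. The following evaluator is an added illustration (not AWS code and not the reference's own material) that applies the Pinpoint and Pinpoint Email entries to constructed requests: a resource-level statement on one app's campaigns (GetCampaign lists apps* and campaigns* as required), a CreateApp statement that has no resource type and so uses Resource "*" together with aws:RequestTag and aws:TagKeys, and a SendEmail statement on one identity that constrains the multi-valued ses:Recipients key. The account ID, app and identity names, tag values and addresses are constructed sample data; the function names are mine.

```python
"""Toy IAM-style policy evaluator for the Pinpoint (mobiletargeting) and
Pinpoint Email (ses) entries above. Added illustration, not AWS code; the
account, app, identity, tag and address values are constructed samples."""
import re

# Constructed sample policy:
#  1. GetCampaign lists apps* and campaigns* as required resource types, so the
#     ARNs must be of those types (one app and all of its campaigns here).
#  2. CreateApp has no resource type, so Resource must be "*"; the request-tag
#     keys decide which tags a new app may carry.
#  3. SendEmail on one verified identity; the multi-valued ses:Recipients key
#     is constrained with the ForAllValues set operator.
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "mobiletargeting:GetCampaign",
         "Resource": ["arn:aws:mobiletargeting:us-east-1:111122223333:apps/app-growth",
                      "arn:aws:mobiletargeting:us-east-1:111122223333:apps/app-growth/campaigns/*"]},
        {"Effect": "Allow", "Action": "mobiletargeting:CreateApp", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/team": "growth"},
                       "ForAllValues:StringEquals": {"aws:TagKeys": ["team", "env"]}}},
        {"Effect": "Allow", "Action": "ses:SendEmail",
         "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
         "Condition": {"ForAllValues:StringLike": {"ses:Recipients": ["*@example.com"]}}},
    ]
}
CAMPAIGN_ARN = "arn:aws:mobiletargeting:us-east-1:111122223333:apps/app-growth/campaigns/c1"
OTHER_APP_CAMPAIGN_ARN = "arn:aws:mobiletargeting:us-east-1:111122223333:apps/app-billing/campaigns/c1"
IDENTITY_ARN = "arn:aws:ses:us-east-1:111122223333:identity/example.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM wildcard match: '*' spans any characters (including '/'), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """Every operator and key in a Condition block must hold (AND); the values
    listed for one key are alternatives (OR)."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")  # e.g. ForAllValues:StringLike
        if base == "StringEquals":
            test = lambda pat, val: pat == val
        elif base == "StringLike":
            test = _glob
        else:
            raise ValueError("unsupported operator " + operator)
        for key, patterns in pairs.items():
            patterns, values = _as_list(patterns), context.get(key)
            if values is None:
                if set_op == "ForAllValues":
                    continue  # IAM: ForAllValues is satisfied when the key is absent
                return False
            values = _as_list(values)
            if set_op == "ForAllValues":
                ok = all(any(test(p, v) for p in patterns) for v in values)
            elif set_op == "":
                ok = len(values) == 1 and any(test(p, values[0]) for p in patterns)
            else:
                raise ValueError("unsupported set operator " + operator)
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny': an explicit Deny wins, otherwise default deny."""
    context, decision = context or {}, "Deny"
    for stmt in policy["Statement"]:
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def demo():
    """Decisions for constructed requests: (action, resource ARN, request context)."""
    return {
        "own campaign": evaluate(POLICY, "mobiletargeting:GetCampaign", CAMPAIGN_ARN),
        "other app campaign": evaluate(POLICY, "mobiletargeting:GetCampaign", OTHER_APP_CAMPAIGN_ARN),
        "tagged CreateApp": evaluate(POLICY, "mobiletargeting:CreateApp", "*",
                                     {"aws:RequestTag/team": "growth", "aws:TagKeys": ["team", "env"]}),
        "untagged CreateApp": evaluate(POLICY, "mobiletargeting:CreateApp", "*", {}),
        "in-domain recipients": evaluate(POLICY, "ses:SendEmail", IDENTITY_ARN,
                                         {"ses:Recipients": ["a@example.com", "b@example.com"]}),
        "outside recipient": evaluate(POLICY, "ses:SendEmail", IDENTITY_ARN,
                                      {"ses:Recipients": ["a@example.com", "x@other.example"]}),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22s} {decision}")
```

Two behaviours are worth noticing. A request that carries no aws:RequestTag/team key is denied by the StringEquals condition, so the CreateApp statement grants nothing to untagged creates; and ForAllValues is satisfied when the key is absent from the request, so a policy that relies on ForAllValues alone should be paired with a check that the key is present when that matters.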
Actions, resources, and condition keys for Amazon Pinpoint SMS and Voice Service

Amazon Pinpoint SMS and Voice Service (service prefix: sms-voice) provides the following service-
specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Pinpoint SMS and Voice Service (p. 1188)
• Resource types defined by Amazon Pinpoint SMS and Voice Service (p. 1189)
• Condition keys for Amazon Pinpoint SMS and Voice Service (p. 1189)

Actions defined by Amazon Pinpoint SMS and Voice Service


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateConfigurationSet | Create a new configuration set. After you create the configuration set, you can add one or more event destinations to it. | Write | | |
CreateConfigurationSetEventDestination | Create a new event destination in a configuration set. | Write | | | iam:PassRole
DeleteConfigurationSet | Deletes an existing configuration set. | Write | | |
DeleteConfigurationSetEventDestination | Deletes an event destination in a configuration set. | Write | | |
GetConfigurationSetEventDestinations | Obtain information about an event destination, including the types of events it reports, the Amazon Resource Name (ARN) of the destination, and the name of the event destination. | Read | | |
ListConfigurationSets | Return a list of configuration sets. This operation only returns the configuration sets that are associated with your account in the current AWS Region. | Read | | |
SendVoiceMessage | Create a new voice message and send it to a recipient's phone number. | Write | | |
UpdateConfigurationSetEventDestination | Update an event destination in a configuration set. An event destination is a location that you publish information about your voice calls to. For example, you can log an event to an Amazon CloudWatch destination when a call fails. | Write | | | iam:PassRole

Resource types defined by Amazon Pinpoint SMS and Voice Service

Amazon Pinpoint SMS and Voice Service does not support specifying a resource ARN in the Resource
element of an IAM policy statement. To allow access to Amazon Pinpoint SMS and Voice Service, specify
"Resource": "*" in your policy.

Condition keys for Amazon Pinpoint SMS and Voice Service


Pinpoint SMS Voice has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.


Actions, resources, and condition keys for Amazon Polly
Amazon Polly (service prefix: polly) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Polly (p. 1190)
• Resource types defined by Amazon Polly (p. 1191)
• Condition keys for Amazon Polly (p. 1191)

Actions defined by Amazon Polly


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
DeleteLexicon | Grants permissions to delete the specified pronunciation lexicon stored in an AWS Region | Write | lexicon* (p. 1191) | |
DescribeVoices | Grants permissions to describe the list of voices that are available for use when requesting speech synthesis | List | | |
GetLexicon | Grants permissions to retrieve the content of the specified pronunciation lexicon stored in an AWS Region | Read | lexicon* (p. 1191) | |
GetSpeechSynthesisTask | Grants permissions to get information about a specific speech synthesis task | Read | | |
ListLexicons | Grants permissions to list the pronunciation lexicons stored in an AWS Region | List | | |
ListSpeechSynthesisTasks | Grants permissions to list requested speech synthesis tasks | List | | |
PutLexicon | Grants permissions to store a pronunciation lexicon in an AWS Region | Write | lexicon* (p. 1191) | |
StartSpeechSynthesisTask | Grants permissions to synthesize long inputs to the provided S3 location | Write | lexicon (p. 1191) | | s3:PutObject
SynthesizeSpeech | Grants permissions to synthesize speech | Read | lexicon (p. 1191) | |

Resource types defined by Amazon Polly


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1190) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
lexicon | arn:${Partition}:polly:${Region}:${Account}:lexicon/${LexiconName} |

Condition keys for Amazon Polly


Polly has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Price List
AWS Price List (service prefix: pricing) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Price List (p. 1192)
• Resource types defined by AWS Price List (p. 1192)
• Condition keys for AWS Price List (p. 1192)

Actions defined by AWS Price List


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
DescribeServices | Returns the service details for all (paginated) services (if serviceCode is not set) or service detail for a particular service (if given serviceCode). | Read | | |
GetAttributeValues | Returns all (paginated) possible values for a given attribute. | Read | | |
GetProducts | Returns all matching products with given search criteria. | Read | | |

Resource types defined by AWS Price List


AWS Price List does not support specifying a resource ARN in the Resource element of an IAM policy
statement. To allow access to AWS Price List, specify "Resource": "*" in your policy.

Condition keys for AWS Price List


Price List has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.


Actions, resources, and condition keys for AWS Private Marketplace
AWS Private Marketplace (service prefix: aws-marketplace) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Private Marketplace (p. 1193)
• Resource types defined by AWS Private Marketplace (p. 1197)
• Condition keys for AWS Private Marketplace (p. 1197)

Actions defined by AWS Private Marketplace


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateProductsWithPrivateMarketplace [permission only] | Adds new approved products to the Private Marketplace. Also allows approving a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | Write | | |
CreatePrivateMarketplace [permission only] | Creates a Private Marketplace for the individual account, or for the entire AWS Organization if one exists. This action can only be performed by the master account if using an AWS Organization. | Write | | |
CreatePrivateMarketplaceProfile [permission only] | Creates a Private Marketplace Profile that customizes the white label experience on the AWS Marketplace website for the individual account, or for the entire AWS Organization if one exists. This action can only be performed by the master account if using an AWS Organization. | Write | | |
CreatePrivateMarketplaceRequests [permission only] | Creates a new request for a product or products to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | Write | | |
DescribePrivateMarketplaceProducts [permission only] | Describes the status of requested products in the Private Marketplace for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | List | | |
DescribePrivateMarketplaceProfile [permission only] | Describes details about the Private Marketplace Profile for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | Read | | |
DescribePrivateMarketplaceRequests [permission only] | Describes requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | List | | |
DescribePrivateMarketplaceSettings [permission only] | Describes the Private Marketplace settings. This includes the setting for enabling requests from end users and preferences for notifications. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | Read | | |
DescribePrivateMarketplaceStatus [permission only] | Describes the status of the Private Marketplace for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | Read | | |
DisassociateProductsFromPrivateMarketplace [permission only] | Removes approved products from the Private Marketplace. Also allows declining a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | Write | | |
ListPrivateMarketplaceProducts [permission only] | Queryable list for the products and status of products in the Private Marketplace for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | List | | |
ListPrivateMarketplaceRequests [permission only] | Queryable list for requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | List | | |
StartPrivateMarketplace [permission only] | Starts the Private Marketplace, enabling the customized AWS Marketplace experience, and enabling restrictions on the procurement of products based on what is available in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | Write | | |
StopPrivateMarketplace [permission only] | Stops the Private Marketplace, disabling the customized AWS Marketplace experience and removing the Private Marketplace procurement restrictions on products. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | Write | | |
UpdatePrivateMarketplaceProfile [permission only] | Updates the Private Marketplace Profile that customizes the white label experience on the AWS Marketplace website for the individual account, or for the entire AWS Organization if one exists. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | Write | | |
UpdatePrivateMarketplaceSettings [permission only] | Updates the Private Marketplace settings. This includes the setting for enabling requests from end users and preferences for notifications. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it. | Write | | |

Resource types defined by AWS Private Marketplace


AWS Private Marketplace does not support specifying a resource ARN in the Resource element of an
IAM policy statement. To allow access to AWS Private Marketplace, specify "Resource": "*" in your
policy.

Condition keys for AWS Private Marketplace


Private Marketplace has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS Proton
AWS Proton (service prefix: proton) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Proton (p. 1198)
• Resource types defined by AWS Proton (p. 1201)
• Condition keys for AWS Proton (p. 1202)

Actions defined by AWS Proton


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateEnvironment | Grants permission to create an environment | Write | environment* (p. 1202) | | iam:PassRole
CreateEnvironmentTemplate | Grants permission to create an environment template | Write | environment-template* (p. 1201) | |
CreateEnvironmentTemplateMajorVersion | Grants permission to create an environment template major version | Write | environment-template* (p. 1201) | |
CreateEnvironmentTemplateMinorVersion | Grants permission to create an environment template minor version | Write | environment-template* (p. 1201) | |
CreateService | Grants permission to create a service | Write | service* (p. 1202) | | codestar-connections:PassConnect
CreateServiceTemplate | Grants permission to create a service template | Write | service-template* (p. 1202) | |
CreateServiceTemplateMajorVersion | Grants permission to create a service template major version | Write | service-template* (p. 1202) | |
CreateServiceTemplateMinorVersion | Grants permission to create a service template minor version | Write | service-template* (p. 1202) | |
DeleteAccountRoles | Grants permission to delete the account role settings | Write | | |
DeleteEnvironment | Grants permission to delete an environment | Write | environment* (p. 1202) | |
DeleteEnvironmentTemplate | Grants permission to delete an environment template | Write | environment-template* (p. 1201) | |
DeleteEnvironmentTemplateMajorVersion | Grants permission to delete an environment template major version | Write | environment-template* (p. 1201) | |
DeleteEnvironmentTemplateMinorVersion | Grants permission to delete an environment template minor version | Write | environment-template* (p. 1201) | |
DeleteService | Grants permission to delete a service | Write | service* (p. 1202) | |
DeleteServiceTemplate | Grants permission to delete a service template | Write | service-template* (p. 1202) | |
DeleteServiceTemplateMajorVersion | Grants permission to delete a service template major version | Write | service-template* (p. 1202) | |
DeleteServiceTemplateMinorVersion | Grants permission to delete a service template minor version | Write | service-template* (p. 1202) | |
GetAccountRoles | Grants permission to describe the account role settings | Read | | |
GetEnvironment | Grants permission to describe an environment | Read | environment* (p. 1202) | |
GetEnvironmentTemplate | Grants permission to describe an environment template | Read | environment-template* (p. 1201) | |
GetEnvironmentTemplateMajorVersion | Grants permission to describe an environment template major version | Read | environment-template* (p. 1201) | |
GetEnvironmentTemplateMinorVersion | Grants permission to describe an environment template minor version | Read | environment-template* (p. 1201) | |
GetService | Grants permission to describe a service | Read | service* (p. 1202) | |
GetServiceInstance | Grants permission to describe a service instance | Read | service-instance* (p. 1202) | |
GetServiceTemplate | Grants permission to describe a service template | Read | service-template* (p. 1202) | |
GetServiceTemplateMajorVersion | Grants permission to describe a service template major version | Read | service-template* (p. 1202) | |
GetServiceTemplateMinorVersion | Grants permission to describe a service template minor version | Read | service-template* (p. 1202) | |
ListEnvironmentTemplateMajorVersions | Grants permission to list environment template major versions | List | environment-template* (p. 1201) | |
ListEnvironmentTemplateMinorVersions | Grants permission to list environment template minor versions | List | environment-template* (p. 1201) | |
ListEnvironmentTemplates | Grants permission to list environment templates | List | | |
ListEnvironments | Grants permission to list environments | List | | |
ListServiceInstances | Grants permission to list service instances | List | | |
ListServiceTemplateMajorVersions | Grants permission to list service template major versions | List | service-template* (p. 1202) | |
ListServiceTemplateMinorVersions | Grants permission to list service template minor versions | List | service-template* (p. 1202) | |
ListServiceTemplates | Grants permission to list service templates | List | | |
ListServices | Grants permission to list services | List | | |
UpdateAccountRoles | Grants permission to update the account role settings | Write | | | iam:PassRole
UpdateEnvironment | Grants permission to update an environment | Write | environment* (p. 1202) | | iam:PassRole
UpdateEnvironmentTemplate | Grants permission to update an environment template | Write | environment-template* (p. 1201) | |
UpdateEnvironmentTemplateMajorVersion | Grants permission to update an environment template major version | Write | environment-template* (p. 1201) | |
UpdateEnvironmentTemplateMinorVersion | Grants permission to update an environment template minor version | Write | environment-template* (p. 1201) | |
UpdateService | Grants permission to update a service | Write | service* (p. 1202) | |
UpdateServiceInstance | Grants permission to update a service instance | Write | service-instance* (p. 1202) | |
UpdateServicePipeline | Grants permission to update a service pipeline | Write | service* (p. 1202) | |
UpdateServiceTemplate | Grants permission to update a service template | Write | service-template* (p. 1202) | |
UpdateServiceTemplateMajorVersion | Grants permission to update a service template major version | Write | service-template* (p. 1202) | |
UpdateServiceTemplateMinorVersion | Grants permission to update a service template minor version | Write | service-template* (p. 1202) | |

Resource types defined by AWS Proton


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1198) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
environment-template | arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName} |
environment-template-major-version | arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersionId} |
environment-template-minor-version | arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersionId}.${MinorVersionId} |
service-template | arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName} |
service-template-major-version | arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersionId} |
service-template-minor-version | arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersionId}.${MinorVersionId} |
environment | arn:${Partition}:proton:${Region}:${Account}:environment/${EnvironmentName} |
service | arn:${Partition}:proton:${Region}:${Account}:service/${ServiceName} |
service-instance | arn:${Partition}:proton:${Region}:${Account}:service/${ServiceName}/service-instance/${ServiceInstanceName} |

Condition keys for AWS Proton


Proton has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.
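The rules repeated above for each service (an action with no resource type only accepts Resource "*", an action with a required resource type should be scoped to an ARN of that type, and a dependent action such as iam:PassRole must be granted alongside it) can be checked mechanically. The following Python linter is an added example, not part of this reference: it transcribes a subset of the Pinpoint SMS and Voice, Polly, Proton and QLDB tables above, and the account ID, region and role name in the sample policies are placeholders.

```python
import fnmatch
import re

# Subset of the Actions tables above, transcribed for this example (constructed
# data, not the complete reference). Per action: the resource type it accepts
# (None = only "*" is valid), whether the table marks that type required (*),
# and the dependent actions from the last column.
ACTIONS = {
    "sms-voice:CreateConfigurationSetEventDestination": (None, False, ("iam:PassRole",)),
    "sms-voice:SendVoiceMessage": (None, False, ()),
    "polly:DeleteLexicon": ("lexicon", True, ()),
    "polly:SynthesizeSpeech": ("lexicon", False, ()),
    "polly:StartSpeechSynthesisTask": ("lexicon", False, ("s3:PutObject",)),
    "proton:CreateEnvironment": ("environment", True, ("iam:PassRole",)),
    "qldb:CreateLedger": ("ledger", True, ()),
}

# ARN formats from the Resource types tables above, as regexes; ${Partition},
# ${Region} and ${Account} are matched loosely, the name segment must exist.
ARN_PATTERNS = {
    "lexicon": re.compile(r"arn:[^:]+:polly:[^:]*:[^:]*:lexicon/[^/]+"),
    "environment": re.compile(r"arn:[^:]+:proton:[^:]*:[^:]*:environment/[^/]+"),
    "ledger": re.compile(r"arn:[^:]+:qldb:[^:]*:[^:]*:ledger/[^/]+"),
}


def _as_list(value):
    """IAM accepts a string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _granted(policy, action):
    """True if some Allow statement's Action pattern covers `action`."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
            return True
    return False


def check_policy(policy):
    """Return findings as strings; an empty list means nothing to report."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            meta = ACTIONS.get(action)
            if meta is None:
                continue  # wildcard, or an action outside this example's subset
            rtype, required, dependents = meta
            for res in resources:
                if rtype is None and res != "*":
                    findings.append(f"Statement {idx}: {action} does not support "
                                    'resource-level permissions; use Resource "*"')
                elif rtype and res != "*" and not ARN_PATTERNS[rtype].fullmatch(res):
                    findings.append(f"Statement {idx}: {action} expects a {rtype} ARN, got {res}")
            if required and resources == ["*"]:
                findings.append(f"Statement {idx}: {action} takes a {rtype} ARN; "
                                f'"*" grants it on every {rtype} in the account')
            for dep in dependents:
                if not _granted(policy, dep):
                    findings.append(f"Statement {idx}: {action} also needs {dep}, "
                                    "which this policy does not allow")
    return findings


# Constructed sample policies; account ID, region and role name are placeholders.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sms-voice:CreateConfigurationSetEventDestination"],
         "Resource": "arn:aws:sms-voice:us-east-1:111122223333:configuration-set/demo"},
        {"Effect": "Allow", "Action": "polly:DeleteLexicon",
         "Resource": "arn:aws:polly:us-east-1:111122223333:lexicon/acronyms"},
        {"Effect": "Allow", "Action": "proton:CreateEnvironment", "Resource": "*"},
    ],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sms-voice:CreateConfigurationSetEventDestination",
         "Resource": "*"},
        {"Effect": "Allow", "Action": "polly:DeleteLexicon",
         "Resource": "arn:aws:polly:us-east-1:111122223333:lexicon/acronyms"},
        {"Effect": "Allow", "Action": "proton:CreateEnvironment",
         "Resource": "arn:aws:proton:us-east-1:111122223333:environment/prod"},
        # iam:PassRole scoped to one placeholder role rather than "*"
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/PlaceholderProtonRole"},
    ],
}

if __name__ == "__main__":
    print("\n".join(check_policy(BROKEN_POLICY)) or "no findings")
    print("fixed:", check_policy(FIXED_POLICY))
```

Running it reports four findings for BROKEN_POLICY (a non-"*" resource on the sms-voice action, an over-broad "*" on proton:CreateEnvironment, and the missing iam:PassRole for both) and none for FIXED_POLICY.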

Actions, resources, and condition keys for AWS Purchase Orders Console
AWS Purchase Orders Console (service prefix: purchase-orders) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Purchase Orders Console (p. 1202)
• Resource types defined by AWS Purchase Orders Console (p. 1203)
• Condition keys for AWS Purchase Orders Console (p. 1203)

Actions defined by AWS Purchase Orders Console


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
ModifyPurchaseOrders [permission only] | Modify purchase orders and details | Write | | |
ViewPurchaseOrders [permission only] | View purchase orders and details | Read | | |

Resource types defined by AWS Purchase Orders Console


AWS Purchase Orders Console does not support specifying a resource ARN in the Resource element of
an IAM policy statement. To allow access to AWS Purchase Orders Console, specify "Resource": "*" in
your policy.

Condition keys for AWS Purchase Orders Console


Purchase Orders has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Amazon QLDB
Amazon QLDB (service prefix: qldb) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon QLDB (p. 1204)
• Resource types defined by Amazon QLDB (p. 1206)
• Condition keys for Amazon QLDB (p. 1206)

Actions defined by Amazon QLDB


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CancelJournalKinesisStream | Grants permission to cancel a journal kinesis stream | Write | stream* | |
CreateLedger | Grants permission to create a ledger | Write | ledger* | aws:RequestTag/${TagKey}, aws:TagKeys |
DeleteLedger | Grants permission to delete a ledger | Write | ledger* | |
DescribeJournalKinesisStream | Grants permission to describe information about a journal kinesis stream | Read | stream* | |
DescribeJournalS3Export | Grants permission to describe information about a journal export job | Read | ledger* | |
DescribeLedger | Grants permission to describe a ledger | Read | ledger* | |
ExecuteStatement | Grants permission to send commands to a ledger via the console | Write | ledger* | |
ExportJournalToS3 | Grants permission to export journal contents to an Amazon S3 bucket | Write | ledger* | |
GetBlock | Grants permission to retrieve a block from a ledger for a given BlockAddress | Read | ledger* | |
GetDigest | Grants permission to retrieve a digest from a ledger for a given BlockAddress | Read | ledger* | |
GetRevision | Grants permission to retrieve a revision for a given document ID and a given BlockAddress | Read | ledger* | |
InsertSampleData | Grants permission to insert sample application data via the console | Write | ledger* | |
ListJournalKinesisStreamsForLedger | Grants permission to list journal kinesis streams for a specified ledger | List | stream* | |
ListJournalS3Exports | Grants permission to list journal export jobs for all ledgers | List | | |
ListJournalS3ExportsForLedger | Grants permission to list journal export jobs for a specified ledger | List | ledger* | |
ListLedgers | Grants permission to list existing ledgers | List | | |
ListTagsForResource | Grants permission to list tags for a resource | Read | ledger | |
SendCommand | Grants permission to send commands to a ledger | Write | ledger* | |
ShowCatalog | Grants permission to view a ledger's catalog via the console | Write | ledger* | |
StreamJournalToKinesis | Grants permission to stream journal contents to a Kinesis Data Stream | Write | stream* | |
TagResource | Grants permission to add one or more tags to a resource | Tagging | ledger | aws:RequestTag/${TagKey}, aws:TagKeys |
UntagResource | Grants permission to remove one or more tags from a resource | Tagging | ledger | aws:TagKeys |
UpdateLedger | Grants permission to update properties on a ledger | Write | ledger* | |

Resource types defined by Amazon QLDB


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1204) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
ledger | arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName} | aws:ResourceTag/${TagKey}
stream | arn:${Partition}:qldb:${Region}:${Account}:stream/${LedgerName}/${StreamId} | aws:ResourceTag/${TagKey}

Condition keys for Amazon QLDB


Amazon QLDB defines the following condition keys that can be used in the Condition element of an
IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
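The rules in "Actions defined by Amazon QLDB" (an empty Resource types column means "Resource": "*"; a required type means an ARN of that type) are easy to violate with a wildcard such as qldb:List*, and IAM gives no warning when a statement can never match a request. The following is an added example, not code from the AWS reference: it expands the ARN templates from the resource types table and lints policy statements against a transcribed subset of the actions table. The account, region, ledger name and the three sample statements are constructed for the demonstration.

```python
"""Static check of QLDB policy statements against the tables above.

Added example for this page, not code from the AWS reference. The ARN templates and
the action subset are transcribed from the QLDB tables; the account, region, ledger
name and the three policy statements are constructed for the demonstration.
"""
import fnmatch

# Resource types defined by Amazon QLDB (ARN column of the resource types table).
QLDB_ARN_TEMPLATES = {
    "ledger": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}",
    "stream": "arn:${Partition}:qldb:${Region}:${Account}:stream/${LedgerName}/${StreamId}",
}

# Subset of the actions table: action -> (resource type, required?). None means the
# Resource types column is empty, so a statement must use "Resource": "*".
QLDB_ACTIONS = {
    "qldb:CreateLedger": ("ledger", True),
    "qldb:DeleteLedger": ("ledger", True),
    "qldb:DescribeLedger": ("ledger", True),
    "qldb:SendCommand": ("ledger", True),
    "qldb:ListTagsForResource": ("ledger", False),
    "qldb:StreamJournalToKinesis": ("stream", True),
    "qldb:ListLedgers": None,
    "qldb:ListJournalS3Exports": None,
}


def expand_arn(resource_type, **fields):
    """Fill the ${...} placeholders of a resource type's ARN template."""
    arn = QLDB_ARN_TEMPLATES[resource_type]
    for name, value in fields.items():
        arn = arn.replace("${%s}" % name, value)
    if "${" in arn:
        raise ValueError("unfilled placeholder in " + arn)
    return arn


def arn_resource_type(arn):
    """Return the QLDB resource type a policy ARN names ("ledger" or "stream"),
    "*" if it covers every type, or None if it is not a QLDB ARN at all."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn" or parts[2] not in ("qldb", "*"):
        return None
    if parts[5] == "*":
        return "*"
    for rtype in QLDB_ARN_TEMPLATES:
        if parts[5].startswith(rtype + "/"):
            return rtype
    return None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_statement(statement):
    """Apply the rules from 'Actions defined by Amazon QLDB' to one statement:
    actions with an empty Resource types column need "*", actions with a required
    type need an ARN of that type, and ARNs of other types are dead weight."""
    findings = []
    resources = _as_list(statement["Resource"])
    types = {arn_resource_type(r) for r in resources}
    for pattern in _as_list(statement["Action"]):
        for action, spec in QLDB_ACTIONS.items():
            if not fnmatch.fnmatchcase(action, pattern):
                continue  # IAM action wildcards (* and ?) follow glob rules
            if spec is None:
                if resources != ["*"]:
                    findings.append(f'{action}: no resource-level support, needs "Resource": "*"')
                continue
            rtype, required = spec
            extra = [t or "non-QLDB" for t in types - {rtype, "*"}]
            if required and rtype not in types and "*" not in types:
                findings.append(f"{action}: requires a {rtype} ARN, statement names none")
            elif extra:
                findings.append(f"{action}: only {rtype} ARNs apply, statement also names {extra}")
    return findings


# Constructed values for the demonstration.
LEDGER_ARN = expand_arn("ledger", Partition="aws", Region="us-east-1",
                        Account="111122223333", LedgerName="payments")

# Least privilege: read and write one ledger, addressed by its ARN.
SCOPED = {"Effect": "Allow", "Action": ["qldb:SendCommand", "qldb:DescribeLedger"],
          "Resource": LEDGER_ARN}

# Looks scoped, but ListLedgers and ListJournalS3Exports have no resource-level
# support: requests for them are evaluated against "*", so this never matches them.
INEFFECTIVE = {"Effect": "Allow", "Action": "qldb:List*", "Resource": LEDGER_ARN}

# Wrong resource type: streaming is authorized on the stream ARN, not the ledger ARN.
WRONG_TYPE = {"Effect": "Allow", "Action": "qldb:StreamJournalToKinesis",
              "Resource": LEDGER_ARN}

if __name__ == "__main__":
    for name, stmt in [("SCOPED", SCOPED), ("INEFFECTIVE", INEFFECTIVE), ("WRONG_TYPE", WRONG_TYPE)]:
        print(name, lint_statement(stmt) or "ok")
```

The practical fix for the INEFFECTIVE statement is a second statement that grants qldb:ListLedgers and qldb:ListJournalS3Exports on "*" and keeps every ledger-scoped action on the ledger ARN; the two cannot share one statement without widening the resource to "*" for all of them.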

Actions, resources, and condition keys for Amazon QuickSight

Amazon QuickSight (service prefix: quicksight) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:
• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon QuickSight (p. 1207)
• Resource types defined by Amazon QuickSight (p. 1218)
• Condition keys for Amazon QuickSight (p. 1219)

Actions defined by Amazon QuickSight


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CancelIngestion | Grants permission to cancel a SPICE ingestion on a dataset | Write | ingestion* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateAccountCustomization | Grants permission to create an account customization for a QuickSight account or namespace | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateAdmin [permission only] | CreateAdmin enables the user to provision Amazon QuickSight administrators, authors, and readers. | Write | user* | |
CreateAnalysis | Creates an analysis from a template | Write | analysis* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateCustomPermissions [permission only] | Grants permission to create a custom permissions resource for restricting user access | Write | | |
CreateDashboard | Creates a dashboard from a template | Write | dashboard* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateDataSet | Grants permission to create a dataset | Write | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateDataSource | Grants permission to create a data source | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateGroup | Create a QuickSight group. | Write | group* | |
CreateGroupMembership | Add a QuickSight user to a QuickSight group. | Write | group* | quicksight:UserName |
CreateIAMPolicyAssignment | Creates an assignment with one specified IAM policy ARN that will be assigned to specified groups or users of QuickSight. | Write | assignment* | |
CreateIngestion | Grants permission to start a SPICE ingestion on a dataset | Write | ingestion* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateNamespace | Grants permission to create a QuickSight namespace | Write | namespace* | |
CreateReader [permission only] | CreateReader enables the user to provision Amazon QuickSight readers. | Write | user* | |
CreateTemplate | Creates a template from an existing QuickSight analysis or template | Write | template* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateTemplateAlias | Creates a template alias for a template | Write | template* | |
CreateTheme | Creates a QuickSight theme | Write | theme* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateThemeAlias | Creates a theme alias for a theme | Write | theme* | |
CreateUser [permission only] | CreateUser enables the user to provision Amazon QuickSight authors and readers. | Write | user* | |
DeleteAccountCustomization | Grants permission to delete an account customization for a QuickSight account or namespace | Write | customization* | |
DeleteAnalysis | Deletes an analysis | Write | analysis* | |
DeleteDashboard | Deletes a dashboard | Write | dashboard* | |
DeleteDataSet | Grants permission to delete a dataset | Write | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys |
DeleteDataSource | Grants permission to delete a data source | Write | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys |
DeleteGroup | Remove a user group from QuickSight. | Write | group* | |
DeleteGroupMembership | Remove a user from a group so that they are no longer a member of the group. | Write | group* | quicksight:UserName |
DeleteIAMPolicyAssignment | Delete an existing assignment. | Write | assignment* | |
DeleteNamespace | Grants permission to delete a QuickSight namespace | Write | namespace* | |
DeleteTemplate | Deletes a template | Write | template* | |
DeleteTemplateAlias | Deletes the item that the specified template alias points to | Write | template* | |
DeleteTheme | Deletes a theme | Write | theme* | |
DeleteThemeAlias | Deletes the item that the specified theme alias points to | Write | theme* | |
DeleteUser | Delete the QuickSight user that is associated with the identity of the IAM user/role making the call. The IAM user is not deleted as a result of this call. | Write | user* | |
DeleteUserByPrincipalId | Deletes a user identified by its principal ID. | Write | user* | |
DescribeAccountCustomization | Grants permission to describe an account customization for a QuickSight account or namespace | Read | customization* | |
DescribeAccountSettings | Grants permission to describe the administrative account settings for a QuickSight account | Read | | |
DescribeAnalysis | Provides a summary for an analysis | Read | analysis* | |
DescribeAnalysisPermissions | Describes read and write permissions for an analysis | Read | analysis* | |
DescribeCustomPermissions [permission only] | Grants permission to describe a custom permissions resource in a QuickSight account | Write | | |
DescribeDashboard | Provides a summary for a dashboard | Read | dashboard* | |
DescribeDashboardPermissions | Describes read and write permissions for a dashboard | Read | dashboard* | |
DescribeDataSet | Grants permission to describe a dataset | Read | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys |
DescribeDataSetPermissions | Grants permission to describe the resource policy of a dataset | Permissions management | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys |
DescribeDataSource | Grants permission to describe a data source | Read | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys |
DescribeDataSourcePermissions | Grants permission to describe the resource policy of a data source | Permissions management | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys |
DescribeGroup | Return a QuickSight group's description and ARN. | Read | group* | |
DescribeIAMPolicyAssignment | Describe an existing assignment. | Read | assignment* | |
DescribeIngestion | Grants permission to describe a SPICE ingestion on a dataset | Read | ingestion* | aws:RequestTag/${TagKey}, aws:TagKeys |
DescribeNamespace | Grants permission to describe a QuickSight namespace | Read | namespace* | |
DescribeTemplate | Describes a template's metadata | Read | template* | |
DescribeTemplateAlias | Describes the template alias for a template | Read | template* | |
DescribeTemplatePermissions | Describes read and write permissions on a template | Read | template* | |
DescribeTheme | Describes a theme's metadata | Read | theme* | |
DescribeThemeAlias | Describes the theme alias for a theme | Read | theme* | |
DescribeThemePermissions | Describes read and write permissions on a theme | Read | theme* | |
DescribeUser | Return information about a user, given the user name. | Read | user* | |
GetAuthCode [permission only] | Return an auth code representing a QuickSight user. | Read | user* | |
GetDashboardEmbedUrl | Return a QuickSight dashboard embedding URL. | Read | dashboard* | |
GetGroupMapping [permission only] | GetGroupMapping is used only in Amazon QuickSight Enterprise edition accounts. It enables the user to use Amazon QuickSight to identify and display the Microsoft Active Directory directory groups that are mapped to roles in Amazon QuickSight. | Read | | |
GetSessionEmbedUrl | Grants permission to get a URL to embed the QuickSight console experience. | Read | | |
ListAnalyses | Lists analyses in an AWS account | List | analysis* | |
ListCustomPermissions [permission only] | Grants permission to list custom permissions resources in a QuickSight account | Write | | |
ListDashboardVersions | Lists all the versions of the dashboards in the QuickSight subscription | List | dashboard* | |
ListDashboards | Lists dashboards in an AWS account | List | dashboard* | |
ListDataSets | Grants permission to list all datasets | List | | aws:RequestTag/${TagKey}, aws:TagKeys |
ListDataSources | Grants permission to list all data sources | List | | aws:RequestTag/${TagKey}, aws:TagKeys |
ListGroupMemberships | Return a list of member users in a group. | List | group* | |
ListGroups | Get a list of all user groups in QuickSight. | List | group* | |
ListIAMPolicyAssignments | List all assignments in the current Amazon QuickSight account. | List | assignment* | |
ListIAMPolicyAssignmentsForUser | List all assignments assigned to a user and the groups it belongs to. | List | assignment* | |
ListIngestions | Grants permission to list all SPICE ingestions on a dataset | Read | | aws:RequestTag/${TagKey}, aws:TagKeys |
ListNamespaces | Grants permission to list all namespaces in a QuickSight account | Write | | |
ListTagsForResource | List tags of a QuickSight resource. | List | customization, dashboard, template, theme | |
ListTemplateAliases | Lists all the aliases of a template | List | template* | |
ListTemplateVersions | Lists all the versions of the templates in the current Amazon QuickSight account | List | template* | |
ListTemplates | Lists all the templates in the current Amazon QuickSight account | List | template* | |
ListThemeAliases | Lists all the aliases of a theme | List | theme* | |
ListThemeVersions | Lists all the versions of a theme | List | theme* | |
ListThemes | Lists all the themes in the current Amazon QuickSight account | List | theme* | |
ListUserGroups | Return a list of groups that a given user is a member of. | List | user* | |
ListUsers | Return a list of all of the QuickSight users belonging to this account. | List | user* | |
PassDataSet [permission only] | Grants permission to use a dataset for a template | Read | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys |
PassDataSource [permission only] | Grants permission to use a data source for a dataset | Read | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys |
RegisterUser | Create a QuickSight user whose identity is associated with the IAM identity/role specified in the request. | Write | user* | quicksight:IamArn, quicksight:SessionName |
RestoreAnalysis | Restores a deleted analysis | Write | analysis* | |
SearchAnalyses | Searches for analyses that belong to the user specified in the filter | List | analysis* | |
SearchDashboards | Searches for dashboards that belong to a user | List | dashboard* | |
SearchDirectoryGroups [permission only] | SearchDirectoryGroups is used only in Amazon QuickSight Enterprise edition accounts. It enables the user to use Amazon QuickSight to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight. | Write | | |
SetGroupMapping [permission only] | SetGroupMapping is used only in Amazon QuickSight Enterprise edition accounts. It enables the user to use Amazon QuickSight to map your Microsoft Active Directory directory groups to roles in Amazon QuickSight. | Write | | |
Subscribe [permission only] | Subscribe enables the user to subscribe to Amazon QuickSight. Enabling this action also allows the user to upgrade the subscription to Enterprise edition. | Write | | |
TagResource | Add tags to a QuickSight resource. | Tagging | customization, dashboard, template, theme | aws:TagKeys, aws:RequestTag/${TagKey} |
Unsubscribe [permission only] | Unsubscribe enables the user to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight. | Write | | |
UntagResource | Remove tags from a QuickSight resource. | Tagging | customization, dashboard, template, theme | aws:TagKeys |
UpdateAccountCustomization | Grants permission to update an account customization for a QuickSight account or namespace | Write | customization* | |
UpdateAccountSettings | Grants permission to update the administrative account settings for a QuickSight account | Write | | |
UpdateAnalysis | Updates an analysis in an AWS account | Write | analysis* | |
UpdateAnalysisPermissions | Updates read and write permissions on an analysis | Write | analysis* | |
UpdateCustomPermissions [permission only] | Grants permission to update a custom permissions resource | Write | | |
UpdateDashboard | Updates a dashboard in an AWS account | Write | dashboard* | |
UpdateDashboardPermissions | Updates read and write permissions on a dashboard | Write | dashboard* | |
UpdateDashboardPublishedVersion | Updates the published version of a dashboard | Write | dashboard* | |
UpdateDataSet | Grants permission to update a dataset | Write | dataset*, datasource | aws:RequestTag/${TagKey}, aws:TagKeys |
UpdateDataSetPermissions | Grants permission to update the resource policy of a dataset | Permissions management | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys |
UpdateDataSource | Grants permission to update a data source | Write | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys |
UpdateDataSourcePermissions | Grants permission to update the resource policy of a data source | Permissions management | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys |
UpdateGroup | Change group description. | Write | group* | |
UpdateIAMPolicyAssignment | Update an existing assignment. | Write | assignment* | |
UpdateTemplate | Updates a template from an existing Amazon QuickSight analysis or another template | Write | template* | |
UpdateTemplateAlias | Updates the template alias of a template | Write | template* | |
UpdateTemplatePermissions | Updates the resource permissions for a template | Write | template* | |
UpdateTheme | Updates a theme | Write | theme* | |
UpdateThemeAlias | Updates the theme alias of a theme | Write | theme* | |
UpdateThemePermissions | Updates the resource permissions for a theme | Write | theme* | |
UpdateUser | Updates an Amazon QuickSight user. | Write | user* | |

Resource types defined by Amazon QuickSight


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1207) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
user | arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId} |
group | arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId} |
analysis | arn:${Partition}:quicksight:${Region}:${Account}:analysis/${ResourceId} | aws:ResourceTag/${TagKey}
dashboard | arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId} | aws:ResourceTag/${TagKey}
template | arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId} | aws:ResourceTag/${TagKey}
datasource | arn:${Partition}:quicksight:${Region}:${Account}:datasource/${ResourceId} | aws:ResourceTag/${TagKey}
dataset | arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId} | aws:ResourceTag/${TagKey}
ingestion | arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/ingestion/${ResourceId} | aws:ResourceTag/${TagKey}
theme | arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId} | aws:ResourceTag/${TagKey}
assignment | arn:${Partition}:quicksight::${Account}:assignment/${ResourceId} |
customization | arn:${Partition}:quicksight::${Account}:customization/${ResourceId} | aws:ResourceTag/${TagKey}
namespace | arn:${Partition}:quicksight::${Account}:namespace/${ResourceId} |

Condition keys for Amazon QuickSight


Amazon QuickSight defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
quicksight:IamArn | IAM user ARN or role ARN. | String
quicksight:SessionName | The session name. | String
quicksight:UserName | The user name. | String
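The QuickSight-specific keys above are only present in the request context of the actions that list them in the actions table (quicksight:IamArn and quicksight:SessionName for RegisterUser, quicksight:UserName for the group-membership actions), and a single-valued operator on a key that is absent from the request evaluates to false; the multivalued aws:TagKeys needs a ForAllValues or ForAnyValue set operator. The following is an added example, not code from the AWS reference: a small evaluator for the Condition element that shows both behaviours against constructed request contexts. It implements only StringEquals, StringLike and the ForAllValues/ForAnyValue set operators and ignores Deny. The account, role, user and group names are constructed; that a role session's QuickSight user name has the form RoleName/SessionName and that the ${ResourceId} of users and groups begins with the namespace are assumptions of this example, not statements from the page.

```python
"""Evaluate the Condition element of QuickSight statements against a request context.

Added example for this page, not code from the AWS reference. It implements only the
operators the sample policy uses (StringEquals, StringLike, ForAllValues/ForAnyValue)
and ignores Deny statements. Account, role, user and group names and the request
contexts are constructed; the "RoleName/SessionName" user-name form and the
"namespace/name" layout of ${ResourceId} are assumptions, not taken from the page.
"""
import fnmatch

ACCOUNT = "111122223333"
REGION = "us-east-1"
ONBOARDING_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AnalystOnboarding"

POLICY = {"Version": "2012-10-17", "Statement": [
    {   # RegisterUser lists quicksight:IamArn and quicksight:SessionName in the table.
        "Effect": "Allow", "Action": "quicksight:RegisterUser",
        "Resource": f"arn:aws:quicksight:{REGION}:{ACCOUNT}:user/*",
        "Condition": {"StringEquals": {"quicksight:IamArn": ONBOARDING_ROLE},
                      "StringLike": {"quicksight:UserName": "AnalystOnboarding/*"}},
    },
    {   # CreateGroupMembership lists only quicksight:UserName: keep to that key.
        "Effect": "Allow", "Action": "quicksight:CreateGroupMembership",
        "Resource": f"arn:aws:quicksight:{REGION}:{ACCOUNT}:group/default/Analysts",
        "Condition": {"StringLike": {"quicksight:UserName": "AnalystOnboarding/*"}},
    },
    {   # aws:TagKeys is multivalued, so it needs a ForAllValues set operator.
        "Effect": "Allow", "Action": "quicksight:TagResource",
        "Resource": f"arn:aws:quicksight:{REGION}:{ACCOUNT}:dashboard/*",
        "Condition": {"StringEquals": {"aws:RequestTag/team": "fraud"},
                      "ForAllValues:StringEquals": {"aws:TagKeys": ["team", "cost-center"]}},
    },
]}

# Pitfall: quicksight:IamArn is not in the request context of CreateGroupMembership,
# and a single-valued operator on a missing key is false, so this never matches.
PITFALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:CreateGroupMembership", "Resource": "*",
     "Condition": {"StringEquals": {"quicksight:IamArn": ONBOARDING_ROLE}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(op, actual, expected):
    if op == "StringEquals":
        return actual == expected
    if op == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError("operator not implemented: " + op)


def condition_holds(condition, ctx):
    """Every operator block and every key in it must hold; per key, any listed value."""
    for op_name, pairs in condition.items():
        set_op, _, op = op_name.rpartition(":")  # "ForAllValues:StringEquals" or "StringEquals"
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            actual = None if actual is None else _as_list(actual)
            if set_op == "ForAllValues":
                # Vacuously true when the key is absent from the request.
                ok = not actual or all(any(_match(op, a, e) for e in expected) for a in actual)
            elif set_op == "ForAnyValue":
                ok = bool(actual) and any(_match(op, a, e) for a in actual for e in expected)
            else:
                # Single-valued key: a missing key fails the condition.
                ok = bool(actual) and any(_match(op, actual[0], e) for e in expected)
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement matches the action, the resource and the context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed request: the onboarding role registers its own session as a user.
USER_ARN = f"arn:aws:quicksight:{REGION}:{ACCOUNT}:user/default/AnalystOnboarding/alice"
GROUP_ARN = f"arn:aws:quicksight:{REGION}:{ACCOUNT}:group/default/Analysts"
REGISTER_CTX = {"quicksight:IamArn": ONBOARDING_ROLE, "quicksight:SessionName": "alice",
                "quicksight:UserName": "AnalystOnboarding/alice"}

if __name__ == "__main__":
    print(is_allowed(POLICY, "quicksight:RegisterUser", USER_ARN, REGISTER_CTX))  # True
    print(is_allowed(PITFALL, "quicksight:CreateGroupMembership", GROUP_ARN,
                     {"quicksight:UserName": "AnalystOnboarding/alice"}))          # False
```

When you carry a condition key across actions, check the actions table first: a key the action does not list is simply absent from its request context, and the statement becomes dead rather than permissive.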

Actions, resources, and condition keys for Amazon RDS

Amazon RDS (service prefix: rds) provides the following service-specific resources, actions, and condition
context keys for use in IAM permission policies.

References:
• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon RDS (p. 1220)
• Resource types defined by Amazon RDS (p. 1239)
• Condition keys for Amazon RDS (p. 1241)

Actions defined by Amazon RDS


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.
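The RDS table that follows is the first on this page with a populated Dependent actions column: AddRoleToDBCluster, AddRoleToDBInstance, CreateDBCluster, CreateDBInstance and CreateDBInstanceReadReplica all list iam:PassRole, meaning the caller must be allowed iam:PassRole for the role the request names or the RDS call fails. The following is an added example, not code from the AWS reference: it checks a policy for a missing dependent action and for the opposite mistake, an iam:PassRole grant that is wider than the RDS use case needs. The dependent-action map is transcribed from the RDS rows below; iam:PassedToService is an IAM condition key for PassRole that this page's tables do not list; the account, role and the three policies are constructed, and "Resource": "*" is used for the RDS actions only because the RDS resource ARN formats are in the resource types table outside this excerpt.

```python
"""Check an RDS policy for the dependent action listed in the RDS actions table and
for an over-broad iam:PassRole grant.

Added example for this page, not code from the AWS reference. The dependent-action map
is transcribed from the RDS rows that follow; iam:PassedToService is an IAM condition
key for PassRole that this page's tables do not list; the account, role and the three
policies are constructed. "Resource": "*" is used for the RDS actions because the RDS
resource ARN formats are in the resource types table outside this excerpt.
"""
import fnmatch

# Actions whose "Dependent actions" column lists iam:PassRole.
DEPENDENT_ACTIONS = {
    "rds:AddRoleToDBCluster": ["iam:PassRole"],
    "rds:AddRoleToDBInstance": ["iam:PassRole"],
    "rds:CreateDBCluster": ["iam:PassRole"],
    "rds:CreateDBInstance": ["iam:PassRole"],
    "rds:CreateDBInstanceReadReplica": ["iam:PassRole"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in policy["Statement"] if s["Effect"] == "Allow"]


def grants(policy, action):
    """True if an Allow statement's Action patterns cover `action` (conditions ignored)."""
    return any(fnmatch.fnmatchcase(action, pattern)
               for stmt in _allow_statements(policy) for pattern in _as_list(stmt["Action"]))


def check_policy(policy):
    findings = []
    # 1. An RDS action that depends on iam:PassRole fails at call time unless the same
    #    principal is also allowed iam:PassRole, so report the missing half of the pair.
    for action, deps in DEPENDENT_ACTIONS.items():
        if grants(policy, action):
            for dep in deps:
                if not grants(policy, dep):
                    findings.append(f"{action} is allowed but its dependent action {dep} is not")
    # 2. iam:PassRole is the privilege-escalation half: without a role ARN and an
    #    iam:PassedToService condition it lets the principal hand any role to any service.
    for stmt in _allow_statements(policy):
        if not any(fnmatch.fnmatchcase("iam:PassRole", p) for p in _as_list(stmt["Action"])):
            continue
        if "*" in _as_list(stmt["Resource"]):
            findings.append('iam:PassRole on "Resource": "*"; name the role ARN(s) instead')
        condition = stmt.get("Condition", {})
        if not any("iam:PassedToService" in keys for keys in condition.values()):
            findings.append("iam:PassRole without an iam:PassedToService condition")
    return findings


ACCOUNT = "111122223333"
MONITORING_ROLE = f"arn:aws:iam::{ACCOUNT}:role/rds-monitoring-role"

# Allows the RDS action but not the iam:PassRole it depends on.
MISSING_DEPENDENCY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:CreateDBCluster", "rds:BacktrackDBCluster"],
     "Resource": "*"}]}

# CreateDBCluster now works, but the principal can pass any role to any service.
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:CreateDBCluster", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}

# Dependency satisfied, and PassRole limited to one role that only RDS may receive.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:CreateDBCluster", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": MONITORING_ROLE,
     "Condition": {"StringEquals": {"iam:PassedToService": "rds.amazonaws.com"}}}]}

if __name__ == "__main__":
    for name, policy in [("MISSING_DEPENDENCY", MISSING_DEPENDENCY),
                         ("OVERBROAD", OVERBROAD), ("SCOPED", SCOPED)]:
        print(name, check_policy(policy) or "ok")
```

The check ignores conditions on the RDS statements themselves; a real review would also look at the rds:StorageEncrypted and rds:DatabaseEngine keys that CreateDBCluster lists, which are the hooks for requiring encrypted storage or a particular engine at creation time.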

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddRoleToDBCluster | Grants permission to associate an Identity and Access Management (IAM) role with an Aurora DB cluster | Write | cluster* | | iam:PassRole
AddRoleToDBInstance | Grants permission to associate an AWS Identity and Access Management (IAM) role with a DB instance | Write | db* | | iam:PassRole
AddSourceIdentifierToSubscription | Grants permission to add a source identifier to an existing RDS event notification subscription | Write | es* | |
AddTagsToResource | Grants permission to add metadata tags to an Amazon RDS resource | Tagging | db, es, og, pg, proxy, ri, secgrp, snapshot, subgrp, target-group | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} |
ApplyPendingMaintenanceAction | Grants permission to apply a pending maintenance action to a resource | Write | cluster, db | |
AuthorizeDBSecurityGroupIngress | Grants permission to enable ingress to a DBSecurityGroup using one of two forms of authorization | Permissions management | secgrp* | |
BacktrackDBCluster | Grants permission to backtrack a DB cluster to a specific time, without creating a new DB cluster | Write | cluster* | |
CancelExportTask | Grants permission to cancel an export task in progress | Write | | |
CopyDBClusterParameterGroup | Grants permission to copy the specified DB cluster parameter group | Write | cluster-pg* | aws:RequestTag/${TagKey}, aws:TagKeys |
CopyDBClusterSnapshot | Grants permission to create a snapshot of a DB cluster | Write | cluster-snapshot* | aws:RequestTag/${TagKey}, aws:TagKeys |
CopyDBParameterGroup | Grants permission to copy the specified DB parameter group | Write | pg* | aws:RequestTag/${TagKey}, aws:TagKeys |
CopyDBSnapshot | Grants permission to copy the specified DB snapshot | Write | snapshot* | aws:RequestTag/${TagKey}, aws:TagKeys |
CopyOptionGroup | Grants permission to copy the specified option group | Write | og* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateDBCluster | Grants permission to create a new Amazon Aurora DB cluster | Write | cluster*, cluster-pg*, og*, subgrp* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey}, rds:DatabaseEngine, rds:DatabaseName, rds:StorageEncrypted | iam:PassRole
CreateDBClusterEndpoint | Grants permission to create a new custom endpoint and associate it with an Amazon Aurora DB cluster | Write | cluster*, cluster-endpoint* | rds:EndpointType, aws:RequestTag/${TagKey}, aws:TagKeys |
CreateDBClusterParameterGroup | Grants permission to create a new DB cluster parameter group | Write | cluster-pg* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} |
CreateDBClusterSnapshot | Grants permission to create a snapshot of a DB cluster | Write | cluster*, cluster-snapshot* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} |
CreateDBInstance | Grants permission to create a new DB instance | Write | db*, og*, pg*, secgrp*, subgrp* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | iam:PassRole
CreateDBInstanceReadReplica | Grants permission to create a DB instance that acts as a Read Replica of a source DB instance | Write | db*, og* | | iam:PassRole

subgrp*    
(p. 1241)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to create a Write pg*    


CreateDBParameterGroup
new DB parameter group (p. 1240)

1225
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to create a Write   aws:RequestTag/


iam:PassRole
CreateDBProxy database proxy ${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

Grants permission to create Write secgrp*    


CreateDBSecurityGroup
a new DB security group. DB (p. 1240)
security groups control access to
a DB instance   aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to create a Write db*    


CreateDBSnapshot
DBSnapshot (p. 1239)

snapshot*    
(p. 1240)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to create a Write subgrp*    


CreateDBSubnetGroup
new DB subnet group (p. 1241)

1226
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to create Write es*    


CreateEventSubscription
an RDS event notification (p. 1240)
subscription
  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to create an Write cluster*    


CreateGlobalCluster
Aurora global database spread (p. 1239)
across multiple regions
global-    
cluster*
(p. 1240)

Grants permission to create a Write og*    


CreateOptionGroup
new option group (p. 1240)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to access a Write      


CrossRegionCommunication
resource in the remote Region
[permission when executing cross-Region
only] operations, such as cross-Region
snapshot copy or cross-Region
read replica creation

1227
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to delete Write cluster*    


DeleteDBCluster a previously provisioned DB (p. 1239)
cluster
cluster-    
snapshot*
(p. 1239)

Grants permission to delete a Write cluster-    


DeleteDBClusterEndpoint
custom endpoint and removes endpoint*
it from an Amazon Aurora DB (p. 1239)
cluster

Grants permission to delete a Write cluster-    


DeleteDBClusterParameterGroup
specified DB cluster parameter pg*
group (p. 1239)

Grants permission to delete a DB Write cluster-    


DeleteDBClusterSnapshot
cluster snapshot snapshot*
(p. 1239)

Grants permission to delete Write db*    


DeleteDBInstancea previously provisioned DB (p. 1239)
instance

Grants permission to deletes Write      


DeleteDBInstanceAutomatedBackup
automated backups based
on the source instance's
DbiResourceId value or the
restorable instance's resource ID

Grants permission to delete a Write pg*    


DeleteDBParameterGroup
specified DBParameterGroup (p. 1240)

Grants permission to delete a Write proxy*    


DeleteDBProxy database proxy (p. 1240)

Grants permission to delete a DB Write secgrp*    


DeleteDBSecurityGroup
security group (p. 1240)

Grants permission to delete a Write snapshot*    


DeleteDBSnapshot
DBSnapshot (p. 1240)

Grants permission to delete a DB Write subgrp*    


DeleteDBSubnetGroup
subnet group (p. 1241)

Grants permission to delete Write es*    


DeleteEventSubscription
an RDS event notification (p. 1240)
subscription

Grants permission to delete a Write global-    


DeleteGlobalCluster
global database cluster cluster*
(p. 1240)

Grants permission to delete an Write og*    


DeleteOptionGroup
existing option group (p. 1240)

1228
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to remove Write cluster*    


DeregisterDBProxyTargets
targets from a database proxy (p. 1239)
target group
db*    
(p. 1239)

proxy*    
(p. 1240)

target-    
group*
(p. 1241)

Grants permission to list all of List      


DescribeAccountAttributes
the attributes for a customer
account

Lists the set of CA certificates List      


DescribeCertificates
provided by Amazon RDS for this
AWS account

Grants permission to return List cluster*    


DescribeDBClusterBacktracks
information about backtracks (p. 1239)
for a DB cluster

Grants permission to return List cluster-    


DescribeDBClusterEndpoints
information about endpoints for endpoint*
an Amazon Aurora DB cluster (p. 1239)

cluster    
(p. 1239)

Grants permission to return a List cluster-    


DescribeDBClusterParameterGroups
list of DBClusterParameterGroup pg*
descriptions (p. 1239)

Grants permission to return the List cluster-    


DescribeDBClusterParameters
detailed parameter list for a pg*
particular DB cluster parameter (p. 1239)
group

Grants permission to return a list List cluster-    


DescribeDBClusterSnapshotAttributes
of DB cluster snapshot attribute snapshot*
names and values for a manual (p. 1239)
DB cluster snapshot

Grants permission to return List cluster-    


DescribeDBClusterSnapshots
information about DB cluster snapshot*
snapshots (p. 1239)

Grants permission to return List cluster*    


DescribeDBClusters
information about provisioned (p. 1239)
Aurora DB clusters

Grants permission to return a list List      


DescribeDBEngineVersions
of the available DB engines

1229
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to return a list List db    


DescribeDBInstanceAutomatedBackups
of automated backups for both (p. 1239)
current and deleted instances

Grants permission to return List db*    


DescribeDBInstances
information about provisioned (p. 1239)
RDS instances

Grants permission to return a List db*    


DescribeDBLogFiles
list of DB log files for the DB (p. 1239)
instance

Grants permission to return List pg*    


DescribeDBParameterGroups
a list of DBParameterGroup (p. 1240)
descriptions

Grants permission to return the List pg*    


DescribeDBParameters
detailed parameter list for a (p. 1240)
particular DB parameter group

Grants permission to view List proxy*    


DescribeDBProxiesproxies (p. 1240)

Grants permission to view List proxy*    


DescribeDBProxyTargetGroups
database proxy target group (p. 1240)
details

Grants permission to view List cluster*    


DescribeDBProxyTargets
database proxy target details (p. 1239)

db*    
(p. 1239)

proxy*    
(p. 1240)

target-    
group*
(p. 1241)

Grants permission to return a list List secgrp*    


DescribeDBSecurityGroups
of DBSecurityGroup descriptions (p. 1240)

Grants permission to return a List snapshot*    


DescribeDBSnapshotAttributes
list of DB snapshot attribute (p. 1240)
names and values for a manual
DB snapshot

Grants permission to return List snapshot*    


DescribeDBSnapshots
information about DB snapshots (p. 1240)

db    
(p. 1239)

Grants permission to return a list List subgrp*    


DescribeDBSubnetGroups
of DBSubnetGroup descriptions (p. 1241)

1230
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to return List      


DescribeEngineDefaultClusterParameters
the default engine and system
parameter information for the
cluster database engine

Grants permission to return List      


DescribeEngineDefaultParameters
the default engine and system
parameter information for the
specified database engine

Grants permission to display a List      


DescribeEventCategories
list of categories for all event
source types, or, if specified, for
a specified source type

Grants permission to list all the List es*    


DescribeEventSubscriptions
subscription descriptions for a (p. 1240)
customer account

Grants permission to return List      


DescribeEvents events related to DB instances,
DB security groups, DB
snapshots, and DB parameter
groups for the past 14 days

Grants permission to return List      


DescribeExportTasks
information about the export
tasks

Grants permission to return List global-    


DescribeGlobalClusters
information about Aurora global cluster*
database clusters (p. 1240)

Grants permission to describe all List og*    


DescribeOptionGroupOptions
available options (p. 1240)

Grants permission to describe List og*    


DescribeOptionGroups
the available option groups (p. 1240)

Grants permission to return a list List      


DescribeOrderableDBInstanceOptions
of orderable DB instance options
for the specified engine

Grants permission to return a list List cluster    


DescribePendingMaintenanceActions
of resources (for example, DB (p. 1239)
instances) that have at least one
pending maintenance action db    
(p. 1239)

Grants permission to return List ri*    


DescribeReservedDBInstances
information about reserved DB (p. 1240)
instances for this account, or
about a specified reserved DB
instance

1231
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to list List      


DescribeReservedDBInstancesOfferings
available reserved DB instance
offerings

Grants permission to return a List      


DescribeSourceRegions
list of the source AWS Regions
where the current AWS Region
can create a Read Replica or
copy a DB snapshot from

Grants permission to list List db*    


DescribeValidDBInstanceModifications
available modifications you can (p. 1239)
make to your DB instance

Grants permission to download Read db*    


DownloadDBLogFilePortion
all or a portion of the specified (p. 1239)
log file, up to 1 MB in size

Grants permission to force a Write cluster*    


FailoverDBClusterfailover for a DB cluster (p. 1239)

Grants permission to list all tags Read db    


ListTagsForResource
on an Amazon RDS resource (p. 1239)

es    
(p. 1240)

og    
(p. 1240)

pg    
(p. 1240)

proxy    
(p. 1240)

ri    
(p. 1240)

secgrp    
(p. 1240)

snapshot    
(p. 1240)

subgrp    
(p. 1241)

target-    
group
(p. 1241)

Grants permission to modify Write cluster*    


ModifyCurrentDBClusterCapacity
current cluster capacity for an (p. 1239)
Amazon Aurora Severless DB
cluster

1232
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify a Write cluster*   iam:PassRole


ModifyDBCluster setting for an Amazon Aurora (p. 1239)
DB cluster
cluster-    
pg*
(p. 1239)

og*    
(p. 1240)

Grants permission to modify the Write cluster-    


ModifyDBClusterEndpoint
properties of an endpoint in an endpoint*
Amazon Aurora DB cluster (p. 1239)

Grants permission to modify Write cluster-    


ModifyDBClusterParameterGroup
the parameters of a DB cluster pg*
parameter group (p. 1239)

Grants permission to add an Write cluster-    


ModifyDBClusterSnapshotAttribute
attribute and values to, or snapshot*
removes an attribute and values (p. 1239)
from, a manual DB cluster
snapshot

Grants permission to modify Write db*   iam:PassRole


ModifyDBInstancesettings for a DB instance (p. 1239)

og*    
(p. 1240)

pg*    
(p. 1240)

secgrp*    
(p. 1240)

Grants permission to modify the Write pg*    


ModifyDBParameterGroup
parameters of a DB parameter (p. 1240)
group

Grants permission to modify Write proxy*   iam:PassRole


ModifyDBProxy database proxy (p. 1240)

Grants permission to modify Write target-    


ModifyDBProxyTargetGroup
target group for a database group*
proxy (p. 1241)

Grants permission to update a Write snapshot*    


ModifyDBSnapshot
manual DB snapshot, which can (p. 1240)
be encrypted or not encrypted,
with a new engine version

Grants permission to add an Write snapshot*    


ModifyDBSnapshotAttribute
attribute and values to, or (p. 1240)
removes an attribute and values
from, a manual DB snapshot

1233
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify an Write subgrp*    


ModifyDBSubnetGroup
existing DB subnet group (p. 1241)

Grants permission to modify an Write es*    


ModifyEventSubscription
existing RDS event notification (p. 1240)
subscription

Grants permission to modify a Write global-    


ModifyGlobalCluster
setting for an Amazon Aurora cluster*
global cluster (p. 1240)

Grants permission to modify an Write og*   iam:PassRole


ModifyOptionGroup
existing option group (p. 1240)

Grants permission to promote Write db*    


PromoteReadReplica
a Read Replica DB instance to a (p. 1239)
standalone DB instance

Grants permission to promote Write cluster*    


PromoteReadReplicaDBCluster
a Read Replica DB cluster to a (p. 1239)
standalone DB cluster

Grants permission to purchase a Write ri*    


PurchaseReservedDBInstancesOffering
reserved DB instance offering (p. 1240)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

Grants permission to restart the Write db*    


RebootDBInstancedatabase engine service (p. 1239)

Grants permission to add targets Write target-    


RegisterDBProxyTargets
to a database proxy target group group*
(p. 1241)

Grants permission to detach Write cluster*    


RemoveFromGlobalCluster
an Aurora secondary cluster (p. 1239)
from an Aurora global database
cluster global-    
cluster*
(p. 1240)

Grants permission to Write cluster*   iam:PassRole


RemoveRoleFromDBCluster
disassociate an AWS Identity (p. 1239)
and Access Management (IAM)
role from an Amazon Aurora DB
cluster

Grants permission to Write db*   iam:PassRole


RemoveRoleFromDBInstance
disassociate an AWS Identity and (p. 1239)
Access Management (IAM) role
from a DB instance

1234
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to remove Write es*    


RemoveSourceIdentifierFromSubscription
a source identifier from an (p. 1240)
existing RDS event notification
subscription

Grants permission to remove Tagging db    


RemoveTagsFromResource
metadata tags from an Amazon (p. 1239)
RDS resource
es    
(p. 1240)

og    
(p. 1240)

pg    
(p. 1240)

proxy    
(p. 1240)

ri    
(p. 1240)

secgrp    
(p. 1240)

snapshot    
(p. 1240)

subgrp    
(p. 1241)

target-    
group
(p. 1241)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to modify Write cluster-    


ResetDBClusterParameterGroup
the parameters of a DB cluster pg*
parameter group to the default (p. 1239)
value

1235
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to modify the Write pg*    


ResetDBParameterGroup
parameters of a DB parameter (p. 1240)
group to the engine/system
default value

Grants permission to create an Write cluster*   iam:PassRole


RestoreDBClusterFromS3
Amazon Aurora DB cluster from (p. 1239)
data stored in an Amazon S3
bucket   aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

rds:DatabaseEngine
(p. 1241)

rds:DatabaseName
(p. 1241)

rds:StorageEncrypted
(p. 1242)

Grants permission to create a Write cluster*   iam:PassRole


RestoreDBClusterFromSnapshot
new DB cluster from a DB cluster (p. 1239)
snapshot
cluster-    
snapshot*
(p. 1239)

og*    
(p. 1240)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to restore a Write cluster*   iam:PassRole


RestoreDBClusterToPointInTime
DB cluster to an arbitrary point (p. 1239)
in time

1236
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

og*    
(p. 1240)

subgrp*    
(p. 1241)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to create Write db*   iam:PassRole


RestoreDBInstanceFromDBSnapshot
a new DB instance from a DB (p. 1239)
snapshot
og*    
(p. 1240)

snapshot*    
(p. 1240)

subgrp*    
(p. 1241)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to create Write db*   iam:PassRole


RestoreDBInstanceFromS3
a new DB instance from an (p. 1239)
Amazon S3 bucket

1237
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to restore a Write db*   iam:PassRole


RestoreDBInstanceToPointInTime
DB instance to an arbitrary point (p. 1239)
in time
og*    
(p. 1240)

subgrp*    
(p. 1241)

  aws:RequestTag/
 
${TagKey}
(p. 1241)

aws:TagKeys
(p. 1241)

rds:req-
tag/
${TagKey}
(p. 1242)

Grants permission to revoke Write secgrp*    


RevokeDBSecurityGroupIngress
ingress from a DBSecurityGroup (p. 1240)
for previously authorized IP
ranges or EC2 or VPC Security
Groups

Grants permission to start Write cluster*    


StartActivityStream
Activity Stream (p. 1239)

Starts the DB cluster Write cluster*    


StartDBCluster (p. 1239)

Grants permission to start the Write db*    


StartDBInstance DB instance (p. 1239)

Grants permission to start a new Write     iam:PassRole


StartExportTask Export task for a DB snapshot

Grants permission to stop Write cluster*    


StopActivityStream
Activity Stream (p. 1239)

Grants permission to stop the Write cluster*    


StopDBCluster DB cluster (p. 1239)

1238
Service Authorization Reference
Service Authorization Reference
Amazon RDS

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to stop the Write db*    


StopDBInstance DB instance (p. 1239)

Resource types defined by Amazon RDS

The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1220) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
cluster | arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName} | aws:ResourceTag/${TagKey}, rds:cluster-tag/${TagKey}
cluster-endpoint | arn:${Partition}:rds:${Region}:${Account}:cluster-endpoint:${DbClusterEndpoint} | aws:ResourceTag/${TagKey}
cluster-pg | arn:${Partition}:rds:${Region}:${Account}:cluster-pg:${ClusterParameterGroupName} | aws:ResourceTag/${TagKey}, rds:cluster-pg-tag/${TagKey}
cluster-snapshot | arn:${Partition}:rds:${Region}:${Account}:cluster-snapshot:${ClusterSnapshotName} | aws:ResourceTag/${TagKey}, rds:cluster-snapshot-tag/${TagKey}
db | arn:${Partition}:rds:${Region}:${Account}:db:${DbInstanceName} | aws:ResourceTag/${TagKey}, rds:DatabaseClass, rds:DatabaseEngine, rds:DatabaseName, rds:MultiAz, rds:Piops, rds:StorageEncrypted, rds:StorageSize, rds:Vpc, rds:db-tag/${TagKey}
es | arn:${Partition}:rds:${Region}:${Account}:es:${SubscriptionName} | aws:ResourceTag/${TagKey}, rds:es-tag/${TagKey}
global-cluster | arn:${Partition}:rds::${Account}:global-cluster:${GlobalCluster} |
og | arn:${Partition}:rds:${Region}:${Account}:og:${OptionGroupName} | aws:ResourceTag/${TagKey}, rds:og-tag/${TagKey}
pg | arn:${Partition}:rds:${Region}:${Account}:pg:${ParameterGroupName} | aws:ResourceTag/${TagKey}, rds:pg-tag/${TagKey}
proxy | arn:${Partition}:rds:${Region}:${Account}:db-proxy:${DbProxyId} | aws:ResourceTag/${TagKey}
ri | arn:${Partition}:rds:${Region}:${Account}:ri:${ReservedDbInstanceName} | aws:ResourceTag/${TagKey}, rds:ri-tag/${TagKey}
secgrp | arn:${Partition}:rds:${Region}:${Account}:secgrp:${SecurityGroupName} | aws:ResourceTag/${TagKey}, rds:secgrp-tag/${TagKey}
snapshot | arn:${Partition}:rds:${Region}:${Account}:snapshot:${SnapshotName} | aws:ResourceTag/${TagKey}, rds:snapshot-tag/${TagKey}
subgrp | arn:${Partition}:rds:${Region}:${Account}:subgrp:${SubnetGroupName} | aws:ResourceTag/${TagKey}, rds:subgrp-tag/${TagKey}
target | arn:${Partition}:rds:${Region}:${Account}:target:${TargetId} |
target-group | arn:${Partition}:rds:${Region}:${Account}:target-group:${TargetGroupId} | aws:ResourceTag/${TagKey}

Condition keys for Amazon RDS

Amazon RDS defines the following condition keys that can be used in the Condition element of an IAM
policy. You can use these keys to further refine the conditions under which the policy statement applies.
For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters access based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters access based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters access based on the presence of tag keys in the request | String
rds:DatabaseClass | Filters access by the type of DB instance class | String
rds:DatabaseEngine | Filters access by the database engine. For possible values refer to the engine parameter in CreateDBInstance API | String
rds:DatabaseName | Filters access by the user-defined name of the database on the DB instance | String
rds:EndpointType | Filters access by the type of the endpoint. One of: READER, WRITER, CUSTOM | String
rds:MultiAz | Filters access by the value that specifies whether the DB instance runs in multiple Availability Zones. To indicate that the DB instance is using Multi-AZ, specify true | Boolean
rds:Piops | Filters access by the value that contains the number of Provisioned IOPS (PIOPS) that the instance supports. To indicate a DB instance that does not have PIOPS enabled, specify 0 | Numeric
rds:StorageEncrypted | Filters access by the value that specifies whether the DB instance storage should be encrypted. To enforce storage encryption, specify true | Boolean
rds:StorageSize | Filters access by the storage volume size (in GB) | Numeric
rds:Vpc | Filters access by the value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). To indicate that the DB instance runs in an Amazon VPC, specify true | Boolean
rds:cluster-pg-tag/${TagKey} | Filters access by the tag attached to a DB cluster parameter group | String
rds:cluster-snapshot-tag/${TagKey} | Filters access by the tag attached to a DB cluster snapshot | String
rds:cluster-tag/${TagKey} | Filters access by the tag attached to a DB cluster | String
rds:db-tag/${TagKey} | Filters access by the tag attached to a DB instance | String
rds:es-tag/${TagKey} | Filters access by the tag attached to an event subscription | String
rds:og-tag/${TagKey} | Filters access by the tag attached to a DB option group | String
rds:pg-tag/${TagKey} | Filters access by the tag attached to a DB parameter group | String
rds:req-tag/${TagKey} | Filters access by the set of tag keys and values that can be used to tag a resource | String
rds:ri-tag/${TagKey} | Filters access by the tag attached to a reserved DB instance | String
rds:secgrp-tag/${TagKey} | Filters access by the tag attached to a DB security group | String
rds:snapshot-tag/${TagKey} | Filters access by the tag attached to a DB snapshot | String
rds:subgrp-tag/${TagKey} | Filters access by the tag attached to a DB subnet group | String
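As an added illustration (it is not part of the reference itself) of how the three Amazon RDS tables fit together, the following IAM policy allows rds:CreateDBInstance only when the new instance's storage is encrypted, scopes the statement to the five resource types the actions table marks as required for that action (db, og, pg, secgrp, subgrp) using the ARN formats from the resource types table, grants the dependent iam:PassRole action only for one role, and adds an explicit Deny on unencrypted creation so the guardrail holds even if another policy grants broader access. The partition, Region, account ID and role name are placeholders; iam:PassedToService is a global IAM condition key that is not listed on this page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateEncryptedRdsInstancesOnly",
      "Effect": "Allow",
      "Action": "rds:CreateDBInstance",
      "Resource": [
        "arn:aws:rds:us-east-1:111122223333:db:*",
        "arn:aws:rds:us-east-1:111122223333:og:*",
        "arn:aws:rds:us-east-1:111122223333:pg:*",
        "arn:aws:rds:us-east-1:111122223333:secgrp:*",
        "arn:aws:rds:us-east-1:111122223333:subgrp:*"
      ],
      "Condition": {
        "Bool": { "rds:StorageEncrypted": "true" }
      }
    },
    {
      "Sid": "PassOnlyTheMonitoringRoleToRds",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/EXAMPLE-rds-monitoring-role",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "rds.amazonaws.com" }
      }
    },
    {
      "Sid": "DenyUnencryptedInstanceCreation",
      "Effect": "Deny",
      "Action": "rds:CreateDBInstance",
      "Resource": "*",
      "Condition": {
        "Bool": { "rds:StorageEncrypted": "false" }
      }
    }
  ]
}
```

The rds:StorageEncrypted key comes from the db resource type's condition keys, so it is evaluated against the instance being created; the og, pg, secgrp and subgrp ARNs must be present because the actions table marks all five types as required for rds:CreateDBInstance, and a statement that omitted them would be denied at resource matching even though the condition is satisfied.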

Actions, resources, and condition keys for Amazon RDS Data API

Amazon RDS Data API (service prefix: rds-data) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon RDS Data API (p. 1243)
• Resource types defined by Amazon RDS Data API (p. 1244)
• Condition keys for Amazon RDS Data API (p. 1244)

Actions defined by Amazon RDS Data API

You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchExecuteStatement | Runs a batch SQL statement over an array of data. | Write | | |
BeginTransaction | Starts a SQL transaction. | Write | | |
CommitTransaction | Ends a SQL transaction started with the BeginTransaction operation and commits the changes. | Write | | | rds-data:BeginTransaction
ExecuteSql | Runs one or more SQL statements. This operation is deprecated. Use the BatchExecuteStatement or ExecuteStatement operation. | Write | | |
ExecuteStatement | Runs a SQL statement against a database. | Write | | |
RollbackTransaction | Performs a rollback of a transaction. Rolling back a transaction cancels its changes. | Write | | | rds-data:BeginTransaction

Resource types defined by Amazon RDS Data API

Amazon RDS Data API does not support specifying a resource ARN in the Resource element of an IAM
policy statement. To allow access to Amazon RDS Data API, specify "Resource": "*" in your policy.

Condition keys for Amazon RDS Data API

Amazon RDS Data API defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys associated with the resource | String

Actions, resources, and condition keys for Amazon


RDS IAM Authentication
Amazon RDS IAM Authentication (service prefix: rds-db) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.


• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon RDS IAM Authentication (p. 1244)
• Resource types defined by Amazon RDS IAM Authentication (p. 1245)
• Condition keys for Amazon RDS IAM Authentication (p. 1245)

Actions defined by Amazon RDS IAM Authentication


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
connect | Allows IAM role or user to connect to RDS database | Permissions management | db-user* (p. 1245) | |

Resource types defined by Amazon RDS IAM Authentication


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1244) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
db-user | arn:${Partition}:rds-db:${Region}:${Account}:dbuser:${DbiResourceId}/${DbUserName} |

Condition keys for Amazon RDS IAM Authentication


RDS IAM Authentication has no service-specific context keys that can be used in the Condition element
of policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Amazon Redshift

Amazon Redshift (service prefix: redshift) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Redshift (p. 1246)
• Resource types defined by Amazon Redshift (p. 1258)
• Condition keys for Amazon Redshift (p. 1259)


Actions defined by Amazon Redshift


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AcceptReservedNodeExchange | Grants permission to exchange a DC1 reserved node for a DC2 reserved node with no changes to the configuration | Write | | |
AuthorizeClusterSecurityGroupIngress | Grants permission to add an inbound (ingress) rule to an Amazon Redshift security group | Permissions management | securitygroup* (p. 1259), securitygroupingress-ec2securitygroup* (p. 1259) | |
AuthorizeSnapshotAccess | Grants permission to the specified AWS account to restore a snapshot | Permissions management | snapshot* (p. 1259) | |
BatchDeleteClusterSnapshots | Grants permission to delete snapshots in a batch of size up to 100 | Write | snapshot* (p. 1259) | |
BatchModifyClusterSnapshots | Grants permission to modify settings for a list of snapshots | Write | snapshot* (p. 1259) | |
CancelQuery [permission only] | Grants permission to cancel a query through the Amazon Redshift console | Write | | |
CancelQuerySession [permission only] | Grants permission to see queries in the Amazon Redshift console | Write | | |
CancelResize | Grants permission to cancel a resize operation | Write | cluster* (p. 1258) | |
CopyClusterSnapshot | Grants permission to copy a cluster snapshot | Write | snapshot* (p. 1259) | |
CreateCluster | Grants permission to create a cluster | Write | cluster* (p. 1258) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
CreateClusterParameterGroup | Grants permission to create an Amazon Redshift parameter group | Write | parametergroup* (p. 1259) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
CreateClusterSecurityGroup | Grants permission to create an Amazon Redshift security group | Write | securitygroup* (p. 1259) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
CreateClusterSnapshot | Grants permission to create a manual snapshot of the specified cluster | Write | snapshot* (p. 1259) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
CreateClusterSubnetGroup | Grants permission to create an Amazon Redshift subnet group | Write | subnetgroup* (p. 1259) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
CreateClusterUser | Grants permission to automatically create the specified Amazon Redshift user if it does not exist | Permissions management | dbuser* (p. 1258) | redshift:DbUser (p. 1260) |
CreateEventSubscription | Grants permission to create an Amazon Redshift event notification subscription | Write | eventsubscription* (p. 1258) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
CreateHsmClientCertificate | Grants permission to create an HSM client certificate that a cluster uses to connect to an HSM | Write | hsmclientcertificate* (p. 1259) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
CreateHsmConfiguration | Grants permission to create an HSM configuration that contains information required by a cluster to store and use database encryption keys in a hardware security module (HSM) | Write | hsmconfiguration* (p. 1259) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
CreateSavedQuery [permission only] | Grants permission to create saved SQL queries through the Amazon Redshift console | Write | | |
CreateScheduledAction | Grants permission to create an Amazon Redshift scheduled action | Write | | |
CreateSnapshotCopyGrant | Grants permission to create a snapshot copy grant and encrypt copied snapshots in a destination AWS Region | Permissions management | snapshotcopygrant* (p. 1259) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
CreateSnapshotSchedule | Grants permission to create a snapshot schedule | Write | snapshotschedule* (p. 1259) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
CreateTags | Grants permission to add one or more tags to a specified resource | Tagging | cluster (p. 1258), dbgroup (p. 1258), dbname (p. 1258), dbuser (p. 1258), eventsubscription (p. 1258), hsmclientcertificate (p. 1259), hsmconfiguration (p. 1259), parametergroup (p. 1259), securitygroup (p. 1259), securitygroupingress-cidr (p. 1259), securitygroupingress-ec2securitygroup (p. 1259), snapshot (p. 1259), snapshotcopygrant (p. 1259), snapshotschedule (p. 1259), subnetgroup (p. 1259) | aws:RequestTag/${TagKey} (p. 1259), aws:TagKeys (p. 1260) |
DeleteCluster | Grants permission to delete a previously provisioned cluster | Write | cluster* (p. 1258) | |
DeleteClusterParameterGroup | Grants permission to delete an Amazon Redshift parameter group | Write | parametergroup* (p. 1259) | |
DeleteClusterSecurityGroup | Grants permission to delete an Amazon Redshift security group | Write | securitygroup* (p. 1259) | |
DeleteClusterSnapshot | Grants permission to delete a manual snapshot | Write | snapshot* (p. 1259) | |
DeleteClusterSubnetGroup | Grants permission to delete a cluster subnet group | Write | subnetgroup* (p. 1259) | |
DeleteEventSubscription | Grants permission to delete an Amazon Redshift event notification subscription | Write | eventsubscription* (p. 1258) | |
DeleteHsmClientCertificate | Grants permission to delete an HSM client certificate | Write | hsmclientcertificate* (p. 1259) | |
DeleteHsmConfiguration | Grants permission to delete an Amazon Redshift HSM configuration | Write | hsmconfiguration* (p. 1259) | |
DeleteSavedQueries [permission only] | Grants permission to delete saved SQL queries through the Amazon Redshift console | Write | | |
DeleteScheduledAction | Grants permission to delete an Amazon Redshift scheduled action | Write | | |
DeleteSnapshotCopyGrant | Grants permission to delete a snapshot copy grant | Write | snapshotcopygrant* (p. 1259) | |
DeleteSnapshotSchedule | Grants permission to delete a snapshot schedule | Write | snapshotschedule* (p. 1259) | |
DeleteTags | Grants permission to delete a tag or tags from a resource | Tagging | cluster (p. 1258), dbgroup (p. 1258), dbname (p. 1258), dbuser (p. 1258), eventsubscription (p. 1258), hsmclientcertificate (p. 1259), hsmconfiguration (p. 1259), parametergroup (p. 1259), securitygroup (p. 1259), securitygroupingress-cidr (p. 1259), securitygroupingress-ec2securitygroup (p. 1259), snapshot (p. 1259), snapshotcopygrant (p. 1259), snapshotschedule (p. 1259), subnetgroup (p. 1259) | aws:TagKeys (p. 1260) |
DescribeAccountAttributes | Grants permission to describe attributes attached to the specified AWS account | Read | | |
DescribeClusterDbRevisions | Grants permission to describe database revisions for a cluster | List | | |
DescribeClusterParameterGroups | Grants permission to describe Amazon Redshift parameter groups, including parameter groups you created and the default parameter group | Read | | |
DescribeClusterParameters | Grants permission to describe parameters contained within an Amazon Redshift parameter group | Read | parametergroup* (p. 1259) | |
DescribeClusterSecurityGroups | Grants permission to describe Amazon Redshift security groups | Read | | |
DescribeClusterSnapshots | Grants permission to describe one or more snapshot objects, which contain metadata about your cluster snapshots | Read | | |
DescribeClusterSubnetGroups | Grants permission to describe one or more cluster subnet group objects, which contain metadata about your cluster subnet groups | Read | | |
DescribeClusterTracks | Grants permission to describe available maintenance tracks | List | | |
DescribeClusterVersions | Grants permission to describe available Amazon Redshift cluster versions | Read | | |
DescribeClusters | Grants permission to describe properties of provisioned clusters | List | | |
DescribeDefaultClusterParameters | Grants permission to describe parameter settings for a parameter group family | Read | | |
DescribeEventCategories | Grants permission to describe event categories for all event source types, or for a specified source type | Read | | |
DescribeEventSubscriptions | Grants permission to describe Amazon Redshift event notification subscriptions for the specified AWS account | Read | | |
DescribeEvents | Grants permission to describe events related to clusters, security groups, snapshots, and parameter groups for the past 14 days | List | | |
DescribeHsmClientCertificates | Grants permission to describe HSM client certificates | Read | | |
DescribeHsmConfigurations | Grants permission to describe Amazon Redshift HSM configurations | Read | | |
DescribeLoggingStatus | Grants permission to describe whether information, such as queries and connection attempts, is being logged for a cluster | Read | cluster* (p. 1258) | |
DescribeNodeConfigurationOptions | Grants permission to describe properties of possible node configurations such as node type, number of nodes, and disk usage for the specified action type | List | | |
DescribeOrderableClusterOptions | Grants permission to describe orderable cluster options | Read | | |
DescribeQuery [permission only] | Grants permission to describe a query through the Amazon Redshift console | Read | | |
DescribeReservedNodeOfferings | Grants permission to describe available reserved node offerings by Amazon Redshift | Read | | |
DescribeReservedNodes | Grants permission to describe the reserved nodes | Read | | |
DescribeResize | Grants permission to describe the last resize operation for a cluster | Read | cluster* (p. 1258) | |
DescribeSavedQueries [permission only] | Grants permission to describe saved queries through the Amazon Redshift console | Read | | |
DescribeScheduledActions | Grants permission to describe created Amazon Redshift scheduled actions | Read | | |
DescribeSnapshotCopyGrants | Grants permission to describe snapshot copy grants owned by the specified AWS account in the destination AWS Region | Read | | |
DescribeSnapshotSchedules | Grants permission to describe snapshot schedules | Read | snapshotschedule* (p. 1259) | |
DescribeStorage | Grants permission to describe account level backups storage size and provisional storage | Read | | |
DescribeTable [permission only] | Grants permission to describe a table through the Amazon Redshift console | Read | | |
DescribeTableRestoreStatus | Grants permission to describe status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action | Read | | |
DescribeTags | Grants permission to describe tags | Read | cluster (p. 1258), dbgroup (p. 1258), dbname (p. 1258), dbuser (p. 1258), eventsubscription (p. 1258), hsmclientcertificate (p. 1259), hsmconfiguration (p. 1259), parametergroup (p. 1259), securitygroup (p. 1259), securitygroupingress-cidr (p. 1259), securitygroupingress-ec2securitygroup (p. 1259), snapshot (p. 1259), snapshotcopygrant (p. 1259), snapshotschedule (p. 1259), subnetgroup (p. 1259) | |
DisableLogging | Grants permission to disable logging information, such as queries and connection attempts, for a cluster | Write | cluster* (p. 1258) | |
DisableSnapshotCopy | Grants permission to disable the automatic copy of snapshots for a cluster | Write | cluster* (p. 1258) | |
EnableLogging | Grants permission to enable logging information, such as queries and connection attempts, for a cluster | Write | cluster* (p. 1258) | |
EnableSnapshotCopy | Grants permission to enable the automatic copy of snapshots for a cluster | Write | cluster* (p. 1258) | |
ExecuteQuery [permission only] | Grants permission to execute a query through the Amazon Redshift console | Write | | |
FetchResults [permission only] | Grants permission to fetch query results through the Amazon Redshift console | Read | | |
GetClusterCredentials | Grants permission to get temporary credentials to access an Amazon Redshift database by the specified AWS account | Write | dbuser* (p. 1258), dbgroup (p. 1258), dbname (p. 1258) | redshift:DbName (p. 1260), redshift:DbUser (p. 1260), redshift:DurationSeconds (p. 1260) |
GetReservedNodeExchangeOfferings | Grants permission to get an array of DC2 ReservedNodeOfferings that matches the payment type, term, and usage price of the given DC1 reserved node | Read | | |
JoinGroup | Grants permission to join the specified Amazon Redshift group | Permissions management | dbgroup* (p. 1258) | |
ListDatabases [permission only] | Grants permission to list databases through the Amazon Redshift console | List | | |
ListSavedQueries [permission only] | Grants permission to list saved queries through the Amazon Redshift console | List | | |
ListSchemas [permission only] | Grants permission to list schemas through the Amazon Redshift console | List | | |
ListTables [permission only] | Grants permission to list tables through the Amazon Redshift console | List | | |
ModifyCluster | Grants permission to modify the settings of a cluster | Write | cluster* (p. 1258) | |
ModifyClusterDbRevision | Grants permission to modify the database revision of a cluster | Write | cluster* (p. 1258) | |
ModifyClusterIamRoles | Grants permission to modify the list of AWS Identity and Access Management (IAM) roles that can be used by a cluster to access other AWS services | Permissions management | cluster* (p. 1258) | |
ModifyClusterMaintenance | Grants permission to modify the maintenance settings of a cluster | Write | | |
ModifyClusterParameterGroup | Grants permission to modify the parameters of a parameter group | Write | parametergroup* (p. 1259) | |
ModifyClusterSnapshot | Grants permission to modify the settings of a snapshot | Write | snapshot* (p. 1259) | |
ModifyClusterSnapshotSchedule | Grants permission to modify a snapshot schedule for a cluster | Write | cluster* (p. 1258) | |
ModifyClusterSubnetGroup | Grants permission to modify a cluster subnet group to include the specified list of VPC subnets | Write | subnetgroup* (p. 1259) | |
ModifyEventSubscription | Grants permission to modify an existing Amazon Redshift event notification subscription | Write | eventsubscription* (p. 1258) | |
ModifySavedQuery [permission only] | Grants permission to modify an existing saved query through the Amazon Redshift console | Write | | |
ModifyScheduledAction | Grants permission to modify an existing Amazon Redshift scheduled action | Write | | |
ModifySnapshotCopyRetentionPeriod | Grants permission to modify the number of days to retain snapshots in the destination AWS Region after they are copied from the source AWS Region | Write | cluster* (p. 1258) | |
ModifySnapshotSchedule | Grants permission to modify a snapshot schedule | Write | snapshotschedule* (p. 1259) | |
PauseCluster | Grants permission to pause a cluster | Write | cluster* (p. 1258) | |
PurchaseReservedNodeOffering | Grants permission to purchase a reserved node | Write | | |
RebootCluster | Grants permission to reboot a cluster | Write | cluster* (p. 1258) | |
ResetClusterParameterGroup | Grants permission to set one or more parameters of a parameter group to their default values and set the source values of the parameters to "engine-default" | Write | parametergroup* (p. 1259) | |
ResizeCluster | Grants permission to change the size of a cluster | Write | cluster* (p. 1258) | |
RestoreFromClusterSnapshot | Grants permission to create a cluster from a snapshot | Write | cluster* (p. 1258), snapshot* (p. 1259) | |
RestoreTableFromClusterSnapshot | Grants permission to create a table from a table in an Amazon Redshift cluster snapshot | Write | cluster* (p. 1258), snapshot* (p. 1259) | |
ResumeCluster | Grants permission to resume a cluster | Write | cluster* (p. 1258) | |
RevokeClusterSecurityGroupIngress | Grants permission to revoke an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group | Permissions management | securitygroup* (p. 1259), securitygroupingress-ec2securitygroup* (p. 1259) | |
RevokeSnapshotAccess | Grants permission to revoke access from the specified AWS account to restore a snapshot | Permissions management | snapshot* (p. 1259) | |
RotateEncryptionKey | Grants permission to rotate an encryption key for a cluster | Permissions management | cluster* (p. 1258) | |
ViewQueriesFromConsole [permission only] | Grants permission to view query results through the Amazon Redshift console | List | | |
ViewQueriesInConsole [permission only] | Grants permission to terminate running queries and loads through the Amazon Redshift console | List | | |

Resource types defined by Amazon Redshift


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1246) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
cluster | arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName} | aws:ResourceTag/${TagKey} (p. 1260)
dbgroup | arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup} | aws:ResourceTag/${TagKey} (p. 1260)
dbname | arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName} | aws:ResourceTag/${TagKey} (p. 1260)
dbuser | arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser} | aws:ResourceTag/${TagKey} (p. 1260)
eventsubscription | arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName} | aws:ResourceTag/${TagKey} (p. 1260)
hsmclientcertificate | arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId} | aws:ResourceTag/${TagKey} (p. 1260)
hsmconfiguration | arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId} | aws:ResourceTag/${TagKey} (p. 1260)
parametergroup | arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName} | aws:ResourceTag/${TagKey} (p. 1260)
securitygroup | arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId} | aws:ResourceTag/${TagKey} (p. 1260)
securitygroupingress-cidr | arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange} | aws:ResourceTag/${TagKey} (p. 1260)
securitygroupingress-ec2securitygroup | arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ece2SecuritygroupId} | aws:ResourceTag/${TagKey} (p. 1260)
snapshot | arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName} | aws:ResourceTag/${TagKey} (p. 1260)
snapshotcopygrant | arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName} | aws:ResourceTag/${TagKey} (p. 1260)
snapshotschedule | arn:${Partition}:redshift:${Region}:${Account}:snapshotschedule:${ParameterGroupName} | aws:ResourceTag/${TagKey} (p. 1260)
subnetgroup | arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName} | aws:ResourceTag/${TagKey} (p. 1260)

Condition keys for Amazon Redshift


Amazon Redshift defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource | String
aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String
redshift:DbName | Filters access by the database name | String
redshift:DbUser | Filters access by the database user name | String
redshift:DurationSeconds | Filters access by the number of seconds until a temporary credential set expires | String

Actions, resources, and condition keys for Amazon Redshift Data API

Amazon Redshift Data API (service prefix: redshift-data) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Redshift Data API (p. 1260)
• Resource types defined by Amazon Redshift Data API (p. 1261)
• Condition keys for Amazon Redshift Data API (p. 1261)

Actions defined by Amazon Redshift Data API


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).


Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CancelStatement | Grants permission to cancel a running query | Write | | |
DescribeStatement | Grants permission to retrieve detailed information about a statement execution | Read | | |
DescribeTable | Grants permission to retrieve metadata about a particular table | Read | | |
ExecuteStatement | Grants permission to execute a query | Write | | |
GetStatementResult | Grants permission to fetch the result of a query | Read | | |
ListDatabases | Grants permission to list databases for a given cluster | List | | |
ListSchemas | Grants permission to list schemas for a given cluster | List | | |
ListStatements | Grants permission to list queries for a given principal | List | | |
ListTables | Grants permission to list tables for a given cluster | List | | |

Resource types defined by Amazon Redshift Data API


Amazon Redshift Data API does not support specifying a resource ARN in the Resource element of an
IAM policy statement. To allow access to Amazon Redshift Data API, specify "Resource": "*" in your
policy.

Condition keys for Amazon Redshift Data API


Redshift Data API has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for Amazon Rekognition

Amazon Rekognition (service prefix: rekognition) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.


Topics
• Actions defined by Amazon Rekognition (p. 1262)
• Resource types defined by Amazon Rekognition (p. 1265)
• Condition keys for Amazon Rekognition (p. 1266)

Actions defined by Amazon Rekognition


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CompareFaces | Compares a face in source input image with each face detected in the target input image. | Read | | |
CreateCollection | Creates a collection in an AWS region. You can then add faces to the collection using the IndexFaces API. | Write | collection* (p. 1266) | |
CreateProject | Creates a new Amazon Rekognition Custom Labels project. | Write | project* (p. 1266) | |
CreateProjectVersion | Creates a new version of a model and begins training. | Write | project* (p. 1266), projectversion* (p. 1266) | |
CreateStreamProcessor | Creates an Amazon Rekognition stream processor that you can use to detect and recognize faces in a streaming video. | Write | collection* (p. 1266), streamprocessor* (p. 1266) | |
DeleteCollection | Deletes the specified collection. Note that this operation removes all faces in the collection. | Write | collection* (p. 1266) | |
DeleteFaces | Deletes faces from a collection. | Write | collection* (p. 1266) | |
DeleteProject | Deletes a project. | Write | project* (p. 1266) | |
DeleteProjectVersion | Deletes a model. | Write | projectversion* (p. 1266) | |
DeleteStreamProcessor | Deletes the stream processor identified by Name. | Write | streamprocessor* (p. 1266) | |
DescribeCollection | Describes the specified collection. | Read | collection* (p. 1266) | |
DescribeProjectVersions | Lists and describes the model versions in an Amazon Rekognition Custom Labels project. | Read | project* (p. 1266) | |
DescribeProjects | Lists and gets information about your Amazon Rekognition Custom Labels projects. | Read | | |
DescribeStreamProcessor | Provides information about a stream processor created by CreateStreamProcessor. | Read | streamprocessor* (p. 1266) | |
DetectCustomLabels | Detects custom labels in a supplied image by using an Amazon Rekognition Custom Labels model version. | Read | projectversion* (p. 1266) | |

DetectFaces Detects human faces within an Read      


image (JPEG or PNG) provided as
input.

DetectLabels Detects instances of real-world Read      


labels within an image (JPEG or
PNG) provided as input.

Detects moderation labels Read      


DetectModerationLabels
within input image.

Detects Protective Equipment in Read      


DetectProtectiveEquipment
the input image.

DetectText Detects text in the input image Read      


and converts it into machine-
readable text.

Gets the name and additional Read      


GetCelebrityInfo information about a celebrity
based on his or her Rekognition
ID.

1263
Service Authorization Reference
Service Authorization Reference
Amazon Rekognition

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Gets the celebrity recognition Read      


GetCelebrityRecognition
results for a Rekognition
Video analysis started by
StartCelebrityRecognition.

Gets the content moderation Read      


GetContentModeration
analysis results for a Rekognition
Video analysis started by
StartContentModeration.

Gets face detection results for Read      


GetFaceDetectiona Rekognition Video analysis
started by StartFaceDetection.

Gets the face search results for Read      


GetFaceSearch Rekognition Video face search
started by StartFaceSearch.

Gets the label detection results Read      


GetLabelDetection
of a Rekognition Video analysis
started by StartLabelDetection.

Gets information about people Read      


GetPersonTracking
detected within a video.

Gets segment detection Read      


GetSegmentDetection
results for a Rekognition
Video analysis started by
StartSegmentDetection.

Gets text detection results for Read      


GetTextDetectiona Rekognition Video analysis
started by StartTextDetection.

IndexFaces Detects faces in the input image Write collection*    


and adds them to the specified (p. 1266)
collection.

Returns a list of collection IDs in Read collection*    


ListCollections your account. (p. 1266)

ListFaces Returns metadata for faces in Read collection*    


the specified collection. (p. 1266)

Gets a list of stream processors List streamprocessor*


   
ListStreamProcessors
that you have created with (p. 1266)
CreateStreamProcessor.

Returns an array of celebrities Read      


RecognizeCelebrities
recognized in the input image.

SearchFaces For a given input face ID, Read collection*    


searches the specified collection (p. 1266)
for matching faces.

1264
Service Authorization Reference
Service Authorization Reference
Amazon Rekognition

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

For a given input image, first Read collection*    


SearchFacesByImage
detects the largest face in the (p. 1266)
image, and then searches the
specified collection for matching
faces.

Starts asynchronous recognition Write      


StartCelebrityRecognition
of celebrities in a video.

Starts asynchronous detection Write      


StartContentModeration
of explicit or suggestive adult
content in a video.

Starts asynchronous detection Write      


StartFaceDetection
of faces in a video.

Starts the asynchronous search Write collection*    


StartFaceSearch for faces in a collection that (p. 1266)
match the faces of persons
detected in a video.

Starts asynchronous detection Write      


StartLabelDetection
of labels in a video.

Starts the asynchronous tracking Write      


StartPersonTracking
of persons in a video.

Starts the deployment of a Write projectversion*


   
StartProjectVersion
model version. (p. 1266)

Starts asynchronous detection Write      


StartSegmentDetection
of segments in a video.

Starts processing a stream Write streamprocessor*


   
StartStreamProcessor
processor. (p. 1266)

Starts asynchronous detection Write      


StartTextDetection
of text in a video.

Stops a deployed model version. Write projectversion*


   
StopProjectVersion (p. 1266)

Stops a running stream Write streamprocessor*


   
StopStreamProcessor
processor that was created by (p. 1266)
CreateStreamProcessor.

Resource types defined by Amazon Rekognition


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1262) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
collection | arn:${Partition}:rekognition:${Region}:${Account}:collection/${CollectionId} |
streamprocessor | arn:${Partition}:rekognition:${Region}:${Account}:streamprocessor/${StreamprocessorId} |
project | arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/${CreationTimestamp} |
projectversion | arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/version/${VersionName}/${CreationTimestamp} |

Condition keys for Amazon Rekognition


Rekognition has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for AWS Resource Access Manager

AWS Resource Access Manager (service prefix: ram) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Resource Access Manager (p. 1266)
• Resource types defined by AWS Resource Access Manager (p. 1272)
• Condition keys for AWS Resource Access Manager (p. 1272)

Actions defined by AWS Resource Access Manager


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AcceptResourceShareInvitation | Accept the specified resource share invitation | Write | resource-share-invitation* (p. 1272) | ram:ShareOwnerAccountId (p. 1273) |
AssociateResourceShare | Associates resource(s) and/or principal(s) to a resource share | Write | resource-share* (p. 1272) | aws:ResourceTag/${TagKey} (p. 1273), ram:ResourceShareName (p. 1273), ram:AllowsExternalPrincipals (p. 1273), ram:Principal (p. 1273), ram:RequestedResourceType (p. 1273), ram:ResourceArn (p. 1273) |
AssociateResourceSharePermission | Associate a Permission with a Resource Share | Write | permission* (p. 1272), resource-share* (p. 1272) | aws:ResourceTag/${TagKey} (p. 1273), ram:AllowsExternalPrincipals (p. 1273), ram:ResourceShareName (p. 1273), ram:PermissionArn (p. 1273) |
CreateResourceShare | Create resource share with provided resource(s) and/or principal(s) | Write | | aws:RequestTag/${TagKey} (p. 1273), aws:TagKeys (p. 1273), ram:RequestedResourceType (p. 1273), ram:ResourceArn (p. 1273), ram:RequestedAllowsExternalPrincipal (p. 1273), ram:Principal (p. 1273) |
DeleteResourceShare | Delete resource share | Write | resource-share* (p. 1272) | aws:ResourceTag/${TagKey} (p. 1273), ram:ResourceShareName (p. 1273), ram:AllowsExternalPrincipals (p. 1273) |
DisassociateResourceShare | Disassociates resource(s) and/or principal(s) from a resource share | Write | resource-share* (p. 1272) | aws:ResourceTag/${TagKey} (p. 1273), ram:ResourceShareName (p. 1273), ram:AllowsExternalPrincipals (p. 1273), ram:Principal (p. 1273), ram:RequestedResourceType (p. 1273), ram:ResourceArn (p. 1273) |
DisassociateResourceSharePermission | Disassociate a Permission from a Resource Share | Write | permission* (p. 1272), resource-share* (p. 1272) | aws:ResourceTag/${TagKey} (p. 1273), ram:AllowsExternalPrincipals (p. 1273), ram:ResourceShareName (p. 1273), ram:PermissionArn (p. 1273) |
EnableSharingWithAwsOrganization | Grants permission to access customer's organization and create a SLR in the customer's account | Write | | |
GetPermission | Gets the contents of an AWS RAM permission | Read | permission* (p. 1272) | ram:PermissionArn (p. 1273) |
GetResourcePolicies | Gets the policies for the specified resources that you own and have shared | Read | | |
GetResourceShareAssociations | Get a set of resource share associations from a provided list or with a specified status of the specified type | Read | | |
GetResourceShareInvitations | Get resource share invitations by the specified invitation arn or those for the resource share | Read | | |
GetResourceShares | Get a set of resource shares from a provided list or with a specified status | Read | | |
ListPendingInvitationResources | Lists the resources in a resource share that is shared with you but that the invitation is still pending for | Read | resource-share-invitation* (p. 1272) | |
ListPermissions | Lists the AWS RAM permissions | List | | |
ListPrincipals | Lists the principals that you have shared resources with or that have shared resources with you | List | | |
ListResourceSharePermissions | List the Permissions associated with a Resource Share | List | resource-share* (p. 1272) | aws:ResourceTag/${TagKey} (p. 1273), ram:ResourceShareName (p. 1273), ram:AllowsExternalPrincipals (p. 1273) |
ListResourceTypes | Lists the shareable resource types supported by AWS RAM | List | | |
ListResources | Lists the resources that you added to a resource shares or the resources that are shared with you | List | | |
PromoteResourceShareCreatedFromPolicy | Use this API action to promote the resource share | Write | resource-share* (p. 1272) | aws:ResourceTag/${TagKey} (p. 1273), ram:ResourceShareName (p. 1273), ram:AllowsExternalPrincipals (p. 1273) |
RejectResourceShareInvitation | Reject the specified resource share invitation | Write | resource-share-invitation* (p. 1272) | ram:ShareOwnerAccountId (p. 1273) |
TagResource | Tag the specified resources share | Write | resource-share* (p. 1272) | aws:RequestTag/${TagKey} (p. 1273), aws:TagKeys (p. 1273) |
UntagResource | Untag the specified resource share | Write | resource-share* (p. 1272) | aws:RequestTag/${TagKey} (p. 1273), aws:TagKeys (p. 1273) |
UpdateResourceShare | Update attributes of the resource share | Write | resource-share* (p. 1272) | aws:ResourceTag/${TagKey} (p. 1273), ram:ResourceShareName (p. 1273), ram:AllowsExternalPrincipals (p. 1273), ram:RequestedAllowsExternalPrincipal (p. 1273) |
Resource types defined by AWS Resource Access Manager


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1266) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
resource-share | arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath} | aws:ResourceTag/${TagKey} (p. 1273), ram:AllowsExternalPrincipals (p. 1273), ram:ResourceShareName (p. 1273)
resource-share-invitation | arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath} |
permission | arn:${Partition}:ram::${Account}:permission/${ResourcePath} | ram:PermissionArn (p. 1273)

Condition keys for AWS Resource Access Manager


AWS Resource Access Manager defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Specifies a tag key and value pair that must be used when creating or tagging a resource share. If users don't pass these specific tags, or if they don't specify tags at all, the request fails. | String
aws:ResourceTag/${TagKey} | Indicates that the action can only be performed on resources that have the specified tag key and value pair. | String
aws:TagKeys | Specifies the tag keys that can be used when creating or tagging a resource share. | String
ram:AllowsExternalPrincipals | Indicates that the action can only be performed on resource shares that allow or deny sharing with external principals. For example, specify true if the action can only be performed on resource shares that allow sharing with external principals. External principals are AWS accounts outside the resource share owner's AWS organization. | Bool
ram:PermissionArn | Indicates that the action can only be performed on a resource using the specified Permission ARN. | Arn
ram:Principal | Principals with the specified format can be associated to or disassociated from a resource share. | String
ram:RequestedAllowsExternalPrincipals | The request must have the specified value for 'allowExternalPrincipals'. External principals are AWS accounts outside the resource share owner's AWS Organization. | Bool
ram:RequestedResourceType | Indicates that the action can only be performed on the specified resource type. | String
ram:ResourceArn | Indicates that the action can only be performed on a resource with the specified ARN. | Arn
ram:ResourceShareName | Indicates that the action can only be performed on a resource share with the specified name. | String
ram:ShareOwnerAccountId | Indicates that the action can only be performed on resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner's account ID. | String
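The following identity-based policy is an added illustration of how two of these keys are used together; it is not text from the reference. The first statement denies ram:CreateResourceShare and ram:UpdateResourceShare whenever a request sets allowExternalPrincipals to true, using the Bool key ram:RequestedAllowsExternalPrincipals from the table above, so that resource shares created or updated under this policy cannot be opened to accounts outside the organization. The second statement denies ram:AcceptResourceShareInvitation unless the share owner is one of the listed accounts, using ram:ShareOwnerAccountId. The two account IDs are placeholders, and the Sid values are chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySharingWithExternalPrincipals",
      "Effect": "Deny",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ram:RequestedAllowsExternalPrincipals": "true"
        }
      }
    },
    {
      "Sid": "OnlyAcceptInvitationsFromKnownOwners",
      "Effect": "Deny",
      "Action": "ram:AcceptResourceShareInvitation",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ram:ShareOwnerAccountId": [
            "111122223333",
            "444455556666"
          ]
        }
      }
    }
  ]
}
```

Both statements are explicit denies, so they are meant to sit beside whatever Allow statements grant the RAM actions in the first place; an explicit deny takes precedence over any allow. The first statement uses "Resource": "*" because CreateResourceShare has no resource type in the actions table, and a request that omits allowExternalPrincipals does not match the Bool condition and is therefore left to the Allow statements.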

Actions, resources, and condition keys for Amazon Resource Group Tagging API

Amazon Resource Group Tagging API (service prefix: tag) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Resource Group Tagging API (p. 1274)
• Resource types defined by Amazon Resource Group Tagging API (p. 1275)
• Condition keys for Amazon Resource Group Tagging API (p. 1275)

Actions defined by Amazon Resource Group Tagging API


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
DescribeReportCreation | Describe the status of the StartReportCreation operation. | Read | | |
GetComplianceSummary | Get a table that shows counts of resources that are noncompliant with their effective tag policies. | Read | | |
GetResources | Get tagged AWS resources that match the given tag filters | Read | | |
GetTagKeys | Get all tagKeys for the account in the specific region | Read | | |
GetTagValues | Get all tagValues for the account in the specific region | Read | | |
StartReportCreation | Generate a report that lists all tagged resources in accounts across your organization, and whether each resource is compliant with the effective tag policy. | Write | | |
TagResources | Add tags to AWS resources | Tagging | | |
UntagResources | Remove tags from AWS resources | Tagging | | |


Resource types defined by Amazon Resource Group Tagging API


Amazon Resource Group Tagging API does not support specifying a resource ARN in the Resource
element of an IAM policy statement. To allow access to Amazon Resource Group Tagging API, specify
"Resource": "*" in your policy.

Condition keys for Amazon Resource Group Tagging API


Resource Group Tagging has no service-specific context keys that can be used in the Condition element
of policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.

Actions, resources, and condition keys for AWS Resource Groups

AWS Resource Groups (service prefix: resource-groups) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Resource Groups (p. 1275)
• Resource types defined by AWS Resource Groups (p. 1277)
• Condition keys for AWS Resource Groups (p. 1277)

Actions defined by AWS Resource Groups


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).


Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
CreateGroup | Grants permission to create a resource group with a specified name, description, and resource query | Write | | aws:RequestTag/${TagKey} (p. 1277), aws:TagKeys (p. 1278) |
DeleteGroup | Grants permission to delete a specified resource group | Write | group* (p. 1277) | |
GetGroup | Grants permission to get information of a specified resource group | Read | group* (p. 1277) | |
GetGroupConfiguration | Grants permission to get the service configuration associated with the specified resource group | Read | group* (p. 1277) | |
GetGroupQuery | Grants permission to get the query associated with a specified resource group | Read | group* (p. 1277) | |
GetTags | Grants permission to get the tags associated with a specified resource group | Read | group* (p. 1277) | |
GroupResources | Grants permission to add the specified resources to the specified group | Write | group* (p. 1277) | |
ListGroupResources | Grants permission to list the resources that are members of a specified resource group | List | group* (p. 1277) | | cloudformation:DescribeS, cloudformation:ListStackR, tag:GetResources
ListGroups | Grants permission to list all resource groups in your account | List | | |
PutGroupPolicy [permission only] | Grants permission to add a resource-based policy for the specified group | Write | group* (p. 1277) | |
SearchResources | Grants permission to search for AWS resources matching the given query | List | | | cloudformation:DescribeS, cloudformation:ListStackR, tag:GetResources
Tag | Grants permission to tag a specified resource group | Tagging | group* (p. 1277) | aws:RequestTag/${TagKey} (p. 1277), aws:TagKeys (p. 1278) |
UngroupResources | Grants permission to remove the specified resources from the specified group | Write | group* (p. 1277) | |
Untag | Grants permission to remove tags associated with a specified resource group | Tagging | group* (p. 1277) | aws:TagKeys (p. 1278) |
UpdateGroup | Grants permission to update a specified resource group | Write | group* (p. 1277) | |
UpdateGroupQuery | Grants permission to update the query associated with a specified resource group | Write | group* (p. 1277) | |

Resource types defined by AWS Resource Groups


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1275) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
group | arn:${Partition}:resource-groups:${Region}:${Account}:group/${GroupName} | aws:ResourceTag/${TagKey} (p. 1278)

Condition keys for AWS Resource Groups


AWS Resource Groups defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String

Actions, resources, and condition keys for AWS RoboMaker

AWS RoboMaker (service prefix: robomaker) provides the following service-specific resources, actions,
and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS RoboMaker (p. 1278)
• Resource types defined by AWS RoboMaker (p. 1284)
• Condition keys for AWS RoboMaker (p. 1285)

Actions defined by AWS RoboMaker


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchDeleteWorlds | Delete one or more worlds in a batch operation | Write | | |
BatchDescribeSimulationJob | Describe multiple simulation jobs | Read | | |
CancelDeploymentJob | Cancel a deployment job | Write | deploymentJob* (p. 1285) | |
CancelSimulationJob | Cancel a simulation job | Write | simulationJob* (p. 1284) | |
CancelSimulationJobBatch | Cancel a simulation job batch | Write | simulationJobBatch* (p. 1285) | |
CancelWorldExportJob | Cancel a world export job | Write | worldExportJob* (p. 1285) | |
CancelWorldGenerationJob | Cancel a world generation job | Write | worldGenerationJob* (p. 1285) | |
CreateDeploymentJob | Create a deployment job | Write | | aws:TagKeys (p. 1285), aws:RequestTag/${TagKey} (p. 1285) | iam:CreateServiceLinkedR
CreateFleet | Create a deployment fleet that represents a logical group of robots running the same robot application | Write | | aws:TagKeys (p. 1285), aws:RequestTag/${TagKey} (p. 1285) |
CreateRobot | Create a robot that can be registered to a fleet | Write | | aws:TagKeys (p. 1285), aws:RequestTag/${TagKey} (p. 1285) | iam:CreateServiceLinkedR
CreateRobotApplication | Create a robot application | Write | | aws:TagKeys (p. 1285), aws:RequestTag/${TagKey} (p. 1285) |
CreateRobotApplicationVersion | Create a snapshot of a robot application | Write | robotApplication* (p. 1284) | | s3:GetObject
CreateSimulationApplication | Create a simulation application | Write | | aws:TagKeys (p. 1285), aws:RequestTag/${TagKey} (p. 1285) |
CreateSimulationApplicationVersion | Create a snapshot of a simulation application | Write | simulationApplication* (p. 1284) | | s3:GetObject
CreateSimulationJob | Create a simulation job | Write | | aws:TagKeys (p. 1285), aws:RequestTag/${TagKey} (p. 1285) | iam:CreateServiceLinkedR
CreateWorldExportJob | Create a world export job | Write | world* (p. 1285) | |
CreateWorldGenerationJob | Create a world generation job | Write | worldTemplate* (p. 1285) | |
CreateWorldTemplate | Create a world template | Write | | |
DeleteFleet | Delete a deployment fleet | Write | deploymentFleet* (p. 1285) | |
DeleteRobot | Delete a robot | Write | robot* (p. 1285) | |
DeleteRobotApplication | Delete a robot application | Write | robotApplication* (p. 1284) | |
DeleteSimulationApplication | Delete a simulation application | Write | simulationApplication* (p. 1284) | |
DeleteWorldTemplate | Delete a world template | Write | worldTemplate* (p. 1285) | |
DeregisterRobot | Deregister a robot from a fleet | Write | deploymentFleet* (p. 1285), robot* (p. 1285) | |
DescribeDeploymentJob | Describe a deployment job | Read | deploymentJob* (p. 1285) | |
DescribeFleet | Describe a deployment fleet | Read | deploymentFleet* (p. 1285) | |
DescribeRobot | Describe a robot | Read | robot* (p. 1285) | |
DescribeRobotApplication | Describe a robot application | Read | robotApplication* (p. 1284) | |
DescribeSimulationApplication | Describe a simulation application | Read | simulationApplication* (p. 1284) | |
DescribeSimulationJob | Describe a simulation job | Read | simulationJob* (p. 1284) | |
DescribeSimulationJobBatch | Describe a simulation job batch | Read | simulationJobBatch* (p. 1285) | |
DescribeWorld | Describe a world | Read | world* (p. 1285) | |
DescribeWorldExportJob | Describe a world export job | Read | worldExportJob* (p. 1285) | |
DescribeWorldGenerationJob | Describe a world generation job | Read | worldGenerationJob* (p. 1285) | |
DescribeWorldTemplate | Describe a world template | Read | worldTemplate* (p. 1285) | |
GetWorldTemplateBody | Get the body of a world template | Read | worldTemplate* (p. 1285) | |
List deployment jobs List      


ListDeploymentJobs

ListFleets List fleets List      

List robot applications List      


ListRobotApplications

ListRobots List robots List      

List simulation applications List      


ListSimulationApplications

List simulation job batches List      


ListSimulationJobBatches

List simulation jobs List      


ListSimulationJobs

Lists supported availability List      


ListSupportedAvailabilityZones
zones
[permission
only]

List tags for a RoboMaker List deploymentFleet


   
ListTagsForResource
resource. (p. 1285)

deploymentJob
   
(p. 1285)

robot    
(p. 1285)

robotApplication
   
(p. 1284)

1281
Service Authorization Reference
Service Authorization Reference
AWS RoboMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

simulationApplication
   
(p. 1284)

simulationJob   
(p. 1284)

simulationJobBatch
   
(p. 1285)

world    
(p. 1285)

worldExportJob
   
(p. 1285)

worldGenerationJob
   
(p. 1285)

worldTemplate
   
(p. 1285)

List world export jobs List      


ListWorldExportJobs

List world generation jobs List      


ListWorldGenerationJobs

List world templates List      


ListWorldTemplates

ListWorlds List worlds List      

RegisterRobot Register a robot to a fleet Write deploymentFleet*


   
(p. 1285)

robot*    
(p. 1285)

Restart a running simulation job Write simulationJob*


   
RestartSimulationJob (p. 1284)

Create a simulation job batch Write   aws:TagKeys iam:CreateServiceLinkedR


StartSimulationJobBatch (p. 1285)

aws:RequestTag/
${TagKey}
(p. 1285)

Ensures the most recently Write deploymentFleet*


  iam:CreateServiceLinkedR
SyncDeploymentJob
deployed robot application is (p. 1285)
deployed to all robots in the
fleet

TagResource Add tags to a RoboMaker Write deploymentFleet


   
resource (p. 1285)

1282
Service Authorization Reference
Service Authorization Reference
AWS RoboMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

deploymentJob
   
(p. 1285)

robot    
(p. 1285)

robotApplication
   
(p. 1284)

simulationApplication
   
(p. 1284)

simulationJob   
(p. 1284)

simulationJobBatch
   
(p. 1285)

world    
(p. 1285)

worldExportJob
   
(p. 1285)

worldGenerationJob
   
(p. 1285)

worldTemplate
   
(p. 1285)

  aws:TagKeys  
(p. 1285)

aws:RequestTag/
${TagKey}
(p. 1285)

Remove tags from a RoboMaker Write deploymentFleet


   
UntagResource resource (p. 1285)

deploymentJob
   
(p. 1285)

robot    
(p. 1285)

robotApplication
   
(p. 1284)

simulationApplication
   
(p. 1284)

simulationJob   
(p. 1284)

1283
Service Authorization Reference
Service Authorization Reference
AWS RoboMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

simulationJobBatch
   
(p. 1285)

world    
(p. 1285)

worldExportJob
   
(p. 1285)

worldGenerationJob
   
(p. 1285)

worldTemplate
   
(p. 1285)

  aws:TagKeys  
(p. 1285)

Update a robot application Write robotApplication*


   
UpdateRobotApplication (p. 1284)

Report the deployment status Write      


UpdateRobotDeployment
for an individual robot
[permission
only]

Update a simulation application Write simulationApplication*


   
UpdateSimulationApplication (p. 1284)

Update a world template Write worldTemplate*


   
UpdateWorldTemplate (p. 1285)

Resource types defined by AWS RoboMaker


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1278) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
robotApplication | arn:${Partition}:robomaker:${Region}:${Account}:robot-application/${ApplicationName}/${CreatedOnEpoch} | aws:ResourceTag/${TagKey}
simulationApplication | arn:${Partition}:robomaker:${Region}:${Account}:simulation-application/${ApplicationName}/${CreatedOnEpoch} | aws:ResourceTag/${TagKey}
simulationJob | arn:${Partition}:robomaker:${Region}:${Account}:simulation-job/${SimulationJobId} | aws:ResourceTag/${TagKey}
simulationJobBatch | arn:${Partition}:robomaker:${Region}:${Account}:simulation-job-batch/${SimulationJobBatchId} | aws:ResourceTag/${TagKey}
deploymentJob | arn:${Partition}:robomaker:${Region}:${Account}:deployment-job/${DeploymentJobId} | aws:ResourceTag/${TagKey}
robot | arn:${Partition}:robomaker:${Region}:${Account}:robot/${RobotName}/${CreatedOnEpoch} | aws:ResourceTag/${TagKey}
deploymentFleet | arn:${Partition}:robomaker:${Region}:${Account}:deployment-fleet/${FleetName}/${CreatedOnEpoch} | aws:ResourceTag/${TagKey}
worldGenerationJob | arn:${Partition}:robomaker:${Region}:${Account}:world-generation-job/${WorldGenerationJobId} | aws:ResourceTag/${TagKey}
worldExportJob | arn:${Partition}:robomaker:${Region}:${Account}:world-export-job/${WorldExportJobId} | aws:ResourceTag/${TagKey}
worldTemplate | arn:${Partition}:robomaker:${Region}:${Account}:world-template/${WorldTemplateJobId} | aws:ResourceTag/${TagKey}
world | arn:${Partition}:robomaker:${Region}:${Account}:world/${WorldId} | aws:ResourceTag/${TagKey}

Condition keys for AWS RoboMaker


AWS RoboMaker defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
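The RoboMaker rows above show the two places where tags enter an authorization decision: actions such as CreateSimulationJob and StartSimulationJobBatch list aws:TagKeys and aws:RequestTag/${TagKey} but no resource type, so they can only be scoped through the tags on the request, while resource types such as simulationJob carry aws:ResourceTag/${TagKey}, so existing resources can be scoped by the tags already on them. The Python script below is an added example, not part of this reference and not AWS code. It builds a policy from those rows and evaluates it locally with a minimal model of the StringEquals and ForAllValues:StringEquals operators; the account ID, region, tag key team and tag value robotics are assumptions, and explicit Deny statements, SCPs and resource policies are not modelled.

```python
"""Tag-based (ABAC) scoping of AWS RoboMaker permissions.

Added example, not part of the Service Authorization Reference or of AWS
code. Builds a policy from the RoboMaker rows above and evaluates it
locally with a minimal model of two IAM condition operators. Account,
region, tag key and tag value are assumptions; explicit Deny, SCPs and
resource policies are not modelled.
"""
import fnmatch
import json

TEAM_KEY, TEAM = "team", "robotics"             # assumed tag key and value
ACCOUNT, REGION = "123456789012", "us-east-1"   # assumed
# ARN format from the RoboMaker resource types table, with a wildcard ID.
SIM_JOB_ARN = f"arn:aws:robomaker:{REGION}:{ACCOUNT}:simulation-job/*"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # These actions take aws:RequestTag and aws:TagKeys and have no
            # resource type, so Resource is "*" and tags do the scoping.
            "Sid": "CreateOnlyWithTeamTag",
            "Effect": "Allow",
            "Action": ["robomaker:CreateSimulationJob", "robomaker:StartSimulationJobBatch"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {f"aws:RequestTag/{TEAM_KEY}": TEAM},
                # Every tag key in the request must be one of these.
                "ForAllValues:StringEquals": {"aws:TagKeys": [TEAM_KEY, "Name"]},
            },
        },
        {   # simulationJob* rows accept aws:ResourceTag, so existing jobs
            # can be limited to the ones carrying the team tag.
            "Sid": "ManageOwnTeamsJobs",
            "Effect": "Allow",
            "Action": ["robomaker:DescribeSimulationJob", "robomaker:CancelSimulationJob",
                       "robomaker:RestartSimulationJob"],
            "Resource": SIM_JOB_ARN,
            "Condition": {"StringEquals": {f"aws:ResourceTag/{TEAM_KEY}": TEAM}},
        },
    ],
}


def condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate StringEquals and ForAllValues:StringEquals. Context values
    are strings for single-valued keys and lists for multi-valued keys such
    as aws:TagKeys. A missing single-valued key fails StringEquals, but a
    missing or empty multi-valued key makes ForAllValues pass, which is why
    ForAllValues on aws:TagKeys is paired with StringEquals on RequestTag."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            present = ctx.get(key)
            if operator == "StringEquals":
                if present is None or present not in wanted:
                    return False
            elif operator == "ForAllValues:StringEquals":
                if any(v not in wanted for v in (present or [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Identity policy evaluation: implicit deny unless an Allow statement
    matches the action, the resource (only '*' is a wildcard) and its condition."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resource_ok = st["Resource"] == "*" or fnmatch.fnmatchcase(resource, st["Resource"])
        if action in actions and resource_ok and condition_holds(st.get("Condition", {}), ctx):
            return True
    return False


def demo() -> dict:
    """Constructed requests that exercise each branch of the policy."""
    job = f"arn:aws:robomaker:{REGION}:{ACCOUNT}:simulation-job/sim-0123456789"
    app = f"arn:aws:robomaker:{REGION}:{ACCOUNT}:robot-application/demo/1600000000"
    create, cancel = "robomaker:CreateSimulationJob", "robomaker:CancelSimulationJob"
    return {
        "create_tagged": is_allowed(POLICY, create, "*", {"aws:RequestTag/team": TEAM, "aws:TagKeys": ["team", "Name"]}),
        "create_other_team": is_allowed(POLICY, create, "*", {"aws:RequestTag/team": "finance", "aws:TagKeys": ["team"]}),
        "create_extra_key": is_allowed(POLICY, create, "*", {"aws:RequestTag/team": TEAM, "aws:TagKeys": ["team", "cost-center"]}),
        "create_untagged": is_allowed(POLICY, create, "*", {}),
        "cancel_own": is_allowed(POLICY, cancel, job, {"aws:ResourceTag/team": TEAM}),
        "cancel_other": is_allowed(POLICY, cancel, job, {"aws:ResourceTag/team": "finance"}),
        "delete_app": is_allowed(POLICY, "robomaker:DeleteRobotApplication", app, {"aws:ResourceTag/team": TEAM}),
    }


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, ok in demo().items():
        print(f"{name:18s} {'ALLOW' if ok else 'DENY'}")
```

Running it prints the policy and a verdict for each constructed request. The untagged request is the case worth noting: ForAllValues:StringEquals on aws:TagKeys passes when the request carries no tags at all, so on its own it does not force tagging; the StringEquals on aws:RequestTag/team is what turns an untagged request into a deny.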

Actions, resources, and condition keys for Amazon Route 53
Amazon Route 53 (service prefix: route53) provides the following service-specific resources, actions, and
condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Route 53 (p. 1286)
• Resource types defined by Amazon Route 53 (p. 1292)
• Condition keys for Amazon Route 53 (p. 1293)

Actions defined by Amazon Route 53


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation, and some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement; a statement that pairs such an action with a specific ARN never matches, so it grants
nothing. If the column includes a resource type, then you can specify an ARN of that type in a statement
with that action. Required resources are indicated in the table with an asterisk (*). If you specify a
resource-level permission ARN in a statement using this action, then it must be of this type. Some actions
support multiple resource types. If a resource type is optional (not indicated as required), you can specify
an ARN of that type without also specifying the others.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateVPCWithHostedZone | Grants permission to associate an additional Amazon VPC with a private hosted zone | Write | vpc*, hostedzone | - | ec2:DescribeVpcs
ChangeResourceRecordSets | Grants permission to create, update, or delete a record, which contains authoritative DNS information for a specified domain or subdomain name | Write | hostedzone* | - | -
ChangeTagsForResource | Grants permission to add, edit, or delete tags for a health check or a hosted zone | Tagging | healthcheck*, hostedzone* | - | -
CreateHealthCheck | Grants permission to create a new health check, which monitors the health and performance of your web applications, web servers, and other resources | Write | - | - | -
CreateHostedZone | Grants permission to create a public hosted zone, which you use to specify how the Domain Name System (DNS) routes traffic on the Internet for a domain, such as example.com, and its subdomains | Write | vpc | - | ec2:DescribeVpcs
CreateQueryLoggingConfig | Grants permission to create a configuration for DNS query logging | Write | hostedzone* | - | -
CreateReusableDelegationSet | Grants permission to create a delegation set (a group of four name servers) that can be reused by multiple hosted zones | Write | - | - | -
CreateTrafficPolicy | Grants permission to create a traffic policy, which you use to create multiple DNS records for one domain name (such as example.com) or one subdomain name (such as www.example.com) | Write | - | - | -
CreateTrafficPolicyInstance | Grants permission to create records in a specified hosted zone based on the settings in a specified traffic policy version | Write | hostedzone*, trafficpolicy* | - | -
CreateTrafficPolicyVersion | Grants permission to create a new version of an existing traffic policy | Write | trafficpolicy* | - | -
CreateVPCAssociationAuthorization | Grants permission to authorize the AWS account that created a specified VPC to submit an AssociateVPCWithHostedZone request, which associates the VPC with a specified hosted zone that was created by a different account | Write | hostedzone* | - | -
DeleteHealthCheck | Grants permission to delete a health check | Write | healthcheck* | - | -
DeleteHostedZone | Grants permission to delete a hosted zone | Write | hostedzone* | - | -
DeleteQueryLoggingConfig | Grants permission to delete a configuration for DNS query logging | Write | queryloggingconfig* | - | -
DeleteReusableDelegationSet | Grants permission to delete a reusable delegation set | Write | delegationset* | - | -
DeleteTrafficPolicy | Grants permission to delete a traffic policy | Write | trafficpolicy* | - | -
DeleteTrafficPolicyInstance | Grants permission to delete a traffic policy instance and all the records that Route 53 created when you created the instance | Write | trafficpolicyinstance* | - | -
DeleteVPCAssociationAuthorization | Grants permission to remove authorization for associating an Amazon Virtual Private Cloud with a Route 53 private hosted zone | Write | hostedzone* | - | -
DisassociateVPCFromHostedZone | Grants permission to disassociate an Amazon Virtual Private Cloud from a Route 53 private hosted zone | Write | hostedzone, vpc | - | ec2:DescribeVpcs
GetAccountLimit | Grants permission to get the specified limit for the current account, for example, the maximum number of health checks that you can create using the account | Read | - | - | -
GetChange | Grants permission to get the current status of a request to create, update, or delete one or more records | List | change* | - | -
GetCheckerIpRanges | Grants permission to get a list of the IP ranges that are used by Route 53 health checkers to check the health of your resources | List | - | - | -
GetGeoLocation | Grants permission to get information about whether a specified geographic location is supported for Route 53 geolocation records | List | - | - | -
GetHealthCheck | Grants permission to get information about a specified health check | Read | healthcheck* | - | -
GetHealthCheckCount | Grants permission to get the number of health checks that are associated with the current AWS account | List | - | - | -
GetHealthCheckLastFailureReason | Grants permission to get the reason that a specified health check failed most recently | List | healthcheck* | - | -
GetHealthCheckStatus | Grants permission to get the status of a specified health check | List | healthcheck* | - | -
GetHostedZone | Grants permission to get information about a specified hosted zone including the four name servers that Route 53 assigned to the hosted zone | List | hostedzone* | - | -
GetHostedZoneCount | Grants permission to get the number of hosted zones that are associated with the current AWS account | List | - | - | -
GetHostedZoneLimit | Grants permission to get the specified limit for a specified hosted zone | Read | hostedzone* | - | -
GetQueryLoggingConfig | Grants permission to get information about a specified configuration for DNS query logging | Read | queryloggingconfig* | - | -
GetReusableDelegationSet | Grants permission to get information about a specified reusable delegation set, including the four name servers that are assigned to the delegation set | List | delegationset* | - | -
GetReusableDelegationSetLimit | Grants permission to get the maximum number of hosted zones that you can associate with the specified reusable delegation set | Read | delegationset* | - | -
GetTrafficPolicy | Grants permission to get information about a specified traffic policy version | Read | trafficpolicy* | - | -
GetTrafficPolicyInstance | Grants permission to get information about a specified traffic policy instance | Read | trafficpolicyinstance* | - | -
GetTrafficPolicyInstanceCount | Grants permission to get the number of traffic policy instances that are associated with the current AWS account | Read | - | - | -
ListGeoLocations | Grants permission to get a list of geographic locations that Route 53 supports for geolocation | List | - | - | -
ListHealthChecks | Grants permission to get a list of the health checks that are associated with the current AWS account | List | - | - | -
ListHostedZones | Grants permission to get a list of the public and private hosted zones that are associated with the current AWS account | List | - | - | -
ListHostedZonesByName | Grants permission to get a list of your hosted zones in lexicographic order; hosted zones are sorted by name with the labels reversed, for example, com.example.www | List | - | - | -
ListHostedZonesByVPC | Grants permission to get a list of all the private hosted zones that a specified VPC is associated with | List | vpc* | - | ec2:DescribeVpcs
ListQueryLoggingConfigs | Grants permission to list the configurations for DNS query logging that are associated with the current AWS account or the configuration that is associated with a specified hosted zone | List | hostedzone | - | -
ListResourceRecordSets | Grants permission to list the records in a specified hosted zone | List | hostedzone* | - | -
ListReusableDelegationSets | Grants permission to list the reusable delegation sets that are associated with the current AWS account | List | - | - | -
ListTagsForResource | Grants permission to list tags for one health check or hosted zone | List | healthcheck, hostedzone | - | -
ListTagsForResources | Grants permission to list tags for up to 10 health checks or hosted zones | List | healthcheck, hostedzone | - | -
ListTrafficPolicies | Grants permission to get information about the latest version for every traffic policy that is associated with the current AWS account; policies are listed in the order in which they were created | List | - | - | -
ListTrafficPolicyInstances | Grants permission to get information about the traffic policy instances that you created by using the current AWS account | List | - | - | -
ListTrafficPolicyInstancesByHostedZone | Grants permission to get information about the traffic policy instances that you created in a specified hosted zone | List | hostedzone* | - | -
ListTrafficPolicyInstancesByPolicy | Grants permission to get information about the traffic policy instances that you created using a specified traffic policy version | List | trafficpolicy* | - | -
ListTrafficPolicyVersions | Grants permission to get information about all the versions for a specified traffic policy | List | trafficpolicy* | - | -
ListVPCAssociationAuthorizations | Grants permission to get a list of the VPCs that were created by other accounts and that can be associated with a specified hosted zone | List | hostedzone* | - | -
TestDNSAnswer | Grants permission to get the value that Route 53 returns in response to a DNS query for a specified record name and type | Read | - | - | -
UpdateHealthCheck | Grants permission to update an existing health check | Write | healthcheck* | - | -
UpdateHostedZoneComment | Grants permission to update the comment for a specified hosted zone | Write | hostedzone* | - | -
UpdateTrafficPolicyComment | Grants permission to update the comment for a specified traffic policy version | Write | trafficpolicy* | - | -
UpdateTrafficPolicyInstance | Grants permission to update the records in a specified hosted zone that were created based on the settings in a specified traffic policy version | Write | trafficpolicyinstance* | - | -

Resource types defined by Amazon Route 53


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1286) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
change | arn:${Partition}:route53:::change/${Id} | -
delegationset | arn:${Partition}:route53:::delegationset/${Id} | -
healthcheck | arn:${Partition}:route53:::healthcheck/${Id} | -
hostedzone | arn:${Partition}:route53:::hostedzone/${Id} | -
trafficpolicy | arn:${Partition}:route53:::trafficpolicy/${Id} | -
trafficpolicyinstance | arn:${Partition}:route53:::trafficpolicyinstance/${Id} | -
queryloggingconfig | arn:${Partition}:route53:::queryloggingconfig/${Id} | -
vpc | arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId} | -


Condition keys for Amazon Route 53


Route 53 has no service-specific context keys that can be used in the Condition element of policy
statements. For the list of the global context keys that are available to all services, see Available keys for
conditions.

Actions, resources, and condition keys for Amazon Route 53 Resolver
Amazon Route 53 Resolver (service prefix: route53resolver) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Route 53 Resolver (p. 1293)
• Resource types defined by Amazon Route 53 Resolver (p. 1297)
• Condition keys for Amazon Route 53 Resolver (p. 1298)

Actions defined by Amazon Route 53 Resolver


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation, and some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If a resource type is optional (not indicated as required),
you can specify an ARN of that type without also specifying the others.

For details about the columns in the following table, see The actions table (p. 1).

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateResolverEndpointIpAddress | Grants permission to associate a specified IP address with a Resolver endpoint. This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) | Write | resolver-endpoint* | - | -
AssociateResolverQueryLogConfig | Grants permission to associate an Amazon VPC with a specified query logging configuration | Write | resolver-query-log-config* | - | -
AssociateResolverRule | Grants permission to associate a specified Resolver rule with a specified VPC | Write | resolver-rule* | - | -
CreateResolverEndpoint | Grants permission to create a Resolver endpoint. There are two types of Resolver endpoints, inbound and outbound | Write | resolver-endpoint* | - | -
CreateResolverQueryLogConfig | Grants permission to create a Resolver query logging configuration, which defines where you want Resolver to save DNS query logs that originate in your VPCs | Write | resolver-query-log-config* | - | -
CreateResolverRule | For DNS queries that originate in your VPC, grants permission to define how to route the queries out of the VPC | Write | resolver-rule* | - | -
DeleteResolverEndpoint | Grants permission to delete a Resolver endpoint. The effect of deleting a Resolver endpoint depends on whether it's an inbound or an outbound endpoint | Write | resolver-endpoint* | - | -
DeleteResolverQueryLogConfig | Grants permission to delete a Resolver query logging configuration | Write | resolver-query-log-config* | - | -
DeleteResolverRule | Grants permission to delete a Resolver rule | Write | resolver-rule* | - | -
DisassociateResolverEndpointIpAddress | Grants permission to remove a specified IP address from a Resolver endpoint. This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) | Write | resolver-endpoint* | - | -
DisassociateResolverQueryLogConfig | Grants permission to remove the association between a specified Resolver query logging configuration and a specified VPC | Write | resolver-query-log-config* | - | -
DisassociateResolverRule | Grants permission to remove the association between a specified Resolver rule and a specified VPC | Write | resolver-rule* | - | -
GetResolverEndpoint | Grants permission to get information about a specified Resolver endpoint, such as whether it's an inbound or an outbound endpoint, and the IP addresses in your VPC that DNS queries are forwarded to on the way into or out of your VPC | Read | resolver-endpoint* | - | -
GetResolverQueryLogConfig | Grants permission to get information about a specified Resolver query logging configuration, such as the number of VPCs that the configuration is logging queries for and the location that logs are sent to | Read | resolver-query-log-config* | - | -
GetResolverQueryLogConfigAssociation | Grants permission to get information about a specified association between a Resolver query logging configuration and an Amazon VPC. When you associate a VPC with a query logging configuration, Resolver logs DNS queries that originate in that VPC | Read | resolver-query-log-config* | - | -
GetResolverQueryLogConfigPolicy | Grants permission to get information about a specified Resolver query logging policy, which specifies the Resolver query logging operations and resources that you want to allow another AWS account to use | Read | resolver-query-log-config* | - | -
GetResolverRule | Grants permission to get information about a specified Resolver rule, such as the domain name that the rule forwards DNS queries for and the IP address that queries are forwarded to | Read | resolver-rule* | - | -
GetResolverRuleAssociation | Grants permission to get information about an association between a specified Resolver rule and a VPC | Read | resolver-rule* | - | -
GetResolverRulePolicy | Grants permission to get information about a Resolver rule policy, which specifies the Resolver operations and resources that you want to allow another AWS account to use | Read | resolver-rule* | - | -
ListResolverEndpointIpAddresses | For a specified Resolver endpoint, grants permission to list the IP addresses that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) | List | resolver-endpoint* | - | -
ListResolverEndpoints | Grants permission to list all the Resolver endpoints that were created using the current AWS account | List | - | - | -
ListResolverQueryLogConfigAssociations | Grants permission to list information about associations between Amazon VPCs and query logging configurations | List | resolver-query-log-config* | - | -
ListResolverQueryLogConfigs | Grants permission to list information about the specified query logging configurations, which define where you want Resolver to save DNS query logs and specify the VPCs that you want to log queries for | List | resolver-query-log-config* | - | -
ListResolverRuleAssociations | Grants permission to list the associations that were created between Resolver rules and VPCs using the current AWS account | List | - | - | -
ListResolverRules | Grants permission to list the Resolver rules that were created using the current AWS account | List | - | - | -
ListTagsForResource | Grants permission to list the tags that you associated with the specified resource | Read | resolver-endpoint, resolver-rule | - | -
PutResolverQueryLogConfigPolicy | Grants permission to specify an AWS account that you want to share a query logging configuration with, the query logging configuration that you want to share, and the operations that you want the account to be able to perform on the configuration | Write | resolver-query-log-config* | - | -
PutResolverRulePolicy | Grants permission to specify an AWS account that you want to share rules with, the Resolver rules that you want to share, and the operations that you want the account to be able to perform on those rules | Write | resolver-rule* | - | -
TagResource | Grants permission to add one or more tags to a specified resource | Tagging | resolver-endpoint, resolver-rule | - | -
UntagResource | Grants permission to remove one or more tags from a specified resource | Tagging | resolver-endpoint, resolver-rule | - | -
UpdateResolverEndpoint | Grants permission to update selected settings for an inbound or an outbound Resolver endpoint | Write | resolver-endpoint* | - | -
UpdateResolverRule | Grants permission to update settings for a specified Resolver rule | Write | resolver-rule* | - | -

Resource types defined by Amazon Route 53 Resolver


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1293) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

Resource types | ARN | Condition keys
resolver-query-log-config | arn:${Partition}:route53resolver:${Region}:${Account}:resolver-query-log-config/${ResourceId} | aws:ResourceTag/${TagKey}
resolver-rule | arn:${Partition}:route53resolver:${Region}:${Account}:resolver-rule/${ResourceId} | aws:ResourceTag/${TagKey}
resolver-endpoint | arn:${Partition}:route53resolver:${Region}:${Account}:resolver-endpoint/${ResourceId} | aws:ResourceTag/${TagKey}

Condition keys for Amazon Route 53 Resolver


Amazon Route 53 Resolver defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String
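The resource types table above gives the ARN shape for each Resolver resource, and the condition keys table gives the tag keys a policy can test. The following Python is an added illustration for this reference, not AWS code: it turns the three ARN templates into matchers, uses them to catch Resource ARNs that can never match a request, and builds a tag-scoped policy in which an operator may edit and share only resolver rules tagged Environment=prod and may not add or remove that tag anywhere (an ABAC policy is only as strong as control over the tag it keys on). The tag key "Environment", the account 123456789012 and the Region are assumptions of the example; aws:ResourceTag comes from the resource types table and aws:TagKeys from the condition keys table.

```python
"""ARN templates from the Route 53 Resolver resource types table, turned
into matchers, plus a tag-scoped (ABAC) policy built on them.
Added illustration for this reference; not AWS code. The tag key
"Environment", the account 123456789012 and the Region are assumptions."""
import json
import re

# ARN templates exactly as given in the resource types table.
RESOLVER_ARN_TEMPLATES = {
    "resolver-query-log-config":
        "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-query-log-config/${ResourceId}",
    "resolver-rule":
        "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-rule/${ResourceId}",
    "resolver-endpoint":
        "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-endpoint/${ResourceId}",
}

_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def template_to_regex(template):
    """Escape the literal parts of a template and turn each ${Field} into a
    named group. Partition, Region and Account cannot contain ':', while
    ResourceId takes everything after the final '/'."""
    pattern, pos = "", 0
    for m in _PLACEHOLDER.finditer(template):
        pattern += re.escape(template[pos:m.start()])
        name = m.group(1)
        pattern += f"(?P<{name}>.+)" if name == "ResourceId" else f"(?P<{name}>[^:]+)"
        pos = m.end()
    return re.compile("^" + pattern + re.escape(template[pos:]) + "$")


def classify_arn(arn):
    """Return (resource type, captured fields) for a Resolver ARN, else None.
    Policy wildcards such as '*' in Region or ResourceId are accepted."""
    for rtype, template in RESOLVER_ARN_TEMPLATES.items():
        m = template_to_regex(template).match(arn)
        if m:
            return rtype, m.groupdict()
    return None


def fill_template(rtype, **fields):
    """Instantiate a template; fields that are not supplied become '*'."""
    return _PLACEHOLDER.sub(lambda m: fields.get(m.group(1), "*"), RESOLVER_ARN_TEMPLATES[rtype])


def unmatched_resources(policy):
    """Resource ARNs in a policy that match none of the templates. A typo
    such as 'resolver-rules/' is valid JSON but never matches a request."""
    bad = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        for arn in (res if isinstance(res, list) else [res]):
            if arn != "*" and classify_arn(arn) is None:
                bad.append(arn)
    return bad


def resolver_rule_abac_policy(partition, region, account, env):
    """Operator may edit and share only rules tagged Environment=<env>, and
    may not touch that tag on any resource, so the scope cannot be widened
    by retagging another rule into it."""
    rule_arn = fill_template("resolver-rule", Partition=partition, Region=region, Account=account)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EditAndShareTaggedRules",
                "Effect": "Allow",
                "Action": ["route53resolver:UpdateResolverRule",
                           "route53resolver:PutResolverRulePolicy"],
                "Resource": rule_arn,
                "Condition": {"StringEquals": {"aws:ResourceTag/Environment": env}},
            },
            {
                "Sid": "FreezeTheScopingTag",
                "Effect": "Deny",
                "Action": ["route53resolver:TagResource", "route53resolver:UntagResource"],
                "Resource": "*",
                "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["Environment"]}},
            },
        ],
    }


if __name__ == "__main__":
    policy = resolver_rule_abac_policy("aws", "us-east-1", "123456789012", "prod")
    print(json.dumps(policy, indent=2))
    print(classify_arn(policy["Statement"][0]["Resource"]))
```

PutResolverRulePolicy is the cross-account sharing primitive for rules, which is why it sits in the tag-scoped Allow rather than in a blanket grant; the Deny on the tagging actions is what keeps the aws:ResourceTag condition meaningful.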

Actions, resources, and condition keys for Amazon Route53 Domains
Amazon Route53 Domains (service prefix: route53domains) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon Route53 Domains (p. 1299)
• Resource types defined by Amazon Route53 Domains (p. 1301)
• Condition keys for Amazon Route53 Domains (p. 1301)


Actions defined by Amazon Route53 Domains


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

No Amazon Route53 Domains action supports a resource type, a service-specific condition key or a dependent action, so those columns are omitted; every statement that names one of these actions must use Resource "*".

Action | Description | Access level
CheckDomainAvailability | Grants permission to check the availability of one domain name | Read
DeleteTagsForDomain | Grants permission to delete the specified tags for a domain | Tagging
DisableDomainAutoRenew | Grants permission to configure Amazon Route 53 to stop automatically renewing the specified domain before the domain registration expires | Write
DisableDomainTransferLock | Grants permission to remove the transfer lock on the domain (specifically the clientTransferProhibited status) to allow domain transfers | Write
EnableDomainAutoRenew | Grants permission to configure Amazon Route 53 to automatically renew the specified domain before the domain registration expires | Write
EnableDomainTransferLock | Grants permission to set the transfer lock on the domain (specifically the clientTransferProhibited status) to prevent domain transfers | Write
GetContactReachabilityStatus | For operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain, grants permission to get information about whether the registrant contact has responded | Read
GetDomainDetail | Grants permission to get detailed information about a domain | Read
GetDomainSuggestions | Grants permission to get a list of suggested domain names given a string, which can either be a domain name or simply a word or phrase (without spaces) | Read
GetOperationDetail | Grants permission to get the current status of an operation that is not completed | Read
ListDomains | Grants permission to list all the domain names registered with Amazon Route 53 for the current AWS account | List
ListOperations | Grants permission to list the operation IDs of operations that are not yet complete | List
ListTagsForDomain | Grants permission to list all the tags that are associated with the specified domain | List
RegisterDomain | Grants permission to register domains | Write
RenewDomain | Grants permission to renew domains for the specified number of years | Write
ResendContactReachabilityEmail | For operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain, grants permission to resend the confirmation email to the current email address for the registrant contact | Write
RetrieveDomainAuthCode | Grants permission to get the AuthCode for the domain | Write
TransferDomain | Grants permission to transfer a domain from another registrar to Amazon Route 53 | Write
UpdateDomainContact | Grants permission to update the contact information for a domain | Write
UpdateDomainContactPrivacy | Grants permission to update the domain contact privacy setting | Write
UpdateDomainNameservers | Grants permission to replace the current set of name servers for a domain with the specified set of name servers | Write
UpdateTagsForDomain | Grants permission to add or update tags for a specified domain | Tagging
ViewBilling | Grants permission to get all the domain-related billing records for the current AWS account for a specified period | Read


Resource types defined by Amazon Route53 Domains


Amazon Route53 Domains does not support specifying a resource ARN in the Resource element of an
IAM policy statement. To allow access to Amazon Route53 Domains, specify "Resource": "*" in your
policy.

Condition keys for Amazon Route53 Domains


Route53 Domains has no service-specific context keys that can be used in the Condition element of
policy statements. For the list of the global context keys that are available to all services, see Available
keys for conditions.
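Because no Route53 Domains action takes a resource ARN, a statement that names one of these actions together with anything other than Resource "*" never matches a request: an Allow written that way grants nothing, and a Deny written that way protects nothing. The following Python is an added illustration for this reference, not AWS code. It expands Action wildcards against the actions table above, flags statements whose Resource can never match, and flags broad Allows of the actions that can move a domain away or re-point it (transfer lock, auth code, transfer, name servers, contact). Both sample policies, including the ARN-looking string in the first one, are constructed for the example; the high-impact list is this example's own selection from the table.

```python
"""Lint IAM statements aimed at Amazon Route53 Domains, a service whose
actions accept no resource ARN. Added illustration for this reference;
not AWS code. The sample policies and the ARN-looking string in them are
constructed for the example."""
from fnmatch import fnmatchcase

# Every action from the Route53 Domains actions table.
ROUTE53DOMAINS_ACTIONS = [
    "route53domains:" + a for a in (
        "CheckDomainAvailability", "DeleteTagsForDomain", "DisableDomainAutoRenew",
        "DisableDomainTransferLock", "EnableDomainAutoRenew", "EnableDomainTransferLock",
        "GetContactReachabilityStatus", "GetDomainDetail", "GetDomainSuggestions",
        "GetOperationDetail", "ListDomains", "ListOperations", "ListTagsForDomain",
        "RegisterDomain", "RenewDomain", "ResendContactReachabilityEmail",
        "RetrieveDomainAuthCode", "TransferDomain", "UpdateDomainContact",
        "UpdateDomainContactPrivacy", "UpdateDomainNameservers", "UpdateTagsForDomain",
        "ViewBilling",
    )
]

# This example's selection: actions that can transfer a domain out or
# re-point it, so a broad Allow of them deserves review.
HIGH_IMPACT_ACTIONS = {
    "route53domains:DisableDomainTransferLock",
    "route53domains:RetrieveDomainAuthCode",
    "route53domains:TransferDomain",
    "route53domains:UpdateDomainNameservers",
    "route53domains:UpdateDomainContact",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def expand_actions(pattern):
    """Expand one Action entry against the table; IAM matches action names
    case-insensitively and allows '*' wildcards."""
    return [a for a in ROUTE53DOMAINS_ACTIONS if fnmatchcase(a.lower(), pattern.lower())]


def lint_domains_policy(policy):
    """Return (Sid, code, detail) findings.

    INEFFECTIVE: the statement names Route53 Domains actions but its
    Resource carries no "*", so it can never match a request.
    HIGH_IMPACT_ALLOW: the statement allows an action in HIGH_IMPACT_ACTIONS."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        matched = sorted({a for p in _as_list(stmt.get("Action", [])) for a in expand_actions(p)})
        if not matched:
            continue
        resources = _as_list(stmt.get("Resource", []))
        if "*" not in resources:
            findings.append((sid, "INEFFECTIVE",
                             'Route53 Domains actions require Resource "*"; got ' + ", ".join(resources)))
        risky = sorted(set(matched) & HIGH_IMPACT_ACTIONS)
        if stmt.get("Effect") == "Allow" and risky:
            findings.append((sid, "HIGH_IMPACT_ALLOW", ", ".join(risky)))
    return findings


# Constructed: a guard rail whose author assumed a per-domain ARN exists.
MISTAKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RegistrarAdmin", "Effect": "Allow",
         "Action": "route53domains:*", "Resource": "*"},
        {"Sid": "KeepTransferLock", "Effect": "Deny",
         "Action": ["route53domains:DisableDomainTransferLock",
                    "route53domains:RetrieveDomainAuthCode"],
         "Resource": "arn:aws:route53domains:::domain/example.com"},
    ],
}

# Constructed: the same intent, written so that the Deny actually applies
# and the Allow stays at read, renew and billing.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RegistrarReadAndRenew", "Effect": "Allow",
         "Action": ["route53domains:Get*", "route53domains:List*",
                    "route53domains:ViewBilling", "route53domains:RenewDomain",
                    "route53domains:EnableDomainAutoRenew"],
         "Resource": "*"},
        {"Sid": "KeepTransferLock", "Effect": "Deny",
         "Action": ["route53domains:DisableDomainTransferLock",
                    "route53domains:RetrieveDomainAuthCode",
                    "route53domains:TransferDomain"],
         "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, pol in (("mistaken", MISTAKEN_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, lint_domains_policy(pol) or "no findings")
```

The mistaken policy is the one to watch for in review: the Deny looks scoped and deliberate, yet the account-wide route53domains:* Allow is all that takes effect.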

Actions, resources, and condition keys for Amazon S3


Amazon S3 (service prefix: s3) provides the following service-specific resources, actions, and condition
context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon S3 (p. 1302)
• Resource types defined by Amazon S3 (p. 1356)
• Condition keys for Amazon S3 (p. 1357)


Actions defined by Amazon S3


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).
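Almost every S3 action in the table below accepts the request-context keys s3:authType, s3:signatureAge, s3:signatureversion and s3:x-amz-content-sha256, which describe how the request was signed rather than what it touches. The following Python is an added illustration for this reference, not AWS code: a toy evaluator implementing just enough of the IAM decision rule (an explicit Deny wins, then any Allow, else implicit deny) to show a constructed bucket-hardening policy in action. The policy allows object reads and writes, then denies SigV2 signatures (s3:signatureversion other than AWS4-HMAC-SHA256), presigned URLs (s3:authType REST-QUERY-STRING), uploads whose body hash is UNSIGNED-PAYLOAD, and signatures older than 600000 milliseconds. The bucket name, the object key and the request contexts are constructed; the treatment of a missing context key (positive operators fail, negated operators succeed) is this example's simplification rather than a complete statement of IAM semantics.

```python
"""Toy IAM evaluator for the S3 request-context condition keys
s3:signatureversion, s3:authType, s3:signatureAge and
s3:x-amz-content-sha256. Added illustration for this reference; not AWS
code. Only the operators the sample policy needs are implemented. A
missing context key fails a positive operator and satisfies a negated
one, which is this example's simplification."""
from fnmatch import fnmatchcase

# Constructed policy: allow object reads/writes, then refuse the weak ways of
# signing a request. Signature version "AWS" is SigV2, authType
# REST-QUERY-STRING is a presigned URL, UNSIGNED-PAYLOAD skips the body
# hash, and s3:signatureAge is measured in milliseconds.
HARDENED_OBJECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowObjectReadWrite", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenySigV2", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"StringNotEquals": {"s3:signatureversion": "AWS4-HMAC-SHA256"}}},
        {"Sid": "DenyPresignedUrls", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"StringEquals": {"s3:authType": "REST-QUERY-STRING"}}},
        {"Sid": "DenyUnsignedUploadBody", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "*",
         "Condition": {"StringEquals": {"s3:x-amz-content-sha256": "UNSIGNED-PAYLOAD"}}},
        {"Sid": "DenyLongLivedSignatures", "Effect": "Deny", "Action": "s3:*",
         "Resource": "*",
         "Condition": {"NumericGreaterThan": {"s3:signatureAge": "600000"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, wanted, context):
    wanted = [str(w) for w in _as_list(wanted)]
    if key not in context:
        return operator.startswith(("StringNot", "NumericNot"))
    actual = str(context[key])
    if operator == "StringEquals":
        return actual in wanted
    if operator == "StringNotEquals":
        return actual not in wanted
    if operator == "StringLike":
        return any(fnmatchcase(actual, w) for w in wanted)
    if operator == "NumericLessThan":
        return any(float(actual) < float(w) for w in wanted)
    if operator == "NumericGreaterThan":
        return any(float(actual) > float(w) for w in wanted)
    raise ValueError("operator not implemented in this example: " + operator)


def _applies(stmt, action, resource, context):
    """Action and Resource use IAM-style '*' wildcards; every Condition
    entry must hold for the statement to apply."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, wanted, context)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, wanted in pairs.items())


def evaluate(policy, action, resource, context):
    """'Deny' if any applicable statement denies, else 'Allow' if one
    allows, else 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def sigv4_header_request(**overrides):
    """Constructed request context for a well-formed SigV4 header-signed
    call; keyword arguments override individual keys."""
    ctx = {"s3:signatureversion": "AWS4-HMAC-SHA256", "s3:authType": "REST-HEADER",
           "s3:x-amz-content-sha256":
               "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
           "s3:signatureAge": "1500"}
    ctx.update(overrides)
    return ctx


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/reports/q1.csv"
    for label, ctx in (("sigv4 header", sigv4_header_request()),
                       ("sigv2", sigv4_header_request(**{"s3:signatureversion": "AWS"})),
                       ("presigned", sigv4_header_request(**{"s3:authType": "REST-QUERY-STRING"})),
                       ("stale", sigv4_header_request(**{"s3:signatureAge": "900000"}))):
        print(label, evaluate(HARDENED_OBJECT_POLICY, "s3:GetObject", obj, ctx))
```

Note that DenyUnsignedUploadBody names only s3:PutObject, so a GetObject with UNSIGNED-PAYLOAD is still allowed; the evaluator makes that scoping visible, which is the point of running a policy against sample contexts before deploying it.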

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to abort a Write object*    


AbortMultipartUpload
multipart upload (p. 1356)

  s3:DataAccessPointArn
 
(p. 1357)

s3:DataAccessPointAccount
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to allow Permissions object*    


BypassGovernanceRetention
circumvention of governance- management (p. 1356)
mode object retention settings
  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

1302
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)
s3:RequestObjectTag/
<key>
(p. 1357)

s3:RequestObjectTagKeys
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-
amz-acl
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

s3:x-amz-
copy-
source
(p. 1358)

s3:x-amz-
grant-full-
control
(p. 1358)

s3:x-amz-
grant-read
(p. 1358)

s3:x-amz-
grant-
read-acp
(p. 1358)

s3:x-amz-
grant-
write
(p. 1358)

s3:x-amz-
grant-
write-acp
(p. 1358)

1303
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)
s3:x-amz-
metadata-
directive
(p. 1359)

s3:x-amz-
server-
side-
encryption
(p. 1359)

s3:x-amz-
server-
side-
encryption-
aws-kms-
key-id
(p. 1359)

s3:x-amz-
storage-
class
(p. 1359)

s3:x-amz-
website-
redirect-
location
(p. 1359)

s3:object-
lock-mode
(p. 1358)

s3:object-
lock-
retain-
until-date
(p. 1358)

s3:object-
lock-
remaining-
retention-
days
(p. 1358)

s3:object-
lock-
legal-hold
(p. 1358)

Grants permission to create a Write accesspoint*    


CreateAccessPointnew access point (p. 1356)

1304
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:locationconstraint
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-
amz-acl
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

CreateBucket Grants permission to create a Write bucket*    


new bucket (p. 1356)

1305
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:authType  
(p. 1358)

s3:locationconstraint
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-
amz-acl
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

s3:x-amz-
grant-full-
control
(p. 1358)

s3:x-amz-
grant-read
(p. 1358)

s3:x-amz-
grant-
read-acp
(p. 1358)

s3:x-amz-
grant-
write
(p. 1358)

s3:x-amz-
grant-
write-acp
(p. 1358)

1306
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

CreateJob Grants permission to create Write   s3:authType iam:PassRole


a new Amazon S3 Batch (p. 1358)
Operations job
s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

s3:RequestJobPriority
(p. 1357)

s3:RequestJobOperation
(p. 1357)

aws:TagKeys
(p. 1357)

aws:RequestTag/
${TagKey}
(p. 1357)

Grants permission to delete the Write accesspoint*    


DeleteAccessPointaccess point named in the URI (p. 1356)

  s3:DataAccessPointArn
 
(p. 1357)

s3:DataAccessPointAccount
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to delete the Permissions accesspoint*    


DeleteAccessPointPolicy
policy on a specified access point management (p. 1356)

1307
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:DataAccessPointArn
 
(p. 1357)

s3:DataAccessPointAccount
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

DeleteBucket Grants permission to delete the Write bucket*    


bucket named in the URI (p. 1356)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to delete Write bucket*    


DeleteBucketOwnershipControls
ownership controls on a bucket (p. 1356)

1308
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to delete the Permissions bucket*    


DeleteBucketPolicy
policy on a specified bucket management (p. 1356)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to remove Write bucket*    


DeleteBucketWebsite
the website configuration for a (p. 1356)
bucket
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to remove Tagging job*    


DeleteJobTaggingtags from an existing Amazon S3 (p. 1356)
Batch Operations job

1309
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

s3:ExistingJobPriority
(p. 1357)

s3:ExistingJobOperation
(p. 1357)

DeleteObject Grants permission to remove Write object*    


the null version of an object and (p. 1356)
insert a delete marker, which
becomes the current version of   s3:DataAccessPointAccount
 
the object (p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to use the Tagging object*    


DeleteObjectTagging
tagging subresource to remove (p. 1356)
the entire tag set from the
specified object

1310
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:ExistingObjectTag/
<key>
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to remove a Write object*    


DeleteObjectVersion
specific version of an object (p. 1356)

  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:versionid
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

1311
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to remove Tagging object*    


DeleteObjectVersionTagging
the entire tag set for a specific (p. 1356)
version of the object
  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:ExistingObjectTag/
<key>
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:versionid
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to delete an Write storagelensconfiguration*


   
DeleteStorageLensConfiguration
existing Amazon S3 Storage (p. 1356)
Lens configuration
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to remove Tagging storagelensconfiguration*


   
DeleteStorageLensConfigurationTagging
tags from an existing Amazon S3 (p. 1356)
Storage Lens configuration

1312
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

DescribeJob Grants permission to retrieve the Read job*    


configuration parameters and (p. 1356)
status for a batch operations job
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to uses the Read bucket*    


GetAccelerateConfiguration
accelerate subresource to return (p. 1356)
the Transfer Acceleration state
of a bucket, which is either   s3:authType  
Enabled or Suspended (p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

1313
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to return Read   s3:DataAccessPointAccount


 
GetAccessPoint configuration information about (p. 1357)
the specified access point
s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to returns the Read accesspoint*    


GetAccessPointPolicy
access point policy associated (p. 1356)
with the specified access point
  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return the Read accesspoint*    


GetAccessPointPolicyStatus
policy status for a specific access (p. 1356)
point policy

1314
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to retrieve the Read   s3:authType  


GetAccountPublicAccessBlock
PublicAccessBlock configuration (p. 1358)
for an AWS account
s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to get an Read bucket*    


GetAnalyticsConfiguration
analytics configuration from an (p. 1356)
Amazon S3 bucket, identified by
the analytics configuration ID   s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

1315
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

GetBucketAcl Grants permission to use the acl Read bucket*    


subresource to return the access (p. 1356)
control list (ACL) of an Amazon
S3 bucket   s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return the Read bucket*    


GetBucketCORS CORS configuration information (p. 1356)
set for an Amazon S3 bucket
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return Read bucket*    


GetBucketLocation
the Region that an Amazon S3 (p. 1356)
bucket resides in

Grants permission to return the Read bucket*    


GetBucketLogginglogging status of an Amazon (p. 1356)
S3 bucket and the permissions
users have to view or modify   s3:authType  
that status (p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

1316
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to get the Read bucket*    


GetBucketNotification
notification configuration of an (p. 1356)
Amazon S3 bucket
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to get the Read bucket*    


GetBucketObjectLockConfiguration
Object Lock configuration of an (p. 1356)
Amazon S3 bucket
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

Grants permission to retrieve Read bucket*    


GetBucketOwnershipControls
ownership controls on a bucket (p. 1356)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return the Read bucket*    


GetBucketPolicy policy of the specified bucket (p. 1356)

1317
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to retrieve Read bucket*    


GetBucketPolicyStatus
the policy status for a specific (p. 1356)
Amazon S3 bucket, which
indicates whether the bucket is   s3:authType  
public (p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to retrieve the Read bucket*    


GetBucketPublicAccessBlock
PublicAccessBlock configuration (p. 1356)
for an Amazon S3 bucket
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return the Read bucket*    


GetBucketRequestPayment
request payment configuration (p. 1356)
for an Amazon S3 bucket

1318
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return Read bucket*    


GetBucketTaggingthe tag set associated with an (p. 1356)
Amazon S3 bucket
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return the Read bucket*    


GetBucketVersioning
versioning state of an Amazon (p. 1356)
S3 bucket
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return the Read bucket*    


GetBucketWebsitewebsite configuration for an (p. 1356)
Amazon S3 bucket

1319
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return the Read bucket*    


GetEncryptionConfiguration
default encryption configuration (p. 1356)
an Amazon S3 bucket
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return an Read bucket*    


GetInventoryConfiguration
inventory configuration from an (p. 1356)
Amazon S3 bucket, identified by
the inventory configuration ID   s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return the Read job*    


GetJobTagging tag set of an existing Amazon S3 (p. 1356)
Batch Operations job

1320
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return Read bucket*    


GetLifecycleConfiguration
the lifecycle configuration (p. 1356)
information set on an Amazon
S3 bucket   s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to get a Read bucket*    


GetMetricsConfiguration
metrics configuration from an (p. 1356)
Amazon S3 bucket
  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

GetObject Grants permission to retrieve Read object*    


objects from Amazon S3 (p. 1356)

1321
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:ExistingObjectTag/
<key>
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

GetObjectAcl Grants permission to return the Read object*    


access control list (ACL) of an (p. 1356)
object

1322
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:ExistingObjectTag/
<key>
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to get an Read object*    


GetObjectLegalHold
object's current Legal Hold (p. 1356)
status
  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to retrieve the Read object*    


GetObjectRetention
retention settings for an object (p. 1356)

1323
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return the Read object*    


GetObjectTaggingtag set of an object (p. 1356)

  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:ExistingObjectTag/
<key>
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return Read object*    


GetObjectTorrenttorrent files from an Amazon S3 (p. 1356)
bucket

1324
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3:authType  
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to retrieve a Read object*    


GetObjectVersionspecific version of an object (p. 1356)

  s3:DataAccessPointAccount
 
(p. 1357)

s3:DataAccessPointArn
(p. 1357)

s3:AccessPointNetworkOrigin
(p. 1357)

s3:ExistingObjectTag/
<key>
(p. 1357)

s3:authType
(p. 1358)

s3:signatureAge
(p. 1358)

s3:signatureversion
(p. 1358)

s3:versionid
(p. 1358)

s3:x-amz-
content-
sha256
(p. 1358)

Grants permission to return the Read object*    


GetObjectVersionAcl
access control list (ACL) of a (p. 1356)
specific object version

1325
Service Authorization Reference
Service Authorization Reference
Amazon S3

Actions Description Access Resource Condition Dependent


Actions table (columns: Actions; Description; Access level; Resource types (*required); Condition keys; Dependent actions)

(condition keys continued from the preceding row): s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:ExistingObjectTag/<key> (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:versionid (p. 1358), s3:x-amz-content-sha256 (p. 1358)

GetObjectVersionForReplication
  Description: Grants permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS
  Access level: Read
  Resource types: object* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

GetObjectVersionTagging
  Description: Grants permission to return the tag set for a specific version of the object
  Access level: Read
  Resource types: object* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:ExistingObjectTag/<key> (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:versionid (p. 1358), s3:x-amz-content-sha256 (p. 1358)

GetObjectVersionTorrent
  Description: Grants permission to get Torrent files about a different version using the versionId subresource
  Access level: Read
  Resource types: object* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:versionid (p. 1358), s3:x-amz-content-sha256 (p. 1358)

GetReplicationConfiguration
  Description: Grants permission to get the replication configuration information set on an Amazon S3 bucket
  Access level: Read
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

GetStorageLensConfiguration
  Description: Grants permission to get an Amazon S3 Storage Lens configuration
  Access level: Read
  Resource types: storagelensconfiguration* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

GetStorageLensConfigurationTagging
  Description: Grants permission to get the tag set of an existing Amazon S3 Storage Lens configuration
  Access level: Read
  Resource types: storagelensconfiguration* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

GetStorageLensDashboard
  Description: Grants permission to get an Amazon S3 Storage Lens dashboard
  Access level: Read
  Resource types: storagelensconfiguration* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)
ListAccessPoints
  Description: Grants permission to list access points
  Access level: Read
  Resource types: (none)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

ListAllMyBuckets
  Description: Grants permission to list all buckets owned by the authenticated sender of the request
  Access level: List
  Resource types: (none)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

ListBucket
  Description: Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)
  Access level: List
  Resource types: bucket* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:authType (p. 1358), s3:delimiter (p. 1358), s3:max-keys (p. 1358), s3:prefix (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

ListBucketMultipartUploads
  Description: Grants permission to list in-progress multipart uploads
  Access level: List
  Resource types: bucket* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

ListBucketVersions
  Description: Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket
  Access level: List
  Resource types: bucket* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:authType (p. 1358), s3:delimiter (p. 1358), s3:max-keys (p. 1358), s3:prefix (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

ListJobs
  Description: Grants permission to list current jobs and jobs that have ended recently
  Access level: List
  Resource types: (none)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

ListMultipartUploadParts
  Description: Grants permission to list the parts that have been uploaded for a specific multipart upload
  Access level: List
  Resource types: object* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

ListStorageLensConfigurations
  Description: Grants permission to list Amazon S3 Storage Lens configurations
  Access level: List
  Resource types: (none)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

ObjectOwnerOverrideToBucketOwner
  Description: Grants permission to change replica ownership
  Access level: Permissions management
  Resource types: object* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)
PutAccelerateConfiguration
  Description: Grants permission to use the accelerate subresource to set the Transfer Acceleration state of an existing S3 bucket
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutAccessPointPolicy
  Description: Grants permission to associate an access policy with a specified access point
  Access level: Permissions management
  Resource types: accesspoint* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutAccountPublicAccessBlock
  Description: Grants permission to create or modify the PublicAccessBlock configuration for an AWS account
  Access level: Permissions management
  Resource types: (none)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutAnalyticsConfiguration
  Description: Grants permission to set an analytics configuration for the bucket, specified by the analytics configuration ID
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutBucketAcl
  Description: Grants permission to set the permissions on an existing bucket using access control lists (ACLs)
  Access level: Permissions management
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-acl (p. 1358), s3:x-amz-content-sha256 (p. 1358), s3:x-amz-grant-full-control (p. 1358), s3:x-amz-grant-read (p. 1358), s3:x-amz-grant-read-acp (p. 1358), s3:x-amz-grant-write (p. 1358), s3:x-amz-grant-write-acp (p. 1358)

PutBucketCORS
  Description: Grants permission to set the CORS configuration for an Amazon S3 bucket
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutBucketLogging
  Description: Grants permission to set the logging parameters for an Amazon S3 bucket
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutBucketNotification
  Description: Grants permission to receive notifications when certain events happen in an Amazon S3 bucket
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutBucketObjectLockConfiguration
  Description: Grants permission to put Object Lock configuration on a specific bucket
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358)

PutBucketOwnershipControls
  Description: Grants permission to add or replace ownership controls on a bucket
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutBucketPolicy
  Description: Grants permission to add or replace a bucket policy on a bucket
  Access level: Permissions management
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutBucketPublicAccessBlock
  Description: Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket
  Access level: Permissions management
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutBucketRequestPayment
  Description: Grants permission to set the request payment configuration of a bucket
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutBucketTagging
  Description: Grants permission to add a set of tags to an existing Amazon S3 bucket
  Access level: Tagging
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutBucketVersioning
  Description: Grants permission to set the versioning state of an existing Amazon S3 bucket
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutBucketWebsite
  Description: Grants permission to set the configuration of the website that is specified in the website subresource
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutEncryptionConfiguration
  Description: Grants permission to set the encryption configuration for an Amazon S3 bucket
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutInventoryConfiguration
  Description: Grants permission to add an inventory configuration to the bucket, identified by the inventory ID
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutJobTagging
  Description: Grants permission to replace tags on an existing Amazon S3 Batch Operations job
  Access level: Tagging
  Resource types: job* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358), s3:ExistingJobPriority (p. 1357), s3:ExistingJobOperation (p. 1357), aws:TagKeys (p. 1357), aws:RequestTag/${TagKey} (p. 1357)

PutLifecycleConfiguration
  Description: Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutMetricsConfiguration
  Description: Grants permission to set or update a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)
PutObject
  Description: Grants permission to add an object to a bucket
  Access level: Write
  Resource types: object* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:RequestObjectTag/<key> (p. 1357), s3:RequestObjectTagKeys (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-acl (p. 1358), s3:x-amz-content-sha256 (p. 1358), s3:x-amz-copy-source (p. 1358), s3:x-amz-grant-full-control (p. 1358), s3:x-amz-grant-read (p. 1358), s3:x-amz-grant-read-acp (p. 1358), s3:x-amz-grant-write (p. 1358), s3:x-amz-grant-write-acp (p. 1358), s3:x-amz-metadata-directive (p. 1359), s3:x-amz-server-side-encryption (p. 1359), s3:x-amz-server-side-encryption-aws-kms-key-id (p. 1359), s3:x-amz-storage-class (p. 1359), s3:x-amz-website-redirect-location (p. 1359), s3:object-lock-mode (p. 1358), s3:object-lock-retain-until-date (p. 1358), s3:object-lock-remaining-retention-days (p. 1358), s3:object-lock-legal-hold (p. 1358)

PutObjectAcl
  Description: Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket.
  Access level: Permissions management
  Resource types: object* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:ExistingObjectTag/<key> (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-acl (p. 1358), s3:x-amz-content-sha256 (p. 1358), s3:x-amz-grant-full-control (p. 1358), s3:x-amz-grant-read (p. 1358), s3:x-amz-grant-read-acp (p. 1358), s3:x-amz-grant-write (p. 1358), s3:x-amz-grant-write-acp (p. 1358), s3:x-amz-storage-class (p. 1359)
PutObjectLegalHold
  Description: Grants permission to apply a Legal Hold configuration to the specified object
  Access level: Write
  Resource types: object* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358), s3:object-lock-legal-hold (p. 1358)

PutObjectRetention
  Description: Grants permission to place an Object Retention configuration on an object
  Access level: Write
  Resource types: object* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358), s3:object-lock-mode (p. 1358), s3:object-lock-retain-until-date (p. 1358), s3:object-lock-remaining-retention-days (p. 1358)

PutObjectTagging
  Description: Grants permission to set the supplied tag-set to an object that already exists in a bucket
  Access level: Tagging
  Resource types: object* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:ExistingObjectTag/<key> (p. 1357), s3:RequestObjectTag/<key> (p. 1357), s3:RequestObjectTagKeys (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutObjectVersionAcl
  Description: Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket
  Access level: Permissions management
  Resource types: object* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:ExistingObjectTag/<key> (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:versionid (p. 1358), s3:x-amz-acl (p. 1358), s3:x-amz-content-sha256 (p. 1358), s3:x-amz-grant-full-control (p. 1358), s3:x-amz-grant-read (p. 1358), s3:x-amz-grant-read-acp (p. 1358), s3:x-amz-grant-write (p. 1358), s3:x-amz-grant-write-acp (p. 1358), s3:x-amz-storage-class (p. 1359)

PutObjectVersionTagging
  Description: Grants permission to set the supplied tag-set for a specific version of an object
  Access level: Tagging
  Resource types: object* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:ExistingObjectTag/<key> (p. 1357), s3:RequestObjectTag/<key> (p. 1357), s3:RequestObjectTagKeys (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:versionid (p. 1358), s3:x-amz-content-sha256 (p. 1358)

PutReplicationConfiguration
  Description: Grants permission to create a new replication configuration or replace an existing one
  Access level: Write
  Resource types: bucket* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)
  Dependent actions: iam:PassRole

PutStorageLensConfiguration
  Description: Grants permission to create or update an Amazon S3 Storage Lens configuration
  Access level: Write
  Resource types: (none)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358), aws:TagKeys (p. 1357), aws:RequestTag/${TagKey} (p. 1357)

PutStorageLensConfigurationTagging
  Description: Grants permission to put or replace tags on an existing Amazon S3 Storage Lens configuration
  Access level: Tagging
  Resource types: storagelensconfiguration* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358), aws:TagKeys (p. 1357), aws:RequestTag/${TagKey} (p. 1357)

ReplicateDelete
  Description: Grants permission to replicate delete markers to the destination bucket
  Access level: Write
  Resource types: object* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

ReplicateObject
  Description: Grants permission to replicate objects and object tags to the destination bucket
  Access level: Write
  Resource types: object* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358), s3:x-amz-server-side-encryption (p. 1359), s3:x-amz-server-side-encryption-aws-kms-key-id (p. 1359)

ReplicateTags
  Description: Grants permission to replicate object tags to the destination bucket
  Access level: Tagging
  Resource types: object* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

RestoreObject
  Description: Grants permission to restore an archived copy of an object back into Amazon S3
  Access level: Write
  Resource types: object* (p. 1356)
  Condition keys: s3:DataAccessPointAccount (p. 1357), s3:DataAccessPointArn (p. 1357), s3:AccessPointNetworkOrigin (p. 1357), s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358)

UpdateJobPriority
  Description: Grants permission to update the priority of an existing job
  Access level: Write
  Resource types: job* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358), s3:RequestJobPriority (p. 1357), s3:ExistingJobPriority (p. 1357), s3:ExistingJobOperation (p. 1357)

UpdateJobStatus
  Description: Grants permission to update the status for the specified job
  Access level: Write
  Resource types: job* (p. 1356)
  Condition keys: s3:authType (p. 1358), s3:signatureAge (p. 1358), s3:signatureversion (p. 1358), s3:x-amz-content-sha256 (p. 1358), s3:ExistingJobPriority (p. 1357), s3:ExistingJobOperation (p. 1357), s3:JobSuspendedCause (p. 1357)
Resource types defined by Amazon S3

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table (p. 1302) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table (p. 2).

Resource types table (columns: Resource types; ARN; Condition keys)

accesspoint: arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}
bucket: arn:${Partition}:s3:::${BucketName}
object: arn:${Partition}:s3:::${BucketName}/${ObjectName}
job: arn:${Partition}:s3:${Region}:${Account}:job/${JobId}
storagelensconfiguration: arn:${Partition}:s3:${Region}:${Account}:storage-lens/${ConfigId}; condition keys: aws:ResourceTag/${TagKey} (p. 1357)

Condition keys for Amazon S3

Amazon S3 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys table (columns: Condition keys; Description; Type), written here as "key (Type): Description"

aws:RequestTag/${TagKey} (String): Filters actions based on the tags that are passed in the request
aws:ResourceTag/${TagKey} (String): Filters actions based on the tags associated with the resource
aws:TagKeys (String): Filters actions based on the tag keys that are passed in the request
s3:AccessPointNetworkOrigin (String): Filters access by the network origin (Internet or VPC)
s3:DataAccessPointAccount (String): Filters access by the AWS Account ID that owns the access point
s3:DataAccessPointArn (String): Filters access by an access point Amazon Resource Name (ARN)
s3:ExistingJobOperation (String): Filters access to updating the job priority by operation
s3:ExistingJobPriority (Numeric): Filters access to cancelling existing jobs by priority range
s3:ExistingObjectTag/<key> (String): Filters access by existing object tag key and value
s3:JobSuspendedCause (String): Filters access to cancelling suspended jobs by a specific job suspended cause (for example, AWAITING_CONFIRMATION)
s3:LocationConstraint (String): Filters access by a specific Region
s3:RequestJobOperation (String): Filters access to creating jobs by operation
s3:RequestJobPriority (Numeric): Filters access to creating new jobs by priority range
s3:RequestObjectTag/<key> (String): Filters access by the tag keys and values to be added to objects
s3:RequestObjectTagKeys (String): Filters access by the tag keys to be added to objects
s3:VersionId (String): Filters access by a specific object version
s3:authType (String): Filters access by authentication method
s3:delimiter (String): Filters access by delimiter parameter
s3:locationconstraint (String): Filters access by a specific Region
s3:max-keys (Numeric): Filters access by maximum number of keys returned in a ListBucket request
s3:object-lock-legal-hold (String): Filters access by object legal hold status
s3:object-lock-mode (String): Filters access by object retention mode (COMPLIANCE or GOVERNANCE)
s3:object-lock-remaining-retention-days (String): Filters access by remaining object retention days
s3:object-lock-retain-until-date (String): Filters access by object retain-until date
s3:prefix (String): Filters access by key name prefix
s3:signatureAge (Numeric): Filters access by the age in milliseconds of the request signature
s3:signatureversion (String): Filters access by the version of AWS Signature used on the request
s3:versionid (String): Filters access by a specific object version
s3:x-amz-acl (String): Filters access by canned ACL in the request's x-amz-acl header
s3:x-amz-content-sha256 (String): Filters access to unsigned content in your bucket
s3:x-amz-copy-source (String): Filters access to requests with a specific bucket, prefix, or object as the copy source
s3:x-amz-grant-full-control (String): Filters access to requests with the x-amz-grant-full-control (full control) header
s3:x-amz-grant-read (String): Filters access to requests with the x-amz-grant-read (read access) header
s3:x-amz-grant-read-acp (String): Filters access to requests with the x-amz-grant-read-acp (read permissions for the ACL) header
s3:x-amz-grant-write (String): Filters access to requests with the x-amz-grant-write (write access) header
s3:x-amz-grant-write-acp (String): Filters access to requests with the x-amz-grant-write-acp (write permissions for the ACL) header
s3:x-amz-metadata-directive (String): Filters access by object metadata behavior (COPY or REPLACE) when objects are copied
s3:x-amz-server-side-encryption (String): Filters access by server-side encryption
s3:x-amz-server-side-encryption-aws-kms-key-id (String): Filters access by AWS KMS customer managed CMK for server-side encryption
s3:x-amz-storage-class (String): Filters access by storage class
s3:x-amz-website-redirect-location (String): Filters access by a specific website redirect location for buckets that are configured as static websites
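The following is an added example and not part of this reference: it assembles a bucket policy from the resource ARN patterns and condition keys tabulated above (s3:x-amz-server-side-encryption, s3:signatureAge, s3:x-amz-acl) and pairs it with a minimal evaluator so the effect of each key on a request can be seen offline. The bucket name, object key and request contexts are constructed placeholders; the evaluator models only explicit Deny statements and the three condition operators the policy uses, including IAM's treatment of a condition key that is absent from the request.

```python
"""Added example, not part of the AWS reference: a bucket policy built from the
ARN patterns and condition keys in the tables above, plus a minimal evaluator
showing how those keys gate a request.  Bucket name, object key and request
contexts are constructed placeholders; only explicit Deny statements and the
three operators used here are modelled."""
import fnmatch
import json
from typing import Optional

BUCKET = "example-audit-logs"  # constructed placeholder bucket name

# Bucket and object ARNs carry no Region or account component (resource types table).
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/*"


def build_bucket_policy() -> dict:
    """Guard rails a defender attaches to the bucket; each Deny keys off one
    condition key from the Amazon S3 condition keys table."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # PutObject must declare SSE-KMS.  A missing header also satisfies
                # StringNotEquals, so unencrypted uploads are denied as well.
                "Sid": "RequireSseKms",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": OBJECT_ARN,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # s3:signatureAge is in milliseconds: reject presigned requests
                # whose signature is older than five minutes.
                "Sid": "RejectStaleSignatures",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [BUCKET_ARN, OBJECT_ARN],
                "Condition": {"NumericGreaterThan": {"s3:signatureAge": 300000}},
            },
            {   # Public canned ACLs cannot be applied through the x-amz-acl header.
                "Sid": "NoPublicCannedAcl",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:PutBucketAcl", "s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
                "Resource": [BUCKET_ARN, OBJECT_ARN],
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": ["public-read", "public-read-write"]}},
            },
        ],
    }


def policy_json() -> str:
    """Render the policy as the JSON document attached with PutBucketPolicy."""
    return json.dumps(build_bucket_policy(), indent=2)


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _condition_holds(operator: str, expected, actual) -> bool:
    """IAM semantics for the operators used above, including an absent key:
    positive operators fail on a missing key, negated operators succeed."""
    expected = _as_list(expected)
    if operator == "StringEquals":
        return actual is not None and actual in expected
    if operator == "StringNotEquals":
        return actual is None or actual not in expected
    if operator == "NumericGreaterThan":
        return actual is not None and int(actual) > int(expected[0])
    raise ValueError(f"operator not modelled in this example: {operator}")


def first_applicable_deny(policy: dict, action: str, resource: str,
                          context: dict) -> Optional[str]:
    """Return the Sid of the first Deny whose action, resource and every
    condition key match the request context, or None if no Deny applies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, exp, context.get(key))
               for op, pairs in conditions.items()
               for key, exp in pairs.items()):
            return stmt["Sid"]
    return None


# Constructed request contexts: the values the S3 condition keys would carry.
UPLOAD_NO_SSE = {"s3:authType": "REST-HEADER", "s3:signatureAge": "1500"}
UPLOAD_KMS = {**UPLOAD_NO_SSE, "s3:x-amz-server-side-encryption": "aws:kms"}
STALE_PRESIGNED_GET = {"s3:authType": "REST-QUERY-STRING", "s3:signatureAge": "900000"}
PUBLIC_ACL = {"s3:authType": "REST-HEADER", "s3:x-amz-acl": "public-read"}

if __name__ == "__main__":
    policy = build_bucket_policy()
    obj = f"arn:aws:s3:::{BUCKET}/2024/01/app.log.gz"  # constructed object key
    print(first_applicable_deny(policy, "s3:PutObject", obj, UPLOAD_NO_SSE))       # RequireSseKms
    print(first_applicable_deny(policy, "s3:PutObject", obj, UPLOAD_KMS))          # None
    print(first_applicable_deny(policy, "s3:GetObject", obj, STALE_PRESIGNED_GET)) # RejectStaleSignatures
    print(first_applicable_deny(policy, "s3:PutBucketAcl", BUCKET_ARN, PUBLIC_ACL)) # NoPublicCannedAcl
```

Each Deny uses a single condition key, because several keys inside one operator block are ANDed and a StringNotEquals over two headers would only deny when both are wrong. The evaluator's handling of absent keys mirrors the table's intent for s3:x-amz-server-side-encryption: a request that omits the header is treated as not equal to aws:kms and is denied, which is the behaviour a defender wants from this guard rail.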

Actions, resources, and condition keys for Amazon S3 on Outposts

Amazon S3 on Outposts (service prefix: s3-outposts) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon S3 on Outposts (p. 1359)
• Resource types defined by Amazon S3 on Outposts (p. 1380)
• Condition keys for Amazon S3 on Outposts (p. 1381)

Actions defined by Amazon S3 on Outposts

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Actions table (columns: Actions; Description; Access level; Resource types (*required); Condition keys; Dependent actions)

AbortMultipartUpload
  Description: Grants permission to abort a multipart upload
  Access level: Write
  Resource types: object* (p. 1381)
  Condition keys: s3-outposts:DataAccessPointArn (p. 1381), s3-outposts:DataAccessPointAccount (p. 1381), s3-outposts:AccessPointNetworkOrigin (p. 1381), s3-outposts:authType (p. 1381), s3-outposts:signatureAge (p. 1382), s3-outposts:signatureversion (p. 1382), s3-outposts:x-amz-content-sha256 (p. 1382)

CreateAccessPoint
  Description: Grants permission to create a new access point
  Access level: Write
  Resource types: accesspoint* (p. 1381)
  Condition keys: s3-outposts:DataAccessPointAccount (p. 1381), s3-outposts:DataAccessPointArn (p. 1381), s3-outposts:AccessPointNetworkOrigin (p. 1381), s3-outposts:authType (p. 1381), s3-outposts:signatureAge (p. 1382), s3-outposts:signatureversion (p. 1382), s3-outposts:x-amz-content-sha256 (p. 1382)

CreateBucket
  Description: Grants permission to create a new bucket
  Access level: Write
  Resource types: bucket* (p. 1381)
  Condition keys: s3-outposts:authType (p. 1381), s3-outposts:signatureAge (p. 1382), s3-outposts:signatureversion (p. 1382), s3-outposts:x-amz-content-sha256 (p. 1382)

CreateEndpoint
  Description: Grants permission to create a new endpoint
  Access level: Write
  Resource types: endpoint* (p. 1381)
  Condition keys: (none)

DeleteAccessPoint
  Description: Grants permission to delete the access point named in the URI
  Access level: Write
  Resource types: accesspoint* (p. 1381)
  Condition keys: s3-outposts:DataAccessPointArn (p. 1381), s3-outposts:DataAccessPointAccount (p. 1381), s3-outposts:AccessPointNetworkOrigin (p. 1381), s3-outposts:authType (p. 1381), s3-outposts:signatureAge (p. 1382), s3-outposts:signatureversion (p. 1382), s3-outposts:x-amz-content-sha256 (p. 1382)

DeleteAccessPointPolicy
  Description: Grants permission to delete the policy on a specified access point
  Access level: Permissions management
  Resource types: accesspoint* (p. 1381)
  Condition keys: s3-outposts:DataAccessPointArn (p. 1381), s3-outposts:DataAccessPointAccount (p. 1381), s3-outposts:AccessPointNetworkOrigin (p. 1381), s3-outposts:authType (p. 1381), s3-outposts:signatureAge (p. 1382), s3-outposts:signatureversion (p. 1382), s3-outposts:x-amz-content-sha256 (p. 1382)

DeleteBucket
  Description: Grants permission to delete the bucket named in the URI
  Access level: Write
  Resource types: bucket* (p. 1381)
  Condition keys: s3-outposts:authType (p. 1381), s3-outposts:signatureAge (p. 1382), s3-outposts:signatureversion (p. 1382), s3-outposts:x-amz-content-sha256 (p. 1382)

DeleteBucketPolicy
  Description: Grants permission to delete the policy on a specified bucket
  Access level: Permissions management
  Resource types: bucket* (p. 1381)
  Condition keys: s3-outposts:authType (p. 1381), s3-outposts:signatureAge (p. 1382), s3-outposts:signatureversion (p. 1382), s3-outposts:x-amz-content-sha256 (p. 1382)

DeleteEndpoint
  Description: Grants permission to delete the endpoint named in the URI
  Access level: Write
  Resource types: endpoint* (p. 1381)
  Condition keys: (none)

DeleteObject
  Description: Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object
  Access level: Write
  Resource types: object* (p. 1381)
  Condition keys: s3-outposts:DataAccessPointAccount (p. 1381), s3-outposts:DataAccessPointArn (p. 1381), s3-outposts:AccessPointNetworkOrigin (p. 1381), s3-outposts:authType (p. 1381), s3-outposts:signatureAge (p. 1382), s3-outposts:signatureversion (p. 1382), s3-outposts:x-amz-content-sha256 (p. 1382)

DeleteObjectTagging
  Description: Grants permission to use the tagging subresource to remove the entire tag set from the specified object
  Access level: Tagging
  Resource types: object* (p. 1381)
  Condition keys: s3-outposts:DataAccessPointAccount (p. 1381), s3-outposts:DataAccessPointArn (p. 1381), s3-outposts:AccessPointNetworkOrigin (p. 1381), s3-outposts:ExistingObjectTag/<key> (p. 1381), s3-outposts:authType (p. 1381), s3-outposts:signatureAge (p. 1382), s3-outposts:signatureversion (p. 1382), s3-outposts:x-amz-content-sha256 (p. 1382)

GetAccessPoint
  Description: Grants permission to return configuration information about
  Access level: Read
  Condition keys: s3-outposts:DataAccessPointAccount
the specified access point (p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to returns the Read accesspoint*    


GetAccessPointPolicy
access point policy associated (p. 1381)
with the specified access point

1366
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:DataAccessPointAccount
(p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

GetBucket Grants permission to return the Read bucket*    


bucket configuration associated (p. 1381)
with an Amazon S3 bucket
  s3-  
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to return the Read bucket*    


GetBucketPolicy policy of the specified bucket (p. 1381)

1367
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to return Read bucket*    


GetBucketTaggingthe tag set associated with an (p. 1381)
Amazon S3 bucket
  s3-  
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to return Read bucket*    


GetLifecycleConfiguration
the lifecycle configuration (p. 1381)
information set on an Amazon
S3 bucket

1368
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

GetObject Grants permission to retrieve Read object*    


objects from Amazon S3 (p. 1381)

1369
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:DataAccessPointAccount
(p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:ExistingObjectTag/
<key>
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to return the Read object*    


GetObjectTaggingtag set of an object (p. 1381)

1370
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:DataAccessPointAccount
(p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:ExistingObjectTag/
<key>
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to list access List   s3-  


ListAccessPoints points outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

1371
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

ListBucket Grants permission to list some or List accesspoint*    


all of the objects in an Amazon (p. 1381)
S3 bucket (up to 1000)
bucket*    
(p. 1381)

  s3-  
outposts:DataAccessPointAccount
(p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:delimiter
(p. 1381)

s3-
outposts:max-
keys
(p. 1382)

s3-
outposts:prefix
(p. 1382)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to list in- List accesspoint*    


ListBucketMultipartUploads
progress multipart uploads (p. 1381)

bucket*    
(p. 1381)

1372
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:DataAccessPointAccount
(p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

ListEndpoints Grants permission to list List      


endpoints

Grants permission to list the List object*    


ListMultipartUploadParts
parts that have been uploaded (p. 1381)
for a specific multipart upload

1373
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:DataAccessPointAccount
(p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to list List   s3-  


ListRegionalBuckets
all buckets owned by the outposts:authType
authenticated sender of the (p. 1381)
request
s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to associate Permissions accesspoint*    


PutAccessPointPolicy
an access policy with a specified management (p. 1381)
access point

1374
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:DataAccessPointAccount
(p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to add or Permissions bucket*    


PutBucketPolicy replace a bucket policy on a management (p. 1381)
bucket
  s3-  
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

1375
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to add a set Tagging bucket*    


PutBucketTaggingof tags to an existing Amazon S3 (p. 1381)
bucket
  s3-  
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Grants permission to create a Write bucket*    


PutLifecycleConfiguration
new lifecycle configuration for (p. 1381)
the bucket or replace an existing
lifecycle configuration   s3-  
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

PutObject Grants permission to add an Write object*    


object to a bucket (p. 1381)

1376
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:DataAccessPointAccount
(p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:RequestObjectTag/
<key>
(p. 1381)

s3-
outposts:RequestObjectTagKeys
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-acl
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

s3-
outposts:x-
amz-copy-
source
(p. 1382)

s3-
outposts:x-
amz-
metadata-

1377
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)
directive
(p. 1382)

s3-
outposts:x-
amz-
server-
side-
encryption
(p. 1382)

s3-
outposts:x-
amz-
storage-
class
(p. 1382)

PutObjectAcl Grants permission to set Permissions object*    


the access control list (ACL) management (p. 1381)
permissions for an object that
already exists in a bucket

1378
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:DataAccessPointAccount
(p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:ExistingObjectTag/
<key>
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-acl
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

s3-
outposts:x-
amz-
storage-
class
(p. 1382)

Grants permission to set the Tagging object*    


PutObjectTaggingsupplied tag-set to an object (p. 1381)
that already exists in a bucket

1379
Service Authorization Reference
Service Authorization Reference
Amazon S3 on Outposts

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  s3-  
outposts:DataAccessPointAccount
(p. 1381)

s3-
outposts:DataAccessPointArn
(p. 1381)

s3-
outposts:AccessPointNetworkOrigin
(p. 1381)

s3-
outposts:ExistingObjectTag/
<key>
(p. 1381)

s3-
outposts:RequestObjectTag/
<key>
(p. 1381)

s3-
outposts:RequestObjectTagKeys
(p. 1381)

s3-
outposts:authType
(p. 1381)

s3-
outposts:signatureAge
(p. 1382)

s3-
outposts:signatureversion
(p. 1382)

s3-
outposts:x-
amz-
content-
sha256
(p. 1382)

Resource types defined by Amazon S3 on Outposts

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table (p. 1359) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table (p. 2).

Columns: Resource type; ARN; Condition keys

accesspoint
  ARN: arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/accesspoint/${AccessPointName}
  Condition keys: none

bucket
  ARN: arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/bucket/${BucketName}
  Condition keys: none

endpoint
  ARN: arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/endpoint/${EndpointId}
  Condition keys: none

object
  ARN: arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/bucket/${BucketName}/object/${ObjectName}
  Condition keys: none

Condition keys for Amazon S3 on Outposts

Amazon S3 on Outposts defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

Columns: Condition key; Description; Type

s3-outposts:AccessPointNetworkOrigin
  Description: Filters access by the network origin (Internet or VPC)
  Type: String

s3-outposts:DataAccessPointAccount
  Description: Filters access by the AWS Account ID that owns the access point
  Type: String

s3-outposts:DataAccessPointArn
  Description: Filters access by an access point Amazon Resource Name (ARN)
  Type: String

s3-outposts:ExistingObjectTag/<key>
  Description: Filters access by requiring that an existing object tag has a specific tag key and value
  Type: String

s3-outposts:RequestObjectTag/<key>
  Description: Filters access by restricting the tag keys and values allowed on objects
  Type: String

s3-outposts:RequestObjectTagKeys
  Description: Filters access by restricting the tag keys allowed on objects
  Type: String

s3-outposts:authType
  Description: Filters access by restricting incoming requests to a specific authentication method
  Type: String

s3-outposts:delimiter
  Description: Filters access by requiring the delimiter parameter
  Type: String

s3-outposts:max-keys
  Description: Filters access by limiting the maximum number of keys returned in a ListBucket request
  Type: Numeric

s3-outposts:prefix
  Description: Filters access by key name prefix
  Type: String

s3-outposts:signatureAge
  Description: Filters access by identifying the length of time, in milliseconds, that a signature is valid in an authenticated request
  Type: Numeric

s3-outposts:signatureversion
  Description: Filters access by identifying the version of AWS Signature that is supported for authenticated requests
  Type: String

s3-outposts:x-amz-acl
  Description: Filters access by requiring the x-amz-acl header with a specific canned ACL in a request
  Type: String

s3-outposts:x-amz-content-sha256
  Description: Filters access by disallowing unsigned content in your bucket
  Type: String

s3-outposts:x-amz-copy-source
  Description: Filters access by restricting the copy source to a specific bucket, prefix, or object
  Type: String

s3-outposts:x-amz-metadata-directive
  Description: Filters access by enabling enforcement of object metadata behavior (COPY or REPLACE) when objects are copied
  Type: String

s3-outposts:x-amz-server-side-encryption
  Description: Filters access by requiring server-side encryption
  Type: String

s3-outposts:x-amz-storage-class
  Description: Filters access by storage class
  Type: String
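The policy below is an added example and is not part of the Service Authorization Reference. It shows how two of the condition keys listed above (s3-outposts:x-amz-server-side-encryption and s3-outposts:x-amz-content-sha256) are combined with the object ARN format from the resource types table so that object writes which omit server-side encryption or carry an unsigned payload are refused. The Region, account ID (111122223333), Outpost ID (op-EXAMPLEOUTPOSTID) and bucket name are placeholders, and the value UNSIGNED-PAYLOAD is the SigV4 marker for an unsigned request body, which this page does not state and is assumed here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyObjectWritesWithoutServerSideEncryption",
      "Effect": "Deny",
      "Action": "s3-outposts:PutObject",
      "Resource": "arn:aws:s3-outposts:us-west-2:111122223333:outpost/op-EXAMPLEOUTPOSTID/bucket/example-bucket/object/*",
      "Condition": {
        "Null": {
          "s3-outposts:x-amz-server-side-encryption": "true"
        }
      }
    },
    {
      "Sid": "DenyUnsignedPayloadsAssumedMarkerValue",
      "Effect": "Deny",
      "Action": [
        "s3-outposts:PutObject",
        "s3-outposts:PutObjectAcl",
        "s3-outposts:PutObjectTagging"
      ],
      "Resource": "arn:aws:s3-outposts:us-west-2:111122223333:outpost/op-EXAMPLEOUTPOSTID/bucket/example-bucket/object/*",
      "Condition": {
        "StringEquals": {
          "s3-outposts:x-amz-content-sha256": "UNSIGNED-PAYLOAD"
        }
      }
    }
  ]
}
```

The Null operator matches when the named key is absent from the request context, so the first statement denies any PutObject that arrives without an x-amz-server-side-encryption header; an explicit Deny takes precedence over whatever Allow statements grant the upload itself. The second statement is limited to the three object-level write actions whose rows above list x-amz-content-sha256 as a supported key, since a condition on a key an action does not supply never matches for an Allow and would silently widen a Deny.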

Actions, resources, and condition keys for Amazon SageMaker

Amazon SageMaker (service prefix: sagemaker) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by Amazon SageMaker (p. 1383)
• Resource types defined by Amazon SageMaker (p. 1425)
• Condition keys for Amazon SageMaker (p. 1430)

Actions defined by Amazon SageMaker

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

Columns: Action; Description; Access level; Resource types (*required); Condition keys; Dependent actions

AddAssociation
  Description: Grants permission to associate a lineage entity (artifact, context, action, experiment, experiment-trial-component) to another.
  Access level: Write
  Resource types: action* (p. 1430), artifact* (p. 1430), context* (p. 1430), experiment* (p. 1429), experiment-trial-component* (p. 1430)
  Condition keys: none
  Dependent actions: none

AddTags
  Description: Adds or overwrites one or more tags for the specified Amazon SageMaker resource.
  Access level: Tagging
  Resource types: action (p. 1430), algorithm (p. 1427), app (p. 1427), app-image-config (p. 1427), artifact (p. 1430), automl-job (p. 1429), code-repository (p. 1427), context (p. 1430), data-quality-job-definition (p. 1429), device (p. 1426), device-fleet (p. 1426), domain (p. 1426), edge-packaging-job (p. 1426), endpoint (p. 1428), endpoint-config (p. 1428), experiment (p. 1429), experiment-trial (p. 1429), experiment-trial-component (p. 1430), feature-group (p. 1430), flow-definition (p. 1426), human-task-ui (p. 1426), hyper-parameter-tuning-job (p. 1428), image (p. 1427), labeling-job (p. 1426), model (p. 1428), model-bias-job-definition (p. 1429), model-explainability-job-definition (p. 1429), model-package (p. 1428), model-package-group (p. 1428), model-quality-job-definition (p. 1429), monitoring-schedule (p. 1429), notebook-instance (p. 1427), pipeline (p. 1430), processing-job (p. 1428), project (p. 1428), training-job (p. 1428), transform-job (p. 1429), user-profile (p. 1427), workteam (p. 1426)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

AssociateTrialComponent
  Description: Associate a trial component with a trial.
  Access level: Write
  Resource types: experiment-trial* (p. 1429), experiment-trial-component* (p. 1430)
  Condition keys: none
  Dependent actions: none

BatchGetMetrics [permission only]
  Description: Retrieve metrics associated with SageMaker Resources such as Training Jobs. This API is not publicly exposed at this point, however admins can control this action
  Access level: Read
  Resource types: training-job* (p. 1428)
  Condition keys: none
  Dependent actions: none

BatchPutMetrics [permission only]
  Description: Publish metrics associated with a SageMaker Resource such as a Training Job. This API is not publicly exposed at this point, however admins can control this action
  Access level: Write
  Resource types: training-job* (p. 1428)
  Condition keys: none
  Dependent actions: none

CreateAction
  Description: Grants permission to create an action.
  Access level: Write
  Resource types: action* (p. 1430)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateAlgorithm
  Description: Grants permission to create an algorithm.
  Access level: Write
  Resource types: algorithm* (p. 1427)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateApp
  Description: Grants permission to create an App for a SageMaker Studio UserProfile
  Access level: Write
  Resource types: app* (p. 1427)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:InstanceTypes (p. 1431), sagemaker:ImageArns (p. 1431), sagemaker:ImageVersionArns (p. 1431)
  Dependent actions: none

CreateAppImageConfig
  Description: Grants permission to create an AppImageConfig
  Access level: Write
  Resource types: app-image-config* (p. 1427)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateArtifact
  Description: Grants permission to create an artifact.
  Access level: Write
  Resource types: artifact* (p. 1430)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateAutoMLJob
  Description: Creates an automl job.
  Access level: Write
  Resource types: automl-job* (p. 1429)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:InterContainerTrafficEncryp (p. 1431), sagemaker:OutputKmsKey (p. 1432), sagemaker:VolumeKmsKey (p. 1432), sagemaker:VpcSecurityGroupIds (p. 1432), sagemaker:VpcSubnets (p. 1432)
  Dependent actions: iam:PassRole

CreateCodeRepository
  Description: Grants permission to create a CodeRepository.
  Access level: Write
  Resource types: code-repository* (p. 1427)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateCompilationJob
  Description: Create a compilation job.
  Access level: Write
  Resource types: compilation-job* (p. 1429)
  Condition keys: none
  Dependent actions: iam:PassRole

CreateContext
  Description: Grants permission to create a context.
  Access level: Write
  Resource types: context* (p. 1430)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateDataQualityJobDefinition
  Description: Grants permission to create a data quality job definition.
  Access level: Write
  Resource types: data-quality-job-definition* (p. 1429)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:InstanceTypes (p. 1431), sagemaker:InterContainerTrafficEncryp (p. 1431), sagemaker:MaxRuntimeInSeconds (p. 1431), sagemaker:NetworkIsolation (p. 1432), sagemaker:OutputKmsKey (p. 1432), sagemaker:VolumeKmsKey (p. 1432), sagemaker:VpcSecurityGroupIds (p. 1432), sagemaker:VpcSubnets (p. 1432)
  Dependent actions: iam:PassRole

CreateDeviceFleet
  Description: Grants permission to create a device fleet
  Access level: Write
  Resource types: device-fleet* (p. 1426)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: iam:PassRole


CreateDomain
  Description: Grants permission to create a Domain for SageMaker Studio
  Access level: Write
  Resource types: domain* (p. 1426)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:AppNetworkAccessType (p. 1431), sagemaker:InstanceTypes (p. 1431), sagemaker:VpcSecurityGroupIds (p. 1432), sagemaker:VpcSubnets (p. 1432), sagemaker:DomainSharingOutputKms (p. 1431), sagemaker:VolumeKmsKey (p. 1432), sagemaker:ImageArns (p. 1431), sagemaker:ImageVersionArns (p. 1431)
  Dependent actions: iam:CreateServiceLinkedR, iam:PassRole

CreateEdgePackagingJob
  Description: Grants permission to create an edge packaging job
  Access level: Write
  Resource types: edge-packaging-job* (p. 1426)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: iam:PassRole

CreateEndpoint
  Description: Creates an endpoint using the endpoint configuration specified in the request.
  Access level: Write
  Resource types: endpoint* (p. 1428)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateEndpointConfig
  Description: Creates an endpoint configuration that can be deployed using Amazon SageMaker hosting services.
  Access level: Write
  Resource types: endpoint-config* (p. 1428)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:AcceleratorTypes (p. 1431), sagemaker:InstanceTypes (p. 1431), sagemaker:ModelArn (p. 1432), sagemaker:VolumeKmsKey (p. 1432)
  Dependent actions: none

CreateExperiment
  Description: Create an experiment.
  Access level: Write
  Resource types: experiment* (p. 1429)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateFeatureGroup
  Description: Creates a feature group.
  Access level: Write
  Resource types: feature-group* (p. 1430)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:FeatureGroupOnlineStoreK (p. 1431), sagemaker:FeatureGroupOfflineStoreK (p. 1431), sagemaker:FeatureGroupOfflineStoreS (p. 1431)
  Dependent actions: iam:PassRole


CreateFlowDefinition
  Description: Creates a flow definition, which defines settings for a human workflow.
  Access level: Write
  Resource types: flow-definition* (p. 1426)
  Condition keys: sagemaker:WorkteamArn (p. 1432), sagemaker:WorkteamType (p. 1432), aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: iam:PassRole

CreateHumanTaskUi
  Description: Defines the settings you will use for the human review workflow user interface.
  Access level: Write
  Resource types: human-task-ui* (p. 1426)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateHyperParameterTuningJob
  Description: Creates a hyper parameter tuning job that can be deployed using Amazon SageMaker.
  Access level: Write
  Resource types: hyper-parameter-tuning-job* (p. 1428)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:FileSystemAccessMode (p. 1431), sagemaker:FileSystemDirectoryPath (p. 1431), sagemaker:FileSystemId (p. 1431), sagemaker:FileSystemType (p. 1431), sagemaker:InstanceTypes (p. 1431), sagemaker:InterContainerTrafficEncryp (p. 1431), sagemaker:MaxRuntimeInSeconds (p. 1431), sagemaker:NetworkIsolation (p. 1432), sagemaker:OutputKmsKey (p. 1432), sagemaker:VolumeKmsKey (p. 1432), sagemaker:VpcSecurityGroupIds (p. 1432), sagemaker:VpcSubnets (p. 1432)
  Dependent actions: iam:PassRole

CreateImage
  Description: Grants permissions to create a SageMaker Image.
  Access level: Write
  Resource types: image* (p. 1427)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: iam:PassRole

CreateImageVersion
  Description: Grants permissions to create a SageMaker ImageVersion.
  Access level: Write
  Resource types: image* (p. 1427)
  Condition keys: none
  Dependent actions: none

CreateLabelingJob
  Description: Starts a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models.
  Access level: Write
  Resource types: labeling-job* (p. 1426)
  Condition keys: sagemaker:WorkteamArn (p. 1432), sagemaker:WorkteamType (p. 1432), sagemaker:VolumeKmsKey (p. 1432), sagemaker:OutputKmsKey (p. 1432), aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: iam:PassRole

CreateModel
  Description: Creates a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers.
  Access level: Write
  Resource types: model* (p. 1428)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:NetworkIsolation (p. 1432), sagemaker:VpcSecurityGroupIds (p. 1432), sagemaker:VpcSubnets (p. 1432)
  Dependent actions: iam:PassRole

CreateModelBiasJobDefinition
  Description: Grants permission to create a model bias job definition.
  Access level: Write
  Resource types: model-bias-job-definition* (p. 1429)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:InstanceTypes (p. 1431), sagemaker:InterContainerTrafficEncryp (p. 1431), sagemaker:MaxRuntimeInSeconds (p. 1431), sagemaker:NetworkIsolation (p. 1432), sagemaker:OutputKmsKey (p. 1432), sagemaker:VolumeKmsKey (p. 1432), sagemaker:VpcSecurityGroupIds (p. 1432), sagemaker:VpcSubnets (p. 1432)
  Dependent actions: iam:PassRole

CreateModelExplainabilityJobDefinition
  Description: Grants permission to create a model explainability job definition.
  Access level: Write
  Resource types: model-explainability-job-definition* (p. 1429)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:InstanceTypes (p. 1431), sagemaker:InterContainerTrafficEncryp (p. 1431), sagemaker:MaxRuntimeInSeconds (p. 1431), sagemaker:NetworkIsolation (p. 1432), sagemaker:OutputKmsKey (p. 1432), sagemaker:VolumeKmsKey (p. 1432), sagemaker:VpcSecurityGroupIds (p. 1432), sagemaker:VpcSubnets (p. 1432)
  Dependent actions: iam:PassRole

CreateModelPackage
  Description: Grants permission to create a ModelPackage.
  Access level: Write
  Resource types: model-package (p. 1428), model-package-group (p. 1428)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateModelPackageGroup
  Description: Grants permission to create a ModelPackageGroup.
  Access level: Write
  Resource types: model-package-group* (p. 1428)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: none

CreateModelQualityJobDefinition
  Description: Grants permission to create a model quality job definition.
  Access level: Write
  Resource types: model-quality-job-definition* (p. 1429)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:InstanceTypes (p. 1431), sagemaker:InterContainerTrafficEncryp (p. 1431), sagemaker:MaxRuntimeInSeconds (p. 1431), sagemaker:NetworkIsolation (p. 1432), sagemaker:OutputKmsKey (p. 1432), sagemaker:VolumeKmsKey (p. 1432), sagemaker:VpcSecurityGroupIds (p. 1432), sagemaker:VpcSubnets (p. 1432)
  Dependent actions: iam:PassRole

CreateMonitoringSchedule
  Description: Grants permission to create a monitoring schedule.
  Access level: Write
  Resource types: monitoring-schedule* (p. 1429)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:InstanceTypes (p. 1431), sagemaker:InterContainerTrafficEncryp (p. 1431), sagemaker:MaxRuntimeInSeconds (p. 1431), sagemaker:NetworkIsolation (p. 1432), sagemaker:OutputKmsKey (p. 1432), sagemaker:VolumeKmsKey (p. 1432), sagemaker:VpcSecurityGroupIds (p. 1432), sagemaker:VpcSubnets (p. 1432)
  Dependent actions: iam:PassRole

CreateNotebookInstance
  Description: Creates an Amazon SageMaker notebook instance. A notebook instance is an Amazon EC2 instance running on a Jupyter Notebook.
  Access level: Write
  Resource types: notebook-instance* (p. 1427)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431), sagemaker:AcceleratorTypes (p. 1431), sagemaker:DirectInternetAccess (p. 1431), sagemaker:InstanceTypes (p. 1431), sagemaker:RootAccess (p. 1432), sagemaker:VolumeKmsKey (p. 1432), sagemaker:VpcSecurityGroupIds (p. 1432), sagemaker:VpcSubnets (p. 1432)
  Dependent actions: iam:PassRole

CreateNotebookInstanceLifecycleConfig
  Description: Creates a notebook instance lifecycle configuration that can be deployed using Amazon SageMaker.
  Access level: Write
  Resource types: notebook-instance-lifecycle-config* (p. 1427)
  Condition keys: none
  Dependent actions: none

CreatePipeline
  Description: Grants permission to create a pipeline.
  Access level: Write
  Resource types: pipeline* (p. 1430)
  Condition keys: aws:RequestTag/${TagKey} (p. 1430), aws:TagKeys (p. 1431)
  Dependent actions: iam:PassRole

CreatePresignedDomainUrl
  Description: Grants permission to return a URL that you can use from your browser to connect to the Domain as a specified UserProfile when AuthMode is 'IAM'
  Access level: Write
  Resource types: user-profile* (p. 1427)
  Condition keys: none
  Dependent actions: none

CreatePresignedNotebookInstanceUrl
  Description: Returns a URL that you can use from your browser to connect to the Notebook Instance.
  Access level: Write
  Resource types: notebook-instance* (p. 1427)
  Condition keys: none
  Dependent actions: none

CreateProcessingJob
  Description: Starts a processing job. After processing completes, Amazon SageMaker saves the resulting
  Access level: Write
  Resource types: processing-job* (p. 1428)
  Dependent actions: iam:PassRole
artifacts and other optional
output to an Amazon S3   aws:RequestTag/
 
location that you specify. ${TagKey}
(p. 1430)

aws:TagKeys
(p. 1431)

sagemaker:InstanceTypes
(p. 1431)

sagemaker:MaxRuntimeInSeconds
(p. 1431)

sagemaker:NetworkIsolation
(p. 1432)

sagemaker:OutputKmsKey
(p. 1432)

sagemaker:VolumeKmsKey
(p. 1432)

sagemaker:VpcSecurityGroupIds
(p. 1432)

sagemaker:VpcSubnets
(p. 1432)

sagemaker:InterContainerTrafficEncryp
(p. 1431)

CreateProject Grants permission to create a Write project*    


Project. (p. 1428)

  aws:RequestTag/
 
${TagKey}
(p. 1430)

aws:TagKeys
(p. 1431)

1400
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Starts a model training job. Write training-   iam:PassRole


CreateTrainingJobAfter training completes, job*
Amazon SageMaker saves the (p. 1428)
resulting model artifacts and
other optional output to an   aws:RequestTag/
 
Amazon S3 location that you ${TagKey}
specify. (p. 1430)

aws:TagKeys
(p. 1431)

sagemaker:FileSystemAccessMode
(p. 1431)

sagemaker:FileSystemDirectoryPath
(p. 1431)

sagemaker:FileSystemId
(p. 1431)

sagemaker:FileSystemType
(p. 1431)

sagemaker:InstanceTypes
(p. 1431)

sagemaker:InterContainerTrafficEncryp
(p. 1431)

sagemaker:MaxRuntimeInSeconds
(p. 1431)

sagemaker:NetworkIsolation
(p. 1432)

sagemaker:OutputKmsKey
(p. 1432)

sagemaker:VolumeKmsKey
(p. 1432)

sagemaker:VpcSecurityGroupIds
(p. 1432)

sagemaker:VpcSubnets
(p. 1432)

Starts a transform job. After the Write transform-    


CreateTransformJob
results are obtained, Amazon job*
SageMaker saves them to an (p. 1429)
Amazon S3 location that you
specify.

1401
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:RequestTag/
 
${TagKey}
(p. 1430)

aws:TagKeys
(p. 1431)

sagemaker:InstanceTypes
(p. 1431)

sagemaker:ModelArn
(p. 1432)

sagemaker:OutputKmsKey
(p. 1432)

sagemaker:VolumeKmsKey
(p. 1432)

CreateTrial Create a trial. Write experiment-    


trial*
(p. 1429)

  aws:RequestTag/
 
${TagKey}
(p. 1430)

aws:TagKeys
(p. 1431)

Create a trial component. Write experiment-    


CreateTrialComponent trial-
component*
(p. 1430)

  aws:RequestTag/
 
${TagKey}
(p. 1430)

aws:TagKeys
(p. 1431)

Grants permission to create a Write user-   iam:PassRole


CreateUserProfileUserProfile for a SageMaker profile*
Studio Domain (p. 1427)

1402
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

  aws:RequestTag/
 
${TagKey}
(p. 1430)

aws:TagKeys
(p. 1431)

sagemaker:VpcSecurityGroupIds
(p. 1432)

sagemaker:InstanceTypes
(p. 1431)

sagemaker:DomainSharingOutputKms
(p. 1431)

sagemaker:ImageArns
(p. 1431)

sagemaker:ImageVersionArns
(p. 1431)

Create a workforce. Write workforce*    


CreateWorkforce (p. 1426)

  aws:RequestTag/
 
${TagKey}
(p. 1430)

aws:TagKeys
(p. 1431)

Create a workteam. Write workteam*    


CreateWorkteam (p. 1426)

  aws:RequestTag/
 
${TagKey}
(p. 1430)

aws:TagKeys
(p. 1431)

DeleteAction Grants permission to delete an Write action*    


action. (p. 1430)

Grants permission to delete an Write algorithm*    


DeleteAlgorithm algorithm. (p. 1427)

DeleteApp Grants permission to delete an Write app*    


App (p. 1427)

Grants permission to delete an Write app-    


DeleteAppImageConfig
AppImageConfig image-
config*
(p. 1427)

1403
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

DeleteArtifact Grants permission to delete an Write artifact*    


artifact. (p. 1430)

Grants permission to delete Write action*    


DeleteAssociationthe association from a lineage (p. 1430)
entity (artifact, context, action,
experiment, experiment-trial- artifact*    
component) to another. (p. 1430)

context*    
(p. 1430)

experiment*    
(p. 1429)

experiment-    
trial-
component*
(p. 1430)

Grants permission to delete a Write code-    


DeleteCodeRepository
CodeRepository. repository*
(p. 1427)

Grants permission to delete a Write context*    


DeleteContext context. (p. 1430)

Grants permission to Write data-    


DeleteDataQualityJobDefinition
delete the data quality job quality-
definition created using the job-
CreateDataQualityJobDefinition definition*
API. (p. 1429)

Grants permission to delete a Write device-    


DeleteDeviceFleetdevice fleet fleet*
(p. 1426)

DeleteDomain Grants permission to delete a Write domain*    


Domain (p. 1426)

Deletes an endpoint. Amazon Write endpoint*    


DeleteEndpoint SageMaker frees up all the (p. 1428)
resources that were deployed
when the endpoint was created.

Deletes the endpoint Write endpoint-    


DeleteEndpointConfig
configuration created using config*
the CreateEndpointConfig API. (p. 1428)
The DeleteEndpointConfig
API deletes only the specified
configuration. It does not delete
any endpoints created using the
configuration.

1404
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Deletes an experiment. Write experiment*    


DeleteExperiment (p. 1429)

Deletes a feature group. Write feature-    


DeleteFeatureGroup group*
(p. 1430)

  aws:RequestTag/
 
${TagKey}
(p. 1430)

Deltes the specified flow Write flow-    


DeleteFlowDefinition
definition. definition*
(p. 1426)

Deletes the specified human Write human-    


DeleteHumanLoop
loop. loop*
(p. 1426)

DeleteImage Grants permissions to delete a Write image*    


SageMaker Image. (p. 1427)

Grants permissions to delete a Write image-    


DeleteImageVersion
SageMaker ImageVersion. version*
(p. 1427)

DeleteModel Deletes a model created using Write model*    


the CreateModel API. The (p. 1428)
DeleteModel API deletes only
the model entry in Amazon
SageMaker that you created by
calling the CreateModel API. It
does not delete model artifacts,
inference code, or the IAM role
that you specified when creating
the model.

Grants permission to Write model-    


DeleteModelBiasJobDefinition
delete the model bias job bias-job-
definition created using the definition*
CreateModelBiasJobDefinition (p. 1429)
API.

Grants permission to delete Write model-    


DeleteModelExplainabilityJobDefinition
the model explainability job explainability-
definition created using the job-
CreateModelExplainabilityJobDefinition definition*
API. (p. 1429)

Grants permission to delete a Write model-    


DeleteModelPackage
ModelPackage. package*
(p. 1428)

1405
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to delete a Write model-    


DeleteModelPackageGroup
ModelPackageGroup. package-
group*
(p. 1428)

Grants permission to delete a Write model-    


DeleteModelPackageGroupPolicy
ModelPackageGroup policy. package-
group*
(p. 1428)

Grants permission to delete Write model-    


DeleteModelQualityJobDefinition
the model quality job quality-
definition created using the job-
CreateModelQualityJobDefinition definition*
API. (p. 1429)

Grants permission to delete a Write monitoring-    


DeleteMonitoringSchedule
monitoring schedule. schedule*
(p. 1429)

Deletes an Amazon SageMaker Write notebook-    


DeleteNotebookInstance
notebook instance. Before instance*
you can delete a notebook (p. 1427)
instance, you must call the
StopNotebookInstance API.

Deletes an notebook instance Write notebook-    


DeleteNotebookInstanceLifecycleConfig
lifecycle configuration that can instance-
be deployed using Amazon lifecycle-
SageMaker. config*
(p. 1427)

Grants permission to delete a Write pipeline*    


DeletePipeline pipeline. (p. 1430)

DeleteProject Grants permission to delete a Write project*    


project. (p. 1428)

DeleteRecord Delete a record from a feature Write feature-    


group. group*
(p. 1430)

DeleteTags Deletes the specified set of tags Tagging action    


from an Amazon SageMaker (p. 1430)
resource.
algorithm    
(p. 1427)

app    
(p. 1427)

app-    
image-
config
(p. 1427)

1406
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

artifact    
(p. 1430)

automl-    
job
(p. 1429)

code-    
repository
(p. 1427)

compilation-    
job
(p. 1429)

context    
(p. 1430)

data-    
quality-
job-
definition
(p. 1429)

device    
(p. 1426)

device-    
fleet
(p. 1426)

domain    
(p. 1426)

edge-    
packaging-
job
(p. 1426)

endpoint    
(p. 1428)

endpoint-    
config
(p. 1428)

experiment    
(p. 1429)

experiment-    
trial
(p. 1429)

1407
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

experiment-    
trial-
component
(p. 1430)

feature-    
group
(p. 1430)

flow-    
definition
(p. 1426)

human-    
task-ui
(p. 1426)

hyper-    
parameter-
tuning-job
(p. 1428)

image    
(p. 1427)

labeling-    
job
(p. 1426)

model    
(p. 1428)

model-    
bias-job-
definition
(p. 1429)

model-    
explainability-
job-
definition
(p. 1429)

model-    
package
(p. 1428)

model-    
package-
group
(p. 1428)

1408
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

model-    
quality-
job-
definition
(p. 1429)

monitoring-    
schedule
(p. 1429)

notebook-    
instance
(p. 1427)

pipeline    
(p. 1430)

processing-    
job
(p. 1428)

project    
(p. 1428)

training-    
job
(p. 1428)

transform-    
job
(p. 1429)

user-    
profile
(p. 1427)

workteam    
(p. 1426)

  aws:TagKeys  
(p. 1431)

DeleteTrial Deletes a trial. Write experiment-    


trial*
(p. 1429)

Deletes a trial component. Write experiment-    


DeleteTrialComponent trial-
component*
(p. 1430)

Grants permission to delete a Write user-    


DeleteUserProfileUserProfile profile*
(p. 1427)

1409
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Deletes a workforce. Write workforce*    


DeleteWorkforce (p. 1426)

Deletes a workteam. Write workteam*    


DeleteWorkteam (p. 1426)

Grants permission to deregister Write device*    


DeregisterDevicesa set of devices (p. 1426)

Grants permission to get Read action*    


DescribeAction information about an action. (p. 1430)

Grants permission to describe an Read algorithm*    


DescribeAlgorithm
algorithm. (p. 1427)

DescribeApp Grants permission to describe an Read app*    


App (p. 1427)

Grants permission to describe an Read app-    


DescribeAppImageConfig
AppImageConfig image-
config*
(p. 1427)

Grants permission to get Read artifact*    


DescribeArtifact information about an artifact. (p. 1430)

Describes an automl Read automl-    


DescribeAutoMLJob
job that was created via job*
CreateAutoMLJob API. (p. 1429)

Grants permission to describe a Read code-    


DescribeCodeRepository
CodeRepository. repository*
(p. 1427)

Returns information about a Read compilation-    


DescribeCompilationJob
compilation job. job*
(p. 1429)

Grants permission to get Read context*    


DescribeContext information about a context. (p. 1430)

Grants permission to return Read data-    


DescribeDataQualityJobDefinition
information about a data quality quality-
job definition. job-
definition*
(p. 1429)

Grants permission to access Read device*    


DescribeDevice information about a device (p. 1426)

Grants permission to access Read device-    


DescribeDeviceFleet
information about a device fleet fleet*
(p. 1426)

Grants permission to describe a Read domain*    


DescribeDomain Domain (p. 1426)

1410
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to access Read edge-    


DescribeEdgePackagingJob
information about an edge packaging-
packaging job job*
(p. 1426)

Returns the description of an Read endpoint*    


DescribeEndpointendpoint. (p. 1428)

Returns the description of Read endpoint-    


DescribeEndpointConfig
an endpoint configuration, config*
which was created using the (p. 1428)
CreateEndpointConfig API.

Returns information about an Read experiment*    


DescribeExperiment
experiment. (p. 1429)

Returns information about a Read feature-    


DescribeFeatureGroup
feature group. group*
(p. 1430)

Returns detailed information Read flow-    


DescribeFlowDefinition
about the specified flow definition*
definition. (p. 1426)

Returns detailed information Read human-    


DescribeHumanLoop
about the specified human loop. loop*
(p. 1426)

Returns detailed information Read human-    


DescribeHumanTaskUi
about the specified human task-ui*
review workflow user interface. (p. 1426)

Describes a hyper parameter Read hyper-    


DescribeHyperParameterTuningJob
tuning job that was created via parameter-
CreateHyperParameterTuningJob tuning-
API. job*
(p. 1428)

Grants permissions to return Read image*    


DescribeImage information about a SageMaker (p. 1427)
Image.

Grants permissions to return Read image-    


DescribeImageVersion
information about a SageMaker version*
ImageVersion. (p. 1427)

Returns information about a Read labeling-    


DescribeLabelingJob
labeling job. job*
(p. 1426)

Describes a model that you Read model*    


DescribeModel created using the CreateModel (p. 1428)
API.

1411
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to return Read model-    


DescribeModelBiasJobDefinition
information about a model bias bias-job-
job definition. definition*
(p. 1429)

Grants permission to return Read model-    


DescribeModelExplainabilityJobDefinition
information about a model explainability-
explainability job definition. job-
definition*
(p. 1429)

Grants permission to describe a Read model-    


DescribeModelPackage
ModelPackage. package*
(p. 1428)

Grants permission to describe a Read model-    


DescribeModelPackageGroup
ModelPackageGroup. package-
group*
(p. 1428)

Grants permission to return Read model-    


DescribeModelQualityJobDefinition
information about a model quality-
quality job definition. job-
definition*
(p. 1429)

Grants permission to return Read monitoring-    


DescribeMonitoringSchedule
information about a monitoring schedule*
schedule. (p. 1429)

Returns information about a Read notebook-    


DescribeNotebookInstance
notebook instance. instance*
(p. 1427)

Describes an notebook Read notebook-    


DescribeNotebookInstanceLifecycleConfig
instance lifecycle configuration instance-
that was created via lifecycle-
CreateNotebookInstanceLifecycleConfig config*
API. (p. 1427)

Grants permission to get Read pipeline*    


DescribePipeline information about a pipeline. (p. 1430)

Grants permission to get the Read pipeline-    


DescribePipelineDefinitionForExecution
pipeline definition for a pipeline execution*
execution. (p. 1430)

Grants permission to get Read pipeline-    


DescribePipelineExecution
information about a pipeline execution*
execution. (p. 1430)

Returns information about a Read processing-    


DescribeProcessingJob
processing job. job*
(p. 1428)

1412
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to describe a Read project*    


DescribeProject project. (p. 1428)

Returns information about a Read workteam*    


DescribeSubscribedWorkteam
subscribed workteam. (p. 1426)

Returns information about a Read training-    


DescribeTrainingJob
training job. job*
(p. 1428)

Returns information about a Read transform-    


DescribeTransformJob
transform job. job*
(p. 1429)

DescribeTrial Returns information about a Read experiment-    


trial. trial*
(p. 1429)

Returns information about a trial Read experiment-    


DescribeTrialComponent
component. trial-
component*
(p. 1430)

Grants permission to describe a Read user-    


DescribeUserProfile
UserProfile profile*
(p. 1427)

Returns information about a Read workforce*    


DescribeWorkforce
workforce. (p. 1426)

Returns information about a Read workteam*    


DescribeWorkteam
workteam. (p. 1426)

Grants permission to disable Write      


DisableSagemakerServicecatalogPortfolio
a SageMaker Service Catalog
Portfolio.

Disassociate a trial component Write experiment-    


DisassociateTrialComponent
with a trial. trial*
(p. 1429)

experiment-    
trial-
component*
(p. 1430)

processing-    
job*
(p. 1428)

Grants permission to enable Write      


EnableSagemakerServicecatalogPortfolio
a SageMaker Service Catalog
Portfolio.

1413
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to access a Read device-    


GetDeviceFleetReport
summary of the devices in a fleet*
device fleet (p. 1426)

Grants permission to get device Read device*    


GetDeviceRegistration
registration. After you deploy (p. 1426)
a model onto edge devices this
api is used to get current device
registration

Grants permission to get a Read model-    


GetModelPackageGroupPolicy
ModelPackageGroup policy. package-
group*
(p. 1428)

GetRecord Get a record from a feature Read feature-    


group. group*
(p. 1430)

Grants permission to get a Read      


GetSagemakerServicecatalogPortfolioStatus
SageMaker Service Catalog
Portfolio.

Get search suggestions when Read      


GetSearchSuggestions
provided with keyword.

After you deploy a model into Read endpoint*    


InvokeEndpoint production using Amazon (p. 1428)
SageMaker hosting services,
your client applications use this   sagemaker:TargetModel
 
API to get inferences from the (p. 1432)
model hosted at the specified
endpoint.

ListActions Grants permission to list actions. List      

Grants permission to list List      


ListAlgorithms Algorithms.

Grants permission to list the List      


ListAppImageConfigs
AppImageConfigs in your
account

ListApps Grants permission to list the List      


Apps in your account

ListArtifacts Grants permission to list List      


artifacts.

Grants permission to list List      


ListAssociations associations.

Lists automl jobs created via the List      


ListAutoMLJobs CreateAutoMLJob.

1414
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Lists candidates for List      


ListCandidatesForAutoMLJob
automl job created via the
CreateAutoMLJob.

Grants permission to list code List      


ListCodeRepositories
repositories.

Lists compilation jobs. List      


ListCompilationJobs

ListContexts Grants permission to list List      


contexts.

Grants permission to list data List      


ListDataQualityJobDefinitions
quality job definitions.

Grants permission to list device List      


ListDeviceFleets fleets

ListDevices Grants permission to list devices. List      

ListDomains Grants permission to list the List      


Domains in your account

Grants permission to list edge List      


ListEdgePackagingJobs
packaging jobs

Lists endpoint configurations. List      


ListEndpointConfigs

ListEndpoints Lists endpoints. List      

Lists experiments. List      


ListExperiments

Lists feature groups. List      


ListFeatureGroups

Returns summary information List      


ListFlowDefinitions
about flow definitions, given the
specified parameters.

Returns summary information List      


ListHumanLoops about human loops, given the
specified parameters.

Returns summary information List      


ListHumanTaskUisabout human review workflow
user interfaces, given the
specified parameters.

Lists hyper parameter tuning List      


ListHyperParameterTuningJobs
jobs that was created using
Amazon SageMaker.

1415
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permissions to list List image*    


ListImageVersionsImageVersions that belong to a (p. 1427)
SageMaker Image.

ListImages Grants permissions to list List      


SageMaker Images in your
account.

Lists labeling jobs. List      


ListLabelingJobs

Lists labeling jobs for workteam. List workteam*    


ListLabelingJobsForWorkteam (p. 1426)

Grants permission to list model List      


ListModelBiasJobDefinitions
bias job definitions.

Grants permission to list model List      


ListModelExplainabilityJobDefinitions
explainability job definitions.

Grants permission to list List      


ListModelPackageGroups
ModelPackageGroups.

Grants permission to list List      


ListModelPackages
ModelPackages.

Grants permission to list model List      


ListModelQualityJobDefinitions
quality job definitions.

ListModels Lists the models created with List      


the CreateModel API.

Grants permission to list List      


ListMonitoringExecutions
monitoring executions.

Grants permission to list List      


ListMonitoringSchedules
monitoring schedules.

Lists notebook instance lifecycle List      


ListNotebookInstanceLifecycleConfigs
configurations that can be
deployed using Amazon
SageMaker.

Returns a list of the Amazon List      


ListNotebookInstances
SageMaker notebook instances
in the requester's account in an
AWS Region.

Grants permission to list steps List pipeline-    


ListPipelineExecutionSteps
for a pipeline execution execution*
(p. 1430)

Grants permission to list List pipeline*    


ListPipelineExecutions
executions for a pipeline (p. 1430)

1416
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to list List pipeline-    


ListPipelineParametersForExecution
parameters for a pipeline execution*
execution (p. 1430)

ListPipelines Grants permission to list List      


pipelines.

Lists processing jobs. List      


ListProcessingJobs

ListProjects Grants permission to list List      


Projects.

Lists subscribed workteams. List      


ListSubscribedWorkteams

ListTags Returns the tag set associated List action    


with the specified resource. (p. 1430)

algorithm    
(p. 1427)

app    
(p. 1427)

app-    
image-
config
(p. 1427)

artifact    
(p. 1430)

automl-    
job
(p. 1429)

code-    
repository
(p. 1427)

context    
(p. 1430)

data-    
quality-
job-
definition
(p. 1429)

device    
(p. 1426)

device-    
fleet
(p. 1426)

1417
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

domain    
(p. 1426)

edge-    
packaging-
job
(p. 1426)

endpoint    
(p. 1428)

endpoint-    
config
(p. 1428)

experiment    
(p. 1429)

experiment-    
trial
(p. 1429)

experiment-    
trial-
component
(p. 1430)

feature-    
group
(p. 1430)

flow-    
definition
(p. 1426)

human-    
task-ui
(p. 1426)

hyper-    
parameter-
tuning-job
(p. 1428)

image    
(p. 1427)

labeling-    
job
(p. 1426)

model    
(p. 1428)

1418
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

model-    
bias-job-
definition
(p. 1429)

model-    
explainability-
job-
definition
(p. 1429)

model-    
package
(p. 1428)

model-    
package-
group
(p. 1428)

model-    
quality-
job-
definition
(p. 1429)

monitoring-    
schedule
(p. 1429)

notebook-    
instance
(p. 1427)

pipeline    
(p. 1430)

project    
(p. 1428)

training-    
job
(p. 1428)

transform-    
job
(p. 1429)

user-    
profile
(p. 1427)

workteam    
(p. 1426)

1419
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Lists training jobs. List      


ListTrainingJobs

Lists training jobs for a hyper List hyper-    


ListTrainingJobsForHyperParameterTuningJob
parameter tuning job that parameter-
was created using Amazon tuning-
SageMaker. job*
(p. 1428)

Lists transform jobs. List      


ListTransformJobs

Lists trial components. List      


ListTrialComponents

ListTrials Lists trials. List      

Grants permission to list the List      


ListUserProfiles UserProfiles in your account

Lists workforces. List      


ListWorkforces

Lists workteams. List      


ListWorkteams

Grants permission to put a Write model-    


PutModelPackageGroupPolicy
ModelPackageGroup policy. package-
group*
(p. 1428)

PutRecord Put a record to a feature group. Write feature-    


group*
(p. 1430)

Grants permission to register a Write device*    


RegisterDevices set of devices (p. 1426)

  aws:RequestTag/
 
${TagKey}
(p. 1430)

aws:TagKeys
(p. 1431)

Render a UI template used for a Read     iam:PassRole


RenderUiTemplatehuman annotation task.

Search Search for SageMaker objects. Read      

Grants permission to publish Write device*    


SendHeartbeat heartbeat data from devices. (p. 1426)
After you deploy a model onto
edge devices this api is used to
report device status

1420
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Starts a human loop. Write flow-    


StartHumanLoop definition*
(p. 1426)

Starts a monitoring schedule. Write monitoring-    


StartMonitoringSchedule schedule*
(p. 1429)

Launches an EC2 instance with Write notebook-    


StartNotebookInstance
the latest version of the libraries instance*
and attaches your EBS volume. (p. 1427)

Grants permission to start a Write pipeline*    


StartPipelineExecution
pipeline execution. (p. 1430)

Stops a running automl Write automl-    


StopAutoMLJob job created via the job*
CreateAutoMLJob. (p. 1429)

Stops a compilation job. Write compilation-    


StopCompilationJob job*
(p. 1429)

Grants permission to stop an Write edge-    


StopEdgePackagingJob
edge packaging job packaging-
job*
(p. 1426)

Stops the specified human loop. Write human-    


StopHumanLoop loop*
(p. 1426)

Stops a running hyper Write hyper-    


StopHyperParameterTuningJob
parameter tuning parameter-
job create via the tuning-
CreateHyperParameterTuningJob. job*
(p. 1428)

Stops a labeling job. Any labels Write labeling-    


StopLabelingJob already generated will be job*
exported before stopping. (p. 1426)

Stops a monitoring schedule. Write monitoring-    


StopMonitoringSchedule schedule*
(p. 1429)

Terminates the EC2 instance. Write notebook-    


StopNotebookInstance
Before terminating the instance, instance*
Amazon SageMaker disconnects (p. 1427)
the EBS volume from it. Amazon
SageMaker preserves the EBS
volume.

1421
Service Authorization Reference
Service Authorization Reference
Amazon SageMaker

Actions Description Access Resource Condition Dependent


level types keys actions
(*required)

Grants permission to stop a Write pipeline-    


StopPipelineExecution
pipeline execution. execution*
(p. 1430)

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| StopProcessingJob | Stops a processing job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds. | Write | processing-job* | | |
| StopTrainingJob | Stops a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds. | Write | training-job* | | |
| StopTransformJob | Stops a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. After Amazon SageMaker stops the job, the status is set to Stopped. | Write | transform-job* | | |
| UpdateAction | Grants permission to update an action. | Write | action* | | |
| UpdateAppImageConfig | Grants permission to update an AppImageConfig. | Write | app-image-config* | | |
| UpdateArtifact | Grants permission to update an artifact. | Write | artifact* | | |
| UpdateCodeRepository | Grants permission to update a CodeRepository. | Write | code-repository* | | |
| UpdateContext | Grants permission to update a context. | Write | context* | | |
| UpdateDeviceFleet | Grants permission to update a device fleet. | Write | device-fleet* | | |
| UpdateDevices | Grants permission to update a set of devices. | Write | device* | | |
| UpdateDomain | Grants permission to update a Domain. | Write | domain* | sagemaker:VpcSecurityGroupIds, sagemaker:InstanceTypes, sagemaker:DomainSharingOutputKmsKey, sagemaker:ImageArns, sagemaker:ImageVersionArns | |
| UpdateEndpoint | Updates an endpoint to use the endpoint configuration specified in the request. | Write | endpoint* | | |
| UpdateEndpointWeightsAndCapacities | Updates variant weight, capacity, or both of one or more variants associated with an endpoint. | Write | endpoint* | | |
| UpdateExperiment | Updates an experiment. | Write | experiment* | | |
| UpdateImage | Grants permission to update the properties of a SageMaker Image. | Write | image* | | iam:PassRole |
| UpdateModelPackage | Grants permission to update a ModelPackage. | Write | model-package* | | |
| UpdateMonitoringSchedule | Updates a monitoring schedule. | Write | monitoring-schedule* | aws:RequestTag/${TagKey}, aws:TagKeys, sagemaker:InstanceTypes, sagemaker:MaxRuntimeInSeconds, sagemaker:NetworkIsolation, sagemaker:OutputKmsKey, sagemaker:VolumeKmsKey, sagemaker:VpcSecurityGroupIds, sagemaker:VpcSubnets, sagemaker:InterContainerTrafficEncryption | iam:PassRole |
| UpdateNotebookInstance | Updates a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements. You can also update the VPC security groups. | Write | notebook-instance* | sagemaker:AcceleratorTypes, sagemaker:InstanceTypes, sagemaker:RootAccess | |
| UpdateNotebookInstanceLifecycleConfig | Updates a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API. | Write | notebook-instance-lifecycle-config* | | |
| UpdatePipeline | Grants permission to update a pipeline. | Write | pipeline* | | iam:PassRole |
| UpdatePipelineExecution | Grants permission to update a pipeline execution. | Write | pipeline-execution* | | |
| UpdateTrainingJob | Updates a training job. | Write | training-job* | sagemaker:InstanceTypes | |
| UpdateTrial | Updates a trial. | Write | experiment-trial* | | |
| UpdateTrialComponent | Updates a trial component. | Write | experiment-trial-component* | | |
| UpdateUserProfile | Grants permission to update a UserProfile. | Write | user-profile* | sagemaker:InstanceTypes, sagemaker:VpcSecurityGroupIds, sagemaker:DomainSharingOutputKmsKey, sagemaker:ImageArns, sagemaker:ImageVersionArns | |
| UpdateWorkforce | Updates a workforce. | Write | workforce* | | |
| UpdateWorkteam | Updates a workteam. | Write | workteam* | | |

Resource types defined by Amazon SageMaker


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1383) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| device | arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}/device/${DeviceName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| device-fleet | arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| edge-packaging-job | arn:${Partition}:sagemaker:${Region}:${Account}:edge-packaging-job/${EdgePackagingJobName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| human-loop | arn:${Partition}:sagemaker:${Region}:${Account}:human-loop/${HumanLoopName} | |
| flow-definition | arn:${Partition}:sagemaker:${Region}:${Account}:flow-definition/${FlowDefinitionName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| human-task-ui | arn:${Partition}:sagemaker:${Region}:${Account}:human-task-ui/${HumanTaskUiName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| labeling-job | arn:${Partition}:sagemaker:${Region}:${Account}:labeling-job/${LabelingJobName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| workteam | arn:${Partition}:sagemaker:${Region}:${Account}:workteam/${WorkteamName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| workforce | arn:${Partition}:sagemaker:${Region}:${Account}:workforce/${WorkforceName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| domain | arn:${Partition}:sagemaker:${Region}:${Account}:domain/${DomainId} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| user-profile | arn:${Partition}:sagemaker:${Region}:${Account}:user-profile/${DomainId}/${UserProfileName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| app | arn:${Partition}:sagemaker:${Region}:${Account}:app/${DomainId}/${UserProfileName}/${AppType}/${AppName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| app-image-config | arn:${Partition}:sagemaker:${Region}:${Account}:app-image-config/${AppImageConfigName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| notebook-instance | arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance/${NotebookInstanceName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| notebook-instance-lifecycle-config | arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance-lifecycle-config/${NotebookInstanceLifecycleConfigName} | |
| code-repository | arn:${Partition}:sagemaker:${Region}:${Account}:code-repository/${CodeRepositoryName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| image | arn:${Partition}:sagemaker:${Region}:${Account}:image/${ImageName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| image-version | arn:${Partition}:sagemaker:${Region}:${Account}:image-version/${ImageName}/${Version} | |
| algorithm | arn:${Partition}:sagemaker:${Region}:${Account}:algorithm/${AlgorithmName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| training-job | arn:${Partition}:sagemaker:${Region}:${Account}:training-job/${TrainingJobName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| processing-job | arn:${Partition}:sagemaker:${Region}:${Account}:processing-job/${ProcessingJobName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| hyper-parameter-tuning-job | arn:${Partition}:sagemaker:${Region}:${Account}:hyper-parameter-tuning-job/${HyperParameterTuningJobName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| project | arn:${Partition}:sagemaker:${Region}:${Account}:project/${ProjectName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| model-package | arn:${Partition}:sagemaker:${Region}:${Account}:model-package/${ModelPackageName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| model-package-group | arn:${Partition}:sagemaker:${Region}:${Account}:model-package-group/${ModelPackageGroupName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| model | arn:${Partition}:sagemaker:${Region}:${Account}:model/${ModelName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| endpoint-config | arn:${Partition}:sagemaker:${Region}:${Account}:endpoint-config/${EndpointConfigName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| endpoint | arn:${Partition}:sagemaker:${Region}:${Account}:endpoint/${EndpointName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| transform-job | arn:${Partition}:sagemaker:${Region}:${Account}:transform-job/${TransformJobName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| compilation-job | arn:${Partition}:sagemaker:${Region}:${Account}:compilation-job/${CompilationJobName} | |
| automl-job | arn:${Partition}:sagemaker:${Region}:${Account}:automl-job/${AutoMLJobJobName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| monitoring-schedule | arn:${Partition}:sagemaker:${Region}:${Account}:monitoring-schedule/${MonitoringScheduleName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| data-quality-job-definition | arn:${Partition}:sagemaker:${Region}:${Account}:data-quality-job-definition/${DataQualityJobDefinitionName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| model-quality-job-definition | arn:${Partition}:sagemaker:${Region}:${Account}:model-quality-job-definition/${ModelQualityJobDefinitionName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| model-bias-job-definition | arn:${Partition}:sagemaker:${Region}:${Account}:model-bias-job-definition/${ModelBiasJobDefinitionName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| model-explainability-job-definition | arn:${Partition}:sagemaker:${Region}:${Account}:model-explainability-job-definition/${ModelExplainabilityJobDefinitionName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| experiment | arn:${Partition}:sagemaker:${Region}:${Account}:experiment/${ExperimentName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| experiment-trial | arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial/${TrialName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| experiment-trial-component | arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial-component/${TrialComponentName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| feature-group | arn:${Partition}:sagemaker:${Region}:${Account}:feature-group/${FeatureGroupName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| pipeline | arn:${Partition}:sagemaker:${Region}:${Account}:pipeline/${PipelineName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| pipeline-execution | arn:${Partition}:sagemaker:${Region}:${Account}:pipeline/${PipelineName}/execution/${RandomString} | |
| artifact | arn:${Partition}:sagemaker:${Region}:${Account}:artifact/${HashOfArtifactSource} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| context | arn:${Partition}:sagemaker:${Region}:${Account}:context/${ContextName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |
| action | arn:${Partition}:sagemaker:${Region}:${Account}:action/${ActionName} | aws:ResourceTag/${TagKey}, sagemaker:ResourceTag/${TagKey} |

Condition keys for Amazon SageMaker


Amazon SageMaker defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | A key that is present in the request the user makes to the SageMaker service. | String |
| aws:ResourceTag/${TagKey} | A tag key and value pair. | String |
| aws:TagKeys | The list of all the tag key names associated with the resource in the request. | String |
| sagemaker:AcceleratorTypes | The list of all accelerator types associated with the resource in the request. | ArrayOfString |
| sagemaker:AppNetworkAccessType | App network access type associated with the resource in the request. | String |
| sagemaker:DirectInternetAccess | The direct internet access associated with the resource in the request. | String |
| sagemaker:DomainSharingOutputKmsKey | The Domain sharing output KMS key associated with the resource in the request. | ARN |
| sagemaker:FeatureGroupOfflineStoreKmsKey | The offline store KMS key associated with the feature group resource in the request. | ARN |
| sagemaker:FeatureGroupOfflineStoreS3Uri | The offline store S3 URI associated with the feature group resource in the request. | String |
| sagemaker:FeatureGroupOnlineStoreKmsKey | The online store KMS key associated with the feature group resource in the request. | ARN |
| sagemaker:FileSystemAccessMode | File system access mode associated with the resource in the request. | String |
| sagemaker:FileSystemDirectoryPath | File system directory path associated with the resource in the request. | String |
| sagemaker:FileSystemId | A file system ID associated with the resource in the request. | String |
| sagemaker:FileSystemType | File system type associated with the resource in the request. | String |
| sagemaker:HomeEfsFileSystemKmsKey | This key is deprecated. It has been replaced by sagemaker:VolumeKmsKey. | ARN |
| sagemaker:ImageArns | Filters access by the list of all image ARNs associated with the resource in the request. | ArrayOfString |
| sagemaker:ImageVersionArns | Filters access by the list of all image version ARNs associated with the resource in the request. | ArrayOfString |
| sagemaker:InstanceTypes | The list of all instance types associated with the resource in the request. | ArrayOfString |
| sagemaker:InterContainerTrafficEncryption | The inter-container traffic encryption associated with the resource in the request. | Bool |
| sagemaker:MaxRuntimeInSeconds | The max runtime in seconds associated with the resource in the request. | Numeric |
| sagemaker:ModelArn | The model ARN associated with the resource in the request. | ARN |
| sagemaker:NetworkIsolation | The network isolation associated with the resource in the request. | Bool |
| sagemaker:OutputKmsKey | The output KMS key associated with the resource in the request. | ARN |
| sagemaker:ResourceTag/ | The preface string for a tag key and value pair attached to a resource. | String |
| sagemaker:ResourceTag/${TagKey} | A tag key and value pair. | String |
| sagemaker:RootAccess | The root access associated with the resource in the request. | String |
| sagemaker:TargetModel | The target model associated with the Multi-Model Endpoint in the request. | String |
| sagemaker:VolumeKmsKey | The volume KMS key associated with the resource in the request. | ARN |
| sagemaker:VpcSecurityGroupIds | The list of all VPC security group IDs associated with the resource in the request. | ArrayOfString |
| sagemaker:VpcSubnets | The list of all VPC subnets associated with the resource in the request. | ArrayOfString |
| sagemaker:WorkteamArn | The workteam ARN associated with the request. | ARN |
| sagemaker:WorkteamType | The workteam type associated with the request. This can be public-crowd, private-crowd or vendor-crowd. | String |

Actions, resources, and condition keys for AWS Savings Plans

AWS Savings Plans (service prefix: savingsplans) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Savings Plans (p. 1433)
• Resource types defined by AWS Savings Plans (p. 1434)
• Condition keys for AWS Savings Plans (p. 1434)


Actions defined by AWS Savings Plans


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateSavingsPlan | Grants permission to create a savings plan. | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteQueuedSavingsPlan | Grants permission to delete the queued savings plan associated with the customer's account. | Write | savingsplan* | aws:ResourceTag/${TagKey} | |
| DescribeSavingsPlanRates | Grants permission to describe the rates associated with the customer's savings plan. | Read | savingsplan* | aws:ResourceTag/${TagKey} | |
| DescribeSavingsPlans | Grants permission to describe the savings plans associated with the customer's account. | Read | savingsplan* | aws:ResourceTag/${TagKey} | |
| DescribeSavingsPlansOfferingRates | Grants permission to describe the rates associated with savings plans offerings. | Read | | | |
| DescribeSavingsPlansOfferings | Grants permission to describe the savings plans offerings that the customer is eligible to purchase. | Read | | | |
| ListTagsForResource | Grants permission to list tags for a savings plan. | List | savingsplan* | | |
| TagResource | Grants permission to tag a savings plan. | Tagging | savingsplan* | aws:TagKeys, aws:RequestTag/${TagKey} | |
| UntagResource | Grants permission to untag a savings plan. | Tagging | savingsplan* | aws:TagKeys | |

Resource types defined by AWS Savings Plans


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1433) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| savingsplan | arn:${Partition}:savingsplans::${Account}:savingsplan/${ResourceId} | aws:ResourceTag/${TagKey} |

Condition keys for AWS Savings Plans


AWS Savings Plans defines the following condition keys that can be used in the Condition element of
an IAM policy. You can use these keys to further refine the conditions under which the policy statement
applies. For details about the columns in the following table, see The condition keys table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags. | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource. | String |
| aws:TagKeys | Filters actions based on the presence of mandatory tags in the request. | String |

Actions, resources, and condition keys for AWS Secrets Manager

AWS Secrets Manager (service prefix: secretsmanager) provides the following service-specific
resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.
• View a list of the API operations available for this service.
• Learn how to secure this service and its resources by using IAM permission policies.

Topics
• Actions defined by AWS Secrets Manager (p. 1435)
• Resource types defined by AWS Secrets Manager (p. 1441)
• Condition keys for AWS Secrets Manager (p. 1442)

Actions defined by AWS Secrets Manager


You can specify the following actions in the Action element of an IAM policy statement. Use policies
to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually
allow or deny access to the API operation or CLI command with the same name. However, in some cases,
a single action controls access to more than one operation. Alternatively, some operations require several
different actions.

The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource element of your
policy statement. If the column includes a resource type, then you can specify an ARN of that type in
a statement with that action. Required resources are indicated in the table with an asterisk (*). If you
specify a resource-level permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not indicated as required),
then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table (p. 1).

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CancelRotateSecret | Enables the user to cancel an in-progress secret rotation. | Write | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| CreateSecret | Enables the user to create a secret that stores encrypted data that can be queried and rotated. | Write | Secret* | secretsmanager:Name, secretsmanager:Description, secretsmanager:KmsKeyId, aws:RequestTag/tag-key, aws:TagKeys, secretsmanager:ResourceTag/tag-key | |
| DeleteResourcePolicy | Enables the user to delete the resource policy attached to a secret. | Permissions management | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| DeleteSecret | Enables the user to delete a secret. | Write | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:RecoveryWindowInDays, secretsmanager:ForceDeleteWithoutRecovery, secretsmanager:ResourceTag/tag-key | |
| DescribeSecret | Enables the user to retrieve the metadata about a secret, but not the encrypted data. | Read | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| GetRandomPassword | Enables the user to generate a random string for use in password creation. | Read | | | |
| GetResourcePolicy | Enables the user to get the resource policy attached to a secret. | Read | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| GetSecretValue | Enables the user to retrieve and decrypt the encrypted data. | Read | Secret* | secretsmanager:SecretId, secretsmanager:VersionId, secretsmanager:VersionStage, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| ListSecretVersionIds | Enables the user to list the available versions of a secret. | Read | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| ListSecrets | Enables the user to list the available secrets. | List | | | |
| PutResourcePolicy | Enables the user to attach a resource policy to a secret. | Permissions management | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, secretsmanager:BlockPublicPolicy | |
| PutSecretValue | Enables the user to create a new version of the secret with new encrypted data. | Write | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| RestoreSecret | Enables the user to cancel deletion of a secret. | Write | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| RotateSecret | Enables the user to start rotation of a secret. | Write | Secret* | secretsmanager:SecretId, secretsmanager:RotationLambdaARN, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| TagResource | Enables the user to add tags to a secret. | Tagging | Secret* | secretsmanager:SecretId, aws:RequestTag/tag-key, aws:TagKeys, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| UntagResource | Enables the user to remove tags from a secret. | Tagging | Secret* | secretsmanager:SecretId, aws:TagKeys, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| UpdateSecret | Enables the user to update a secret with new metadata or with a new version of the encrypted data. | Write | Secret* | secretsmanager:SecretId, secretsmanager:Description, secretsmanager:KmsKeyId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| UpdateSecretVersionStage | Enables the user to move a stage from one secret to another. | Write | Secret* | secretsmanager:SecretId, secretsmanager:VersionStage, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |
| ValidateResourcePolicy | Enables the user to validate a resource policy before attaching the policy. | Permissions management | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key | |

Resource types defined by AWS Secrets Manager


The following resource types are defined by this service and can be used in the Resource element of
IAM permission policy statements. Each action in the Actions table (p. 1435) identifies the resource
types that can be specified with that action. A resource type can also define which condition keys you
can include in a policy. These keys are displayed in the last column of the table. For details about the
columns in the following table, see The resource types table (p. 2).

| Resource types | ARN | Condition keys |
|---|---|---|
| Secret | arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId} | aws:RequestTag/tag-key, aws:TagKeys, secretsmanager:ResourceTag/tag-key, secretsmanager:resource/AllowRotationLambdaArn |


Condition keys for AWS Secrets Manager


AWS Secrets Manager defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the
policy statement applies. For details about the columns in the following table, see The condition keys
table (p. 2).

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/tag-key | Filters access by a key that is present in the request the user makes to the Secrets Manager service. | String |
| aws:TagKeys | Filters access by the list of all the tag key names present in the request the user makes to the Secrets Manager service. | String |
| secretsmanager:BlockPublicPolicy | Filters access by whether the resource policy blocks broad AWS account access. | Boolean |
| secretsmanager:Description | Filters access by the description text in the request. | String |
| secretsmanager:ForceDeleteWithoutRecovery | Filters access by whether the secret is to be deleted immediately without any recovery window. | Boolean |
| secretsmanager:KmsKeyId | Filters access by the ARN of the KMS key in the request. | String |
| secretsmanager:Name | Filters access by the friendly name of the secret in the request. | String |
| secretsmanager:RecoveryWindowInDays | Filters access by the number of days that Secrets Manager waits before it can delete the secret. | Long |
| secretsmanager:ResourceTag/tag-key | Filters access by a tag key and value pair. | String |
| secretsmanager:RotationLambdaARN | Filters access by the ARN of the rotation Lambda function in the request. | ARN |
| secretsmanager:SecretId | Filters access by the SecretId value in the request. | ARN |
| secretsmanager:VersionId | Filters access by the unique identifier of the version of the secret in the request. | String |
| secretsmanager:VersionStage | Filters access by the list of version stages in the request. | String |
| secretsmanager:resource/AllowRotationLambdaArn | Filters access by the ARN of the rotation Lambda function associated with the secret. | ARN |
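An identity-based policy that puts the Secrets Manager tables above to work, added here as an example and not taken from the AWS reference: it allows reading secret values only for secrets carrying a team=payments tag (through secretsmanager:ResourceTag/tag-key), grants ListSecrets on "*" because that action lists no resource type in the Actions table, denies PutResourcePolicy unless secretsmanager:BlockPublicPolicy is explicitly true (one Deny for a false value, one Null-operator Deny for a request that omits it), and denies DeleteSecret when ForceDeleteWithoutRecovery is set. The account ID, Region and the tag key/value are placeholders; IAM policy JSON permits no comments, so each Sid states what its statement does.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecretsTaggedForOwnTeam",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/team": "payments"
        }
      }
    },
    {
      "Sid": "ListSecretsHasNoResourceTypeSoStarIsRequired",
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    },
    {
      "Sid": "DenyResourcePolicyThatDisablesBlockPublicPolicy",
      "Effect": "Deny",
      "Action": "secretsmanager:PutResourcePolicy",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "secretsmanager:BlockPublicPolicy": "false"
        }
      }
    },
    {
      "Sid": "DenyResourcePolicyThatOmitsBlockPublicPolicy",
      "Effect": "Deny",
      "Action": "secretsmanager:PutResourcePolicy",
      "Resource": "*",
      "Condition": {
        "Null": {
          "secretsmanager:BlockPublicPolicy": "true"
        }
      }
    },
    {
      "Sid": "DenyDeletionWithoutRecoveryWindow",
      "Effect": "Deny",
      "Action": "secretsmanager:DeleteSecret",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "secretsmanager:ForceDeleteWithoutRecovery": "true"
        }
      }
    }
  ]
}
```

Because the Allow statement names a Secret ARN and a tag condition, a GetSecretValue call on an untagged secret is denied by default; the explicit Deny statements win over any other Allow the principal holds.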
