List of AWS Service Principals
a4b.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
alexa-appkit.amazon.com
alexa-connectedhome.amazon.com
amazonmq.amazonaws.com
apigateway.amazonaws.com
appflow.amazonaws.com
application-autoscaling.amazonaws.com
appstream.application-autoscaling.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
autoscaling.amazonaws.com
aws-artifact-account-sync.amazonaws.com
backup.amazonaws.com
batch.amazonaws.com
billingconsole.amazonaws.com
budgets.amazonaws.com
ce.amazonaws.com
channels.lex.amazonaws.com
chime.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
cloudwatch-crossaccount.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.${AWS::Region}.amazonaws.com
codedeploy.amazonaws.com
codepipeline.amazonaws.com
codestar.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
config-conforms.amazonaws.com
config-multiaccountsetup.amazonaws.com
config.amazonaws.com
connect.amazonaws.com
continuousexport.discovery.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
databrew.amazonaws.com
datapipeline.amazonaws.com
dax.amazonaws.com
deeplens.amazonaws.com
delivery.logs.amazonaws.com
diode.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dlm.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec.amazonaws.com
ec2.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ec2fleet.amazonaws.com
ec2scheduled.amazonaws.com
ecr.amazonaws.com
ecs-tasks.amazonaws.com
ecs.amazonaws.com
ecs.application-autoscaling.amazonaws.com
edgelambda.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
email.cognito-idp.amazonaws.com
es.amazonaws.com
events.amazonaws.com
firehose.amazonaws.com
fms.amazonaws.com
freertos.amazonaws.com
fsx.amazonaws.com
gamelift.amazonaws.com
glacier.amazonaws.com
globalaccelerator.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
health.amazonaws.com
iam.amazonaws.com
importexport.amazonaws.com
inspector.amazonaws.com
iot.amazonaws.com
iotanalytics.amazonaws.com
iotevents.amazonaws.com
iotsitewise.amazonaws.com
iotthingsgraph.amazonaws.com
jellyfish.amazonaws.com
kafka.amazonaws.com
kinesis.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
lakeformation.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
license-manager.amazonaws.com
lightsail.amazonaws.com
logger.cloudfront.amazonaws.com
logs.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
managedservices.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediapackage.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
member.org.stacksets.cloudformation.amazonaws.com
metering-marketplace.amazonaws.com
migrationhub.amazonaws.com
mobilehub.amazonaws.com
monitoring.amazonaws.com
monitoring.rds.amazonaws.com
ops.apigateway.amazonaws.com
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
pinpoint.amazonaws.com
polly.amazonaws.com
qldb.amazonaws.com
quicksight.amazonaws.com
ram.amazonaws.com
rds.amazonaws.com
redshift.amazonaws.com
rekognition.amazonaws.com
replication.dynamodb.amazonaws.com
replicator.lambda.amazonaws.com
resource-groups.amazonaws.com
robomaker.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53resolver.amazonaws.com
s3.amazonaws.com
sagemaker.amazonaws.com
secretsmanager.amazonaws.com
securityhub.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
spotfleet.amazonaws.com
sqs.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storagegateway.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
tagging.amazonaws.com
tagpolicies.tag.amazonaws.com
transcribe.amazonaws.com
transfer.amazonaws.com
translate.amazonaws.com
trustedadvisor.amazonaws.com
tts.amazonaws.com
vmie.amazonaws.com
waf-regional.amazonaws.com
waf.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workspaces.amazonaws.com
xray.amazonaws.com

@mjnowen mjnowen commented Jan 19, 2018

Missed one: vmie.amazonaws.com

@JohnVonNeumann JohnVonNeumann commented Apr 7, 2018

You are a beautiful human bean.

@spullara spullara commented May 30, 2018

new one recently, don't know what it is: im.amazonaws.com

Owner Author

@shortjared shortjared commented Jul 5, 2018

@spullara I can’t even find a reference to that with a quick google. Any ideas or doc links?

@chadbrewbaker chadbrewbaker commented Jul 5, 2018

Got a list of their RPM servers for AWS Linux?

@ahujarajesh ahujarajesh commented Aug 10, 2018

{
  "Statement": {
    "Effect": "Allow",
    "Principal": { "Service": "logs.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }
}

Trying to create above policy.
It gives me This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar

IDK what I am adding wrong here?

@jeshan jeshan commented Sep 10, 2018

There's Kinesis Firehose as well:
firehose.amazonaws.com
https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html

@atrakic atrakic commented Oct 8, 2018

How does one generate latest list by aws cli?

@iscofield iscofield commented Oct 10, 2018

Missing:

kinesisanalytics.amazonaws.com
firehose.amazonaws.com
states.amazonaws.com
codebuild.amazonaws.com
glue.amazonaws.com
appstream.application-autoscaling.amazonaws.com
ecs-tasks.amazonaws.com
appsync.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ecs.application-autoscaling.amazonaws.com
continuousexport.discovery.amazonaws.com
batch.amazonaws.com
dms.amazonaws.com
dlm.amazonaws.com
deeplens.amazonaws.com
greengrass.amazonaws.com
dax.amazonaws.com
replication.dynamodb.amazonaws.com
ec2scheduled.amazonaws.com
spotfleet.amazonaws.com
application-autoscaling.amazonaws.com
ec2fleet.amazonaws.com
eks.amazonaws.com
elastictranscoder.amazonaws.com
guardduty.amazonaws.com
iot.amazonaws.com
lex.amazonaws.com
channels.lex.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
mediaconvert.amazonaws.com
monitoring.rds.amazonaws.com
rekognition.amazonaws.com
sms.amazonaws.com
swf.amazonaws.com
sagemaker.amazonaws.com
trustedadvisor.amazonaws.com
Owner Author

@shortjared shortjared commented Nov 8, 2018

Updated list. Thanks to @iscofield and @jeshan

@cmaurer cmaurer commented Nov 21, 2018

missing:

cloud9.amazonaws.com
es.amazonaws.com
sso.amazonaws.com

cloudhsm? I can't seem to be able to find the principal for this one

@copumpkin copumpkin commented Dec 5, 2018

Some of these also have region-specific principals, for what it's worth.

For example codedeploy and several others support a codedeploy.us-east-1.amazonaws.com form of the service principal. Not really sure why given that IAM entities are global, but if you want an exhaustive list that should probably be captured somewhere.

Incidentally, this is also why @ahujarajesh asked the question above. For a while (I think!), logs only worked with regions, so logs.us-east-1.amazonaws.com was valid but logs.amazonaws.com was not. I think that's now changed and both forms are accepted. Or possibly it was just attempting to input a principal field into a principal policy, which is forbidden 😄

@copumpkin copumpkin commented Dec 5, 2018

Also relevant to this list if you start broadening its scope a bit is https://github.com/duo-labs/cloudmapper/blob/master/vendor_accounts.yaml (courtesy of @0xdabbad00 and @williambherman), which includes AWS service accounts that don't have associated service principals, as well as canonical third-party vendor accounts.

@dnitsch dnitsch commented Feb 3, 2019

This one as well, but really falls under federated principal type...
cognito-identity.amazonaws.com

@reidgould reidgould commented Feb 14, 2019

I'm looking for the service principal needed for the Alexa::ASK::Skill CloudFormation resource to assume a role to get a Skill Package object from S3. Has anyone made this work? Maybe it's a federated principal? Relevant property: Alexa::ASK::Skill SkillPackage S3BucketRole

@cStorm cStorm commented Feb 14, 2019

> I'm looking for the service principal needed for the Alexa::ASK::Skill CloudFormation resource to assume a role to get a Skill Package object from S3. Has anyone made this work? Maybe it's a federated principal? Relevant property: Alexa::ASK::Skill SkillPackage S3BucketRole

@reidgould I came here for the exact same reason. Does anyone know?

@cStorm cStorm commented Feb 14, 2019

For @reidgould and anyone else that's interested, the Alexa service principal seems to be alexa-appkit.amazon.com

@mdclement mdclement commented Feb 27, 2019

missing secretsmanager.amazonaws.com

@Logikz Logikz commented Mar 12, 2019

anyone know the principal string for the alexa smart home trigger?

Owner Author

@shortjared shortjared commented Apr 11, 2019

thanks all, updated the list again

@wjoe wjoe commented Apr 25, 2019

Missing elasticloadbalancing.amazonaws.com - required at least for granting ALBs permission to invoke Lambda functions, which was added quite recently - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html

@vitaminj vitaminj commented May 28, 2019

Alexa Smart Home seems to be alexa-connectedhome.amazon.com

@jeffmccollum jeffmccollum commented Jun 11, 2019

A couple more
aws-artifact-account-sync.amazonaws.com
ram.amazonaws.com
license-manager.amazonaws.com
fms.amazonaws.com

@zweizhang zweizhang commented Jul 13, 2019

I hope there will be another list for the China region, because some services in the China region have the suffix .cn but some do not.

@abdullahkhawer abdullahkhawer commented Aug 1, 2019

Where is "cloudwatch.amazonaws.com"? Also, "monitoring.amazonaws.com" is not working in SNS policy.

@tomasaschan tomasaschan commented Aug 15, 2019

This one also seems to be missing: cognito-idp.amazonaws.com

@rajholla rajholla commented Aug 31, 2019

Consolidated list :

a4b.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
amazonmq.amazonaws.com
apigateway.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
autoscaling.amazonaws.com
b
backup.amazonaws.com
batch.amazonaws.com
billingconsole.amazonaws.com
c
ce.amazonaws.com
chime.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.amazonaws.com
codepipeline.amazonaws.com
codestar.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
config.amazonaws.com
d
datapipeline.amazonaws.com
dax.amazonaws.com
diode.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
e
ec2.amazonaws.com
ecr.amazonaws.com
ecs.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
es.amazonaws.com
events.amazonaws.com
f
firehose.amazonaws.com
fms.amazonaws.com
freertos.amazonaws.com
fsx.amazonaws.com
g
gamelift.amazonaws.com
glacier.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
h
health.amazonaws.com
i
iam.amazonaws.com
importexport.amazonaws.com
inspector.amazonaws.com
iot.amazonaws.com
iotanalytics.amazonaws.com
iotthingsgraph.amazonaws.com
j
jellyfish.amazonaws.com
k
kinesis.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
l
lakeformation.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
lightsail.amazonaws.com
logs.amazonaws.com
m
machinelearning.amazonaws.com
managedservices.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediapackage.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
metering-marketplace.amazonaws.com
migrationhub.amazonaws.com
mobilehub.amazonaws.com
monitoring.amazonaws.com
o
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
p
pinpoint.amazonaws.com
polly.amazonaws.com
q
qldb.amazonaws.com
quicksight.amazonaws.com
r
rds.amazonaws.com
redshift.amazonaws.com
rekognition.amazonaws.com
resource-groups.amazonaws.com
robomaker.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53resolver.amazonaws.com
s
s3.amazonaws.com
sagemaker.amazonaws.com
secretsmanager.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
sqs.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storagegateway.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
t
tagging.amazonaws.com
transfer.amazonaws.com
translate.amazonaws.com
tts.amazonaws.com
w
waf-regional.amazonaws.com
waf.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workspaces.amazonaws.com
x
xray.amazonaws.com

@chizou chizou commented Oct 9, 2019

VPC Flow logs get delivered by delivery.logs.amazonaws.com

@varunchandak varunchandak commented Oct 17, 2019

> How does one generate latest list by aws cli?

+1

@adamdonahue adamdonahue commented Nov 25, 2019

@rajholla Missing ecs-tasks at least.

@jeffmccollum jeffmccollum commented Nov 29, 2019

New Tag Policies - tagpolicies.tag.amazonaws.com

@nriveraonica nriveraonica commented Dec 11, 2019

config-multiaccountsetup.amazonaws.com

Owner Author

@shortjared shortjared commented May 28, 2020

did another big round of updates.

@meshuga meshuga commented Jun 9, 2020

Missing principals:

ops.apigateway.amazonaws.com
replicator.lambda.amazonaws.com
email.cognito-idp.amazonaws.com
kafka.amazonaws.com
securityhub.amazonaws.com
cloudwatch-crossaccount.amazonaws.com
globalaccelerator.amazonaws.com
logger.cloudfront.amazonaws.com
connect.amazonaws.com
config-conforms.amazonaws.com
iotsitewise.amazonaws.com

@satyamkondle satyamkondle commented Jul 4, 2020

Thank you! I couldn't find this in aws documentation...

@BrandonALXEllisSS BrandonALXEllisSS commented Jul 14, 2020

> How does one generate latest list by aws cli?

+1

@meshuga meshuga commented Jul 15, 2020

> How does one generate latest list by aws cli?

+1

There is no such list anywhere. AFAIK even AWS engineers don't know the full list of principals...

@sanjars sanjars commented Jul 20, 2020

I do not see one for Neptune. Does anyone know if there is one?

Owner Author

@shortjared shortjared commented Aug 12, 2020

> Missing principals:
>
> ops.apigateway.amazonaws.com
> replicator.lambda.amazonaws.com
> email.cognito-idp.amazonaws.com
> kafka.amazonaws.com
> securityhub.amazonaws.com
> cloudwatch-crossaccount.amazonaws.com
> globalaccelerator.amazonaws.com
> logger.cloudfront.amazonaws.com
> connect.amazonaws.com
> config-conforms.amazonaws.com
> iotsitewise.amazonaws.com

Adding. Thx.

> How does one generate latest list by aws cli?
>
> +1
>
> There is no such list anywhere. AFAIK even AWS engineers don't know the full list of principals...

I've tried my hardest to get official support for this from AWS in docs and gave up after about 2 years of trying. Continuing to maintain this list is the best I can do.

Owner Author

@shortjared shortjared commented Aug 12, 2020

> @shortjared Can you try finding all the endpoints/principals from here: https://github.com/aws/aws-cli/tree/de606ac57324a83b5473562ce2b76c07e8a68947/awscli/examples

@varunchandak I just did a simple search for a couple of the more obscure ones and found nothing. Please correct me if I am wrong and bad at searching. I searched for various strings and substrings of cloudwatch-crossaccount.amazonaws.com and monitoring.rds.amazonaws.com.

The big problem is the service principals do not necessarily correlate to things available in the API.

@trademark18 trademark18 commented Sep 16, 2020

Missing iotevents.amazonaws.com

@kbusekist kbusekist commented Oct 1, 2020

Have also seen ec.amazonaws.com

@LameLemon LameLemon commented Nov 13, 2020

databrew.amazonaws.com just got added recently.

@rossng rossng commented Dec 10, 2020

Missing transcribe.amazonaws.com (reference: https://docs.aws.amazon.com/transcribe/latest/dg/transcribe-dg.pdf)

@JamieMcKernanKaizen JamieMcKernanKaizen commented Dec 16, 2020

Just noticed that appflow.amazonaws.com isn't on there either

@bigjimmynz bigjimmynz commented Dec 17, 2020

Need to add
member.org.stacksets.cloudformation.amazonaws.com
for the new CloudFormation StackSets via Organizations functionality.

@ribeiroh ribeiroh commented Jan 22, 2021

@shortjared have you considered making an actual repo out of this? I think it could make it easier to find (and omg does this gem need to be found!!), and easier for people to contribute stuff. I'd be happy to help maintaining it. An idea could be to add a column for China, since it's veeery hard to find that info.

@thundergolfer thundergolfer commented Jan 22, 2021

Including China on this page somehow would be 👌.

Some services running in China need a China-specific tld .com.cn but some don't. For example:

  • EC2 in China: "ec2.amazonaws.com.cn" (China specific)
  • Firehose in China: "firehose.amazonaws.com" (Same as US/Global)
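
Comments in this thread note that one service can appear in a regional form (codedeploy.us-east-1.amazonaws.com) or with a China-specific suffix (ec2.amazonaws.com.cn). As an added example, not part of the gist or of any commenter's post, the Python below normalises those variants before checking a role trust policy against an expected list. `EXPECTED`, the region pattern and the sample policy are assumptions made for illustration.

```python
import re

# Sample of expected principals, copied from the list on this page. An
# organisation would substitute the services it actually delegates roles to.
EXPECTED = {
    "codedeploy.amazonaws.com",
    "ec2.amazonaws.com",
    "firehose.amazonaws.com",
    "logs.amazonaws.com",
}

# service[.region].amazonaws.com[.cn], plus the amazon.com form used by Alexa.
# The region shape (us-east-1, us-gov-west-1, ...) is an assumption made for
# this example, not a grammar published by AWS.
PRINCIPAL_RE = re.compile(
    r"^(?P<service>[a-z0-9][a-z0-9.-]*?)"
    r"(?:\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+))?"
    r"\.(?P<domain>amazonaws\.com|amazon\.com)(?P<cn>\.cn)?$"
)


def parse_principal(principal):
    """Split a service principal into parts; None if it does not fit the shape."""
    m = PRINCIPAL_RE.match(principal.strip())
    if m is None:
        return None
    return {
        "global_form": f"{m['service']}.{m['domain']}",
        "region": m["region"],
        "china": m["cn"] is not None,
    }


def audit_trust_policy(policy, expected=EXPECTED):
    """Return (principal, reason) pairs for Service principals worth reviewing."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement object is also valid
        statements = [statements]
    findings = []
    for stmt in statements:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        services = principal.get("Service", [])
        if isinstance(services, str):
            services = [services]
        for name in services:
            parsed = parse_principal(name)
            if parsed is None:
                findings.append((name, "unrecognised format"))
            elif parsed["global_form"] not in expected:
                findings.append((name, "not in expected list"))
            elif parsed["region"] or parsed["china"]:
                findings.append((name, "regional or China variant"))
    return findings


# Constructed trust policy for the demonstration.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "logs.amazonaws.com"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": ["codedeploy.us-east-1.amazonaws.com",
                                   "ec2.amazonaws.com.cn"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "im.amazonaws.com"}},
    ],
}

if __name__ == "__main__":
    for name, reason in audit_trust_policy(SAMPLE_POLICY):
        print(f"{name}: {reason}")
```
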
Owner Author

@shortjared shortjared commented May 4, 2021

Updated everything up to here. Honestly y'all, I tried years ago to get AWS to support this.

I'll look at putting together a repo. We would need to automate that repo updating this gist to maintain the friendliness of this being the top result on google for "list of AWS service principal" and related searches.

@leetrout leetrout commented May 4, 2021

@shortjared we could just replace the file contents with a link to the file in the repo so people hitting this would see instructions and we could make it a deep link to the latest version of the list within the repo.

@rossng rossng commented May 4, 2021

I also raised this issue on the AWS Forums. Perhaps a few more comments there would encourage them to do something.

@ribeiroh ribeiroh commented May 4, 2021

> Updated everything up to here. Honestly y'all, I tried years ago to get AWS to support this.
>
> I'll look at putting together a repo. We would need to automate that repo updating this gist to maintain the friendliness of this being the top result on google for "list of AWS service principal" and related searches.

@shortjared I've actually started to do that some time ago as well, based on your list :) Was slowly adding things here and there to eventually make it public. Happy to collaborate on this together if you're looking for help.

@badfun badfun commented May 31, 2021

thanks for your efforts. Can't believe that this is not in the AWS docs anywhere.

@jjaniec jjaniec commented Jun 9, 2021

Missing region.elasticache-snapshot.amazonaws.com used to start a redis cluster with a .rdb file on s3

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-seeding-redis.html#backups-seeding-redis-create-backup

@adrian202 adrian202 commented Jun 21, 2021

Another one. IAM Access Analyzer access-analyzer.amazonaws.com for example to grant a delegated account access in an AWS organization

aws organizations register-delegated-administrator --service-principal=access-analyzer.amazonaws.com --account-id someaccountid

@vschum vschum commented Jun 24, 2021

CloudWatch Metric Streams streams.metrics.cloudwatch.amazonaws.com

@maiconrocha maiconrocha commented Jul 21, 2021

Missing airflow.amazonaws.com and airflow-env.amazonaws.com
for Amazon MWAA

@542d2ad116 542d2ad116 commented Jul 23, 2021

> Another one. IAM Access Analyzer access-analyzer.amazonaws.com for example to grant a delegated account access in an AWS organization
>
> aws organizations register-delegated-administrator --service-principal=access-analyzer.amazonaws.com --account-id someaccountid

is this the same service-principal in govcloud? if not, does anyone know what it is, or how to find that?

Edit: or are they all just *.amazonaws-us-gov.com ?

@bishopb bishopb commented Aug 19, 2021

@542d2ad116 They're typically the same in GovCloud. As I find differences, I'll note them here.

@542d2ad116 542d2ad116 commented Aug 19, 2021

> @542d2ad116 They're the same in GovCloud.

Got it working. Thanks!

@bishopb bishopb commented Aug 27, 2021

According to AWS Enterprise Support:

The service principal “kinesis.amazonaws.com” cannot be used for GovCloud accounts.

Instead AWS recommends:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": "kms:*",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "kinesis.us-gov-east-1.amazonaws.com",
        "kinesis.us-gov-west-1.amazonaws.com"
      ]
    }
  }
}

@richardhboyd richardhboyd commented Sep 3, 2021

access-analyzer.amazonaws.com
amplify.amazonaws.com
application-insights.amazonaws.com
appstream.amazonaws.com
automation.amazonaws.com
braket.amazonaws.com
chatbot.amazonaws.com
codeguru-reviewer.amazonaws.com
codestar-notifications.amazonaws.com
comprehend.amazonaws.com
datasync.amazonaws.com
eks-fargate-pods.amazonaws.com
eks-fargate.amazonaws.com
eks-nodegroup.amazonaws.com
emr-containers.amazonaws.com
forecast.amazonaws.com
galaxy.amazonaws.com
honeycode.amazonaws.com
imagebuilder.amazonaws.com
managedblockchain.amazonaws.com
mgn.amazonaws.com
mobileanalytics.amazonaws.com
mq.amazonaws.com
network-firewall.amazonaws.com
personalize.amazonaws.com
purchaseorders.amazonaws.com
rds-preview.amazonaws.com
servicecatalog-appregistry.amazonaws.com
ssm-incidents.amazonaws.com
textract.amazonaws.com
transitgateway.amazonaws.com
vpc-flow-logs.amazonaws.com
wam.amazonaws.com

@mattghali mattghali commented Sep 7, 2021

missing: ivs.amazonaws.com
