Skip to content

Instantly share code, notes, and snippets.

@shortjared
Last active November 5, 2024 20:22
Show Gist options
  • Save shortjared/4c1e3fe52bdfa47522cfe5b41e5d6f22 to your computer and use it in GitHub Desktop.
Save shortjared/4c1e3fe52bdfa47522cfe5b41e5d6f22 to your computer and use it in GitHub Desktop.
List of AWS Service Principals
a4b.amazonaws.com
access-analyzer.amazonaws.com
account.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
airflow-env.amazonaws.com
airflow.amazonaws.com
alexa-appkit.amazon.com
alexa-connectedhome.amazon.com
amazonmq.amazonaws.com
amplify.amazonaws.com
apigateway.amazonaws.com
appflow.amazonaws.com
application-autoscaling.amazonaws.com
application-insights.amazonaws.com
appstream.amazonaws.com
appstream.application-autoscaling.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
automation.amazonaws.com
autoscaling.amazonaws.com
aws-artifact-account-sync.amazonaws.com
backup.amazonaws.com
batch.amazonaws.com
billingconsole.amazonaws.com
braket.amazonaws.com
budgets.amazonaws.com
ce.amazonaws.com
channels.lex.amazonaws.com
chatbot.amazonaws.com
chime.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
cloudwatch-crossaccount.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.${aws::region}.amazonaws.com
codedeploy.amazonaws.com
codeguru-reviewer.amazonaws.com
codepipeline.amazonaws.com
codestar-notifications.amazonaws.com
codestar.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
comprehend.amazonaws.com
config-conforms.amazonaws.com
config-multiaccountsetup.amazonaws.com
config.amazonaws.com
connect.amazonaws.com
continuousexport.discovery.amazonaws.com
costalerts.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
databrew.amazonaws.com
datapipeline.amazonaws.com
datasync.amazonaws.com
dax.amazonaws.com
deeplens.amazonaws.com
delivery.logs.amazonaws.com
diode.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dlm.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec.amazonaws.com
ec2.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ec2fleet.amazonaws.com
ec2scheduled.amazonaws.com
ecr.amazonaws.com
ecs-tasks.amazonaws.com
ecs.amazonaws.com
ecs.application-autoscaling.amazonaws.com
edgelambda.amazonaws.com
eks-fargate-pods.amazonaws.com
eks-fargate.amazonaws.com
eks-nodegroup.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
email.cognito-idp.amazonaws.com
emr-containers.amazonaws.com
es.amazonaws.com
events.amazonaws.com
firehose.amazonaws.com
fms.amazonaws.com
forecast.amazonaws.com
freertos.amazonaws.com
fsx.amazonaws.com
galaxy.amazonaws.com
gamelift.amazonaws.com
glacier.amazonaws.com
globalaccelerator.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
health.amazonaws.com
honeycode.amazonaws.com
iam.amazonaws.com
imagebuilder.amazonaws.com
importexport.amazonaws.com
inspector.amazonaws.com
iot.amazonaws.com
iotanalytics.amazonaws.com
iotevents.amazonaws.com
iotsitewise.amazonaws.com
iotthingsgraph.amazonaws.com
ivs.amazonaws.com
jellyfish.amazonaws.com
kafka.amazonaws.com
kinesis.amazonaws.com
kinesis.{us-gov-region}.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
lakeformation.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
license-manager.amazonaws.com
lightsail.amazonaws.com
logger.cloudfront.amazonaws.com
logs.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
managedblockchain.amazonaws.com
managedservices.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediapackage.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
meetings.chime.amazonaws.com
member.org.stacksets.cloudformation.amazonaws.com
metering-marketplace.amazonaws.com
mgn.amazonaws.com
migrationhub.amazonaws.com
mobileanalytics.amazonaws.com
mobilehub.amazonaws.com
monitoring.amazonaws.com
monitoring.rds.amazonaws.com
mq.amazonaws.com
network-firewall.amazonaws.com
ops.apigateway.amazonaws.com
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
personalize.amazonaws.com
pinpoint.amazonaws.com
polly.amazonaws.com
purchaseorders.amazonaws.com
qldb.amazonaws.com
quicksight.amazonaws.com
ram.amazonaws.com
rds-preview.amazonaws.com
rds.amazonaws.com
redshift.amazonaws.com
rekognition.amazonaws.com
replication.dynamodb.amazonaws.com
replicator.lambda.amazonaws.com
resource-groups.amazonaws.com
robomaker.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53resolver.amazonaws.com
s3.amazonaws.com
sagemaker.amazonaws.com
secretsmanager.amazonaws.com
securityhub.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog-appregistry.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
spotfleet.amazonaws.com
sqs.amazonaws.com
ssm-incidents.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storagegateway.amazonaws.com
streams.metrics.cloudwatch.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
tagging.amazonaws.com
tagpolicies.tag.amazonaws.com
textract.amazonaws.com
timestream.amazonaws.com
transcribe.amazonaws.com
transfer.amazonaws.com
transitgateway.amazonaws.com
translate.amazonaws.com
trustedadvisor.amazonaws.com
tts.amazonaws.com
vmie.amazonaws.com
vpc-flow-logs.amazonaws.com
waf-regional.amazonaws.com
waf.amazonaws.com
wam.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workspaces.amazonaws.com
xray.amazonaws.com
{region}.elasticache-snapshot.amazonaws.com
@rjoniuqa
Copy link

@graydenshand
Copy link

AppRunner service builder: build.apprunner.amazonaws.com - https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html

@rrrix
Copy link

rrrix commented Sep 23, 2022

I have tried to find examples of aws:PrincipalServiceName in use but there are none. The IAM user guide has no results for this condition key. Do you have any examples I can refer to please?

https://github.com/awsdocs/iam-user-guide/blob/main/doc_source/reference_policies_condition-keys.md#awsprincipalservicename

@shortjared I recommend to use https://github.com/boto/botocore/tree/master/botocore/data as the ground truth. The folder name is the service name. It is how AWS manage their SDK.

To @MacHu-GWU and anyone else who doubts the purpose and value of this gist: Unfortunately, there is actually no publicly available "ground truth" as you say for most aspects of AWS IAM data codified in a machine-readable format - including AWS Service Principals. This thread in the AWS CDK project has an excellent discussion on the topic, albeit relating to AWS Service Names and IAM Action prefixes - but the point is the same.

Interestingly, AWS IAM API Actions (e.g. svc:Action) are one of the few things that has a publicly available machine-readable format.

A couple of examples of why this list is so, so valuable, and cannot (currently) be programmatically generated:

  • The boto service-2.json definition for sso-oidc declares the values endpointPrefix: oidc, signingName: awsssooidc, serviceId: SSO OIDC and /sso-oidc/ in the file path, but the Service Principal is sso.amazonaws.com
  • The boto service-2.json definition for sso declares the values endpointPrefix: portal.sso, signingName: awsssoportal, serviceId: SSO and /sso/ in the file path, but again the Service Principal is... sso.amazonaws.com?
  • The boto service-2.json definnition for sso-admin declares the values endpointPrefix: sso, signingName: sso, serviceId: SSO Admin and /sso-admin/ in the file path, but the Service Principal is sso.amazonaws.com WHAT THE HELL AMAZON!? 😡
  • SES has endpointPrefix: email, serviceId: SES and signingName: ses, has IAM Actions prefixed with email: and the Service Principal is ses.amazonaws.com

I have even more examples, but I think you get the idea. Clearly there is no consistency with regard to machine-readable resources - we cannot depend on file names, or SDK service definition file content.

We can however generally depend on AWS Documentation, but that isn't usually easily machine-readable.

I've personally spoken to many AWS Service Engineers - (who work or worked for Amazon!) - who couldn't explain why IAM is the way IAM is. It's just the way it is. My hypothesis, after years of unofficial research on the subject and despite the clear need and desire from their customers, is that there was never an "official" internal requirement for a standardized, unified and consistent convention for identifiers, tokens, service endpoint prefixes, API grammar, or other terminology for API definitions, authorization policies, or in this case, Service Principals. Perhaps someday, an IAM product/service owner in AWS will see this gist and realize their mistake and finally publish a definitive resource for us (hint, hint) 😉.

Thank you to everyone who contributes to this gist. You're helping build great things one Service Principal at a time 👏

@mbarneyjr
Copy link

@Olekidh
Copy link

Olekidh commented Dec 12, 2022

When I was importing resources from AWS in terraform, I observed some additional service principals:

controltower.amazonaws.com
compute-optimizer.amazonaws.com

@Arlington1985
Copy link

scheduler.amazonaws.com is missing. It's a new service which recently added
https://docs.aws.amazon.com/scheduler/latest/UserGuide/setting-up.html

@edschreibman
Copy link

Audit Manager service principal, which is auditmanager.amazonaws.com .

@f0xtek
Copy link

f0xtek commented Jan 13, 2023

reachabilityanalyzer.networkinsights.amazonaws.com has recently been added for the fairly new Network Manager Reachability Analyzer. Now supports delegated administrator functionality for cross-account analyses.

https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html

@EvaBaaza
Copy link

EvaBaaza commented Mar 6, 2023

scheduler.amazonaws.com is missing. It's a new service which recently added https://docs.aws.amazon.com/scheduler/latest/UserGuide/setting-up.html

Thanks for this

@jayantasamaddar
Copy link

ecr.amazonaws.com is wrong.

You can either have,

  • pullthroughcache.ecr.amazonaws.com
  • replication.ecr.amazonaws.com

Source: https://docs.aws.amazon.com/AmazonECR/latest/userguide/using-service-linked-roles.html

@esherrill-uisg
Copy link

a4b.amazonaws.com
access-analyzer.amazonaws.com
account.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
airflow-env.amazonaws.com
airflow.amazonaws.com
alexa-appkit.amazon.com
alexa-connectedhome.amazon.com
amazonmq.amazonaws.com
amplify.amazonaws.com
apigateway.amazonaws.com
appflow.amazonaws.com
application-autoscaling.amazonaws.com
application-insights.amazonaws.com
appstream.amazonaws.com
appstream.application-autoscaling.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
auditmanager.amazonaws.com
automation.amazonaws.com
autoscaling.amazonaws.com
aws-artifact-account-sync.amazonaws.com
backup.amazonaws.com
batch.amazonaws.com
batchoperations.s3.amazonaws.com
billingconsole.amazonaws.com
braket.amazonaws.com
budgets.amazonaws.com
build.apprunner.amazonaws.com
ce.amazonaws.com
channels.lex.amazonaws.com
chatbot.amazonaws.com
chime.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
cloudwatch-crossaccount.amazonaws.com
cloudwatch.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.${aws::region}.amazonaws.com
codedeploy.amazonaws.com
codeguru-reviewer.amazonaws.com
codepipeline.amazonaws.com
codestar-notifications.amazonaws.com
codestar.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
comprehend.amazonaws.com
compute-optimizer.amazonaws.com
config-conforms.amazonaws.com
config-multiaccountsetup.amazonaws.com
config.amazonaws.com
connect.amazonaws.com
continuousexport.discovery.amazonaws.com
controltower.amazonaws.com
costalerts.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
databrew.amazonaws.com
datapipeline.amazonaws.com
datasync.amazonaws.com
dax.amazonaws.com
deeplens.amazonaws.com
delivery.logs.amazonaws.com
detective.amazonaws.com
diode.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dlm.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec.amazonaws.com
ec2.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ec2fleet.amazonaws.com
ec2scheduled.amazonaws.com
ecr.amazonaws.com
ecs-tasks.amazonaws.com
ecs.amazonaws.com
ecs.application-autoscaling.amazonaws.com
edgelambda.amazonaws.com
eks-fargate-pods.amazonaws.com
eks-fargate.amazonaws.com
eks-nodegroup.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
email.cognito-idp.amazonaws.com
emr-containers.amazonaws.com
es.amazonaws.com
events.amazonaws.com
firehose.amazonaws.com
fis.amazonaws.com
fms.amazonaws.com
forecast.amazonaws.com
freertos.amazonaws.com
fsx.amazonaws.com
galaxy.amazonaws.com
gamelift.amazonaws.com
glacier.amazonaws.com
globalaccelerator.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
health.amazonaws.com
honeycode.amazonaws.com
hooks.cloudformation.amazonaws.com
iam.amazonaws.com
imagebuilder.amazonaws.com
importexport.amazonaws.com
inspector.amazonaws.com
inspector2.amazonaws.com
iot.amazonaws.com
iotanalytics.amazonaws.com
iotevents.amazonaws.com
iotsitewise.amazonaws.com
iotthingsgraph.amazonaws.com
ivs.amazonaws.com
jellyfish.amazonaws.com
kafka.amazonaws.com
kinesis.amazonaws.com
kinesis.{us-gov-region}.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
lakeformation.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
license-manager.amazonaws.com
lightsail.amazonaws.com
lookoutmetrics.amazonaws.com
logger.cloudfront.amazonaws.com
logs.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
managedblockchain.amazonaws.com
managedservices.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediapackage.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
member.org.stacksets.cloudformation.amazonaws.com
metering-marketplace.amazonaws.com
mgn.amazonaws.com
migrationhub.amazonaws.com
mobileanalytics.amazonaws.com
mobilehub.amazonaws.com
monitoring.amazonaws.com
monitoring.rds.amazonaws.com
mq.amazonaws.com
network-firewall.amazonaws.com
oam.amazonaws.com
opensearchservice.amazonaws.com
ops.apigateway.amazonaws.com
opsdatasync.ssm.amazonaws.com
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
personalize.amazonaws.com
pinpoint.amazonaws.com
polly.amazonaws.com
pullthroughcache.ecr.amazonaws.com
purchaseorders.amazonaws.com
qldb.amazonaws.com
quicksight.amazonaws.com
ram.amazonaws.com
rds-preview.amazonaws.com
rds.amazonaws.com
reachabilityanalyzer.networkinsights.amazonaws.com
redshift.amazonaws.com
region.elasticache-snapshot.amazonaws.com
rekognition.amazonaws.com
replication.dynamodb.amazonaws.com
replication.ecr.amazonaws.com
replicator.lambda.amazonaws.com
resource-groups.amazonaws.com
resource.cloudformation.amazonaws.com
robomaker.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53resolver.amazonaws.com
s3.amazonaws.com
sagemaker.amazonaws.com
scheduler.amazonaws.com
secretsmanager.amazonaws.com
securityhub.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog-appregistry.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
spotfleet.amazonaws.com
sqs.amazonaws.com
ssm-incidents.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storage-lens.s3.amazonaws.com
storagegateway.amazonaws.com
streams.metrics.cloudwatch.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
tagging.amazonaws.com
tagpolicies.tag.amazonaws.com
tasks.apprunner.amazonaws.com
textract.amazonaws.com
timestream.amazonaws.com
transcribe.amazonaws.com
transfer.amazonaws.com
transitgateway.amazonaws.com
translate.amazonaws.com
trustedadvisor.amazonaws.com
tts.amazonaws.com
vmie.amazonaws.com
vpc-flow-logs.amazonaws.com
waf-regional.amazonaws.com
waf.amazonaws.com
wam.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workspaces.amazonaws.com
xray.amazonaws.com

@dls314
Copy link

dls314 commented Mar 30, 2023

resource.cloudformation.amazonaws.com
hooks.cloudformation.amazonaws.com

Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-public.html

Small typo introduced here -- should be resources.cloudformation.amazonaws.com instead

@nwber
Copy link

nwber commented Apr 20, 2023

dms.amazonaws.com should be dms.region-name.amazonaws.com.

Source: I was furiously searching for this and found it deep in https://docs.aws.amazon.com/dms/latest/userguide/security_iam_secretsmanager.html

@Higherings
Copy link

dms.amazonaws.com should be dms.region-name.amazonaws.com.

Does anyone know when should we reference the global endpoint and when the regional endpoint ?

I have found referencing one or the other in some IAM polices.

@dls314
Copy link

dls314 commented Apr 21, 2023

This list seems to be / have become a mix of AWS Service Principals and service endpoints. Is there a clear way to separate the two?

@wfjt
Copy link

wfjt commented Jul 7, 2023

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html tables' service-linked role column's ``Yes` link will lead to pages documenting service principals. The docs don't follow a convention when marking up principals so parsing would need be regex based and walk through many pages.

https://docs.aws.amazon.com/service-authorization/latest/reference/reference.html service authorization reference lists the service prefix for all services in a parsable form. I've extracted service names before from these pages.

The service principals are doable, just need to follow links and grep for principal looking strings. Still room for error and I for one can't be bothered, but perhaps someone else has the time to script it and run on CI for an up-to-date list.

@CCH-sec
Copy link

CCH-sec commented Jul 18, 2023

emr-serverless.amazonaws.com

@notorand-it
Copy link

notorand-it commented Oct 2, 2023

a4b.amazonaws.com
access-analyzer.amazonaws.com
account.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
airflow-env.amazonaws.com
airflow.amazonaws.com
alexa-appkit.amazon.com
alexa-connectedhome.amazon.com
amazonmq.amazonaws.com
amplify.amazonaws.com
apigateway.amazonaws.com
appflow.amazonaws.com
application-autoscaling.amazonaws.com
application-insights.amazonaws.com
appstream.amazonaws.com
appstream.application-autoscaling.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
auditmanager.amazonaws.com
automation.amazonaws.com
autoscaling.amazonaws.com
aws-artifact-account-sync.amazonaws.com
backup.amazonaws.com
batch.amazonaws.com
batchoperations.s3.amazonaws.com
bedrock.amazonaws.com
billingconsole.amazonaws.com
braket.amazonaws.com
budgets.amazonaws.com
build.apprunner.amazonaws.com
ce.amazonaws.com
channels.lex.amazonaws.com
chatbot.amazonaws.com
chime.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
cloudwatch-crossaccount.amazonaws.com
cloudwatch.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.${aws::region}.amazonaws.com
codedeploy.amazonaws.com
codeguru-reviewer.amazonaws.com
codepipeline.amazonaws.com
codestar-notifications.amazonaws.com
codestar.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
comprehend.amazonaws.com
compute-optimizer.amazonaws.com
config-conforms.amazonaws.com
config-multiaccountsetup.amazonaws.com
config.amazonaws.com
connect.amazonaws.com
continuousexport.discovery.amazonaws.com
controltower.amazonaws.com
costalerts.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
databrew.amazonaws.com
datapipeline.amazonaws.com
datasync.amazonaws.com
dax.amazonaws.com
deeplens.amazonaws.com
delivery.logs.amazonaws.com
detective.amazonaws.com
diode.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dlm.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec.amazonaws.com
ec2.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ec2fastlaunch.amazonaws.com
ec2fleet.amazonaws.com
ec2scheduled.amazonaws.com
ecr.amazonaws.com
ecs-tasks.amazonaws.com
ecs.amazonaws.com
ecs.application-autoscaling.amazonaws.com
edgelambda.amazonaws.com
eks-fargate-pods.amazonaws.com
eks-fargate.amazonaws.com
eks-nodegroup.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
email.cognito-idp.amazonaws.com
emr-containers.amazonaws.com
emr-serverless.amazonaws.com
es.amazonaws.com
events.amazonaws.com
firehose.amazonaws.com
fis.amazonaws.com
fms.amazonaws.com
forecast.amazonaws.com
freertos.amazonaws.com
fsx.amazonaws.com
galaxy.amazonaws.com
gamelift.amazonaws.com
glacier.amazonaws.com
globalaccelerator.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
health.amazonaws.com
honeycode.amazonaws.com
hooks.cloudformation.amazonaws.com
iam.amazonaws.com
imagebuilder.amazonaws.com
importexport.amazonaws.com
inspector.amazonaws.com
inspector2.amazonaws.com
iot.amazonaws.com
iotanalytics.amazonaws.com
iotevents.amazonaws.com
iotsitewise.amazonaws.com
iotthingsgraph.amazonaws.com
ivs.amazonaws.com
jellyfish.amazonaws.com
kafka.amazonaws.com
kinesis.amazonaws.com
kinesis.{us-gov-region}.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
lakeformation.amazonaws.com
lambda.alarms.cloudwatch.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
license-manager.amazonaws.com
lightsail.amazonaws.com
logger.cloudfront.amazonaws.com
logs.amazonaws.com
lookoutmetrics.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
malware-protection.guardduty.amazonaws.com
managedblockchain.amazonaws.com
managedservices.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediapackage.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
member.org.stacksets.cloudformation.amazonaws.com
metering-marketplace.amazonaws.com
mgn.amazonaws.com
migrationhub.amazonaws.com
mobileanalytics.amazonaws.com
mobilehub.amazonaws.com
monitoring.amazonaws.com
monitoring.rds.amazonaws.com
mq.amazonaws.com
network-firewall.amazonaws.com
oam.amazonaws.com
opensearchservice.amazonaws.com
ops.apigateway.amazonaws.com
opsdatasync.ssm.amazonaws.com
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
partnercentral-account-management.amazonaws.com
personalize.amazonaws.com
pinpoint.amazonaws.com
pipes.amazonaws.com
polly.amazonaws.com
pullthroughcache.ecr.amazonaws.com
purchaseorders.amazonaws.com
qldb.amazonaws.com
quicksight.amazonaws.com
ram.amazonaws.com
rds-preview.amazonaws.com
rds.amazonaws.com
reachabilityanalyzer.networkinsights.amazonaws.com
redshift.amazonaws.com
region.elasticache-snapshot.amazonaws.com
rekognition.amazonaws.com
replication.dynamodb.amazonaws.com
replication.ecr.amazonaws.com
replicator.lambda.amazonaws.com
resource-groups.amazonaws.com
resource.cloudformation.amazonaws.com
robomaker.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53resolver.amazonaws.com
s3.amazonaws.com
sagemaker.amazonaws.com
scheduler.amazonaws.com
secretsmanager.amazonaws.com
securityhub.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog-appregistry.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
spot.amazonaws.com
spotfleet.amazonaws.com
sqs.amazonaws.com
ssm-incidents.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storage-lens.s3.amazonaws.com
storagegateway.amazonaws.com
streams.metrics.cloudwatch.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
tagging.amazonaws.com
tagpolicies.tag.amazonaws.com
tasks.apprunner.amazonaws.com
textract.amazonaws.com
timestream.amazonaws.com
transcribe.amazonaws.com
transfer.amazonaws.com
transitgateway.amazonaws.com
translate.amazonaws.com
trustedadvisor.amazonaws.com
tts.amazonaws.com
vmie.amazonaws.com
vpc-flow-logs.amazonaws.com
waf-regional.amazonaws.com
waf.amazonaws.com
wam.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workspaces.amazonaws.com
xray.amazonaws.com

@Thomas-X
Copy link

pipes.amazonaws.com

@lyndoh
Copy link

lyndoh commented Dec 19, 2023

ec2fastlaunch.amazonaws.com = AWSServiceRoleForEC2FastLaunch
spot.amazonaws.com = AWSServiceRoleForEC2Spot

@jack-parsons-bjss
Copy link

partnercentral-account-management.amazonaws.com

@notorand-it
Copy link

notorand-it commented Dec 21, 2023

List above updated!

@AnUnpronounceableName
Copy link

bedrock.amazonaws.com

@danixmarques
Copy link

Now a CloudWatch alarm can send an event directly to a Lambda Function. This is the principal: lambda.alarms.cloudwatch.amazonaws.com

@notorand-it
Copy link

notorand-it commented Feb 14, 2024

@udondan
Copy link

udondan commented Feb 21, 2024

Updated everything up to here. Honestly y'all, I tried years ago to get AWS to support this .

I'll look at putting together a repo. We would need to automate that repo updating this gist to maintain the friendliness of this being the top result on google for "list of AWS service principal" and related searches.

Wondering, is this gist already updated automatically in some way? It seems like whenever I come here it says something like last active x hours ago. 😸

I would like to suggest a pontential way to partially automate this. Searching through all AWS Managed IAM policies I get a list of 203 unique domains:

$ git clone --depth=1 https://github.com/udondan/iam-floyd
$ grep -rhoE '[^[:space:],;"'\''/*]+\.amazonaws\.com' iam-floyd/docs/source/_static/managed-policies/ | sort | uniq -c | sort -nr
  58 ec2.amazonaws.com
  23 cloudformation.amazonaws.com
  21 autoscaling.amazonaws.com
  20 ssm.amazonaws.com
  20 securitylake.amazonaws.com
  16 launchwizard.amazonaws.com
  16 events.amazonaws.com
  15 lambda.amazonaws.com
  15 elasticloadbalancing.amazonaws.com
  15 backup.amazonaws.com
  14 sagemaker.amazonaws.com
  13 glue.amazonaws.com
  12 spot.amazonaws.com
  12 rds.amazonaws.com
  11 ecs.amazonaws.com
  11 drs.amazonaws.com
  11 codeguru-reviewer.amazonaws.com
  11 cleanrooms.amazonaws.com
  10 elasticbeanstalk.amazonaws.com
   9 sso.amazonaws.com
   9 lexv2.amazonaws.com
   9 devops-guru.amazonaws.com
   9 application-autoscaling.amazonaws.com
   8 robomaker.amazonaws.com
   8 mgn.amazonaws.com
   8 elasticmapreduce.amazonaws.com
   8 application-insights.amazonaws.com
   7 spotfleet.amazonaws.com
   7 lex.amazonaws.com
   7 lakeformation.amazonaws.com
   7 dataexchange.amazonaws.com
   6 servicecatalog-appregistry.amazonaws.com
   6 imagebuilder.amazonaws.com
   6 ecs-tasks.amazonaws.com
   6 docdb-elastic.amazonaws.com
   6 continuousexport.discovery.amazonaws.com
   6 config-conforms.amazonaws.com
   6 cloud9.amazonaws.com
   6 channels.lexv2.amazonaws.com
   5 servicequotas.amazonaws.com
   5 securityhub.amazonaws.com
   5 schemas.amazonaws.com
   5 reporting.trustedadvisor.amazonaws.com
   5 ram.amazonaws.com
   5 iot.amazonaws.com
   5 fsx.amazonaws.com
   5 fms.amazonaws.com
   5 codepipeline.amazonaws.com
   4 vpc-lattice.amazonaws.com
   4 sqlworkbench.amazonaws.com
   4 sagemaker.application-autoscaling.amazonaws.com
   4 resource-explorer-2.amazonaws.com
   4 replication.lexv2.amazonaws.com
   4 macie.amazonaws.com
   4 iotsitewise.amazonaws.com
   4 dynamodb.application-autoscaling.amazonaws.com
   4 delivery.logs.amazonaws.com
   4 cloudtrail.amazonaws.com
   4 channels.lex.amazonaws.com
   4 cassandra.application-autoscaling.amazonaws.com
   4 braket.amazonaws.com
   4 auditmanager.amazonaws.com
   4 appflow.amazonaws.com
   4 apidestinations.events.amazonaws.com
   3 scraper.aps.amazonaws.com
   3 scheduler.amazonaws.com
   3 s3.data-source.lustre.fsx.amazonaws.com
   3 remediation.config.amazonaws.com
   3 redshift.amazonaws.com
   3 proton.amazonaws.com
   3 profile.amazonaws.com
   3 pipes.amazonaws.com
   3 nimble.amazonaws.com
   3 neptune-graph.amazonaws.com
   3 kafka.amazonaws.com
   3 inspector.amazonaws.com
   3 greengrass.amazonaws.com
   3 events.workmail.amazonaws.com
   3 detective.amazonaws.com
   3 databrew.amazonaws.com
   3 cost-optimization-hub.bcm.amazonaws.com
   3 connect.amazonaws.com
   3 cognito-identity.amazonaws.com
   3 appsync.amazonaws.com
   3 apprunner.amazonaws.com
   3 acm.amazonaws.com
   2 wafv2.amazonaws.com
   2 transitgateway.amazonaws.com
   2 transfer.amazonaws.com
   2 sync.proton.amazonaws.com
   2 ssm-sap.amazonaws.com
   2 smsintegration.migrationhub.amazonaws.com
   2 s3.amazonaws.com
   2 restore-testing.backup.amazonaws.com
   2 replication.cassandra.amazonaws.com
   2 refactor-spaces.amazonaws.com
   2 redshift-data.amazonaws.com
   2 qldb.amazonaws.com
   2 panorama.amazonaws.com
   2 osis.amazonaws.com
   2 orgsdatasync.servicecatalog.amazonaws.com
   2 organizations.amazonaws.com
   2 omics.amazonaws.com
   2 mq.amazonaws.com
   2 migrationhub.amazonaws.com
   2 migrationhub-strategy.amazonaws.com
   2 migrationhub-orchestrator.amazonaws.com
   2 memorydb.amazonaws.com
   2 managedupdates.elasticbeanstalk.amazonaws.com
   2 malware-protection.guardduty.amazonaws.com
   2 maintenance.elasticbeanstalk.amazonaws.com
   2 license-manager.member-account.amazonaws.com
   2 license-management.marketplace.amazonaws.com
   2 iotroborunner.amazonaws.com
   2 health.amazonaws.com
   2 guardduty.amazonaws.com
   2 globalaccelerator.amazonaws.com
   2 forecast.amazonaws.com
   2 firehose.amazonaws.com
   2 email.cognito-idp.amazonaws.com
   2 elasticache.amazonaws.com
   2 eks-connector.amazonaws.com
   2 ec2fleet.amazonaws.com
   2 ec2.application-autoscaling.amazonaws.com
   2 dmsintegration.migrationhub.amazonaws.com
   2 dax.amazonaws.com
   2 custom.rds.amazonaws.com
   2 custom.rds-preview.amazonaws.com
   2 controltower.amazonaws.com
   2 config-multiaccountsetup.amazonaws.com
   2 cognito-idp.amazonaws.com
   2 cognito-identity-us-gov.amazonaws.com
   2 codebuild.amazonaws.com
   2 codeartifact.amazonaws.com
   2 cleanrooms-ml.amazonaws.com
   2 chime.amazonaws.com
   2 bugbust.amazonaws.com
   2 bedrock.amazonaws.com
   2 assets.marketplace.amazonaws.com
   2 appstream.application-autoscaling.amazonaws.com
   2 appmesh.amazonaws.com
   2 application-signals.cloudwatch.amazonaws.com
   2 appfabric.amazonaws.com
   2 a4b.amazonaws.com
   1 vmie.amazonaws.com
   1 synthetics.amazonaws.com
   1 support.amazonaws.com
   1 states.amazonaws.com
   1 sms.amazonaws.com
   1 shield.amazonaws.com
   1 servicecatalog.amazonaws.com
   1 sagemaker-geospatial.amazonaws.com
   1 rum.amazonaws.com
   1 resource-groups.amazonaws.com
   1 replication.ecr.amazonaws.com
   1 replication.dynamodb.amazonaws.com
   1 rds.application-autoscaling.amazonaws.com
   1 personalize.amazonaws.com
   1 permission.iq.amazonaws.com
   1 partnercentral-account-management.amazonaws.com
   1 opsworks.amazonaws.com
   1 networkmanager.amazonaws.com
   1 network-firewall.amazonaws.com
   1 monitron.amazonaws.com
   1 medical-imaging.amazonaws.com
   1 mediaconvert.amazonaws.com
   1 lookoutmetrics.amazonaws.com
   1 lookoutequipment.amazonaws.com
   1 lightsail.amazonaws.com
   1 kinesisreplication.dynamodb.amazonaws.com
   1 kendra.amazonaws.com
   1 inspector2.amazonaws.com
   1 healthlake.amazonaws.com
   1 grafana.amazonaws.com
   1 frauddetector.amazonaws.com
   1 fis.amazonaws.com
   1 events.managedservices.amazonaws.com
   1 event-processor.health.amazonaws.com
   1 entityresolution.amazonaws.com
   1 elastictranscoder.amazonaws.com
   1 elasticfilesystem.amazonaws.com
   1 eks.amazonaws.com
   1 ecs.application-autoscaling.amazonaws.com
   1 ec2scheduled.amazonaws.com
   1 ec2fastlaunch.amazonaws.com
   1 ds.amazonaws.com
   1 datazonecontrol.amazonaws.com
   1 datazone.amazonaws.com
   1 datasync.amazonaws.com
   1 credentials.iot.amazonaws.com
   1 contributorinsights.dynamodb.amazonaws.com
   1 contract.iq.amazonaws.com
   1 config.amazonaws.com
   1 codeguru-security.amazonaws.com
   1 codeguru-profiler.amazonaws.com
   1 codecatalyst.amazonaws.com
   1 codecatalyst-runner.amazonaws.com
   1 budgets.amazonaws.com
   1 batch.amazonaws.com
   1 athena.amazonaws.com
   1 aps.amazonaws.com
   1 apigateway.amazonaws.com
   1 access-analyzer.amazonaws.com

I am not too deep into this topic, so not sure if all those matches are actually valid service principals...

This list is sorted by the number of occurences. Haven't checked the inersection with your list.

@Bharathkumarraju
Copy link

how about getting from this - https://awspolicygen.s3.amazonaws.com/js/policies.js

bharathkumardasaraju@~$ curl -s https://awspolicygen.s3.amazonaws.com/js/policies.js | sed 's/.*app.PolicyEditorConfig=//' | sed 's/};/}/' | jq -r '.serviceMap | to_entries[] | select(.value.StringPrefix != null) | .value.StringPrefix + ".amazonaws.com"' | sort | uniq | wc -l

     401
bharathkumardasaraju@~$
bharathkumardasaraju@~$ curl -s https://awspolicygen.s3.amazonaws.com/js/policies.js | sed 's/.*app.PolicyEditorConfig=//' | sed 's/};/}/' | jq -r '.serviceMap | to_entries[] | select(.value.StringPrefix != null) | .value.StringPrefix + ".amazonaws.com"' | sort | uniq

a2c.amazonaws.com
a4b.amazonaws.com
access-analyzer.amazonaws.com
account.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
activate.amazonaws.com
airflow.amazonaws.com
amplify.amazonaws.com
amplifybackend.amazonaws.com
amplifyuibuilder.amazonaws.com
aoss.amazonaws.com
apigateway.amazonaws.com
app-integrations.amazonaws.com
appconfig.amazonaws.com
appfabric.amazonaws.com
appflow.amazonaws.com
application-autoscaling.amazonaws.com
application-cost-profiler.amazonaws.com
application-signals.amazonaws.com
application-transformation.amazonaws.com
applicationinsights.amazonaws.com
appmesh-preview.amazonaws.com
appmesh.amazonaws.com
apprunner.amazonaws.com
appstream.amazonaws.com
appstudio.amazonaws.com
appsync.amazonaws.com
apptest.amazonaws.com
aps.amazonaws.com
arc-zonal-shift.amazonaws.com
arsenal.amazonaws.com
artifact.amazonaws.com
athena.amazonaws.com
auditmanager.amazonaws.com
autoscaling-plans.amazonaws.com
autoscaling.amazonaws.com
aws-marketplace-management.amazonaws.com
aws-marketplace.amazonaws.com
aws-portal.amazonaws.com
awsconnector.amazonaws.com
b2bi.amazonaws.com
backup-gateway.amazonaws.com
backup-storage.amazonaws.com
backup.amazonaws.com
batch.amazonaws.com
bcm-data-exports.amazonaws.com
bedrock.amazonaws.com
billing.amazonaws.com
billingconductor.amazonaws.com
braket.amazonaws.com
budgets.amazonaws.com
bugbust.amazonaws.com
cases.amazonaws.com
cassandra.amazonaws.com
ce.amazonaws.com
chatbot.amazonaws.com
chime.amazonaws.com
cleanrooms-ml.amazonaws.com
cleanrooms.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront-keyvaluestore.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudshell.amazonaws.com
cloudtrail-data.amazonaws.com
cloudtrail.amazonaws.com
cloudwatch.amazonaws.com
codeartifact.amazonaws.com
codebuild.amazonaws.com
codecatalyst.amazonaws.com
codecommit.amazonaws.com
codeconnections.amazonaws.com
codedeploy-commands-secure.amazonaws.com
codedeploy.amazonaws.com
codeguru-profiler.amazonaws.com
codeguru-reviewer.amazonaws.com
codeguru-security.amazonaws.com
codeguru.amazonaws.com
codepipeline.amazonaws.com
codestar-connections.amazonaws.com
codestar-notifications.amazonaws.com
codestar.amazonaws.com
codewhisperer.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
comprehend.amazonaws.com
comprehendmedical.amazonaws.com
compute-optimizer.amazonaws.com
config.amazonaws.com
connect-campaigns.amazonaws.com
connect.amazonaws.com
consoleapp.amazonaws.com
consolidatedbilling.amazonaws.com
controlcatalog.amazonaws.com
controltower.amazonaws.com
cost-optimization-hub.amazonaws.com
cur.amazonaws.com
customer-verification.amazonaws.com
databrew.amazonaws.com
dataexchange.amazonaws.com
datapipeline.amazonaws.com
datasync.amazonaws.com
datazone.amazonaws.com
dax.amazonaws.com
dbqms.amazonaws.com
deadline.amazonaws.com
deepcomposer.amazonaws.com
deeplens.amazonaws.com
deepracer.amazonaws.com
detective.amazonaws.com
devicefarm.amazonaws.com
devops-guru.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dlm.amazonaws.com
dms.amazonaws.com
docdb-elastic.amazonaws.com
drs.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
ebs.amazonaws.com
ec2-instance-connect.amazonaws.com
ec2.amazonaws.com
ec2messages.amazonaws.com
ecr-public.amazonaws.com
ecr.amazonaws.com
ecs.amazonaws.com
eks-auth.amazonaws.com
eks.amazonaws.com
elastic-inference.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
elemental-activations.amazonaws.com
elemental-appliances-software.amazonaws.com
elemental-support-cases.amazonaws.com
elemental-support-content.amazonaws.com
emr-containers.amazonaws.com
emr-serverless.amazonaws.com
entityresolution.amazonaws.com
es.amazonaws.com
events.amazonaws.com
evidently.amazonaws.com
execute-api.amazonaws.com
finspace-api.amazonaws.com
finspace.amazonaws.com
firehose.amazonaws.com
fis.amazonaws.com
fms.amazonaws.com
forecast.amazonaws.com
frauddetector.amazonaws.com
freertos.amazonaws.com
freetier.amazonaws.com
fsx.amazonaws.com
gamelift.amazonaws.com
geo.amazonaws.com
glacier.amazonaws.com
globalaccelerator.amazonaws.com
glue.amazonaws.com
grafana.amazonaws.com
greengrass.amazonaws.com
groundstation.amazonaws.com
groundtruthlabeling.amazonaws.com
guardduty.amazonaws.com
health.amazonaws.com
healthlake.amazonaws.com
honeycode.amazonaws.com
iam.amazonaws.com
identity-sync.amazonaws.com
identitystore-auth.amazonaws.com
identitystore.amazonaws.com
imagebuilder.amazonaws.com
importexport.amazonaws.com
inspector-scan.amazonaws.com
inspector.amazonaws.com
inspector2.amazonaws.com
internetmonitor.amazonaws.com
invoicing.amazonaws.com
iot-device-tester.amazonaws.com
iot.amazonaws.com
iot1click.amazonaws.com
iotanalytics.amazonaws.com
iotdeviceadvisor.amazonaws.com
iotevents.amazonaws.com
iotfleethub.amazonaws.com
iotfleetwise.amazonaws.com
iotjobsdata.amazonaws.com
iotroborunner.amazonaws.com
iotsitewise.amazonaws.com
iottwinmaker.amazonaws.com
iotwireless.amazonaws.com
iq-permission.amazonaws.com
iq.amazonaws.com
ivs.amazonaws.com
ivschat.amazonaws.com
kafka-cluster.amazonaws.com
kafka.amazonaws.com
kafkaconnect.amazonaws.com
kendra-ranking.amazonaws.com
kendra.amazonaws.com
kinesis.amazonaws.com
kinesisanalytics.amazonaws.com
kinesisvideo.amazonaws.com
kms.amazonaws.com
lakeformation.amazonaws.com
lambda.amazonaws.com
launchwizard.amazonaws.com
lex.amazonaws.com
license-manager-linux-subscriptions.amazonaws.com
license-manager-user-subscriptions.amazonaws.com
license-manager.amazonaws.com
lightsail.amazonaws.com
logs.amazonaws.com
lookoutequipment.amazonaws.com
lookoutmetrics.amazonaws.com
lookoutvision.amazonaws.com
m2.amazonaws.com
machinelearning.amazonaws.com
macie2.amazonaws.com
managedblockchain-query.amazonaws.com
managedblockchain.amazonaws.com
mapcredits.amazonaws.com
marketplacecommerceanalytics.amazonaws.com
mechanicalturk.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediaimport.amazonaws.com
medialive.amazonaws.com
mediapackage-vod.amazonaws.com
mediapackage.amazonaws.com
mediapackagev2.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
medical-imaging.amazonaws.com
memorydb.amazonaws.com
mgh.amazonaws.com
mgn.amazonaws.com
migrationhub-orchestrator.amazonaws.com
migrationhub-strategy.amazonaws.com
mobileanalytics.amazonaws.com
mobiletargeting.amazonaws.com
monitron.amazonaws.com
mq.amazonaws.com
neptune-db.amazonaws.com
neptune-graph.amazonaws.com
network-firewall.amazonaws.com
networkmanager-chat.amazonaws.com
networkmanager.amazonaws.com
networkmonitor.amazonaws.com
nimble.amazonaws.com
notifications-contacts.amazonaws.com
notifications.amazonaws.com
oam.amazonaws.com
omics.amazonaws.com
one.amazonaws.com
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
osis.amazonaws.com
outposts.amazonaws.com
panorama.amazonaws.com
partnercentral-account-management.amazonaws.com
payment-cryptography.amazonaws.com
payments.amazonaws.com
pca-connector-ad.amazonaws.com
pca-connector-scep.amazonaws.com
personalize.amazonaws.com
pi.amazonaws.com
pipes.amazonaws.com
polly.amazonaws.com
pricing.amazonaws.com
private-networks.amazonaws.com
profile.amazonaws.com
proton.amazonaws.com
purchase-orders.amazonaws.com
q.amazonaws.com
qapps.amazonaws.com
qbusiness.amazonaws.com
qldb.amazonaws.com
quicksight.amazonaws.com
ram.amazonaws.com
rbin.amazonaws.com
rds-data.amazonaws.com
rds-db.amazonaws.com
rds.amazonaws.com
redshift-data.amazonaws.com
redshift-serverless.amazonaws.com
redshift.amazonaws.com
refactor-spaces.amazonaws.com
rekognition.amazonaws.com
repostspace.amazonaws.com
resiliencehub.amazonaws.com
resource-explorer-2.amazonaws.com
resource-explorer.amazonaws.com
resource-groups.amazonaws.com
rhelkb.amazonaws.com
robomaker.amazonaws.com
rolesanywhere.amazonaws.com
route53-recovery-cluster.amazonaws.com
route53-recovery-control-config.amazonaws.com
route53-recovery-readiness.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53profiles.amazonaws.com
route53resolver.amazonaws.com
rum.amazonaws.com
s3-object-lambda.amazonaws.com
s3-outposts.amazonaws.com
s3.amazonaws.com
s3express.amazonaws.com
sagemaker-geospatial.amazonaws.com
sagemaker-groundtruth-synthetic.amazonaws.com
sagemaker-mlflow.amazonaws.com
sagemaker.amazonaws.com
savingsplans.amazonaws.com
scheduler.amazonaws.com
schemas.amazonaws.com
scn.amazonaws.com
sdb.amazonaws.com
secretsmanager.amazonaws.com
securityhub.amazonaws.com
securitylake.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
serviceextract.amazonaws.com
servicequotas.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
simspaceweaver.amazonaws.com
sms-voice.amazonaws.com
sms.amazonaws.com
snow-device-management.amazonaws.com
snowball.amazonaws.com
sns.amazonaws.com
sqlworkbench.amazonaws.com
sqs.amazonaws.com
ssm-contacts.amazonaws.com
ssm-guiconnect.amazonaws.com
ssm-incidents.amazonaws.com
ssm-quicksetup.amazonaws.com
ssm-sap.amazonaws.com
ssm.amazonaws.com
ssmmessages.amazonaws.com
sso-directory.amazonaws.com
sso-oauth.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storagegateway.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
supportapp.amazonaws.com
supportplans.amazonaws.com
supportrecommendations.amazonaws.com
sustainability.amazonaws.com
swf.amazonaws.com
synthetics.amazonaws.com
tag.amazonaws.com
tax.amazonaws.com
textract.amazonaws.com
thinclient.amazonaws.com
timestream-influxdb.amazonaws.com
timestream.amazonaws.com
tiros.amazonaws.com
tnb.amazonaws.com
transcribe.amazonaws.com
transfer.amazonaws.com
translate.amazonaws.com
trustedadvisor.amazonaws.com
ts.amazonaws.com
user-subscriptions.amazonaws.com
vendor-insights.amazonaws.com
verified-access.amazonaws.com
verifiedpermissions.amazonaws.com
voiceid.amazonaws.com
vpc-lattice-svcs.amazonaws.com
vpc-lattice.amazonaws.com
waf-regional.amazonaws.com
waf.amazonaws.com
wafv2.amazonaws.com
wam.amazonaws.com
wellarchitected.amazonaws.com
wickr.amazonaws.com
wisdom.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workmailmessageflow.amazonaws.com
workspaces-web.amazonaws.com
workspaces.amazonaws.com
xray.amazonaws.com
bharathkumardasaraju@~$

@dls314
Copy link

dls314 commented Aug 25, 2024

SNS to Lambda integration introduces opt-in region specific service principals for SNS like sns.<opt-in-region>.amazonaws.com from https://docs.aws.amazon.com/sns/latest/dg/lambda-prereq.html

@dls314
Copy link

dls314 commented Aug 25, 2024

Chime introduces a meetings.chime.amazonaws.com service principal according to https://docs.aws.amazon.com/chime-sdk/latest/dg/mtgs-sdk-notifications.html

@rmldsky
Copy link

rmldsky commented Sep 12, 2024

For AWS CloudFormation StackSets there are two principals (only one listed above):

  1. stacksets.cloudformation.amazonaws.com (missing one)
  2. member.org.stacksets.cloudformation.amazonaws.com

Source: https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html#integrate-enable-svcprin-cloudformation

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment