List of AWS Service Principals
acm.amazonaws.com
alexa-appkit.amazon.com
apigateway.amazonaws.com
application-autoscaling.amazonaws.com
appstream.application-autoscaling.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
autoscaling.amazonaws.com
batch.amazonaws.com
channels.lex.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.amazonaws.com
codedeploy.${AWS::Region}.amazonaws.com
codepipeline.amazonaws.com
config.amazonaws.com
continuousexport.discovery.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
datapipeline.amazonaws.com
dax.amazonaws.com
deeplens.amazonaws.com
directconnect.amazonaws.com
dlm.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec2.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ec2fleet.amazonaws.com
ec2scheduled.amazonaws.com
ecr.amazonaws.com
ecs-tasks.amazonaws.com
ecs.amazonaws.com
ecs.application-autoscaling.amazonaws.com
edgelambda.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
es.amazonaws.com
events.amazonaws.com
firehose.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
health.amazonaws.com
iam.amazonaws.com
inspector.amazonaws.com
iot.amazonaws.com
kinesis.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
lightsail.amazonaws.com
logs.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
mediaconvert.amazonaws.com
monitoring.amazonaws.com
monitoring.rds.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
rds.amazonaws.com
redshift.amazonaws.com
rekognition.amazonaws.com
replication.dynamodb.amazonaws.com
route53.amazonaws.com
s3.amazonaws.com
sagemaker.amazonaws.com
secretsmanager.amazonaws.com
servicecatalog.amazonaws.com
ses.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
spotfleet.amazonaws.com
sqs.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storagegateway.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
trustedadvisor.amazonaws.com
vmie.amazonaws.com
waf.amazonaws.com
workdocs.amazonaws.com
workspaces.amazonaws.com

mjnowen commented Jan 19, 2018

Missed one: vmie.amazonaws.com

JohnVonNeumann commented Apr 7, 2018

You are a beautiful human bean.

spullara commented May 30, 2018

new one recently, don't know what it is: im.amazonaws.com

Owner Author

shortjared commented Jul 5, 2018

@spullara I can’t even find a reference to that with a quick google. Any ideas or doc links?

chadbrewbaker commented Jul 5, 2018

Got a list of their RPM servers for AWS Linux?

ahujarajesh commented Aug 10, 2018

{
  "Statement": {
    "Effect": "Allow",
    "Principal": { "Service": "logs.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }
}

Trying to create above policy.
It gives me "This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar"

IDK what I am adding wrong here?

jeshan commented Sep 10, 2018

There's Kinesis Firehose as well:
firehose.amazonaws.com
https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html

atrakic commented Oct 8, 2018

How does one generate latest list by aws cli?

iscofield commented Oct 10, 2018

Missing:

kinesisanalytics.amazonaws.com
firehose.amazonaws.com
states.amazonaws.com
codebuild.amazonaws.com
glue.amazonaws.com
appstream.application-autoscaling.amazonaws.com
ecs-tasks.amazonaws.com
appsync.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ecs.application-autoscaling.amazonaws.com
continuousexport.discovery.amazonaws.com
batch.amazonaws.com
dms.amazonaws.com
dlm.amazonaws.com
deeplens.amazonaws.com
greengrass.amazonaws.com
dax.amazonaws.com
replication.dynamodb.amazonaws.com
ec2scheduled.amazonaws.com
spotfleet.amazonaws.com
application-autoscaling.amazonaws.com
ec2fleet.amazonaws.com
eks.amazonaws.com
elastictranscoder.amazonaws.com
guardduty.amazonaws.com
iot.amazonaws.com
lex.amazonaws.com
channels.lex.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
mediaconvert.amazonaws.com
monitoring.rds.amazonaws.com
rekognition.amazonaws.com
sms.amazonaws.com
swf.amazonaws.com
sagemaker.amazonaws.com
trustedadvisor.amazonaws.com

Owner Author

shortjared commented Nov 8, 2018

Updated list. Thanks to @iscofield and @jeshan

cmaurer commented Nov 21, 2018

missing:

cloud9.amazonaws.com
es.amazonaws.com
sso.amazonaws.com

cloudhsm? I can't seem to be able to find the principal for this one

copumpkin commented Dec 5, 2018

Some of these also have region-specific principals, for what it's worth.

For example codedeploy and several others support a codedeploy.us-east-1.amazonaws.com form of the service principal. Not really sure why given that IAM entities are global, but if you want an exhaustive list that should probably be captured somewhere.

Incidentally, this is also why @ahujarajesh asked the question above. For a while (I think!), logs only worked with regions, so logs.us-east-1.amazonaws.com was valid but logs.amazonaws.com was not. I think that's now changed and both forms are accepted. Or possibly it was just attempting to input a principal field into a principal policy, which is forbidden 😄

copumpkin commented Dec 5, 2018

Also relevant to this list if you start broadening its scope a bit is https://github.com/duo-labs/cloudmapper/blob/master/vendor_accounts.yaml (courtesy of @0xdabbad00 and @williambherman), which includes AWS service accounts that don't have associated service principals, as well as canonical third-party vendor accounts.

dnitsch commented Feb 3, 2019

This one as well, but really falls under federated principal type...
cognito-identity.amazonaws.com

reidgould commented Feb 14, 2019

I'm looking for the service principal needed for the Alexa::ASK::Skill CloudFormation resource to assume a role to get a Skill Package object from S3. Has anyone made this work? Maybe it's a federated principal? Relevant property: Alexa::ASK::Skill SkillPackage S3BucketRole

cStorm commented Feb 14, 2019

> I'm looking for the service principal needed for the Alexa::ASK::Skill CloudFormation resource to assume a role to get a Skill Package object from S3. Has anyone made this work? Maybe it's a federated principal? Relevant property: Alexa::ASK::Skill SkillPackage S3BucketRole

@reidgould I came here for the exact same reason. Does anyone know?

cStorm commented Feb 14, 2019

For @reidgould and anyone else that's interested, the Alexa service principal seems to be alexa-appkit.amazon.com

mdclement commented Feb 27, 2019

missing secretsmanager.amazonaws.com

Logikz commented Mar 12, 2019

anyone know the principal string for the alexa smart home trigger?

Owner Author

shortjared commented Apr 11, 2019

thanks all, updated the list again

wjoe commented Apr 25, 2019

Missing elasticloadbalancing.amazonaws.com - required at least for granting ALBs permission to invoke Lambda functions, which was added quite recently - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html

vitaminj commented May 28, 2019

Alexa Smart Home seems to be alexa-connectedhome.amazon.com

jeffmccollum commented Jun 11, 2019

A couple more
aws-artifact-account-sync.amazonaws.com
ram.amazonaws.com
license-manager.amazonaws.com
fms.amazonaws.com

zweizhang commented Jul 13, 2019

I hope there will be another list for the China region, since some services in the China region have the suffix .cn but some do not.

abdullahkhawer commented Aug 1, 2019

Where is "cloudwatch.amazonaws.com"? Also, "monitoring.amazonaws.com" is not working in SNS policy.

tomasaschan commented Aug 15, 2019

This one also seems to be missing: cognito-idp.amazonaws.com

rajholla commented Aug 31, 2019

Consolidated list:

a4b.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
amazonmq.amazonaws.com
apigateway.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
autoscaling.amazonaws.com
b
backup.amazonaws.com
batch.amazonaws.com
billingconsole.amazonaws.com
c
ce.amazonaws.com
chime.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.amazonaws.com
codepipeline.amazonaws.com
codestar.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
config.amazonaws.com
d
datapipeline.amazonaws.com
dax.amazonaws.com
diode.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
e
ec2.amazonaws.com
ecr.amazonaws.com
ecs.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
es.amazonaws.com
events.amazonaws.com
f
firehose.amazonaws.com
fms.amazonaws.com
freertos.amazonaws.com
fsx.amazonaws.com
g
gamelift.amazonaws.com
glacier.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
h
health.amazonaws.com
i
iam.amazonaws.com
importexport.amazonaws.com
inspector.amazonaws.com
iot.amazonaws.com
iotanalytics.amazonaws.com
iotthingsgraph.amazonaws.com
j
jellyfish.amazonaws.com
k
kinesis.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
l
lakeformation.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
lightsail.amazonaws.com
logs.amazonaws.com
m
machinelearning.amazonaws.com
managedservices.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediapackage.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
metering-marketplace.amazonaws.com
migrationhub.amazonaws.com
mobilehub.amazonaws.com
monitoring.amazonaws.com
o
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
p
pinpoint.amazonaws.com
polly.amazonaws.com
q
qldb.amazonaws.com
quicksight.amazonaws.com
r
rds.amazonaws.com
redshift.amazonaws.com
rekognition.amazonaws.com
resource-groups.amazonaws.com
robomaker.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53resolver.amazonaws.com
s
s3.amazonaws.com
sagemaker.amazonaws.com
secretsmanager.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
sqs.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storagegateway.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
t
tagging.amazonaws.com
transfer.amazonaws.com
translate.amazonaws.com
tts.amazonaws.com
w
waf-regional.amazonaws.com
waf.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workspaces.amazonaws.com
x
xray.amazonaws.com

chizou commented Oct 9, 2019

VPC Flow logs get delivered by delivery.logs.amazonaws.com

varunchandak commented Oct 17, 2019

> How does one generate latest list by aws cli?

+1

adamdonahue commented Nov 25, 2019

@rajholla Missing ecs-tasks at least.

jeffmccollum commented Nov 29, 2019

New Tag Policies - tagpolicies.tag.amazonaws.com

nriveraonica commented Dec 11, 2019

config-multiaccountsetup.amazonaws.com
