List of AWS Service Principals
a4b.amazonaws.com
access-analyzer.amazonaws.com
account.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
airflow-env.amazonaws.com
airflow.amazonaws.com
alexa-appkit.amazon.com
alexa-connectedhome.amazon.com
amazonmq.amazonaws.com
amplify.amazonaws.com
apigateway.amazonaws.com
appflow.amazonaws.com
application-autoscaling.amazonaws.com
application-insights.amazonaws.com
appstream.amazonaws.com
appstream.application-autoscaling.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
automation.amazonaws.com
autoscaling.amazonaws.com
aws-artifact-account-sync.amazonaws.com
backup.amazonaws.com
batch.amazonaws.com
billingconsole.amazonaws.com
braket.amazonaws.com
budgets.amazonaws.com
ce.amazonaws.com
channels.lex.amazonaws.com
chatbot.amazonaws.com
chime.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
cloudwatch-crossaccount.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.${aws::region}.amazonaws.com
codedeploy.amazonaws.com
codeguru-reviewer.amazonaws.com
codepipeline.amazonaws.com
codestar-notifications.amazonaws.com
codestar.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
comprehend.amazonaws.com
config-conforms.amazonaws.com
config-multiaccountsetup.amazonaws.com
config.amazonaws.com
connect.amazonaws.com
continuousexport.discovery.amazonaws.com
costalerts.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
databrew.amazonaws.com
datapipeline.amazonaws.com
datasync.amazonaws.com
dax.amazonaws.com
deeplens.amazonaws.com
delivery.logs.amazonaws.com
diode.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dlm.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec.amazonaws.com
ec2.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ec2fleet.amazonaws.com
ec2scheduled.amazonaws.com
ecr.amazonaws.com
ecs-tasks.amazonaws.com
ecs.amazonaws.com
ecs.application-autoscaling.amazonaws.com
edgelambda.amazonaws.com
eks-fargate-pods.amazonaws.com
eks-fargate.amazonaws.com
eks-nodegroup.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
email.cognito-idp.amazonaws.com
emr-containers.amazonaws.com
es.amazonaws.com
events.amazonaws.com
firehose.amazonaws.com
fms.amazonaws.com
forecast.amazonaws.com
freertos.amazonaws.com
fsx.amazonaws.com
galaxy.amazonaws.com
gamelift.amazonaws.com
glacier.amazonaws.com
globalaccelerator.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
health.amazonaws.com
honeycode.amazonaws.com
iam.amazonaws.com
imagebuilder.amazonaws.com
importexport.amazonaws.com
inspector.amazonaws.com
iot.amazonaws.com
iotanalytics.amazonaws.com
iotevents.amazonaws.com
iotsitewise.amazonaws.com
iotthingsgraph.amazonaws.com
ivs.amazonaws.com
jellyfish.amazonaws.com
kafka.amazonaws.com
kinesis.amazonaws.com
kinesis.{us-gov-region}.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
lakeformation.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
license-manager.amazonaws.com
lightsail.amazonaws.com
logger.cloudfront.amazonaws.com
logs.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
managedblockchain.amazonaws.com
managedservices.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediapackage.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
member.org.stacksets.cloudformation.amazonaws.com
metering-marketplace.amazonaws.com
mgn.amazonaws.com
migrationhub.amazonaws.com
mobileanalytics.amazonaws.com
mobilehub.amazonaws.com
monitoring.amazonaws.com
monitoring.rds.amazonaws.com
mq.amazonaws.com
network-firewall.amazonaws.com
ops.apigateway.amazonaws.com
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
personalize.amazonaws.com
pinpoint.amazonaws.com
polly.amazonaws.com
purchaseorders.amazonaws.com
qldb.amazonaws.com
quicksight.amazonaws.com
ram.amazonaws.com
rds-preview.amazonaws.com
rds.amazonaws.com
redshift.amazonaws.com
rekognition.amazonaws.com
replication.dynamodb.amazonaws.com
replicator.lambda.amazonaws.com
resource-groups.amazonaws.com
robomaker.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53resolver.amazonaws.com
s3.amazonaws.com
sagemaker.amazonaws.com
secretsmanager.amazonaws.com
securityhub.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog-appregistry.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
spotfleet.amazonaws.com
sqs.amazonaws.com
ssm-incidents.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storagegateway.amazonaws.com
streams.metrics.cloudwatch.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
tagging.amazonaws.com
tagpolicies.tag.amazonaws.com
textract.amazonaws.com
timestream.amazonaws.com
transcribe.amazonaws.com
transfer.amazonaws.com
transitgateway.amazonaws.com
translate.amazonaws.com
trustedadvisor.amazonaws.com
tts.amazonaws.com
vmie.amazonaws.com
vpc-flow-logs.amazonaws.com
waf-regional.amazonaws.com
waf.amazonaws.com
wam.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workspaces.amazonaws.com
xray.amazonaws.com
{region}.elasticache-snapshot.amazonaws.com
richardhboyd commented Sep 3, 2021

access-analyzer.amazonaws.com
amplify.amazonaws.com
application-insights.amazonaws.com
appstream.amazonaws.com
automation.amazonaws.com
braket.amazonaws.com
chatbot.amazonaws.com
codeguru-reviewer.amazonaws.com
codestar-notifications.amazonaws.com
comprehend.amazonaws.com
datasync.amazonaws.com
eks-fargate-pods.amazonaws.com
eks-fargate.amazonaws.com
eks-nodegroup.amazonaws.com
emr-containers.amazonaws.com
forecast.amazonaws.com
galaxy.amazonaws.com
honeycode.amazonaws.com
imagebuilder.amazonaws.com
managedblockchain.amazonaws.com
mgn.amazonaws.com
mobileanalytics.amazonaws.com
mq.amazonaws.com
network-firewall.amazonaws.com
personalize.amazonaws.com
purchaseorders.amazonaws.com
rds-preview.amazonaws.com
servicecatalog-appregistry.amazonaws.com
ssm-incidents.amazonaws.com
textract.amazonaws.com
transitgateway.amazonaws.com
vpc-flow-logs.amazonaws.com
wam.amazonaws.com

mattghali commented Sep 7, 2021

missing: ivs.amazonaws.com

juweeks commented Oct 21, 2021

Cost Anomaly Detection: costalerts.amazonaws.com

jack-parsons-bjss commented Nov 11, 2021

Account Management API: account.amazonaws.com

jdvalentine commented Dec 6, 2021

Here's another:
timestream.amazonaws.com

shortjared (Author) commented Dec 9, 2021

Updated based on comments to this point. Thx all.

rts-rob commented Dec 9, 2021

Kinda hidden but there is also tasks.apprunner.amazonaws.com for AWS App Runner.

Reference

jmulvey123 commented Dec 17, 2021

New version of inspector: inspector2.amazonaws.com

Reference
(click on "View role permissions" and then "Trust relationships")

LameLemon commented Jan 5, 2022

Fault Injection Simulator: fis.amazonaws.com
Reference

ozbillwang commented Jan 17, 2022

A service principal that belongs to SSM:

opsdatasync.ssm.amazonaws.com

Mentioned in this document: https://docs.aws.amazon.com/en_us/systems-manager/latest/userguide/cross-service-confused-deputy-prevention.html

It is only listed when you have enabled AWS Systems Manager with Organizations:

$ aws organizations list-aws-service-access-for-organization |grep ops

But it is not listed in all Organizations accounts. I still don't get it.

jack-parsons-bjss commented Feb 9, 2022

storage-lens.s3.amazonaws.com
Storage Lens
Reference

varunchandak commented Feb 11, 2022

resource.cloudformation.amazonaws.com
hooks.cloudformation.amazonaws.com

Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-public.html

juliangovender commented Feb 16, 2022

logs.{region}.amazonaws.com

Reference

KurtLehnardt commented Feb 28, 2022

Here's an updated and sorted list from the most recent comments.

a4b.amazonaws.com
access-analyzer.amazonaws.com
account.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
airflow-env.amazonaws.com
airflow.amazonaws.com
alexa-appkit.amazon.com
alexa-connectedhome.amazon.com
amazonmq.amazonaws.com
amplify.amazonaws.com
apigateway.amazonaws.com
appflow.amazonaws.com
application-autoscaling.amazonaws.com
application-insights.amazonaws.com
appstream.amazonaws.com
appstream.application-autoscaling.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
automation.amazonaws.com
autoscaling.amazonaws.com
aws-artifact-account-sync.amazonaws.com
backup.amazonaws.com
batch.amazonaws.com
billingconsole.amazonaws.com
braket.amazonaws.com
budgets.amazonaws.com
ce.amazonaws.com
channels.lex.amazonaws.com
chatbot.amazonaws.com
chime.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
cloudwatch-crossaccount.amazonaws.com
cloudwatch.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.${aws::region}.amazonaws.com
codedeploy.amazonaws.com
codeguru-reviewer.amazonaws.com
codepipeline.amazonaws.com
codestar-notifications.amazonaws.com
codestar.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
comprehend.amazonaws.com
config-conforms.amazonaws.com
config-multiaccountsetup.amazonaws.com
config.amazonaws.com
connect.amazonaws.com
continuousexport.discovery.amazonaws.com
costalerts.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
databrew.amazonaws.com
datapipeline.amazonaws.com
datasync.amazonaws.com
dax.amazonaws.com
deeplens.amazonaws.com
delivery.logs.amazonaws.com
detective.amazonaws.com
diode.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dlm.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec.amazonaws.com
ec2.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ec2fleet.amazonaws.com
ec2scheduled.amazonaws.com
ecr.amazonaws.com
ecs-tasks.amazonaws.com
ecs.amazonaws.com
ecs.application-autoscaling.amazonaws.com
edgelambda.amazonaws.com
eks-fargate-pods.amazonaws.com
eks-fargate.amazonaws.com
eks-nodegroup.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
email.cognito-idp.amazonaws.com
emr-containers.amazonaws.com
es.amazonaws.com
events.amazonaws.com
firehose.amazonaws.com
fis.amazonaws.com
fms.amazonaws.com
forecast.amazonaws.com
freertos.amazonaws.com
fsx.amazonaws.com
galaxy.amazonaws.com
gamelift.amazonaws.com
glacier.amazonaws.com
globalaccelerator.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
health.amazonaws.com
honeycode.amazonaws.com
hooks.cloudformation.amazonaws.com
iam.amazonaws.com
imagebuilder.amazonaws.com
importexport.amazonaws.com
inspector.amazonaws.com
inspector2.amazonaws.com
iot.amazonaws.com
iotanalytics.amazonaws.com
iotevents.amazonaws.com
iotsitewise.amazonaws.com
iotthingsgraph.amazonaws.com
ivs.amazonaws.com
jellyfish.amazonaws.com
kafka.amazonaws.com
kinesis.amazonaws.com
kinesis.{us-gov-region}.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
lakeformation.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
license-manager.amazonaws.com
lightsail.amazonaws.com
logger.cloudfront.amazonaws.com
logs.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
managedblockchain.amazonaws.com
managedservices.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediapackage.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
member.org.stacksets.cloudformation.amazonaws.com
metering-marketplace.amazonaws.com
mgn.amazonaws.com
migrationhub.amazonaws.com
mobileanalytics.amazonaws.com
mobilehub.amazonaws.com
monitoring.amazonaws.com
monitoring.rds.amazonaws.com
mq.amazonaws.com
network-firewall.amazonaws.com
ops.apigateway.amazonaws.com
opsdatasync.ssm.amazonaws.com
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
personalize.amazonaws.com
pinpoint.amazonaws.com
polly.amazonaws.com
purchaseorders.amazonaws.com
qldb.amazonaws.com
quicksight.amazonaws.com
ram.amazonaws.com
rds-preview.amazonaws.com
rds.amazonaws.com
redshift.amazonaws.com
region.elasticache-snapshot.amazonaws.com
rekognition.amazonaws.com
replication.dynamodb.amazonaws.com
replicator.lambda.amazonaws.com
resource-groups.amazonaws.com
resource.cloudformation.amazonaws.com
robomaker.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53resolver.amazonaws.com
s3.amazonaws.com
sagemaker.amazonaws.com
secretsmanager.amazonaws.com
securityhub.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog-appregistry.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
spotfleet.amazonaws.com
sqs.amazonaws.com
ssm-incidents.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storage-lens.s3.amazonaws.com
storagegateway.amazonaws.com
streams.metrics.cloudwatch.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
tagging.amazonaws.com
tagpolicies.tag.amazonaws.com
tasks.apprunner.amazonaws.com
textract.amazonaws.com
timestream.amazonaws.com
transcribe.amazonaws.com
transfer.amazonaws.com
transitgateway.amazonaws.com
translate.amazonaws.com
trustedadvisor.amazonaws.com
tts.amazonaws.com
vmie.amazonaws.com
vpc-flow-logs.amazonaws.com
waf-regional.amazonaws.com
waf.amazonaws.com
wam.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workspaces.amazonaws.com
xray.amazonaws.com

MacHu-GWU commented Apr 5, 2022

@shortjared I recommend using https://github.com/boto/botocore/tree/master/botocore/data as the ground truth. The folder name is the service name. It is how AWS manages its SDK.

vschum commented Apr 5, 2022

> @shortjared I recommend using https://github.com/boto/botocore/tree/master/botocore/data as the ground truth. The folder name is the service name. It is how AWS manages its SDK.

Yes; however, this doesn't tell you the name of the service principal, which is what this gist is documenting.

As a single simple example, the service principal for CloudFormation StackSet integration with AWS Organizations is member.org.stacksets.cloudformation.amazonaws.com, as documented here; but, you won't find this in the botocore/data directory you linked to.

reidca commented May 11, 2022

What is the ARN format for the service principals listed here? I cannot seem to find any documentation for this.

My use case is this:
I have an OU for "suspended accounts" that blocks access to all services except under certain conditions.
One of those conditions is where the service principal is "member.org.stacksets.cloudformation.amazonaws.com", to allow CloudFormation to continue to update StackSets as accounts are moved into the OU.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "DenyWriters",
			"Effect": "Deny",
			"Action": "*",
			"Resource": [
				"*"
			],
			"Condition": {
				"StringNotLike": {
					"aws:PrincipalArn": [
						"arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSReadOnlyAccess_*",
						"<cloudformation stack set principal here>"
					]
				}
			}
		}
	]
}

Thanks

vschum commented May 11, 2022

@reidca The aws:PrincipalArn condition key tests against an AWS ARN. This gist is related to AWS service principals.

For your specific use case, try using the aws:PrincipalServiceName condition key, which tests against a service principal (name).

reidca commented May 11, 2022

Ah thank you for that. Is it possible to combine conditions so you can test against a role and the service principal in the condition?

reidca commented May 11, 2022

I have tried to find examples of aws:PrincipalServiceName in use but there are none. The IAM user guide has no results for this condition key. Do you have any examples I can refer to please?
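As an added example (not from any commenter, and not an AWS-documented recipe), this is the combination reidca asks about: a single SCP Deny statement carrying both aws:PrincipalArn and aws:PrincipalServiceName. Condition keys within one statement are ANDed, and the negated operators (StringNotLike, StringNotEquals) evaluate to true when their key is absent from the request, so the Deny takes effect unless the caller is either the named SSO role or the named service principal; the role pattern and service principal are taken from the policy quoted above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWritersExceptSsoReadOnlyAndStackSets",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSReadOnlyAccess_*"
          ]
        },
        "StringNotEquals": {
          "aws:PrincipalServiceName": [
            "member.org.stacksets.cloudformation.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```

Before relying on the service-name half, confirm in the member account's CloudTrail which principal the StackSets deployment events actually appear under (a service principal versus an assumed IAM role), since that determines which key is present in the request; note also that SCPs do not apply to service-linked roles.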

jangaraj commented Jun 17, 2022

rjoniuqa commented Jun 26, 2022

OpenSearch Service: opensearchservice.amazonaws.com - https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html

rjoniuqa commented Jun 27, 2022

graydenshand commented Jul 20, 2022

AppRunner service builder: build.apprunner.amazonaws.com - https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html
