List of AWS Service Principals

list.txt

a4b.amazonaws.com
access-analyzer.amazonaws.com
account.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
airflow-env.amazonaws.com
airflow.amazonaws.com
alexa-appkit.amazon.com
alexa-connectedhome.amazon.com
amazonmq.amazonaws.com
amplify.amazonaws.com
apigateway.amazonaws.com
appflow.amazonaws.com
application-autoscaling.amazonaws.com
application-insights.amazonaws.com
appstream.amazonaws.com
appstream.application-autoscaling.amazonaws.com
appsync.amazonaws.com
athena.amazonaws.com
automation.amazonaws.com
autoscaling.amazonaws.com
aws-artifact-account-sync.amazonaws.com
backup.amazonaws.com
batch.amazonaws.com
billingconsole.amazonaws.com
braket.amazonaws.com
budgets.amazonaws.com
ce.amazonaws.com
channels.lex.amazonaws.com
chatbot.amazonaws.com
chime.amazonaws.com
cloud9.amazonaws.com
clouddirectory.amazonaws.com
cloudformation.amazonaws.com
cloudfront.amazonaws.com
cloudhsm.amazonaws.com
cloudsearch.amazonaws.com
cloudtrail.amazonaws.com
cloudwatch-crossaccount.amazonaws.com
codebuild.amazonaws.com
codecommit.amazonaws.com
codedeploy.${aws::region}.amazonaws.com
codedeploy.amazonaws.com
codeguru-reviewer.amazonaws.com
codepipeline.amazonaws.com
codestar-notifications.amazonaws.com
codestar.amazonaws.com
cognito-identity.amazonaws.com
cognito-idp.amazonaws.com
cognito-sync.amazonaws.com
comprehend.amazonaws.com
config-conforms.amazonaws.com
config-multiaccountsetup.amazonaws.com
config.amazonaws.com
connect.amazonaws.com
continuousexport.discovery.amazonaws.com
costalerts.amazonaws.com
custom-resource.application-autoscaling.amazonaws.com
databrew.amazonaws.com
datapipeline.amazonaws.com
datasync.amazonaws.com
dax.amazonaws.com
deeplens.amazonaws.com
delivery.logs.amazonaws.com
diode.amazonaws.com
directconnect.amazonaws.com
discovery.amazonaws.com
dlm.amazonaws.com
dms.amazonaws.com
ds.amazonaws.com
dynamodb.amazonaws.com
dynamodb.application-autoscaling.amazonaws.com
ec.amazonaws.com
ec2.amazonaws.com
ec2.application-autoscaling.amazonaws.com
ec2fleet.amazonaws.com
ec2scheduled.amazonaws.com
ecr.amazonaws.com
ecs-tasks.amazonaws.com
ecs.amazonaws.com
ecs.application-autoscaling.amazonaws.com
edgelambda.amazonaws.com
eks-fargate-pods.amazonaws.com
eks-fargate.amazonaws.com
eks-nodegroup.amazonaws.com
eks.amazonaws.com
elasticache.amazonaws.com
elasticbeanstalk.amazonaws.com
elasticfilesystem.amazonaws.com
elasticloadbalancing.amazonaws.com
elasticmapreduce.amazonaws.com
elastictranscoder.amazonaws.com
email.cognito-idp.amazonaws.com
emr-containers.amazonaws.com
es.amazonaws.com
events.amazonaws.com
firehose.amazonaws.com
fms.amazonaws.com
forecast.amazonaws.com
freertos.amazonaws.com
fsx.amazonaws.com
galaxy.amazonaws.com
gamelift.amazonaws.com
glacier.amazonaws.com
globalaccelerator.amazonaws.com
glue.amazonaws.com
greengrass.amazonaws.com
guardduty.amazonaws.com
health.amazonaws.com
honeycode.amazonaws.com
iam.amazonaws.com
imagebuilder.amazonaws.com
importexport.amazonaws.com
inspector.amazonaws.com
iot.amazonaws.com
iotanalytics.amazonaws.com
iotevents.amazonaws.com
iotsitewise.amazonaws.com
iotthingsgraph.amazonaws.com
ivs.amazonaws.com
jellyfish.amazonaws.com
kafka.amazonaws.com
kinesis.amazonaws.com
kinesis.{us-gov-region}.amazonaws.com
kinesisanalytics.amazonaws.com
kms.amazonaws.com
lakeformation.amazonaws.com
lambda.amazonaws.com
lex.amazonaws.com
license-manager.amazonaws.com
lightsail.amazonaws.com
logger.cloudfront.amazonaws.com
logs.amazonaws.com
machinelearning.amazonaws.com
macie.amazonaws.com
managedblockchain.amazonaws.com
managedservices.amazonaws.com
mediaconnect.amazonaws.com
mediaconvert.amazonaws.com
mediapackage.amazonaws.com
mediastore.amazonaws.com
mediatailor.amazonaws.com
member.org.stacksets.cloudformation.amazonaws.com
metering-marketplace.amazonaws.com
mgn.amazonaws.com
migrationhub.amazonaws.com
mobileanalytics.amazonaws.com
mobilehub.amazonaws.com
monitoring.amazonaws.com
monitoring.rds.amazonaws.com
mq.amazonaws.com
network-firewall.amazonaws.com
ops.apigateway.amazonaws.com
opsworks-cm.amazonaws.com
opsworks.amazonaws.com
organizations.amazonaws.com
personalize.amazonaws.com
pinpoint.amazonaws.com
polly.amazonaws.com
purchaseorders.amazonaws.com
qldb.amazonaws.com
quicksight.amazonaws.com
ram.amazonaws.com
rds-preview.amazonaws.com
rds.amazonaws.com
redshift.amazonaws.com
rekognition.amazonaws.com
replication.dynamodb.amazonaws.com
replicator.lambda.amazonaws.com
resource-groups.amazonaws.com
robomaker.amazonaws.com
route53.amazonaws.com
route53domains.amazonaws.com
route53resolver.amazonaws.com
s3.amazonaws.com
sagemaker.amazonaws.com
secretsmanager.amazonaws.com
securityhub.amazonaws.com
serverlessrepo.amazonaws.com
servicecatalog-appregistry.amazonaws.com
servicecatalog.amazonaws.com
servicediscovery.amazonaws.com
ses.amazonaws.com
shield.amazonaws.com
signer.amazonaws.com
signin.amazonaws.com
sms.amazonaws.com
sns.amazonaws.com
spotfleet.amazonaws.com
sqs.amazonaws.com
ssm-incidents.amazonaws.com
ssm.amazonaws.com
sso.amazonaws.com
states.amazonaws.com
storagegateway.amazonaws.com
streams.metrics.cloudwatch.amazonaws.com
sts.amazonaws.com
support.amazonaws.com
swf.amazonaws.com
tagging.amazonaws.com
tagpolicies.tag.amazonaws.com
textract.amazonaws.com
timestream.amazonaws.com
transcribe.amazonaws.com
transfer.amazonaws.com
transitgateway.amazonaws.com
translate.amazonaws.com
trustedadvisor.amazonaws.com
tts.amazonaws.com
vmie.amazonaws.com
vpc-flow-logs.amazonaws.com
waf-regional.amazonaws.com
waf.amazonaws.com
wam.amazonaws.com
workdocs.amazonaws.com
worklink.amazonaws.com
workmail.amazonaws.com
workspaces.amazonaws.com
xray.amazonaws.com
{region}.elasticache-snapshot.amazonaws.com

Ah thank you for that. Is it possible to combine conditions so you can test against a role and the service principal in the condition?

I have tried to find examples of aws:PrincipalServiceName in use but there are none. The IAM user guide has no results for this condition key. Do you have any examples I can refer to please?

Missing lookoutmetrics.amazonaws.com - ref: https://docs.aws.amazon.com/lookoutmetrics/latest/dev/permissions-service.html

OpenSearch Sevice: opensearchservice.amazonaws.com - https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html

S3 Batch Operations: batchoperations.s3.amazonaws.com - https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-invoke-lambda.html#batch-ops-invoke-lambda-using

AppRunner service builder: build.apprunner.amazonaws.com - https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html

I have tried to find examples of aws:PrincipalServiceName in use but there are none. The IAM user guide has no results for this condition key. Do you have any examples I can refer to please?

https://github.com/awsdocs/iam-user-guide/blob/main/doc_source/reference_policies_condition-keys.md#awsprincipalservicename

@shortjared I recommend to use https://github.com/boto/botocore/tree/master/botocore/data as the ground truth. The folder name is the service name. It is how AWS manage their SDK.

To @MacHu-GWU and anyone else who doubts the purpose and value of this gist: Unfortunately, there is actually no publicly available "ground truth" as you say for most aspects of AWS IAM data codified in a machine-readable format - including AWS Service Principals. This thread in the AWS CDK project has an excellent discussion on the topic, albeit relating to AWS Service Names and IAM Action prefixes - but the point is the same.

Interestingly, AWS IAM API Actions (e.g. svc:Action) are one of the few things that has a publicly available machine-readable format.

A couple of examples of why this list is so, so valuable, and cannot (currently) be programmatically generated:

• The boto service-2.json definition for sso-oidc declares the values endpointPrefix: oidc, signingName: awsssooidc, serviceId: SSO OIDC and /sso-oidc/ in the file path, but the Service Principal is sso.amazonaws.com
• The boto service-2.json definition for sso declares the values endpointPrefix: portal.sso, signingName: awsssoportal, serviceId: SSO and /sso/ in the file path, but again the Service Principal is... sso.amazonaws.com?
• The boto service-2.json definnition for sso-admin declares the values endpointPrefix: sso, signingName: sso, serviceId: SSO Admin and /sso-admin/ in the file path, but the Service Principal is sso.amazonaws.com WHAT THE HELL AMAZON!? 😡
• SES has endpointPrefix: email, serviceId: SES and signingName: ses, has IAM Actions prefixed with email: and the Service Principal is ses.amazonaws.com

I have even more examples, but I think you get the idea. Clearly there is no consistency with regard to machine-readable resources - we cannot depend on file names, or SDK service definition file content.

We can however generally depend on AWS Documentation, but that isn't usually easily machine-readable.

I've personally spoken to many AWS Service Engineers - (who work or worked for Amazon!) - who couldn't explain why IAM is the way IAM is. It's just the way it is. My hypothesis, after years of unofficial research on the subject and despite the clear need and desire from their customers, is that there was never an "official" internal requirement for a standardized, unified and consistent convention for identifiers, tokens, service endpoint prefixes, API grammar, or other terminology for API definitions, authorization policies, or in this case, Service Principals. Perhaps someday, an IAM product/service owner in AWS will see this gist and realize their mistake and finally publish a definitive resource for us (hint, hint) 😉.

Thank you to everyone who contributes to this gist. You're helping build great things one Service Principal at a time 👏

oam.amazonaws.com was recently added for "Observability Access Manager" (referenced here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html)

Brought up here: https://www.reddit.com/r/aws/comments/z6wz09/new_cloudtrail_event_souce_oamamazonawscom/

When I was importing resources from AWS in terraform, I observed some additional service principals:

controltower.amazonaws.com
compute-optimizer.amazonaws.com

scheduler.amazonaws.com is missing. It's a new service which recently added
https://docs.aws.amazon.com/scheduler/latest/UserGuide/setting-up.html

Audit Manager service principal, which is auditmanager.amazonaws.com .

reachabilityanalyzer.networkinsights.amazonaws.com has recently been added for the fairly new Network Manager Reachability Analyzer. Now supports delegated administrator functionality for cross-account analyses.

https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html

scheduler.amazonaws.com is missing. It's a new service which recently added https://docs.aws.amazon.com/scheduler/latest/UserGuide/setting-up.html

Thanks for this

ecr.amazonaws.com is wrong.

You can either have,

• pullthroughcache.ecr.amazonaws.com
• replication.ecr.amazonaws.com

Source: https://docs.aws.amazon.com/AmazonECR/latest/userguide/using-service-linked-roles.html