List of IAM Permissions
This is a list of controls that can be placed into an IAM policy document. All content comes from AWS documentation.
- List of IAM Permissions
- IAM Policy Variables
- AWS Billing
- Auto Scaling
- CloudFormation
- CloudTrail
- CloudWatch
- CloudWatch Logs
- Database Migration Service (DMS)
- DynamoDB
- Elastic Beanstalk
- ElastiCache
- EC2
- EC2 Container Service (ECS)
- Elastic File System (EFS)
- Elastic Load Balancer (ELB)
- Elastic MapReduce (EMR)
- Identity and Access Management (IAM)
- Kinesis
- Key Management Service (KMS)
- Lambda
- OpsWorks
- Relational Database Service (RDS)
- Redshift
- Route 53
- Route53 Domains
- S3
- Security Token Service (STS)
- Simple Email Service (SES)
- Simple Notification Service (SNS)
- Simple Queue Service (SQS)
- Support
- Trusted Advisor
IAM Policy Variables
- aws:CurrentTime: To check for date/time conditions.
- aws:EpochTime: To check for date/time conditions using a date in epoch or UNIX time.
- aws:TokenIssueTime: This is the date and time that temporary security credentials were issued and can be used with date/time conditions. (Note: This key is only available in requests that are signed using temporary security credentials. For more information about temporary security credentials, see Temporary Security Credentials.)
- aws:principaltype: To check the type of principal (user, account, federated user, etc.) for the current request.
- aws:SecureTransport: To check whether the request was sent using SSL. For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.
- aws:SourceArn: To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services. For more information, see Amazon Resource Name (ARN) under "Element Descriptions" in the Amazon Simple Queue Service Developer Guide.)
- aws:SourceIp: To check the IP address of the requester. Note that if you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated.
- aws:UserAgent: To check the client application that made the request.
- aws:userid: To check the user ID of the requester.
- aws:username: To check the user name of the requester, if available.
- ec2:SourceInstanceARN: This is the Amazon Resource Name (ARN) of the Amazon EC2 instance from which the request is made. This key is present only when the request comes from an Amazon EC2 instance using an IAM role associated with an EC2 instance profile.
The values for aws:username, aws:userid, and aws:principaltype depend on what type of principal initiated the request: whether the request was made using the credentials of an AWS account, an IAM user, an IAM role, and so on. The following table shows values for these keys for different types of principal.
Principal | aws:username | aws:userid | aws:principaltype |
---|---|---|---|
AWS account | (not present) | AWS account ID | Account |
IAM user | IAM-user-name | unique ID | User |
Federated user | (not present) | account:caller-specified-name | FederatedUser |
Web federated user (Login with Amazon, Amazon Cognito, Facebook, Google) * | (not present) | role-id:caller-specified-role-name | AssumedRole |
SAML federated user ** | (not present) | role-id:caller-specified-role-name | AssumedRole |
Assumed role | (not present) | role-id:caller-specified-role-name | AssumedRole |
Role assigned to an Amazon EC2 instance | (not present) | role-id:ec2-instance-id | AssumedRole |
Anonymous caller (Amazon SQS, Amazon SNS, and Amazon S3 only) | (not present) | (not present) | Anonymous |
* For information about policy keys that are available when you use web identity federation, see Identifying Users with Web Identity Federation.
** For information about policy keys that are available when you use SAML federation, see Uniquely Identifying Users in SAML-Based Federation.
In this table:
- not present means that the value is not in the current request information, and any attempt to match it fails and causes the request to be denied.
- role-id is a unique identifier assigned to each role at creation. You can display the role ID with the AWS CLI command: aws iam get-role --role-name ${rolename}
- caller-specified-name and caller-specified-role-name are names that are passed by the calling process (e.g. application or service) when it makes a call to get temporary credentials.
- ec2-instance-id is a value assigned to the instance when it is launched and appears on the Instances page of the Amazon EC2 console. You can also display the instance ID by running the AWS CLI command: aws ec2 describe-instances
AWS Billing
aws-portal:
- ModifyAccount
- ModifyBilling
- ModifyPaymentMethods
- ViewAccount
- ViewBilling
- ViewBudget
- ViewPaymentMethods
- ViewUsage
Auto Scaling
autoscaling:
- AttachInstances
- AttachLoadBalancers
- CompleteLifecycleAction
- CreateAutoScalingGroup
- CreateLaunchConfiguration
- CreateOrUpdateTags
- DeleteAutoScalingGroup
- DeleteLaunchConfiguration
- DeleteLifecycleHook
- DeleteNotificationConfiguration
- DeletePolicy
- DeleteScheduledAction
- DeleteTags
- DescribeAccountLimits
- DescribeAdjustmentTypes
- DescribeAutoScalingGroups
- DescribeAutoScalingInstances
- DescribeAutoScalingNotificationTypes
- DescribeLaunchConfigurations
- DescribeLifecycleHooks
- DescribeLifecycleHookTypes
- DescribeLoadBalancers
- DescribeMetricCollectionTypes
- DescribeNotificationConfigurations
- DescribePolicies
- DescribeScalingActivities
- DescribeScalingProcessTypes
- DescribeScheduledActions
- DescribeTags
- DescribeTerminationPolicyTypes
- DetachInstances
- DetachLoadBalancers
- DisableMetricsCollection
- EnableMetricsCollection
- EnterStandby
- ExecutePolicy
- ExitStandby
- PutLifecycleHook
- PutNotificationConfiguration
- PutScalingPolicy
- PutScheduledUpdateGroupAction
- RecordLifecycleActionHeartbeat
- ResumeProcesses
- SetDesiredCapacity
- SetInstanceHealth
- SetInstanceProtection
- SuspendProcesses
- TerminateInstanceInAutoScalingGroup
- UpdateAutoScalingGroup
CloudFormation
cloudformation:
- CancelUpdateStack
- ContinueUpdateRollback
- CreateChangeSet
- CreateStack
- CreateUploadBucket
- DeleteStack
- DescribeAccountLimits
- DescribeChangeSet
- DescribeStackEvents
- DescribeStackResource
- DescribeStackResources
- DescribeStacks
- EstimateTemplateCost
- ExecuteChangeSet
- GetStackPolicy
- GetTemplate
- GetTemplateSummary
- ListChangeSets
- ListStackResources
- ListStacks
- PreviewStackUpdate
- SetStackPolicy
- SignalResource
- UpdateStack
- ValidateTemplate
CloudTrail
cloudtrail:
- AddTags
- CreateTrail
- DeleteTrail
- DescribeTrails
- GetTrailStatus
- ListPublicKeys
- ListTags
- LookupEvents
- RemoveTags
- StartLogging
- StopLogging
- UpdateTrail
CloudWatch
cloudwatch:
- CancelExportTask
- CreateExportTask
- CreateLogGroup
- CreateLogStream
- DeleteDestination
- DeleteLogGroup
- DeleteLogStream
- DeleteMetricFilter
- DeleteRetentionPolicy
- DeleteSubscriptionFilter
- DescribeDestinations
- DescribeExportTasks
- DescribeLogGroups
- DescribeLogStreams
- DescribeMetricFilters
- DescribeSubscriptionFilters
- FilterLogEvents
- GetLogEvents
- PutDestination
- PutDestinationPolicy
- PutLogEvents
- PutMetricFilter
- PutRetentionPolicy
- PutSubscriptionFilter
- TestMetricFilter
CloudWatch Logs
logs:
- CancelExportTask
- CreateExportTask
- CreateLogGroup
- CreateLogStream
- DeleteDestination
- DeleteLogGroup
- DeleteLogStream
- DeleteMetricFilter
- DeleteRetentionPolicy
- DeleteSubscriptionFilter
- DescribeDestinations
- DescribeExportTasks
- DescribeLogGroups
- DescribeLogStreams
- DescribeMetricFilters
- DescribeSubscriptionFilters
- FilterLogEvents
- GetLogEvents
- PutDestination
- PutDestinationPolicy
- PutLogEvents
- PutMetricFilter
- PutRetentionPolicy
- PutSubscriptionFilter
- TestMetricFilter
Database Migration Service (DMS)
dms:
- AddTagsToResource
- CreateEndpoint
- CreateReplicationInstance
- CreateReplicationSubnetGroup
- CreateReplicationTask
- DeleteEndpoint
- DeleteReplicationInstance
- DeleteReplicationSubnetGroup
- DeleteReplicationTask
- DescribeAccountAttributes
- DescribeConnections
- DescribeEndpointTypes
- DescribeEndpoints
- DescribeOrderableReplicationInstances
- DescribeRefreshSchemasStatus
- DescribeReplicationInstances
- DescribeReplicationSubnetGroups
- DescribeReplicationTasks
- DescribeSchemas
- DescribeTableStatistics
- ListTagsForResource
- ModifyEndpoint
- ModifyReplicationInstance
- ModifyReplicationSubnetGroup
- RefreshSchemas
- RemoveTagsFromResource
- StartReplicationTask
- StopReplicationTask
- TestConnection
DynamoDB
dynamodb:
- BatchGetItem
- BatchWriteItem
- CreateTable
- DeleteItem
- DeleteTable
- DescribeReservedCapacity
- DescribeReservedCapacityOfferings
- DescribeStream
- DescribeTable
- GetItem
- GetRecords
- GetShardIterator
- ListStreams
- ListTables
- PurchaseReservedCapacityOfferings
- PutItem
- Query
- Scan
- UpdateItem
- UpdateTable
Elastic Beanstalk
elasticbeanstalk:
- CheckDNSAvailability
- CreateApplication
- CreateApplicationVersion
- CreateConfigurationTemplate
- CreateEnvironment
- CreateStorageLocation
- DeleteApplication
- DeleteApplicationVersion
- DeleteConfigurationTemplate
- DeleteEnvironmentConfiguration
- DescribeApplicationVersions
- DescribeApplications
- DescribeConfigurationOptions
- DescribeConfigurationSettings
- DescribeEnvironmentHealth
- DescribeEnvironmentResources
- DescribeEnvironments
- DescribeEvents
- DescribeInstancesHealth
- ListAvailableSolutionStacks
- RebuildEnvironment
- RequestEnvironmentInfo
- RestartAppServer
- RetrieveEnvironmentInfo
- SwapEnvironmentCNAMEs
- TerminateEnvironment
- UpdateApplication
- UpdateApplicationVersion
- UpdateConfigurationTemplate
- UpdateEnvironment
- ValidateConfigurationSettings
ElastiCache
elasticache:
- AddTagsToResource
- AuthorizeCacheSecurityGroupIngress
- CopySnapshot
- CreateCacheCluster
- CreateCacheParameterGroup
- CreateCacheSecurityGroup
- CreateCacheSubnetGroup
- CreateReplicationGroup
- CreateSnapshot
- DeleteCacheCluster
- DeleteCacheParameterGroup
- DeleteCacheSecurityGroup
- DeleteCacheSubnetGroup
- DeleteReplicationGroup
- DeleteSnapshot
- DescribeCacheClusters
- DescribeCacheEngineVersions
- DescribeCacheParameterGroups
- DescribeCacheParameters
- DescribeCacheSecurityGroups
- DescribeCacheSubnetGroups
- DescribeEngineDefaultParameters
- DescribeEvents
- DescribeReplicationGroups
- DescribeReservedCacheNodes
- DescribeReservedCacheNodesOfferings
- DescribeSnapshots
- ListAllowedNodeTypeModifications
- ListTagsForResource
- ModifyCacheCluster
- ModifyCacheParameterGroup
- ModifyCacheSubnetGroup
- ModifyReplicationGroup
- PurchaseReservedCacheNodesOffering
- RebootCacheCluster
- RemoveTagsFromResource
- ResetCacheParameterGroup
- RevokeCacheSecurityGroupIngress
EC2
ec2:
- AcceptVpcPeeringConnection
- AllocateAddress
- AllocateHosts
- AssignPrivateIpAddresses
- AssociateAddress
- AssociateDhcpOptions
- AssociateRouteTable
- AttachClassicLinkVpc
- AttachInternetGateway
- AttachNetworkInterface
- AttachVolume
- AttachVpnGateway
- AuthorizeSecurityGroupEgress
- AuthorizeSecurityGroupIngress
- BundleInstance
- CancelBundleTask
- CancelConversionTask
- CancelExportTask
- CancelImportTask
- CancelReservedInstancesListing
- CancelSpotFleetRequests
- CancelSpotInstanceRequests
- ConfirmProductInstance
- CopyImage
- CopySnapshot
- CreateCustomerGateway
- CreateDhcpOptions
- CreateFlowLogs
- CreateImage
- CreateInstanceExportTask
- CreateInternetGateway
- CreateKeyPair
- CreateNatGateway
- CreateNetworkAcl
- CreateNetworkAclEntry
- CreateNetworkInterface
- CreatePlacementGroup
- CreateReservedInstancesListing
- CreateRoute
- CreateRouteTable
- CreateSecurityGroup
- CreateSnapshot
- CreateSpotDatafeedSubscription
- CreateSubnet
- CreateTags
- CreateVolume
- CreateVpc
- CreateVpcEndpoint
- CreateVpcPeeringConnection
- CreateVpnConnection
- CreateVpnConnectionRoute
- CreateVpnGateway
- DeleteCustomerGateway
- DeleteDhcpOptions
- DeleteFlowLogs
- DeleteInternetGateway
- DeleteKeyPair
- DeleteNatGateway
- DeleteNetworkAcl
- DeleteNetworkAclEntry
- DeleteNetworkInterface
- DeletePlacementGroup
- DeleteRoute
- DeleteRouteTable
- DeleteSecurityGroup
- DeleteSnapshot
- DeleteSpotDatafeedSubscription
- DeleteSubnet
- DeleteTags
- DeleteVolume
- DeleteVpc
- DeleteVpcEndpoints
- DeleteVpcPeeringConnection
- DeleteVpnConnection
- DeleteVpnConnectionRoute
- DeleteVpnGateway
- DeregisterImage
- DescribeAccountAttributes
- DescribeAddresses
- DescribeAvailabilityZones
- DescribeBundleTasks
- DescribeClassicLinkInstances
- DescribeConversionTasks
- DescribeCustomerGateways
- DescribeDhcpOptions
- DescribeExportTasks
- DescribeFlowLogs
- DescribeHosts
- DescribeIdFormat
- DescribeImageAttribute
- DescribeImages
- DescribeImportImageTasks
- DescribeImportSnapshotTasks
- DescribeInstanceAttribute
- DescribeInstances
- DescribeInstanceStatus
- DescribeInternetGateways
- DescribeKeyPairs
- DescribeMovingAddresses
- DescribeNatGateways
- DescribeNetworkAcls
- DescribeNetworkInterfaceAttribute
- DescribeNetworkInterfaces
- DescribePlacementGroups
- DescribePrefixLists
- DescribeRegions
- DescribeReservedInstances
- DescribeReservedInstancesListings
- DescribeReservedInstancesModifications
- DescribeReservedInstancesOfferings
- DescribeRouteTables
- DescribeScheduledInstanceAvailability
- DescribeScheduledInstances
- DescribeSecurityGroupReferences
- DescribeSecurityGroups
- DescribeSnapshotAttribute
- DescribeSnapshots
- DescribeSpotDatafeedSubscription
- DescribeSpotFleetInstances
- DescribeSpotFleetRequestHistory
- DescribeSpotFleetRequests
- DescribeSpotInstanceRequests
- DescribeSpotPriceHistory
- DescribeStaleSecurityGroups
- DescribeSubnets
- DescribeTags
- DescribeVolumeAttribute
- DescribeVolumes
- DescribeVolumeStatus
- DescribeVpcAttribute
- DescribeVpcClassicLink
- DescribeVpcClassicLinkDnsSupport
- DescribeVpcEndpoints
- DescribeVpcEndpointServices
- DescribeVpcPeeringConnections
- DescribeVpcs
- DescribeVpnConnections
- DescribeVpnGateways
- DetachClassicLinkVpc
- DetachInternetGateway
- DetachNetworkInterface
- DetachVolume
- DetachVpnGateway
- DisableVgwRoutePropagation
- DisableVpcClassicLink
- DisableVpcClassicLinkDnsSupport
- DisassociateAddress
- DisassociateRouteTable
- EnableVgwRoutePropagation
- EnableVolumeIO
- EnableVpcClassicLink
- EnableVpcClassicLinkDnsSupport
- GetConsoleOutput
- GetConsoleScreenshot
- GetPasswordData
- ImportImage
- ImportInstance
- ImportKeyPair
- ImportSnapshot
- ImportVolume
- ModifyHosts
- ModifyIdFormat
- ModifyImageAttribute
- ModifyInstanceAttribute
- ModifyInstancePlacement
- ModifyNetworkInterfaceAttribute
- ModifyReservedInstances
- ModifySnapshotAttribute
- ModifySpotFleetRequest
- ModifySubnetAttribute
- ModifyVolumeAttribute
- ModifyVpcAttribute
- ModifyVpcEndpoint
- ModifyVpcPeeringConnectionOptions
- MonitorInstances
- MoveAddressToVpc
- PurchaseReservedInstancesOffering
- PurchaseScheduledInstances
- RebootInstances
- RegisterImage
- RejectVpcPeeringConnection
- ReleaseAddress
- ReleaseHosts
- ReplaceNetworkAclAssociation
- ReplaceNetworkAclEntry
- ReplaceRoute
- ReplaceRouteTableAssociation
- ReportInstanceStatus
- RequestSpotFleet
- RequestSpotInstances
- ResetImageAttribute
- ResetInstanceAttribute
- ResetNetworkInterfaceAttribute
- ResetSnapshotAttribute
- RestoreAddressToClassic
- RevokeSecurityGroupEgress
- RevokeSecurityGroupIngress
- RunInstances
- RunScheduledInstances
- StartInstances
- StopInstances
- TerminateInstances
- UnassignPrivateIpAddresses
- UnmonitorInstances
EC2 Container Service (ECS)
ecs:
- CreateCluster
- CreateService
- DeleteCluster
- DeleteService
- DeregisterContainerInstance
- DeregisterTaskDefinition
- DescribeClusters
- DescribeContainerInstances
- DescribeServices
- DescribeTaskDefinition
- DescribeTasks
- DiscoverPollEndpoint
- ListClusters
- ListContainerInstances
- ListServices
- ListTaskDefinitionFamilies
- ListTaskDefinitions
- ListTasks
- RegisterContainerInstance
- RegisterTaskDefinition
- RunTask
- StartTask
- StopTask
- SubmitContainerStateChange
- SubmitTaskStateChange
- UpdateContainerAgent
- UpdateService
Elastic File System (EFS)
elasticfilesystem:
- CreateFileSystem
- CreateMountTarget
  - Dependencies
    - ec2:DescribeSubnets
    - ec2:DescribeNetworkInterfaces
    - ec2:CreateNetworkInterface
- CreateTags
- DeleteFileSystem
  - Dependencies
    - ec2:DeleteNetworkInterface
- DeleteMountTarget
- DeleteTags
- DescribeFileSystems
- DescribeMountTargetSecurityGroups
  - Dependencies
    - ec2:DescribeNetworkInterfaceAttribute
- DescribeMountTargets
- DescribeTags
- ModifyMountTargetSecurityGroups
  - Dependencies
    - ec2:ModifyNetworkInterfaceAttribute
Elastic Load Balancer (ELB)
elasticloadbalancing:
- AddTags
- ApplySecurityGroupsToLoadBalancer
- AttachLoadBalancerToSubnets
- ConfigureHealthCheck
- CreateAppCookieStickinessPolicy
- CreateLBCookieStickinessPolicy
- CreateLoadBalancer
- CreateLoadBalancerListeners
- CreateLoadBalancerPolicy
- DeleteLoadBalancer
- DeleteLoadBalancerListeners
- DeleteLoadBalancerPolicy
- DeregisterInstancesFromLoadBalancer
- DescribeInstanceHealth
- DescribeLoadBalancerAttributes
- DescribeLoadBalancerPolicies
- DescribeLoadBalancerPolicyTypes
- DescribeLoadBalancers
- DescribeTags
- DetachLoadBalancerFromSubnets
- DisableAvailabilityZonesForLoadBalancer
- EnableAvailabilityZonesForLoadBalancer
- ModifyLoadBalancerAttributes
- RegisterInstancesWithLoadBalancer
- RemoveTags
- SetLoadBalancerListenerSSLCertificate
- SetLoadBalancerPoliciesForBackendServer
- SetLoadBalancerPoliciesOfListener
Elastic MapReduce (EMR)
elasticmapreduce:
- AddInstanceGroups
- AddJobFlowSteps
- AddTags
- DescribeCluster
- DescribeJobFlows
- DescribeStep
- ListBootstrapActions
- ListClusters
- ListInstanceGroups
- ListInstances
- ListSteps
- ModifyInstanceGroups
- RemoveTags
- RunJobFlow
- SetTerminationProtection
- SetVisibleToAllUsers
- TerminateJobFlows
Identity and Access Management (IAM)
iam:
- AddClientIDToOpenIDConnectProvider
- AddRoleToInstanceProfile
- AddUserToGroup
- AttachGroupPolicy
- AttachRolePolicy
- AttachUserPolicy
- ChangePassword
- CreateAccessKey
- CreateAccountAlias
- CreateGroup
- CreateInstanceProfile
- CreateLoginProfile
- CreateOpenIDConnectProvider
- CreatePolicy
- CreatePolicyVersion
- CreateRole
- CreateSAMLProvider
- CreateUser
- CreateVirtualMFADevice
- DeactivateMFADevice
- DeleteAccessKey
- DeleteAccountAlias
- DeleteAccountPasswordPolicy
- DeleteGroup
- DeleteGroupPolicy
- DeleteInstanceProfile
- DeleteLoginProfile
- DeleteOpenIDConnectProvider
- DeletePolicy
- DeletePolicyVersion
- DeleteRole
- DeleteRolePolicy
- DeleteSAMLProvider
- DeleteServerCertificate
- DeleteSigningCertificate
- DeleteSSHPublicKey
- DeleteUser
- DeleteUserPolicy
- DeleteVirtualMFADevice
- DetachGroupPolicy
- DetachRolePolicy
- DetachUserPolicy
- EnableMFADevice
- GenerateCredentialReport
- GetAccessKeyLastUsed
- GetAccountAuthorizationDetails
- GetAccountPasswordPolicy
- GetAccountSummary
- GetContextKeysForCustomPolicy
- GetContextKeysForPrincipalPolicy
- GetCredentialReport
- GetGroup
- GetGroupPolicy
- GetInstanceProfile
- GetLoginProfile
- GetOpenIDConnectProvider
- GetPolicy
- GetPolicyVersion
- GetRole
- GetRolePolicy
- GetSAMLProvider
- GetServerCertificate
- GetSSHPublicKey
- GetUser
- GetUserPolicy
- ListAccessKeys
- ListAccountAliases
- ListAttachedGroupPolicies
- ListAttachedRolePolicies
- ListAttachedUserPolicies
- ListEntitiesForPolicy
- ListGroupPolicies
- ListGroups
- ListGroupsForUser
- ListInstanceProfiles
- ListInstanceProfilesForRole
- ListMFADevices
- ListOpenIDConnectProviders
- ListPolicies
- ListPolicyVersions
- ListRolePolicies
- ListRoles
- ListSAMLProviders
- ListServerCertificates
- ListSigningCertificates
- ListSSHPublicKeys
- ListUserPolicies
- ListUsers
- ListVirtualMFADevices
- PutGroupPolicy
- PutRolePolicy
- PutUserPolicy
- RemoveClientIDFromOpenIDConnectProvider
- RemoveRoleFromInstanceProfile
- RemoveUserFromGroup
- ResyncMFADevice
- SetDefaultPolicyVersion
- SimulateCustomPolicy
- SimulatePrincipalPolicy
- UpdateAccessKey
- UpdateAccountPasswordPolicy
- UpdateAssumeRolePolicy
- UpdateGroup
- UpdateLoginProfile
- UpdateOpenIDConnectProviderThumbprint
- UpdateSAMLProvider
- UpdateServerCertificate
- UpdateSigningCertificate
- UpdateSSHPublicKey
- UpdateUser
- UploadServerCertificate
- UploadSigningCertificate
- UploadSSHPublicKey
Kinesis
kinesis:
- AddTagsToStream
- CreateStream
- DecreaseStreamRetentionPeriod
- DeleteStream
- DescribeStream
- DisableEnhancedMonitoring
- EnableEnhancedMonitoring
- GetRecords
- GetShardIterator
- IncreaseStreamRetentionPeriod
- ListStreams
- ListTagsForStream
- MergeShards
- PutRecord
- PutRecords
- RemoveTagsFromStream
- SplitShard
Key Management Service (KMS)
kms:
- CancelKeyDeletion
- CreateAlias
- CreateGrant
- CreateKey
- Decrypt
- DeleteAlias
- DescribeKey
- DisableKey
- DisableKeyRotation
- EnableKey
- EnableKeyRotation
- Encrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
- GenerateRandom
- GetKeyPolicy
- GetKeyRotationStatus
- ListAliases
- ListGrants
- ListKeyPolicies
- ListKeys
- ListRetirableGrants
- PutKeyPolicy
- ReEncrypt
- RetireGrant
- RevokeGrant
- ScheduleKeyDeletion
- UpdateAlias
- UpdateKeyDescription
Lambda
lambda:
- AddPermission
- CreateAlias
- CreateEventSourceMapping
- CreateFunction
- DeleteAlias
- DeleteEventSourceMapping
- DeleteFunction
- GetAlias
- GetEventSourceMapping
- GetFunction
- GetFunctionConfiguration
- GetPolicy
- Invoke
- InvokeAsync
- ListAliases
- ListEventSourceMappings
- ListFunctions
- ListVersionsByFunction
- PublishVersion
- RemovePermission
- UpdateAlias
- UpdateEventSourceMapping
- UpdateFunctionCode
- UpdateFunctionConfiguration
OpsWorks
opsworks:
- AssignInstance
- AssignVolume
- AssociateElasticIp
- AttachElasticLoadBalancer
- CloneStack
- CreateApp
- CreateDeployment
- CreateInstance
- CreateLayer
- CreateStack
- CreateUserProfile
- DeleteApp
- DeleteInstance
- DeleteLayer
- DeleteStack
- DeleteUserProfile
- DeregisterEcsCluster
- DeregisterElasticIp
- DeregisterInstance
- DeregisterRdsDbInstance
- DeregisterVolume
- DescribeAgentVersions
- DescribeApps
- DescribeCommands
- DescribeDeployments
- DescribeEcsClusters
- DescribeElasticIps
- DescribeElasticLoadBalancers
- DescribeInstances
- DescribeLayers
- DescribeLoadBasedAutoScaling
- DescribeMyUserProfile
- DescribePermissions
- DescribeRaidArrays
- DescribeRdsDbInstances
- DescribeServiceErrors
- DescribeStackProvisioningParameters
- DescribeStacks
- DescribeStackSummary
- DescribeTimeBasedAutoScaling
- DescribeUserProfiles
- DescribeVolumes
- DetachElasticLoadBalancer
- DisassociateElasticIp
- GetHostnameSuggestion
- GrantAccess
- RebootInstance
- RegisterEcsCluster
- RegisterElasticIp
- RegisterInstance
- RegisterRdsDbInstance
- RegisterVolume
- SetLoadBasedAutoScaling
- SetPermission
- SetTimeBasedAutoScaling
- StartInstance
- StartStack
- StopInstance
- StopStack
- UnassignInstance
- UnassignVolume
- UpdateApp
- UpdateElasticIp
- UpdateInstance
- UpdateLayer
- UpdateMyUserProfile
- UpdateRdsDbInstance
- UpdateStack
- UpdateUserProfile
- UpdateVolume
Relational Database Service (RDS)
rds:
- AddSourceIdentifierToSubscription
- AddTagsToResource
- ApplyPendingMaintenanceAction
- AuthorizeDBSecurityGroupIngress
- CopyDBClusterSnapshot
- CopyDBParameterGroup
- CopyDBSnapshot
- CopyOptionGroup
- CreateDBCluster
- CreateDBClusterParameterGroup
- CreateDBClusterSnapshot
- CreateDBInstance
- CreateDBInstanceReadReplica
- CreateDBParameterGroup
- CreateDBSecurityGroup
- CreateDBSnapshot
- CreateDBSubnetGroup
- CreateEventSubscription
- CreateOptionGroup
- DeleteDBCluster
- DeleteDBClusterParameterGroup
- DeleteDBClusterSnapshot
- DeleteDBInstance
- DeleteDBParameterGroup
- DeleteDBSecurityGroup
- DeleteDBSnapshot
- DeleteDBSubnetGroup
- DeleteEventSubscription
- DeleteOptionGroup
- DescribeAccountAttributes
- DescribeCertificates
- DescribeDBClusterParameterGroups
- DescribeDBClusterParameters
- DescribeDBClusters
- DescribeDBClusterSnapshotAttributes
- DescribeDBClusterSnapshots
- DescribeDBEngineVersions
- DescribeDBInstances
- DescribeDBLogFiles
- DescribeDBParameterGroups
- DescribeDBParameters
- DescribeDBSecurityGroups
- DescribeDBSnapshotAttributes
- DescribeDBSnapshots
- DescribeDBSubnetGroups
- DescribeEngineDefaultClusterParameters
- DescribeEngineDefaultParameters
- DescribeEventCategories
- DescribeEvents
- DescribeEventSubscriptions
- DescribeOptionGroupOptions
- DescribeOptionGroups
- DescribeOrderableDBInstanceOptions
- DescribePendingMaintenanceActions
- DescribeReservedDBInstances
- DescribeReservedDBInstancesOfferings
- DownloadDBLogFilePortion
- FailoverDBCluster
- ListTagsForResource
- ModifyDBCluster
- ModifyDBClusterParameterGroup
- ModifyDBClusterSnapshotAttribute
- ModifyDBInstance
- ModifyDBParameterGroup
- ModifyDBSnapshotAttribute
- ModifyDBSubnetGroup
- ModifyEventSubscription
- ModifyOptionGroup
- PromoteReadReplica
- PromoteReadReplicaDBCluster
- PurchaseReservedDBInstancesOffering
- RebootDBInstance
- RemoveSourceIdentifierFromSubscription
- RemoveTagsFromResource
- ResetDBClusterParameterGroup
- ResetDBParameterGroup
- RestoreDBClusterFromSnapshot
- RestoreDBClusterToPointInTime
- RestoreDBInstanceFromDBSnapshot
- RestoreDBInstanceToPointInTime
- RevokeDBSecurityGroupIngress
Redshift
redshift:
- AuthorizeClusterSecurityGroupIngress
- AuthorizeSnapshotAccess
- CancelQuerySession
- CopyClusterSnapshot
- CreateCluster
- CreateClusterParameterGroup
- CreateClusterSecurityGroup
- CreateClusterSnapshot
- CreateClusterSubnetGroup
- CreateEventSubscription
- CreateHsmClientCertificate
- CreateHsmConfiguration
- CreateTags
- DeleteCluster
- DeleteClusterParameterGroup
- DeleteClusterSecurityGroup
- DeleteClusterSnapshot
- DeleteClusterSubnetGroup
- DeleteEventSubscription
- DeleteHsmClientCertificate
- DeleteHsmConfiguration
- DeleteTags
- DescribeClusterParameterGroups
- DescribeClusterParameters
- DescribeClusterSecurityGroups
- DescribeClusterSnapshots
- DescribeClusterSubnetGroups
- DescribeClusterVersions
- DescribeClusters
- DescribeDefaultClusterParameters
- DescribeEventCategories
- DescribeEventSubscriptions
- DescribeEvents
- DescribeHsmClientCertificates
- DescribeHsmConfigurations
- DescribeLoggingStatus
- DescribeOrderableClusterOptions
- DescribeReservedNodeOfferings
- DescribeReservedNodes
- DescribeResize
- DescribeTags
- DisableLogging
- DisableSnapshotCopy
- EnableLogging
- EnableSnapshotCopy
- ModifyCluster
- ModifyClusterParameterGroup
- ModifyClusterSubnetGroup
- ModifyEventSubscription
- ModifySnapshotCopyRetentionPeriod
- PurchaseReservedNodeOffering
- RebootCluster
- ResetClusterParameterGroup
- RestoreFromClusterSnapshot
- RevokeClusterSecurityGroupIngress
- RevokeSnapshotAccess
- RotateEncryptionKey
- ViewQueriesInConsole
Route 53
route53:
- AssociateVPCWithHostedZone
- ChangeResourceRecordSets
- ChangeTagsForResource
- CreateHealthCheck
- CreateHostedZone
- CreateReusableDelegationSet
- CreateTrafficPolicy
- CreateTrafficPolicyInstance
- CreateTrafficPolicyVersion
- DeleteHealthCheck
- DeleteHostedZone
- DeleteReusableDelegationSet
- DeleteTrafficPolicy
- DeleteTrafficPolicyInstance
- DisableDomainAutoRenew
- DisassociateVPCFromHostedZone
- EnableDomainAutoRenew
- GetChange
- GetCheckerIpRanges
- GetGeoLocation
- GetHealthCheck
- GetHealthCheckCount
- GetHealthCheckLastFailureReason
- GetHealthCheckStatus
- GetHostedZone
- GetHostedZoneCount
- GetReusableDelegationSet
- GetTrafficPolicy
- GetTrafficPolicyInstance
- GetTrafficPolicyInstanceCount
- ListGeoLocations
- ListHealthChecks
- ListHostedZones
- ListHostedZonesByName
- ListResourceRecordSets
- ListReusableDelegationSets
- ListTagsForResource
- ListTagsForResources
- ListTrafficPolicies
- ListTrafficPolicyInstances
- ListTrafficPolicyInstancesByHostedZone
- ListTrafficPolicyInstancesByPolicy
- ListTrafficPolicyVersions
- UpdateHealthCheck
- UpdateHostedZoneComment
- UpdateTrafficPolicyComment
- UpdateTrafficPolicyInstance
Route53 Domains
route53domains:
- CheckDomainAvailability
- DeleteDomain
- DeleteTagsForDomain
- DisableDomainTransferLock
- EnableDomainTransferLock
- GetDomainDetail
- GetOperationDetail
- ListDomains
- ListOperations
- ListTagsForDomain
- RegisterDomain
- RetrieveDomainAuthCode
- TransferDomain
- UpdateDomainContact
- UpdateDomainContactPrivacy
- UpdateDomainNameservers
- UpdateTagsForDomain
S3
s3:
- AbortMultipartUpload
- CreateBucket
- DeleteBucket
- DeleteBucketPolicy
- DeleteBucketWebsite
- DeleteObject
- GetAccelerateConfiguration
- GetBucketAcl
- GetBucketCORS
- GetBucketLocation
- GetBucketLogging
- GetBucketNotification
- GetBucketPolicy
- GetBucketRequestPayment
- GetBucketTagging
- GetBucketVersioning
- GetBucketWebsite
- GetLifecycleConfiguration
- GetObject
- GetObjectAcl
- GetObjectTorrent
- GetObjectVersionAcl
- GetReplicationConfiguration
- ListAllMyBuckets
- ListBucket
- ListBucketMultipartUploads
- ListBucketVersions
- ListMultipartUploadParts
- PutAccelerateConfiguration
- PutBucketAcl
- PutBucketCORS
- PutBucketLogging
- PutBucketNotification
- PutBucketPolicy
- PutBucketRequestPayment
- PutBucketTagging
- PutBucketVersioning
- PutBucketWebsite
- PutLifecycleConfiguration
- PutObject
- PutObjectAcl
- PutObjectVersionAcl
- RestoreObject
Security Token Service (STS)
sts:
- AssumeRole
- AssumeRoleWithSAML
- AssumeRoleWithWebIdentity
- DecodeAuthorizationMessage
- GetCallerIdentity
- GetFederationToken
- GetSessionToken
Simple Email Service (SES)
ses:
- CloneReceiptRuleSet
- CreateReceiptFilter
- CreateReceiptRule
- CreateReceiptRuleSet
- DeleteIdentity
- DeleteIdentityPolicy
- DeleteReceiptFilter
- DeleteReceiptRule
- DeleteReceiptRuleSet
- DeleteVerifiedEmailAddress
- DescribeActiveReceiptRuleSet
- DescribeReceiptRule
- DescribeReceiptRuleSet
- GetIdentityDkimAttributes
- GetIdentityMailFromDomainAttributes
- GetIdentityNotificationAttributes
- GetIdentityPolicies
- GetIdentityVerificationAttributes
- GetSendQuota
- GetSendStatistics
- ListIdentities
- ListIdentityPolicies
- ListReceiptFilters
- ListReceiptRuleSets
- ListVerifiedEmailAddresses
- PutIdentityPolicy
- ReorderReceiptRuleSet
- SendBounce
- SendEmail
- SendRawEmail
- SetActiveReceiptRuleSet
- SetIdentityDkimEnabled
- SetIdentityFeedbackForwardingEnabled
- SetIdentityHeadersInNotificationsEnabled
- SetIdentityMailFromDomain
- SetIdentityNotificationTopic
- SetReceiptRulePosition
- UpdateReceiptRule
- VerifyDomainDkim
- VerifyDomainIdentity
- VerifyEmailAddress
- VerifyEmailIdentity
Simple Notification Service (SNS)
sns:
- AddPermission
- CheckIfPhoneNumberIsOptedOut
- ConfirmSubscription
- CreatePlatformApplication
- CreatePlatformEndpoint
- CreateTopic
- DeleteEndpoint
- DeletePlatformApplication
- DeleteTopic
- GetEndpointAttributes
- GetPlatformApplicationAttributes
- GetSMSAttributes
- GetSubscriptionAttributes
- GetTopicAttributes
- ListEndpointsByPlatformApplication
- ListPhoneNumbersOptedOut
- ListPlatformApplications
- ListSubscriptions
- ListSubscriptionsByTopic
- ListTopics
- OptInPhoneNumber
- Publish
- RemovePermission
- SetEndpointAttributes
- SetPlatformApplicationAttributes
- SetSMSAttributes
- SetSubscriptionAttributes
- SetTopicAttributes
- Subscribe
- Unsubscribe
Simple Queue Service (SQS)
sqs:
- AddPermission
- ChangeMessageVisibility
- ChangeMessageVisibilityBatch
- CreateQueue
- DeleteMessage
- DeleteMessageBatch
- DeleteQueue
- GetQueueAttributes
- GetQueueUrl
- ListDeadLetterSourceQueues
- ListQueues
- PurgeQueue
- ReceiveMessage
- RemovePermission
- SendMessage
- SendMessageBatch
- SetQueueAttributes
Support
support:
- AddAttachmentsToSet
- AddCommunicationToCase
- CreateCase
- DescribeAttachment
- DescribeCases
- DescribeCommunications
- DescribeServices
- DescribeSeverityLevels
- DescribeTrustedAdvisorCheckRefreshStatuses
- DescribeTrustedAdvisorCheckResult
- DescribeTrustedAdvisorChecks
- DescribeTrustedAdvisorCheckSummaries
- RefreshTrustedAdvisorCheck
- ResolveCase
Trusted Advisor
trustedadvisor:
- DescribeCheckSummaries
- DescribeCheckItems
- RefreshCheck
- DescribeCheckRefreshStatuses
- ExcludeCheckItems
- IncludeCheckItems
- DescribeNotificationPreferences
- UpdateNotificationPreferences