List of IAM Permissions

## IAM Permissions List.md

      
          Raw
        
        
              IAM Permissions List.md
            
          
    List of IAM Permissions
This is a list of controls that can be placed into an IAM policy document.  All content comes from AWS documentation.
Something wrong?  Try looking here.
Table of Contents  generated with DocToc

List of IAM Permissions

IAM Policy Variables
AWS Billing
Auto Scaling
CloudFormation
CloudTrail
CloudWatch
CloudWatch Logs
Database Migration Service (DMS)
DynamoDB
Elastic Beanstalk
ElastiCache
EC2
EC2 Container Service (ECS)
Elastic File System (EFS)
Elastic Load Balancer (ELB)
Elastic MapReduce (EMR)
Identity and Access Management (IAM)
Kinesis
Key Management Service (KMS)
Lambda
OpsWorks
Relational Database Service (RDS)
Redshift
Route 53
Route53 Domains
S3
Security Token Service (STS)
Simple Email Service (SES)
Simple Notification Service (SNS)
Simple Queue Service (SQS)
Support
Trusted Advisor


IAM Policy Variables

aws:CurrentTime —To check for date/time conditions.
aws:EpochTime —To check for date/time conditions using a date in epoch or UNIX time.
aws:TokenIssueTime This is the date and time that temporary security credentials were issued and can be used with date/time conditions. (Note: This key is only available in requests that are signed using temporary security credentials. For more information about temporary security credentials, see Temporary Security Credentials.)
aws:principaltype —To check the type of principal (user, account, federated user, - etc.) for the current request.
aws:SecureTransport —To check whether the request was sent using SSL. For services - that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport - key has no meaning.
aws:SourceArn —To check the source of the request, using the Amazon Resource Name - (ARN) of the source. (This value is available for only some services. For more - information, see Amazon Resource Name (ARN) under "Element Descriptions" in the - Amazon Simple Queue Service Developer Guide.)
aws:SourceIp —To check the IP address of the requester. Note that if you use - aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP - address of the instance is evaluated.
aws:UserAgent —To check the client application that made the request.
aws:userid —To check the user ID of the requester.
aws:username —To check the user name of the requester, if available.
ec2:SourceInstanceARN This is the Amazon Resource Name (ARN) of the Amazon EC2 instance from which the request is made. This key is present only when the request comes from an Amazon EC2 instance using an IAM role associated with an EC2 instance profile.

The values for aws:username, aws:userid, and aws:principaltype depend on what type of principal initiated the request—whether the request was made using the credentials of an AWS account, an IAM user, an IAM role, and so on. The following table shows values for these keys for different types of principal.


Principal
aws:username
aws:userid
aws:principaltype


AWS account
(not present)
AWS account ID
Account


IAM user
IAM-user-name
unique ID
User


Federated user
(not present)
account:caller-specified-name
FederatedUser


Web federated user (Login with Amazon, Amazon Cognito, Facebook, Google) *
(not present)
role id:caller-specified-role-name
AssumedRole


SAML federated user **
(not present)
role id:caller-specified-role-name
AssumedRole


Assumed role
(not present)
role-id:caller-specified-role-name
AssumedRole


Role assigned to an Amazon EC2 instance
(not present)
role-id:ec2-instance-id
AssumedRole


Anonymous caller (Amazon SQS, Amazon SNS, and Amazon S3 only)
(not present)
(not present)
Anonymous


* For information about policy keys that are available when you use web identity federation, see Identifying Users with Web Identity Federation.
** For information about policy keys that are available when you use SAML federation, see Uniquely Identifying Users in SAML-Based Federation.
In this table:

not present means that the value is not in the current request information, and any attempt to match it fails and causes the request to be denied.
role-id is a unique identifier assigned to each role at creation. You can display the role ID with the AWS CLI command: aws iam get-role --role-name ${rolename}
caller-specified-name and caller-specified-role-name are names that are passed by the calling process (e.g. application or service) when it makes a call to get temporary credentials.
ec2-instance-id is a value assigned to the instance when it is launched and appears on the Instances page of the Amazon EC2 console. You can also display the instance ID by running the AWS CLI command: aws ec2 describe-instances

AWS Billing
aws-portal:

ModifyAccount
ModifyBilling
ModifyPaymentMethods
ViewAccount
ViewBilling
ViewBudget
ViewPaymentMethods
ViewUsage

Auto Scaling
autoscaling:

AttachInstances
AttachLoadBalancers
CompleteLifecycleAction
CreateAutoScalingGroup
CreateLaunchConfiguration
CreateOrUpdateTags
DeleteAutoScalingGroup
DeleteLaunchConfiguration
DeleteLifecycleHook
DeleteNotificationConfiguration
DeletePolicy
DeleteScheduledAction
DeleteTags
DescribeAccountLimits
DescribeAdjustmentTypes
DescribeAutoScalingGroups
DescribeAutoScalingInstances
DescribeAutoScalingNotificationTypes
DescribeLaunchConfigurations
DescribeLifecycleHooks
DescribeLifecycleHookTypes
DescribeLoadBalancers
DescribeMetricCollectionTypes
DescribeNotificationConfigurations
DescribePolicies
DescribeScalingActivities
DescribeScalingProcessTypes
DescribeScheduledActions
DescribeTags
DescribeTerminationPolicyTypes
DetachInstances
DetachLoadBalancers
DisableMetricsCollection
EnableMetricsCollection
EnterStandby
ExecutePolicy
ExitStandby
PutLifecycleHook
PutNotificationConfiguration
PutScalingPolicy
PutScheduledUpdateGroupAction
RecordLifecycleActionHeartbeat
ResumeProcesses
SetDesiredCapacity
SetInstanceHealth
SetInstanceProtection
SuspendProcesses
TerminateInstanceInAutoScalingGroup
UpdateAutoScalingGroup

CloudFormation
cloudformation:

CancelUpdateStack
ContinueUpdateRollback
CreateChangeSet
CreateStack
CreateUploadBucket
DeleteStack
DescribeAccountLimits
DescribeChangeSet
DescribeStackEvents
DescribeStackResource
DescribeStackResources
DescribeStacks
EstimateTemplateCost
ExecuteChangeSet
GetStackPolicy
GetTemplate
GetTemplateSummary
ListChangeSets
ListStackResources
ListStacks
PreviewStackUpdate
SetStackPolicy
SignalResource
UpdateStack
ValidateTemplate

CloudTrail
cloudtrail:

AddTags
CreateTrail
DeleteTrail
DescribeTrails
GetTrailStatus
ListPublicKeys
ListTags
LookupEvents
RemoveTags
StartLogging
StopLogging
UpdateTrail

CloudWatch
cloudwatch:

CancelExportTask
CreateExportTask
CreateLogGroup
CreateLogStream
DeleteDestination
DeleteLogGroup
DeleteLogStream
DeleteMetricFilter
DeleteRetentionPolicy
DeleteSubscriptionFilter
DescribeDestinations
DescribeExportTasks
DescribeLogGroups
DescribeLogStreams
DescribeMetricFilters
DescribeSubscriptionFilters
FilterLogEvents
GetLogEvents
PutDestination
PutDestinationPolicy
PutLogEvents
PutMetricFilter
PutRetentionPolicy
PutSubscriptionFilter
TestMetricFilter

CloudWatch Logs
logs:

CancelExportTask
CreateExportTask
CreateLogGroup
CreateLogStream
DeleteDestination
DeleteLogGroup
DeleteLogStream
DeleteMetricFilter
DeleteRetentionPolicy
DeleteSubscriptionFilter
DescribeDestinations
DescribeExportTasks
DescribeLogGroups
DescribeLogStreams
DescribeMetricFilters
DescribeSubscriptionFilters
FilterLogEvents
GetLogEvents
PutDestination
PutDestinationPolicy
PutLogEvents
PutMetricFilter
PutRetentionPolicy
PutSubscriptionFilter
TestMetricFilter

Database Migration Service (DMS)
dms:

AddTagsToResource
CreateEndpoint
CreateReplicationInstance
CreateReplicationSubnetGroup
CreateReplicationTask
DeleteEndpoint
DeleteReplicationInstance
DeleteReplicationSubnetGroup
DeleteReplicationTask
DescribeAccountAttributes
DescribeConnections
DescribeEndpointTypes
DescribeEndpoints
DescribeOrderableReplicationInstances
DescribeRefreshSchemasStatus
DescribeReplicationInstances
DescribeReplicationSubnetGroups
DescribeReplicationTasks
DescribeSchemas
DescribeTableStatistics
ListTagsForResource
ModifyEndpoint
ModifyReplicationInstance
ModifyReplicationSubnetGroup
RefreshSchemas
RemoveTagsFromResource
StartReplicationTask
StopReplicationTask
TestConnection

DynamoDB
dynamodb:

BatchGetItem
BatchWriteItem
CreateTable
DeleteItem
DeleteTable
DescribeReservedCapacity
DescribeReservedCapacityOfferings
DescribeStream
DescribeTable
GetItem
GetRecords
GetShardIterator
ListStreams
ListTables
PurchaseReservedCapacityOfferings
PutItem
Query
Scan
UpdateItem
UpdateTable

Elastic Beanstalk
elasticbeanstalk:

CheckDNSAvailability
CreateApplication
CreateApplicationVersion
CreateConfigurationTemplate
CreateEnvironment
CreateStorageLocation
DeleteApplication
DeleteApplicationVersion
DeleteConfigurationTemplate
DeleteEnvironmentConfiguration
DescribeApplicationVersions
DescribeApplications
DescribeConfigurationOptions
DescribeConfigurationSettings
DescribeEnvironmentHealth
DescribeEnvironmentResources
DescribeEnvironments
DescribeEvents
DescribeInstancesHealth
ListAvailableSolutionStacks
RebuildEnvironment
RequestEnvironmentInfo
RestartAppServer
RetrieveEnvironmentInfo
SwapEnvironmentCNAMEs
TerminateEnvironment
UpdateApplication
UpdateApplicationVersion
UpdateConfigurationTemplate
UpdateEnvironment
ValidateConfigurationSettings

ElastiCache
elasticache:

AddTagsToResource
AuthorizeCacheSecurityGroupIngress
CopySnapshot
CreateCacheCluster
CreateCacheParameterGroup
CreateCacheSecurityGroup
CreateCacheSubnetGroup
CreateReplicationGroup
CreateSnapshot
DeleteCacheCluster
DeleteCacheParameterGroup
DeleteCacheSecurityGroup
DeleteCacheSubnetGroup
DeleteReplicationGroup
DeleteSnapshot
DescribeCacheClusters
DescribeCacheEngineVersions
DescribeCacheParameterGroups
DescribeCacheParameters
DescribeCacheSecurityGroups
DescribeCacheSubnetGroups
DescribeEngineDefaultParameters
DescribeEvents
DescribeReplicationGroups
DescribeReservedCacheNodes
DescribeReservedCacheNodesOfferings
DescribeSnapshots
ListAllowedNodeTypeModifications
ListTagsForResource
ModifyCacheCluster
ModifyCacheParameterGroup
ModifyCacheSubnetGroup
ModifyReplicationGroup
PurchaseReservedCacheNodesOffering
RebootCacheCluster
RemoveTagsFromResource
ResetCacheParameterGroup
RevokeCacheSecurityGroupIngress

EC2
ec2:

AcceptVpcPeeringConnection
AllocateAddress
AllocateHosts
AssignPrivateIpAddresses
AssociateAddress
AssociateDhcpOptions
AssociateRouteTable
AttachClassicLinkVpc
AttachInternetGateway
AttachNetworkInterface
AttachVolume
AttachVpnGateway
AuthorizeSecurityGroupEgress
AuthorizeSecurityGroupIngress
BundleInstance
CancelBundleTask
CancelConversionTask
CancelExportTask
CancelImportTask
CancelReservedInstancesListing
CancelSpotFleetRequests
CancelSpotInstanceRequests
ConfirmProductInstance
CopyImage
CopySnapshot
CreateCustomerGateway
CreateDhcpOptions
CreateFlowLogs
CreateImage
CreateInstanceExportTask
CreateInternetGateway
CreateKeyPair
CreateNatGateway
CreateNetworkAcl
CreateNetworkAclEntry
CreateNetworkInterface
CreatePlacementGroup
CreateReservedInstancesListing
CreateRoute
CreateRouteTable
CreateSecurityGroup
CreateSnapshot
CreateSpotDatafeedSubscription
CreateSubnet
CreateTags
CreateVolume
CreateVpc
CreateVpcEndpoint
CreateVpcPeeringConnection
CreateVpnConnection
CreateVpnConnectionRoute
CreateVpnGateway
DeleteCustomerGateway
DeleteDhcpOptions
DeleteFlowLogs
DeleteInternetGateway
DeleteKeyPair
DeleteNatGateway
DeleteNetworkAcl
DeleteNetworkAclEntry
DeleteNetworkInterface
DeletePlacementGroup
DeleteRoute
DeleteRouteTable
DeleteSecurityGroup
DeleteSnapshot
DeleteSpotDatafeedSubscription
DeleteSubnet
DeleteTags
DeleteVolume
DeleteVpc
DeleteVpcEndpoints
DeleteVpcPeeringConnection
DeleteVpnConnection
DeleteVpnConnectionRoute
DeleteVpnGateway
DeregisterImage
DescribeAccountAttributes
DescribeAddresses
DescribeAvailabilityZones
DescribeBundleTasks
DescribeClassicLinkInstances
DescribeConversionTasks
DescribeCustomerGateways
DescribeDhcpOptions
DescribeExportTasks
DescribeFlowLogs
DescribeHosts
DescribeIdFormat
DescribeImageAttribute
DescribeImages
DescribeImportImageTasks
DescribeImportSnapshotTasks
DescribeInstanceAttribute
DescribeInstances
DescribeInstanceStatus
DescribeInternetGateways
DescribeKeyPairs
DescribeMovingAddresses
DescribeNatGateways
DescribeNetworkAcls
DescribeNetworkInterfaceAttribute
DescribeNetworkInterfaces
DescribePlacementGroups
DescribePrefixLists
DescribeRegions
DescribeReservedInstances
DescribeReservedInstancesListings
DescribeReservedInstancesModifications
DescribeReservedInstancesOfferings
DescribeRouteTables
DescribeScheduledInstanceAvailability
DescribeScheduledInstances
DescribeSecurityGroupReferences
DescribeSecurityGroups
DescribeSnapshotAttribute
DescribeSnapshots
DescribeSpotDatafeedSubscription
DescribeSpotFleetInstances
DescribeSpotFleetRequestHistory
DescribeSpotFleetRequests
DescribeSpotInstanceRequests
DescribeSpotPriceHistory
DescribeStaleSecurityGroups
DescribeSubnets
DescribeTags
DescribeVolumeAttribute
DescribeVolumes
DescribeVolumeStatus
DescribeVpcAttribute
DescribeVpcClassicLink
DescribeVpcClassicLinkDnsSupport
DescribeVpcEndpoints
DescribeVpcEndpointServices
DescribeVpcPeeringConnections
DescribeVpcs
DescribeVpnConnections
DescribeVpnGateways
DetachClassicLinkVpc
DetachInternetGateway
DetachNetworkInterface
DetachVolume
DetachVpnGateway
DisableVgwRoutePropagation
DisableVpcClassicLink
DisableVpcClassicLinkDnsSupport
DisassociateAddress
DisassociateRouteTable
EnableVgwRoutePropagation
EnableVolumeIO
EnableVpcClassicLink
EnableVpcClassicLinkDnsSupport
GetConsoleOutput
GetConsoleScreenshot
GetPasswordData
ImportImage
ImportInstance
ImportKeyPair
ImportSnapshot
ImportVolume
ModifyHosts
ModifyIdFormat
ModifyImageAttribute
ModifyInstanceAttribute
ModifyInstancePlacement
ModifyNetworkInterfaceAttribute
ModifyReservedInstances
ModifySnapshotAttribute
ModifySpotFleetRequest
ModifySubnetAttribute
ModifyVolumeAttribute
ModifyVpcAttribute
ModifyVpcEndpoint
ModifyVpcPeeringConnectionOptions
MonitorInstances
MoveAddressToVpc
PurchaseReservedInstancesOffering
PurchaseScheduledInstances
RebootInstances
RegisterImage
RejectVpcPeeringConnection
ReleaseAddress
ReleaseHosts
ReplaceNetworkAclAssociation
ReplaceNetworkAclEntry
ReplaceRoute
ReplaceRouteTableAssociation
ReportInstanceStatus
RequestSpotFleet
RequestSpotInstances
ResetImageAttribute
ResetInstanceAttribute
ResetNetworkInterfaceAttribute
ResetSnapshotAttribute
RestoreAddressToClassic
RevokeSecurityGroupEgress
RevokeSecurityGroupIngress
RunInstances
RunScheduledInstances
StartInstances
StopInstances
TerminateInstances
UnassignPrivateIpAddresses
UnmonitorInstances

EC2 Container Service (ECS)
ecs:

CreateCluster
CreateService
DeleteCluster
DeleteService
DeregisterContainerInstance
DeregisterTaskDefinition
DescribeClusters
DescribeContainerInstances
DescribeServices
DescribeTaskDefinition
DescribeTasks
DiscoverPollEndpoint
ListClusters
ListContainerInstances
ListServices
ListTaskDefinitionFamilies
ListTaskDefinitions
ListTasks
RegisterContainerInstance
RegisterTaskDefinition
RunTask
StartTask
StopTask
SubmitContainerStateChange
SubmitTaskStateChange
UpdateContainerAgent
UpdateService

Elastic File System (EFS)
elasticfilesystem:

CreateFileSystem
CreateMountTarget
Dependencies
ec2:DescribeSubnets
ec2:DescribeNetworkInterfaces
ec2:CreateNetworkInterface
CreateTags
DeleteFileSystem
Dependencies
ec2:DeleteNetworkInterface
DeleteMountTarget
DeleteTags
DescribeFileSystems
DescribeMountTargetSecurityGroups
Dependencies
ec2:DescribeNetworkInterfaceAttribute
DescribeMountTargets
DescribeTags
ModifyMountTargetSecurityGroups
Dependencies
ec2:ModifyNetworkInterfaceAttribute

Elastic Load Balancer (ELB)##
elasticloadbalancing:

AddTags
ApplySecurityGroupsToLoadBalancer
AttachLoadBalancerToSubnets
ConfigureHealthCheck
CreateAppCookieStickinessPolicy
CreateLBCookieStickinessPolicy
CreateLoadBalancer
CreateLoadBalancerListeners
CreateLoadBalancerPolicy
DeleteLoadBalancer
DeleteLoadBalancerListeners
DeleteLoadBalancerPolicy
DeregisterInstancesFromLoadBalancer
DescribeInstanceHealth
DescribeLoadBalancerAttributes
DescribeLoadBalancerPolicies
DescribeLoadBalancerPolicyTypes
DescribeLoadBalancers
DescribeTags
DetachLoadBalancerFromSubnets
DisableAvailabilityZonesForLoadBalancer
EnableAvailabilityZonesForLoadBalancer
ModifyLoadBalancerAttributes
RegisterInstancesWithLoadBalancer
RemoveTags
SetLoadBalancerListenerSSLCertificate
SetLoadBalancerPoliciesForBackendServer
SetLoadBalancerPoliciesOfListener

Elastic MapReduce (EMR)
elasticmapreduce:

AddInstanceGroups
AddJobFlowSteps
AddTags
DescribeCluster
DescribeJobFlows
DescribeStep
ListBootstrapActions
ListClusters
ListInstanceGroups
ListInstances
ListSteps
ModifyInstanceGroups
RemoveTags
RunJobFlow
SetTerminationProtection
SetVisibleToAllUsers
TerminateJobFlows

Identity and Access Management (IAM)
iam:

AddClientIDToOpenIDConnectProvider
AddRoleToInstanceProfile
AddUserToGroup
AttachGroupPolicy
AttachRolePolicy
AttachUserPolicy
ChangePassword
CreateAccessKey
CreateAccountAlias
CreateGroup
CreateInstanceProfile
CreateLoginProfile
CreateOpenIDConnectProvider
CreatePolicy
CreatePolicyVersion
CreateRole
CreateSAMLProvider
CreateUser
CreateVirtualMFADevice
DeactivateMFADevice
DeleteAccessKey
DeleteAccountAlias
DeleteAccountPasswordPolicy
DeleteGroup
DeleteGroupPolicy
DeleteInstanceProfile
DeleteLoginProfile
DeleteOpenIDConnectProvider
DeletePolicy
DeletePolicyVersion
DeleteRole
DeleteRolePolicy
DeleteSAMLProvider
DeleteServerCertificate
DeleteSigningCertificate
DeleteSSHPublicKey
DeleteUser
DeleteUserPolicy
DeleteVirtualMFADevice
DetachGroupPolicy
DetachRolePolicy
DetachUserPolicy
EnableMFADevice
GenerateCredentialReport
GetAccessKeyLastUsed
GetAccountAuthorizationDetails
GetAccountPasswordPolicy
GetAccountSummary
GetContextKeysForCustomPolicy
GetContextKeysForPrincipalPolicy
GetCredentialReport
GetGroup
GetGroupPolicy
GetInstanceProfile
GetLoginProfile
GetOpenIDConnectProvider
GetPolicy
GetPolicyVersion
GetRole
GetRolePolicy
GetSAMLProvider
GetServerCertificate
GetSSHPublicKey
GetUser
GetUserPolicy
ListAccessKeys
ListAccountAliases
ListAttachedGroupPolicies
ListAttachedRolePolicies
ListAttachedUserPolicies
ListEntitiesForPolicy
ListGroupPolicies
ListGroups
ListGroupsForUser
ListInstanceProfiles
ListInstanceProfilesForRole
ListMFADevices
ListOpenIDConnectProviders
ListPolicies
ListPolicyVersions
ListRolePolicies
ListRoles
ListSAMLProviders
ListServerCertificates
ListSigningCertificates
ListSSHPublicKeys
ListUserPolicies
ListUsers
ListVirtualMFADevices
PutGroupPolicy
PutRolePolicy
PutUserPolicy
RemoveClientIDFromOpenIDConnectProvider
RemoveRoleFromInstanceProfile
RemoveUserFromGroup
ResyncMFADevice
SetDefaultPolicyVersion
SimulateCustomPolicy
SimulatePrincipalPolicy
UpdateAccessKey
UpdateAccountPasswordPolicy
UpdateAssumeRolePolicy
UpdateGroup
UpdateLoginProfile
UpdateOpenIDConnectProviderThumbprint
UpdateSAMLProvider
UpdateServerCertificate
UpdateSigningCertificate
UpdateSSHPublicKey
UpdateUser
UploadServerCertificate
UploadSigningCertificate
UploadSSHPublicKey

Kinesis##
kinesis:

AddTagsToStream
CreateStream
DecreaseStreamRetentionPeriod
DeleteStream
DescribeStream
DisableEnhancedMonitoring
EnableEnhancedMonitoring
GetRecords
GetShardIterator
IncreaseStreamRetentionPeriod
ListStreams
ListTagsForStream
MergeShards
PutRecord
PutRecords
RemoveTagsFromStream
SplitShard

Key Management Service (KMS)
kms:

CancelKeyDeletion
CreateAlias
CreateGrant
CreateKey
Decrypt
DeleteAlias
DescribeKey
DisableKey
DisableKeyRotation
EnableKey
EnableKeyRotation
Encrypt
GenerateDataKey
GenerateDataKeyWithoutPlaintext
GenerateRandom
GetKeyPolicy
GetKeyRotationStatus
ListAliases
ListGrants
ListKeyPolicies
ListKeys
ListRetirableGrants
PutKeyPolicy
ReEncrypt
RetireGrant
RevokeGrant
ScheduleKeyDeletion
UpdateAlias
UpdateKeyDescription

Lambda
lambda:

AddPermission
CreateAlias
CreateEventSourceMapping
CreateFunction
DeleteAlias
DeleteEventSourceMapping
DeleteFunction
GetAlias
GetEventSourceMapping
GetFunction
GetFunctionConfiguration
GetPolicy
Invoke
InvokeAsync
ListAliases
ListEventSourceMappings
ListFunctions
ListVersionsByFunction
PublishVersion
RemovePermission
UpdateAlias
UpdateEventSourceMapping
UpdateFunctionCode
UpdateFunctionConfiguration

[OpsWorks](AWS OpsWorks)
opsworks:

AssignInstance
AssignVolume
AssociateElasticIp
AttachElasticLoadBalancer
CloneStack
CreateApp
CreateDeployment
CreateInstance
CreateLayer
CreateStack
CreateUserProfile
DeleteApp
DeleteInstance
DeleteLayer
DeleteStack
DeleteUserProfile
DeregisterEcsCluster
DeregisterElasticIp
DeregisterInstance
DeregisterRdsDbInstance
DeregisterVolume
DescribeAgentVersions
DescribeApps
DescribeCommands
DescribeDeployments
DescribeEcsClusters
DescribeElasticIps
DescribeElasticLoadBalancers
DescribeInstances
DescribeLayers
DescribeLoadBasedAutoScaling
DescribeMyUserProfile
DescribePermissions
DescribeRaidArrays
DescribeRdsDbInstances
DescribeServiceErrors
DescribeStackProvisioningParameters
DescribeStacks
DescribeStackSummary
DescribeTimeBasedAutoScaling
DescribeUserProfiles
DescribeVolumes
DetachElasticLoadBalancer
DisassociateElasticIp
GetHostnameSuggestion
GrantAccess
RebootInstance
RegisterEcsCluster
RegisterElasticIp
RegisterInstance
RegisterRdsDbInstance
RegisterVolume
SetLoadBasedAutoScaling
SetPermission
SetTimeBasedAutoScaling
StartInstance
StartStack
StopInstance
StopStack
UnassignInstance
UnassignVolume
UpdateApp
UpdateElasticIp
UpdateInstance
UpdateLayer
UpdateMyUserProfile
UpdateRdsDbInstance
UpdateStack
UpdateUserProfile
UpdateVolume

Relational Database Service (RDS)
rds:

AddSourceIdentifierToSubscription
AddTagsToResource
ApplyPendingMaintenanceAction
AuthorizeDBSecurityGroupIngress
CopyDBClusterSnapshot
CopyDBParameterGroup
CopyDBSnapshot
CopyOptionGroup
CreateDBCluster
CreateDBClusterParameterGroup
CreateDBClusterSnapshot
CreateDBInstance
CreateDBInstanceReadReplica
CreateDBParameterGroup
CreateDBSecurityGroup
CreateDBSnapshot
CreateDBSubnetGroup
CreateEventSubscription
CreateOptionGroup
DeleteDBCluster
DeleteDBClusterParameterGroup
DeleteDBClusterSnapshot
DeleteDBInstance
DeleteDBParameterGroup
DeleteDBSecurityGroup
DeleteDBSnapshot
DeleteDBSubnetGroup
DeleteEventSubscription
DeleteOptionGroup
DescribeAccountAttributes
DescribeCertificates
DescribeDBClusterParameterGroups
DescribeDBClusterParameters
DescribeDBClusters
DescribeDBClusterSnapshotAttributes
DescribeDBClusterSnapshots
DescribeDBEngineVersions
DescribeDBInstances
DescribeDBLogFiles
DescribeDBParameterGroups
DescribeDBParameters
DescribeDBSecurityGroups
DescribeDBSnapshotAttributes
DescribeDBSnapshots
DescribeDBSubnetGroups
DescribeEngineDefaultClusterParameters
DescribeEngineDefaultParameters
DescribeEventCategories
DescribeEvents
DescribeEventSubscriptions
DescribeOptionGroupOptions
DescribeOptionGroups
DescribeOrderableDBInstanceOptions
DescribePendingMaintenanceActions
DescribeReservedDBInstances
DescribeReservedDBInstancesOfferings
DownloadDBLogFilePortion
FailoverDBCluster
ListTagsForResource
ModifyDBCluster
ModifyDBClusterParameterGroup
ModifyDBClusterSnapshotAttribute
ModifyDBInstance
ModifyDBParameterGroup
ModifyDBSnapshotAttribute
ModifyDBSubnetGroup
ModifyEventSubscription
ModifyOptionGroup
PromoteReadReplica
PromoteReadReplicaDBCluster
PurchaseReservedDBInstancesOffering
RebootDBInstance
RemoveSourceIdentifierFromSubscription
RemoveTagsFromResource
ResetDBClusterParameterGroup
ResetDBParameterGroup
RestoreDBClusterFromSnapshot
RestoreDBClusterToPointInTime
RestoreDBInstanceFromDBSnapshot
RestoreDBInstanceToPointInTime
RevokeDBSecurityGroupIngress

Redshift
redshift:

AuthorizeClusterSecurityGroupIngress
AuthorizeSnapshotAccess
CancelQuerySession
CopyClusterSnapshot
CreateCluster
CreateClusterParameterGroup
CreateClusterSecurityGroup
CreateClusterSnapshot
CreateClusterSubnetGroup
CreateEventSubscription
CreateHsmClientCertificate
CreateHsmConfiguration
CreateTags
DeleteCluster
DeleteClusterParameterGroup
DeleteClusterSecurityGroup
DeleteClusterSnapshot
DeleteClusterSubnetGroup
DeleteEventSubscription
DeleteHsmClientCertificate
DeleteHsmConfiguration
DeleteTags
DescribeClusterParameterGroups
DescribeClusterParameters
DescribeClusterSecurityGroups
DescribeClusterSnapshots
DescribeClusterSubnetGroups
DescribeClusterVersions
DescribeClusters
DescribeDefaultClusterParameters
DescribeEventCategories
DescribeEventSubscriptions
DescribeEvents
DescribeHsmClientCertificates
DescribeHsmConfigurations
DescribeLoggingStatus
DescribeOrderableClusterOptions
DescribeReservedNodeOfferings
DescribeReservedNodes
DescribeResize
DescribeTags
DisableLogging
DisableSnapshotCopy
EnableLogging
EnableSnapshotCopy
ModifyCluster
ModifyClusterParameterGroup
ModifyClusterSubnetGroup
ModifyEventSubscription
ModifySnapshotCopyRetentionPeriod
PurchaseReservedNodeOffering
RebootCluster
ResetClusterParameterGroup
RestoreFromClusterSnapshot
RevokeClusterSecurityGroupIngress
RevokeSnapshotAccess
RotateEncryptionKey
ViewQueriesInConsole

Route 53
route53:

AssociateVPCWithHostedZone
ChangeResourceRecordSets
ChangeTagsForResource
CreateHealthCheck
CreateHostedZone
CreateReusableDelegationSet
CreateTrafficPolicy
CreateTrafficPolicyInstance
CreateTrafficPolicyVersion
DeleteHealthCheck
DeleteHostedZone
DeleteReusableDelegationSet
DeleteTrafficPolicy
DeleteTrafficPolicyInstance
DisableDomainAutoRenew
DisassociateVPCFromHostedZone
EnableDomainAutoRenew
GetChange
GetCheckerIpRanges
GetGeoLocation
GetHealthCheck
GetHealthCheckCount
GetHealthCheckLastFailureReason
GetHealthCheckStatus
GetHostedZone
GetHostedZoneCount
GetReusableDelegationSet
GetTrafficPolicy
GetTrafficPolicyInstance
GetTrafficPolicyInstanceCount
ListGeoLocations
ListHealthChecks
ListHostedZones
ListHostedZonesByName
ListResourceRecordSets
ListReusableDelegationSets
ListTagsForResource
ListTagsForResources
ListTrafficPolicies
ListTrafficPolicyInstances
ListTrafficPolicyInstancesByHostedZone
ListTrafficPolicyInstancesByPolicy
route53:ListTrafficPolicyVersions
route53:UpdateHealthCheck
route53:UpdateHostedZoneComment
route53:UpdateTrafficPolicyComment
route53:UpdateTrafficPolicyInstance

Route53 Domains
route53domains:

CheckDomainAvailability
DeleteDomain
DeleteTagsForDomain
DisableDomainTransferLock
EnableDomainTransferLock
GetDomainDetail
GetOperationDetail
ListDomains
ListOperations
ListTagsForDomain
RegisterDomain
RetrieveDomainAuthCode
TransferDomain
UpdateDomainContact
UpdateDomainContactPrivacy
UpdateDomainNameservers
UpdateTagsForDomain

S3
s3:

AbortMultipartUpload
CreateBucket
DeleteBucket
DeleteBucketPolicy
DeleteBucketWebsite
DeleteObject
GetAccelerateConfiguration
GetBucketAcl
GetBucketCORS
GetBucketLocation
GetBucketLogging
GetBucketNotification
GetBucketPolicy
GetBucketRequestPayment
GetBucketTagging
GetBucketVersioning
GetBucketWebsite
GetLifecycleConfiguration
GetObject
GetObjectAcl
GetObjectTorrent
GetObjectVersionAcl
GetReplicationConfiguration
ListAllMyBuckets
ListBucket
ListBucketMultipartUploads
ListBucketVersions
ListMultipartUploadParts
PutAccelerateConfiguration
PutBucketAcl
PutBucketCORS
PutBucketLogging
PutBucketNotification
PutBucketPolicy
PutBucketRequestPayment
PutBucketTagging
PutBucketVersioning
PutBucketWebsite
PutLifecycleConfiguration
PutObject
PutObjectAcl
PutObjectVersionAcl
RestoreObject

Security Token Service (STS)
sts:

AssumeRole
AssumeRoleWithSAML
AssumeRoleWithWebIdentity
DecodeAuthorizationMessage
GetCallerIdentity
GetFederationToken
GetSessionToken

Simple Email Service (SES)
ses:

CloneReceiptRuleSet
CreateReceiptFilter
CreateReceiptRule
CreateReceiptRuleSet
DeleteIdentity
DeleteIdentityPolicy
DeleteReceiptFilter
DeleteReceiptRule
DeleteReceiptRuleSet
DeleteVerifiedEmailAddress
DescribeActiveReceiptRuleSet
DescribeReceiptRule
DescribeReceiptRuleSet
GetIdentityDkimAttributes
GetIdentityMailFromDomainAttributes
GetIdentityNotificationAttributes
GetIdentityPolicies
GetIdentityVerificationAttributes
GetSendQuota
GetSendStatistics
ListIdentities
ListIdentityPolicies
ListReceiptFilters
ListReceiptRuleSets
ListVerifiedEmailAddresses
PutIdentityPolicy
ReorderReceiptRuleSet
SendBounce
SendEmail
SendRawEmail
SetActiveReceiptRuleSet
SetIdentityDkimEnabled
SetIdentityFeedbackForwardingEnabled
SetIdentityHeadersInNotificationsEnabled
SetIdentityMailFromDomain
SetIdentityNotificationTopic
SetReceiptRulePosition
UpdateReceiptRule
VerifyDomainDkim
VerifyDomainIdentity
VerifyEmailAddress
VerifyEmailIdentity

Simple Notification Service (SNS)

AddPermission
CheckIfPhoneNumberIsOptedOut
ConfirmSubscription
CreatePlatformApplication
CreatePlatformEndpoint
CreateTopic
DeleteEndpoint
DeletePlatformApplication
DeleteTopic
GetEndpointAttributes
GetPlatformApplicationAttributes
GetSMSAttributes
GetSubscriptionAttributes
GetTopicAttributes
ListEndpointsByPlatformApplication
ListPhoneNumbersOptedOut
ListPlatformApplications
ListSubscriptions
ListSubscriptionsByTopic
ListTopics
OptInPhoneNumber
Publish
RemovePermission
SetEndpointAttributes
SetPlatformApplicationAttributes
SetSMSAttributes
SetSubscriptionAttributes
SetTopicAttributes
Subscribe
Unsubscribe

Simple Queue Service (SQS)
sqs:

AddPermission
ChangeMessageVisibility
ChangeMessageVisibilityBatch
CreateQueue
DeleteMessage
DeleteMessageBatch
DeleteQueue
GetQueueAttributes
GetQueueUrl
ListDeadLetterSourceQueues
ListQueues
PurgeQueue
ReceiveMessage
RemovePermission
SendMessage
SendMessageBatch
SetQueueAttributes

Support##
support:

AddAttachmentsToSet
AddCommunicationToCase
CreateCase
DescribeAttachment
DescribeCases
DescribeCommunications
DescribeServices
DescribeSeverityLevels
DescribeTrustedAdvisorCheckRefreshStatuses
DescribeTrustedAdvisorCheckResult
DescribeTrustedAdvisorChecks
DescribeTrustedAdvisorCheckSummaries
RefreshTrustedAdvisorCheck
ResolveCase

Trusted Advisor
trustedadvisor:

DescribeCheckSummaries
DescribeCheckItems
RefreshCheck
DescribeCheckRefreshStatuses
ExcludeCheckItems
IncludeCheckItems
DescribeNotificationPreferences
UpdateNotificationPreferences