AWS Services That Work with IAM
Many AWS services are integrated with AWS Identity and Access Management. The following tables group these services by category and show the IAM permission types that each service supports, tips to help you write policies to control service access, and links to related information.
Specifically, each table provides the following information:

- Action-level permissions. The service supports specifying individual actions in a policy's `Action` element. If the service does not support action-level permissions, policies for the service use `*` in the `Action` element. For a list of all the permissions for AWS services that can be used in IAM policies, see AWS Service Actions and Condition Context Keys for Use in IAM Policies.
- Resource-level permissions. The service has one or more APIs that support specifying individual resources (using ARNs) in the policy's `Resource` element. If an API does not support resource-level permissions, then that statement in the policy must use `*` in the `Resource` element. See the footnotes after each table for more information.
- Resource-based permissions. The service enables you to attach policies to the service's resources in addition to IAM users, groups, and roles. The policies specify who can access that resource by including a `Principal` element.
- Tag-based permissions. The service supports testing resource tags in a `Condition` element.
- Temporary security credentials. The service lets users make requests using temporary security credentials that are obtained by calling AWS STS APIs like AssumeRole or GetFederationToken. Temporary credentials are commonly used in federation scenarios. For more information, see Temporary Security Credentials.
- Service-linked roles. The service requires that you use a unique type of service role that is linked directly to the service. This service-linked role is predefined by the service, and includes all the permissions that the service requires. To learn how to create a role used to delegate permissions to a service, see Creating a Role to Delegate Permissions to an AWS Service.
- More information. Links to more information in the documentation of the product.
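The following Python module is an added example, not part of the AWS documentation, that puts the four policy-element concepts above side by side: an identity-based policy using action-level, resource-level and tag-based permissions, and a resource-based Lambda function policy with a `Principal`. It also includes a small lint that checks the rules this page states (the `Resource "*"` requirement for `ec2:*VpcEndpoint*` and `ec2:DescribePrefixLists` from the VPC footnote, and the `lambda:InvokeFunction`-only rule from the Lambda footnote). The account id, ARNs, function name and tag values are constructed placeholders, and the lint is a local sanity check, not an AWS API.

```python
"""Worked IAM policy examples for the permission types described above, plus a
small lint for the rules the page states. All ARNs, account ids and names are
constructed placeholders; the lint is an illustration, not an AWS service."""
import fnmatch
import json

PLACEHOLDER_ACCOUNT = "123456789012"  # constructed, not a real account id

# Identity-based policy (attached to an IAM user, group, or role). It exercises
# action-level permissions (named actions in Action), resource-level permissions
# (an ARN in Resource) and tag-based permissions (a Condition on a resource tag).
# The Describe* actions used here carry no resource-level support, so their
# statement must use Resource "*".
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StopStartOnlyDevInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": f"arn:aws:ec2:us-east-1:{PLACEHOLDER_ACCOUNT}:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "dev"}},
        },
        {
            "Sid": "DescribeNeedsWildcardResource",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribePrefixLists"],
            "Resource": "*",
        },
    ],
}

# Resource-based policy (attached to a Lambda function). The Principal element
# names who may use the resource; the Lambda footnote says the only Lambda action
# that may appear in such a policy is lambda:InvokeFunction.
LAMBDA_FUNCTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ToInvoke",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": f"arn:aws:lambda:us-east-1:{PLACEHOLDER_ACCOUNT}:function:example-fn",
        }
    ],
}

# A deliberately wrong identity-based policy, constructed to show what the lint catches.
BAD_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EndpointScopedToOneVpc",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},          # Principal belongs only in resource-based policies
            "Action": "ec2:CreateVpcEndpoint",  # an ec2:*VpcEndpoint* action ...
            "Resource": f"arn:aws:ec2:us-east-1:{PLACEHOLDER_ACCOUNT}:vpc/*",  # ... cannot be resource-scoped
        }
    ],
}

# Actions the VPC footnote says must use Resource "*" in an IAM user policy.
WILDCARD_ONLY_ACTIONS = ("ec2:*VpcEndpoint*", "ec2:DescribePrefixLists")


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy, resource_based=False):
    """Return a list of findings; an empty list means the policy obeys the rules on this page."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        has_principal = "Principal" in stmt
        if resource_based and not has_principal:
            findings.append(f"{sid}: a resource-based policy statement needs a Principal")
        if not resource_based and has_principal:
            findings.append(f"{sid}: an identity-based policy statement must not carry a Principal")
        for action in actions:
            wildcard_only = any(fnmatch.fnmatchcase(action, p) for p in WILDCARD_ONLY_ACTIONS)
            if wildcard_only and resources != ["*"]:
                findings.append(f'{sid}: {action} has no resource-level permissions; use "Resource": "*"')
            if resource_based and action.startswith("lambda:") and action != "lambda:InvokeFunction":
                findings.append(f"{sid}: {action} cannot be granted in a Lambda function policy")
    return findings


if __name__ == "__main__":
    for name, policy, rb in (("identity", IDENTITY_POLICY, False),
                             ("lambda function", LAMBDA_FUNCTION_POLICY, True),
                             ("bad identity", BAD_IDENTITY_POLICY, False)):
        print(f"{name}: {lint_policy(policy, resource_based=rb) or 'OK'}")
        print(json.dumps(policy, indent=2))
```

The lint matches literal action names only; a statement that grants `ec2:*` also covers the VPC endpoint actions without matching the pattern, so a fuller check would expand action wildcards against the service's action list before applying the rule.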
Compute Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon Elastic Compute Cloud (Amazon EC2) | Yes | Yes¹ | No | Yes¹ | Yes | No |
| Amazon EC2 Container Registry (Amazon ECR) | Yes | Yes | No | Yes | No | |
| Amazon EC2 Container Service (Amazon ECS) | Yes | Yes² | No | No | Yes | No |
| AWS Elastic Beanstalk | Yes | Yes³ | No | No | Yes | No |
| AWS Lambda | Yes | Yes | Yes⁴ | No | Yes | No |
| Amazon Lightsail | Yes | No | No | No | Yes | No |
| Auto Scaling | Yes | Yes | No | No | Yes | No |
| Elastic Load Balancing | Yes | Yes⁵ | No | No | Yes | No |

¹ Amazon EC2 supports resource-level permissions and tags only for some APIs. For more information, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.
² Amazon ECS supports resource-level permissions only for some APIs. For more information, see Supported Resource-Level Permissions for Amazon ECS API Actions in the Amazon EC2 Container Service Developer Guide.
³ Only some API actions for Elastic Beanstalk can be used as permissions against specific resources. For more information, see Resources and Conditions for Elastic Beanstalk Actions in the AWS Elastic Beanstalk Developer Guide.
⁴ The only AWS Lambda API action that can be specified in a resource-based policy is lambda:InvokeFunction. For more information, see Using Resource-Based Policies for AWS Lambda (Lambda Function Policies) in the AWS Lambda Developer Guide.
⁵ Only some API actions for Elastic Load Balancing can be used as permissions against specific resources. For more information, see Control Access to Your Load Balancer in the Elastic Load Balancing User Guide.
Storage and Content Delivery Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon Simple Storage Service (Amazon S3) | Yes | Yes | Yes | Yes | Yes | No |
| Amazon Elastic Block Store (Amazon EBS) | Yes | Yes¹ | No | Yes | Yes | No |
| Amazon EFS | Yes | Yes | No | No | Yes | No |
| Amazon Glacier | Yes | Yes | Yes | Yes | Yes | No |
| AWS Snowball and AWS Snowball Edge | Yes | No | No | No | Yes | No |
| AWS Storage Gateway | Yes | Yes | No | No | Yes | No |

¹ For information about which EBS actions support resource-level permissions, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.
Database Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon Relational Database Service (Amazon RDS) | Yes | Yes | No | Yes | Yes | No |
| Amazon DynamoDB | Yes | Yes | No | No | Yes | No |
| Amazon ElastiCache | Yes | No | No | No | Yes | No |
| Amazon Redshift | Yes | Yes | No | No | Yes | No |
| Amazon SimpleDB | Yes | Yes | No | No | Yes | No |

Networking and Content Delivery Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon Virtual Private Cloud (Amazon VPC) | Yes | Yes¹ | Yes² | Yes | Yes | No |
| Amazon CloudFront | Yes³ | No | No | No | Yes | No |
| AWS Direct Connect | Yes | No | No | No | Yes | No |
| Amazon Route 53 | Yes | Yes | No | No | Yes | No |

¹ In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any `Action` element that includes the `ec2:*VpcEndpoint*` or `ec2:DescribePrefixLists` API actions must specify `"Resource": "*"`. For more information, see Controlling the Use of Endpoints in the Amazon VPC User Guide.
² Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Using Endpoint Policies in the Amazon VPC User Guide.
³ CloudFront does not support action-level permissions for creating CloudFront key pairs. You must use an AWS root account to create a CloudFront key pair. For more information, see Creating CloudFront Key Pairs for Your Trusted Signers in the Amazon CloudFront Developer Guide.
Migration Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| AWS Import/Export | Yes | No | No | No | Yes | No |

Developer Tools and Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| AWS CodeCommit | Yes | Yes | No | No | Yes | No |
| AWS CodeBuild | Yes | Yes | No | No | Yes | No |
| AWS CodeDeploy | Yes | Yes | No | No | Yes | No |
| AWS CodePipeline | Yes | Yes¹ | No | No | Yes | No |

¹ Only some API actions for AWS CodePipeline can be used as permissions against specific resources. For more information, see AWS CodePipeline Resources and Operations in the AWS CodePipeline User Guide.
Management Tools and Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon CloudWatch | Yes | No | No | No | Yes | No |
| Amazon CloudWatch Events | Yes | Yes | No | No | Yes | No |
| Amazon CloudWatch Logs | Yes | Yes | No | No | Yes | No |
| AWS CloudFormation | Yes | Yes | No | No | Yes | No |
| AWS CloudTrail | Yes | Yes | No | No | Yes | No |
| AWS Config | Yes | No | No | No | Yes | No |
| AWS OpsWorks for Chef Automate | Yes | Yes | Yes | No | Yes | No |
| AWS OpsWorks | Yes | Yes | Yes | No | Yes | No |
| AWS Service Catalog | Yes | No | No | No | Yes | No |
| AWS Trusted Advisor | Yes¹ | Yes | No | No | Yes¹ | No |
| AWS Health | Yes | No | No | No | Yes | No |

¹ API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.
Security, Identity, and Compliance Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| AWS Identity and Access Management (IAM) | Yes | Yes | No | No | Yes¹ | No |
| Amazon Inspector | Yes | No | No | No | Yes¹ | No |
| AWS Security Token Service (AWS STS) | Yes | Yes² | No | No | Yes² | No |
| AWS Organizations | Yes | Yes | No | No | Yes | No |
| AWS Artifact | Yes | Yes | No | No | Yes | No |
| AWS Certificate Manager (ACM) | Yes | Yes | No | No | Yes | No |
| AWS Directory Service | Yes | No | No | No | Yes | No |
| AWS CloudHSM | Yes | No | No | No | No | No |
| AWS Key Management Service (AWS KMS) | Yes | Yes | Yes | No | Yes | No |
| AWS WAF | Yes | Yes | No | No | Yes | No |

¹ Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.
² AWS STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name. Only some of the APIs for AWS STS support calling with temporary credentials. For more information, see Comparing your API options.
Analytics Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon EMR | Yes | No | No | Yes | Yes | No |
| Amazon CloudSearch | Yes | Yes | No | No | Yes | No |
| Amazon Elasticsearch Service | Yes | Yes | Yes | No | Yes | No |
| Amazon Kinesis Streams | Yes | Yes | No | No | Yes | No |
| Amazon Kinesis Analytics | Yes | Yes | No | No | Yes | No |
| Amazon Kinesis Firehose | Yes | Yes | No | No | Yes | No |
| AWS Data Pipeline | Yes | No | No | Yes | Yes | No |

Artificial Intelligence

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon Lex | Yes | Yes | No | No | Yes | Yes |
| Amazon Machine Learning | Yes | Yes | No | No | Yes | No |
| Amazon Polly | Yes | Yes | No | No | Yes | No |

Internet of Things

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| AWS IoT | Yes¹ | Yes² | Yes³ | No | Yes | No |

¹ For more information about AWS IoT action-level permissions, see AWS IoT Policy Actions in the AWS IoT User Guide.
² For information about which AWS IoT actions support resource-level permissions and which resources you can specify for each, see Action Resources in the AWS IoT Developer Guide.
³ Devices connected to AWS IoT are authenticated by using X.509 certificates. You can attach AWS IoT policies to an X.509 certificate to control what the device is authorized to do. For more information, see Create an AWS IoT Policy in the AWS IoT Developer Guide.
Game Development Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon GameLift | Yes | No | No | No | Yes | No |

Mobile Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon Cognito | Yes | Yes | No | No | Yes | No |
| AWS Device Farm | Yes | No | No | No | Yes | No |
| Amazon Mobile Analytics | Yes | No | No | No | Yes | No |
| Amazon Pinpoint | Yes | Yes | No | No | Yes | No |

Application Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon API Gateway | Yes | Yes | No | No | Yes | No |
| Amazon Elastic Transcoder | Yes | Yes | No | No | Yes | No |
| Amazon Simple Workflow Service (Amazon SWF) | Yes | Yes | No | Yes | Yes | No |

Messaging Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon Simple Notification Service (Amazon SNS) | Yes | Yes | Yes | No | Yes | No |
| Amazon Simple Email Service (Amazon SES) | Yes | Yes¹ | No | No | Yes² | No |
| Amazon Simple Queue Service (Amazon SQS) | Yes | Yes | Yes | No | Yes | No |

¹ Amazon SES supports resource-level permissions in policies that grant permissions to delegate senders to access specific SES identities.
² Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.
Business Productivity

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon WorkDocs | Yes | No | No | No | Yes | No |
| Amazon WorkMail | Yes | No | No | No | Yes | No |

Desktop and App Streaming Services

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| Amazon WorkSpaces | Yes | Yes | No | No | Yes | No |
| Amazon WAM | Yes | No | No | No | Yes | No |
| Amazon AppStream | Yes | No | No | No | Yes | No |
| Amazon AppStream 2.0 | Yes | No | No | No | Yes | No |

Additional Resources

| Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role |
| --- | --- | --- | --- | --- | --- | --- |
| AWS Billing and Cost Management | Yes | No | No | No | Yes | No |
| AWS Marketplace | Yes | Yes | No | No | Yes | No |
| AWS Support | No | No | No | No | Yes | No |
| AWS Trusted Advisor | Yes¹ | Yes | No | No | Yes¹ | No |