Menu
Amazon ElastiCache
User Guide (API Version 2015-02-02)

ElastiCache API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each Amazon ElastiCache API operation and the corresponding actions for which you can grant permissions to perform the action. You specify the actions in the policy's Action field, and you specify a wildcard character (*) as the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your ElastiCache policies to express conditions. For a complete list of AWS-wide keys, see Available Keys for Conditions in the IAM User Guide.

Note

To specify an action, use the elasticache: prefix followed by the API operation name (for example, elasticache:DescribeSnapshots). For all ElastiCache actions, specify the wildcard character (*) as the resource.

If you see an expand arrow () in the upper-right corner of the table, you can open the table in a new window. To close the window, choose the close button (X) in the lower-right corner.

Amazon ElastiCache API and Required Permissions for Actions

ElastiCache API Operations Required Permissions (API Actions) Resources

AddTagsToResource

elasticache:AddTagsToResource

*

AuthorizeCacheSecurityGroupIngress

elasticache:AuthorizeCacheSecurityGroupIngress

*

CopySnapshot

elasticache:CopySnapshot

s3:ListAllMyBuckets

*

*

CreateCacheCluster

elasticache:CreateCacheCluster

s3:GetObject

Note

If you use the SnapshotArns parameter, each member of the SnapshotArns list requires its own s3:GetObject permission with the s3 ARN as its resource.

*

arn:aws:s3:::my_bucket/snapshot1.rdb

Where my_bucket/snapshot1 is an S3 bucket and snapshot that you want to create the cache cluster from.

CreateCacheParameterGroup

elasticache:CreateCacheParameterGroup

*

CreateCacheSecurityGroup

elasticache:CreateCacheSecurityGroup

*

CreateCacheSubnetGroup

elasticache:CreateCacheSubnetGroup

*

CreateReplicationGroup

elasticache:CreateReplicationGroup

s3:GetObject

Note

If you use the SnapshotArns parameter, each member of the SnapshotArns list requires its own s3:GetObject permission with the s3 ARN as its resource.

*

arn:aws:s3:::my_bucket/snapshot1.rdb

Where my_bucket/snapshot1 is an S3 bucket and snapshot that you want to create the cache cluster from.

CreateSnapshot

elasticache:CreateSnapshot

*

DeleteCacheCluster

elasticache:DeleteCacheCluster

*

DeleteCacheParameterGroup

elasticache:DeleteCacheParameterGroup

*

DeleteCacheSecurityGroup

elasticache:DeleteCacheSecurityGroup

*

DeleteCacheSubnetGroup

elasticache:DeleteCacheSubnetGroup

*

DeleteReplicationGroup

elasticache:DeleteReplicationGroup

*

DeleteSnapshot

elasticache:DeleteSnapshot

*

DescribeCacheClusters

elasticache:DescribeCacheClusters

*

DescribeCacheEngineVersions

elasticache:DescribeCacheEngineVersions

*

DescribeCacheParameterGroups

elasticache:DescribeCacheParameterGroups

*

DescribeCacheParameters

elasticache:DescribeCacheParameters

*

DescribeCacheSecurityGroups

elasticache:DescribeCacheSecurityGroups

*

DescribeCacheSubnetGroups

elasticache:DescribeCacheSubnetGroups

*

DescribeEngineDefaultParameters

elasticache:DescribeEngineDefaultParameters

*

DescribeEvents

elasticache:DescribeEvents

*

DescribeReplicationGroups

elasticache:DescribeReplicationGroups

*

DescribeReservedCacheNodes

elasticache:DescribeReservedCacheNodes

*

DescribeReservedCacheNodesOfferings

elasticache:DescribeReservedCacheNodesOfferings

*

DescribeSnapshots

elasticache:DescribeSnapshots

*

ListTagsForResource

elasticache:ListTagsForResource

*

ModifyCacheCluster

elasticache:ModifyCacheCluster

*

ModifyCacheParameterGroup

elasticache:ModifyCacheParameterGroup

*

ModifyCacheSubnetGroup

elasticache:ModifyCacheSubnetGroup

*

ModifyReplicationGroup

elasticache:ModifyReplicationGroup

*

PurchaseReservedCacheNodesOffering

elasticache:PurchaseReservedCacheNodesOffering

*

RebootCacheCluster

elasticache:RebootCacheCluster

*

RemoveTagsFromResource

elasticache:RemoveTagsFromResource

*

ResetCacheParameterGroup

elasticache:ResetCacheParameterGroup

*

RevokeCacheSecurityGroupIngress

elasticache:RevokeCacheSecurityGroupIngress

*