AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

AWS Services That Support IAM

This section links to topics that describe how IAM integrates with other services from AWS, and how to write policies to control access to a particular service and its resources.

Note

In addition to supporting IAM user policies, some services support resource-based permissions, which let you attach policies to the service's resources instead of to IAM users or groups. Resource-based permissions are supported by Amazon S3, Amazon SNS, and Amazon SQS. For information about support for resource-based policies in these services, see the links in the following table for those services.

In the following table, the columns have the following meanings:

  • Actions. The service supports IAM policies in which you can allow or deny individual API actions.

  • Resource-level permissions. The service supports IAM policies in which you can specify individual resources (using ARNs) in the policy's Resource element. If the service does not support resource-level permissions, policies for the service use * in the Resource element.

    Note

    Some services support resource-level permissions only for some actions. See the notes that follow the table for more information.

  • Tags. The service supports IAM policies that let you create resource-level permissions based on tags that are attached to the resources, by testing for those tags in a Condition element.

  • Temporary credentials. The service lets users make requests using temporary security credentials that are obtained by calling AWS STS APIs like AssumeRole or GetFederationToken. For more information, see the Using Temporary Security Credentials guide.

  • More information. Links to more information in the documentation of the service.

Compute and Networking

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Elastic Compute Cloud (Amazon EC2) | Yes | Yes | Yes; see Notes | Yes | Controlling Access to Amazon EC2 Resources |
| Auto Scaling | Yes | No | No | Yes | Auto Scaling and AWS Identity and Access Management |
| Elastic Load Balancing | Yes | Yes | No | Yes | Control User Access to Your AWS Account |
| Amazon WorkSpaces | Yes | No | No | Yes | Controlling Access to Amazon WorkSpaces Resources |
| Amazon Virtual Private Cloud (Amazon VPC) | Yes | Yes | Yes | Yes | Controlling VPC Management |
| Amazon Route 53 | Yes | Yes | No | Yes | Using IAM to Control Access to Route 53 Resources |
| AWS Direct Connect | Yes | No | No | Yes | Using AWS Identity and Access Management with AWS Direct Connect |

Storage and Content Delivery

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Simple Storage Service (Amazon S3) | Yes | Yes | No | Yes | Using IAM Policies |
| Amazon Glacier | Yes | Yes | No | Yes | Access Control Using AWS Identity and Access Management (IAM) |
| AWS Import/Export | Yes | No | No | Yes | Using IAM with AWS Import/Export |
| AWS Storage Gateway | Yes | Yes | No | Yes | Access Control Using AWS Identity and Access Management (IAM) |
| Amazon CloudFront | Yes | No | No | Yes | Using IAM to Control Access to CloudFront Resources |

Database

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Relational Database Service (Amazon RDS) | Yes | Yes | Yes | Yes | Controlling Access to Amazon RDS Resources |
| Amazon DynamoDB | Yes | Yes | No | Yes | Controlling Access to Amazon DynamoDB Resources |
| Amazon ElastiCache | Yes | No | No | Yes | Controlling User Access to Your AWS Account |
| Amazon Redshift | Yes | Yes | No | Yes | Controlling Access to Amazon Redshift Resources |
| Amazon SimpleDB | Yes | Yes | No | Yes | Managing Users of Amazon SimpleDB |

Analytics

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Elastic MapReduce (Amazon EMR) | Yes | No | No | Yes | Configure IAM User Permissions |
| Amazon Kinesis | Yes | Yes | No | Yes | Controlling Access to Amazon Kinesis Resources with IAM |
| AWS Data Pipeline | Yes | No | No | Yes | IAM Roles |

Deployment and Management

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| AWS Identity and Access Management (IAM) | Yes | Yes | No | Yes. See Summary of AWS STS API Functionality in Using Temporary Security Credentials. | Permissions for Administering IAM Users, Groups, and Credentials |
| AWS Security Token Service (AWS STS) | Yes | Not applicable | No | Yes. See Summary of AWS STS API Functionality in Using Temporary Security Credentials. | |
| AWS Directory Service | Yes | No | No | Yes | Controlling Access to AWS Directory Service Resources |
| AWS CloudTrail | Yes | Yes | No | Yes | Controlling User Access to AWS CloudTrail Actions |
| Amazon CloudWatch | Yes | No | No | Yes | Controlling User Access to Your AWS Account |
| AWS Elastic Beanstalk | Yes | Yes | No | Yes | Using AWS Elastic Beanstalk with AWS Identity and Access Management (IAM) |
| AWS CloudFormation | Yes | Yes | No | Yes | Controlling User Access with AWS Identity and Access Management |
| AWS OpsWorks | Yes | Yes | No | Yes | Granting Users Permissions to Work with AWS OpsWorks |
| AWS CloudHSM | No | No | No | No | |

Application Services

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon AppStream | Yes | No | No | Yes | Security Considerations for Amazon AppStream |
| Amazon CloudSearch | Yes | Yes | No | Yes | Configuring Access for an Amazon CloudSearch Domain |
| Amazon Simple Workflow Service (Amazon SWF) | Yes | Yes | Yes | Yes | Using IAM to Manage Access to Amazon SWF Resources |
| Amazon Simple Queue Service (Amazon SQS) | Yes | Yes | No | Yes | Controlling User Access to Your AWS Account |
| Amazon Simple Email Service (Amazon SES) | Yes | No | No | Yes | Controlling User Access to Amazon SES |
| Amazon Simple Notification Service (Amazon SNS) | Yes | Yes | No | Yes | Controlling User Access to Your AWS Account |
| Amazon Elastic Transcoder | Yes | Yes | No | Yes | Security Considerations for Elastic Transcoder |

Resources

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| AWS Billing and Cost Management | Yes | No | No | Yes | Controlling User Access to Your AWS Billing and Cost Management Information |
| Amazon Fulfillment Web Service (Amazon FWS) | No | No | No | No | |
| AWS Marketplace | Yes | Yes | No | No | Controlling Access to AWS Marketplace Subscriptions |
| AWS Marketplace Management Portal | Yes | No | No | No | Controlling User Access to AWS Marketplace Management Portal |
| Amazon Mechanical Turk | No | No | No | No | |
| AWS Support | Yes | No | No | Yes | Accessing AWS Support |
| AWS Trusted Advisor | Yes; see Notes | Yes | No | Yes; see Notes | Controlling Access to the Trusted Advisor Console |

Notes

  • Amazon EC2: Amazon EC2 supports resource-level permissions and tags only for some APIs. For more information, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.

  • Trusted Advisor: API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.