AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

AWS Services That Support IAM

This section links to topics that describe how AWS Identity and Access Management integrates with other services from AWS, and how to write policies to control access to a particular service and its resources.

Note

In addition to supporting IAM user policies, some services support resource-based permissions, which let you attach policies to the service's resources instead of to IAM users, groups, or roles. Resource-based permissions are supported by Amazon S3, Amazon SNS, and Amazon SQS. For information about resource-based policies in these services, see the links in the following table for those services.

In the following table, the columns have the following meanings:

  • Actions. The service supports IAM policies in which you can allow or deny individual API actions.

  • Resource-level permissions. The service supports IAM policies in which you can specify individual resources (using ARNs) in the policy's Resource element. If the service does not support resource-level permissions, policies for the service use * in the Resource element.

    Note

    Some services support resource-level permissions only for some actions. See the notes that follow the table for more information.

  • Tags. The service supports IAM policies that let you create resource-level permissions based on tags that are attached to the resources, by testing for those tags in a Condition element.

  • Temporary credentials. The service lets users make requests using temporary security credentials that are obtained by calling AWS STS APIs like AssumeRole or GetFederationToken. For more information, see the Using Temporary Security Credentials guide.

  • More information. Links to more information in the documentation of the service.

| AWS Service Category: Compute | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Elastic Compute Cloud (Amazon EC2) | Yes | Yes; see Notes | Yes; see Notes | Yes | Controlling Access to Amazon EC2 Resources |
| Auto Scaling | Yes | No | No | Yes | Auto Scaling and AWS Identity and Access Management |
| Elastic Load Balancing | Yes | Yes | No | Yes | Control User Access to Your AWS Account |
| AWS Lambda | Yes | Yes | No | Yes | |

| AWS Service Category: Storage and Content Delivery | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Simple Storage Service (Amazon S3) | Yes | Yes | No | Yes | Using IAM Policies |
| AWS Storage Gateway | Yes | Yes | No | Yes | Access Control Using AWS Identity and Access Management (IAM) |
| Amazon Glacier | Yes | Yes | No | Yes | Access Control Using AWS Identity and Access Management (IAM) |
| Amazon CloudFront | Yes | No | No | Yes | Using IAM to Control Access to CloudFront Resources |
| Amazon Elastic Block Store (Amazon EBS) | Yes | Yes; see Notes | Yes; see Notes | Yes | Controlling Access to Amazon EC2 Resources |
| AWS Import/Export | Yes | No | No | Yes | Using IAM with AWS Import/Export |

| AWS Service Category: Database | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Relational Database Service (Amazon RDS) | Yes | Yes | Yes | Yes | Controlling Access to Amazon RDS Resources |
| Amazon DynamoDB | Yes | Yes | No | Yes | Controlling Access to Amazon DynamoDB Resources |
| Amazon ElastiCache | Yes | No | No | Yes | Controlling User Access to Your AWS Account |
| Amazon Redshift | Yes | Yes | No | Yes | Controlling Access to Amazon Redshift Resources |
| Amazon SimpleDB | Yes | Yes | No | Yes | Managing Users of Amazon SimpleDB |

| AWS Service Category: Networking | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Virtual Private Cloud (Amazon VPC) | Yes | Yes | Yes | Yes | Controlling VPC Management |
| Amazon Route 53 | Yes | Yes | No | Yes | Using IAM to Control Access to Route 53 Resources |
| AWS Direct Connect | Yes | No | No | Yes | Using AWS Identity and Access Management with AWS Direct Connect |

| AWS Service Category: Administration and Security | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| AWS Directory Service | Yes | No | No | Yes | Controlling Access to AWS Directory Service Resources |
| AWS Identity and Access Management (IAM) | Yes | Yes | No | Yes. See Summary of AWS STS API Functionality in Using Temporary Security Credentials. | Permissions for Administering IAM Users, Groups, and Credentials |
| AWS Security Token Service (AWS STS) | Yes | Not applicable | No | Yes. See Summary of AWS STS API Functionality in Using Temporary Security Credentials. | Controlling Permissions for Temporary Security Credentials |
| AWS Trusted Advisor | Yes; see Notes | Yes | No | Yes; see Notes | Controlling Access to the Trusted Advisor Console |
| AWS CloudTrail | Yes | Yes | No | Yes | Controlling User Access to AWS CloudTrail Actions |
| AWS Config | Yes | No | No | Yes | Recommended IAM Permissions for Using the AWS Config Console and the AWS CLI |
| Amazon CloudWatch | Yes | No | No | Yes | Controlling User Access to Your AWS Account |
| AWS Key Management Service (AWS KMS) | Yes | Yes | No | Yes | Key Policies |

| AWS Service Category: Deployment and Management | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| AWS Elastic Beanstalk | Yes | Yes | No | Yes | Using AWS Elastic Beanstalk with AWS Identity and Access Management (IAM) |
| AWS OpsWorks | Yes | Yes | No | Yes | Granting Users Permissions to Work with AWS OpsWorks |
| AWS CloudFormation | Yes | Yes | No | Yes | Controlling User Access with AWS Identity and Access Management |
| AWS CodeDeploy | Yes | Yes | No | Yes | AWS CodeDeploy User Access Permissions Reference |

| AWS Service Category: Analytics | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Elastic MapReduce (Amazon EMR) | Yes | No | No | Yes | Configure IAM User Permissions |
| Amazon Kinesis | Yes | Yes | No | Yes | Controlling Access to Amazon Kinesis Resources with IAM |
| AWS Data Pipeline | Yes | No | No | Yes; see Notes | IAM Roles |

| AWS Service Category: Application Services | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Simple Queue Service (Amazon SQS) | Yes | Yes | No | Yes | Controlling User Access to Your AWS Account |
| Amazon Simple Workflow Service (Amazon SWF) | Yes | Yes | Yes | Yes | Using IAM to Manage Access to Amazon SWF Resources |
| Amazon AppStream | Yes | No | No | Yes | Security Considerations for Amazon AppStream |
| Amazon Elastic Transcoder | Yes | Yes | No | Yes | Security Considerations for Elastic Transcoder |
| Amazon Simple Email Service (Amazon SES) | Yes | No | No | Yes | Controlling User Access to Amazon SES |
| Amazon CloudSearch | Yes | Yes | No | Yes | Configuring Access for an Amazon CloudSearch Domain |

| AWS Service Category: Mobile Services | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Cognito | Yes | No | No | Yes | |
| Amazon Mobile Analytics | Yes | No | No | Yes | |
| Amazon Simple Notification Service (Amazon SNS) | Yes | Yes | No | Yes | Controlling User Access to Your AWS Account |

| AWS Service Category: Enterprise Applications | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon WorkSpaces | Yes | No | No | Yes | Controlling Access to Amazon WorkSpaces Resources |
| Amazon Zocalo | Yes | No | No | Yes | |

| AWS Service Category: Additional Resources | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| AWS Billing and Cost Management | Yes | No | No | Yes | Controlling User Access to Your AWS Billing and Cost Management Information |
| AWS Marketplace | Yes | Yes | No | No | Controlling Access to AWS Marketplace Subscriptions |
| AWS Support | Yes | No | No | Yes | Accessing AWS Support |

Notes

  • Amazon EC2: Amazon EC2 supports resource-level permissions and tags only for some APIs. For more information, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.

  • Amazon EBS: Amazon EBS supports resource-level permissions and tags only for some APIs. For more information, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.

  • Trusted Advisor: API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.

  • AWS Data Pipeline: AWS Data Pipeline does not support temporary security credentials for the CreatePipeline API. All other AWS Data Pipeline API actions support temporary security credentials.