AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

AWS Services That Support IAM

This section links to topics that describe how IAM integrates with other services from AWS, and how to write policies to control access to a particular service and its resources.

Note

In addition to supporting IAM user policies, some services support resource-based permissions, which let you attach policies to the service's resources instead of to IAM users or groups. Resource-based permissions are supported by AWS OpsWorks, Amazon S3, Amazon SNS, and Amazon SQS. For information about support for resource-based policies in these services, see the links in the following table for those services.

In the tables that follow, the columns have the following meanings:

  • Actions. The service supports IAM policies in which you can allow or deny individual API actions.

  • Resource-level permissions. The service supports IAM policies in which you can specify individual resources (using ARNs) in the policy's Resource element. If the service does not support resource-level permissions, policies for the service use * in the Resource element.

    Note

    Some services support resource-level permissions only for some actions. See the notes that follow the table for more information.

  • Tags. The service supports IAM policies that create resource-level permissions by testing, in a Condition element, for tags that are attached to the resources.

  • Temporary credentials. The service lets users make requests using temporary security credentials that are obtained by calling AWS STS APIs like AssumeRole or GetFederationToken. For more information, see the Using Temporary Security Credentials guide.

  • More information. Links to more information in the documentation of the service.

Compute and Networking

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Elastic Compute Cloud (Amazon EC2) | Yes | Yes | Yes; see Notes | Yes | Controlling Access to Amazon EC2 Resources |
| Auto Scaling | Yes | No | No | Yes | Auto Scaling and AWS Identity and Access Management |
| Elastic Load Balancing | Yes | No | No | Yes | Control User Access to Your AWS Account |
| Amazon WorkSpaces | No | No | No | No | |
| Amazon Virtual Private Cloud (Amazon VPC) | Yes | Yes | Yes | Yes | Controlling VPC Management |
| Amazon Route 53 | Yes | Yes | No | Yes | Using IAM to Control Access to Route 53 Resources |
| AWS Direct Connect | Yes | No | No | Yes | Using AWS Identity and Access Management with AWS Direct Connect |

Storage and Content Delivery

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Simple Storage Service (Amazon S3) | Yes | Yes | No | Yes | Using IAM Policies |
| Amazon Glacier | Yes | Yes | No | Yes | Access Control Using AWS Identity and Access Management (IAM) |
| AWS Import/Export | Yes | No | No | Yes | Using IAM with AWS Import/Export |
| AWS Storage Gateway | Yes | Yes | No | Yes | Access Control Using AWS Identity and Access Management (IAM) |
| Amazon CloudFront | Yes | No | No | Yes | Using IAM to Control Access to CloudFront Resources |

Database

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Relational Database Service (Amazon RDS) | Yes | Yes | Yes | Yes | Controlling Access to Amazon RDS Resources |
| Amazon DynamoDB | Yes | Yes | No | Yes | Controlling Access to Amazon DynamoDB Resources |
| Amazon ElastiCache | Yes | No | No | Yes | Controlling User Access to Your AWS Account |
| Amazon Redshift | Yes | Yes | No | Yes | Controlling Access to Amazon Redshift Resources |
| Amazon SimpleDB | Yes | Yes | No | Yes | Managing Users of Amazon SimpleDB |

Analytics

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon Elastic MapReduce (Amazon EMR) | Yes | No | No | No | Configure IAM User Permissions |
| Amazon Kinesis | Yes | Yes | No | Yes | Controlling Access to Amazon Kinesis Resources with IAM |
| AWS Data Pipeline | Yes | No | No | Yes | IAM Roles |

Deployment and Management

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| AWS Identity and Access Management (IAM) | Yes | Yes | No | Yes; see Notes | Permissions for Administering IAM Users, Groups, and Credentials |
| AWS Security Token Service (AWS STS) | Yes | Not applicable | No | Yes; see Notes | |
| AWS CloudTrail | Yes | Yes | No | Yes | Controlling User Access to AWS CloudTrail Actions |
| Amazon CloudWatch | Yes | No | No | Yes | Controlling User Access to Your AWS Account |
| AWS Elastic Beanstalk | Yes | Yes | No | No | Using AWS Elastic Beanstalk with AWS Identity and Access Management (IAM) |
| AWS CloudFormation | Yes | Yes | No | Yes | Controlling User Access with AWS Identity and Access Management |
| AWS OpsWorks | Yes | Yes | No | Yes | Granting Users Permissions to Work with AWS OpsWorks |
| AWS CloudHSM | No | No | No | No | |

Application Services

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| Amazon AppStream | Yes | No | No | Yes | Security Considerations for Amazon AppStream |
| Amazon CloudSearch | Yes | Yes | No | Yes | Configuring Access for an Amazon CloudSearch Domain |
| Amazon Simple Workflow Service (Amazon SWF) | Yes | Yes | Yes | Yes | Using IAM to Manage Access to Amazon SWF Resources |
| Amazon Simple Queue Service (Amazon SQS) | Yes | Yes | No | Yes | Controlling User Access to Your AWS Account |
| Amazon Simple Email Service (Amazon SES) | Yes | No | No | Yes | Controlling User Access to Amazon SES |
| Amazon Simple Notification Service (Amazon SNS) | Yes | Yes | No | Yes | Controlling User Access to Your AWS Account |
| Amazon Elastic Transcoder | Yes | Yes | No | Yes | Security Considerations for Elastic Transcoder |

Resources

| Service | Actions | Resource-level permissions | Tags | Temporary credentials | More information |
|---|---|---|---|---|---|
| AWS Billing and Cost Management | Yes; see Notes | No | No | No | Controlling User Access to Your AWS Billing and Cost Management Information |
| Amazon Flexible Payments Service (Amazon FPS) | No | No | No | No | |
| Amazon Fulfillment Web Service (Amazon FWS) | No | No | No | No | |
| AWS Marketplace | Yes | Yes | No | No | Controlling Access to AWS Marketplace Subscriptions |
| AWS Marketplace Management Portal | Yes | No | No | No | Controlling User Access to AWS Marketplace Management Portal |
| Amazon Mechanical Turk | No | No | No | No | |
| AWS Support | Yes; see Notes | No | No | No | Accessing AWS Support |


Notes

  • AWS Billing and Cost Management: You can use IAM policies to control user access to your account's Account Activity page and Usage Reports page.

  • Amazon EC2: Amazon EC2 supports resource-level permissions and tags only for some APIs. For more information, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon Elastic Compute Cloud Developer Guide.

  • IAM: IAM supports AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML. If you use GetFederationToken, you can access IAM when using single sign-on to the AWS Management Console, but not from the API or CLI. You cannot use temporary security credentials from GetSessionToken to call any IAM APIs.

  • AWS STS: In AWS STS you can use the temporary security credentials that you get from AssumeRole, AssumeRoleWithWebIdentity, or AssumeRoleWithSAML to make subsequent calls to AssumeRole. However, you cannot use those credentials to call GetFederationToken or GetSessionToken. You cannot use the temporary security credentials from GetFederationToken or GetSessionToken to call any AWS STS APIs.

  • AWS Support: Users who are allowed access to AWS Support can use all support features: Support Center, Trusted Advisor, and the AWS Support API.