AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

AWS Products That Integrate With IAM

This section links to topics that describe how AWS Identity and Access Management integrates with other products from AWS, and how to write policies to control access to a particular product and its resources.

Note

Some products support resource-based permissions, which let you attach policies to the product's resources in addition to IAM users, groups, or roles. Resource-based permissions are supported by Amazon S3, Amazon Glacier, Amazon SNS, Amazon SQS, AWS Key Management Service (AWS KMS) and the VPC Endpoint feature of Amazon Virtual Private Cloud (Amazon VPC). For information about resource-based policies in these products, see the links for these products in the following table.

In the following table, the columns have the following meanings:

  • Supports action-level permissions. The product supports IAM policies in which you can specify individual actions in a policy's Action element. If the product does not support action-level permissions, policies for the product use * in the Action element.

  • Supports resource-level permissions. The product supports IAM policies in which you can specify individual resources (using ARNs) in the policy's Resource element. If the product does not support resource-level permissions, policies for the product use * in the Resource element.

    Note

    Some products support resource-level permissions only for some actions. See the notes that follow the table for more information.

  • Supports tag-based permissions. The product supports IAM policies that let you create resource-level permissions by testing tags attached to a resource in a Condition element.

  • Supports temporary security credentials. The product lets users make requests using temporary security credentials that are obtained by calling AWS STS APIs like AssumeRole or GetFederationToken. For more information, see the Using Temporary Security Credentials guide.

  • More information. Links to more information in the documentation of the product.

AWS Product Category: Compute | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
Amazon Elastic Compute Cloud (Amazon EC2) | Yes | Yes; see Notes | Yes; see Notes | Yes | Controlling Access to Amazon EC2 Resources
Amazon EC2 Container Service (Amazon ECS) | Yes | No | No | Yes | Amazon ECS IAM Policies
Auto Scaling | Yes | No | No | Yes | Auto Scaling and AWS Identity and Access Management
Elastic Load Balancing | Yes | Yes | No | Yes | Control User Access to Your AWS Account
AWS Lambda | Yes | Yes | No | Yes |

AWS Product Category: Storage and Content Delivery | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
Amazon Simple Storage Service (Amazon S3) | Yes | Yes | No | Yes | Using IAM Policies
Amazon EFS | Yes | Yes | No | Yes | AWS Identity and Access Management (IAM) permissions for API calls
AWS Storage Gateway | Yes | Yes | No | Yes | Access Control Using AWS Identity and Access Management (IAM)
Amazon Glacier | Yes | Yes | No | Yes | Access Control Using AWS Identity and Access Management (IAM)
Amazon CloudFront | Yes; see Notes | No | No | Yes | Using IAM to Control Access to CloudFront Resources
Amazon Elastic Block Store (Amazon EBS) | Yes | Yes; see Notes | Yes; see Notes | Yes | Controlling Access to Amazon EC2 Resources
AWS Import/Export | Yes | No | No | Yes | Using IAM with AWS Import/Export

AWS Product Category: Database | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
Amazon Relational Database Service (Amazon RDS) | Yes | Yes | Yes | Yes | Controlling Access to Amazon RDS Resources
Amazon DynamoDB | Yes | Yes | No | Yes | Controlling Access to Amazon DynamoDB Resources
Amazon ElastiCache | Yes | No | No | Yes | Controlling User Access to Your AWS Account
Amazon Redshift | Yes | Yes | No | Yes | Controlling Access to Amazon Redshift Resources
Amazon SimpleDB | Yes | Yes | No | Yes | Managing Users of Amazon SimpleDB

AWS Product Category: Networking | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
Amazon Virtual Private Cloud (Amazon VPC) | Yes | Yes; see Notes | Yes | Yes | Controlling VPC Management
Amazon Route 53 | Yes | Yes | No | Yes | Using IAM to Control Access to Route 53 Resources
AWS Direct Connect | Yes | No | No | Yes | Using AWS Identity and Access Management with AWS Direct Connect

AWS Product Category: Administration and Security | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
AWS Directory Service | Yes | No | No | Yes | Controlling Access to AWS Directory Service Resources
AWS Identity and Access Management (IAM) | Yes | Yes | No | Yes; see Comparing your API options in Using Temporary Security Credentials | Permissions for Administering IAM Users, Groups, and Credentials
AWS Security Token Service (AWS STS) | Yes | Yes; see Denying Access to Temporary Security Credentials by Name in Using Temporary Security Credentials | No | Yes; see Comparing your API options in Using Temporary Security Credentials | Controlling Permissions for Temporary Security Credentials
AWS CloudTrail | Yes | No | No | Yes | Controlling User Access to AWS CloudTrail Actions
AWS Config | Yes | No | No | Yes | Recommended IAM Permissions for Using the AWS Config Console and the AWS CLI
Amazon CloudWatch | Yes | No | No | Yes | Controlling User Access to Your AWS Account
AWS Key Management Service (AWS KMS) | Yes | Yes | No | Yes | Key Policies
AWS CloudHSM | Yes | No | No | No | Controlling Access to AWS CloudHSM Resources
AWS Service Catalog | Yes | Yes | No | Yes | Permissions

AWS Product Category: Deployment and Management | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
AWS Elastic Beanstalk | Yes | Yes | No | Yes | Using Elastic Beanstalk with AWS Identity and Access Management (IAM)
AWS OpsWorks | Yes | Yes | No | Yes | Granting Users Permissions to Work with AWS OpsWorks
AWS CloudFormation | Yes | Yes | No | Yes | Controlling User Access with AWS Identity and Access Management
AWS CodeCommit | Yes | Yes | No | Yes | AWS CodeCommit Access Permissions Reference
AWS CodeDeploy | Yes | Yes | No | Yes | AWS CodeDeploy User Access Permissions Reference
AWS CodePipeline | Yes | Yes | No | Yes | AWS CodePipeline Access Permissions Reference

AWS Product Category: Analytics | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
Amazon Elastic MapReduce (Amazon EMR) | Yes | No | No | Yes | Configure IAM User Permissions
Amazon Kinesis | Yes | Yes | No | Yes | Controlling Access to Amazon Kinesis Resources with IAM
AWS Data Pipeline | Yes | Yes | Yes | Yes | IAM Roles
Amazon Machine Learning | Yes | Yes | No | Yes | Controlling Access to Amazon ML Resources by Using IAM

AWS Product Category: Application Services | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
Amazon Simple Queue Service (Amazon SQS) | Yes | Yes | No | Yes | Controlling User Access to Your AWS Account
Amazon Simple Workflow Service (Amazon SWF) | Yes | Yes | Yes | Yes | Using IAM to Manage Access to Amazon SWF Resources
Amazon AppStream | Yes | No | No | Yes | Security Considerations for Amazon AppStream
Amazon Elastic Transcoder | Yes | Yes | No | Yes | Security Considerations for Elastic Transcoder
Amazon Simple Email Service (Amazon SES) | Yes | No | No | Yes | Controlling User Access to Amazon SES
Amazon CloudSearch | Yes | Yes | No | Yes | Configuring Access for an Amazon CloudSearch Domain
Amazon API Gateway | Yes | Yes | No | Yes | User Access Permissions for Amazon API Gateway

AWS Product Category: Mobile Services | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
Amazon Cognito | Yes | Yes | No | Yes | Resource Permissions in Amazon Cognito
Amazon Simple Notification Service (Amazon SNS) | Yes | Yes | No | Yes | Controlling User Access to Your AWS Account
AWS Device Farm | Yes | No | No | Yes | User Access Permissions for AWS Device Farm
Amazon Mobile Analytics | Yes | No | No | Yes |

AWS Product Category: Enterprise Applications | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
Amazon WAM | No | No | No | No | Controlling Access to Amazon WAM Resources
Amazon WorkSpaces | Yes | Yes | No | Yes | Controlling Access to Amazon WorkSpaces Resources
Amazon WorkDocs | Yes | No | No | Yes | IAM Policies for Amazon WorkDocs
Amazon WorkMail | Yes | No | No | Yes | AWS Identity and Access Management Users and Groups

AWS Product Category: Additional Resources | Supports action-level permissions | Supports resource-level permissions | Supports tag-based permissions | Supports temporary security credentials | More information
AWS Billing and Cost Management | Yes | No | No | Yes | Controlling User Access to Your AWS Billing and Cost Management Information
AWS Marketplace | Yes | Yes | No | Yes | Controlling Access to AWS Marketplace Subscriptions
AWS Support | No | No | No | Yes | Accessing AWS Support
AWS Trusted Advisor | Yes; see Notes | Yes | No | Yes; see Notes | Controlling Access to the Trusted Advisor Console

Notes

  • Amazon EC2: Amazon EC2 supports resource-level permissions and tags only for some APIs. For more information, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.

  • CloudFront: CloudFront does not support action-level permissions for creating CloudFront key pairs. You must use an AWS root account to create a CloudFront key pair. For more information, see Creating CloudFront Key Pairs for Your Trusted Signers in the Amazon CloudFront Developer Guide.

  • Amazon EBS: Amazon EBS supports resource-level permissions and tags only for some APIs. For more information, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.

  • Amazon VPC: In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify "Resource": "*". For more information, see Controlling the Use of Endpoints in the Amazon VPC User Guide. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Using Endpoint Policies in the Amazon VPC User Guide.

  • Trusted Advisor: API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.
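
As an added example (not part of the AWS guide), the Python code below lints a policy against the resource-level column of the table and the Amazon VPC note, reporting statements that scope Resource where only * applies. The action prefixes, the sample policy and its Sids, ARNs and account ID are constructed for illustration; actions are matched by their literal names, so a policy action that is itself a wildcard such as ec2:* is not expanded.

```python
import fnmatch

# Resource-level support copied from the table above. Keys are action prefixes,
# which are added here (the table lists product names only).
RESOURCE_LEVEL = {
    "autoscaling": False, "cloudtrail": False, "cloudwatch": False,
    "elasticache": False, "ses": False,
    "s3": True, "dynamodb": True, "sqs": True, "kms": True,
}
# Amazon VPC note: these actions must specify "Resource": "*".
STAR_ONLY_ACTIONS = ("ec2:*vpcendpoint*", "ec2:describeprefixlists")

# Constructed sample policy; ARNs, Sids and account ID are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ScopedTrail", "Effect": "Deny", "Action": "cloudtrail:StopLogging",
         "Resource": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example"},
        {"Sid": "Endpoints", "Effect": "Allow",
         "Action": ["ec2:CreateVpcEndpoint", "ec2:DescribePrefixLists"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-00000000"},
        {"Sid": "Bucket", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Scaling", "Effect": "Allow", "Action": "autoscaling:Describe*",
         "Resource": "*"},
    ],
}

def as_list(value):
    """Policy elements may be one value or a list of values."""
    return list(value) if isinstance(value, list) else [value] if value else []

def lint_policy(policy):
    """Return (sid, action, reason) wherever Resource is scoped but only "*" applies."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        resources = as_list(stmt.get("Resource"))
        if all(r == "*" for r in resources):
            continue  # unscoped, or no Resource element at all
        for action in as_list(stmt.get("Action")):
            name = action.lower()  # IAM action names are case-insensitive
            service = name.split(":", 1)[0]
            if any(fnmatch.fnmatchcase(name, p) for p in STAR_ONLY_ACTIONS):
                reason = 'VPC endpoint action requires "Resource": "*"'
            elif RESOURCE_LEVEL.get(service) is False:
                reason = "no resource-level permissions for " + service
            else:
                continue
            findings.append((stmt.get("Sid", "<no Sid>"), action, reason))
    return findings
```

Calling lint_policy(SAMPLE_POLICY) reports the ScopedTrail statement and both actions of the Endpoints statement, and passes the Bucket and Scaling statements.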