AWS Identity and Access Management
User Guide

AWS Services That Work with IAM

Many AWS services are integrated with AWS Identity and Access Management. The following tables group these services by category and show the IAM permission types that each service supports, tips to help you write policies to control service access, and links to related information.

Specifically, each table provides the following information:

  • Action-level permissions. The service supports specifying individual actions in a policy's Action element. If the service does not support action-level permissions, policies for the service use * in the Action element. For a list of all of the permissions for AWS services that can be used in IAM policies, see AWS Service Actions and Condition Context Keys for Use in IAM Policies.

  • Resource-level permissions. The service has one or more APIs that support specifying individual resources (using ARNs) in the policy's Resource element. If an API does not support resource-level permissions, then that statement in the policy must use * in the Resource element. Because such a statement applies to every resource of that type in the account, keep those actions in their own statement rather than adding them to a statement whose other actions could be scoped to specific ARNs. See the footnotes after each table for more information.

  • Resource-based permissions. The service enables you to attach resource-based policies to the service's resources. Resource-based policies include a Principal element to specify an IAM identity that can access that resource. Identity-based (IAM) permissions are different. They are attached to users, groups, or roles and include a Resource element to specify the resource that can be accessed by the identity. For more details, see Identity-Based Policies and Resource-Based Policies.

  • Tag-based permissions. The service supports testing resource tags in a Condition element.

  • Temporary security credentials. The service lets users make requests using temporary security credentials that are obtained by calling AWS STS APIs like AssumeRole or GetFederationToken. Temporary credentials are commonly used in federation scenarios. For more information, see Temporary Security Credentials.

  • Service-linked roles. The service requires that you use a unique type of service role that is linked directly to the service. This service-linked role is predefined by the service, and includes all the permissions that the service requires. To learn how to create a role used to delegate permissions to a service, see Creating a Role to Delegate Permissions to an AWS Service.

  • More information. Links to more information in the documentation of the product.
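
The policy elements described in the bullets above (action-level, resource-level, resource-based and tag-based permissions), as an added example that is not part of the IAM User Guide: a small Python evaluator holding one identity-based and one resource-based policy, showing how an Action match, a Resource ARN match, a tag Condition, an explicit Deny and a Principal each decide a request. The bucket name, account IDs, role name, tags and requests are constructed placeholders, and evaluate, authorize and the policy dictionaries are this example's own names. It models only the subset of IAM evaluation these policies need, not the full service.

```python
"""Added example, not code from the IAM User Guide. Policies, ARNs,
account IDs, tags and requests are constructed for illustration; only
the IAM semantics they exercise are modelled (Action/Resource wildcards,
explicit Deny, a StringEquals tag condition, and Principal)."""
import re

# Identity-based policy: no Principal, because it is attached to a user,
# group or role; its Resource element says what that identity may touch.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # action-level and resource-level permissions
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        # tag-based permission: only instances tagged Environment=dev
        {"Effect": "Allow",
         "Action": "ec2:StopInstances",
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "dev"}}},
        # APIs without resource-level support must use "Resource": "*"
        {"Effect": "Allow",
         "Action": ["ec2:DescribeVpcEndpoints", "ec2:DescribePrefixLists"],
         "Resource": "*"},
        # an explicit Deny always wins over an Allow
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}

# Resource-based policy: attached to the bucket, so it carries a Principal.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:role/reporting"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/reports/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    """IAM-style match: * matches any run of characters, ? a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _condition_met(condition, request):
    # Only StringEquals on a <service>:ResourceTag/<key> key is modelled.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if "ResourceTag/" not in key:
                raise NotImplementedError(key)
            actual = request.get("resource_tags", {}).get(key.split("ResourceTag/", 1)[1])
            if actual is None or actual not in _as_list(expected):
                return False
    return True

def _principal_allowed(principal, caller):
    allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return "*" in allowed or caller in allowed

def evaluate(policy, request, caller=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request
    {"action": ..., "resource": ..., "resource_tags": {...}}; caller is the
    ARN matched against Principal in a resource-based policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if "Principal" in stmt and not _principal_allowed(stmt["Principal"], caller):
            continue
        if not any(_wild(a, request["action"], True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, request["resource"]) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_met(stmt["Condition"], request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit Deny ends evaluation
        decision = "Allow"
    return decision

def authorize(request, caller, identity_policy=None, resource_policy=None):
    """Same-account combination: an explicit Deny in either policy wins, otherwise an
    Allow from either suffices. (A cross-account caller needs both sides; not modelled.)"""
    results = [evaluate(p, request, caller) for p in (identity_policy, resource_policy) if p is not None]
    if "Deny" in results:
        return "Deny"
    return "Allow" if "Allow" in results else "ImplicitDeny"

if __name__ == "__main__":
    req = {"action": "s3:GetObject", "resource": "arn:aws:s3:::example-bucket/secrets/key.pem"}
    print(authorize(req, "arn:aws:iam::444455556666:role/reporting", IDENTITY_POLICY, RESOURCE_POLICY))
```

Run as a script, the request for secrets/key.pem comes back Deny even though the first statement allows s3:GetObject on the whole bucket: an explicit Deny is never overridden by an Allow, which is why a Deny statement is the right tool for carving an exception out of a broad grant. Swapping the instance tag from dev to prod turns the ec2:StopInstances decision into an implicit deny without any change to the Action or Resource elements, which is what tag-based permissions buy you.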

Compute Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon Elastic Compute Cloud (Amazon EC2) | Yes | Yes¹ | No | Yes¹ | Yes | Yes²
Amazon EC2 Container Registry (Amazon ECR) | Yes | Yes | Yes | No | Yes | No
Amazon EC2 Container Service (Amazon ECS) | Yes | Yes³ | No | No | Yes | No
AWS Elastic Beanstalk | Yes | Yes⁴ | No | No | Yes | Yes
AWS Lambda | Yes | Yes | Yes⁵ | No | Yes | No
Amazon Lightsail | Yes | No | No | No | Yes | No
Auto Scaling | Yes | Yes | No | No | Yes | No
Application Auto Scaling | Yes | No | No | No | Yes | No
Elastic Load Balancing | Yes | Yes⁶ | No | No | Yes | No

¹ Amazon EC2 supports resource-level permissions and tags only for some APIs. For more information, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.

² Amazon EC2 service-linked roles cannot be created using the AWS Management Console, and can be used only for the following features: Scheduled Instances, Spot Instance Requests, and Spot Fleet Requests.

³ Amazon ECS supports resource-level permissions only for some APIs. For more information, see Supported Resource-Level Permissions for Amazon ECS API Actions in the Amazon EC2 Container Service Developer Guide.

⁴ Only some API actions for Elastic Beanstalk can be used as permissions against specific resources. For more information, see Resources and Conditions for Elastic Beanstalk Actions in the AWS Elastic Beanstalk Developer Guide.

⁵ The only AWS Lambda API action that can be specified in a resource-based policy is lambda:InvokeFunction. For more information, see Using Resource-Based Policies for AWS Lambda (Lambda Function Policies) in the AWS Lambda Developer Guide.

⁶ Only some API actions for Elastic Load Balancing can be used as permissions against specific resources. For more information, see Control Access to Your Load Balancer in the Elastic Load Balancing User Guide.

Storage and Content Delivery Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon Simple Storage Service (Amazon S3) | Yes | Yes | Yes | Yes | Yes | No
Amazon Elastic Block Store (Amazon EBS) | Yes | Yes¹ | No | Yes | Yes | No
Amazon EFS | Yes | Yes | No | No | Yes | No
Amazon Glacier | Yes | Yes | Yes | Yes | Yes | No
AWS Import/Export | Yes | No | No | No | Yes | No
AWS Snowball | Yes | No² | No | No | Yes | No
AWS Snowball Edge | Yes | No³ | No | No | No | No
AWS Storage Gateway | Yes | Yes | No | No | Yes | No

¹ For information about which EBS actions support resource-level permissions, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.

² Specifies ARNs for related services (Amazon S3).

³ Specifies ARNs for related services (Amazon S3, AWS Lambda, AWS Greengrass).

Database Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon Relational Database Service (Amazon RDS) | Yes | Yes | No | Yes | Yes | No
Amazon DynamoDB | Yes | Yes | No | No | Yes | No
Amazon ElastiCache | Yes | No¹ | No | No | Yes | No
Amazon Redshift | Yes | Yes | No | Yes | Yes | Yes
Amazon SimpleDB | Yes | Yes | No | No | Yes | No

¹ Two APIs specify an Amazon S3 ARN resource when seeding a cluster/replication group.

Networking and Content Delivery Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon Virtual Private Cloud (Amazon VPC) | Yes | Yes¹ | Yes² | Yes | Yes | No
Amazon CloudFront | Yes³ | No | No | No | Yes | No
AWS Direct Connect | Yes | No | No | No | Yes | No
Amazon Route 53 | Yes | Yes | No | No | Yes | No

¹ In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify "Resource": "*". For more information, see Controlling the Use of Endpoints in the Amazon VPC User Guide.

² Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Using Endpoint Policies in the Amazon VPC User Guide.

³ CloudFront does not support action-level permissions for creating CloudFront key pairs. You must use an AWS account root user to create a CloudFront key pair. For more information, see Creating CloudFront Key Pairs for Your Trusted Signers in the Amazon CloudFront Developer Guide.

Migration Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
AWS Database Migration Service | Yes | Yes | No | Yes | Yes | No
AWS Migration Hub | Yes | Yes | No | No | Yes | No

Developer Tools and Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
AWS CodeCommit | Yes | Yes | No | No | Yes | No
AWS CodeBuild | Yes | Yes | No | No | Yes | No
AWS CodeDeploy | Yes | Yes | No | No | Yes | No
AWS CodePipeline | Yes | Yes¹ | No | No | Yes | No
AWS CodeStar | Yes | Yes¹ | No | No | No | No

¹ Only some API actions for AWS CodePipeline can be used as permissions against specific resources. For more information, see AWS CodePipeline Resources and Operations in the AWS CodePipeline User Guide.

Management Tools and Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon CloudWatch | Yes | No | No | No | Yes | Yes¹
Amazon CloudWatch Events | Yes | Yes | No | No | Yes | No
Amazon CloudWatch Logs | Yes | Yes | No | No | Yes | No
AWS CloudFormation | Yes | Yes | No | No | Yes | No
AWS CloudTrail | Yes | Yes | No | No | Yes | No
AWS Config | Yes | No | No | No | Yes | No
AWS OpsWorks for Chef Automate | Yes | Yes | Yes | No | Yes | No
AWS OpsWorks | Yes | Yes | Yes | No | Yes | No
AWS Service Catalog | Yes | No | No | No | Yes | No
AWS Trusted Advisor | Yes² | Yes | No | No | Yes² | No
AWS Health | Yes | No | No | No | Yes | No

¹ Amazon CloudWatch service-linked roles cannot be created using the AWS Management Console, and support only the Alarm Actions feature.

² API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.

Security, Identity, and Compliance Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
AWS Artifact | Yes | Yes | No | No | Yes | No
AWS Certificate Manager (ACM) | Yes | Yes | No | No | Yes | No
AWS CloudHSM | Yes | Yes | No | No | Yes | No
AWS CloudHSM Classic | Yes | No | No | No | No | No
AWS Directory Service | Yes | No | No | No | Yes | No
AWS Identity and Access Management (IAM) | Yes | Yes | No | No | Yes¹ | No
Amazon Inspector | Yes | No | No | No | Yes¹ | No
AWS Key Management Service (AWS KMS) | Yes | Yes | Yes | No | Yes | No
AWS Organizations | Yes | Yes | No | No | Yes | No
AWS Shield Advanced | Yes | No | No | No | Yes | No
AWS Security Token Service (AWS STS) | Yes | Yes² | No | No | Yes² | No
AWS WAF | Yes | Yes | No | No | Yes | No

¹ Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.

² AWS STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name. Only some of the APIs for AWS STS support calling with temporary credentials. For more information, see Comparing your API options.

Analytics Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon EMR | Yes | No | No | Yes | Yes | Yes
Amazon CloudSearch | Yes | Yes | No | No | Yes | No
Amazon Elasticsearch Service | Yes | Yes | Yes | No | Yes | No
AWS Glue | Yes | No | No | No | No | No
Amazon Kinesis Analytics | Yes | Yes | No | No | Yes | No
Amazon Kinesis Firehose | Yes | Yes | No | No | Yes | No
Amazon Kinesis Streams | Yes | Yes | No | No | Yes | No
Amazon QuickSight | Yes | No | No | No | No | No
AWS Data Pipeline | Yes | No | No | Yes | Yes | No

Artificial Intelligence

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon Lex | Yes | Yes | No | No | Yes | Yes¹
Amazon Machine Learning | Yes | Yes | No | Yes | Yes | No
Amazon Polly | Yes | Yes | No | No | Yes | No
Amazon Rekognition | Yes | Yes² | No | No | No | No

¹ This service-linked role cannot be deleted using IAM. To learn how to delete the role, see Deleting Service-Linked Roles in the Amazon Lex Developer Guide.

² Amazon Rekognition supports resource-level permissions only for collections, identified by a collection ARN such as arn:aws:rekognition:us-west-2:11111111111:collection/mycollection.

Internet of Things

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
AWS IoT | Yes¹ | Yes² | Yes³ | No | Yes | No
AWS Greengrass | Yes¹ | Yes² | Yes³ | No | Yes | No

¹ For more information about AWS IoT action-level permissions, see AWS IoT Policy Actions in the AWS IoT User Guide.

² For information about which AWS IoT actions support resource-level permissions and which resources you can specify for each, see Action Resources in the AWS IoT Developer Guide.

³ Devices connected to AWS IoT are authenticated by using X.509 certificates. You can attach AWS IoT policies to an X.509 certificate to control what the device is authorized to do. For more information, see Create an AWS IoT Policy in the AWS IoT Developer Guide.

Game Development Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon GameLift | Yes | No | No | No | Yes | No

Mobile Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon Cognito | Yes | Yes | No | No | Yes | No
AWS Device Farm | Yes | No | No | No | Yes | No
Amazon Mobile Analytics | Yes | No | No | No | Yes | No
Amazon Pinpoint | Yes | Yes | No | No | Yes | No

Application Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon API Gateway | Yes | Yes | No | No | Yes | No
Amazon Elastic Transcoder | Yes | Yes | No | No | Yes | No
Amazon Simple Workflow Service (Amazon SWF) | Yes | Yes | No | Yes | Yes | No

Messaging Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon Simple Notification Service (Amazon SNS) | Yes | Yes | Yes | No | Yes | No
Amazon Simple Email Service (Amazon SES) | Yes | Yes¹ | No | No | Yes² | No
Amazon Simple Queue Service (Amazon SQS) | Yes | Yes | Yes | No | Yes | No

¹ Amazon SES supports resource-level permissions in policies that grant permissions to delegate senders to access specific SES identities.

² Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.

Business Productivity

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon WorkDocs | Yes | No | No | No | Yes | No
Amazon WorkMail | Yes | No | No | No | Yes | No

Desktop and App Streaming Services

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
Amazon WorkSpaces | Yes | Yes | No | No | Yes | No
Amazon WAM | Yes | No | No | No | Yes | No
Amazon AppStream | Yes | No | No | No | Yes | No
Amazon AppStream 2.0 | Yes | No | No | No | Yes | No

Additional Resources

 

Service | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials | Service-Linked Role
--- | --- | --- | --- | --- | --- | ---
AWS Billing and Cost Management | Yes | No | No | No | Yes | No
AWS Marketplace | Yes | Yes | No | No | Yes | No
AWS Support | No | No | No | No | Yes | No