AWS Identity and Access Management
User Guide

AWS Services That Work with IAM

This section links to topics that describe how AWS Identity and Access Management integrates with other services from AWS, and how to write policies to control access to a particular service and its resources.

In the following table, the columns have the following meanings:

  • Supports action-level permissions. The service supports specifying individual actions in a policy's Action element. If the service does not support action-level permissions, policies for the service use * in the Action element. For a list of all of the permissions for AWS services that can be used in IAM policies, see AWS Service Actions and Condition Context Keys for Use in IAM Policies.

  • Supports resource-level permissions. The service has one or more APIs that support specifying individual resources (using ARNs) in the policy's Resource element. If an API does not support resource-level permissions, then the statement in the policy that grants that API must use * in the Resource element. See the footnotes after each table for more information.

  • Supports resource-based permissions. The service enables you to attach policies to the service's resources in addition to IAM users, groups, and roles. The policies specify who can access that resource by including a Principal element.

  • Supports tag-based permissions. The service supports testing resource tags in a Condition element.

  • Supports temporary security credentials. The service lets users make requests using temporary security credentials that are obtained by calling AWS STS APIs like AssumeRole or GetFederationToken. Temporary credentials are commonly used in federation scenarios. For more information, see Temporary Security Credentials.

  • More information. Links to more information in the documentation of the product.

Compute Services

Supports the following permissions:

Service and Related IAM Info              | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
Amazon Elastic Compute Cloud (Amazon EC2) | Yes          | Yes¹           | No             | Yes¹      | Yes
Amazon EC2 Container Service (Amazon ECS) | Yes          | No             | No             | No        | Yes
Auto Scaling                              | Yes          | No             | No             | No        | Yes
Elastic Load Balancing                    | Yes          | Yes²           | No             | No        | Yes
AWS Lambda                                | Yes          | Yes³           | Yes            | No        | Yes

¹ Amazon EC2 supports resource-level permissions and tags only for some APIs. For more information, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.

² Only some API actions for Elastic Load Balancing can be used as permissions against specific resources. For more information, see Control Access to Your Load Balancer in the Elastic Load Balancing Developer Guide.

³ The only AWS Lambda API action that can be used as a resource-level permission is lambda:InvokeFunction.
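The following is an added example, not code from the AWS documentation. It models, in Python, what the column definitions at the top of this page look like inside a policy document (action-level and resource-level permissions, a resource-based policy with a Principal element, a tag-based Condition) together with IAM's evaluation order (an explicit Deny wins, then any matching Allow, otherwise implicit deny). The sample identity policy also encodes footnote ³ above: lambda:InvokeFunction is granted on a specific function ARN while another Lambda action has to be granted on Resource "*". The account ID 123456789012, the ARNs, the Env tag and the role name are constructed placeholders. Only Effect, Action, Resource, Principal ("*" or {"AWS": ...}) and StringEquals on <service>:ResourceTag/<key> condition keys are modelled; anything else raises NotImplementedError so that an unsupported construct is never silently evaluated as a match.

```python
import re

def _as_list(value):
    """Policy grammar lets a single string stand in for a one-element list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _glob_match(pattern, value, case_sensitive):
    """IAM wildcard matching: '*' is any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None

def _reject_negations(statement):
    """NotAction/NotResource/NotPrincipal are not modelled; raise rather than mis-evaluate."""
    if any(k in statement for k in ("NotAction", "NotResource", "NotPrincipal")):
        raise NotImplementedError("negated policy elements are outside this example")

def classify(statement):
    """Report which of the table's permission models one statement uses."""
    _reject_negations(statement)
    condition_keys = [k for pairs in statement.get("Condition", {}).values() for k in pairs]
    return {
        # a service without action-level support forces Action to "*"
        "action_level": any(a != "*" for a in _as_list(statement.get("Action"))),
        # an API without resource-level support forces Resource to "*"
        "resource_level": any(r != "*" for r in _as_list(statement.get("Resource"))),
        # resource-based policies name the caller in a Principal element
        "resource_based": "Principal" in statement,
        # tag-based permissions test a <service>:ResourceTag/<key> condition key
        "tag_based": any(":ResourceTag/" in k for k in condition_keys),
    }

def _principal_matches(statement, principal):
    if "Principal" not in statement:      # identity-based policy: nothing to test
        return True
    allowed = statement["Principal"]
    return allowed == "*" or (principal is not None and principal in _as_list(allowed.get("AWS")))

def _condition_matches(statement, resource_tags):
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            _, sep, tag_key = key.partition(":ResourceTag/")
            if not sep:
                raise NotImplementedError(f"condition key {key} is not modelled")
            if resource_tags.get(tag_key) not in _as_list(expected):
                return False                # tag missing or has another value
    return True

def evaluate(policy, action, resource, resource_tags=None, principal=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request: any matching
    Deny wins, else any matching Allow allows, else implicit deny. Action matching
    ignores case, resource (ARN) matching does not."""
    resource_tags = resource_tags or {}
    outcome = "implicit_deny"
    for statement in _as_list(policy["Statement"]):
        _reject_negations(statement)
        action_hit = any(_glob_match(p, action, False) for p in _as_list(statement.get("Action")))
        resource_hit = any(_glob_match(p, resource, True) for p in _as_list(statement.get("Resource")))
        if not (action_hit and resource_hit and _principal_matches(statement, principal)):
            continue
        if not _condition_matches(statement, resource_tags):
            continue
        if statement["Effect"] == "Deny":
            return "explicit_deny"
        outcome = "allow"
    return outcome

# Constructed sample policies; the account ID, ARNs, tag key and names are placeholders.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # action-level + resource-level + tag-based (EC2, footnote 1)
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Env": "dev"}},
        },
        {   # lambda:InvokeFunction is the one Lambda action that takes an ARN (footnote 3)
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:report-generator",
        },
        # other Lambda actions must be granted on Resource "*"
        {"Effect": "Allow", "Action": "lambda:ListFunctions", "Resource": "*"},
        # an explicit Deny overrides any Allow
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# Resource-based policy (here an S3 bucket policy): the caller is named in Principal.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
                  "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::example-reports/*"},
}
```

classify(IDENTITY_POLICY["Statement"][0]) reports action-level, resource-level and tag-based as True and resource-based as False; classify(BUCKET_POLICY["Statement"]) reports resource-based as True. evaluate(IDENTITY_POLICY, "ec2:StartInstances", <instance ARN>, {"Env": "dev"}) returns "allow", the same call with {"Env": "prod"} or no tags returns "implicit_deny", and "ec2:TerminateInstances" returns "explicit_deny" regardless of tags. The model evaluates one policy document at a time; it does not combine identity-based and resource-based policies, or cross-account rules, the way the real IAM evaluation logic does.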


Storage and Content Delivery Services

Supports the following permissions:

Service and Related IAM Info              | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
Amazon Simple Storage Service (Amazon S3) | Yes          | Yes            | Yes            | No        | Yes
Amazon EFS                                | Yes          | Yes            | No             | No        | Yes
AWS Storage Gateway                       | Yes          | Yes            | No             | No        | Yes
Amazon Glacier                            | Yes          | Yes            | Yes            | No        | Yes
Amazon CloudFront                         | Yes¹         | No             | No             | No        | Yes
Amazon Elastic Block Store (Amazon EBS)   | Yes          | Yes²           | No             | Yes²      | Yes
AWS Import/Export                         | Yes          | No             | No             | No        | Yes

¹ CloudFront does not support action-level permissions for creating CloudFront key pairs. You must use an AWS root account to create a CloudFront key pair. For more information, see Creating CloudFront Key Pairs for Your Trusted Signers in the Amazon CloudFront Developer Guide.

² For information about which actions support resource-level permissions, see Supported Resources and Conditions for Amazon EC2 API Actions in the Amazon EC2 User Guide for Linux Instances.


Database Services

Supports the following permissions:

Service and Related IAM Info                    | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
Amazon Relational Database Service (Amazon RDS) | Yes          | Yes            | No             | Yes       | Yes
Amazon DynamoDB                                 | Yes          | Yes            | No             | No        | Yes
Amazon ElastiCache                              | Yes          | No             | No             | No        | Yes
Amazon Redshift                                 | Yes          | Yes            | No             | No        | Yes
Amazon SimpleDB                                 | Yes          | Yes            | No             | No        | Yes

Networking Services

Supports the following permissions:

Service and Related IAM Info              | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
Amazon Virtual Private Cloud (Amazon VPC) | Yes          | Yes¹           | Yes²           | Yes       | Yes
Amazon Route 53                           | Yes          | Yes            | No             | No        | Yes
AWS Direct Connect                        | Yes          | No             | No             | No        | Yes

¹ In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify "Resource": "*". For more information, see Controlling the Use of Endpoints in the Amazon VPC User Guide.

² Amazon VPC supports resource policies for VPC endpoints only. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Using Endpoint Policies in the Amazon VPC User Guide.


Administration and Security Services

Supports the following permissions:

Service and Related IAM Info               | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
AWS Directory Service                      | Yes          | No             | No             | No        | Yes
AWS Identity and Access Management (IAM)   | Yes          | Yes            | No             | No        | Yes¹
AWS Security Token Service (AWS STS)       | Yes          | Yes²           | No             | No        | Yes²
AWS Certificate Manager (ACM)              | Yes          | Yes            | No             | No        | Yes
AWS CloudTrail                             | Yes          | No             | No             | No        | Yes
AWS Config                                 | Yes          | No             | No             | No        | Yes
Amazon CloudWatch                          | Yes          | No             | No             | No        | Yes
Amazon CloudWatch Logs                     | Yes          | Yes            | No             | No        | Yes
AWS Key Management Service (AWS KMS)       | Yes          | Yes            | Yes            | No        | Yes
AWS CloudHSM                               | Yes          | No             | No             | No        | No
AWS Service Catalog                        | Yes          | Yes            | No             | No        | Yes
AWS WAF                                    | Yes          | Yes            | No             | No        | Yes

¹ Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.

² AWS STS does not have "resources", but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name. Only some of the APIs for AWS STS support calling with temporary credentials. For more information, see Comparing your API options.


Deployment and Management Services

Supports the following permissions:

Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
AWS Elastic Beanstalk        | Yes          | Yes¹           | No             | No        | Yes
AWS OpsWorks                 | Yes          | Yes            | Yes            | No        | Yes
AWS CloudFormation           | Yes          | Yes            | No             | No        | Yes
AWS CodeCommit               | Yes          | Yes            | No             | No        | Yes
AWS CodeDeploy               | Yes          | Yes            | No             | No        | Yes
AWS CodePipeline             | Yes          | Yes            | No             | No        | Yes

¹ Only some API actions for Elastic Beanstalk can be used as permissions against specific resources. For more information, see Resources and Conditions for Elastic Beanstalk Actions in the AWS Elastic Beanstalk Developer Guide.

Analytics Services

Supports the following permissions:

Service and Related IAM Info         | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
Amazon Elastic MapReduce (Amazon EMR) | Yes          | No             | No             | No        | Yes
Amazon Kinesis                        | Yes          | Yes            | No             | No        | Yes
AWS Data Pipeline                     | Yes          | Yes            | No             | Yes       | Yes
Amazon Machine Learning               | Yes          | Yes            | No             | No        | Yes
Amazon Elasticsearch Service          | Yes          | Yes            | Yes            | No        | Yes
Amazon Elasticsearch ServiceYesYesYesNoYes

Application Services

Supports the following permissions:

Service and Related IAM Info                | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
Amazon Simple Queue Service (Amazon SQS)    | Yes          | Yes            | Yes            | No        | Yes
Amazon Simple Workflow Service (Amazon SWF) | Yes          | Yes            | No             | Yes       | Yes
Amazon AppStream                            | Yes          | No             | No             | No        | Yes
Amazon Elastic Transcoder                   | Yes          | Yes            | No             | No        | Yes
Amazon Simple Email Service (Amazon SES)    | Yes          | No             | No             | No        | Yes¹
Amazon CloudSearch                          | Yes          | Yes            | No             | No        | Yes
Amazon API Gateway                          | Yes          | Yes            | No             | No        | Yes

¹ Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.


Mobile Services

Supports the following permissions:

Service and Related IAM Info                    | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
Amazon Cognito                                  | Yes          | Yes            | No             | No        | Yes
Amazon Simple Notification Service (Amazon SNS) | Yes          | Yes            | Yes            | No        | Yes
AWS Device Farm                                 | Yes          | No             | No             | No        | Yes
Amazon Mobile Analytics                         | Yes          | No             | No             | No        | Yes

Enterprise Applications

Supports the following permissions:

Service and Related IAM Info | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
Amazon WorkSpaces            | Yes          | Yes            | No             | No        | Yes
Amazon WorkDocs              | Yes          | No             | No             | No        | Yes
Amazon WorkMail              | Yes          | No             | No             | No        | Yes

Additional Resources

Supports the following permissions:

Service and Related IAM Info     | Action Level | Resource Level | Resource Based | Tag Based | Temporary Credentials
AWS Billing and Cost Management  | Yes          | No             | No             | No        | Yes
AWS Marketplace                  | Yes          | Yes            | No             | No        | Yes
AWS Support                      | No           | No             | No             | No        | Yes
AWS Trusted Advisor              | Yes¹         | Yes            | No             | No        | Yes¹

¹ API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.