Resource-level permissions

You can restrict the scope of permissions by specifying resources in an IAM policy. Many Elasticache API actions support a resource type that varies depending on the behavior of the action. Every IAM policy statement grants permission to an action that's performed on a resource. When the action doesn't act on a named resource, or when you grant permission to perform the action on all resources, the value of the resource in the policy is a wildcard (*). For many API actions, you can restrict the resources that a user can modify by specifying the Amazon Resource Name (ARN) of a resource, or an ARN pattern that matches multiple resources. To restrict permissions by resource, specify the resource by ARN.

ElastiCache Resource ARN Format

Note

For resource-level permissions to be effective, the resource name on the ARN string should be lower case.

• Cluster – arn:aws:elasticache:us-east-2:123456789012:cluster:my-cluster

• Parameter group – arn:aws:elasticache:us-east-2:123456789012:parametergroup:my-parameter-group

• Security group – arn:aws:elasticache:us-east-2:123456789012:securitygroup:my-security-group

• Subnet group – arn:aws:elasticache:us-east-2:123456789012:subnetgroup:my-subnet-group

• Reserved instance – arn:aws:elasticache:us-east-2:123456789012:reservedinstance:my-reserved-instance

Example 1: Allow a user full access to specific ElastiCache resource types

The following policy explicitly allows all resources of type subnet group, security group and replication group.

{
        "Sid": "Example1",
        "Effect": "Allow",
        "Action": "elasticache:*",
        "Resource": [
             "arn:aws:elasticache:us-east-1:account-id:subnetgroup:*",
             "arn:aws:elasticache:us-east-1:account-id:securitygroup:*""
        ]
}