Actions, resources, and condition keys for Amazon Comprehend

Amazon Comprehend (service prefix: comprehend) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon Comprehend
Resource types defined by Amazon Comprehend
Condition keys for Amazon Comprehend

Actions defined by Amazon Comprehend

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys
BatchDetectDominantLanguage	Grants permission to detect the language or languages present in the list of text documents	Read
BatchDetectEntities	Grants permission to detect the named entities ("People", "Places", "Locations", etc) within the given list of text documents	Read
BatchDetectKeyPhrases	Grants permission to detect the phrases in the list of text documents that are most indicative of the content	Read
BatchDetectSentiment	Grants permission to detect the sentiment of a text in the list of documents (Positive, Negative, Neutral, or Mixed)	Read
BatchDetectSyntax	Grants permission to detect syntactic information (like Part of Speech, Tokens) in a list of text documents	Read
BatchDetectTargetedSentiment	Grants permission to detect the sentiments associated with specific entities (such as brands or products) within the given list of text documents	Read
ClassifyDocument	Grants permission to create a new document classification request to analyze a single document in real-time, using a previously created and trained custom model and an endpoint	Read	document-classifier-endpoint*
ContainsPiiEntities	Grants permission to classify the personally identifiable information within given documents in real-time	Read
CreateDataset	Grants permission to create a new dataset within a flywheel	Write	flywheel*
CreateDataset	Grants permission to create a new dataset within a flywheel	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateDocumentClassifier	Grants permission to create a new document classifier that you can use to categorize documents	Write	document-classifier*
CreateDocumentClassifier		Write		aws:RequestTag/${TagKey} aws:TagKeys comprehend:VolumeKmsKey comprehend:ModelKmsKey comprehend:OutputKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
CreateEndpoint	Grants permission to create a model-specific endpoint for synchronous inference for a previously trained custom model	Write	document-classifier*
			document-classifier-endpoint*	aws:RequestTag/${TagKey} aws:TagKeys
			entity-recognizer*
			entity-recognizer-endpoint*	aws:RequestTag/${TagKey} aws:TagKeys
			flywheel
CreateEntityRecognizer	Grants permission to create an entity recognizer using submitted files	Write	entity-recognizer*
CreateEntityRecognizer		Write		aws:RequestTag/${TagKey} aws:TagKeys comprehend:VolumeKmsKey comprehend:ModelKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
CreateFlywheel	Grants permission to create a new flywheel that you can use to train model versions	Write	flywheel*	aws:RequestTag/${TagKey} aws:TagKeys comprehend:VolumeKmsKey comprehend:ModelKmsKey comprehend:DataLakeKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
			document-classifier
			entity-recognizer
DeleteDocumentClassifier	Grants permission to delete a previously created document classifier	Write	document-classifier*
DeleteEndpoint	Grants permission to delete a model-specific endpoint for a previously-trained custom model. All endpoints must be deleted in order for the model to be deleted	Write	document-classifier-endpoint*
DeleteEndpoint		Write	entity-recognizer-endpoint*
DeleteEntityRecognizer	Grants permission to delete a submitted entity recognizer	Write	entity-recognizer*
DeleteFlywheel	Grants permission to Delete a flywheel	Write	flywheel*
DeleteResourcePolicy	Grants permission to remove policy on resource	Write	document-classifier*
DeleteResourcePolicy	Grants permission to remove policy on resource	Write	entity-recognizer*
DescribeDataset	Grants permission to get the properties associated with a dataset	Read	flywheel-dataset*
DescribeDocumentClassificationJob	Grants permission to get the properties associated with a document classification job	Read	document-classification-job*
DescribeDocumentClassifier	Grants permission to get the properties associated with a document classifier	Read	document-classifier*
DescribeDominantLanguageDetectionJob	Grants permission to get the properties associated with a dominant language detection job	Read	dominant-language-detection-job*
DescribeEndpoint	Grants permission to get the properties associated with a specific endpoint. Use this operation to get the status of an endpoint	Read	document-classifier-endpoint*
DescribeEndpoint		Read	entity-recognizer-endpoint*
DescribeEntitiesDetectionJob	Grants permission to get the properties associated with an entities detection job	Read	entities-detection-job*
DescribeEntityRecognizer	Grants permission to provide details about an entity recognizer including status, S3 buckets containing training data, recognizer metadata, metrics, and so on	Read	entity-recognizer*
DescribeEventsDetectionJob	Grants permission to get the properties associated with an Events detection job	Read	events-detection-job*
DescribeFlywheel	Grants permission to get the properties associated with a flywheel	Read	flywheel*
DescribeFlywheelIteration	Grants permission to get the properties associated with a flywheel iteration for a flywheel	Read	flywheel*
DescribeFlywheelIteration		Read		comprehend:FlywheelIterationId
DescribeKeyPhrasesDetectionJob	Grants permission to get the properties associated with a key phrases detection job	Read	key-phrases-detection-job*
DescribePiiEntitiesDetectionJob	Grants permission to get the properties associated with a PII entities detection job	Read	pii-entities-detection-job*
DescribeResourcePolicy	Grants permission to read attached policy on resource	Read	document-classifier*
DescribeResourcePolicy	Grants permission to read attached policy on resource	Read	entity-recognizer*
DescribeSentimentDetectionJob	Grants permission to get the properties associated with a sentiment detection job	Read	sentiment-detection-job*
DescribeTargetedSentimentDetectionJob	Grants permission to get the properties associated with a targeted sentiment detection job	Read	targeted-sentiment-detection-job*
DescribeTopicsDetectionJob	Grants permission to get the properties associated with a topic detection job	Read	topics-detection-job*
DetectDominantLanguage	Grants permission to detect the language or languages present in the text	Read
DetectEntities	Grants permission to detect the named entities ("People", "Places", "Locations", etc) within the given text document	Read	entity-recognizer-endpoint
DetectKeyPhrases	Grants permission to detect the phrases in the text that are most indicative of the content	Read
DetectPiiEntities	Grants permission to detect the personally identifiable information entities ("Name", "SSN", "PIN", etc) within the given text document	Read
DetectSentiment	Grants permission to detect the sentiment of a text in a document (Positive, Negative, Neutral, or Mixed)	Read
DetectSyntax	Grants permission to detect syntactic information (like Part of Speech, Tokens) in a text document	Read
DetectTargetedSentiment	Grants permission to detect the sentiments associated with specific entities (such as brands or products) in a document	Read
DetectToxicContent	Grants permission to detect toxic content within the given list of text segments	Read
ImportModel	Grants permission to import a trained Comprehend model	Write	document-classifier*
			entity-recognizer*
				aws:RequestTag/${TagKey} aws:TagKeys comprehend:ModelKmsKey
ListDatasets	Grants permission to get a list of the Datasets associated with a flywheel	Read	flywheel*
ListDocumentClassificationJobs	Grants permission to get a list of the document classification jobs that you have submitted	Read
ListDocumentClassifierSummaries	Grants permission to get a list of summaries of the document classifiers that you have created	Read
ListDocumentClassifiers	Grants permission to get a list of the document classifiers that you have created	Read
ListDominantLanguageDetectionJobs	Grants permission to get a list of the dominant language detection jobs that you have submitted	Read
ListEndpoints	Grants permission to get a list of all existing endpoints that you've created	Read
ListEntitiesDetectionJobs	Grants permission to get a list of the entity detection jobs that you have submitted	Read
ListEntityRecognizerSummaries	Grants permission to get a list of summaries for the entity recognizers that you have created	Read
ListEntityRecognizers	Grants permission to get a list of the properties of all entity recognizers that you created, including recognizers currently in training	Read
ListEventsDetectionJobs	Grants permission to get a list of Events detection jobs that you have submitted	Read
ListFlywheelIterationHistory	Grants permission to get a list of iterations associated for a flywheel	Read	flywheel*
ListFlywheels	Grants permission to get a list of the flywheels that you have created	Read
ListKeyPhrasesDetectionJobs	Grants permission to get a list of key phrase detection jobs that you have submitted	Read
ListPiiEntitiesDetectionJobs	Grants permission to get a list of PII entities detection jobs that you have submitted	Read
ListSentimentDetectionJobs	Grants permission to get a list of sentiment detection jobs that you have submitted	Read
ListTagsForResource	Grants permission to list tags for a resource	Read	document-classification-job
			document-classifier
			document-classifier-endpoint
			dominant-language-detection-job
			entities-detection-job
			entity-recognizer
			entity-recognizer-endpoint
			events-detection-job
			flywheel
			flywheel-dataset
			key-phrases-detection-job
			pii-entities-detection-job
			sentiment-detection-job
			targeted-sentiment-detection-job
			topics-detection-job
ListTargetedSentimentDetectionJobs	Grants permission to get a list of targeted sentiment detection jobs that you have submitted	Read
ListTopicsDetectionJobs	Grants permission to get a list of the topic detection jobs that you have submitted	Read
PutResourcePolicy	Grants permission to attach policy to resource	Write	document-classifier*
PutResourcePolicy	Grants permission to attach policy to resource	Write	entity-recognizer*
StartDocumentClassificationJob	Grants permission to start an asynchronous document classification job	Write	document-classification-job*	aws:RequestTag/${TagKey} aws:TagKeys comprehend:VolumeKmsKey comprehend:OutputKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
			document-classifier
			flywheel
StartDominantLanguageDetectionJob	Grants permission to start an asynchronous dominant language detection job for a collection of documents	Write	dominant-language-detection-job*
StartDominantLanguageDetectionJob		Write		aws:RequestTag/${TagKey} aws:TagKeys comprehend:VolumeKmsKey comprehend:OutputKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
StartEntitiesDetectionJob	Grants permission to start an asynchronous entity detection job for a collection of documents	Write	entities-detection-job*	aws:RequestTag/${TagKey} aws:TagKeys comprehend:VolumeKmsKey comprehend:OutputKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
			entity-recognizer
			flywheel
StartEventsDetectionJob	Grants permission to start an asynchronous Events detection job for a collection of documents	Write	events-detection-job*
StartEventsDetectionJob		Write		aws:RequestTag/${TagKey} aws:TagKeys comprehend:OutputKmsKey
StartFlywheelIteration	Grants permission to start a flywheel iteration for a flywheel	Write	flywheel*
StartKeyPhrasesDetectionJob	Grants permission to start an asynchronous key phrase detection job for a collection of documents	Write	key-phrases-detection-job*
StartKeyPhrasesDetectionJob		Write		aws:RequestTag/${TagKey} aws:TagKeys comprehend:VolumeKmsKey comprehend:OutputKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
StartPiiEntitiesDetectionJob	Grants permission to start an asynchronous PII entities detection job for a collection of documents	Write	pii-entities-detection-job*
StartPiiEntitiesDetectionJob		Write		aws:RequestTag/${TagKey} aws:TagKeys comprehend:OutputKmsKey
StartSentimentDetectionJob	Grants permission to start an asynchronous sentiment detection job for a collection of documents	Write	sentiment-detection-job*
StartSentimentDetectionJob		Write		aws:RequestTag/${TagKey} aws:TagKeys comprehend:VolumeKmsKey comprehend:OutputKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
StartTargetedSentimentDetectionJob	Grants permission to start an asynchronous targeted sentiment detection job for a collection of documents	Write	targeted-sentiment-detection-job*
StartTargetedSentimentDetectionJob		Write		aws:RequestTag/${TagKey} aws:TagKeys comprehend:VolumeKmsKey comprehend:OutputKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
StartTopicsDetectionJob	Grants permission to start an asynchronous job to detect the most common topics in the collection of documents and the phrases associated with each topic	Write	topics-detection-job*
StartTopicsDetectionJob		Write		aws:RequestTag/${TagKey} aws:TagKeys comprehend:VolumeKmsKey comprehend:OutputKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
StopDominantLanguageDetectionJob	Grants permission to stop a dominant language detection job	Write	dominant-language-detection-job*
StopEntitiesDetectionJob	Grants permission to stop an entity detection job	Write	entities-detection-job*
StopEventsDetectionJob	Grants permission to stop an Events detection job	Write	events-detection-job*
StopKeyPhrasesDetectionJob	Grants permission to stop a key phrase detection job	Write	key-phrases-detection-job*
StopPiiEntitiesDetectionJob	Grants permission to stop a PII entities detection job	Write	pii-entities-detection-job*
StopSentimentDetectionJob	Grants permission to stop a sentiment detection job	Write	sentiment-detection-job*
StopTargetedSentimentDetectionJob	Grants permission to stop a targeted sentiment detection job	Write	targeted-sentiment-detection-job*
StopTrainingDocumentClassifier	Grants permission to stop a previously created document classifier training job	Write	document-classifier*
StopTrainingEntityRecognizer	Grants permission to stop a previously created entity recognizer training job	Write	entity-recognizer*
TagResource	Grants permission to tag a resource with given key value pairs	Tagging	document-classification-job
			document-classifier
			document-classifier-endpoint
			dominant-language-detection-job
			entities-detection-job
			entity-recognizer
			entity-recognizer-endpoint
			events-detection-job
			flywheel
			flywheel-dataset
			key-phrases-detection-job
			pii-entities-detection-job
			sentiment-detection-job
			targeted-sentiment-detection-job
			topics-detection-job
				aws:RequestTag/${TagKey} aws:TagKeys
UntagResource	Grants permission to untag a resource with given key	Tagging	document-classification-job
			document-classifier
			document-classifier-endpoint
			dominant-language-detection-job
			entities-detection-job
			entity-recognizer
			entity-recognizer-endpoint
			events-detection-job
			flywheel
			flywheel-dataset
			key-phrases-detection-job
			pii-entities-detection-job
			sentiment-detection-job
			targeted-sentiment-detection-job
			topics-detection-job
				aws:TagKeys
UpdateEndpoint	Grants permission to update information about the specified endpoint	Write	document-classifier-endpoint*
			entity-recognizer-endpoint*
			flywheel
UpdateFlywheel	Grants permission to Update a flywheel's configuration	Write	flywheel*	comprehend:VolumeKmsKey comprehend:ModelKmsKey comprehend:VpcSecurityGroupIds comprehend:VpcSubnets
			document-classifier
			entity-recognizer

Resource types defined by Amazon Comprehend

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
targeted-sentiment-detection-job	`arn:${Partition}:comprehend:${Region}:${Account}:targeted-sentiment-detection-job/${JobId}`	aws:ResourceTag/${TagKey}
document-classifier	`arn:${Partition}:comprehend:${Region}:${Account}:document-classifier/${DocumentClassifierName}`	aws:ResourceTag/${TagKey}
document-classifier-endpoint	`arn:${Partition}:comprehend:${Region}:${Account}:document-classifier-endpoint/${DocumentClassifierEndpointName}`	aws:ResourceTag/${TagKey}
entity-recognizer	`arn:${Partition}:comprehend:${Region}:${Account}:entity-recognizer/${EntityRecognizerName}`	aws:ResourceTag/${TagKey}
entity-recognizer-endpoint	`arn:${Partition}:comprehend:${Region}:${Account}:entity-recognizer-endpoint/${EntityRecognizerEndpointName}`	aws:ResourceTag/${TagKey}
dominant-language-detection-job	`arn:${Partition}:comprehend:${Region}:${Account}:dominant-language-detection-job/${JobId}`	aws:ResourceTag/${TagKey}
entities-detection-job	`arn:${Partition}:comprehend:${Region}:${Account}:entities-detection-job/${JobId}`	aws:ResourceTag/${TagKey}
pii-entities-detection-job	`arn:${Partition}:comprehend:${Region}:${Account}:pii-entities-detection-job/${JobId}`	aws:ResourceTag/${TagKey}
events-detection-job	`arn:${Partition}:comprehend:${Region}:${Account}:events-detection-job/${JobId}`	aws:ResourceTag/${TagKey}
key-phrases-detection-job	`arn:${Partition}:comprehend:${Region}:${Account}:key-phrases-detection-job/${JobId}`	aws:ResourceTag/${TagKey}
sentiment-detection-job	`arn:${Partition}:comprehend:${Region}:${Account}:sentiment-detection-job/${JobId}`	aws:ResourceTag/${TagKey}
topics-detection-job	`arn:${Partition}:comprehend:${Region}:${Account}:topics-detection-job/${JobId}`	aws:ResourceTag/${TagKey}
document-classification-job	`arn:${Partition}:comprehend:${Region}:${Account}:document-classification-job/${JobId}`	aws:ResourceTag/${TagKey}
flywheel	`arn:${Partition}:comprehend:${Region}:${Account}:flywheel/${FlywheelName}`	aws:ResourceTag/${TagKey}
flywheel-dataset	`arn:${Partition}:comprehend:${Region}:${Account}:flywheel/${FlywheelName}/dataset/${DatasetName}`	aws:ResourceTag/${TagKey}

Condition keys for Amazon Comprehend

Amazon Comprehend defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by requiring tag values present in a resource creation request	String
aws:ResourceTag/${TagKey}	Filters access by requiring tag value associated with the resource	String
aws:TagKeys	Filters access by requiring the presence of mandatory tags in the request	ArrayOfString
comprehend:DataLakeKmsKey	Filters access by the DataLake Kms Key associated with the flywheel resource in the request	ARN
comprehend:FlywheelIterationId	Filters access by particular Iteration Id for a flywheel	String
comprehend:ModelKmsKey	Filters access by the model KMS key associated with the resource in the request	ARN
comprehend:OutputKmsKey	Filters access by the output KMS key associated with the resource in the request	ARN
comprehend:VolumeKmsKey	Filters access by the volume KMS key associated with the resource in the request	ARN
comprehend:VpcSecurityGroupIds	Filters access by the list of all VPC security group ids associated with the resource in the request	ArrayOfString
comprehend:VpcSubnets	Filters access by the list of all VPC subnets associated with the resource in the request	ArrayOfString

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon Cognito User Pools

Amazon Comprehend Medical