AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Lightsail

Amazon Lightsail (service prefix: lightsail) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Lightsail

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AllocateStaticIp | Allocates a static IP address. | Write | StaticIp* | | |
| AttachStaticIp | Attaches a static IP address to a specific Amazon Lightsail instance. | Write | Instance*, StaticIp* | | |
| CloseInstancePublicPorts | Closes the public ports on a specific Amazon Lightsail instance. | Write | Instance* | | |
| CreateDomain | Creates a domain resource for the specified domain. | Write | Domain* | | |
| CreateDomainEntry | Creates one of the following entry records associated with the domain: A record, CNAME record, TXT record, or MX record. | Write | Domain* | | |
| CreateInstanceSnapshot | Creates a snapshot of a specific instance. You can use a snapshot to create a new instance that is based on that snapshot. | Write | Instance*, InstanceSnapshot* | | |
| CreateInstances | Creates one or more Amazon Lightsail instances. | Write | KeyPair* | | |
| CreateInstancesFromSnapshot | Uses a specific snapshot as a blueprint for creating one or more new instances that are based on that identical configuration. | Write | Instance*, InstanceSnapshot* | | |
| CreateKeyPair | Creates an SSH key pair. | Write | KeyPair* | | |
| DeleteDomain | Deletes the specified domain recordset and all of its domain records. | Write | Domain* | | |
| DeleteDomainEntry | Deletes a specific domain entry. | Write | Domain* | | |
| DeleteInstance | Deletes a specific Amazon Lightsail instance. | Write | Instance* | | |
| DeleteInstanceSnapshot | Deletes a specific snapshot of an instance. | Write | InstanceSnapshot* | | |
| DeleteKeyPair | Deletes a specific SSH key pair. | Write | KeyPair* | | |
| DetachStaticIp | Detaches a static IP from the Amazon Lightsail instance to which it is attached. | Write | Instance*, StaticIp* | | |
| DownloadDefaultKeyPair | Downloads the default SSH key pair from the user's account. | Read | KeyPair* | | |
| GetActiveNames | Returns the names of all active (not deleted) resources. | Read | | | |
| GetBlueprints | Returns the list of available instance images, or blueprints. You can use a blueprint to create a new instance already running a specific operating system, as well as a preinstalled app or development stack. The software each instance is running depends on the blueprint image you choose. | List | | | |
| GetBundles | Returns the list of bundles that are available for purchase. A bundle describes the specifications for your instance. | List | | | |
| GetDomain | Returns information about a specific domain recordset. | List | Domain* | | |
| GetDomains | Returns a list of all domains in the user's account. | Read | Domain* | | |
| GetInstance | Returns information about a specific Amazon Lightsail instance. | Read | Instance* | | |
| GetInstanceAccessDetails | Returns temporary SSH keys you can use to connect to a specific instance. | Read | Instance* | | |
| GetInstanceMetricData | Returns the data points for the specified Amazon Lightsail instance metric, given an instance name. | Read | Instance* | | |
| GetInstancePortStates | Returns the port states for a specific instance. | Read | Instance* | | |
| GetInstanceSnapshot | Returns information about a specific instance snapshot. | Read | InstanceSnapshot* | | |
| GetInstanceSnapshots | Returns all instance snapshots for the user's account. | List | InstanceSnapshot* | | |
| GetInstanceState | Returns the state of a specific instance. | Read | Instance* | | |
| GetInstances | Returns information about all Amazon Lightsail instances. | List | Instance* | | |
| GetKeyPair | Returns information about a specific key pair. | List | KeyPair* | | |
| GetKeyPairs | Returns information about all key pairs in the user's account. | Read | KeyPair* | | |
| GetOperation | Returns information about a specific operation. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on. | Read | | | |
| GetOperations | Returns information about all operations. | Read | | | |
| GetOperationsForResource | Gets operations for a specific resource. | Read | Domain, Instance, InstanceSnapshot, KeyPair, StaticIp | | |
| GetRegions | Returns a list of all valid regions for Amazon Lightsail. | List | | | |
| GetStaticIp | Returns information about a specific static IP. | Read | StaticIp* | | |
| GetStaticIps | Returns information about all static IPs in the user's account. | List | StaticIp* | | |
| ImportKeyPair | Imports a public SSH key from a specific key pair. | Write | KeyPair* | | |
| IsVpcPeered | Returns a Boolean value indicating whether your Lightsail VPC is peered. | List | | | |
| OpenInstancePublicPorts | Adds public ports to an Amazon Lightsail instance. | Write | Instance* | | |
| PeerVpc | Tries to peer the Lightsail VPC with the user's default VPC. | Write | | | |
| RebootInstance | Restarts a specific instance. When your Amazon Lightsail instance is finished rebooting, Lightsail assigns a new public IP address. To use the same IP address after restarting, create a static IP address and attach it to the instance. | Write | Instance* | | |
| ReleaseStaticIp | Deletes a specific static IP from your account. | Write | StaticIp* | | |
| StartInstance | Starts a specific Amazon Lightsail instance from a stopped state. To restart an instance, use the reboot instance operation. | Write | Instance* | | |
| StopInstance | Stops a specific Amazon Lightsail instance that is currently running. | Write | Instance* | | |
| UnpeerVpc | Attempts to unpeer the Lightsail VPC from the user's default VPC. | Write | | | |
| UpdateDomainEntry | Updates a domain RecordSet after it is created. | Write | Domain* | | |

Resources Defined by Lightsail

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| Domain | arn:${Partition}:lightsail:${Region}:${Account}:Domain/${Id} | |
| Instance | arn:${Partition}:lightsail:${Region}:${Account}:Instance/${Id} | |
| InstanceSnapshot | arn:${Partition}:lightsail:${Region}:${Account}:InstanceSnapshot/${Id} | |
| KeyPair | arn:${Partition}:lightsail:${Region}:${Account}:KeyPair/${Id} | |
| StaticIp | arn:${Partition}:lightsail:${Region}:${Account}:StaticIp/${Id} | |

Condition Keys for Amazon Lightsail

Lightsail has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.
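
An added example (not part of the AWS guide): a small policy check built on the Actions and Resource Types tables above. It flags Allow statements that match the two Read-level actions whose descriptions say they return SSH keys, and actions whose required resource type is not matched by any Resource ARN. ACTIONS is a hand-copied subset of the table; the function names, sample policy and account ID are constructed for illustration.

```python
import fnmatch

# Subset of the Actions table above: action -> (access level, required resource types).
ACTIONS = {
    "GetInstance": ("Read", {"Instance"}),
    "GetInstanceAccessDetails": ("Read", {"Instance"}),
    "DownloadDefaultKeyPair": ("Read", {"KeyPair"}),
    "GetKeyPair": ("List", {"KeyPair"}),
    "AttachStaticIp": ("Write", {"Instance", "StaticIp"}),
}
# Read-level actions whose descriptions in the table say they return SSH keys.
RETURNS_KEYS = {"GetInstanceAccessDetails", "DownloadDefaultKeyPair"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers(resource, rtype):
    # ARN layout from the Resource Types table: arn:partition:lightsail:region:account:Type/Id
    parts = resource.split(":", 5)
    if len(parts) < 6 or parts[2] != "lightsail":
        return resource == "*"
    return fnmatch.fnmatchcase(rtype, parts[5].split("/", 1)[0])

def audit(policy):
    findings = set()
    allows = [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    for stmt in allows:
        resources = as_list(stmt.get("Resource", []))
        for pattern in as_list(stmt.get("Action", [])):
            service, _, name_pat = pattern.rpartition(":")
            in_scope = pattern == "*" or service.lower() == "lightsail"
            for name, (level, required) in ACTIONS.items():
                if not (in_scope and fnmatch.fnmatchcase(name.lower(), name_pat.lower())):
                    continue
                if name in RETURNS_KEYS:
                    findings.add((name, f"{level}-level action returns SSH keys"))
                for rtype in sorted(required):
                    if not any(covers(r, rtype) for r in resources):
                        findings.add((name, f"no Resource matches required type {rtype}"))
    return sorted(findings)

# Constructed policy meant as "read-only monitoring"; the account ID is a placeholder.
INSTANCES = "arn:aws:lightsail:us-east-1:111122223333:Instance/*"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lightsail:Get*", "Resource": INSTANCES},
    {"Effect": "Allow", "Action": ["lightsail:AttachStaticIp"], "Resource": INSTANCES},
]}

print(*audit(SAMPLE_POLICY), sep="\n")
```

The wildcard `lightsail:Get*` is what pulls GetInstanceAccessDetails into a policy written for monitoring; listing the intended Get actions by name removes that finding.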