Actions, Resources, and Condition Keys for Amazon Lightsail - AWS Identity and Access Management

Amazon Lightsail (service prefix: lightsail) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Lightsail

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource Types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

Actions table (columns: Actions, Description, Access Level, Resource Types (*required), Condition Keys, Dependent Actions). Each entry gives the action, its description and its access level in brackets; the indented lines that follow list the resource types and condition keys for that action. An action whose entry lists no resource type supports no resource-level permission, so a statement granting it must use "*" in the Resource element. None of the entries shown list dependent actions.

AllocateStaticIp: Creates a static IP address that can be attached to an instance. [Write]
    Resource types: StaticIp*

AttachDisk: Attaches a disk to an instance. [Write]
    Resource types: Disk*, Instance*

AttachInstancesToLoadBalancer: Attaches one or more instances to a load balancer. [Write]
    Resource types: Instance*, LoadBalancer*

AttachLoadBalancerTlsCertificate: Attaches a TLS certificate to a load balancer. [Write]
    Resource types: LoadBalancer*

AttachStaticIp: Attaches a static IP address to an instance. [Write]
    Resource types: Instance*, StaticIp*

CloseInstancePublicPorts: Closes a public port of an instance. [Write]
    Resource types: Instance*

CopySnapshot: Copies a snapshot from one AWS Region to another in Amazon Lightsail. [Write]
    Resource types: none

CreateCloudFormationStack: Creates a new Amazon EC2 instance from an exported Amazon Lightsail snapshot. [Write]
    Resource types: ExportSnapshotRecord*

CreateDisk: Creates a disk. [Write]
    Resource types: Disk*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateDiskFromSnapshot: Creates a disk from a snapshot. [Write]
    Resource types: Disk*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateDiskSnapshot: Creates a disk snapshot. [Write]
    Resource types: Disk*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateDomain: Creates a domain resource for the specified domain name. [Write]
    Resource types: Domain*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateDomainEntry: Creates one or more DNS record entries for a domain resource: address (A), canonical name (CNAME), mail exchanger (MX), name server (NS), start of authority (SOA), service locator (SRV), or text (TXT). [Write]
    Resource types: Domain*

CreateInstanceSnapshot: Creates an instance snapshot. [Write]
    Resource types: Instance*, InstanceSnapshot*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateInstances: Creates one or more instances. [Write]
    Resource types: KeyPair*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateInstancesFromSnapshot: Creates one or more instances based on an instance snapshot. [Write]
    Resource types: Instance*, InstanceSnapshot*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateKeyPair: Creates a key pair used to authenticate and connect to an instance. [Write]
    Resource types: KeyPair*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateLoadBalancer: Creates a load balancer. [Write]
    Resource types: LoadBalancer*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateLoadBalancerTlsCertificate: Creates a load balancer TLS certificate. [Write]
    Resource types: LoadBalancer*

CreateRelationalDatabase: Creates a new relational database. [Write]
    Resource types: RelationalDatabase*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateRelationalDatabaseFromSnapshot: Creates a new relational database from a snapshot. [Write]
    Resource types: RelationalDatabase*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

CreateRelationalDatabaseSnapshot: Creates a relational database snapshot. [Write]
    Resource types: RelationalDatabaseSnapshot*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

DeleteDisk: Deletes a disk. [Write]
    Resource types: Disk*

DeleteDiskSnapshot: Deletes a disk snapshot. [Write]
    Resource types: Disk*

DeleteDomain: Deletes a domain resource and all of its DNS records. [Write]
    Resource types: Domain*

DeleteDomainEntry: Deletes a DNS record entry for a domain resource. [Write]
    Resource types: Domain*

DeleteInstance: Deletes an instance. [Write]
    Resource types: Instance*

DeleteInstanceSnapshot: Deletes an instance snapshot. [Write]
    Resource types: InstanceSnapshot*

DeleteKeyPair: Deletes a key pair used to authenticate and connect to an instance. [Write]
    Resource types: KeyPair*

DeleteKnownHostKeys: Deletes the known host key or certificate used by the Amazon Lightsail browser-based SSH or RDP clients to authenticate an instance. [Write]
    Resource types: Instance*

DeleteLoadBalancer: Deletes a load balancer. [Write]
    Resource types: LoadBalancer*

DeleteLoadBalancerTlsCertificate: Deletes a load balancer TLS certificate. [Write]
    Resource types: LoadBalancer*

DeleteRelationalDatabase: Deletes a relational database. [Write]
    Resource types: RelationalDatabase*

DeleteRelationalDatabaseSnapshot: Deletes a relational database snapshot. [Write]
    Resource types: RelationalDatabaseSnapshot*

DetachDisk: Detaches a disk from an instance. [Write]
    Resource types: Disk*

DetachInstancesFromLoadBalancer: Detaches one or more instances from a load balancer. [Write]
    Resource types: Instance*, LoadBalancer*

DetachStaticIp: Detaches a static IP from the instance to which it is attached. [Write]
    Resource types: Instance*, StaticIp*

DownloadDefaultKeyPair: Downloads the default key pair used to authenticate and connect to instances in a specific AWS Region. [Write]
    Resource types: KeyPair*

ExportSnapshot: Exports an Amazon Lightsail snapshot to Amazon EC2. [Write]
    Resource types: none

GetActiveNames: Returns the names of all active (not deleted) resources. [Read]
    Resource types: none

GetBlueprints: Returns a list of instance images, or blueprints. You can use a blueprint to create a new instance already running a specific operating system, as well as a pre-installed application or development stack. The software that runs on your instance depends on the blueprint you define when creating the instance. [List]
    Resource types: none

GetBundles: Returns a list of instance bundles. You can use a bundle to create a new instance with a set of performance specifications, such as CPU count, disk size, RAM size, and network transfer allowance. The cost of your instance depends on the bundle you define when creating the instance. [List]
    Resource types: none

GetCloudFormationStackRecords: Returns information about all CloudFormation stacks used to create Amazon EC2 resources from exported Amazon Lightsail snapshots. [List]
    Resource types: CloudFormationStackRecord*

GetDisk: Returns information about a disk. [Read]
    Resource types: Disk*

GetDiskSnapshot: Returns information about a disk snapshot. [Read]
    Resource types: Disk*

GetDiskSnapshots: Returns information about all disk snapshots. [List]
    Resource types: Disk*

GetDisks: Returns information about all disks. [List]
    Resource types: none

GetDomain: Returns DNS records for a domain resource. [Read]
    Resource types: Domain*

GetDomains: Returns DNS records for all domain resources. [Read]
    Resource types: Domain*

GetExportSnapshotRecords: Returns information about all records to export Amazon Lightsail snapshots to Amazon EC2. [List]
    Resource types: ExportSnapshotRecord*

GetInstance: Returns information about an instance. [Read]
    Resource types: Instance*

GetInstanceAccessDetails: Returns temporary keys you can use to authenticate and connect to an instance. [Write]
    Resource types: Instance*

GetInstanceMetricData: Returns the data points for the specified metric of an instance. [Read]
    Resource types: Instance*

GetInstancePortStates: Returns the port states of an instance. [Read]
    Resource types: Instance*

GetInstanceSnapshot: Returns information about an instance snapshot. [Read]
    Resource types: InstanceSnapshot*

GetInstanceSnapshots: Returns information about all instance snapshots. [List]
    Resource types: InstanceSnapshot*

GetInstanceState: Returns the state of an instance. [Read]
    Resource types: Instance*

GetInstances: Returns information about all instances. [Read]
    Resource types: Instance*

GetKeyPair: Returns information about a key pair. [List]
    Resource types: KeyPair*

GetKeyPairs: Returns information about all key pairs. [Read]
    Resource types: KeyPair*

GetLoadBalancer: Returns information about a load balancer. [Read]
    Resource types: LoadBalancer*

GetLoadBalancerMetricData: Returns the data points for the specified metric of a load balancer. [Read]
    Resource types: LoadBalancer*

GetLoadBalancerTlsCertificates: Returns information about a load balancer TLS certificate. [Read]
    Resource types: LoadBalancer*

GetLoadBalancers: Returns information about load balancers. [Read]
    Resource types: LoadBalancer*

GetOperation: Returns information about an operation. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on. [Read]
    Resource types: none

GetOperations: Returns information about all operations. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on. [Read]
    Resource types: none

GetOperationsForResource: Returns operations for a resource. [Read]
    Resource types: Domain, Instance, InstanceSnapshot, KeyPair, StaticIp

GetRegions: Returns a list of all valid AWS Regions for Amazon Lightsail. [List]
    Resource types: none

GetRelationalDatabase: Returns information about a relational database. [List]
    Resource types: RelationalDatabase*

GetRelationalDatabaseBlueprints: Returns a list of relational database images, or blueprints. You can use a blueprint to create a new database running a specific database engine. The database engine that runs on your database depends on the blueprint you define when creating the relational database. [List]
    Resource types: none

GetRelationalDatabaseBundles: Returns a list of relational database bundles. You can use a bundle to create a new database with a set of performance specifications, such as CPU count, disk size, RAM size, network transfer allowance, and standard of high availability. The cost of your database depends on the bundle you define when creating the relational database. [List]
    Resource types: none

GetRelationalDatabaseEvents: Returns events for a relational database. [Read]
    Resource types: none

GetRelationalDatabaseLogEvents: Returns events for the specified log stream of a relational database. [Read]
    Resource types: none

GetRelationalDatabaseLogStreams: Returns the log streams available for a relational database. [Read]
    Resource types: none

GetRelationalDatabaseMasterUserPassword: Returns the master user password of a relational database. [Write]
    Resource types: none

GetRelationalDatabaseMetricData: Returns the data points for the specified metric of a relational database. [Read]
    Resource types: none

GetRelationalDatabaseParameters: Returns the parameters of a relational database. [List]
    Resource types: none

GetRelationalDatabaseSnapshot: Returns information about a relational database snapshot. [List]
    Resource types: RelationalDatabase*

GetRelationalDatabaseSnapshots: Returns information about all relational database snapshots. [List]
    Resource types: RelationalDatabase*

GetRelationalDatabases: Returns information about all relational databases. [Read]
    Resource types: RelationalDatabase*

GetStaticIp: Returns information about a static IP. [Read]
    Resource types: StaticIp*

GetStaticIps: Returns information about all static IPs. [Read]
    Resource types: StaticIp*

ImportKeyPair: Imports a public key from a key pair. [Write]
    Resource types: KeyPair*

IsVpcPeered: Returns a boolean value indicating whether the Amazon Lightsail virtual private cloud (VPC) is peered. [Read]
    Resource types: none

OpenInstancePublicPorts: Adds or opens a public port of an instance. [Write]
    Resource types: Instance*

PeerVpc: Tries to peer the Amazon Lightsail virtual private cloud (VPC) with the default VPC. [Write]
    Resource types: none

PutInstancePublicPorts: Sets the specified open ports for an instance, and closes all ports for every protocol not included in the request. [Write]
    Resource types: Instance*

RebootInstance: Reboots an instance that is in a running state. [Write]
    Resource types: Instance*

RebootRelationalDatabase: Reboots a relational database that is in a running state. [Write]
    Resource types: RelationalDatabase*

ReleaseStaticIp: Deletes a static IP. [Write]
    Resource types: StaticIp*

StartInstance: Starts an instance that is in a stopped state. [Write]
    Resource types: Instance*

StartRelationalDatabase: Starts a relational database that is in a stopped state. [Write]
    Resource types: RelationalDatabase*

StopInstance: Stops an instance that is in a running state. [Write]
    Resource types: Instance*

StopRelationalDatabase: Stops a relational database that is in a running state. [Write]
    Resource types: RelationalDatabase*

TagResource: Tags a resource. [Write]
    Resource types: Disk, DiskSnapshot, Domain, Instance, InstanceSnapshot, KeyPair, LoadBalancer, RelationalDatabase, RelationalDatabaseSnapshot, StaticIp
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

UnpeerVpc: Attempts to unpeer the Amazon Lightsail virtual private cloud (VPC) from the default VPC. [Write]
    Resource types: none

UntagResource: Untags a resource. [Write]
    Resource types: Disk, DiskSnapshot, Domain, Instance, InstanceSnapshot, KeyPair, LoadBalancer, RelationalDatabase, RelationalDatabaseSnapshot, StaticIp
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys

UpdateDomainEntry: Updates a domain recordset after it is created. [Write]
    Resource types: Domain*

UpdateLoadBalancerAttribute: Updates a load balancer attribute, such as the health check path and session stickiness. [Write]
    Resource types: LoadBalancer*

UpdateRelationalDatabase: Updates a relational database. [Write]
    Resource types: RelationalDatabase*

UpdateRelationalDatabaseParameters: Updates the parameters of a relational database. [Write]
    Resource types: none

Resource Types Defined by Amazon Lightsail

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types table (columns: Resource Types, ARN, Condition Keys). Each entry gives the resource type, with its ARN format and the condition keys it supports on the indented lines that follow.

Domain
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:Domain/${Id}
    Condition keys: aws:ResourceTag/${TagKey}

Instance
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:Instance/${Id}
    Condition keys: aws:ResourceTag/${TagKey}

InstanceSnapshot
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:InstanceSnapshot/${Id}
    Condition keys: aws:ResourceTag/${TagKey}

KeyPair
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:KeyPair/${Id}
    Condition keys: aws:ResourceTag/${TagKey}

StaticIp
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:StaticIp/${Id}
    Condition keys: aws:ResourceTag/${TagKey}

Disk
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:Disk/${Id}
    Condition keys: aws:ResourceTag/${TagKey}

DiskSnapshot
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:DiskSnapshot/${Id}
    Condition keys: aws:ResourceTag/${TagKey}

LoadBalancer
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancer/${Id}
    Condition keys: aws:ResourceTag/${TagKey}

PeeredVpc
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:PeeredVpc/${Id}
    Condition keys: none

LoadBalancerTlsCertificate
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancerTlsCertificate/${Id}
    Condition keys: none

ExportSnapshotRecord
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:ExportSnapshotRecord/${Id}
    Condition keys: none

CloudFormationStackRecord
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:CloudFormationStackRecord/${Id}
    Condition keys: none

RelationalDatabase
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabase/${Id}
    Condition keys: aws:ResourceTag/${TagKey}

RelationalDatabaseSnapshot
    ARN: arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabaseSnapshot/${Id}
    Condition keys: aws:ResourceTag/${TagKey}

Condition Keys for Amazon Lightsail

Amazon Lightsail defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys table (columns: Condition Keys, Description, Type):

aws:RequestTag/${TagKey}: Filters actions based on the presence of tag key-value pairs in the request. (Type: String)
aws:ResourceTag/${TagKey}: Filters actions based on tag key-value pairs attached to the resource. (Type: String)
aws:TagKeys: Filters actions based on the presence of tag keys in the request. (Type: String)
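A worked check of the rules the three tables above encode, added here as an example that is not AWS code and not part of this reference: the Python below transcribes a handful of rows from the actions table (CreateInstances, StartInstance, StopInstance, CopySnapshot, GetRelationalDatabaseMasterUserPassword), the ARN shape from the resource types table, and the two request-side tag condition keys into data, then lints policy statements for the three mistakes those tables make visible. An ARN given to an action that supports no resource-level permissions means the statement never matches, because the Resource element must be "*"; an ARN of a type the action's row does not list does not match either; and aws:RequestTag or aws:TagKeys attached to an action whose row does not list them has no effect. The two policy documents, the account number and the resource IDs are constructed sample input, and the table subset is only the rows named above, so real use would need the full table transcribed.

```python
"""Lint Lightsail IAM policy statements against the actions and resource types
tables on this page. Added example, not AWS code: the table subset below is
transcribed from the page, and every policy, ID and account number here is
constructed sample input."""
import re
from typing import Any, Dict, List, Tuple

# Subset of the actions table, transcribed by hand. An empty "resources" list
# means the table shows no resource type for the action, so a statement that
# grants it must use "*" in its Resource element.
ACTION_TABLE: Dict[str, Dict[str, List[str]]] = {
    "lightsail:CreateInstances": {
        "resources": ["KeyPair"],
        "conditions": ["aws:RequestTag/${TagKey}", "aws:TagKeys"],
    },
    "lightsail:StartInstance": {"resources": ["Instance"], "conditions": []},
    "lightsail:StopInstance": {"resources": ["Instance"], "conditions": []},
    "lightsail:CopySnapshot": {"resources": [], "conditions": []},
    "lightsail:GetRelationalDatabaseMasterUserPassword": {
        "resources": [], "conditions": [],
    },
}

# ARN shape from the resource types table:
#   arn:${Partition}:lightsail:${Region}:${Account}:<ResourceType>/${Id}
LIGHTSAIL_ARN = re.compile(r"^arn:[^:]+:lightsail:[^:]*:[^:]*:([A-Za-z]+)/.+$")

# Request-side tag keys whose support the actions table lists per action.
ACTION_SCOPED_KEYS = ("aws:RequestTag/", "aws:TagKeys")

Finding = Tuple[int, str, str]  # (statement index, action, problem)


def _as_list(value: Any) -> List[Any]:
    """Action, Resource and Statement may each be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def canonical_key(key: str) -> str:
    """Map aws:RequestTag/<anything> to the table's aws:RequestTag/${TagKey}."""
    if key.lower().startswith("aws:requesttag/"):
        return "aws:RequestTag/${TagKey}"
    return key


def lint_statement(index: int, stmt: Dict[str, Any]) -> List[Finding]:
    """Check one statement's actions against its resources and condition keys."""
    findings: List[Finding] = []
    resources = [str(r) for r in _as_list(stmt.get("Resource"))]
    cond_keys = [
        canonical_key(k)
        for operator_block in stmt.get("Condition", {}).values()
        for k in operator_block
    ]
    for action in _as_list(stmt.get("Action")):
        row = ACTION_TABLE.get(action)
        if row is None:
            findings.append((index, action, "not in the embedded table subset"))
            continue
        # Rule 1: no resource type listed -> Resource must be exactly "*".
        if not row["resources"] and any(r != "*" for r in resources):
            findings.append((index, action,
                             'no resource-level permissions; Resource must be "*"'))
        # Rule 2: a Lightsail ARN must name a resource type the action lists.
        for res in resources:
            match = LIGHTSAIL_ARN.match(res)
            if match and row["resources"] and match.group(1) not in row["resources"]:
                findings.append((index, action,
                                 f"ARN type {match.group(1)} not among {row['resources']}"))
        # Rule 3: request-tag keys only work on actions whose row lists them.
        for key in cond_keys:
            if key.startswith(ACTION_SCOPED_KEYS) and key not in row["conditions"]:
                findings.append((index, action, f"condition key {key} not supported"))
    return findings


def lint_policy(policy: Dict[str, Any]) -> List[Finding]:
    """Lint every statement of a policy document, in order."""
    return [
        finding
        for i, stmt in enumerate(_as_list(policy.get("Statement")))
        for finding in lint_statement(i, stmt)
    ]


# Constructed sample policies; the account number and IDs are placeholders.
ACCOUNT = "111122223333"
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lightsail:StartInstance", "lightsail:StopInstance"],
         "Resource": f"arn:aws:lightsail:us-east-1:{ACCOUNT}:Instance/EXAMPLE-ID"},
        {"Effect": "Allow", "Action": "lightsail:CopySnapshot", "Resource": "*"},
        {"Effect": "Allow", "Action": "lightsail:CreateInstances",
         "Resource": f"arn:aws:lightsail:us-east-1:{ACCOUNT}:KeyPair/*",
         "Condition": {"StringEquals": {"aws:RequestTag/Project": "payroll"},
                       "ForAllValues:StringEquals": {"aws:TagKeys": ["Project"]}}},
    ],
}
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Rule 1: CopySnapshot lists no resource type, so this never matches.
        {"Effect": "Allow", "Action": "lightsail:CopySnapshot",
         "Resource": f"arn:aws:lightsail:us-east-1:{ACCOUNT}:InstanceSnapshot/EXAMPLE-ID"},
        # Rules 2 and 3: wrong ARN type, plus a tag key StopInstance does not list.
        {"Effect": "Allow", "Action": "lightsail:StopInstance",
         "Resource": f"arn:aws:lightsail:us-east-1:{ACCOUNT}:KeyPair/EXAMPLE-ID",
         "Condition": {"StringEquals": {"aws:RequestTag/Env": "prod"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

Run as a script it reports no findings for the first policy and three for the second. The point of keeping the table as data rather than as prose is that the same check can run in CI over every policy a team ships; the rows that matter most to transcribe first are the ones with an empty resource column, such as GetRelationalDatabaseMasterUserPassword, since a reviewer who sees an ARN next to such an action may wrongly believe the grant is scoped.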