AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon WorkMail

Amazon WorkMail (service prefix: workmail) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon WorkMail

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AddMembersToGroup [permission only] | Adds a list of members (users or groups) to a group. | Write | | | |
| AssociateDelegateToResource | Adds a member (user or group) to the resource's set of delegates. | Write | | | |
| AssociateMemberToGroup | Adds a member (user or group) to the group's set. | Write | | | |
| CreateAlias | Adds an alias to the set of a given member (user or group) of WorkMail. | Write | | | |
| CreateGroup | Creates a group that can be used in WorkMail by calling the RegisterToWorkMail operation. | Write | | | |
| CreateMailDomain [permission only] | Creates a mail domain. | Write | | | |
| CreateMailUser [permission only] | Creates a user in the directory and the WorkMail storage but does not enable the user for mail. | Write | | | |
| CreateOrganization [permission only] | Creates an organization, either using an existing directory or creating a new directory on the fly. Also creates and enables the complementary mail domain. Optionally creates a KMS key. | Write | | | |
| CreateResource | Creates a new WorkMail resource. | Write | | | |
| CreateUser | Creates a user who can be used in WorkMail by calling the RegisterToWorkMail operation. | Write | | | |
| DeleteAlias | Removes one or more specified aliases from a set of aliases for a given user. | Write | | | |
| DeleteGroup | Deletes a group from WorkMail. | Write | | | |
| DeleteMailDomain [permission only] | Removes an unused mail domain from an organization. | Write | | | |
| DeleteMailboxPermissions | Deletes permissions granted to a member (user or group). | Write | | | |
| DeleteMobileDevice [permission only] | Removes a mobile device from a user. | Write | | | |
| DeleteOrganization [permission only] | Removes an organization from an account, either removing the directory from directory services or leaving it available for re-use. | Write | | | |
| DeleteResource | Deletes the specified resource. | Write | | | |
| DeleteUser | Deletes a user from WorkMail and all subsequent systems. The action cannot be undone. | Write | | | |
| DeregisterFromWorkMail | Marks a user, group, or resource as no longer used in WorkMail. | Write | | | |
| DescribeDirectories [permission only] | Shows a list of directories available for use in creating an organization. | List | | | |
| DescribeGroup | Returns the data available for the group. | List | | | |
| DescribeKmsKeys [permission only] | Shows a list of KMS keys available for use in creating an organization. | List | | | |
| DescribeMailDomains [permission only] | Shows the details of all mail domains associated with the organization. | List | | | |
| DescribeMailGroups [permission only] | Shows the details of all groups associated with the organization. | List | | | |
| DescribeMailUsers [permission only] | Shows the details of all users associated with the organization. | List | | | |
| DescribeOrganization | Provides more information regarding a given organization based on its identifier. | List | | | |
| DescribeOrganizations [permission only] | Shows a summary of all organizations associated with the account. | List | | | |
| DescribeResource | Returns the data available for the resource. | List | | | |
| DescribeUser | Provides information regarding the user. | List | | | |
| DisableMailGroups [permission only] | Disable a mail group when it is not being used, and to allow it to be deleted. | Write | | | |
| DisableMailUsers [permission only] | Disable a user mailbox when it is no longer being used, and to allow it to be deleted. | Write | | | |
| DisassociateDelegateFromResource | Removes a member from the resource's set of delegates. | Write | | | |
| DisassociateMemberFromGroup | Removes a member from a group. | Write | | | |
| EnableMailDomain [permission only] | Enable a mail domain in the organization. | Write | | | |
| EnableMailGroups [permission only] | Enable a mail group after it has been created to allow it to receive mail. | Write | | | |
| EnableMailUsers [permission only] | Enable a user's mailbox after it has been created to allow it to receive mail. | Write | | | |
| GetMailDomainDetails [permission only] | Get the details of the mail domain. | Read | | | |
| GetMailGroupDetails [permission only] | Get the details of the mail group. | Read | | | |
| GetMailUserDetails [permission only] | Get the details of the user's mailbox and account. | Read | | | |
| GetMailboxDetails | Returns the details of the user's mailbox. | Read | | | |
| GetMobileDeviceDetails [permission only] | Get the details of the mobile device. | Read | | | |
| GetMobileDevicesForUser [permission only] | Get a list of the mobile devices associated with the user. | Read | | | |
| GetMobilePolicyDetails [permission only] | Get the details of the mobile device policy associated with the organization. | Read | | | |
| ListAliases | Creates a paginated call to list the aliases associated with a given entity. | List | | | |
| ListGroupMembers | Returns an overview of the members of a group. Users and groups can be members of a group. | List | | | |
| ListGroups | Returns summaries of the organization's groups. | List | | | |
| ListMailboxPermissions | Lists the mailbox permissions associated with a user, group, or resource mailbox. | List | | | |
| ListMembersInMailGroup [permission only] | Get a list of all the members in a mail group. | Read | | | |
| ListOrganizations | Returns summaries of the customer's non-deleted organizations. | List | | | |
| ListResourceDelegates | Lists the delegates associated with a resource. | List | | | |
| ListResources | Returns summaries of the organization's resources. | List | | | |
| ListUsers | Returns summaries of the organization's users. | List | | | |
| PutMailboxPermissions | Sets permissions for a user, group, or resource. This replaces any pre-existing permissions. | Write | | | |
| RegisterToWorkMail | Registers an existing and disabled user, group, or resource for use by associating a mailbox and calendaring capabilities. | Write | | | |
| RemoveMembersFromGroup [permission only] | Remove members from a mail group. | Write | | | |
| ResetPassword | Allows the administrator to reset the password for a user. | Write | | | |
| ResetUserPassword [permission only] | Reset the password for a user's account. | Write | | | |
| SearchMembers [permission only] | Prefix search to find a specific user in a mail group. | Read | | | |
| SetAdmin [permission only] | Mark a user as being an administrator. | Write | | | |
| SetDefaultMailDomain [permission only] | Set the default mail domain for the organization. | Write | | | |
| SetMailGroupDetails [permission only] | Set the details of the mail group which has just been created. | Write | | | |
| SetMailUserDetails [permission only] | Set the details for the user account which has just been created. | Write | | | |
| SetMobilePolicyDetails [permission only] | Set the details of a mobile policy associated with the organization. | Write | | | |
| UpdateMailboxQuota | Updates the maximum size (in MB) of the user's mailbox. | Write | | | |
| UpdatePrimaryEmailAddress | Updates the primary email for a user, group, or resource. | Write | | | |
| UpdateResource | Updates data for the resource. To retrieve the latest information, it must be preceded by a DescribeResource call. | Write | | | |
| WipeMobileDevice [permission only] | Remotely wipe the mobile device associated with a user's account. | Write | | | |

Resources Defined by Amazon WorkMail

Amazon WorkMail has no service-defined resources that can be used as the Resource element of an IAM policy statement.

Condition Keys for Amazon WorkMail

WorkMail has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.
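A policy check built from the facts on this page, as an added example that is not AWS code: it flags Allow statements on `workmail:` actions that name a Resource other than "*", that use a `workmail:`-prefixed condition key, or whose wildcards reach Write-level actions from the table. The sample policy, its ARN, the `workmail:ExampleKey` key, the finding names and the choice of Write actions are assumptions made for illustration.

```python
import re
# Write-level actions copied from the table above (a subset chosen for this example).
WRITE_SUBSET = ["DeleteOrganization", "DeleteUser", "PutMailboxPermissions",
                "ResetPassword", "SetAdmin", "WipeMobileDevice"]

SAMPLE_POLICY = {  # constructed input; the ARN and the condition key are made up
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["workmail:Describe*", "workmail:List*", "workmail:Get*"]},
        {"Effect": "Allow", "Action": "workmail:Reset*",
         "Resource": "arn:aws:workmail:us-east-1:111122223333:organization/EXAMPLE"},
        {"Effect": "Allow", "Action": "workmail:*", "Resource": "*",
         "Condition": {"StringEquals": {"workmail:ExampleKey": "EXAMPLE"}}},
    ],
}

def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' are the only wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def lint_workmail_policy(policy):
    """Return (statement index, finding) pairs for Allow statements on WorkMail."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        patterns = [a for a in _as_list(stmt.get("Action"))
                    if a == "*" or a.lower().startswith("workmail:")]
        if stmt.get("Effect") != "Allow" or not patterns:
            continue  # Deny, NotAction and other services are out of scope here
        # The page defines no WorkMail resource types, so Resource must be "*".
        if any(r != "*" for r in _as_list(stmt.get("Resource"))):
            findings.append((i, "resource-not-star"))
        # The page defines no workmail: context keys, so such a condition is an error.
        for keys in stmt.get("Condition", {}).values():
            if any(k.lower().startswith("workmail:") for k in keys):
                findings.append((i, "unknown-condition-key"))
        wild = [p for p in patterns if "*" in p or "?" in p]
        hit = sorted(w for w in WRITE_SUBSET
                     if any(_matches(p, "workmail:" + w) for p in wild))
        if hit:
            findings.append((i, "wildcard-grants-write:" + ",".join(hit)))
    return findings

if __name__ == "__main__":
    print(lint_workmail_policy(SAMPLE_POLICY))
```

The first statement of the sample passes cleanly because `Describe*`, `List*` and `Get*` match only List- and Read-level actions in the table.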