AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS CloudHSM

AWS CloudHSM (service prefix: cloudhsm) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS CloudHSM

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Action | Description | Access Level
AddTagsToResource | Adds or overwrites one or more tags for the specified AWS CloudHSM resource. | Tagging
CreateCluster | Creates a new AWS CloudHSM cluster. | Write
CreateHapg | Creates a high-availability partition group. | Write
CreateHsm | Creates a new hardware security module (HSM) in the specified AWS CloudHSM cluster. | Write
CreateLunaClient | Creates an HSM client. | Write
DeleteCluster | Deletes the specified AWS CloudHSM cluster. | Write
DeleteHapg | Deletes a high-availability partition group. | Write
DeleteHsm | Deletes the specified HSM. | Write
DeleteLunaClient | Deletes a client. | Write
DescribeBackups | Gets information about backups of AWS CloudHSM clusters. | Read
DescribeClusters | Gets information about AWS CloudHSM clusters. | Read
DescribeHapg | Retrieves information about a high-availability partition group. | Read
DescribeHsm | Retrieves information about an HSM. You can identify the HSM by its ARN or its serial number. | Read
DescribeLunaClient | Retrieves information about an HSM client. | Read
GetConfig | Gets the configuration files necessary to connect to all high-availability partition groups the client is associated with. | Read
InitializeCluster | Claims (initializes) an AWS CloudHSM cluster. | Write
ListAvailableZones | Lists the Availability Zones that have available AWS CloudHSM capacity. | List
ListHapgs | Lists the high-availability partition groups for the account. | List
ListHsms | Retrieves the identifiers of all of the HSMs provisioned for the current customer. | List
ListLunaClients | Lists all of the clients. | List
ListTags | Gets a list of tags for the specified AWS CloudHSM cluster. | Read
ListTagsForResource | Returns a list of all tags for the specified AWS CloudHSM resource. | Read
ModifyHapg | Modifies an existing high-availability partition group. | Write
ModifyHsm | Modifies an HSM. | Write
ModifyLunaClient | Modifies the certificate used by the client. | Write
RemoveTagsFromResource | Removes one or more tags from the specified AWS CloudHSM resource. | Tagging
TagResource | Adds or overwrites one or more tags for the specified AWS CloudHSM cluster. | Tagging
UntagResource | Removes the specified tag or tags from the specified AWS CloudHSM cluster. | Tagging

The Resource Types (*required), Condition Keys and Dependent Actions columns are empty for every action above: no cloudhsm action takes a resource ARN, none has a service-specific condition key, and none requires another action to be granted alongside it.

Resources Defined by CloudHSM

AWS CloudHSM has no service-defined resources that can be used in the Resource element of an IAM policy statement. Every cloudhsm action therefore has to be granted with "Resource": "*". A statement that pairs a cloudhsm action with a narrower ARN never matches a request for that action, so an Allow written that way grants nothing and a Deny written that way blocks nothing. Least privilege for this service comes from listing only the actions a principal needs (for example the Read and List actions for an auditor, or only the tagging actions for a tagging automation role) and from global condition keys, not from resource scoping.

Condition Keys for AWS CloudHSM

AWS CloudHSM has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services (for example aws:MultiFactorAuthPresent, aws:SourceIp and aws:PrincipalTag), see Available Keys for Conditions in the IAM Policy Reference.
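The three points this page makes (the action table, the absence of resource types, and the reliance on global condition keys) can be checked mechanically before a policy is attached. The following is an added example written for this page, not AWS code or an AWS tool: a small linter that expands cloudhsm: action patterns against the table above, flags action names that match nothing, flags statements whose Resource is narrower than "*" (which never apply to this service), and flags unconditional grants of Write and Tagging actions. The two sample policies, the account ID and the cluster ARN in them are constructed for the demonstration; the function and constant names are the example's own.

```python
"""Lint the cloudhsm: part of IAM policies against the action table on this
page.  Added example for this page, not AWS code; the policies and the
account ID/ARN below are constructed for the demonstration."""
import fnmatch
import json

# Action name -> access level, transcribed from the table above.
CLOUDHSM_ACTIONS = {
    "AddTagsToResource": "Tagging", "CreateCluster": "Write",
    "CreateHapg": "Write", "CreateHsm": "Write", "CreateLunaClient": "Write",
    "DeleteCluster": "Write", "DeleteHapg": "Write", "DeleteHsm": "Write",
    "DeleteLunaClient": "Write", "DescribeBackups": "Read",
    "DescribeClusters": "Read", "DescribeHapg": "Read", "DescribeHsm": "Read",
    "DescribeLunaClient": "Read", "GetConfig": "Read",
    "InitializeCluster": "Write", "ListAvailableZones": "List",
    "ListHapgs": "List", "ListHsms": "List", "ListLunaClients": "List",
    "ListTags": "Read", "ListTagsForResource": "Read", "ModifyHapg": "Write",
    "ModifyHsm": "Write", "ModifyLunaClient": "Write",
    "RemoveTagsFromResource": "Tagging", "TagResource": "Tagging",
    "UntagResource": "Tagging",
}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def expand_cloudhsm_actions(pattern):
    """Return the CloudHSM actions an Action pattern matches.

    IAM matches action names case-insensitively and treats '*' as a
    wildcard, so 'cloudhsm:describe*' covers every Describe action."""
    if pattern == "*":
        return sorted(CLOUDHSM_ACTIONS)
    service, sep, name = pattern.partition(":")
    if not sep or service.lower() != "cloudhsm":
        return []
    return sorted(a for a in CLOUDHSM_ACTIONS
                  if fnmatch.fnmatchcase(a.lower(), name.lower()))


def lint_policy(policy):
    """Return (allowed_cloudhsm_actions, findings) for one policy document.

    Only Action/Resource are handled; NotAction/NotResource are not."""
    findings, allowed = [], set()
    for idx, st in enumerate(_as_list(policy["Statement"])):
        matched = set()
        for pat in _as_list(st.get("Action")):
            hits = expand_cloudhsm_actions(pat)
            if pat.lower().startswith("cloudhsm:") and not hits:
                findings.append(f"statement {idx}: '{pat}' matches no CloudHSM "
                                "action (typo?); it grants or denies nothing")
            matched.update(hits)
        if not matched:
            continue
        resources = _as_list(st.get("Resource"))
        # CloudHSM defines no resource types, so "*" is the only Resource
        # value that can match a cloudhsm action.  Anything narrower makes
        # the statement silently apply to none of these actions.
        if "*" not in resources:
            findings.append(f"statement {idx}: cloudhsm actions with Resource "
                            f"{resources} never apply; use \"*\"")
            continue
        if st.get("Effect") != "Allow":
            continue
        allowed.update(matched)
        writes = sorted(a for a in matched
                        if CLOUDHSM_ACTIONS[a] in ("Write", "Tagging"))
        if writes and "Condition" not in st:
            findings.append(f"statement {idx}: unconditional Allow of "
                            f"{writes}; consider a global condition key such "
                            "as aws:MultiFactorAuthPresent")
    return sorted(allowed), findings


# Constructed sample policies (the account ID and the ARN are made up).
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["cloudhsm:Describe*", "cloudhsm:List*",
                            "cloudhsm:GetConfig"],
                 "Resource": "*"}]}""")

BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudhsm:CreateCluster", "cloudhsm:DeleteClusters"],
     "Resource": "arn:aws:cloudhsm:us-east-1:111122223333:cluster/*"},
    {"Effect": "Allow", "Action": "cloudhsm:TagResource", "Resource": "*"}]}""")

if __name__ == "__main__":
    for name, pol in (("read-only", READ_ONLY_POLICY), ("broken", BROKEN_POLICY)):
        actions, findings = lint_policy(pol)
        print(name, "allows", actions)
        for finding in findings:
            print("  !", finding)
```

Run stand-alone, the read-only policy expands to the twelve Read and List actions with no findings, while the broken policy produces three: the misspelled DeleteClusters action, the cluster-scoped Resource that makes the first statement a no-op, and the unconditional TagResource grant. The table is transcribed by hand, so it has to be refreshed when AWS adds actions; the linter is only as current as that dictionary.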