AWS Services That Work with IAM

The AWS services listed below are grouped by their AWS product categories and include information about what IAM features they support:

Service – You can choose the name of a service to view the AWS documentation about IAM authorization and access for that service.
Actions – You can specify individual actions in a policy. If the service does not support this feature, then All actions is selected in the visual editor. In a JSON policy document, you must use * in the Action element. For a list of actions in each service, see Actions, Resources, and Condition Keys for AWS Services.
Resource-level permissions – You can use ARNs to specify individual resources in the policy. If the service does not support this feature, then All resources is chosen in the policy visual editor. In a JSON policy document, you must use * in the Resource element. Some actions, such as List* actions, do not support specifying an ARN because they are designed to return multiple resources. If a service supports this feature for some resources but not others, it is indicated by yellow cells in the table. See the documentation for that service for more information.
Resource-based policies – You can attach resource-based policies to a resource within the service. Resource-based policies include a Principal element to specify which IAM identities can access that resource. For more information, see Identity-Based Policies and Resource-Based Policies.
Authorization based on tags – You can use resource tags in the condition of a policy. For example, you might create a policy that allows tag owners full access to Amazon RDS resources that they have tagged. You do this by using a condition key such as rds:db-tag/Owner.
Temporary credentials – Users signed in with federation, a cross-account role, or a service role can access the service. Temporary security credentials are obtained by calling AWS STS API operations like AssumeRole or GetFederationToken. For more information, see Temporary Security Credentials.
Service-linked roles – A service-linked role gives the service permission to access resources in other services to complete an action on your behalf. Choose the Yes link to see the documentation for services that support these roles. For more information, see Using Service-Linked Roles.
More information – If a service doesn't fully support a feature, you can review the footnotes for an entry to view the limitations and links to related information.

Compute Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Batch	Yes	Yes	No	No	Yes	No
Amazon Elastic Compute Cloud (Amazon EC2)	Yes	Yes	No	Yes	Yes	Yes¹
Amazon EC2 Auto Scaling	Yes	Yes	No	No	Yes	Yes
AWS Elastic Beanstalk	Yes	Yes	No	Yes	Yes	Yes
Amazon Elastic Container Registry (Amazon ECR)	Yes	Yes	Yes	No	Yes	No
Amazon Elastic Container Service (Amazon ECS)	Yes	Yes	No	No	Yes	Yes
Amazon Elastic Container Service for Kubernetes (Amazon EKS)	Yes	No	No	No	Yes	No
Amazon Elastic Inference	Yes	Yes	Yes	No	No	No
Elastic Load Balancing	Yes	Yes	No	No	Yes	Yes
AWS Lambda	Yes	Yes	Yes	No	Yes	Yes
Amazon Lightsail	Yes	No	No	No	Yes	No

¹ Amazon EC2 service-linked roles cannot be created using the AWS Management Console, and can be used only for the following features: Scheduled Instances, Spot Instance Requests, Spot Fleet Requests

Storage Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Backup	Yes	Yes	Yes	No	Yes	No
Amazon Elastic Block Store (Amazon EBS)	Yes	Yes	No	Yes	Yes	No
Amazon Elastic File System (Amazon EFS)	Yes	Yes	No	No	Yes	No
Amazon S3 Glacier	Yes	Yes	Yes	Yes	Yes	No
AWS Import/Export	Yes	No	No	No	Yes	No
AWS Migration Hub	Yes	Yes	No	No	Yes	No
Amazon Simple Storage Service (Amazon S3)	Yes	Yes	Yes	Yes	Yes	No
AWS Snowball	Yes	No	No	No	Yes	No
AWS Snowball Edge	Yes	No	No	No	No	No
AWS Storage Gateway	Yes	Yes	No	No	Yes	No

Database Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon DynamoDB	Yes	Yes	No	No	Yes	Yes
Amazon ElastiCache	Yes	No¹	No	No	Yes	Yes
Amazon Redshift	Yes	Yes	No	Yes	Yes	Yes
Amazon Relational Database Service (Amazon RDS)	Yes	Yes	No	Yes	Yes	Yes
Amazon SimpleDB	Yes	Yes	No	No	Yes	No

¹ Two API operations specify an Amazon S3 ARN resource when seeding a cluster/replication group.

Developer Tools Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Cloud9	Yes	Yes	Yes	Yes	Yes	Yes
CodeBuild	Yes	Yes	No	No	Yes	No
CodeCommit	Yes	Yes	No	No	Yes	No
AWS CodeDeploy	Yes	Yes	No	No	Yes	No
CodePipeline	Yes	Yes	No	No	Yes	No
AWS CodeStar	Yes	Yes¹	No	No	Yes	No
AWS X-Ray	Yes	No	No	No	Yes	No

Security, Identity, and Compliance Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Artifact	Yes	Yes	No	No	Yes	No
AWS Certificate Manager (ACM)	Yes	Yes	No	No	Yes	No
AWS CloudHSM	Yes	No	No	No	Yes	Yes
AWS CloudHSM Classic	Yes	No	No	No	No	No
Amazon Cognito	Yes	Yes	No	No	Yes	No
AWS Directory Service	Yes	No	No	No	Yes	No
Amazon GuardDuty	Yes	Yes	No	No	Yes	Yes
AWS Identity and Access Management (IAM)	Yes	Yes	Yes¹	No	Yes²	No
Amazon Inspector	Yes	No	No	No	Yes	Yes
AWS Key Management Service (AWS KMS)	Yes	Yes	Yes	No	Yes	Yes
Amazon Macie	Yes	No	No	No	Yes	Yes
AWS Secrets Manager	Yes	Yes	Yes	Yes	Yes	No
AWS Security Hub	Yes	Yes	No	No	Yes	Yes
AWS Single Sign-On (AWS SSO)	Yes	No	No	No	Yes	Yes
AWS Security Token Service (AWS STS)	Yes	Yes³	No	No	Yes⁴	No
AWS Shield Advanced	Yes	No	No	No	Yes	No
AWS WAF	Yes	Yes	No	No	Yes	Yes

¹ IAM supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role. For more information, see Granting a User Permissions to Switch Roles.

² Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options

³ AWS STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name.

⁴ Only some of the API operations for AWS STS support calling with temporary credentials. For more information, see Comparing your API options.

Machine Learning Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon Comprehend	Yes	No	No	No	Yes	No
AWS DeepRacer	Yes	No	No	No	Yes	Yes
Forecast	Yes	Yes	No	No	Yes	No
Amazon Lex	Yes	Yes	No	No	Yes	Yes
Amazon Machine Learning	Yes	Yes	No	Yes	Yes	No
Amazon Personalize	Yes	Yes	No	No	Yes	No
Amazon Polly	Yes	Yes	No	No	Yes	No
Amazon Rekognition	Yes	Yes	No	No	No	No
Amazon SageMaker	Yes	Yes	No	Yes¹	Yes	No
Amazon Transcribe	Yes	No	No	No	Yes	No
Amazon Translate	Yes	No	No	No	Yes	No

¹ Amazon SageMaker does not support using tag-based authorization for calls to InvokeEndpoint.

Management and Governance Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Application Auto Scaling	Yes	No	No	No	Yes	Yes
AWS Auto Scaling	Yes	No	No	No	Yes	Yes
AWS CloudFormation	Yes	Yes	No	No	Yes	No
AWS CloudTrail	Yes	Yes	No	No	Yes	No
Amazon CloudWatch	Yes	No	No	No	Yes	Yes¹
Amazon CloudWatch Events	Yes	Yes	No	No	Yes	No
Amazon CloudWatch Logs	Yes	Yes	No	No	Yes	No
AWS Config	Yes	Yes²	No	No	Yes	Yes
AWS Health	Yes	No	No	No	Yes	No
AWS OpsWorks	Yes	Yes	No	No	Yes	No
AWS OpsWorks for Chef Automate	Yes	Yes	No	No	Yes	No
AWS Organizations	Yes	Yes	No	No	Yes	Yes
AWS Service Catalog	Yes	No	No	No	Yes	No
AWS Systems Manager	Yes	Yes	No	Yes	Yes	Yes
AWS Trusted Advisor	Yes³	Yes	No	No	Yes⁴	Yes

¹ Amazon CloudWatch service-linked roles cannot be created using the AWS Management Console, and support only the Alarm Actions feature.

² AWS Config supports resource-level permissions for multi-account multi-Region data aggregation and AWS Config Rules. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section and AWS Config Rules section of AWS Config API Guide.

³ API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.

⁴ Trusted Advisor supports the following tagging condition: ssm:resourceTag for Key/Value pairs and ssm:Overwrite.

Migration and Transfer Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Application Discovery Service	Yes	No	No	No	No	Yes
AWS Database Migration Service	Yes	Yes	No	Yes	Yes	No
AWS Migration Hub	Yes	Yes	No	No	Yes	No

Mobile Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Amplify	Yes	Yes	No	No	No	No
AWS Device Farm	Yes	No	No	No	Yes	No

Networking and Content Delivery Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon API Gateway	Yes	Yes	Yes	No	Yes	Yes
AWS App Mesh	Yes	No	No	No	Yes	No
Amazon CloudFront	Yes¹	No	No	No	Yes	No
AWS Cloud Map	Yes	No	No	No	Yes	No
AWS Direct Connect	Yes	No	No	No	Yes	No
AWS Global Accelerator	Yes	Yes	No	No	Yes	No
Amazon Route 53	Yes	Yes	No	No	Yes	No
Amazon Virtual Private Cloud (Amazon VPC)	Yes	Yes²	Yes³	Yes	Yes	No

¹ CloudFront does not support action-level permissions for creating CloudFront key pairs. You must use an AWS account root user to create a CloudFront key pair. For more information, see Creating CloudFront Key Pairs for Your Trusted Signers in the Amazon CloudFront Developer Guide.

² In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify ""Resource": "*"". For more information, see Controlling the Use of Endpoints in the Amazon VPC User Guide.

³ Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Using Endpoint Policies in the Amazon VPC User Guide.

Media Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon Elastic Transcoder	Yes	Yes	No	No	Yes	No
AWS Elemental MediaConnect	Yes	Yes	No	No	Yes	No
AWS Elemental MediaConvert	Yes	Yes	No	Yes	Yes	No
AWS Elemental MediaStore	Yes	Yes	Yes	No	Yes	No
AWS Elemental MediaTailor	Yes	Yes	No	Yes	Yes	No
Kinesis Video Streams	Yes	Yes	No	No	Yes	No

Analytics Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon Athena	Yes	Yes	No	Yes	Yes	No
Amazon CloudSearch	Yes	Yes	No	No	Yes	No
AWS Data Pipeline	Yes	No	No	Yes	Yes	No
Amazon Elasticsearch Service	Yes	Yes	Yes	No	Yes	Yes
Amazon EMR	Yes	No	No	Yes	Yes	Yes
AWS Glue	Yes	Yes	Yes	No	Yes	No
Amazon Kinesis Data Analytics	Yes	Yes	No	No	Yes	No
Amazon Kinesis Data Firehose	Yes	Yes	No	No	Yes	No
Amazon Kinesis Data Streams	Yes	Yes	No	No	Yes	No
Amazon QuickSight	Yes	No	No	No	No	No

Application Integration Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon MQ	Yes	Yes	No	Yes	Yes	No
Amazon Simple Notification Service (Amazon SNS)	Yes	Yes	Yes	No	Yes	No
Amazon Simple Queue Service (Amazon SQS)	Yes	Yes	Yes	No	Yes	No
AWS Step Functions	Yes	Yes	No	Yes	Yes	No
Amazon Simple Workflow Service (Amazon SWF)	Yes	Yes	No	Yes	Yes	No

Business Applications Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Alexa for Business	Yes	Yes	No	Yes	Yes	No
Amazon WorkMail	Yes	No	No	No	Yes	Yes

Internet of Things Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS IoT Greengrass	Yes	Yes	No	No	Yes	No
AWS IoT	Yes	Yes	Yes¹	Yes	Yes	No
AWS IoT Things Graph	Yes	No	No	No	Yes	No

¹ Devices connected to AWS IoT are authenticated by using X.509 certificates or using Amazon Cognito Identities. You can attach AWS IoT policies to an X.509 certificate or Amazon Cognito Identity to control what the device is authorized to do. For more information, see Security and Identity for AWS IoT in the AWS IoT Developer Guide.

Robotics Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
RoboMaker	Yes	Yes	No	Yes	No	Yes

Game Development Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon GameLift	Yes	No	No	No	Yes	No

AR & VR Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon Sumerian	Yes	Yes	No	No	Yes	No

Customer Engagement Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon Connect	Yes	Yes	No	No	Yes	Yes
Amazon Pinpoint	Yes	Yes	No	Yes	Yes	No
Amazon Simple Email Service (Amazon SES)	Yes	Yes¹	Yes	No	Yes²	No

¹ You can only use resource-level permissions in policy statements that refer to actions related to sending email, such as ses:SendEmail or ses:SendRawEmail. For policy statements that refer to any other actions, the Resource element can only contain *.

² Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.

End User Computing Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon AppStream	Yes	No	No	No	Yes	No
Amazon AppStream 2.0	Yes	No	No	No	Yes	No
Amazon WAM	Yes	No	No	No	Yes	No
Amazon WorkDocs	Yes	No	No	No	Yes	No
Amazon WorkLink	Yes	Yes	Yes	No	Yes	Yes
Amazon WorkSpaces	Yes	Yes	No	No	Yes	No

Additional Resources

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Billing and Cost Management	Yes	No	No	No	Yes	No
AWS Marketplace	Yes	Yes	No	No	Yes	No
AWS Support	No	No	No	No	Yes	Yes

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

« Previous Next »