AWS Identity and Access Management
User Guide

AWS Services That Work with IAM

The AWS services listed below are grouped by their AWS product categories and include information about what IAM features they support:

  • Service – You can choose the name of a service to view the AWS documentation about IAM authorization and access for that service.

  • Actions – You can specify individual actions in a policy. If the service does not support this feature, then All actions is selected in the visual editor. In a JSON policy document, you must use * in the Action element. For a list of actions in each service, see Actions, Resources, and Condition Keys for AWS Services.

  • Resource-level permissions – You can use ARNs to specify individual resources in the policy. If the service does not support this feature, then All resources is chosen in the policy visual editor. In a JSON policy document, you must use * in the Resource element. Some actions, such as List* actions, do not support specifying an ARN because they are designed to return multiple resources. If a service supports this feature for some resources or actions but not others, the Yes entry in the table carries a footnote describing the limitation. See the documentation for that service for more information.

  • Resource-based policies – You can attach resource-based policies to a resource within the service. Resource-based policies include a Principal element to specify which IAM identities can access that resource. For more information, see Identity-Based Policies and Resource-Based Policies.

  • Authorization based on tags – You can use resource tags in the condition of a policy to control access to a resource in the service. You do this using the aws:ResourceTag global condition key or service-specific tags, such as ec2:ResourceTag. For more information about defining permissions based on attributes such as tags, see What Is ABAC for AWS?.

  • Temporary credentials – Users signed in with federation, a cross-account role, or a service role can access the service. Temporary security credentials are obtained by calling AWS STS API operations like AssumeRole or GetFederationToken. For more information, see Temporary Security Credentials.

  • Service-linked roles – A service-linked role gives the service permission to access resources in other services to complete an action on your behalf. Choose the Yes link to see the documentation for services that support these roles. For more information, see Using Service-Linked Roles.

  • More information – If a service doesn't fully support a feature, you can review the footnotes for an entry to view the limitations and links to related information.
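The feature columns described above matter at policy-writing time: a statement that names a specific ARN for a service whose Resource-level permissions column reads No, or that adds an aws:ResourceTag condition for a service whose Authorization based on tags column reads No, never matches any request and silently grants nothing. That is an easy way to ship a policy that looks least-privilege but is dead. The following Python check is an added example and is not part of the AWS documentation: FEATURES is a hand-copied subset of rows from the tables on this page keyed by each service's IAM action prefix (the prefix-to-service mapping is an assumption made here), and the sample policy, its ARNs, and the account ID are constructed for the example.

```python
"""Lint an IAM identity-based policy against the per-service feature table.

Two classes of dead statement are reported:
  1. A service with no resource-level permissions is used in a statement
     whose Resource element does not contain "*" (required per the table).
  2. A service with no tag-based authorization is used in a statement that
     carries a ...:ResourceTag/ condition key, which can never be satisfied.
"""
import json
import re

# Constructed subset of this page's feature table. Keys are IAM action
# prefixes (assumed mapping); True/False mirror the Yes/No cells.
FEATURES = {
    "ec2":               {"resource_level": True,  "tags": True},
    "s3":                {"resource_level": True,  "tags": True},
    "lambda":            {"resource_level": True,  "tags": False},
    "dynamodb":          {"resource_level": True,  "tags": False},
    "xray":              {"resource_level": False, "tags": False},
    "compute-optimizer": {"resource_level": False, "tags": False},
    "elasticache":       {"resource_level": False, "tags": False},
    "cloudhsm":          {"resource_level": False, "tags": False},
}

# Matches aws:ResourceTag/Key and service-specific forms such as ec2:ResourceTag/Key.
# IAM condition keys are case-insensitive, hence IGNORECASE.
TAG_COND_RE = re.compile(r"^[a-z0-9-]+:ResourceTag/", re.IGNORECASE)


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _service_of_action(action):
    """'s3:GetObject' -> 's3'; a bare '*' has no service prefix."""
    return action.split(":", 1)[0].lower() if ":" in action else None


def _tag_condition_keys(condition):
    """Collect every ResourceTag condition key across all operators."""
    keys = []
    for operator_block in (condition or {}).values():
        keys.extend(k for k in operator_block if TAG_COND_RE.match(k))
    return keys


def lint_policy(policy):
    """Return [(statement_index, finding), ...]; empty list means no dead statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        services = {s for s in map(_service_of_action, actions) if s}
        # Services not in the table are skipped: this only checks rows we have.
        for svc in sorted(services & set(FEATURES)):
            feat = FEATURES[svc]
            if not feat["resource_level"] and "*" not in resources:
                findings.append((i, f'{svc}: no resource-level permissions; '
                                    f'Resource must be "*", got {resources}'))
            tag_keys = _tag_condition_keys(stmt.get("Condition"))
            if not feat["tags"] and tag_keys:
                findings.append((i, f"{svc}: no tag-based authorization; "
                                    f"condition keys {tag_keys} never match"))
    return findings


# Constructed sample policy (account ID and resource names are made up).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "xray:PutTraceSegments",
     "Resource": "arn:aws:xray:us-east-1:123456789012:group/default"},
    {"Effect": "Allow",
     "Action": ["lambda:InvokeFunction"],
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
     "Condition": {"StringEquals": {"aws:ResourceTag/Team": "payments"}}},
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")


def demo():
    """Lint the sample policy; statements 0 and 1 are dead, statement 2 is fine."""
    return lint_policy(SAMPLE_POLICY)


if __name__ == "__main__":
    for index, finding in demo():
        print(f"Statement[{index}]: {finding}")
```

The first finding is the Resource-level permissions column in action: X-Ray reads No, so the ARN-scoped statement can only be fixed by using "*" and relying on a separate statement or condition for scoping. The second is the ABAC column: Lambda reads No on this page, so the aws:ResourceTag condition is a silent deny rather than a tag-scoped allow.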

Compute Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Batch Yes Yes No No Yes No
Compute Optimizer Yes No No No Yes No
Amazon Elastic Compute Cloud (Amazon EC2) Yes Yes No Yes Yes Yes¹
Amazon EC2 Auto Scaling Yes Yes No Yes Yes Yes
Amazon EC2 Image Builder Yes Yes No Yes Yes No
AWS Elastic Beanstalk Yes Yes No Yes Yes Yes
Amazon Elastic Container Registry (Amazon ECR) Yes Yes Yes Yes Yes No
Amazon Elastic Container Service (Amazon ECS) Yes Yes² No Yes Yes Yes
Amazon Elastic Kubernetes Service (Amazon EKS) Yes Yes No Yes Yes No
Amazon Elastic Inference Yes Yes Yes No No No
Elastic Load Balancing Yes Yes No Yes Yes Yes
AWS Lambda Yes Yes Yes No Yes Yes³
Amazon Lightsail Yes Yes No Yes Yes No

¹ Amazon EC2 service-linked roles cannot be created using the AWS Management Console, and can be used only for the following features: Scheduled Instances, Spot Instance Requests, and Spot Fleet Requests.

² Only some Amazon ECS actions support resource-level permissions.

³ AWS Lambda doesn't have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.

Storage Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Backup Yes Yes Yes No Yes No
Amazon Elastic Block Store (Amazon EBS) Yes Yes No Yes Yes No
Amazon Elastic File System (Amazon EFS) Yes Yes No Yes Yes Yes
Amazon FSx Yes Yes No Yes Yes Yes
Amazon S3 Glacier Yes Yes Yes Yes Yes No
AWS Import/Export Yes No No No Yes No
AWS Migration Hub Yes Yes No No Yes No
Amazon Simple Storage Service (Amazon S3) Yes Yes Yes Yes¹ Yes No
AWS Snowball Yes No No No Yes No
AWS Snowball Edge Yes No No No No No
AWS Storage Gateway Yes Yes No Yes Yes No

¹ Amazon S3 supports tag-based authorization for only object resources.

Database Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon DynamoDB Yes Yes No No Yes Yes
Amazon ElastiCache Yes No¹ No No Yes Yes
AWS Managed Apache Cassandra Service (MCS) Yes Yes No No Yes No
Amazon Quantum Ledger Database (Amazon QLDB) Yes Yes No Yes Yes No
Amazon Redshift Yes Yes No No Yes Yes
Amazon Relational Database Service (Amazon RDS) Yes Yes No Yes Yes Yes
Amazon RDS Data API Yes No No No Yes No
Amazon SimpleDB Yes Yes No No Yes No

¹ You cannot specify ElastiCache resource ARNs in a policy, but when seeding a cluster or replication group, you can specify an Amazon S3 ARN with ElastiCache actions.

Developer Tools Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Cloud9 Yes Yes Yes Yes Yes Yes
CodeBuild Yes Yes No No Yes No
CodeCommit Yes Yes No Yes Yes No
AWS CodeDeploy Yes Yes No No Yes No
CodePipeline Yes Yes No Yes Yes No
AWS CodeStar Yes Yes¹ No Yes Yes No
AWS CodeStar Notifications Yes Yes No Yes Yes Yes
AWS X-Ray Yes No No No Yes No

Security, Identity, and Compliance Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Certificate Manager Private Certificate Authority (ACM PCA) Yes Yes No Yes Yes No
AWS Artifact Yes Yes No No Yes No
AWS Certificate Manager (ACM) Yes Yes No Yes Yes No
AWS CloudHSM Yes No No No Yes Yes
AWS CloudHSM Classic Yes No No No No No
Amazon Cognito Yes Yes No Yes Yes No
Amazon Detective Yes Yes No No Yes No
AWS Directory Service Yes Yes No Yes Yes No
Amazon GuardDuty Yes Yes No No Yes Yes
AWS Identity and Access Management (IAM) Yes Yes Yes¹ Yes² Yes³ No
IAM Access Analyzer Yes Yes No Yes Yes Yes
Amazon Inspector Yes No No No Yes Yes
AWS Key Management Service (AWS KMS) Yes Yes Yes No Yes Yes
Amazon Macie Yes No No No Yes Yes
AWS Resource Access Manager (AWS RAM) Yes Yes No Yes Yes No
AWS Secrets Manager Yes Yes Yes Yes Yes No
AWS Security Hub Yes Yes No No Yes Yes
AWS Single Sign-On (AWS SSO) Yes No No No Yes Yes
AWS SSO Directory Yes No No No Yes No
AWS Security Token Service (AWS STS) Yes Yes⁴ No Yes Yes⁵ No
AWS Shield Advanced Yes No No No Yes No
AWS WAF Yes Yes No No Yes Yes

¹ IAM supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role. For more information, see Granting a User Permissions to Switch Roles.

² IAM supports tag-based access control for only user and role resources.

³ Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.

⁴ AWS STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name.

⁵ Only some of the API operations for AWS STS support calling with temporary credentials. For more information, see Comparing your API options.

Machine Learning Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Comprehend Yes No No Yes Yes No
AWS DeepRacer Yes No No No Yes Yes
Forecast Yes Yes No No Yes No
Amazon Fraud Detector Yes No No No Yes No
Amazon Kendra Yes Yes No No Yes No
Amazon Lex Yes Yes No No Yes Yes
Amazon Machine Learning Yes Yes No Yes Yes No
Amazon Personalize Yes Yes No No Yes No
Amazon Polly Yes Yes No No Yes No
Amazon Rekognition Yes Yes No No Yes No
Amazon SageMaker Yes Yes No Yes Yes No
Amazon Textract Yes Yes No No No No
Amazon Transcribe Yes No No No Yes No
Amazon Translate Yes No No No Yes No

Management and Governance Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Application Auto Scaling Yes No No No Yes Yes
AWS Auto Scaling Yes No No No Yes Yes
AWS CloudFormation Yes Yes No Yes Yes No
AWS CloudTrail Yes Yes No No Yes No
Amazon CloudWatch Yes Yes No Yes Yes Yes¹
Amazon CloudWatch Events Yes Yes No Yes Yes No
Amazon CloudWatch Logs Yes Yes Yes Yes Yes No
Amazon CloudWatch Synthetics Yes Yes No No Yes No
AWS Config Yes Yes² No Yes Yes Yes
Amazon Data Lifecycle Manager Yes Yes No Yes Yes No
AWS Health Yes No No No Yes No
AWS OpsWorks Yes Yes No No Yes No
AWS OpsWorks for Chef Automate Yes Yes No No Yes No
AWS Organizations Yes Yes No No Yes Yes
AWS Resource Groups Yes Yes No Yes Yes³ No
Resource Groups Tagging API Yes No No No Yes No
AWS Service Catalog Yes No No Yes⁴ Yes No
AWS Systems Manager Yes Yes No Yes Yes Yes
AWS Trusted Advisor Yes⁵ Yes No No Yes Yes

¹ Amazon CloudWatch service-linked roles cannot be created using the AWS Management Console, and support only the Alarm Actions feature.

² AWS Config supports resource-level permissions for multi-account multi-Region data aggregation and AWS Config Rules. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section and the AWS Config Rules section of the AWS Config API Guide.

³ Users can assume a role with a policy that allows AWS Resource Groups operations.

⁴ AWS Service Catalog supports tag-based access control for only actions that match API operations with one resource in the input.

⁵ API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.

Migration and Transfer Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Application Discovery Service Yes No No No No Yes
AWS Database Migration Service Yes Yes Yes¹ Yes Yes No
AWS Migration Hub Yes Yes No No Yes No
AWS Server Migration Service Yes No No No Yes Yes

¹ You can create and modify policies that are attached to AWS KMS encryption keys you create to encrypt data migrated to supported target endpoints. The supported target endpoints include Amazon Redshift and Amazon S3. For more information, see Creating and Using AWS KMS Keys to Encrypt Amazon Redshift Target Data and Creating AWS KMS Keys to Encrypt Amazon S3 Target Objects in the AWS Database Migration Service User Guide.

Mobile Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Amplify Yes Yes No Yes No No
AWS Device Farm Yes Yes No Yes Yes No

Networking and Content Delivery Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon API Gateway Yes Yes Yes Yes Yes Yes
AWS App Mesh Yes Yes No Yes Yes Yes
Amazon CloudFront Yes¹ Yes No Yes Yes Yes⁴
AWS Cloud Map Yes Yes No No Yes No
AWS Direct Connect Yes Yes No Yes Yes No
AWS Global Accelerator Yes Yes No No Yes Yes
Network Manager Yes Yes Yes Yes Yes Yes
Amazon Route 53 Yes Yes No No Yes No
Amazon Route 53 Resolver Yes Yes No Yes Yes No
Amazon Virtual Private Cloud (Amazon VPC) Yes Yes² Yes³ No Yes No

¹ CloudFront does not support action-level permissions for creating CloudFront key pairs. You must use an AWS account root user to create a CloudFront key pair. For more information, see Creating CloudFront Key Pairs for Your Trusted Signers in the Amazon CloudFront Developer Guide.

² In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify "Resource": "*". For more information, see Controlling the Use of Endpoints in the Amazon VPC User Guide.

³ Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Using Endpoint Policies in the Amazon VPC User Guide.

⁴ Amazon CloudFront doesn't have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.

Media Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Elastic Transcoder Yes Yes No No Yes No
AWS Elemental MediaConnect Yes Yes No No Yes No
AWS Elemental MediaConvert Yes Yes No Yes Yes No
AWS Elemental MediaLive Yes Yes Yes Yes Yes No
AWS Elemental MediaPackage Yes Yes No Yes Yes No
AWS Elemental MediaStore Yes Yes Yes No Yes No
AWS Elemental MediaTailor Yes Yes No Yes Yes No
Kinesis Video Streams Yes Yes No Yes Yes No

Analytics Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Athena Yes Yes No Yes Yes No
Amazon CloudSearch Yes Yes No No Yes No
AWS Data Exchange Yes Yes No Yes Yes No
AWS Data Pipeline Yes No No Yes Yes No
Amazon Elasticsearch Service Yes Yes Yes No Yes Yes
Amazon EMR Yes No No Yes Yes Yes
AWS Glue Yes Yes Yes Yes Yes No
Amazon Kinesis Data Analytics Yes Yes No Yes Yes No
Amazon Kinesis Data Firehose Yes Yes No Yes Yes No
Amazon Kinesis Data Streams Yes Yes No No Yes No
Amazon Managed Streaming for Apache Kafka (MSK) Yes Yes No Yes Yes No
Amazon QuickSight Yes Yes No No Yes No

Application Integration Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon EventBridge Yes Yes No Yes Yes No
Amazon EventBridge Schemas Yes Yes No Yes Yes No
Amazon MQ Yes Yes No Yes Yes No
Amazon Simple Notification Service (Amazon SNS) Yes Yes Yes No Yes No
Amazon Simple Queue Service (Amazon SQS) Yes Yes Yes No Yes No
AWS Step Functions Yes Yes No Yes Yes No
Amazon Simple Workflow Service (Amazon SWF) Yes Yes No Yes Yes No

Business Applications Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Alexa for Business Yes Yes No No Yes No
Amazon Chime Yes No No No Yes Yes
Amazon WorkMail Yes No No No Yes Yes

Satellite Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Ground Station Yes Yes No Yes Yes No

Internet of Things Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS IoT Yes Yes Yes¹ Yes Yes No
AWS IoT Analytics Yes Yes No Yes Yes No
AWS IoT Events Yes Yes No Yes Yes No
AWS IoT Greengrass Yes Yes No Yes Yes No
AWS IoT Things Graph Yes No No No Yes No
AWS IoT SiteWise Yes Yes No No Yes No

¹ Devices connected to AWS IoT are authenticated by using X.509 certificates or using Amazon Cognito Identities. You can attach AWS IoT policies to an X.509 certificate or Amazon Cognito Identity to control what the device is authorized to do. For more information, see Security and Identity for AWS IoT in the AWS IoT Developer Guide.

Robotics Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
RoboMaker Yes Yes No Yes No Yes

Blockchain Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Managed Blockchain Yes Yes No No Yes No

Game Development Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon GameLift Yes No No No Yes No

AR & VR Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Sumerian Yes Yes No No Yes No

Customer Engagement Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Connect Yes Yes No No Yes Yes
Amazon Pinpoint Yes Yes No Yes Yes No
Amazon Simple Email Service (Amazon SES) Yes Yes¹ Yes Yes Yes² No

¹ You can only use resource-level permissions in policy statements that refer to actions related to sending email, such as ses:SendEmail or ses:SendRawEmail. For policy statements that refer to any other actions, the Resource element can only contain *.

² Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.

End User Computing Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon AppStream Yes No No No Yes No
Amazon AppStream 2.0 Yes Yes No Yes Yes No
Amazon WAM Yes No No No Yes No
Amazon WorkDocs Yes No No No Yes No
Amazon WorkLink Yes Yes Yes No Yes Yes
Amazon WorkSpaces Yes Yes No Yes Yes No

Additional Resources

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Billing and Cost Management Yes No No No Yes No
AWS Marketplace Yes No No No Yes No
AWS Private Marketplace Yes No No No No No
AWS Support Yes No No No Yes Yes