AWS Services That Work with IAM
The AWS services listed below are grouped by their AWS product categories and include information about what IAM features they support:
-
Service – You can choose the name of a service to view the AWS documentation about IAM authorization and access for that service.
-
Actions – You can specify individual actions in a policy. If the service does not support this feature, then All actions is selected in the visual editor. In a JSON policy document, you must use
*in theActionelement. For a list of actions in each service, see Actions, Resources, and Condition Keys for AWS Services. -
Resource-level permissions – You can use ARNs to specify individual resources in the policy. If the service does not support this feature, then All resources is chosen in the policy visual editor. In a JSON policy document, you must use
*in theResourceelement. Some actions, such asList*actions, do not support specifying an ARN because they are designed to return multiple resources. If a service supports this feature for some resources but not others, it is indicated by yellow cells in the table. See the documentation for that service for more information. -
Resource-based policies – You can attach resource-based policies to a resource within the service. Resource-based policies include a
Principalelement to specify which IAM identities can access that resource. For more information, see Identity-Based Policies and Resource-Based Policies. -
Authorization based on tags – You can use resource tags in the condition of a policy. For example, you might create a policy that allows tag owners full access to Amazon RDS resources that they have tagged. You do this by using a condition key such as
rds:db-tag/Owner. -
Temporary credentials – Users signed in with federation, a cross-account role, or a service role can access the service. Temporary security credentials are obtained by calling AWS STS API operations like AssumeRole or GetFederationToken. For more information, see Temporary Security Credentials.
-
Service-linked roles – A service-linked role gives the service permission to access resources in other services to complete an action on your behalf. Choose the
Yeslink to see the documentation for services that support these roles. For more information, see Using Service-Linked Roles. -
More information – If a service doesn't fully support a feature, you can review the footnotes for an entry to view the limitations and links to related information.
Compute Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| Application Auto Scaling | Yes | Yes | No | No | Yes | Yes |
| Amazon EC2 Auto Scaling | Yes | Yes | No | No | Yes | Yes |
| AWS Batch | Yes | No | No | No | Yes | No |
| Amazon Elastic Compute Cloud (Amazon EC2) | Yes | Yes | No | Yes | Yes | Yes¹ |
| AWS Elastic Beanstalk | Yes | Yes | No | No | Yes | Yes |
| Amazon Elastic Container Registry (Amazon ECR) | Yes | Yes | Yes | No | Yes | No |
| Amazon Elastic Container Service (Amazon ECS) | Yes | Yes | No | No | Yes | Yes |
| Amazon Elastic Container Service for Kubernetes (Amazon EKS) | Yes | No | No | No | Yes | No |
| Elastic Load Balancing | Yes | Yes | No | No | Yes | Yes |
| AWS Lambda | Yes | Yes | Yes² | No | Yes | Yes |
| Amazon Lightsail | Yes | No | No | No | Yes | No |
¹ Amazon EC2 service-linked roles cannot be created using the AWS Management Console, and can be used only for the following features: Scheduled Instances, Spot Instance Requests, Spot Fleet Requests
² The only AWS Lambda API action that can be specified in a resource-based policy is lambda:InvokeFunction. For more information, see Using Resource-Based Policies for AWS Lambda (Lambda Function Policies) in the AWS Lambda Developer Guide.
Storage and Migration Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| AWS Application Discovery Service | Yes | No | No | No | No | Yes |
| Amazon Elastic Block Store (Amazon EBS) | Yes | Yes | No | Yes | Yes | No |
| Amazon Elastic File System (Amazon EFS) | Yes | Yes | No | No | Yes | No |
| Amazon Glacier | Yes | Yes | Yes | Yes | Yes | No |
| AWS Import/Export | Yes | No | No | No | Yes | No |
| AWS Migration Hub | Yes | Yes | No | No | Yes | No |
| Amazon Simple Storage Service (Amazon S3) | Yes | Yes | Yes | Yes | Yes | No |
| AWS Snowball | Yes | No | No | No | Yes | No |
| AWS Snowball Edge | Yes | No | No | No | No | No |
| AWS Storage Gateway | Yes | Yes | No | No | Yes | No |
Database Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| AWS Database Migration Service | Yes | Yes | No | Yes | Yes | No |
| Amazon DynamoDB | Yes | Yes | No | No | Yes | Yes |
| Amazon ElastiCache | Yes | No¹ | No | No | Yes | Yes |
| Amazon Redshift | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Relational Database Service (Amazon RDS) | Yes | Yes | No | Yes | Yes | Yes |
| Amazon SimpleDB | Yes | Yes | No | No | Yes | No |
¹ Two API operations specify an Amazon S3 ARN resource when seeding a cluster/replication group.
Networking and Content Delivery Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| Amazon API Gateway | Yes | Yes | Yes | No | Yes | No |
| Yes¹ | No | No | No | Yes | No | |
| AWS Direct Connect | Yes | No | No | No | Yes | No |
| Amazon Route 53 | Yes | Yes | No | No | Yes | No |
| Amazon Virtual Private Cloud (Amazon VPC) | Yes | Yes² | Yes³ | Yes | Yes | No |
¹ CloudFront does not support action-level permissions for creating CloudFront key pairs. You must use an AWS account root user to create a CloudFront key pair. For more information, see Creating CloudFront Key Pairs for Your Trusted Signers in the Amazon CloudFront Developer Guide.
² In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC
endpoint. Any Action element that includes the ec2:*VpcEndpoint* or
ec2:DescribePrefixLists API actions must specify ""Resource":
"*"". For more information, see Controlling the Use of
Endpoints in the Amazon VPC User Guide.
³ Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Using Endpoint Policies in the Amazon VPC User Guide.
Developer Tools and Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| AWS Cloud9 | Yes | Yes | Yes | Yes | Yes | Yes |
| AWS CodeBuild | Yes | Yes | No | No | Yes | No |
| AWS CodeCommit | Yes | Yes | No | No | Yes | No |
| AWS CodeDeploy | Yes | Yes | No | No | Yes | No |
| AWS CodePipeline | Yes | Yes | No | No | Yes | No |
| AWS CodeStar | Yes | Yes¹ | No | No | Yes | No |
Management Tools and Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| AWS CloudFormation | Yes | Yes | No | No | Yes | No |
| AWS CloudTrail | Yes | Yes | No | No | Yes | No |
| Amazon CloudWatch | Yes | No | No | No | Yes | Yes¹ |
| Amazon CloudWatch Events | Yes | Yes | No | No | Yes | No |
| Amazon CloudWatch Logs | Yes | Yes | No | No | Yes | No |
| AWS Config | Yes | Yes² | No | No | Yes | Yes |
| AWS Health | Yes | No | No | No | Yes | No |
| AWS OpsWorks | Yes | Yes | Yes | No | Yes | No |
| AWS OpsWorks for Chef Automate | Yes | Yes | Yes | No | Yes | No |
| AWS Service Catalog | Yes | No | No | No | Yes | No |
| AWS Systems Manager | Yes | Yes | No | Yes | Yes | Yes |
| AWS Trusted Advisor | Yes³ | Yes | No | No | Yes⁴ | Yes |
¹ Amazon CloudWatch service-linked roles cannot be created using the AWS Management Console, and support only the Alarm Actions feature.
² AWS Config supports resource-level permissions for only multi-account multi-region data aggregation. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section of AWS Config API Guide.
³ API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.
⁴ Trusted Advisor supports the following tagging condition: ssm:resourceTag
for Key/Value pairs and ssm:Overwrite.
Media Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| Amazon Elastic Transcoder | Yes | Yes | No | No | Yes | No |
| AWS Elemental MediaConvert | Yes | Yes | No | No | Yes | No |
| AWS Elemental MediaStore | Yes | Yes | No | No | Yes | No |
| AWS Elemental MediaTailor | Yes | Yes | Yes | No | Yes | No |
| Kinesis Video Streams | Yes | Yes | No | No | Yes | No |
Machine Learning Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| Amazon Comprehend | Yes | No | No | No | Yes | No |
| Amazon Lex | Yes | Yes | No | No | Yes | Yes |
| Amazon Machine Learning | Yes | Yes | No | Yes | Yes | No |
| Amazon Polly | Yes | Yes | No | No | Yes | No |
| Amazon Rekognition | Yes | Yes | No | No | No | No |
| Amazon SageMaker | Yes | Yes | No | Yes¹ | Yes | No |
| Amazon Transcribe | Yes | No | No | No | Yes | No |
| Amazon Translate | Yes | No | No | No | Yes | No |
¹ Amazon SageMaker does not support using tag-based authorization for calls
to InvokeEndpoint.
Analytics Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| Amazon Athena | Yes | No | No | No | Yes | No |
| Amazon CloudSearch | Yes | Yes | No | No | Yes | No |
| AWS Data Pipeline | Yes | No | No | Yes | Yes | No |
| Amazon Elasticsearch Service | Yes | Yes | Yes | No | Yes | Yes |
| Amazon EMR | Yes | No | No | Yes | Yes | Yes |
| AWS Glue | Yes | No | No | No | Yes | No |
| Amazon Kinesis Data Analytics | Yes | Yes | No | No | Yes | No |
| Amazon Kinesis Data Firehose | Yes | Yes | No | No | Yes | No |
| Amazon Kinesis Data Streams | Yes | Yes | No | No | Yes | No |
| Amazon QuickSight | Yes | No | No | No | No | No |
Security, Identity, and Compliance Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| AWS Artifact | Yes | Yes | No | No | Yes | No |
| AWS Certificate Manager (ACM) | Yes | Yes | No | No | Yes | No |
| AWS CloudHSM | Yes | No | No | No | Yes | Yes |
| AWS CloudHSM Classic | Yes | No | No | No | No | No |
| Amazon Cognito | Yes | Yes | No | No | Yes | No |
| AWS Directory Service | Yes | No | No | No | Yes | No |
| Amazon GuardDuty | Yes | Yes | No | No | Yes | Yes |
| AWS Identity and Access Management (IAM) | Yes | Yes | No | No | Yes¹ | No |
| Amazon Inspector | Yes | No | No | No | Yes | Yes |
| AWS Key Management Service (AWS KMS) | Yes | Yes | Yes | No | Yes | No |
| Amazon Macie | Yes | No | No | No | Yes | Yes |
| AWS Organizations | Yes | Yes | No | No | Yes | Yes |
| AWS Secrets Manager | Yes | Yes | Yes | Yes | Yes | No |
| AWS Single Sign-On (AWS SSO) | Yes | No | No | No | Yes | Yes |
| AWS Security Token Service (AWS STS) | Yes | Yes² | No | No | Yes³ | No |
| AWS Shield Advanced | Yes | No | No | No | Yes | No |
| AWS WAF | Yes | Yes | No | No | Yes | Yes |
¹ Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options
² AWS STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name.
³ Only some of the API operations for AWS STS support calling with temporary credentials. For more information, see Comparing your API options.
Mobile Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| AWS Device Farm | Yes | No | No | No | Yes | No |
| Amazon Mobile Analytics | Yes | No | No | No | Yes | No |
| AWS Mobile Hub | Yes | Yes | No | No | Yes | No |
| Amazon Pinpoint | Yes | Yes | No | No | Yes | No |
Application Integration Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| Amazon MQ | Yes | No | No | No | Yes | No |
| Amazon Simple Email Service (Amazon SES) | Yes | Yes¹ | No | No | Yes² | No |
| Amazon Simple Notification Service (Amazon SNS) | Yes | Yes | Yes | No | Yes | No |
| Amazon Simple Queue Service (Amazon SQS) | Yes | Yes | Yes | No | Yes | No |
| Amazon Simple Workflow Service (Amazon SWF) | Yes | Yes | No | Yes | Yes | No |
¹ Amazon SES supports resource-level permissions in policies that grant permissions to delegate senders to access specific SES identities.
² Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.
Business Productivity Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| Alexa for Business | Yes | Yes | No | Yes | Yes | No |
| Amazon WorkDocs | Yes | No | No | No | Yes | No |
| Amazon WorkMail | Yes | No | No | No | Yes | No |
Desktop and App Streaming Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| Amazon AppStream | Yes | No | No | No | Yes | No |
| Amazon AppStream 2.0 | Yes | No | No | No | Yes | No |
| Amazon WorkSpaces | Yes | Yes | No | No | Yes | No |
| Amazon WAM | Yes | No | No | No | Yes | No |
Internet of Things Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| AWS Greengrass | Yes | Yes | Yes | No | Yes | No |
| AWS IoT | Yes | Yes | Yes¹ | No | Yes | No |
¹ Devices connected to AWS IoT are authenticated by using X.509 certificates or using Amazon Cognito Identities. You can attach AWS IoT policies to an X.509 certificate or Amazon Cognito Identity to control what the device is authorized to do. For more information, see Security and Identity for AWS IoT in the AWS IoT Developer Guide.
Customer Engagement Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| Amazon Connect | Yes | Yes | No | No | Yes | Yes |
Game Development Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| Amazon GameLift | Yes | No | No | No | Yes | No |
Software Services
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| AWS Marketplace | Yes | Yes | No | No | Yes | No |
Additional Resources
| Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles |
| AWS Billing and Cost Management | Yes | No | No | No | Yes | No |
| AWS Support | No | No | No | No | Yes | Yes |
