AWS services that work with IAM

The AWS services listed below are grouped by their AWS product categories and include information about what IAM features they support:

Service – You can choose the name of a service to view the AWS documentation about IAM authorization and access for that service.
Actions – You can specify individual actions in a policy. If the service does not support this feature, then All actions is selected in the visual editor. In a JSON policy document, you must use * in the Action element. For a list of actions in each service, see Actions, Resources, and Condition Keys for AWS Services.
Resource-level permissions – You can use ARNs to specify individual resources in the policy. If the service does not support this feature, then All resources is chosen in the policy visual editor. In a JSON policy document, you must use * in the Resource element. Some actions, such as List* actions, do not support specifying an ARN because they are designed to return multiple resources. If a service supports this feature for some resources but not others, it is indicated by yellow cells in the table. See the documentation for that service for more information.
Resource-based policies – You can attach resource-based policies to a resource within the service. Resource-based policies include a Principal element to specify which IAM identities can access that resource. For more information, see Identity-based policies and resource-based policies.
Authorization based on tags – You can use resource tags in the condition of a policy to control access to a resource in the service. You do this using the aws:ResourceTag global condition key or service-specific tags, such as iam:ResourceTag. For more information about defining permissions based on attributes such as tags, see What is ABAC for AWS?.
Temporary credentials – You can use short-term credentials that you obtain when you sign in using SSO, switch roles in the console, or that you generate using AWS STS in the AWS CLI or AWS API. You can access services with a No value only while using your long-term IAM user credentials. This includes a user name and password or your user access keys. For more information, see Temporary security credentials in IAM.
Service-linked roles – A service-linked role is a special type of service role that gives the service permission to access resources in other services on your behalf. Choose the Yes link to see the documentation for services that support these roles. This column does not indicate if the service uses standard service roles. For more information, see Using service-linked roles.
More information – If a service doesn't fully support a feature, you can review the footnotes for an entry to view the limitations and links to related information.

Compute services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS App Runner	Yes	Yes	No	Yes	Yes	Yes
AWS Batch	Yes	Partial	No	Yes	Yes	Yes
Amazon Elastic Compute Cloud (Amazon EC2)	Yes	Partial	No	Yes	Yes	Partial¹
Amazon EC2 Auto Scaling	Yes	Yes	No	Yes	Yes	Yes
EC2 Image Builder	Yes	Yes	No	Yes	Yes	Yes
Amazon EC2 Instance Connect	Yes	Yes	No	Partial	Yes	No
AWS Elastic Beanstalk	Yes	Partial	No	Yes	Yes	Yes
Amazon Elastic Inference	Yes	Yes	No	No	Yes	No
Elastic Load Balancing	Yes	Partial	No	Partial	Yes	Yes
AWS Lambda	Yes	Yes	Yes	No	Yes	Partial²
Amazon Lightsail	Yes	Partial³	No	Partial³	Yes	Yes
AWS Outposts	Yes	No	No	No	Yes	Yes
AWS Serverless Application Repository	Yes	Yes	Yes	No	Yes	No

¹ Amazon EC2 service-linked roles can be used only for the following features: Spot Instance Requests and Spot Fleet Requests.

² AWS Lambda doesn't have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.

³ Amazon Lightsail partially supports resource-level permissions and authorization based on tags. For more information, see Support for resource-level permissions and authorization based on tags in Amazon Lightsail

Containers services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS App Runner	Yes	Yes	No	Yes	Yes	Yes
Amazon Elastic Container Registry (Amazon ECR)	Yes	Yes	Yes	Yes	Yes	Yes
Amazon Elastic Container Registry Public (Amazon ECR Public)	Yes	Yes	No	Yes	Yes	No
Amazon Elastic Container Service (Amazon ECS)	Yes	Partial¹	No	Yes	Yes	Yes
Amazon Elastic Kubernetes Service (Amazon EKS)	Yes	Yes	No	Yes	Yes	Yes

¹ Only some Amazon ECS actions support resource-level permissions.

Storage services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Backup	Yes	Yes	Yes	Yes	Yes	Yes
AWS Backup Gateway	Yes	Yes	No	Yes	Yes	No
AWS Backup Storage	Yes	Yes	No	No	Yes	No
Amazon Elastic Block Store (Amazon EBS)	Yes	Partial	No	Yes	Yes	No
AWS Elastic Disaster Recovery	Yes	Yes	No	Yes	Yes	No
Amazon Elastic File System (Amazon EFS)	Yes	Yes	Yes	Yes	Yes	Yes
Amazon FSx	Yes	Yes	No	Yes	Yes	Yes
Amazon S3 Glacier	Yes	Yes	Yes	Yes	Yes	No
AWS Import/Export	Yes	No	No	No	Yes	No
Amazon Simple Storage Service (Amazon S3)	Yes	Yes	Yes	Partial¹	Yes	Partial²
Amazon Simple Storage Service (Amazon S3) on AWS Outposts	Yes	Yes	Yes	Partial¹	Yes	No
Amazon Simple Storage Service (Amazon S3) Object Lambda	Yes	Yes	No	No	Yes	No
AWS Snow Device Management	Yes	Yes	No	Yes	Yes	No
AWS Snowball	Yes	No	No	No	Yes	No
AWS Snowball Edge	Yes	No	No	No	Yes	No
AWS Storage Gateway	Yes	Yes	No	Yes	Yes	No

¹ Amazon S3 supports tag-based authorization for only object resources.

² Amazon S3 supports service-linked roles for Amazon S3 Storage Lens.

Database services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon DynamoDB	Yes	Yes	No	No	Yes	Yes
Amazon ElastiCache	Yes	Yes	No	Yes	Yes	Yes
Amazon Keyspaces (for Apache Cassandra)	Yes	Yes	No	Yes	Yes	Yes
Amazon MediaImport	Yes	No	No	No	No	No
Amazon MemoryDB for Redis	Yes	Yes	No	Yes	Yes	Yes
Amazon Neptune	Yes	Yes	No	No	Yes	Yes
AWS Performance Insights	Yes	Yes	No	No	Yes	No
Amazon Quantum Ledger Database (Amazon QLDB)	Yes	Yes	No	Yes	Yes	No
Amazon Redshift	Yes	Yes	No	Yes	Yes	Yes
Amazon Redshift Data API	Yes	Yes	No	Yes	Yes	No
Amazon Relational Database Service (Amazon RDS)	Yes	Yes	No	Yes	Yes	Yes
Amazon RDS Data API	Yes	Yes	No	Yes	Yes	No
Amazon SimpleDB	Yes	Yes	No	No	Yes	No
AWS SQL Workbench	Yes	Yes	No	Yes	Yes	No
Amazon Timestream	Yes	Yes	No	Yes	Yes	No
Database Query Metadata Service	Yes	No	No	No	Yes	No

Developer tools services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Cloud9	Yes	Yes	Yes	Yes	Yes	Yes
AWS Cloud Control API	Yes	No	No	No	Yes	No
AWS CloudShell	Yes	Yes	No	No	No	No
AWS CodeArtifact	Yes	Yes	Yes	Yes	Yes	No
CodeBuild	Yes	Yes	Yes¹	Partial²	Yes	No
CodeCommit	Yes	Yes	No	Yes	Yes	No
AWS CodeDeploy	Yes	Yes	No	Yes	Yes	No
CodePipeline	Yes	Partial	No	Yes	Yes	No
AWS CodeStar	Yes	Partial	No	Yes	Yes	No
AWS CodeStar Connections	Yes	Yes	No	Yes	Yes	No
AWS CodeStar Notifications	Yes	Yes	No	Yes	Yes	Yes
AWS Fault Injection Simulator	Yes	Yes	No	Yes	Yes	Yes
AWS X-Ray	Yes	Partial³	No	Partial⁴	Yes	No

¹ CodeBuild supports cross-account resource sharing using AWS RAM.

² CodeBuild supports authorization based on tags for project-based actions.

³ X-Ray does not support resource-level permissions for all actions.

⁴ X-Ray supports tag-based access control for groups and sampling rules.

Security, identity, and compliance services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Artifact	Yes	Yes	No	No	Yes	No
AWS Audit Manager	Yes	Yes	No	Yes	Yes	Yes
Amazon Cloud Directory	Yes	Yes	No	No	Yes	No
Amazon Cognito	Yes	Yes	No	Yes	Yes	Yes
Amazon Cognito Sync	Yes	Yes	No	No	Yes	Yes
Amazon Cognito user pools	Yes	Yes	No	Yes	Yes	Yes
Amazon Detective	Yes	Yes	No	Yes	Yes	No
AWS Directory Service	Yes	Yes	No	Yes	Yes	No
AWS Firewall Manager	Yes	Yes	No	Yes	Yes	Partial
Amazon GuardDuty	Yes	Yes	No	Yes	Yes	Yes
AWS Identity and Access Management (IAM)	Yes	Yes	Partial¹	Partial²	Partial³	No
AWS Identity and Access Management Access Analyzer	Yes	Yes	No	Yes	Yes	Partial
Amazon Inspector Classic	Yes	No	No	No	Yes	Yes
Amazon Inspector	Yes	Yes	No	Yes	Yes	Yes
Amazon Macie	Yes	Yes	No	Yes	Yes	Yes
Amazon Macie Classic	Yes	No	No	No	Yes	Yes
AWS Network Firewall	Yes	Yes	No	Yes	Yes	Yes
AWS Resource Access Manager (AWS RAM)	Yes	Yes	No	Yes	Yes	No
AWS Secrets Manager	Yes	Yes	Yes	Yes	Yes	No
AWS Security Hub	Yes	Yes	No	Yes	Yes	Yes
AWS Single Sign-On (AWS SSO)	Yes	Yes	No	Yes	Yes	Yes
AWS SSO Directory	Yes	No	No	No	Yes	No
AWS SSO Identity Store	Yes	No	No	No	Yes	No
AWS Security Token Service (AWS STS)	Yes	Partial⁴	No	Yes	Partial⁵	No
AWS Shield	Yes	Yes	No	Yes	Yes	No
AWS WAF	Yes	Yes	No	Yes	Yes	Yes
AWS WAF Classic	Yes	Yes	No	Yes	Yes	Yes
AWS WAF Regional	Yes	Yes	No	Yes	Yes	Yes

¹ IAM supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role. For more information, see Granting a user permissions to switch roles.

² IAM supports tag-based access control for most IAM resources. For more information, see Tagging IAM resources.

³ Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.

⁴ AWS STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name.

⁵ Only some of the API operations for AWS STS support calling with temporary credentials. For more information, see Comparing your API options.

Cryptography and PKI services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Certificate Manager Private Certificate Authority (ACM)	Yes	Yes	Yes	Yes	Yes	No
AWS Certificate Manager (ACM)	Yes	Yes	No	Yes	Yes	Yes
AWS CloudHSM	Yes	Yes	No	Yes	Yes	Yes
AWS Key Management Service (AWS KMS)	Yes	Yes	Yes	Yes	Yes	Yes
AWS Signer	Yes	Yes	No	Yes	Yes	No

Machine learning services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS BugBust	Yes	Yes	No	Yes	Yes	Yes
Amazon CodeGuru Profiler	Yes	Yes	No	Yes	Yes	Yes
Amazon CodeGuru Reviewer	Yes	Yes	No	Yes	Yes	Yes
Amazon Comprehend	Yes	Yes	No	Yes	Yes	No
Amazon Comprehend Medical	Yes	No	No	No	Yes	No
AWS DeepComposer	Yes	Yes	No	Yes	Yes	No
AWS DeepRacer	Yes	Yes	No	Yes	Yes	Yes
AWS Panorama	Yes	Yes	No	Yes	Yes	Yes
Amazon DevOps Guru	Yes	Yes	No	No	Yes	Yes
Amazon Forecast	Yes	Yes	No	Yes	Yes	No
Amazon Fraud Detector	Yes	Yes	No	Yes	Yes	No
Ground Truth Labeling	Yes	No	No	No	Yes	No
Amazon HealthLake	Yes	Yes	No	Yes	Yes	No
Amazon Kendra	Yes	Yes	No	Yes	Yes	No
Amazon Lex	Yes	Yes	No	Yes	Yes	Yes
Amazon Lex V2	Yes	Yes	Yes	Yes	Yes	Yes
Amazon Lookout for Equipment	Yes	Yes	No	Yes	Yes	No
Amazon Lookout for Metrics	Yes	Yes	No	Yes	Yes	No
Amazon Lookout for Vision	Yes	Yes	No	Yes	Yes	No
Amazon Monitron	Yes	Yes	No	Yes	Yes	No
Amazon Machine Learning	Yes	Yes	No	Yes	Yes	No
Amazon Personalize	Yes	Yes	No	No	Yes	No
Amazon Polly	Yes	Yes	No	No	Yes	No
Amazon Rekognition	Yes	Yes	No	Yes	Yes	No
Amazon SageMaker	Yes	Yes	No	Yes	Yes	No
Amazon Textract	Yes	No	No	No	Yes	No
Amazon Transcribe	Yes	No	No	No	Yes	No
Amazon Translate	Yes	No	No	No	Yes	No

Management and governance services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Account Management	Yes	Yes	No	Yes	Yes	No
Application Auto Scaling	Yes	No	No	No	Yes	Yes
AWS AppConfig	Yes	Yes	No	Yes	Yes	No
AWS Auto Scaling	Yes	No	No	No	Yes	Yes
AWS Chatbot	Yes	Yes	No	No	Yes	Yes
AWS CloudFormation	Yes	Yes	No	Yes	Yes	No
AWS CloudTrail	Yes	Yes	No	No	Yes	Yes
Amazon CloudWatch	Yes	Yes	No	Yes	Yes	Partial¹
Amazon CloudWatch Application Insights	Yes	No	No	No	Yes	No
Amazon CloudWatch Events	Yes	Yes	No	Yes	Yes	No
Amazon CloudWatch Logs	Yes	Yes	Yes	Yes	Yes	Yes
Amazon CloudWatch Synthetics	Yes	Yes	No	Partial	Yes	No
AWS Compute Optimizer	Yes	No	No	No	Yes	Yes
AWS Config	Yes	Partial²	No	Yes	Yes	Yes
AWS Control Tower	Yes	No	No	No	Yes	No
Amazon Data Lifecycle Manager	Yes	Yes	No	Yes	Yes	No
AWS Health	Yes	Yes	No	No	Yes	No
AWS License Manager	Yes	Yes	No	Yes	Yes	Yes
Amazon Managed Grafana	Yes	Yes	No	No	Yes	No
Amazon Managed Service for Prometheus	Yes	Yes	No	Yes	Yes	No
AWS OpsWorks	Yes	Yes	No	No	Yes	No
AWS OpsWorks Configuration Management	Yes	Yes	No	No	Yes	No
AWS Organizations	Yes	Yes	No	Yes	Yes	Yes
AWS Proton	Yes	Yes	No	Yes	Yes	No
AWS Resilience Hub	Yes	Yes	No	Yes	Yes	No
AWS Resource Groups	Yes	Yes	No	Yes	Partial³	No
AWS Resource Groups Tagging API	Yes	No	No	No	Yes	No
AWS Service Catalog	Yes	Yes	No	Partial⁴	Yes	Yes
Amazon Session Manager Message Gateway Service	Yes	No	No	No	No	No
AWS Systems Manager	Yes	Yes	No	Yes	Yes	Yes
AWS Systems Manager GUI Connect	Yes	No	No	No	Yes	No
AWS Systems Manager Incident Manager	Yes	Yes	No	No	Yes	Yes
AWS Systems Manager Incident Manager Contacts	Yes	Yes	No	No	Yes	No
AWS Tag Editor	Yes	No	No	No	Yes	No
AWS Trusted Advisor	Partial⁵	Yes	No	No	Partial	Yes
AWS Well-Architected Tool	Yes	Yes	No	Yes	Yes	No
Service Quotas	Yes	Yes	No	Yes	Yes	No

¹ Amazon CloudWatch service-linked roles cannot be created using the AWS Management Console, and support only the Alarm Actions feature.

² AWS Config supports resource-level permissions for multi-account multi-Region data aggregation and AWS Config Rules. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section and AWS Config Rules section of AWS Config API Guide.

³ Users can assume a role with a policy that allows AWS Resource Groups operations.

⁴ AWS Service Catalog supports tag-based access control for only actions that match API operations with one resource in the input.

⁵ API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.

Migration and transfer services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Application Discovery Service	Yes	No	No	No	Yes	Yes
AWS Application Discovery Arsenal	Yes	No	No	No	Yes	No
AWS Application Migration Service	Yes	Yes	No	Yes	Yes	Yes
AWS Connector Service	Yes	No	No	No	Yes	No
AWS Transfer Family	Yes	Yes	No	Yes	Yes	No
AWS Database Migration Service	Yes	Yes	No¹	Yes	Yes	No
AWS DataSync	Yes	Yes	No	Yes	Yes	No
AWS Migration Hub	Yes	Yes	No	No	Yes	Yes
AWS Migration Hub Strategy Recommendations	Yes	No	No	No	Yes	Yes
AWS Server Migration Service	Yes	No	No	No	Yes	Yes

¹ You can create and modify policies that are attached to AWS KMS encryption keys you create to encrypt data migrated to supported target endpoints. The supported target endpoints include Amazon Redshift and Amazon S3. For more information, see Creating and Using AWS KMS Keys to Encrypt Amazon Redshift Target Data and Creating AWS KMS Keys to Encrypt Amazon S3 Target Objects in the AWS Database Migration Service User Guide.

Mobile services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Amplify	Yes	Yes	No	Yes	Yes	No
AWS Amplify Admin	Yes	Yes	No	No	Yes	No
AWS AppSync	Yes	Yes	No	Yes	Yes	No
AWS Device Farm	Yes	Yes	No	Yes	Yes	No
Amazon Location	Yes	Yes	No	Yes	Yes	No

Networking and content delivery services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon API Gateway	Yes	Yes	Yes	Yes	Yes	Yes
Amazon API Gateway Management	Yes	Yes	No	Yes	Yes	No
Amazon API Gateway Management V2	Yes	Yes	No	Yes	Yes	No
AWS App Mesh	Yes	Yes	No	Yes	Yes	Yes
AWS App Mesh Preview	Yes	Yes	No	No	Yes	Yes
Amazon CloudFront	Yes	Yes	No	Yes	Yes	Partial³
AWS Cloud Map	Yes	Yes	No	Yes	Yes	No
AWS Direct Connect	Yes	Yes	No	Yes	Yes	Yes
AWS Global Accelerator	Yes	Yes	No	Yes	Yes	Yes
AWS Network Manager	Yes	Yes	No	Yes	Yes	Yes
Amazon Route 53	Yes	Yes	No	No	Yes	No
Amazon Route 53 Domains	Yes	No	No	No	No	No
Amazon Route 53 Recovery Cluster	Yes	Yes	No	No	Yes	No
Amazon Route 53 Recovery Controls	Yes	Yes	No	No	Yes	No
Amazon Route 53 Recovery Readiness	Yes	Yes	No	Yes	Yes	No
Amazon Route 53 Resolver	Yes	Yes	No	Yes	Yes	Yes
AWS Tiros API (for VPC Reachability Analyzer)	Yes	No	No	No	No	No
Amazon Virtual Private Cloud (Amazon VPC)	Yes	Partial¹	Partial²	Yes	Yes	No

¹ In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify ""Resource": "*"". For more information, see Controlling the Use of Endpoints in the Amazon VPC User Guide.

² Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Using Endpoint Policies in the Amazon VPC User Guide.

³ Amazon CloudFront doesn't have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.

Media services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon Elastic Transcoder	Yes	Yes	No	No	Yes	No
AWS Elemental Appliances and Software	Yes	Yes	No	Yes	Yes	No
AWS Elemental Appliances and Software Activation Service	Yes	Yes	No	Yes	Yes	No
AWS Elemental MediaConnect	Yes	Yes	No	No	Yes	No
AWS Elemental MediaConvert	Yes	Yes	No	Yes	Yes	No
AWS Elemental MediaLive	Yes	Yes	No	Yes	Yes	No
AWS Elemental MediaPackage	Yes	Yes	No	Yes	Yes	No
AWS Elemental MediaPackage VOD	Yes	Yes	No	Yes	Yes	No
AWS Elemental MediaStore	Yes	Yes	Yes	No	Yes	No
AWS Elemental MediaTailor	Yes	Yes	No	Yes	Yes	Yes
AWS Elemental Support Cases	Yes	No	No	No	Yes	No
AWS Elemental Support Content	Yes	No	No	No	Yes	No
Amazon Interactive Video Service	Yes	Yes	No	Yes	Yes	Yes
Kinesis Video Streams	Yes	Yes	No	Yes	Yes	No
Amazon Nimble Studio	Yes	Yes	No	Yes	Yes	No

Analytics services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon Athena	Yes	Yes	No	Yes	Yes	No
Amazon CloudSearch	Yes	Yes	No	No	Yes	No
AWS Data Exchange	Yes	Yes	No	Yes	Yes	No
AWS Data Pipeline	Yes	No	No	Yes	Yes	No
Amazon OpenSearch Service	Yes	Yes	Yes	Yes	Yes	Yes
Amazon EMR	Yes	Yes	No	Yes	Yes	Yes
Amazon EMR on EKS (EMR Containers)	Yes	Yes	No	Yes	Yes	Yes
Amazon FinSpace	Yes	Yes	No	Yes	Yes	No
AWS Glue	Yes	Yes	Yes	Partial	Yes	No
AWS Glue DataBrew	Yes	Yes	No	Yes	Yes	No
Amazon Kinesis Data Analytics	Yes	Yes	No	Yes	Yes	No
Amazon Kinesis Data Analytics V2	Yes	Yes	No	Yes	Yes	No
Amazon Kinesis Data Firehose	Yes	Yes	No	Yes	Yes	No
Amazon Kinesis Data Streams	Yes	Yes	No	No	Yes	No
AWS Lake Formation	Yes	No	No	No	Yes	Yes
Amazon Managed Streaming for Apache Kafka (MSK)	Yes	Yes	No	Yes	Yes	No
Amazon Managed Streaming for Kafka Connect	Yes	Yes	No	No	Yes	Yes
Apache Kafka APIs for Amazon MSK clusters	Yes	Yes	No	Yes	Yes	No
Amazon Managed Workflows for Apache Airflow	Yes	Yes	No	Yes	Yes	No
Amazon QuickSight	Yes	Yes	No	Yes	Yes	No

Application integration services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon AppFlow	Yes	Yes	No	Yes	Yes	No
Amazon EventBridge	Yes	Yes	Yes	Yes	Yes	No
Amazon EventBridge Schemas	Yes	Yes	Yes	Yes	Yes	No
Amazon MQ	Yes	Yes	No	Yes	Yes	Yes
Amazon Simple Notification Service (Amazon SNS)	Yes	Yes	Yes	No	Yes	No
Amazon Simple Queue Service (Amazon SQS)	Yes	Yes	Yes	No	Yes	No
AWS Step Functions	Yes	Yes	No	Yes	Yes	No
Amazon Simple Workflow Service (Amazon SWF)	Yes	Yes	No	Yes	Yes	No

Business applications services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Alexa for Business	Yes	Yes	No	Yes	Yes	No
Amazon Chime	Yes	Yes	No	Yes	Yes	Yes
Amazon Honeycode	Yes	Yes	No	No	Yes	No
Amazon WorkMail	Yes	Yes	No	Yes	Yes	Yes
Amazon WorkMail Message Flow	Yes	Yes	No	No	Yes	No

Satellite services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Ground Station	Yes	Yes	No	Yes	Yes	No

Internet of Things services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS IoT 1-Click	Yes	Yes	No	Yes	Yes	No
AWS IoT Greengrass	Yes	Yes	No	Yes	Yes	No
AWS IoT Greengrass V2	Yes	Yes	No	Yes	Yes	No
AWS IoT	Yes	Yes	Partial¹	Yes	Yes	No
AWS IoT Analytics	Yes	Yes	No	Yes	Yes	No
AWS IoT Core Device Advisor	Yes	Yes	No	Yes	Yes	No
AWS IoT Core for LoRaWAN	Yes	Yes	No	Yes	Yes	No
AWS IoT Device Tester	Yes	No	No	No	Yes	No
AWS IoT Events	Yes	Yes	No	Yes	Yes	No
AWS IoT SiteWise	Yes	Yes	No	Yes	Yes	Yes
AWS IoT Things Graph	Yes	Yes	No	Yes	Yes	No
AWS IoT Fleet Hub for Device Management	Yes	Yes	No	Yes	Yes	No
FreeRTOS	Yes	Yes	No	Yes	Yes	No

¹ Devices connected to AWS IoT are authenticated by using X.509 certificates or using Amazon Cognito Identities. You can attach AWS IoT policies to an X.509 certificate or Amazon Cognito Identity to control what the device is authorized to do. For more information, see Security and Identity for AWS IoT in the AWS IoT Developer Guide.

Robotics services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
RoboMaker	Yes	Yes	No	Yes	Yes	Yes

Quantum Computing Services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon Braket	Yes	Yes	No	Yes	Yes	Yes

Blockchain services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon Managed Blockchain	Yes	Yes	No	Yes	Yes	No

Game development services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon GameLift	Yes	Yes	No	Yes	Yes	No

AR & VR services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon Sumerian	Yes	Yes	No	No	Yes	No

Customer enablement services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS IQ	Yes	No	No	No	Yes	No
AWS IQ Permissions	No	No	No	No	Yes	No
AWS Support	Yes	No	No	No	Yes	Yes

Customer engagement services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon AppIntegrations	Yes	Yes	No	Yes	Yes	No
Amazon Connect	Yes	Yes	No	Yes	Yes	Yes
Amazon Connect Customer Profiles	Yes	Yes	No	Yes	Yes	No
Amazon Connect Voice ID	Yes	Yes	No	Yes	Yes	No
Amazon Connect Wisdom	Yes	Yes	No	Yes	Yes	No
High-volume outbound communications	Yes	Yes	No	Yes	Yes	No
Amazon Pinpoint	Yes	Yes	No	Yes	Yes	No
Amazon Pinpoint Email Service	Yes	Yes	No	Yes	Yes	No
Amazon Pinpoint SMS and Voice Service	Yes	No	No	No	Yes	No
Amazon Simple Email Service (Amazon SES) v2	Yes	Partial¹	Yes	Yes	Partial²	No

¹ You can only use resource-level permissions in policy statements that refer to actions related to sending email, such as ses:SendEmail or ses:SendRawEmail. For policy statements that refer to any other actions, the Resource element can only contain *.

² Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.

End user computing services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
Amazon AppStream	Yes	No	No	No	Yes	No
Amazon AppStream 2.0	Yes	Yes	No	Yes	Yes	No
Amazon WAM	Yes	No	No	No	Yes	No
Amazon WorkDocs	Yes	No	No	No	Yes	No
Amazon WorkLink	Yes	Yes	No	Yes	Yes	Yes
Amazon WorkSpaces	Yes	Yes	No	Yes	Yes	No

Billing and cost management services

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Application Cost Profiler Service	Yes	No	No	No	Yes	No
AWS Billing and Cost Management	Yes	No	No	No	Yes	No
AWS Cost and Usage Report	Yes	Yes	No	No	Yes	No
AWS Cost Explorer	Yes	No	No	No	Yes	No
AWS Savings Plans	Yes	Yes	No	Yes	Yes	No

Additional resources

Service	Actions	Resource-level permissions	Resource-based policies	Authorization based on tags	Temporary credentials	Service-linked roles
AWS Activate	Yes	No	No	No	Yes	No
AWS Budget Service	Yes	Yes	No	No	No	No
AWS Marketplace	Yes	No	No	No	Yes	Yes
AWS Marketplace Catalog	Yes	Yes	No	No	Yes	No
AWS Marketplace Commerce Analytics Service	Yes	No	No	No	No	No
AWS Marketplace Metering Service	Yes	No	No	No	Yes	No
AWS Marketplace Private Marketplace	Yes	No	No	No	Yes	No

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Quotas

Policy reference