AWS Identity and Access Management
User Guide

AWS Services That Work with IAM

The AWS services listed below are grouped by their AWS product categories and include information about what IAM features they support:

  • Service – You can choose the name of a service to view the AWS documentation about IAM authorization and access for that service.

  • Actions – You can specify individual actions in a policy. If the service does not support this feature, then All actions is selected in the visual editor. In a JSON policy document, you must use * in the Action element. For a list of actions in each service, see Actions, Resources, and Condition Keys for AWS Services.

  • Resource-level permissions – You can use ARNs to specify individual resources in the policy. If the service does not support this feature, then All resources is chosen in the policy visual editor. In a JSON policy document, you must use * in the Resource element. Some actions, such as List* actions, do not support specifying an ARN because they are designed to return multiple resources. If a service supports this feature for some resources but not others, it is indicated by yellow cells in the table. See the documentation for that service for more information.

  • Resource-based policies – You can attach resource-based policies to a resource within the service. Resource-based policies include a Principal element to specify which IAM identities can access that resource. For more information, see Identity-Based Policies and Resource-Based Policies.

  • Authorization based on tags – You can use resource tags in the condition of a policy. For example, you might create a policy that allows tag owners full access to Amazon RDS resources that they have tagged. You do this by using a condition key such as rds:db-tag/Owner.

  • Temporary credentials – Users signed in with federation, a cross-account role, or a service role can access the service. Temporary security credentials are obtained by calling AWS STS API operations like AssumeRole or GetFederationToken. For more information, see Temporary Security Credentials.

  • Service-linked roles – A service-linked role gives the service permission to access resources in other services to complete an action on your behalf. Choose the Yes link to see the documentation for services that support these roles. For more information, see Using Service-Linked Roles.

  • More information – If a service doesn't fully support a feature, you can review the footnotes for an entry to view the limitations and links to related information.

Compute Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Application Auto Scaling Yes No No No Yes Yes
AWS Auto Scaling Yes No No No Yes Yes
AWS Batch Yes Yes No No Yes No
Amazon Elastic Compute Cloud (Amazon EC2) Yes Yes No Yes Yes Yes¹
Amazon EC2 Auto Scaling Yes Yes No No Yes Yes
AWS Elastic Beanstalk Yes Yes No No Yes Yes
Amazon Elastic Container Registry (Amazon ECR) Yes Yes Yes No Yes No
Amazon Elastic Container Service (Amazon ECS) Yes Yes No No Yes Yes
Amazon Elastic Container Service for Kubernetes (Amazon EKS) Yes No No No Yes No
Amazon Elastic Inference Yes Yes Yes No No No
Elastic Load Balancing Yes Yes No No Yes Yes
AWS Lambda Yes Yes Yes² No Yes Yes
Amazon Lightsail Yes No No No Yes No

¹ Amazon EC2 service-linked roles cannot be created using the AWS Management Console, and can be used only for the following features: Scheduled Instances, Spot Instance Requests, and Spot Fleet Requests.

² The only AWS Lambda API action that can be specified in a resource-based policy is lambda:InvokeFunction. For more information, see Using Resource-Based Policies for AWS Lambda (Lambda Function Policies) in the AWS Lambda Developer Guide.
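As an added example (written for this page, not code from the IAM User Guide), the following Python module builds three constructed policy documents that put the legend's Actions, Resource-level permissions, Resource-based policies and Authorization based on tags features, and footnote ² above, side by side: an identity-based Amazon RDS policy that names individual actions, scopes the Resource element to an ARN and uses the rds:db-tag/Owner condition key; the same grant collapsed to rds:* on *, which is the shape a service without action- or resource-level support forces; and a Lambda function policy whose Principal is a service and whose only action is lambda:InvokeFunction. A small review_policy helper reports statements that fall back to *. The account ID, Region, function name, bucket name and the helper itself are constructed assumptions; the ${aws:username} policy variable and the AWS:SourceArn condition key are standard IAM features that this page does not itself mention.

```python
"""Constructed IAM policy documents and a small review helper.

Added example, not from the IAM User Guide. The account ID, Region,
function name and bucket name are placeholders.
"""
import json

ACCOUNT_ID = "111122223333"   # placeholder account ID
REGION = "us-east-1"          # placeholder Region

# Identity-based policy using three features from the legend: individual
# actions instead of "*", an ARN in Resource instead of "*", and the
# rds:db-tag/Owner condition key so the caller may act only on DB instances
# tagged Owner=<their own IAM user name>.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ManageOwnTaggedDbInstances",
        "Effect": "Allow",
        "Action": ["rds:StartDBInstance", "rds:StopDBInstance", "rds:RebootDBInstance"],
        "Resource": f"arn:aws:rds:{REGION}:{ACCOUNT_ID}:db:*",
        "Condition": {"StringEquals": {"rds:db-tag/Owner": "${aws:username}"}},
    }],
}

# The same intent written the way a service that lacks action- and
# resource-level support would force it: every action on every resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BroadRdsAccess",
        "Effect": "Allow",
        "Action": "rds:*",
        "Resource": "*",
    }],
}

# Resource-based policy on a Lambda function: it carries a Principal, and
# per footnote 2 the only action it can grant is lambda:InvokeFunction.
# The SourceArn condition pins the grant to one bucket, so a bucket in
# another account cannot invoke the function through the same service
# principal.
FUNCTION_POLICY = {
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "AllowS3Invoke",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:example-fn",
        "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}},
    }],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def review_policy(policy, resource_based=False, allowed_actions=None):
    """Return findings for Allow statements that give up the scoping the
    legend describes: wildcard actions, Resource "*", a resource-based
    statement with no Principal or an open Principal with no Condition,
    or an action the service does not accept in a resource policy."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard Action")
        if "*" in resources:
            findings.append(f"{sid}: Resource is '*'")
        if resource_based:
            principal = stmt.get("Principal")
            if principal is None:
                findings.append(f"{sid}: no Principal element")
            elif principal in ("*", {"AWS": "*"}) and "Condition" not in stmt:
                findings.append(f"{sid}: open Principal without a Condition")
        if allowed_actions is not None:
            for a in actions:
                if a not in allowed_actions:
                    findings.append(f"{sid}: action {a} not permitted here")
    return findings


if __name__ == "__main__":
    cases = [
        ("identity-based", IDENTITY_POLICY, {}),
        ("broad", BROAD_POLICY, {}),
        ("lambda resource-based", FUNCTION_POLICY,
         {"resource_based": True, "allowed_actions": {"lambda:InvokeFunction"}}),
    ]
    for name, pol, kw in cases:
        print(f"== {name} ==")
        print(json.dumps(pol, indent=2))
        print("findings:", review_policy(pol, **kw) or "none")
```

Running the module prints each policy and its findings; the identity-based and Lambda policies pass clean, while the broad policy is reported for both a wildcard Action and a Resource of *. The helper is deliberately narrow: it checks only the features this page's legend defines and does not evaluate a policy the way IAM does.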

Storage Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Elastic Block Store (Amazon EBS) Yes Yes No Yes Yes No
Amazon Elastic File System (Amazon EFS) Yes Yes No No Yes No
Amazon S3 Glacier Yes Yes Yes Yes Yes No
AWS Import/Export Yes No No No Yes No
AWS Migration Hub Yes Yes No No Yes No
Amazon Simple Storage Service (Amazon S3) Yes Yes Yes Yes Yes No
AWS Snowball Yes No No No Yes No
AWS Snowball Edge Yes No No No No No
AWS Storage Gateway Yes Yes No No Yes No

Database Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon DynamoDB Yes Yes No No Yes Yes
Amazon ElastiCache Yes No¹ No No Yes Yes
Amazon Redshift Yes Yes No Yes Yes Yes
Amazon Relational Database Service (Amazon RDS) Yes Yes No Yes Yes Yes
Amazon SimpleDB Yes Yes No No Yes No

¹ Two API operations specify an Amazon S3 ARN resource when seeding a cluster/replication group.

Developer Tools Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Cloud9 Yes Yes Yes Yes Yes Yes
AWS CodeBuild Yes Yes No No Yes No
AWS CodeCommit Yes Yes No No Yes No
AWS CodeDeploy Yes Yes No No Yes No
AWS CodePipeline Yes Yes No No Yes No
AWS CodeStar Yes Yes¹ No No Yes No

Security, Identity, and Compliance Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Artifact Yes Yes No No Yes No
AWS Certificate Manager (ACM) Yes Yes No No Yes No
AWS CloudHSM Yes No No No Yes Yes
AWS CloudHSM Classic Yes No No No No No
Amazon Cognito Yes Yes No No Yes No
AWS Directory Service Yes No No No Yes No
Amazon GuardDuty Yes Yes No No Yes Yes
AWS Identity and Access Management (IAM) Yes Yes No No Yes¹ No
Amazon Inspector Yes No No No Yes Yes
AWS Key Management Service (AWS KMS) Yes Yes Yes No Yes Yes
Amazon Macie Yes No No No Yes Yes
AWS Organizations Yes Yes No No Yes Yes
AWS Secrets Manager Yes Yes Yes Yes Yes No
AWS Security Hub Yes Yes No No Yes Yes
AWS Single Sign-On (AWS SSO) Yes No No No Yes Yes
AWS Security Token Service (AWS STS) Yes Yes² No No Yes³ No
AWS Shield Advanced Yes No No No Yes No
AWS WAF Yes Yes No No Yes Yes

¹ Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.

² AWS STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name.

³ Only some of the API operations for AWS STS support calling with temporary credentials. For more information, see Comparing your API options.

Machine Learning Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Comprehend Yes No No No Yes No
AWS DeepRacer Yes No No No Yes Yes
Amazon Lex Yes Yes No No Yes Yes
Amazon Machine Learning Yes Yes No Yes Yes No
Amazon Polly Yes Yes No No Yes No
Amazon Rekognition Yes Yes No No No No
Amazon SageMaker Yes Yes No Yes¹ Yes No
Amazon Transcribe Yes No No No Yes No
Amazon Translate Yes No No No Yes No

¹ Amazon SageMaker does not support using tag-based authorization for calls to InvokeEndpoint.

Management and Governance Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS CloudFormation Yes Yes No No Yes No
AWS CloudTrail Yes Yes No No Yes No
Amazon CloudWatch Yes No No No Yes Yes¹
Amazon CloudWatch Events Yes Yes No No Yes No
Amazon CloudWatch Logs Yes Yes No No Yes No
AWS Config Yes Yes² No No Yes Yes
AWS Health Yes No No No Yes No
AWS OpsWorks Yes Yes Yes No Yes No
AWS OpsWorks for Chef Automate Yes Yes Yes No Yes No
AWS Service Catalog Yes No No No Yes No
AWS Systems Manager Yes Yes No Yes Yes Yes
AWS Trusted Advisor Yes³ Yes No No Yes⁴ Yes

¹ Amazon CloudWatch service-linked roles cannot be created using the AWS Management Console, and support only the Alarm Actions feature.

² AWS Config supports resource-level permissions for only multi-account multi-region data aggregation. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section of AWS Config API Guide.

³ API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.

⁴ Trusted Advisor supports the following tagging condition: ssm:resourceTag for Key/Value pairs and ssm:Overwrite.

Migration and Transfer Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Application Discovery Service Yes No No No No Yes
AWS Database Migration Service Yes Yes No Yes Yes No
AWS Migration Hub Yes Yes No No Yes No

Mobile Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Amplify Yes Yes Yes No No No
AWS Device Farm Yes No No No Yes No
Amazon Pinpoint Yes Yes No No Yes No

Networking and Content Delivery Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon API Gateway Yes Yes Yes No Yes No
AWS App Mesh Yes No No No Yes No
Amazon CloudFront Yes¹ No No No Yes No
AWS Cloud Map Yes No No No Yes No
AWS Direct Connect Yes No No No Yes No
AWS Global Accelerator Yes Yes No No Yes No
Amazon Route 53 Yes Yes No No Yes No
Amazon Virtual Private Cloud (Amazon VPC) Yes Yes² Yes³ Yes Yes No

¹ CloudFront does not support action-level permissions for creating CloudFront key pairs. You must use an AWS account root user to create a CloudFront key pair. For more information, see Creating CloudFront Key Pairs for Your Trusted Signers in the Amazon CloudFront Developer Guide.

² In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify "Resource": "*". For more information, see Controlling the Use of Endpoints in the Amazon VPC User Guide.

³ Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Using Endpoint Policies in the Amazon VPC User Guide.

Media Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Elastic Transcoder Yes Yes No No Yes No
Elemental MediaConnect Yes Yes No No Yes No
AWS Elemental MediaConvert Yes Yes No No Yes No
AWS Elemental MediaStore Yes Yes No No Yes No
AWS Elemental MediaTailor Yes Yes Yes No Yes No
Kinesis Video Streams Yes Yes No No Yes No

Desktop and App Streaming Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon AppStream Yes No No No Yes No
Amazon AppStream 2.0 Yes No No No Yes No
Amazon WorkSpaces Yes Yes No No Yes No
Amazon WAM Yes No No No Yes No

Analytics Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Athena Yes No No No Yes No
Amazon CloudSearch Yes Yes No No Yes No
AWS Data Pipeline Yes No No Yes Yes No
Amazon Elasticsearch Service Yes Yes Yes No Yes Yes
Amazon EMR Yes No No Yes Yes Yes
AWS Glue Yes Yes Yes No Yes No
Amazon Kinesis Data Analytics Yes Yes No No Yes No
Amazon Kinesis Data Firehose Yes Yes No No Yes No
Amazon Kinesis Data Streams Yes Yes No No Yes No
Amazon QuickSight Yes No No No No No

Application Integration Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon MQ Yes No No No Yes No
Amazon Simple Email Service (Amazon SES) Yes Yes¹ No No Yes² No
Amazon Simple Notification Service (Amazon SNS) Yes Yes Yes No Yes No
Amazon Simple Queue Service (Amazon SQS) Yes Yes Yes No Yes No
Amazon Simple Workflow Service (Amazon SWF) Yes Yes No Yes Yes No

¹ Amazon SES supports resource-level permissions in policies that grant permissions to delegate senders to access specific SES identities.

² Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.

Business Applications Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Alexa for Business Yes Yes No Yes Yes No
Amazon WorkDocs Yes No No No Yes No
Amazon WorkMail Yes No No No Yes No

Internet of Things Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS IoT Greengrass Yes Yes Yes No Yes No
AWS IoT Yes Yes Yes¹ Yes Yes No
AWS IoT Things Graph Yes No No No Yes No

¹ Devices connected to AWS IoT are authenticated by using X.509 certificates or using Amazon Cognito Identities. You can attach AWS IoT policies to an X.509 certificate or Amazon Cognito Identity to control what the device is authorized to do. For more information, see Security and Identity for AWS IoT in the AWS IoT Developer Guide.

Robotics Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
RoboMaker Yes Yes No No No Yes

Game Development Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon GameLift Yes No No No Yes No

Customer Engagement Services

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
Amazon Connect Yes Yes No No Yes Yes

Additional Resources

Service Actions Resource-level permissions Resource-based policies Authorization based on tags Temporary credentials Service-linked roles
AWS Billing and Cost Management Yes No No No Yes No
AWS Marketplace Yes Yes No No Yes No
AWS Support No No No No Yes Yes