AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Services

Each AWS service can define actions, resources, and condition context keys for use in IAM policies. This topic describes how the elements provided for each service are documented.

How to Read the Tables

Each topic consists of tables that provide the list of available actions, resources, and condition keys.

The Actions Table

The Actions table lists all the actions that you can use in an IAM policy statement's Action element. Not all API operations that are defined by a service can be used as an action in an IAM policy. In addition, a service might define some actions that don't directly correspond to an API operation. Use this list to determine which actions you can use in an IAM policy. For more information about the Action, Resource, or Condition elements, see IAM Policy Element Reference. The Actions and Description table columns are self-descriptive.

  • The Access Level column specifies how the action is classified (List, Read, Write, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy.

  • The Resource Types column specifies the resource types that you can use in an IAM policy statement's Resource element when the associated action is included in the Action element. For more information about that resource, refer to that row in the Resource Types table. All actions and resources that are included in one statement must be compatible with each other. If you specify a resource that is not valid for the action, any request to use that action fails, and the statement's Effect does not apply.

  • The Condition Keys column specifies keys that you can use in a policy statement's Condition element when the associated action is specified in the Action element. You can also use globally available keys.

  • The Dependent Actions column specifies any additional permissions that you must have, in addition to the permission for the action itself, to successfully call the action. This can be required if the action accesses more than one resource.

The Resource Types Table

The Resource Types table lists all the resource types that you can use in an IAM policy statement's Resource element. Not every resource type can be specified with every action; certain actions only work with certain types of resources. If you specify a resource type that is not valid for the action specified in the same statement, then you are denied access. For more information about the Resource element, see IAM JSON Policy Elements: Resource.

  • The ARN column specifies the Amazon Resource Name (ARN) format that you must use to reference resources of this type. The portions that are preceded by a $ must be replaced by the actual values for your scenario. For example, if you see $user-name in an ARN, you must replace that string with either the actual IAM user's name or a policy variable that contains an IAM user's name. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces.

  • The Condition Keys column specifies condition context keys that you can include in an IAM policy statement only when both this action and this resource are included in the statement.

The Condition Keys Table

The Condition Keys table lists all of the condition keys that you can use in an IAM policy statement's Condition element. Not every key can be specified with every action or resource. Certain keys only work with certain types of actions and resources. For more information about the Condition element, see IAM JSON Policy Elements: Condition.

  • The Type column specifies the data type of the condition key. This data type determines which condition operators you can use to compare values in the request with the values in the policy statement. You must use an operator that is appropriate for the data type. If you use an incorrect operator, then the match always fails and the policy statement never applies.

    If the Type column specifies a "List of …" followed by one of the simple types, then you can use the condition set prefixes with your operators. These prefixes are ForAllValues, which specifies that all values in the request must match a value in the policy statement, and ForAnyValue, which specifies that at least one value in the request must match one of the values in the policy statement.
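The compatibility rules described in the three sections above can be checked mechanically before a policy is deployed. The following linter is an added example, not AWS code or tooling: the table excerpt is hand-built for illustration, and the function names (`arn_matches`, `lint_statement`) are hypothetical.

```python
import re

# Constructed excerpt shaped like one service's three tables (assumption: values
# are illustrative; take the real rows from the service's own topic).
ACTIONS = {  # action -> Resource Types and Condition Keys columns
    "s3:ListBucket": {"resources": ["bucket"], "keys": {"s3:prefix", "s3:max-keys"}},
    "s3:GetObject": {"resources": ["object"], "keys": set()},
}
RESOURCE_TYPES = {  # resource type -> ARN column, with $placeholders
    "bucket": "arn:aws:s3:::$BucketName",
    "object": "arn:aws:s3:::$BucketName/$ObjectName",
}
CONDITION_KEYS = {"s3:prefix": "String", "s3:max-keys": "Numeric",
                  "aws:TagKeys": "List of String"}  # key -> Type column; aws:* is global
# Operator = optional set prefix + type family (only families used in this excerpt).
OPERATOR = re.compile(r"(?:(ForAllValues|ForAnyValue):)?(String|Numeric|Date|Bool|Null)")

def arn_matches(fmt, arn):
    """Match an ARN against an ARN-column format. A final "/$name" may contain "/".
    Policy wildcards inside the ARN are treated literally (a limit of this sketch)."""
    pat = re.sub(r"/\\\$\w+$", "/.+", re.escape(fmt))
    return re.fullmatch(re.sub(r"\\\$\w+", "[^/]+", pat), arn) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_statement(stmt):
    """Return findings for one policy statement, read against the three tables."""
    findings = []
    resources = as_list(stmt.get("Resource", "*"))
    for action in as_list(stmt["Action"]):
        row = ACTIONS.get(action)
        if row is None:
            findings.append(f"{action}: not in the Actions table")
            continue
        formats = [RESOURCE_TYPES[t] for t in row["resources"]]
        if not any(r == "*" or arn_matches(f, r) for r in resources for f in formats):
            findings.append(f"{action}: no Resource in the statement is a valid type for it")
        for operator, block in stmt.get("Condition", {}).items():
            m = OPERATOR.match(operator)
            prefix, family = m.groups() if m else (None, None)
            for key in block:
                ktype = CONDITION_KEYS.get(key)
                if ktype is None or not (key in row["keys"] or key.startswith("aws:")):
                    findings.append(f"{action}: key {key} is not listed for this action")
                elif family not in (ktype.replace("List of ", ""), "Null"):
                    findings.append(f"{action}: {operator} does not fit {key} ({ktype})")
                elif prefix and not ktype.startswith("List of "):
                    findings.append(f"{action}: {prefix} used with single-valued {key}")
    return findings
```

A statement that passes returns an empty list; each finding names the action and the column of the tables that the statement disagrees with.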
