AWS services that work with IAM
The AWS services listed below are grouped alphabetically and include information about what IAM features they support:
- Service – You can choose the name of a service to view the AWS documentation about IAM authorization and access for that service.
- Actions – You can specify individual actions in a policy. If the service does not support this feature, then All actions is selected in the visual editor. In a JSON policy document, you must use * in the Action element. For a list of actions in each service, see Actions, Resources, and Condition Keys for AWS Services.
- Resource-level permissions – You can use ARNs to specify individual resources in the policy. If the service does not support this feature, then All resources is chosen in the policy visual editor. In a JSON policy document, you must use * in the Resource element. Some actions, such as List* actions, do not support specifying an ARN because they are designed to return multiple resources. If a service supports this feature for some resources but not others, it is indicated by Partial in the table. See the documentation for that service for more information.
- Resource-based policies – You can attach resource-based policies to a resource within the service. Resource-based policies include a Principal element to specify which IAM identities can access that resource. For more information, see Identity-based policies and resource-based policies.
- ABAC (authorization based on tags) – To control access based on tags, you provide tag information in the condition element of a policy using the aws:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys. If a service supports all three condition keys for every resource type, then the value is Yes for the service. If a service supports all three condition keys for only some resource types, then the value is Partial. For more information about defining permissions based on attributes such as tags, see Define permissions based on attributes with ABAC authorization. To view a tutorial with steps for setting up ABAC, see Use attribute-based access control (ABAC).
- Temporary credentials – You can use short-term credentials that you obtain when you sign in using IAM Identity Center, switch roles in the console, or that you generate using AWS STS in the AWS CLI or AWS API. You can access services with a No value only while using your long-term IAM user credentials. This includes a user name and password or your user access keys. For more information, see Temporary security credentials in IAM.
- Service-linked roles – A service-linked role is a special type of service role that gives the service permission to access resources in other services on your behalf. Choose the Yes or Partial link to see the documentation for services that support these roles. This column does not indicate if the service uses standard service roles. For more information, see Service-linked roles.
- More information – If a service doesn't fully support a feature, you can review the footnotes for an entry to view the limitations and links to related information.
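The ABAC bullet above names the three tag condition keys but does not show how they combine in a request. The following is an added example, not code from this page or from AWS: a small policy that uses aws:ResourceTag/key-name to gate actions on existing resources and aws:RequestTag/key-name together with aws:TagKeys to gate tagging requests, plus a constructed evaluate() helper that applies those conditions to sample requests. The helper is not the IAM engine; it supports only StringEquals, optionally prefixed with the IAM set operators ForAllValues: and ForAnyValue: (which this page does not mention), and wildcard matching of Action and Resource. The policy, ARNs, tag values and account number are all constructed for illustration.

```python
import fnmatch

# Constructed sample policy (not from the page). Both statements rely only on
# the three condition keys the page lists.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Existing resource: compare the tag already on the instance.
            "Sid": "OperateOwnProjectInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Project": "payments"}},
        },
        {   # Tagging request: require the Project tag AND restrict which keys may be set.
            "Sid": "TagOnlyWithApprovedKeys",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/Project": "payments"},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["Project", "Name"]},
            },
        },
    ],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def build_context(resource_tags, request_tags):
    """Derive the tag condition keys from a request, as the page describes them."""
    ctx = {f"aws:ResourceTag/{k}": [v] for k, v in resource_tags.items()}
    ctx.update({f"aws:RequestTag/{k}": [v] for k, v in request_tags.items()})
    ctx["aws:TagKeys"] = list(request_tags.keys())  # multivalued key
    return ctx


def condition_matches(condition, ctx):
    """Evaluate a Condition block; only StringEquals (with set prefixes) is modelled."""
    for operator, pairs in condition.items():
        prefix, _, base = operator.rpartition(":")
        if base != "StringEquals":
            raise NotImplementedError(operator)
        for key, allowed in pairs.items():
            allowed = as_list(allowed)
            present = ctx.get(key, [])
            if prefix == "ForAllValues":
                ok = all(v in allowed for v in present)  # empty set evaluates true
            elif prefix == "ForAnyValue":
                ok = any(v in allowed for v in present)
            else:
                ok = len(present) == 1 and present[0] in allowed  # missing key never matches
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, resource_tags=None, request_tags=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    ctx = build_context(resource_tags or {}, request_tags or {})
    decision = "ImplicitDeny"
    for stmt in as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"
    print(evaluate(ABAC_POLICY, "ec2:StartInstances", inst, resource_tags={"Project": "payments"}))
    print(evaluate(ABAC_POLICY, "ec2:StartInstances", inst))  # untagged: no match
    print(evaluate(ABAC_POLICY, "ec2:CreateTags", inst, request_tags={"Project": "payments", "Owner": "x"}))
    print(evaluate(ABAC_POLICY, "ec2:CreateTags", inst, request_tags={}))
```

The last two calls show why the page's three keys are used together: aws:TagKeys with ForAllValues alone would accept an empty tag set, so the StringEquals on aws:RequestTag/Project is what forces the tag to be present, and the aws:TagKeys check is what stops an unapproved key such as Owner from riding along.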
Services that work with IAM
More information (footnotes for services that do not fully support a feature):
AWS CloudTrail
CloudTrail supports resource-based policies only on CloudTrail channels used for CloudTrail Lake integrations with event sources outside of AWS.
Amazon CloudWatch
CloudWatch service-linked roles cannot be created using the AWS Management Console, and support only the Alarm Actions feature.
AWS CodeBuild
CodeBuild supports cross-account resource sharing using AWS RAM.
CodeBuild supports ABAC for project-based actions.
AWS Config
AWS Config supports resource-level permissions for multi-account multi-Region data aggregation and AWS Config Rules. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section and AWS Config Rules section of the AWS Config API Guide.
AWS Database Migration Service
You can create and modify policies that are attached to AWS KMS encryption keys you create to encrypt data migrated to supported target endpoints. The supported target endpoints include Amazon Redshift and Amazon S3. For more information, see Creating and Using AWS KMS Keys to Encrypt Amazon Redshift Target Data and Creating AWS KMS Keys to Encrypt Amazon S3 Target Objects in the AWS Database Migration Service User Guide.
Amazon Elastic Compute Cloud
Amazon EC2 service-linked roles can be used only for the following features: Spot Instance Requests, Spot Fleet Requests, Amazon EC2 Fleets, and Fast launching for Windows instances.
Amazon Elastic Container Service
Only some Amazon ECS actions support resource-level permissions.
AWS Elemental MediaPackage
MediaPackage supports service-linked roles for publishing customer access logs to CloudWatch but not for other API actions.
AWS Identity and Access Management
IAM supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role. For more information, see Grant a user permissions to switch roles.
IAM supports tag-based access control for most IAM resources. For more information, see Tags for AWS Identity and Access Management resources.
Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.
AWS IoT
Devices connected to AWS IoT are authenticated by using X.509 certificates or using Amazon Cognito Identities. You can attach AWS IoT policies to an X.509 certificate or Amazon Cognito Identity to control what the device is authorized to do. For more information, see Security and Identity for AWS IoT in the AWS IoT Developer Guide.
AWS Lambda
Lambda supports attribute-based access control (ABAC) for API actions that use a Lambda function as the required resource. Layers, event source mappings, and code signing config resources are not supported.
Lambda doesn't have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.
Amazon Lightsail
Lightsail partially supports resource-level permissions and ABAC. For more information, see Actions, resources, and condition keys for Amazon Lightsail.
Amazon Managed Streaming for Apache Kafka (MSK)
You can attach a cluster policy to an Amazon MSK cluster that has been configured for multi-VPC connectivity.
AWS Network Manager
AWS Cloud WAN also supports service-linked roles. For more information, see AWS Cloud WAN service-linked roles in the Amazon VPC AWS Cloud WAN Guide.
Amazon Relational Database Service
Amazon Aurora is a fully managed relational database engine that's compatible with MySQL and PostgreSQL. You can choose the Aurora MySQL or Aurora PostgreSQL as the DB engine option when setting up new database servers through Amazon RDS. For more information, see Identity and access management for Amazon Aurora in the Amazon Aurora User Guide.
Amazon Rekognition
Resource-based policies are only supported for copying Amazon Rekognition Custom Labels models.
AWS Resource Groups
Users can assume a role with a policy that allows Resource Groups operations.
Amazon SageMaker
Service-linked roles are currently available for SageMaker Studio and SageMaker training jobs.
AWS Security Token Service
AWS STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name.
Only some of the API operations for AWS STS support calling with temporary credentials. For more information, see Comparing your API options.
Amazon Simple Email Service
You can only use resource-level permissions in policy statements that refer to actions related to sending email, such as ses:SendEmail or ses:SendRawEmail. For policy statements that refer to any other actions, the Resource element can only contain *.
Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.
Amazon Simple Storage Service
Amazon S3 supports tag-based authorization only for object resources.
Amazon S3 supports service-linked roles for Amazon S3 Storage Lens.
AWS Trusted Advisor
API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.
Amazon Virtual Private Cloud
In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify "Resource": "*". For more information, see Identity and access management for VPC endpoints and VPC endpoint services in the AWS PrivateLink Guide.
Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Control access to services using endpoint policies in the AWS PrivateLink Guide.
Amazon VPC doesn't have service-linked roles, but AWS Transit Gateway does. For more information, see Use service-linked roles for transit gateway in the Amazon VPC AWS Transit Gateway Guide.
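The Resource-level permissions bullet, the Amazon SES note and the Amazon VPC note above all describe the same trap: an action that accepts only "Resource": "*" is silently never matched by a statement that scopes it to an ARN. For an Allow that means an unexplained AccessDenied; for a Deny it means a guardrail that never fires. The following is an added example, not code from this page or from AWS: a linter that finds such statements and a helper that moves the affected actions into a sibling statement with "Resource": "*" so the stated intent takes effect. The table of wildcard-only actions is built from this page's VPC endpoint footnote, the set of ARN-capable SES actions is an assumption covering the two the page names, and the sample policy, ARNs and account number are constructed for illustration; extend the table per service from the Actions, Resources, and Condition Keys reference.

```python
import copy
import fnmatch
import json

# Actions the page says accept only "Resource": "*" (from the Amazon VPC note).
# Assumption: this table is illustrative, not a complete inventory.
WILDCARD_ONLY_PATTERNS = ("ec2:*VpcEndpoint*", "ec2:DescribePrefixLists")

# Amazon SES: only sending actions take an ARN. The page says "such as", so
# treating exactly these two as the ARN-capable set is an assumption.
SES_ARN_CAPABLE = {"ses:SendEmail", "ses:SendRawEmail"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def needs_wildcard_resource(action):
    """True when the page's rules say this action cannot be scoped to an ARN."""
    if any(fnmatch.fnmatchcase(action, pat) for pat in WILDCARD_ONLY_PATTERNS):
        return True
    # A wildcard such as ses:* still expands to the sending actions, so leave it alone.
    return action.startswith("ses:") and "*" not in action and action not in SES_ARN_CAPABLE


def dead_actions(stmt):
    """Actions in this statement that can never match because Resource is an ARN."""
    if "Action" not in stmt or "Resource" not in stmt:  # NotAction/NotResource skipped (assumption)
        return []
    if "*" in as_list(stmt["Resource"]):
        return []
    return [a for a in as_list(stmt["Action"]) if needs_wildcard_resource(a)]


def find_dead_statements(policy):
    """Report every (Sid, Effect, action) that silently does nothing."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        for action in dead_actions(stmt):
            findings.append({"sid": stmt.get("Sid"), "effect": stmt["Effect"], "action": action})
    return findings


def split_wildcard_only_actions(policy):
    """Return a copy in which each dead action moves to a sibling statement with
    the same Effect and Condition but "Resource": "*"."""
    fixed = copy.deepcopy(policy)
    rebuilt = []
    for stmt in as_list(fixed["Statement"]):
        dead = dead_actions(stmt)
        if not dead:
            rebuilt.append(stmt)
            continue
        kept = [a for a in as_list(stmt["Action"]) if a not in dead]
        if kept:  # keep the ARN-scoped part only if something is left in it
            stmt["Action"] = kept
            rebuilt.append(stmt)
        moved = {"Effect": stmt["Effect"], "Action": dead, "Resource": "*"}
        if "Sid" in stmt:
            moved["Sid"] = stmt["Sid"] + "Unscoped"
        if "Condition" in stmt:
            moved["Condition"] = copy.deepcopy(stmt["Condition"])
        rebuilt.append(moved)
    fixed["Statement"] = rebuilt
    return fixed


# Constructed sample policy (not from the page).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Looks like a guardrail, but *VpcEndpoint* actions ignore ARNs: this Deny never fires.
            "Sid": "DenyEndpointChanges", "Effect": "Deny",
            "Action": ["ec2:DeleteVpcEndpoints", "ec2:ModifyVpcEndpoint"],
            "Resource": "arn:aws:ec2:us-east-1:111122223333:vpc-endpoint/vpce-0123456789abcdef0",
        },
        {   # Sending actions do accept an identity ARN.
            "Sid": "SesSendOnly", "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
        },
        {   # ses:GetSendQuota is not a sending action, so that half of the grant is dead.
            "Sid": "SesQuota", "Effect": "Allow",
            "Action": ["ses:GetSendQuota", "ses:SendEmail"],
            "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
        },
        {   # Correct form for describe-style actions.
            "Sid": "DescribeAll", "Effect": "Allow",
            "Action": ["ec2:DescribePrefixLists", "ec2:DescribeVpcEndpoints"],
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    for f in find_dead_statements(SAMPLE_POLICY):
        print(f"{f['sid']}: {f['effect']} {f['action']} never matches (Resource is an ARN)")
    print(json.dumps(split_wildcard_only_actions(SAMPLE_POLICY), indent=2))
```

Run it on the sample and the Deny on the VPC endpoint ARN is reported first; after the split it becomes a Deny on "*", which is the only form in which that Deny can ever take effect. Treat a finding on a Deny statement as a missing control rather than a cosmetic issue.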
AWS X-Ray
X-Ray does not support resource-level permissions for all actions.
X-Ray supports tag-based access control for groups and sampling rules.