AWS Serverless Application Repository
Developer Guide

Using the AWS Serverless Application Model (AWS SAM)

The AWS Serverless Application Model (AWS SAM) is an open-source framework that you can use to build serverless applications on AWS.

A serverless application is a combination of Lambda functions, event sources, and other resources that work together to perform tasks. Note that a serverless application is more than just a Lambda function—it can include additional resources such as APIs, databases, and event source mappings. For more information about using AWS SAM to build your serverless application, see the AWS Serverless Application Model Developer Guide.

The sections below list the AWS Resources and Policy Templates that are currently supported by AWS Serverless Application Repository.

Supported AWS Resources in the AWS Serverless Application Repository

Serverless applications that you publish to the AWS Serverless Application Repository can include additional AWS CloudFormation resources. The following list is a complete list of supported AWS resources.

If you would like to request an additional AWS resource to be supported, contact AWS Support.

Important

If your application template contains one of the following custom IAM roles or resource policies, your application will not show up by default in search results. Also, customers need to acknowledge the application's custom IAM roles or resource policies before they can deploy the application. For more information, see Acknowledging Application Capabilities.

The resources that this applies to are:

If your application contains the AWS::Serverless::Application resource, customers need to acknowledge the application contains a nested application before they can deploy the application. For more information about nested applications, see Nested Applications in the AWS Serverless Application Model Developer Guide. For more information about acknowledging capabilities, see Acknowledging Application Capabilities.

Supported AWS resources:

  • AWS::ApiGateway::Account

  • AWS::ApiGateway::ApiKey

  • AWS::ApiGateway::Authorizer

  • AWS::ApiGateway::BasePathMapping

  • AWS::ApiGateway::ClientCertificate

  • AWS::ApiGateway::Deployment

  • AWS::ApiGateway::DocumentationPart

  • AWS::ApiGateway::DocumentationVersion

  • AWS::ApiGateway::DomainName

  • AWS::ApiGateway::GatewayResponse

  • AWS::ApiGateway::Method

  • AWS::ApiGateway::Model

  • AWS::ApiGateway::RequestValidator

  • AWS::ApiGateway::Resource

  • AWS::ApiGateway::RestApi

  • AWS::ApiGateway::Stage

  • AWS::ApiGateway::UsagePlan

  • AWS::ApiGateway::UsagePlanKey

  • AWS::ApiGateway::VpcLink

  • AWS::AppSync::ApiKey

  • AWS::AppSync::DataSource

  • AWS::AppSync::GraphQLApi

  • AWS::AppSync::GraphQLSchema

  • AWS::AppSync::Resolver

  • AWS::ApplicationAutoScaling::ScalableTarget

  • AWS::ApplicationAutoScaling::ScalingPolicy

  • AWS::Athena::NamedQuery

  • AWS::CertificateManager::Certificate

  • AWS::CloudFormation::CustomResource

  • AWS::CloudFormation::WaitConditionHandle

  • AWS::CloudFront::CloudFrontOriginAccessIdentity

  • AWS::CloudFront::Distribution

  • AWS::CloudFront::StreamingDistribution

  • AWS::CloudWatch::Alarm

  • AWS::CloudWatch::Dashboard

  • AWS::CodeBuild::Project

  • AWS::CodePipeline::CustomActionType

  • AWS::CodePipeline::Pipeline

  • AWS::CodePipeline::Webhook

  • AWS::Cognito::IdentityPool

  • AWS::Cognito::IdentityPoolRoleAttachment

  • AWS::Cognito::UserPool

  • AWS::Cognito::UserPoolClient

  • AWS::Cognito::UserPoolGroup

  • AWS::Cognito::UserPoolUser

  • AWS::Cognito::UserPoolUserToGroupAttachment

  • AWS::Config::AggregationAuthorization

  • AWS::Config::ConfigRule

  • AWS::Config::ConfigurationAggregator

  • AWS::Config::ConfigurationRecorder

  • AWS::Config::DeliveryChannel

  • AWS::DataPipeline::Pipeline

  • AWS::DynamoDB::Table

  • AWS::ECR::Repository

  • AWS::Elasticsearch::Domain

  • AWS::Events::EventBusPolicy

  • AWS::Events::Rule

  • AWS::Glue::Classifier

  • AWS::Glue::Connection

  • AWS::Glue::Crawler

  • AWS::Glue::Database

  • AWS::Glue::DevEndpoint

  • AWS::Glue::Job

  • AWS::Glue::Partition

  • AWS::Glue::Table

  • AWS::Glue::Trigger

  • AWS::IAM::Group

  • AWS::IAM::InstanceProfile

  • AWS::IAM::ManagedPolicy

  • AWS::IAM::Policy

  • AWS::IAM::Role

  • AWS::IoT::Certificate

  • AWS::IoT::Policy

  • AWS::IoT::PolicyPrincipalAttachment

  • AWS::IoT::Thing

  • AWS::IoT::ThingPrincipalAttachment

  • AWS::IoT::TopicRule

  • AWS::KMS::Alias

  • AWS::KMS::Key

  • AWS::Kinesis::Stream

  • AWS::Kinesis::StreamConsumer

  • AWS::Kinesis::Streams

  • AWS::KinesisAnalytics::Application

  • AWS::KinesisAnalytics::ApplicationOutput

  • AWS::KinesisFirehose::DeliveryStream

  • AWS::Lambda::Alias

  • AWS::Lambda::EventSourceMapping

  • AWS::Lambda::Function

  • AWS::Lambda::LayerVersion

  • AWS::Lambda::LayerVersionPermission

  • AWS::Lambda::Permission

  • AWS::Lambda::Version

  • AWS::Logs::Destination

  • AWS::Logs::LogGroup

  • AWS::Logs::LogStream

  • AWS::Logs::MetricFilter

  • AWS::Logs::SubscriptionFilter

  • AWS::Route53::HealthCheck

  • AWS::Route53::HostedZone

  • AWS::Route53::RecordSet

  • AWS::Route53::RecordSetGroup

  • AWS::S3::Bucket

  • AWS::S3::BucketPolicy

  • AWS::SNS::Subscription

  • AWS::SNS::Topic

  • AWS::SNS::TopicPolicy

  • AWS::SQS::Queue

  • AWS::SQS::QueuePolicy

  • AWS::SSM::Association

  • AWS::SSM::Document

  • AWS::SSM::MaintenanceWindowTask

  • AWS::SSM::Parameter

  • AWS::SSM::PatchBaseline

  • AWS::SSM::ResourceDataSync

  • AWS::Serverless::Api

  • AWS::Serverless::Application

  • AWS::Serverless::Function

  • AWS::Serverless::SimpleTable

  • AWS::StepFunctions::Activity

  • AWS::StepFunctions::StateMachine

Policy Templates

AWS SAM allows you to choose from a list of policy templates to scope the permissions of your Lambda functions to the resources that are used by your application. Policy templates don't require additional customer acknowledgements to deploy the application.

Below is the list of available policy templates, along with the permissions that are applied to each one. AWS SAM automatically populates the placeholder items (such as AWS Region and account ID) with the appropriate information.

If you want to request a new policy template to be added, do the following:

  1. Submit a pull request against the policy_templates.json source file in the develop branch of the AWS SAM GitHub project. You can find the source file here: policy_templates.json.

  2. Submit an issue in the AWS SAM GitHub project that includes the reasons for your pull request and a link to the request. Use this link to submit a new issue: AWS Serverless Application Model: Issues.

Examples

There are two AWS SAM template examples in this section, one with a policy template that includes placeholder values, and one that does not include placeholder values.

Example 1: Policy Template with Placeholder Values

The following example shows that the SQSPollerPolicy policy template expects a QueueName as a resource. The AWS SAM template retrieves the name of the "MyQueue" Amazon SQS queue, which can be created in the same application or requested as a parameter to the application.

MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - SQSPollerPolicy:
          QueueName: !GetAtt MyQueue.QueueName

Example 2: Policy Template with No Placeholder Values

The following example contains the CloudWatchPutMetricPolicy policy template, which has no placeholder values.

MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - CloudWatchPutMetricPolicy: {}

SQSPollerPolicy: Gives Permissions to Poll an Amazon SQS Queue

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sqs:ChangeMessageVisibility",
      "sqs:ChangeMessageVisibilityBatch",
      "sqs:DeleteMessage",
      "sqs:DeleteMessageBatch",
      "sqs:GetQueueAttributes",
      "sqs:ReceiveMessage"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
        { "queueName": { "Ref": "QueueName" } }
      ]
    }
  }
]
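The placeholder substitution described under Policy Templates, and the QueueName binding in Example 1, can be made concrete by expanding a template the way AWS SAM does before the policy is attached to the function's role. The following is an added example, not AWS SAM's own code: it implements only the intrinsic functions that the templates on this page use (Fn::Sub in both its string and list forms, and Ref to a template parameter or pseudo parameter). The partition, Region and account ID are constructed sample values; in a real deployment CloudFormation supplies them.

```python
"""Expand an AWS SAM policy template into a concrete IAM statement.

Added example, not AWS SAM's implementation. Supports exactly the intrinsic
functions the policy templates on this page use: Fn::Sub (string form and
["string", {vars}] form) and Ref (template parameter or pseudo parameter).
"""
import copy
import json
import re

# Constructed sample values for the CloudFormation pseudo parameters.
# In a real deployment CloudFormation fills these in for the account/Region.
PSEUDO_PARAMETERS = {
    "AWS::Partition": "aws",
    "AWS::Region": "us-east-1",
    "AWS::AccountId": "123456789012",
}

# The SQSPollerPolicy template, copied from the page.
SQS_POLLER_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch",
            "sqs:DeleteMessage", "sqs:DeleteMessageBatch",
            "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
        ],
        "Resource": {"Fn::Sub": [
            "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
            {"queueName": {"Ref": "QueueName"}},
        ]},
    }]
}

# CloudWatchPutMetricPolicy (Example 2): no placeholders, so nothing to expand.
CLOUDWATCH_PUT_METRIC_POLICY = {
    "Statement": [{"Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": "*"}]
}

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def _substitute(text: str, variables: dict) -> str:
    """Replace every ${Name} in text with variables[Name]; unknown names are an error."""
    def lookup(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no value for placeholder ${{{name}}}")
        return variables[name]
    return _PLACEHOLDER.sub(lookup, text)


def resolve(node, parameters: dict):
    """Recursively evaluate Ref and Fn::Sub inside a policy fragment.

    parameters maps the template's parameter names (e.g. QueueName) to the
    values the function declares under Policies:.
    """
    if isinstance(node, list):
        return [resolve(item, parameters) for item in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        name = node["Ref"]
        if name in PSEUDO_PARAMETERS:
            return PSEUDO_PARAMETERS[name]
        return parameters[name]          # KeyError if the caller omitted it
    if "Fn::Sub" in node:
        arg = node["Fn::Sub"]
        variables = dict(PSEUDO_PARAMETERS)
        if isinstance(arg, list):        # ["text", {name: value}] form
            text, local_vars = arg
            variables.update({k: resolve(v, parameters) for k, v in local_vars.items()})
        else:                            # plain string form: pseudo parameters only
            text = arg
        return _substitute(text, variables)
    return {key: resolve(value, parameters) for key, value in node.items()}


def expand_policy_template(template: dict, parameters: dict) -> dict:
    """Return the template with every placeholder replaced by a concrete value."""
    return resolve(copy.deepcopy(template), parameters)


if __name__ == "__main__":
    # Example 1 from the page, with the queue name bound to "MyQueue".
    print(json.dumps(expand_policy_template(SQS_POLLER_POLICY, {"QueueName": "MyQueue"}), indent=2))
    # Example 2: a template without placeholders passes through unchanged.
    print(json.dumps(expand_policy_template(CLOUDWATCH_PUT_METRIC_POLICY, {}), indent=2))
```

Running the block prints the expanded SQSPollerPolicy with its Resource collapsed to a single queue ARN, which is the value worth reviewing before publishing: if the expanded ARN does not name exactly the queue the function is meant to poll, the binding under Policies: is wrong. Omitting a required parameter raises KeyError rather than silently leaving the placeholder in place.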

LambdaInvokePolicy: Gives Permission to Invoke a Lambda Function, Alias, or Version

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "lambda:InvokeFunction"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*",
        { "functionName": { "Ref": "FunctionName" } }
      ]
    }
  }
]

CloudWatchPutMetricPolicy: Gives Permissions to Put Metrics to CloudWatch

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudwatch:PutMetricData"
    ],
    "Resource": "*"
  }
]

EC2DescribePolicy: Gives Permission to Describe Amazon EC2 Instances

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeRegions",
      "ec2:DescribeInstances"
    ],
    "Resource": "*"
  }
]

DynamoDBCrudPolicy: Gives Create/Read/Update/Delete Permissions to a DynamoDB Table

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:DeleteItem",
      "dynamodb:PutItem",
      "dynamodb:Scan",
      "dynamodb:Query",
      "dynamodb:UpdateItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:BatchGetItem"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  }
]

DynamoDBReadPolicy: Gives Read-Only Access to a DynamoDB Table

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:Scan",
      "dynamodb:Query",
      "dynamodb:BatchGetItem"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  }
]

SESSendBouncePolicy: Gives SendBounce Permission to an Amazon SES Identity

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ses:SendBounce"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
        { "identityName": { "Ref": "IdentityName" } }
      ]
    }
  }
]

ElasticsearchHttpPostPolicy: Gives POST Permissions to Amazon Elasticsearch Service

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "es:ESHttpPost"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}",
        { "domainName": { "Ref": "DomainName" } }
      ]
    }
  }
]

S3ReadPolicy: Gives Read Permissions to Objects in the Amazon S3 Bucket

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
      "s3:GetLifecycleConfiguration"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}/*",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      }
    ]
  }
]

S3CrudPolicy: Gives Create/Read/Update Permissions to Objects in the Amazon S3 Bucket

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
      "s3:PutObject",
      "s3:GetLifecycleConfiguration",
      "s3:PutLifecycleConfiguration",
      "s3:DeleteObject"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}/*",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      }
    ]
  }
]

AMIDescribePolicy: Gives Permissions to Describe Amazon Machine Images (AMIs)

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeImages"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/*"
    }
  }
]

CloudFormationDescribeStacksPolicy: Gives Permission to Describe AWS CloudFormation Stacks

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudformation:DescribeStacks"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
    }
  }
]

RekognitionDetectOnlyPolicy: Gives Permission to Detect Faces, Labels, and Text

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:DetectFaces",
      "rekognition:DetectLabels",
      "rekognition:DetectModerationLabels",
      "rekognition:DetectText"
    ],
    "Resource": "*"
  }
]

RekognitionNoDataAccessPolicy: Gives Permission to Compare and Detect Faces and Labels

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:CompareFaces",
      "rekognition:DetectFaces",
      "rekognition:DetectLabels",
      "rekognition:DetectModerationLabels"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        { "collectionId": { "Ref": "CollectionId" } }
      ]
    }
  }
]

RekognitionReadPolicy: Gives Permission to List and Search Faces

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:ListCollections",
      "rekognition:ListFaces",
      "rekognition:SearchFaces",
      "rekognition:SearchFacesByImage"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        { "collectionId": { "Ref": "CollectionId" } }
      ]
    }
  }
]

RekognitionWriteOnlyAccessPolicy: Gives Permission to Create Collection and Index Faces

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:CreateCollection",
      "rekognition:IndexFaces"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        { "collectionId": { "Ref": "CollectionId" } }
      ]
    }
  }
]

SQSSendMessagePolicy: Gives Permission to Send Message to Amazon SQS Queue

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sqs:SendMessage*"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
        { "queueName": { "Ref": "QueueName" } }
      ]
    }
  }
]

SNSPublishMessagePolicy: Gives Permission to Publish a Message to an Amazon SNS Topic

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sns:Publish"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}",
        { "topicName": { "Ref": "TopicName" } }
      ]
    }
  }
]

VPCAccessPolicy: Gives Access to Create, Delete, Describe, and Detach Elastic Network Interfaces

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CreateNetworkInterface",
      "ec2:DeleteNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DetachNetworkInterface"
    ],
    "Resource": "*"
  }
]

DynamoDBStreamReadPolicy: Gives Permission to Describe and Read a DynamoDB Stream and Records

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:DescribeStream",
      "dynamodb:GetRecords",
      "dynamodb:GetShardIterator",
      "dynamodb:ListStreams"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/${streamName}",
        {
          "tableName": { "Ref": "TableName" },
          "streamName": { "Ref": "StreamName" }
        }
      ]
    }
  }
]

KinesisStreamReadPolicy: Gives Permission to List and Read an Amazon Kinesis Stream

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "kinesis:ListStreams",
      "kinesis:DescribeLimits"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*"
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kinesis:DescribeStream",
      "kinesis:GetRecords",
      "kinesis:GetShardIterator"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
        { "streamName": { "Ref": "StreamName" } }
      ]
    }
  }
]

SESCrudPolicy: Gives Permission to Send Email and Verify Identity

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ses:GetIdentityVerificationAttributes",
      "ses:SendEmail",
      "ses:VerifyEmailIdentity"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
        { "identityName": { "Ref": "IdentityName" } }
      ]
    }
  }
]

SNSCrudPolicy: Gives Permissions to Create, Publish, and Subscribe to Amazon SNS Topics

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sns:ListSubscriptionsByTopic",
      "sns:CreateTopic",
      "sns:SetTopicAttributes",
      "sns:Subscribe",
      "sns:Publish"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*",
        { "topicName": { "Ref": "TopicName" } }
      ]
    }
  }
]

KinesisCrudPolicy: Gives Permission to Create, Publish, and Delete an Amazon Kinesis Stream

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "kinesis:AddTagsToStream",
      "kinesis:CreateStream",
      "kinesis:DecreaseStreamRetentionPeriod",
      "kinesis:DeleteStream",
      "kinesis:DescribeStream",
      "kinesis:GetShardIterator",
      "kinesis:IncreaseStreamRetentionPeriod",
      "kinesis:ListTagsForStream",
      "kinesis:MergeShards",
      "kinesis:PutRecord",
      "kinesis:PutRecords",
      "kinesis:SplitShard",
      "kinesis:RemoveTagsFromStream"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
        { "streamName": { "Ref": "StreamName" } }
      ]
    }
  }
]

KMSDecryptPolicy: Gives Permission to Decrypt with an AWS KMS Key

"Statement": [
  {
    "Action": "kms:Decrypt",
    "Effect": "Allow",
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
        { "keyId": { "Ref": "KeyId" } }
      ]
    }
  }
]

PollyFullAccessPolicy: Gives full access permissions to Amazon Polly lexicon resources

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "polly:GetLexicon",
      "polly:DeleteLexicon"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}",
          { "lexiconName": { "Ref": "LexiconName" } }
        ]
      }
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "polly:DescribeVoices",
      "polly:ListLexicons",
      "polly:PutLexicon",
      "polly:SynthesizeSpeech"
    ],
    "Resource": [
      {
        "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*"
      }
    ]
  }
]

S3FullAccessPolicy: Gives full access permissions to objects in the Amazon S3 bucket

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:GetObjectVersion",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:DeleteObject"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}/*",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      }
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetLifecycleConfiguration",
      "s3:PutLifecycleConfiguration"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      }
    ]
  }
]

CodePipelineLambdaExecutionPolicy: Gives permission for a Lambda function invoked by AWS CodePipeline to report back status of the job

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "codepipeline:PutJobSuccessResult",
      "codepipeline:PutJobFailureResult"
    ],
    "Resource": "*"
  }
]

ServerlessRepoReadWriteAccessPolicy: Gives access permissions to create and list applications in the AWS Serverless Application Repository service

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "serverlessrepo:CreateApplication",
      "serverlessrepo:CreateApplicationVersion",
      "serverlessrepo:GetApplication",
      "serverlessrepo:ListApplications",
      "serverlessrepo:ListApplicationVersions"
    ],
    "Resource": [
      {
        "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*"
      }
    ]
  }
]

EC2CopyImagePolicy: Gives permission to copy Amazon EC2 Images

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CopyImage"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}",
        { "imageId": { "Ref": "ImageId" } }
      ]
    }
  }
]

AWSSecretsManagerRotationPolicy: Grants permissions to APIs required to rotate a secret in AWS Secrets Manager

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecretVersionStage"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"
    },
    "Condition": {
      "StringEquals": {
        "secretsmanager:resource/AllowRotationLambdaArn": {
          "Fn::Sub": [
            "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}",
            { "functionName": { "Ref": "FunctionName" } }
          ]
        }
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetRandomPassword"
    ],
    "Resource": "*"
  }
]
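Two details in the templates above deserve a concrete check. LambdaInvokePolicy and SNSCrudPolicy end their Resource ARN with `${functionName}*` and `${topicName}*`, so the grant covers every function or topic whose name starts with the supplied value, not just the one named; SQSSendMessagePolicy does the same on the action side with `sqs:SendMessage*`. AWSSecretsManagerRotationPolicy, by contrast, grants access to every secret in the account but narrows it with a StringEquals condition on `secretsmanager:resource/AllowRotationLambdaArn`, so only secrets whose rotation function is this Lambda function qualify. The following added example (not AWS's code, and a deliberately minimal subset of IAM's evaluation logic: IAM-style `*`/`?` wildcards and the StringEquals operator only) evaluates both expanded statements against sample requests. The ARNs are constructed values in which SAM has already substituted partition `aws`, Region `us-east-1`, account `123456789012` and FunctionName `MyFunction`.

```python
"""Check what an expanded SAM policy template actually allows.

Added example, not AWS's code. Implements only the subset of IAM evaluation
needed for the statements on this page: '*' and '?' wildcards in Action and
Resource, and the StringEquals condition operator. Anything else fails closed.
"""
import re

# LambdaInvokePolicy after SAM substitutes FunctionName=MyFunction (constructed).
LAMBDA_INVOKE = {
    "Effect": "Allow",
    "Action": ["lambda:InvokeFunction"],
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction*",
}

# First statement of AWSSecretsManagerRotationPolicy after the same substitution.
ROTATION = {
    "Effect": "Allow",
    "Action": [
        "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage",
    ],
    "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:*",
    "Condition": {"StringEquals": {
        "secretsmanager:resource/AllowRotationLambdaArn":
            "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
    }},
}


def wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict) -> bool:
    """Only StringEquals is implemented; an unknown operator or absent key fails closed."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def statement_allows(statement: dict, action: str, resource: str, context: dict = None) -> bool:
    """True if this single Allow statement covers action on resource under context.

    context holds the condition-key values the service would supply for the
    request; for the rotation policy that is the rotation function ARN
    recorded on the secret.
    """
    if statement.get("Effect") != "Allow":
        return False
    if not any(wildcard_match(p, action, ignore_case=True) for p in _as_list(statement["Action"])):
        return False
    if not any(wildcard_match(p, resource) for p in _as_list(statement["Resource"])):
        return False
    return _condition_holds(statement.get("Condition", {}), context or {})


def functions_invocable(statement: dict, function_arns: list) -> list:
    """Return the subset of function_arns that the statement lets lambda:InvokeFunction reach."""
    return [arn for arn in function_arns if statement_allows(statement, "lambda:InvokeFunction", arn)]


if __name__ == "__main__":
    base = "arn:aws:lambda:us-east-1:123456789012:function:"
    # Constructed candidate functions: only the first is the intended target.
    candidates = [base + "MyFunction", base + "MyFunction-legacy", base + "OtherFunction"]
    print("invocable:", functions_invocable(LAMBDA_INVOKE, candidates))
    secret = "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-password-AbCdEf"
    key = "secretsmanager:resource/AllowRotationLambdaArn"
    print("own secret:", statement_allows(ROTATION, "secretsmanager:GetSecretValue", secret, {key: base + "MyFunction"}))
    print("other rotator's secret:", statement_allows(ROTATION, "secretsmanager:GetSecretValue", secret, {key: base + "OtherRotator"}))
```

The first print shows `MyFunction-legacy` alongside `MyFunction`: the trailing wildcard makes the grant a prefix match, so choose FunctionName (and TopicName for SNSCrudPolicy) values that are not prefixes of other resources in the account. The second and third prints show the rotation policy allowing the read only when the secret's recorded rotation function equals this function's ARN, and denying it otherwise, which is what keeps the `secret:*` resource from being a blanket grant.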

AWSSecretsManagerGetSecretValuePolicy: Grants permissions to GetSecretValue for the specified AWS Secrets Manager secret

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": {
      "Fn::Sub": [
        "${secretArn}",
        { "secretArn": { "Ref": "SecretArn" } }
      ]
    }
  }
]

CodePipelineReadOnlyPolicy: Gives read permissions to get details about a CodePipeline pipeline

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudwatch:GetDashboard",
      "cloudwatch:ListDashboards",
      "cloudwatch:PutDashboard",
      "cloudwatch:ListMetrics"
    ],
    "Resource": "*"
  }
]

RekognitionFacesPolicy: Gives permission to compare and detect faces and labels

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:CompareFaces",
      "rekognition:DetectFaces"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        { "collectionId": { "Ref": "CollectionId" } }
      ]
    }
  }
]

RekognitionLabelsPolicy: Gives permission to compare and detect faces and labels

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:DetectLabels",
      "rekognition:DetectModerationLabels"
    ],
    "Resource": "*"
  }
]

DynamoDBBackupFullAccessPolicy: Gives read/write permissions to DynamoDB on-demand backups for a table

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:CreateBackup",
      "dynamodb:DescribeContinuousBackups"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:DeleteBackup",
      "dynamodb:DescribeBackup",
      "dynamodb:ListBackups"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  }
]

DynamoDBRestoreFromBackupPolicy: Gives permissions to restore a table from backup

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:RestoreTableFromBackup"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:PutItem",
      "dynamodb:UpdateItem",
      "dynamodb:DeleteItem",
      "dynamodb:GetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:BatchWriteItem"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  }
]

ComprehendBasicAccessPolicy: Gives access to Amazon Comprehend APIs for detecting entities, key phrases, languages, and sentiments

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "comprehend:BatchDetectKeyPhrases",
      "comprehend:DetectDominantLanguage",
      "comprehend:DetectEntities",
      "comprehend:BatchDetectEntities",
      "comprehend:DetectKeyPhrases",
      "comprehend:DetectSentiment",
      "comprehend:BatchDetectDominantLanguage",
      "comprehend:BatchDetectSentiment"
    ],
    "Resource": "*"
  }
]

MobileAnalyticsWriteOnlyAccessPolicy: Gives write only permissions to put event data for all application resources

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "mobileanalytics:PutEvents"
    ],
    "Resource": "*"
  }
]

PinpointEndpointAccessPolicy: Gives permissions to get and update endpoints for an Amazon Pinpoint application

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "mobiletargeting:GetEndpoint",
      "mobiletargeting:UpdateEndpoint",
      "mobiletargeting:UpdateEndpointsBatch"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*",
        { "pinpointApplicationId": { "Ref": "PinpointApplicationId" } }
      ]
    }
  }
]

FirehoseWritePolicy: Gives permission to write to a Kinesis Data Firehose Delivery Stream

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "firehose:PutRecord",
      "firehose:PutRecordBatch"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
        { "deliveryStreamName": { "Ref": "DeliveryStreamName" } }
      ]
    }
  }
]

FirehoseCrudPolicy: Gives permission to create, write to, update, and delete a Kinesis Data Firehose Delivery Stream

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "firehose:CreateDeliveryStream",
      "firehose:DeleteDeliveryStream",
      "firehose:DescribeDeliveryStream",
      "firehose:PutRecord",
      "firehose:PutRecordBatch",
      "firehose:UpdateDestination"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
        { "deliveryStreamName": { "Ref": "DeliveryStreamName" } }
      ]
    }
  }
]