AWS Serverless Application Repository
Developer Guide

Using the AWS Serverless Application Model (AWS SAM)

The AWS Serverless Application Model (AWS SAM) is a model that defines serverless applications. AWS SAM is natively supported by AWS CloudFormation and defines a simplified syntax for expressing serverless resources. The specification currently covers API operations, AWS Lambda functions, and Amazon DynamoDB tables. The specification is available under Apache 2.0 for AWS partners and customers to adopt and extend within their own tool sets. For details on the specification, see the AWS Serverless Application Model Developer Guide.

AWS SAM supports special resource types that simplify how to express functions, API operations, mappings, and DynamoDB tables for serverless applications. AWS SAM also supports certain other features for these services, such as environment variables. The AWS CloudFormation description of these resources conforms to the AWS Serverless Application Model Specification. To deploy your application, specify the resources that you need as part of your application. You specify these along with their associated permissions policies in an AWS CloudFormation template file (written in either JSON or YAML). You then package your deployment artifacts, and deploy the template.

The sections below list the AWS Resources and Policy Templates currently supported by AWS Serverless Application Repository.

Supported AWS Resources in the AWS Serverless Application Repository

Serverless applications that you publish to the AWS Serverless Application Repository can include additional AWS CloudFormation resources. Below is a complete list of supported AWS Resources.

If you would like to request an additional AWS Resource to be supported, please contact AWS Support.

Important

If your application template contains one of the following custom IAM roles or resource policies, your application will not show up by default in search results. Also, customers will need to acknowledge the application's custom IAM roles or resource policies before they can deploy the application. For more information see Acknowledging Application Capabilities.

The resources that this applies to are:

Supported AWS Resources:

  • AWS::ApiGateway::Account

  • AWS::ApiGateway::ApiKey

  • AWS::ApiGateway::Authorizer

  • AWS::ApiGateway::BasePathMapping

  • AWS::ApiGateway::ClientCertificate

  • AWS::ApiGateway::Deployment

  • AWS::ApiGateway::DocumentationPart

  • AWS::ApiGateway::DocumentationVersion

  • AWS::ApiGateway::DomainName

  • AWS::ApiGateway::GatewayResponse

  • AWS::ApiGateway::Method

  • AWS::ApiGateway::Model

  • AWS::ApiGateway::RequestValidator

  • AWS::ApiGateway::Resource

  • AWS::ApiGateway::RestApi

  • AWS::ApiGateway::Stage

  • AWS::ApiGateway::UsagePlan

  • AWS::ApiGateway::UsagePlanKey

  • AWS::ApiGateway::VpcLink

  • AWS::AppSync::ApiKey

  • AWS::AppSync::DataSource

  • AWS::AppSync::GraphQLApi

  • AWS::AppSync::GraphQLSchema

  • AWS::AppSync::Resolver

  • AWS::ApplicationAutoScaling::ScalableTarget

  • AWS::ApplicationAutoScaling::ScalingPolicy

  • AWS::Athena::NamedQuery

  • AWS::CertificateManager::Certificate

  • AWS::CloudFormation::CustomResource

  • AWS::CloudFormation::WaitConditionHandle

  • AWS::CloudFront::CloudFrontOriginAccessIdentity

  • AWS::CloudFront::Distribution

  • AWS::CloudFront::StreamingDistribution

  • AWS::CloudWatch::Alarm

  • AWS::CloudWatch::Dashboard

  • AWS::CodeBuild::Project

  • AWS::CodePipeline::CustomActionType

  • AWS::CodePipeline::Pipeline

  • AWS::CodePipeline::Webhook

  • AWS::Cognito::IdentityPool

  • AWS::Cognito::IdentityPoolRoleAttachment

  • AWS::Cognito::UserPool

  • AWS::Cognito::UserPoolClient

  • AWS::Cognito::UserPoolGroup

  • AWS::Cognito::UserPoolUser

  • AWS::Cognito::UserPoolUserToGroupAttachment

  • AWS::Config::AggregationAuthorization

  • AWS::Config::ConfigRule

  • AWS::Config::ConfigurationAggregator

  • AWS::Config::ConfigurationRecorder

  • AWS::Config::DeliveryChannel

  • AWS::DataPipeline::Pipeline

  • AWS::DynamoDB::Table

  • AWS::ECR::Repository

  • AWS::Elasticsearch::Domain

  • AWS::Events::Rule

  • AWS::Glue::Classifier

  • AWS::Glue::Connection

  • AWS::Glue::Crawler

  • AWS::Glue::Database

  • AWS::Glue::DevEndpoint

  • AWS::Glue::Job

  • AWS::Glue::Partition

  • AWS::Glue::Table

  • AWS::Glue::Trigger

  • AWS::IAM::Group

  • AWS::IAM::InstanceProfile

  • AWS::IAM::ManagedPolicy

  • AWS::IAM::Policy

  • AWS::IAM::Role

  • AWS::IoT::Certificate

  • AWS::IoT::Policy

  • AWS::IoT::PolicyPrincipalAttachment

  • AWS::IoT::Thing

  • AWS::IoT::ThingPrincipalAttachment

  • AWS::IoT::TopicRule

  • AWS::KMS::Alias

  • AWS::KMS::Key

  • AWS::Kinesis::Stream

  • AWS::Kinesis::Streams

  • AWS::KinesisAnalytics::Application

  • AWS::KinesisAnalytics::ApplicationOutput

  • AWS::KinesisFirehose::DeliveryStream

  • AWS::Lambda::Alias

  • AWS::Lambda::EventSourceMapping

  • AWS::Lambda::Function

  • AWS::Lambda::Permission

  • AWS::Lambda::Version

  • AWS::Logs::Destination

  • AWS::Logs::LogGroup

  • AWS::Logs::LogStream

  • AWS::Logs::MetricFilter

  • AWS::Logs::SubscriptionFilter

  • AWS::Route53::HealthCheck

  • AWS::Route53::HostedZone

  • AWS::Route53::RecordSet

  • AWS::Route53::RecordSetGroup

  • AWS::S3::Bucket

  • AWS::S3::BucketPolicy

  • AWS::SNS::Subscription

  • AWS::SNS::Topic

  • AWS::SNS::TopicPolicy

  • AWS::SQS::Queue

  • AWS::SQS::QueuePolicy

  • AWS::SSM::Association

  • AWS::SSM::Document

  • AWS::SSM::MaintenanceWindowTask

  • AWS::SSM::Parameter

  • AWS::SSM::PatchBaseline

  • AWS::SSM::ResourceDataSync

  • AWS::Serverless::Api

  • AWS::Serverless::Function

  • AWS::Serverless::SimpleTable

  • AWS::StepFunctions::Activity

  • AWS::StepFunctions::StateMachine

Policy Templates

When you add a serverless application to the AWS Serverless Application Repository, AWS SAM allows you to choose from a list of policy templates. When you choose one of these templates, your AWS Lambda functions are scoped to the resources that are used by your application.

Below is the list of available policy templates, along with the permissions that are applied to each one. AWS SAM automatically populates the placeholder items (such as AWS Region and account ID) with the appropriate information.

Important

For applications published to the AWS Serverless Application Repository, you're only allowed to use the supported policy templates to extend the permissions for AWS::Serverless::Function resources. Custom policies and AWS managed policies aren't allowed, and are rejected when the application is published to the AWS Serverless Application Repository.

If you want to request a new policy template to be added, do the following:

  1. Submit a pull request against the policy_templates.json source file in the develop branch of the AWS SAM GitHub project. You can find the source file here: policy_templates.json.

  2. Submit an issue in the AWS SAM GitHub project that includes the reasons for your pull request and a link to the request. Use this link to submit a new issue: AWS Serverless Application Model: Issues.

Examples

There are two AWS SAM template examples in this section, one with a policy template that includes placeholder values, and one that does not include placeholder values.

Example 1: Policy template with placeholder values

The following example shows that the SQSPollerPolicy policy template expects a QueueName as a resource. The AWS SAM template retrieves the name of the "MyQueue" Amazon SQS queue, which can be created in the same application or requested as a parameter to the application.

MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - SQSPollerPolicy:
          QueueName: !GetAtt MyQueue.QueueName

Example 2: Policy template with no placeholder values

The following example contains the CloudWatchPutMetricPolicy policy template, which has no placeholder values.

MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - CloudWatchPutMetricPolicy: {}
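Because custom and managed policies are rejected at publish time, it is worth checking a template before submitting it. The following is an added Python example (not code from this page or from the AWS SAM project) that walks the Policies of every AWS::Serverless::Function in a template, already parsed to a dict, and reports each entry that is not one of the policy templates listed on this page; the sample template is constructed from Example 1 with two deliberately rejected entries.

```python
from typing import Any, Dict, List

# Policy template names listed on this page. Anything else in Policies is
# rejected when the application is published to the repository.
SUPPORTED_POLICY_TEMPLATES = {
    "SQSPollerPolicy", "LambdaInvokePolicy", "CloudWatchPutMetricPolicy",
    "EC2DescribePolicy", "DynamoDBCrudPolicy", "DynamoDBReadPolicy",
    "SESSendBouncePolicy", "ElasticsearchHttpPostPolicy", "S3ReadPolicy",
    "S3CrudPolicy", "AMIDescribePolicy", "CloudFormationDescribeStacksPolicy",
    "RekognitionDetectOnlyPolicy", "RekognitionNoDataAccessPolicy",
    "RekognitionReadPolicy", "RekognitionWriteOnlyAccessPolicy",
    "SQSSendMessagePolicy", "SNSPublishMessagePolicy", "VPCAccessPolicy",
    "DynamoDBStreamReadPolicy", "KinesisStreamReadPolicy", "SESCrudPolicy",
    "SNSCrudPolicy", "KinesisCrudPolicy", "KMSDecryptPolicy",
    "PollyFullAccessPolicy", "S3FullAccessPolicy",
    "CodePipelineLambdaExecutionPolicy", "ServerlessRepoReadWriteAccessPolicy",
    "EC2CopyImagePolicy", "AWSSecretsManagerRotationPolicy",
    "AWSSecretsManagerGetSecretValuePolicy", "CodePipelineReadOnlyPolicy",
    "RekognitionFacesPolicy", "RekognitionLabelsPolicy",
    "DynamoDBBackupFullAccessPolicy", "DynamoDBRestoreFromBackupPolicy",
    "ComprehendBasicAccessPolicy", "MobileAnalyticsWriteOnlyAccessPolicy",
    "PinpointEndpointAccessPolicy", "FirehoseWritePolicy", "FirehoseCrudPolicy",
}


def _check_policy_entry(logical_id: str, entry: Any) -> List[str]:
    """Classify one element of a function's Policies list."""
    if isinstance(entry, str):
        # A bare string is a managed policy name or ARN.
        return [f"{logical_id}: managed policy '{entry}' is not allowed"]
    if isinstance(entry, dict):
        if "Statement" in entry:
            # An inline IAM policy document.
            return [f"{logical_id}: custom inline policy document is not allowed"]
        if len(entry) == 1:
            name = next(iter(entry))
            if name in SUPPORTED_POLICY_TEMPLATES:
                return []
            return [f"{logical_id}: '{name}' is not a supported policy template"]
    return [f"{logical_id}: unrecognized Policies entry {entry!r}"]


def find_rejected_policies(template: Dict[str, Any]) -> List[str]:
    """Return one finding per Policies entry that the repository would reject."""
    findings: List[str] = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        policies = res.get("Properties", {}).get("Policies", [])
        if not isinstance(policies, list):
            policies = [policies]  # SAM also accepts a single entry
        for entry in policies:
            findings.extend(_check_policy_entry(logical_id, entry))
    return findings


# Constructed sample: Example 1 from this page, parsed to a dict, plus two
# entries that would be rejected (a managed policy and an inline document).
SAMPLE_TEMPLATE = {
    "Resources": {
        "MyFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "CodeUri": "s3://example-bucket/code.zip",  # placeholder value
                "Handler": "hello.handler",
                "Runtime": "python2.7",
                "Policies": [
                    {"SQSPollerPolicy": {"QueueName": {"Fn::GetAtt": ["MyQueue", "QueueName"]}}},
                    "AmazonS3ReadOnlyAccess",
                    {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
                ],
            },
        }
    }
}

if __name__ == "__main__":
    for finding in find_rejected_policies(SAMPLE_TEMPLATE):
        print(finding)
```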

SQSPollerPolicy: Gives Permissions to Poll an Amazon SQS Queue

"Statement": [ { "Effect": "Allow", "Action": [ "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch", "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:GetQueueAttributes", "sqs:ReceiveMessage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]
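To see exactly which ARN a policy template will grant once AWS SAM fills in the placeholders, the following added Python example (not code from this page or from the AWS SAM project) resolves Ref and Fn::Sub over the SQSPollerPolicy statement above, using constructed partition, Region and account values. It handles both Fn::Sub forms used in this list: the [template, variable map] form shown here and the plain-string form (as in AMIDescribePolicy) that only uses pseudo-parameters.

```python
import re
from typing import Any, Dict, List

# Pseudo-parameters that AWS SAM fills in at deployment time. These values are
# constructed for the example; a real deployment uses the deploying account's.
PSEUDO_PARAMS = {
    "AWS::Partition": "aws",
    "AWS::Region": "us-east-1",
    "AWS::AccountId": "123456789012",
}

# SQSPollerPolicy statement, transcribed from the policy template above.
SQS_POLLER_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch",
            "sqs:DeleteMessage", "sqs:DeleteMessageBatch",
            "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
        ],
        "Resource": {"Fn::Sub": [
            "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
            {"queueName": {"Ref": "QueueName"}},
        ]},
    }]
}

_VAR = re.compile(r"\$\{([^}]+)\}")  # ${name} occurrences inside a Fn::Sub string


def resolve(node: Any, params: Dict[str, str]) -> Any:
    """Recursively evaluate Ref and Fn::Sub; `params` holds the placeholder
    values the template user supplied (for example QueueName). Only the
    intrinsic functions used by the policy templates are supported."""
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        name = node["Ref"]
        if name in PSEUDO_PARAMS:
            return PSEUDO_PARAMS[name]
        if name not in params:
            raise KeyError(f"placeholder {name!r} was not supplied")
        return params[name]
    if "Fn::Sub" in node:
        sub = node["Fn::Sub"]
        template, local_vars = (sub, {}) if isinstance(sub, str) else sub
        local_vars = {k: resolve(v, params) for k, v in local_vars.items()}

        def lookup(match: "re.Match[str]") -> str:
            key = match.group(1)
            if key in local_vars:
                return local_vars[key]
            if key in PSEUDO_PARAMS:
                return PSEUDO_PARAMS[key]
            raise KeyError(f"unresolved variable ${{{key}}}")

        return _VAR.sub(lookup, template)
    return {k: resolve(v, params) for k, v in node.items()}


def resource_arns(policy: Dict[str, Any], params: Dict[str, str]) -> List[str]:
    """Concrete Resource ARNs the policy grants, for a least-privilege review."""
    arns: List[str] = []
    for stmt in resolve(policy, params)["Statement"]:
        res = stmt["Resource"]
        arns.extend(res if isinstance(res, list) else [res])
    return arns


if __name__ == "__main__":
    print(resource_arns(SQS_POLLER_POLICY, {"QueueName": "MyQueue"}))
```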

LambdaInvokePolicy: Gives Permission to Invoke a Lambda Function, Alias, or Version

"Statement": [ { "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", { "functionName": { "Ref": "FunctionName" } } ] } } ]

CloudWatchPutMetricPolicy: Gives Permissions to Put Metrics to CloudWatch

"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*" } ]

EC2DescribePolicy: Gives Permission to Describe Amazon EC2 Instances

"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "ec2:DescribeInstances" ], "Resource": "*" } ]

DynamoDBCrudPolicy: Gives Create/Read/Update/Delete Permissions to a DynamoDB Table

"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem", "dynamodb:BatchGetItem" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]

DynamoDBReadPolicy: Gives Read-Only Access to a DynamoDB Table

"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchGetItem" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]

SESSendBouncePolicy: Gives SendBounce Permission to an Amazon SES Identity

"Statement": [ { "Effect": "Allow", "Action": [ "ses:SendBounce" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]

ElasticsearchHttpPostPolicy: Gives POST Permissions to Amazon Elasticsearch Service

"Statement": [ { "Effect": "Allow", "Action": [ "es:ESHttpPost" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}", { "domainName": { "Ref": "DomainName" } } ] } } ]

S3ReadPolicy: Gives Read Permissions to Objects in the Amazon S3 Bucket

"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:GetLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]

S3CrudPolicy: Gives Create/Read/Update Permissions to Objects in the Amazon S3 Bucket

"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:PutObject", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration", "s3:DeleteObject" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]

AMIDescribePolicy: Gives Permissions to Describe Amazon Machine Images (AMIs)

"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeImages" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/*" } } ]

CloudFormationDescribeStacksPolicy: Gives Permission to Describe AWS CloudFormation Stacks

"Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" } } ]

RekognitionDetectOnlyPolicy: Gives permission to detect faces, labels and text

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels", "rekognition:DetectText" ], "Resource": "*" } ]

RekognitionNoDataAccessPolicy: Gives Permission to Compare and Detect Faces and Labels

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]

RekognitionReadPolicy: Gives Permission to List and Search Faces

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:ListCollections", "rekognition:ListFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]

RekognitionWriteOnlyAccessPolicy: Gives Permission to Create Collection and Index Faces

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CreateCollection", "rekognition:IndexFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]

SQSSendMessagePolicy: Gives Permission to Send Message to Amazon SQS Queue

"Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage*" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]

SNSPublishMessagePolicy: Gives Permission to Publish a Message to an Amazon SNS Topic

"Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", { "topicName": { "Ref": "TopicName" } } ] } } ]

VPCAccessPolicy: Gives Access to Create, Delete, Describe, and Detach Elastic Network Interfaces

"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" ], "Resource": "*" } ]

DynamoDBStreamReadPolicy: Gives Permission to Describe and Read a DynamoDB Stream and Records

"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:ListStreams" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/${streamName}", { "tableName": { "Ref": "TableName" }, "streamName": { "Ref": "StreamName" } } ] } } ]

KinesisStreamReadPolicy: Gives Permission to List and Read an Amazon Kinesis Stream

"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:ListStreams", "kinesis:DescribeLimits" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*" } }, { "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:GetRecords", "kinesis:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]

SESCrudPolicy: Gives Permission to Send Email and Verify Identity

"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]

SNSCrudPolicy: Gives Permissions to Create, Publish, and Subscribe to Amazon SNS Topics

"Statement": [ { "Effect": "Allow", "Action": [ "sns:ListSubscriptionsByTopic", "sns:CreateTopic", "sns:SetTopicAttributes", "sns:Subscribe", "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", { "topicName": { "Ref": "TopicName" } } ] } } ]

KinesisCrudPolicy: Gives Permission to Create, Publish, and Delete an Amazon Kinesis Stream

"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:AddTagsToStream", "kinesis:CreateStream", "kinesis:DecreaseStreamRetentionPeriod", "kinesis:DeleteStream", "kinesis:DescribeStream", "kinesis:GetShardIterator", "kinesis:IncreaseStreamRetentionPeriod", "kinesis:ListTagsForStream", "kinesis:MergeShards", "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:SplitShard", "kinesis:RemoveTagsFromStream" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]

KMSDecryptPolicy: Gives Permission to Decrypt with an AWS KMS Key

"Statement": [ { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]

PollyFullAccessPolicy: Gives full access permissions to Amazon Polly lexicon resources

"Statement": [ { "Effect": "Allow", "Action": [ "polly:GetLexicon", "polly:DeleteLexicon" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", { "lexiconName": { "Ref": "LexiconName" } } ] } ] }, { "Effect": "Allow", "Action": [ "polly:DescribeVoices", "polly:ListLexicons", "polly:PutLexicon", "polly:SynthesizeSpeech" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*" } ] } ]

S3FullAccessPolicy: Gives full access permissions to objects in the Amazon S3 Bucket

"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]

CodePipelineLambdaExecutionPolicy: Gives permission for a Lambda function invoked by AWS CodePipeline to report back status of the job

"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:PutJobSuccessResult", "codepipeline:PutJobFailureResult" ], "Resource": "*" } ]

ServerlessRepoReadWriteAccessPolicy: Gives access permissions to create and list applications in the AWS Serverless Application Repository service

"Statement": [ { "Effect": "Allow", "Action": [ "serverlessrepo:CreateApplication", "serverlessrepo:CreateApplicationVersion", "serverlessrepo:GetApplication", "serverlessrepo:ListApplications", "serverlessrepo:ListApplicationVersions" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*" } ] } ]

EC2CopyImagePolicy: Gives permission to copy Amazon EC2 Images

"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CopyImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", { "imageId": { "Ref": "ImageId" } } ] } } ]

AWSSecretsManagerRotationPolicy: Grants permissions to APIs required to rotate a secret in AWS Secrets Manager

"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" }, "Condition": { "StringEquals": { "secretsmanager:resource/AllowRotationLambdaArn": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", { "functionName": { "Ref": "FunctionName" } } ] } } } }, { "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" ], "Resource": "*" } ]

AWSSecretsManagerGetSecretValuePolicy: Grants permissions to GetSecretValue for the specified AWS Secrets Manager secret

"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": { "Fn::Sub": [ "${secretArn}", { "secretArn": { "Ref": "SecretArn" } } ] } } ]

CodePipelineReadOnlyPolicy: Gives read permissions to get details about a CodePipeline pipeline

"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:GetDashboard", "cloudwatch:ListDashboards", "cloudwatch:PutDashboard", "cloudwatch:ListMetrics" ], "Resource": "*" } ]

RekognitionFacesPolicy: Gives permission to compare and detect faces and labels

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]

RekognitionLabelsPolicy: Gives permission to detect labels and moderation labels

"Statement": [{ "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": "*" } ]

DynamoDBBackupFullAccessPolicy: Gives read/write permissions to DynamoDB on-demand backups for a table

"Statement": [{ "Effect": "Allow", "Action": [ "dynamodb:CreateBackup", "dynamodb:DescribeContinuousBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteBackup", "dynamodb:DescribeBackup", "dynamodb:ListBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } } ]

DynamoDBRestoreFromBackupPolicy: Gives permissions to restore a table from backup

"Statement": [{ "Effect": "Allow", "Action": [ "dynamodb:RestoreTableFromBackup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]

ComprehendBasicAccessPolicy: Gives access to Amazon Comprehend APIs for detecting entities, key phrases, languages and sentiments

"Statement": [{ "Effect": "Allow", "Action": [ "comprehend:BatchDetectKeyPhrases", "comprehend:DetectDominantLanguage", "comprehend:DetectEntities", "comprehend:BatchDetectEntities", "comprehend:DetectKeyPhrases", "comprehend:DetectSentiment", "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectSentiment" ], "Resource": "*" } ]

MobileAnalyticsWriteOnlyAccessPolicy: Gives write only permissions to put event data for all application resources

"Statement": [ { "Effect": "Allow", "Action": [ "mobileanalytics:PutEvents" ], "Resource": "*" } ]

PinpointEndpointAccessPolicy: Gives permissions to get and update endpoints for a Pinpoint application

"Statement": [ { "Effect": "Allow", "Action": [ "mobiletargeting:GetEndpoint", "mobiletargeting:UpdateEndpoint", "mobiletargeting:UpdateEndpointsBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", { "pinpointApplicationId": { "Ref": "PinpointApplicationId" } } ] } } ]

FirehoseWritePolicy: Gives permission to write to a Kinesis Firehose Delivery Stream

"Statement": [ { "Effect": "Allow", "Action": [ "firehose:PutRecord", "firehose:PutRecordBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]

FirehoseCrudPolicy: Gives permission to create, write to, update, and delete a Kinesis Firehose Delivery Stream

"Statement": [ { "Effect": "Allow", "Action": [ "firehose:CreateDeliveryStream", "firehose:DeleteDeliveryStream", "firehose:DescribeDeliveryStream", "firehose:PutRecord", "firehose:PutRecordBatch", "firehose:UpdateDestination" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]
