Actions, resources, and condition keys for Amazon CloudFront - Service Authorization Reference

Actions, resources, and condition keys for Amazon CloudFront

Amazon CloudFront (service prefix: cloudfront) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon CloudFront

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AllowVendedLogDeliveryForResource [permission only] Grants permission to configure vended log delivery for a distribution Permissions management

distribution

AssociateAlias Grants permission to associate an alias to a CloudFront distribution Write

distribution*

CopyDistribution Grants permission to copy an existing distribution and create a new web distribution Write

distribution*

cloudfront:CopyDistribution

cloudfront:CreateDistribution

cloudfront:GetDistribution

CreateAnycastIpList Grants permission to create an Anycast static IP list Write

anycast-ip-list*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCachePolicy Grants permission to add a new cache policy to CloudFront Write

cache-policy*

CreateCloudFrontOriginAccessIdentity Grants permission to create a new CloudFront origin access identity Write

origin-access-identity*

CreateContinuousDeploymentPolicy Grants permission to add a new continuous-deployment policy to CloudFront Write

continuous-deployment-policy*

CreateDistribution Grants permission to create a new web distribution Write

distribution*

CreateFieldLevelEncryptionConfig Grants permission to create a new field-level encryption configuration Write
CreateFieldLevelEncryptionProfile Grants permission to create a field-level encryption profile Write
CreateFunction Grants permission to create a CloudFront function Write

function*

CreateInvalidation Grants permission to create a new invalidation batch request Write

distribution*

CreateKeyGroup Grants permission to add a new key group to CloudFront Write
CreateKeyValueStore Grants permission to create a CloudFront KeyValueStore Write

key-value-store*

CreateMonitoringSubscription Grants permission to enable additional CloudWatch metrics for the specified CloudFront distribution. The additional metrics incur an additional cost Write
CreateOriginAccessControl Grants permission to create a new origin access control Write
CreateOriginRequestPolicy Grants permission to add a new origin request policy to CloudFront Write

origin-request-policy*

CreatePublicKey Grants permission to add a new public key to CloudFront Write
CreateRealtimeLogConfig Grants permission to create a real-time log configuration Write

realtime-log-config*

CreateResponseHeadersPolicy Grants permission to add a new response headers policy to CloudFront Write

response-headers-policy*

CreateSavingsPlan [permission only] Grants permission to create a new savings plan Write
CreateStreamingDistribution Grants permission to create a new RTMP distribution Write

streaming-distribution*

CreateStreamingDistributionWithTags Grants permission to create a new RTMP distribution with tags Write

streaming-distribution*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateVpcOrigin Grants permission to create a VPC origin Write

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAnycastIpList Grants permission to delete an Anycast static IP list Write

anycast-ip-list*

DeleteCachePolicy Grants permission to delete a cache policy Write

cache-policy*

DeleteCloudFrontOriginAccessIdentity Grants permission to delete a CloudFront origin access identity Write

origin-access-identity*

DeleteContinuousDeploymentPolicy Grants permission to delete a continuous-deployment policy Write

continuous-deployment-policy*

DeleteDistribution Grants permission to delete a web distribution Write

distribution*

DeleteFieldLevelEncryptionConfig Grants permission to delete a field-level encryption configuration Write

field-level-encryption-config*

DeleteFieldLevelEncryptionProfile Grants permission to delete a field-level encryption profile Write

field-level-encryption-profile*

DeleteFunction Grants permission to delete a CloudFront function Write

function*

DeleteKeyGroup Grants permission to delete a key group Write
DeleteKeyValueStore Grants permission to delete a CloudFront KeyValueStore Write

key-value-store*

DeleteMonitoringSubscription Grants permission to disable additional CloudWatch metrics for the specified CloudFront distribution Write
DeleteOriginAccessControl Grants permission to delete an origin access control Write

origin-access-control*

DeleteOriginRequestPolicy Grants permission to delete an origin request policy Write

origin-request-policy*

DeletePublicKey Grants permission to delete a public key from CloudFront Write
DeleteRealtimeLogConfig Grants permission to delete a real-time log configuration Write

realtime-log-config*

DeleteResponseHeadersPolicy Grants permission to delete a response headers policy Write

response-headers-policy*

DeleteStreamingDistribution Grants permission to delete an RTMP distribution Write

streaming-distribution*

DeleteVpcOrigin Grants permission to delete a VPC origin Write

vpcorigin*

DescribeFunction Grants permission to get a CloudFront function summary Read

function*

DescribeKeyValueStore Grants permission to get a CloudFront KeyValueStore summary Read

key-value-store*

GetAnycastIpList Grants permission to get an Anycast static IP list Read

anycast-ip-list*

GetCachePolicy Grants permission to get the cache policy Read

cache-policy*

GetCachePolicyConfig Grants permission to get the cache policy configuration Read

cache-policy*

GetCloudFrontOriginAccessIdentity Grants permission to get the information about a CloudFront origin access identity Read

origin-access-identity*

GetCloudFrontOriginAccessIdentityConfig Grants permission to get the configuration information about a Cloudfront origin access identity Read

origin-access-identity*

GetContinuousDeploymentPolicy Grants permission to get the continuous-deployment policy Read

continuous-deployment-policy*

GetContinuousDeploymentPolicyConfig Grants permission to get the continuous-deployment policy configuration Read

continuous-deployment-policy*

GetDistribution Grants permission to get the information about a web distribution Read

distribution*

GetDistributionConfig Grants permission to get the configuration information about a distribution Read

distribution*

GetFieldLevelEncryption Grants permission to get the field-level encryption configuration information Read

field-level-encryption-config*

GetFieldLevelEncryptionConfig Grants permission to get the field-level encryption configuration information Read

field-level-encryption-config*

GetFieldLevelEncryptionProfile Grants permission to get the field-level encryption configuration information Read

field-level-encryption-profile*

GetFieldLevelEncryptionProfileConfig Grants permission to get the field-level encryption profile configuration information Read

field-level-encryption-profile*

GetFunction Grants permission to get a CloudFront function's code Read

function*

GetInvalidation Grants permission to get the information about an invalidation Read

distribution*

GetKeyGroup Grants permission to get a key group Read
GetKeyGroupConfig Grants permission to get a key group configuration Read
GetMonitoringSubscription Grants permission to get information about whether additional CloudWatch metrics are enabled for the specified CloudFront distribution Read
GetOriginAccessControl Grants permission to get the origin access control Read

origin-access-control*

GetOriginAccessControlConfig Grants permission to get the origin access control configuration Read

origin-access-control*

GetOriginRequestPolicy Grants permission to get the origin request policy Read

origin-request-policy*

GetOriginRequestPolicyConfig Grants permission to get the origin request policy configuration Read

origin-request-policy*

GetPublicKey Grants permission to get the public key information Read
GetPublicKeyConfig Grants permission to get the public key configuration information Read
GetRealtimeLogConfig Grants permission to get a real-time log configuration Read

realtime-log-config*

GetResponseHeadersPolicy Grants permission to get the response headers policy Read

response-headers-policy*

GetResponseHeadersPolicyConfig Grants permission to get the response headers policy configuration Read

response-headers-policy*

GetSavingsPlan [permission only] Grants permission to get a savings plan Read
GetStreamingDistribution Grants permission to get the information about an RTMP distribution Read

streaming-distribution*

GetStreamingDistributionConfig Grants permission to get the configuration information about a streaming distribution Read

streaming-distribution*

GetVpcOrigin Grants permission to get the information about a VPC origin Read

vpcorigin*

ListAnycastIpLists Grants permission to list your Anycast static IP lists List
ListCachePolicies Grants permission to list all cache policies that have been created in CloudFront for this account List
ListCloudFrontOriginAccessIdentities Grants permission to list your CloudFront origin access identities List
ListConflictingAliases Grants permission to list all aliases that conflict with the given alias in CloudFront List

distribution*

ListContinuousDeploymentPolicies Grants permission to list all continuous-deployment policies in the account List
ListDistributions Grants permission to list the distributions associated with your AWS account List
ListDistributionsByAnycastIpListId Grants permission to list the distributions in your account that are associated with the specified AnycastIpListId List
ListDistributionsByCachePolicyId Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified cache policy List
ListDistributionsByKeyGroup Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified key group List
ListDistributionsByLambdaFunction [permission only] Grants permission to list the distributions associated a Lambda function List
ListDistributionsByOriginRequestPolicyId Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified origin request policy List
ListDistributionsByRealtimeLogConfig Grants permission to get a list of distributions that have a cache behavior that's associated with the specified real-time log configuration List
ListDistributionsByResponseHeadersPolicyId Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified response headers policy List
ListDistributionsByVpcOriginId Grants permission to list IDs for distributions associated with the specified VPC origin List
ListDistributionsByWebACLId Grants permission to list the distributions associated with your AWS account with given AWS WAF web ACL List
ListFieldLevelEncryptionConfigs Grants permission to list all field-level encryption configurations that have been created in CloudFront for this account List
ListFieldLevelEncryptionProfiles Grants permission to list all field-level encryption profiles that have been created in CloudFront for this account List
ListFunctions Grants permission to get a list of CloudFront functions List
ListInvalidations Grants permission to list your invalidation batches List

distribution*

ListKeyGroups Grants permission to list all key groups that have been created in CloudFront for this account List
ListKeyValueStores Grants permission to get a list of CloudFront KeyValueStores List
ListOriginAccessControls Grants permission to list all origin access controls in the account List
ListOriginRequestPolicies Grants permission to list all origin request policies that have been created in CloudFront for this account List
ListPublicKeys Grants permission to list all public keys that have been added to CloudFront for this account List
ListRateCards [permission only] Grants permission to list CloudFront rate cards for the account List
ListRealtimeLogConfigs Grants permission to get a list of real-time log configurations List
ListResponseHeadersPolicies Grants permission to list all response headers policies that have been created in CloudFront for this account List
ListSavingsPlans [permission only] Grants permission to list savings plans in the account List
ListStreamingDistributions Grants permission to list your RTMP distributions List
ListTagsForResource Grants permission to list tags for a CloudFront resource Read

anycast-ip-list

distribution

vpcorigin

ListUsages [permission only] Grants permission to list CloudFront usage List
ListVpcOrigins Grants permission to list VPC origins List
PublishFunction Grants permission to publish a CloudFront function Write

function*

TagResource Grants permission to add tags to a CloudFront resource Tagging

anycast-ip-list

distribution

streaming-distribution

vpcorigin

aws:RequestTag/${TagKey}

aws:TagKeys

TestFunction Grants permission to test a CloudFront function Write

function*

UntagResource Grants permission to remove tags from a CloudFront resource Tagging

anycast-ip-list

distribution

streaming-distribution

vpcorigin

aws:TagKeys

UpdateCachePolicy Grants permission to update a cache policy Write

cache-policy*

UpdateCloudFrontOriginAccessIdentity Grants permission to set the configuration for a CloudFront origin access identity Write

origin-access-identity*

UpdateContinuousDeploymentPolicy Grants permission to update a continuous-deployment policy Write

continuous-deployment-policy*

UpdateDistribution Grants permission to update the configuration for a web distribution Write

distribution*

UpdateDistributionWithStagingConfig Grants permission to copy the configuration from a staging web distribution to its corresponding primary web distribution Write

distribution*

UpdateFieldLevelEncryptionConfig Grants permission to update a field-level encryption configuration Write
UpdateFieldLevelEncryptionProfile Grants permission to update a field-level encryption profile Write

field-level-encryption-profile*

UpdateFunction Grants permission to update a CloudFront function Write

function*

UpdateKeyGroup Grants permission to update a key group Write
UpdateKeyValueStore Grants permission to update a CloudFront KeyValueStore Write

key-value-store*

UpdateOriginAccessControl Grants permission to update an origin access control Write

origin-access-control*

UpdateOriginRequestPolicy Grants permission to update an origin request policy Write

origin-request-policy*

UpdatePublicKey Grants permission to update public key information Write
UpdateRealtimeLogConfig Grants permission to update a real-time log configuration Write

realtime-log-config*

UpdateResponseHeadersPolicy Grants permission to update a response headers policy Write

response-headers-policy*

UpdateSavingsPlan [permission only] Grants permission to update a savings plan Write
UpdateStreamingDistribution Grants permission to update the configuration for an RTMP distribution Write

streaming-distribution*

UpdateVpcOrigin Grants permission to update a VPC origin Write

vpcorigin*

Resource types defined by Amazon CloudFront

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
distribution arn:${Partition}:cloudfront::${Account}:distribution/${DistributionId}

aws:ResourceTag/${TagKey}

streaming-distribution arn:${Partition}:cloudfront::${Account}:streaming-distribution/${DistributionId}

aws:ResourceTag/${TagKey}

origin-access-identity arn:${Partition}:cloudfront::${Account}:origin-access-identity/${Id}
field-level-encryption-config arn:${Partition}:cloudfront::${Account}:field-level-encryption-config/${Id}
field-level-encryption-profile arn:${Partition}:cloudfront::${Account}:field-level-encryption-profile/${Id}
cache-policy arn:${Partition}:cloudfront::${Account}:cache-policy/${Id}
origin-request-policy arn:${Partition}:cloudfront::${Account}:origin-request-policy/${Id}
realtime-log-config arn:${Partition}:cloudfront::${Account}:realtime-log-config/${Name}
function arn:${Partition}:cloudfront::${Account}:function/${Name}
key-value-store arn:${Partition}:cloudfront::${Account}:key-value-store/${Name}
response-headers-policy arn:${Partition}:cloudfront::${Account}:response-headers-policy/${Id}
origin-access-control arn:${Partition}:cloudfront::${Account}:origin-access-control/${Id}
continuous-deployment-policy arn:${Partition}:cloudfront::${Account}:continuous-deployment-policy/${Id}
anycast-ip-list arn:${Partition}:cloudfront::${Account}:anycast-ip-list/${Id}

aws:ResourceTag/${TagKey}

vpcorigin arn:${Partition}:cloudfront::${Account}:vpcorigin/${Id}

aws:ResourceTag/${TagKey}

Condition keys for Amazon CloudFront

Amazon CloudFront defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the presence of tag keys in the request ArrayOfString