Actions, resources, and condition keys for Amazon CloudFront

Amazon CloudFront (service prefix: cloudfront) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon CloudFront
Resource types defined by Amazon CloudFront
Condition keys for Amazon CloudFront

Actions defined by Amazon CloudFront

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AssociateAlias	Grants permission to associate an alias to a CloudFront distribution	Write	distribution*
CopyDistribution	Grants permission to copy an existing distribution and create a new web distribution	Write	distribution*		cloudfront:CopyDistribution cloudfront:CreateDistribution cloudfront:GetDistribution
CreateCachePolicy	Grants permission to add a new cache policy to CloudFront	Write	cache-policy*
CreateCloudFrontOriginAccessIdentity	Grants permission to create a new CloudFront origin access identity	Write	origin-access-identity*
CreateContinuousDeploymentPolicy	Grants permission to add a new continuous-deployment policy to CloudFront	Write	continuous-deployment-policy*
CreateDistribution	Grants permission to create a new web distribution	Write	distribution*
CreateFieldLevelEncryptionConfig	Grants permission to create a new field-level encryption configuration	Write
CreateFieldLevelEncryptionProfile	Grants permission to create a field-level encryption profile	Write
CreateFunction	Grants permission to create a CloudFront function	Write	function*
CreateInvalidation	Grants permission to create a new invalidation batch request	Write	distribution*
CreateKeyGroup	Grants permission to add a new key group to CloudFront	Write
CreateKeyValueStore	Grants permission to create a CloudFront KeyValueStore	Write	key-value-store*
CreateMonitoringSubscription	Grants permission to enable additional CloudWatch metrics for the specified CloudFront distribution. The additional metrics incur an additional cost	Write
CreateOriginAccessControl	Grants permission to create a new origin access control	Write
CreateOriginRequestPolicy	Grants permission to add a new origin request policy to CloudFront	Write	origin-request-policy*
CreatePublicKey	Grants permission to add a new public key to CloudFront	Write
CreateRealtimeLogConfig	Grants permission to create a real-time log configuration	Write	realtime-log-config*
CreateResponseHeadersPolicy	Grants permission to add a new response headers policy to CloudFront	Write	response-headers-policy*
CreateSavingsPlan [permission only]	Grants permission to create a new savings plan	Write
CreateStreamingDistribution	Grants permission to create a new RTMP distribution	Write	streaming-distribution*
CreateStreamingDistributionWithTags	Grants permission to create a new RTMP distribution with tags	Write	streaming-distribution*
CreateStreamingDistributionWithTags		Write		aws:RequestTag/${TagKey} aws:TagKeys
DeleteCachePolicy	Grants permission to delete a cache policy	Write	cache-policy*
DeleteCloudFrontOriginAccessIdentity	Grants permission to delete a CloudFront origin access identity	Write	origin-access-identity*
DeleteContinuousDeploymentPolicy	Grants permission to delete a continuous-deployment policy	Write	continuous-deployment-policy*
DeleteDistribution	Grants permission to delete a web distribution	Write	distribution*
DeleteFieldLevelEncryptionConfig	Grants permission to delete a field-level encryption configuration	Write	field-level-encryption-config*
DeleteFieldLevelEncryptionProfile	Grants permission to delete a field-level encryption profile	Write	field-level-encryption-profile*
DeleteFunction	Grants permission to delete a CloudFront function	Write	function*
DeleteKeyGroup	Grants permission to delete a key group	Write
DeleteKeyValueStore	Grants permission to delete a CloudFront KeyValueStore	Write	key-value-store*
DeleteMonitoringSubscription	Grants permission to disable additional CloudWatch metrics for the specified CloudFront distribution	Write
DeleteOriginAccessControl	Grants permission to delete an origin access control	Write	origin-access-control*
DeleteOriginRequestPolicy	Grants permission to delete an origin request policy	Write	origin-request-policy*
DeletePublicKey	Grants permission to delete a public key from CloudFront	Write
DeleteRealtimeLogConfig	Grants permission to delete a real-time log configuration	Write	realtime-log-config*
DeleteResponseHeadersPolicy	Grants permission to delete a response headers policy	Write	response-headers-policy*
DeleteStreamingDistribution	Grants permission to delete an RTMP distribution	Write	streaming-distribution*
DescribeFunction	Grants permission to get a CloudFront function summary	Read	function*
DescribeKeyValueStore	Grants permission to get a CloudFront KeyValueStore summary	Read	key-value-store*
GetCachePolicy	Grants permission to get the cache policy	Read	cache-policy*
GetCachePolicyConfig	Grants permission to get the cache policy configuration	Read	cache-policy*
GetCloudFrontOriginAccessIdentity	Grants permission to get the information about a CloudFront origin access identity	Read	origin-access-identity*
GetCloudFrontOriginAccessIdentityConfig	Grants permission to get the configuration information about a Cloudfront origin access identity	Read	origin-access-identity*
GetContinuousDeploymentPolicy	Grants permission to get the continuous-deployment policy	Read	continuous-deployment-policy*
GetContinuousDeploymentPolicyConfig	Grants permission to get the continuous-deployment policy configuration	Read	continuous-deployment-policy*
GetDistribution	Grants permission to get the information about a web distribution	Read	distribution*
GetDistributionConfig	Grants permission to get the configuration information about a distribution	Read	distribution*
GetFieldLevelEncryption	Grants permission to get the field-level encryption configuration information	Read	field-level-encryption-config*
GetFieldLevelEncryptionConfig	Grants permission to get the field-level encryption configuration information	Read	field-level-encryption-config*
GetFieldLevelEncryptionProfile	Grants permission to get the field-level encryption configuration information	Read	field-level-encryption-profile*
GetFieldLevelEncryptionProfileConfig	Grants permission to get the field-level encryption profile configuration information	Read	field-level-encryption-profile*
GetFunction	Grants permission to get a CloudFront function's code	Read	function*
GetInvalidation	Grants permission to get the information about an invalidation	Read	distribution*
GetKeyGroup	Grants permission to get a key group	Read
GetKeyGroupConfig	Grants permission to get a key group configuration	Read
GetMonitoringSubscription	Grants permission to get information about whether additional CloudWatch metrics are enabled for the specified CloudFront distribution	Read
GetOriginAccessControl	Grants permission to get the origin access control	Read	origin-access-control*
GetOriginAccessControlConfig	Grants permission to get the origin access control configuration	Read	origin-access-control*
GetOriginRequestPolicy	Grants permission to get the origin request policy	Read	origin-request-policy*
GetOriginRequestPolicyConfig	Grants permission to get the origin request policy configuration	Read	origin-request-policy*
GetPublicKey	Grants permission to get the public key information	Read
GetPublicKeyConfig	Grants permission to get the public key configuration information	Read
GetRealtimeLogConfig	Grants permission to get a real-time log configuration	Read	realtime-log-config*
GetResponseHeadersPolicy	Grants permission to get the response headers policy	Read	response-headers-policy*
GetResponseHeadersPolicyConfig	Grants permission to get the response headers policy configuration	Read	response-headers-policy*
GetSavingsPlan [permission only]	Grants permission to get a savings plan	Read
GetStreamingDistribution	Grants permission to get the information about an RTMP distribution	Read	streaming-distribution*
GetStreamingDistributionConfig	Grants permission to get the configuration information about a streaming distribution	Read	streaming-distribution*
ListCachePolicies	Grants permission to list all cache policies that have been created in CloudFront for this account	List
ListCloudFrontOriginAccessIdentities	Grants permission to list your CloudFront origin access identities	List
ListConflictingAliases	Grants permission to list all aliases that conflict with the given alias in CloudFront	List	distribution*
ListContinuousDeploymentPolicies	Grants permission to list all continuous-deployment policies in the account	List
ListDistributions	Grants permission to list the distributions associated with your AWS account	List
ListDistributionsByCachePolicyId	Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified cache policy	List
ListDistributionsByKeyGroup	Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified key group	List
ListDistributionsByLambdaFunction [permission only]	Grants permission to list the distributions associated a Lambda function	List
ListDistributionsByOriginRequestPolicyId	Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified origin request policy	List
ListDistributionsByRealtimeLogConfig	Grants permission to get a list of distributions that have a cache behavior that's associated with the specified real-time log configuration	List
ListDistributionsByResponseHeadersPolicyId	Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified response headers policy	List
ListDistributionsByWebACLId	Grants permission to list the distributions associated with your AWS account with given AWS WAF web ACL	List
ListFieldLevelEncryptionConfigs	Grants permission to list all field-level encryption configurations that have been created in CloudFront for this account	List
ListFieldLevelEncryptionProfiles	Grants permission to list all field-level encryption profiles that have been created in CloudFront for this account	List
ListFunctions	Grants permission to get a list of CloudFront functions	List
ListInvalidations	Grants permission to list your invalidation batches	List	distribution*
ListKeyGroups	Grants permission to list all key groups that have been created in CloudFront for this account	List
ListKeyValueStores	Grants permission to get a list of CloudFront KeyValueStores	List
ListOriginAccessControls	Grants permission to list all origin access controls in the account	List
ListOriginRequestPolicies	Grants permission to list all origin request policies that have been created in CloudFront for this account	List
ListPublicKeys	Grants permission to list all public keys that have been added to CloudFront for this account	List
ListRateCards [permission only]	Grants permission to list CloudFront rate cards for the account	List
ListRealtimeLogConfigs	Grants permission to get a list of real-time log configurations	List
ListResponseHeadersPolicies	Grants permission to list all response headers policies that have been created in CloudFront for this account	List
ListSavingsPlans [permission only]	Grants permission to list savings plans in the account	List
ListStreamingDistributions	Grants permission to list your RTMP distributions	List
ListTagsForResource	Grants permission to list tags for a CloudFront resource	Read	distribution
ListUsages [permission only]	Grants permission to list CloudFront usage	List
PublishFunction	Grants permission to publish a CloudFront function	Write	function*
TagResource	Grants permission to add tags to a CloudFront resource	Tagging	distribution
			streaming-distribution
				aws:RequestTag/${TagKey} aws:TagKeys
TestFunction	Grants permission to test a CloudFront function	Write	function*
UntagResource	Grants permission to remove tags from a CloudFront resource	Tagging	distribution
			streaming-distribution
				aws:TagKeys
UpdateCachePolicy	Grants permission to update a cache policy	Write	cache-policy*
UpdateCloudFrontOriginAccessIdentity	Grants permission to set the configuration for a CloudFront origin access identity	Write	origin-access-identity*
UpdateContinuousDeploymentPolicy	Grants permission to update a continuous-deployment policy	Write	continuous-deployment-policy*
UpdateDistribution	Grants permission to update the configuration for a web distribution	Write	distribution*
UpdateDistributionWithStagingConfig	Grants permission to copy the configuration from a staging web distribution to its corresponding primary web distribution	Write	distribution*
UpdateFieldLevelEncryptionConfig	Grants permission to update a field-level encryption configuration	Write
UpdateFieldLevelEncryptionProfile	Grants permission to update a field-level encryption profile	Write	field-level-encryption-profile*
UpdateFunction	Grants permission to update a CloudFront function	Write	function*
UpdateKeyGroup	Grants permission to update a key group	Write
UpdateKeyValueStore	Grants permission to update a CloudFront KeyValueStore	Write	key-value-store*
UpdateOriginAccessControl	Grants permission to update an origin access control	Write	origin-access-control*
UpdateOriginRequestPolicy	Grants permission to update an origin request policy	Write	origin-request-policy*
UpdatePublicKey	Grants permission to update public key information	Write
UpdateRealtimeLogConfig	Grants permission to update a real-time log configuration	Write	realtime-log-config*
UpdateResponseHeadersPolicy	Grants permission to update a response headers policy	Write	response-headers-policy*
UpdateSavingsPlan [permission only]	Grants permission to update a savings plan	Write
UpdateStreamingDistribution	Grants permission to update the configuration for an RTMP distribution	Write	streaming-distribution*

Resource types defined by Amazon CloudFront

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
distribution	`arn:${Partition}:cloudfront::${Account}:distribution/${DistributionId}`	aws:ResourceTag/${TagKey}
streaming-distribution	`arn:${Partition}:cloudfront::${Account}:streaming-distribution/${DistributionId}`	aws:ResourceTag/${TagKey}
origin-access-identity	`arn:${Partition}:cloudfront::${Account}:origin-access-identity/${Id}`
field-level-encryption-config	`arn:${Partition}:cloudfront::${Account}:field-level-encryption-config/${Id}`
field-level-encryption-profile	`arn:${Partition}:cloudfront::${Account}:field-level-encryption-profile/${Id}`
cache-policy	`arn:${Partition}:cloudfront::${Account}:cache-policy/${Id}`
origin-request-policy	`arn:${Partition}:cloudfront::${Account}:origin-request-policy/${Id}`
realtime-log-config	`arn:${Partition}:cloudfront::${Account}:realtime-log-config/${Name}`
function	`arn:${Partition}:cloudfront::${Account}:function/${Name}`
key-value-store	`arn:${Partition}:cloudfront::${Account}:key-value-store/${Name}`
response-headers-policy	`arn:${Partition}:cloudfront::${Account}:response-headers-policy/${Id}`
origin-access-control	`arn:${Partition}:cloudfront::${Account}:origin-access-control/${Id}`
continuous-deployment-policy	`arn:${Partition}:cloudfront::${Account}:continuous-deployment-policy/${Id}`

Condition keys for Amazon CloudFront

Amazon CloudFront defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by the presence of tag key-value pairs in the request	String
aws:ResourceTag/${TagKey}	Filters access by tag key-value pairs attached to the resource	String
aws:TagKeys	Filters access by the presence of tag keys in the request	ArrayOfString

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS CloudFormation

Amazon CloudFront KeyValueStore