Actions, resources, and condition keys for Amazon Comprehend - Service Authorization Reference

Amazon Comprehend (service prefix: comprehend) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Comprehend

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. Each resource type in the Resource types table has a Condition keys column, which lists the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
BatchDetectDominantLanguage Grants permission to detect the language or languages present in the list of text documents Read
BatchDetectEntities Grants permission to detect the named entities ("People", "Places", "Locations", etc) within the given list of text documents Read
BatchDetectKeyPhrases Grants permission to detect the phrases in the list of text documents that are most indicative of the content Read
BatchDetectSentiment Grants permission to detect the sentiment of a text in the list of documents (Positive, Negative, Neutral, or Mixed) Read
BatchDetectSyntax Grants permission to detect syntactic information (like Part of Speech, Tokens) in a list of text documents Read
BatchDetectTargetedSentiment Grants permission to detect the sentiments associated with specific entities (such as brands or products) within the given list of text documents Read
ClassifyDocument Grants permission to create a new document classification request to analyze a single document in real-time, using a previously created and trained custom model and an endpoint Read

document-classifier-endpoint*

ContainsPiiEntities Grants permission to classify the personally identifiable information within given documents in real-time Read
CreateDataset Grants permission to create a new dataset within a flywheel Write

flywheel*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDocumentClassifier Grants permission to create a new document classifier that you can use to categorize documents Write

document-classifier*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:VolumeKmsKey

comprehend:ModelKmsKey

comprehend:OutputKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

CreateEndpoint Grants permission to create a model-specific endpoint for synchronous inference for a previously trained custom model Write

document-classifier*

document-classifier-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

entity-recognizer*

entity-recognizer-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

flywheel

CreateEntityRecognizer Grants permission to create an entity recognizer using submitted files Write

entity-recognizer*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:VolumeKmsKey

comprehend:ModelKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

CreateFlywheel Grants permission to create a new flywheel that you can use to train model versions Write

flywheel*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:VolumeKmsKey

comprehend:ModelKmsKey

comprehend:DataLakeKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

document-classifier

entity-recognizer

DeleteDocumentClassifier Grants permission to delete a previously created document classifier Write

document-classifier*

DeleteEndpoint Grants permission to delete a model-specific endpoint for a previously-trained custom model. All endpoints must be deleted in order for the model to be deleted Write

document-classifier-endpoint*

entity-recognizer-endpoint*

DeleteEntityRecognizer Grants permission to delete a submitted entity recognizer Write

entity-recognizer*

DeleteFlywheel Grants permission to delete a flywheel Write

flywheel*

DeleteResourcePolicy Grants permission to remove policy on resource Write

document-classifier*

entity-recognizer*

DescribeDataset Grants permission to get the properties associated with a dataset Read

flywheel-dataset*

DescribeDocumentClassificationJob Grants permission to get the properties associated with a document classification job Read

document-classification-job*

DescribeDocumentClassifier Grants permission to get the properties associated with a document classifier Read

document-classifier*

DescribeDominantLanguageDetectionJob Grants permission to get the properties associated with a dominant language detection job Read

dominant-language-detection-job*

DescribeEndpoint Grants permission to get the properties associated with a specific endpoint. Use this operation to get the status of an endpoint Read

document-classifier-endpoint*

entity-recognizer-endpoint*

DescribeEntitiesDetectionJob Grants permission to get the properties associated with an entities detection job Read

entities-detection-job*

DescribeEntityRecognizer Grants permission to provide details about an entity recognizer including status, S3 buckets containing training data, recognizer metadata, metrics, and so on Read

entity-recognizer*

DescribeEventsDetectionJob Grants permission to get the properties associated with an Events detection job Read

events-detection-job*

DescribeFlywheel Grants permission to get the properties associated with a flywheel Read

flywheel*

DescribeFlywheelIteration Grants permission to get the properties associated with a flywheel iteration for a flywheel Read

flywheel*

comprehend:FlywheelIterationId

DescribeKeyPhrasesDetectionJob Grants permission to get the properties associated with a key phrases detection job Read

key-phrases-detection-job*

DescribePiiEntitiesDetectionJob Grants permission to get the properties associated with a PII entities detection job Read

pii-entities-detection-job*

DescribeResourcePolicy Grants permission to read attached policy on resource Read

document-classifier*

entity-recognizer*

DescribeSentimentDetectionJob Grants permission to get the properties associated with a sentiment detection job Read

sentiment-detection-job*

DescribeTargetedSentimentDetectionJob Grants permission to get the properties associated with a targeted sentiment detection job Read

targeted-sentiment-detection-job*

DescribeTopicsDetectionJob Grants permission to get the properties associated with a topic detection job Read

topics-detection-job*

DetectDominantLanguage Grants permission to detect the language or languages present in the text Read
DetectEntities Grants permission to detect the named entities ("People", "Places", "Locations", etc) within the given text document Read

entity-recognizer-endpoint

DetectKeyPhrases Grants permission to detect the phrases in the text that are most indicative of the content Read
DetectPiiEntities Grants permission to detect the personally identifiable information entities ("Name", "SSN", "PIN", etc) within the given text document Read
DetectSentiment Grants permission to detect the sentiment of a text in a document (Positive, Negative, Neutral, or Mixed) Read
DetectSyntax Grants permission to detect syntactic information (like Part of Speech, Tokens) in a text document Read
DetectTargetedSentiment Grants permission to detect the sentiments associated with specific entities (such as brands or products) in a document Read
DetectToxicContent Grants permission to detect toxic content within the given list of text segments Read
ImportModel Grants permission to import a trained Comprehend model Write

document-classifier*

entity-recognizer*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:ModelKmsKey

ListDatasets Grants permission to get a list of the Datasets associated with a flywheel Read

flywheel*

ListDocumentClassificationJobs Grants permission to get a list of the document classification jobs that you have submitted Read
ListDocumentClassifierSummaries Grants permission to get a list of summaries of the document classifiers that you have created Read
ListDocumentClassifiers Grants permission to get a list of the document classifiers that you have created Read
ListDominantLanguageDetectionJobs Grants permission to get a list of the dominant language detection jobs that you have submitted Read
ListEndpoints Grants permission to get a list of all existing endpoints that you've created Read
ListEntitiesDetectionJobs Grants permission to get a list of the entity detection jobs that you have submitted Read
ListEntityRecognizerSummaries Grants permission to get a list of summaries for the entity recognizers that you have created Read
ListEntityRecognizers Grants permission to get a list of the properties of all entity recognizers that you created, including recognizers currently in training Read
ListEventsDetectionJobs Grants permission to get a list of Events detection jobs that you have submitted Read
ListFlywheelIterationHistory Grants permission to get a list of iterations associated with a flywheel Read

flywheel*

ListFlywheels Grants permission to get a list of the flywheels that you have created Read
ListKeyPhrasesDetectionJobs Grants permission to get a list of key phrase detection jobs that you have submitted Read
ListPiiEntitiesDetectionJobs Grants permission to get a list of PII entities detection jobs that you have submitted Read
ListSentimentDetectionJobs Grants permission to get a list of sentiment detection jobs that you have submitted Read
ListTagsForResource Grants permission to list tags for a resource Read

document-classification-job

document-classifier

document-classifier-endpoint

dominant-language-detection-job

entities-detection-job

entity-recognizer

entity-recognizer-endpoint

events-detection-job

flywheel

flywheel-dataset

key-phrases-detection-job

pii-entities-detection-job

sentiment-detection-job

targeted-sentiment-detection-job

topics-detection-job

ListTargetedSentimentDetectionJobs Grants permission to get a list of targeted sentiment detection jobs that you have submitted Read
ListTopicsDetectionJobs Grants permission to get a list of the topic detection jobs that you have submitted Read
PutResourcePolicy Grants permission to attach policy to resource Write

document-classifier*

entity-recognizer*

StartDocumentClassificationJob Grants permission to start an asynchronous document classification job Write

document-classification-job*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:VolumeKmsKey

comprehend:OutputKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

document-classifier

flywheel

StartDominantLanguageDetectionJob Grants permission to start an asynchronous dominant language detection job for a collection of documents Write

dominant-language-detection-job*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:VolumeKmsKey

comprehend:OutputKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

StartEntitiesDetectionJob Grants permission to start an asynchronous entity detection job for a collection of documents Write

entities-detection-job*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:VolumeKmsKey

comprehend:OutputKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

entity-recognizer

flywheel

StartEventsDetectionJob Grants permission to start an asynchronous Events detection job for a collection of documents Write

events-detection-job*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:OutputKmsKey

StartFlywheelIteration Grants permission to start a flywheel iteration for a flywheel Write

flywheel*

StartKeyPhrasesDetectionJob Grants permission to start an asynchronous key phrase detection job for a collection of documents Write

key-phrases-detection-job*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:VolumeKmsKey

comprehend:OutputKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

StartPiiEntitiesDetectionJob Grants permission to start an asynchronous PII entities detection job for a collection of documents Write

pii-entities-detection-job*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:OutputKmsKey

StartSentimentDetectionJob Grants permission to start an asynchronous sentiment detection job for a collection of documents Write

sentiment-detection-job*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:VolumeKmsKey

comprehend:OutputKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

StartTargetedSentimentDetectionJob Grants permission to start an asynchronous targeted sentiment detection job for a collection of documents Write

targeted-sentiment-detection-job*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:VolumeKmsKey

comprehend:OutputKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

StartTopicsDetectionJob Grants permission to start an asynchronous job to detect the most common topics in the collection of documents and the phrases associated with each topic Write

topics-detection-job*

aws:RequestTag/${TagKey}

aws:TagKeys

comprehend:VolumeKmsKey

comprehend:OutputKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

StopDominantLanguageDetectionJob Grants permission to stop a dominant language detection job Write

dominant-language-detection-job*

StopEntitiesDetectionJob Grants permission to stop an entity detection job Write

entities-detection-job*

StopEventsDetectionJob Grants permission to stop an Events detection job Write

events-detection-job*

StopKeyPhrasesDetectionJob Grants permission to stop a key phrase detection job Write

key-phrases-detection-job*

StopPiiEntitiesDetectionJob Grants permission to stop a PII entities detection job Write

pii-entities-detection-job*

StopSentimentDetectionJob Grants permission to stop a sentiment detection job Write

sentiment-detection-job*

StopTargetedSentimentDetectionJob Grants permission to stop a targeted sentiment detection job Write

targeted-sentiment-detection-job*

StopTrainingDocumentClassifier Grants permission to stop a previously created document classifier training job Write

document-classifier*

StopTrainingEntityRecognizer Grants permission to stop a previously created entity recognizer training job Write

entity-recognizer*

TagResource Grants permission to tag a resource with given key value pairs Tagging

document-classification-job

document-classifier

document-classifier-endpoint

dominant-language-detection-job

entities-detection-job

entity-recognizer

entity-recognizer-endpoint

events-detection-job

flywheel

flywheel-dataset

key-phrases-detection-job

pii-entities-detection-job

sentiment-detection-job

targeted-sentiment-detection-job

topics-detection-job

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to untag a resource with given key Tagging

document-classification-job

document-classifier

document-classifier-endpoint

dominant-language-detection-job

entities-detection-job

entity-recognizer

entity-recognizer-endpoint

events-detection-job

flywheel

flywheel-dataset

key-phrases-detection-job

pii-entities-detection-job

sentiment-detection-job

targeted-sentiment-detection-job

topics-detection-job

aws:TagKeys

UpdateEndpoint Grants permission to update information about the specified endpoint Write

document-classifier-endpoint*

entity-recognizer-endpoint*

flywheel

UpdateFlywheel Grants permission to update a flywheel's configuration Write

flywheel*

comprehend:VolumeKmsKey

comprehend:ModelKmsKey

comprehend:VpcSecurityGroupIds

comprehend:VpcSubnets

document-classifier

entity-recognizer

Resource types defined by Amazon Comprehend

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
targeted-sentiment-detection-job arn:${Partition}:comprehend:${Region}:${Account}:targeted-sentiment-detection-job/${JobId} aws:ResourceTag/${TagKey}
document-classifier arn:${Partition}:comprehend:${Region}:${Account}:document-classifier/${DocumentClassifierName} aws:ResourceTag/${TagKey}
document-classifier-endpoint arn:${Partition}:comprehend:${Region}:${Account}:document-classifier-endpoint/${DocumentClassifierEndpointName} aws:ResourceTag/${TagKey}
entity-recognizer arn:${Partition}:comprehend:${Region}:${Account}:entity-recognizer/${EntityRecognizerName} aws:ResourceTag/${TagKey}
entity-recognizer-endpoint arn:${Partition}:comprehend:${Region}:${Account}:entity-recognizer-endpoint/${EntityRecognizerEndpointName} aws:ResourceTag/${TagKey}
dominant-language-detection-job arn:${Partition}:comprehend:${Region}:${Account}:dominant-language-detection-job/${JobId} aws:ResourceTag/${TagKey}
entities-detection-job arn:${Partition}:comprehend:${Region}:${Account}:entities-detection-job/${JobId} aws:ResourceTag/${TagKey}
pii-entities-detection-job arn:${Partition}:comprehend:${Region}:${Account}:pii-entities-detection-job/${JobId} aws:ResourceTag/${TagKey}
events-detection-job arn:${Partition}:comprehend:${Region}:${Account}:events-detection-job/${JobId} aws:ResourceTag/${TagKey}
key-phrases-detection-job arn:${Partition}:comprehend:${Region}:${Account}:key-phrases-detection-job/${JobId} aws:ResourceTag/${TagKey}
sentiment-detection-job arn:${Partition}:comprehend:${Region}:${Account}:sentiment-detection-job/${JobId} aws:ResourceTag/${TagKey}
topics-detection-job arn:${Partition}:comprehend:${Region}:${Account}:topics-detection-job/${JobId} aws:ResourceTag/${TagKey}
document-classification-job arn:${Partition}:comprehend:${Region}:${Account}:document-classification-job/${JobId} aws:ResourceTag/${TagKey}
flywheel arn:${Partition}:comprehend:${Region}:${Account}:flywheel/${FlywheelName} aws:ResourceTag/${TagKey}
flywheel-dataset arn:${Partition}:comprehend:${Region}:${Account}:flywheel/${FlywheelName}/dataset/${DatasetName} aws:ResourceTag/${TagKey}

Condition keys for Amazon Comprehend

Amazon Comprehend defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by requiring tag values present in a resource creation request String
aws:ResourceTag/${TagKey} Filters access by requiring tag value associated with the resource String
aws:TagKeys Filters access by requiring the presence of mandatory tags in the request ArrayOfString
comprehend:DataLakeKmsKey Filters access by the DataLake Kms Key associated with the flywheel resource in the request ARN
comprehend:FlywheelIterationId Filters access by particular Iteration Id for a flywheel String
comprehend:ModelKmsKey Filters access by the model KMS key associated with the resource in the request ARN
comprehend:OutputKmsKey Filters access by the output KMS key associated with the resource in the request ARN
comprehend:VolumeKmsKey Filters access by the volume KMS key associated with the resource in the request ARN
comprehend:VpcSecurityGroupIds Filters access by the list of all VPC security group ids associated with the resource in the request ArrayOfString
comprehend:VpcSubnets Filters access by the list of all VPC subnets associated with the resource in the request ArrayOfString
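
The Resource and Condition key rules from the Actions table can be checked mechanically before a policy is deployed. The Python linter below is an added example, not part of the AWS reference: it flags an action that has no resource types but is scoped to an ARN, a required resource type that no Resource pattern covers, and a comprehend: condition key that the table does not list for the action. The ACTIONS map is a hand-transcribed subset of the table above; `lint`, `covers`, `as_list`, the account ID, the key ID and the sample policy are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Subset of this page's Actions table: action -> (required types, comprehend: keys)
ACTIONS = {
    "DetectSentiment": ((), ()),  # no resource types: Resource must be "*"
    "ClassifyDocument": (("document-classifier-endpoint",), ()),
    "StartEntitiesDetectionJob": (("entities-detection-job",), (
        "comprehend:VolumeKmsKey", "comprehend:OutputKmsKey",
        "comprehend:VpcSecurityGroupIds", "comprehend:VpcSubnets")),
    "StartPiiEntitiesDetectionJob": (("pii-entities-detection-job",),
                                     ("comprehend:OutputKmsKey",)),
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers(pattern, rtype):
    """True if a Resource pattern (assumed "*" or a six-field ARN) can match rtype."""
    if pattern == "*":
        return True
    parts = pattern.split(":", 5)
    if len(parts) < 6 or parts[2] != "comprehend":
        return False
    # Compare only the resource-type segment before the first "/".
    return fnmatchcase(rtype, parts[5].split("/", 1)[0])

def lint(policy):
    """Return (statement index, action, problem) tuples."""
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        resources = as_list(st.get("Resource", []))
        keys = {k for op in st.get("Condition", {}).values() for k in op}
        for action in as_list(st.get("Action", [])):
            name = action.split(":", 1)[-1]
            if name not in ACTIONS:
                continue  # wildcards and untranscribed actions are not checked
            required, listed = ACTIONS[name]
            allowed = {k.lower() for k in listed}  # key names are case-insensitive
            if not required and "*" not in resources:
                findings.append((i, name, 'no resource types: Resource must be "*"'))
            for rtype in required:
                if not any(covers(r, rtype) for r in resources):
                    findings.append((i, name, f"required type {rtype} not covered"))
            for key in sorted(keys):
                if key.lower().startswith("comprehend:") and key.lower() not in allowed:
                    findings.append((i, name, f"{key} is not listed for this action"))
    return findings

# Constructed sample policy; the account ID and key ID are placeholders.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["comprehend:DetectSentiment", "comprehend:ClassifyDocument"],
     "Resource": "arn:aws:comprehend:us-east-1:111122223333:document-classifier-endpoint/*"},
    {"Effect": "Allow",
     "Action": ["comprehend:StartEntitiesDetectionJob",
                "comprehend:StartPiiEntitiesDetectionJob"],
     "Resource": "arn:aws:comprehend:us-east-1:111122223333:*-detection-job/*",
     "Condition": {"ArnEquals": {"comprehend:VolumeKmsKey":
         "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}},
]}

if __name__ == "__main__":
    print(*lint(SAMPLE_POLICY), sep="\n")
```

On the sample policy it reports DetectSentiment in the first statement (scoped to an ARN although the table lists no resource type for it) and StartPiiEntitiesDetectionJob in the second (the table lists only comprehend:OutputKmsKey for that action, not comprehend:VolumeKmsKey).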