Actions, resources, and condition keys for Amazon Comprehend
Amazon Comprehend (service prefix: comprehend) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon Comprehend
You can specify the following actions in the Action
element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the Resource
element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
BatchDetectDominantLanguage | Grants permission to detect the language or languages present in the list of text documents | Read | |||
BatchDetectEntities | Grants permission to detect the named entities ("People", "Places", "Locations", etc) within the given list of text documents | Read | |||
BatchDetectKeyPhrases | Grants permission to detect the phrases in the list of text documents that are most indicative of the content | Read | |||
BatchDetectSentiment | Grants permission to detect the sentiment of a text in the list of documents (Positive, Negative, Neutral, or Mixed) | Read | |||
BatchDetectSyntax | Grants permission to detect syntactic information (like Part of Speech, Tokens) in a list of text documents | Read | |||
ClassifyDocument | Grants permission to create a new document classification request to analyze a single document in real-time, using a previously created and trained custom model and an endpoint | Read | |||
CreateDocumentClassifier | Grants permission to create a new document classifier that you can use to categorize documents | Write | |||
CreateEndpoint | Grants permission to create a model-specific endpoint for synchronous inference for a previously trained custom model | Write | |||
CreateEntityRecognizer | Grants permission to create an entity recognizer using submitted files | Write | |||
DeleteDocumentClassifier | Grants permission to delete a previously created document classifier | Write | |||
DeleteEndpoint | Grants permission to delete a model-specific endpoint for a previously-trained custom model. All endpoints must be deleted in order for the model to be deleted | Write | |||
DeleteEntityRecognizer | Grants permission to delete a submitted entity recognizer | Write | |||
DescribeDocumentClassificationJob | Grants permission to get the properties associated with a document classification job | Read | |||
DescribeDocumentClassifier | Grants permission to get the properties associated with a document classifier | Read | |||
DescribeDominantLanguageDetectionJob | Grants permission to get the properties associated with a dominant language detection job | Read | |||
DescribeEndpoint | Grants permission to get the properties associated with a specific endpoint. Use this operation to get the status of an endpoint | Read | |||
DescribeEntitiesDetectionJob | Grants permission to get the properties associated with an entities detection job | Read | |||
DescribeEntityRecognizer | Grants permission to provide details about an entity recognizer including status, S3 buckets containing training data, recognizer metadata, metrics, and so on | Read | |||
DescribeEventsDetectionJob | Grants permission to get the properties associated with an Events detection job | Read | |||
DescribeKeyPhrasesDetectionJob | Grants permission to get the properties associated with a key phrases detection job | Read | |||
DescribePiiEntitiesDetectionJob | Grants permission to get the properties associated with a PII entities detection job | Read | |||
DescribeSentimentDetectionJob | Grants permission to get the properties associated with a sentiment detection job | Read | |||
DescribeTopicsDetectionJob | Grants permission to get the properties associated with a topic detection job | Read | |||
DetectDominantLanguage | Grants permission to detect the language or languages present in the text | Read | |||
DetectEntities | Grants permission to detect the named entities ("People", "Places", "Locations", etc) within the given text document | Read | |||
DetectKeyPhrases | Grants permission to detect the phrases in the text that are most indicative of the content | Read | |||
DetectPiiEntities | Grants permission to detect the personally identifiable information entities ("Name", "SSN", "PIN", etc) within the given text document | Read | |||
DetectSentiment | Grants permission to detect the sentiment of a text in a document (Positive, Negative, Neutral, or Mixed) | Read | |||
DetectSyntax | Grants permission to detect syntactic information (like Part of Speech, Tokens) in a text document | Read | |||
ListDocumentClassificationJobs | Grants permission to get a list of the document classification jobs that you have submitted | List | |||
ListDocumentClassifiers | Grants permission to get a list of the document classifiers that you have created | List | |||
ListDominantLanguageDetectionJobs | Grants permission to get a list of the dominant language detection jobs that you have submitted | List | |||
ListEndpoints | Grants permission to get a list of all existing endpoints that you've created | List | |||
ListEntitiesDetectionJobs | Grants permission to get a list of the entity detection jobs that you have submitted | List | |||
ListEntityRecognizers | Grants permission to get a list of the properties of all entity recognizers that you created, including recognizers currently in training | List | |||
ListEventsDetectionJobs | Grants permission to get a list of Events detection jobs that you have submitted | List | |||
ListKeyPhrasesDetectionJobs | Grants permission to get a list of key phrase detection jobs that you have submitted | List | |||
ListPiiEntitiesDetectionJobs | Grants permission to get a list of PII entities detection jobs that you have submitted | List | |||
ListSentimentDetectionJobs | Grants permission to get a list of sentiment detection jobs that you have submitted | List | |||
ListTagsForResource | Grants permission to list tags for a resource | List | |||
ListTopicsDetectionJobs | Grants permission to get a list of the topic detection jobs that you have submitted | List | |||
StartDocumentClassificationJob | Grants permission to start an asynchronous document classification job | Write | |||
StartDominantLanguageDetectionJob | Grants permission to start an asynchronous dominant language detection job for a collection of documents | Write | |||
StartEntitiesDetectionJob | Grants permission to start an asynchronous entity detection job for a collection of documents | Write | |||
StartEventsDetectionJob | Grants permission to start an asynchronous Events detection job for a collection of documents | Write | |||
StartKeyPhrasesDetectionJob | Grants permission to start an asynchronous key phrase detection job for a collection of documents | Write | |||
StartPiiEntitiesDetectionJob | Grants permission to start an asynchronous PII entities detection job for a collection of documents | Write | |||
StartSentimentDetectionJob | Grants permission to start an asynchronous sentiment detection job for a collection of documents | Write | |||
StartTopicsDetectionJob | Grants permission to start an asynchronous job to detect the most common topics in the collection of documents and the phrases associated with each topic | Write | |||
StopDominantLanguageDetectionJob | Grants permission to stop a dominant language detection job | Write | |||
StopEntitiesDetectionJob | Grants permission to stop an entity detection job | Write | |||
StopEventsDetectionJob | Grants permission to stop an Events detection job | Write | |||
StopKeyPhrasesDetectionJob | Grants permission to stop a key phrase detection job | Write | |||
StopPiiEntitiesDetectionJob | Grants permission to stop a PII entities detection job | Write | |||
StopSentimentDetectionJob | Grants permission to stop a sentiment detection job | Write | |||
StopTrainingDocumentClassifier | Grants permission to stop a previously created document classifier training job | Write | |||
StopTrainingEntityRecognizer | Grants permission to stop a previously created entity recognizer training job | Write | |||
TagResource | Grants permission to tag a resource with given key value pairs | Tagging | |||
UntagResource | Grants permission to untag a resource with given key | Tagging | |||
UpdateEndpoint | Grants permission to update information about the specified endpoint | Write | |||
Resource types defined by Amazon Comprehend
The following resource types are defined by this service and can be used in the Resource
element of IAM permission policy statements. Each action in the Actions table identifies
the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The resource types table.
Condition keys for Amazon Comprehend
Amazon Comprehend defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the
following table, see The condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access to create requests based on the allowed set of values for each of the mandatory tags | String |
aws:ResourceTag/${TagKey} | Filters access to actions based on the tag value associated with the resource | String |
aws:TagKeys | Filters access to create requests based on the presence of mandatory tags in the request | String |
comprehend:OutputKmsKey | Filters access by the output KMS key associated with the resource in the request. | ARN |
comprehend:VolumeKmsKey | Filters access by the volume KMS key associated with the resource in the request. | ARN |
comprehend:VpcSecurityGroupIds | Filters access by the list of all VPC security group ids associated with the resource in the request. | ArrayOfString |
comprehend:VpcSubnets | Filters access by the list of all VPC subnets associated with the resource in the request. | ArrayOfString |
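
The following identity-based policy is an added example, not part of the original reference. It shows how the service-specific condition keys above can gate an asynchronous job so that it must use an approved KMS key for output and volume encryption and must run in a VPC. The account ID, Region, and key ID are constructed placeholders, and the assumption that comprehend:StartEntitiesDetectionJob populates these keys should be confirmed against the Condition keys column of the actions table, which is empty in this copy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEntitiesJobs",
      "Effect": "Allow",
      "Action": [
        "comprehend:StartEntitiesDetectionJob",
        "comprehend:DescribeEntitiesDetectionJob",
        "comprehend:ListEntitiesDetectionJobs",
        "comprehend:StopEntitiesDetectionJob"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyUnapprovedOrMissingOutputKey",
      "Effect": "Deny",
      "Action": "comprehend:StartEntitiesDetectionJob",
      "Resource": "*",
      "Condition": {
        "ArnNotEquals": {
          "comprehend:OutputKmsKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
        }
      }
    },
    {
      "Sid": "DenyUnapprovedOrMissingVolumeKey",
      "Effect": "Deny",
      "Action": "comprehend:StartEntitiesDetectionJob",
      "Resource": "*",
      "Condition": {
        "ArnNotEquals": {
          "comprehend:VolumeKmsKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
        }
      }
    },
    {
      "Sid": "DenyJobsOutsideVpc",
      "Effect": "Deny",
      "Action": "comprehend:StartEntitiesDetectionJob",
      "Resource": "*",
      "Condition": {
        "Null": { "comprehend:VpcSubnets": "true" }
      }
    }
  ]
}
```

Each key gets its own Deny statement because multiple keys inside one condition block are ANDed, which would deny only when every key fails at once. A negated operator such as ArnNotEquals also evaluates to true when the key is absent from the request, so the same statement rejects jobs that omit the KMS key entirely.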