Actions, resources, and condition keys for Amazon ElastiCache - Service Authorization Reference

Amazon ElastiCache (service prefix: elasticache) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon ElastiCache

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Note

When you create an ElastiCache policy in IAM, you must use the "*" wildcard character for the Resource block. For information about using the following ElastiCache API actions in an IAM policy, see ElastiCache Actions and IAM in the Amazon ElastiCache User Guide.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddTagsToResource | The AddTagsToResource action adds up to 10 cost allocation tags to the named resource. | Tagging | cluster | | |
| | | | snapshot | | |
| AuthorizeCacheSecurityGroupIngress | The AuthorizeCacheSecurityGroupIngress action allows network ingress to a cache security group. | Write | securitygroup* | | ec2:AuthorizeSecurityGroupIngress |
| BatchApplyUpdateAction | Apply the service update. | Write | cluster | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs, s3:GetObject |
| | | | replicationgroup | | |
| BatchStopUpdateAction | Stop the service update. | Write | cluster | | |
| | | | replicationgroup | | |
| CompleteMigration | Stop the service update. | Write | cluster | | |
| | | | replicationgroup | | |
| CopySnapshot | The CopySnapshot action makes a copy of an existing snapshot. | Write | snapshot* | | elasticache:AddTagsToResource, s3:DeleteObject, s3:GetBucketAcl, s3:PutObject |
| CreateCacheCluster | The CreateCacheCluster action creates a cache cluster. | Write | parametergroup* | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs, elasticache:AddTagsToResource, s3:GetObject |
| | | | cluster | | |
| | | | replicationgroup | | |
| | | | securitygroup | | |
| | | | snapshot | | |
| | | | subnetgroup | | |
| CreateCacheParameterGroup | The CreateCacheParameterGroup action creates a new cache parameter group. | Write | parametergroup* | | elasticache:AddTagsToResource |
| CreateCacheSecurityGroup | The CreateCacheSecurityGroup action creates a new cache security group. | Write | securitygroup* | | elasticache:AddTagsToResource |
| CreateCacheSubnetGroup | The CreateCacheSubnetGroup action creates a new cache subnet group. | Write | subnetgroup* | | elasticache:AddTagsToResource |
| CreateGlobalReplicationGroup | The CreateGlobalReplicationGroup action creates a global datastore. | Write | globalreplicationgroup* | | |
| | | | replicationgroup* | | |
| CreateReplicationGroup | The CreateReplicationGroup action creates a replication group. | Write | parametergroup* | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs, elasticache:AddTagsToResource, s3:GetObject |
| | | | cluster | | |
| | | | globalreplicationgroup | | |
| | | | replicationgroup | | |
| | | | securitygroup | | |
| | | | snapshot | | |
| | | | subnetgroup | | |
| | | | usergroup | | |
| CreateSnapshot | The CreateSnapshot action creates a copy of an entire cache cluster at a specific moment in time. | Write | snapshot* | | elasticache:AddTagsToResource, s3:DeleteObject, s3:GetBucketAcl, s3:PutObject |
| | | | cluster | | |
| | | | replicationgroup | | |
| CreateUser | The CreateUser action creates a new user. | Write | user* | | |
| CreateUserGroup | The CreateUserGroup action creates a new user group. | Write | user* | | |
| | | | usergroup* | | |
| DecreaseNodeGroupsInGlobalReplicationGroup | The DecreaseNodeGroupsInGlobalReplicationGroup action decreases the number of node groups in a global datastore. | Write | globalreplicationgroup* | | |
| DecreaseReplicaCount | The DecreaseReplicaCount action decreases the number of replicas in a Redis replication group. | Write | replicationgroup* | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |
| DeleteCacheCluster | The DeleteCacheCluster action deletes a previously provisioned cache cluster. | Write | cluster* | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |
| | | | snapshot | | |
| DeleteCacheParameterGroup | The DeleteCacheParameterGroup action deletes the specified cache parameter group. | Write | parametergroup* | | |
| DeleteCacheSecurityGroup | The DeleteCacheSecurityGroup action deletes a cache security group. | Write | securitygroup* | | |
| DeleteCacheSubnetGroup | The DeleteCacheSubnetGroup action deletes a cache subnet group. | Write | subnetgroup* | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |
| DeleteGlobalReplicationGroup | The DeleteGlobalReplicationGroup action deletes a global datastore. | Write | globalreplicationgroup* | | |
| DeleteReplicationGroup | The DeleteReplicationGroup action deletes an existing replication group. | Write | replicationgroup* | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |
| | | | snapshot | | |
| DeleteSnapshot | The DeleteSnapshot action deletes an existing snapshot. | Write | snapshot* | | |
| DeleteUser | The DeleteUser action deletes an existing user. | Write | user* | | |
| DeleteUserGroup | The DeleteUserGroup action deletes an existing user group. | Write | usergroup* | | |
| DescribeCacheClusters | The DescribeCacheClusters action returns information about all provisioned cache clusters if no cache cluster identifier is specified, or about a specific cache cluster if a cache cluster identifier is supplied. | List | cluster* | | |
| DescribeCacheEngineVersions | The DescribeCacheEngineVersions action returns a list of the available cache engines and their versions. | List | | | |
| DescribeCacheParameterGroups | The DescribeCacheParameterGroups action returns information about parameter groups for this account, or a particular parameter group. | List | parametergroup* | | |
| DescribeCacheParameters | The DescribeCacheParameters action returns the detailed parameter list for a particular cache parameter group. | List | parametergroup* | | |
| DescribeCacheSecurityGroups | The DescribeCacheSecurityGroups action returns a list of cache security group descriptions, or the description of the specified security group. | List | securitygroup* | | |
| DescribeCacheSubnetGroups | The DescribeCacheSubnetGroups action returns a list of cache subnet group descriptions, or the description of the specified subnet group. | List | subnetgroup* | | |
| DescribeEngineDefaultParameters | The DescribeEngineDefaultParameters action returns the default engine and system parameter information for the specified cache engine. | List | | | |
| DescribeEvents | The DescribeEvents action returns events related to cache clusters, cache security groups, and cache parameter groups. | List | | | |
| DescribeGlobalReplicationGroups | The DescribeGlobalReplicationGroups action returns information about global datastores for this account, or a particular global datastore. | List | globalreplicationgroup* | | |
| DescribeReplicationGroups | The DescribeReplicationGroups action returns information about replication groups for this account, or a particular replication group. | List | replicationgroup* | | |
| DescribeReservedCacheNodes | The DescribeReservedCacheNodes action returns information about reserved cache nodes for this account, or a particular reserved cache node. | List | reserved-instance* | | |
| DescribeReservedCacheNodesOfferings | The DescribeReservedCacheNodesOfferings action lists available reserved cache node offerings. | List | | | |
| DescribeServiceUpdates | Returns details of the service updates. | List | | | |
| DescribeSnapshots | The DescribeSnapshots action returns information about cache cluster snapshots. | List | snapshot* | | |
| DescribeUpdateActions | Returns details of the update actions. | List | cluster | | |
| | | | replicationgroup | | |
| DescribeUserGroups | The DescribeUserGroups action returns information about all user groups for this account, or a particular user group. | List | usergroup* | | |
| DescribeUsers | The DescribeUsers action returns information about all users for this account, or a particular user. | List | user* | | |
| DisassociateGlobalReplicationGroup | The DisassociateGlobalReplicationGroup action removes a secondary Replication Group from the Global Datastore. | Write | globalreplicationgroup* | | |
| FailoverGlobalReplicationGroup | The FailoverGlobalReplicationGroup action removes a secondary Replication Group from the Global Datastore. | Write | globalreplicationgroup* | | |
| IncreaseNodeGroupsInGlobalReplicationGroup | The IncreaseNodeGroupsInGlobalReplicationGroup action increases the number of node groups in the Global Datastore. | Write | globalreplicationgroup* | | |
| IncreaseReplicaCount | The IncreaseReplicaCount action increases the number of replicas in a Redis replication group. | Write | replicationgroup* | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |
| ListAllowedNodeTypeModifications | List Allowed Node Type Modifications | List | cluster | | |
| | | | replicationgroup | | |
| ListTagsForResource | The ListTagsForResource action lists all cost allocation tags currently on the named resource. | Read | cluster | | |
| | | | snapshot | | |
| ModifyCacheCluster | The ModifyCacheCluster action modifies the settings for a cache cluster. | Write | cluster* | | |
| | | | parametergroup | | |
| | | | securitygroup | | |
| ModifyCacheParameterGroup | The ModifyCacheParameterGroup action modifies the parameters of a cache parameter group. | Write | parametergroup* | | |
| ModifyCacheSubnetGroup | The ModifyCacheSubnetGroup action modifies an existing cache subnet group. | Write | subnetgroup* | | |
| ModifyGlobalReplicationGroup | The ModifyGlobalReplicationGroup action modifies the settings for a Global Datastore. | Write | globalreplicationgroup* | | |
| ModifyReplicationGroup | The ModifyReplicationGroup action modifies the settings for a replication group. | Write | replicationgroup* | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |
| | | | parametergroup | | |
| | | | securitygroup | | |
| | | | usergroup | | |
| ModifyReplicationGroupShardConfiguration | The ModifyReplicationGroupShardConfiguration action allows you to add shards, remove shards, or rebalance the keyspaces among existing shards. | Write | replicationgroup* | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |
| ModifyUser | The ModifyUser action modifies an existing user. | Write | user* | | |
| ModifyUserGroup | The ModifyUserGroup action modifies an existing user group. | Write | user* | | |
| | | | usergroup* | | |
| PurchaseReservedCacheNodesOffering | The PurchaseReservedCacheNodesOffering action allows you to purchase a reserved cache node offering. | Write | reserved-instance* | | elasticache:AddTagsToResource |
| RebalanceSlotsInGlobalReplicationGroup | The RebalanceSlotsInGlobalReplicationGroup action redistributes slots to ensure uniform distribution across existing shards in the cluster. | Write | globalreplicationgroup* | | |
| RebootCacheCluster | The RebootCacheCluster action reboots some, or all, of the cache nodes within a provisioned cache cluster. | Write | cluster* | | |
| RemoveTagsFromResource | The RemoveTagsFromResource action removes the tags identified by the TagKeys list from the named resource. | Tagging | cluster | | |
| | | | snapshot | | |
| ResetCacheParameterGroup | The ResetCacheParameterGroup action modifies the parameters of a cache parameter group to the engine or system default value. | Write | parametergroup* | | |
| RevokeCacheSecurityGroupIngress | The RevokeCacheSecurityGroupIngress action revokes ingress from a cache security group. | Write | securitygroup* | | |
| StartMigration | Start the migration of data. | Write | replicationgroup* | | |
| TestFailover | The TestFailover action allows you to test automatic failover on a specified node group in a replication group. | Write | replicationgroup* | | ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |

Resource types defined by Amazon ElastiCache

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| parametergroup | arn:${Partition}:elasticache:${Region}:${Account}:parametergroup:${CacheParameterGroupName} | |
| securitygroup | arn:${Partition}:elasticache:${Region}:${Account}:securitygroup:${CacheSecurityGroupName} | |
| subnetgroup | arn:${Partition}:elasticache:${Region}:${Account}:subnetgroup:${CacheSubnetGroupName} | |
| replicationgroup | arn:${Partition}:elasticache:${Region}:${Account}:replicationgroup:${ReplicationGroupId} | |
| cluster | arn:${Partition}:elasticache:${Region}:${Account}:cluster:${CacheClusterId} | |
| reserved-instance | arn:${Partition}:elasticache:${Region}:${Account}:reserved-instance:${ReservedCacheNodeId} | |
| snapshot | arn:${Partition}:elasticache:${Region}:${Account}:snapshot:${SnapshotName} | |
| globalreplicationgroup | arn:${Partition}:elasticache::${Account}:globalreplicationgroup:${GlobalReplicationGroupId} | |
| user | arn:${Partition}:elasticache:${Region}:${Account}:user:${UserId} | |
| usergroup | arn:${Partition}:elasticache:${Region}:${Account}:usergroup:${UserGroupId} | |

Condition keys for Amazon ElastiCache

ElastiCache has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available keys for conditions.

Note

For information about conditions in an IAM policy to control access to ElastiCache, see ElastiCache Keys in the Amazon ElastiCache User Guide.