Actions, resources, and condition keys for Amazon ElastiCache - Service Authorization Reference

Amazon ElastiCache (service prefix: elasticache) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon ElastiCache

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Note

Actions that list no resource type in the table below (for example DescribeCacheEngineVersions, DescribeEvents, DescribeEngineDefaultParameters, DescribeReservedCacheNodesOfferings, and DescribeServiceUpdates) do not support resource-level permissions, so a statement that grants them must use the "*" wildcard in the Resource element. Actions that do list a resource type can be scoped to ARNs of that type. For information about using these ElastiCache API actions in an IAM policy, see ElastiCache Actions and IAM in the Amazon ElastiCache User Guide.

Each action is listed with its description, access level, resource types (an asterisk marks a required resource type), condition keys, and dependent actions; a field that is empty in the reference is omitted.

AddTagsToResource
    Description: Grants permission to add tags to an ElastiCache resource
    Access level: Tagging
    Resource types: cluster, parametergroup, replicationgroup, reserved-instance, securitygroup, snapshot, subnetgroup, user, usergroup
    Condition keys: aws:TagKeys, aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}

AuthorizeCacheSecurityGroupIngress
    Description: Grants permission to authorize an EC2 security group on an ElastiCache security group
    Access level: Write
    Resource types: securitygroup*
    Condition keys: aws:ResourceTag/${TagKey}
    Dependent actions: ec2:AuthorizeSecurityGroupIngress

BatchApplyUpdateAction
    Description: Grants permission to apply ElastiCache service updates to sets of clusters and replication groups
    Access level: Write
    Resource types: cluster, replicationgroup
    Condition keys: aws:ResourceTag/${TagKey}
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs, s3:GetObject

BatchStopUpdateAction
    Description: Grants permission to stop ElastiCache service updates from being executed on a set of clusters
    Access level: Write
    Resource types: cluster, replicationgroup
    Condition keys: aws:ResourceTag/${TagKey}

CompleteMigration
    Description: Grants permission to complete an online migration of data from hosted Redis on Amazon EC2 to ElastiCache
    Access level: Write
    Resource types: cluster, replicationgroup
    Condition keys: aws:ResourceTag/${TagKey}

CopySnapshot
    Description: Grants permission to make a copy of an existing snapshot
    Access level: Write
    Resource types: snapshot*
    Condition keys: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, elasticache:KmsKeyId
    Dependent actions: elasticache:AddTagsToResource, s3:DeleteObject, s3:GetBucketAcl, s3:PutObject

CreateCacheCluster
    Description: Grants permission to create a cache cluster
    Access level: Write
    Resource types: parametergroup*, cluster, replicationgroup, securitygroup, snapshot, subnetgroup
    Condition keys: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, elasticache:CacheNodeType, elasticache:EngineVersion, elasticache:EngineType, elasticache:MultiAZEnabled, elasticache:AuthTokenEnabled, elasticache:SnapshotRetentionLimit, elasticache:CacheParameterGroupName
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs, elasticache:AddTagsToResource, s3:GetObject

CreateCacheParameterGroup
    Description: Grants permission to create a parameter group
    Access level: Write
    Resource types: parametergroup*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, elasticache:CacheParameterGroupName
    Dependent actions: elasticache:AddTagsToResource

CreateCacheSecurityGroup
    Description: Grants permission to create a cache security group
    Access level: Write
    Resource types: securitygroup*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
    Dependent actions: elasticache:AddTagsToResource

CreateCacheSubnetGroup
    Description: Grants permission to create a cache subnet group
    Access level: Write
    Resource types: subnetgroup*
    Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys
    Dependent actions: elasticache:AddTagsToResource

CreateGlobalReplicationGroup
    Description: Grants permission to create a global replication group
    Access level: Write
    Resource types: globalreplicationgroup*, replicationgroup*
    Condition keys: aws:ResourceTag/${TagKey}

CreateReplicationGroup
    Description: Grants permission to create a replication group
    Access level: Write
    Resource types: parametergroup*, cluster, globalreplicationgroup, replicationgroup, securitygroup, snapshot, subnetgroup, usergroup
    Condition keys: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, elasticache:NumNodeGroups, elasticache:CacheNodeType, elasticache:ReplicasPerNodeGroup, elasticache:EngineVersion, elasticache:EngineType, elasticache:AtRestEncryptionEnabled, elasticache:TransitEncryptionEnabled, elasticache:AutomaticFailoverEnabled, elasticache:MultiAZEnabled, elasticache:ClusterModeEnabled, elasticache:AuthTokenEnabled, elasticache:SnapshotRetentionLimit, elasticache:KmsKeyId, elasticache:CacheParameterGroupName
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs, elasticache:AddTagsToResource, s3:GetObject

CreateSnapshot
    Description: Grants permission to create a copy of an entire Redis cluster at a specific moment in time
    Access level: Write
    Resource types: snapshot*, cluster, replicationgroup
    Condition keys: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, elasticache:KmsKeyId
    Dependent actions: elasticache:AddTagsToResource, s3:DeleteObject, s3:GetBucketAcl, s3:PutObject

CreateUser
    Description: Grants permission to create a Redis user for Redis engine version 6.x and onwards
    Access level: Write
    Resource types: user*
    Condition keys: aws:TagKeys, aws:RequestTag/${TagKey}
    Dependent actions: elasticache:AddTagsToResource

CreateUserGroup
    Description: Grants permission to create a Redis user group for Redis engine version 6.x and onwards
    Access level: Write
    Resource types: user*, usergroup*
    Condition keys: aws:TagKeys, aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}
    Dependent actions: elasticache:AddTagsToResource

DecreaseNodeGroupsInGlobalReplicationGroup
    Description: Grants permission to decrease the number of node groups in global replication groups
    Access level: Write
    Resource types: globalreplicationgroup*
    Condition keys: elasticache:NumNodeGroups

DecreaseReplicaCount
    Description: Grants permission to decrease the number of replicas in a Redis (cluster mode disabled) replication group or the number of replica nodes in one or more node groups (shards) of a Redis (cluster mode enabled) replication group
    Access level: Write
    Resource types: replicationgroup*
    Condition keys: aws:ResourceTag/${TagKey}, elasticache:ReplicasPerNodeGroup
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs

DeleteCacheCluster
    Description: Grants permission to delete a previously provisioned cluster
    Access level: Write
    Resource types: cluster*, snapshot
    Condition keys: aws:ResourceTag/${TagKey}
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs

DeleteCacheParameterGroup
    Description: Grants permission to delete the specified cache parameter group
    Access level: Write
    Resource types: parametergroup*
    Condition keys: aws:ResourceTag/${TagKey}, elasticache:CacheParameterGroupName

DeleteCacheSecurityGroup
    Description: Grants permission to delete a cache security group
    Access level: Write
    Resource types: securitygroup*
    Condition keys: aws:ResourceTag/${TagKey}

DeleteCacheSubnetGroup
    Description: Grants permission to delete a cache subnet group
    Access level: Write
    Resource types: subnetgroup*
    Condition keys: aws:ResourceTag/${TagKey}
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs

DeleteGlobalReplicationGroup
    Description: Grants permission to delete an existing global replication group
    Access level: Write
    Resource types: globalreplicationgroup*

DeleteReplicationGroup
    Description: Grants permission to delete an existing replication group
    Access level: Write
    Resource types: replicationgroup*, snapshot
    Condition keys: aws:ResourceTag/${TagKey}
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs

DeleteSnapshot
    Description: Grants permission to delete an existing snapshot
    Access level: Write
    Resource types: snapshot*
    Condition keys: aws:ResourceTag/${TagKey}

DeleteUser
    Description: Grants permission to delete an existing user and thus remove it from all user groups and replication groups where it was assigned
    Access level: Write
    Resource types: user*
    Condition keys: aws:ResourceTag/${TagKey}

DeleteUserGroup
    Description: Grants permission to delete an existing user group
    Access level: Write
    Resource types: usergroup*
    Condition keys: aws:ResourceTag/${TagKey}

DescribeCacheClusters
    Description: Grants permission to list information about provisioned cache clusters
    Access level: List
    Resource types: cluster*
    Condition keys: aws:ResourceTag/${TagKey}

DescribeCacheEngineVersions
    Description: Grants permission to list available cache engines and their versions
    Access level: List

DescribeCacheParameterGroups
    Description: Grants permission to list cache parameter group descriptions
    Access level: List
    Resource types: parametergroup*
    Condition keys: aws:ResourceTag/${TagKey}

DescribeCacheParameters
    Description: Grants permission to retrieve the detailed parameter list for a particular cache parameter group
    Access level: List
    Resource types: parametergroup*
    Condition keys: aws:ResourceTag/${TagKey}

DescribeCacheSecurityGroups
    Description: Grants permission to list cache security group descriptions
    Access level: List
    Resource types: securitygroup*
    Condition keys: aws:ResourceTag/${TagKey}

DescribeCacheSubnetGroups
    Description: Grants permission to list cache subnet group descriptions
    Access level: List
    Resource types: subnetgroup*
    Condition keys: aws:ResourceTag/${TagKey}

DescribeEngineDefaultParameters
    Description: Grants permission to retrieve the default engine and system parameter information for the specified cache engine
    Access level: List

DescribeEvents
    Description: Grants permission to list events related to clusters, cache security groups, and cache parameter groups
    Access level: List

DescribeGlobalReplicationGroups
    Description: Grants permission to list information about global replication groups
    Access level: List
    Resource types: globalreplicationgroup*

DescribeReplicationGroups
    Description: Grants permission to list information about provisioned replication groups
    Access level: List
    Resource types: replicationgroup*
    Condition keys: aws:ResourceTag/${TagKey}

DescribeReservedCacheNodes
    Description: Grants permission to list information about purchased reserved cache nodes
    Access level: List
    Resource types: reserved-instance*
    Condition keys: aws:ResourceTag/${TagKey}

DescribeReservedCacheNodesOfferings
    Description: Grants permission to list available reserved cache node offerings
    Access level: List

DescribeServiceUpdates
    Description: Grants permission to list details of the service updates
    Access level: List

DescribeSnapshots
    Description: Grants permission to list information about cluster or replication group snapshots
    Access level: List
    Resource types: snapshot*
    Condition keys: aws:ResourceTag/${TagKey}

DescribeUpdateActions
    Description: Grants permission to list details of the update actions for a set of clusters or replication groups
    Access level: List
    Resource types: cluster, replicationgroup
    Condition keys: aws:ResourceTag/${TagKey}

DescribeUserGroups
    Description: Grants permission to list information about Redis user groups
    Access level: List
    Resource types: usergroup*
    Condition keys: aws:ResourceTag/${TagKey}

DescribeUsers
    Description: Grants permission to list information about Redis users
    Access level: List
    Resource types: user*
    Condition keys: aws:ResourceTag/${TagKey}

DisassociateGlobalReplicationGroup
    Description: Grants permission to remove a secondary replication group from the global replication group
    Access level: Write
    Resource types: globalreplicationgroup*

FailoverGlobalReplicationGroup
    Description: Grants permission to fail over the primary region to a selected secondary region of a global replication group
    Access level: Write
    Resource types: globalreplicationgroup*

IncreaseNodeGroupsInGlobalReplicationGroup
    Description: Grants permission to increase the number of node groups in a global replication group
    Access level: Write
    Resource types: globalreplicationgroup*
    Condition keys: elasticache:NumNodeGroups

IncreaseReplicaCount
    Description: Grants permission to increase the number of replicas in a Redis (cluster mode disabled) replication group or the number of replica nodes in one or more node groups (shards) of a Redis (cluster mode enabled) replication group
    Access level: Write
    Resource types: replicationgroup*
    Condition keys: aws:ResourceTag/${TagKey}, elasticache:ReplicasPerNodeGroup
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs

ListAllowedNodeTypeModifications
    Description: Grants permission to list the available node types that can be used to scale a particular Redis cluster or replication group
    Access level: List
    Resource types: cluster, replicationgroup
    Condition keys: aws:ResourceTag/${TagKey}

ListTagsForResource
    Description: Grants permission to list tags for an ElastiCache resource
    Access level: Read
    Resource types: cluster, snapshot
    Condition keys: aws:ResourceTag/${TagKey}

ModifyCacheCluster
    Description: Grants permission to modify settings for a cluster
    Access level: Write
    Resource types: cluster*, parametergroup, securitygroup
    Condition keys: aws:ResourceTag/${TagKey}, elasticache:CacheNodeType, elasticache:EngineVersion, elasticache:MultiAZEnabled, elasticache:AuthTokenEnabled, elasticache:SnapshotRetentionLimit, elasticache:CacheParameterGroupName

ModifyCacheParameterGroup
    Description: Grants permission to modify parameters of a cache parameter group
    Access level: Write
    Resource types: parametergroup*
    Condition keys: aws:ResourceTag/${TagKey}, elasticache:CacheParameterGroupName

ModifyCacheSubnetGroup
    Description: Grants permission to modify an existing cache subnet group
    Access level: Write
    Resource types: subnetgroup*
    Condition keys: aws:ResourceTag/${TagKey}

ModifyGlobalReplicationGroup
    Description: Grants permission to modify settings for a global replication group
    Access level: Write
    Resource types: globalreplicationgroup*
    Condition keys: elasticache:CacheNodeType, elasticache:EngineVersion, elasticache:AutomaticFailoverEnabled

ModifyReplicationGroup
    Description: Grants permission to modify the settings for a replication group
    Access level: Write
    Resource types: replicationgroup*, parametergroup, securitygroup, usergroup
    Condition keys: aws:ResourceTag/${TagKey}, elasticache:CacheNodeType, elasticache:EngineVersion, elasticache:AutomaticFailoverEnabled, elasticache:MultiAZEnabled, elasticache:AuthTokenEnabled, elasticache:SnapshotRetentionLimit, elasticache:CacheParameterGroupName
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs

ModifyReplicationGroupShardConfiguration
    Description: Grants permission to add shards, remove shards, or rebalance the keyspaces among existing shards of a replication group
    Access level: Write
    Resource types: replicationgroup*
    Condition keys: aws:ResourceTag/${TagKey}, elasticache:NumNodeGroups
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs

ModifyUser
    Description: Grants permission to change Redis user password(s) and/or access string
    Access level: Write
    Resource types: user*
    Condition keys: aws:ResourceTag/${TagKey}

ModifyUserGroup
    Description: Grants permission to change the list of users that belong to the user group
    Access level: Write
    Resource types: user*, usergroup*
    Condition keys: aws:ResourceTag/${TagKey}

PurchaseReservedCacheNodesOffering
    Description: Grants permission to purchase a reserved cache node offering
    Access level: Write
    Resource types: reserved-instance*
    Condition keys: aws:TagKeys, aws:RequestTag/${TagKey}
    Dependent actions: elasticache:AddTagsToResource

RebalanceSlotsInGlobalReplicationGroup
    Description: Grants permission to perform a key space rebalance operation to redistribute slots and ensure uniform key distribution across existing shards in a global replication group
    Access level: Write
    Resource types: globalreplicationgroup*

RebootCacheCluster
    Description: Grants permission to reboot some, or all, of the cache nodes within a provisioned cache cluster or replication group (cluster mode disabled)
    Access level: Write
    Resource types: cluster*
    Condition keys: aws:ResourceTag/${TagKey}

RemoveTagsFromResource
    Description: Grants permission to remove tags from an ElastiCache resource
    Access level: Tagging
    Resource types: cluster, parametergroup, replicationgroup, reserved-instance, securitygroup, snapshot, subnetgroup, user, usergroup
    Condition keys: aws:TagKeys, aws:ResourceTag/${TagKey}

ResetCacheParameterGroup
    Description: Grants permission to reset parameters of a cache parameter group back to their default values
    Access level: Write
    Resource types: parametergroup*
    Condition keys: aws:ResourceTag/${TagKey}, elasticache:CacheParameterGroupName

RevokeCacheSecurityGroupIngress
    Description: Grants permission to remove an EC2 security group ingress from an ElastiCache security group
    Access level: Write
    Resource types: securitygroup*
    Condition keys: aws:ResourceTag/${TagKey}

StartMigration
    Description: Grants permission to start a migration of data from hosted Redis on Amazon EC2 to ElastiCache for Redis
    Access level: Write
    Resource types: replicationgroup*
    Condition keys: aws:ResourceTag/${TagKey}

TestFailover
    Description: Grants permission to test automatic failover on a specified node group in a replication group
    Access level: Write
    Resource types: replicationgroup*
    Condition keys: aws:ResourceTag/${TagKey}
    Dependent actions: ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs

Resource types defined by Amazon ElastiCache

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Each resource type is listed with its ARN pattern and the condition keys it supports.

parametergroup
    ARN: arn:${Partition}:elasticache:${Region}:${Account}:parametergroup:${CacheParameterGroupName}
    Condition keys: aws:ResourceTag/${TagKey}

securitygroup
    ARN: arn:${Partition}:elasticache:${Region}:${Account}:securitygroup:${CacheSecurityGroupName}
    Condition keys: aws:ResourceTag/${TagKey}

subnetgroup
    ARN: arn:${Partition}:elasticache:${Region}:${Account}:subnetgroup:${CacheSubnetGroupName}
    Condition keys: aws:ResourceTag/${TagKey}

replicationgroup
    ARN: arn:${Partition}:elasticache:${Region}:${Account}:replicationgroup:${ReplicationGroupId}
    Condition keys: aws:ResourceTag/${TagKey}

cluster
    ARN: arn:${Partition}:elasticache:${Region}:${Account}:cluster:${CacheClusterId}
    Condition keys: aws:ResourceTag/${TagKey}

reserved-instance
    ARN: arn:${Partition}:elasticache:${Region}:${Account}:reserved-instance:${ReservedCacheNodeId}
    Condition keys: aws:ResourceTag/${TagKey}

snapshot
    ARN: arn:${Partition}:elasticache:${Region}:${Account}:snapshot:${SnapshotName}
    Condition keys: aws:ResourceTag/${TagKey}

globalreplicationgroup
    ARN: arn:${Partition}:elasticache::${Account}:globalreplicationgroup:${GlobalReplicationGroupId} (note the empty Region component)
    Condition keys: none

user
    ARN: arn:${Partition}:elasticache:${Region}:${Account}:user:${UserId}
    Condition keys: aws:ResourceTag/${TagKey}

usergroup
    ARN: arn:${Partition}:elasticache:${Region}:${Account}:usergroup:${UserGroupId}
    Condition keys: aws:ResourceTag/${TagKey}
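The following is an added example, not code from the AWS reference or from ElastiCache itself. It builds ElastiCache ARNs from the patterns in the resource types table (including the region-less globalreplicationgroup form), assembles a least-privilege policy for one replication group that carries the dependent actions the actions table lists for CreateReplicationGroup, and checks a policy for dependent actions it fails to grant. The account ID, Region, resource names, the Owner tag and the seed bucket are placeholders chosen for illustration, and the reading that s3:GetObject is only needed when seeding from an S3 object is an assumption.

```python
# Added example: ElastiCache ARN construction and a least-privilege policy
# for one replication group. Not part of the AWS reference page.
import json

RESOURCE_TYPES = {
    "parametergroup", "securitygroup", "subnetgroup", "replicationgroup", "cluster",
    "reserved-instance", "snapshot", "globalreplicationgroup", "user", "usergroup",
}
# The only ARN pattern in the resource types table with an empty Region component.
REGIONLESS_TYPES = {"globalreplicationgroup"}

# Dependent actions copied from the actions table for CreateReplicationGroup.
DEPENDENT_ACTIONS = {
    "elasticache:CreateReplicationGroup": [
        "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
        "elasticache:AddTagsToResource", "s3:GetObject",
    ],
}


def elasticache_arn(resource_type, name, account, region, partition="aws"):
    """arn:${Partition}:elasticache:${Region}:${Account}:<type>:<name>, with the
    Region left empty for globalreplicationgroup."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unknown ElastiCache resource type: {resource_type}")
    region = "" if resource_type in REGIONLESS_TYPES else region
    return f"arn:{partition}:elasticache:{region}:{account}:{resource_type}:{name}"


def parse_elasticache_arn(arn):
    """Inverse of elasticache_arn; rejects ARNs that do not follow the documented shape."""
    parts = arn.split(":", 6)
    if len(parts) != 7 or parts[0] != "arn" or parts[2] != "elasticache":
        raise ValueError(f"not an ElastiCache ARN: {arn}")
    _, partition, _, region, account, resource_type, name = parts
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unknown resource type in ARN: {resource_type}")
    if (region == "") != (resource_type in REGIONLESS_TYPES):
        raise ValueError(f"Region component does not match resource type: {arn}")
    return {"partition": partition, "region": region, "account": account,
            "resource_type": resource_type, "name": name}


def replication_group_policy(account, region, rg_id, parameter_group, subnet_group,
                             owner, seed_bucket=None, partition="aws"):
    """Allow one principal to create and manage a single replication group.
    Creation is scoped to the required parametergroup plus the subnetgroup and
    replicationgroup ARNs; aws:RequestTag ties creation to an Owner tag and
    aws:ResourceTag ties later management to the same tag."""
    rg = elasticache_arn("replicationgroup", rg_id, account, region, partition)
    pg = elasticache_arn("parametergroup", parameter_group, account, region, partition)
    sg = elasticache_arn("subnetgroup", subnet_group, account, region, partition)
    deps = DEPENDENT_ACTIONS["elasticache:CreateReplicationGroup"]
    statements = [
        {"Sid": "CreateOwnedReplicationGroup", "Effect": "Allow",
         "Action": ["elasticache:CreateReplicationGroup", "elasticache:AddTagsToResource"],
         "Resource": [rg, pg, sg],
         "Condition": {"StringEquals": {"aws:RequestTag/Owner": owner}}},
        {"Sid": "ManageOwnedReplicationGroup", "Effect": "Allow",
         "Action": ["elasticache:DescribeReplicationGroups", "elasticache:ModifyReplicationGroup",
                    "elasticache:DeleteReplicationGroup"],
         "Resource": rg,
         "Condition": {"StringEquals": {"aws:ResourceTag/Owner": owner}}},
        # The EC2 dependencies act on network interfaces and VPC metadata, not on
        # ElastiCache ARNs, so they cannot be scoped to the replication group.
        {"Sid": "NetworkInterfaceDependencies", "Effect": "Allow",
         "Action": [a for a in deps if a.startswith("ec2:")], "Resource": "*"},
    ]
    if seed_bucket:  # assumption: s3:GetObject matters only when seeding from an S3 object
        statements.append({"Sid": "ReadSeedSnapshot", "Effect": "Allow",
                           "Action": "s3:GetObject",
                           "Resource": f"arn:{partition}:s3:::{seed_bucket}/*"})
    return {"Version": "2012-10-17", "Statement": statements}


def missing_dependencies(policy, action):
    """Dependent actions of `action` that no Allow statement grants.
    Exact action names only; wildcard Action patterns are not expanded."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        granted.update(acts)
    return [dep for dep in DEPENDENT_ACTIONS.get(action, []) if dep not in granted]


if __name__ == "__main__":
    policy = replication_group_policy("123456789012", "us-east-1", "orders-cache",
                                      "orders-params", "orders-subnets", "payments")
    print(json.dumps(policy, indent=2))
    print("not granted:", missing_dependencies(policy, "elasticache:CreateReplicationGroup"))
```

Without a seed bucket the check reports s3:GetObject as not granted, which is the intended outcome for a role that never seeds from S3; the same check run against a real policy before deployment catches the more common mistake of granting elasticache:CreateReplicationGroup while forgetting the ec2 network-interface actions.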

Condition keys for Amazon ElastiCache

Amazon ElastiCache defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Note

For information about conditions in an IAM policy to control access to ElastiCache, see ElastiCache Keys in the Amazon ElastiCache User Guide.

Condition key (Type): Description
aws:RequestTag/${TagKey} (String): Filters actions based on the tags that are passed in the request
aws:ResourceTag/${TagKey} (String): Filters actions based on the tags associated with the resource
aws:TagKeys (String): Filters actions based on the tag keys that are passed in the request
elasticache:AtRestEncryptionEnabled (Bool): Filters access by the AtRestEncryptionEnabled parameter present in the request, or by the default value false if the parameter is not present
elasticache:AuthTokenEnabled (Bool): Filters access by the presence of a non-empty AuthToken parameter in the request
elasticache:AutomaticFailoverEnabled (Bool): Filters access by the AutomaticFailoverEnabled parameter in the request
elasticache:CacheNodeType (String): Filters access by the CacheNodeType parameter present in the request. This key can be used to restrict which cache node types can be used on cluster creation or scaling operations
elasticache:CacheParameterGroupName (String): Filters access by the CacheParameterGroupName parameter in the request
elasticache:ClusterModeEnabled (Bool): Filters access by the cluster mode parameter present in the request. The default value for single node group (shard) creations is false
elasticache:EngineType (String): Filters access by the engine type present in creation requests. For replication group creations, the default engine 'redis' is used as the key value if the parameter is not present
elasticache:EngineVersion (String): Filters access by the EngineVersion parameter present in creation or cluster modification requests
elasticache:KmsKeyId (String): Filters access by the KmsKeyId parameter in the request
elasticache:MultiAZEnabled (Bool): Filters access by the AZMode parameter, the MultiAZEnabled parameter, or the number of Availability Zones that the cluster or replication group can be placed in
elasticache:NumNodeGroups (Numeric): Filters access by the NumNodeGroups or NodeGroupCount parameter specified in the request. This key can be used to restrict the number of node groups (shards) clusters can have after creation or scaling operations
elasticache:ReplicasPerNodeGroup (Numeric): Filters access by the number of replicas per node group (shard) specified in creation or scaling requests
elasticache:SnapshotRetentionLimit (Numeric): Filters access by the SnapshotRetentionLimit parameter in the request
elasticache:TransitEncryptionEnabled (Bool): Filters access by the TransitEncryptionEnabled parameter present in the request, or by the default value false if the parameter is not present
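The following is an added example, not code from the AWS reference or from ElastiCache itself. It writes a guardrail policy with the elasticache:* condition keys described above (deny replication groups created without at-rest encryption, transit encryption or an AUTH token, and cap the shard count), then checks that policy offline with a small evaluator that derives the condition-key values from a CreateReplicationGroup request the way the table describes: the encryption flags default to false when the parameter is omitted, AuthTokenEnabled is true only for a non-empty AuthToken, and EngineType defaults to redis. The policy text, the shard limit of four, and the request bodies are constructed for illustration; the evaluator models only the operators the policy uses and ignores Resource matching because every statement uses "*".

```python
# Added example: guardrail policy on ElastiCache condition keys and an offline
# evaluator for it. Not part of the AWS reference page.
import fnmatch

GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCreate", "Effect": "Allow",
         "Action": "elasticache:CreateReplicationGroup", "Resource": "*"},
        # The key defaults to false when the parameter is absent, so an omitted
        # flag is denied exactly like an explicit false.
        {"Sid": "DenyNoAtRestEncryption", "Effect": "Deny",
         "Action": "elasticache:CreateReplicationGroup", "Resource": "*",
         "Condition": {"Bool": {"elasticache:AtRestEncryptionEnabled": "false"}}},
        {"Sid": "DenyNoTransitEncryption", "Effect": "Deny",
         "Action": "elasticache:CreateReplicationGroup", "Resource": "*",
         "Condition": {"Bool": {"elasticache:TransitEncryptionEnabled": "false"}}},
        {"Sid": "DenyNoAuthToken", "Effect": "Deny",
         "Action": "elasticache:CreateReplicationGroup", "Resource": "*",
         "Condition": {"Bool": {"elasticache:AuthTokenEnabled": "false"}}},
        {"Sid": "DenyMoreThanFourShards", "Effect": "Deny",  # limit chosen for illustration
         "Action": "elasticache:CreateReplicationGroup", "Resource": "*",
         "Condition": {"NumericGreaterThan": {"elasticache:NumNodeGroups": "4"}}},
    ],
}


def context_for_create_replication_group(request):
    """Derive the condition keys from a CreateReplicationGroup request body,
    following the defaults given in the condition keys table."""
    ctx = {
        "elasticache:AtRestEncryptionEnabled": bool(request.get("AtRestEncryptionEnabled", False)),
        "elasticache:TransitEncryptionEnabled": bool(request.get("TransitEncryptionEnabled", False)),
        "elasticache:AuthTokenEnabled": bool(request.get("AuthToken")),
        "elasticache:EngineType": request.get("Engine", "redis"),
    }
    # Keys that exist only when the request carries the parameter.
    optional = {"CacheNodeType": "elasticache:CacheNodeType",
                "EngineVersion": "elasticache:EngineVersion",
                "KmsKeyId": "elasticache:KmsKeyId",
                "NumNodeGroups": "elasticache:NumNodeGroups",
                "ReplicasPerNodeGroup": "elasticache:ReplicasPerNodeGroup",
                "SnapshotRetentionLimit": "elasticache:SnapshotRetentionLimit"}
    for param, key in optional.items():
        if param in request:
            ctx[key] = request[param]
    return ctx


def _key_matches(operator, actual, wanted):
    """One condition key. Policy values are ORed; a key absent from the request
    context never matches (the ...IfExists operator variants are not modelled)."""
    if actual is None:
        return False
    if operator == "Bool":
        return any(str(actual).lower() == str(w).lower() for w in wanted)
    if operator == "StringEquals":
        return any(str(actual) == w for w in wanted)
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(str(actual), w) for w in wanted)
    if operator == "NumericGreaterThan":
        return any(float(actual) > float(w) for w in wanted)
    raise ValueError(f"condition operator not modelled: {operator}")


def _statement_matches(stmt, action, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    for operator, keys in stmt.get("Condition", {}).items():  # operator blocks are ANDed
        for key, wanted in keys.items():                       # keys in a block are ANDed
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if not _key_matches(operator, ctx.get(key), wanted):
                return False
    return True


def evaluate(policy, action, ctx):
    """IAM ordering: an explicit Deny wins, then an Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check_create(request):
    return evaluate(GUARDRAIL_POLICY, "elasticache:CreateReplicationGroup",
                    context_for_create_replication_group(request))


# Constructed requests; field names follow the CreateReplicationGroup API.
COMPLIANT = {"ReplicationGroupId": "orders-cache", "ReplicationGroupDescription": "orders",
             "AtRestEncryptionEnabled": True, "TransitEncryptionEnabled": True,
             "AuthToken": "placeholder-auth-token-0123456789abcdef", "NumNodeGroups": 2}
DEFAULTS_ONLY = {"ReplicationGroupId": "scratch", "ReplicationGroupDescription": "scratch"}
TOO_MANY_SHARDS = dict(COMPLIANT, NumNodeGroups=8)

if __name__ == "__main__":
    for name, req in (("compliant", COMPLIANT), ("defaults only", DEFAULTS_ONLY),
                      ("too many shards", TOO_MANY_SHARDS)):
        print(f"{name}: {check_create(req)}")
```

Each requirement is its own Deny statement on purpose: keys inside one Condition block are ANDed, so a single block listing all three Bool keys would only deny a request that omitted all of them at once. The point of the default-false behaviour is that a request which never mentions encryption is still caught.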