Actions, resources, and condition keys for Amazon Kendra - Service Authorization Reference

Actions, resources, and condition keys for Amazon Kendra

Amazon Kendra (service prefix: kendra) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Kendra

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateEntitiesToExperience | Grants permission to put principal mapping in index | Write | experience*, index* | | |
| AssociatePersonasToEntities | Defines the specific permissions of users or groups in your AWS SSO identity source with access to your Amazon Kendra experience | Write | experience*, index* | | |
| BatchDeleteDocument | Grants permission to batch delete document | Write | index* | | |
| BatchGetDocumentStatus | Grants permission to do batch get document status | Read | index* | | |
| BatchPutDocument | Grants permission to batch put document | Write | index* | | |
| ClearQuerySuggestions | Grants permission to clear out the suggestions for a given index, generated so far | Write | index* | | |
| CreateDataSource | Grants permission to create a data source | Write | index* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateExperience | Creates an Amazon Kendra experience such as a search application | Write | index* | | |
| CreateFaq | Grants permission to create an Faq | Write | index* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateIndex | Grants permission to create an Index | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateQuerySuggestionsBlockList | Grants permission to create a QuerySuggestions BlockList | Write | index* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateThesaurus | Grants permission to create a Thesaurus | Write | index* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteDataSource | Grants permission to delete a data source | Write | data-source*, index* | | |
| DeleteExperience | Deletes your Amazon Kendra experience such as a search application | Write | experience*, index* | | |
| DeleteFaq | Grants permission to delete an Faq | Write | faq*, index* | | |
| DeleteIndex | Grants permission to delete an Index | Write | index* | | |
| DeletePrincipalMapping | Grants permission to delete principal mapping from index | Write | index*, data-source | | |
| DeleteQuerySuggestionsBlockList | Grants permission to delete a QuerySuggestions BlockList | Write | index*, query-suggestions-block-list* | | |
| DeleteThesaurus | Grants permission to delete a Thesaurus | Write | index*, thesaurus* | | |
| DescribeDataSource | Grants permission to describe a data source | Read | data-source*, index* | | |
| DescribeExperience | Gets information about your Amazon Kendra experience such as a search application | Read | experience*, index* | | |
| DescribeFaq | Grants permission to describe an Faq | Read | faq*, index* | | |
| DescribeIndex | Grants permission to describe an Index | Read | index* | | |
| DescribePrincipalMapping | Grants permission to describe principal mapping from index | Read | index*, data-source | | |
| DescribeQuerySuggestionsBlockList | Grants permission to describe a QuerySuggestions BlockList | Read | index*, query-suggestions-block-list* | | |
| DescribeQuerySuggestionsConfig | Grants permission to describe the query suggestions configuration for an index | Read | index* | | |
| DescribeThesaurus | Grants permission to describe a Thesaurus | Read | index*, thesaurus* | | |
| DisassociateEntitiesFromExperience | Prevents users or groups in your AWS SSO identity source from accessing your Amazon Kendra experience | Write | experience*, index* | | |
| DisassociatePersonasFromEntities | Removes the specific permissions of users or groups in your AWS SSO identity source with access to your Amazon Kendra experience | Write | experience*, index* | | |
| GetQuerySuggestions | Grants permission to get suggestions for a query prefix | Read | index* | | |
| GetSnapshots | Retrieves search metrics data | Read | index* | | |
| ListDataSourceSyncJobs | Grants permission to get Data Source sync job history | List | data-source*, index* | | |
| ListDataSources | Grants permission to list the data sources | List | index* | | |
| ListEntityPersonas | Lists specific permissions of users and groups with access to your Amazon Kendra experience | List | experience*, index* | | |
| ListExperienceEntities | Lists users or groups in your AWS SSO identity source that are granted access to your Amazon Kendra experience | List | experience*, index* | | |
| ListExperiences | Lists one or more Amazon Kendra experiences. You can create an Amazon Kendra experience such as a search application | List | index* | | |
| ListFaqs | Grants permission to list the Faqs | List | index* | | |
| ListGroupsOlderThanOrderingId | Grants permission to list groups that are older than an ordering id | List | index*, data-source | | |
| ListIndices | Grants permission to list the indexes | List | | | |
| ListQuerySuggestionsBlockLists | Grants permission to list the QuerySuggestions BlockLists | List | index* | | |
| ListTagsForResource | Grants permission to list tags for a resource | Read | data-source, faq, index, query-suggestions-block-list, thesaurus | | |
| ListThesauri | Grants permission to list the Thesauri | List | index* | | |
| PutPrincipalMapping | Grants permission to put principal mapping in index | Write | index*, data-source | | |
| Query | Grants permission to query documents and faqs | Read | index* | | |
| StartDataSourceSyncJob | Grants permission to start Data Source sync job | Write | data-source*, index* | | |
| StopDataSourceSyncJob | Grants permission to stop Data Source sync job | Write | data-source*, index* | | |
| SubmitFeedback | Grants permission to send feedback about a query results | Write | index* | | |
| TagResource | Grants permission to tag a resource with given key value pairs | Tagging | data-source, faq, index, query-suggestions-block-list, thesaurus | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UntagResource | Grants permission to remove the tag with the given key from a resource | Tagging | data-source, faq, index, query-suggestions-block-list, thesaurus | aws:TagKeys | |
| UpdateDataSource | Grants permission to update a data source | Write | data-source*, index* | | |
| UpdateExperience | Updates your Amazon Kendra experience such as a search application | Write | index* | | |
| UpdateIndex | Grants permission to update an Index | Write | index* | | |
| UpdateQuerySuggestionsBlockList | Grants permission to update a QuerySuggestions BlockList | Write | index*, query-suggestions-block-list* | | |
| UpdateQuerySuggestionsConfig | Grants permission to update the query suggestions configuration for an index | Write | index* | | |
| UpdateThesaurus | Grants permission to update a thesaurus | Write | index*, thesaurus* | | |

Resource types defined by Amazon Kendra

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| index | arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId} | aws:ResourceTag/${TagKey} |
| data-source | arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/data-source/${DataSourceId} | aws:ResourceTag/${TagKey} |
| faq | arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/faq/${FaqId} | aws:ResourceTag/${TagKey} |
| experience | arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/experience/${ExperienceId} | |
| thesaurus | arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/thesaurus/${ThesaurusId} | aws:ResourceTag/${TagKey} |
| query-suggestions-block-list | arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/query-suggestions-block-list/${QuerySuggestionsBlockListId} | aws:ResourceTag/${TagKey} |

Condition keys for Amazon Kendra

Amazon Kendra defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access based on the tags that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters access based on the tags associated with the resource | String |
| aws:TagKeys | Filters access based on the tag keys that are passed in the request | ArrayOfString |
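
The following least-privilege policy is an added example, not part of the original reference. It applies the three tables above together: an action with no resource type needs `"*"`, actions with two required resource types list both ARNs, and tag condition keys are used only where the tables list them. The account ID `111122223333`, Region `us-east-1`, the `EXAMPLE-...` IDs and the `Project=search-demo` tag are constructed placeholders; each `Sid` states what the statement demonstrates.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListIndicesHasNoResourceTypeSoWildcardIsRequired",
      "Effect": "Allow",
      "Action": "kendra:ListIndices",
      "Resource": "*"
    },
    {
      "Sid": "QueryOnlyIndexesTaggedForThisProject",
      "Effect": "Allow",
      "Action": ["kendra:Query", "kendra:GetQuerySuggestions", "kendra:SubmitFeedback"],
      "Resource": "arn:aws:kendra:us-east-1:111122223333:index/*",
      "Condition": {
        "StringEquals": {"aws:ResourceTag/Project": "search-demo"}
      }
    },
    {
      "Sid": "SyncOneDataSourceInOneIndex",
      "Effect": "Allow",
      "Action": [
        "kendra:StartDataSourceSyncJob",
        "kendra:StopDataSourceSyncJob",
        "kendra:ListDataSourceSyncJobs"
      ],
      "Resource": [
        "arn:aws:kendra:us-east-1:111122223333:index/EXAMPLE-INDEX-ID",
        "arn:aws:kendra:us-east-1:111122223333:index/EXAMPLE-INDEX-ID/data-source/EXAMPLE-DATA-SOURCE-ID"
      ]
    },
    {
      "Sid": "CreateDataSourceOnlyWithProjectTag",
      "Effect": "Allow",
      "Action": "kendra:CreateDataSource",
      "Resource": "arn:aws:kendra:us-east-1:111122223333:index/EXAMPLE-INDEX-ID",
      "Condition": {
        "StringEquals": {"aws:RequestTag/Project": "search-demo"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Project"]}
      }
    }
  ]
}
```

Because `*` in an ARN pattern also matches `/`, `index/*` covers child ARNs such as data sources and FAQs under every index; that is harmless in the second statement only because its three actions accept the index resource type alone.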