Actions, resources, and condition keys for Amazon Lightsail
Amazon Lightsail (service prefix: lightsail) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service
. -
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM
permission policies.
Topics
Actions defined by Amazon Lightsail
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AllocateStaticIp | Grants permission to create a static IP address that can be attached to an instance | Write | |||
| AttachCertificateToDistribution | Grants permission to attach an SSL/TLS certificate to your Amazon Lightsail content delivery network (CDN) distribution | Write | |||
| AttachDisk | Grants permission to attach a disk to an instance | Write | |||
| AttachInstancesToLoadBalancer | Grants permission to attach one or more instances to a load balancer | Write | |||
| AttachLoadBalancerTlsCertificate | Grants permission to attach a TLS certificate to a load balancer | Write | |||
| AttachStaticIp | Grants permission to attach a static IP address to an instance | Write | |||
| CloseInstancePublicPorts | Grants permission to close a public port of an instance | Write | |||
| CopySnapshot | Grants permission to copy a snapshot from one AWS Region to another in Amazon Lightsail | Write | |||
| CreateBucket | Grants permission to create an Amazon Lightsail bucket | Write | |||
| CreateBucketAccessKey | Grants permission to create a new access key for the specified bucket | Write | |||
| CreateCertificate | Grants permission to create an SSL/TLS certificate | Write |
lightsail:CreateDomainEntry lightsail:GetDomains |
||
| CreateCloudFormationStack | Grants permission to create a new Amazon EC2 instance from an exported Amazon Lightsail snapshot | Write | |||
| CreateContactMethod | Grants permission to create an email or SMS text message contact method | Write | |||
| CreateContainerService | Grants permission to create an Amazon Lightsail container service | Write | |||
| CreateContainerServiceDeployment | Grants permission to create a deployment for your Amazon Lightsail container service | Write | |||
| CreateContainerServiceRegistryLogin | Grants permission to create a temporary set of log in credentials that you can use to log in to the Docker process on your local machine | Write | |||
| CreateDisk | Grants permission to create a disk | Write | |||
| CreateDiskFromSnapshot | Grants permission to create a disk from snapshot | Write | |||
| CreateDiskSnapshot | Grants permission to create a disk snapshot | Write | |||
| CreateDistribution | Grants permission to create an Amazon Lightsail content delivery network (CDN) distribution | Write | |||
| CreateDomain | Grants permission to create a domain resource for the specified domain name | Write |
route53:DeleteHostedZone route53:GetHostedZone route53:ListHostedZonesByName route53domains:GetDomainDetail route53domains:GetOperationDetail route53domains:ListDomains route53domains:ListOperations route53domains:UpdateDomainNameservers |
||
| CreateDomainEntry | Grants permission to create one or more DNS record entries for a domain resource: Address (A), canonical name (CNAME), mail exchanger (MX), name server (NS), start of authority (SOA), service locator (SRV), or text (TXT) | Write | |||
| CreateGUISessionAccessDetails | Grants permission to create URLs that are used to access an instance's graphical user interface (GUI) session | Write | |||
| CreateInstanceSnapshot | Grants permission to create an instance snapshot | Write | |||
| CreateInstances | Grants permission to create one or more instances | Write | |||
| CreateInstancesFromSnapshot | Grants permission to create one or more instances based on an instance snapshot | Write | |||
| CreateKeyPair | Grants permission to create a key pair used to authenticate and connect to an instance | Write | |||
| CreateLoadBalancer | Grants permission to create a load balancer | Write |
lightsail:CreateDomainEntry lightsail:GetDomains |
||
| CreateLoadBalancerTlsCertificate | Grants permission to create a load balancer TLS certificate | Write |
lightsail:CreateDomainEntry lightsail:GetDomains |
||
| CreateRelationalDatabase | Grants permission to create a new relational database | Write | |||
| CreateRelationalDatabaseFromSnapshot | Grants permission to create a new relational database from a snapshot | Write | |||
| CreateRelationalDatabaseSnapshot | Grants permission to create a relational database snapshot | Write | |||
| DeleteAlarm | Grants permission to delete an alarm | Write | |||
| DeleteAutoSnapshot | Grants permission to delete an automatic snapshot of an instance or disk | Write | |||
| DeleteBucket | Grants permission to delete an Amazon Lightsail bucket | Write | |||
| DeleteBucketAccessKey | Grants permission to delete an access key for the specified Amazon Lightsail bucket | Write | |||
| DeleteCertificate | Grants permission to delete an SSL/TLS certificate | Write | |||
| DeleteContactMethod | Grants permission to delete a contact method | Write | |||
| DeleteContainerImage | Grants permission to delete a container image that is registered to your Amazon Lightsail container service | Write | |||
| DeleteContainerService | Grants permission to delete your Amazon Lightsail container service | Write | |||
| DeleteDisk | Grants permission to delete a disk | Write | |||
| DeleteDiskSnapshot | Grants permission to delete a disk snapshot | Write | |||
| DeleteDistribution | Grants permission to delete your Amazon Lightsail content delivery network (CDN) distribution | Write | |||
| DeleteDomain | Grants permission to delete a domain resource and all of its DNS records | Write | |||
| DeleteDomainEntry | Grants permission to delete a DNS record entry for a domain resource | Write | |||
| DeleteInstance | Grants permission to delete an instance | Write | |||
| DeleteInstanceSnapshot | Grants permission to delete an instance snapshot | Write | |||
| DeleteKeyPair | Grants permission to delete a key pair used to authenticate and connect to an instance | Write | |||
| DeleteKnownHostKeys | Grants permission to delete the known host key or certificate used by the Amazon Lightsail browser-based SSH or RDP clients to authenticate an instance | Write | |||
| DeleteLoadBalancer | Grants permission to delete a load balancer | Write | |||
| DeleteLoadBalancerTlsCertificate | Grants permission to delete a load balancer TLS certificate | Write | |||
| DeleteRelationalDatabase | Grants permission to delete a relational database | Write | |||
| DeleteRelationalDatabaseSnapshot | Grants permission to delete a relational database snapshot | Write | |||
| DetachCertificateFromDistribution | Grants permission to detach an SSL/TLS certificate from your Amazon Lightsail content delivery network (CDN) distribution | Write | |||
| DetachDisk | Grants permission to detach a disk from an instance | Write | |||
| DetachInstancesFromLoadBalancer | Grants permission to detach one or more instances from a load balancer | Write | |||
| DetachStaticIp | Grants permission to detach a static IP from an instance to which it is attached | Write | |||
| DisableAddOn | Grants permission to disable an add-on for an Amazon Lightsail resource | Write | |||
| DownloadDefaultKeyPair | Grants permission to download the default key pair used to authenticate and connect to instances in a specific AWS Region | Write | |||
| EnableAddOn | Grants permission to enable or modify an add-on for an Amazon Lightsail resource | Write | |||
| ExportSnapshot | Grants permission to export an Amazon Lightsail snapshot to Amazon EC2 | Write |
iam:CreateServiceLinkedRole iam:PutRolePolicy |
||
| GetActiveNames | Grants permission to get the names of all active (not deleted) resources | Read | |||
| GetAlarms | Grants permission to view information about the configured alarms | Read | |||
| GetAutoSnapshots | Grants permission to view the available automatic snapshots for an instance or disk | Read | |||
| GetBlueprints | Grants permission to get a list of instance images, or blueprints. You can use a blueprint to create a new instance already running a specific operating system, as well as a pre-installed application or development stack. The software that runs on your instance depends on the blueprint you define when creating the instance | Read | |||
| GetBucketAccessKeys | Grants permission to get the existing access key IDs for the specified Amazon Lightsail bucket | Read | |||
| GetBucketBundles | Grants permission to get the bundles that can be applied to an Amazon Lightsail bucket | Read | |||
| GetBucketMetricData | Grants permission to get the data points of a specific metric for an Amazon Lightsail bucket | Read | |||
| GetBuckets | Grants permission to get information about one or more Amazon Lightsail buckets | Read | |||
| GetBundles | Grants permission to get a list of instance bundles. You can use a bundle to create a new instance with a set of performance specifications, such as CPU count, disk size, RAM size, and network transfer allowance. The cost of your instance depends on the bundle you define when creating the instance | Read | |||
| GetCertificates | Grants permission to view information about one or more Amazon Lightsail SSL/TLS certificates | Read | |||
| GetCloudFormationStackRecords | Grants permission to get information about all CloudFormation stacks used to create Amazon EC2 resources from exported Amazon Lightsail snapshots | Read | |||
| GetContactMethods | Grants permission to view information about the configured contact methods | Read | |||
| GetContainerAPIMetadata | Grants permission to view information about Amazon Lightsail containers, such as the current version of the Lightsail Control (lightsailctl) plugin | Read | |||
| GetContainerImages | Grants permission to view the container images that are registered to your Amazon Lightsail container service | Read | |||
| GetContainerLog | Grants permission to view the log events of a container of your Amazon Lightsail container service | Read | |||
| GetContainerServiceDeployments | Grants permission to view the deployments for your Amazon Lightsail container service | Read | |||
| GetContainerServiceMetricData | Grants permission to view the data points of a specific metric of your Amazon Lightsail container service | Read | |||
| GetContainerServicePowers | Grants permission to view the list of powers that can be specified for your Amazon Lightsail container services | Read | |||
| GetContainerServices | Grants permission to view information about one or more of your Amazon Lightsail container services | Read | |||
| GetCostEstimate | Grants permission to get the information about the cost estimate for a specified resource | Read | |||
| GetDisk | Grants permission to get information about a disk | Read | |||
| GetDiskSnapshot | Grants permission to get information about a disk snapshot | Read | |||
| GetDiskSnapshots | Grants permission to get information about all disk snapshots | Read | |||
| GetDisks | Grants permission to get information about all disks | Read | |||
| GetDistributionBundles | Grants permission to view the list of bundles that can be applied to you Amazon Lightsail content delivery network (CDN) distributions | Read | |||
| GetDistributionLatestCacheReset | Grants permission to view the timestamp and status of the last cache reset of a specific Amazon Lightsail content delivery network (CDN) distribution | Read | |||
| GetDistributionMetricData | Grants permission to view the data points of a specific metric for an Amazon Lightsail content delivery network (CDN) distribution | Read | |||
| GetDistributions | Grants permission to view information about one or more of your Amazon Lightsail content delivery network (CDN) distributions | Read | |||
| GetDomain | Grants permission to get DNS records for a domain resource | Read | |||
| GetDomains | Grants permission to get DNS records for all domain resources | Read | |||
| GetExportSnapshotRecords | Grants permission to get information about all records of exported Amazon Lightsail snapshots to Amazon EC2 | Read | |||
| GetInstance | Grants permission to get information about an instance | Read | |||
| GetInstanceAccessDetails | Grants permission to get temporary keys you can use to authenticate and connect to an instance | Write | |||
| GetInstanceMetricData | Grants permission to get the data points for the specified metric of an instance | Read | |||
| GetInstancePortStates | Grants permission to get the port states of an instance | Read | |||
| GetInstanceSnapshot | Grants permission to get information about an instance snapshot | Read | |||
| GetInstanceSnapshots | Grants permission to get information about all instance snapshots | Read | |||
| GetInstanceState | Grants permission to get the state of an instance | Read | |||
| GetInstances | Grants permission to get information about all instances | Read | |||
| GetKeyPair | Grants permission to get information about a key pair | Read | |||
| GetKeyPairs | Grants permission to get information about all key pairs | Read | |||
| GetLoadBalancer | Grants permission to get information about a load balancer | Read | |||
| GetLoadBalancerMetricData | Grants permission to get the data points for the specified metric of a load balancer | Read | |||
| GetLoadBalancerTlsCertificates | Grants permission to get information about a load balancer's TLS certificates | Read | |||
| GetLoadBalancerTlsPolicies | Grants permission to get a list of TLS security policies that you can apply to Lightsail load balancers | Read | |||
| GetLoadBalancers | Grants permission to get information about load balancers | Read | |||
| GetOperation | Grants permission to get information about an operation. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on | Read | |||
| GetOperations | Grants permission to get information about all operations. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on | Read | |||
| GetOperationsForResource | Grants permission to get operations for a resource | Read | |||
| GetRegions | Grants permission to get a list of all valid AWS Regions for Amazon Lightsail | Read | |||
| GetRelationalDatabase | Grants permission to get information about a relational database | Read | |||
| GetRelationalDatabaseBlueprints | Grants permission to get a list of relational database images, or blueprints. You can use a blueprint to create a new database running a specific database engine. The database engine that runs on your database depends on the blueprint you define when creating the relational database | Read | |||
| GetRelationalDatabaseBundles | Grants permission to get a list of relational database bundles. You can use a bundle to create a new database with a set of performance specifications, such as CPU count, disk size, RAM size, network transfer allowance, and standard of high availability. The cost of your database depends on the bundle you define when creating the relational database | Read | |||
| GetRelationalDatabaseEvents | Grants permission to get events for a relational database | Read | |||
| GetRelationalDatabaseLogEvents | Grants permission to get events for the specified log stream of a relational database | Read | |||
| GetRelationalDatabaseLogStreams | Grants permission to get the log streams available for a relational database | Read | |||
| GetRelationalDatabaseMasterUserPassword | Grants permission to get the master user password of a relational database | Write | |||
| GetRelationalDatabaseMetricData | Grants permission to get the data points for the specified metric of a relational database | Read | |||
| GetRelationalDatabaseParameters | Grants permission to get the parameters of a relational database | Read | |||
| GetRelationalDatabaseSnapshot | Grants permission to get information about a relational database snapshot | Read | |||
| GetRelationalDatabaseSnapshots | Grants permission to get information about all relational database snapshots | Read | |||
| GetRelationalDatabases | Grants permission to get information about all relational databases | Read | |||
| GetStaticIp | Grants permission to get information about a static IP | Read | |||
| GetStaticIps | Grants permission to get information about all static IPs | Read | |||
| ImportKeyPair | Grants permission to import a public key from a key pair | Write | |||
| IsVpcPeered | Grants permission to get a boolean value indicating whether the Amazon Lightsail virtual private cloud (VPC) is peered | Read | |||
| OpenInstancePublicPorts | Grants permission to add, or open a public port of an instance | Write | |||
| PeerVpc | Grants permission to try to peer the Amazon Lightsail virtual private cloud (VPC) with the default VPC | Write | |||
| PutAlarm | Grants permission to creates or update an alarm, and associate it with the specified metric | Write | |||
| PutInstancePublicPorts | Grants permission to set the specified open ports for an instance, and closes all ports for every protocol not included in the request | Write | |||
| RebootInstance | Grants permission to reboot an instance that is in a running state | Write | |||
| RebootRelationalDatabase | Grants permission to reboot a relational database that is in a running state | Write | |||
| RegisterContainerImage | Grants permission to register a container image to your Amazon Lightsail container service | Write | |||
| ReleaseStaticIp | Grants permission to delete a static IP | Write | |||
| ResetDistributionCache | Grants permission to delete currently cached content from your Amazon Lightsail content delivery network (CDN) distribution | Write | |||
| SendContactMethodVerification | Grants permission to send a verification request to an email contact method to ensure it's owned by the requester | Write | |||
| SetIpAddressType | Grants permission to set the IP address type for a Amazon Lightsail resource | Write | |||
| SetResourceAccessForBucket | Grants permission to set the Amazon Lightsail resources that can access the specified Amazon Lightsail bucket | Write | |||
| StartGUISession | Grants permission to initiate a graphical user interface (GUI) session used to access an instance's operating system or application | Write | |||
| StartInstance | Grants permission to start an instance that is in a stopped state | Write | |||
| StartRelationalDatabase | Grants permission to start a relational database that is in a stopped state | Write | |||
| StopGUISession | Grants permission to terminate a graphical user interface (GUI) session used to access an instance's operating system or application | Write | |||
| StopInstance | Grants permission to stop an instance that is in a running state | Write | |||
| StopRelationalDatabase | Grants permission to stop a relational database that is in a running state | Write | |||
| TagResource | Grants permission to tag a resource | Tagging | |||
| TestAlarm | Grants permission to test an alarm by displaying a banner on the Amazon Lightsail console or if a notification trigger is configured for the specified alarm, by sending a notification to the notification protocol | Write | |||
| UnpeerVpc | Grants permission to try to unpeer the Amazon Lightsail virtual private cloud (VPC) from the default VPC | Write | |||
| UntagResource | Grants permission to untag a resource | Tagging | |||
| UpdateBucket | Grants permission to update an existing Amazon Lightsail bucket | Write | |||
| UpdateBucketBundle | Grants permission to update the bundle, or storage plan, of an existing Amazon Lightsail bucket | Write | |||
| UpdateContainerService | Grants permission to update the configuration of your Amazon Lightsail container service, such as its power, scale, and public domain names | Write | |||
| UpdateDistribution | Grants permission to update an existing Amazon Lightsail content delivery network (CDN) distribution or its configuration | Write | |||
| UpdateDistributionBundle | Grants permission to update the bundle of your Amazon Lightsail content delivery network (CDN) distribution | Write | |||
| UpdateDomainEntry | Grants permission to update a domain recordset after it is created | Write | |||
| UpdateInstanceMetadataOptions | Grants permission to update metadata options for an instance | Write | |||
| UpdateLoadBalancerAttribute | Grants permission to update a load balancer attribute, such as the health check path and session stickiness | Write | |||
| UpdateRelationalDatabase | Grants permission to update a relational database | Write | |||
| UpdateRelationalDatabaseParameters | Grants permission to update the parameters of a relational database | Write |
Resource types defined by Amazon Lightsail
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| Domain |
arn:${Partition}:lightsail:${Region}:${Account}:Domain/${Id}
|
|
| Instance |
arn:${Partition}:lightsail:${Region}:${Account}:Instance/${Id}
|
|
| InstanceSnapshot |
arn:${Partition}:lightsail:${Region}:${Account}:InstanceSnapshot/${Id}
|
|
| KeyPair |
arn:${Partition}:lightsail:${Region}:${Account}:KeyPair/${Id}
|
|
| StaticIp |
arn:${Partition}:lightsail:${Region}:${Account}:StaticIp/${Id}
|
|
| Disk |
arn:${Partition}:lightsail:${Region}:${Account}:Disk/${Id}
|
|
| DiskSnapshot |
arn:${Partition}:lightsail:${Region}:${Account}:DiskSnapshot/${Id}
|
|
| LoadBalancer |
arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancer/${Id}
|
|
| LoadBalancerTlsCertificate |
arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancerTlsCertificate/${Id}
|
|
| ExportSnapshotRecord |
arn:${Partition}:lightsail:${Region}:${Account}:ExportSnapshotRecord/${Id}
|
|
| CloudFormationStackRecord |
arn:${Partition}:lightsail:${Region}:${Account}:CloudFormationStackRecord/${Id}
|
|
| RelationalDatabase |
arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabase/${Id}
|
|
| RelationalDatabaseSnapshot |
arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabaseSnapshot/${Id}
|
|
| Alarm |
arn:${Partition}:lightsail:${Region}:${Account}:Alarm/${Id}
|
|
| Certificate |
arn:${Partition}:lightsail:${Region}:${Account}:Certificate/${Id}
|
|
| ContactMethod |
arn:${Partition}:lightsail:${Region}:${Account}:ContactMethod/${Id}
|
|
| ContainerService |
arn:${Partition}:lightsail:${Region}:${Account}:ContainerService/${Id}
|
|
| Distribution |
arn:${Partition}:lightsail:${Region}:${Account}:Distribution/${Id}
|
|
| Bucket |
arn:${Partition}:lightsail:${Region}:${Account}:Bucket/${Id}
|
Condition keys for Amazon Lightsail
Amazon Lightsail defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by a tag key and value pair that is allowed in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair of a resource | String |
| aws:TagKeys | Filters access by a list of tag keys that are allowed in the request | ArrayOfString |
