Actions, resources, and condition keys for Amazon Lightsail
Amazon Lightsail (service prefix: lightsail) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service
. -
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM
permission policies.
Topics
Actions defined by Amazon Lightsail
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AllocateStaticIp | Creates a static IP address that can be attached to an instance. | Write | |||
| AttachDisk | Attaches a disk to an instance. | Write | |||
| AttachInstancesToLoadBalancer | Attaches one or more instances to a load balancer. | Write | |||
| AttachLoadBalancerTlsCertificate | Attaches a TLS certificate to a load balancer. | Write | |||
| AttachStaticIp | Attaches a static IP address to an instance. | Write | |||
| CloseInstancePublicPorts | Closes a public port of an instance. | Write | |||
| CopySnapshot | Copies a snapshot from one AWS Region to another in Amazon Lightsail. | Write | |||
| CreateCloudFormationStack | Creates a new Amazon EC2 instance from an exported Amazon Lightsail snapshot. | Write | |||
| CreateDisk | Creates a disk. | Write | |||
| CreateDiskFromSnapshot | Creates a disk from snapshot. | Write | |||
| CreateDiskSnapshot | Creates a disk snapshot. | Write | |||
| CreateDomain | Creates a domain resource for the specified domain name. | Write | |||
| CreateDomainEntry | Creates one or more DNS record entries for a domain resource: Address (A), canonical name (CNAME), mail exchanger (MX), name server (NS), start of authority (SOA), service locator (SRV), or text (TXT). | Write | |||
| CreateInstanceSnapshot | Creates an instance snapshot. | Write | |||
| CreateInstances | Creates one or more instances. | Write | |||
| CreateInstancesFromSnapshot | Creates one or more instances based on an instance snapshot. | Write | |||
| CreateKeyPair | Creates a key pair used to authenticate and connect to an instance. | Write | |||
| CreateLoadBalancer | Creates a load balancer. | Write | |||
| CreateLoadBalancerTlsCertificate | Creates a load balancer TLS certificate. | Write | |||
| CreateRelationalDatabase | Creates a new relational database. | Write | |||
| CreateRelationalDatabaseFromSnapshot | Creates a new relational database from a snapshot. | Write | |||
| CreateRelationalDatabaseSnapshot | Creates a relational database snapshot. | Write | |||
| DeleteDisk | Deletes a disk. | Write | |||
| DeleteDiskSnapshot | Deletes a disk snapshot. | Write | |||
| DeleteDomain | Deletes a domain resource and all of its DNS records. | Write | |||
| DeleteDomainEntry | Deletes a DNS record entry for a domain resource. | Write | |||
| DeleteInstance | Deletes an instance. | Write | |||
| DeleteInstanceSnapshot | Deletes an instance snapshot. | Write | |||
| DeleteKeyPair | Deletes a key pair used to authenticate and connect to an instance. | Write | |||
| DeleteKnownHostKeys | Deletes the known host key or certificate used by the Amazon Lightsail browser-based SSH or RDP clients to authenticate an instance. | Write | |||
| DeleteLoadBalancer | Deletes a load balancer. | Write | |||
| DeleteLoadBalancerTlsCertificate | Deletes a load balancer TLS certificate. | Write | |||
| DeleteRelationalDatabase | Deletes a relational database. | Write | |||
| DeleteRelationalDatabaseSnapshot | Deletes relational database snapshot. | Write | |||
| DetachDisk | Detaches a disk from an instance. | Write | |||
| DetachInstancesFromLoadBalancer | Detaches one or more instances from a load balancer. | Write | |||
| DetachStaticIp | Detaches a static IP from an instance to which it is attached. | Write | |||
| DownloadDefaultKeyPair | Downloads the default key pair used to authenticate and connect to instances in a specific AWS Region. | Write | |||
| ExportSnapshot | Exports an Amazon Lightsail snapshot to Amazon EC2. | Write | |||
| GetActiveNames | Returns the names of all active (not deleted) resources. | Read | |||
| GetBlueprints | Returns a list of instance images, or blueprints. You can use a blueprint to create a new instance already running a specific operating system, as well as a pre-installed application or development stack. The software that runs on your instance depends on the blueprint you define when creating the instance. | List | |||
| GetBundles | Returns a list of instance bundles. You can use a bundle to create a new instance with a set of performance specifications, such as CPU count, disk size, RAM size, and network transfer allowance. The cost of your instance depends on the bundle you define when creating the instance. | List | |||
| GetCloudFormationStackRecords | Returns information about all CloudFormation stacks used to create Amazon EC2 resources from exported Amazon Lightsail snapshots. | List | |||
| GetDisk | Returns information about a disk. | Read | |||
| GetDiskSnapshot | Returns information about a disk snapshot. | Read | |||
| GetDiskSnapshots | Returns information about all disk snapshots. | List | |||
| GetDisks | Returns information about all disks. | List | |||
| GetDomain | Returns DNS records for a domain resource. | Read | |||
| GetDomains | Returns DNS records for all domain resources. | Read | |||
| GetExportSnapshotRecords | Returns information about all records to export Amazon Lightsail snapshots to Amazon EC2. | List | |||
| GetInstance | Returns information about an instance. | Read | |||
| GetInstanceAccessDetails | Returns temporary keys you can use to authenticate and connect to an instance. | Write | |||
| GetInstanceMetricData | Returns the data points for the specified metric of an instance. | Read | |||
| GetInstancePortStates | Returns the port states of an instance. | Read | |||
| GetInstanceSnapshot | Returns information about an instance snapshot. | Read | |||
| GetInstanceSnapshots | Returns information about all instance snapshots. | List | |||
| GetInstanceState | Returns the state of an instance. | Read | |||
| GetInstances | Returns information about all instances. | Read | |||
| GetKeyPair | Returns information about a key pair. | List | |||
| GetKeyPairs | Returns information about all key pairs. | Read | |||
| GetLoadBalancer | Returns information about a load balancer. | Read | |||
| GetLoadBalancerMetricData | Returns the data points for the specified metric of a load balancer. | Read | |||
| GetLoadBalancerTlsCertificates | Returns information about a load balancer TLS certificate. | Read | |||
| GetLoadBalancers | Returns information about load balancers. | Read | |||
| GetOperation | Returns information about an operation. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on. | Read | |||
| GetOperations | Returns information about all operations. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on. | Read | |||
| GetOperationsForResource | Returns operations for a resource. | Read | |||
| GetRegions | Returns a list of all valid AWS Regions for Amazon Lightsail. | List | |||
| GetRelationalDatabase | Returns information about a relational database. | List | |||
| GetRelationalDatabaseBlueprints | Returns a list of relational database images, or blueprints. You can use a blueprint to create a new database running a specific database engine. The database engine that runs on your database depends on the blueprint you define when creating the relational database. | List | |||
| GetRelationalDatabaseBundles | Returns a list of relational database bundles. You can use a bundle to create a new database with a set of performance specifications, such as CPU count, disk size, RAM size, network transfer allowance, and standard of high availability. The cost of your database depends on the bundle you define when creating the relational database. | List | |||
| GetRelationalDatabaseEvents | Returns events for a relational database. | Read | |||
| GetRelationalDatabaseLogEvents | Returns events for the specified log stream of a relational database. | Read | |||
| GetRelationalDatabaseLogStreams | Returns the log streams available for a relational database. | Read | |||
| GetRelationalDatabaseMasterUserPassword | Returns the master user password of a relational database. | Write | |||
| GetRelationalDatabaseMetricData | Returns the data points for the specified metric of a relational database. | Read | |||
| GetRelationalDatabaseParameters | Returns the parameters of a relational database. | List | |||
| GetRelationalDatabaseSnapshot | Returns information about a relational database snapshot. | List | |||
| GetRelationalDatabaseSnapshots | Returns information about all relational database snapshots. | List | |||
| GetRelationalDatabases | Return information about all relational databases. | Read | |||
| GetStaticIp | Returns information about a static IP. | Read | |||
| GetStaticIps | Returns information about all static IPs. | Read | |||
| ImportKeyPair | Imports a public key from a key pair. | Write | |||
| IsVpcPeered | Returns a boolean value indicating whether the Amazon Lightsail virtual private cloud (VPC) is peered. | Read | |||
| OpenInstancePublicPorts | Adds, or opens a public port of an instance. | Write | |||
| PeerVpc | Tries to peer the Amazon Lightsail virtual private cloud (VPC) with the default VPC. | Write | |||
| PutInstancePublicPorts | Sets the specified open ports for an instance, and closes all ports for every protocol not included in the request. | Write | |||
| RebootInstance | Reboots an instance that is in a running state. | Write | |||
| RebootRelationalDatabase | Reboots a relational database that is in a running state. | Write | |||
| ReleaseStaticIp | Deletes a static IP. | Write | |||
| StartInstance | Starts an instance that is in a stopped state. | Write | |||
| StartRelationalDatabase | Starts a relational database that is in a stopped state. | Write | |||
| StopInstance | Stops an instance that is in a running state. | Write | |||
| StopRelationalDatabase | Stops a relational database that is in a running state. | Write | |||
| TagResource | Tags a resource. | Write | |||
| UnpeerVpc | Attempts to unpeer the Amazon Lightsail virtual private cloud (VPC) from the default VPC. | Write | |||
| UntagResource | Untags a resource. | Write | |||
| UpdateDomainEntry | Updates a domain recordset after it is created. | Write | |||
| UpdateLoadBalancerAttribute | Updates a load balancer attribute, such as the health check path and session stickiness. | Write | |||
| UpdateRelationalDatabase | Updates a relational database. | Write | |||
| UpdateRelationalDatabaseParameters | Updates the parameters of a relational database. | Write |
Resource types defined by Amazon Lightsail
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| Domain |
arn:${Partition}:lightsail:${Region}:${Account}:Domain/${Id}
|
|
| Instance |
arn:${Partition}:lightsail:${Region}:${Account}:Instance/${Id}
|
|
| InstanceSnapshot |
arn:${Partition}:lightsail:${Region}:${Account}:InstanceSnapshot/${Id}
|
|
| KeyPair |
arn:${Partition}:lightsail:${Region}:${Account}:KeyPair/${Id}
|
|
| StaticIp |
arn:${Partition}:lightsail:${Region}:${Account}:StaticIp/${Id}
|
|
| Disk |
arn:${Partition}:lightsail:${Region}:${Account}:Disk/${Id}
|
|
| DiskSnapshot |
arn:${Partition}:lightsail:${Region}:${Account}:DiskSnapshot/${Id}
|
|
| LoadBalancer |
arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancer/${Id}
|
|
| PeeredVpc |
arn:${Partition}:lightsail:${Region}:${Account}:PeeredVpc/${Id}
|
|
| LoadBalancerTlsCertificate |
arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancerTlsCertificate/${Id}
|
|
| ExportSnapshotRecord |
arn:${Partition}:lightsail:${Region}:${Account}:ExportSnapshotRecord/${Id}
|
|
| CloudFormationStackRecord |
arn:${Partition}:lightsail:${Region}:${Account}:CloudFormationStackRecord/${Id}
|
|
| RelationalDatabase |
arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabase/${Id}
|
|
| RelationalDatabaseSnapshot |
arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabaseSnapshot/${Id}
|
Condition keys for Amazon Lightsail
Amazon Lightsail defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the
following table, see The condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
