Actions, resources, and condition keys for Amazon Lightsail - Service Authorization Reference

Amazon Lightsail (service prefix: lightsail) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Lightsail

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AllocateStaticIp Grants permission to create a static IP address that can be attached to an instance Write
AttachCertificateToDistribution Grants permission to attach an SSL/TLS certificate to your Amazon Lightsail content delivery network (CDN) distribution Write

Certificate*

Distribution*

AttachDisk Grants permission to attach a disk to an instance Write

Disk*

AttachInstancesToLoadBalancer Grants permission to attach one or more instances to a load balancer Write

LoadBalancer*

AttachLoadBalancerTlsCertificate Grants permission to attach a TLS certificate to a load balancer Write

LoadBalancer*

AttachStaticIp Grants permission to attach a static IP address to an instance Write

Instance*

StaticIp*

CloseInstancePublicPorts Grants permission to close a public port of an instance Write

Instance*

CopySnapshot Grants permission to copy a snapshot from one AWS Region to another in Amazon Lightsail Write
CreateBucket Grants permission to create an Amazon Lightsail bucket Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateBucketAccessKey Grants permission to create a new access key for the specified bucket Write

Bucket*

CreateCertificate Grants permission to create an SSL/TLS certificate Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCloudFormationStack Grants permission to create a new Amazon EC2 instance from an exported Amazon Lightsail snapshot Write
CreateContactMethod Grants permission to create an email or SMS text message contact method Write
CreateContainerService Grants permission to create an Amazon Lightsail container service Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateContainerServiceDeployment Grants permission to create a deployment for your Amazon Lightsail container service Write

ContainerService*

CreateContainerServiceRegistryLogin Grants permission to create a temporary set of login credentials that you can use to log in to the Docker process on your local machine Write
CreateDisk Grants permission to create a disk Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDiskFromSnapshot Grants permission to create a disk from a snapshot Write

DiskSnapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDiskSnapshot Grants permission to create a disk snapshot Write

Disk

Instance

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDistribution Grants permission to create an Amazon Lightsail content delivery network (CDN) distribution Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDomain Grants permission to create a domain resource for the specified domain name Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDomainEntry Grants permission to create one or more DNS record entries for a domain resource: Address (A), canonical name (CNAME), mail exchanger (MX), name server (NS), start of authority (SOA), service locator (SRV), or text (TXT) Write

Domain*

CreateInstanceSnapshot Grants permission to create an instance snapshot Write

Instance*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateInstances Grants permission to create one or more instances Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateInstancesFromSnapshot Grants permission to create one or more instances based on an instance snapshot Write

InstanceSnapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateKeyPair Grants permission to create a key pair used to authenticate and connect to an instance Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLoadBalancer Grants permission to create a load balancer Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLoadBalancerTlsCertificate Grants permission to create a load balancer TLS certificate Write

LoadBalancer*

CreateRelationalDatabase Grants permission to create a new relational database Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateRelationalDatabaseFromSnapshot Grants permission to create a new relational database from a snapshot Write

RelationalDatabaseSnapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateRelationalDatabaseSnapshot Grants permission to create a relational database snapshot Write

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAlarm Grants permission to delete an alarm Write

Alarm*

DeleteAutoSnapshot Grants permission to delete an automatic snapshot of an instance or disk Write
DeleteBucket Grants permission to delete an Amazon Lightsail bucket Write

Bucket*

DeleteBucketAccessKey Grants permission to delete an access key for the specified Amazon Lightsail bucket Write

Bucket*

DeleteCertificate Grants permission to delete an SSL/TLS certificate Write

Certificate*

DeleteContactMethod Grants permission to delete a contact method Write
DeleteContainerImage Grants permission to delete a container image that is registered to your Amazon Lightsail container service Write

ContainerService*

DeleteContainerService Grants permission to delete your Amazon Lightsail container service Write

ContainerService*

DeleteDisk Grants permission to delete a disk Write

Disk*

DeleteDiskSnapshot Grants permission to delete a disk snapshot Write

DiskSnapshot*

DeleteDistribution Grants permission to delete your Amazon Lightsail content delivery network (CDN) distribution Write

Distribution*

DeleteDomain Grants permission to delete a domain resource and all of its DNS records Write

Domain*

DeleteDomainEntry Grants permission to delete a DNS record entry for a domain resource Write

Domain*

DeleteInstance Grants permission to delete an instance Write

Instance*

DeleteInstanceSnapshot Grants permission to delete an instance snapshot Write

InstanceSnapshot*

DeleteKeyPair Grants permission to delete a key pair used to authenticate and connect to an instance Write

KeyPair*

DeleteKnownHostKeys Grants permission to delete the known host key or certificate used by the Amazon Lightsail browser-based SSH or RDP clients to authenticate an instance Write

Instance*

DeleteLoadBalancer Grants permission to delete a load balancer Write

LoadBalancer*

DeleteLoadBalancerTlsCertificate Grants permission to delete a load balancer TLS certificate Write

LoadBalancer*

DeleteRelationalDatabase Grants permission to delete a relational database Write

RelationalDatabase*

DeleteRelationalDatabaseSnapshot Grants permission to delete a relational database snapshot Write

RelationalDatabaseSnapshot*

DetachCertificateFromDistribution Grants permission to detach an SSL/TLS certificate from your Amazon Lightsail content delivery network (CDN) distribution Write

Distribution*

DetachDisk Grants permission to detach a disk from an instance Write

Disk*

DetachInstancesFromLoadBalancer Grants permission to detach one or more instances from a load balancer Write

LoadBalancer*

DetachStaticIp Grants permission to detach a static IP from an instance to which it is attached Write

StaticIp*

DisableAddOn Grants permission to disable an add-on for an Amazon Lightsail resource Write
DownloadDefaultKeyPair Grants permission to download the default key pair used to authenticate and connect to instances in a specific AWS Region Write
EnableAddOn Grants permission to enable or modify an add-on for an Amazon Lightsail resource Write
ExportSnapshot Grants permission to export an Amazon Lightsail snapshot to Amazon EC2 Write

DiskSnapshot

InstanceSnapshot

Dependent actions: iam:CreateServiceLinkedRole, iam:PutRolePolicy

GetActiveNames Grants permission to get the names of all active (not deleted) resources Read
GetAlarms Grants permission to view information about the configured alarms Read
GetAutoSnapshots Grants permission to view the available automatic snapshots for an instance or disk Read
GetBlueprints Grants permission to get a list of instance images, or blueprints. You can use a blueprint to create a new instance already running a specific operating system, as well as a pre-installed application or development stack. The software that runs on your instance depends on the blueprint you define when creating the instance Read
GetBucketAccessKeys Grants permission to get the existing access key IDs for the specified Amazon Lightsail bucket Read
GetBucketBundles Grants permission to get the bundles that can be applied to an Amazon Lightsail bucket Read
GetBucketMetricData Grants permission to get the data points of a specific metric for an Amazon Lightsail bucket Read
GetBuckets Grants permission to get information about one or more Amazon Lightsail buckets Read
GetBundles Grants permission to get a list of instance bundles. You can use a bundle to create a new instance with a set of performance specifications, such as CPU count, disk size, RAM size, and network transfer allowance. The cost of your instance depends on the bundle you define when creating the instance Read
GetCertificates Grants permission to view information about one or more Amazon Lightsail SSL/TLS certificates Read
GetCloudFormationStackRecords Grants permission to get information about all CloudFormation stacks used to create Amazon EC2 resources from exported Amazon Lightsail snapshots Read
GetContactMethods Grants permission to view information about the configured contact methods Read
GetContainerAPIMetadata Grants permission to view information about Amazon Lightsail containers, such as the current version of the Lightsail Control (lightsailctl) plugin Read
GetContainerImages Grants permission to view the container images that are registered to your Amazon Lightsail container service Read
GetContainerLog Grants permission to view the log events of a container of your Amazon Lightsail container service Read
GetContainerServiceDeployments Grants permission to view the deployments for your Amazon Lightsail container service Read
GetContainerServiceMetricData Grants permission to view the data points of a specific metric of your Amazon Lightsail container service Read
GetContainerServicePowers Grants permission to view the list of powers that can be specified for your Amazon Lightsail container services Read
GetContainerServices Grants permission to view information about one or more of your Amazon Lightsail container services Read
GetDisk Grants permission to get information about a disk Read
GetDiskSnapshot Grants permission to get information about a disk snapshot Read
GetDiskSnapshots Grants permission to get information about all disk snapshots Read
GetDisks Grants permission to get information about all disks Read
GetDistributionBundles Grants permission to view the list of bundles that can be applied to your Amazon Lightsail content delivery network (CDN) distributions Read
GetDistributionLatestCacheReset Grants permission to view the timestamp and status of the last cache reset of a specific Amazon Lightsail content delivery network (CDN) distribution Read
GetDistributionMetricData Grants permission to view the data points of a specific metric for an Amazon Lightsail content delivery network (CDN) distribution Read
GetDistributions Grants permission to view information about one or more of your Amazon Lightsail content delivery network (CDN) distributions Read
GetDomain Grants permission to get DNS records for a domain resource Read
GetDomains Grants permission to get DNS records for all domain resources Read
GetExportSnapshotRecords Grants permission to get information about all records of exported Amazon Lightsail snapshots to Amazon EC2 Read
GetInstance Grants permission to get information about an instance Read
GetInstanceAccessDetails Grants permission to get temporary keys you can use to authenticate and connect to an instance Write

Instance*

GetInstanceMetricData Grants permission to get the data points for the specified metric of an instance Read
GetInstancePortStates Grants permission to get the port states of an instance Read
GetInstanceSnapshot Grants permission to get information about an instance snapshot Read
GetInstanceSnapshots Grants permission to get information about all instance snapshots Read
GetInstanceState Grants permission to get the state of an instance Read
GetInstances Grants permission to get information about all instances Read
GetKeyPair Grants permission to get information about a key pair Read
GetKeyPairs Grants permission to get information about all key pairs Read
GetLoadBalancer Grants permission to get information about a load balancer Read
GetLoadBalancerMetricData Grants permission to get the data points for the specified metric of a load balancer Read
GetLoadBalancerTlsCertificates Grants permission to get information about a load balancer's TLS certificates Read
GetLoadBalancerTlsPolicies Grants permission to get a list of TLS security policies that you can apply to Lightsail load balancers Read
GetLoadBalancers Grants permission to get information about load balancers Read
GetOperation Grants permission to get information about an operation. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on Read
GetOperations Grants permission to get information about all operations. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on Read
GetOperationsForResource Grants permission to get operations for a resource Read
GetRegions Grants permission to get a list of all valid AWS Regions for Amazon Lightsail Read
GetRelationalDatabase Grants permission to get information about a relational database Read
GetRelationalDatabaseBlueprints Grants permission to get a list of relational database images, or blueprints. You can use a blueprint to create a new database running a specific database engine. The database engine that runs on your database depends on the blueprint you define when creating the relational database Read
GetRelationalDatabaseBundles Grants permission to get a list of relational database bundles. You can use a bundle to create a new database with a set of performance specifications, such as CPU count, disk size, RAM size, network transfer allowance, and standard of high availability. The cost of your database depends on the bundle you define when creating the relational database Read
GetRelationalDatabaseEvents Grants permission to get events for a relational database Read
GetRelationalDatabaseLogEvents Grants permission to get events for the specified log stream of a relational database Read
GetRelationalDatabaseLogStreams Grants permission to get the log streams available for a relational database Read
GetRelationalDatabaseMasterUserPassword Grants permission to get the master user password of a relational database Write

RelationalDatabase*

GetRelationalDatabaseMetricData Grants permission to get the data points for the specified metric of a relational database Read
GetRelationalDatabaseParameters Grants permission to get the parameters of a relational database Read
GetRelationalDatabaseSnapshot Grants permission to get information about a relational database snapshot Read
GetRelationalDatabaseSnapshots Grants permission to get information about all relational database snapshots Read
GetRelationalDatabases Grants permission to get information about all relational databases Read
GetStaticIp Grants permission to get information about a static IP Read
GetStaticIps Grants permission to get information about all static IPs Read
ImportKeyPair Grants permission to import a public key from a key pair Write
IsVpcPeered Grants permission to get a boolean value indicating whether the Amazon Lightsail virtual private cloud (VPC) is peered Read
OpenInstancePublicPorts Grants permission to add, or open, a public port of an instance Write

Instance*

PeerVpc Grants permission to try to peer the Amazon Lightsail virtual private cloud (VPC) with the default VPC Write
PutAlarm Grants permission to create or update an alarm, and associate it with the specified metric Write

Alarm*

PutInstancePublicPorts Grants permission to set the specified open ports for an instance, and close all ports for every protocol not included in the request Write

Instance*

RebootInstance Grants permission to reboot an instance that is in a running state Write

Instance*

RebootRelationalDatabase Grants permission to reboot a relational database that is in a running state Write

RelationalDatabase*

RegisterContainerImage Grants permission to register a container image to your Amazon Lightsail container service Write

ContainerService*

ReleaseStaticIp Grants permission to delete a static IP Write

StaticIp*

ResetDistributionCache Grants permission to delete currently cached content from your Amazon Lightsail content delivery network (CDN) distribution Write

Distribution*

SendContactMethodVerification Grants permission to send a verification request to an email contact method to ensure it's owned by the requester Write
SetIpAddressType Grants permission to set the IP address type for an Amazon Lightsail resource Write

Distribution

Instance

LoadBalancer

SetResourceAccessForBucket Grants permission to set the Amazon Lightsail resources that can access the specified Amazon Lightsail bucket Write

Bucket*

Instance*

StartInstance Grants permission to start an instance that is in a stopped state Write

Instance*

StartRelationalDatabase Grants permission to start a relational database that is in a stopped state Write

RelationalDatabase*

StopInstance Grants permission to stop an instance that is in a running state Write

Instance*

StopRelationalDatabase Grants permission to stop a relational database that is in a running state Write

RelationalDatabase*

TagResource Grants permission to tag a resource Tagging

Bucket

Certificate

ContainerService

Disk

DiskSnapshot

Distribution

Domain

Instance

InstanceSnapshot

KeyPair

LoadBalancer

RelationalDatabase

RelationalDatabaseSnapshot

StaticIp

aws:RequestTag/${TagKey}

aws:TagKeys

TestAlarm Grants permission to test an alarm by displaying a banner on the Amazon Lightsail console or, if a notification trigger is configured for the specified alarm, by sending a notification to the notification protocol Write

Alarm*

UnpeerVpc Grants permission to try to unpeer the Amazon Lightsail virtual private cloud (VPC) from the default VPC Write
UntagResource Grants permission to untag a resource Tagging

Bucket

Certificate

ContainerService

Disk

DiskSnapshot

Distribution

Domain

Instance

InstanceSnapshot

KeyPair

LoadBalancer

RelationalDatabase

RelationalDatabaseSnapshot

StaticIp

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateBucket Grants permission to update an existing Amazon Lightsail bucket Write

Bucket*

UpdateBucketBundle Grants permission to update the bundle, or storage plan, of an existing Amazon Lightsail bucket Write

Bucket*

UpdateContainerService Grants permission to update the configuration of your Amazon Lightsail container service, such as its power, scale, and public domain names Write

ContainerService*

UpdateDistribution Grants permission to update an existing Amazon Lightsail content delivery network (CDN) distribution or its configuration Write

Distribution*

UpdateDistributionBundle Grants permission to update the bundle of your Amazon Lightsail content delivery network (CDN) distribution Write

Distribution*

UpdateDomainEntry Grants permission to update a domain recordset after it is created Write

Domain*

UpdateInstanceMetadataOptions Grants permission to update metadata options for an instance Write

Instance*

UpdateLoadBalancerAttribute Grants permission to update a load balancer attribute, such as the health check path and session stickiness Write

LoadBalancer*

UpdateRelationalDatabase Grants permission to update a relational database Write

RelationalDatabase*

UpdateRelationalDatabaseParameters Grants permission to update the parameters of a relational database Write

RelationalDatabase*

Resource types defined by Amazon Lightsail

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
Domain arn:${Partition}:lightsail:${Region}:${Account}:Domain/${Id}

aws:ResourceTag/${TagKey}

Instance arn:${Partition}:lightsail:${Region}:${Account}:Instance/${Id}

aws:ResourceTag/${TagKey}

InstanceSnapshot arn:${Partition}:lightsail:${Region}:${Account}:InstanceSnapshot/${Id}

aws:ResourceTag/${TagKey}

KeyPair arn:${Partition}:lightsail:${Region}:${Account}:KeyPair/${Id}

aws:ResourceTag/${TagKey}

StaticIp arn:${Partition}:lightsail:${Region}:${Account}:StaticIp/${Id}

aws:ResourceTag/${TagKey}

Disk arn:${Partition}:lightsail:${Region}:${Account}:Disk/${Id}

aws:ResourceTag/${TagKey}

DiskSnapshot arn:${Partition}:lightsail:${Region}:${Account}:DiskSnapshot/${Id}

aws:ResourceTag/${TagKey}

LoadBalancer arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancer/${Id}

aws:ResourceTag/${TagKey}

LoadBalancerTlsCertificate arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancerTlsCertificate/${Id}
ExportSnapshotRecord arn:${Partition}:lightsail:${Region}:${Account}:ExportSnapshotRecord/${Id}
CloudFormationStackRecord arn:${Partition}:lightsail:${Region}:${Account}:CloudFormationStackRecord/${Id}
RelationalDatabase arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabase/${Id}

aws:ResourceTag/${TagKey}

RelationalDatabaseSnapshot arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabaseSnapshot/${Id}

aws:ResourceTag/${TagKey}

Alarm arn:${Partition}:lightsail:${Region}:${Account}:Alarm/${Id}
Certificate arn:${Partition}:lightsail:${Region}:${Account}:Certificate/${Id}

aws:ResourceTag/${TagKey}

ContactMethod arn:${Partition}:lightsail:${Region}:${Account}:ContactMethod/${Id}
ContainerService arn:${Partition}:lightsail:${Region}:${Account}:ContainerService/${Id}

aws:ResourceTag/${TagKey}

Distribution arn:${Partition}:lightsail:${Region}:${Account}:Distribution/${Id}

aws:ResourceTag/${TagKey}

Bucket arn:${Partition}:lightsail:${Region}:${Account}:Bucket/${Id}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Lightsail

Amazon Lightsail defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by a tag key and value pair that is allowed in the request String
aws:ResourceTag/${TagKey} Filters access by a tag key and value pair of a resource String
aws:TagKeys Filters access by a list of tag keys that are allowed in the request ArrayOfString
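As an added example (not part of the AWS reference), a small Python lint that applies the rules stated in the Actions and Resource types sections above to a policy statement: it expands action wildcards against a hand-copied subset of the actions table, checks statement ARNs against the ARN formats in the resource types table, and flags the two Get* calls this page classes as Write (GetInstanceAccessDetails and GetRelationalDatabaseMasterUserPassword both return credentials) when a read-only wildcard sweeps them in. The sample policy, account id and region are constructed placeholders, and the ACTIONS subset is assumed to be copied faithfully from the table.

```python
import fnmatch

# Hand-copied subset of this page's actions table (assumption: only the rows
# used here). Value: (access level, resource types; trailing "*" = required).
ACTIONS = {
    "GetInstances": ("Read", ()),
    "GetInstanceAccessDetails": ("Write", ("Instance*",)),
    "GetRelationalDatabaseMasterUserPassword": ("Write", ("RelationalDatabase*",)),
    "StartInstance": ("Write", ("Instance*",)),
    "StopInstance": ("Write", ("Instance*",)),
    "CreateInstances": ("Write", ()),
}

def expand_actions(patterns):
    """Map each 'lightsail:<glob>' pattern to the table actions it matches
    (IAM compares action names case-insensitively, so match lower-cased)."""
    out = {}
    for pat in patterns:
        svc, _, glob = pat.partition(":")
        if svc.lower() in ("lightsail", "*"):
            out[pat] = sorted(a for a in ACTIONS
                              if fnmatch.fnmatchcase(a.lower(), glob.lower()))
    return out

def arn_resource_type(resource):
    """'arn:aws:lightsail:us-east-1:111122223333:Instance/x' -> 'Instance'; '*' -> None."""
    if resource == "*":
        return None
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[2] != "lightsail":
        raise ValueError(f"not a Lightsail ARN: {resource}")
    return parts[5].split("/", 1)[0]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_statement(stmt):
    """Return findings (strings) for one Allow statement; [] when clean."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid", "?")
    types = {arn_resource_type(r) for r in _as_list(stmt["Resource"])}
    for pat, matched in expand_actions(_as_list(stmt["Action"])).items():
        for name in matched:
            level, rtypes = ACTIONS[name]
            # The table classes credential-returning Get* calls as Write; a
            # "read-only" Get* wildcard grants them all the same.
            if "*" in pat and name.startswith("Get") and level == "Write":
                findings.append(f"{sid}: {pat} also grants {name} (access level Write)")
            # No resource type in the table: only Resource "*" ever matches.
            if not rtypes and None not in types:
                findings.append(f"{sid}: {name} has no resource type; needs Resource \"*\"")
            # A required resource type must agree with the ARNs in the statement.
            required = {t.rstrip("*") for t in rtypes if t.endswith("*")}
            if required and None not in types and not (required & types):
                findings.append(f"{sid}: {name} requires {sorted(required)} ARN, got {sorted(types)}")
    return findings

def lint_policy(policy):
    return [f for s in policy["Statement"] for f in lint_statement(s)]

# Constructed sample policy; the account id and region are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": "lightsail:Get*", "Resource": "*"},
        {"Sid": "DevOps", "Effect": "Allow",
         "Action": ["lightsail:StartInstance", "lightsail:StopInstance", "lightsail:CreateInstances"],
         "Resource": "arn:aws:lightsail:us-east-1:111122223333:Instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/env": "dev"}}},
    ],
}
```

Running `lint_policy(POLICY)` reports the two credential-returning actions swept in by `lightsail:Get*` and that CreateInstances, which has no resource type, never applies under an Instance ARN; the fix is an explicit Deny for those two actions and a separate statement with Resource "*" for CreateInstances.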