Actions, resources, and condition keys for Amazon VPC Lattice

Amazon VPC Lattice (service prefix: vpc-lattice) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon VPC Lattice
Resource types defined by Amazon VPC Lattice
Condition keys for Amazon VPC Lattice

Actions defined by Amazon VPC Lattice

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
CreateAccessLogSubscription	Grants permission to create an access log subscription	Write	AccessLogSubscription*		logs:CreateLogDelivery logs:GetLogDelivery
CreateAccessLogSubscription	Grants permission to create an access log subscription	Write		aws:TagKeys aws:RequestTag/${TagKey}
CreateListener	Grants permission to create a listener	Write	Listener*
CreateListener	Grants permission to create a listener	Write		vpc-lattice:Protocol vpc-lattice:TargetGroupArns aws:TagKeys aws:RequestTag/${TagKey}
CreateRule	Grants permission to create a rule	Write	Rule*
CreateRule	Grants permission to create a rule	Write		vpc-lattice:TargetGroupArns aws:TagKeys aws:RequestTag/${TagKey}
CreateService	Grants permission to create a service	Write	Service*		iam:CreateServiceLinkedRole
CreateService	Grants permission to create a service	Write		vpc-lattice:AuthType aws:TagKeys aws:RequestTag/${TagKey}
CreateServiceNetwork	Grants permission to create a service network	Write	ServiceNetwork*		iam:CreateServiceLinkedRole
CreateServiceNetwork	Grants permission to create a service network	Write		vpc-lattice:AuthType aws:TagKeys aws:RequestTag/${TagKey}
CreateServiceNetworkServiceAssociation	Grants permission to create a service network and service association	Write	Service*
			ServiceNetwork*
			ServiceNetworkServiceAssociation*
				vpc-lattice:ServiceNetworkArn vpc-lattice:ServiceArn aws:TagKeys aws:RequestTag/${TagKey}
CreateServiceNetworkVpcAssociation	Grants permission to create a service network and VPC association	Write	ServiceNetwork*		ec2:DescribeVpcs
			ServiceNetworkVpcAssociation*
				vpc-lattice:VpcId vpc-lattice:ServiceNetworkArn vpc-lattice:SecurityGroupIds aws:TagKeys aws:RequestTag/${TagKey}
CreateTargetGroup	Grants permission to create a target group	Write	TargetGroup*		iam:CreateServiceLinkedRole
CreateTargetGroup	Grants permission to create a target group	Write		vpc-lattice:VpcId aws:TagKeys aws:RequestTag/${TagKey}
DeleteAccessLogSubscription	Grants permission to delete an access log subscription	Write	AccessLogSubscription*		logs:DeleteLogDelivery logs:GetLogDelivery
DeleteAccessLogSubscription	Grants permission to delete an access log subscription	Write		aws:ResourceTag/${TagKey}
DeleteAuthPolicy	Grants permission to delete an auth policy	Permissions management	Service
DeleteAuthPolicy	Grants permission to delete an auth policy	Permissions management	ServiceNetwork
DeleteListener	Grants permission to delete a listener	Write	Listener*
DeleteListener	Grants permission to delete a listener	Write		aws:ResourceTag/${TagKey}
DeleteResourcePolicy	Grants permission to delete a resource policy	Write	Service
DeleteResourcePolicy	Grants permission to delete a resource policy	Write	ServiceNetwork
DeleteRule	Grants permission to delete a rule	Write	Rule*
DeleteRule	Grants permission to delete a rule	Write		aws:ResourceTag/${TagKey}
DeleteService	Grants permission to delete a service	Write	Service*
DeleteService	Grants permission to delete a service	Write		aws:ResourceTag/${TagKey}
DeleteServiceNetwork	Grants permission to delete a service network	Write	ServiceNetwork*
DeleteServiceNetwork	Grants permission to delete a service network	Write		aws:ResourceTag/${TagKey}
DeleteServiceNetworkServiceAssociation	Grants permission to delete a service network service association	Write	ServiceNetworkServiceAssociation*
DeleteServiceNetworkServiceAssociation		Write		vpc-lattice:ServiceNetworkArn vpc-lattice:ServiceArn aws:ResourceTag/${TagKey}
DeleteServiceNetworkVpcAssociation	Grants permission to delete a service network and VPC association	Write	ServiceNetworkVpcAssociation*
DeleteServiceNetworkVpcAssociation		Write		vpc-lattice:VpcId vpc-lattice:ServiceNetworkArn aws:ResourceTag/${TagKey}
DeleteTargetGroup	Grants permission to delete a target group	Write	TargetGroup*
DeleteTargetGroup	Grants permission to delete a target group	Write		aws:ResourceTag/${TagKey}
DeregisterTargets	Grants permission to deregister targets from a target group	Write	TargetGroup*
GetAccessLogSubscription	Grants permission to get information about an access log subscription	Read	AccessLogSubscription*		logs:GetLogDelivery
GetAccessLogSubscription		Read		aws:ResourceTag/${TagKey}
GetAuthPolicy	Grants permission to get information about an auth policy	Read	Service
GetAuthPolicy	Grants permission to get information about an auth policy	Read	ServiceNetwork
GetListener	Grants permission to get information about a listener	Read	Listener*
GetListener	Grants permission to get information about a listener	Read		aws:ResourceTag/${TagKey}
GetResourcePolicy	Grants permission to get information about a resource policy	Read	Service
GetResourcePolicy		Read	ServiceNetwork
GetRule	Grants permission to get information about a rule	Read	Rule*
GetRule	Grants permission to get information about a rule	Read		aws:ResourceTag/${TagKey}
GetService	Grants permission to get information about a service	Read	Service*
GetService	Grants permission to get information about a service	Read		aws:ResourceTag/${TagKey}
GetServiceNetwork	Grants permission to get information about a service network	Read	ServiceNetwork*
GetServiceNetwork		Read		aws:ResourceTag/${TagKey}
GetServiceNetworkServiceAssociation	Grants permission to get information about a service network and service association	Read	ServiceNetworkServiceAssociation*
GetServiceNetworkServiceAssociation		Read		vpc-lattice:ServiceNetworkArn vpc-lattice:ServiceArn aws:ResourceTag/${TagKey}
GetServiceNetworkVpcAssociation	Grants permission to get information about a service network and VPC association	Read	ServiceNetworkVpcAssociation*
GetServiceNetworkVpcAssociation		Read		vpc-lattice:VpcId vpc-lattice:ServiceNetworkArn aws:ResourceTag/${TagKey}
GetTargetGroup	Grants permission to get information about a target group	Read	TargetGroup*
GetTargetGroup	Grants permission to get information about a target group	Read		aws:ResourceTag/${TagKey}
ListAccessLogSubscriptions	Grants permission to list some or all access log subscriptions about a service network or a service	List
ListListeners	Grants permission to list some or all listeners	List
ListRules	Grants permission to list some or all rules	List
ListServiceNetworkServiceAssociations	Grants permission to list some or all service network and service associations	List		vpc-lattice:ServiceNetworkArn vpc-lattice:ServiceArn
ListServiceNetworkVpcAssociations	Grants permission to list some or all service network and VPC associations	List		vpc-lattice:VpcId vpc-lattice:ServiceNetworkArn
ListServiceNetworks	Grants permission to list the service networks owned by a caller account or shared with the caller account	List
ListServices	Grants permission to list the services owned by a caller account or shared with the caller account	List
ListTagsForResource	Grants permission to list tags for a vpc-lattice resource	Read
ListTargetGroups	Grants permission to list some or all target groups	List
ListTargets	Grants permission to list some or all targets in a target group	List	TargetGroup*
PutAuthPolicy	Grants permission to create or update the auth policy for a service network or a service	Permissions management	Service
PutAuthPolicy		Permissions management	ServiceNetwork
PutResourcePolicy	Grants permission to create a resource policy for a service network or a service	Write	Service
PutResourcePolicy		Write	ServiceNetwork
RegisterTargets	Grants permission to register targets to a target group	Write	TargetGroup*
TagResource	Grants permission to tag a vpc-lattice resource	Tagging	AccessLogSubscription
			Listener
			Rule
			Service
			ServiceNetwork
			ServiceNetworkServiceAssociation
			ServiceNetworkVpcAssociation
			TargetGroup
				aws:TagKeys aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey}
UntagResource	Grants permission to untag a vpc-lattice resource	Tagging	AccessLogSubscription
			Listener
			Rule
			Service
			ServiceNetwork
			ServiceNetworkServiceAssociation
			ServiceNetworkVpcAssociation
			TargetGroup
				aws:TagKeys
UpdateAccessLogSubscription	Grants permission to update an access log subscription	Write	AccessLogSubscription*		logs:GetLogDelivery logs:UpdateLogDelivery
UpdateAccessLogSubscription	Grants permission to update an access log subscription	Write		aws:ResourceTag/${TagKey}
UpdateListener	Grants permission to update a listener	Write	Listener*
UpdateListener	Grants permission to update a listener	Write		vpc-lattice:TargetGroupArns aws:ResourceTag/${TagKey}
UpdateRule	Grants permission to update a rule	Write	Rule*
UpdateRule	Grants permission to update a rule	Write		vpc-lattice:TargetGroupArns aws:ResourceTag/${TagKey}
UpdateService	Grants permission to update a service	Write	Service*
UpdateService	Grants permission to update a service	Write		vpc-lattice:AuthType aws:ResourceTag/${TagKey}
UpdateServiceNetwork	Grants permission to update a service network	Write	ServiceNetwork*
UpdateServiceNetwork	Grants permission to update a service network	Write		vpc-lattice:AuthType aws:ResourceTag/${TagKey}
UpdateServiceNetworkVpcAssociation	Grants permission to update a service network and VPC association	Write	ServiceNetworkVpcAssociation*		ec2:DescribeSecurityGroups ec2:DescribeVpcs
UpdateServiceNetworkVpcAssociation		Write		vpc-lattice:VpcId vpc-lattice:ServiceNetworkArn vpc-lattice:SecurityGroupIds aws:ResourceTag/${TagKey}
UpdateTargetGroup	Grants permission to update a target group	Write	TargetGroup*
UpdateTargetGroup	Grants permission to update a target group	Write		aws:ResourceTag/${TagKey}

Resource types defined by Amazon VPC Lattice

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
ServiceNetwork	`arn:${Partition}:vpc-lattice:${Region}:${Account}:servicenetwork/${ServiceNetworkId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys vpc-lattice:AuthType
Service	`arn:${Partition}:vpc-lattice:${Region}:${Account}:service/${ServiceId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys vpc-lattice:AuthType
ServiceNetworkVpcAssociation	`arn:${Partition}:vpc-lattice:${Region}:${Account}:servicenetworkvpcassociation/${ServiceNetworkVpcAssociationId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys vpc-lattice:SecurityGroupIds vpc-lattice:ServiceNetworkArn vpc-lattice:VpcId
ServiceNetworkServiceAssociation	`arn:${Partition}:vpc-lattice:${Region}:${Account}:servicenetworkserviceassociation/${ServiceNetworkServiceAssociationId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys vpc-lattice:ServiceArn vpc-lattice:ServiceNetworkArn
TargetGroup	`arn:${Partition}:vpc-lattice:${Region}:${Account}:targetgroup/${TargetGroupId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys vpc-lattice:VpcId
Listener	`arn:${Partition}:vpc-lattice:${Region}:${Account}:service/${ServiceId}/listener/${ListenerId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys vpc-lattice:Protocol vpc-lattice:TargetGroupArns
Rule	`arn:${Partition}:vpc-lattice:${Region}:${Account}:service/${ServiceId}/listener/${ListenerId}/rule/${RuleId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys vpc-lattice:TargetGroupArns
AccessLogSubscription	`arn:${Partition}:vpc-lattice:${Region}:${Account}:accesslogsubscription/${AccessLogSubscriptionId}`	aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey} aws:TagKeys

Condition keys for Amazon VPC Lattice

Amazon VPC Lattice defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by the presence of tag key-value pairs in the request	String
aws:ResourceTag/${TagKey}	Filters access by tag key-value pairs attached to the resource	String
aws:TagKeys	Filters access by the presence of tag keys in the request	ArrayOfString
vpc-lattice:AuthType	Filters access by the auth type specified in the request	String
vpc-lattice:Protocol	Filters access by the protocol specified in the request	String
vpc-lattice:SecurityGroupIds	Filters access by the IDs of security groups	ArrayOfString
vpc-lattice:ServiceArn	Filters access by the ARN of a service	ARN
vpc-lattice:ServiceNetworkArn	Filters access by the ARN of a service network	ARN
vpc-lattice:TargetGroupArns	Filters access by the ARNs of target groups	ArrayOfARN
vpc-lattice:VpcId	Filters access by the ID of a virtual private cloud (VPC)	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon Verified Permissions

Amazon VPC Lattice Services