Actions, resources, and condition keys for Amazon WorkMail - Service Authorization Reference

Actions, resources, and condition keys for Amazon WorkMail

Amazon WorkMail (service prefix: workmail) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon WorkMail

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddMembersToGroup [permission only] Grants permission to add a list of members (users or groups) to a group Write

organization*

AssociateDelegateToResource Grants permission to add a member (user or group) to the resource's set of delegates Write

organization*

AssociateMemberToGroup Grants permission to add a member (user or group) to the group's set Write

organization*

CancelMailboxExportJob Grants permission to cancel a currently running mailbox export job Write

organization*

CreateAlias Grants permission to add an alias to the set of a given member (user or group) of WorkMail Write

organization*

CreateGroup Grants permission to create a group that can be used in WorkMail by calling the RegisterToWorkMail operation Write

organization*

CreateInboundMailFlowRule [permission only] Grants permission to create an inbound email flow rule which will apply to all email sent to an organization Write

organization*

CreateMailDomain [permission only] Grants permission to create a mail domain Write

organization*

CreateMailUser [permission only] Grants permission to create a user in the directory Write

organization*

CreateMobileDeviceAccessRule Grants permission to create a new mobile device access rule Write

organization*

CreateOrganization Grants permission to create a new Amazon WorkMail organization Write
CreateOutboundMailFlowRule [permission only] Grants permission to create an outbound email flow rule which will apply to all email sent from an organization Write

organization*

CreateResource Grants permission to create a new WorkMail resource Write

organization*

CreateSmtpGateway [permission only] Grants permission to register an SMTP gateway to a WorkMail organization Write

organization*

CreateUser Grants permission to create a user, which can be enabled afterwards by calling the RegisterToWorkMail operation Write

organization*

DeleteAccessControlRule Grants permission to delete an access control rule Write

organization*

DeleteAlias Grants permission to remove one or more specified aliases from a set of aliases for a given user Write

organization*

DeleteEmailMonitoringConfiguration Grants permission to delete the email monitoring configuration for an organization Write

organization*

DeleteGroup Grants permission to delete a group from WorkMail Write

organization*

DeleteInboundMailFlowRule [permission only] Grants permission to remove an inbound email flow rule to no longer apply to emails sent to an organization Write

organization*

DeleteMailDomain [permission only] Grants permission to remove an unused mail domain from an organization Write

organization*

DeleteMailboxPermissions Grants permission to delete permissions granted to a member (user or group) Write

organization*

DeleteMobileDevice [permission only] Grants permission to remove a mobile device from a user Write

organization*

DeleteMobileDeviceAccessOverride Grants permission to delete a mobile device access override Write

organization*

DeleteMobileDeviceAccessRule Grants permission to delete a mobile device access rule Write

organization*

DeleteOrganization Grants permission to delete an Amazon WorkMail organization and all underlying AWS resources managed by Amazon WorkMail as part of the organization Write

organization*

DeleteOutboundMailFlowRule [permission only] Grants permission to remove an outbound email flow rule so that it no longer applies to emails sent from an organization Write

organization*

DeleteResource Grants permission to delete the specified resource Write

organization*

DeleteRetentionPolicy Grants permission to delete the retention policy based on the supplied organization and policy identifiers Write

organization*

DeleteSmtpGateway [permission only] Grants permission to remove an SMTP gateway from an organization Write

organization*

DeleteUser Grants permission to delete a user from WorkMail and all subsequent systems Write

organization*

DeregisterFromWorkMail Grants permission to mark a user, group, or resource as no longer used in WorkMail Write

organization*

DeregisterMailDomain Grants permission to deregister a mail domain from an organization Write

organization*

DescribeDirectories [permission only] Grants permission to show a list of directories available for use in creating an organization List
DescribeEmailMonitoringConfiguration Grants permission to retrieve the email monitoring configuration for an organization Read

organization*

DescribeGroup Grants permission to read the details for a group List

organization*

DescribeInboundDmarcSettings Grants permission to read the settings in a DMARC policy for a specified organization Read

organization*

DescribeInboundMailFlowRule [permission only] Grants permission to read the details of an inbound mail flow rule configured for an organization Read

organization*

DescribeKmsKeys [permission only] Grants permission to show a list of KMS Keys available for use in creating an organization List
DescribeMailDomains [permission only] Grants permission to show the details of all mail domains associated with the organization List

organization*

DescribeMailGroups [permission only] Grants permission to show the details of all groups associated with the organization List

organization*

DescribeMailUsers [permission only] Grants permission to show the details of all users associated with the organization List

organization*

DescribeMailboxExportJob Grants permission to retrieve details of a mailbox export job Read

organization*

DescribeOrganization Grants permission to read details of an organization List

organization*

DescribeOrganizations [permission only] Grants permission to show a summary of all organizations associated with the account List
DescribeOutboundMailFlowRule [permission only] Grants permission to read the details of an outbound mail flow rule configured for an organization Read

organization*

DescribeResource Grants permission to read the details for a resource List

organization*

DescribeSmtpGateway [permission only] Grants permission to read the details of an SMTP gateway registered to an organization Read

organization*

DescribeUser Grants permission to read details for a user List

organization*

DisableMailGroups [permission only] Grants permission to disable a mail group when it is not being used, in order to allow it to be deleted Write

organization*

DisableMailUsers [permission only] Grants permission to disable a user mailbox when it is no longer being used, in order to allow it to be deleted Write

organization*

DisassociateDelegateFromResource Grants permission to remove a member from the resource's set of delegates Write

organization*

DisassociateMemberFromGroup Grants permission to remove a member from a group Write

organization*

EnableMailDomain [permission only] Grants permission to enable a mail domain in the organization Write

organization*

EnableMailGroups [permission only] Grants permission to enable a mail group after it has been created to allow it to receive mail Write

organization*

EnableMailUsers [permission only] Grants permission to enable a user's mailbox after it has been created to allow it to receive mail Write

organization*

GetAccessControlEffect Grants permission to get the effects of access control rules as they apply to a specified IPv4 address, access protocol action, or user ID Read

organization*

GetDefaultRetentionPolicy Grants permission to retrieve the retention policy associated at an organizational level Read

organization*

GetJournalingRules [permission only] Grants permission to read the configured journaling and fallback email addresses for email journaling Read

organization*

GetMailDomain Grants permission to retrieve details of a given mail domain in an organization Read

organization*

GetMailDomainDetails [permission only] Grants permission to get the details of the mail domain Read

organization*

GetMailGroupDetails [permission only] Grants permission to get the details of the mail group Read

organization*

GetMailUserDetails [permission only] Grants permission to get the details of the user's mailbox and account Read

organization*

GetMailboxDetails Grants permission to read the details of the user's mailbox Read

organization*

GetMobileDeviceAccessEffect Grants permission to simulate the effect of the mobile device access rules for the given attributes of a sample access event Read

organization*

GetMobileDeviceAccessOverride Grants permission to retrieve a mobile device access override Read

organization*

GetMobileDeviceDetails [permission only] Grants permission to get the details of the mobile device Read

organization*

GetMobileDevicesForUser [permission only] Grants permission to get a list of the mobile devices associated with the user Read

organization*

GetMobilePolicyDetails [permission only] Grants permission to get the details of the mobile device policy associated with the organization Read

organization*

ListAccessControlRules Grants permission to list the access control rules Read

organization*

ListAliases Grants permission to list the aliases associated with a given entity List

organization*

ListGroupMembers Grants permission to read an overview of the members of a group. Users and groups can be members of a group List

organization*

ListGroups Grants permission to list summaries of the organization's groups List

organization*

ListInboundMailFlowRules [permission only] Grants permission to list inbound mail flow rules configured for an organization List

organization*

ListMailDomains Grants permission to list the mail domains for a given organization List

organization*

ListMailboxExportJobs Grants permission to list mailbox export jobs List

organization*

ListMailboxPermissions Grants permission to list the mailbox permissions associated with a user, group, or resource mailbox List

organization*

ListMembersInMailGroup [permission only] Grants permission to get a list of all the members in a mail group Read

organization*

ListMobileDeviceAccessOverrides Grants permission to list the mobile device access overrides Read

organization*

ListMobileDeviceAccessRules Grants permission to list the mobile device access rules Read

organization*

ListOrganizations Grants permission to list the non-deleted organizations List
ListOutboundMailFlowRules [permission only] Grants permission to list outbound mail flow rules configured for an organization List

organization*

ListResourceDelegates Grants permission to list the delegates associated with a resource List

organization*

ListResources Grants permission to list the organization's resources List

organization*

ListSmtpGateways [permission only] Grants permission to list SMTP gateways registered to the organization List

organization*

ListTagsForResource Grants permission to list the tags applied to an Amazon WorkMail organization resource List

organization*

aws:TagKeys

aws:RequestTag/${TagKey}

ListUsers Grants permission to list the organization's users List

organization*

PutAccessControlRule Grants permission to add a new access control rule Write

organization*

PutEmailMonitoringConfiguration Grants permission to add or update the email monitoring configuration for an organization Write

organization*

PutInboundDmarcSettings Grants permission to enable or disable a DMARC policy for a given organization Write

organization*

PutMailboxPermissions Grants permission to set permissions for a user, group, or resource, replacing any existing permissions Write

organization*

PutMobileDeviceAccessOverride Grants permission to add or update a mobile device access override Write

organization*

PutRetentionPolicy Grants permission to add or update the retention policy Write

organization*

RegisterMailDomain Grants permission to register a new mail domain in an organization Write

organization*

RegisterToWorkMail Grants permission to register an existing and disabled user, group, or resource for use by associating a mailbox and calendaring capabilities Write

organization*

RemoveMembersFromGroup [permission only] Grants permission to remove members from a mail group Write

organization*

ResetPassword Grants permission to allow the administrator to reset the password for a user Write

organization*

ResetUserPassword [permission only] Grants permission to reset the password for a user's account Write

organization*

SearchMembers [permission only] Grants permission to perform a prefix search to find a specific user in a mail group Read

organization*

SetAdmin [permission only] Grants permission to mark a user as being an administrator Write

organization*

SetDefaultMailDomain [permission only] Grants permission to set the default mail domain for the organization Write

organization*

SetJournalingRules [permission only] Grants permission to set journaling and fallback email addresses for email journaling Write

organization*

SetMailGroupDetails [permission only] Grants permission to set the details of the mail group which has just been created Write

organization*

SetMailUserDetails [permission only] Grants permission to set the details for the user account which has just been created Write

organization*

SetMobilePolicyDetails [permission only] Grants permission to set the details of a mobile policy associated with the organization Write

organization*

StartMailboxExportJob Grants permission to start a new mailbox export job Write

organization*

TagResource Grants permission to tag the specified Amazon WorkMail organization resource Tagging

organization*

aws:TagKeys

aws:RequestTag/${TagKey}

TestInboundMailFlowRules [permission only] Grants permission to test what inbound rules will apply to an email with a given sender and recipient Write

organization*

TestOutboundMailFlowRules [permission only] Grants permission to test what outbound rules will apply to an email with a given sender and recipient Write

organization*

UntagResource Grants permission to untag the specified Amazon WorkMail organization resource Tagging

organization*

aws:TagKeys

aws:RequestTag/${TagKey}

UpdateDefaultMailDomain Grants permission to update which domain is the default domain for an organization Write

organization*

UpdateInboundMailFlowRule [permission only] Grants permission to update the details of an inbound email flow rule which will apply to all email sent to an organization Write

organization*

UpdateMailboxQuota Grants permission to update the maximum size (in MB) of the user's mailbox Write

organization*

UpdateMobileDeviceAccessRule Grants permission to update a mobile device access rule Write

organization*

UpdateOutboundMailFlowRule [permission only] Grants permission to update the details of an outbound email flow rule which will apply to all email sent from an organization Write

organization*

UpdatePrimaryEmailAddress Grants permission to update the primary email for a user, group, or resource Write

organization*

UpdateResource Grants permission to update details for the resource Write

organization*

UpdateSmtpGateway [permission only] Grants permission to update the details of an existing SMTP gateway registered to an organization Write

organization*

WipeMobileDevice [permission only] Grants permission to remotely wipe the mobile device associated with a user's account Write

organization*

Resource types defined by Amazon WorkMail

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
organization arn:${Partition}:workmail:${Region}:${Account}:organization/${ResourceId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon WorkMail

Amazon WorkMail defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the tag key-value pairs that are passed in the request String
aws:ResourceTag/${TagKey} Filters access by the tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the tag keys that are passed in the request ArrayOfString