AWS - IdenAccessManage - AWS services that work with IAM


AWS services that work with IAM

The AWS services listed below are grouped by AWS product category, with the IAM features each one supports. The table columns mean the following:

  • Service
    • Choose the name of a service to view the AWS documentation about IAM authorization and access for that service.
  • Actions
    • You can specify individual actions in a policy.
    • If the service does not support this feature, then All actions is selected in the policy visual editor.
    • In a JSON policy document, you must use * in the Action element.
  • Resource-level permissions
    • You can use ARNs to specify individual resources in the policy.
    • If the service does not support this feature, then All resources is chosen in the policy visual editor.
    • In a JSON policy document, you must use * in the Resource element.
    • Some actions, such as List* actions, do not support specifying an ARN because they are designed to return multiple resources.
    • If a service supports this feature for some resources but not others, it is indicated by yellow cells in the original table, shown here as Partial. See the documentation for that service for more information.
  • Resource-based policies
    • You can attach resource-based policies to a resource within the service.
    • Resource-based policies include a Principal element to specify which IAM identities can access that resource.
  • Authorization based on tags
    • You can use resource tags in the condition of a policy to control access to a resource in the service.
    • You do this using the aws:ResourceTag global condition key or service-specific tag condition keys, such as ec2:ResourceTag.
  • Temporary credentials
    • You can use short-term credentials that you obtain when you sign in using SSO, switch roles in the console, or generate using AWS STS in the AWS CLI or AWS API.
    • You can access services with a No value only while using your long-term IAM user credentials, that is, a user name and password or your user access keys.
  • Service-linked roles
    • A service-linked role is a special type of service role that gives the service permission to access resources in other services on your behalf.
    • Choose the Yes link to see the documentation for services that support these roles.
    • This column does not indicate whether the service uses standard service roles.
  • More information
    • If a service doesn't fully support a feature, you can review the footnotes for an entry to view the limitations and links to related information.

Compute services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS Batch | Yes | Partial | No | Yes | Yes | Yes
Amazon Elastic Compute Cloud (Amazon EC2) | Yes | Partial | No | Partial | Yes | Partial¹
Amazon EC2 Auto Scaling | Yes | Yes | No | Yes | Yes | Yes
EC2 Image Builder | Yes | Yes | No | Yes | Yes | Yes
AWS Elastic Beanstalk | Yes | Partial | No | Yes | Yes | Yes
Amazon Elastic Inference | Yes | Yes | No | No | Yes | No
Elastic Load Balancing | Yes | Partial | No | Partial | Yes | Yes
AWS Lambda | Yes | Yes | Yes | No | Yes | Partial²
Amazon Lightsail | Yes | Yes | No | Yes | Yes | No
AWS Outposts | Yes | No | No | No | Yes | Yes
AWS Serverless Application Repository | Yes | Yes | Yes | No | Yes | No

¹ Amazon EC2 service-linked roles cannot be created using the AWS Management Console, and can be used only for the following features: Scheduled Instances, Spot Instance Requests, Spot Fleet Requests.

² AWS Lambda doesn’t have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.


Containers services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon Elastic Container Registry (Amazon ECR) | Yes | Yes | Yes | Yes | Yes | No
Amazon Elastic Container Registry Public (Amazon ECR Public) | Yes | Yes | No | No | Yes | No
Amazon Elastic Container Service (Amazon ECS) | Yes | Partial¹ | No | Yes | Yes | Yes
Amazon Elastic Kubernetes Service (Amazon EKS) | Yes | Yes | No | Yes | Yes | Yes

¹ Only some Amazon ECS actions support resource-level permissions.


Storage services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS Backup | Yes | Yes | Yes | Yes | Yes | Yes
AWS Backup Storage | Yes | Yes | No | No | Yes | No
Amazon Elastic Block Store (Amazon EBS) | Yes | Partial | No | Yes | Yes | No
Amazon Elastic File System (Amazon EFS) | Yes | Yes | Yes | Yes | Yes | Yes
Amazon FSx | Yes | Yes | No | Yes | Yes | Yes
Amazon S3 Glacier | Yes | Yes | Yes | Yes | Yes | No
AWS Import/Export | Yes | No | No | No | Yes | No
Amazon Simple Storage Service (Amazon S3) | Yes | Yes | Yes | Partial¹ | Yes | Partial²
Amazon Simple Storage Service (Amazon S3) on AWS Outposts | Yes | Yes | Yes | Partial¹ | Yes | No
AWS Snowball | Yes | No | No | No | Yes | No
AWS Snowball Edge | Yes | No | No | No | Yes | No
AWS Storage Gateway | Yes | Yes | No | Yes | Yes | No

¹ Amazon S3 supports tag-based authorization for only object resources.

² Amazon S3 supports service-linked roles for Amazon S3 Storage Lens.


Database services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon DynamoDB | Yes | Yes | No | No | Yes | Yes
Amazon ElastiCache | Yes | Yes | No | No | Yes | Yes
Amazon Keyspaces (for Apache Cassandra) | Yes | Yes | No | Yes | Yes | Yes
Amazon Neptune | Yes | Yes | No | No | Yes | Yes
Amazon Quantum Ledger Database (Amazon QLDB) | Yes | Yes | No | Yes | Yes | No
Amazon Redshift | Yes | Yes | No | Yes | Yes | Yes
Amazon Redshift Data API | Yes | No | No | No | Yes | No
Amazon Relational Database Service (Amazon RDS) | Yes | Yes | No | Yes | Yes | Yes
Amazon RDS Data API | Yes | No | No | Yes | Yes | No
Amazon SimpleDB | Yes | Yes | No | No | Yes | No
Amazon Timestream | Yes | Yes | No | Yes | Yes | No

Developer tools services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS Cloud9 | Yes | Yes | Yes | Yes | Yes | Yes
AWS CloudShell | Yes | Yes | No | No | No | No
AWS CodeArtifact | Yes | Yes | Yes | Yes | Yes | No
CodeBuild | Yes | Yes | Yes¹ | Partial² | Yes | No
CodeCommit | Yes | Yes | No | Yes | Yes | No
AWS CodeDeploy | Yes | Yes | No | Yes | Yes | No
CodePipeline | Yes | Partial | No | Yes | Yes | No
AWS CodeStar | Yes | Partial¹ | No | Yes | Yes | No
AWS CodeStar Connections | Yes | Yes | No | Yes | Yes | No
AWS CodeStar Notifications | Yes | Yes | No | Yes | Yes | Yes
AWS X-Ray | Yes | Yes | No | Partial³ | Yes | No

¹ CodeBuild supports cross-account resource sharing using AWS RAM.

² CodeBuild supports authorization based on tags for project-based actions.

³ X-Ray supports tag-based access control for groups and sampling rules.


Security, identity, and compliance services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS Artifact | Yes | Yes | No | No | Yes | No
AWS Audit Manager | Yes | Yes | No | Yes | Yes | Yes
Amazon Cognito | Yes | Yes | No | Yes | Yes | Yes
Amazon Detective | Yes | Yes | No | No | Yes | No
AWS Directory Service | Yes | Yes | No | Yes | Yes | No
AWS Firewall Manager | Yes | Yes | No | Yes | Yes | Partial
Amazon GuardDuty | Yes | Yes | No | Yes | Yes | Partial
AWS Identity and Access Management (IAM) | Yes | Yes | Partial¹ | Partial² | Partial³ | No
IAM Access Analyzer | Yes | Yes | No | Yes | Yes | Partial
Amazon Inspector | Yes | No | No | No | Yes | Yes
Amazon Macie | Yes | Yes | No | Yes | Yes | Yes
Amazon Macie Classic | Yes | No | No | No | Yes | Yes
AWS Network Firewall | Yes | Yes | No | Yes | Yes | Yes
AWS Resource Access Manager (AWS RAM) | Yes | Yes | No | Yes | Yes | No
AWS Secrets Manager | Yes | Yes | Yes | Yes | Yes | No
AWS Security Hub | Yes | Yes | No | Yes | Yes | Yes
AWS Single Sign-On (AWS SSO) | Yes | Yes | No | Yes | Yes | Yes
AWS SSO Directory | Yes | No | No | No | Yes | No
AWS SSO Identity Store | Yes | No | No | No | Yes | No
AWS Security Token Service (AWS STS) | Yes | Partial⁴ | No | Yes | Partial⁵ | No
AWS Shield Advanced | Yes | Yes | No | No | Yes | No
AWS WAF | Yes | Yes | No | Yes | Yes | Yes
AWS WAF Classic | Yes | Yes | No | Yes | Yes | Yes

¹ IAM supports only one type of resource-based policy, called a role trust policy, which is attached to an IAM role. For more information, see Granting a user permissions to switch roles.

² IAM supports tag-based access control for most IAM resources. For more information, see Tagging IAM resources.

³ Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.

⁴ AWS STS does not have “resources,” but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name.

⁵ Only some of the API operations for AWS STS support calling with temporary credentials. For more information, see Comparing your API options.


Cryptography and PKI services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS Certificate Manager Private Certificate Authority (ACM) | Yes | Yes | No | Yes | Yes | No
AWS Certificate Manager (ACM) | Yes | Yes | No | Yes | Yes | Yes
AWS CloudHSM | Yes | Yes | No | Yes | Yes | Yes
AWS Key Management Service (AWS KMS) | Yes | Yes | Yes | Yes | Yes | Yes
AWS Signer | Yes | Yes | No | Yes | Yes | No

Machine learning services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon CodeGuru | Yes | No | No | No | Yes | No
Amazon CodeGuru Profiler | Yes | Yes | No | Yes | Yes | Yes
Amazon CodeGuru Reviewer | Yes | Yes | No | Yes | Yes | No
Amazon Comprehend | Yes | Yes | No | Yes | Yes | No
AWS DeepComposer | Yes | Yes | No | Yes | Yes | No
AWS DeepRacer | Yes | No | No | No | Yes | Yes
AWS Panorama | Yes | Yes | No | Yes | Yes | No
Amazon DevOps Guru | Yes | Yes | No | No | Yes | Yes
Amazon Forecast | Yes | Yes | No | Yes | Yes | No
Amazon Fraud Detector | Yes | Yes | No | Yes | Yes | No
Ground Truth Labeling | Yes | No | No | No | Yes | No
Amazon Kendra | Yes | Yes | No | Yes | Yes | No
Amazon Lex | Yes | Yes | No | Yes | Yes | Yes
Amazon Lex V2 | Yes | Yes | No | Yes | Yes | Yes
Amazon Lookout for Equipment | Yes | Yes | No | Yes | Yes | No
Amazon Lookout for Vision | Yes | Yes | No | Yes | Yes | No
Amazon Monitron | Yes | Yes | No | Yes | Yes | No
Amazon Machine Learning | Yes | Yes | No | Yes | Yes | No
Amazon Personalize | Yes | Yes | No | No | Yes | No
Amazon Polly | Yes | Yes | No | No | Yes | No
Amazon Rekognition | Yes | Yes | No | No | Yes | No
Amazon SageMaker | Yes | Yes | No | Yes | Yes | No
Amazon Textract | Yes | Yes | No | No | Yes | No
Amazon Transcribe | Yes | No | No | No | Yes | No
Amazon Translate | Yes | No | No | No | Yes | No

Management and governance services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Application Auto Scaling | Yes | No | No | No | Yes | Yes
AWS AppConfig | Yes | Yes | No | Yes | Yes | No
AWS Auto Scaling | Yes | No | No | No | Yes | Yes
AWS Chatbot | Yes | Yes | No | No | Yes | Yes
AWS CloudFormation | Yes | Yes | No | Yes | Yes | No
AWS CloudTrail | Yes | Yes | No | No | Yes | Yes
Amazon CloudWatch | Yes | Yes | No | Yes | Yes | Partial¹
Amazon CloudWatch Application Insights | Yes | No | No | No | Yes | No
Amazon CloudWatch Events | Yes | Yes | No | Yes | Yes | No
Amazon CloudWatch Logs | Yes | Yes | Yes | No | Yes | Yes
Amazon CloudWatch Synthetics | Yes | Yes | No | No | Yes | No
AWS Compute Optimizer | Yes | No | No | No | Yes | Yes
AWS Config | Yes | Partial² | No | Yes | Yes | Yes
Amazon Data Lifecycle Manager | Yes | Yes | No | Yes | Yes | No
AWS Health | Yes | Yes | No | No | Yes | No
AWS License Manager | Yes | Yes | No | Yes | Yes | Yes
Amazon Managed Service for Grafana | Yes | Yes | No | No | Yes | No
Amazon Managed Service for Prometheus | Yes | Yes | No | No | Yes | No
AWS OpsWorks | Yes | Yes | No | Yes | Yes | No
AWS OpsWorks for Chef Automate | Yes | Yes | No | Yes | Yes | No
AWS OpsWorks Configuration Management | Yes | No | No | No | Yes | No
AWS Organizations | Yes | Yes | No | Yes | Yes | Yes
AWS Proton | Yes | Yes | No | No | Yes | No
AWS Resource Groups | Yes | Yes | No | Yes | Partial³ | No
Resource Groups Tagging API | Yes | No | No | No | Yes | No
AWS Service Catalog | Yes | Yes | No | Partial⁴ | Yes | No
AWS Systems Manager | Yes | Yes | No | Yes | Yes | Yes
AWS Tag Editor | Yes | No | No | No | Yes | No
AWS Trusted Advisor | Partial⁵ | Yes | No | No | Partial | Yes
AWS Well-Architected Tool | Yes | Yes | No | No | Yes | No
Service Quotas | Yes | Yes | No | Yes | Yes | No

¹ Amazon CloudWatch service-linked roles cannot be created using the AWS Management Console, and support only the Alarm Actions feature.

² AWS Config supports resource-level permissions for multi-account multi-Region data aggregation and AWS Config Rules. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section and AWS Config Rules section of AWS Config API Guide.

³ Users can assume a role with a policy that allows AWS Resource Groups operations.

⁴ AWS Service Catalog supports tag-based access control for only actions that match API operations with one resource in the input.

⁵ API access to Trusted Advisor is through the AWS Support API and is controlled by AWS Support IAM policies.


Migration and transfer services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS Application Discovery Service | Yes | No | No | No | Yes | Yes
AWS Application Discovery Arsenal | Yes | No | No | No | Yes | No
AWS Connector Service | Yes | No | No | No | Yes | No
AWS Transfer for SFTP | Yes | Yes | No | Yes | Yes | No
AWS Database Migration Service | Yes | Yes | Yes¹ | Yes | Yes | No
AWS DataSync | Yes | Yes | No | Yes | Yes | No
AWS Migration Hub | Yes | Yes | No | No | Yes | Yes
AWS Server Migration Service | Yes | No | No | No | Yes | Yes

¹ You can create and modify policies that are attached to AWS KMS encryption keys you create to encrypt data migrated to supported target endpoints. The supported target endpoints include Amazon Redshift and Amazon S3. For more information, see Creating and Using AWS KMS Keys to Encrypt Amazon Redshift Target Data and Creating AWS KMS Keys to Encrypt Amazon S3 Target Objects in the AWS Database Migration Service User Guide.


Mobile services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS Amplify | Yes | Yes | No | Yes | Yes | No
AWS Amplify Admin | Yes | Yes | No | No | Yes | No
AWS AppSync | Yes | Yes | No | Yes | Yes | No
AWS Device Farm | Yes | Yes | No | Yes | Yes | No
Amazon Location | Yes | Yes | No | No | Yes | No

Networking and content delivery services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon API Gateway | Yes | Yes | Yes | Yes | Yes | Yes
AWS App Mesh | Yes | Yes | No | Yes | Yes | Yes
Amazon CloudFront | Yes | Yes | No | Yes | Yes | Partial³
AWS Cloud Map | Yes | Yes | No | Yes | Yes | No
AWS Direct Connect | Yes | Yes | No | Yes | Yes | No
AWS Global Accelerator | Yes | Yes | No | Yes | Yes | Yes
Network Manager | Yes | Yes | Yes | Yes | Yes | Yes
Amazon Route 53 | Yes | Yes | No | No | Yes | No
Amazon Route 53 Resolver | Yes | Yes | No | Yes | Yes | No
AWS Tiros | Yes | No | No | No | No | No
Amazon Virtual Private Cloud (Amazon VPC) | Yes | Partial¹ | Partial² | No | Yes | No

¹ In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify `"Resource": "*"`. For more information, see Controlling the Use of Endpoints in the Amazon VPC User Guide.

² Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Using Endpoint Policies in the Amazon VPC User Guide.

³ Amazon CloudFront doesn’t have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.


Media services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon Elastic Transcoder | Yes | Yes | No | No | Yes | No
AWS Elemental Appliances and Software | Yes | Yes | No | Yes | Yes | No
AWS Elemental Appliances and Software Activation Service | Yes | Yes | No | Yes | Yes | No
AWS Elemental MediaConnect | Yes | Yes | No | No | Yes | No
AWS Elemental MediaConvert | Yes | Yes | No | Yes | Yes | No
AWS Elemental MediaLive | Yes | Yes | No | Yes | Yes | No
AWS Elemental MediaPackage | Yes | Yes | No | Yes | Yes | No
AWS Elemental MediaPackage VOD | Yes | Yes | No | Yes | Yes | No
AWS Elemental MediaStore | Yes | Yes | Yes | No | Yes | No
AWS Elemental MediaTailor | Yes | Yes | No | Yes | Yes | No
AWS Elemental Support Cases | Yes | No | No | No | Yes | No
AWS Elemental Support Content | Yes | No | No | No | Yes | No
Amazon Interactive Video Service | Yes | Yes | No | Yes | Yes | No
Kinesis Video Streams | Yes | Yes | No | Yes | Yes | No

Analytics services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon Athena | Yes | Yes | No | Yes | Yes | No
Amazon CloudSearch | Yes | Yes | No | No | Yes | No
AWS Data Exchange | Yes | Yes | No | Yes | Yes | No
AWS Data Pipeline | Yes | No | No | Yes | Yes | No
Amazon Elasticsearch Service | Yes | Yes | Yes | No | Yes | Yes
Amazon EMR | Yes | Yes | No | Yes | Yes | Yes
Amazon EMR on EKS (EMR Containers) | Yes | Yes | No | Yes | Yes | Yes
AWS Glue | Yes | Yes | Yes | Partial | Yes | No
AWS Glue DataBrew | Yes | Yes | No | Yes | Yes | No
Amazon Kinesis Data Analytics | Yes | Yes | No | Yes | Yes | No
Amazon Kinesis Data Analytics V2 | Yes | Yes | No | Yes | Yes | No
Amazon Kinesis Data Firehose | Yes | Yes | No | Yes | Yes | No
Amazon Kinesis Data Streams | Yes | Yes | No | No | Yes | No
AWS Lake Formation | Yes | No | No | No | Yes | Yes
Amazon Managed Streaming for Apache Kafka (MSK) | Yes | Yes | No | Yes | Yes | No
Amazon Managed Workflows for Apache Airflow | Yes | Yes | No | Yes | Yes | No
Amazon QuickSight | Yes | Yes | No | Yes | Yes | No

Application integration services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon AppFlow | Yes | Yes | No | Yes | Yes | No
Amazon EventBridge | Yes | Yes | Yes | Yes | Yes | No
Amazon EventBridge Schemas | Yes | Yes | Yes | Yes | Yes | No
Amazon MQ | Yes | Yes | No | Yes | Yes | Yes
Amazon Simple Notification Service (Amazon SNS) | Yes | Yes | Yes | No | Yes | No
Amazon Simple Queue Service (Amazon SQS) | Yes | Yes | Yes | No | Yes | No
AWS Step Functions | Yes | Yes | No | Yes | Yes | No
Amazon Simple Workflow Service (Amazon SWF) | Yes | Yes | No | Yes | Yes | No

Business applications services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Alexa for Business | Yes | Yes | No | No | Yes | No
Amazon Chime | Yes | Yes | No | Yes | Yes | Yes
Amazon Honeycode | Yes | Yes | No | No | Yes | No
Amazon WorkMail | Yes | Yes | No | Yes | Yes | Yes

Satellite services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS Ground Station | Yes | Yes | No | Yes | Yes | No

Internet of Things services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS IoT 1-Click | Yes | Yes | No | Yes | Yes | No
AWS IoT Greengrass | Yes | Yes | No | Yes | Yes | No
AWS IoT Greengrass V2 | Yes | Yes | No | Yes | Yes | No
AWS IoT | Yes | Yes | Partial¹ | Yes | Yes | No
AWS IoT Analytics | Yes | Yes | No | Yes | Yes | No
AWS IoT Core Device Advisor | Yes | Yes | No | Yes | Yes | No
AWS IoT Core for LoRaWAN | Yes | Yes | No | Yes | Yes | No
AWS IoT Device Tester | Yes | No | No | No | Yes | No
AWS IoT Events | Yes | Yes | No | Yes | Yes | No
AWS IoT SiteWise | Yes | Yes | No | Yes | Yes | Yes
AWS IoT Things Graph | Yes | No | No | No | Yes | No
Fleet Hub for AWS IoT Device Management | Yes | Yes | No | Yes | Yes | No
FreeRTOS | Yes | Yes | No | Yes | Yes | No

¹ Devices connected to AWS IoT are authenticated by using X.509 certificates or using Amazon Cognito Identities. You can attach AWS IoT policies to an X.509 certificate or Amazon Cognito Identity to control what the device is authorized to do. For more information, see Security and Identity for AWS IoT in the AWS IoT Developer Guide.


Robotics services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
RoboMaker | Yes | Yes | No | Yes | Yes | Yes

Quantum computing services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon Braket | Yes | Yes | No | Yes | Yes | Yes

Blockchain services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon Managed Blockchain | Yes | Yes | No | Yes | Yes | No

Game development services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon GameLift | Yes | Yes | No | Yes | Yes | No

AR & VR services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon Sumerian | Yes | Yes | No | No | Yes | No

Customer enablement services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS IQ | Yes | No | No | No | Yes | No
AWS IQ Permissions | No | No | No | No | Yes | No
AWS Support | Yes | No | No | No | Yes | Yes

Customer engagement services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon AppIntegrations | Yes | Yes | No | Yes | Yes | No
Amazon Connect | Yes | Yes | No | Yes | Yes | Yes
Amazon Connect Customer Profiles | Yes | Yes | No | Yes | Yes | No
Amazon Pinpoint | Yes | Yes | No | Yes | Yes | No
Amazon Pinpoint Email Service | Yes | Yes | No | Yes | Yes | No
Amazon Pinpoint SMS and Voice Service | Yes | No | No | No | Yes | No
Amazon Simple Email Service (Amazon SES) | Yes | Partial¹ | Yes | Yes | Partial² | No

¹ You can only use resource-level permissions in policy statements that refer to actions related to sending email, such as ses:SendEmail or ses:SendRawEmail. For policy statements that refer to any other actions, the Resource element can only contain *.

² Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.


End user computing services

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
Amazon AppStream | Yes | No | No | No | Yes | No
Amazon AppStream 2.0 | Yes | Yes | No | Yes | Yes | No
Amazon WAM | Yes | No | No | No | Yes | No
Amazon WorkDocs | Yes | No | No | No | Yes | No
Amazon WorkLink | Yes | Yes | No | Yes | Yes | Yes
Amazon WorkSpaces | Yes | Yes | No | Yes | Yes | No

Additional resources

Service | Actions | Resource-level permissions | Resource-based policies | Authorization based on tags | Temporary credentials | Service-linked roles
---|---|---|---|---|---|---
AWS Activate | Yes | No | No | No | Yes | No
AWS Billing and Cost Management | Yes | No | No | No | Yes | No
AWS Budget Service | Yes | Yes | No | No | No | No
AWS Cost and Usage Report | Yes | Yes | No | No | Yes | No
AWS Cost Explorer | Yes | No | No | No | Yes | No
AWS Marketplace | Yes | No | No | No | Yes | No
AWS Marketplace Catalog | Yes | Yes | No | No | Yes | No
AWS Marketplace Commerce Analytics Service | Yes | No | No | No | No | No
AWS Private Marketplace | Yes | No | No | No | No | No
AWS Savings Plans | Yes | Yes | No | Yes | Yes | No

This post is licensed under CC BY 4.0 by the author.