Actions, resources, and condition keys for AWS services
Each AWS service can define API operations, actions, resources, and condition context keys for use in IAM policies. This topic describes how the elements provided for each service are documented.
Each topic consists of tables that provide the list of available operations, actions, resources, and condition keys.
The operations table
The Operations table lists the API operations defined by the service and maps each one to the IAM actions that authorize it. A single operation can authorize more than one IAM action. Some services do not yet have an operations table. This does not mean there are no operations for that service. This table does not yet include actions that downstream services authorize through forward access sessions.
-
The Operation column lists the name of the API operation. When an operation authorizes multiple actions, the operation name spans the rows for all of its authorized actions.
-
The IAM action column lists each IAM action authorized by the operation, in the form
service:ActionName. When the action belongs to the same service as the operation, the entry links to that action's row in the Actions table on the same page. When the action belongs to a different service, the entry links to that service's authorization reference page. -
The Condition key and Possible value(s) columns list only the condition keys that this operation sets to a fixed, known value when it authorizes this action, along with the value it sets. This is not the full set of condition keys that may be available during authorization. The keys shown are the ones with values determined statically by the API itself. For the full set of condition keys supported by the action, see the Actions table and the Condition keys table on the same page.
-
The Access level column shows the access level classification of the authorized action. For more information about access levels, see Understanding access level summaries within policy summaries.
The actions table
The Actions table lists all the actions that you can use in an
IAM policy statement's Action element. Some services include
permission-only actions that don't directly correspond to an API operation. These
actions are listed in a separate Permission-only actions table on
the same page. Use these tables to determine which actions you can use in an IAM policy.
For more information about the Action, Resource, or
Condition elements, see IAM
JSON policy elements reference. The Actions and
Description table columns are self-descriptive.
-
The Access level column describes how the action is classified (List, Read, Write, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see Understanding access level summaries within policy summaries.
-
The Resource types column indicates whether the action supports resource-level permissions. If the column is empty, then the action does not support resource-level permissions and you must specify all resources ("*") in your policy. If the column includes a resource type, then you can specify the resource ARN in the
Resourceelement of your policy. For more information about that resource, refer to that row in the Resource types table. All actions and resources that are included in one statement must be compatible with each other. If you specify a resource that is not valid for the action, any request to use that action fails, and the statement'sEffectdoes not apply.Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
-
The Condition keys column includes keys that you can specify in a policy statement's
Conditionelement. Condition keys might be supported with an action, or with an action and a specific resource. Pay close attention to whether the key is in the same row as a specific resource type. This table does not include global condition keys that are available for any action or under unrelated circumstances. For more information about global condition keys, see AWS global condition keys.
The resource types table
The Resource types table lists all the resource types that you
can specify as an ARN in the Resource policy element. Not every resource
type can be specified with every action. Some resource types work with only certain
actions. For more
information about the Resource element, see IAM JSON policy elements: Resource.
-
The ARN column specifies the Amazon Resource Name (ARN) format that you must use to reference resources of this type. The portions that are preceded by a $ must be replaced by the actual values for your scenario. For example, if you see
$user-namein an ARN, you must replace that string with either the actual user's name or a policy variable that contains a user's name. For more information about ARNs, see IAM ARNs. -
The Condition keys column specifies condition context keys that you can include in an IAM policy statement only when both this resource and a supporting action from the table above are included in the statement.
The condition keys table
The condition keys table lists all of the condition keys
that you can use in an IAM policy statement's Condition element. Not
every key can be specified with every action or resource. Certain keys only work with
certain types of actions and resources. For more information about the
Condition element, see IAM JSON policy elements: Condition.
-
The Type column specifies the data type of the condition key. This data type determines which condition operators you can use to compare values in the request with the values in the policy statement. You must use an operator that is appropriate for the data type. If you use an incorrect operator, then the match always fails and the policy statement never applies.
If the Type column specifies "ArrayOf.." one of the simple types, then you must use multivalued set operators in your policies. Use the
ForAllValuesprefix to specify that all values in the request must match a value in the policy statement. Use theForAnyValueprefix to specify that at least one value in the request matches one of the values in the policy statement.
Topics
AWS Application Transformation Service (application-transformation)
AWS CodeDeploy secure host commands service (codedeploy-commands-secure)
AWS Elemental Appliances and Software (elemental-appliances-software)
AWS Elemental Appliances and Software Activation Service (elemental-activations)
AWS Identity and Access Management Roles Anywhere (rolesanywhere)
AWS License Manager Linux Subscriptions Manager (license-manager-linux-subscriptions)
AWS License Manager User Subscriptions (license-manager-user-subscriptions)
AWS Migration Hub Strategy Recommendations (migrationhub-strategy)
AWS Partner central account management (partnercentral-account-management)
AWS Private CA Connector for Active Directory (pca-connector-ad)
AWS reInvent event pass amount charge to customer AWS account (eventsbilltoaws)
AWS service providing managed private networks (private-networks)
AWS Shield network security director (network-security-director)
AWS Systems Manager Incident Manager Contacts (ssm-contacts)
AWS Billing And Cost Management Data Exports (bcm-data-exports)
AWS Billing And Cost Management Pricing Calculator (bcm-pricing-calculator)
AWS Billing And Cost Management Recommended Actions (bcm-recommended-actions)
AWS Marketplace Commerce Analytics Service (marketplacecommerceanalytics)
AWS Marketplace Management Portal (aws-marketplace-management)
AWS Marketplace Procurement Systems Integration (aws-marketplace)
Amazon Application Recovery Controller - Zonal Shift (arc-zonal-shift)
Amazon CloudWatch Application Insights (applicationinsights)
Amazon CloudWatch Application Signals MCP Server (application-signals-mcp)
Amazon CloudWatch Network Synthetic Monitor (networkmonitor)
Amazon CloudWatch Observability Admin Service (observabilityadmin)
Amazon Route 53 Recovery Controls (route53-recovery-control-config)
Amazon Route 53 Recovery Readiness (route53-recovery-readiness)
Amazon SageMaker data science assistant (sagemaker-data-science-assistant)
Amazon SageMaker geospatial capabilities (sagemaker-geospatial)
Amazon SageMaker Unified Studio MCP (sagemaker-unified-studio-mcp)