

# Using AWS Identity and Access Management Access Analyzer
<a name="what-is-access-analyzer"></a>

AWS Identity and Access Management Access Analyzer provides the following capabilities:
+ IAM Access Analyzer external access analyzers help [identify resources](#what-is-access-analyzer-resource-identification) in your organization and accounts that are shared with an external entity.
+ IAM Access Analyzer internal access analyzers help [identify internal access to selected resources](#what-is-access-analyzer-internal-access-analysis) in your organization and accounts.
+ IAM Access Analyzer unused access analyzers help [identify unused access](#what-is-access-analyzer-unused-access-analysis) in your organization and accounts.
+ IAM Access Analyzer [validates IAM policies](#what-is-access-analyzer-policy-validation) against policy grammar and AWS best practices.
+ IAM Access Analyzer custom policy checks help [validate IAM policies against your specified security standards](#what-is-access-analyzer-policy-checks).
+ IAM Access Analyzer [generates IAM policies](#what-is-access-analyzer-policy-generation) based on access activity in your AWS CloudTrail logs.

## Identifying resources shared with an external entity
<a name="what-is-access-analyzer-resource-identification"></a>

IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. For each instance of a resource shared outside of your account, IAM Access Analyzer generates a finding. Each finding includes information about the access granted and the external principal that holds it. You can review findings to determine whether the access is intended and safe or unintended and a security risk. In addition to helping you identify resources shared with an external entity, you can use IAM Access Analyzer findings to preview how your policy affects public and cross-account access to your resource before deploying resource permissions. The findings are organized in a visual summary dashboard. The dashboard highlights the split between public and cross-account access findings, and provides a breakdown of findings by resource type. To learn more about the dashboard, see [View the IAM Access Analyzer findings dashboard](access-analyzer-dashboard.md).

**Note**  
An external entity can be another AWS account, a root user, an IAM user or role, a federated user, an anonymous user, or another entity that you can use to create a filter. For more information, see [AWS JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html).

When you enable IAM Access Analyzer, you create an analyzer for your entire organization or your account. The organization or account you choose is known as the zone of trust for the analyzer. The analyzer monitors all of the [supported resources](access-analyzer-resources.md) within your zone of trust. Any access to resources by principals within your zone of trust is considered trusted. Once enabled, IAM Access Analyzer analyzes the policies applied to all of the supported resources in your zone of trust. After the first analysis, IAM Access Analyzer analyzes these policies periodically. If you add a new policy or change an existing policy, IAM Access Analyzer analyzes the new or updated policy within about 30 minutes.

When analyzing the policies, if IAM Access Analyzer identifies one that grants access to an external principal that isn't within your zone of trust, it generates a finding. Each finding includes details about the resource, the external entity with access to it, and the permissions granted so that you can take appropriate action. You can view the details included in the finding to determine whether the resource access is intentional or a potential risk that you should resolve. When you add a policy to a resource, or update an existing policy, IAM Access Analyzer analyzes the policy. IAM Access Analyzer also analyzes all resource-based policies periodically.

On rare occasions, IAM Access Analyzer does not receive notification of an added or updated policy, which delays the resulting findings. IAM Access Analyzer can take up to 6 hours to generate or resolve findings when you create or delete a multi-region access point associated with an Amazon S3 bucket, or update the policy for the multi-region access point. Likewise, if AWS CloudTrail log delivery is delayed, or the change is to a resource control policy (RCP) restriction, the policy change does not trigger a rescan of the resource reported in the finding. In these cases IAM Access Analyzer analyzes the new or updated policy during the next periodic scan, which occurs within 24 hours. To confirm that a change you make to a policy resolves an access issue reported in a finding, rescan the resource by using the **Rescan** link on the **Findings** details page, or by calling the [StartResourceScan](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_StartResourceScan.html) operation of the IAM Access Analyzer API. To learn more, see [Resolve IAM Access Analyzer findings](access-analyzer-findings-remediate.md).

**Important**  
For external access, IAM Access Analyzer analyzes only policies applied to resources in the same AWS Region where it's enabled. To monitor all resources in your AWS environment, you must create an external access analyzer to enable IAM Access Analyzer in each Region where you're using supported AWS resources.  
For unused access, findings for the analyzer do not change based on Region. Creating an unused access analyzer in each Region where you have resources is not required.

IAM Access Analyzer analyzes the following resource types for external access:
+ [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
+ [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
+ [AWS Identity and Access Management roles](access-analyzer-resources.md#access-analyzer-iam-role)
+ [AWS Key Management Service keys](access-analyzer-resources.md#access-analyzer-kms-key)
+ [AWS Lambda functions and layers](access-analyzer-resources.md#access-analyzer-lambda)
+ [Amazon Simple Queue Service queues](access-analyzer-resources.md#access-analyzer-sqs)
+ [AWS Secrets Manager secrets](access-analyzer-resources.md#access-analyzer-secrets-manager)
+ [Amazon Simple Notification Service topics](access-analyzer-resources.md#access-analyzer-sns)
+ [Amazon Elastic Block Store volume snapshots](access-analyzer-resources.md#access-analyzer-ebs)
+ [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
+ [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
+ [Amazon Elastic Container Registry repositories](access-analyzer-resources.md#access-analyzer-ecr)
+ [Amazon Elastic File System file systems](access-analyzer-resources.md#access-analyzer-efs)
+ [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
+ [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

## Identifying internal access to business-critical resources
<a name="what-is-access-analyzer-internal-access-analysis"></a>

For your selected business-critical resources, IAM Access Analyzer helps you identify which principals within your organization or account have access to them. This analysis supports implementing the principle of least privilege by ensuring that your specified resources can only be accessed by the intended principals within your organization.

Internal access analysis helps you:
+ Determine which IAM users or roles within your account or organization can access your specified resources
+ Understand access paths between principals and resources within your AWS environment
+ Verify that your access controls are working as intended
+ Review findings to determine if the access is intended and safe or if the access is unintended and presents a security risk
+ Identify and remediate unintended access within your organization

IAM Access Analyzer analyzes the following resource types for internal access:
+ [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
+ [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
+ [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
+ [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
+ [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
+ [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

## Identifying unused access granted to IAM users and roles
<a name="what-is-access-analyzer-unused-access-analysis"></a>

IAM Access Analyzer helps you identify and review unused access in your AWS organization and accounts. IAM Access Analyzer continuously monitors all IAM roles and users in your AWS organization and accounts and generates findings for unused access. The findings highlight unused roles, unused access keys for IAM users, and unused passwords for IAM users. For active IAM roles and users, the findings provide visibility into unused services and actions.

IAM Access Analyzer reviews last accessed information for all roles in your AWS organization and accounts to help you identify unused access. IAM action last accessed information helps you identify unused actions for roles in your AWS accounts. For more information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).

The findings for external, internal, and unused access analyzers are organized into a visual summary dashboard. The dashboard highlights your AWS resources and AWS accounts that have the most findings and provides a breakdown of findings by type. For more information about the dashboard, see [View the IAM Access Analyzer findings dashboard](access-analyzer-dashboard.md).

## Validating policies against AWS best practices
<a name="what-is-access-analyzer-policy-validation"></a>

You can validate your policies against IAM [policy grammar](reference_policies_grammar.md) and [AWS best practices](best-practices.md) using the basic policy checks provided by IAM Access Analyzer policy validation. You can create or edit a policy using the AWS CLI, AWS API, or JSON policy editor in the IAM console. You can view policy validation check findings that include security warnings, errors, general warnings, and suggestions for your policy. These findings provide actionable recommendations that help you author policies that are functional and conform to AWS best practices. To learn more about validating policies using policy validation, see [Validate policies with IAM Access Analyzer](access-analyzer-policy-validation.md).

## Validating policies against your specified security standards
<a name="what-is-access-analyzer-policy-checks"></a>

You can validate your policies against your specified security standards using IAM Access Analyzer custom policy checks. You can create or edit a policy using the AWS CLI, AWS API, or JSON policy editor in the IAM console. Through the console, you can check whether your updated policy grants new access compared to the existing version. Through the AWS CLI and AWS API, you can also check that specific IAM actions you consider critical are not allowed by a policy. These checks highlight the policy statement that grants the new or critical access. You can update the policy statement and re-run the checks until the policy conforms to your security standard. To learn more about validating policies using custom policy checks, see [Validate policies with IAM Access Analyzer custom policy checks](access-analyzer-custom-policy-checks.md).
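The following Python script is an added example and is not part of the AWS documentation or the service's own code. It shows how the two CLI/API checks described above are wired into a pipeline gate with boto3: `check_no_new_access` compares a proposed policy with the existing version, and `check_access_not_granted` confirms that a list of critical actions is not allowed. The two policies, the critical action list and the report formatting are constructed for this example; the API calls require AWS credentials and are billed per request, as described in the pricing section of this page.

```python
import json

# Constructed policies: the deployed version and a proposed change that widens it.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadReports", "Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}],
}
NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadReports", "Effect": "Allow", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}],
}

# Actions this example treats as critical; pick your own list for a real gate.
CRITICAL_ACTIONS = ["s3:DeleteBucket", "s3:PutBucketPolicy", "iam:PassRole"]

def summarize_check(name, response):
    """Reduce a CheckNoNewAccess / CheckAccessNotGranted response to (passed, report).

    Both operations return `result` ("PASS" or "FAIL") and `message`; on FAIL a
    `reasons` list names the offending statement by `statementId` / `statementIndex`.
    """
    passed = response.get("result") == "PASS"
    lines = [f"{name}: {response.get('result')} - {response.get('message', '')}"]
    for reason in response.get("reasons", []):
        where = reason.get("statementId") or f"statement #{reason.get('statementIndex')}"
        lines.append(f"  {where}: {reason.get('description')}")
    return passed, "\n".join(lines)

def gate(results):
    """A change is mergeable only when every check passed."""
    return all(passed for passed, _ in results.values())

def run_checks(existing_policy, new_policy, critical_actions=CRITICAL_ACTIONS,
               policy_type="IDENTITY_POLICY", client=None):
    """Run both checks against the live API (needs credentials; each call is billed)."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    client = client or boto3.client("accessanalyzer")
    results = {}
    response = client.check_no_new_access(
        newPolicyDocument=json.dumps(new_policy),
        existingPolicyDocument=json.dumps(existing_policy),
        policyType=policy_type)
    results["no_new_access"] = summarize_check("CheckNoNewAccess", response)
    response = client.check_access_not_granted(
        policyDocument=json.dumps(new_policy),
        access=[{"actions": critical_actions}],
        policyType=policy_type)
    results["access_not_granted"] = summarize_check("CheckAccessNotGranted", response)
    return results

if __name__ == "__main__":
    import sys
    results = run_checks(EXISTING_POLICY, NEW_POLICY)
    for _, report in results.values():
        print(report)
    sys.exit(0 if gate(results) else 1)  # a non-zero exit code fails the pipeline stage
```

For a resource-based policy pass `policy_type="RESOURCE_POLICY"`. With the constructed policies above, both checks fail: `s3:*` is new access relative to the existing version, and it also covers `s3:DeleteBucket` and `s3:PutBucketPolicy` from the critical list.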

## Generating policies
<a name="what-is-access-analyzer-policy-generation"></a>

IAM Access Analyzer analyzes your AWS CloudTrail logs to identify actions and services that have been used by an IAM entity (user or role) within your specified date range. It then generates an IAM policy that is based on that access activity. You can use the generated policy to refine an entity's permissions by attaching it to an IAM user or role. To learn more about generating policies using IAM Access Analyzer, see [IAM Access Analyzer policy generation](access-analyzer-policy-generation.md).
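The following Python is an added example and not AWS code; it shows the idea behind policy generation on a handful of constructed CloudTrail records. It selects the records for one IAM entity inside a date range, maps each `eventSource`/`eventName` pair to an IAM `service:Action`, and emits one Allow statement per service. The sample records and the small service-prefix override table are constructed; the service's own mapping from CloudTrail events to IAM actions is more complete than the one-line rule used here, and the `Resource` element is left as `*` for you to narrow by hand.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

APP_ROLE = "arn:aws:iam::111122223333:role/app-role"

def _assumed(arn):
    return {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": arn}}}

# Constructed CloudTrail records, trimmed to the fields this example reads.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-02T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": _assumed(APP_ROLE)},
    {"eventTime": "2024-05-02T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": _assumed(APP_ROLE)},
    {"eventTime": "2024-05-03T08:00:00Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "PutMetricData", "userIdentity": _assumed(APP_ROLE)},
    {"eventTime": "2024-05-03T08:01:00Z", "eventSource": "sts.amazonaws.com",   # another entity
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-03-01T00:00:00Z", "eventSource": "kms.amazonaws.com",   # outside the window
     "eventName": "Decrypt", "userIdentity": _assumed(APP_ROLE)},
]

# eventSource hosts whose IAM service prefix is not the host's first label (constructed, not exhaustive).
SERVICE_PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}

def iam_service_prefix(event_source):
    return SERVICE_PREFIX_OVERRIDES.get(event_source, event_source.split(".")[0])

def entity_arn(user_identity):
    """The IAM entity behind a record: the issuing role for an assumed-role session, else the user ARN."""
    if user_identity.get("type") == "AssumedRole":
        return user_identity["sessionContext"]["sessionIssuer"]["arn"]
    return user_identity.get("arn")

def collect_usage(records, entity, start, end):
    """Map service prefix -> set of action names the entity used inside [start, end]."""
    used = defaultdict(set)
    for record in records:
        when = datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))
        if not (start <= when <= end) or entity_arn(record["userIdentity"]) != entity:
            continue
        used[iam_service_prefix(record["eventSource"])].add(record["eventName"])
    return used

def build_policy(used):
    """One Allow statement per service, actions sorted so repeated runs diff cleanly."""
    statements = [{"Sid": f"{service.capitalize()}Access", "Effect": "Allow",
                   "Action": sorted(f"{service}:{action}" for action in actions),
                   "Resource": "*"}   # narrow to the ARNs actually used before attaching
                  for service, actions in sorted(used.items())]
    return {"Version": "2012-10-17", "Statement": statements}

def generate_policy(records, entity, start, end):
    return build_policy(collect_usage(records, entity, start, end))

DEMO_WINDOW = (datetime(2024, 5, 1, tzinfo=timezone.utc), datetime(2024, 5, 31, tzinfo=timezone.utc))

def demo():
    return generate_policy(SAMPLE_RECORDS, APP_ROLE, *DEMO_WINDOW)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints a two-statement policy for `app-role`: `cloudwatch:PutMetricData` and `s3:GetObject`/`s3:PutObject`. The `kms:Decrypt` record falls outside the window and the `sts:AssumeRole` record belongs to a different entity, so neither appears.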

## Pricing for IAM Access Analyzer
<a name="what-is-access-analyzer-pricing"></a>

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per analyzer per month.
+ You will be charged for each unused access analyzer that you create.
+ Creating unused access analyzers across multiple Regions will result in you being charged for each analyzer.
+ Service-linked roles aren't analyzed for unused access activity and they aren't included in the total number of IAM roles analyzed.

IAM Access Analyzer charges for internal access analysis based on the number of resources monitored per internal access analyzer per month.

IAM Access Analyzer charges for custom policy checks based on the number of API requests made to IAM Access Analyzer to check for new access.

For a complete list of charges and prices for IAM Access Analyzer, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

To see your bill, go to the **Billing and Cost Management Dashboard** in the [AWS Billing and Cost Management console](https://console.aws.amazon.com/billing/). Your bill contains links to usage reports that provide details about your bill. To learn more about AWS account billing, see the [AWS Billing User Guide](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/).

If you have questions concerning AWS billing, accounts, and events, [contact Support](https://aws.amazon.com/contact-us/).

# IAM Access Analyzer findings
<a name="access-analyzer-findings"></a>

IAM Access Analyzer generates findings for external access, internal access, and unused access in your AWS account or organization.

For external access, IAM Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. When you create an external access analyzer, you choose an organization or AWS account to analyze. Any principal in the organization or account that you choose for the analyzer is considered trusted. Because principals in the same organization or account are trusted, the resources and principals within the organization or account comprise the zone of trust for the analyzer. Any sharing that is within the zone of trust is considered safe, so IAM Access Analyzer does not generate a finding. For example, if you select an organization as the zone of trust for an analyzer, all resources and principals in the organization are within the zone of trust. If you grant permissions to an Amazon S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding.
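The zone-of-trust rule in the paragraph above, and the overview of external access findings earlier on this page, can be illustrated with a small local model. The following Python example is added here and is not AWS code: it classifies each principal in a constructed bucket policy as trusted, cross-account or public against a constructed organization ID and member account IDs, and emits one finding per Allow statement that reaches outside the zone. It treats a `*` principal that is pinned to the zone's organization with `aws:PrincipalOrgID` as trusted and does not report service principals, matching the behaviour described on this page; the real analyzer uses Zelkova, weighs many more condition keys and covers every supported resource type, so this is a teaching model rather than a substitute for the service.

```python
import re

# Constructed zone of trust: an organization ID and two member account IDs (placeholders).
ZONE_OF_TRUST = {"org": "o-exampleorgid", "accounts": {"111122223333", "222233334444"}}

# Constructed S3 bucket policy covering each principal case described in the text.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "MemberAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222233334444:role/etl"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OtherOrg", "Effect": "Allow", "Principal": {"AWS": "444455556666"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "WholeOrg", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "Anyone", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Sid": "DenyIsNotSharing", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/secret/*"},
    ],
}

ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")

def as_list(value):
    return value if isinstance(value, list) else [value]

def principal_entries(principal):
    """Flatten a Principal element into (kind, value) pairs; a bare "*" means {"AWS": "*"}."""
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, v) for kind, values in principal.items() for v in as_list(values)]

def account_of(value):
    """Account ID from a bare 12-digit ID or an IAM/STS ARN, else None."""
    if re.fullmatch(r"\d{12}", value):
        return value
    match = ARN_ACCOUNT.match(value)
    return match.group(1) if match else None

def classify_principal(kind, value, condition, zone):
    """Return 'trusted', 'public' or 'external' for one principal entry."""
    if kind == "Service":
        return "trusted"        # AWS service principals are not reported as external
    if kind == "AWS" and value == "*":
        org_ids = as_list(condition.get("StringEquals", {}).get("aws:PrincipalOrgID", []))
        return "trusted" if zone["org"] in org_ids else "public"
    if kind == "AWS":
        return "trusted" if account_of(value) in zone["accounts"] else "external"
    return "external"           # Federated, CanonicalUser, ...: never inside the zone

def find_external_access(policy, zone):
    """One finding per (Allow statement, principal) pair that reaches outside the zone."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue            # only an Allow statement can share the resource
        condition = stmt.get("Condition", {})
        for kind, value in principal_entries(stmt["Principal"]):
            verdict = classify_principal(kind, value, condition, zone)
            if verdict != "trusted":
                findings.append({"statementId": stmt.get("Sid", f"#{index}"),
                                 "principal": {kind: value},
                                 "isPublic": verdict == "public",
                                 "actions": as_list(stmt["Action"]),
                                 "condition": condition})
    return findings

if __name__ == "__main__":
    for finding in find_external_access(SAMPLE_BUCKET_POLICY, ZONE_OF_TRUST):
        kind = "PUBLIC" if finding["isPublic"] else "cross-account"
        print(f"{finding['statementId']}: {kind} {finding['principal']} {finding['actions']}")
```

Running the module prints two findings: a cross-account finding for account 444455556666 and a public finding for the `Anyone` statement. The `MemberAccount` and `WholeOrg` statements stay inside the zone, and the `Deny` statement produces nothing, because a deny never shares a resource.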

For internal access, IAM Access Analyzer generates findings when there is a possible access path between an IAM role or user within your organization and your specified resources. Similar to external access analysis, the scope you choose (organization or account) determines what is considered internal. If you select an organization as the scope, IAM Access Analyzer will generate findings for access paths between principals and resources within your organization. If you select an account, findings will be generated for access paths within that specific account. IAM Access Analyzer uses automated reasoning to evaluate all IAM policies to monitor who has access to your resources.

The combination of external and internal access findings with the same zone of trust provides a comprehensive analysis of all possible access to a particular resource, both from within and outside your defined trust boundary.

For unused access, IAM Access Analyzer generates findings for unused access granted in your AWS organization and accounts. When you create an unused access analyzer, IAM Access Analyzer continuously monitors all IAM roles and users in your AWS organization and accounts and generates findings for unused access. IAM Access Analyzer generates the following types of findings for unused access:
+ **Unused roles** – Roles with no access activity within the specified usage window.
+ **Unused IAM user access keys and passwords** – Credentials belonging to IAM users that have not been used to access your AWS account in the specified usage window.
+ **Unused permissions** – Service-level and action-level permissions that weren't used by a role within the specified usage window. IAM Access Analyzer uses identity-based policies attached to roles to determine the services and actions that those roles can access. IAM Access Analyzer supports review of unused permissions for all service-level permissions. For a complete list of action-level permissions that are supported for unused access findings, see [IAM action last accessed information services and actions](access_policies_last-accessed-action-last-accessed.md).

**Note**  
IAM Access Analyzer offers external access findings for free. There are charges for unused access findings based on the number of IAM roles and users analyzed per analyzer per month. There are also charges for internal access findings based on the number of AWS resources monitored per analyzer per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Topics**
+ [Understand how IAM Access Analyzer findings work](access-analyzer-concepts.md)
+ [Getting started with AWS Identity and Access Management Access Analyzer](access-analyzer-getting-started.md)
+ [View the IAM Access Analyzer findings dashboard](access-analyzer-dashboard.md)
+ [Review IAM Access Analyzer findings](access-analyzer-findings-view.md)
+ [Filter IAM Access Analyzer findings](access-analyzer-findings-filter.md)
+ [Archive IAM Access Analyzer findings](access-analyzer-findings-archive.md)
+ [Resolve IAM Access Analyzer findings](access-analyzer-findings-remediate.md)
+ [IAM Access Analyzer error findings](access-analyzer-error-findings.md)
+ [IAM Access Analyzer supported resource types for external and internal access](access-analyzer-resources.md)
+ [Delegated administrator for IAM Access Analyzer](access-analyzer-delegated-administrator.md)
+ [Archive rules](access-analyzer-archive-rules.md)
+ [Monitoring AWS Identity and Access Management Access Analyzer with Amazon EventBridge](access-analyzer-eventbridge.md)
+ [Integrate IAM Access Analyzer with AWS Security Hub CSPM](access-analyzer-securityhub-integration.md)
+ [Logging IAM Access Analyzer API calls with AWS CloudTrail](logging-using-cloudtrail.md)
+ [IAM Access Analyzer filter keys](access-analyzer-reference-filter-keys.md)
+ [Using service-linked roles for AWS Identity and Access Management Access Analyzer](access-analyzer-using-service-linked-roles.md)

# Understand how IAM Access Analyzer findings work
<a name="access-analyzer-concepts"></a>

This topic describes the concepts and terms that are used in IAM Access Analyzer to help you become familiar with how IAM Access Analyzer monitors access to your AWS resources.

## External access findings
<a name="access-analyzer-work-with-findings-external"></a>

External access findings are generated only once for each instance of a resource that is shared outside of your zone of trust. Each time a resource-based policy is modified, IAM Access Analyzer analyzes the policy. If the updated policy shares a resource that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the resource sharing. Changes to a resource control policy that impact the **Resource control policy (RCP) restriction** also generate a new finding. IAM Access Analyzer also evaluates access control configurations established by [declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html). If the access in the first finding is removed, that finding is updated to a status of **Resolved**.

The status of all findings remains **Active** until you archive them or remove the access that generated the finding. When you remove the access, the finding status is updated to **Resolved**.

**Note**  
It may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then update the external access finding. Changes to a resource control policy (RCP) do not trigger a rescan of the resource reported in the finding. IAM Access Analyzer analyzes the new or updated policy during the next periodic scan, which is within 24 hours.

## How IAM Access Analyzer generates findings for external access
<a name="access-analyzer-concepts-external"></a>

AWS Identity and Access Management Access Analyzer uses a technology called [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/) to analyze IAM policies and identify external access to resources.

Zelkova translates IAM policies into equivalent logical statements and runs them through a suite of general-purpose and specialized logical solvers (satisfiability modulo theories). IAM Access Analyzer applies Zelkova repeatedly to a policy, using increasingly specific queries to characterize the types of access the policy allows based on its content. For more information about satisfiability modulo theories, see [Satisfiability Modulo Theories](https://people.eecs.berkeley.edu/~sseshia/pubdir/SMT-BookChapter.pdf).

For external access analyzers, IAM Access Analyzer does not examine access logs to determine whether an external entity has actually accessed a resource within your zone of trust. Instead, it generates a finding when a resource-based policy allows access to a resource, regardless of whether the resource was accessed by the external entity.

Additionally, IAM Access Analyzer does not consider the state of any external accounts when making its determinations. If it indicates that account 111122223333 can access your Amazon S3 bucket, it doesn't have any information about the users, roles, service control policies (SCP), or other relevant configurations in that account. This is for customer privacy, as IAM Access Analyzer doesn't know who owns the other account. This is also for security, as it's important to know about potential external access even if there are currently no active principals that can use it.

IAM Access Analyzer only considers certain IAM condition keys that external users can't directly influence or that are otherwise impactful to authorization. For examples of condition keys IAM Access Analyzer considers, see [IAM Access Analyzer filter keys](access-analyzer-reference-filter-keys.md).

IAM Access Analyzer doesn't currently report findings from AWS service principals or internal service accounts. In rare cases where it can't fully determine whether a policy statement grants access to an external entity, it errs on the side of declaring a false positive finding. This is because IAM Access Analyzer is designed to provide a comprehensive view of the resource sharing in your account and to minimize false negatives.

## Internal access findings
<a name="access-analyzer-work-with-findings-internal"></a>

To use internal access analysis, you must first configure the analyzer by selecting the specific resources you want to monitor. Once configured, internal access findings are generated when a principal (IAM user or role) within your organization or account has access to your selected resources. A new finding is generated the next time the analyzer scans the specified resources and identifies a principal that has access to the resources. If an updated policy allows a principal that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the principal and resource. This updated policy could be a resource-based policy, identity-based policy, service control policy (SCP), or resource control policy (RCP). IAM Access Analyzer also evaluates access control configurations established by [declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html). 

**Note**  
Internal access findings are only available using the [ListFindingsV2](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindingsV2.html) API action.

## How IAM Access Analyzer generates findings for internal access
<a name="access-analyzer-concepts-internal"></a>

To analyze internal access, you must create a separate analyzer for internal access findings for your resources, even if you’ve already created an analyzer to generate external access findings or unused access findings.

After creating the internal access analyzer, IAM Access Analyzer evaluates all resource-based policies, identity-based policies, service control policies (SCPs), resource control policies (RCPs), and permissions boundaries within your specified account or organization.

By creating an analyzer dedicated to internal access to your selected resources, you can identify:
+ When a principal in your organization or account can access your selected resources
+ The total effective permissions allowed for a principal based on the intersection of all applicable policies
+ Complex access paths where a principal gains access based on the combination of identity policies and resource policies
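The list above names the policy types an internal access analyzer combines. The following Python is an added example, not AWS code, that evaluates one request across those policy types on a constructed organization the way IAM does: an explicit deny anywhere wins; SCPs, RCPs and a permissions boundary act as guardrails that must allow when they are in force; then an identity policy or the resource policy must allow for a same-account principal, and both must allow for a cross-account principal. It then lists every constructed role that can reach the resource together with the access path. Condition elements, `NotAction`/`NotResource`, session policies and account-root principals are left out; the real analyzer reasons over all of them.

```python
from fnmatch import fnmatchcase

def as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(action, patterns):
    return any(fnmatchcase(action.lower(), p.lower()) for p in as_list(patterns))  # actions are case-insensitive

def resource_matches(arn, patterns):
    return any(fnmatchcase(arn, p) for p in as_list(patterns))

def statement_applies(stmt, principal_arn, action, target_arn):
    """Action, Resource and (for resource-based policies) Principal must all match; conditions are ignored."""
    if not action_matches(action, stmt.get("Action", [])):
        return False
    if not resource_matches(target_arn, stmt.get("Resource", "*")):
        return False
    if "Principal" not in stmt:
        return True                         # identity policies, SCPs and boundaries carry no Principal
    principal = stmt["Principal"]
    named = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
    return "*" in named or principal_arn in named

def evaluate(docs, principal_arn, action, target_arn):
    """'deny' if any applicable statement denies, 'allow' if any allows, else 'implicit'."""
    verdict = "implicit"
    for doc in docs:
        for stmt in doc["Statement"]:
            if statement_applies(stmt, principal_arn, action, target_arn):
                if stmt["Effect"] == "Deny":
                    return "deny"
                verdict = "allow"
    return verdict

def access_path(principal, resource, action, target_arn=None):
    """Policy types that grant the request, or [] when it is not allowed."""
    arn, target = principal["arn"], target_arn or resource["arn"]
    guardrails = {"scp": principal.get("scps", []), "rcp": resource.get("rcps", []),
                  "boundary": [principal["boundary"]] if principal.get("boundary") else []}
    layers = {name: evaluate(docs, arn, action, target) for name, docs in guardrails.items()}
    layers["identity"] = evaluate(principal.get("identity_policies", []), arn, action, target)
    layers["resource"] = evaluate([resource["policy"]] if resource.get("policy") else [], arn, action, target)
    if "deny" in layers.values():
        return []                           # explicit deny in any policy type wins
    if any(docs and layers[name] != "allow" for name, docs in guardrails.items()):
        return []                           # a guardrail is in force but does not allow the action
    grants = [name for name in ("identity", "resource") if layers[name] == "allow"]
    same_account = principal["account"] == resource["account"]
    return grants if (same_account and grants) or len(grants) == 2 else []

def internal_access_findings(principals, resource, action, target_arn=None):
    """Every principal that can perform `action`, with the policies that grant it."""
    found = []
    for principal in principals:
        path = access_path(principal, resource, action, target_arn)
        if path:
            found.append((principal["name"], path))
    return found

# Constructed organization: one SCP on every account, one bucket with a policy, five roles.
SCPS = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                       {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}]
PAYROLL_BUCKET = {
    "account": "111122223333", "arn": "arn:aws:s3:::payroll",
    "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                              "Principal": {"AWS": "arn:aws:iam::222233334444:role/partner-role"},
                              "Resource": "arn:aws:s3:::payroll/*"}]},
}

def make_role(name, account, actions, boundary=None):
    return {"name": name, "account": account, "arn": f"arn:aws:iam::{account}:role/{name}",
            "scps": SCPS, "boundary": boundary,
            "identity_policies": [{"Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}]}

PRINCIPALS = [
    make_role("admin-role", "111122223333", "s3:*"),
    make_role("reader-role", "111122223333", "s3:GetObject"),
    make_role("ci-role", "111122223333", "s3:*",
              boundary={"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}),
    make_role("partner-role", "222233334444", "s3:*"),   # cross-account, granted by the bucket policy
    make_role("intern-role", "222233334444", "s3:*"),    # cross-account, identity policy alone is not enough
]

def demo():
    return internal_access_findings(PRINCIPALS, PAYROLL_BUCKET, "s3:PutObject", "arn:aws:s3:::payroll/salaries.csv")

if __name__ == "__main__":
    for name, path in demo():
        print(f"{name} can s3:PutObject via {' + '.join(path)}")
```

Running the module reports `admin-role` (identity policy) and `partner-role` (identity policy plus bucket policy). `reader-role` has no matching identity grant, `ci-role` is stopped by its permissions boundary, and `intern-role` is cross-account without a bucket-policy grant. Asking the same model about `s3:DeleteBucket` returns nothing for every role, because the SCP denies it.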

**Note**  
IAM Access Analyzer cannot generate internal access findings for organizations that contain more than 70,000 principals (IAM users and roles combined).

## Unused access findings
<a name="access-analyzer-work-with-findings-unused"></a>

Unused access findings are generated for IAM entities (principals) within the selected account or organization based on the number of days specified while creating the analyzer. A new finding is generated the next time the analyzer scans the entities if one of the following conditions is met:
+ A role is inactive for the specified number of days.
+ An unused permission, unused user password, or unused user access key surpasses the specified number of days.

**Note**  
Unused access findings are only available using the [ListFindingsV2](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindingsV2.html) API action.

## How IAM Access Analyzer generates findings for unused access
<a name="access-analyzer-concepts-unused"></a>

To analyze unused access, you must create a separate analyzer for unused access findings for your roles, even if you’ve already created an analyzer to generate external or internal access findings for your resources.

After you create the unused access analyzer, IAM Access Analyzer reviews access activity to identify unused access: it examines the last accessed information for all IAM users, IAM roles (including service roles), user access keys, and user passwords across your AWS organization and accounts.

**Note**  
A [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) is a special type of service role that is linked to an AWS service and owned by the service. Service-linked roles are not analyzed by unused access analyzers.

For active IAM roles and users, IAM Access Analyzer uses last accessed information for IAM services and actions to identify unused permissions. This allows you to scale your review process at the AWS organization and account level. You can also use the action last accessed information for deeper investigation of individual roles. This provides more granular insights into which specific permissions are not being utilized.

By creating an analyzer dedicated to unused access, you can comprehensively review and identify unused access across your AWS environment, complementing the findings generated by your existing external access analyzer.

# Getting started with AWS Identity and Access Management Access Analyzer
<a name="access-analyzer-getting-started"></a>

Use the information in this topic to learn about the requirements necessary to use and manage AWS Identity and Access Management Access Analyzer.

## Permissions required to use IAM Access Analyzer
<a name="access-analyzer-permissions"></a>

To successfully configure and use IAM Access Analyzer, the account you use must be granted the required permissions. 

### AWS managed policies for IAM Access Analyzer
<a name="access-analyzer-permissions-awsmanpol"></a>

AWS Identity and Access Management Access Analyzer provides AWS managed policies to help you get started quickly.
+ [IAMAccessAnalyzerFullAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAccessAnalyzerFullAccess) - Allows full access to IAM Access Analyzer for administrators. This policy also allows creating the service-linked roles that are required to allow IAM Access Analyzer to analyze resources in your account or AWS organization.
+ [IAMAccessAnalyzerReadOnlyAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAccessAnalyzerReadOnlyAccess) - Allows read-only access to IAM Access Analyzer. You must add additional policies to your IAM identities (users, groups of users, or roles) to allow them to view their findings.

### Resources defined by IAM Access Analyzer
<a name="permission-resources"></a>

To view the resources defined by IAM Access Analyzer, see [Resource types defined by IAM Access Analyzer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html#awsiamaccessanalyzer-resources-for-iam-policies) in the *Service Authorization Reference*.

### Required IAM Access Analyzer service permissions
<a name="access-analyzer-permissions-service"></a>

IAM Access Analyzer uses a service-linked role (SLR) named `AWSServiceRoleForAccessAnalyzer`. This SLR grants the service read-only access to analyze AWS resources with resource-based policies and analyze unused access on your behalf. The service creates the role in your account in the following scenarios:
+ You create an external access analyzer with your account as the zone of trust.
+ You create an unused access analyzer with your account as the selected account.
+ You create an internal access analyzer with your account as the zone of trust.

For more information, see [Using service-linked roles for AWS Identity and Access Management Access Analyzer](access-analyzer-using-service-linked-roles.md).

**Note**  
IAM Access Analyzer is Regional. For external and internal access, you must enable IAM Access Analyzer in each Region independently.  
For unused access, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

In some cases, after you create an analyzer in IAM Access Analyzer, the **Findings** page or dashboard loads with no findings or summary. This might be due to a delay in the console for populating your findings. You might need to manually refresh the browser or check back later to view your findings or summary. If you still don't see any findings for an external access analyzer, it's because you have no supported resources in your account that can be accessed by an external entity. If a policy that grants access to an external entity is applied to a resource, IAM Access Analyzer generates a finding.

**Note**  
For external access analyzers, it may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then either generate a new finding or update an existing finding for the access to the resource.  
When you create an internal access analyzer, it might take several minutes or hours before findings are available. After the initial scan, IAM Access Analyzer automatically rescans all policies every 24 hours.  
For all types of access analyzers, updates for findings might not be reflected in the dashboard immediately.

### Required IAM Access Analyzer permissions to view the findings dashboard
<a name="access-analyzer-permissions-dashboard"></a>

To view the [IAM Access Analyzer findings dashboard](access-analyzer-dashboard.md), the account you use must be granted access to perform the following required actions:
+ [access-analyzer:GetAnalyzer](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetAnalyzer.html)
+ [access-analyzer:ListAnalyzers](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAnalyzers.html)
+ [access-analyzer:GetFindingsStatistics](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetFindingsStatistics.html)

To view all of the actions defined by IAM Access Analyzer, see [Actions defined by IAM Access Analyzer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html#awsiamaccessanalyzer-actions-as-permissions) in the *Service Authorization Reference*.

## IAM Access Analyzer status
<a name="access-analyzer-status"></a>

To view the status of your analyzers, choose **Analyzers**. Analyzers created for an organization or account can have the following status:


| Status | Description | 
| --- | --- | 
|  Active  |  For external and internal access analyzers, the analyzer is actively monitoring resources within its zone of trust. The analyzer actively generates new findings and updates existing findings. For unused access analyzers, the analyzer is actively monitoring unused access within the selected organization or AWS account in the specified tracking period. The analyzer actively generates new findings and updates existing findings.  | 
|  Creating  |  The creation of the analyzer is still in progress. The analyzer becomes active once creation is complete.  | 
|  Disabled  |  The analyzer is disabled due to an action taken by the AWS Organizations administrator, for example removing the analyzer’s account as the delegated administrator for IAM Access Analyzer. When the analyzer is in a disabled state, it does not generate new findings or update existing findings.  | 
|  Failed  |  The creation of the analyzer failed due to a configuration issue. The analyzer won't generate any findings. Delete the analyzer and create a new analyzer.  | 

# Create an IAM Access Analyzer external access analyzer
<a name="access-analyzer-create-external"></a>

To enable an external access analyzer in a Region, you must create an analyzer in that Region. You must create an external access analyzer in each Region in which you want to monitor access to your resources.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Create an external access analyzer with the AWS account as the zone of trust
<a name="access-analyzer-create-external-account"></a>

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - External access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Current account** as the zone of trust for the analyzer.
**Note**  
If your account is not the AWS Organizations management account or [delegated administrator](access-analyzer-delegated-administrator.md) account, you can create only one analyzer with your account as the zone of trust.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an external access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.

## Create an external access analyzer with the organization as the zone of trust
<a name="access-analyzer-create-external-organization"></a>

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - External access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Current organization** as the zone of trust for the analyzer.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Submit**.

When you create an external access analyzer with the organization as the zone of trust, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in each account of your organization.

# Manage an IAM Access Analyzer external access analyzer
<a name="access-analyzer-manage-external"></a>

To enable an external access analyzer in a Region, you must create an analyzer in that Region. You must create an external access analyzer in each Region in which you want to monitor access to your resources.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Update an external access analyzer
<a name="access-analyzer-manage-external-update"></a>

Use the following procedure to update an external access analyzer.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the external access analyzer to manage.

1. On the **Archive rules** tab, you can create, edit, or delete archive rules for the analyzer. For more information, see [Archive rules](access-analyzer-archive-rules.md).

1. On the **Tags** tab, you can manage and create tags for the analyzer. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).

## Delete an external access analyzer
<a name="access-analyzer-manage-external-delete"></a>

Use the following procedure to delete an external access analyzer. When you delete an analyzer, the resources are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the external access analyzer to delete.

1. Choose **Delete analyzer**.

1. Enter **delete** and choose **Delete** to confirm deleting the analyzer.

# Create an IAM Access Analyzer internal access analyzer
<a name="access-analyzer-create-internal"></a>

To enable an internal access analyzer in a Region, you must create an analyzer in that Region. You must create an internal access analyzer in each Region in which you want to monitor access to your resources.

IAM Access Analyzer charges for internal access analysis based on the number of resources monitored per analyzer per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Note**  
After you create or update an analyzer, it can take time for findings to be available.  
IAM Access Analyzer cannot generate internal access findings for organizations that contain more than 70,000 principals (IAM users and roles combined).  
You can only create one organization-level internal access analyzer in an AWS organization.

## Create an internal access analyzer with the AWS account as the zone of trust
<a name="access-analyzer-create-internal-account"></a>

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - Internal access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Current account** as the zone of trust for the analyzer.
**Note**  
If your account is not the AWS Organizations management account or [delegated administrator](access-analyzer-delegated-administrator.md) account, you can create only one analyzer with your account as the zone of trust.

1. In the **Resources to analyze** section, add resources for the analyzer to monitor.
   + To add resources by account, choose **Add > Add resources from selected accounts**.

     1. Choose **All supported resource types** or choose **Define specific resource types** and select the resource types from the **Resource type** list.

        Internal access analyzers support the following resource types:
        + [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
        + [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
        + [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
        + [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
        + [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
        + [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

     1. Choose **Add resources**.
   + To add resources by Amazon Resource Name (ARN), choose **Add resources > Add resources by pasting in resource ARN**.
**Note**  
ARNs must be exact matches – wildcards are not supported. For Amazon S3, only bucket ARNs are supported. Amazon S3 object ARNs and prefixes are not supported.

     1. For each resource ARN, enter the account owner ID and the resource ARN separated by a comma. Enter one account owner ID and resource ARN per line.

     1. Choose **Add resources**.
   + To add resources by a CSV file, choose **Add resources > Add resources by uploading a CSV**.

     You can use [AWS Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search.html) to search for resources in your accounts and export a CSV file. Then you can upload the CSV file to configure the resources for the analyzer to monitor.

     1. Choose **Choose file** and select the CSV file from your computer.

     1. Choose **Add resources**.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an internal access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.
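The pasted-ARN input described above (one `account owner ID,resource ARN` pair per line, exact ARNs only, no wildcards, and for Amazon S3 only bucket ARNs) is easy to get wrong when assembled by a script. The following validator is an added example, not AWS code: it checks each line against those rules and classifies the ARN into one of the six resource types internal access analyzers support. The resource-part patterns, the account-ID consistency check, and the sample input are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Generic ARN shape: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):([a-z0-9-]+):([a-z0-9-]*):(\d{12}|):(.+)$")

# Resource-part patterns for the six resource types the page lists for internal access
# analyzers. The patterns are this example's own reading of the documented ARN formats.
SUPPORTED_TYPES = [
    ("Amazon S3 bucket",               "s3",        re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")),
    ("Amazon S3 directory bucket",     "s3express", re.compile(r"^bucket/[^/]+$")),
    ("Amazon RDS DB snapshot",         "rds",       re.compile(r"^snapshot:[^:/]+$")),
    ("Amazon RDS DB cluster snapshot", "rds",       re.compile(r"^cluster-snapshot:[^:/]+$")),
    ("Amazon DynamoDB stream",         "dynamodb",  re.compile(r"^table/[^/]+/stream/[^/]+$")),
    ("Amazon DynamoDB table",          "dynamodb",  re.compile(r"^table/[^/]+$")),
]


@dataclass
class Entry:
    line_no: int
    account_id: str
    arn: str
    resource_type: str


@dataclass
class Report:
    accepted: List[Entry] = field(default_factory=list)
    rejected: List[Tuple[int, str]] = field(default_factory=list)  # (line number, reason)


def classify_arn(arn: str) -> Optional[str]:
    """Name of the supported resource type that arn denotes, or None if unsupported."""
    m = ARN_RE.match(arn)
    if not m:
        return None
    service, resource = m.group(2), m.group(5)
    for type_name, svc, pattern in SUPPORTED_TYPES:
        if svc == service and pattern.match(resource):
            return type_name
    return None


def parse_resource_lines(text: str) -> Report:
    """Validate '<account owner ID>,<resource ARN>' lines, one pair per line."""
    report = Report()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                                   # blank lines carry nothing
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            report.rejected.append((line_no, "expected '<account owner ID>,<resource ARN>'"))
            continue
        account_id, arn = parts
        if not ACCOUNT_ID_RE.match(account_id):
            report.rejected.append((line_no, "account owner ID must be a 12-digit account ID"))
            continue
        if "*" in arn or "?" in arn:
            report.rejected.append((line_no, "wildcards are not supported; the ARN must be exact"))
            continue
        m = ARN_RE.match(arn)
        if not m:
            report.rejected.append((line_no, "malformed ARN"))
            continue
        service, arn_account, resource = m.group(2), m.group(4), m.group(5)
        if service == "s3" and "/" in resource:
            report.rejected.append((line_no, "only S3 bucket ARNs are supported, not object ARNs or prefixes"))
            continue
        # Consistency check added by this example (assumption): when the ARN carries an
        # account ID, it has to be the account that owns the resource.
        if arn_account and arn_account != account_id:
            report.rejected.append((line_no, "ARN account ID does not match the account owner ID"))
            continue
        resource_type = classify_arn(arn)
        if resource_type is None:
            report.rejected.append((line_no, "resource type is not supported by internal access analyzers"))
            continue
        report.accepted.append(Entry(line_no, account_id, arn, resource_type))
    return report


# Constructed sample input: account IDs and resource names are placeholders, not real resources.
SAMPLE_INPUT = """\
111122223333,arn:aws:s3:::example-data-bucket
111122223333,arn:aws:s3:::example-data-bucket/reports/*
111122223333,arn:aws:s3:::example-data-bucket/report.csv
111122223333,arn:aws:rds:us-east-1:111122223333:cluster-snapshot:prod-nightly
444455556666,arn:aws:dynamodb:us-east-1:444455556666:table/Orders/stream/2024-01-01T00:00:00.000
444455556666,arn:aws:dynamodb:us-east-1:444455556666:table/Orders
444455556666,arn:aws:s3express:us-east-1:444455556666:bucket/logs--use1-az4--x-s3
444455556666,arn:aws:sqs:us-east-1:444455556666:orders-queue
111122223333,arn:aws:dynamodb:us-east-1:444455556666:table/Other
12345,arn:aws:s3:::short-account
"""

if __name__ == "__main__":
    report = parse_resource_lines(SAMPLE_INPUT)
    for e in report.accepted:
        print(f"line {e.line_no}: OK {e.resource_type}: {e.arn}")
    for line_no, reason in report.rejected:
        print(f"line {line_no}: REJECTED {reason}")
```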

## Create an internal access analyzer with the organization as the zone of trust
<a name="access-analyzer-create-internal-organization"></a>

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - Internal access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Entire organization** as the zone of trust for the analyzer.

1. In the **Resources to analyze** section, add resources for the analyzer to monitor.
   + To add resources for the account, choose **Add resources > Add resources from selected accounts**.

     1. Choose **All supported resource types** or choose **Define specific resource types** and select the resource types from the **Resource type** list.

        Internal access analyzers support the following resource types:
        + [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
        + [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
        + [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
        + [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
        + [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
        + [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

     1. To select accounts from your organization, choose **Select from organization**. In the **Select accounts** section, choose **Hierarchy** to select accounts by organizational structure or **List** to select accounts from a list of all accounts in your organization.

        To manually enter accounts from your organization, choose **Enter AWS account ID**. Enter one or more AWS account IDs separated by commas in the **AWS account ID** field.

     1. Choose **Add resources**.
   + To add resources by Amazon Resource Name (ARN), choose **Add resources > Add resources by pasting in resource ARN**.
**Note**  
ARNs must be exact matches – wildcards are not supported. For Amazon S3, only bucket ARNs are supported. Amazon S3 object ARNs and prefixes are not supported.

     1. For each resource ARN, enter the account owner ID and the resource ARN separated by a comma. Enter one account owner ID and resource ARN per line.

     1. Choose **Add resources**.
   + To add resources by a CSV file, choose **Add resources > Add resources by uploading a CSV**.

     You can use [AWS Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search.html) to search for resources in your accounts and export a CSV file. Then you can upload the CSV file to configure the resources for the analyzer to monitor.

     1. Choose **Choose file** and select the CSV file from your computer.

     1. Choose **Add resources**.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Submit**.

When you create an internal access analyzer with the organization as the zone of trust, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in each account of your organization.

# Manage an IAM Access Analyzer internal access analyzer
<a name="access-analyzer-manage-internal"></a>

To enable an internal access analyzer in a Region, you must create an analyzer in that Region. You must create an internal access analyzer in each Region in which you want to monitor access to your resources.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Update an internal access analyzer
<a name="access-analyzer-manage-internal-update"></a>

Use the following procedure to update an internal access analyzer.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the internal access analyzer to manage.

1. On the **Archive rules** tab, you can create, edit, or delete archive rules for the analyzer. For more information, see [Archive rules](access-analyzer-archive-rules.md).

1. On the **Tags** tab, you can manage and create tags for the analyzer. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).

1. On the **Resources** tab, choose **Edit** in the **Resources to analyze** section.

   1. To add resources by account, choose **Add resources > Add resources from selected accounts**.

      1. Choose **All supported resource types** or choose **Define specific resource types** and select the resource types from the **Resource type** list.

         Internal access analyzers support the following resource types:
         + [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
         + [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
         + [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
         + [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
         + [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
         + [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

      1. Choose **Add resources**.

   1. To add resources by Amazon Resource Name (ARN), choose **Add resources > Add resources by pasting in resource ARN**.
**Note**  
ARNs must be exact matches – wildcards are not supported. For Amazon S3, only bucket ARNs are supported. Amazon S3 object ARNs and prefixes are not supported.

      1. For each resource ARN, enter the account owner ID and the resource ARN separated by a comma. Enter one account owner ID and resource ARN per line.

      1. Choose **Add resources**.

   1. To add resources by a CSV file, choose **Add resources > Add resources by uploading a CSV**.

      You can use [AWS Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search.html) to search for resources in your accounts and export a CSV file. Then you can upload the CSV file to configure the resources for the analyzer to monitor.

      1. Choose **Choose file** and select the CSV file from your computer.

      1. Choose **Add resources**.

   1. To remove resources from the analyzer, select the check box next to the resources to remove and choose **Remove**.

   1. Choose **Save changes**.

**Note**  
Any updates to the analyzer will be evaluated at the next automatic rescan within 24 hours.

## Delete an internal access analyzer
<a name="access-analyzer-manage-internal-delete"></a>

Use the following procedure to delete an internal access analyzer. When you delete an analyzer, the resources are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the internal access analyzer to delete.

1. Choose **Delete analyzer**.

1. Enter **delete** and choose **Delete** to confirm deleting the analyzer.

# Create an IAM Access Analyzer unused access analyzer
<a name="access-analyzer-create-unused"></a>

## Create an unused access analyzer for the current account
<a name="access-analyzer-create-unused-account"></a>

Use the following procedure to create an unused access analyzer for a single AWS account. For unused access, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Principal analysis - Unused access**.

1. Enter a name for the analyzer.

1. For **Tracking period**, enter the number of days for analysis. The analyzer will only evaluate permissions for IAM entities within the selected account that have existed for the entire tracking period. For example, if you set a tracking period of 90 days, only permissions that are at least 90 days old will be analyzed, and findings will be generated if they show no usage during this period. You can enter a value between 1 and 365 days.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. For **Selected accounts**, choose **Current account**.
**Note**  
If your account is not the AWS Organizations management account or [delegated administrator](access-analyzer-delegated-administrator.md) account, you can create only one analyzer with your account as the selected account.

1. Optional. In the **Exclude IAM users and roles with tags** section, you can specify key-value pairs for IAM users and roles to exclude from unused access analysis. Findings will not be generated for excluded IAM users and roles that match the key-value pairs. For the **Tag key**, enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value**, you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value**, the rule is applied to all principals with the specified **Tag key**. Choose **Add new exclusion** to add additional key-value pairs to exclude.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an unused access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.

## Create an unused access analyzer with the current organization
<a name="access-analyzer-create-unused-organization"></a>

Use the following procedure to create an unused access analyzer for an organization to centrally review all AWS accounts in an organization. For unused access analysis, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Note**  
If a member account is removed from the organization, the unused access analyzer will stop generating new findings and updating existing findings for that account after 24 hours. Findings associated with the member account that is removed from the organization will be removed permanently after 90 days.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Principal analysis - Unused access**.

1. Enter a name for the analyzer.

1. For **Tracking period**, enter the number of days for analysis. The analyzer will only evaluate permissions for IAM entities within the accounts of the selected organization that have existed for the entire tracking period. For example, if you set a tracking period of 90 days, only permissions that are at least 90 days old will be analyzed, and findings will be generated if they show no usage during this period. You can enter a value between 1 and 365 days.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. For **Selected accounts**, choose **Current organization**.

1. Optional. In the **Exclude AWS accounts from analysis** section, you can choose AWS accounts in your organization to exclude from unused access analysis. Findings will not be generated for excluded accounts.

   1. To specify individual account IDs to exclude, choose **Specify AWS account ID** and enter the account IDs separated by commas in the **AWS account ID** field. Choose **Exclude**. The accounts are then listed in the **AWS accounts to exclude** table.

   1. To choose from a list of accounts in your organization to exclude, choose **Choose from organization**.

      1. You can search for accounts by name, email, and account ID in the **Exclude accounts from organization** field.

      1. Choose **Hierarchy** to view your accounts by organizational unit or choose **List** to view a list of all individual accounts in your organization.

      1. Choose **Exclude all current accounts** to exclude all accounts in an organizational unit or choose **Exclude** to exclude individual accounts.

   The accounts are then listed in the **AWS accounts to exclude** table.
**Note**  
Excluded accounts cannot include the organization analyzer owner account. When new accounts are added to your organization, they are not excluded from analysis, even if you previously excluded all current accounts within an organizational unit. For more information on excluding accounts after creating an unused access analyzer, see [Manage an IAM Access Analyzer unused access analyzer](access-analyzer-manage-unused.md).

1. Optional. In the **Exclude IAM users and roles with tags** section, you can specify key-value pairs for IAM users and roles to exclude from unused access analysis. Findings will not be generated for excluded IAM users and roles that match the key-value pairs. For the **Tag key**, enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value**, you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value**, the rule is applied to all principals with the specified **Tag key**. Choose **Add new exclusion** to add additional key-value pairs to exclude.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an unused access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.

# Manage an IAM Access Analyzer unused access analyzer
<a name="access-analyzer-manage-unused"></a>

Use the information in this topic to learn about how to update or delete an existing unused access analyzer.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Update an unused access analyzer
<a name="access-analyzer-manage-unused-update"></a>

Use the following procedure to update an unused access analyzer.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the unused access analyzer to manage.

1. On the **Exclusion** tab, if the analyzer was created for an organization as the scope of analysis, choose **Manage** in the **Excluded AWS accounts** section.

   1. To specify individual account IDs to exclude, choose **Specify AWS account ID** and enter the account IDs separated by commas in the **AWS account ID** field. Choose **Exclude**. The accounts are then listed in the **AWS accounts to exclude** table.

   1. To choose from a list of accounts in your organization to exclude, choose **Choose from organization**.

      1. You can search for accounts by name, email, and account ID in the **Exclude accounts from organization** field.

      1. Choose **Hierarchy** to view your accounts by organizational unit or choose **List** to view a list of all individual accounts in your organization.

      1. Choose **Exclude all current accounts** to exclude all accounts in an organizational unit or choose **Exclude** to exclude individual accounts.

      The accounts are then listed in the **AWS accounts to exclude** table.

   1. To remove accounts to exclude, choose **Remove** next to the account in the **AWS accounts to exclude** table.

   1. Choose **Save changes**.
**Note**  
Excluded accounts cannot include the organization analyzer owner account.
When new accounts are added to your organization, they are not excluded from analysis, even if you previously excluded all current accounts within an organizational unit.
After you update the exclusions for an analyzer, it can take up to two days for the list of excluded accounts to be updated.

1. On the **Exclusion** tab, choose **Manage** in the **Excluded IAM users and roles with tags** section.

   1. You can specify key-value pairs for IAM users and roles to exclude from unused access analysis. For the **Tag key**, enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value**, you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value**, the rule is applied to all principals with the specified **Tag key**.

   1. Choose **Add new exclusion** to add additional key-value pairs to exclude.

   1. To remove key-value pairs to exclude, choose **Remove** next to the key-value pair.

   1. Choose **Save changes**.

1. On the **Archive rules** tab, you can create, edit, or delete archive rules for the analyzer. For more information, see [Archive rules](access-analyzer-archive-rules.md).

1. On the **Tags** tab, you can manage and create tags for the analyzer. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).
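The tracking-period rule (only principals that existed for the entire period are evaluated, and a finding results when there is no usage in it), the excluded-account rule (the owner account cannot be excluded), and the tag-exclusion limits (key 1 to 128 characters, not prefixed with `aws:`; value 0 to 256 characters; an empty value matches every principal with that key) appear in both the create and the update procedures above. The following model of those rules is an added example, not AWS code; it shows how a principal inventory is partitioned under a given configuration. The principal records, dates, and account IDs are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class TagExclusion:
    key: str
    value: str = ""        # empty: every principal carrying the key is excluded


def tag_exclusion(key: str, value: str = "") -> TagExclusion:
    """Build a tag exclusion under the page's limits: key 1 to 128 characters and not
    prefixed with aws:, value 0 to 256 characters."""
    if not 1 <= len(key) <= 128:
        raise ValueError("tag key must be 1 to 128 characters")
    if key.lower().startswith("aws:"):
        raise ValueError("tag key must not be prefixed with aws:")
    if len(value) > 256:
        raise ValueError("tag value must be 0 to 256 characters")
    return TagExclusion(key, value)


@dataclass
class Principal:
    name: str
    account_id: str
    created: date
    last_used: Optional[date]                  # None: never used
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class UnusedAccessConfig:
    tracking_days: int
    owner_account: str                         # the account that owns the analyzer
    excluded_accounts: Set[str] = field(default_factory=set)
    tag_exclusions: List[TagExclusion] = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.tracking_days <= 365:
            raise ValueError("tracking period must be between 1 and 365 days")
        if self.owner_account in self.excluded_accounts:
            raise ValueError("the analyzer owner account cannot be excluded")


def is_excluded(p: Principal, cfg: UnusedAccessConfig) -> bool:
    """True when the principal is in an excluded account or carries an excluded tag."""
    if p.account_id in cfg.excluded_accounts:
        return True
    return any(ex.key in p.tags and (ex.value == "" or p.tags[ex.key] == ex.value)
               for ex in cfg.tag_exclusions)


def evaluate(principals: List[Principal], cfg: UnusedAccessConfig, today: date) -> Dict[str, List[str]]:
    """Partition principals by name: 'findings' holds those that existed for the whole
    tracking period and show no usage inside it."""
    window_start = today - timedelta(days=cfg.tracking_days)
    out = {"excluded": [], "too_new": [], "used": [], "findings": []}
    for p in principals:
        if is_excluded(p, cfg):
            out["excluded"].append(p.name)
        elif p.created > window_start:
            out["too_new"].append(p.name)      # has not existed for the entire period
        elif p.last_used is not None and p.last_used >= window_start:
            out["used"].append(p.name)
        else:
            out["findings"].append(p.name)
    return out


# Constructed sample data: account IDs, names and dates are placeholders.
SAMPLE_CONFIG = UnusedAccessConfig(
    tracking_days=90,
    owner_account="111122223333",
    excluded_accounts={"999988887777"},
    tag_exclusions=[tag_exclusion("access-analyzer-exclude"), tag_exclusion("team", "security")],
)
SAMPLE_PRINCIPALS = [
    Principal("deploy-role", "111122223333", date(2023, 1, 15), date(2024, 6, 1)),
    Principal("legacy-admin", "111122223333", date(2022, 5, 1), date(2024, 1, 10)),
    Principal("never-used-user", "111122223333", date(2023, 3, 3), None),
    Principal("new-lambda-role", "111122223333", date(2024, 5, 20), None),
    Principal("break-glass", "111122223333", date(2021, 1, 1), None, {"access-analyzer-exclude": "true"}),
    Principal("sandbox-role", "999988887777", date(2022, 1, 1), None),
    Principal("ci-runner", "111122223333", date(2023, 1, 1), date(2024, 4, 15), {"team": "platform"}),
]
SAMPLE_TODAY = date(2024, 6, 30)   # 90-day window therefore starts on 2024-04-01

if __name__ == "__main__":
    for bucket, names in evaluate(SAMPLE_PRINCIPALS, SAMPLE_CONFIG, SAMPLE_TODAY).items():
        print(f"{bucket}: {names}")
```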

## Delete an unused access analyzer
<a name="access-analyzer-manage-unused-delete"></a>

Use the following procedure to delete an unused access analyzer. When you delete an analyzer, the resources are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Unused access**.

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the unused access analyzer to delete.

1. Choose **Delete analyzer**.

1. Enter **delete** and choose **Delete** to confirm deleting the analyzer.

# View the IAM Access Analyzer findings dashboard
<a name="access-analyzer-dashboard"></a>

AWS Identity and Access Management Access Analyzer organizes external, internal, and unused access findings into a visual summary dashboard. The dashboard helps you gain visibility into the effective use of permissions at scale and identify accounts and AWS resources that need attention. You can use the dashboard to review findings by AWS organization, account, and finding type.

For external and internal access findings:
+ The dashboard highlights the split between public access findings, external access findings, and internal access findings.
+ The dashboard provides a breakdown of findings by resource type.

For unused access findings:
+ The dashboard highlights the AWS accounts with the most unused access findings.
+ The dashboard provides a breakdown of findings by type.

After you create any type of access analyzer, IAM Access Analyzer automatically adds new findings to the relevant dashboard. This allows you to identify and prioritize the areas with the most security concerns.

The summary dashboards give you a high-level view of the access issues detected by IAM Access Analyzer across your AWS environment. You can then drill down into the individual findings to investigate further and take appropriate actions to resolve them.

## Viewing the summary dashboard for external and internal access analyzers
<a name="access-analyzer-dashboard-external-internal"></a>
**Note**  
After you create or update an analyzer, it can take time for the summary dashboard to reflect updates to findings.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Access Analyzer**. The **Summary** window is displayed.

1. Choose **Select analyzers**.

1. In the **Select analyzers** window, choose **Organization** or **Account** for the **Zone of trust**.
**Note**  
Only the AWS Organizations management account or delegated administrator can choose **Organization** as the zone of trust.

1. Choose external and internal access analyzers from the **Resource access analyzers** dropdown.
**Note**  
You can select a maximum of one external access analyzer and a maximum of one internal access analyzer.

1. Choose **Update**. A summary of the findings for the selected external and internal access analyzers is displayed in the **Resource access findings** section.

![\[Resource findings access analyzer dashboard.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/access-analyzer-dashboard-external-internal-new.png)

In the preceding image, the resource findings dashboard is visible from within the **Summary** page.

1. The **Active findings** section includes the number of active findings for public access, the number of active findings that provide access outside of the account or organization, and the number of active internal access findings for the selected analyzers. Choose a number to list all of the active findings of each type.

1. The **Resource types** section includes a breakdown of the resource types with active findings for the selected analyzers. Choose **View all active findings** for a complete list of active findings for the selected analyzers.

1. The **Key resources** section includes a summary of the key resources with active findings. This information helps you prioritize findings for your business-critical resources. Choose **View all active findings** for a complete list of active findings for the selected analyzers.

## Viewing the summary dashboard for unused access analyzers
<a name="access-analyzer-dashboard-unused"></a>
**Note**  
After you create or update an analyzer, it can take time for the summary dashboard to reflect updates to findings, depending on the number of users and roles analyzed.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Access Analyzer**. The **Access Analyzer Summary** window is displayed.

1. Choose **Select analyzers**.

1. In the **Select analyzers** window, choose **Organization** or **Account** for the **Zone of trust**.
**Note**  
Only the AWS Organizations management account or delegated administrator can choose **Organization** as the zone of trust.

1. Choose an unused access analyzer from the **Unused access analyzers** dropdown.

1. Choose **Update summary**. A summary of the findings for the selected unused access analyzer is displayed in the **Unused access findings** section.

![\[Unused access analyzer dashboard.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/access-analyzer-dashboard-unused-new.png)

In the preceding image, the unused access findings dashboard is visible from within the **Summary** page.

1. The **Active findings** section includes the number of active findings for unused roles, unused credentials, and unused permissions in your account or organization. **Unused credentials** include both unused access key and unused password findings. **Unused permissions** include both users and roles with unused permissions. Choose a number to list all of the active findings of each type.

1. The **Findings overview** section includes a breakdown of the type of active findings. Choose **View all active findings** for a complete list of active findings for the analyzer's account or organization.

1. The **Finding status** section includes a breakdown of the status of findings (**Active**, **Archived**, and **Resolved**) for your account or organization. You can select the findings statuses to display in the **Filter displayed data** dropdown.

1. The **Accounts with the most findings for unused access** section is displayed only if the selected unused access analyzer is set up at the organization level. It includes a breakdown of the accounts in your organization with the most active findings. This is not an exhaustive list of every account in your organization. Your analyzer might have active findings for other accounts not listed in this section.

# Review IAM Access Analyzer findings
<a name="access-analyzer-findings-view"></a>

After you enable IAM Access Analyzer, the next step is to review any findings to determine whether the access identified in the finding is intentional or unintentional. You can also review findings to determine similar findings for access that is intended, and then [create an archive rule](access-analyzer-archive-rules.md) to automatically archive those findings. You can also review archived and resolved findings.

You should review all of the findings in your account to determine whether the external, internal, or unused access is expected and approved. If the access identified in the finding is expected, you can archive the finding. When you archive a finding, the status is changed to **Archived**, and the finding is removed from the active findings list. The finding is not deleted. You can view your archived findings at any time. Work through all of the findings in your account until you have zero active findings. After you get to zero findings, you know that any new **Active** findings that are generated are from a recent change in your environment.

**To review active findings for all types of access analyzers**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Access analyzer**. The findings dashboard is displayed. 

1. Choose **Select analyzers**.

1. In the **Select analyzers** window, choose a maximum of one external access analyzer and a maximum of one internal access analyzer from the **Resource access analyzers** dropdown. Choose an unused access analyzer from the **Unused access analyzers** dropdown.

1. Choose **Update summary**. A summary of the active findings for the selected access analyzers is displayed on the dashboard. Choose a finding type in the **Resource access findings** or **Unused access findings** sections to view all active findings of the selected type.

   For more information on viewing the findings dashboard, see [View the IAM Access Analyzer findings dashboard](access-analyzer-dashboard.md).

**Note**  
Findings are displayed only if you have permission to view findings for the analyzer.

## External and internal access findings
<a name="access-analyzer-findings-view-external"></a>

**Note**  
IAM Access Analyzer charges for internal access analysis based on the number of resources monitored per Region per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

1. Under **Access Analyzer**, choose **Resource analysis**.

1. Choose **Select analyzers**.

1. In the **Select analyzers** window, choose a maximum of one external access analyzer and a maximum of one internal access analyzer from the **Resource access analyzers** dropdown.

1. Choose **Update summary**.

   The **Resource analysis** page displays the following details about the resources with active findings for the selected access analyzers:

**Name**  
The name of the resource with active findings.

**Type**  
The type of the resource.

**Owner account**  
This column is displayed only if you are using an organization as the zone of trust for one or more of the selected analyzers. The account in the organization that owns the resource reported in the finding.

**Active findings**  
A visual representation of the number and type of active findings for the resource. Hover over the field to display more information about the findings for the resource.

**Public access**  
Indicates whether any of the findings for the resource allow public access.

## Unused access findings
<a name="access-analyzer-findings-view-unused"></a>

**Note**  
IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

1. Under **Access Analyzer**, choose **Unused access**.

1. Choose **Select analyzers**.

1. In the **Select analyzers** window, choose an unused access analyzer from the **Unused access analyzers** dropdown.

1. Choose **Update summary**.

   The **Unused access** page displays the following details about the IAM entities that generated the findings for the selected access analyzer:

**Finding ID**  
The unique ID assigned to the finding. Choose the finding ID to display additional details about the IAM entity that generated the finding.

**Finding type**  
The type of unused access finding: **Unused access key**, **Unused password**, **Unused permission**, or **Unused role**.

**IAM entity**  
The IAM entity reported in the finding. This can be an IAM user or role.

**AWS account ID**  
This column is displayed only if you set up the analyzer for all AWS accounts in the organization. The AWS account in the organization that owns the IAM entity reported in the finding.

**Last updated**  
The last time that the IAM entity reported in the finding was updated, or when the entity was created if no updates have been made.

**Status**  
The status of the finding (**Active**, **Archived**, or **Resolved**).

# Filter IAM Access Analyzer findings
<a name="access-analyzer-findings-filter"></a>

The default filtering for a findings page is to display all active findings. To view all findings, choose **All** from the **Status** dropdown. To view archived findings, choose **Archived**. To view resolved findings, choose **Resolved**. When you first start using IAM Access Analyzer, there are no archived findings.

Use filters to display only the findings that meet the specified property criteria. To create a filter, select the property to filter on, then choose whether the property equals or contains a value, then enter or choose a property value to filter on.

For a list of filter keys that you can use to create or update an archive rule, see [IAM Access Analyzer filter keys](access-analyzer-reference-filter-keys.md).

## Filtering resources with active findings
<a name="access-analyzer-findings-filter-resource"></a>

You can view and filter active findings by resource for a maximum of one external access analyzer and a maximum of one internal access analyzer.

**To filter resources with active findings**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Resource analysis**.

1. To filter by resource name, type all or part of the name of the resource in the search box.

1. In the **Filter access type** dropdown, choose the access type:
   + **All types** – display resources with all types of access findings.
   + **Public access** – display only resources with public access findings.
   + **External access** – display only resources with external access findings.
   + **Internal access within organization** – display only resources with internal access findings.

1. In the **Filter resource type** dropdown, choose a resource type to display only resources of the selected type.

## Filtering external access findings
<a name="access-analyzer-findings-filter-external"></a>

**To filter external access findings**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Analyzer settings** and then choose the external access analyzer in the **Analyzers** section.

1. Choose **View findings**.

1. Choose the search box to display a list of available properties.

1. Choose the property to use to filter the findings displayed.

1. Choose the value to match for the property. Only findings with that value in the finding are displayed.

   For example, choose **Resource** as the property, then choose **Resource:**, then type part or all of the name of a bucket, then press Enter. Only findings for the bucket that matches the filter criteria are displayed. To create a filter that displays only findings for resources that allow public access, you can choose the **Public access** property, then choose **Public access =**, then choose **Public access = true**.

You can add additional properties to further filter the findings displayed. When you add additional properties, only findings that match all conditions in the filter are displayed. Defining a filter to display findings that match one property OR another property is not supported. Choose **Clear filters** to clear any filters you have defined and display all of the findings with the specified status for your analyzer.

Some fields are displayed only when you are viewing findings for an analyzer with an organization as its zone of trust.

The following properties are available for defining filters for external access:
+ **Public access** – To filter by findings for resources that allow public access, filter by **Public access** then choose **Public access: true**.
+ **Resource** – To filter by resource, type all or part of the name of the resource.
+ **Resource Type** – To filter by resource type, choose the type from the list displayed.
+ **Resource Owner Account** – Use this property to filter by the account in the organization that owns the resource reported in the finding.
+ **Resource Control Policy Restriction** – Use this property to filter by the type of restriction applied by an Organizations resource control policy (RCP). To learn more, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the AWS Organizations User Guide.
  + **Failed to evaluate RCP**: There was an error evaluating the RCP.
  + **Not applicable**: No RCP restricts this resource or principal. This also includes resources where RCPs are not yet supported.
  + **Applicable**: Your organization administrator has set restrictions through an RCP that affects the resource or resource type. Contact your organization administrator for more details.
+ **AWS Account** – Use this property to filter by AWS account that is granted access in the **Principal** section of a policy statement. To filter by AWS account, type all or part of the 12-digit AWS account ID, or all or part of the full account ARN of the external AWS user or role that has access to resources in the current account.
+ **Canonical User** – To filter by canonical user, type the canonical user ID as defined for Amazon S3 buckets. To learn more, see [AWS Account Identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html).
+ **Federated User** – To filter by federated user, type all or part of the ARN of the federated identity. To learn more, see [Identity Providers and Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html).
+ **Finding ID** – To filter by finding ID, type all or part of the finding ID.
+ **Error** – To filter by error type, choose **Access Denied** or **Internal Error**.
+ **Principal ARN** – Use this property to filter on the ARN of the principal (IAM user, role, or group) used in an **aws:PrincipalArn** condition key. To filter by Principal ARN, type all or part of the ARN of the IAM user, role, or group from an external AWS account reported in a finding.
+ **Principal OrgID** – To filter by Principal OrgID, type all or part of the organization ID associated with the external principals that belong to the AWS organization specified as a condition in the finding. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Principal OrgPaths** – To filter by Principal OrgPaths, type all or part of the ID for the AWS organization or organizational unit (OU) that allows access to all external principals that are account members of the specified organization or OU as a condition in the policy. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source Account** – To filter on Source Account, type all or part of the AWS account ID associated with the resources, as used in some cross-service permissions in AWS. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source ARN** – To filter by Source ARN, type all or part of the ARN specified as a condition in the finding. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source IP** – To filter by Source IP, type all or part of the IP address that allows external entities access to resources in the current account when using the specified IP address. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source OrgID** – To filter by Source OrgID, type all or part of the organization ID associated with the resources, as used in some cross-service permissions in AWS. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source OrgPaths** – To filter by Source OrgPaths, type all or part of the organizational unit (OU) associated with the resources, as used in some cross-service permissions in AWS. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source VPC** – To filter by Source VPC, type all or part of the VPC ID that allows external entities access to resources in the current account when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source VPC ARN** – To filter by Source VPC ARN, type all or part of the VPC ARN that allows external entities access to resources in the current account when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source VPCE** – To filter by Source VPCE, type all or part of the VPC endpoint ID that allows external entities access to resources in the current account when using the specified VPC endpoint. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **VPCE Account** – To filter by VPCE Account, type all or part of the 12-digit AWS account ID that owns the VPC endpoint through which external entities are allowed access to resources. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **VPCE OrgID** – To filter by VPCE OrgID, type all or part of the organization ID that owns the VPC endpoint through which external entities are allowed access to resources. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **VPCE OrgPaths** – To filter by VPCE OrgPaths, type all or part of the organizational unit (OU) that owns the VPC endpoint through which external entities are allowed access to resources. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **User ID** – To filter by User ID, type all or part of the user ID of the IAM user from an external AWS account who is allowed access to resources in the current account. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **KMS Key ID** – To filter by KMS key ID, type all or part of the key ID for the KMS key specified as a condition for AWS KMS-encrypted Amazon S3 object access in your current account.
+ **Session Mode** – To filter by session mode for Amazon S3 directory buckets (`ReadOnly` or `ReadWrite`), type all or part of the session mode. To learn more, see [CreateSession](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html) in the Amazon Simple Storage Service API Reference.
+ **Google Audience** – To filter by Google Audience, type all or part of the Google application ID specified as a condition for IAM role access in your current account. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html).
+ **Cognito Audience** – To filter by Amazon Cognito audience, type all or part of the Amazon Cognito identity pool ID specified as a condition for IAM role access in your current account. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html).
+ **Caller Account** – The AWS account ID of the account that owns or contains the calling entity, such as an IAM role, user, or account root user. This is used by services calling AWS KMS. To filter by caller account, type all or part of the AWS account ID.
+ **Facebook App ID** – To filter by Facebook App ID, type all or part of the Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to an IAM role in your current account. To learn more, see the **id** section in [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif).
+ **Amazon App ID** – To filter by Amazon App ID, type all or part of the Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to an IAM role in your current account. To learn more, see the **id** section in [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif).
+ **Lambda Event Source Token** – To filter on Lambda Event Source Token passed in with Alexa integrations, type all or part of the token string.

## Filtering internal access findings
<a name="access-analyzer-findings-filter-internal"></a>

**To filter internal access findings**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Analyzer settings** and then choose the internal access analyzer in the **Analyzers** section.

1. Choose **View findings**.

1. Choose the search box to display a list of available properties.

1. Choose the property to use to filter the findings displayed.

1. Choose the value to match for the property. Only findings with that value in the finding are displayed.

   For example, choose **Resource** as the property, then choose **Resource:**, then type part or all of the name of a bucket, then press Enter. Only findings for the bucket that matches the filter criteria are displayed.

You can add additional properties to further filter the findings displayed. When you add additional properties, only findings that match all conditions in the filter are displayed. Defining a filter to display findings that match one property OR another property is not supported. Choose **Clear filters** to clear any filters you have defined and display all of the findings with the specified status for your analyzer.

Some fields are displayed only when you are viewing findings for an analyzer with an organization as its zone of trust.

The following fields are displayed only when you are viewing findings for an analyzer that is monitoring internal access:
+ **Resource** – To filter by resource, type all or part of the name of the resource.
+ **Resource Type** – To filter by resource type, choose the type from the list displayed.
+ **Resource Owner Account** – Use this property to filter by the account in the organization that owns the resource reported in the finding.
+ **Finding id** – To filter by finding ID, type all or part of the finding ID.

## Filtering unused access findings
<a name="access-analyzer-findings-filter-unused"></a>

**To filter unused access findings**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Unused access** and then choose the analyzer in the **View analyzer** dropdown.

1. Choose the search box to display a list of available properties.

1. Choose the property to use to filter the findings displayed.

1. Choose the value to match for the property. Only findings with that value in the finding are displayed.

   For example, choose **Findings type** as the property, then choose **Findings type =**, then choose **Findings type = Unused role**. Only findings with a type of **Unused role** are displayed.

You can add additional properties to further filter the findings displayed. When you add additional properties, only findings that match all conditions in the filter are displayed. Defining a filter to display findings that match one property OR another property is not supported. Choose **Clear filters** to clear any filters you have defined and display all of the findings with the specified status for your analyzer.

The following fields are displayed only when you are viewing findings for an analyzer that is monitoring unused access:
+ **Findings type** – To filter by finding type, filter by **Findings type** and then choose the type of finding.
+ **Resource** – To filter by resource, type all or part of the name of the resource.
+ **Resource Type** – To filter by resource type, choose the type from the list displayed.
+ **Resource Owner Account** – Use this property to filter by the account in the organization that owns the resource reported in the finding.
+ **Finding id** – To filter by finding ID, type all or part of the finding ID.

# Archive IAM Access Analyzer findings
<a name="access-analyzer-findings-archive"></a>

When you get a finding for access to a resource that is intentional, you can archive the finding. Examples are an external or internal access finding for an Amazon S3 bucket that is accessed by approved workflows, or an unused access finding for an access key that may still be necessary. When you archive a finding, it is cleared from the active findings list. Archived findings aren't deleted. You can filter the **Findings** page to display your archived findings, and unarchive them at any time.

**To archive findings from the Findings page**

1. Select the checkbox next to one or more findings to archive.

1. Choose **Actions** and then choose **Archive**.

   A confirmation is displayed at the top of the screen.

**To archive findings from the Findings Details page**

1. Choose the **Finding ID** for the finding to archive.

1. Choose **Archive**.

   A confirmation is displayed at the top of the screen.

To unarchive findings, repeat the preceding steps, but choose **Unarchive** instead of **Archive**. When you unarchive a finding, the status is set to **Active**.
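As an added example that is not code from the AWS documentation, the following Python script reproduces, over constructed findings, the filter semantics described under Filter IAM Access Analyzer findings (conditions are ANDed, OR is not supported, the default view is **Active**), the dashboard's split between public, cross-account and unused findings, and the archiving step above. The sample findings, ARNs and account IDs are constructed; the field names are assumed to match the ListFindingsV2 response and the `boto3` `update_findings` call the UpdateFindings API.

```python
"""Offline triage of IAM Access Analyzer findings (added example).

Reproduces, over constructed sample data, the console behaviour described
above: the default Active view with All/Archived/Resolved, filters whose
conditions are ANDed (OR is not supported), the dashboard split between
public, cross-account and unused findings, and archiving of findings whose
access is approved. Field names follow the ListFindingsV2 API response
(assumption); the sample findings, ARNs and account IDs are constructed.
"""
from collections import Counter

UNUSED_TYPES = {"UnusedIAMRole", "UnusedIAMUserAccessKey",
                "UnusedIAMUserPassword", "UnusedPermission"}

# Constructed sample findings; no real resources or accounts.
SAMPLE_FINDINGS = [
    {"id": "f-0001", "findingType": "ExternalAccess", "status": "ACTIVE",
     "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-public-assets",
     "resourceOwnerAccount": "111111111111", "isPublic": True},
    {"id": "f-0002", "findingType": "ExternalAccess", "status": "ACTIVE",
     "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111111111111:role/partner-ingest",
     "resourceOwnerAccount": "111111111111", "isPublic": False,
     "principal": {"AWS": "222222222222"}},
    {"id": "f-0003", "findingType": "ExternalAccess", "status": "ARCHIVED",
     "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-website",
     "resourceOwnerAccount": "111111111111", "isPublic": True},
    {"id": "f-0004", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::333333333333:role/legacy-deploy",
     "resourceOwnerAccount": "333333333333"},
    {"id": "f-0005", "findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE",
     "resourceType": "AWS::IAM::User",
     "resource": "arn:aws:iam::333333333333:user/svc-backup",
     "resourceOwnerAccount": "333333333333"},
    {"id": "f-0006", "findingType": "UnusedPermission", "status": "ACTIVE",
     "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::444444444444:role/ci-runner",
     "resourceOwnerAccount": "444444444444"},
]


def _lookup(finding, prop):
    """Resolve a dotted property such as 'principal.AWS'; booleans are
    compared as the console shows them ('true'/'false')."""
    value = finding
    for part in prop.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return str(value).lower() if isinstance(value, bool) else str(value)


def matches(finding, filters):
    """Console semantics: every (property -> (op, value)) condition must
    hold. op is 'eq' or 'contains'; there is no OR between properties."""
    for prop, (op, wanted) in filters.items():
        actual = _lookup(finding, prop)
        if actual is None:
            return False
        if op == "eq" and actual != wanted:
            return False
        if op == "contains" and wanted not in actual:
            return False
    return True


def filter_findings(findings, filters, status="ACTIVE"):
    """Default view is Active; pass 'ARCHIVED', 'RESOLVED' or None (All)."""
    return [f for f in findings
            if (status is None or f["status"] == status) and matches(f, filters)]


def summarize(findings):
    """The dashboard split: public vs cross-account resource findings by
    resource type, and unused findings by type and by top account."""
    active = [f for f in findings if f["status"] == "ACTIVE"]
    resource = [f for f in active if f["findingType"] == "ExternalAccess"]
    unused = [f for f in active if f["findingType"] in UNUSED_TYPES]
    return {
        "public": sum(1 for f in resource if f.get("isPublic")),
        "cross_account": sum(1 for f in resource if not f.get("isPublic")),
        "by_resource_type": dict(Counter(f["resourceType"] for f in resource)),
        "unused_by_type": dict(Counter(f["findingType"] for f in unused)),
        "unused_top_accounts": Counter(
            f["resourceOwnerAccount"] for f in unused).most_common(3),
    }


def archive_candidates(findings, approved_accounts):
    """IDs of active, non-public cross-account findings whose external
    principal is an approved account: expected access that can be archived.
    Public findings are never archived automatically here."""
    return [f["id"] for f in findings
            if f["status"] == "ACTIVE" and f["findingType"] == "ExternalAccess"
            and not f.get("isPublic")
            and _lookup(f, "principal.AWS") in approved_accounts]


def archive_findings(analyzer_arn, finding_ids):
    """Archive the selected findings with the UpdateFindings API. boto3 is
    imported lazily (assumed installed) so the rest runs offline."""
    import boto3
    client = boto3.client("accessanalyzer")
    client.update_findings(analyzerArn=analyzer_arn, status="ARCHIVED",
                           ids=finding_ids)


if __name__ == "__main__":
    print(summarize(SAMPLE_FINDINGS))
    print(filter_findings(SAMPLE_FINDINGS, {"isPublic": ("eq", "true")}))
    print(archive_candidates(SAMPLE_FINDINGS, {"222222222222"}))
```

Archiving only what `archive_candidates` returns keeps the active list down to findings that need a decision, which is the zero-active-findings goal described under Review IAM Access Analyzer findings.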

# Resolve IAM Access Analyzer findings
<a name="access-analyzer-findings-remediate"></a>

## Resolving resource findings
<a name="access-analyzer-findings-remediate-external"></a>

To resolve external and internal access findings generated from unintended access, you should modify the policy statement to remove the permissions that allow access to the identified resource.

For findings related to Amazon S3 buckets, use the Amazon S3 console to configure the permissions on the bucket.

For IAM roles, use the IAM console to [modify the trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html#roles-managingrole_edit-trust-policy) for the listed IAM role.

For other supported resources, use the console to modify the policy statements that resulted in a generated finding.

After making a change to resolve a resource finding, such as modifying a policy applied to an IAM role, IAM Access Analyzer will scan the resource again. If the access to the resource is removed, the status of the finding is changed to **Resolved**. The finding will then be displayed in the resolved findings list instead of the active findings list.

**Note**  
This does not apply to **Error** findings. When IAM Access Analyzer is not able to analyze a resource, it will generate an error finding. If you resolve the issue that prevented IAM Access Analyzer from analyzing the resource, the error finding will be removed completely instead of changing to a resolved finding. For more information, see [IAM Access Analyzer error findings](access-analyzer-error-findings.md).

If the changes you made resulted in external or internal access to the resource, but in a different way, such as with a different principal or for a different permission, IAM Access Analyzer will resolve the original finding and generate a new **Active** finding. If the changes you made resulted in internal errors or access denied errors, all active non-error findings linked to the specific access of the resource are resolved and a new error finding is generated.

**Note**  
For external access analyzers, it may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource again and then update the finding.  
For internal access analyzers, it might take several minutes or hours for IAM Access Analyzer to analyze the resource again and then update the finding. IAM Access Analyzer automatically rescans all policies every 24 hours.  
Resolved findings are deleted 90 days after the last update to the finding status.

## Resolving unused access findings
<a name="access-analyzer-findings-remediate-unused"></a>

IAM Access Analyzer provides recommended steps to resolve unused access analyzer findings based on the type of finding.

After you make a change to resolve an unused access finding, the status of the finding is changed to **Resolved** the next time the unused access analyzer runs. The finding is no longer displayed in the active findings list and instead is displayed in the resolved findings list. If you make a change that only partially addresses an unused access finding, for example by removing only some of the unused permissions in a finding but not all of them, the existing finding is changed to **Resolved** but a new finding is generated.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

### Resolving unused permission findings
<a name="access-analyzer-findings-remediate-unused-permission"></a>

For unused permission findings, IAM Access Analyzer can recommend policies to remove from an IAM user or role and provide new policies to replace existing permissions policies. Policy recommendation is not supported for the following scenarios:
+ The unused permission finding is for an IAM user that is in a user group.
+ The unused permission finding is for an IAM role for IAM Identity Center.
+ The unused permission finding has an existing permissions policy that includes the `notAction` element.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Unused access**.

1. Choose a finding with the **Finding type** of **Unused permissions**.

1. In the **Recommendations** section, if there are policies listed in the **Recommended policy** column, choose **Preview policy** to compare the existing policy with the recommended policy that replaces it. If there are multiple recommended policies, you can choose **Next policy** and **Previous policy** to view each existing and recommended policy.

1. Choose **Download JSON** to download a .zip file with JSON files of all the recommended policies.

1. Create and attach the recommended policies to the IAM user or role. For more information, see [Changing permissions for a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-change-console) and [Modifying a role permissions policy (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy).

1. Remove the policies listed in the **Existing permissions policy** column from the IAM user or role. For more information, see [Removing a permissions policy from a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console) and [Modifying a role permissions policy (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy).

### Resolving unused role findings
<a name="access-analyzer-findings-remediate-unused-role"></a>

For unused role findings, IAM Access Analyzer recommends deleting the unused IAM role.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Unused access**.

1. Choose a finding with the **Finding type** of **Unused role**.

1. In the **Recommendations** section, review the details of the IAM role.

1. Delete the IAM role. For more information, see [Deleting an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#roles-managingrole-deleting-console).

### Resolving unused access key findings
<a name="access-analyzer-findings-remediate-unused-access-key"></a>

For unused access key findings, IAM Access Analyzer recommends deactivating or deleting the unused access key.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Unused access**.

1. Choose a finding with the **Finding type** of **Unused access keys**.

1. In the **Recommendations** section, review the details of the access key.

1. Deactivate or delete the access key. For more information, see [Managing access keys (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey).

### Resolving unused password findings
<a name="access-analyzer-findings-remediate-unused-password"></a>

For unused password findings, IAM Access Analyzer recommends deleting the unused password for the IAM user.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Unused access**.

1. Choose a finding with the **Finding type** of **Unused password**.

1. In the **Recommendations** section, review the details of the IAM user.

1. Delete the password for the IAM user. For more information, see [Creating, changing, or deleting an IAM user password (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console).

# IAM Access Analyzer error findings
<a name="access-analyzer-error-findings"></a>

When IAM Access Analyzer analyzes resources, it typically generates findings that show who has access to your resources. However, in some cases, the analyzer might encounter issues that prevent it from completing the analysis. In these situations, IAM Access Analyzer generates error findings instead.

Error findings indicate that IAM Access Analyzer couldn't complete the analysis for a specific resource or for a specific principal-resource pair. These findings help you identify resources that might need attention to ensure proper analysis.

## External access error findings
<a name="access-analyzer-error-findings-external"></a>

External access analyzers, which identify resources shared outside your account or organization, can generate two types of error findings:
+ INTERNAL_ERROR – Indicates that IAM Access Analyzer encountered an internal issue while analyzing the resource. This could be due to service limitations or temporary issues.

  ```
  {
  	"findingDetails": [
  		{
  			"externalAccessDetails": {}
  		}
  	],
  	"resource": "arn:aws:iam::941407043048:role/TestAccessAnalyzer",
  	"status": "ACTIVE",
  	"error": "INTERNAL_ERROR",
  	"createdAt": "2022-07-14T01:31:43.085000+00:00",
  	"resourceType": "AWS::IAM::Role",
  	"findingType": "ExternalAccess",
  	"resourceOwnerAccount": "941407043048",
  	"analyzedAt": "2025-03-19T06:51:46.109000+00:00",
  	"id": "4b035c7d-b7d2-40e4-a6c3-9887d1a995df",
  	"updatedAt": "2022-07-14T01:31:43.085000+00:00"
  }
  ```
+ ACCESS_DENIED – Indicates that IAM Access Analyzer doesn't have the required permissions to analyze the resource. This typically happens when the service-linked role (SLR) for IAM Access Analyzer is denied access to the resource.

  ```
  {
  	"findingDetails": [
  		{
  			"externalAccessDetails": {}
  		}
  	],
  	"resource": "arn:aws:kms:us-west-2:941407043048:key/01cae123-b7f2-4488-9a05-0070a072ea2c",
  	"status": "ACTIVE",
  	"error": "ACCESS_DENIED",
  	"createdAt": "2022-07-14T01:31:43.104000+00:00",
  	"resourceType": "AWS::KMS::Key",
  	"findingType": "ExternalAccess",
  	"resourceOwnerAccount": "941407043048",
  	"analyzedAt": "2025-03-19T06:51:46.090000+00:00",
  	"id": "7ef6f04a-9d2c-4038-9cc0-2a5f00a4d8f8",
  	"updatedAt": "2022-07-14T01:31:43.104000+00:00"
  }
  ```

## Internal access error findings
<a name="access-analyzer-error-findings-internal"></a>

Internal access analyzers, which identify access within your account or organization, can generate four types of error findings:
+ PRINCIPAL_LIMIT_EXCEEDED – Generated when more than 3,000 principals have access to a critical resource. This error helps you identify resources with overly broad access that might need to be restricted.

  If you make changes to the resource or principals in your environment that bring the number of principals below the limit, the analyzer will generate normal findings during the next scan, and the error finding will be marked as resolved.

  ```
  {
  	"id": "efec28fe-b304-412f-af0f-704d0d70c79c",
  	"status": "ACTIVE",
  	"error": "PRINCIPAL_LIMIT_EXCEEDED",
  	"resource": "arn:aws:s3:::critical-data",
  	"resourceType": "AWS::S3::Bucket",
  	"resourceOwnerAccount": "111122223333",
  	"createdAt": "2023-11-30T00:56:56.437000+00:00",
  	"analyzedAt": "2024-03-06T04:11:54.406000+00:00",
  	"updatedAt": "2023-11-30T00:56:56.437000+00:00",
  	"findingType": "InternalAccess",
  	"findingDetails": [
  		{
  			"internalAccessDetails": {}
  		}
  	]
  }
  ```
+ Resource-level errors (INTERNAL_ERROR or ACCESS_DENIED) – Similar to external access errors, these indicate that the analyzer couldn't analyze a specific resource due to internal issues or permission problems. When a resource-level error occurs, the analyzer generates a single error finding for the resource instead of normal findings. The `error` value is either INTERNAL_ERROR or ACCESS_DENIED.

  ```
  {
  	"id": "efec28fe-b304-412f-af0f-704d0d70c79c",
  	"status": "ACTIVE",
  	"error": "INTERNAL_ERROR",
  	"resource": "arn:aws:s3:::critical-data",
  	"resourceType": "AWS::S3::Bucket",
  	"resourceOwnerAccount": "111122223333",
  	"createdAt": "2023-11-30T00:56:56.437000+00:00",
  	"analyzedAt": "2024-03-06T04:11:54.406000+00:00",
  	"updatedAt": "2023-11-30T00:56:56.437000+00:00",
  	"findingType": "InternalAccess",
  	"findingDetails": [
  		{
  			"internalAccessDetails": {}
  		}
  	]
  }
  ```
+ Principal-level errors (INTERNAL_ERROR or ACCESS_DENIED) – Indicates that the analyzer couldn't analyze access for a specific principal to a specific resource. Unlike resource-level errors, a resource can have both normal findings for some principals and error findings for other principals. The `error` value is either INTERNAL_ERROR or ACCESS_DENIED.

  ```
  {
  	"id": "efec28fe-b304-412f-af0f-704d0d70c79c",
  	"status": "ACTIVE",
  	"error": "INTERNAL_ERROR",
  	"resource": "arn:aws:s3:::critical-data",
  	"resourceType": "AWS::S3::Bucket",
  	"resourceOwnerAccount": "111122223333",
  	"createdAt": "2023-11-30T00:56:56.437000+00:00",
  	"analyzedAt": "2024-03-06T04:11:54.406000+00:00",
  	"updatedAt": "2023-11-30T00:56:56.437000+00:00",
  	"findingType": "InternalAccess",
  	"findingDetails": [
  		{
  			"internalAccessDetails": {
  				"principal": {
  					"AWS": "arn:aws:iam::111122223333:role/MyRole_1"
  				},
  				"principalOwnerAccount": "111122223333",
  				"principalType": "IAM_ROLE",
  				"accessType": "INTRA_ACCOUNT"
  			}
  		}
  	]
  }
  ```
+ PRINCIPAL_ERRORS_LIMIT_EXCEEDED – Generated when there are too many principal-level error findings for a single resource. This is a resource-level error finding that may appear alongside normal findings for the same resource.

  ```
  {
  	"id": "efec28fe-b304-412f-af0f-704d0d70c79c",
  	"status": "ACTIVE",
  	"error": "PRINCIPAL_ERRORS_LIMIT_EXCEEDED",
  	"resource": "arn:aws:s3:::critical-data",
  	"resourceType": "AWS::S3::Bucket",
  	"resourceOwnerAccount": "111122223333",
  	"createdAt": "2023-11-30T00:56:56.437000+00:00",
  	"analyzedAt": "2024-03-06T04:11:54.406000+00:00",
  	"updatedAt": "2023-11-30T00:56:56.437000+00:00",
  	"findingType": "InternalAccess",
  	"resourceControlPolicyRestriction": "NOT_APPLICABLE",
  	"serviceControlPolicyRestriction": "NOT_APPLICABLE",
  	"findingDetails": [
  		{
  			"internalAccessDetails": {}
  		}
  	]
  }
  ```

## Resolving error findings
<a name="access-analyzer-error-findings-resolve"></a>

If you resolve the issue that prevented IAM Access Analyzer from analyzing the resource, the error finding will be removed completely instead of changing to a resolved finding.

To resolve error findings, consider the following approaches based on the error type:
+ For ACCESS_DENIED errors, verify that the IAM Access Analyzer service-linked role has the necessary permissions to access the resource.
+ For PRINCIPAL_LIMIT_EXCEEDED errors, review the resource's access policies and consider restricting access to fewer principals.
+ For INTERNAL_ERROR findings, you may need to wait for a subsequent analysis cycle or contact AWS support if the issue persists.
+ For PRINCIPAL_ERRORS_LIMIT_EXCEEDED, review and potentially simplify the access patterns for the affected resource.

After making changes to address the underlying issues, IAM Access Analyzer will attempt to analyze the resources again during its next scan cycle.
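The error finding shapes and the remediation list above, as an added triage example that is not part of the AWS documentation: it walks a set of findings constructed to match the JSON on this page, separates resource-level errors from principal-level errors (the latter carry a `principal` inside `internalAccessDetails`), skips resolved findings, and attaches the remediation approach listed above to each error. Finding ids and ARNs are placeholders.

```python
"""Triage IAM Access Analyzer error findings by scope and error code.

Added example, not AWS code. The sample findings below are constructed to
mirror the shapes shown on this page (ids and ARNs are placeholders).
"""
import json
from collections import defaultdict

# Remediation guidance per error code, taken from the "Resolving error findings" list.
REMEDIATION = {
    "ACCESS_DENIED": "Check that the IAM Access Analyzer service-linked role "
                     "can read the resource's policy.",
    "INTERNAL_ERROR": "Wait for the next analysis cycle; contact AWS Support "
                      "if the error persists.",
    "PRINCIPAL_LIMIT_EXCEEDED": "More than 3,000 principals can reach the "
                                "resource; restrict its access policies.",
    "PRINCIPAL_ERRORS_LIMIT_EXCEEDED": "Too many principal-level errors; "
                                       "review and simplify access patterns.",
}

# Constructed sample: one finding per error type, plus one normal finding and one
# resolved finding on a bucket that also carries a principal-level error.
SAMPLE_FINDINGS = json.loads("""[
 {"id": "f-1", "status": "ACTIVE", "error": "INTERNAL_ERROR",
  "resource": "arn:aws:iam::111122223333:role/TestAccessAnalyzer",
  "resourceType": "AWS::IAM::Role", "findingType": "ExternalAccess",
  "findingDetails": [{"externalAccessDetails": {}}]},
 {"id": "f-2", "status": "ACTIVE", "error": "ACCESS_DENIED",
  "resource": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID",
  "resourceType": "AWS::KMS::Key", "findingType": "ExternalAccess",
  "findingDetails": [{"externalAccessDetails": {}}]},
 {"id": "f-3", "status": "ACTIVE", "error": "PRINCIPAL_LIMIT_EXCEEDED",
  "resource": "arn:aws:s3:::critical-data",
  "resourceType": "AWS::S3::Bucket", "findingType": "InternalAccess",
  "findingDetails": [{"internalAccessDetails": {}}]},
 {"id": "f-4", "status": "ACTIVE", "error": "ACCESS_DENIED",
  "resource": "arn:aws:s3:::other-data",
  "resourceType": "AWS::S3::Bucket", "findingType": "InternalAccess",
  "findingDetails": [{"internalAccessDetails": {
     "principal": {"AWS": "arn:aws:iam::111122223333:role/MyRole_1"},
     "principalOwnerAccount": "111122223333",
     "principalType": "IAM_ROLE", "accessType": "INTRA_ACCOUNT"}}]},
 {"id": "f-5", "status": "ACTIVE",
  "resource": "arn:aws:s3:::other-data",
  "resourceType": "AWS::S3::Bucket", "findingType": "InternalAccess",
  "findingDetails": [{"internalAccessDetails": {
     "principal": {"AWS": "arn:aws:iam::111122223333:role/MyRole_2"},
     "principalOwnerAccount": "111122223333",
     "principalType": "IAM_ROLE", "accessType": "INTRA_ACCOUNT"}}]},
 {"id": "f-6", "status": "RESOLVED",
  "resource": "arn:aws:s3:::other-data",
  "resourceType": "AWS::S3::Bucket", "findingType": "InternalAccess",
  "findingDetails": [{"internalAccessDetails": {
     "principal": {"AWS": "arn:aws:iam::111122223333:role/MyRole_3"},
     "principalOwnerAccount": "111122223333",
     "principalType": "IAM_ROLE", "accessType": "INTRA_ACCOUNT"}}]}
]""")


def error_principal(finding):
    """Return the principal ARN of a principal-level error, or None for a resource-level one."""
    for detail in finding.get("findingDetails", []):
        inner = (detail.get("internalAccessDetails")
                 or detail.get("externalAccessDetails") or {})
        principal = inner.get("principal")
        if principal:
            # Principal-level errors name the principal; resource-level errors have {} here.
            return principal.get("AWS", json.dumps(principal, sort_keys=True))
    return None


def triage(findings):
    """Group active findings per resource into a normal-finding count and error records."""
    report = defaultdict(lambda: {"normal": 0, "errors": []})
    for finding in findings:
        if finding.get("status") != "ACTIVE":
            continue  # resolved findings need no action
        entry = report[finding["resource"]]
        code = finding.get("error")
        if code is None:
            entry["normal"] += 1
            continue
        principal = error_principal(finding)
        entry["errors"].append({
            "id": finding["id"],
            "error": code,
            "scope": "principal" if principal else "resource",
            "principal": principal,
            "action": REMEDIATION.get(code, "Unrecognized error code; inspect manually."),
        })
    return dict(report)


if __name__ == "__main__":
    for resource, entry in triage(SAMPLE_FINDINGS).items():
        print(f"{resource}: {entry['normal']} normal finding(s)")
        for err in entry["errors"]:
            who = err["principal"] or "(resource-level)"
            print(f"  {err['error']} {who}: {err['action']}")
```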

# IAM Access Analyzer supported resource types for external and internal access
<a name="access-analyzer-resources"></a>

For external and internal access analyzers, IAM Access Analyzer analyzes the resource-based policies that are applied to AWS resources in the Region where you enabled IAM Access Analyzer. It only analyzes resource-based policies. For details about how IAM Access Analyzer generates findings for each resource type, review the resource type information.

**Note**  
The supported resource types listed are for external and internal access analyzers. Internal access analyzers don't support all resource types that external access analyzers support. Unused access analyzers only support IAM users and roles. For more information, see [Understand how IAM Access Analyzer findings work](access-analyzer-concepts.md).

## Supported resource types for external access
<a name="access-analyzer-supported-external-resources"></a>
+ [Amazon Simple Storage Service buckets](#access-analyzer-s3)
+ [Amazon Simple Storage Service directory buckets](#access-analyzer-s3-directory)
+ [AWS Identity and Access Management roles](#access-analyzer-iam-role)
+ [AWS Key Management Service keys](#access-analyzer-kms-key)
+ [AWS Lambda functions and layers](#access-analyzer-lambda)
+ [Amazon Simple Queue Service queues](#access-analyzer-sqs)
+ [AWS Secrets Manager secrets](#access-analyzer-secrets-manager)
+ [Amazon Simple Notification Service topics](#access-analyzer-sns)
+ [Amazon Elastic Block Store volume snapshots](#access-analyzer-ebs)
+ [Amazon Relational Database Service DB snapshots](#access-analyzer-rds-db)
+ [Amazon Relational Database Service DB cluster snapshots](#access-analyzer-rds-db-cluster)
+ [Amazon Elastic Container Registry repositories](#access-analyzer-ecr)
+ [Amazon Elastic File System file systems](#access-analyzer-efs)
+ [Amazon DynamoDB streams](#access-analyzer-ddb-stream)
+ [Amazon DynamoDB tables](#access-analyzer-ddb-table)

## Supported resource types for internal access
<a name="access-analyzer-supported-internal-resources"></a>
+ [Amazon Simple Storage Service buckets](#access-analyzer-s3)
+ [Amazon Simple Storage Service directory buckets](#access-analyzer-s3-directory)
+ [Amazon Relational Database Service DB snapshots](#access-analyzer-rds-db)
+ [Amazon Relational Database Service DB cluster snapshots](#access-analyzer-rds-db-cluster)
+ [Amazon DynamoDB streams](#access-analyzer-ddb-stream)
+ [Amazon DynamoDB tables](#access-analyzer-ddb-table)

## Amazon Simple Storage Service buckets
<a name="access-analyzer-s3"></a>

When IAM Access Analyzer analyzes Amazon S3 buckets for external access analyzers, it generates a finding when an Amazon S3 bucket policy, access control list (ACL), or access point, including a multi-Region access point, applied to a bucket grants access to an external entity. An external entity is a principal or other entity that isn't within your zone of trust; you can use it to [create a filter](access-analyzer-findings-filter.md) for findings. For example, if a bucket policy grants access to another account or allows public access, IAM Access Analyzer generates a finding. However, if you enable [Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) on your bucket, you can block access at the account level or the bucket level.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon S3 bucket.

**Note**  
IAM Access Analyzer doesn’t analyze the access point policy attached to cross-account access points because the access point and its policy are outside the analyzer account. IAM Access Analyzer generates a public finding when a bucket delegates access to a cross-account access point and Block Public Access is not enabled on the bucket or account. When you enable Block Public Access, the public finding is resolved and IAM Access Analyzer generates a cross-account finding for the cross-account access point. 

Amazon S3 *Block Public Access* settings override the bucket policies applied to the bucket. The settings also override the access point policies applied to the bucket’s access points. IAM Access Analyzer analyzes Block Public Access settings at the bucket level whenever a policy changes. However, it evaluates the Block Public Access settings at the account level only once every 6 hours. This means that IAM Access Analyzer might not generate or resolve a finding for public access to a bucket for up to 6 hours. For example, if you have a bucket policy that allows public access, IAM Access Analyzer generates a finding for that access. If you then enable Block Public Access to block all public access to the bucket at the account level, IAM Access Analyzer doesn't resolve the finding for the bucket policy for up to 6 hours, even though all public access to the bucket is blocked. Resolution of public findings for cross-account access points can also take up to 6 hours once you enable Block Public Access at the account level. Changes to a resource control policy (RCP) without a change to the bucket policy do not trigger a rescan of the bucket reported in the finding. IAM Access Analyzer analyzes the new or updated policy during the next periodic scan, which is within 24 hours.

For a multi-Region access point, IAM Access Analyzer uses an established policy for generating findings. IAM Access Analyzer evaluates changes to multi-Region access points once every 6 hours. This means IAM Access Analyzer doesn’t generate or resolve a finding for up to 6 hours, even if you create or delete a multi-Region access point, or update the policy for it. 

## Amazon Simple Storage Service directory buckets
<a name="access-analyzer-s3-directory"></a>

Amazon S3 directory buckets organize data hierarchically into directories, as opposed to the flat storage structure of general purpose buckets, and are recommended for performance-critical workloads or applications. For external access analyzers, IAM Access Analyzer analyzes the directory bucket policy, including condition statements in the policy, that allow an external entity to access a directory bucket.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon S3 directory bucket.

Amazon S3 directory buckets also support access points, which enforce distinct permissions and network controls for all requests made to the directory bucket through the access point. Each access point can have an access point policy that works in conjunction with the bucket policy that is attached to the underlying directory bucket. With access points for directory buckets, you can restrict access to specific prefixes, API actions, or a virtual private cloud (VPC).

**Note**  
IAM Access Analyzer doesn’t analyze the access point policy attached to cross-account access points because the access point and its policy are outside the analyzer account. IAM Access Analyzer generates a public finding when a bucket delegates access to a cross-account access point and Block Public Access is not enabled on the bucket or account. When you enable Block Public Access, the public finding is resolved and IAM Access Analyzer generates a cross-account finding for the cross-account access point. 

For more information about Amazon S3 directory buckets, see [Working with directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html) in the Amazon Simple Storage Service User Guide.

## AWS Identity and Access Management roles
<a name="access-analyzer-iam-role"></a>

For IAM roles, IAM Access Analyzer analyzes [trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy). In a role trust policy, you define the principals that you trust to assume the role. A role trust policy is a required resource-based policy that is attached to a role in IAM. IAM Access Analyzer generates findings for roles within the zone of trust that can be accessed by an external entity that is outside your zone of trust.

**Note**  
An IAM role is a global resource. If a role trust policy grants access to an external entity, IAM Access Analyzer generates a finding in each enabled Region.

## AWS Key Management Service keys
<a name="access-analyzer-kms-key"></a>

For AWS KMS keys, IAM Access Analyzer analyzes the key policies and grants applied to a key. IAM Access Analyzer generates a finding if a key policy or grant allows an external entity to access the key. For example, if you use the [kms:CallerAccount](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-caller-account) condition key in a policy statement to allow access to all users in a specific AWS account, and you specify an account other than the current account (the zone of trust for the current analyzer), IAM Access Analyzer generates a finding. To learn more about AWS KMS condition keys in IAM policy statements, see [AWS KMS Condition Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys).

When IAM Access Analyzer analyzes a KMS key, it reads key metadata, such as the key policy and the list of grants. If the key policy doesn't allow the IAM Access Analyzer role to read the key metadata, an Access Denied error finding is generated. For example, if the following policy statement is the only statement applied to a key, it results in an Access Denied error finding in IAM Access Analyzer.

```
{
    "Sid": "Allow access for Key Administrators",
    "Effect": "Allow",
    "Principal": {
       "AWS": "arn:aws:iam::111122223333:role/Admin"
    },
    "Action": "kms:*",
    "Resource": "*"
}
```

Because this statement allows only the role named *Admin* from the AWS account 111122223333 to access the key, IAM Access Analyzer isn't able to fully analyze the key and generates an Access Denied error finding. An error finding is displayed in red text in the **Findings** table. The finding looks similar to the following.

```
{
    "error": "ACCESS_DENIED",
    "id": "12345678-1234-abcd-dcba-111122223333",
    "analyzedAt": "2019-09-16T14:24:33.352Z",
    "resource": "arn:aws:kms:us-west-2:1234567890:key/1a2b3c4d-5e6f-7a8b-9c0d-1a2b3c4d5e6f7g8a",
    "resourceType": "AWS::KMS::Key",
    "status": "ACTIVE",
    "updatedAt": "2019-09-16T14:24:33.352Z"
}
```

When you create a KMS key, the permissions granted to access the key depend on how you create the key. If you receive an Access Denied error finding for a key resource, apply the following policy statement to the key resource to grant IAM Access Analyzer permission to access the key.

```
{
    "Sid": "Allow IAM Access Analyzer access to key metadata",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer"
    },
    "Action": [
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:List*"
    ],
    "Resource": "*"
}
```

After you receive an Access Denied finding for a KMS key resource, and then resolve the finding by updating the key policy, the finding is updated to a status of Resolved. If there are policy statements or key grants that grant permission to the key to an external entity, you might see additional findings for the key resource. 
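An added check for the KMS case above (example code, not AWS code): it evaluates a key policy for the IAM Access Analyzer service-linked role and reports, per metadata action, whether access is `allowed`, `denied`, `delegated` (granted only to the account root, so the role's own IAM policy decides), or `missing`. It assumes statements without conditions, `NotAction` or `NotPrincipal`, and uses `kms:ListGrants` as the concrete List action the analyzer needs to read grants; the account id and role ARN follow the page's example.

```python
"""Check whether a KMS key policy lets the IAM Access Analyzer service-linked
role read key metadata (the cause of the ACCESS_DENIED finding shown above).

Added example, not AWS code. Conditions, NotAction and NotPrincipal are not
evaluated (assumption), so "allowed" here is necessary but not sufficient.
"""
import fnmatch

# Constructed values: account id and SLR ARN follow the example policy on the page.
ACCOUNT_ID = "111122223333"
SLR_ARN = (f"arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/"
           "access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer")
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
# Concrete actions behind the kms:DescribeKey / kms:GetKeyPolicy / kms:List* grant.
# kms:ListGrants is assumed to be the List action needed to read the key's grants.
REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListGrants")


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_principals(statement):
    """Return the AWS principal strings a statement names; '*' means anyone."""
    principal = statement.get("Principal")
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return set(_as_list(principal.get("AWS")))
    return set()


def _statement_covers(statement, principal_arn, action):
    """True if the statement names the principal and its Action matches."""
    principals = _statement_principals(statement)
    if "*" not in principals and principal_arn not in principals:
        return False
    return _action_matches(action, _as_list(statement.get("Action")))


def check_analyzer_access(key_policy):
    """Map each required action to allowed / denied / delegated / missing for the SLR."""
    statements = _as_list(key_policy.get("Statement"))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    denies = [s for s in statements if s.get("Effect") == "Deny"]
    result = {}
    for action in REQUIRED_ACTIONS:
        if any(_statement_covers(s, SLR_ARN, action) for s in denies):
            result[action] = "denied"  # an explicit Deny always wins
        elif any(_statement_covers(s, SLR_ARN, action) for s in allows):
            result[action] = "allowed"
        elif any(_statement_covers(s, ROOT_ARN, action) for s in allows):
            # Granting the account root delegates the decision to IAM policies
            # in that account, so the answer depends on the role's own policy.
            result[action] = "delegated"
        else:
            result[action] = "missing"
    return result


def expect_access_denied_finding(key_policy):
    """True when the key policy alone cannot give the analyzer the metadata it reads."""
    states = check_analyzer_access(key_policy).values()
    return any(state in ("denied", "missing") for state in states)


# The page's "Admin only" statement: the analyzer role is not named at all.
ADMIN_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow access for Key Administrators",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/Admin"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

# The same key after adding the page's metadata statement for the SLR.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": ADMIN_ONLY_POLICY["Statement"] + [{
        "Sid": "Allow IAM Access Analyzer access to key metadata",
        "Effect": "Allow",
        "Principal": {"AWS": SLR_ARN},
        "Action": ["kms:DescribeKey", "kms:GetKeyPolicy", "kms:List*"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, policy in (("admin-only", ADMIN_ONLY_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check_analyzer_access(policy),
              "-> ACCESS_DENIED expected" if expect_access_denied_finding(policy) else "-> ok")
```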

## AWS Lambda functions and layers
<a name="access-analyzer-lambda"></a>

For AWS Lambda functions, IAM Access Analyzer analyzes policies, including condition statements in a policy, that grant access to the function to an external entity. With Lambda, you can attach unique resource-based policies to functions, versions, aliases, and layers. IAM Access Analyzer reports external access based on resource-based policies attached to functions and layers. IAM Access Analyzer doesn't report external access based on resource-based policies attached to aliases and specific versions invoked using a qualified ARN.

For more information, see [Using resource-based policies for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html) and [Using versions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html#versioning-versions-using) in the AWS Lambda Developer Guide.

## Amazon Simple Queue Service queues
<a name="access-analyzer-sqs"></a>

For Amazon SQS queues, IAM Access Analyzer analyzes policies, including condition statements in a policy, that allow an external entity access to a queue.

## AWS Secrets Manager secrets
<a name="access-analyzer-secrets-manager"></a>

For AWS Secrets Manager secrets, IAM Access Analyzer analyzes policies, including condition statements in a policy, that allow an external entity to access a secret.

## Amazon Simple Notification Service topics
<a name="access-analyzer-sns"></a>

IAM Access Analyzer analyzes resource-based policies attached to Amazon SNS topics, including condition statements in the policies that allow external access to a topic. You can allow external accounts to perform Amazon SNS actions such as subscribing to and publishing to topics through a resource-based policy. An Amazon SNS topic is externally accessible if principals from an account outside of your zone of trust can perform operations on the topic. When you choose `Everyone` in your policy when creating an Amazon SNS topic, you make the topic accessible to the public. `AddPermission` is another way to add a resource-based policy to an Amazon SNS topic that allows external access.

## Amazon Elastic Block Store volume snapshots
<a name="access-analyzer-ebs"></a>

Amazon Elastic Block Store volume snapshots do not have resource-based policies. A snapshot is shared through Amazon EBS sharing permissions. For Amazon EBS volume snapshots, IAM Access Analyzer analyzes access control lists that allow an external entity access to a snapshot. An Amazon EBS volume snapshot can be shared with external accounts when encrypted. An unencrypted volume snapshot can be shared with external accounts and grant public access. Sharing settings are in the `CreateVolumePermissions` attribute of the snapshot. When customers preview external access of an Amazon EBS snapshot, they can specify the encryption key as an indicator that the snapshot is encrypted, similar to how IAM Access Analyzer preview handles Secrets Manager secrets.

## Amazon Relational Database Service DB snapshots
<a name="access-analyzer-rds-db"></a>

Amazon RDS DB snapshots do not have resource-based policies. A DB snapshot is shared through Amazon RDS database permissions, and only manual DB snapshots can be shared. For external access analyzers, IAM Access Analyzer analyzes access control lists that allow an external entity access to an Amazon RDS DB snapshot. Unencrypted DB snapshots can be public. Encrypted DB snapshots cannot be shared publicly, but they can be shared with up to 20 other accounts. For more information, see [Creating a DB snapshot](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html). IAM Access Analyzer considers the ability to export a database manual snapshot (for example, to an Amazon S3 bucket) as trusted access.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon RDS DB snapshot.

**Note**  
IAM Access Analyzer does not identify public or cross-account access configured directly on the database itself. IAM Access Analyzer only identifies findings for public or cross-account access configured on the Amazon RDS DB snapshot.

## Amazon Relational Database Service DB cluster snapshots
<a name="access-analyzer-rds-db-cluster"></a>

Amazon RDS DB cluster snapshots do not have resource-based policies. A snapshot is shared through Amazon RDS DB cluster permissions. For external access analyzers, IAM Access Analyzer analyzes access control lists that allow an external entity access to an Amazon RDS DB cluster snapshot. Unencrypted cluster snapshots can be public. Encrypted cluster snapshots cannot be shared publicly. Both unencrypted and encrypted cluster snapshots can be shared with up to 20 other accounts. For more information, see [Creating a DB cluster snapshot](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_CreateSnapshotCluster.html). IAM Access Analyzer considers the ability to export a DB cluster snapshot (for example, to an Amazon S3 bucket) as trusted access.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon RDS DB cluster snapshot.

**Note**  
IAM Access Analyzer findings do not include monitoring of any share of Amazon RDS DB clusters and clones with another AWS account or organization using AWS Resource Access Manager. IAM Access Analyzer only identifies findings for public or cross-account access configured on the Amazon RDS DB cluster snapshot.

## Amazon Elastic Container Registry repositories
<a name="access-analyzer-ecr"></a>

For Amazon ECR repositories, IAM Access Analyzer analyzes resource-based policies, including condition statements in a policy, that allow an external entity access to a repository (similar to other resource types like Amazon SNS topics and Amazon EFS file systems). For Amazon ECR repositories, a principal must have permission to `ecr:GetAuthorizationToken` through an identity-based policy to be considered externally available.

## Amazon Elastic File System file systems
<a name="access-analyzer-efs"></a>

For Amazon EFS file systems, IAM Access Analyzer analyzes policies, including condition statements in a policy, that allow an external entity access to a file system. An Amazon EFS file system is externally accessible if principals from an account outside of your zone of trust can perform operations on that file system. Access is defined by a file system policy that uses IAM, and by how the file system is mounted. For example, mounting your Amazon EFS file system in another account is considered externally accessible, unless that account is in your organization and you have defined the organization as your zone of trust. If you are mounting the file system from a virtual private cloud with a public subnet, the file system is externally accessible. When you use Amazon EFS with AWS Transfer Family, file system access requests received from a Transfer Family server that is owned by a different account than the file system are blocked if the file system allows public access.

## Amazon DynamoDB streams
<a name="access-analyzer-ddb-stream"></a>

For external access analyzers, IAM Access Analyzer generates a finding if a DynamoDB policy allows at least one cross-account action that allows an external entity to access a DynamoDB stream. For more information on the supported cross-account actions for DynamoDB, see [IAM actions supported by resource-based policies](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-iam-actions.html) in the Amazon DynamoDB Developer Guide.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified DynamoDB stream.

## Amazon DynamoDB tables
<a name="access-analyzer-ddb-table"></a>

For external access analyzers, IAM Access Analyzer generates a finding for a DynamoDB table if a DynamoDB policy allows at least one cross-account action that allows an external entity to access a DynamoDB table or index. For more information on the supported cross-account actions for DynamoDB, see [IAM actions supported by resource-based policies](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-iam-actions.html) in the Amazon DynamoDB Developer Guide.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified DynamoDB table.

# Delegated administrator for IAM Access Analyzer
<a name="access-analyzer-delegated-administrator"></a>

If you're configuring AWS Identity and Access Management Access Analyzer in your AWS Organizations management account, you can add a member account in the organization as the delegated administrator to manage IAM Access Analyzer for your organization. The delegated administrator is a member account that has permissions to create and manage analyzers that analyze access across the organization. Only the management account can add, remove, or change a delegated administrator.

If you add a delegated administrator, you can later change to a different account. When you do, the former delegated administrator account loses permission to all analyzers that were created in that account to analyze access across the organization. Those analyzers move to a disabled state and no longer generate new findings or update existing ones, and their existing findings are no longer accessible. You can regain access to them later by configuring the same account as the delegated administrator again. If you know that you won't reuse that account as a delegated administrator, consider deleting its analyzers before changing the delegated administrator; this deletes all findings those analyzers generated. When the new delegated administrator creates new analyzers, new instances of the same findings are generated, so no findings are lost; they are generated again for the new analyzer in a different account. You can also continue to access findings for the organization from the organization management account, which has administrator permissions as well. The new delegated administrator must create new analyzers before IAM Access Analyzer starts monitoring resources in your organization again.

If the delegated administrator leaves the AWS organization, the delegated administration privileges are removed from the account. All analyzers in the account with the organization as the zone of trust move to a disabled state. The existing findings for these analyzers are also no longer accessible.

The first time that you configure analyzers in the management account, you can choose **Add delegated administrator** on the **Analyzer settings** page in the IAM Access Analyzer console.

**Note**  
IAM Access Analyzer charges for unused access analyzers based on the number of IAM roles and users analyzed per analyzer per month. If you create an unused access analyzer in the management account and the delegated administrator account, you will be charged for both unused access analyzers. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

After you change the delegated administrator, the new administrator must create analyzers to start monitoring access to the resources in your organization.

# Add a delegated administrator for IAM Access Analyzer
<a name="access-analyzer-delegated-administrator-add"></a>

If you're configuring AWS Identity and Access Management Access Analyzer in your AWS Organizations management account, you can add a member account in the organization as the delegated administrator to manage IAM Access Analyzer for your organization. The delegated administrator has permissions to create and manage analyzers within the organization. Only the management account can add a delegated administrator.

**To add a delegated administrator using the console**

1. Log in to the AWS console using the management account for your organization.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access Analyzer**, choose **Analyzer settings**.

1. Choose **Add delegated administrator**.

1. In the **Delegated administrator** field, enter the AWS account number of an organization member account to make the delegated administrator.

   The account must be a member of your organization.

1. Choose **Save changes**.

**To add a delegated administrator using the AWS CLI or the AWS SDKs**

When you create an analyzer that analyzes access across the organization in a delegated administrator account using the AWS CLI, the AWS API (through the AWS SDKs), or CloudFormation, you must first use AWS Organizations APIs to enable trusted service access for IAM Access Analyzer and to register the member account as a delegated administrator.

1. Enable trusted service access for IAM Access Analyzer (service principal `access-analyzer.amazonaws.com`) in AWS Organizations. See [How to Enable or Disable Trusted Access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) in the AWS Organizations User Guide.

1. Register a valid member account of your AWS organization as a delegated administrator for the same service principal using the AWS Organizations [RegisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html) API operation or the `register-delegated-administrator` AWS CLI command.

# Archive rules
<a name="access-analyzer-archive-rules"></a>

Archive rules automatically archive new findings that meet the criteria you define when you create the rule. You can also apply archive rules retroactively to archive existing findings that meet the archive rule criteria. For example, you can create an archive rule to automatically archive any findings for a specific Amazon S3 bucket that you regularly grant access to. Or if you grant access to multiple resources to a specific principal, you can create a rule that automatically archives any new finding generated for access granted to that principal. This lets you focus only on active findings that may indicate a security risk.

When you create an archive rule, only new findings that match the rule criteria are automatically archived. Existing findings are not automatically archived. When you create a rule, you can include up to 20 values per criterion in the rule. For a list of filter keys that you can use to create or update an archive rule, see [IAM Access Analyzer filter keys](access-analyzer-reference-filter-keys.md).

**Note**  
When you create or edit an archive rule, IAM Access Analyzer does not validate the values you include in the filter for the rule. For example, if you add a rule to match an AWS account, IAM Access Analyzer accepts any value in the field, even if it is not a valid AWS account number.

**To create an archive rule**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Access analyzer**, then choose **Analyzer settings**.

1. In the **Analyzers** section, choose the analyzer for which you want to create an archive rule.

1. On the **Archive rules** tab, choose **Create archive rule**.

1. Enter a name for the rule if you want to change the default name.

1. In the **Rule** section, under **Criteria**, select a property to match for the rule.

1. Choose a condition for the property value, such as **Contains**, **Is**, or **Not Equals**.

   The operators available depend on the property you choose.

1. Optionally, add additional values for the property, or add additional criteria for the rule. For external access findings, to ensure that your rule won’t archive new findings for public access, you can also include the criterion **Public access** and set it to **false**.

   To add another value for a criterion, choose **Add another value**. To add another criterion for the rule, choose **Add criterion**.

1. When you finish adding criteria and values, choose **Create rule** to apply the rule to new findings only. Choose **Create and archive active findings** to archive new and existing findings based on the rule criteria. In the **Results** section, you can review the list of active findings the archive rule applies to.

For example, to create a rule for external access findings that automatically archives any findings for Amazon S3 buckets: choose **Resource type**, and then choose **Is** for the condition. Next choose **S3 bucket** from the **Value** list.

To create a rule for unused access findings that automatically archives any finding for a particular account: choose **Resource Owner Account**, and then choose **Equals** for the condition. Type the AWS account ID in the **Value** text box.

Continue to define criteria to customize the rule as appropriate for your environment, and then choose **Create rule**.

If you are creating a new rule and add multiple criteria, you can remove a single criterion from the rule by choosing **Remove this criterion**. You can remove a value added for a criterion by choosing **Remove value**.
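Because IAM Access Analyzer does not validate the values in an archive rule, and because a rule that matches too broadly silently hides findings, it is worth checking a rule locally before you create it and previewing which findings it would archive. The following Python is an added example, not code from the AWS documentation: it mirrors the shape of the `filter` parameter of the `CreateArchiveRule` API (a map from filter key to a criterion with `eq`, `neq`, `contains`, or `exists`), enforces the 20-values-per-criterion limit and well-formed account IDs, and applies the rule to constructed sample findings. The filter key names (`resourceType`, `isPublic`, `principal.AWS`, `resourceOwnerAccount`) follow the filter keys reference; treating `resourceOwnerAccount` as the key behind the console's **Resource Owner Account** criterion is an assumption.

```python
"""Build and sanity-check an IAM Access Analyzer archive rule filter offline.

Added example, not code from the AWS documentation. The findings below are
constructed sample data shaped like the `detail` object of the finding events.
"""
from __future__ import annotations

import re
from typing import Any

MAX_VALUES_PER_CRITERION = 20            # limit stated in the documentation
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Assumption: `resourceOwnerAccount` is the filter key the console labels
# "Resource Owner Account"; its values must be 12-digit AWS account IDs.
ACCOUNT_ID_KEYS = {"resourceOwnerAccount"}
OPERATORS = {"eq", "neq", "contains", "exists"}

SAMPLE_FINDINGS = [
    {"id": "f-1", "resourceType": "AWS::S3::Bucket", "resource": "arn:aws:s3:::amzn-s3-demo-bucket",
     "isPublic": False, "principal": {"AWS": "999988887777"}, "resourceOwnerAccount": "111122223333"},
    {"id": "f-2", "resourceType": "AWS::S3::Bucket", "resource": "arn:aws:s3:::amzn-s3-demo-bucket-public",
     "isPublic": True, "principal": {"AWS": "*"}, "resourceOwnerAccount": "111122223333"},
    {"id": "f-3", "resourceType": "AWS::IAM::Role", "resource": "arn:aws:iam::111122223333:role/CrossAccountRole",
     "isPublic": False, "principal": {"AWS": "999988887777"}, "resourceOwnerAccount": "111122223333"},
]


def build_filter(criteria: dict[str, dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Validate the criteria and return them in the API's `filter` shape.

    Raises ValueError for an unknown operator, an empty value list, more than
    MAX_VALUES_PER_CRITERION values, or a malformed account ID.
    """
    for key, criterion in criteria.items():
        for op, values in criterion.items():
            if op not in OPERATORS:
                raise ValueError(f"{key}: unsupported operator {op!r}")
            if op == "exists":
                if not isinstance(values, bool):
                    raise ValueError(f"{key}: exists takes a boolean")
                continue
            if not values:
                raise ValueError(f"{key}: {op} needs at least one value")
            if len(values) > MAX_VALUES_PER_CRITERION:
                raise ValueError(f"{key}: {len(values)} values exceeds the limit of {MAX_VALUES_PER_CRITERION}")
            if key in ACCOUNT_ID_KEYS:
                bad = [v for v in values if not ACCOUNT_ID_RE.match(v)]
                if bad:
                    raise ValueError(f"{key}: not a 12-digit account ID: {bad}")
    return {key: dict(criterion) for key, criterion in criteria.items()}


def _lookup(finding: dict[str, Any], dotted_key: str) -> str | None:
    """Resolve a dotted filter key such as `principal.AWS`; booleans become 'true'/'false'."""
    node: Any = finding
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    if isinstance(node, bool):
        return "true" if node else "false"
    return str(node)


def matches(finding: dict[str, Any], rule_filter: dict[str, dict[str, Any]]) -> bool:
    """True when the finding satisfies every criterion (criteria are ANDed)."""
    for key, criterion in rule_filter.items():
        actual = _lookup(finding, key)
        for op, values in criterion.items():
            if op == "exists" and (actual is not None) != values:
                return False
            if op == "eq" and actual not in values:
                return False
            if op == "neq" and actual in values:
                return False
            if op == "contains" and (actual is None or not any(v in actual for v in values)):
                return False
    return True


def archive_candidates(findings: list[dict[str, Any]], rule_filter: dict[str, dict[str, Any]]) -> list[str]:
    """IDs of the findings the rule would archive if applied to existing findings."""
    return [f["id"] for f in findings if matches(f, rule_filter)]


# Archive S3 bucket findings, but never public ones (the caveat from the procedure above).
S3_NON_PUBLIC = build_filter({
    "resourceType": {"eq": ["AWS::S3::Bucket"]},
    "isPublic": {"eq": ["false"]},
})

if __name__ == "__main__":
    print(archive_candidates(SAMPLE_FINDINGS, S3_NON_PUBLIC))
```

Run the preview against the findings your analyzer currently reports (for example, the output of `aws accessanalyzer list-findings`) before creating the rule; if the candidate list contains anything you would not want hidden, narrow the criteria rather than relying on the console's lack of validation to catch the mistake.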

**To edit an archive rule**

1. Choose name of the rule to edit in the **Name** column.

   You can edit only one archive rule at a time.

1. Add new criteria or remove the existing criteria and values for each criterion.

1. Choose **Save changes** to apply the rule to new findings only. Choose **Save and archive active findings** to archive new and existing findings based on the rule criteria. 

**To delete an archive rule**

1. Select the checkbox for the rules that you want to delete.

1. Choose **Delete**.

1. Type **delete** in the **Delete archive rule** confirmation dialog, and then choose **Delete**.

The rules are deleted only from the analyzer in the current Region. You must delete archive rules separately for each analyzer that you created in other Regions.

# Monitoring AWS Identity and Access Management Access Analyzer with Amazon EventBridge
<a name="access-analyzer-eventbridge"></a>

Use the information in this topic to learn how to monitor IAM Access Analyzer findings and access previews with Amazon EventBridge. EventBridge is the successor to Amazon CloudWatch Events.

## Findings events
<a name="access-analyzer-events-findings"></a>

IAM Access Analyzer sends an event to EventBridge for each generated finding, for a change to the status of an existing finding, and when a finding is deleted. To receive findings and notifications about findings, you must create an event rule in Amazon EventBridge. When you create an event rule, you can also specify a target action to trigger based on the rule. For example, you could create an event rule that triggers an Amazon SNS topic when an event for a new finding is received from IAM Access Analyzer. Details about the resource control policy (RCP) are available in the event detail section.

## Access preview events
<a name="access-analyzer-access-preview-events"></a>

IAM Access Analyzer sends an event to EventBridge for each access preview and change to its status. This includes an event when the access preview is first created (status Creating), when the access preview is complete (status Completed), or when the access preview creation failed (status Failed). To receive notifications about access previews, you must create an event rule in EventBridge. When you create an event rule, you can specify a target action to trigger based on the rule. For example, you could create an event rule that triggers an Amazon SNS topic when an event for a completed access preview is received from IAM Access Analyzer. 

## Event notification frequency
<a name="access-analyzer-event-frequency"></a>

IAM Access Analyzer sends events for new findings and findings with status updates to EventBridge within about an hour from when the event occurs in your account. IAM Access Analyzer also sends events to EventBridge when a resolved finding is deleted because the retention period has expired. For findings that are deleted because the analyzer that generated them is deleted, the event is sent to EventBridge approximately 24 hours after the analyzer was deleted. When a finding is deleted, the finding status is not changed. Instead, the `isDeleted` attribute is set to `true`. IAM Access Analyzer also sends events for newly created access previews and access preview status changes to EventBridge.



## Example external access findings events
<a name="access-analyzer-event-example"></a>

The following is an example IAM Access Analyzer external access finding event sent to EventBridge. The `id` listed is the ID for the event in EventBridge. To learn more, see [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html).

In the `detail` object, the values for the `accountId` and `region` attributes refer to the account and region reported in the finding. The `isDeleted` attribute indicates whether the event was from the finding being deleted. The `id` is the finding ID. The `resources` array is a singleton with the ARN of the analyzer that generated the finding.

```
{
    "account": "111122223333",
    "detail": {
        "accountId": "111122223333",
        "action": [
            "s3:GetObject"
        ],
        "analyzedAt": "2019-11-21T01:22:22Z",
        "condition": {},
        "createdAt": "2019-11-20T04:58:50Z",
        "id": "22222222-dcba-4444-dcba-333333333333",
        "isDeleted": false,
        "isPublic": false,
        "principal": {
            "AWS": "999988887777"
        },
        "region": "us-west-2",
        "resource": "arn:aws:s3:::amzn-s3-demo-bucket",
        "resourceType": "AWS::S3::Bucket",
        "status": "ACTIVE",
        "updatedAt": "2019-11-21T01:14:07Z",
        "version": "1.0"
    },
    "detail-type": "Access Analyzer Finding",
    "id": "11111111-2222-4444-aaaa-333333333333",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"
    ],
    "source": "aws.access-analyzer",
    "time": "2019-11-21T01:22:33Z",
    "version": "0"
}
```

IAM Access Analyzer also sends events to EventBridge for error findings. An error finding is a finding generated when IAM Access Analyzer can't analyze the resource. Events for error findings include an `error` attribute as shown in the following example.

```
{
    "account": "111122223333",
    "detail": {
        "accountId": "111122223333",
        "analyzedAt": "2019-11-21T01:22:22Z",
        "createdAt": "2019-11-20T04:58:50Z",
        "error": "ACCESS_DENIED",
        "id": "22222222-dcba-4444-dcba-333333333333",
        "isDeleted": false,
        "region": "us-west-2",
        "resource": "arn:aws:s3:::amzn-s3-demo-bucket",
        "resourceType": "AWS::S3::Bucket",
        "status": "ACTIVE",
        "updatedAt": "2019-11-21T01:14:07Z",
        "version": "1.0"
    },
    "detail-type": "Access Analyzer Finding",
    "id": "11111111-2222-4444-aaaa-333333333333",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"
    ],
    "source": "aws.access-analyzer",
    "time": "2019-11-21T01:22:33Z",
    "version": "0"
}
```

## Example internal access findings events
<a name="access-analyzer-event-example-internal-access-findings-events"></a>

The following is an example IAM Access Analyzer internal access finding event sent to EventBridge. The `id` listed is the ID for the event in EventBridge. To learn more, see [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html).

In the `detail` object, `accountId` is the account reported in the finding and `principalOwnerAccount` is the account that owns the principal granted access; in this example they are the same account. The `isDeleted` attribute indicates whether the event was from the finding being deleted. The `id` is the finding ID. The `resource` is the ARN of the resource that the principal can access, and the top-level `resources` array is a singleton with the ARN of the analyzer that generated the finding.

```
{
    "version": "0",
    "id": "b45c3678-c278-b593-6121-c155259ce1b5",
    "detail-type": "Internal Access Finding",
    "source": "aws.access-analyzer",
    "account": "111122223333",
    "time": "2025-04-08T19:42:49Z",
    "region": "us-east-1",
    "resources": [
        "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/testAnalyzer"
    ],
    "detail": {
        "accessType": "INTRA_ACCOUNT",
        "action": [
            "s3:GetObject"
        ],
        "analyzedAt": "2025-04-08T03:18:43.509465073Z", 
        "condition": {},
        "createdAt": "2025-04-07T21:33:49.914099224Z",
        "id": "11111111-2222-4444-aaaa-333333333333",
        "isDeleted": false,
        "findingType": "InternalAccess",
        "principal": {
            "AWS": "arn:aws:iam::111122223333:role/MyRole_6"
        },
        "principalOwnerAccount": "111122223333",
        "principalType": "IAM_ROLE",
        "resource": "arn:aws:s3:::critical-data",
        "resourceControlPolicyRestrictionType": "NOT_APPLICABLE",
        "accountId": "111122223333",
        "resourceType": "AWS::S3::Bucket",
        "serviceControlPolicyRestrictionType": "NOT_APPLICABLE",
        "status": "ACTIVE",
        "updatedAt": "2025-04-08T03:22:12.654688231Z",
        "version": "1.0"
    }
}
```

IAM Access Analyzer also sends events to EventBridge for error findings. An error finding is a finding generated when IAM Access Analyzer can't analyze the resource. Events for error findings include an `error` attribute, whose value is `ACCESS_DENIED` or `INTERNAL_ERROR`, as shown in the following example.

```
{
    "version": "0",
    "id": "5a94b99b-e87d-a6a7-58c7-f47871532860",
    "detail-type": "Internal Access Finding",
    "source": "aws.access-analyzer",
    "account": "444455556666",
    "time": "2025-05-07T11:57:54Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:444455556666:analyzer/example-analyzer"
    ],
    "detail": {
        "analyzedAt": "2025-03-24T19:58:52.512329448Z",
        "createdAt": "2025-03-22T03:30:46.920200692Z",
        "id": "ef573afd-12a5-4095-87a6-bf2f25109895",
        "isDeleted": false,
        "findingType": "InternalAccess",
        "resource": "arn:aws:s3:::test-entity-88",
        "accountId": "111122223333",
        "resourceControlPolicyRestrictionType": "NOT_APPLICABLE",
        "resourceType": "AWS::S3::Bucket",
        "serviceControlPolicyRestrictionType": "NOT_APPLICABLE",
        "error": "ACCESS_DENIED",
        "status": "ACTIVE",
        "updatedAt": "2025-03-24T20:09:39.176075014Z",
        "version": "1.0"
    }
}
```

## Example unused access findings related events
<a name="access-analyzer-example-unused-access-findings-related-events"></a>

The following is an example IAM Access Analyzer unused access finding event sent to EventBridge. The `id` listed is the ID for the event in EventBridge. To learn more, see [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html).

In the `detail` object, the values for the `accountId` and `region` attributes refer to the account and region reported in the finding. The `isDeleted` attribute indicates whether the event was from the finding being deleted. The `id` is the finding ID.

```
{
    "version": "0",
    "id": "dc7ce3ee-114b-3243-e249-7f10f9054b21",
    "detail-type": "Unused Access Finding for IAM entities",
    "source": "aws.access-analyzer",
    "account": "123456789012",
    "time": "2023-09-29T17:31:40Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:123456789012:analyzer/integTestLongLivingAnalyzer-DO-NOT-DELETE"
    ],
    "detail": {
        "findingId": "b8ae0460-5d29-4922-b92a-ba956c986277",
        "resource": "arn:aws:iam::111122223333:role/FindingIntegTestFakeRole",
        "resourceType": "AWS::IAM::Role",
        "accountId": "111122223333",
        "createdAt": "2023-09-29T17:29:18.758Z",
        "updatedAt": "2023-09-29T17:29:18.758Z",
        "analyzedAt": "2023-09-29T17:29:18.758Z",
        "previousStatus": "",
        "status": "ACTIVE",
        "version": "62160bda-8e94-46d6-ac97-9670930d8ffb",
        "isDeleted": false,
        "findingType": "UnusedPermission",
        "numberOfUnusedServices": 0,
        "numberOfUnusedActions": 1
    }
}
```

IAM Access Analyzer also sends events to EventBridge for error findings. An error finding is a finding generated when IAM Access Analyzer can't analyze the resource. Events for error findings include an `error` attribute as shown in the following example.

```
{
    "version": "0",
    "id": "c2e7aa1a-4df7-7652-f33e-64113b8997d4",
    "detail-type": "Unused Access Finding for IAM entities",
    "source": "aws.access-analyzer",
    "account": "111122223333",
    "time": "2023-10-31T20:26:12Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ba811f91-de99-41a4-97c0-7481898b53f2"
    ],
    "detail": {
        "findingId": "b01a34f2-e118-46c9-aef8-0d8526b495c7",
        "resource": "arn:aws:iam::123456789012:role/TestRole",
        "resourceType": "AWS::IAM::Role",
        "accountId": "444455556666",
        "createdAt": "2023-10-31T20:26:08.647Z",
        "updatedAt": "2023-10-31T20:26:09.245Z",
        "analyzedAt": "2023-10-31T20:26:08.525Z",
        "previousStatus": "",
        "status": "ACTIVE",
        "version": "7c7a72a2-7963-4c59-ac71-f0be597010f7",
        "isDeleted": false,
        "findingType": "UnusedIAMRole",
        "error": "INTERNAL_ERROR"
    }
}
```

## Example access preview events
<a name="access-analyzer-example-access-preview-events"></a>

The following example shows data for the first event that is sent to EventBridge when you create an access preview. The `resources` array is a singleton with the ARN of the analyzer that the access preview is associated with. In the `detail` object, `accessPreviewId` is the access preview ID and `configuredResources` lists the resource for which the access preview was created. The `status` is `CREATING`. There is no `previousStatus` because the access preview was just created.

```
{
    "account": "111122223333",
    "detail": {
        "accessPreviewId": "aaaabbbb-cccc-dddd-eeee-ffffaaaabbbb",
        "configuredResources": [
            "arn:aws:s3:::amzn-s3-demo-bucket"
        ],
        "createdAt": "2020-02-20T00:00:00.00Z",
        "region": "us-west-2",
        "status": "CREATING",
        "version": "1.0"
    },
    "detail-type": "Access Preview State Change",
    "id": "aaaabbbb-2222-3333-4444-555566667777",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"
    ],
    "source": "aws.access-analyzer",
    "time": "2020-02-20T00:00:00.00Z",
    "version": "0"
}
```

The following example shows data for an event that is sent to EventBridge when an access preview changes from `CREATING` to `COMPLETED`. In the `detail` object, `accessPreviewId` is the access preview ID; `previousStatus` is `CREATING` and `status` is `COMPLETED`.

```
{
    "account": "111122223333",
    "detail": {
        "accessPreviewId": "aaaabbbb-cccc-dddd-eeee-ffffaaaabbbb",
        "configuredResources": [
            "arn:aws:s3:::amzn-s3-demo-bucket"
        ],
        "createdAt": "2020-02-20T00:00:00.000Z",
        "previousStatus": "CREATING",
        "region": "us-west-2",
        "status": "COMPLETED",
        "version": "1.0"
    },
    "detail-type": "Access Preview State Change",
    "id": "11112222-3333-4444-5555-666677778888",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"
    ],
    "source": "aws.access-analyzer",
    "time": "2020-02-20T00:00:00.00Z",
    "version": "0"
}
```

The following example shows data for an event that is sent to EventBridge when an access preview changes from `CREATING` to `FAILED`. In the `detail` object, `accessPreviewId` is the access preview ID; `previousStatus` is `CREATING` and `status` is `FAILED`. The `statusReason` field carries the reason code; here, `INVALID_CONFIGURATION` indicates that the access preview failed because of an invalid resource configuration.

```
{
    "account": "111122223333",
    "detail": {
        "accessPreviewId": "aaaabbbb-cccc-dddd-eeee-ffffaaaabbbb",
        "configuredResources": [
            "arn:aws:s3:::amzn-s3-demo-bucket"
        ],
        "createdAt": "2020-02-20T00:00:00.00Z",
        "previousStatus": "CREATING",
        "region": "us-west-2",
        "status": "FAILED",
        "statusReason": {
            "code": "INVALID_CONFIGURATION"
        },
        "version": "1.0"
    },
    "detail-type": "Access Preview State Change",
    "id": "99998888-7777-6666-5555-444433332222",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"
    ],
    "source": "aws.access-analyzer",
    "time": "2020-02-20T00:00:00.00Z",
    "version": "0"
}
```

## Creating an event rule using the console
<a name="access-analyzer-create-rule"></a>

The following procedure describes how to create an event rule using the console.

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. Using the following values, create an EventBridge rule that monitors finding events or access preview events:
   + For **Rule type**, choose **Rule with an event pattern**.
   + For **Event source**, choose **Other**.
   + For **Event pattern**, choose **Custom patterns (JSON editor)**, and paste one of the following event pattern examples into the text area:
     + To create a rule based on any IAM Access Analyzer event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ]
       }
       ```
     + To create a rule based on an external access, internal access, or unused access findings event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ],
         "detail-type": [
           "Access Analyzer Finding",
           "Internal Access Finding",
           "Unused Access Finding for IAM entities"
         ]
       }
       ```
     + To create a rule based only on an external access findings event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ],
         "detail-type": [
           "Access Analyzer Finding"
         ]
       }
       ```
     + To create a rule based only on an internal access findings event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ],
         "detail-type": [
           "Internal Access Finding"
         ]
       }
       ```
     + To create a rule based only on an unused access findings event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ],
         "detail-type": [
           "Unused Access Finding for IAM entities"
         ]
       }
       ```
     + To create a rule based on an access preview event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ],
         "detail-type": [
           "Access Preview State Change"
         ]
       }
       ```
   + For **Target types**, choose **AWS service**, and for **Select a target**, choose a target such as an Amazon SNS topic or AWS Lambda function. The target is triggered when an event is received that matches the event pattern defined in the rule.

   To learn more about creating rules, see [Creating Amazon EventBridge rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html) in the *Amazon EventBridge User Guide*.

## Creating an event rule using the CLI
<a name="access-analyzer-create-rule-cli"></a>

1. Use the following to create a rule for Amazon EventBridge using the AWS CLI. Replace the rule name *TestRule* with the name for your rule.

   ```
   aws events put-rule --name TestRule --event-pattern "{\"source\":[\"aws.access-analyzer\"]}"
   ```

1. You can customize the rule to trigger target actions only for a subset of generated findings, such as findings with specific attributes. The following example demonstrates how to create a rule that triggers a target action only for external access findings with a status of `ACTIVE`.

   ```
   aws events put-rule --name TestRule --event-pattern "{\"source\":[\"aws.access-analyzer\"],\"detail-type\":[\"Access Analyzer Finding\"],\"detail\":{\"status\":[\"ACTIVE\"]}}"
   ```

   The following example demonstrates how to create a rule that triggers a target action only for access previews whose status has changed to `COMPLETED`.

   ```
   aws events put-rule --name TestRule --event-pattern "{\"source\":[\"aws.access-analyzer\"],\"detail-type\":[\"Access Preview State Change\"],\"detail\":{\"status\":[\"COMPLETED\"]}}"
   ```

1. To define a Lambda function as a target for the rule you created, use the following example command. Replace the Region and the function name in the ARN as appropriate for your environment.

   ```
   aws events put-targets --rule TestRule --targets Id=1,Arn=arn:aws:lambda:us-east-1:111122223333:function:MyFunction
   ```

1. Add the permission that EventBridge needs to invoke the rule target. The following example grants the `events.amazonaws.com` service principal permission to invoke the Lambda function from the preceding examples, and uses `--source-arn` to scope that permission to the rule you created, so that no other rule (including one in another account) can invoke the function through this statement. Replace the Region and account ID as appropriate for your environment.

   ```
   aws lambda add-permission --function-name MyFunction --statement-id 1 --action 'lambda:InvokeFunction' --principal events.amazonaws.com --source-arn arn:aws:events:us-east-1:111122223333:rule/TestRule
   ```
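Before wiring a pattern to an SNS topic or Lambda function, it helps to confirm which of the sample events on this page each pattern would actually match, especially once you filter on `detail` fields. The following Python is an added example, not code from the AWS documentation or from EventBridge: it implements the subset of EventBridge pattern semantics that the console and CLI patterns above rely on (every pattern key must exist in the event, a list of literals matches when the event value, or any element of an array-valued field, is exactly equal to one of them, and nested objects are matched recursively) and runs the patterns from both procedures over constructed, abbreviated events shaped like the examples shown earlier. The `active-public-external` rule is an assumption added to show a typical triage filter; it is not one of the page's patterns.

```python
"""Match IAM Access Analyzer events against EventBridge rule patterns offline.

Added example, not code from the AWS documentation or from EventBridge. The
events are constructed, abbreviated samples with only the fields the patterns use.
"""
from __future__ import annotations

from typing import Any

# Rule patterns from the console and CLI procedures above, plus one assumed triage rule.
RULES: dict[str, dict[str, Any]] = {
    "any-access-analyzer": {"source": ["aws.access-analyzer"]},
    "all-findings": {
        "source": ["aws.access-analyzer"],
        "detail-type": ["Access Analyzer Finding", "Internal Access Finding",
                        "Unused Access Finding for IAM entities"],
    },
    "active-external": {
        "source": ["aws.access-analyzer"],
        "detail-type": ["Access Analyzer Finding"],
        "detail": {"status": ["ACTIVE"]},
    },
    "preview-completed": {
        "source": ["aws.access-analyzer"],
        "detail-type": ["Access Preview State Change"],
        "detail": {"status": ["COMPLETED"]},
    },
    # Assumption: a triage rule a practitioner might add. It fires only on live,
    # public, external findings and ignores deletion events (isDeleted true).
    "active-public-external": {
        "source": ["aws.access-analyzer"],
        "detail-type": ["Access Analyzer Finding"],
        "detail": {"status": ["ACTIVE"], "isPublic": [True], "isDeleted": [False]},
    },
}

EXTERNAL_FINDING = {
    "source": "aws.access-analyzer", "detail-type": "Access Analyzer Finding",
    "detail": {"status": "ACTIVE", "isPublic": False, "isDeleted": False,
               "action": ["s3:GetObject"], "principal": {"AWS": "999988887777"}},
}
PUBLIC_FINDING = {
    "source": "aws.access-analyzer", "detail-type": "Access Analyzer Finding",
    "detail": {"status": "ACTIVE", "isPublic": True, "isDeleted": False,
               "action": ["s3:GetObject", "s3:ListBucket"], "principal": {"AWS": "*"}},
}
# A resolved finding deleted after its retention period: status unchanged, isDeleted set.
DELETED_FINDING = {
    "source": "aws.access-analyzer", "detail-type": "Access Analyzer Finding",
    "detail": {"status": "RESOLVED", "isPublic": False, "isDeleted": True},
}
UNUSED_FINDING = {
    "source": "aws.access-analyzer", "detail-type": "Unused Access Finding for IAM entities",
    "detail": {"status": "ACTIVE", "isDeleted": False, "findingType": "UnusedPermission"},
}
PREVIEW_EVENT = {
    "source": "aws.access-analyzer", "detail-type": "Access Preview State Change",
    "detail": {"status": "COMPLETED", "previousStatus": "CREATING"},
}
OTHER_SERVICE = {
    "source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
    "detail": {"state": "running"},
}


def _literal_match(actual: Any, allowed: list[Any]) -> bool:
    # EventBridge compares literals exactly, including type: the string "true"
    # does not match the boolean true, so isPublic must be matched with [True].
    return any(type(actual) is type(value) and actual == value for value in allowed)


def matches(event: dict[str, Any], pattern: dict[str, Any]) -> bool:
    """True when every key in `pattern` is satisfied by `event` (keys are ANDed)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(actual, expected):
                return False
        else:
            # An array-valued event field matches if any of its elements matches.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(_literal_match(c, expected) for c in candidates):
                return False
    return True


def matching_rules(event: dict[str, Any], rules: dict[str, dict[str, Any]] = RULES) -> list[str]:
    """Names of the rules whose pattern the event matches, in definition order."""
    return [name for name, pattern in rules.items() if matches(event, pattern)]


if __name__ == "__main__":
    for name, event in [("external", EXTERNAL_FINDING), ("public", PUBLIC_FINDING),
                        ("deleted", DELETED_FINDING), ("unused", UNUSED_FINDING),
                        ("preview", PREVIEW_EVENT), ("ec2", OTHER_SERVICE)]:
        print(f"{name:>8}: {matching_rules(event)}")
```

Two points this makes concrete: a rule on `detail.status` alone still fires for deletion events (the status is preserved and only `isDeleted` flips, as described under event notification frequency), so an alerting rule should also match `"isDeleted": [false]`; and boolean fields such as `isPublic` must be matched with JSON booleans, not the strings `"true"` and `"false"` that the archive rule filter uses.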

# Integrate IAM Access Analyzer with AWS Security Hub CSPM
<a name="access-analyzer-securityhub-integration"></a>

[AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state across AWS. It helps you assess your environment against security industry standards and best practices. Security Hub CSPM collects security data from across AWS accounts, services, and supported third-party partner products. It then analyzes your security trends and identifies the highest priority security issues.

When you integrate IAM Access Analyzer with Security Hub CSPM, you can send findings from IAM Access Analyzer to Security Hub CSPM. Security Hub CSPM can then include those findings in its analysis of your overall security posture.

**Contents**
+ [How IAM Access Analyzer sends findings to Security Hub CSPM](#access-analyzer-securityhub-integration-sending-findings)
  + [Types of findings that IAM Access Analyzer sends](#access-analyzer-securityhub-integration-finding-types)
  + [Latency for sending findings](#access-analyzer-securityhub-integration-finding-latency)
  + [Retrying when Security Hub CSPM is not available](#access-analyzer-securityhub-integration-retry-send)
  + [Updating existing findings in Security Hub CSPM](#access-analyzer-securityhub-integration-finding-updates)
+ [Viewing IAM Access Analyzer findings in Security Hub CSPM](#access-analyzer-securityhub-integration-viewing-findings)
  + [Interpreting IAM Access Analyzer finding names in Security Hub CSPM](#access-analyzer-securityhub-integration-intrepreting-finding-names)
+ [Typical findings from IAM Access Analyzer](#access-analyzer-securityhub-integration-finding-example)
+ [Enabling and configuring the integration](#access-analyzer-securityhub-integration-enable)
+ [How to stop sending findings](#access-analyzer-securityhub-integration-disable)

## How IAM Access Analyzer sends findings to Security Hub CSPM
<a name="access-analyzer-securityhub-integration-sending-findings"></a>

In Security Hub CSPM, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by third-party partners. Security Hub CSPM also has a set of rules that it uses to detect security issues and generate findings.

Security Hub CSPM provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view detailed information about each finding. For more information, see [Viewing findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-viewing.html) in the *AWS Security Hub User Guide*. You can also track the status of investigations into findings. For more information, see [Taking action on findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-taking-action.html) in the *AWS Security Hub User Guide*.

All findings in Security Hub CSPM use a standard JSON format called the AWS Security Finding Format (ASFF). The ASFF includes details about the source of the issue, the affected resources, and the current status of the finding. For more information, see [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) in the *AWS Security Hub User Guide*.

AWS Identity and Access Management Access Analyzer is one of the AWS services that sends findings to Security Hub CSPM. For unused access, IAM Access Analyzer detects unused access granted to IAM users or roles and generates a finding for each of them. IAM Access Analyzer then sends these findings to Security Hub CSPM.

For external access, IAM Access Analyzer detects policy statements that allow public access or cross-account access to external principals on [supported resources](access-analyzer-resources.md) in your organization or account. IAM Access Analyzer generates a finding for public access and sends it to Security Hub CSPM. For cross-account access, IAM Access Analyzer sends a single finding for one external principal at a time to Security Hub CSPM. If there are multiple cross-account findings in IAM Access Analyzer, you must resolve the Security Hub CSPM finding for the single external principal before IAM Access Analyzer provides the next cross-account finding. For a full list of external principals with cross-account access outside the zone of trust for the analyzer, you must view the findings in IAM Access Analyzer. Details about the resource control policy (RCP) are available in the resource detail section.

### Types of findings that IAM Access Analyzer sends
<a name="access-analyzer-securityhub-integration-finding-types"></a>

IAM Access Analyzer sends the findings to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html). In ASFF, the `Types` field provides the finding type. Findings from IAM Access Analyzer can have the following values for `Types`.
+ External access findings – Effects/Data Exposure/External Access Granted
+ External access findings – Software and Configuration Checks/AWS Security Best Practices/External Access Granted
+ Unused access findings – Software and Configuration Checks/AWS Security Best Practices/Unused Permission
+ Unused access findings – Software and Configuration Checks/AWS Security Best Practices/Unused IAM Role
+ Unused access findings – Software and Configuration Checks/AWS Security Best Practices/Unused IAM User Password
+ Unused access findings – Software and Configuration Checks/AWS Security Best Practices/Unused IAM User Access Key

### Latency for sending findings
<a name="access-analyzer-securityhub-integration-finding-latency"></a>

When IAM Access Analyzer creates a new finding, it is usually sent to Security Hub CSPM within 30 minutes. However, there are rare cases when IAM Access Analyzer may not be notified about a policy change. For example:
+ Changes to Amazon S3 account-level block public access settings can take up to 12 hours to be reflected in IAM Access Analyzer.
+ Changes to a resource control policy (RCP) without a change to the resource-based policy do not trigger a rescan of the resource reported in the finding. IAM Access Analyzer analyzes the new or updated policy during the next periodic scan, which is within 24 hours.
+ If there is a delivery issue with AWS CloudTrail log delivery, a policy change may not trigger a rescan of the resource that was reported in the finding.

In these situations, IAM Access Analyzer analyzes the new or updated policy during the next periodic scan.

### Retrying when Security Hub CSPM is not available
<a name="access-analyzer-securityhub-integration-retry-send"></a>

If Security Hub CSPM is not available, IAM Access Analyzer retries sending the findings on a periodic basis.

### Updating existing findings in Security Hub CSPM
<a name="access-analyzer-securityhub-integration-finding-updates"></a>

After sending a finding to Security Hub CSPM, IAM Access Analyzer continues to send updates to reflect any additional observations of the finding activity to Security Hub CSPM. These updates are reflected within the same finding.

IAM Access Analyzer groups external access findings per resource. In Security Hub CSPM, the finding for a resource remains active as long as at least one IAM Access Analyzer finding for that resource is active. If all of the IAM Access Analyzer findings for a resource are archived or resolved, the Security Hub CSPM finding is also archived. The Security Hub CSPM finding is updated when the access granted by the policy changes between public and cross-account access. This update can include changes to the type, title, description, and severity of the finding.

For unused access findings, IAM Access Analyzer does not group them by resource. Instead, if an unused access finding is resolved in IAM Access Analyzer, then the corresponding Security Hub CSPM finding is also resolved. The Security Hub CSPM finding is updated when you update the IAM user or role that generated the unused access finding.

## Viewing IAM Access Analyzer findings in Security Hub CSPM
<a name="access-analyzer-securityhub-integration-viewing-findings"></a>

To view your IAM Access Analyzer findings in Security Hub CSPM, choose **See findings** in the **AWS: IAM Access Analyzer** section of the summary page. Alternatively, you can choose **Findings** from the navigation panel. You can then filter the findings to display only AWS Identity and Access Management Access Analyzer findings by choosing the **Product name:** field with a value of **IAM Access Analyzer**.

### Interpreting IAM Access Analyzer finding names in Security Hub CSPM
<a name="access-analyzer-securityhub-integration-intrepreting-finding-names"></a>

AWS Identity and Access Management Access Analyzer sends the findings to Security Hub CSPM using the AWS Security Finding Format (ASFF). In ASFF, the **Types** field provides the finding type. ASFF types use a different naming scheme than AWS Identity and Access Management Access Analyzer. The following table includes details about all of the ASFF types associated with AWS Identity and Access Management Access Analyzer findings as they appear in Security Hub CSPM.



| ASFF finding type | Security Hub CSPM finding title | Description | 
| --- | --- | --- | 
| Effects/Data Exposure/External Access Granted | <resource ARN> allows public access | A resource-based policy attached to the resource allows public access on the resource to all external principals. | 
| Software and Configuration Checks/AWS Security Best Practices/External Access Granted | <resource ARN> allows cross-account access | A resource-based policy attached to the resource allows cross-account access to external principals outside the zone of trust for the analyzer. | 
| Software and Configuration Checks/AWS Security Best Practices/Unused Permission | <resource ARN> contains unused permissions | The reported IAM user or role has service-level and action-level permissions that it has not used. | 
| Software and Configuration Checks/AWS Security Best Practices/Unused IAM Role | <resource ARN> contains unused IAM role | The reported IAM role has not been used. | 
| Software and Configuration Checks/AWS Security Best Practices/Unused IAM User Password | <resource ARN> contains unused IAM user password | The reported IAM user has a console password that has not been used. | 
| Software and Configuration Checks/AWS Security Best Practices/Unused IAM User Access Key | <resource ARN> contains unused IAM user access key | The reported IAM user has an access key that has not been used. | 

## Typical findings from IAM Access Analyzer
<a name="access-analyzer-securityhub-integration-finding-example"></a>

IAM Access Analyzer sends findings to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html).

Here is an example of a typical finding from IAM Access Analyzer for external access findings.

```
{
    "SchemaVersion": "2018-10-08",
    "Id": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/my-analyzer/arn:aws:s3:::amzn-s3-demo-bucket",
    "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/access-analyzer",
    "GeneratorId": "aws/access-analyzer",
    "AwsAccountId": "111122223333",
    "Types": ["Software and Configuration Checks/AWS Security Best Practices/External Access Granted"],
    "CreatedAt": "2020-11-10T16:17:47Z",
    "UpdatedAt": "2020-11-10T16:43:49Z",
    "Severity": {
        "Product": 1,
        "Label": "LOW",
        "Normalized": 1
    },
    "Title": "AwsS3Bucket/arn:aws:s3:::amzn-s3-demo-bucket/ allows cross-account access",
    "Description": "AWS::S3::Bucket/arn:aws:s3:::amzn-s3-demo-bucket/ allows cross-account access from AWS 444455556666",
    "Remediation": {
        "Recommendation": {"Text": "If the access isn't intended, it indicates a potential security risk. Use the console for the resource to modify or remove the policy that grants the unintended access. You can use the Rescan button on the Finding details page in the Access Analyzer console to confirm whether the change removed the access. If the access is removed, the status changes to Resolved."}
    },
    "SourceUrl": "https://console.aws.amazon.com/access-analyzer/home?region=us-west-2#/findings/details/dad90d5d-63b4-6575-b0fa-ef9c556ge798",
    "Resources": [
        {
            "Type": "AwsS3Bucket",
            "Id": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Details": {
                "Other": {
                    "External Principal Type": "AWS",
                    "Condition": "none",
                    "Action Granted": "s3:GetObject,s3:GetObjectVersion",
                    "External Principal": "444455556666"
                }
            }
        }
    ],
    "WorkflowState": "NEW",
    "Workflow": {"Status": "NEW"},
    "RecordState": "ACTIVE"
}
```

Here is an example of a typical finding from IAM Access Analyzer for unused access findings.

```
{
  "Findings": [
    {
      "SchemaVersion": "2018-10-08",
      "Id": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/my-analyzer/arn:aws:iam::111122223333:role/TestRole/UnusedPermissions",
      "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/access-analyzer",
      "ProductName": "IAM Access Analyzer",
      "CompanyName": "AWS",
      "Region": "us-west-2",
      "GeneratorId": "aws/access-analyzer",
      "AwsAccountId": "111122223333",
      "Types": [
        "Software and Configuration Checks/AWS Security Best Practices/Unused Permission"
      ],
      "CreatedAt": "2023-09-18T16:29:09.657Z",
      "UpdatedAt": "2023-09-21T20:39:16.651Z",
      "Severity": {
        "Product": 1,
        "Label": "LOW",
        "Normalized": 1
      },
      "Title": "AwsIamRole/arn:aws:iam::111122223333:role/TestRole/ contains unused permissions",
      "Description": "AWS::IAM::Role/arn:aws:iam::111122223333:role/TestRole/ contains unused service and action-level permissions",
      "Remediation": {
        "Recommendation": {
          "Text": "If the unused permissions aren't required, delete the permissions to refine access to your account. Use the IAM console to modify or remove the policy that grants the unused permissions. If all the unused permissions are removed, the status of the finding changes to Resolved."
        }
      },
      "SourceUrl": "https://us-west-2.console.aws.amazon.com/access-analyzer/home?region=us-west-2#/unused-access-findings?resource=arn%3Aaws%3Aiam%3A%3A111122223333%3Arole%2FTestRole",
      "ProductFields": {
        "numberOfUnusedActions": "256",
        "numberOfUnusedServices": "15",
        "resourceOwnerAccount": "111122223333",
        "findingId": "DEMO24d8d-0d3f-4d3d-99f4-299fc8a62ee7",
        "findingType": "UnusedPermission",
        "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/access-analyzer/arn:aws:access-analyzer:us-west-2:111122223333:analyzer/my-analyzer/arn:aws:iam::111122223333:role/TestRole/UnusedPermissions",
        "aws/securityhub/ProductName": "IAM Access Analyzer",
        "aws/securityhub/CompanyName": "AWS"
      },
      "Resources": [
        {
          "Type": "AwsIamRole",
          "Id": "arn:aws:iam::111122223333:role/TestRole"
        }
      ],
      "WorkflowState": "NEW",
      "Workflow": {
        "Status": "NEW"
      },
      "RecordState": "ARCHIVED",
      "FindingProviderFields": {
        "Severity": {
          "Label": "LOW"
        },
        "Types": [
          "Software and Configuration Checks/AWS Security Best Practices/Unused Permission"
        ]
      }
    }
  ]
}
```
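The following is an added example, not code from the AWS documentation, showing how a practitioner would triage IAM Access Analyzer findings once they are in Security Hub CSPM: it maps the ASFF `Types` values listed above to public, cross-account and unused categories, pulls the external principal and granted actions out of `Resources[].Details.Other`, skips findings whose `RecordState` is no longer `ACTIVE`, and builds the `Filters` argument for a `securityhub.get_findings()` call. The sample findings are constructed from the two examples above (the public-access one is made up for this example and deliberately carries no `Details`); no AWS API is called.

```python
"""Triage IAM Access Analyzer findings in ASFF form (added example, not AWS code)."""
from collections import defaultdict

# ASFF Types values documented for IAM Access Analyzer findings.
EXTERNAL_PUBLIC = "Effects/Data Exposure/External Access Granted"
EXTERNAL_CROSS_ACCOUNT = "Software and Configuration Checks/AWS Security Best Practices/External Access Granted"
UNUSED_PREFIX = "Software and Configuration Checks/AWS Security Best Practices/Unused "

# Constructed sample input, trimmed from the example findings on this page.
SAMPLE_FINDINGS = [
    {   # cross-account S3 finding (from the first example above)
        "Id": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/my-analyzer/arn:aws:s3:::amzn-s3-demo-bucket",
        "Types": [EXTERNAL_CROSS_ACCOUNT],
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
        "Resources": [{
            "Type": "AwsS3Bucket",
            "Id": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Details": {"Other": {
                "External Principal Type": "AWS",
                "Condition": "none",
                "Action Granted": "s3:GetObject,s3:GetObjectVersion",
                "External Principal": "444455556666",
            }},
        }],
    },
    {   # unused-permission finding already archived by Access Analyzer
        "Id": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/my-analyzer/arn:aws:iam::111122223333:role/TestRole/UnusedPermissions",
        "Types": [UNUSED_PREFIX + "Permission"],
        "RecordState": "ARCHIVED",
        "Workflow": {"Status": "NEW"},
        "ProductFields": {"numberOfUnusedActions": "256", "numberOfUnusedServices": "15"},
        "Resources": [{"Type": "AwsIamRole", "Id": "arn:aws:iam::111122223333:role/TestRole"}],
    },
    {   # constructed public-access finding; the page shows no such example
        "Id": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/my-analyzer/arn:aws:sqs:us-west-2:111122223333:demo-queue",
        "Types": [EXTERNAL_PUBLIC],
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
        "Resources": [{"Type": "AwsSqsQueue", "Id": "arn:aws:sqs:us-west-2:111122223333:demo-queue"}],
    },
]


def classify(finding):
    """Map the finding's ASFF Types value to public, cross-account or unused."""
    types = finding.get("Types", [])
    if EXTERNAL_PUBLIC in types:
        return "public"
    if EXTERNAL_CROSS_ACCOUNT in types:
        return "cross-account"
    if any(t.startswith(UNUSED_PREFIX) for t in types):
        return "unused"
    return "unknown"


def external_principal(finding):
    """Return (principal type, principal, [actions]) from Resources[].Details.Other,
    or None when the finding carries no principal details (e.g. public access)."""
    for res in finding.get("Resources", []):
        other = res.get("Details", {}).get("Other", {})
        if "External Principal" in other:
            actions = [a for a in other.get("Action Granted", "").split(",") if a]
            return other.get("External Principal Type"), other["External Principal"], actions
    return None


def securityhub_filter(record_state="ACTIVE"):
    """Filters for boto3 securityhub.get_findings(Filters=...) limited to this product.
    Usage (not executed here): boto3.client("securityhub").get_findings(Filters=securityhub_filter())"""
    return {
        "ProductName": [{"Value": "IAM Access Analyzer", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": record_state, "Comparison": "EQUALS"}],
    }


def triage(findings):
    """Group still-active findings by category. Security Hub carries only one
    cross-account principal per resource at a time, so the cross-account
    bucket is a lower bound; the full list lives in IAM Access Analyzer."""
    buckets = defaultdict(list)
    for f in findings:
        if f.get("RecordState") != "ACTIVE":
            continue  # archived or resolved upstream; nothing left to act on
        buckets[classify(f)].append({
            "resource": f["Resources"][0]["Id"],
            "principal": external_principal(f),
        })
    return dict(buckets)


if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_FINDINGS).items():
        print(kind, entries)
```

Public findings come first in any runbook: they have no principal to reconcile against an allow-list, whereas a cross-account entry can be checked against the account IDs you expect.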

## Enabling and configuring the integration
<a name="access-analyzer-securityhub-integration-enable"></a>

To use the integration with Security Hub CSPM, you must enable Security Hub CSPM. For information on how to enable Security Hub CSPM, see [Setting up Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the *AWS Security Hub User Guide*.

When you enable both IAM Access Analyzer and Security Hub CSPM, the integration is enabled automatically. IAM Access Analyzer immediately begins to send findings to Security Hub CSPM.

## How to stop sending findings
<a name="access-analyzer-securityhub-integration-disable"></a>

To stop sending findings to Security Hub CSPM, you can use either the Security Hub CSPM console or the API.

See [Disabling and enabling the flow of findings from an integration (console)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integration-findings-flow-console) or [Disabling the flow of findings from an integration (Security Hub API, AWS CLI)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integration-findings-flow-disable-api) in the *AWS Security Hub User Guide*.

# Logging IAM Access Analyzer API calls with AWS CloudTrail
<a name="logging-using-cloudtrail"></a>

IAM Access Analyzer is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in IAM Access Analyzer. CloudTrail captures all API calls for IAM Access Analyzer as events. The calls captured include calls from the IAM Access Analyzer console and code calls to the IAM Access Analyzer API operations. 

If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for IAM Access Analyzer. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. 

Using the information collected by CloudTrail, you can determine the request that was made to IAM Access Analyzer, the IP address from which the request was made, who made the request, when it was made, and additional details. 

To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

## IAM Access Analyzer information in CloudTrail
<a name="service-name-info-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in IAM Access Analyzer, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). 

For an ongoing record of events in your AWS account, including events for IAM Access Analyzer, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following: 
+ [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail Log Files from Multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail Log Files from Multiple Accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

All IAM Access Analyzer actions are logged by CloudTrail and are documented in the [IAM Access Analyzer API Reference](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/). For example, calls to the `CreateAnalyzer`, `CreateArchiveRule` and `ListFindings` actions generate entries in the CloudTrail log files.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following: 
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

## Understanding IAM Access Analyzer log file entries
<a name="understanding-service-name-entries"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order. 

The following example shows a CloudTrail log entry for the `CreateAnalyzer` operation, made on June 14, 2021 by an assumed-role session named `Alice-tempcreds`. The role session was issued by the role named `admin-tempcreds`.

```
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIBKEVSQ6C2EXAMPLE:Alice-tempcreds",
    "arn": "arn:aws:sts::111122223333:assumed-role/admin-tempcreds/Alice-tempcreds",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "true",
        "creationDate": "2021-06-14T22:54:20Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIBKEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/admin-tempcreds",
        "accountId": "111122223333",
        "userName": "admin-tempcreds"
      },
      "webIdFederationData": {}
    }
  },
  "eventTime": "2021-06-14T22:57:36Z",
  "eventSource": "access-analyzer.amazonaws.com",
  "eventName": "CreateAnalyzer",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "198.51.100.179",
  "userAgent": "aws-sdk-java/1.12.79 Linux/5.4.141-78.230 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard",
  "requestParameters": {
    "analyzerName": "test",
    "type": "ACCOUNT",
    "clientToken": "11111111-abcd-2222-abcd-222222222222",
    "tags": {
      "tagkey1": "tagvalue1"
    }
  },
  "responseElements": {
    "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/test"
  },
  "requestID": "22222222-dcba-4444-dcba-333333333333",
  "eventID": "33333333-bcde-5555-bcde-444444444444",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
```
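As an added example (not part of the AWS documentation), the detection logic below runs over CloudTrail log-file records of the shape shown above. It keeps only `access-analyzer.amazonaws.com` events, ignores read-only calls, and flags two things a defender cares about: write calls from a session whose `mfaAuthenticated` attribute is not `"true"`, and calls that change what the analyzer reports (`CreateArchiveRule`, `UpdateArchiveRule`, `ApplyArchiveRule`, `UpdateFindings`, `DeleteAnalyzer`, all documented in the IAM Access Analyzer API Reference), since archiving findings or deleting the analyzer is how an attacker would hide an exposed resource. The log file is constructed: the first record mirrors the `CreateAnalyzer` entry above, the other two are made up for this example.

```python
"""Detection over CloudTrail records for IAM Access Analyzer API calls (added example)."""
import json

ACCESS_ANALYZER_SOURCE = "access-analyzer.amazonaws.com"

# API actions that suppress or remove findings; treat any of them as worth review.
SUPPRESSING_ACTIONS = {
    "CreateArchiveRule", "UpdateArchiveRule", "ApplyArchiveRule",
    "UpdateFindings", "DeleteAnalyzer",
}

# Constructed CloudTrail log file ("Records" array) with three events.
SAMPLE_LOG = json.dumps({"Records": [
    {   # mirrors the CreateAnalyzer entry above: MFA session, not a suppressing action
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/admin-tempcreds/Alice-tempcreds",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                              "creationDate": "2021-06-14T22:54:20Z"}},
        },
        "eventTime": "2021-06-14T22:57:36Z",
        "eventSource": ACCESS_ANALYZER_SOURCE,
        "eventName": "CreateAnalyzer",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "198.51.100.179",
        "requestParameters": {"analyzerName": "test", "type": "ACCOUNT"},
        "readOnly": False,
    },
    {   # constructed: an archive rule created from a session without MFA
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false",
                                              "creationDate": "2021-06-15T01:02:03Z"}},
        },
        "eventTime": "2021-06-15T01:05:00Z",
        "eventSource": ACCESS_ANALYZER_SOURCE,
        "eventName": "CreateArchiveRule",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "203.0.113.9",
        "requestParameters": {"analyzerName": "test", "ruleName": "hide-s3",
                              "filter": {"resourceType": {"eq": ["AWS::S3::Bucket"]}}},
        "readOnly": False,
    },
    {   # constructed: a read-only call that must not be flagged
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/auditor"},
        "eventTime": "2021-06-15T02:00:00Z",
        "eventSource": ACCESS_ANALYZER_SOURCE,
        "eventName": "ListFindings",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "198.51.100.20",
        "readOnly": True,
    },
]})


def mfa_authenticated(record):
    """True only when the session attributes say so; IAM-user calls without a
    sessionContext, and roles assumed without MFA, both count as non-MFA."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def analyze_records(records):
    """Return one alert dict per suspicious Access Analyzer write call."""
    alerts = []
    for r in records:
        if r.get("eventSource") != ACCESS_ANALYZER_SOURCE:
            continue
        if r.get("readOnly") is True:   # a missing readOnly flag is treated as a write
            continue
        reasons = []
        if r.get("eventName") in SUPPRESSING_ACTIONS:
            reasons.append("finding-suppressing action")
        if not mfa_authenticated(r):
            reasons.append("write call without MFA")
        if reasons:
            alerts.append({
                "time": r.get("eventTime"),
                "actor": r.get("userIdentity", {}).get("arn"),
                "action": r.get("eventName"),
                "source_ip": r.get("sourceIPAddress"),
                "params": r.get("requestParameters", {}),
                "reasons": reasons,
            })
    return alerts


def analyze_log_file(text):
    """Parse a CloudTrail log file (JSON with a top-level Records array) and analyze it."""
    return analyze_records(json.loads(text)["Records"])


if __name__ == "__main__":
    for alert in analyze_log_file(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

The `requestParameters` of a flagged `CreateArchiveRule` are kept in the alert on purpose: the rule's `filter` tells you exactly which findings will be silently archived from then on, which is the first thing to check before deciding whether the change was legitimate.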

# IAM Access Analyzer filter keys
<a name="access-analyzer-reference-filter-keys"></a>

You can use the filter keys below to define an archive rule ([CreateArchiveRule](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateArchiveRule.html)), update an archive rule ([UpdateArchiveRule](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_UpdateArchiveRule.html)), retrieve a list of findings ([ListFindings](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindings.html) and [ListFindingsV2](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindingsV2.html)), or retrieve a list of access preview findings for a resource ([ListAccessPreviewFindings](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAccessPreviewFindings.html)). There is no difference between using the IAM Access Analyzer API and CloudFormation for configuring archive rules.


| **Criterion** | **AWS Management Console field** | **Description** | **Type** | **Archive rule** | **List findings** | **List access preview findings** | **Supported analyzer types** | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
| resource | Resource | The ARN uniquely identifying the resource that the external principal has access to. To learn more, see [Amazon resource names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). | String | Yes | Yes | Yes | External, Internal, Unused | 
| resourceType (`AWS::S3::Bucket`, `AWS::IAM::Role`, `AWS::SQS::Queue`, `AWS::Lambda::Function`, `AWS::Lambda::LayerVersion`, `AWS::KMS::Key`, `AWS::SecretsManager::Secret`, `AWS::EFS::FileSystem`, `AWS::EC2::Snapshot`, `AWS::ECR::Repository`, `AWS::RDS::DBSnapshot`, `AWS::RDS::DBClusterSnapshot`, `AWS::SNS::Topic`, `AWS::S3Express::DirectoryBucket`, `AWS::DynamoDB::Table`, `AWS::DynamoDB::Stream`, `AWS::IAM::User`) | Resource Type | The type of resource that the external principal has access to. Internal access analyzers don't support all resource types that external access analyzers support. Unused access analyzers only support IAM users and roles. For more information, see [IAM Access Analyzer supported resource types for external and internal access](access-analyzer-resources.md). | String | Yes | Yes | Yes | External, Internal, Unused | 
| resourceOwnerAccount | Resource Owner Account | The 12-digit AWS account ID that owns the resource. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String | Yes | Yes | Yes | External, Internal, Unused | 
| isPublic | Public access | Indicates whether the finding reports a resource that has a policy that allows public access. | Boolean | Yes | Yes | Yes | External | 
| findingType (`ExternalAccess`, `UnusedIAMRole`, `UnusedIAMUserAccessKey`, `UnusedIAMUserPassword`, `UnusedPermission`, `InternalAccess`) | Findings type | The type of the finding. For external access analyzers, the type is ExternalAccess. For unused access analyzers, the type can be UnusedIAMRole, UnusedIAMUserAccessKey, UnusedIAMUserPassword, or UnusedPermission. For internal access analyzers, the type is InternalAccess. | String | Yes | Yes | Yes | External, Internal, Unused | 
| resourceControlPolicyRestriction (`APPLIED`, `APPLICABLE`, `FAILED_TO_EVALUATE_RCP`, `NOT_APPLICABLE`) | Resource control policy (RCP) restriction | The type of restriction applied by the resource owner with an Organizations resource control policy (RCP). For more information about the values for this filter key, see [ExternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ExternalAccessDetails.html) and [InternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessDetails.html) in the IAM Access Analyzer API Reference. | String | Yes | Yes | Yes | External, Internal | 
| serviceControlPolicyRestriction (`APPLIED`, `APPLICABLE`, `FAILED_TO_EVALUATE_SCP`, `NOT_APPLICABLE`) | Service control policy (SCP) restriction | The type of restriction applied by an Organizations service control policy (SCP). For more information about the values for this filter key, see [InternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessDetails.html) in the IAM Access Analyzer API Reference. | String | Yes | Yes | Yes | Internal | 
| status (`ACTIVE`, `ARCHIVED`, `RESOLVED`) | Status | The current status of the finding. | String | No | Yes | Yes | External, Internal, Unused | 
| error | Error | Indicates the error reported for the finding. | String | Yes | Yes | Yes | External, Internal | 
| principal.AWS | AWS Account | The account granted access to the resource in the Principal field of the finding. Enter the 12-digit AWS account ID or the ARN of the external AWS user or role. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String | Yes | Yes | Yes | External | 
| principal.Federated | Federated User | The ARN of the federated identity that has access to the resource in the finding. To learn more, see [Identity providers and federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html). | String | Yes | Yes | Yes | External | 
| condition.aws:PrincipalArn | Principal ARN | The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External | 
| condition.aws:PrincipalOrgID | Principal OrgID | The organization identifier of the principal indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External | 
| condition.aws:PrincipalOrgPaths | Principal OrgPaths | The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External | 
| condition.aws:SourceIp | Source IP | The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | IP address | Yes | Yes | Yes | External | 
| condition.aws:SourceVpc | Source VPC | The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External | 
| condition.aws:UserId | User ID | The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External | 
| condition.aws:VpceAccount | VPCE Account | The account ID of the VPC endpoint that allows the principal access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External, Internal | 
| condition.aws:SourceVpcArn | Source VPC Arn | The VPC ARN that allows the principal access to the resource when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | ARN | Yes | Yes | Yes | External | 
| condition.aws:VpceOrgID | VPCE OrgID | The organizational ID for the VPC endpoint that allows the principal access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ExternalInternal | 
| condition.aws:VpceOrgPaths | VPCE OrgPaths | The organizational unit (OU) for the VPC endpoint that allows the principal access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String (list) | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ExternalInternal | 
| condition.cognito-identity.amazonaws.com:aud | Cognito Audience | The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | External | 
| condition.graph.facebook.com:app\$1id | Facebook App ID | The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | External | 
| condition.accounts.google.com:aud | Google Audience | The Google application ID specified as a condition for access to the IAM role. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | External | 
| condition.kms:CallerAccount | KMS Key ID | The AWS account ID that owns the calling entity (IAM user, role or account root user) used by services calling AWS KMS. To learn more, see [Condition keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys). | String | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | External | 
| condition.www.amazon.com:app\$1id | Amazon App ID | The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see | String | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | External | 
| id | Finding ID | The ID of the finding. | String | ![\[No\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-no.png) No | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | ExternalInternalUnused | 
| changeType `CHANGED` \$1 `NEW` \$1 `UNCHANGED` |  | Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer. | String | ![\[No\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-no.png) No | ![\[No\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-no.png) No | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | External | 
| existingFindingId |  | The existing ID of the finding in IAM Access Analyzer, provided only for existing findings in the access preview. | String | ![\[No\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-no.png) No | ![\[No\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-no.png) No | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | External | 
| existingFindingStatus |  | The existing status of the finding, provided only for existing findings in the access preview. | String | ![\[No\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-no.png) No | ![\[No\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-no.png) No | ![\[Yes\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/icon-yes.png) Yes | External | 

# Using service-linked roles for AWS Identity and Access Management Access Analyzer
<a name="access-analyzer-using-service-linked-roles"></a>

AWS Identity and Access Management Access Analyzer uses an IAM [ service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role linked directly to IAM Access Analyzer. Service-linked roles are predefined by IAM Access Analyzer and include all the permissions that the feature requires to call other AWS services on your behalf.

A service-linked role makes setting up IAM Access Analyzer easier because you don’t have to manually add the necessary permissions. IAM Access Analyzer defines the permissions of its service-linked roles, and unless defined otherwise, only IAM Access Analyzer can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for AWS Identity and Access Management Access Analyzer
<a name="slr-permissions"></a>

AWS Identity and Access Management Access Analyzer uses the service-linked role named **AWSServiceRoleForAccessAnalyzer** – Allow Access Analyzer to analyze resource metadata for external access and to analyze activity to identify unused access.

The AWSServiceRoleForAccessAnalyzer service-linked role trusts the following services to assume the role:
+ `access-analyzer.amazonaws.com`

The role permissions policy named [`AccessAnalyzerServiceRolePolicy`](security-iam-awsmanpol.md#security-iam-aa-service-role-policy) allows IAM Access Analyzer to complete actions on specific resources.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for IAM Access Analyzer
<a name="create-slr"></a>

You don't need to manually create a service-linked role. When you enable Access Analyzer in the AWS Management Console or the AWS API, IAM Access Analyzer creates the service-linked role for you. The same service-linked role is used in all Regions in which you enable IAM Access Analyzer. Both external access and unused access findings use the same service-linked role.

**Note**  
IAM Access Analyzer is Regional. You must enable IAM Access Analyzer in each Region independently.

If you delete this service-linked role, IAM Access Analyzer recreates the role when you next create an analyzer.

You can also use the IAM console to create a service-linked role with the **Access Analyzer** use case. In the AWS CLI or the AWS API, create a service-linked role with the `access-analyzer.amazonaws.com` service name. For more information, see [Creating a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a service-linked role for IAM Access Analyzer
<a name="edit-slr"></a>

IAM Access Analyzer does not allow you to edit the AWSServiceRoleForAccessAnalyzer service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for IAM Access Analyzer
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that isn't actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

If IAM Access Analyzer is enabled in one or more Regions in your AWS organization, you must delete all analyzers in all Regions for the organization before attempting to delete this role.

**Note**  
If IAM Access Analyzer is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete IAM Access Analyzer resources used by the AWSServiceRoleForAccessAnalyzer role**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the **Access reports** section, under **Access analyzer**, choose **Analyzers**.

1. Choose the analyzer from which you want to delete IAM Access Analyzer resources attached to the service-linked role.

1. Choose **Delete**.

1. To confirm that you want to delete the analyzers, enter **delete**, and then choose **Delete**.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAccessAnalyzer service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for IAM Access Analyzer service-linked roles
<a name="slr-regions"></a>

IAM Access Analyzer supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).

# Preview access
<a name="access-analyzer-access-preview"></a>

In addition to helping you identify resources that are shared with an external entity, AWS IAM Access Analyzer also shows you a preview of IAM Access Analyzer findings before deploying resource permissions so you can validate that your policy changes grant only intended public and cross-account access to your resource. This helps you start with intended external access to your resources.

You can preview and validate public and cross-account access to your Amazon S3 buckets in the [Amazon S3 console](https://aws.amazon.com/s3/). You can also use IAM Access Analyzer APIs to preview public and cross-account access for your Amazon S3 buckets, AWS KMS keys, IAM roles, Amazon SQS queues and Secrets Manager secrets by providing proposed permissions for your resource.

**Topics**
+ [Previewing access in Amazon S3 console](access-analyzer-preview-access-s3-console.md)
+ [Previewing access with IAM Access Analyzer APIs](access-analyzer-preview-access-apis.md)

# Previewing access in Amazon S3 console
<a name="access-analyzer-preview-access-s3-console"></a>

After you complete your bucket policy in the Amazon S3 console you have the option to preview public and cross-account access to your Amazon S3 bucket. You can validate that your policy changes grant only intended external access before you choose **Save changes**. This optional step enables you to preview AWS Identity and Access Management Access Analyzer findings for your bucket. You can validate whether the policy change introduces new findings or resolves existing findings for external access. You can skip this validation step and save your Amazon S3 bucket policy at any time.

To preview external access to your bucket, you must have an active account analyzer in your bucket’s region with the account as the zone of trust. You must also have the permissions required to use IAM Access Analyzer and preview access. For more information on enabling IAM Access Analyzer and permissions required, see [Getting started with AWS Identity and Access Management Access Analyzer](access-analyzer-getting-started.md).

**To preview access to your Amazon S3 bucket when you create or edit your bucket policy**

1. Once you finish creating or editing your bucket policy, ensure your policy is a valid Amazon S3 bucket policy. The policy ARN must match the bucket ARN and the [policy elements](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html) must be valid.

1. Below the policy, under **Preview external access**, choose an active account analyzer, then choose **Preview**. A preview of IAM Access Analyzer findings is generated for your bucket. The preview analyzes the displayed Amazon S3 bucket policy together with the existing bucket permissions. This includes the bucket and account Block Public Access (BPA) settings, the bucket ACL, the Amazon S3 access points and multi-region access points attached to the bucket, and their policies and BPA settings.

1. When the access preview completes, a preview of IAM Access Analyzer findings is displayed. Each finding reports an instance of a principal outside of the account with access to your bucket after you save the policy. You can validate access to your bucket by reviewing each finding. The finding header provides a summary of the access and you can expand the finding to review the [finding details](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings-view.html). Finding badges provide context on how saving the bucket policy would change access to the bucket. For example, they help you validate whether the policy change introduces new findings or resolves existing findings for external access:

   1. **New** – indicates a finding for new external access that the policy would introduce.

   1. **Resolved** – indicates a finding for existing external access that the policy would remove.

   1. **Archived** – indicates a finding for new external access that would be automatically archived, based on the archive rules for the analyzer that define when findings should be marked as intended.

   1. **Existing** – indicates an existing finding for external access that would remain unchanged.

   1. **Public** – if a finding is for public access to the resource, it will have a **Public** badge, in addition to one of the badges above.

1. If you identify external access you do not intend to introduce or remove, you can revise the policy and then choose **Preview** again until you have achieved the external access you intend. If you have a finding labeled **Public**, we recommend you revise the policy to remove public access before you choose **Save changes**. Previewing access is an optional step and you can choose **Save changes** at any time. 

# Previewing access with IAM Access Analyzer APIs
<a name="access-analyzer-preview-access-apis"></a>

You can use [IAM Access Analyzer APIs](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html) to preview public and cross-account access for your Amazon S3 buckets, AWS KMS keys, IAM roles, Amazon SQS queues and Secrets Manager secrets. You can preview access by providing proposed permissions for an existing resource you own or a new resource you want to deploy.

To preview external access to your resource, you must have an active account analyzer for the account and region of the resource. You must also have the permissions required to use IAM Access Analyzer and preview access. For more information on enabling IAM Access Analyzer and permissions required, see [Getting started with AWS Identity and Access Management Access Analyzer](access-analyzer-getting-started.md). 

To preview access for a resource, you can use the `CreateAccessPreview` operation and provide the analyzer ARN and the access control configuration for the resource. The service returns the unique ID for the access preview, which you can use to check the status of the access preview with the `GetAccessPreview` operation. When the status is `Completed`, you can use the `ListAccessPreviewFindings` operation to retrieve the findings generated for the access preview. The `GetAccessPreview` and `ListAccessPreviewFindings` operations will retrieve access previews and findings created within about 24 hours.

Each finding retrieved contains [finding details](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings-view.html) describing the access, a preview `status` stating whether the finding would be `Active`, `Archived`, or `Resolved` after the permissions are deployed, and a `changeType`. The `changeType` provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer:
+ **New** – the finding is for newly introduced access.
+ **Unchanged** – the preview finding is an existing finding that would remain unchanged.
+ **Changed** – the preview finding is an existing finding with a change in status.

The `status` and the `changeType` help you understand how the resource configuration would change existing resource access. If the `changeType` is `Unchanged` or `Changed`, the finding will also contain the existing ID and status of the finding in IAM Access Analyzer. For example, a `Changed` finding with preview status `Resolved` and existing status `Active` indicates that the existing `Active` finding for the resource would become `Resolved` as a result of the proposed permissions change.

You can use the `ListAccessPreviews` operation to retrieve a list of access previews for the specified analyzer. This operation will retrieve information on access previews created within about one hour.

In general, if the access preview is for an existing resource and you leave a configuration option unspecified, the access preview will use the existing resource configuration by default. If the access preview is for a new resource and you leave a configuration option unspecified, the access preview will use the default value depending on the resource type. For configuration cases for each resource type, see below.

## Preview access to your Amazon S3 bucket
<a name="access-analyzer-preview-access-s3-bucket"></a>

To create an access preview for a new Amazon S3 bucket or an existing Amazon S3 bucket that you own, you can propose a bucket configuration by specifying the Amazon S3 bucket policy, bucket ACLs, bucket BPA settings, and Amazon S3 access points, including multi-region access points, attached to the bucket.

**Note**  
Before attempting to create an access preview for a new bucket, we recommend you call the Amazon S3 [HeadBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html) operation to check whether the named bucket already exists. This operation is useful to determine if a bucket exists and you have permission to access it.

**Bucket policy** – If the configuration is for an existing Amazon S3 bucket and you do not specify the Amazon S3 bucket policy, the access preview uses the existing policy attached to the bucket. If the access preview is for a new resource and you do not specify the Amazon S3 bucket policy, the access preview assumes a bucket without a policy. To propose deletion of an existing bucket policy, you can specify an empty string. For more information about supported bucket policy limits, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html).

**Bucket ACL grants** – You can propose up to 100 ACL grants per bucket. If you propose a grant configuration for an existing bucket, the access preview uses the proposed list of grant configurations in place of the existing grants. If you do not propose one, the access preview uses the existing grants for the bucket.

**Bucket access points** – The analysis supports up to 100 access points, including multi-region access points, per bucket, including up to ten new access points you can propose per bucket. If the proposed Amazon S3 access point configuration is for an existing bucket, the access preview uses the proposed access point configuration in place of the existing access points. To propose an access point without a policy, you can provide an empty string as the access point policy. For more information about access point policy limits, see [Access points restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points-restrictions-limitations.html).

**Block public access configuration** – If the proposed configuration is for an existing Amazon S3 bucket and you do not specify the configuration, the access preview uses the existing setting. If the proposed configuration is for a new bucket and you do not specify the bucket BPA configuration, the access preview uses `false`. If the proposed configuration is for a new access point or multi-region access point, and you do not specify the access point BPA configuration, the access preview uses `true`.
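The following script is an added example (not code from the AWS documentation) that ties together the `CreateAccessPreview`, `GetAccessPreview` and `ListAccessPreviewFindings` flow described in the API section above with the S3 bucket configuration rules from this section. It assumes an existing account analyzer whose ARN the caller supplies and a principal allowed to call those three operations; the ARNs, account IDs, sample policy and `FakeAccessAnalyzer` responses are constructed so that it runs offline. Note that the API returns the enum values in upper case (`NEW`, `CHANGED`, `UNCHANGED`; `ACTIVE`, `ARCHIVED`, `RESOLVED`), and that a new bucket analysed without an explicit BPA setting is treated as `false`, which is why the configuration builder always sets it.

```python
"""Run an IAM Access Analyzer access preview for a proposed Amazon S3 bucket
policy and summarise the findings by changeType and status.

Added example, not AWS documentation code. Assumes an existing account
analyzer (ARN passed by the caller) and permission to call CreateAccessPreview,
GetAccessPreview and ListAccessPreviewFindings. All ARNs, account IDs and the
FakeAccessAnalyzer responses below are constructed for illustration.
"""
import json
import time


def s3_bucket_configuration(bucket_policy, block_public_access=True):
    """Build the S3 entry of CreateAccessPreview's 'configurations' map.
    Fields left out (ACL grants, access points) fall back to the existing
    bucket's values; for a new bucket an unspecified BPA setting is analysed
    as 'false', so it is set explicitly here."""
    return {"s3Bucket": {
        "bucketPolicy": json.dumps(bucket_policy),
        "bucketPublicAccessBlock": {
            "ignorePublicAcls": block_public_access,
            "restrictPublicBuckets": block_public_access}}}


def wait_for_preview(client, analyzer_arn, preview_id, poll_seconds=2.0, timeout_seconds=300):
    """Poll GetAccessPreview until the preview is COMPLETED; raise on FAILED."""
    deadline = time.monotonic() + timeout_seconds
    while True:
        preview = client.get_access_preview(
            accessPreviewId=preview_id, analyzerArn=analyzer_arn)["accessPreview"]
        if preview["status"] == "COMPLETED":
            return preview
        if preview["status"] == "FAILED":
            raise RuntimeError(f"access preview failed: {preview.get('statusReason')}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"access preview {preview_id} still {preview['status']}")
        time.sleep(poll_seconds)


def list_all_findings(client, analyzer_arn, preview_id):
    """Page through ListAccessPreviewFindings using nextToken."""
    findings, kwargs = [], {"accessPreviewId": preview_id, "analyzerArn": analyzer_arn}
    while True:
        page = client.list_access_preview_findings(**kwargs)
        findings.extend(page.get("findings", []))
        if not page.get("nextToken"):
            return findings
        kwargs["nextToken"] = page["nextToken"]


def summarize(findings):
    """Sort findings by what the proposal does: NEW + ACTIVE is access the
    change introduces, CHANGED + RESOLVED is an existing ACTIVE finding the
    change removes, UNCHANGED is untouched; public findings are flagged too."""
    out = {"introduced": [], "resolved": [], "unchanged": [], "public": []}
    for f in findings:
        if f.get("isPublic"):
            out["public"].append(f["id"])
        if f["changeType"] == "NEW" and f["status"] == "ACTIVE":
            out["introduced"].append(f["id"])
        elif f["changeType"] == "CHANGED" and f["status"] == "RESOLVED":
            out["resolved"].append(f["id"])
        elif f["changeType"] == "UNCHANGED":
            out["unchanged"].append(f["id"])
    return out


def preview_bucket_policy(client, analyzer_arn, bucket_arn, bucket_policy, poll_seconds=2.0):
    """CreateAccessPreview -> poll -> list findings -> summary, for one bucket."""
    configurations = {bucket_arn: s3_bucket_configuration(bucket_policy)}
    preview_id = client.create_access_preview(
        analyzerArn=analyzer_arn, configurations=configurations)["id"]
    wait_for_preview(client, analyzer_arn, preview_id, poll_seconds=poll_seconds)
    return summarize(list_all_findings(client, analyzer_arn, preview_id))


class FakeAccessAnalyzer:
    """Constructed stand-in for boto3.client('accessanalyzer') so the example
    runs offline: CREATING on the first poll, then COMPLETED with canned findings."""

    def __init__(self):
        self.polls = 0

    def create_access_preview(self, analyzerArn, configurations):
        assert all("s3Bucket" in cfg for cfg in configurations.values())
        return {"id": "preview-constructed-0001"}

    def get_access_preview(self, accessPreviewId, analyzerArn):
        self.polls += 1
        status = "CREATING" if self.polls == 1 else "COMPLETED"
        return {"accessPreview": {"id": accessPreviewId, "status": status}}

    def list_access_preview_findings(self, accessPreviewId, analyzerArn, nextToken=None):
        return {"findings": [  # constructed findings, shaped like the API's
            {"id": "f-new", "changeType": "NEW", "status": "ACTIVE", "isPublic": False},
            {"id": "f-public", "changeType": "NEW", "status": "ACTIVE", "isPublic": True},
            {"id": "f-fixed", "changeType": "CHANGED", "status": "RESOLVED", "isPublic": False,
             "existingFindingId": "old-1", "existingFindingStatus": "ACTIVE"}]}


# Constructed proposal: read access for one other (constructed) account.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

Against a real account, pass `boto3.client("accessanalyzer")` in place of `FakeAccessAnalyzer()` together with your analyzer ARN and bucket ARN; the `GetAccessPreview` and `ListAccessPreviewFindings` calls are only valid for previews created within about 24 hours, so the polling loop is the place to fail rather than retry indefinitely. A non-empty `introduced` or `public` list is the signal to revise the policy before deploying it.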

## Preview access to your AWS KMS key
<a name="access-analyzer-preview-access-kms-key"></a>

To create an access preview for a new AWS KMS key or an existing AWS KMS key that you own, you can propose an AWS KMS key configuration by specifying the key policy and the AWS KMS grant configuration.

**AWS KMS key policy** – If the configuration is for an existing key and you do not specify the key policy, the access preview uses the existing policy for the key. If the access preview is for a new resource and you do not specify the key policy, then the access preview uses the default key policy. The proposed key policy cannot be an empty string.

**AWS KMS grants** – The analysis supports up to 100 KMS grants per configuration. If you propose a grant configuration for an existing key, the access preview uses the proposed list of grant configurations in place of the existing grants. If you do not propose one, the access preview uses the existing grants for the key.

## Preview access to your IAM role
<a name="access-analyzer-preview-iam-role"></a>

To create an access preview for a new IAM role or an existing IAM role that you own, you can propose an IAM role configuration by specifying the trust policy.

**Role trust policy** – If the configuration is for a new IAM role, you must specify the trust policy. If the configuration is for an existing IAM role that you own and you do not propose the trust policy, the access preview uses the existing trust policy for the role. The proposed trust policy cannot be an empty string.

## Preview access to your Amazon SQS queue
<a name="access-analyzer-preview-sqs-queue"></a>

To create an access preview for a new Amazon SQS queue or an existing Amazon SQS queue that you own, you can propose an Amazon SQS queue configuration by specifying the Amazon SQS policy for the queue. 

**Amazon SQS queue policy** – If the configuration is for an existing Amazon SQS queue and you do not specify the Amazon SQS policy, the access preview uses the existing Amazon SQS policy for the queue. If the access preview is for a new resource and you do not specify the policy, the access preview assumes an Amazon SQS queue without a policy. To propose deletion of an existing Amazon SQS queue policy, you can specify an empty string for the Amazon SQS policy.

## Preview access to your Secrets Manager secret
<a name="access-analyzer-preview-secrets-manager-secret"></a>

To create an access preview for a new Secrets Manager secret or an existing Secrets Manager secret that you own, you can propose a Secrets Manager secret configuration by specifying the secret policy and optional AWS KMS encryption key.

**Secret policy** – If the configuration is for an existing secret and you do not specify the secret policy, the access preview uses the existing policy for the secret. If the access preview is for a new resource and you do not specify the policy, the access preview assumes a secret without a policy. To propose deletion of an existing policy, you can specify an empty string.

**AWS KMS encryption key** – If the proposed configuration is for a new secret and you do not specify the AWS KMS key ID, the access preview uses the default KMS key of the AWS account. If you specify an empty string for the AWS KMS key ID, the access preview uses the default KMS key of the AWS account.

# Checks for validating policies
<a name="access-analyzer-checks-validating-policies"></a>

IAM Access Analyzer provides policy checks that help validate your IAM policies before you attach them to an entity. These include basic policy checks provided by policy validation to validate your policy against [policy grammar](reference_policies_grammar.md) and [AWS best practices](best-practices.md). You can view policy validation check findings that include security warnings, errors, general warnings, and suggestions for your policy.

You can use custom policy checks to check for new access based on your security standards. A charge is associated with each check for new access. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

## How custom policy checks work
<a name="access-analyzer-custom-policy-checks-overview"></a>

You can validate your policies against your specified security standards using AWS Identity and Access Management Access Analyzer custom policy checks. You can run the following types of custom policy checks:
+ **Check against a reference policy**: When editing a policy, you can check whether the updated policy grants new access compared to a reference policy, such as an existing version of the policy. You can run this check when you edit a policy using the AWS Command Line Interface (AWS CLI), IAM Access Analyzer API (API), or JSON policy editor in the IAM console.
**Note**  
IAM Access Analyzer custom policy checks allow wildcards in the `Principal` element for reference resource policies.
+ **Check against a list of IAM actions or resources**: You can check to ensure that specific IAM actions or resources are not allowed by your policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on all resources in the policy. If only resources are specified, then IAM Access Analyzer checks which actions have access to the specified resources. If both actions and resources are specified, then IAM Access Analyzer checks which of the specified actions have access to the specified resources. You can run this check when you create or edit a policy using the AWS CLI or the API.
+ **Check for public access**: You can check whether a resource policy can grant public access to a specified resource type. You can run this check when you create or edit a policy using the AWS CLI or the API. This type of custom policy check differs from [previewing access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-access-preview.html) because the check doesn't require any account or external access analyzer context. Access previews allow you to preview IAM Access Analyzer findings before deploying resource permissions, while the custom check determines whether public access might be granted by a policy.

A charge is associated with each custom policy check. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

You can run custom policy checks on identity and resource-based policies. Custom policy checks don't rely on pattern-matching techniques or examining access logs to determine whether new or a specified access is allowed by a policy. Similar to external access findings, custom policy checks are built on [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/). Zelkova translates IAM policies into equivalent logical statements, and runs a suite of general-purpose and specialized logical solvers (satisfiability modulo theories) against the problem. To check for new or specified access, IAM Access Analyzer applies Zelkova repeatedly to a policy. Queries become increasingly specific to characterize classes of behaviors that the policy allows based on the content of the policy. For more information about satisfiability modulo theories, see [Satisfiability Modulo Theories](https://people.eecs.berkeley.edu/~sseshia/pubdir/SMT-BookChapter.pdf). 

In rare cases, IAM Access Analyzer isn't able to fully determine whether a policy statement grants new or specified access. In those cases, it errs on the side of declaring a false positive by failing the custom policy check. IAM Access Analyzer is designed to provide a comprehensive policy evaluation and strives to minimize false negatives. This approach means that IAM Access Analyzer provides a high degree of assurance that a passed check means access wasn't granted by the policy. You can inspect failed checks manually by reviewing the policy statement that's reported in the response from IAM Access Analyzer.

## Examples of reference policies to check for new access
<a name="access-analyzer-custom-policy-checks-reference"></a>

You can find examples for reference policies and learn how to set up and run a custom policy check for new access in the [IAM Access Analyzer custom policy checks samples](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples) repository on GitHub.

**Before using these examples**  
Before you use these sample reference policies, do the following:  
+ Carefully review and customize the reference policies for your unique requirements.
+ Thoroughly test the reference policies in your environment with the AWS services that you use.

The reference policies demonstrate the implementation and use of custom policy checks. They're ***not*** intended to be interpreted as official AWS recommendations or best practices to be implemented exactly as shown. It is your responsibility to carefully test reference policies for their suitability to solve the security requirements for your environment.

Custom policy checks are environment-agnostic in their analysis. Their analysis only considers information contained within the input policies. For example, custom policy checks can't check whether an account is a member of a specific AWS organization. Therefore, custom policy checks can't evaluate new access based on the values of the [`aws:PrincipalOrgID`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid) and [`aws:PrincipalAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalaccount) condition keys.

## Inspect failed custom policy checks
<a name="access-analyzer-custom-policy-checks-failed-check"></a>

When a custom policy check fails, the response from IAM Access Analyzer includes the [statement ID (`Sid`)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the policy statement that caused the check to fail. Although the statement ID is an optional policy element, we recommend that you add a statement ID for every policy statement. The custom policy check also returns a statement index to help identify the reason for the check failure. The statement index follows zero-based numbering, where the first statement is referenced as 0. When there are multiple statements that cause a check to fail, the check returns only one statement ID at a time. We recommend that you fix the statement highlighted in the reason and rerun the check until it passes.
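The following script is an added example, not code from the IAM documentation or the samples repository. It shows how to resolve a failed check from the custom policy checks described above (`check-no-new-access`, `check-access-not-granted`) back to the offending statement using the zero-based `statementIndex`, fall back to the policy when `statementId` is absent because the statement has no `Sid`, and add `Sid` values so that future failures are easier to read. `NEW_POLICY` and `CHECK_RESPONSE` are constructed; the response follows the documented result shape (`result`, `message`, `reasons[]` with `description`, `statementIndex`, `statementId`). The `aws accessanalyzer check-no-new-access` command in the docstring is the documented CLI call and needs credentials, so it is not run here.

```python
"""Resolve a failed custom policy check to the statement that caused it.

Added example, not code from the IAM documentation. NEW_POLICY and
CHECK_RESPONSE are constructed; the response mimics the documented shape of a
CheckNoNewAccess / CheckAccessNotGranted result. A real response comes from:
  aws accessanalyzer check-no-new-access --policy-type IDENTITY_POLICY \
      --existing-policy-document file://old.json \
      --new-policy-document file://new.json > response.json
"""
import copy
import json

NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadObjects", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        # The second statement deliberately has no Sid.
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Constructed FAIL response: only one statement is reported per run.
CHECK_RESPONSE = {
    "result": "FAIL",
    "message": "The modified permissions grant new access compared to your existing policy.",
    "reasons": [
        {"description": "New access in the statement with index: 1.", "statementIndex": 1}
    ],
}


def statements(policy):
    """Statement may be a single object or a list; always return a list."""
    stmt = policy.get("Statement", [])
    return stmt if isinstance(stmt, list) else [stmt]


def failed_statements(policy, response):
    """Return [(index, sid_or_None, statement)] for each reason in a FAIL response.

    statementIndex is zero-based. statementId is only present when the
    statement carries a Sid, so fall back to looking the Sid up in the policy.
    """
    if response.get("result") != "FAIL":
        return []
    stmts = statements(policy)
    out = []
    for reason in response.get("reasons", []):
        idx = reason.get("statementIndex")
        if idx is None or not 0 <= idx < len(stmts):
            continue  # reason does not point at a statement
        stmt = stmts[idx]
        out.append((idx, reason.get("statementId") or stmt.get("Sid"), stmt))
    return out


def add_missing_sids(policy, prefix="Stmt"):
    """Copy of the policy in which every statement has a Sid (Stmt0, Stmt1, ...)."""
    fixed = copy.deepcopy(policy)
    for i, stmt in enumerate(statements(fixed)):
        stmt.setdefault("Sid", f"{prefix}{i}")
    return fixed


def report(policy, response):
    """Human-readable lines naming the statements to fix before rerunning the check."""
    lines = []
    for idx, sid, stmt in failed_statements(policy, response):
        label = sid or f"no Sid, index {idx}"
        lines.append(f"statement {idx} ({label}): Effect={stmt.get('Effect')} "
                     f"Action={stmt.get('Action', stmt.get('NotAction'))}")
    return lines


if __name__ == "__main__":
    for line in report(NEW_POLICY, CHECK_RESPONSE):
        print(line)
    print(json.dumps(add_missing_sids(NEW_POLICY), indent=2))
```

Because a failing check reports one statement at a time, loop: fix the reported statement, rerun the check, and repeat until `result` is `PASS`.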

# Validate policies with IAM Access Analyzer
<a name="access-analyzer-policy-validation"></a>

You can validate your policies using AWS Identity and Access Management Access Analyzer policy validation. You can create or edit a policy using the AWS CLI, AWS API, or JSON policy editor in the IAM console. IAM Access Analyzer validates your policy against IAM [policy grammar](reference_policies_grammar.md) and [AWS best practices](best-practices.md). You can view policy validation check findings that include security warnings, errors, general warnings, and suggestions for your policy. These findings provide actionable recommendations that help you author policies that are functional and conform to security best practices. To view a list of the basic policy checks that are run by IAM Access Analyzer, see [IAM policy validation check reference](access-analyzer-reference-policy-checks.md).

## Validating policies in IAM (console)
<a name="access-analyzer-policy-validation-iam-console"></a>

You can view findings generated by IAM Access Analyzer policy validation when you create or edit a managed policy in the IAM console. You can also view these findings for inline user or role policies. IAM Access Analyzer does not generate these findings for inline group policies.

**To view findings generated by policy checks for IAM JSON policies**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Begin creating or editing a policy using one of the following methods:

   1. To create a new managed policy, go to the **Policies** page and create a new policy. For more information, see [Creating policies using the JSON editor](access_policies_create-console.md#access_policies_create-json-editor).

   1. To view policy checks for an existing customer managed policy, go to the **Policies** page, choose the name of a policy, and then choose **Edit**. For more information, see [Editing customer managed policies (console)](access_policies_manage-edit-console.md#edit-customer-managed-policy-console).

   1. To view policy checks for an inline policy on a user or role, go to the **Users** or **Roles** page, choose the name of a user or role, choose the name of the policy on the **Permissions** tab and then choose **Edit**. For more information, see [Editing inline policies (console)](access_policies_manage-edit-console.md#edit-inline-policy-console).

1. In the policy editor, choose the **JSON** tab.

1. In the policy validation pane below the policy, choose one or more of the following tabs. The tab names also indicate the number of each finding type for your policy.
   + **Security** – View warnings if your policy allows access that AWS considers a security risk because the access is overly permissive.
   + **Errors** – View errors if your policy includes lines that prevent the policy from functioning.
   + **Warnings** – View warnings if your policy doesn't conform to best practices, but the issues are not security risks.
   + **Suggestions** – View suggestions if AWS recommends improvements that don't impact the permissions of the policy.

1. Review the finding details provided by the IAM Access Analyzer policy check. Each finding indicates the location of the reported issue. To learn more about what causes the issue and how to resolve it, choose the **Learn more** link next to the finding. You can also search for the policy check associated with each finding in the [Access Analyzer policy checks](access-analyzer-reference-policy-checks.md) reference page.

1. Optional. If you are editing an existing policy, you can run a custom policy check to determine whether your updated policy grants new access compared to the existing version. In the policy validation pane below the policy, choose the **Check for new access** tab and then choose **Check policy**. If the modified permissions grant new access, the statement will be highlighted in the policy validation pane. If you do not intend to grant new access, update the policy statement and choose **Check policy** until no new access is detected. For more information, see [Validate policies with IAM Access Analyzer custom policy checks](access-analyzer-custom-policy-checks.md).
**Note**  
A charge is associated with each check for new access. For more details on pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

1. Update your policy to resolve the findings.
**Important**  
Test new or edited policies thoroughly before implementing them in your production workflow.

1. When you are finished, choose **Next**. The [Policy validator](access_policies_policy-validator.md) reports any syntax errors that are not reported by IAM Access Analyzer.
**Note**  
You can switch between the **Visual** and **JSON** tabs anytime. However, if you make changes or choose **Next** in the **Visual** tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).

1. For new policies, on the **Review and create** page, enter a **Policy name** and a **Description** (optional) for the policy that you are creating. Review the **Permissions defined in this policy** to see the permissions that are granted by your policy. Then choose **Create policy** to save your work.

   For existing policies, on the **Review and save** page, review the **Permissions defined in this policy** to see the permissions that are granted by your policy. Choose the **Set this new version as the default.** checkbox to save the updated version as the default version of the policy. Then choose **Save changes** to save your work.

## Validating policies using IAM Access Analyzer (AWS CLI or AWS API)
<a name="access-analyzer-policy-validation-cli"></a>

You can view findings generated by IAM Access Analyzer policy validation from the AWS Command Line Interface (AWS CLI) or the AWS API.

**To view findings generated by IAM Access Analyzer policy validation (AWS CLI or AWS API)**  
Use one of the following:
+ AWS CLI: [aws accessanalyzer validate-policy](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/validate-policy.html) 
+ AWS API: [ValidatePolicy](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html) 
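The following script is an added example, not AWS code, showing how a deployment pipeline can consume the `ValidatePolicy` output from the CLI or API call above and refuse to ship a policy that has `ERROR` or `SECURITY_WARNING` findings, while reporting the line, column and JSON path of each blocking finding. `SAMPLE_FINDINGS` is constructed to match the documented response shape (`findings[]` with `findingType`, `issueCode`, `findingDetails`, `learnMoreLink`, `locations[].path` and `locations[].span`); the blocking threshold is this example's choice. The `aws accessanalyzer validate-policy` command in the docstring is the documented CLI call and needs credentials, so it is not run here.

```python
"""Gate a policy on IAM Access Analyzer policy validation findings.

Added example, not AWS code. SAMPLE_FINDINGS is constructed to match the
documented ValidatePolicy response. A real findings file comes from:
  aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY \
      --policy-document file://policy.json > findings.json
"""
import json
import sys
from collections import Counter

# This example's threshold: ERROR and SECURITY_WARNING block a deployment;
# WARNING and SUGGESTION are reported but do not fail the gate.
BLOCKING = frozenset({"ERROR", "SECURITY_WARNING"})

SAMPLE_FINDINGS = [
    {
        "findingType": "ERROR",
        "issueCode": "INVALID_ACTION",
        "findingDetails": "The action s3:GetObjects does not exist. Did you mean s3:GetObject?",
        "learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
        "locations": [{
            "path": [{"value": "Statement"}, {"index": 0}, {"value": "Action"}, {"index": 1}],
            "span": {"start": {"line": 6, "column": 8, "offset": 110},
                     "end": {"line": 6, "column": 24, "offset": 126}},
        }],
    },
    {
        "findingType": "SECURITY_WARNING",
        "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
        "findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive.",
        "locations": [{
            "path": [{"value": "Statement"}, {"index": 1}, {"value": "Resource"}],
            "span": {"start": {"line": 12, "column": 20, "offset": 310},
                     "end": {"line": 12, "column": 23, "offset": 313}},
        }],
    },
    {
        "findingType": "SUGGESTION",
        "issueCode": "EMPTY_SID_VALUE",
        "findingDetails": "Add a value to the empty string in the Sid element.",
        "locations": [{
            "path": [{"value": "Statement"}, {"index": 2}, {"value": "Sid"}],
            "span": {"start": {"line": 16, "column": 13, "offset": 402},
                     "end": {"line": 16, "column": 15, "offset": 404}},
        }],
    },
]


def path_to_str(path):
    """Render a ValidatePolicy location path, e.g. Statement[0].Action[1]."""
    out = ""
    for el in path:
        if "index" in el:
            out += f"[{el['index']}]"
        elif "value" in el:
            out += ("." if out else "") + el["value"]
        elif "key" in el:
            out += f"[{el['key']!r}]"
        elif "substring" in el:
            out += f"<{el['substring'].get('start')}..{el['substring'].get('end')}>"
    return out


def format_finding(f):
    """One line per finding: type, issue code, position, JSON path, details."""
    first = (f.get("locations") or [{}])[0]
    where = path_to_str(first.get("path", [])) or "policy"
    start = first.get("span", {}).get("start", {})
    pos = f"line {start.get('line', '?')}, col {start.get('column', '?')}"
    return f"{f['findingType']} {f['issueCode']} at {pos} ({where}): {f.get('findingDetails', '')}"


def summarize(findings):
    """Count findings by finding type (matches the console's tab counts)."""
    return Counter(f["findingType"] for f in findings)


def gate(findings, blocking=BLOCKING):
    """Return (ok, report_lines); ok is False when any blocking finding exists."""
    blockers = [f for f in findings if f.get("findingType") in blocking]
    return (not blockers, [format_finding(f) for f in blockers])


def gate_file(path, blocking=BLOCKING):
    """Gate a findings.json written by `aws accessanalyzer validate-policy`."""
    with open(path) as fh:
        return gate(json.load(fh).get("findings", []), blocking)


if __name__ == "__main__":
    ok, lines = gate_file(sys.argv[1]) if len(sys.argv) > 1 else gate(SAMPLE_FINDINGS)
    print("summary:", dict(summarize(SAMPLE_FINDINGS if len(sys.argv) < 2 else [])))
    for line in lines:
        print(line)
    sys.exit(0 if ok else 1)
```

Run it as `python gate.py findings.json` in CI; the non-zero exit status blocks the deployment step, and the printed lines point reviewers at the exact statement element to fix.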

# IAM policy validation check reference
<a name="access-analyzer-reference-policy-checks"></a>

You can validate your policies using AWS Identity and Access Management Access Analyzer policy validation. You can create or edit a policy using the AWS CLI, AWS API, or JSON policy editor in the IAM console. IAM Access Analyzer validates your policy against IAM [policy grammar](reference_policies_grammar.md) and [AWS best practices](best-practices.md). You can view policy validation check findings that include security warnings, errors, general warnings, and suggestions for your policy. These findings provide actionable recommendations that help you author policies that are functional and conform to security best practices. The list of basic policy checks provided by IAM Access Analyzer are shared below. There is no additional charge associated with running the policy validation checks. To learn more about validating policies using policy validation, see [Validate policies with IAM Access Analyzer](access-analyzer-policy-validation.md).

## Error – ARN account not allowed
<a name="access-analyzer-reference-policy-checks-error-arn-account-not-allowed"></a>

**Issue code:** `ARN_ACCOUNT_NOT_ALLOWED`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
ARN account not allowed: The service {{service}} does not support specifying an account ID in the resource ARN.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The service {{service}} does not support specifying an account ID in the resource ARN."
```

**Resolving the error**

Remove the account ID from the resource ARN. The resource ARNs for some AWS services do not support specifying an account ID.

For example, Amazon S3 does not support an account ID as a namespace in bucket ARNs. An Amazon S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. To view all of the resource types available in Amazon S3, see [Resource types defined by Amazon S3](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-resources-for-iam-policies) in the *Service Authorization Reference*.

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Account Identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [AWS service resources with ARN formats](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – ARN Region not allowed
<a name="access-analyzer-reference-policy-checks-error-arn-region-not-allowed"></a>

**Issue code:** `ARN_REGION_NOT_ALLOWED`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
ARN Region not allowed: The service {{service}} does not support specifying a Region in the resource ARN.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The service {{service}} does not support specifying a Region in the resource ARN."
```

**Resolving the error**

Remove the Region from the resource ARN. The resource ARNs for some AWS services do not support specifying a Region.

For example, IAM is a global service, so the Region portion of an IAM resource ARN is always empty. IAM resources, like the AWS account itself, are not tied to a Region: after you sign in as an IAM user, you can access AWS services in any geographic region.

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [AWS service resources with ARN formats](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Data type mismatch
<a name="access-analyzer-reference-policy-checks-error-data-type-mismatch"></a>

**Issue code:** `DATA_TYPE_MISMATCH`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Data type mismatch: The text does not match the expected JSON data type {{data_type}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The text does not match the expected JSON data type {{data_type}}."
```

**Resolving the error**

Update the text to use the supported data type.

For example, the `Version` policy element takes a `String` value such as `"2012-10-17"`. If you provide a date or an integer instead, the data type won't match.

**Related terms**
+ [Global condition keys](reference_policies_condition-keys.md)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)

## Error – Duplicate keys with different case
<a name="access-analyzer-reference-policy-checks-error-duplicate-keys-with-different-case"></a>

**Issue code:** `DUPLICATE_KEYS_WITH_DIFFERENT_CASE`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Duplicate keys with different case: The condition key {{key}} appears more than once with different capitalization in the same condition block. Remove the duplicate condition keys.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition key {{key}} appears more than once with different capitalization in the same condition block. Remove the duplicate condition keys."
```

**Resolving the error**

Review the similar condition keys within the same condition block and use the same capitalization for all instances.

A *condition block* is the text within the `Condition` element of a policy statement. Condition key *names* are not case-sensitive. The case-sensitivity of condition key *values* depends on the condition operator that you use. For more information about case-sensitivity in condition keys, see [IAM JSON policy elements: Condition](reference_policies_elements_condition.md).

**Related terms**
+ [Conditions](reference_policies_elements_condition.md)
+ [Condition block](reference_policies_elements_condition.md#AccessPolicyLanguage_ConditionBlock)
+ [Global condition keys](reference_policies_condition-keys.md)
+ [AWS service condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid action
<a name="access-analyzer-reference-policy-checks-error-invalid-action"></a>

**Issue code:** `INVALID_ACTION`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid action: The action {{action}} does not exist. Did you mean {{valid_action}}?
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The action {{action}} does not exist. Did you mean {{valid_action}}?"
```

**Resolving the error**

The action that you specified is not valid. This can happen if you mistype the service prefix or the action name. For some common issues, the policy check returns a suggested action.

**Related terms**
+ [Policy actions](reference_policies_elements_action.md)
+ [AWS service actions](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

### AWS managed policies with this error
<a name="accan-ref-policy-check-message-fix-error-invalid-action-awsmanpol"></a>

[AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) enable you to get started with AWS by assigning permissions based on general AWS use cases.

The following AWS managed policies include invalid actions in their policy statements. Invalid actions do not affect the permissions granted by the policy. When using an AWS managed policy as a reference to create your managed policy, AWS recommends that you remove invalid actions from your policy.
+ [AmazonEMRFullAccessPolicy_v2](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2)
+ [CloudWatchSyntheticsFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/CloudWatchSyntheticsFullAccess)

## Error – Invalid ARN account
<a name="access-analyzer-reference-policy-checks-error-invalid-arn-account"></a>

**Issue code:** `INVALID_ARN_ACCOUNT`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid ARN account: The resource ARN account ID {{account}} is not valid. Provide a 12-digit account ID.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The resource ARN account ID {{account}} is not valid. Provide a 12-digit account ID."
```

**Resolving the error**

Update the account ID in the resource ARN. An account ID is a 12-digit number; keep any leading zeros, because the ARN is matched as a string. To learn how to view your account ID, see [Finding your AWS account ID](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html#FindingYourAccountIdentifiers).

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Account Identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [AWS service resources with ARN formats](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid ARN prefix
<a name="access-analyzer-reference-policy-checks-error-invalid-arn-prefix"></a>

**Issue code:** `INVALID_ARN_PREFIX`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid ARN prefix: Add the required prefix (arn) to the resource ARN.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add the required prefix (arn) to the resource ARN."
```

**Resolving the error**

AWS resource ARNs must include the required `arn:` prefix.

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [AWS service resources with ARN formats](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid ARN Region
<a name="access-analyzer-reference-policy-checks-error-invalid-arn-region"></a>

**Issue code:** `INVALID_ARN_REGION`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid ARN Region: The Region {{region}} is not valid for this resource. Update the resource ARN to include a supported Region.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The Region {{region}} is not valid for this resource. Update the resource ARN to include a supported Region."
```

**Resolving the error**

The resource type is not supported in the specified Region. For a table of AWS services supported in each Region, see the [Region table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [Region names and codes](https://docs.aws.amazon.com/general/latest/gr/rande.html#region-names-codes)

## Error – Invalid ARN resource
<a name="access-analyzer-reference-policy-checks-error-invalid-arn-resource"></a>

**Issue code:** `INVALID_ARN_RESOURCE`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid ARN resource: Resource ARN does not match the expected ARN format. Update the resource portion of the ARN.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Resource ARN does not match the expected ARN format. Update the resource portion of the ARN."
```

**Resolving the error**

The resource ARN must match the specifications for known resource types. To view the expected ARN format for a service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). Choose the name of the service to view its resource types and ARN formats.

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [AWS service resources with ARN formats](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid ARN service case
<a name="access-analyzer-reference-policy-checks-error-invalid-arn-service-case"></a>

**Issue code:** `INVALID_ARN_SERVICE_CASE`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid ARN service case: Update the service name {{service}} in the resource ARN to use all lowercase letters.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Update the service name {{service}} in the resource ARN to use all lowercase letters."
```

**Resolving the error**

The service in the resource ARN must match the specifications (including capitalization) for service prefixes. To view the prefix for a service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). Choose the name of the service and locate its prefix in the first sentence.

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [AWS service resources with ARN formats](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid condition data type
<a name="access-analyzer-reference-policy-checks-error-invalid-condition-data-type"></a>

**Issue code:** `INVALID_CONDITION_DATA_TYPE`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid condition data type: The condition value data types do not match. Use condition values of the same JSON data type.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition value data types do not match. Use condition values of the same JSON data type."
```

**Resolving the error**

The value in the condition key-value pair must match the data type of the condition key and condition operator. To view the condition key data type for a service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). Choose the name of the service to view the condition keys for that service.

For example, the [`CurrentTime`](reference_policies_condition-keys.md#condition-keys-currenttime) global condition key supports the `Date` condition operator. If you provide a string or an integer for the value in the condition block, the data type won't match.

**Related terms**
+ [Conditions](reference_policies_elements_condition.md)
+ [Condition block](reference_policies_elements_condition.md#AccessPolicyLanguage_ConditionBlock)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)
+ [Global condition keys](reference_policies_condition-keys.md)
+ [AWS service condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid condition key format
<a name="access-analyzer-reference-policy-checks-error-invalid-condition-key-format"></a>

**Issue code:** `INVALID_CONDITION_KEY_FORMAT`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid condition key format: The condition key format is not valid. Use the format service:keyname.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition key format is not valid. Use the format service:keyname."
```

**Resolving the error**

The key in the condition key-value pair must match the specifications for the service. To view the condition keys for a service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). Choose the name of the service to view the condition keys for that service.

**Related terms**
+ [Conditions](reference_policies_elements_condition.md)
+ [Global condition keys](reference_policies_condition-keys.md)
+ [AWS service condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid condition multiple Boolean
<a name="access-analyzer-reference-policy-checks-error-invalid-condition-multiple-boolean"></a>

**Issue code:** `INVALID_CONDITION_MULTIPLE_BOOLEAN`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid condition multiple Boolean: The condition key does not support multiple Boolean values. Use a single Boolean value.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition key does not support multiple Boolean values. Use a single Boolean value."
```

**Resolving the error**

The key in the condition key-value pair expects a single Boolean value. When you provide multiple Boolean values, the condition match might not return the results that you expect.

To view the condition keys for a service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). Choose the name of the service to view the condition keys for that service.

**Related terms**
+ [Conditions](reference_policies_elements_condition.md)
+ [Global condition keys](reference_policies_condition-keys.md)
+ [AWS service condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid condition operator
<a name="access-analyzer-reference-policy-checks-error-invalid-condition-operator"></a>

**Issue code:** `INVALID_CONDITION_OPERATOR`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid condition operator: The condition operator {{operator}} is not valid. Use a valid condition operator.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition operator {{operator}} is not valid. Use a valid condition operator."
```

**Resolving the error**

Update the condition to use a supported condition operator.

**Related terms**
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)
+ [Condition element](reference_policies_elements_condition.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Error – Invalid effect
<a name="access-analyzer-reference-policy-checks-error-invalid-effect"></a>

**Issue code:** `INVALID_EFFECT`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid effect: The effect {{effect}} is not valid. Use Allow or Deny.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The effect {{effect}} is not valid. Use Allow or Deny."
```

**Resolving the error**

Update the `Effect` element to use a valid effect. Valid values for `Effect` are **Allow** and **Deny**.

**Related terms**
+ [Effect element](reference_policies_elements_effect.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Error – Invalid global condition key
<a name="access-analyzer-reference-policy-checks-error-invalid-global-condition-key"></a>

**Issue code:** `INVALID_GLOBAL_CONDITION_KEY`

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid global condition key: The condition key {{key}} does not exist. Use a valid condition key.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition key {{key}} does not exist. Use a valid condition key."
```

**Resolving the error**

Update the condition key in the condition key-value pair to use a supported global condition key.

Global condition keys are condition keys with an `aws:` prefix. AWS services can support global condition keys or provide service-specific keys that include their service prefix. For example, IAM condition keys include the `iam:` prefix. For more information, see [Actions, Resources, and Condition Keys for AWS Services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) and choose the service whose keys you want to view.

**Related terms**
+ [Global condition keys](reference_policies_condition-keys.md)

## Error – Invalid partition
<a name="access-analyzer-reference-policy-checks-error-invalid-partition"></a>

**Issue code: **INVALID_PARTITION

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid partition: The resource ARN for the service {{service}} does not support the partition {{partition}}. Use the supported values: {{partitions}}
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The resource ARN for the service {{service}} does not support the partition {{partition}}. Use the supported values: {{partitions}}"
```

**Resolving the error**

Update the resource ARN to include a supported partition. If you included a supported partition, then the service or resource might not support the partition that you included.

A *partition* is a group of AWS Regions. Each AWS account is scoped to one partition. In Classic Regions, use the `aws` partition. In China Regions, use `aws-cn`. In AWS GovCloud (US) Regions, use `aws-us-gov`. An ARN that names a different partition can never match a resource in your account, so a statement written against the wrong partition allows or denies nothing.

**Related terms**
+ [Amazon Resource Names (ARNs) - Partitions](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)

## Error – Invalid policy element
<a name="access-analyzer-reference-policy-checks-error-invalid-policy-element"></a>

**Issue code: **INVALID_POLICY_ELEMENT

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid policy element: The policy element {{element}} is not valid.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The policy element {{element}} is not valid."
```

**Resolving the error**

Update the policy to include only supported JSON policy elements.

**Related terms**
+ [JSON policy elements](reference_policies_elements.md)

## Error – Invalid principal format
<a name="access-analyzer-reference-policy-checks-error-invalid-principal-format"></a>

**Issue code: **INVALID_PRINCIPAL_FORMAT

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid principal format: The Principal element contents are not valid. Specify a key-value pair in the Principal element.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The Principal element contents are not valid. Specify a key-value pair in the Principal element."
```

**Resolving the error**

Update the `Principal` element to use a supported key-value pair format.

You can specify a principal in a resource-based policy, including a role trust policy, but not in an identity-based policy.

For example, to delegate access to everyone in an AWS account, use the following principal in your policy. Naming an account this way grants the account, not the public: IAM principals in that account can use the access only if their own identity-based policies also allow the action.

```
"Principal": { "AWS": "123456789012" }
```

**Related terms**
+ [JSON policy elements: Principal](reference_policies_elements_principal.md)
+ [Identity-based policies and resource-based policies](access_policies_identity-vs-resource.md)

## Error – Invalid principal key
<a name="access-analyzer-reference-policy-checks-error-invalid-principal-key"></a>

**Issue code: **INVALID_PRINCIPAL_KEY

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid principal key: The principal key {{principal-key}} is not valid.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The principal key {{principal-key}} is not valid."
```

**Resolving the error**

Update the key in the principal key-value pair to use a supported principal key. The following are supported principal keys:
+ AWS
+ CanonicalUser
+ Federated
+ Service

**Related terms**
+ [Principal element](reference_policies_elements_principal.md)

## Error – Invalid Region
<a name="access-analyzer-reference-policy-checks-error-invalid-region"></a>

**Issue code: **INVALID_REGION

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid Region: The Region {{region}} is not valid. Update the condition value to a supported Region.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The Region {{region}} is not valid. Update the condition value to a suported Region."
```

**Resolving the error**

Update the value of the condition key-value pair to include a supported Region. For a table of AWS services supported in each Region, see the [Region table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [Region names and codes](https://docs.aws.amazon.com/general/latest/gr/rande.html#region-names-codes)

## Error – Invalid service
<a name="access-analyzer-reference-policy-checks-error-invalid-service"></a>

**Issue code: **INVALID_SERVICE

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid service: The service {{service}} does not exist. Use a valid service name.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The service {{service}} does not exist. Use a valid service name."
```

**Resolving the error**

The service prefix in the action or condition key must match the specifications (including capitalization) for service prefixes. To view the prefix for a service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). Choose the name of the service and locate its prefix in the first sentence.

**Related terms**
+ [Known services and their actions, resources, and condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid service condition key
<a name="access-analyzer-reference-policy-checks-error-invalid-service-condition-key"></a>

**Issue code: **INVALID_SERVICE_CONDITION_KEY

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid service condition key: The condition key {{key}} does not exist in the service {{service}}. Use a valid condition key.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition key {{key}} does not exist in the service {{service}}. Use a valid condition key."
```

**Resolving the error**

Update the key in the condition key-value pair to use a known condition key for the service. Global condition key names begin with the `aws` prefix. AWS services can provide service-specific keys that include their service prefix. To view the prefix for a service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).

**Related terms**
+ [Global condition keys](reference_policies_condition-keys.md)
+ [Known services and their actions, resources, and condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid service in action
<a name="access-analyzer-reference-policy-checks-error-invalid-service-in-action"></a>

**Issue code: **INVALID_SERVICE_IN_ACTION

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid service in action: The service {{service}} specified in the action does not exist. Did you mean {{service2}}?
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The service {{service}} specified in the action does not exist. Did you mean {{service2}}?"
```

**Resolving the error**

The service prefix in the action must match the specifications (including capitalization) for service prefixes. To view the prefix for a service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). Choose the name of the service and locate its prefix in the first sentence.

**Related terms**
+ [Action element](reference_policies_elements_action.md)
+ [Known services and their actions](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid variable for operator
<a name="access-analyzer-reference-policy-checks-error-invalid-variable-for-operator"></a>

**Issue code: **INVALID_VARIABLE_FOR_OPERATOR

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid variable for operator: Policy variables can only be used with String and ARN operators.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Policy variables can only be used with String and ARN operators."
```

**Resolving the error**

You can use policy variables in the `Resource` element and in string comparisons in the `Condition` element. Conditions support variables only when you use string operators or ARN operators. String operators include `StringEquals`, `StringLike`, and `StringNotLike`; ARN operators include `ArnEquals` and `ArnLike`. You can't use a policy variable with other operators, such as the Numeric, Date, Boolean, Binary, IP Address, or Null operators. If a value such as `${aws:username}` appears under one of those operators, move the comparison to a string or ARN operator or replace the variable with a literal value.

**Related terms**
+ [Using policy variables in the Condition element](reference_policies_variables.md#policy-vars-conditionelement)
+ [Condition element](reference_policies_elements_condition.md)

## Error – Invalid version
<a name="access-analyzer-reference-policy-checks-error-invalid-version"></a>

**Issue code: **INVALID_VERSION

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid version: The version {{version}} is not valid. Use one of the following versions: {{versions}}
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The version {{version}} is not valid. Use one of the following versions: {{versions}}"
```

**Resolving the error**

The `Version` policy element specifies the language syntax rules that AWS uses to process a policy. To use all of the available policy features, include the latest `Version` element before the `Statement` element in all of your policies. If you omit `Version` or use the earlier `2008-10-17` value, newer features are unavailable; in particular, policy variables such as `${aws:username}` are treated as literal strings rather than substituted, which silently changes what the policy matches.

```
"Version": "2012-10-17"
```

**Related terms**
+ [Version element](reference_policies_elements_version.md)

## Error – Json syntax error
<a name="access-analyzer-reference-policy-checks-error-json-syntax-error"></a>

**Issue code: **JSON_SYNTAX_ERROR

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Json syntax error: Fix the JSON syntax error at index {{index}} line {{line}} column {{column}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Fix the JSON syntax error at index {{index}} line {{line}} column {{column}}."
```

**Resolving the error**

Your policy includes a syntax error. Check your JSON syntax at the reported line and column. Common causes are a trailing comma after the last element of an object or array, single quotes around keys or values, unquoted keys, and comments, none of which JSON permits.

**Related terms**
+ [JSON validator](https://json-validate.com/)
+ [IAM JSON policy elements reference](reference_policies_elements.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Error – Json syntax error
<a name="access-analyzer-reference-policy-checks-error-json-syntax-error"></a>

**Issue code: **JSON_SYNTAX_ERROR

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Json syntax error: Fix the JSON syntax error.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Fix the JSON syntax error."
```

**Resolving the error**

Your policy includes a syntax error. Check your JSON syntax.

**Related terms**
+ [JSON validator](https://json-validate.com/)
+ [IAM JSON policy elements reference](reference_policies_elements.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Error – Missing action
<a name="access-analyzer-reference-policy-checks-error-missing-action"></a>

**Issue code: **MISSING_ACTION

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing action: Add an Action or NotAction element to the policy statement.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add an Action or NotAction element to the policy statement."
```

**Resolving the error**

AWS JSON policies must include an `Action` or `NotAction` element.

**Related terms**
+ [Action element](reference_policies_elements_action.md)
+ [NotAction element](reference_policies_elements_notaction.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Error – Missing ARN field
<a name="access-analyzer-reference-policy-checks-error-missing-arn-field"></a>

**Issue code: **MISSING_ARN_FIELD

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing ARN field: Resource ARNs must include at least {{fields}} fields in the following structure: arn:partition:service:region:account:resource
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Resource ARNs must include at least {{fields}} fields in the following structure: arn:partition:service:region:account:resource"
```

**Resolving the error**

All of the fields in the resource ARN must match the specifications for a known resource type. To view the expected ARN format for a service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). Choose the name of the service to view its resource types and ARN formats.

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [AWS service resources with ARN formats](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Missing ARN Region
<a name="access-analyzer-reference-policy-checks-error-missing-arn-region"></a>

**Issue code: **MISSING_ARN_REGION

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing ARN Region: Add a Region to the {{service}} resource ARN.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add a Region to the {{service}} resource ARN."
```

**Resolving the error**

The resource ARNs for most AWS services require that you specify a Region. For a table of AWS services supported in each Region, see the [Region table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [Region names and codes](https://docs.aws.amazon.com/general/latest/gr/rande.html#region-names-codes)

## Error – Missing effect
<a name="access-analyzer-reference-policy-checks-error-missing-effect"></a>

**Issue code: **MISSING_EFFECT

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing effect: Add an Effect element to the policy statement with a value of Allow or Deny.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add an Effect element to the policy statement with a value of Allow or Deny."
```

**Resolving the error**

AWS JSON policies must include an `Effect` element in every statement, with a value of either **Allow** or **Deny**.

**Related terms**
+ [Effect element](reference_policies_elements_effect.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Error – Missing principal
<a name="access-analyzer-reference-policy-checks-error-missing-principal"></a>

**Issue code: **MISSING_PRINCIPAL

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing principal: Add a Principal element to the policy statement.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add a Principal element to the policy statement."
```

**Resolving the error**

Resource-based policies must include a `Principal` element.

For example, to define access for everyone in an AWS account, use the following principal in your policy:

```
"Principal": { "AWS": "123456789012" }
```

**Related terms**
+ [Principal element](reference_policies_elements_principal.md)
+ [Identity-based policies and resource-based policies](access_policies_identity-vs-resource.md)

## Error – Missing qualifier
<a name="access-analyzer-reference-policy-checks-error-missing-qualifier"></a>

**Issue code: **MISSING_QUALIFIER

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing qualifier: The request context key {{key}} has multiple values. Use the ForAllValues or ForAnyValue condition key qualifiers in your policy.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The request context key {{key}} has multiple values. Use the ForAllValues or ForAnyValue condition key qualifiers in your policy."
```

**Resolving the error**

In the `Condition` element, you build expressions in which you use condition operators like equal or less than to compare a condition in the policy against keys and values in the request context. When the request context can carry multiple values for a single key (a multivalued context key such as `aws:TagKeys`), a single-valued condition operator cannot evaluate it, and IAM Access Analyzer reports this error. List the policy values as an array (`"Key2": ["Value2A", "Value2B"]`) and prefix the condition operator with the `ForAllValues` or `ForAnyValue` set operator, for example `ForAllValues:StringEquals`. These qualifiers add set-operation functionality to the condition operator so that you can test multiple request values against multiple condition values. Note that `ForAllValues` also evaluates to true when the key is absent from the request or has no values, so in an `Allow` statement pair it with a `Null` condition on the same key unless an empty set is intended.

**Related terms**
+ [Multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys)
+ [Condition element](reference_policies_elements_condition.md)

### AWS managed policies with this error
<a name="accan-ref-policy-check-message-fix-error-missing-qualifier-awsmanpol"></a>

[AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) enable you to get started with AWS by assigning permissions based on general AWS use cases.

The following AWS managed policies include a missing qualifier for condition keys in their policy statements. When using the AWS managed policy as a reference to create your customer managed policy, AWS recommends that you add the `ForAllValues` or `ForAnyValue` condition key qualifiers to your `Condition` element.
+ [AWSGlueConsoleSageMakerNotebookFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSGlueConsoleSageMakerNotebookFullAccess)
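
The following Python is an added example, not code from this guide or from AWS. It implements the documented semantics of the two set operators for `StringEquals` and of the `Null` operator, raises the equivalent of the `MISSING_QUALIFIER` finding when a multivalued key is used without a qualifier, and shows the caveat that matters for `Allow` statements: `ForAllValues` is true when the key is absent or empty, so an `Allow` guarded only by `ForAllValues:StringEquals` on `aws:TagKeys` also allows a request that carries no tags at all. The request contexts are constructed, and `MULTIVALUED_KEYS` is a hand-picked subset, not the full list of multivalued keys.

```python
"""Set-operator semantics for multivalued condition keys.

Added example, not AWS code. Covers StringEquals with and without the
ForAllValues/ForAnyValue qualifiers and the Null operator; other operators
raise NotImplementedError. Request contexts below are constructed.
"""
from typing import Any, Optional

# Hand-picked subset of context keys that arrive as a set of values.
MULTIVALUED_KEYS = {"aws:TagKeys", "aws:PrincipalOrgPaths"}


def _request_values(request: Any) -> list:
    """Normalise a context entry to a list: absent -> [], scalar -> [scalar]."""
    if request is None:
        return []
    return list(request) if isinstance(request, (list, tuple, set)) else [request]


def evaluate_condition(condition: dict[str, dict[str, Any]], context: dict[str, Any]) -> bool:
    """True if every operator block in `condition` matches `context`.

    `context` maps a key to a string (single-valued) or a list of strings
    (multivalued). Raises ValueError for a multivalued key used with a
    single-valued operator, mirroring Access Analyzer's MISSING_QUALIFIER.
    """
    for operator, pairs in condition.items():
        # "ForAllValues:StringEquals" -> ("ForAllValues", ":", "StringEquals")
        qualifier, _, base = operator.rpartition(":")
        for key, policy_values in pairs.items():
            policy_values = [policy_values] if isinstance(policy_values, str) else list(policy_values)
            request = context.get(key)
            values = _request_values(request)
            if base == "Null":
                # "true" matches when the key is absent, "false" when it is present.
                want_absent = str(policy_values[0]).lower() == "true"
                if bool(values) == want_absent:
                    return False
                continue
            if base != "StringEquals":
                raise NotImplementedError(f"operator {base} not modelled here")
            if qualifier == "ForAllValues":
                # Every request value must be listed; vacuously true for an empty set.
                matched = all(v in policy_values for v in values)
            elif qualifier == "ForAnyValue":
                # At least one request value must be listed; false for an empty set.
                matched = any(v in policy_values for v in values)
            elif key in MULTIVALUED_KEYS or isinstance(request, (list, tuple, set)):
                raise ValueError(f"MISSING_QUALIFIER: {key} has multiple values; "
                                 "use ForAllValues or ForAnyValue")
            else:
                matched = request is not None and request in policy_values
            if not matched:
                return False
    return True


# Allow-statement condition as it is often written: "only these tag keys".
TAG_KEYS_ONLY = {"ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "CostCenter"]}}

# Same intent, hardened: the request must also carry at least one tag key.
TAG_KEYS_ONLY_HARDENED = {
    "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "CostCenter"]},
    "Null": {"aws:TagKeys": "false"},
}


def tag_request_allowed(condition: dict[str, dict[str, Any]], tag_keys: Optional[list]) -> bool:
    """Evaluate `condition` for a request carrying `tag_keys` (None = no aws:TagKeys at all)."""
    context = {} if tag_keys is None else {"aws:TagKeys": tag_keys}
    return evaluate_condition(condition, context)
```

Run `tag_request_allowed(TAG_KEYS_ONLY, [])` against `tag_request_allowed(TAG_KEYS_ONLY_HARDENED, [])` to see the difference the `Null` check makes; the first passes an untagged request, the second rejects it.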

## Error – Missing resource
<a name="access-analyzer-reference-policy-checks-error-missing-resource"></a>

**Issue code: **MISSING_RESOURCE

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing resource: Add a Resource or NotResource element to the policy statement.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add a Resource or NotResource element to the policy statement."
```

**Resolving the error**

All policies except role trust policies must include a `Resource` or `NotResource` element.

**Related terms**
+ [Resource element](reference_policies_elements_resource.md)
+ [NotResource element](reference_policies_elements_notresource.md)
+ [Identity-based policies and resource-based policies](access_policies_identity-vs-resource.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Error – Missing statement
<a name="access-analyzer-reference-policy-checks-error-missing-statement"></a>

**Issue code: **MISSING_STATEMENT

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing statement: Add a statement to the policy
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add a statement to the policy"
```

**Resolving the error**

A JSON policy must include a statement.

**Related terms**
+ [JSON policy elements](reference_policies_elements.md)

## Error – Null with if exists
<a name="access-analyzer-reference-policy-checks-error-null-with-if-exists"></a>

**Issue code: **NULL_WITH_IF_EXISTS

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Null with if exists: The Null condition operator cannot be used with the IfExists suffix. Update the operator or the suffix.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The Null condition operator cannot be used with the IfExists suffix. Update the operator or the suffix."
```

**Resolving the error**

You can add `IfExists` to the end of any condition operator name except the `Null` condition operator. Use a `Null` condition operator to check whether a condition key is present at the time of authorization. Use `...IfExists` to say "If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the condition element as true." Combining the two is contradictory, because `Null` already states what should happen when the key is absent; decide which behaviour you want and use that operator alone.

**Related terms**
+ [...IfExists condition operators](reference_policies_elements_condition_operators.md#Conditions_IfExists)
+ [Null condition operator](reference_policies_elements_condition_operators.md#Conditions_Null)
+ [Condition element](reference_policies_elements_condition.md)

## Error – SCP syntax error action wildcard
<a name="access-analyzer-reference-policy-checks-error-scp-syntax-error-action-wildcard"></a>

**Issue code: **SCP_SYNTAX_ERROR_ACTION_WILDCARD

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
SCP syntax error action wildcard: SCP actions can include wildcards (*) only at the end of a string. Update {{action}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "SCP actions can include wildcards (*) only at the end of a string. Update {{action}}."
```

**Resolving the error**

AWS Organizations service control policies (SCPs) support specifying values in the `Action` or `NotAction` elements. However, these values can include wildcards (*) only at the end of the string. This means that you can specify `iam:Get*` but not `iam:*role`.

To specify multiple actions, AWS recommends that you list them individually.

**Related terms**
+ [SCP Action and NotAction elements](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-syntax-action)
+ [SCP evaluation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html)
+ [AWS Organizations service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)
+ [IAM JSON policy elements: Action](reference_policies_elements_action.md)

## Error – SCP syntax error principal
<a name="access-analyzer-reference-policy-checks-error-scp-syntax-error-principal"></a>

**Issue code: **SCP_SYNTAX_ERROR_PRINCIPAL

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
SCP syntax error principal: SCPs do not support specifying principals. Remove the Principal or NotPrincipal element.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "SCPs do not support specifying principals. Remove the Principal or NotPrincipal element."
```

**Resolving the error**

AWS Organizations service control policies (SCPs) do not support the `Principal` or `NotPrincipal` elements; an SCP applies to every principal in the accounts it is attached to.

To scope an SCP statement to specific principals, compare their Amazon Resource Names (ARNs) in the `Condition` element using the `aws:PrincipalArn` global condition key. For example, `ArnNotLike` on `aws:PrincipalArn` exempts an administrative role from a `Deny` statement.

**Related terms**
+ [SCP syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html)
+ [Global condition keys for principals](reference_policies_condition-keys.md#condition-keys-principalarn)

## Error – Unique Sids required
<a name="access-analyzer-reference-policy-checks-error-unique-sids-required"></a>

**Issue code: **UNIQUE_SIDS_REQUIRED

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unique Sids required: Duplicate statement IDs are not supported for this policy type. Update the Sid value.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Duplicate statement IDs are not supported for this policy type. Update the Sid value."
```

**Resolving the error**

For some policy types, statement IDs must be unique. The `Sid` (statement ID) element is an optional identifier that you provide for a policy statement; you can assign one to each statement in a statement array. In services that let you specify an ID element for the policy document, such as Amazon SQS and Amazon SNS, the `Sid` value is a sub-ID of the policy document's ID. In IAM, the `Sid` value must be unique within a JSON policy.

**Related terms**
+ [IAM JSON policy elements: Sid](reference_policies_elements_sid.md)

## Error – Unsupported action in policy
<a name="access-analyzer-reference-policy-checks-error-unsupported-action-in-policy"></a>

**Issue code: **UNSUPPORTED_ACTION_IN_POLICY

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported action in policy: The action {{action}} is not supported for the resource-based policy attached to the resource type {{resourceType}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The action {{action}} is not supported for the resource-based policy attached to the resource type {{resourceType}}."
```

**Resolving the error**

Some actions aren't supported in the `Action` element of a resource-based policy that is attached to a different resource type. For example, AWS Key Management Service actions aren't supported in Amazon S3 bucket policies. Specify only actions that belong to the resource type your resource-based policy is attached to.

**Related terms**
+ [JSON policy elements: Action](reference_policies_elements_action.md)

## Error – Unsupported element combination
<a name="access-analyzer-reference-policy-checks-error-unsupported-element-combination"></a>

**Issue code: **UNSUPPORTED_ELEMENT_COMBINATION

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported element combination: The policy elements {{element1}} and {{element2}} can not be used in the same statement. Remove one of these elements.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The policy elements {{element1}} and {{element2}} can not be used in the same statement. Remove one of these elements."
```

**Resolving the error**

Some combinations of JSON policy elements can't be used together. For example, you cannot use both `Action` and `NotAction` in the same policy statement. Other pairs that are mutually exclusive include `Principal/NotPrincipal` and `Resource/NotResource`.

**Related terms**
+ [IAM JSON policy elements reference](reference_policies_elements.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Error – Unsupported global condition key
<a name="access-analyzer-reference-policy-checks-error-unsupported-global-condition-key"></a>

**Issue code: **UNSUPPORTED_GLOBAL_CONDITION_KEY

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported global condition key: The condition key aws:ARN is not supported. Use aws:PrincipalArn or aws:SourceArn instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition key aws:ARN is not supported. Use aws:PrincipalArn or aws:SourceArn instead."
```

**Resolving the error**

AWS does not support using the specified global condition key. Depending on your use case, you can use the `aws:PrincipalArn` or `aws:SourceArn` global condition keys. For example, instead of `aws:ARN`, use the `aws:PrincipalArn` to compare the Amazon Resource Name (ARN) of the principal that made the request with the ARN that you specify in the policy. Alternatively, use the `aws:SourceArn` global condition key to compare the Amazon Resource Name (ARN) of the resource making a service-to-service request with the ARN that you specify in the policy.

**Related terms**
+ [AWS global condition context keys](reference_policies_condition-keys.md)

## Error – Unsupported principal
<a name="access-analyzer-reference-policy-checks-error-unsupported-principal"></a>

**Issue code: **UNSUPPORTED_PRINCIPAL

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported principal: The policy type {{policy_type}} does not support the Principal element. Remove the Principal element.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The policy type {{policy_type}} does not support the Principal element. Remove the Principal element."
```

**Resolving the error**

The `Principal` element specifies the principal that is allowed or denied access to a resource. You cannot use the `Principal` element in an IAM identity-based policy. You can use it in the trust policies for IAM roles and in resource-based policies. Resource-based policies are policies that you embed directly in a resource. For example, you can embed policies in an Amazon S3 bucket or an AWS KMS key.

**Related terms**
+ [AWS JSON policy elements: Principal](reference_policies_elements_principal.md)
+ [Cross account resource access in IAM](access_policies-cross-account-resource-access.md)

## Error – Unsupported resource ARN in policy
<a name="access-analyzer-reference-policy-checks-error-unsupported-resource-arn-in-policy"></a>

**Issue code: **UNSUPPORTED_RESOURCE_ARN_IN_POLICY

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported resource ARN in policy: The resource ARN is not supported for the resource-based policy attached to the resource type {{resourceType}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The resource ARN is not supported for the resource-based policy attached to the resource type {{resourceType}}."
```

**Resolving the error**

Some resource ARNs aren't supported in the `Resource` element of a resource-based policy when the policy is attached to a different resource type. For example, AWS KMS key ARNs aren't supported in the `Resource` element of an Amazon S3 bucket policy; a bucket policy can name only the bucket it is attached to and the objects in that bucket. Specify a resource ARN that belongs to the resource type the policy is attached to.

**Related terms**
+ [JSON policy elements: Resource](reference_policies_elements_resource.md)

## Error – Unsupported Sid
<a name="access-analyzer-reference-policy-checks-error-unsupported-sid"></a>

**Issue code: **UNSUPPORTED_SID

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported Sid: Update the characters in the Sid element to use one of the following character types: [a-z, A-Z, 0-9]
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Update the characters in the Sid element to use one of the following character types: [a-z, A-Z, 0-9]"
```

**Resolving the error**

The `Sid` element supports uppercase letters, lowercase letters, and numbers.

**Related terms**
+ [IAM JSON policy elements: Sid](reference_policies_elements_sid.md)

## Error – Unsupported wildcard in principal
<a name="access-analyzer-reference-policy-checks-error-unsupported-wildcard-in-principal"></a>

**Issue code: **UNSUPPORTED_WILDCARD_IN_PRINCIPAL

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported wildcard in principal: Wildcards (*, ?) are not supported with the principal key {{principal_key}}. Replace the wildcard with a valid principal value.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Wildcards (*, ?) are not supported with the principal key {{principal_key}}. Replace the wildcard with a valid principal value."
```

**Resolving the error**

The `Principal` element structure supports using a key-value pair. The principal value specified in the policy includes a wildcard (`*` or `?`). You can't include a wildcard with the principal key that you specified. For example, when you specify users in a `Principal` element, you cannot use a wildcard to mean "all users". You must name a specific user or users. Similarly, when you specify an assumed-role session, you cannot use a wildcard to mean "all sessions". You must name a specific session. You also cannot use a wildcard to match part of a name or an ARN.

To resolve this finding, remove the wildcard and provide a more specific principal.

**Related terms**
+ [AWS JSON policy elements: Principal](reference_policies_elements_principal.md)

## Error – Missing brace in variable
<a name="access-analyzer-reference-policy-checks-error-missing-brace-in-variable"></a>

**Issue code: **MISSING_BRACE_IN_VARIABLE

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing brace in variable: The policy variable is missing a closing curly brace. Add } after the variable text.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The policy variable is missing a closing curly brace. Add } after the variable text."
```

**Resolving the error**

Policy variable structure supports using a `$` prefix followed by a pair of curly braces (`{ }`). Inside the `${ }` characters, include the name of the value from the request that you want to use in the policy.

To resolve this finding, add the missing brace to make sure the full opening and closing set of braces is present.

**Related terms**
+ [IAM policy elements: Variables](reference_policies_variables.md)

## Error – Missing quote in variable
<a name="access-analyzer-reference-policy-checks-error-missing-quote-in-variable"></a>

**Issue code: **MISSING_QUOTE_IN_VARIABLE

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing quote in variable: The policy variable default value must begin and end with a single quote. Add the missing quote.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The policy variable default value must begin and end with a single quote. Add the missing quote."
```

**Resolving the error**

When you add a variable to your policy, you can specify a default value for the variable. If a variable is not present, AWS uses the default text that you provide.

To add a default value to a variable, surround the default value with single quotes (`' '`), and separate the variable text and the default value with a comma and space (`, `).

For example, if a principal is tagged with `team=yellow`, the following `Resource` value resolves to the Amazon S3 bucket `amzn-s3-demo-bucket-yellow`, so team members can access their own team's bucket but not those of other teams. For principals without a `team` tag, the default value `company-wide` applies, and they can access only the `amzn-s3-demo-bucket-company-wide` bucket, where they can view broad information such as instructions for joining a team.

```
"Resource":"arn:aws:s3:::amzn-s3-demo-bucket-${aws:PrincipalTag/team, 'company-wide'}"
```

**Related terms**
+ [IAM policy elements: Variables](reference_policies_variables.md)

## Error – Unsupported space in variable
<a name="access-analyzer-reference-policy-checks-error-unsupported-space-in-variable"></a>

**Issue code: **UNSUPPORTED_SPACE_IN_VARIABLE

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported space in variable: A space is not supported within the policy variable text. Remove the space.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "A space is not supported within the policy variable text. Remove the space."
```

**Resolving the error**

Policy variable structure supports using a `$` prefix followed by a pair of curly braces (`{ }`). Inside the `${ }` characters, include the name of the value from the request that you want to use in the policy. Although a space is allowed after the comma that separates the variable name from its default value, you cannot include a space in the variable name itself.

**Related terms**
+ [IAM policy elements: Variables](reference_policies_variables.md)

## Error – Empty variable
<a name="access-analyzer-reference-policy-checks-error-empty-variable"></a>

**Issue code: **EMPTY_VARIABLE

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty variable: Empty policy variable. Remove the ${ } variable structure or provide a variable within the structure.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Empty policy variable. Remove the ${ } variable structure or provide a variable within the structure."
```

**Resolving the error**

Policy variable structure supports using a `$` prefix followed by a pair of curly braces (`{ }`). Inside the `${ }` characters, include the name of the value from the request that you want to use in the policy.

**Related terms**
+ [IAM policy elements: Variables](reference_policies_variables.md)

## Error – Variable unsupported in element
<a name="access-analyzer-reference-policy-checks-error-variable-unsupported-in-element"></a>

**Issue code: **VARIABLE_UNSUPPORTED_IN_ELEMENT

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Variable unsupported in element: Policy variables are supported in the Resource and Condition elements. Remove the policy variable {{variable}} from this element.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Policy variables are supported in the Resource and Condition elements. Remove the policy variable {{variable}} from this element."
```

**Resolving the error**

You can use policy variables in the `Resource` element and in string comparisons in the `Condition` element.

**Related terms**
+ [IAM policy elements: Variables](reference_policies_variables.md)

## Error – Variable unsupported in version
<a name="access-analyzer-reference-policy-checks-error-variable-unsupported-in-version"></a>

**Issue code: **VARIABLE_UNSUPPORTED_IN_VERSION

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Variable unsupported in version: To include variables in your policy, use the policy version 2012-10-17 or later.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "To include variables in your policy, use the policy version 2012-10-17 or later."
```

**Resolving the error**

To use policy variables, you must include the `Version` element and set it to a version that supports policy variables. Variables were introduced in version `2012-10-17`. Earlier versions of the policy language don't support policy variables. If you don't set the `Version` to `2012-10-17` or later, variables like `${aws:username}` are treated as literal strings in the policy.

A `Version` policy element is different from a policy version. The `Version` element is used within a policy document and defines the version of the policy language. A policy version is created when you change a customer managed policy in IAM: the changed policy doesn't overwrite the existing policy; instead, IAM creates a new version of the managed policy.

**Related terms**
+ [IAM policy elements: Variables](reference_policies_variables.md)
+ [IAM JSON policy elements: Version](reference_policies_elements_version.md)
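The six variable-related errors above are all syntax that can be caught before a policy reaches IAM Access Analyzer. The following Python is an added example, not code from the IAM documentation or from Access Analyzer itself: it walks a parsed policy document and reports the same issue codes locally. The function names, the tuple it returns, the decision to treat the whole `Condition` element as variable-capable (a simplification, since IAM only evaluates variables in string comparisons there), and the sample policy are this example's own assumptions.

```python
"""Added example: local pre-check for IAM policy variable syntax.

Reports MISSING_BRACE_IN_VARIABLE, MISSING_QUOTE_IN_VARIABLE,
UNSUPPORTED_SPACE_IN_VARIABLE, EMPTY_VARIABLE, VARIABLE_UNSUPPORTED_IN_ELEMENT
and VARIABLE_UNSUPPORTED_IN_VERSION for a policy document parsed from JSON.
Function names, return shape and sample policy are this example's own.
"""
import re

# Elements in which IAM evaluates ${...} variables. Treating Condition as a
# whole is a simplification: IAM only evaluates variables in string comparisons.
VARIABLE_ELEMENTS = {"Resource", "NotResource", "Condition"}
# The only policy-language version that supports variables.
VARIABLE_VERSION = "2012-10-17"
VARIABLE_RE = re.compile(r"\$\{([^}]*)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _walk_strings(node, path=()):
    """Yield (path, string) for every string inside a nested JSON structure."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, path + (key,))
    elif isinstance(node, list):
        for value in node:
            yield from _walk_strings(value, path)


def check_policy_variables(policy):
    """Return a list of (issue_code, statement_index, element, text) tuples."""
    findings = []
    saw_variable = False
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        for path, text in _walk_strings(stmt):
            element = path[0] if path else ""
            # A "${" that is never closed is invisible to VARIABLE_RE.
            for match in re.finditer(r"\$\{", text):
                if "}" not in text[match.end():]:
                    findings.append(("MISSING_BRACE_IN_VARIABLE", idx, element, text))
            for match in VARIABLE_RE.finditer(text):
                saw_variable = True
                body = match.group(1)
                if not body.strip():
                    findings.append(("EMPTY_VARIABLE", idx, element, text))
                    continue
                name, has_default, default = body.partition(",")
                if " " in name:
                    findings.append(("UNSUPPORTED_SPACE_IN_VARIABLE", idx, element, text))
                # A default value must be wrapped in single quotes; a space after
                # the comma is allowed, which is why the default is stripped first.
                if has_default and not re.fullmatch(r"'[^']*'", default.strip()):
                    findings.append(("MISSING_QUOTE_IN_VARIABLE", idx, element, text))
                if element not in VARIABLE_ELEMENTS:
                    findings.append(("VARIABLE_UNSUPPORTED_IN_ELEMENT", idx, element, text))
    if saw_variable and policy.get("Version") != VARIABLE_VERSION:
        findings.append(("VARIABLE_UNSUPPORTED_IN_VERSION", None, "Version",
                         policy.get("Version")))
    return findings


# Constructed sample: one correct variable plus one statement per error.
VARIABLE_SAMPLE_POLICY = {
    "Version": "2008-10-17",  # pre-variable version: triggers the version finding
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",   # 0: correct, with a default
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket-${aws:PrincipalTag/team, 'company-wide'}"},
        {"Effect": "Allow", "Action": "s3:GetObject",    # 1: closing brace missing
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/${aws:username/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",   # 2: default value not quoted
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket-${aws:PrincipalTag/team, company-wide}"},
        {"Effect": "Allow", "Action": "s3:GetObject",    # 3: space in the variable name
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/${aws: username}/*"},
        {"Effect": "Allow", "Action": "s3:GetObject",    # 4: empty variable
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/${}/*"},
        {"Effect": "Allow", "Action": "s3:${aws:username}",  # 5: variable in Action
         "Resource": "*"},
    ],
}


def fixed_variable_policy():
    """The sample with every finding resolved: version bumped, syntax repaired."""
    return {
        "Version": VARIABLE_VERSION,
        "Statement": [
            VARIABLE_SAMPLE_POLICY["Statement"][0],
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/${aws:username}/*"},
        ],
    }


if __name__ == "__main__":
    for finding in check_policy_variables(VARIABLE_SAMPLE_POLICY):
        print(finding)
    print("fixed policy findings:", check_policy_variables(fixed_variable_policy()))
```

The version check is deliberately last and reported once per policy: with `Version` at `2008-10-17` every `${...}` in the document is a literal string, so a policy that looks scoped to `${aws:username}` actually grants access to an object key literally named `${aws:username}`, which is why that finding matters more than its message suggests.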

## Error – Private IP address
<a name="access-analyzer-reference-policy-checks-error-private-ip-address"></a>

**Issue code: **PRIVATE_IP_ADDRESS

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Private IP address: aws:SourceIp works only for public IP address ranges. The values for condition key aws:SourceIp include only private IP addresses and will not have the desired effect. Update the value to include only public IP addresses.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "aws:SourceIp works only for public IP address ranges. The values for condition key aws:SourceIp include only private IP addresses and will not have the desired effect. Update the value to include only public IP addresses."
```

**Resolving the error**

The global condition key `aws:SourceIp` works only for public IP address ranges. You receive this error when every value you specify for `aws:SourceIp` is a private IP address, so the condition can never match: an `Allow` statement with this condition grants nothing, and a `Deny` statement with it denies nothing. Update the values to the public IP address ranges that your requests actually originate from. Requests that reach AWS through a VPC endpoint don't carry a public source IP for `aws:SourceIp` to match; use `aws:VpcSourceIp` for those.

**Related terms**
+ [aws:SourceIp global condition key](reference_policies_condition-keys.md#condition-keys-sourceip)
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)

## Error – Private NotIpAddress
<a name="access-analyzer-reference-policy-checks-error-private-not-ip-address"></a>

**Issue code: **PRIVATE_NOT_IP_ADDRESS

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Private NotIpAddress: The values for condition key aws:SourceIp include only private IP addresses and has no effect. aws:SourceIp works only for public IP address ranges. Update the value to include only public IP addresses.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The values for condition key aws:SourceIp include only private IP addresses and has no effect. aws:SourceIp works only for public IP address ranges. Update the value to include only public IP addresses."
```

**Resolving the error**

The global condition key `aws:SourceIp` works only for public IP address ranges. You receive this error when you use the `NotIpAddress` condition operator and list only private IP addresses. Because no request evaluated against `aws:SourceIp` arrives from those addresses, the condition always matches and has no restricting effect: in an `Allow` statement it allows every source, and in a `Deny` statement it denies every source, including the addresses you meant to exempt. Replace the private addresses with the public ranges you want to exclude.

**Related terms**
+ [aws:SourceIp global condition key](reference_policies_condition-keys.md#condition-keys-sourceip)
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)

## Error – Policy size exceeds SCP quota
<a name="access-analyzer-reference-policy-checks-error-policy-size-exceeds-scp-quota"></a>

**Issue code: **POLICY_SIZE_EXCEEDS_SCP_QUOTA

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Policy size exceeds SCP quota: The {{policySize}} characters in the service control policy (SCP) exceed the {{policySizeQuota}} character maximum for SCPs. We recommend that you use multiple granular policies.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The {{policySize}} characters in the service control policy (SCP) exceed the {{policySizeQuota}} character maximum for SCPs. We recommend that you use multiple granular policies."
```

**Resolving the error**

AWS Organizations limits the size of a service control policy (SCP) document; the current quota is listed on the Organizations quotas page. Reduce the size of the policy, or split it into multiple smaller SCPs that each cover one purpose and attach them to the same root, organizational unit, or account, subject to the attachment quotas on the same page.

Within an SCP, the `Action` and `NotAction` elements support wildcards (`*`) only at the end of the string. This means that you can specify `iam:Get*` but not `iam:*role`, so you can collapse actions that share a prefix but must list the remaining actions individually.

**Related terms**
+ [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html)
+ [AWS Organizations service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)

## Error – Invalid service principal format
<a name="access-analyzer-reference-policy-checks-error-invalid-service-principal-format"></a>

**Issue code: **INVALID_SERVICE_PRINCIPAL_FORMAT

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid service principal format: The service principal does not match the expected format. Use the format {{expectedFormat}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The service principal does not match the expected format. Use the format {{expectedFormat}}."
```

**Resolving the error**

The value in the condition key-value pair must match a defined service principal format.

A *service principal* is an identifier that is used to grant permissions to a service. You can specify a service principal in the `Principal` element or as a value for some global condition keys and service-specific keys. The service principal is defined by each service.

The identifier for a service principal includes the service name, and is usually in the following format in all lowercase letters:

`service-name.amazonaws.com`

Some service-specific keys may use a different format for service principals. For example, the `kms:ViaService` condition key requires the following format for service principals in all lowercase letters:

`service-name.AWS_region.amazonaws.com`

**Related terms**
+ [Service principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services)
+ [AWS global condition keys](reference_policies_condition-keys.md)
+ [`kms:ViaService` condition key](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service)

## Error – Missing tag key in condition
<a name="access-analyzer-reference-policy-checks-error-missing-tag-key-in-condition"></a>

**Issue code: **MISSING_TAG_KEY_IN_CONDITION

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing tag key in condition: The condition key {{conditionKeyName}} must include a tag key to control access based on tags. Use the format {{conditionKeyName}}tag-key and specify a key name for tag-key.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition key {{conditionKeyName}} must include a tag key to control access based on tags. Use the format {{conditionKeyName}}tag-key and specify a key name for tag-key."
```

**Resolving the error**

To control access based on tags, you provide tag information in the [condition element](reference_policies_elements_condition.md) of a policy.

For example, to [control access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources), you include the `aws:ResourceTag` condition key. This key requires the format `aws:ResourceTag/tag-key`. To specify the tag key `owner` and the tag value `JaneDoe` in a condition, use the following format.

```
"Condition": {
    "StringEquals": {"aws:ResourceTag/owner": "JaneDoe"}
}
```

**Related terms**
+ [Controlling access using tags](access_iam-tags.md)
+ [Conditions](reference_policies_elements_condition.md)
+ [Global condition keys](reference_policies_condition-keys.md)
+ [AWS service condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid vpc format
<a name="access-analyzer-reference-policy-checks-error-invalid-vpc-format"></a>

**Issue code: **INVALID_VPC_FORMAT

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid vpc format: The VPC identifier in the condition key value is not valid. Use the prefix 'vpc-' followed by 8 or 17 alphanumeric characters.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The VPC identifier in the condition key value is not valid. Use the prefix 'vpc-' followed by 8 or 17 alphanumeric characters."
```

**Resolving the error**

The `aws:SourceVpc` condition key must use the prefix `vpc-` followed by either 8 or 17 alphanumeric characters, for example, `vpc-11223344556677889` or `vpc-12345678`.

**Related terms**
+ [AWS global condition keys: aws:SourceVpc](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc)

## Error – Invalid vpce format
<a name="access-analyzer-reference-policy-checks-error-invalid-vpce-format"></a>

**Issue code: **INVALID_VPCE_FORMAT

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid vpce format: The VPCE identifier in the condition key value is not valid.  Use the prefix 'vpce-' followed by 8 or 17 alphanumeric characters.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The VPCE identifier in the condition key value is not valid.  Use the prefix 'vpce-' followed by 8 or 17 alphanumeric characters."
```

**Resolving the error**

The `aws:SourceVpce` condition key must use the prefix `vpce-` followed by either 8 or 17 alphanumeric characters, for example, `vpce-11223344556677889` or `vpce-12345678`.

**Related terms**
+ [AWS global condition keys: aws:SourceVpce](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpce)

## Error – Federated principal not supported
<a name="access-analyzer-reference-policy-checks-error-federated-principal-not-supported"></a>

**Issue code: **FEDERATED_PRINCIPAL_NOT_SUPPORTED

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Federated principal not supported: The policy type does not support a federated identity provider in the principal element. Use a supported principal.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The policy type does not support a federated identity provider in the principal element. Use a supported principal."
```

**Resolving the error**

The `Principal` element uses federated principals for trust policies attached to IAM roles to provide access through identity federation. Identity policies and other resource-based policies don't support a federated identity provider in the `Principal` element. For example, you can't use a SAML principal in an Amazon S3 bucket policy. Change the `Principal` element to a supported principal type.

**Related terms**
+ [Creating a role for identity federation](id_roles_create_for-idp.md)
+ [JSON policy elements: Principal](reference_policies_elements_principal.md)

## Error – Unsupported action for condition key
<a name="access-analyzer-reference-policy-checks-error-unsupported-action-for-condition-key"></a>

**Issue code: **UNSUPPORTED_ACTION_FOR_CONDITION_KEY

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported action for condition key: The following actions: {{actions}} are not supported by the condition key {{key}}. The condition will not be evaluated for these actions. We recommend that you move these actions to a different statement without this condition key.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The following actions: {{actions}} are not supported by the condition key {{key}}. The condition will not be evaluated for these actions. We recommend that you move these actions to a different statement without this condition key."
```

**Resolving the error**

Make sure that the condition key in the `Condition` element of the policy statement applies to every action in the `Action` element. To ensure that the actions you specify are effectively allowed or denied by your policy, you should move the unsupported actions to a different statement without the condition key.

**Note**  
If the `Action` element has actions with wildcards, IAM Access Analyzer doesn't evaluate those actions for this error.

**Related terms**
+ [JSON policy elements: Action](reference_policies_elements_action.md)

## Error – Unsupported action in policy
<a name="access-analyzer-reference-policy-checks-error-unsupported-action-in-policy"></a>

**Issue code: **UNSUPPORTED_ACTION_IN_POLICY

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported action in policy: The action {{action}} is not supported for the resource-based policy attached to the resource type {{resourceType}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The action {{action}} is not supported for the resource-based policy attached to the resource type {{resourceType}}."
```

**Resolving the error**

Some actions aren't supported in the `Action` element of a resource-based policy attached to a different resource type. For example, AWS Key Management Service actions aren't supported in Amazon S3 bucket policies. Specify only actions that the resource type your policy is attached to supports.

**Related terms**
+ [JSON policy elements: Action](reference_policies_elements_action.md)

## Error – Unsupported condition key for service principal
<a name="access-analyzer-reference-policy-checks-error-unsupported-condition-key-for-service-principal"></a>

**Issue code: **UNSUPPORTED_CONDITION_KEY_FOR_SERVICE_PRINCIPAL

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unsupported condition key for service principal: The following condition keys are not supported when used with the service principal: {{conditionKeys}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The following condition keys are not supported when used with the service principal: {{conditionKeys}}."
```

**Resolving the error**

You can specify AWS services in the `Principal` element of a resource-based policy using a *service principal*, which is an identifier for the service. You can't use some condition keys with certain service principals. For example, you can't use the `aws:PrincipalOrgID` condition key with the service principal `cloudfront.amazonaws.com`. You should remove condition keys that do not apply to the service principal in the `Principal` element.

**Related terms**
+ [Service principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services)
+ [JSON policy elements: Principal](reference_policies_elements_principal.md)

## Error – Role trust policy syntax error notprincipal
<a name="access-analyzer-reference-policy-checks-error-role-trust-policy-syntax-error-notprincipal"></a>

**Issue code: **ROLE_TRUST_POLICY_SYNTAX_ERROR_NOTPRINCIPAL

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Role trust policy syntax error notprincipal: Role trust policies do not support NotPrincipal. Update the policy to use a Principal element instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Role trust policies do not support NotPrincipal. Update the policy to use a Principal element instead."
```

**Resolving the error**

A role trust policy is a resource-based policy that is attached to an IAM role. Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. Role trust policies do not support `NotPrincipal`. Update the policy to use a `Principal` element instead.

**Related terms**
+ [JSON policy elements: Principal](reference_policies_elements_principal.md)
+ [JSON policy elements: NotPrincipal](reference_policies_elements_notprincipal.md)

## Error – Role trust policy unsupported wildcard in principal
<a name="access-analyzer-reference-policy-checks-error-role-trust-policy-unsupported-wildcard-in-principal"></a>

**Issue code: **ROLE_TRUST_POLICY_UNSUPPORTED_WILDCARD_IN_PRINCIPAL

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Role trust policy unsupported wildcard in principal: "Principal:" "*" is not supported in the principal element of a role trust policy. Replace the wildcard with a valid principal value.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": ""Principal:" "*" is not supported in the principal element of a role trust policy. Replace the wildcard with a valid principal value."
```

**Resolving the error**

A role trust policy is a resource-based policy that is attached to an IAM role. Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. `"Principal": "*"`, and its equivalent form `"Principal": {"AWS": "*"}`, is not supported in the `Principal` element of a role trust policy; it would express "any principal in any account". Replace the wildcard with a specific account, role, user, or service principal, and narrow who can assume the role further with conditions where appropriate.

**Related terms**
+ [JSON policy elements: Principal](reference_policies_elements_principal.md)

## Error – Role trust policy syntax error resource
<a name="access-analyzer-reference-policy-checks-error-role-trust-policy-syntax-error-resource"></a>

**Issue code: **ROLE_TRUST_POLICY_SYNTAX_ERROR_RESOURCE

**Finding type: **ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Role trust policy syntax error resource: Role trust policies apply to the role that they are attached to. You cannot specify a resource. Remove the Resource or NotResource element.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Role trust policies apply to the role that they are attached to. You cannot specify a resource. Remove the Resource or NotResource element."
```

**Resolving the error**

A role trust policy is a resource-based policy that is attached to an IAM role. Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. Role trust policies apply to the role that they are attached to. You cannot specify a `Resource` or `NotResource` element in a role trust policy. Remove the `Resource` or `NotResource` element.

**Related terms**
+ [JSON policy elements: Resource](reference_policies_elements_resource.md)
+ [JSON policy elements: NotResource](reference_policies_elements_notresource.md)

## Error – Type mismatch IP range
<a name="access-analyzer-reference-policy-checks-error-type-mismatch-ip-range"></a>

**Issue code:** TYPE_MISMATCH_IP_RANGE

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Type mismatch IP range: The condition operator {{operator}} is used with an invalid IP range value. Specify the IP range in standard CIDR format.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition operator {{operator}} is used with an invalid IP range value. Specify the IP range in standard CIDR format."
```

**Resolving the error**

Update the text to use the IP address condition operator data type, in a CIDR format.

**Related terms**
+ [IP address condition operators](reference_policies_elements_condition_operators.md#Conditions_IPAddress)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)

## Error – Missing action for condition key
<a name="access-analyzer-reference-policy-checks-error-missing-action-for-condition-key"></a>

**Issue code:** MISSING_ACTION_FOR_CONDITION_KEY

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing action for condition key: The {{actionName}} action must be in the action block to allow setting values for the condition key {{keyName}}. Add {{actionName}} to the action block.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The {{actionName}} action must be in the action block to allow setting values for the condition key {{keyName}}. Add {{actionName}} to the action block."
```

**Resolving the error**

The condition key in the `Condition` element of the policy statement is not evaluated unless the specified action is in the `Action` element. To ensure that the condition keys you specify are effectively allowed or denied by your policy, add the action to the `Action` element.

**Related terms**
+ [JSON policy elements: Action](reference_policies_elements_action.md)

## Error – Invalid federated principal syntax in role trust policy
<a name="access-analyzer-reference-policy-checks-error-invalid-federated-principal-syntax-in-role-trust-policy"></a>

**Issue code:** INVALID_FEDERATED_PRINCIPAL_SYNTAX_IN_ROLE_TRUST_POLICY

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid federated principal syntax in role trust policy: The principal value specifies a federated principal that does not match the expected format. Update the federated principal to a domain name or a SAML metadata ARN.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The principal value specifies a federated principal that does not match the expected format. Update the federated principal to a domain name or a SAML metadata ARN."
```

**Resolving the error**

The principal value specifies a federated principal that does not match the expected format. Update the format of the federated principal to a valid domain name or a SAML metadata ARN.

**Related terms**
+ [Federated users and roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html#intro-access-roles)

## Error – Mismatched action for principal
<a name="access-analyzer-reference-policy-checks-error-mismatched-action-for-principal"></a>

**Issue code:** MISMATCHED_ACTION_FOR_PRINCIPAL

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Mismatched action for principal: The {{actionName}} action is invalid with the following principal(s): {{principalNames}}. Use a SAML provider principal with the sts:AssumeRoleWithSAML action or use an OIDC provider principal with the sts:AssumeRoleWithWebIdentity action. Ensure the provider is Federated if you use either of the two options.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The {{actionName}} action is invalid with the following principal(s): {{principalNames}}. Use a SAML provider principal with the sts:AssumeRoleWithSAML action or use an OIDC provider principal with the sts:AssumeRoleWithWebIdentity action. Ensure the provider is Federated if you use either of the two options."
```

**Resolving the error**

The action specified in the `Action` element of the policy statement is invalid with the principal specified in the `Principal` element. For example, you can't use a SAML provider principal with the `sts:AssumeRoleWithWebIdentity` action. You should use a SAML provider principal with the `sts:AssumeRoleWithSAML` action or use an OIDC provider principal with the `sts:AssumeRoleWithWebIdentity` action.

**Related terms**
+ [AssumeRoleWithSAML](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html)
+ [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html)

## Error – Missing action for roles anywhere trust policy
<a name="access-analyzer-reference-policy-checks-error-missing-action-for-roles-anywhere-trust-policy"></a>

**Issue code:** MISSING_ACTION_FOR_ROLES_ANYWHERE_TRUST_POLICY

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing action for roles anywhere trust policy: The rolesanywhere.amazonaws.com service principal requires the sts:AssumeRole, sts:SetSourceIdentity, and sts:TagSession permissions to assume a role. Add the missing permissions to the policy.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The rolesanywhere.amazonaws.com service principal requires the sts:AssumeRole, sts:SetSourceIdentity, and sts:TagSession permissions to assume a role. Add the missing permissions to the policy."
```

**Resolving the error**

For IAM Roles Anywhere to be able to assume a role and deliver temporary AWS credentials, the role must trust the IAM Roles Anywhere service principal. The IAM Roles Anywhere service principal requires the `sts:AssumeRole`, `sts:SetSourceIdentity`, and `sts:TagSession` permissions to assume a role. If any of the permissions are missing, you must add them to your policy.

**Related terms**
+ [Trust model in AWS Identity and Access Management Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html)
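The role trust policy checks described in the sections above (the unsupported wildcard principal, a `Resource` element in a trust policy, federated principal syntax, an assume action that does not match the provider type, and the IAM Roles Anywhere permissions), as a local pre-check you can run before submitting a policy. This is an added example, not IAM Access Analyzer's own code; the accepted shapes of a `Federated` value (including IAM OIDC provider ARNs) and the sample trust policies are this example's assumptions.

```python
import re

# Permissions the rolesanywhere.amazonaws.com service principal needs (from the page).
ROLES_ANYWHERE_ACTIONS = {"sts:AssumeRole", "sts:SetSourceIdentity", "sts:TagSession"}

# Accepted shapes for a Federated principal. The page names domain names and SAML
# provider ARNs; also accepting IAM OIDC provider ARNs is this example's assumption.
SAML_PROVIDER_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:saml-provider/[\w.+=,@-]+$")
OIDC_PROVIDER_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:oidc-provider/[\w./:-]+$")
DOMAIN_NAME = re.compile(r"^(?!-)[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# The assume action each federated provider type is paired with (from the page).
PROVIDER_ACTION = {"saml": "sts:AssumeRoleWithSAML", "oidc": "sts:AssumeRoleWithWebIdentity"}


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def federated_kind(principal):
    """Classify a Federated principal value; None means the syntax is not recognised."""
    if SAML_PROVIDER_ARN.match(principal):
        return "saml"
    if OIDC_PROVIDER_ARN.match(principal) or DOMAIN_NAME.match(principal):
        return "oidc"
    return None


def check_trust_policy(policy):
    """Return the issue codes (as named on this page) raised by a role trust policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if "Resource" in stmt or "NotResource" in stmt:
            findings.append("ROLE_TRUST_POLICY_SYNTAX_ERROR_RESOURCE")

        principal = stmt.get("Principal", {})
        actions = set(_as_list(stmt.get("Action")))

        # "Principal": "*" and "Principal": {"AWS": "*"} are both the unsupported wildcard.
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        ):
            findings.append("ROLE_TRUST_POLICY_UNSUPPORTED_WILDCARD_IN_PRINCIPAL")
        if not isinstance(principal, dict):
            continue

        for fed in _as_list(principal.get("Federated")):
            kind = federated_kind(fed)
            if kind is None:
                findings.append("INVALID_FEDERATED_PRINCIPAL_SYNTAX_IN_ROLE_TRUST_POLICY")
                continue
            # Any sts:AssumeRole* action other than the one paired with this provider type
            # is a mismatch, e.g. a SAML provider with sts:AssumeRoleWithWebIdentity.
            assume_actions = {a for a in actions if a.startswith("sts:AssumeRole")}
            if assume_actions - {PROVIDER_ACTION[kind]}:
                findings.append("MISMATCHED_ACTION_FOR_PRINCIPAL")

        if "rolesanywhere.amazonaws.com" in _as_list(principal.get("Service")):
            if not ROLES_ANYWHERE_ACTIONS <= actions:
                findings.append("MISSING_ACTION_FOR_ROLES_ANYWHERE_TRUST_POLICY")
    return findings


# Constructed sample trust policies; 123456789012 is the usual documentation account ID.
SAML_TRUST_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/corp-idp"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

BROKEN_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        # Wildcard principal plus a Resource element: two separate findings.
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/app"},
        # SAML provider paired with the OIDC assume action.
        {"Effect": "Allow",
         "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/corp-idp"},
         "Action": "sts:AssumeRoleWithWebIdentity"},
        # Federated value that is neither a domain name nor a provider ARN.
        {"Effect": "Allow", "Principal": {"Federated": "not a provider"},
         "Action": "sts:AssumeRoleWithWebIdentity"},
        # Roles Anywhere trust missing two of the three required permissions.
        {"Effect": "Allow", "Principal": {"Service": "rolesanywhere.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    print(check_trust_policy(SAML_TRUST_OK))
    for code in check_trust_policy(BROKEN_TRUST):
        print(code)
```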

## Error – Policy size exceeds RCP quota
<a name="access-analyzer-reference-policy-checks-error-policy-size-exceeds-rcp-quota"></a>

**Issue code:** POLICY_SIZE_EXCEEDS_RCP_QUOTA

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Policy size exceeds RCP quota: The {{policySize}} characters in the resource control policy (RCP) exceed the {{policySizeQuota}} character maximum for RCPs. We recommend that you use multiple granular policies.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The {{policySize}} characters in the resource control policy (RCP) exceed the {{policySizeQuota}} character maximum for RCPs. We recommend that you use multiple granular policies."
```

**Resolving the error**

The resource control policy (RCP) exceeds the maximum number of characters that AWS Organizations allows for a single RCP. Reduce the size of the policy so that it is within the quota. If the permissions don't fit in one policy, AWS recommends that you use multiple granular policies.

**Related terms**
+ [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html)
+ [AWS Organizations resource control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html)

## Error – RCP syntax error principal
<a name="access-analyzer-reference-policy-checks-error-rcp-syntax-error-principal"></a>

**Issue code:** RCP_SYNTAX_ERROR_PRINCIPAL

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
RCP syntax error principal: The Principal element contents are not valid. RCPs only support specifying all principals ("*") in the Principal element. The NotPrincipal element is not supported for RCPs.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The Principal element contents are not valid. RCPs only support specifying all principals ("*") in the Principal element. The NotPrincipal element is not supported for RCPs."
```

**Resolving the error**

AWS Organizations resource control policies (RCPs) only support specifying all principals ("`*`") in the `Principal` element. The `NotPrincipal` element is not supported for RCPs.

**Related terms**
+ [RCP syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html)
+ [Properties of the principal](reference_policies_condition-keys.md#condition-keys-principal-properties)

## Error – RCP syntax error allow
<a name="access-analyzer-reference-policy-checks-error-rcp-syntax-error-allow"></a>

**Issue code:** RCP_SYNTAX_ERROR_ALLOW

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
RCP syntax error allow: RCPs only support specifying all principals ("*") in the Principal element, all resources ("*") in the Resource element, and no Condition element with an effect of Allow.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "RCPs only support specifying all principals ("*") in the Principal element, all resources ("*") in the Resource element, and no Condition element with an effect of Allow."
```

**Resolving the error**

AWS Organizations resource control policies (RCPs) only support specifying all principals ("`*`") in the `Principal` element and all resources ("`*`") in the `Resource` element. The `Condition` element with an effect of `Allow` is not supported for RCPs.

**Related terms**
+ [RCP syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html)
+ [Properties of the principal](reference_policies_condition-keys.md#condition-keys-principal-properties)
+ [Properties of the resource](reference_policies_condition-keys.md#condition-keys-resource-properties)

## Error – RCP syntax error NotAction
<a name="access-analyzer-reference-policy-checks-error-rcp-syntax-error-notaction"></a>

**Issue code:** RCP_SYNTAX_ERROR_NOTACTION

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
RCP syntax error NotAction: RCPs do not support the NotAction element. Update to use the Action element.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "RCPs do not support the NotAction element. Update to use the Action element."
```

**Resolving the error**

AWS Organizations resource control policies (RCPs) do not support the `NotAction` element. Use the `Action` element.

**Related terms**
+ [RCP syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html)
+ [IAM JSON policy elements: Action](reference_policies_elements_action.md)
+ [IAM JSON policy elements: NotAction](reference_policies_elements_notaction.md)

## Error – RCP syntax error action
<a name="access-analyzer-reference-policy-checks-error-rcp-syntax-error-action"></a>

**Issue code:** RCP_SYNTAX_ERROR_ACTION

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
RCP syntax error action: RCPs only support specifying select service prefixes in the Action element. Learn more here.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "RCPs only support specifying select service prefixes in the Action element. Learn more here."
```

**Resolving the error**

AWS Organizations resource control policies (RCPs) only support specifying select service prefixes in the `Action` element.

**Related terms**
+ [RCP syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html)
+ [List of AWS services that support RCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#rcp-supported-services)
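The RCP syntax rules from the four sections above (principal, allow, `NotAction`, action), together with the policy size check from the earlier "Policy size exceeds RCP quota" section, as a local pre-check. This is an added example, not IAM Access Analyzer's or AWS Organizations' own code; the set of supported service prefixes, the way characters are counted, and the sample policies are this example's assumptions.

```python
import json

# Service prefixes this example accepts in an RCP Action element. Take the authoritative
# set from the "List of AWS services that support RCPs" page linked above.
RCP_SERVICE_PREFIXES = {"s3", "sts", "kms", "sqs", "secretsmanager"}


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_rcp(policy, size_quota):
    """Return the issue codes (as named on this page) raised by an RCP document.

    size_quota is the RCP character maximum from the Organizations quotas page; counting
    the compact JSON length as the policy size is this example's assumption.
    """
    findings = []
    if len(json.dumps(policy, separators=(",", ":"))) > size_quota:
        findings.append("POLICY_SIZE_EXCEEDS_RCP_QUOTA")
    for stmt in _as_list(policy.get("Statement")):
        # Principal must be exactly "*"; NotPrincipal is never allowed.
        if "NotPrincipal" in stmt or stmt.get("Principal") != "*":
            findings.append("RCP_SYNTAX_ERROR_PRINCIPAL")
        if "NotAction" in stmt:
            findings.append("RCP_SYNTAX_ERROR_NOTACTION")
        # Each action must belong to a supported service; a bare "*" is the full-access form.
        for action in _as_list(stmt.get("Action")):
            prefix = action.split(":", 1)[0]
            if prefix != "*" and prefix not in RCP_SERVICE_PREFIXES:
                findings.append("RCP_SYNTAX_ERROR_ACTION")
                break
        # An Allow statement may only be the unconditional "*" principal / "*" resource form.
        if stmt.get("Effect") == "Allow" and (
            stmt.get("Principal") != "*" or stmt.get("Resource") != "*" or "Condition" in stmt
        ):
            findings.append("RCP_SYNTAX_ERROR_ALLOW")
    return findings


# Constructed samples. RCP_OK denies access on supported services to principals outside
# the organization, a common RCP pattern; "o-exampleorgid" is a placeholder organization ID.
RCP_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnforceOrgIdentities",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:*", "sqs:*", "kms:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEqualsIfExists": {"aws:PrincipalOrgID": "o-exampleorgid"},
            "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
        },
    }],
}

RCP_BROKEN = {
    "Version": "2012-10-17",
    "Statement": [
        # NotPrincipal and NotAction are both unsupported in RCPs.
        {"Effect": "Deny", "NotPrincipal": {"AWS": "arn:aws:iam::123456789012:root"},
         "NotAction": "s3:GetObject", "Resource": "*"},
        # ec2 is outside the assumed supported service prefixes.
        {"Effect": "Deny", "Principal": "*", "Action": "ec2:TerminateInstances", "Resource": "*"},
        # Allow with a scoped Resource and a Condition.
        {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ],
}

if __name__ == "__main__":
    # 5120 is a placeholder quota for the demo; take the real value from the quotas page.
    print(check_rcp(RCP_OK, size_quota=5120))
    print(check_rcp(RCP_BROKEN, size_quota=5120))
```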

## Error – Missing ARN account
<a name="access-analyzer-reference-policy-checks-error-missing-arn-account"></a>

**Issue code:** MISSING_ARN_ACCOUNT

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing ARN account: The resource {{resourceName}} in the arn is missing an account id. Please provide a 12 digit account id.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The resource {{resourceName}} in the arn is missing an account id. Please provide a 12 digit account id."
```

**Resolving the error**

Include an account ID in the resource ARN. Account IDs are 12-digit integers. To learn how to view your account ID, see [Finding your AWS account ID](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html#FindingYourAccountIdentifiers).

**Related terms**
+ [Policy resources](reference_policies_elements_resource.md)
+ [Account Identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html)
+ [Resource ARNs](reference_identifiers.md#identifiers-arns)
+ [AWS service resources with ARN formats](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Error – Invalid kms key value
<a name="access-analyzer-reference-policy-checks-error-invalid-kms-key-value"></a>

**Issue code:** INVALID_KMS_KEY_VALUE

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid kms key value: The {{key}} condition key value must be valid a KMS key ARN.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The {{key}} condition key value must be valid a KMS key ARN."
```

**Resolving the error**

An AWS KMS key ARN (Amazon Resource Name) is a unique, fully qualified identifier for a KMS key. A key ARN includes the AWS account, Region, and the key ID. A key ARN follows this format:

`arn:aws:kms:region:account-id:key/key-id`

**Related terms**
+ [Find the key ID and key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html)
+ [Key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)
+ [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)
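The three value-format checks described above, "Type mismatch IP range", "Missing ARN account" and "Invalid kms key value", as a local pre-check over a policy document. This is an added example, not IAM Access Analyzer's own code; the services exempt from the account ID check, the exact key ID shapes accepted in a KMS key ARN, the condition key assumed to require a key ARN, and the sample policy are this example's assumptions.

```python
import ipaddress
import re

# Services whose ARNs carry no account ID by design (arn:aws:s3:::bucket). S3 is the only
# one this example assumes; extend it from the "AWS service resources with ARN formats" page.
NO_ACCOUNT_SERVICES = {"s3"}
# Condition operators whose values are IP ranges; the IfExists suffix is stripped first.
IP_OPERATORS = {"IpAddress", "NotIpAddress"}
# The arn:aws:kms:region:account-id:key/key-id shape from the page. Treating the key ID as
# a UUID or a multi-Region "mrk-" ID is this example's assumption.
KMS_KEY_ARN = re.compile(
    r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/"
    r"(mrk-[0-9a-f]{32}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)
# Condition keys whose values must be KMS key ARNs; the S3 SSE key ID is the one assumed here.
KMS_ARN_CONDITION_KEYS = {"s3:x-amz-server-side-encryption-aws-kms-key-id"}


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def valid_cidr(value):
    """True for a standard IPv4 or IPv6 CIDR range; a bare address is accepted as /32 or /128."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def arn_missing_account(value):
    """True when an ARN's account field is empty for a service whose ARNs require one."""
    parts = value.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return False  # "*" and other non-ARN values are not this check's concern
    service, account = parts[2], parts[4]
    return account == "" and service not in NO_ACCOUNT_SERVICES


def check_value_formats(policy):
    """Return (issue code, offending value) pairs for a policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        for element in ("Resource", "NotResource"):
            for arn in _as_list(stmt.get(element)):
                if arn_missing_account(arn):
                    findings.append(("MISSING_ARN_ACCOUNT", arn))
        for operator, pairs in stmt.get("Condition", {}).items():
            base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
            for key, values in pairs.items():
                for value in _as_list(values):
                    if base in IP_OPERATORS and not valid_cidr(value):
                        findings.append(("TYPE_MISMATCH_IP_RANGE", value))
                    if key.lower() in KMS_ARN_CONDITION_KEYS and not KMS_KEY_ARN.match(value):
                        findings.append(("INVALID_KMS_KEY_VALUE", value))
    return findings


# Constructed sample policy: 123456789012 and the 203.0.113.0/24 range are documentation placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "sqs:SendMessage"],
        "Resource": [
            "arn:aws:s3:::example-bucket/*",             # S3 ARNs have no account field
            "arn:aws:sqs:us-east-1::example-queue",      # account ID missing
            "arn:aws:sqs:us-east-1:123456789012:example-queue",
        ],
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "203.0.113.0/33"]},
            "NotIpAddressIfExists": {"aws:SourceIp": "198.51.100.*"},
            "StringEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id":
                    "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
            },
            # An alias is a valid KMS identifier elsewhere, but this key requires a key ARN.
            "StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "alias/app-key"},
        },
    }],
}

if __name__ == "__main__":
    for code, value in check_value_formats(SAMPLE_POLICY):
        print(code, value)
```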

## Error – Variable usage too permissive
<a name="access-analyzer-reference-policy-checks-error-variable-usage-too-permissive"></a>

**Issue code:** VARIABLE_USAGE_TOO_PERMISSIVE

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Variable usage too permissive: Overly permissive use of policy variable for the {{key}} condition key. Use the policy variable preceded by 6 consecutive characters.
```

```
The policy variable is not allowed in the condition key {{key}}. We consider the key to be sensitive and policy variables can be evaluated as effective wildcards. Therefore policy variables are not allowed to be used with sensitive keys. Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html for the list of sensitive keys.
```

```
Overly permissive use of policy variable with aws:userID. Use the policy variable on the right side of colon or as the only character on the left side of a colon.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Overly permissive use of policy variable for the {{key}} condition key. Use the policy variable preceded by 6 consecutive characters."
```

```
"findingDetails": "The policy variable is not allowed in the condition key {{key}}. We consider the key to be sensitive and policy variables can be evaluated as effective wildcards. Therefore policy variables are not allowed to be used with sensitive keys. Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html for the list of sensitive keys."
```

```
"findingDetails": "Overly permissive use of policy variable with aws:userID. Use the policy variable on the right side of colon or as the only character on the left side of a colon."
```

**Resolving the error**

There are three possible finding messages for this error.
+ For the first error message, modify your policy variable usage to be more specific. Add at least 6 consecutive characters before the policy variable to reduce the scope of permissions. For example, instead of using `${aws:username}`, use `prefix-${aws:username}` or `myapp-${aws:username}`. This ensures that the policy variable doesn't grant overly broad access.
+ For the second error message, remove the policy variable from the specified condition key. Policy variables can act as effective wildcards and are not permitted with sensitive condition keys for security reasons. Instead, use specific static values or consider restructuring your policy to use non-sensitive condition keys that support policy variables.
+ For the third error message, modify your `aws:userID` policy variable usage to be more restrictive. Place the policy variable on the right side of a colon (after the account ID) or use it as the only character on the left side of a colon. For example, use `AIDACKCEVSQ6C2EXAMPLE:${aws:userid}` or `${aws:userid}:*` instead of `${aws:userid}`.

**Related terms**
+ [IAM policy elements: Variables and tags](reference_policies_variables.md)
+ [IAM policy elements: Condition](reference_policies_elements_condition.md)
+ [Conditions with multiple context keys or values](reference_policies_condition-logic-multiple-context-keys-or-values.md)
+ [AWS global condition context keys](reference_policies_condition-keys.md)

## Error – Wildcard usage too permissive
<a name="access-analyzer-reference-policy-checks-error-wildcard-usage-too-permissive"></a>

**Issue code:** WILDCARD_USAGE_TOO_PERMISSIVE

**Finding type:** ERROR

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Wildcard usage too permissive: Overly permissive use of wildcard for the {{key}} condition key. Use the wildcard preceded by 6 consecutive characters.
```

```
The wildcard is not allowed in the condition key {{key}}. We consider the key to be sensitive and wildcards are not allowed to be used with sensitive keys. Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html for the list of sensitive keys.
```

```
Overly permissive use of wildcard with aws:userID. Use the wildcard on the right side of colon or as the only character on the left side of a colon.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Overly permissive use of wildcard for the {{key}} condition key. Use the wildcard preceded by 6 consecutive characters."
```

```
"findingDetails": "The wildcard is not allowed in the condition key {{key}}. We consider the key to be sensitive and wildcards are not allowed to be used with sensitive keys. Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html for the list of sensitive keys."
```

```
"findingDetails": "Overly permissive use of wildcard with aws:userID. Use the wildcard on the right side of colon or as the only character on the left side of a colon."
```

**Resolving the error**

There are three possible finding messages for this error.
+ For the first error message, make your wildcard usage more specific by adding at least 6 consecutive characters before the wildcard. For example, instead of using `*`, use `prefix-*` or `prefix-*-suffix`. This reduces the scope of the condition and follows the principle of least privilege.
+ For the second error message, remove the wildcard from the specified condition key. Wildcards are not permitted with sensitive condition keys for security reasons. Replace the wildcard with specific values that match your intended access pattern, or consider using a different, non-sensitive condition key that supports wildcards.
+ For the third error message, modify your `aws:userID` wildcard usage to be more restrictive. Place the wildcard on the right side of a colon (after the account ID) or use it as the only character on the left side of a colon. For example, use `AIDACKCEVSQ6C2EXAMPLE:*` or `*:*` instead of `*`.

**Related terms**
+ [IAM policy elements: Condition](reference_policies_elements_condition.md)
+ [Conditions with multiple context keys or values](reference_policies_condition-logic-multiple-context-keys-or-values.md)
+ [AWS global condition context keys](reference_policies_condition-keys.md)
+ [IAM identifiers](reference_identifiers.md)
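The three rules shared by the "Variable usage too permissive" and "Wildcard usage too permissive" sections above (no wildcard or variable on a sensitive key, the `aws:userid` colon rule, and the six-character prefix rule), applied to every condition value in a policy. This is an added example, not IAM Access Analyzer's own code; reading "preceded by 6 consecutive characters" as six literal characters before the first wildcard or variable, the sensitive-key set, and the sample policy are this example's assumptions.

```python
import re

# A policy variable such as ${aws:username}; it is masked to a single TOKEN character so
# the colon inside it does not confuse the aws:userid colon rule below.
VARIABLE = re.compile(r"\$\{[^}]*\}")
TOKEN = "\x00"


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _first_token(masked):
    """Index of the first wildcard or masked variable in a value, or -1 if there is none."""
    hits = [i for i in (masked.find("*"), masked.find(TOKEN)) if i >= 0]
    return min(hits) if hits else -1


def check_condition_value(key, value, sensitive_keys):
    """Return the issue code (if any) for one condition key/value pair, applying the
    page's three messages in order: sensitive key, aws:userid shape, six-character prefix."""
    masked = VARIABLE.sub(TOKEN, value)
    pos = _first_token(masked)
    if pos < 0:
        return []
    # A value carrying both a "*" and a variable is reported under the wildcard code.
    code = "WILDCARD_USAGE_TOO_PERMISSIVE" if "*" in masked else "VARIABLE_USAGE_TOO_PERMISSIVE"
    if key.lower() in {k.lower() for k in sensitive_keys}:
        return [code]  # no wildcard or variable at all on a sensitive key
    if key.lower() == "aws:userid":
        # Values have the form unique-id:caller-name. The wildcard/variable may be the
        # whole left side or sit anywhere on the right side, but not be part of the left side.
        left, colon, _right = masked.partition(":")
        if colon and (left in ("*", TOKEN) or _first_token(left) < 0):
            return []
        return [code]
    # Any other key: at least six literal characters must precede the first wildcard/variable.
    return [] if pos >= 6 else [code]


def check_policy_conditions(policy, sensitive_keys):
    """Return (condition key, value, issue code) triples for every Condition in a policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        for pairs in stmt.get("Condition", {}).values():
            for key, values in pairs.items():
                for value in _as_list(values):
                    for code in check_condition_value(key, value, sensitive_keys):
                        findings.append((key, value, code))
    return findings


# Constructed for the example: the authoritative sensitive-key list is on the global
# condition keys page linked above, not this set.
SENSITIVE_KEYS_EXAMPLE = {"aws:PrincipalOrgID"}

# Constructed sample: a per-user S3 prefix policy with one accepted and several flagged values.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example-bucket",
        "Condition": {
            "StringLike": {
                "s3:prefix": ["myapp-${aws:username}/*", "${aws:username}", "*"],
                "aws:userid": ["AIDACKCEVSQ6C2EXAMPLE:*", "${aws:userid}:*", "*", "AIDA*:*"],
                "aws:PrincipalOrgID": "o-${aws:PrincipalTag/org}",
            }
        },
    }],
}

if __name__ == "__main__":
    for key, value, code in check_policy_conditions(SAMPLE_POLICY, SENSITIVE_KEYS_EXAMPLE):
        print(f"{code}: {key} = {value!r}")
```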

## General Warning – Create SLR with NotResource
<a name="access-analyzer-reference-policy-checks-general-warning-create-slr-with-not-resource"></a>

**Issue code:** CREATE_SLR_WITH_NOT_RESOURCE

**Finding type:** GENERAL_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Create SLR with NotResource: Using the iam:CreateServiceLinkedRole action with NotResource can allow creation of unintended service-linked roles for multiple resources. We recommend that you specify resource ARNs instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using the iam:CreateServiceLinkedRole action with NotResource can allow creation of unintended service-linked roles for multiple resources. We recommend that you specify resource ARNs instead."
```

**Resolving the general warning**

The action `iam:CreateServiceLinkedRole` grants permission to create an IAM role that allows an AWS service to perform actions on your behalf. Using `iam:CreateServiceLinkedRole` in a policy with the `NotResource` element can allow creating unintended service-linked roles for multiple resources. AWS recommends that you specify allowed ARNs in the `Resource` element instead.

**Related terms**
+ [CreateServiceLinkedRole operation](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html)
+ [IAM JSON policy elements: NotResource](reference_policies_elements_notresource.md)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

## General Warning – Create SLR with star in action and NotResource
<a name="access-analyzer-reference-policy-checks-general-warning-create-slr-with-star-in-action-and-not-resource"></a>

**Issue code:** CREATE_SLR_WITH_STAR_IN_ACTION_AND_NOT_RESOURCE

**Finding type:** GENERAL_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Create SLR with star in action and NotResource: Using an action with a wildcard(*) and NotResource can allow creation of unintended service-linked roles because it can allow iam:CreateServiceLinkedRole permissions on multiple resources. We recommend that you specify resource ARNs instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using an action with a wildcard(*) and NotResource can allow creation of unintended service-linked roles because it can allow iam:CreateServiceLinkedRole permissions on multiple resources. We recommend that you specify resource ARNs instead."
```

**Resolving the general warning**

The action `iam:CreateServiceLinkedRole` grants permission to create an IAM role that allows an AWS service to perform actions on your behalf. Policies with a wildcard (*) in the `Action` and that include the `NotResource` element can allow creation of unintended service-linked roles for multiple resources. AWS recommends that you specify allowed ARNs in the `Resource` element instead.

**Related terms**
+ [CreateServiceLinkedRole operation](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html)
+ [IAM JSON policy elements: NotResource](reference_policies_elements_notresource.md)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

## General Warning – Create SLR with NotAction and NotResource
<a name="access-analyzer-reference-policy-checks-general-warning-create-slr-with-not-action-and-not-resource"></a>

**Issue code:** CREATE_SLR_WITH_NOT_ACTION_AND_NOT_RESOURCE

**Finding type:** GENERAL_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Create SLR with NotAction and NotResource: Using NotAction with NotResource can allow creation of unintended service-linked roles because it allows iam:CreateServiceLinkedRole permissions on multiple resources. We recommend that you specify resource ARNs instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using NotAction with NotResource can allow creation of unintended service-linked roles because it allows iam:CreateServiceLinkedRole permissions on multiple resources. We recommend that you specify resource ARNs instead."
```

**Resolving the general warning**

The action `iam:CreateServiceLinkedRole` grants permission to create an IAM role that allows an AWS service to perform actions on your behalf. Using the `NotAction` element with the `NotResource` element can allow creating unintended service-linked roles for multiple resources. AWS recommends that you rewrite the policy to allow `iam:CreateServiceLinkedRole` on a limited list of ARNs in the `Resource` element instead. You can also add `iam:CreateServiceLinkedRole` to the `NotAction` element.

**Related terms**
+ [CreateServiceLinkedRole operation](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html)
+ [IAM JSON policy elements: NotAction](reference_policies_elements_notaction.md)
+ [IAM JSON policy elements: Action](reference_policies_elements_action.md)
+ [IAM JSON policy elements: NotResource](reference_policies_elements_notresource.md)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

## General Warning – Create SLR with star in resource
<a name="access-analyzer-reference-policy-checks-general-warning-create-slr-with-star-in-resource"></a>

**Issue code:** CREATE_SLR_WITH_STAR_IN_RESOURCE

**Finding type:** GENERAL_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Create SLR with star in resource: Using the iam:CreateServiceLinkedRole action with wildcards (*) in the resource can allow creation of unintended service-linked roles. We recommend that you specify resource ARNs instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using the iam:CreateServiceLinkedRole action with wildcards (*) in the resource can allow creation of unintended service-linked roles. We recommend that you specify resource ARNs instead."
```

**Resolving the general warning**

The action `iam:CreateServiceLinkedRole` grants permission to create an IAM role that allows an AWS service to perform actions on your behalf. Using `iam:CreateServiceLinkedRole` in a policy with a wildcard (*) in the `Resource` element can allow creating unintended service-linked roles for multiple resources. AWS recommends that you specify allowed ARNs in the `Resource` element instead.

**Related terms**
+ [CreateServiceLinkedRole operation](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

### AWS managed policies with this general warning
<a name="accan-ref-policy-check-message-fix-general-warning-create-slr-with-star-in-resource-awsmanpol"></a>

[AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) enable you to get started with AWS by assigning permissions based on general AWS use cases.

Some of those use cases are for power users within your account. The following AWS managed policies provide power user access and grant permissions to create [service-linked roles](id_roles_create-service-linked-role.md) for any AWS service. AWS recommends that you attach the following AWS managed policies to only IAM identities that you consider power users.
+ [PowerUserAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/PowerUserAccess)
+ [AlexaForBusinessFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AlexaForBusinessFullAccess)
+ [AWSOrganizationsServiceTrustPolicy](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSOrganizationsServiceTrustPolicy) – This AWS managed policy provides permissions for use by the AWS Organizations service-linked role. This role allows Organizations to create additional service-linked roles for other services in your AWS organization.

## General Warning – Create SLR with star in action and resource
<a name="access-analyzer-reference-policy-checks-general-warning-create-slr-with-star-in-action-and-resource"></a>

**Issue code:** CREATE_SLR_WITH_STAR_IN_ACTION_AND_RESOURCE

**Finding type:** GENERAL_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Create SLR with star in action and resource: Using wildcards (*) in the action and the resource can allow creation of unintended service-linked roles because it allows iam:CreateServiceLinkedRole permissions on all resources. We recommend that you specify resource ARNs instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using wildcards (*) in the action and the resource can allow creation of unintended service-linked roles because it allows iam:CreateServiceLinkedRole permissions on all resources. We recommend that you specify resource ARNs instead."
```

**Resolving the general warning**

The action `iam:CreateServiceLinkedRole` grants permission to create an IAM role that allows an AWS service to perform actions on your behalf. Policies with a wildcard (\*) in the `Action` and `Resource` elements can allow creating unintended service-linked roles for multiple resources. This allows creating a service-linked role when you specify `"Action": "*"`, `"Action": "iam:*"`, or `"Action": "iam:Create*"`. AWS recommends that you specify allowed ARNs in the `Resource` element instead.
+ [CreateServiceLinkedRole operation](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html)
+ [IAM JSON policy elements: Action](reference_policies_elements_action.md)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

### AWS managed policies with this general warning
<a name="accan-ref-policy-check-message-fix-general-warning-create-slr-with-star-in-action-and-resource-awsmanpol"></a>

[AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) enable you to get started with AWS by assigning permissions based on general AWS use cases.

Some of those use cases are for administrators within your account. The following AWS managed policies provide administrator access and grant permissions to create [service-linked roles](id_roles_create-service-linked-role.md) for any AWS service. AWS recommends that you attach the following AWS managed policies to only the IAM identities that you consider administrators.
+ [AdministratorAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AdministratorAccess)
+ [IAMFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/IAMFullAccess)

## General Warning – Create SLR with star in resource and NotAction
<a name="access-analyzer-reference-policy-checks-general-warning-create-slr-with-star-in-resource-and-not-action"></a>

**Issue code:** CREATE\_SLR\_WITH\_STAR\_IN\_RESOURCE\_AND\_NOT\_ACTION

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Create SLR with star in resource and NotAction: Using a resource with wildcards (*) and NotAction can allow creation of unintended service-linked roles because it allows iam:CreateServiceLinkedRole permissions on all resources. We recommend that you specify resource ARNs instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using a resource with wildcards (*) and NotAction can allow creation of unintended service-linked roles because it allows iam:CreateServiceLinkedRole permissions on all resources. We recommend that you specify resource ARNs instead."
```

**Resolving the general warning**

The action `iam:CreateServiceLinkedRole` grants permission to create an IAM role that allows an AWS service to perform actions on your behalf. Using the `NotAction` element in a policy with a wildcard (\*) in the `Resource` element can allow creating unintended service-linked roles for multiple resources. AWS recommends that you specify allowed ARNs in the `Resource` element instead. You can also add `iam:CreateServiceLinkedRole` to the `NotAction` element.
+ [CreateServiceLinkedRole operation](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html)
+ [IAM JSON policy elements: NotAction](reference_policies_elements_notaction.md)
+ [IAM JSON policy elements: Action](reference_policies_elements_action.md)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)
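The two "Create SLR with star" checks above, re-implemented locally as an added example (this is not AWS or IAM Access Analyzer code). It flags `Allow` statements on `Resource` `*` whose `Action` wildcard covers `iam:CreateServiceLinkedRole` or whose `NotAction` fails to exclude it, and shows the scoped-down forms the findings recommend; the account ID and the Auto Scaling service-linked role ARN pattern are placeholders.

```python
"""Local re-implementation of the two "Create SLR with star" checks.

Added example, not AWS code. It flags statements that would let a principal call
iam:CreateServiceLinkedRole on every resource, either through wildcards in
Action and Resource or through a NotAction that does not exclude the action,
and shows the scoped-down forms the findings recommend.
"""
import fnmatch
import json

SLR_ACTION = "iam:CreateServiceLinkedRole"


def _as_list(value):
    """IAM accepts a string or a list for Action, NotAction and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_slr(pattern):
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(SLR_ACTION.lower(), pattern.lower())


def check_create_slr(policy):
    """Return (issue_code, statement_index) pairs for Allow statements on Resource '*'."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        # Check 1: a wildcard Action pattern ("*", "iam:*", "iam:Create*") that
        # covers the SLR action. An exact "iam:CreateServiceLinkedRole" is not
        # flagged, because the author named the action deliberately.
        if any("*" in a and _covers_slr(a) for a in _as_list(stmt.get("Action"))):
            findings.append(("CREATE_SLR_WITH_STAR_IN_ACTION_AND_RESOURCE", idx))
        # Check 2: NotAction allows everything it does not list, so the SLR action
        # is allowed unless some NotAction entry matches it.
        if "NotAction" in stmt and not any(_covers_slr(a) for a in _as_list(stmt["NotAction"])):
            findings.append(("CREATE_SLR_WITH_STAR_IN_RESOURCE_AND_NOT_ACTION", idx))
    return findings


# Constructed sample policy (not from the page) that triggers both checks.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": ["s3:DeleteBucket"], "Resource": "*"},
    ],
}

# Scoped down as the findings recommend: name the action and restrict Resource
# to one service's service-linked role ARN pattern, and add the SLR action to
# NotAction. The account ID is a placeholder.
REMEDIATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/*",
        },
        {
            "Effect": "Allow",
            "NotAction": ["s3:DeleteBucket", "iam:CreateServiceLinkedRole"],
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    print(json.dumps(check_create_slr(WILDCARD_POLICY)))    # both issue codes
    print(json.dumps(check_create_slr(REMEDIATED_POLICY)))  # []
```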

## General Warning – Deprecated global condition key
<a name="access-analyzer-reference-policy-checks-general-warning-deprecated-global-condition-key"></a>

**Issue code:** DEPRECATED\_GLOBAL\_CONDITION\_KEY

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Deprecated global condition key: We recommend that you update aws:ARN to use the newer condition key aws:PrincipalArn.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "We recommend that you update aws:ARN to use the newer condition key aws:PrincipalArn."
```

**Resolving the general warning**

The policy includes a deprecated global condition key. Update the condition key in the condition key-value pair to use a supported global condition key.
+ [Global condition keys](reference_policies_condition-keys.md)

## General Warning – Invalid date value
<a name="access-analyzer-reference-policy-checks-general-warning-invalid-date-value"></a>

**Issue code:** INVALID\_DATE\_VALUE

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid date value: The date {{date}} might not resolve as expected. We recommend that you use the YYYY-MM-DD format.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The date {{date}} might not resolve as expected. We recommend that you use the YYYY-MM-DD format."
```

**Resolving the general warning**

Unix epoch time expresses a point in time as the number of seconds elapsed since January 1, 1970, not counting leap seconds. Epoch time might not resolve to the precise time that you expect. AWS recommends that you use the W3C standard for date and time formats. For example, you can specify a complete date, such as YYYY-MM-DD (1997-07-16), or append the time to the second, such as YYYY-MM-DDThh:mm:ssTZD (1997-07-16T19:20:30+01:00).
+ [W3C Date and Time Formats](https://www.w3.org/TR/NOTE-datetime)
+ [IAM JSON policy elements: Version](reference_policies_elements_version.md)
+ [aws:CurrentTime global condition key](reference_policies_condition-keys.md#condition-keys-currenttime)

## General Warning – Invalid role reference
<a name="access-analyzer-reference-policy-checks-general-warning-invalid-role-reference"></a>

**Issue code:** INVALID\_ROLE\_REFERENCE

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid role reference: The Principal element includes the IAM role ID {{roleid}}. We recommend that you use a role ARN instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The Principal element includes the IAM role ID {{roleid}}. We recommend that you use a role ARN instead."
```

**Resolving the general warning**

AWS recommends that you specify the Amazon Resource Name (ARN) for an IAM role instead of its principal ID. When IAM saves the policy, it transforms the ARN into the unique ID of the existing role. This is a safety precaution: if someone deletes and recreates the role, the new role has a new ID, and the policy no longer matches it.
+ [Specifying a principal: IAM roles](reference_policies_elements_principal.md#principal-roles)
+ [IAM ARNs](reference_identifiers.md#identifiers-arns)
+ [IAM unique IDs](reference_identifiers.md#identifiers-unique-ids)

## General Warning – Invalid user reference
<a name="access-analyzer-reference-policy-checks-general-warning-invalid-user-reference"></a>

**Issue code:** INVALID\_USER\_REFERENCE

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Invalid user reference: The Principal element includes the IAM user ID {{userid}}. We recommend that you use a user ARN instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The Principal element includes the IAM user ID {{userid}}. We recommend that you use a user ARN instead."
```

**Resolving the general warning**

AWS recommends that you specify the Amazon Resource Name (ARN) for an IAM user instead of its principal ID. When IAM saves the policy, it transforms the ARN into the unique ID of the existing user. This is a safety precaution: if someone deletes and recreates the user, the new user has a new ID, and the policy no longer matches it.
+ [Specifying a principal: IAM users](reference_policies_elements_principal.md#principal-users)
+ [IAM ARNs](reference_identifiers.md#identifiers-arns)
+ [IAM unique IDs](reference_identifiers.md#identifiers-unique-ids)

## General Warning – Missing version
<a name="access-analyzer-reference-policy-checks-general-warning-missing-version"></a>

**Issue code:** MISSING\_VERSION

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing version: We recommend that you specify the Version element to help you with debugging permission issues.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "We recommend that you specify the Version element to help you with debugging permission issues."
```

**Resolving the general warning**

AWS recommends that you include the optional `Version` element in your policy. If you do not include a `Version` element, the value defaults to `2012-10-17`, but newer features, such as policy variables, will not work with your policy. For example, variables such as `${aws:username}` aren't recognized as variables and are instead treated as literal strings in the policy.
+ [IAM JSON policy elements: Version](reference_policies_elements_version.md)

## General Warning – Unique Sids recommended
<a name="access-analyzer-reference-policy-checks-general-warning-unique-sids-recommended"></a>

**Issue code:** UNIQUE\_SIDS\_RECOMMENDED

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Unique Sids recommended: We recommend that you use statement IDs that are unique to your policy. Update the Sid value.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "We recommend that you use statement IDs that are unique to your policy. Update the Sid value."
```

**Resolving the general warning**

AWS recommends that you use unique statement IDs. The `Sid` (statement ID) element is an optional identifier that you provide for a policy statement. You can assign a `Sid` value to each statement in a statement array.

**Related terms**
+ [IAM JSON policy elements: Sid](reference_policies_elements_sid.md)

## General Warning – Wildcard without like operator
<a name="access-analyzer-reference-policy-checks-general-warning-wildcard-without-like-operator"></a>

**Issue code:** WILDCARD\_WITHOUT\_LIKE\_OPERATOR

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Wildcard without like operator: Your condition value includes a * or ? character. If you meant to use a wildcard (*, ?), update the condition operator to include Like.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Your condition value includes a * or ? character. If you meant to use a wildcard (*, ?), update the condition operator to include Like."
```

**Resolving the general warning**

The `Condition` element structure requires that you use a condition operator and a key-value pair. When you specify a condition value that uses a wildcard (\*, ?), you must use the `Like` version of the condition operator. For example, instead of the `StringEquals` string condition operator, use `StringLike`.

```
"Condition": {"StringLike": {"aws:PrincipalTag/job-category": "admin-*"}}
```
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)

### AWS managed policies with this general warning
<a name="accan-ref-policy-check-message-fix-general-warning-wildcard-without-like-operator-awsmanpol"></a>

[AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) enable you to get started with AWS by assigning permissions based on general AWS use cases.

The following AWS managed policies include wildcards in their condition value without a condition operator that includes `Like` for pattern-matching. When using the AWS managed policy as a reference to create your customer managed policy, AWS recommends that you use a condition operator that supports pattern-matching with wildcards (\*, ?), such as `StringLike`.
+ [AWSGlueConsoleSageMakerNotebookFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSGlueConsoleSageMakerNotebookFullAccess)

## General Warning – Policy size exceeds identity policy quota
<a name="access-analyzer-reference-policy-checks-general-warning-policy-size-exceeds-identity-policy-quota"></a>

**Issue code:** POLICY\_SIZE\_EXCEEDS\_IDENTITY\_POLICY\_QUOTA

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Policy size exceeds identity policy quota: The {{policySize}} characters in the identity policy, excluding whitespace, exceed the {{policySizeQuota}} character maximum for inline and managed policies. We recommend that you use multiple granular policies.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The {{policySize}} characters in the identity policy, excluding whitespace, exceed the {{policySizeQuota}} character maximum for inline and managed policies. We recommend that you use multiple granular policies."
```

**Resolving the general warning**

You can attach up to 10 managed policies to an IAM identity (user, group of users, or role). However, the size of each managed policy cannot exceed the default quota of 6,144 characters. IAM does not count white space when calculating the size of a policy against this quota. Quotas, also referred to as limits in AWS, are the maximum values for the resources, actions, and items in your AWS account.

Additionally, you can add as many inline policies as you want to an IAM identity. However, the total size of all inline policies per identity cannot exceed the specified quota.

If your policy is larger than the quota, you can organize your policy into multiple statements and group the statements into multiple policies.

**Related terms**
+ [IAM and AWS STS character quotas](reference_iam-quotas.md)
+ [Multiple statements and multiple policies](access_policies.md#policies-syntax-multiples)
+ [IAM customer managed policies](access_policies_managed-vs-inline.md#customer-managed-policies)
+ [Overview of JSON policies](access_policies.md#access_policies-json)
+ [IAM JSON policy grammar](reference_policies_grammar.md)

### AWS managed policies with this general warning
<a name="accan-ref-policy-check-message-fix-general-warning-policy-size-exceeds-identity-policy-quota-awsmanpol"></a>

[AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) enable you to get started with AWS by assigning permissions based on general AWS use cases.

The following AWS managed policies grant permissions to actions across many AWS services and exceed the maximum policy size. When using the AWS managed policy as a reference to create your managed policy, you must split the policy into multiple policies.
+ [ReadOnlyAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
+ [AWSSupportServiceRolePolicy](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSSupportServiceRolePolicy)

## General Warning – Policy size exceeds resource policy quota
<a name="access-analyzer-reference-policy-checks-general-warning-policy-size-exceeds-resource-policy-quota"></a>

**Issue code:** POLICY\_SIZE\_EXCEEDS\_RESOURCE\_POLICY\_QUOTA

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Policy size exceeds resource policy quota: The {{policySize}} characters in the resource policy exceed the {{policySizeQuota}} character maximum for resource policies. We recommend that you use multiple granular policies.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The {{policySize}} characters in the resource policy exceed the {{policySizeQuota}} character maximum for resource policies. We recommend that you use multiple granular policies."
```

**Resolving the general warning**

Resource-based policies are JSON policy documents that you attach to a resource, such as an Amazon S3 bucket. These policies grant the specified principal permission to perform specific actions on that resource and define under what conditions this applies. The size of resource-based policies cannot exceed the quota set for that resource. Quotas, also referred to as limits in AWS, are the maximum values for the resources, actions, and items in your AWS account.

If your policy is larger than the quota, you can organize your policy into multiple statements and group the statements into multiple policies.

**Related terms**
+ [Resource-based policies](access_policies.md#policies_resource-based)
+ [Amazon S3 bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
+ [Multiple statements and multiple policies](access_policies.md#policies-syntax-multiples)
+ [Overview of JSON policies](access_policies.md#access_policies-json)
+ [IAM JSON policy grammar](reference_policies_grammar.md)
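The size measurement and the "split into multiple policies" remedy from the identity-policy and resource-policy quota sections above, as an added example (not AWS code). It counts characters excluding whitespace, as the findings describe, and greedily packs statements into policies that each fit the quota; counting on a compact JSON serialisation is an assumption, since the page does not say how IAM serialises, and the bucket names are placeholders.

```python
"""Policy size against the quota, and a statement splitter.

Added example, not AWS code. It measures a policy the way the finding describes
(characters excluding whitespace) and, when the policy is over the quota, packs
its statements into several smaller policies as the text recommends. 6,144 is
the default identity-policy quota the page states; counting on a compact JSON
serialisation is an assumption, since the page does not say how IAM serialises.
"""
import json

IDENTITY_POLICY_QUOTA = 6144   # default managed/inline policy quota stated on the page


def policy_size(policy):
    """Character count excluding whitespace, as the finding counts it."""
    text = json.dumps(policy, separators=(",", ":"))
    return len("".join(text.split()))


def split_policy(policy, quota=IDENTITY_POLICY_QUOTA):
    """Greedily group statements into policies that each fit within quota.

    Raises ValueError when a single statement is itself over the quota, since
    no grouping can fix that: the statement has to be rewritten.
    """
    version = policy.get("Version", "2012-10-17")
    parts, current = [], []
    for stmt in policy.get("Statement", []):
        if policy_size({"Version": version, "Statement": current + [stmt]}) <= quota:
            current.append(stmt)
            continue
        if not current:
            raise ValueError(f"statement {stmt.get('Sid', '?')} alone exceeds the quota")
        parts.append({"Version": version, "Statement": current})
        current = [stmt]
    if current:
        parts.append({"Version": version, "Statement": current})
    return parts


def _bucket_statement(i):
    """Constructed per-bucket statement (not from the page); bucket names are placeholders."""
    return {
        "Sid": f"Bucket{i:03d}",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::example-bucket-{i:03d}",
                     f"arn:aws:s3:::example-bucket-{i:03d}/*"],
    }


# Forty per-bucket statements add up to more than the 6,144-character default quota.
BIG_POLICY = {"Version": "2012-10-17", "Statement": [_bucket_statement(i) for i in range(40)]}

if __name__ == "__main__":
    print("size:", policy_size(BIG_POLICY), "quota:", IDENTITY_POLICY_QUOTA)
    for n, part in enumerate(split_policy(BIG_POLICY), 1):
        print(f"policy {n}: {len(part['Statement'])} statements, {policy_size(part)} characters")
```

For a resource-based policy, pass that resource's own quota as the `quota` argument instead of the identity-policy default.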

## General Warning – Type mismatch
<a name="access-analyzer-reference-policy-checks-general-warning-type-mismatch"></a>

**Issue code:** TYPE\_MISMATCH

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Type mismatch: Use the operator type {{allowed}} instead of operator {{operator}} for the condition key {{key}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Use the operator type {{allowed}} instead of operator {{operator}} for the condition key {{key}}."
```

**Resolving the general warning**

Update the condition to use an operator whose data type is supported by the condition key.

For example, the `aws:MultiFactorAuthPresent` global condition key requires a condition operator with the `Boolean` data type. If you provide a date or an integer, the data type won't match.

**Related terms**
+ [Global condition keys](reference_policies_condition-keys.md)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)

## General Warning – Type mismatch Boolean
<a name="access-analyzer-reference-policy-checks-general-warning-type-mismatch-boolean"></a>

**Issue code:** TYPE\_MISMATCH\_BOOLEAN

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Type mismatch Boolean: Add a valid Boolean value (true or false) for the condition operator {{operator}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add a valid Boolean value (true or false) for the condition operator {{operator}}."
```

**Resolving the general warning**

Update the condition value to a valid Boolean, either `true` or `false`.

For example, the `aws:MultiFactorAuthPresent` global condition key requires a condition operator with the `Boolean` data type. If you provide a date or an integer, the data type won't match.

**Related terms**
+ [Boolean condition operators](reference_policies_elements_condition_operators.md#Conditions_Boolean)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)

## General Warning – Type mismatch date
<a name="access-analyzer-reference-policy-checks-general-warning-type-mismatch-date"></a>

**Issue code:** TYPE\_MISMATCH\_DATE

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Type mismatch date: The date condition operator is used with an invalid value. Specify a valid date using YYYY-MM-DD or other ISO 8601 date/time format.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The date condition operator is used with an invalid value. Specify a valid date using YYYY-MM-DD or other ISO 8601 date/time format."
```

**Resolving the general warning**

Update the condition value to a valid date in `YYYY-MM-DD` or another ISO 8601 date/time format.

**Related terms**
+ [Date condition operators](reference_policies_elements_condition_operators.md#Conditions_Date)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)

## General Warning – Type mismatch number
<a name="access-analyzer-reference-policy-checks-general-warning-type-mismatch-number"></a>

**Issue code:** TYPE\_MISMATCH\_NUMBER

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Type mismatch number: Add a valid numeric value for the condition operator {{operator}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add a valid numeric value for the condition operator {{operator}}."
```

**Resolving the general warning**

Update the condition value to a number that the numeric condition operator can evaluate.

**Related terms**
+ [Numeric condition operators](reference_policies_elements_condition_operators.md#Conditions_Numeric)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)

## General Warning – Type mismatch string
<a name="access-analyzer-reference-policy-checks-general-warning-type-mismatch-string"></a>

**Issue code:** TYPE\_MISMATCH\_STRING

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Type mismatch string: Add a valid base64-encoded string value for the condition operator {{operator}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add a valid base64-encoded string value for the condition operator {{operator}}."
```

**Resolving the general warning**

Update the condition value to a string that the string condition operator can evaluate.

**Related terms**
+ [String condition operators](reference_policies_elements_condition_operators.md#Conditions_String)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)
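The condition operator checks described above (Wildcard without like operator, Invalid date value, and the Type mismatch family), re-implemented locally as one added example (not AWS code). It strips the `ForAllValues:`/`ForAnyValue:` and `IfExists` modifiers, maps the operator to its family, and checks each value against that family; the key-to-type table is a small, hand-picked subset of the global condition keys, and the sample policy is constructed.

```python
"""Condition operator and value checks, re-implemented locally.

Added example, not AWS code. It walks every Condition element and reports the
same classes of problem as the Wildcard-without-Like, Invalid-date-value and
Type-mismatch checks. The key-to-type table is a deliberately partial,
hand-maintained subset of the global condition keys.
"""
import re
from datetime import datetime

# Expected operator family for a few global condition keys (partial table).
KEY_TYPES = {
    "aws:MultiFactorAuthPresent": "Bool",
    "aws:PrincipalIsAWSService": "Bool",
    "aws:MultiFactorAuthAge": "Numeric",
    "aws:CurrentTime": "Date",
}
FAMILIES = ("String", "Numeric", "Date", "Bool", "Binary", "NotIpAddress", "IpAddress", "Arn", "Null")

_SET_PREFIX = re.compile(r"^(ForAllValues:|ForAnyValue:)")
# YYYY-MM-DD, optionally followed by Thh:mm:ss[.fff] and Z or +hh:mm / -hh:mm
_ISO_8601 = re.compile(r"^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2}))?$")

def _base_operator(op):
    """'ForAnyValue:StringEqualsIfExists' -> 'StringEquals'."""
    op = _SET_PREFIX.sub("", op)
    return op[: -len("IfExists")] if op.endswith("IfExists") else op

def _family(base):
    """Map an operator to its family; NotIpAddress belongs to IpAddress."""
    for fam in FAMILIES:
        if base.startswith(fam):
            return "IpAddress" if fam == "NotIpAddress" else fam
    return "Unknown"

def _check_value(base, family, key, value):
    """Yield issue codes for one operator/key/value triple."""
    expected = KEY_TYPES.get(key)
    if expected and family != "Null" and expected != family:   # Null works with any key
        yield "TYPE_MISMATCH"            # e.g. StringEquals on aws:MultiFactorAuthPresent
    if family == "String" and ("*" in value or "?" in value) and "Like" not in base:
        yield "WILDCARD_WITHOUT_LIKE_OPERATOR"   # '*' and '?' are literal under StringEquals
    elif family in ("Bool", "Null") and value.lower() not in ("true", "false"):
        yield "TYPE_MISMATCH_BOOLEAN"
    elif family == "Numeric":
        try:
            float(value)
        except ValueError:
            yield "TYPE_MISMATCH_NUMBER"
    elif family == "Date":
        if value.isdigit():
            yield "INVALID_DATE_VALUE"   # epoch seconds: accepted, but may not resolve as intended
        elif not _ISO_8601.match(value):
            yield "TYPE_MISMATCH_DATE"
        else:
            try:
                datetime.strptime(value[:10], "%Y-%m-%d")   # rejects 2024-13-45 and the like
            except ValueError:
                yield "TYPE_MISMATCH_DATE"

def check_conditions(policy):
    """Return (issue_code, statement_index, operator, key) tuples for a policy dict."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        for op, pairs in stmt.get("Condition", {}).items():
            base = _base_operator(op)
            family = _family(base)
            for key, raw in pairs.items():
                for value in (raw if isinstance(raw, list) else [raw]):
                    for code in _check_value(base, family, key, str(value)):
                        findings.append((code, idx, op, key))
    return findings

# Constructed sample policy (not from the page): one problem per statement, then
# a final statement carrying the corrected form of each condition.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalTag/job-category": "admin-*"}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:MultiFactorAuthPresent": "yes"}}},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
         "Condition": {"DateLessThan": {"aws:CurrentTime": "1500000000"}}},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
         "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "one-hour"}}},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
         "Condition": {"StringLike": {"aws:PrincipalTag/job-category": "admin-*"},
                       "Bool": {"aws:MultiFactorAuthPresent": "true"},
                       "DateLessThan": {"aws:CurrentTime": "1997-07-16T19:20:30+01:00"},
                       "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}},
    ],
}

if __name__ == "__main__":
    for finding in check_conditions(SAMPLE_POLICY):
        print(finding)
```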

## General Warning – Specific github repo and branch recommended
<a name="access-analyzer-reference-policy-checks-general-warning-specific-github-repo-and-branch-recommended"></a>

**Issue code:** SPECIFIC\_GITHUB\_REPO\_AND\_BRANCH\_RECOMMENDED

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Specific github repo and branch recommended: Using a wildcard (*) in token.actions.githubusercontent.com:sub can allow requests from more sources than you intended. Specify the value of token.actions.githubusercontent.com:sub with the repository and branch name.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using a wildcard (*) in token.actions.githubusercontent.com:sub can allow requests from more sources than you intended. Specify the value of token.actions.githubusercontent.com:sub with the repository and branch name."
```

**Resolving the general warning**

If you use GitHub as an OIDC IdP, best practice is to limit the entities that can assume the role associated with the IAM IdP. When you include a `Condition` statement in a role trust policy, you can limit the role to a specific GitHub organization, repository, or branch. You can use the condition key `token.actions.githubusercontent.com:sub` to limit access. We recommend that you limit the condition to a specific set of repositories or branches. If you use a wildcard (`*`) in `token.actions.githubusercontent.com:sub`, then GitHub Actions from organizations or repositories outside of your control are able to assume roles associated with the GitHub IAM IdP in your AWS account.

**Related terms**
+ [Configuring a role for GitHub OIDC identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub)
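The wildcard trust policy beside its repository-and-branch scoped form, with a checker that mirrors the finding above, as an added example (not AWS code). The `sub` claim format `repo:<owner>/<repo>:ref:refs/heads/<branch>` is GitHub's documented format for branch-triggered workflow runs, not something the page states; the account ID, organization and repository names are placeholders.

```python
"""GitHub OIDC trust policy: wildcard subject versus repository-and-branch scoped.

Added example, not AWS code. It builds the two trust policies and a checker that
mirrors the SPECIFIC_GITHUB_REPO_AND_BRANCH_RECOMMENDED finding. The subject
claim format repo:<owner>/<repo>:ref:refs/heads/<branch> is GitHub's documented
format for branch-triggered workflow runs; the account ID, organization and
repository names are placeholders.
"""
import json

GITHUB_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_ISSUER + ":sub"
AUD_KEY = GITHUB_ISSUER + ":aud"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_wildcard(text):
    return "*" in text or "?" in text


def github_trust_policy(account_id, sub_values):
    """Role trust policy for the GitHub OIDC provider registered in account_id.

    StringLike is used only when a subject contains a wildcard; an exact subject
    gets StringEquals, which also keeps the Wildcard-without-Like check quiet.
    """
    operator = "StringLike" if any(_has_wildcard(s) for s in sub_values) else "StringEquals"
    condition = {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}
    condition.setdefault(operator, {})[SUB_KEY] = sub_values
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def check_github_sub(trust_policy):
    """Return (subject, reason) pairs for subjects broader than one repository branch."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        subjects = [s for pairs in stmt.get("Condition", {}).values()
                    for s in _as_list(pairs.get(SUB_KEY))]
        if not subjects:
            # No sub condition at all: a workflow in any GitHub repository could
            # assume the role, which is what the finding warns about.
            findings.append(("<missing>", "no subject condition"))
        for sub in subjects:
            body = sub[len("repo:"):] if sub.startswith("repo:") else ""
            repo, _, ref = body.partition(":")
            if not body or _has_wildcard(repo):
                findings.append((sub, "wildcard or malformed repository"))
            elif not ref or _has_wildcard(ref):
                findings.append((sub, "ref not pinned to one branch"))
    return findings


ACCOUNT = "111122223333"   # placeholder
# Any repository in the organization, and any branch, tag or environment in it.
WEAK = github_trust_policy(ACCOUNT, ["repo:example-org/*"])
# One repository and its main branch only.
SCOPED = github_trust_policy(ACCOUNT, ["repo:example-org/example-app:ref:refs/heads/main"])

if __name__ == "__main__":
    print(json.dumps(SCOPED, indent=2))
    print(check_github_sub(WEAK))     # [('repo:example-org/*', 'wildcard or malformed repository')]
    print(check_github_sub(SCOPED))   # []
```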

## General Warning – Policy size exceeds role trust policy quota
<a name="access-analyzer-reference-policy-checks-general-warning-policy-size-exceeds-role-trust-policy-quota"></a>

**Issue code:** POLICY\_SIZE\_EXCEEDS\_ROLE\_TRUST\_POLICY\_QUOTA

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Policy size exceeds role trust policy quota: The characters in the role trust policy, excluding whitespace, exceed the character maximum. We recommend that you request a role trust policy length quota increase using Service Quotas and AWS Support Center. If the quotas have already been increased, then you can ignore this warning.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The characters in the role trust policy, excluding whitespace, exceed the character maximum. We recommend that you request a role trust policy length quota increase using Service Quotas and AWS Support Center. If the quotas have already been increased, then you can ignore this warning."
```

**Resolving the general warning**

IAM and AWS STS have quotas that limit the size of role trust policies. This finding means that the characters in the role trust policy, excluding whitespace, exceed that maximum. We recommend that you request a role trust policy length quota increase using Service Quotas and the AWS Support Center Console.

**Related terms**
+ [IAM and AWS STS quotas, name requirements, and character limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html)

## General Warning – RCP missing related principal condition key
<a name="access-analyzer-reference-policy-checks-general-warning-rcp-missing-related-principal-condition-key"></a>

**Issue code:** RCP\_MISSING\_RELATED\_PRINCIPAL\_CONDITION\_KEY

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
RCP missing related principal condition key: RCPs impact IAM roles, users, and AWS service principals. To prevent unintended impact to services acting on your behalf using a service principal, an additional statement should be added to the Condition block "BoolIfExists": { "aws:PrincipalIsAWSService": "false"} whenever a principal key {{conditionKeyName}} is used.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "RCPs impact IAM roles, users, and AWS service principals. To prevent unintended impact to services acting on your behalf using a service principal, an additional statement should be added to the Condition block "BoolIfExists": { "aws:PrincipalIsAWSService": "false"} whenever a principal key {{conditionKeyName}} is used."
```

**Resolving the general warning**

AWS Organizations resource control policies (RCPs) can impact IAM roles, users, and AWS service principals. To prevent unintended impact to services acting on your behalf using a service principal, add the following statement to your `Condition` element:

```
"BoolIfExists": { "aws:PrincipalIsAWSService": "false"}
```

**Related terms**
+ [RCP syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html)
+ [Properties of the principal](reference_policies_condition-keys.md#condition-keys-principal-properties)

## General Warning – RCP missing related service principal condition key
<a name="access-analyzer-reference-policy-checks-general-warning-rcp-missing-related-service-principal-condition-key"></a>

**Issue code:** RCP\_MISSING\_RELATED\_SERVICE\_PRINCIPAL\_CONDITION\_KEY

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
RCP missing related service principal condition key: RCPs impact IAM roles, users, and AWS service principals. To prevent unintended impact to your principals, an additional statement should be added to the Condition block "BoolIfExists": { "aws:PrincipalIsAWSService": "true"} whenever the key {{conditionKeyName}} is used.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "RCPs impact IAM roles, users, and AWS service principals. To prevent unintended impact to your principals, an additional statement should be added to the Condition block "BoolIfExists": { "aws:PrincipalIsAWSService": "true"} whenever the key {{conditionKeyName}} is used."
```

**Resolving the general warning**

AWS Organizations resource control policies (RCPs) can impact IAM roles, users, and AWS service principals. To prevent unintended impact to your principals, add the following statement to your `Condition` element:

```
"BoolIfExists": { "aws:PrincipalIsAWSService": "true"}
```

**Related terms**
+ [RCP syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html)
+ [Properties of the principal](reference_policies_condition-keys.md#condition-keys-principal-properties)

## General Warning – RCP missing service condition key null check
<a name="access-analyzer-reference-policy-checks-general-warning-rcp-missing-service-condition-key-null-check"></a>

**Issue code:** RCP\_MISSING\_SERVICE\_CONDITION\_KEY\_NULL\_CHECK

**Finding type:** GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
RCP missing service condition key null check: The specified service may have a service integration that does not require the use of the the {{conditionKeyName}} condition key. To prevent unintended impact to services acting on your behalf using a service principal, an additional statement should be added to the Condition block "Null": { "aws:SourceAccount": "false"} or "Null": { "aws:SourceArn": "false"} whenever the key {{conditionKeyName}} is used.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The specified service may have a service integration that does not require the use of the the {{conditionKeyName}} condition key. To prevent unintended impact to services acting on your behalf using a service principal, an additional statement should be added to the Condition block "Null": { "aws:SourceAccount": "false"} or "Null": { "aws:SourceArn": "false"} whenever the key {{conditionKeyName}} is used."
```

**Resolving the general warning**

Even when a request does come from an AWS service principal, not every service integration sends the `aws:SourceAccount` and `aws:SourceArn` keys. A `Deny` statement that tests one of these keys with an `...IfExists` operator treats the absent key as a match and blocks those integrations. To apply the statement only when the key is actually present in the request context, add one of the following to the same `Condition` element whenever the specified key is used:

```
"Null": { "aws:SourceAccount": "false"}
```

or

```
"Null": { "aws:SourceArn": "false"}
```
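
The two RCP findings above are easiest to see by evaluating the condition variants against request contexts. The following is an added example, not code from the AWS documentation: a minimal evaluator for just the operators such a statement uses (`StringNotEqualsIfExists`, `BoolIfExists`, `Null`), run over constructed request contexts. The organization ID `o-exampleorg1` and the account numbers are made up, and real IAM evaluation has many rules this model omits.

```python
"""Added example, not from the AWS documentation: a minimal evaluator for the
condition operators an RCP of this shape uses, run against constructed request
contexts to show why the aws:PrincipalIsAWSService and Null checks are needed.
Only the operators below are modelled; the organization ID and account numbers
are made up."""

ORG_ID = "o-exampleorg1"  # assumed organization ID


def condition_matches(condition, ctx):
    """True if every operator block in `condition` is satisfied by `ctx`.

    Models StringEquals, StringNotEquals and Bool (each optionally with the
    IfExists suffix) plus Null. Keys are compared case-insensitively, as IAM does.
    """
    ctx = {k.lower(): str(v) for k, v in ctx.items()}
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            key = key.lower()
            expected = expected if isinstance(expected, list) else [expected]
            present = key in ctx
            if base == "Null":
                # "Null": {key: "true"} matches when the key is ABSENT from the request
                if present == (expected[0].lower() == "true"):
                    return False
                continue
            if not present:
                if if_exists:
                    continue  # ...IfExists treats an absent key as a match
                return False  # plain operators never match an absent key
            if base == "StringEquals":
                ok = ctx[key] in expected
            elif base == "StringNotEquals":
                ok = ctx[key] not in expected
            elif base == "Bool":
                ok = ctx[key].lower() == expected[0].lower()
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


# Deny, Principal "*", Resource "*": the statement applies whenever its condition matches.
# Variant 1: only the source-org check, as the finding sees it.
NAIVE = {"StringNotEqualsIfExists": {"aws:SourceOrgID": ORG_ID}}

# Variant 2: restricted to AWS service principals (first finding).
WITH_SERVICE_CHECK = {
    "StringNotEqualsIfExists": {"aws:SourceOrgID": ORG_ID},
    "BoolIfExists": {"aws:PrincipalIsAWSService": "true"},
}

# Variant 3: also skip service integrations that send no source context (second finding).
HARDENED = {**WITH_SERVICE_CHECK, "Null": {"aws:SourceAccount": "false"}}

# Constructed request contexts, not captured from a real account.
CONTEXTS = {
    "iam_role_in_org": {"aws:PrincipalIsAWSService": "false", "aws:PrincipalOrgID": ORG_ID},
    "service_for_our_resource": {"aws:PrincipalIsAWSService": "true",
                                 "aws:SourceAccount": "111122223333",
                                 "aws:SourceOrgID": ORG_ID},
    "service_for_foreign_resource": {"aws:PrincipalIsAWSService": "true",
                                     "aws:SourceAccount": "999988887777",
                                     "aws:SourceOrgID": "o-someoneelse"},
    "service_without_source_context": {"aws:PrincipalIsAWSService": "true"},
}


def compare():
    """Whether each condition variant denies each constructed request."""
    variants = {"naive": NAIVE, "with_service_check": WITH_SERVICE_CHECK, "hardened": HARDENED}
    return {name: {ctx_name: condition_matches(cond, ctx) for ctx_name, ctx in CONTEXTS.items()}
            for name, cond in variants.items()}


if __name__ == "__main__":
    for variant, outcomes in compare().items():
        print(variant)
        for ctx_name, denied in outcomes.items():
            print(f"  {ctx_name:32} {'DENIED' if denied else 'not denied'}")
```

The naive variant denies the in-organization IAM role (the key is absent, so `...IfExists` matches) and the service integration that sends no source context. Adding the `BoolIfExists` check fixes the first; adding the `Null` check fixes the second, while the service request for a resource in another organization is still denied.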

**Related terms**
+ [RCP syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html)
+ [Properties of the principal](reference_policies_condition-keys.md#condition-keys-principal-properties)

## General Warning – Use condition key only with supported services
<a name="access-analyzer-reference-policy-checks-general-warning-use-condition-key-only-with-supported-services"></a>

**Issue code: **USE\_CONDITION\_KEY\_ONLY\_WITH\_SUPPORTED\_SERVICES

**Finding type: **GENERAL\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Use condition key only with supported services: The condition key {{key}} works only with specific AWS services and must be scoped to supported services in your policies.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition key {{key}} works only with specific AWS services and must be scoped to supported services in your policies."
```

**Resolving the general warning**

Review the AWS documentation to identify which AWS services support this condition key. If any services in your policy don't support the condition key, modify your policy to scope the condition key to only the AWS services that support it.

**Related terms**
+ [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-vpceaccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-vpceaccount)
+ [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-vpceorgid](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-vpceorgid)
+ [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-vpceorgpaths](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-vpceorgpaths)
+ [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)

## Security Warning – Untrustworthy condition key
<a name="access-analyzer-reference-policy-checks-security-warning-untrustworthy-condition-key"></a>

**Issue code: **UNTRUSTWORTHY\_CONDITION\_KEY

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Untrustworthy condition key: The {{key}} condition key is not recommended for access control as it can be spoofed/manipulated by the caller.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The {{key}} condition key is not recommended for access control as it can be spoofed/manipulated by the caller."
```

**Resolving the security warning**

Do not use this condition key for access control. The caller controls, or can manipulate, the value that the key carries, so a policy that relies on it can be satisfied by a request that the caller crafts. This applies to keys such as `aws:Referer` and `aws:UserAgent`, which are taken from request headers that any client can set to an arbitrary value. Base access decisions on keys that AWS derives from the authenticated request instead, such as the principal, source account, or source VPC keys.

**Related terms**
+ [AWS global condition context keys](reference_policies_condition-keys.md)

## Security Warning – Allow with NotPrincipal
<a name="access-analyzer-reference-policy-checks-security-warning-allow-with-not-principal"></a>

**Issue code: **ALLOW\_WITH\_NOT\_PRINCIPAL

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Allow with NotPrincipal: Using Allow with NotPrincipal can be overly permissive. We recommend that you use Principal instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using Allow with NotPrincipal can be overly permissive. We recommend that you use Principal instead."
```

**Resolving the security warning**

Using `"Effect": "Allow"` with the `NotPrincipal` element can be overly permissive, because the statement grants access to every principal that is not listed, including anonymous principals and principals in other accounts. AWS recommends that you specify the principals that need access using the `Principal` element. Alternatively, you can allow broad access in one statement and add another statement that uses the `NotPrincipal` element with `"Effect": "Deny"` to exclude everyone other than the listed principals.

**Related terms**
+ [AWS JSON policy elements: Principal](reference_policies_elements_principal.md)
+ [AWS JSON policy elements: NotPrincipal](reference_policies_elements_notprincipal.md)

## Security Warning – ForAllValues with single valued key
<a name="access-analyzer-reference-policy-checks-security-warning-forallvalues-with-single-valued-key"></a>

**Issue code: **FORALLVALUES\_WITH\_SINGLE\_VALUED\_KEY

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
ForAllValues with single valued key: Using ForAllValues qualifier with the single-valued condition key {{key}} can be overly permissive. We recommend that you remove ForAllValues:.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using ForAllValues qualifier with the single-valued condition key {{key}} can be overly permissive. We recommend that you remove ForAllValues:."
```

**Resolving the security warning**

AWS recommends that you use `ForAllValues` only with multivalued condition keys. The `ForAllValues` set operator tests whether the set of values for the key in the request is a subset of the set of values in the policy. It returns true when every request value matches at least one policy value, but it also returns true when the key is absent from the request or resolves to an empty set, such as an empty string, because the empty set is a subset of every set. On a single-valued key this means that an `Allow` statement matches any request that simply omits the key, which is why the check reports the statement as overly permissive.

To learn whether a condition supports a single value or multiple values, review the [Actions, resources, and condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) page for the service. Condition keys with the `ArrayOf` data type prefix are multivalued condition keys. For example, Amazon SES supports keys with single values (`String`) and the `ArrayOfString` multivalued data type.
+ [Multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys)
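
The subset semantics described above are the whole story, so the failure mode is easy to reproduce. The following is an added example, not code from the AWS documentation: the three operators modelled as Python functions and evaluated for three constructed callers, one of which has no tag at all. The tag key `aws:PrincipalTag/team` and the allowed value `payments` are assumptions for the example.

```python
"""Added example, not from the AWS documentation: how the ForAllValues and
ForAnyValue set operators behave when the condition key is absent from the
request, compared with a plain single-valued StringEquals. The tag key, the
allowed value and the request contexts are constructed."""

TAG_KEY = "aws:PrincipalTag/team"  # single-valued key; tag name is an assumption
ALLOWED_TEAMS = ["payments"]       # value the policy allows


def string_equals(ctx, key, allowed):
    """Plain StringEquals: the key must be present and its value must be allowed."""
    return key in ctx and ctx[key] in allowed


def _request_values(ctx, key):
    values = ctx.get(key, [])          # absent key -> empty set
    return values if isinstance(values, list) else [values]


def for_all_values_string_equals(ctx, key, allowed):
    """ForAllValues:StringEquals is a subset test: every request value must be
    allowed. The empty set is a subset of every set, so an absent key matches."""
    return all(v in allowed for v in _request_values(ctx, key))


def for_any_value_string_equals(ctx, key, allowed):
    """ForAnyValue:StringEquals: at least one request value must be allowed, so
    an absent key does NOT match."""
    return any(v in allowed for v in _request_values(ctx, key))


# Constructed callers.
CALLERS = {
    "tagged_payments": {TAG_KEY: "payments"},
    "tagged_marketing": {TAG_KEY: "marketing"},
    "untagged": {},  # principal carries no team tag at all
}


def evaluate_allow_statement():
    """Would an Allow statement using each operator grant each caller?"""
    operators = {
        "StringEquals": string_equals,
        "ForAllValues:StringEquals": for_all_values_string_equals,
        "ForAnyValue:StringEquals": for_any_value_string_equals,
    }
    return {op: {name: fn(ctx, TAG_KEY, ALLOWED_TEAMS) for name, ctx in CALLERS.items()}
            for op, fn in operators.items()}


if __name__ == "__main__":
    for op, outcomes in evaluate_allow_statement().items():
        print(op, outcomes)
```

Only the `ForAllValues` variant grants the untagged caller; dropping the qualifier, as the finding recommends, restores the expected behaviour without changing the result for tagged callers.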

## Security Warning – Pass role with NotResource
<a name="access-analyzer-reference-policy-checks-security-warning-pass-role-with-not-resource"></a>

**Issue code: **PASS\_ROLE\_WITH\_NOT\_RESOURCE

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Pass role with NotResource: Using the iam:PassRole action with NotResource can be overly permissive because it can allow iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using the iam:PassRole action with NotResource can be overly permissive because it can allow iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs instead."
```

**Resolving the security warning**

To configure many AWS services, you must pass an IAM role to the service. To allow this, you must grant the `iam:PassRole` permission to an identity (user, group of users, or role). Using `iam:PassRole` in a policy with the `NotResource` element grants the permission on every role except the ones listed, including roles created later, and can allow your principals to access more services or features than you intended. AWS recommends that you specify the allowed role ARNs in the `Resource` element instead. Additionally, you can reduce permissions to a single service by using the `iam:PassedToService` condition key.

**Related terms**
+ [Passing a role to a service](id_roles_use_passrole.md)
+ [iam:PassedToService](reference_policies_iam-condition-keys.md#ck_PassedToService)
+ [IAM JSON policy elements: NotResource](reference_policies_elements_notresource.md)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

## Security Warning – Pass role with star in action and NotResource
<a name="access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-action-and-not-resource"></a>

**Issue code: **PASS\_ROLE\_WITH\_STAR\_IN\_ACTION\_AND\_NOT\_RESOURCE

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Pass role with star in action and NotResource: Using an action with a wildcard (*) and NotResource can be overly permissive because it can allow iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using an action with a wildcard (*) and NotResource can be overly permissive because it can allow iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs instead."
```

**Resolving the security warning**

To configure many AWS services, you must pass an IAM role to the service. To allow this, you must grant the `iam:PassRole` permission to an identity (user, group of users, or role). Policies with a wildcard (\*) in the `Action` element that matches `iam:PassRole` and that include the `NotResource` element can allow your principals to access more services or features than you intended. AWS recommends that you specify the allowed role ARNs in the `Resource` element instead. Additionally, you can reduce permissions to a single service by using the `iam:PassedToService` condition key.

**Related terms**
+ [Passing a role to a service](id_roles_use_passrole.md)
+ [iam:PassedToService](reference_policies_iam-condition-keys.md#ck_PassedToService)
+ [IAM JSON policy elements: NotResource](reference_policies_elements_notresource.md)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

## Security Warning – Pass role with NotAction and NotResource
<a name="access-analyzer-reference-policy-checks-security-warning-pass-role-with-not-action-and-not-resource"></a>

**Issue code: **PASS\_ROLE\_WITH\_NOT\_ACTION\_AND\_NOT\_RESOURCE

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Pass role with NotAction and NotResource: Using NotAction with NotResource can be overly permissive because it can allow iam:PassRole permissions on multiple resources.. We recommend that you specify resource ARNs instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using NotAction with NotResource can be overly permissive because it can allow iam:PassRole permissions on multiple resources.. We recommend that you specify resource ARNs instead."
```

**Resolving the security warning**

To configure many AWS services, you must pass an IAM role to the service. To allow this, you must grant the `iam:PassRole` permission to an identity (user, group of users, or role). Using the `NotAction` element grants every action that is not listed, including `iam:PassRole` unless you exclude it, and listing some resources in the `NotResource` element grants that permission on every other role. Together they can allow your principals to access more services or features than you intended. AWS recommends that you specify the allowed role ARNs in the `Resource` element instead. Additionally, you can reduce permissions to a single service by using the `iam:PassedToService` condition key.

**Related terms**
+ [Passing a role to a service](id_roles_use_passrole.md)
+ [iam:PassedToService](reference_policies_iam-condition-keys.md#ck_PassedToService)
+ [IAM JSON policy elements: NotAction](reference_policies_elements_notaction.md)
+ [IAM JSON policy elements: Action](reference_policies_elements_action.md)
+ [IAM JSON policy elements: NotResource](reference_policies_elements_notresource.md)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

## Security Warning – Pass role with star in resource
<a name="access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource"></a>

**Issue code: **PASS\_ROLE\_WITH\_STAR\_IN\_RESOURCE

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Pass role with star in resource: Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement."
```

**Resolving the security warning**

To configure many AWS services, you must pass an IAM role to the service. To allow this, you must grant the `iam:PassRole` permission to an identity (user, group of users, or role). Policies that allow `iam:PassRole` and that include a wildcard (\*) in the `Resource` element can allow your principals to access more services or features than you intended. AWS recommends that you specify the allowed role ARNs in the `Resource` element instead. Additionally, you can reduce permissions to a single service by using the `iam:PassedToService` condition key.

Some AWS services include their service namespace in the name of their role. This policy check takes these conventions into account while analyzing the policy to generate findings. For example, the following resource ARN might not generate a finding:

```
arn:aws:iam::*:role/Service*
```

**Related terms**
+ [Passing a role to a service](id_roles_use_passrole.md)
+ [iam:PassedToService](reference_policies_iam-condition-keys.md#ck_PassedToService)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

### AWS managed policies with this security warning
<a name="accan-ref-policy-check-message-fix-security-warning-pass-role-with-star-in-resource-awsmanpol"></a>

[AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) enable you to get started with AWS by assigning permissions based on general AWS use cases.

One of those use cases is for administrators within your account. The following AWS managed policies provide administrator access and grant permissions to pass any IAM role to any service. AWS recommends that you attach the following AWS managed policies only to IAM identities that you consider administrators.
+ [AdministratorAccess-Amplify](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AdministratorAccess-Amplify)

The following AWS managed policies include permissions to `iam:PassRole` with a wildcard (\*) in the resource and are on a [deprecation path](access_policies_managed-deprecated.md). For each of these policies, we updated the permission guidance, such as recommending a new AWS managed policy that supports the use case. To view alternatives to these policies, see the guides for [each service](reference_aws-services-that-work-with-iam.md).
+ AWSElasticBeanstalkFullAccess
+ AWSElasticBeanstalkService
+ AWSLambdaFullAccess
+ AWSLambdaReadOnlyAccess
+ AWSOpsWorksFullAccess
+ AWSOpsWorksRole
+ AWSDataPipelineRole
+ AmazonDynamoDBFullAccesswithDataPipeline
+ AmazonElasticMapReduceFullAccess
+ AmazonEC2ContainerServiceFullAccess

The following AWS managed policies provide permissions for only [service-linked roles](id_roles_create-service-linked-role.md), which allow AWS services to perform actions on your behalf. You cannot attach these policies to your IAM identities.
+ [AWSServiceRoleForAmazonEKSNodegroup](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForAmazonEKSNodegroup)

## Security Warning – Pass role with star in action and resource
<a name="access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-action-and-resource"></a>

**Issue code: **PASS\_ROLE\_WITH\_STAR\_IN\_ACTION\_AND\_RESOURCE

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Pass role with star in action and resource: Using wildcards (*) in the action and the resource can be overly permissive because it allows iam:PassRole permissions on all resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using wildcards (*) in the action and the resource can be overly permissive because it allows iam:PassRole permissions on all resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement."
```

**Resolving the security warning**

To configure many AWS services, you must pass an IAM role to the service. To allow this, you must grant the `iam:PassRole` permission to an identity (user, group of users, or role). Policies with a wildcard (\*) in both the `Action` and `Resource` elements allow the principal to pass any role to any service, and can allow your principals to access more services or features than you intended. AWS recommends that you specify the allowed role ARNs in the `Resource` element instead. Additionally, you can reduce permissions to a single service by using the `iam:PassedToService` condition key.

**Related terms**
+ [Passing a role to a service](id_roles_use_passrole.md)
+ [iam:PassedToService](reference_policies_iam-condition-keys.md#ck_PassedToService)
+ [IAM JSON policy elements: Action](reference_policies_elements_action.md)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

### AWS managed policies with this security warning
<a name="accan-ref-policy-check-message-fix-security-warning-pass-role-with-star-in-action-and-resource-awsmanpol"></a>

[AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) enable you to get started with AWS by assigning permissions based on general AWS use cases.

Some of those use cases are for administrators within your account. The following AWS managed policies provide administrator access and grant permissions to pass any IAM role to any AWS service. AWS recommends that you attach the following AWS managed policies to only the IAM identities that you consider administrators.
+ [AdministratorAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AdministratorAccess)
+ [IAMFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/IAMFullAccess)

## Security Warning – Pass role with star in resource and NotAction
<a name="access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource-and-not-action"></a>

**Issue code: **PASS\_ROLE\_WITH\_STAR\_IN\_RESOURCE\_AND\_NOT\_ACTION

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Pass role with star in resource and NotAction: Using a resource with wildcards (*) and NotAction can be overly permissive because it allows iam:PassRole permissions on all resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using a resource with wildcards (*) and NotAction can be overly permissive because it allows iam:PassRole permissions on all resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement."
```

**Resolving the security warning**

To configure many AWS services, you must pass an IAM role to the service. To allow this, you must grant the `iam:PassRole` permission to an identity (user, group of users, or role). Using the `NotAction` element in a policy with a wildcard (\*) in the `Resource` element grants `iam:PassRole` on every role unless the action is explicitly excluded, and can allow your principals to access more services or features than you intended. AWS recommends that you specify the allowed role ARNs in the `Resource` element instead. Additionally, you can reduce permissions to a single service by using the `iam:PassedToService` condition key.

**Related terms**
+ [Passing a role to a service](id_roles_use_passrole.md)
+ [iam:PassedToService](reference_policies_iam-condition-keys.md#ck_PassedToService)
+ [IAM JSON policy elements: NotAction](reference_policies_elements_notaction.md)
+ [IAM JSON policy elements: Action](reference_policies_elements_action.md)
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)
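
The six `iam:PassRole` findings above differ only in how the statement names the action (`iam:PassRole`, a wildcard that matches it, or `NotAction`) and how it names the roles (`NotResource`, or a `Resource` with a wildcard). The following is an added example, not code from AWS or from Access Analyzer: a simplified static check that reproduces those six findings over an IAM policy document and suppresses the wildcard-resource findings when `iam:PassedToService` is present, as the messages suggest. It does not implement Access Analyzer's service-namespace naming heuristic (`role/Service*`), and the sample policy and the account ID `111122223333` are constructed.

```python
"""Added example, not AWS's code: a simplified static check that reproduces the
six Access Analyzer iam:PassRole findings above over an IAM policy document.
Unlike Access Analyzer it does not apply the service-namespace naming heuristic
for role ARNs. The sample policy and account ID are constructed."""
import fnmatch
import json

PASS_ROLE = "iam:passrole"

CODES = {
    ("explicit", "NotResource"): "PASS_ROLE_WITH_NOT_RESOURCE",
    ("wildcard", "NotResource"): "PASS_ROLE_WITH_STAR_IN_ACTION_AND_NOT_RESOURCE",
    ("notaction", "NotResource"): "PASS_ROLE_WITH_NOT_ACTION_AND_NOT_RESOURCE",
    ("explicit", "Resource"): "PASS_ROLE_WITH_STAR_IN_RESOURCE",
    ("wildcard", "Resource"): "PASS_ROLE_WITH_STAR_IN_ACTION_AND_RESOURCE",
    ("notaction", "Resource"): "PASS_ROLE_WITH_STAR_IN_RESOURCE_AND_NOT_ACTION",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_pass_role(pattern):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(PASS_ROLE, pattern.lower())


def _how_pass_role_is_granted(stmt):
    """'explicit', 'wildcard', 'notaction', or None if the statement cannot pass a role."""
    if "NotAction" in stmt:
        # NotAction grants every action not listed, so PassRole is included unless excluded.
        excluded = any(_covers_pass_role(p) for p in _as_list(stmt["NotAction"]))
        return None if excluded else "notaction"
    patterns = _as_list(stmt.get("Action"))
    if any(p.lower() == PASS_ROLE for p in patterns):
        return "explicit"
    if any("*" in p and _covers_pass_role(p) for p in patterns):
        return "wildcard"
    return None


def _scoped_by_passed_to_service(stmt):
    return any(k.lower() == "iam:passedtoservice"
               for block in stmt.get("Condition", {}).values() for k in block)


def check_pass_role(policy_json):
    """Return (Sid, issue code) for each Allow statement that passes roles too broadly."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        how = _how_pass_role_is_granted(stmt) if stmt.get("Effect") == "Allow" else None
        if how is None:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotResource" in stmt:
            findings.append((sid, CODES[(how, "NotResource")]))
        elif not _scoped_by_passed_to_service(stmt) and \
                any("*" in r for r in _as_list(stmt.get("Resource"))):
            findings.append((sid, CODES[(how, "Resource")]))
    return findings


# Constructed sample policy; 111122223333 is a placeholder account ID.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnyRoleAnywhere", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "AdminStyle", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "AllButOne", "Effect": "Allow",
         "Action": "iam:PassRole", "NotResource": "arn:aws:iam::111122223333:role/Admin"},
        {"Sid": "EverythingButS3", "Effect": "Allow",
         "NotAction": "s3:*", "NotResource": "arn:aws:iam::111122223333:role/Admin"},
        {"Sid": "ScopedToLambda", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "arn:aws:iam::111122223333:role/app-*",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Sid": "ExactRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "arn:aws:iam::111122223333:role/app-deployer"},
    ],
})

if __name__ == "__main__":
    for sid, code in check_pass_role(SAMPLE_POLICY):
        print(f"{sid}: {code}")
```

The first four statements each produce one finding; `ScopedToLambda` is skipped because `iam:PassedToService` narrows the wildcard resource to a single service, and `ExactRole` is skipped because it names a specific role ARN.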

## Security Warning – Missing paired condition keys
<a name="access-analyzer-reference-policy-checks-security-warning-missing-paired-condition-keys"></a>

**Issue code: **MISSING\_PAIRED\_CONDITION\_KEYS

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing paired condition keys: Using the condition key {{conditionKeyName}} can be overly permissive without also using the following condition keys: {{recommendedKeys}}. Condition keys like this one are more secure when paired with a related key. We recommend that you add the related condition keys to the same condition block.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using the condition key {{conditionKeyName}} can be overly permissive without also using the following condition keys: {{recommendedKeys}}. Condition keys like this one are more secure when paired with a related key. We recommend that you add the related condition keys to the same condition block."
```

**Resolving the security warning**

Some condition keys are more secure when paired with other related condition keys. AWS recommends that you include the related condition keys in the same condition block as the existing condition key. This makes the permissions granted through the policy more secure.

For example, you can use the `aws:VpcSourceIp` condition key to compare the IP address from which a request was made with the IP address that you specify in the policy. AWS recommends that you add the related `aws:SourceVPC` condition key. This checks whether the request comes from the VPC that you specify in the policy *and* the IP address that you specify.

**Related terms**
+ [`aws:VpcSourceIp` global condition key](reference_policies_condition-keys.md#condition-keys-vpcsourceip)
+ [`aws:SourceVPC` global condition key](reference_policies_condition-keys.md#condition-keys-sourcevpc)
+ [Global condition keys](reference_policies_condition-keys.md)
+ [Condition element](reference_policies_elements_condition.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Security Warning – Deny with unsupported tag condition key for service
<a name="access-analyzer-reference-policy-checks-security-warning-deny-with-unsupported-tag-condition-key-for-service"></a>

**Issue code: **DENY\_WITH\_UNSUPPORTED\_TAG\_CONDITION\_KEY\_FOR\_SERVICE

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Deny with unsupported tag condition key for service: Using the effect Deny with the tag condition key {{conditionKeyName}} and actions for services with the following prefixes can be overly permissive: {{serviceNames}}. Actions for the listed services are not denied by this statement. We recommend that you move these actions to a different statement without this condition key.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using the effect Deny with the tag condition key {{conditionKeyName}} and actions for services with the following prefixes can be overly permissive: {{serviceNames}}. Actions for the listed services are not denied by this statement. We recommend that you move these actions to a different statement without this condition key."
```

**Resolving the security warning**

Using unsupported tag condition keys in the `Condition` element of a policy with `"Effect": "Deny"` can be overly permissive, because the condition is ignored for that service. AWS recommends that you remove the service actions that don’t support the condition key and create another statement to deny access to specific resources for those actions.

If you use the `aws:ResourceTag` condition key and it’s not supported by a service action, then the key is not included in the request context. In this case, the condition in the `Deny` statement always returns `false` and the action is never denied. This happens even if the resource is tagged correctly.

When a service supports the `aws:ResourceTag` condition key, you can use tags to control access to that service’s resources. This is known as [attribute-based access control (ABAC)](introduction_attribute-based-access-control.md). Services that don’t support these keys require you to control access to resources using [resource-based access control (RBAC)](introduction_attribute-based-access-control.md#introduction_attribute-based-access-control_compare-rbac).

**Note**  
Some services allow support for the `aws:ResourceTag` condition key for a subset of their resources and actions. IAM Access Analyzer returns findings for the service actions that are not supported. For example, Amazon S3 supports `aws:ResourceTag` for a subset of its resources. To view all of the resource types available in Amazon S3 that support the `aws:ResourceTag` condition key, see [Resource types defined by Amazon S3](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-resources-for-iam-policies) in the Service Authorization Reference.

For example, assume that you want to deny deletion of specific resources that are tagged with the key-value pair `status=Confidential`. Also assume that AWS Lambda allows you to tag and untag resources, but doesn't support the `aws:ResourceTag` condition key. To deny the delete actions for AWS App Mesh and AWS Backup when this tag is present, use the `aws:ResourceTag` condition key. For Lambda, use a resource naming convention instead, such as the `status-Confidential` prefix in the following example, and include a separate statement that denies deleting resources that match that naming convention.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDeleteSupported",
            "Effect": "Deny",
            "Action": [
                "appmesh:DeleteMesh", 
                "backup:DeleteBackupPlan"
                ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/status": "Confidential"
                }
            }
        },
        {
            "Sid": "DenyDeleteUnsupported",
            "Effect": "Deny",
            "Action": "lambda:DeleteFunction",
            "Resource": "arn:aws:lambda:*:123456789012:function:status-Confidential*"
        }
    ]
}
```

**Warning**  
Do not use the …[IfExists](reference_policies_elements_condition_operators.md#Conditions_IfExists) version of the condition operator as a workaround for this finding. In a `Deny` statement, `StringEqualsIfExists` means "if the key is present in the request context, deny the action when the values match; if the key is absent, deny the action." In the previous example, including the `lambda:DeleteFunction` action in the `DenyDeleteSupported` statement with the `StringEqualsIfExists` operator always denies that action: the key is never present in the request context for that action, so every attempt to delete a function is denied, regardless of whether the resource is tagged.

**Related terms**
+ [Global condition keys](reference_policies_condition-keys.md)
+ [Comparing ABAC to RBAC](introduction_attribute-based-access-control.md#introduction_attribute-based-access-control_compare-rbac)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)
+ [Condition element](reference_policies_elements_condition.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Security Warning – Deny NotAction with unsupported tag condition key for service
<a name="access-analyzer-reference-policy-checks-security-warning-deny-notaction-with-unsupported-tag-condition-key-for-service"></a>

**Issue code: **DENY\_NOTACTION\_WITH\_UNSUPPORTED\_TAG\_CONDITION\_KEY\_FOR\_SERVICE

**Finding type: **SECURITY\_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Deny NotAction with unsupported tag condition key for service: Using the effect Deny with NotAction and the tag condition key {{conditionKeyName}} can be overly permissive because some service actions are not denied by this statement. This is because the condition key doesn't apply to some service actions. We recommend that you use Action instead of NotAction.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using the effect Deny with NotAction and the tag condition key {{conditionKeyName}} can be overly permissive because some service actions are not denied by this statement. This is because the condition key doesn't apply to some service actions. We recommend that you use Action instead of NotAction."
```

**Resolving the security warning**

Using tag condition keys in the `Condition` element of a policy with the element `NotAction` and `"Effect": "Deny"` can be overly permissive. The condition is ignored for service actions that don’t support the condition key. AWS recommends that you rewrite the logic to deny a list of actions.

If you use the `aws:ResourceTag` condition key with `NotAction`, any new or existing service actions that don’t support the key are not denied. AWS recommends that you explicitly list the actions that you want to deny. IAM Access Analyzer returns a separate finding for listed actions that don’t support the `aws:ResourceTag` condition key. For more information, see [Security Warning – Deny with unsupported tag condition key for service](#access-analyzer-reference-policy-checks-security-warning-deny-with-unsupported-tag-condition-key-for-service). 

When a service supports the `aws:ResourceTag` condition key, you can use tags to control access to that service’s resources. This is known as [attribute-based access control (ABAC)](introduction_attribute-based-access-control.md). Services that don’t support these keys require you to control access to resources using [resource-based access control (RBAC)](introduction_attribute-based-access-control.md#introduction_attribute-based-access-control_compare-rbac).

**Related terms**
+ [Global condition keys](reference_policies_condition-keys.md)
+ [Comparing ABAC to RBAC](introduction_attribute-based-access-control.md#introduction_attribute-based-access-control_compare-rbac)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)
+ [Condition element](reference_policies_elements_condition.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Security Warning – Restrict access to service principal
<a name="access-analyzer-reference-policy-checks-security-warning-restrict-access-to-service-principal"></a>

**Issue code: **RESTRICT_ACCESS_TO_SERVICE_PRINCIPAL

**Finding type: **SECURITY_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Restrict access to service principal: Granting access to a service principal without specifying a source is overly permissive. Use aws:SourceArn, aws:SourceAccount, aws:SourceOrgID, or aws:SourceOrgPaths condition key to grant fine-grained access.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Granting access to a service principal without specifying a source is overly permissive. Use aws:SourceArn, aws:SourceAccount, aws:SourceOrgID, or aws:SourceOrgPaths condition key to grant fine-grained access."
```

**Resolving the security warning**

You can specify AWS services in the `Principal` element of a resource-based policy using a service principal, which is an identifier for the service. When granting access to a service principal to act on your behalf, restrict access. You can prevent overly permissive policies by using the `aws:SourceArn`, `aws:SourceAccount`, `aws:SourceOrgID`, or `aws:SourceOrgPaths` condition keys to restrict access to a specific source, such as a specific resource ARN, AWS account, organization ID, or organization paths. Restricting access helps you prevent a security issue called *the confused deputy problem*.

**Related terms**
+ [AWS service principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services)
+ [AWS global condition keys: aws:SourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount)
+ [AWS global condition keys: aws:SourceArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn)
+ [AWS global condition keys: aws:SourceOrgId](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceorgid)
+ [AWS global condition keys: aws:SourceOrgPaths](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceorgpaths)
+ [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)
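
The following Python, added here as an illustration and not part of the AWS documentation or of IAM Access Analyzer itself, emulates this check over a single resource-policy statement and shows a weak grant to a service principal beside the same grant bound to a source with `aws:SourceAccount` and `aws:SourceArn`. The CloudTrail scenario, bucket name, trail name and account ID 111122223333 are constructed placeholders.

```python
# Condition keys that bind a service-principal grant to a specific source.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid", "aws:sourceorgpaths"}


def condition_keys(statement: dict) -> set[str]:
    """Every condition key in the statement, lower-cased (IAM compares keys case-insensitively)."""
    return {k.lower() for pairs in statement.get("Condition", {}).values() for k in pairs}


def service_principals(statement: dict) -> list[str]:
    """Service principals named in the Principal element ("*" or a bare ARN string names none)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return []
    services = principal.get("Service", [])
    return [services] if isinstance(services, str) else list(services)


def check_service_principal(statement: dict) -> list[str]:
    """Emulate RESTRICT_ACCESS_TO_SERVICE_PRINCIPAL for one statement.

    A finding is returned when an Allow statement grants access to a service
    principal and no aws:Source* condition key ties that grant to a source.
    """
    services = service_principals(statement)
    if statement.get("Effect") != "Allow" or not services:
        return []
    if condition_keys(statement) & SOURCE_KEYS:
        return []
    return [f"RESTRICT_ACCESS_TO_SERVICE_PRINCIPAL: {s}" for s in services]


# Constructed bucket-policy statement letting CloudTrail deliver logs. The bucket
# name, trail name and account ID 111122223333 are placeholders.
WEAK_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/111122223333/*",
}

# Same grant bound to one account and one trail. A trail that someone else points
# at this bucket comes from a different account and ARN, so it no longer matches:
# that is the confused deputy scenario this check is about.
HARDENED_STATEMENT = {
    **WEAK_STATEMENT,
    "Condition": {
        "StringEquals": {"aws:SourceAccount": "111122223333"},
        "ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:*:111122223333:trail/example-trail"},
    },
}

if __name__ == "__main__":
    for name, stmt in (("weak", WEAK_STATEMENT), ("hardened", HARDENED_STATEMENT)):
        print(name, check_service_principal(stmt) or "no findings")
```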

## Security Warning – Missing condition key for oidc principal
<a name="access-analyzer-reference-policy-checks-security-warning-missing-condition-key-for-oidc-principal"></a>

**Issue code: **MISSING_CONDITION_KEY_FOR_OIDC_PRINCIPAL

**Finding type: **SECURITY_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing condition key for oidc principal: Using an Open ID Connect principal without a condition can be overly permissive. Add condition keys with a prefix that matches your federated OIDC principals to ensure that only the intended identity provider assumes the role.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using an Open ID Connect principal without a condition can be overly permissive. Add condition keys with a prefix that matches your federated OIDC principals to ensure that only the intended identity provider assumes the role."
```

**Resolving the security warning**

Using an Open ID Connect principal without a condition can be overly permissive. Add condition keys with a prefix that matches your federated OIDC principals to ensure that only the intended identity provider assumes the role.

**Related terms**
+ [Creating a role for web identity or OpenID Connect Federation (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html)

## Security Warning – Missing github repo condition key
<a name="access-analyzer-reference-policy-checks-security-warning-missing-github-repo-condition-key"></a>

**Issue code: **MISSING_GITHUB_REPO_CONDITION_KEY

**Finding type: **SECURITY_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Missing github repo condition key: Granting a federated GitHub principal permissions without a condition key can allow more sources to assume the role than you intended. Add the token.actions.githubusercontent.com:sub condition key and specify the branch and repository name in the value.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Granting a federated GitHub principal permissions without a condition key can allow more sources to assume the role than you intended. Add the token.actions.githubusercontent.com:sub condition key and specify the branch and repository name in the value."
```

**Resolving the security warning**

If you use GitHub as an OIDC IdP, best practice is to limit the entities that can assume the role associated with the IAM IdP. When you include a `Condition` statement in a role trust policy, you can limit the role to a specific GitHub organization, repository, or branch. You can use the condition key `token.actions.githubusercontent.com:sub` to limit access. We recommend that you limit the condition to a specific set of repositories or branches. If you do not include this condition, then GitHub Actions from organizations or repositories outside of your control are able to assume roles associated with the GitHub IAM IdP in your AWS account.

**Related terms**
+ [Configuring a role for GitHub OIDC identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub)
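
As an added illustration (not AWS code), the following Python emulates both the OIDC-principal check above and this GitHub check over a role trust statement, and shows a trust policy with no conditions beside one pinned to the STS audience and to a `repo:OWNER/REPO:ref:refs/heads/BRANCH` subject. The account ID, organization and repository names are constructed placeholders.

```python
GITHUB_ISSUER = "token.actions.githubusercontent.com"
OIDC_MARKER = ":oidc-provider/"


def condition_keys(statement: dict) -> set[str]:
    """Every condition key in the statement, lower-cased (IAM compares keys case-insensitively)."""
    return {k.lower() for pairs in statement.get("Condition", {}).values() for k in pairs}


def oidc_providers(statement: dict) -> list[str]:
    """Host names of the OIDC providers named as Federated principals.

    OIDC provider ARNs have the form arn:aws:iam::ACCOUNT:oidc-provider/HOSTNAME;
    SAML providers and other federated principals are skipped.
    """
    principal = statement.get("Principal", {})
    federated = principal.get("Federated", []) if isinstance(principal, dict) else []
    federated = [federated] if isinstance(federated, str) else list(federated)
    return [arn.split(OIDC_MARKER, 1)[1].lower() for arn in federated if OIDC_MARKER in arn]


def check_oidc_trust(statement: dict) -> list[str]:
    """Emulate MISSING_CONDITION_KEY_FOR_OIDC_PRINCIPAL and MISSING_GITHUB_REPO_CONDITION_KEY."""
    if statement.get("Effect") != "Allow":
        return []
    keys = condition_keys(statement)
    findings = []
    for host in oidc_providers(statement):
        # The provider's token claims appear as condition keys prefixed with its host name.
        if not any(k.startswith(host + ":") for k in keys):
            findings.append(f"MISSING_CONDITION_KEY_FOR_OIDC_PRINCIPAL: {host}")
        # For GitHub, the sub claim is what carries the repository and branch.
        if host == GITHUB_ISSUER and f"{host}:sub" not in keys:
            findings.append(f"MISSING_GITHUB_REPO_CONDITION_KEY: {host}")
    return findings


# Constructed trust statement: account ID, organization and repository are placeholders.
WEAK_TRUST = {
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_ISSUER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
}

# Same statement pinned to the STS audience and to one branch of one repository.
# The GitHub sub claim has the form repo:OWNER/REPO:ref:refs/heads/BRANCH.
HARDENED_TRUST = {
    **WEAK_TRUST,
    "Condition": {
        "StringEquals": {f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com"},
        "StringLike": {f"{GITHUB_ISSUER}:sub": "repo:example-org/example-repo:ref:refs/heads/main"},
    },
}

if __name__ == "__main__":
    for name, stmt in (("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST)):
        print(name, check_oidc_trust(stmt) or "no findings")
```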

## Security Warning – String like operator with ARN condition keys
<a name="access-analyzer-reference-policy-checks-security-warning-string-like-operator-with-arn-condition-keys"></a>

**Issue code: **STRING_LIKE_OPERATOR_WITH_ARN_CONDITION_KEYS

**Finding type: **SECURITY_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
String like operator with ARN condition keys: Use the operator type {{allowed}} instead of operator {{operator}} for the condition key {{key}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Use the operator type {{allowed}} instead of operator {{operator}} for the condition key {{key}}."
```

**Resolving the security warning**

AWS recommends that you use ARN operators instead of string operators when comparing ARNs to ensure proper access restriction based on ARN condition values. Update the `StringLike` operator to the `ArnLike` operator in your `Condition` element whenever the specified key is used.

These AWS managed policies are exceptions to this security warning:
+ [AmazonSecurityLakeAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSecurityLakeAdministrator.html)
+ [AWSCodePipeline_FullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCodePipeline_FullAccess.html)
+ [AWSCodePipeline_ReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCodePipeline_ReadOnlyAccess.html)
+ [S3UnlockBucketPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/S3UnlockBucketPolicy.html)
+ [SQSUnlockQueuePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SQSUnlockQueuePolicy.html)

**Related terms**
+ [Amazon Resource Name (ARN) condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN)
+ [String condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String)
+ [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies)

## Security Warning – ForAnyValue with audience claim type
<a name="access-analyzer-reference-policy-checks-security-warning-foranyvalue-with-audience-claim-type"></a>

**Issue code: **FORANYVALUE_WITH_AUDIENCE_CLAIM_TYPE

**Finding type: **SECURITY_WARNING

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
ForAnyValue with audience claim type: Using ForAnyValue qualifier with the single-valued condition key {{key}} can be overly permissive. We recommend that you remove ForAnyValue:.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using ForAnyValue qualifier with the single-valued condition key {{key}} can be overly permissive. We recommend that you remove ForAnyValue:."
```

**Resolving the security warning**

AWS recommends that you do not use the `ForAnyValue` set operator with single-valued condition keys. Use set operators only with multivalued condition keys. Remove the `ForAnyValue` set operator.

**Related terms**
+ [Single-valued vs. multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md)
+ [Single-valued context key policy examples](reference_policies_condition_examples-single-valued-context-keys.md)

## Suggestion – Empty array action
<a name="access-analyzer-reference-policy-checks-suggestion-empty-array-action"></a>

**Issue code: **EMPTY_ARRAY_ACTION

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty array action: This statement includes no actions and does not affect the policy. Specify actions.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "This statement includes no actions and does not affect the policy. Specify actions."
```

**Resolving the suggestion**

Statements must include either an `Action` or `NotAction` element that includes a set of actions. When the element is empty, the policy statement provides no permissions. Specify actions in the `Action` element.
**Related terms**
+ [IAM JSON policy elements: Action](reference_policies_elements_action.md)

## Suggestion – Empty array condition
<a name="access-analyzer-reference-policy-checks-suggestion-empty-array-condition"></a>

**Issue code: **EMPTY_ARRAY_CONDITION

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty array condition: There are no values for the condition key {{key}} and it does not affect the policy. Specify conditions.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "There are no values for the condition key {{key}} and it does not affect the policy. Specify conditions."
```

**Resolving the suggestion**

The optional `Condition` element structure requires that you use a condition operator and a key-value pair. When the condition value is empty, the condition returns `true` and the policy statement provides no permissions. Specify a condition value.
**Related terms**
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)

## Suggestion – Empty array condition ForAllValues
<a name="access-analyzer-reference-policy-checks-suggestion-empty-array-condition-forallvalues"></a>

**Issue code: **EMPTY_ARRAY_CONDITION_FORALLVALUES

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty array condition ForAllValues: The ForAllValues prefix with an empty condition key matches only if the key {{key}} is missing from the request context. To determine if the request context is empty, we recommend that you use the Null condition operator with the value of true instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The ForAllValues prefix with an empty condition key matches only if the key {{key}} is missing from the request context. To determine if the request context is empty, we recommend that you use the Null condition operator with the value of true instead."
```

**Resolving the suggestion**

The `Condition` element structure requires that you use a condition operator and a key-value pair. The `ForAllValues` set operator tests whether the value of every member of the request set is a subset of the condition key set. 

When you use `ForAllValues` with an empty condition key, the condition matches only if that key is missing from the request context. AWS recommends that if you want to test whether a request context is empty, use the `Null` condition operator instead.

**Related terms**
+ [Multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys)
+ [Null condition operator](reference_policies_elements_condition_operators.md#Conditions_Null)
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)

## Suggestion – Empty array condition ForAnyValue
<a name="access-analyzer-reference-policy-checks-suggestion-empty-array-condition-foranyvalue"></a>

**Issue code: **EMPTY_ARRAY_CONDITION_FORANYVALUE

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty array condition ForAnyValue: The ForAnyValue prefix with an empty condition key {{key}} never matches the request context and it does not affect the policy. Specify conditions.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The ForAnyValue prefix with an empty condition key {{key}} never matches the request context and it does not affect the policy. Specify conditions."
```

**Resolving the suggestion**

The `Condition` element structure requires that you use a condition operator and a key-value pair. The `ForAnyValue` set operator tests whether at least one member of the set of request values matches at least one member of the set of condition key values.

When you use `ForAnyValue` with an empty condition key, the condition never matches. This means that the statement has no effect on the policy. AWS recommends that you rewrite the condition.

**Related terms**
+ [Multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys)
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)

## Suggestion – Empty array condition IfExists
<a name="access-analyzer-reference-policy-checks-suggestion-empty-array-condition-ifexists"></a>

**Issue code: **EMPTY_ARRAY_CONDITION_IFEXISTS

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty array condition IfExists: The IfExists suffix with an empty condition key matches only if the key {{key}} is missing from the request context. To determine if the request context is empty, we recommend that you use the Null condition operator with the value of true instead.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The IfExists suffix with an empty condition key matches only if the key {{key}} is missing from the request context. To determine if the request context is empty, we recommend that you use the Null condition operator with the value of true instead."
```

**Resolving the suggestion**

The `...IfExists` suffix modifies a condition operator. If the policy key is present in the request context, the key is processed as specified in the policy. If the key is not present, the condition element evaluates to true.

When you use `...IfExists` with an empty condition key, the condition matches only if that key is missing from the request context. AWS recommends that if you want to test whether a request context is empty, use the `Null` condition operator instead.

**Related terms**
+ [...IfExists condition operators](reference_policies_elements_condition_operators.md#Conditions_IfExists)
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)

## Suggestion – Empty array principal
<a name="access-analyzer-reference-policy-checks-suggestion-empty-array-principal"></a>

**Issue code: **EMPTY_ARRAY_PRINCIPAL

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty array principal: This statement includes no principals and does not affect the policy. Specify principals.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "This statement includes no principals and does not affect the policy. Specify principals."
```

**Resolving the suggestion**

You must use the `Principal` or `NotPrincipal` element in the trust policies for IAM roles and in resource-based policies. Resource-based policies are policies that you embed directly in a resource.

When you provide an empty array in a statement's `Principal` element, the statement has no effect on the policy. AWS recommends that you specify the principals that should have access to the resource.
**Related terms**
+ [IAM JSON policy elements: Principal](reference_policies_elements_principal.md)
+ [IAM JSON policy elements: NotPrincipal](reference_policies_elements_notprincipal.md)

## Suggestion – Empty array resource
<a name="access-analyzer-reference-policy-checks-suggestion-empty-array-resource"></a>

**Issue code: **EMPTY_ARRAY_RESOURCE

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty array resource: This statement includes no resources and does not affect the policy. Specify resources.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "This statement includes no resources and does not affect the policy. Specify resources."
```

**Resolving the suggestion**

Statements must include either a `Resource` or a `NotResource` element.

When you provide an empty array in a statement's resource element, the statement has no effect on the policy. AWS recommends that you specify Amazon Resource Names (ARNs) for resources.
**Related terms**
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)
+ [IAM JSON policy elements: NotResource](reference_policies_elements_notresource.md)

## Suggestion – Empty object condition
<a name="access-analyzer-reference-policy-checks-suggestion-empty-object-condition"></a>

**Issue code: **EMPTY_OBJECT_CONDITION

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty object condition: This condition block is empty and it does not affect the policy. Specify conditions.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "This condition block is empty and it does not affect the policy. Specify conditions."
```

**Resolving the suggestion**

The `Condition` element structure requires that you use a condition operator and a key-value pair.

When you provide an empty object in a statement's condition element, the statement has no effect on the policy. Remove the optional element or specify conditions.
**Related terms**
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)

## Suggestion – Empty object principal
<a name="access-analyzer-reference-policy-checks-suggestion-empty-object-principal"></a>

**Issue code: **EMPTY_OBJECT_PRINCIPAL

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty object principal: This statement includes no principals and does not affect the policy. Specify principals.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "This statement includes no principals and does not affect the policy. Specify principals."
```

**Resolving the suggestion**

You must use the `Principal` or `NotPrincipal` element in the trust policies for IAM roles and in resource-based policies. Resource-based policies are policies that you embed directly in a resource.

When you provide an empty object in a statement's `Principal` element, the statement has no effect on the policy. AWS recommends that you specify the principals that should have access to the resource.
**Related terms**
+ [IAM JSON policy elements: Principal](reference_policies_elements_principal.md)
+ [IAM JSON policy elements: NotPrincipal](reference_policies_elements_notprincipal.md)

## Suggestion – Empty Sid value
<a name="access-analyzer-reference-policy-checks-suggestion-empty-sid-value"></a>

**Issue code: **EMPTY_SID_VALUE

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Empty Sid value: Add a value to the empty string in the Sid element.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Add a value to the empty string in the Sid element."
```

**Resolving the suggestion**

The optional `Sid` (statement ID) element allows you to enter an identifier that you provide for the policy statement. You can assign an `Sid` value to each statement in a statement array. If you choose to use the `Sid` element, you must provide a string value.

**Related terms**
+ [IAM JSON policy elements: Sid](reference_policies_elements_sid.md)

## Suggestion – Equivalent to null false
<a name="access-analyzer-reference-policy-checks-suggestion-equivalent-to-null-false"></a>

**Issue code: **EQUIVALENT_TO_NULL_FALSE

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Equivalent to null false: We recommend replacing the key {{key}} in the condition block of {{operator}} with {{{recommendedKey}}: false} to ensure better enforcement of the condition.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "We recommend replacing the key {{key}} in the condition block of {{operator}} with {{{recommendedKey}}: false} to ensure better enforcement of the condition."
```

**Resolving the suggestion**

Replace the current condition key with the recommended key set to `false`. This change improves policy clarity and ensures more reliable condition evaluation. Update your condition block to use `{recommendedKey}: false` instead of the current key-operator combination.

**Related terms**
+ [IAM policy elements: Condition](reference_policies_elements_condition.md)
+ [Conditions with multiple context keys or values](reference_policies_condition-logic-multiple-context-keys-or-values.md)
+ [AWS global condition context keys](reference_policies_condition-keys.md)

## Suggestion – Equivalent to null true
<a name="access-analyzer-reference-policy-checks-suggestion-equivalent-to-null-true"></a>

**Issue code: **EQUIVALENT_TO_NULL_TRUE

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Equivalent to null true: We recommend replacing the key {{key}} in the condition block of {{operator}} with {{{recommendedKey}}: true} to ensure better enforcement of the condition.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "We recommend replacing the key {{key}} in the condition block of {{operator}} with {{{recommendedKey}}: true} to ensure better enforcement of the condition."
```

**Resolving the suggestion**

Replace the current condition key with the recommended key set to `true`. This change improves policy clarity and ensures more reliable condition evaluation. Update your condition block to use `{recommendedKey}: true` instead of the current key-operator combination.

**Related terms**
+ [IAM policy elements: Condition](reference_policies_elements_condition.md)
+ [Conditions with multiple context keys or values](reference_policies_condition-logic-multiple-context-keys-or-values.md)
+ [AWS global condition context keys](reference_policies_condition-keys.md)

## Suggestion – Improve IP range
<a name="access-analyzer-reference-policy-checks-suggestion-improve-ip-range"></a>

**Issue code: **IMPROVE_IP_RANGE

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Improve IP range: The non-zero bits in the IP address after the masked bits are ignored. Replace address with {{addr}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The non-zero bits in the IP address after the masked bits are ignored. Replace address with {{addr}}."
```

**Resolving the suggestion**

IP address conditions must be in the standard CIDR format, such as 203.0.113.0/24 or 2001:DB8:1234:5678::/64. When you include non-zero bits after the masked bits, they are not considered for the condition. AWS recommends that you use the new address included in the message.
**Related terms**
+ [IP address condition operators](reference_policies_elements_condition_operators.md#Conditions_IPAddress)
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)

## Suggestion – Null with qualifier
<a name="access-analyzer-reference-policy-checks-suggestion-null-with-qualifier"></a>

**Issue code: **NULL_WITH_QUALIFIER

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Null with qualifier: Avoid using the Null condition operator with the ForAllValues or ForAnyValue qualifiers because they always return a true or false respectively.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Avoid using the Null condition operator with the ForAllValues or ForAnyValue qualifiers because they always return a true or false respectively."
```

**Resolving the suggestion**

In the `Condition` element, you build expressions in which you use condition operators like equal or less than to compare a condition in the policy against keys and values in the request context. For requests that include multiple values for a single condition key, you must use the `ForAllValues` or `ForAnyValue` set operators.

When you use the `Null` condition operator with `ForAllValues`, the statement always returns `true`. When you use the `Null` condition operator with `ForAnyValue`, the statement always returns `false`. AWS recommends that you use the `StringLike` condition operator with these set operators.

**Related terms**
+ [Multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys)
+ [Null condition operator](reference_policies_elements_condition_operators.md#Conditions_Null)
+ [Condition element](reference_policies_elements_condition.md)

## Suggestion – Private IP address subset
<a name="access-analyzer-reference-policy-checks-suggestion-private-ip-address-subset"></a>

**Issue code: **PRIVATE_IP_ADDRESS_SUBSET

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Private IP address subset: The values for condition key aws:SourceIp include a mix of private and public IP addresses. The private addresses will not have the desired effect. aws:SourceIp works only for public IP address ranges. To define permissions for private IP ranges, use aws:VpcSourceIp.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The values for condition key aws:SourceIp include a mix of private and public IP addresses. The private addresses will not have the desired effect. aws:SourceIp works only for public IP address ranges. To define permissions for private IP ranges, use aws:VpcSourceIp."
```

**Resolving the suggestion**

The global condition key `aws:SourceIp` works only for public IP address ranges.

When your `Condition` element includes a mix of private and public IP addresses, the statement might not have the desired effect. You can specify private IP addresses using `aws:VpcSourceIp`.

**Note**  
The global condition key `aws:VpcSourceIp` matches only if the request originates from the specified IP address and it goes through a VPC endpoint.

**Related terms**
+ [aws:SourceIp global condition key](reference_policies_condition-keys.md#condition-keys-sourceip)
+ [aws:VpcSourceIp global condition key](reference_policies_condition-keys.md#condition-keys-vpcsourceip)
+ [IP address condition operators](reference_policies_elements_condition_operators.md#Conditions_IPAddress)
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)

## Suggestion – Private NotIpAddress subset
<a name="access-analyzer-reference-policy-checks-suggestion-private-not-ip-address-subset"></a>

**Issue code: **PRIVATE_NOT_IP_ADDRESS_SUBSET

**Finding type: **SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Private NotIpAddress subset: The values for condition key aws:SourceIp include a mix of private and public IP addresses. The private addresses have no effect. aws:SourceIp works only for public IP address ranges. To define permissions for private IP ranges, use aws:VpcSourceIp.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The values for condition key aws:SourceIp include a mix of private and public IP addresses. The private addresses have no effect. aws:SourceIp works only for public IP address ranges. To define permissions for private IP ranges, use aws:VpcSourceIp."
```

**Resolving the suggestion**

The global condition key `aws:SourceIp` works only for public IP address ranges.

When your `Condition` element includes the `NotIpAddress` condition operator and a mix of private and public IP addresses, the statement might not have the desired effect. Every public IP address that is not specified in the policy will match, and no private IP address will match. To achieve the intended effect for private addresses, you can use `NotIpAddress` with `aws:VpcSourceIp` and specify the private IP addresses that should not match.

**Related terms**
+ [aws:SourceIp global condition key](reference_policies_condition-keys.md#condition-keys-sourceip)
+ [aws:VpcSourceIp global condition key](reference_policies_condition-keys.md#condition-keys-vpcsourceip)
+ [IP address condition operators](reference_policies_elements_condition_operators.md#Conditions_IPAddress)
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)
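
The following script is an added example, not code from the IAM documentation: it scans a policy's `Condition` blocks for `aws:SourceIp` values that mix private and public ranges (the situation both the `IpAddress` and the `NotIpAddress` suggestions describe) and then applies the page's guidance by moving the private values under `aws:VpcSourceIp` with the same operator. The set of ranges treated as private, the sample policy and its account-free CIDRs are assumptions constructed for the example.

```python
import ipaddress

# Ranges treated as private here. Assumption: RFC 1918, loopback and link-local
# space plus the IPv6 equivalents; aws:SourceIp only ever matches public addresses.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

IP_OPERATORS = ("IpAddress", "NotIpAddress", "IpAddressIfExists", "NotIpAddressIfExists")


def is_private(cidr):
    """True when the address or CIDR lies entirely inside one of PRIVATE_RANGES."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_source_ip(policy):
    """Return one finding per Condition block that mixes private and public
    values under aws:SourceIp. The private values never match, whatever the
    operator, so they either widen or narrow the statement unexpectedly."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        for operator, keys in stmt.get("Condition", {}).items():
            if operator not in IP_OPERATORS:
                continue
            for key, values in keys.items():
                if key.lower() != "aws:sourceip":
                    continue
                private = [v for v in _as_list(values) if is_private(v)]
                public = [v for v in _as_list(values) if not is_private(v)]
                if private and public:
                    findings.append({
                        "sid": stmt.get("Sid"),
                        "operator": operator,
                        "private": private,  # these values have no effect
                        "public": public,
                    })
    return findings


def rewrite_condition(condition):
    """Apply the page's guidance: keep public values under aws:SourceIp and
    move private values under aws:VpcSourceIp with the same operator."""
    fixed = {}
    for operator, keys in condition.items():
        block = {}
        for key, values in keys.items():
            if operator in IP_OPERATORS and key.lower() == "aws:sourceip":
                vals = _as_list(values)
                public = [v for v in vals if not is_private(v)]
                private = [v for v in vals if is_private(v)]
                if public:
                    block["aws:SourceIp"] = public
                if private:
                    block["aws:VpcSourceIp"] = private
            else:
                block[key] = values
        fixed[operator] = block
    return fixed


# Constructed policy: the NotIpAddress list mixes a public office range with an
# RFC 1918 range that aws:SourceIp can never match.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideOffice",
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24", "10.0.0.0/8"]}
        },
    }],
}

if __name__ == "__main__":
    for f in check_source_ip(SAMPLE_POLICY):
        print(f"{f['sid']}: {f['operator']} on aws:SourceIp ignores private {f['private']}")
    print(rewrite_condition(SAMPLE_POLICY["Statement"][0]["Condition"]))
```

The rewrite is mechanical: review the result before deploying it, because `aws:VpcSourceIp` is only present in the request context when the request arrives through a VPC endpoint, so a condition on it behaves differently for requests that do not.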

## Suggestion – Redundant action
<a name="access-analyzer-reference-policy-checks-suggestion-redundant-action"></a>

**Issue code:** REDUNDANT\_ACTION

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Redundant action: The {{redundantActionCount}} action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: {{redundantAction}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The {{redundantActionCount}} action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: {{redundantAction}}."
```

**Resolving the suggestion**

When you use wildcards (\*) in the `Action` element, you can include redundant permissions. AWS recommends that you review your policy and include only the permissions that you need. This can help you remove redundant actions.

For example, the following actions include the `iam:GetCredentialReport` action twice.

```
"Action": [
    "iam:Get*",
    "iam:List*",
    "iam:GetCredentialReport"
],
```

In this example, permissions are defined for every IAM action that begins with `Get` or `List`. When IAM adds additional get or list operations, this policy will allow them. You might want to allow all of these read-only actions. The `iam:GetCredentialReport` action is already included as part of `iam:Get*`. To remove the duplicate permissions, you could remove `iam:GetCredentialReport`.

You receive a finding for this policy check only when everything that an action entry matches is already covered by the other entries. In this example, if the element instead included `iam:*CredentialReport`, that entry would not be considered redundant: it matches `iam:GetCredentialReport`, which is redundant, and `iam:GenerateCredentialReport`, which is not. Removing either `iam:Get*` or `iam:*CredentialReport` would change the policy's permissions.
+ [IAM JSON policy elements: Action](reference_policies_elements_action.md)
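
The following script is an added example, not code from the IAM documentation. It reproduces the "all of the contents are redundant" rule from the paragraphs above: an `Action` entry is reported only when every action it matches is also matched by the entries that remain. Because a wildcard can only be expanded against a list of known actions, the script uses a small constructed catalogue of IAM action names (an assumption standing in for the full service action list); the `iam:*CredentialReport` case shows why a partially overlapping pattern is not flagged.

```python
import fnmatch

# Constructed catalogue of IAM actions. Assumption: a wildcard pattern is judged
# against this list only, so it is a small stand-in for the real service's
# action list and must contain every action the patterns under test can match.
IAM_ACTIONS = [
    "iam:GetCredentialReport", "iam:GenerateCredentialReport",
    "iam:GetUser", "iam:GetRole", "iam:ListUsers", "iam:ListRoles",
    "iam:CreateUser", "iam:DeleteUser",
]


def expand(pattern, catalogue=IAM_ACTIONS):
    """Actions that a single Action entry matches. IAM action names are
    case-insensitive and '*' / '?' are the only wildcards."""
    pat = pattern.lower()
    return {a for a in catalogue if fnmatch.fnmatchcase(a.lower(), pat)}


def redundant_actions(actions, catalogue=IAM_ACTIONS):
    """Return the Action entries whose whole expansion is already covered by the
    entries that remain after earlier redundant ones are dropped. Dropping
    entries one at a time keeps one copy of an exact duplicate."""
    expansions = [expand(a, catalogue) for a in actions]
    keep = list(range(len(actions)))
    redundant = []
    for i, action in enumerate(actions):
        if not expansions[i]:
            continue  # matches nothing in our catalogue: cannot judge, leave it
        others = set().union(*[expansions[j] for j in keep if j != i])
        if expansions[i] <= others:
            redundant.append(action)
            keep.remove(i)
    return redundant


if __name__ == "__main__":
    # The page's example: iam:GetCredentialReport is covered by iam:Get*.
    print(redundant_actions(["iam:Get*", "iam:List*", "iam:GetCredentialReport"]))
    # iam:*CredentialReport also matches GenerateCredentialReport, so it stays.
    print(redundant_actions(["iam:Get*", "iam:List*", "iam:*CredentialReport"]))
```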

### AWS managed policies with this suggestion
<a name="accan-ref-policy-check-message-fix-suggestion-redundant-action-awsmanpol"></a>

[AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) enable you to get started with AWS by assigning permissions based on general AWS use cases.

Redundant actions do not affect the permissions granted by the policy. When using an AWS managed policy as a reference to create your customer managed policy, AWS recommends that you remove redundant actions from your policy.

## Suggestion – Redundant condition value num
<a name="access-analyzer-reference-policy-checks-suggestion-redundant-condition-value-num"></a>

**Issue code:** REDUNDANT\_CONDITION\_VALUE\_NUM

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Redundant condition value num: Multiple values in {{operator}} are redundant. Replace with the {{greatest/least}} single value for {{key}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Multiple values in {{operator}} are redundant. Replace with the {{greatest/least}} single value for {{key}}."
```

**Resolving the suggestion**

When you use numeric condition operators for similar values in a condition key, you can create an overlap that results in redundant permissions.

For example, the following `Condition` element includes multiple `aws:MultiFactorAuthAge` conditions that have an age overlap of 1200 seconds.

```
"Condition": {
    "NumericLessThan": {
        "aws:MultiFactorAuthAge": [
            "2700",
            "3600"
        ]
    }
}
```

In this example, the permissions are defined if multi-factor authentication (MFA) was completed less than 3600 seconds (1 hour) ago. You could remove the redundant `2700` value.
+ [Numeric condition operators](reference_policies_elements_condition_operators.md#Conditions_Numeric)
+ [IAM JSON policy elements: Condition](reference_policies_elements_condition.md)
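
The following script is an added example, not code from the IAM documentation. It carries the reasoning above through for the numeric operators: multiple values under one key are ORed, so for `NumericLessThan` and `NumericLessThanEquals` only the greatest value matters and for `NumericGreaterThan` and `NumericGreaterThanEquals` only the least, which is the `{{greatest/least}}` choice the finding message refers to. The operator table and the treatment of the `...IfExists` variants are the script's own assumptions.

```python
# Assumption about the semantics being modelled: several values under one
# condition key are ORed, so "age < 2700 OR age < 3600" is simply "age < 3600"
# (keep the greatest value) and "x > a OR x > b" keeps the least. Equality
# operators are not collapsed because their values are genuinely different.
COLLAPSE_WITH = {
    "NumericLessThan": max,
    "NumericLessThanEquals": max,
    "NumericGreaterThan": min,
    "NumericGreaterThanEquals": min,
}


def simplify_numeric_conditions(condition):
    """Return (findings, simplified) for one Condition element. A finding names
    the operator, the key, the single value kept and the values made redundant."""
    findings = []
    simplified = {}
    for operator, keys in condition.items():
        base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
        pick = COLLAPSE_WITH.get(base)
        block = {}
        for key, values in keys.items():
            if pick is not None and isinstance(values, list) and len(values) > 1:
                numbers = [float(v) for v in values]
                kept = values[numbers.index(pick(numbers))]
                findings.append({
                    "operator": operator,
                    "key": key,
                    "keep": kept,
                    "redundant": [v for v in values if v != kept],
                })
                block[key] = kept
            else:
                block[key] = values
        simplified[operator] = block
    return findings, simplified


# The page's example: two MFA-age bounds of which only the larger matters.
SAMPLE_CONDITION = {
    "NumericLessThan": {"aws:MultiFactorAuthAge": ["2700", "3600"]}
}

if __name__ == "__main__":
    findings, simplified = simplify_numeric_conditions(SAMPLE_CONDITION)
    for finding in findings:
        print(finding)
    print(simplified)
```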

## Suggestion – Redundant resource
<a name="access-analyzer-reference-policy-checks-suggestion-redundant-resource"></a>

**Issue code:** REDUNDANT\_RESOURCE

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Redundant resource: The {{redundantResourceCount}} resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*)
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The {{redundantResourceCount}} resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*)"
```

**Resolving the suggestion**

When you use wildcards (\*) in Amazon Resource Names (ARNs), you can create redundant resource permissions.

For example, the following `Resource` element includes multiple ARNs with redundant permissions.

```
"Resource": [
    "arn:aws:iam::111122223333:role/jane-admin",
    "arn:aws:iam::111122223333:role/jane-s3only",
    "arn:aws:iam::111122223333:role/jane*"
],
```

In this example, the permissions are defined for any role with a name starting with `jane`. You could remove the redundant `jane-admin` and `jane-s3only` ARNs without changing the resulting permissions. This does make the policy dynamic. It will define permissions for any future roles that begin with `jane`. If the intention of the policy is to allow access to a static number of roles, then remove the last ARN and list only the ARNs that should be defined.
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

### AWS managed policies with this suggestion
<a name="accan-ref-policy-check-message-fix-suggestion-redundant-resource-awsmanpol"></a>

[AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) enable you to get started with AWS by assigning permissions based on general AWS use cases.

Redundant resources do not affect the permissions granted by the policy. When using an AWS managed policy as a reference to create your customer managed policy, AWS recommends that you remove redundant resources from your policy.

## Suggestion – Redundant statement
<a name="access-analyzer-reference-policy-checks-suggestion-redundant-statement"></a>

**Issue code:** REDUNDANT\_STATEMENT

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Redundant statement: The statements are redundant because they provide identical permissions. Update the policy to remove the redundant statement.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The statements are redundant because they provide identical permissions. Update the policy to remove the redundant statement."
```

**Resolving the suggestion**

The `Statement` element is the main element for a policy. This element is required. The `Statement` element can contain a single statement or an array of individual statements.

When you include the same statement more than once in a long policy, the statements are redundant. You can remove one of the statements without affecting the permissions granted by the policy. When someone edits a policy, they might change one of the statements without updating the duplicate. This might result in more permissions than intended.
+ [IAM JSON policy elements: Statement](reference_policies_elements_statement.md)
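
The following script is an added example, not code from the IAM documentation. It finds statements that "provide identical permissions" even when they are not byte-for-byte equal: the `Sid` is ignored, scalar and single-element list forms are treated alike, and action names are compared case-insensitively. The normalisation rules and the sample policy are the script's own assumptions; values inside `Condition` and `Principal` are compared structurally, so two statements that list the same condition values in a different order are not matched.

```python
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def canonical(statement):
    """Normalise one statement so that two statements granting identical
    permissions compare equal: the Sid is dropped, scalars become lists,
    lists are sorted, and action names are case-folded (IAM action names are
    case-insensitive; ARNs and condition values are compared as written)."""
    out = {}
    for field, value in statement.items():
        if field == "Sid":
            continue
        if field in ("Action", "NotAction"):
            out[field] = sorted(a.lower() for a in _as_list(value))
        elif field in ("Resource", "NotResource"):
            out[field] = sorted(_as_list(value))
        else:
            out[field] = value  # Effect, Principal, Condition: structural comparison
    return json.dumps(out, sort_keys=True)


def redundant_statements(policy):
    """Return (index, index_of_first_copy) for every statement that repeats an
    earlier one. Removing the later copy leaves the permissions unchanged."""
    first_seen = {}
    duplicates = []
    for i, statement in enumerate(_as_list(policy["Statement"])):
        key = canonical(statement)
        if key in first_seen:
            duplicates.append((i, first_seen[key]))
        else:
            first_seen[key] = i
    return duplicates


# Constructed policy: statements 0 and 1 differ only in Sid, list wrapping and
# action-name case; statement 2 is genuinely different.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadObjects", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ReadObjectsAgain", "Effect": "Allow",
         "Action": ["S3:getobject"], "Resource": ["arn:aws:s3:::example-bucket/*"]},
        {"Sid": "WriteObjects", "Effect": "Allow",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    for later, first in redundant_statements(SAMPLE_POLICY):
        print(f"statement {later} repeats statement {first}")
```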

## Suggestion – Wildcard in service name
<a name="access-analyzer-reference-policy-checks-suggestion-wildcard-in-service-name"></a>

**Issue code:** WILDCARD\_IN\_SERVICE\_NAME

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Wildcard in service name: Avoid using wildcards (*, ?) in the service name because it might grant unintended access to other AWS services with similar names.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Avoid using wildcards (*, ?) in the service name because it might grant unintended access to other AWS services with similar names."
```

**Resolving the suggestion**

When you include the name of an AWS service in a policy, AWS recommends that you do not include wildcards (\*, ?). This might add permissions for future services that you do not intend. For example, there are more than a dozen AWS services with the word `*code*` in their name.

```
"Resource": "arn:aws:*code*::111122223333:*"
```
+ [IAM JSON policy elements: Resource](reference_policies_elements_resource.md)

## Suggestion – Allow with unsupported tag condition key for service
<a name="access-analyzer-reference-policy-checks-suggestion-allow-with-unsupported-tag-condition-key-for-service"></a>

**Issue code:** ALLOW\_WITH\_UNSUPPORTED\_TAG\_CONDITION\_KEY\_FOR\_SERVICE

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Allow with unsupported tag condition key for service: Using the effect Allow with the tag condition key {{conditionKeyName}} and actions for services with the following prefixes does not affect the policy: {{serviceNames}}. Actions for the listed service are not allowed by this statement. We recommend that you move these actions to a different statement without this condition key.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using the effect Allow with the tag condition key {{conditionKeyName}} and actions for services with the following prefixes does not affect the policy: {{serviceNames}}. Actions for the listed service are not allowed by this statement. We recommend that you move these actions to a different statement without this condition key."
```

**Resolving the suggestion**

Using unsupported tag condition keys in the `Condition` element of a policy with `"Effect": "Allow"` does not affect the permissions granted by the policy, because the condition is ignored for that service action. AWS recommends that you remove the actions for services that don’t support the condition key and create another statement to allow access to specific resources in that service.

If you use the `aws:ResourceTag` condition key and it’s not supported by a service action, then the key is not included in the request context. In this case, the condition in the `Allow` statement always returns `false` and the action is never allowed. This happens even if the resource is tagged correctly. 

When a service supports the `aws:ResourceTag` condition key, you can use tags to control access to that service’s resources. This is known as [attribute-based access control (ABAC)](introduction_attribute-based-access-control.md). Services that don’t support these keys require you to control access to resources using [resource-based access control (RBAC)](introduction_attribute-based-access-control.md#introduction_attribute-based-access-control_compare-rbac).

**Note**  
Some services allow support for the `aws:ResourceTag` condition key for a subset of their resources and actions. IAM Access Analyzer returns findings for the service actions that are not supported. For example, Amazon S3 supports `aws:ResourceTag` for a subset of its resources. To view all of the resource types available in Amazon S3 that support the `aws:ResourceTag` condition key, see [Resource types defined by Amazon S3](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-resources-for-iam-policies) in the Service Authorization Reference.

For example, assume that you want to allow team members to view details for specific resources that are tagged with the key-value pair `team=BumbleBee`. Also assume that AWS Lambda allows you to tag resources, but doesn’t support the `aws:ResourceTag` condition key. To allow view actions for AWS App Mesh and AWS Backup if this tag is present, use the `aws:ResourceTag` condition key. For Lambda, use a resource naming convention that includes the team name as a prefix. Then include a separate statement that allows viewing resources with that naming convention.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewSupported",
            "Effect": "Allow",
            "Action": [
                "appmesh:DescribeMesh",
                "backup:GetBackupPlan"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/team": "BumbleBee"
                }
            }
        },
        {
            "Sid": "AllowViewUnsupported",
            "Effect": "Allow",
            "Action": "lambda:GetFunction",
            "Resource": "arn:aws:lambda:*:123456789012:function:team-BumbleBee*"
        }
    ]
}
```

**Warning**  
Do not use the `Not` [version of the condition operator](reference_policies_elements_condition_operators.md) with `"Effect": "Allow"` as a workaround for this finding. These condition operators provide negated matching. This means that after the condition is evaluated, the result is negated. In the previous example, including the `lambda:GetFunction` action in the `AllowViewSupported` statement with the `StringNotEquals` operator always allows the action, regardless of whether the resource is tagged.  
Do not use the …[IfExists](reference_policies_elements_condition_operators.md#Conditions_IfExists) version of the condition operator as a workaround for this finding. This means "Allow the action if the key is present in the request context and the values match. Otherwise, allow the action." In the previous example, including the `lambda:GetFunction` action in the `AllowViewSupported` statement with the `StringEqualsIfExists` operator always allows the action. For that action, the key is not present in the context, and every attempt to view that resource type is allowed, regardless of whether the resource is tagged.
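
The following script is an added example, not code from the IAM documentation. It models just enough of condition evaluation to show why the two workarounds in the warning fail: when a service does not put `aws:ResourceTag/team` into the request context, `StringEquals` never matches, while `StringNotEquals` and `StringEqualsIfExists` always do. The request contexts are constructed (App Mesh supplies the tag key, Lambda does not, as in the page's hypothetical), resource matching is left out, and the evaluation rules are an assumption that covers only the String operators discussed here, not the IAM evaluation engine.

```python
# Minimal model of one IAM string condition evaluated against a request context
# that may lack the key. Assumption: this reproduces only the behaviour the note
# and warning above describe; it is not the IAM policy evaluation engine.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_condition_holds(operator, expected, context, key):
    """True when a single String* condition on `key` is satisfied."""
    if_exists = operator.endswith("IfExists")
    base = operator[:-len("IfExists")] if if_exists else operator
    negated = base.startswith("StringNot")
    if key not in context:
        # Key absent (the service does not supply it): ...IfExists treats the
        # condition as met; a positive match fails, so a negated operator passes.
        return True if if_exists else negated
    actual = context[key]
    candidates = _as_list(expected)
    if base.endswith("IgnoreCase"):
        matched = actual.lower() in [c.lower() for c in candidates]
    else:
        matched = actual in candidates
    return (not matched) if negated else matched


def statement_allows(statement, action, context):
    """True when an Allow statement names the action and all its conditions hold.
    Resource matching is deliberately omitted; it is not what the warning is about."""
    if statement.get("Effect") != "Allow":
        return False
    if action.lower() not in [a.lower() for a in _as_list(statement["Action"])]:
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, expected in keys.items():
            if not string_condition_holds(operator, expected, context, key):
                return False
    return True


def tagged_view_statement(operator):
    """The page's AllowViewSupported statement with lambda:GetFunction folded in
    and the operator swapped, which is exactly the workaround the warning rejects."""
    return {
        "Effect": "Allow",
        "Action": ["appmesh:DescribeMesh", "backup:GetBackupPlan", "lambda:GetFunction"],
        "Resource": "*",
        "Condition": {operator: {"aws:ResourceTag/team": "BumbleBee"}},
    }


# Constructed request contexts. Assumption, as in the page's example: App Mesh
# supplies aws:ResourceTag/team; Lambda never puts the key in the context.
TAGGED = {"aws:ResourceTag/team": "BumbleBee"}
OTHER_TEAM = {"aws:ResourceTag/team": "Wasp"}
NO_KEY = {}


def outcomes(operator):
    """Whether the statement allows a supported action on a correctly tagged
    resource, on another team's resource, and an action whose service does not
    supply the key at all."""
    stmt = tagged_view_statement(operator)
    return {
        "tagged": statement_allows(stmt, "appmesh:DescribeMesh", TAGGED),
        "other_team": statement_allows(stmt, "appmesh:DescribeMesh", OTHER_TEAM),
        "unsupported": statement_allows(stmt, "lambda:GetFunction", NO_KEY),
    }


if __name__ == "__main__":
    for op in ("StringEquals", "StringNotEquals", "StringEqualsIfExists"):
        print(op, outcomes(op))
```

Only `StringEquals` gives the intended result for the tagged and untagged cases, and it never allows the Lambda action; the other two operators allow the Lambda action unconditionally and `StringNotEquals` additionally inverts the App Mesh result, which is why the page's fix is a separate statement rather than a different operator.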

**Related terms**
+ [Global condition keys](reference_policies_condition-keys.md)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)
+ [Condition element](reference_policies_elements_condition.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Suggestion – Allow NotAction with unsupported tag condition key for service
<a name="access-analyzer-reference-policy-checks-suggestion-allow-notaction-with-unsupported-tag-condition-key-for-service"></a>

**Issue code:** ALLOW\_NOTACTION\_WITH\_UNSUPPORTED\_TAG\_CONDITION\_KEY\_FOR\_SERVICE

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Allow NotAction with unsupported tag condition key for service: Using the effect Allow with NotAction and the tag condition key {{conditionKeyName}} allows only service actions that support the condition key. The condition key doesn't apply to some service actions. We recommend that you use Action instead of NotAction.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "Using the effect Allow with NotAction and the tag condition key {{conditionKeyName}} allows only service actions that support the condition key. The condition key doesn't apply to some service actions. We recommend that you use Action instead of NotAction."
```

**Resolving the suggestion**

Using unsupported tag condition keys in the `Condition` element of a policy with the element `NotAction` and `"Effect": "Allow"` does not affect the permissions granted by the policy. The condition is ignored for service actions that don’t support the condition key. AWS recommends that you rewrite the logic to allow a list of actions.

If you use the `aws:ResourceTag` condition key with `NotAction`, any new or existing service actions that don’t support the key are not allowed. AWS recommends that you explicitly list the actions that you want to allow. IAM Access Analyzer returns a separate finding for listed actions that don’t support the `aws:ResourceTag` condition key. For more information, see [Suggestion – Allow with unsupported tag condition key for service](#access-analyzer-reference-policy-checks-suggestion-allow-with-unsupported-tag-condition-key-for-service).

When a service supports the `aws:ResourceTag` condition key, you can use tags to control access to that service’s resources. This is known as [attribute-based access control (ABAC)](introduction_attribute-based-access-control.md). Services that don’t support these keys require you to control access to resources using [resource-based access control (RBAC)](introduction_attribute-based-access-control.md#introduction_attribute-based-access-control_compare-rbac).

**Related terms**
+ [Global condition keys](reference_policies_condition-keys.md)
+ [Comparing ABAC to RBAC](introduction_attribute-based-access-control.md#introduction_attribute-based-access-control_compare-rbac)
+ [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md)
+ [Condition element](reference_policies_elements_condition.md)
+ [Overview of JSON policies](access_policies.md#access_policies-json)

## Suggestion – Recommended condition key for service principal
<a name="access-analyzer-reference-policy-checks-suggestion-recommended-condition-key-for-service-principal"></a>

**Issue code:** RECOMMENDED\_CONDITION\_KEY\_FOR\_SERVICE\_PRINCIPAL

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Recommended condition key for service principal: To restrict access to the service principal {{servicePrincipalPrefix}} operating on your behalf, we recommend aws:SourceArn, aws:SourceAccount, aws:SourceOrgID, or aws:SourceOrgPaths instead of {{key}}.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "To restrict access to the service principal {{servicePrincipalPrefix}} operating on your behalf, we recommend aws:SourceArn, aws:SourceAccount, aws:SourceOrgID, or aws:SourceOrgPaths instead of {{key}}."
```

**Resolving the suggestion**

You can specify AWS services in the `Principal` element of a resource-based policy using a *service principal*, which is an identifier for the service. You should use the `aws:SourceArn`, `aws:SourceAccount`, `aws:SourceOrgID`, or `aws:SourceOrgPaths` condition keys when granting access to service principals instead of other condition keys, such as `aws:Referer`. This helps you prevent a security issue called *the confused deputy problem*.

**Related terms**
+ [AWS service principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services)
+ [AWS global condition keys: aws:SourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount)
+ [AWS global condition keys: aws:SourceArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn)
+ [AWS global condition keys: aws:SourceOrgId](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceorgid)
+ [AWS global condition keys: aws:SourceOrgPaths](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceorgpaths)
+ [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)
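
The following script is an added example, not code from the IAM documentation. It walks a resource-based policy and reports every `Allow` statement whose `Principal` is a service principal but whose `Condition` uses none of the four recommended keys, placing a weak statement (conditioned on `aws:Referer`, the key the paragraph above names as the kind not to rely on) beside its corrected form that pins the grant to one source resource with `aws:SourceArn`. The queue policy, the account ID and the ARNs are constructed placeholders.

```python
RECOMMENDED_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid", "aws:sourceorgpaths"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_keys(condition):
    """All condition keys used anywhere in a Condition element, lower-cased."""
    return {key.lower() for keys in condition.values() for key in keys}


def service_principal_findings(policy):
    """Statements that grant a service principal access without scoping it by
    aws:SourceArn, aws:SourceAccount, aws:SourceOrgID or aws:SourceOrgPaths,
    the keys that tie the grant to a specific resource, account or organization."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Service" not in principal:
            continue
        keys = condition_keys(stmt.get("Condition", {}))
        if not keys & RECOMMENDED_KEYS:
            findings.append({
                "statement": stmt.get("Sid", index),
                "services": _as_list(principal["Service"]),
                "condition_keys": sorted(keys),
            })
    return findings


# Constructed queue policy. Account 111122223333, the queue and the topic are
# placeholders. WEAK conditions only on aws:Referer; FIXED names the one topic
# that is allowed to deliver, so another topic in another account cannot.
WEAK = {
    "Sid": "AllowSnsReferer",
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:111122223333:placeholder-queue",
    "Condition": {"StringEquals": {"aws:Referer": "placeholder-value"}},
}
FIXED = {
    "Sid": "AllowSnsFromOneTopic",
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:111122223333:placeholder-queue",
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:placeholder-topic"}},
}
POLICY = {"Version": "2012-10-17", "Statement": [WEAK, FIXED]}

if __name__ == "__main__":
    for finding in service_principal_findings(POLICY):
        print(f"{finding['statement']}: {finding['services']} scoped only by {finding['condition_keys']}")
```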

## Suggestion – Irrelevant condition key in policy
<a name="access-analyzer-reference-policy-checks-suggestion-irrelevant-condition-key-in-policy"></a>

**Issue code:** IRRELEVANT\_CONDITION\_KEY\_IN\_POLICY

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Irrelevant condition key in policy: The condition key {{condition-key}} is not relevant for the {{resource-type}} policy.  Use this key in an identity-based policy to govern access to this resource.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The condition key {{condition-key}} is not relevant for the {{resource-type}} policy.  Use this key in an identity-based policy to govern access to this resource."
```

**Resolving the suggestion**

Some condition keys aren't relevant for resource-based policies. For example, the `s3:ResourceAccount` condition key isn't relevant for the resource-based policy attached to an Amazon S3 bucket or Amazon S3 access point resource type.

You should use the condition key in an identity-based policy to control access to the resource.

**Related terms**
+ [Identity-based policies and resource-based policies](access_policies_identity-vs-resource.md)

## Suggestion – Redundant key due to wildcard in condition
<a name="access-analyzer-reference-policy-checks-suggestion-redundant-key-due-to-wildcard-in-condition"></a>

**Issue code:** REDUNDANT\_KEY\_DUE\_TO\_WILDCARD\_IN\_CONDITION

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Redundant key due to wildcard in condition: The key {{key}} in the condition block of {{operator}} is redundant because it is always matched. Remove this key to simplify the condition.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The key {{key}} in the condition block of {{operator}} is redundant because it is always matched. Remove this key to simplify the condition."
```

**Resolving the suggestion**

Remove the redundant condition key from your policy. The key is always matched due to the wildcard pattern, making it unnecessary. Simplify your condition block by removing this key while maintaining the same effective permissions. 

**Related terms**
+ [IAM policy elements: Condition](reference_policies_elements_condition.md)
+ [Conditions with multiple context keys or values](reference_policies_condition-logic-multiple-context-keys-or-values.md)
+ [AWS global condition context keys](reference_policies_condition-keys.md)

## Suggestion – Redundant principal in role trust policy
<a name="access-analyzer-reference-policy-checks-suggestion-redundant-principal-in-role-trust-policy"></a>

**Issue code:** REDUNDANT\_PRINCIPAL\_IN\_ROLE\_TRUST\_POLICY

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Redundant principal in role trust policy: The assumed-role principal {{redundant_principal}} is redundant with its parent role {{parent_role}}. Remove the assumed-role principal.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The assumed-role principal {{redundant_principal}} is redundant with its parent role {{parent_role}}. Remove the assumed-role principal."
```

**Resolving the suggestion**

If you specify both an assumed-role principal and its parent role in the `Principal` element of a policy, it does not allow or deny any different permissions. For example, it is redundant if you specify the `Principal` element using the following format:

```
"Principal": {
    "AWS": [
        "arn:aws:iam::AWS-account-ID:role/rolename",
        "arn:aws:iam::AWS-account-ID:assumed-role/rolename/rolesessionname"
    ]
}
```

We recommend removing the assumed-role principal.

**Related terms**
+ [Role session principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-role-session)

## Suggestion – Redundant statement due to wildcard in condition
<a name="access-analyzer-reference-policy-checks-suggestion-redundant-statement-due-to-wildcard-in-condition"></a>

**Issue code:** REDUNDANT\_STATEMENT\_DUE\_TO\_WILDCARD\_IN\_CONDITION

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Redundant statement due to wildcard in condition: The key {{key}} in the condition block of {{operator}} does not match any values. Remove this key to simplify the condition.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The key {{key}} in the condition block of {{operator}} does not match any values. Remove this key to simplify the condition."
```

**Resolving the suggestion**

Remove the condition key that doesn't match any values. This key creates an unreachable condition that will never be satisfied, making it redundant. Clean up your policy by removing this key to improve readability and performance.

**Related terms**
+ [IAM policy elements: Condition](reference_policies_elements_condition.md)
+ [Conditions with multiple context keys or values](reference_policies_condition-logic-multiple-context-keys-or-values.md)
+ [AWS global condition context keys](reference_policies_condition-keys.md)

## Suggestion – Confirm audience claim type
<a name="access-analyzer-reference-policy-checks-suggestion-confirm-audience-claim-type"></a>

**Issue code:** CONFIRM\_AUDIENCE\_CLAIM\_TYPE

**Finding type:** SUGGESTION

**Finding details**

In the AWS Management Console, the finding for this check includes the following message:

```
Confirm audience claim type: The "{{key}}" ({{audienceType}}) claim key identifies the recipients that the JSON web token is intended for. Because this claim is single-valued, do not use a qualifier.
```

In programmatic calls to the AWS CLI or AWS API, the finding for this check includes the following message:

```
"findingDetails": "The "{{key}}" ({{audienceType}}) claim key identifies the recipients that the JSON web token is intended for. Because this claim is single-valued, do not use a qualifier."
```

**Resolving the suggestion**

The `aud` (audience) claim key is a unique identifier for your app that is issued to you when you register your app with the IdP and identifies the recipients that the JSON web token is intended for. Audience claims can be multivalued or single-valued. If the claim is multivalued, use a `ForAllValues` or `ForAnyValue` condition set operator. If the claim is single-valued, do not use a condition set operator.

**Related terms**
+ [Creating a role for web identity or OpenID Connect Federation (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html)
+ [Multivalued context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-keys)
+ [Single-valued vs. multivalued condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_single-vs-multi-valued-condition-keys.html)

# Validate policies with IAM Access Analyzer custom policy checks
<a name="access-analyzer-custom-policy-checks"></a>

You can use custom policy checks to check for new access based on your security standards. A charge is associated with each check for new access. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

## Validating policies with custom policy checks (console)
<a name="access-analyzer-custom-policy-checks-console"></a>

As an optional step, you can run a custom policy check when editing a policy in the JSON policy editor in the IAM console. You can check whether the updated policy grants new access compared to the existing version.

**To check for new access when editing IAM JSON policies**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Policies**. 

1. In the list of policies, choose the policy name of the policy that you want to edit. You can use the search box to filter the list of policies.

1. Choose the **Permissions** tab, and then choose **Edit**. 

1. Choose the **JSON** option and make updates to your policy.

1. In the policy validation pane below the policy, choose the **Check for new access** tab and then choose **Check policy**. If the modified permissions grant new access, the statement will be highlighted in the policy validation pane.

1. If you don't intend to grant new access, update the policy statement and choose **Check policy** until no new access is detected.
**Note**  
A charge is associated with each check for new access. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

1. Choose **Next**.

1. On the **Review and save** page, review **Permissions defined in this policy** and then choose **Save changes**.

## Validating policies with custom policy checks (AWS CLI or API)
<a name="access-analyzer-custom-policy-checks-cli-api"></a>

You can run IAM Access Analyzer custom policy checks from the AWS CLI or the IAM Access Analyzer API.

### To run IAM Access Analyzer custom policy checks (AWS CLI)
<a name="access-analyzer-custom-policy-checks-cli"></a>
+ To check whether new access is allowed for an updated policy when compared to the existing policy, run the following command: [aws accessanalyzer check-no-new-access](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/check-no-new-access.html)
+ To check whether the specified access isn't allowed by a policy, run the following command: [aws accessanalyzer check-access-not-granted](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/check-access-not-granted.html)
+ To check whether a resource policy can grant public access to a specified resource type, run the following command: [aws accessanalyzer check-no-public-access](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/check-no-public-access.html)

### To run IAM Access Analyzer custom policy checks (API)
<a name="access-analyzer-custom-policy-checks-api"></a>
+ To check whether new access is allowed for an updated policy when compared to the existing policy, use the [CheckNoNewAccess](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CheckNoNewAccess.html) API operation.
+ To check whether the specified access isn't allowed by a policy, use the [CheckAccessNotGranted](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CheckAccessNotGranted.html) API operation.
+ To check whether a resource policy can grant public access to a specified resource type, use the [CheckNoPublicAccess](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CheckNoPublicAccess.html) API operation.

# IAM Access Analyzer policy generation
<a name="access-analyzer-policy-generation"></a>

As an administrator or developer, you might grant permissions to IAM entities (users or roles) beyond what they require. IAM provides several options to help you refine the permissions that you grant. One option is to generate an IAM policy that is based on access activity for an entity. IAM Access Analyzer reviews your AWS CloudTrail logs and generates a policy template that contains the permissions that the entity used in your specified date range. You can use the template to create a policy with fine-grained permissions that grant only the permissions that are required to support your specific use case. 

**Topics**
+ [How policy generation works](#access-analyzer-policy-generation-howitworks)
+ [Service and action-level information](#access-analyzer-policy-generation-service-action)
+ [Things to know about generating policies](#access-analyzer-policy-generation-know)
+ [Permissions required to generate a policy](#access-analyzer-policy-generation-perms)
+ [Generate a policy based on CloudTrail activity (console)](#access-analyzer-policy-generation-console)
+ [Generate a policy using AWS CloudTrail data in another account](#access-analyzer-policy-generation-cross-account)
+ [Generate a policy based on CloudTrail activity (AWS CLI)](#access-analyzer-policy-generation-cli)
+ [Generate a policy based on CloudTrail activity (AWS API)](#access-analyzer-policy-generation-api)
+ [IAM Access Analyzer policy generation services](access-analyzer-policy-generation-action-last-accessed-support.md)

## How policy generation works
<a name="access-analyzer-policy-generation-howitworks"></a>

IAM Access Analyzer analyzes your CloudTrail events to identify actions and services that have been used by an IAM entity (user or role). It then generates an IAM policy that is based on that activity. You can refine an entity's permissions when you replace a broad permissions policy attached to the entity with the generated policy. The following is a high-level overview of the policy generation process.
+ **Set up for policy template generation** – You specify a time period of up to 90 days for IAM Access Analyzer to analyze your historical AWS CloudTrail events. You must specify an existing service role or create a new one. The service role gives IAM Access Analyzer access to your CloudTrail trail and service last accessed information to identify the services and actions that were used. You must specify the CloudTrail trail that is logging events for the account before you can generate a policy. For more information about IAM Access Analyzer quotas for CloudTrail data, see [IAM Access Analyzer quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_access-analyzer-quotas).
+ **Generate policy** – IAM Access Analyzer generates a policy based on the access activity in your CloudTrail events. 
+ **Review and customize policy** – After the policy is generated, you can review the services and actions that were used by the entity during the specified date range. You can further customize the policy by adding or removing permissions, specifying resources, and adding conditions to the policy template.
+ **Create and attach policy** – You have the option to save the generated policy by creating a managed policy. You can attach the policy that you create to the user or role whose activity was used to generate the policy.

## Service and action-level information
<a name="access-analyzer-policy-generation-service-action"></a>

When IAM Access Analyzer generates an IAM policy, information is returned to help you to further customize the policy. Two categories of information can be returned when a policy is generated:
+ **Policy with action-level information –** For some AWS services, such as Amazon EC2, IAM Access Analyzer can identify the actions found in your CloudTrail events and lists the actions used in the policy it generates. For a list of supported services, see [IAM Access Analyzer policy generation services](access-analyzer-policy-generation-action-last-accessed-support.md). For some services, IAM Access Analyzer prompts you to add actions for the services to the generated policy.
+ **Policy with service-level information –** IAM Access Analyzer uses [last accessed](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_last-accessed.html) information to create a policy template with all of the recently used services. When using the AWS Management Console, we prompt you to review the services and add actions to complete the policy.

For a list of actions in each service, see [Actions, Resources, and Condition Keys for AWS Services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the Service Authorization Reference.

## Things to know about generating policies
<a name="access-analyzer-policy-generation-know"></a>

Before you generate a policy, review the following important details.
+ **Enable a CloudTrail trail** – You must have a CloudTrail trail enabled for your account to generate a policy based on access activity. When you create a CloudTrail trail, CloudTrail sends events related to your trail to an Amazon S3 bucket that you specify. To learn how to create a CloudTrail trail, see [Creating a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) in the *AWS CloudTrail User Guide*.
+ **Data events not available** – IAM Access Analyzer does not identify action-level activity for data events, such as Amazon S3 data events, in generated policies.
+ **PassRole** – The `iam:PassRole` action is not tracked by CloudTrail and is not included in generated policies.
+ **Reduce policy generation time** – To generate a policy faster, reduce the date range that you specify during setup for policy generation.
+ **Use CloudTrail for auditing** – Do not use policy generation for auditing purposes; use CloudTrail instead. For more information about using CloudTrail, see [Logging IAM and AWS STS API calls with AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html).
+ **Denied actions** – Policy generation reviews all CloudTrail events, including denied actions.
+ **One policy IAM console** – You can have one generated policy at a time in the IAM console.
+ **Generated policy availability IAM console** – You can review a generated policy in the IAM console for up to 7 days after it is generated. After 7 days, you must generate a new policy.
+ **Policy generation quotas** – For additional information about IAM Access Analyzer policy generation quotas, see [IAM Access Analyzer quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_access-analyzer-quotas).
+ **Amazon S3 standard rates apply** – When you use the policy generation feature, IAM Access Analyzer reviews CloudTrail logs in your S3 bucket. There are no additional storage charges to access your CloudTrail logs for policy generation. AWS charges standard Amazon S3 rates for requests and data transfer of CloudTrail logs stored in your S3 bucket.
+ **AWS Control Tower support** – Policy generation does not support using AWS CloudTrail trails that AWS Control Tower creates when generating policies, for these reasons:
  + The CloudTrail data from the organization is logged in another account, the AWS Control Tower Log Archive account. 
  + Permissions for the S3 bucket where these logs are stored cannot be reconfigured due to the restrictions on the S3 logging bucket set by AWS Control Tower's service control policies (SCPs).

## Permissions required to generate a policy
<a name="access-analyzer-policy-generation-perms"></a>

The permissions that you need to generate a policy for the first time differ from those that you need to generate a policy for subsequent uses. For more information, see [Getting started with AWS Identity and Access Management Access Analyzer](access-analyzer-getting-started.md).

**First-time setup**  
When you generate a policy for the first time, you must choose a suitable existing [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) in your account or create a new service role. The service role gives IAM Access Analyzer access to CloudTrail and service last accessed information in your account. Only administrators should have the permissions necessary to create and configure roles. Therefore, we recommend that an administrator creates the service role during the first-time setup. To learn more about the permissions required to create service roles, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).

### Permissions required for service role
<a name="collapsible-section-1"></a>

When you create a service role, you configure two policies for the role. You attach an IAM *permissions policy* to the role that specifies what the role can do. You also attach a *role trust policy* to the role that specifies the principal who can use the role.

The first example policy shows the permissions policy for the service role that is required to generate a policy. The second example policy shows the role trust policy that is required for the service role. You can use these policies to help you create a service role when you use the AWS API or AWS CLI to generate a policy. When you use the IAM console to create a service role as part of the policy generation process, we generate these policies for you.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cloudtrail:GetTrail",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetServiceLastAccessedDetails",
                "iam:GenerateServiceLastAccessedDetails"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        }
    ]
}
```

------

The following example policy shows the role trust policy with the permissions that allow IAM Access Analyzer to assume the role.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "access-analyzer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------
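As an added example (not AWS code), the following Python checks a candidate service role's permissions policy and trust policy against the requirements listed above: the five required actions, S3 read access scoped to the log bucket rather than every bucket, and a trust policy that lets only `access-analyzer.amazonaws.com` assume the role. The policy dicts are the two documents from this section plus a constructed overly broad variant; `amzn-s3-demo-bucket` is the placeholder bucket name from the page.

```python
import fnmatch

# Permissions the page says the policy-generation service role needs.
REQUIRED_ACTIONS = {
    "cloudtrail:GetTrail",
    "iam:GetServiceLastAccessedDetails",
    "iam:GenerateServiceLastAccessedDetails",
    "s3:GetObject",
    "s3:ListBucket",
}
ACCESS_ANALYZER_PRINCIPAL = "access-analyzer.amazonaws.com"


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and accepts * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy, wanted):
    """Map each action in `wanted` that some Allow statement grants to the
    resources named by the statements that grant it."""
    granted = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", []))
        for action in wanted:
            if any(_action_matches(p, action) for p in patterns):
                granted.setdefault(action, set()).update(resources)
    return granted


def check_service_role(permissions_policy, trust_policy, trail_bucket):
    """Return findings for a candidate service role; an empty list means the
    role has what the page requires and nothing obviously broader."""
    findings = []
    granted = granted_actions(permissions_policy, REQUIRED_ACTIONS)
    for action in sorted(REQUIRED_ACTIONS - granted.keys()):
        findings.append(f"missing permission: {action}")

    # S3 read access should be scoped to the CloudTrail log bucket, not every bucket.
    for action in ("s3:GetObject", "s3:ListBucket"):
        for resource in granted.get(action, ()):
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append(f"{action} granted on all buckets; scope it to arn:aws:s3:::{trail_bucket}")

    # Only the IAM Access Analyzer service principal should be able to assume the role.
    trusted = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(p, "sts:AssumeRole") for p in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append("trust policy lets any AWS principal assume the role")
        elif isinstance(principal, dict) and ACCESS_ANALYZER_PRINCIPAL in _as_list(principal.get("Service", [])):
            trusted = True
    if not trusted:
        findings.append(f"trust policy does not let {ACCESS_ANALYZER_PRINCIPAL} assume the role")
    return findings


# The permissions policy and trust policy from this section, as Python dicts.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudtrail:GetTrail", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:GetServiceLastAccessedDetails", "iam:GenerateServiceLastAccessedDetails"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*"]},
    ],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": ACCESS_ANALYZER_PRINCIPAL},
                   "Action": "sts:AssumeRole"}],
}

# Constructed counter-example: no CloudTrail permission, no ListBucket, and
# s3:Get* on every bucket. The checker should flag all three.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:GetServiceLastAccessedDetails", "iam:GenerateServiceLastAccessedDetails"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("page policy", PERMISSIONS_POLICY), ("broad policy", OVERLY_BROAD_POLICY)):
        print(name, check_service_role(policy, TRUST_POLICY, "amzn-s3-demo-bucket") or "OK")
```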

**Subsequent uses**  
To generate policies in the AWS Management Console, an IAM user must have a permissions policy that allows them to pass the service role that is used for policy generation to IAM Access Analyzer. `iam:PassRole` is usually accompanied by `iam:GetRole` so that the user can get the details of the role to be passed. In this example, the user can pass only roles that exist in the specified account with names that begin with `AccessAnalyzerMonitorServiceRole*`. To learn more about passing IAM roles to AWS services, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html).

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToPassRole",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::123456789012:role/service-role/AccessAnalyzerMonitorServiceRole*"
    }
  ]
}
```

------

You must also have the following IAM Access Analyzer permissions to generate policies in the AWS Management Console, AWS API, or AWS CLI as shown in the following policy statement.

```
{
  "Sid": "AllowUserToGeneratePolicy",
  "Effect": "Allow",
  "Action": [
    "access-analyzer:CancelPolicyGeneration",
    "access-analyzer:GetGeneratedPolicy",
    "access-analyzer:ListPolicyGenerations",
    "access-analyzer:StartPolicyGeneration"
  ],
  "Resource": "*"
}
```

**For both first-time and subsequent uses**  
When you use the AWS Management Console to generate a policy, you must have `cloudtrail:ListTrails` permission to list the CloudTrail trails in your account as shown in the following policy statement.

```
{
  "Sid": "AllowUserToListTrails",
  "Effect": "Allow",
  "Action": [
    "cloudtrail:ListTrails"
  ],
  "Resource": "*"
}
```

## Generate a policy based on CloudTrail activity (console)
<a name="access-analyzer-policy-generation-console"></a>

You can generate a policy for an IAM user or role.

### Step 1: Generate a policy based on CloudTrail activity
<a name="access-analyzer-policy-generation-generate"></a>

The following procedure explains how to generate a policy for a role using the AWS Management Console. 

**Generate a policy for an IAM role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Roles**.
**Note**  
The steps to generate a policy based on activity for an IAM user are almost identical. To do this, choose **Users** instead of **Roles**.

1. In the list of roles in your account, choose the name of the role whose activity you want to use to generate a policy.

1. On the **Permissions** tab, in the **Generate policy based on CloudTrail events** section, choose **Generate policy**.

1. On the **Generate policy** page, specify the time period that you want IAM Access Analyzer to analyze your CloudTrail events for actions taken with the role. You can choose a range of up to 90 days. We recommend that you choose the shortest time period possible to reduce the policy generation time.

1. In the **CloudTrail access** section, choose a suitable existing role or create a new role if a suitable role does not exist. The role gives IAM Access Analyzer permissions to access your CloudTrail data on your behalf to review access activity to identify the services and actions that have been used. To learn more about the permissions required for this role, see [Permissions required to generate a policy](#access-analyzer-policy-generation-perms).

1. In the **CloudTrail trail to be analyzed** section, specify the CloudTrail trail that logs events for the account.

   If you choose a CloudTrail trail that stores logs in a different account, an information box about cross-account access is displayed. Cross-account access requires additional setup. To learn more, see [Choose a role for cross-account access](#chooserole) later in this topic.

1. Choose **Generate policy**.

1. While policy generation is in progress, you are returned to the **Roles** **Summary** page on the **Permissions** tab. Wait until the status in the **Policy request details** section displays **Success**, and then choose **View generated policy**. You can view the generated policy for up to seven days. If you generate another policy, the existing policy is replaced with the new one that you generate.

### Step 2: Review permissions and add actions for services used
<a name="access-analyzer-policy-generation-console-review"></a>

Review the services and actions that IAM Access Analyzer identified that the role used. You can add actions for any services that were used to the generated policy template.

1. Review the following sections:
   + On the **Review permissions** page, review the list of **Actions included in the generated policy**. The list displays the services *and* actions that IAM Access Analyzer identified were used by the role in the specified date range.
   + The **Services used** section displays additional services that IAM Access Analyzer identified that were used by the role in the specified date range. Information about which actions were used might not be available for the services listed in this section. Use the menus for each service listed to manually choose the actions that you want to include in the policy.

1. When you are done adding actions, choose **Next**.

### Step 3: Further customize the generated policy
<a name="access-analyzer-policy-generation-customize"></a>

You can further customize the policy by adding or removing permissions or specifying resources.

**To customize the generated policy**

1. Update the policy template. The policy template contains resource ARN placeholders for actions that support resource-level permissions, as shown in the following image. *Resource-level permissions* refers to the ability to specify which resources users are allowed to perform actions on. We recommend that you use [ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) to specify your individual resources in the policy for actions that support resource-level permissions. You can replace the placeholder resource ARNs with valid resource ARNs for your use case.

   If an action does not support resource-level permissions, you must use a wildcard (`*`) to specify that all resources can be affected by the action. To learn which AWS services support resource-level permissions, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). For a list of actions in each service, and to learn which actions support resource-level permissions, see [Actions, Resources, and Condition Keys for AWS Services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).  
![\[Resource ARN placeholder in policy template\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/res_plc_lg.png)

1. (Optional) Add, modify, or remove JSON policy statements in the template. To learn more about writing JSON policies, see [Creating IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html).

1. When you are done customizing the policy template, you have the following options:
   + (Optional) You can copy the JSON in the template to use separately outside of the **Generated policy** page, for example to create a policy in a different account. If the policy in your template exceeds the 6,144 character limit for JSON policies, the policy is split into multiple policies.
   + Choose **Next** to review and create a managed policy in the same account.

### Step 4: Review and create a managed policy
<a name="access-analyzer-policy-generation-console-create"></a>

If you have permissions to create and attach IAM policies, you can create a managed policy from the policy that was generated. You can then attach the policy to a user or role in your account.

**To review and create a policy**

1. On the **Review and create managed policy** page, enter a **Name** and **Description** (optional) for the policy that you are creating.

1. (Optional) In the **Summary** section, you can review the permissions that will be included in the policy.

1. (Optional) Add metadata to the policy by attaching tags as key-value pairs. For more information about using tags in IAM, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html).

1. When you are finished, do one of the following:
   + You can attach the new policy directly to the role that was used to generate the policy. To do this, near the bottom of the page, select the checkbox next to the **Attach policy to *YourRoleName***. Then choose **Create and attach policy**.
   + Otherwise, choose **Create policy**. You can find the policy that you created in the list of policies in the **Policies** navigation pane of the IAM console.

1. You can attach the policy that you created to an entity in your account. After you attach the policy, you can remove any other overly broad policies that might be attached to the entity. To learn how to attach a managed policy, see [Adding IAM identity permissions (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console).

## Generate a policy using AWS CloudTrail data in another account
<a name="access-analyzer-policy-generation-cross-account"></a>

You might create CloudTrail trails that store data in central accounts to streamline governing activities. For example, you can use AWS Organizations to create a trail that logs all events for all of the AWS accounts in that organization. The trail belongs to a central account. If you want to generate a policy for a user or role in an account that is different from the account where your CloudTrail log data is stored, you must grant cross-account access. To do this, you need both a role and a bucket policy that grant IAM Access Analyzer permissions to your CloudTrail logs. For more information about creating Organizations trails, see [Creating a trail for an organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html).

In this example, assume that you want to generate a policy for a user or role in account A. The CloudTrail trail in account A stores CloudTrail logs in a bucket in account B. Before you can generate a policy, you must make the following updates:

1. Choose an existing role, or create a new service role that grants IAM Access Analyzer access to the bucket in account B (where your CloudTrail logs are stored).

1. Verify your Amazon S3 bucket object ownership and bucket permissions policy in account B so that IAM Access Analyzer can access objects in the bucket.

**Step 1: Choose or create a role for cross-account access**
+ On the **Generate policy** screen, the option to **Use an existing role** is pre-selected for you if a role with the required permissions exists in your account. Otherwise, choose **Create and use a new service role**. The new role is used to grant IAM Access Analyzer access to your CloudTrail logs in account B.

**Step 2: Verify or update your Amazon S3 bucket configuration in account B**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the **Buckets** list, choose the name of the bucket where your CloudTrail trail logs are stored.

1. Choose the **Permissions** tab and go to the **Object Ownership** section.

   Use Amazon S3 Object Ownership bucket settings to control ownership of objects that you upload to your buckets. By default, when other AWS accounts upload objects to your bucket, the uploading account owns the objects. To generate a policy, the bucket owner must own all of the objects in the bucket. Depending on your ACL use case, you might need to change the **Object Ownership** setting for your bucket. Set **Object Ownership** to one of the following options.
   + **Bucket owner enforced** (recommended)
   + **Bucket owner preferred**
**Important**  
To successfully generate a policy, the objects in the bucket must be owned by the bucket owner. If you choose to use **Bucket owner preferred**, you can only generate a policy for the time period after the object ownership change was made.

   To learn more about object ownership in Amazon S3, see [Controlling ownership of objects and disabling ACLs for your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide*.

1. Add permissions to your Amazon S3 bucket policy in account B to allow access for the role in account A.

   The following example policy allows `ListBucket` and `GetObject` for the bucket named `amzn-s3-demo-bucket`. It allows access if the role accessing the bucket belongs to an account in your organization and has a name that starts with `AccessAnalyzerMonitorServiceRole`. Using [`aws:PrincipalArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalarn) in the `Condition` element, together with `${aws:PrincipalAccount}` in the `Resource` element, ensures that the role can access only the activity logged for its own account, account A. You can replace `amzn-s3-demo-bucket` with your bucket name, `optional-prefix` with an optional prefix for the bucket, and `organization-id` with your organization ID.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PolicyGenerationBucketPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/optional-prefix/AWSLogs/organization-id/${aws:PrincipalAccount}/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "organization-id"
        },
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
        }
      }
    }
  ]
}
```

------
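To see what the conditions in this bucket policy actually gate, here is an added Python walk-through (not AWS code) that evaluates the statement above for different callers. It is a minimal evaluator for `StringEquals`, `ArnLike` and the `${aws:PrincipalAccount}` policy variable, not full IAM evaluation; it assumes a placeholder organization ID `o-exampleorgid`, omits `optional-prefix`, and writes the role ARN pattern in the standard `arn:aws:iam::account:role/...` form.

```python
import fnmatch

ORG_ID = "o-exampleorgid"      # constructed placeholder organization ID
BUCKET = "amzn-s3-demo-bucket"  # placeholder bucket name from the page

# The bucket policy statement from the page (optional-prefix omitted).
STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [
        f"arn:aws:s3:::{BUCKET}",
        # Each account's role can only reach the log prefix for its own account.
        f"arn:aws:s3:::{BUCKET}/AWSLogs/{ORG_ID}/${{aws:PrincipalAccount}}/*",
    ],
    "Condition": {
        "StringEquals": {"aws:PrincipalOrgID": ORG_ID},
        "ArnLike": {
            "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
        },
    },
}


def substitute(value, ctx):
    """Replace ${key} policy variables with values from the request context."""
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value


def condition_holds(condition, ctx):
    """Every operator/key pair in the Condition block must match the context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:          # missing context key never matches
                return False
            patterns = [substitute(p, ctx) for p in
                        (expected if isinstance(expected, list) else [expected])]
            if operator == "StringEquals":
                ok = actual in patterns
            elif operator in ("ArnLike", "StringLike"):
                ok = any(fnmatch.fnmatchcase(actual, p) for p in patterns)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def statement_allows(stmt, action, resource, ctx):
    """Does this single Allow statement grant `action` on `resource` for `ctx`?"""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if stmt["Effect"] != "Allow" or action not in actions:
        return False
    resources = [substitute(r, ctx) for r in stmt["Resource"]]
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    return condition_holds(stmt.get("Condition", {}), ctx)


def role_context(account, role_name, org_id):
    """Request context IAM derives for a service role in `account`."""
    return {
        "aws:PrincipalAccount": account,
        "aws:PrincipalOrgID": org_id,
        "aws:PrincipalArn": f"arn:aws:iam::{account}:role/service-role/{role_name}",
    }


def can_read_logs(account, role_name, org_id, log_account):
    """Can the role in `account` read the CloudTrail objects logged for `log_account`?"""
    key = f"arn:aws:s3:::{BUCKET}/AWSLogs/{ORG_ID}/{log_account}/2024/01/01/log.json.gz"
    return statement_allows(STATEMENT, "s3:GetObject", key, role_context(account, role_name, org_id))


if __name__ == "__main__":
    role = "AccessAnalyzerMonitorServiceRole_abc"
    print("own account:   ", can_read_logs("111111111111", role, ORG_ID, "111111111111"))
    print("other account: ", can_read_logs("111111111111", role, ORG_ID, "222222222222"))
    print("outside org:   ", can_read_logs("111111111111", role, "o-otherorg", "111111111111"))
    print("other role:    ", can_read_logs("111111111111", "SomeOtherRole", ORG_ID, "111111111111"))
```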

1. If you encrypt your logs using AWS KMS, update your AWS KMS key policy in the account where you store the CloudTrail logs to grant IAM Access Analyzer access to use your key, as shown in the following policy example. Replace `CROSS_ACCOUNT_ORG_TRAIL_FULL_ARN` with the ARN for your trail and `organization-id` with your organization ID.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "CROSS_ACCOUNT_ORG_TRAIL_FULL_ARN",
          "aws:PrincipalOrgID": "organization-id"
        },
        "StringLike": {
          "kms:ViaService": [
            "access-analyzer.*.amazonaws.com",
            "s3.*.amazonaws.com"
          ]
        },
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
        }
      }
    }
  ]
}
```

------

## Generate a policy based on CloudTrail activity (AWS CLI)
<a name="access-analyzer-policy-generation-cli"></a>

You can use the following commands to generate a policy using the AWS CLI. 

**To generate a policy**
+ [aws accessanalyzer start-policy-generation](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/start-policy-generation.html)

**To view a generated policy**
+ [aws accessanalyzer get-generated-policy](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/get-generated-policy.html)

**To cancel a policy generation request**
+ [aws accessanalyzer cancel-policy-generation](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/cancel-policy-generation.html)

**To view a list of policy generation requests**
+ [aws accessanalyzer list-policy-generations](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/list-policy-generations.html)

## Generate a policy based on CloudTrail activity (AWS API)
<a name="access-analyzer-policy-generation-api"></a>

You can use the following operations to generate a policy using the AWS API.

**To generate a policy**
+ [StartPolicyGeneration](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_StartPolicyGeneration.html)

**To view a generated policy**
+ [GetGeneratedPolicy](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetGeneratedPolicy.html)

**To cancel a policy generation request**
+ [CancelPolicyGeneration](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CancelPolicyGeneration.html)

**To view a list of policy generation requests**
+ [ListPolicyGenerations](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListPolicyGenerations.html)

# IAM Access Analyzer policy generation services
<a name="access-analyzer-policy-generation-action-last-accessed-support"></a>

The following table lists the AWS services for which IAM Access Analyzer generates policies with action-level information. For a list of actions in each service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the Service Authorization Reference.

AWS provides policy generation information in JSON format to streamline the automation of policy management workflows. With the service reference information, you can access policy generation information across AWS services from machine-readable files. For more information, see [Simplified AWS service information for programmatic access](https://docs.aws.amazon.com/service-authorization/latest/reference/service-reference.html) in the Service Authorization Reference.


|  **Service**  |  **Service prefix**  | 
| --- | --- | 
|  [AWS Identity and Access Management Access Analyzer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html)  | access-analyzer | 
|  [AWS Account Management](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsaccountmanagement.html)  | account | 
|  [AWS Certificate Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanager.html)  | acm | 
|  [Amazon Managed Workflows for Apache Airflow](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html)  | airflow | 
|  [AWS Amplify](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplify.html)  | amplify | 
|  [AWS Amplify UI Builder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplifyuibuilder.html)  | amplifyuibuilder | 
|  [Amazon AppIntegrations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappintegrations.html)  | app-integrations | 
|  [AWS AppConfig](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html)  | appconfig | 
|  [Amazon AppFlow](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappflow.html)  | appflow | 
|  [AWS Application Cost Profiler](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationcostprofilerservice.html)  | application-cost-profiler | 
|  [Amazon CloudWatch Application Insights](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html)  | applicationinsights | 
|  [AWS App Mesh](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmesh.html)  | appmesh | 
|  [Amazon WorkSpaces Applications](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappstream2.0.html)  | appstream | 
|  [AWS AppSync](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappsync.html)  | appsync | 
|  [Amazon Managed Service for Prometheus](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforprometheus.html)  | aps | 
|  [Amazon Athena](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html)  | athena | 
|  [AWS Audit Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsauditmanager.html)  | auditmanager | 
|  [AWS Auto Scaling](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsautoscaling.html)  | autoscaling | 
|  [AWS Marketplace](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplace.html)  | aws-marketplace | 
|  [AWS Backup](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html)  | backup | 
|  [AWS Batch](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html)  | batch | 
|  [Amazon Braket](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbraket.html)  | braket | 
|  [AWS Budgets](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbudgetservice.html)  | budgets | 
|  [AWS Cloud9](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloud9.html)  | cloud9 | 
|  [AWS CloudFormation](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html)  | cloudformation | 
|  [Amazon CloudFront](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html)  | cloudfront | 
|  [AWS CloudHSM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudhsm.html)  | cloudhsm | 
|  [Amazon CloudSearch](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudsearch.html)  | cloudsearch | 
|  [AWS CloudTrail](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudtrail.html)  | cloudtrail | 
|  [Amazon CloudWatch](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html)  | cloudwatch | 
|  [AWS CodeArtifact](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeartifact.html)  | codeartifact | 
|  [AWS CodeDeploy](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodedeploy.html)  | codedeploy | 
|  [Amazon CodeGuru Profiler](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguruprofiler.html)  | codeguru-profiler | 
|  [Amazon CodeGuru Reviewer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodegurureviewer.html)  | codeguru-reviewer | 
|  [AWS CodePipeline](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodepipeline.html)  | codepipeline | 
|  [AWS CodeStar](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestar.html)  | codestar | 
|  [AWS CodeStar Notifications](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarnotifications.html)  | codestar-notifications | 
|  [Amazon Cognito Identity](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitoidentity.html)  | cognito-identity | 
|  [Amazon Cognito user pools](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitouserpools.html)  | cognito-idp | 
|  [Amazon Cognito Sync](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitosync.html)  | cognito-sync | 
|  [Amazon Comprehend Medical](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html)  | comprehendmedical | 
|  [AWS Compute Optimizer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html)  | compute-optimizer | 
|  [AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html)  | config | 
|  [Amazon Connect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnect.html)  | connect | 
|  [AWS Cost and Usage Report](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostandusagereport.html)  | cur | 
|  [AWS Glue DataBrew](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgluedatabrew.html)  | databrew | 
|  [AWS Data Exchange](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdataexchange.html)  | dataexchange | 
|  [AWS Data Pipeline](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatapipeline.html)  | datapipeline | 
|  [DynamoDB Accelerator](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodbacceleratordax.html)  | dax | 
|  [AWS Device Farm](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevicefarm.html)  | devicefarm | 
|  [Amazon DevOps Guru](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondevopsguru.html)  | devops-guru | 
|  [AWS Direct Connect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectconnect.html)  | directconnect | 
|  [Amazon Data Lifecycle Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatalifecyclemanager.html)  | dlm | 
|  [AWS Database Migration Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html)  | dms | 
|  [Amazon DocumentDB Elastic Clusters](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondocumentdbelasticclusters.html)  | docdb-elastic | 
|  [Amazon DynamoDB](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html)  | dynamodb | 
|  [Amazon Elastic Block Store](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html)  | ebs | 
|  [Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html)  | ec2 | 
|  [Amazon Elastic Container Registry](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html)  | ecr | 
|  [Amazon Elastic Container Registry Public](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistrypublic.html)  | ecr-public | 
|  [Amazon Elastic Container Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html)  | ecs | 
|  [Amazon Elastic Kubernetes Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastickubernetesservice.html)  | eks | 
|  [Amazon ElastiCache](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticache.html)  | elasticache | 
|  [AWS Elastic Beanstalk](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticbeanstalk.html)  | elasticbeanstalk | 
|  [Amazon Elastic File System](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticfilesystem.html)  | elasticfilesystem | 
|  [Elastic Load Balancing](https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancing.html)  | elasticloadbalancing | 
|  [Amazon Elastic Transcoder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastictranscoder.html)  | elastictranscoder | 
|  [Amazon EMR on EKS (EMR Containers)](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemroneksemrcontainers.html)  | emr-containers | 
|  [Amazon EMR Serverless](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemrserverless.html)  | emr-serverless | 
|  [Amazon OpenSearch Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html)  | es | 
|  [Amazon EventBridge](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridge.html)  | events | 
|  [Amazon CloudWatch Evidently](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchevidently.html)  | evidently | 
|  [Amazon FinSpace](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfinspace.html)  | finspace | 
|  [Amazon Data Firehose](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html)  | firehose | 
|  [AWS Fault Injection Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfaultinjectionsimulator.html)  | fis | 
|  [AWS Firewall Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html)  | fms | 
|  [Amazon Fraud Detector](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector)  | frauddetector | 
|  [Amazon FSx](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfsx)  | fsx | 
|  [Amazon GameLift Servers](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongamelift)  | gamelift | 
|  [Amazon Location Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlocation.html)  | geo | 
|  [Amazon Glacier](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3glacier.html)  | glacier | 
|  [Amazon Managed Grafana](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedgrafana.html)  | grafana | 
|  [AWS IoT Greengrass](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotgreengrass.html)  | greengrass | 
|  [AWS Ground Station](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgroundstation.html)  | groundstation | 
|  [Amazon GuardDuty](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonguardduty.html)  | guardduty | 
|  [AWS HealthLake](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhealthlake.html)  | healthlake | 
|  [Amazon Honeycode](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhoneycode.html)  | honeycode | 
|  [AWS Identity and Access Management](https://docs.aws.amazon.com/service-authorization/latest/reference/list_identityandaccessmanagement.html)  | iam | 
|  [AWS Identity Store](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html)  | identitystore | 
|  [EC2 Image Builder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2imagebuilder.html)  | imagebuilder | 
|  [Amazon Inspector Classic](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector.html)  | inspector | 
|  [Amazon Inspector](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html)  | inspector2 | 
|  [AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html)  | iot | 
|  [AWS IoT Analytics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotanalytics.html)  | iotanalytics | 
|  [AWS IoT Core Device Advisor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotcoredeviceadvisor.html)  | iotdeviceadvisor | 
|  [AWS IoT Events](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotevents.html)  | iotevents | 
|  [AWS IoT Fleet Hub](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleethubfordevicemanagement.html)  | iotfleethub | 
|  [AWS IoT SiteWise](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html)  | iotsitewise | 
|  [AWS IoT TwinMaker](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html)  | iottwinmaker | 
|  [AWS IoT Wireless](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html)  | iotwireless | 
|  [Amazon Interactive Video Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninteractivevideoservice.html)  | ivs | 
|  [Amazon Interactive Video Service Chat](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninteractivevideoservicechat.html)  | ivschat | 
|  [Amazon Managed Streaming for Apache Kafka](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedstreamingforapachekafka.html)  | kafka | 
|  [Amazon Managed Streaming for Kafka Connect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedstreamingforkafkaconnect.html)  | kafkaconnect | 
|  [Amazon Kendra](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendra.html)  | kendra | 
|  [Amazon Kinesis](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesis.html)  | kinesis | 
|  [Amazon Kinesis Analytics V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalyticsv2.html)  | kinesisanalytics | 
|  [AWS Key Management Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html)  | kms | 
|  [AWS Lambda](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html)  | lambda | 
|  [Amazon Lex](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html)  | lex | 
|  [AWS License Manager Linux Subscriptions Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanagerlinuxsubscriptionsmanager.html)  | license-manager-linux-subscriptions | 
|  [Amazon Lightsail](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html)  | lightsail | 
|  [Amazon CloudWatch Logs](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html)  | logs | 
|  [Amazon Lookout for Equipment](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforequipment.html)  | lookoutequipment | 
|  [Amazon Lookout for Metrics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutformetrics.html)  | lookoutmetrics | 
|  [Amazon Lookout for Vision](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforvision.html)  | lookoutvision | 
|  [AWS Mainframe Modernization](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmainframemodernizationservice.html)  | m2 | 
|  [Amazon Managed Blockchain](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedblockchain.html)  | managedblockchain | 
|  [AWS Elemental MediaConnect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediaconnect.html)  | mediaconnect | 
|  [AWS Elemental MediaConvert](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediaconvert.html)  | mediaconvert | 
|  [AWS Elemental MediaLive](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmedialive.html)  | medialive | 
|  [AWS Elemental MediaStore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediastore.html)  | mediastore | 
|  [AWS Elemental MediaTailor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediatailor.html)  | mediatailor | 
|  [Amazon MemoryDB](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmemorydb.html)  | memorydb | 
|  [AWS Application Migration Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationmigrationservice.html)  | mgn | 
|  [AWS Migration Hub](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhub.html)  | mgh | 
|  [AWS Migration Hub Strategy Recommendations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhubstrategyrecommendations.html)  | migrationhub-strategy | 
|  [Amazon Pinpoint](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpoint.html)  | mobiletargeting | 
|  [Amazon MQ](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmq.html)  | mq | 
|  [AWS Network Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkmanager.html)  | networkmanager | 
|  [Amazon Nimble Studio](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnimblestudio.html)  | nimble | 
|  [AWS HealthOmics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html)  | omics | 
|  [AWS OpsWorks](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopsworks.html)  | opsworks | 
|  [AWS OpsWorks CM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopsworksconfigurationmanagement)  | opsworks-cm | 
|  [AWS Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsoutposts.html)  | outposts | 
|  [AWS Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html)  | organizations | 
|  [AWS Panorama](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html)  | panorama | 
|  [AWS Performance Insights](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsperformanceinsights.html)  | pi | 
|  [Amazon EventBridge Pipes](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgepipes.html)  | pipes | 
|  [Amazon Polly](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html)  | polly | 
|  [Amazon Connect Customer Profiles](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcustomerprofiles.html)  | profile | 
|  [Amazon QLDB](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqldb.html)  | qldb | 
|  [AWS Resource Access Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceaccessmanager.html)  | ram | 
|  [AWS Recycle Bin](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html)  | rbin | 
|  [Amazon Relational Database Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html)  | rds | 
|  [Amazon Redshift](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html)  | redshift | 
|  [Amazon Redshift Data API](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftdataapi.html)  | redshift-data | 
|  [AWS Migration Hub Refactor Spaces](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhubrefactorspaces.html)  | refactor-spaces | 
|  [Amazon Rekognition](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html)  | rekognition | 
|  [AWS Resilience Hub](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresiliencehub.html)  | resiliencehub | 
|  [AWS Resource Explorer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceexplorer.html)  | resource-explorer-2 | 
|  [AWS Resource Groups](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourcegroups.html)  | resource-groups | 
|  [AWS RoboMaker](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrobomaker.html)  | robomaker | 
|  [AWS Identity and Access Management Roles Anywhere](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementrolesanywhere.html)  | rolesanywhere | 
|  [Amazon Route 53](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html)  | route53 | 
|  [Amazon Route 53 Recovery Controls](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoverycontrols.html)  | route53-recovery-control-config | 
|  [Amazon Route 53 Recovery Readiness](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoveryreadiness.html)  | route53-recovery-readiness | 
|  [Amazon Route 53 Resolver](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53resolver.html)  | route53resolver | 
|  [AWS CloudWatch RUM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudwatchrum.html)  | rum | 
|  [Amazon Simple Storage Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html)  | s3 | 
|  [Amazon S3 on Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html)  | s3-outposts | 
|  [Amazon SageMaker AI geospatial capabilities](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemakergeospatialcapabilities.html)  | sagemaker-geospatial | 
|  [Savings Plans](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssavingsplans.html)  | savingsplans | 
|  [Amazon EventBridge Schemas](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgeschemas.html)  | schemas | 
|  [Amazon SimpleDB](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpledb.html)  | sdb | 
|  [AWS Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html)  | secretsmanager | 
|  [AWS Security Hub CSPM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html)  | securityhub | 
|  [Amazon Security Lake](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsecuritylake.html)  | securitylake | 
|  [AWS Serverless Application Repository](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsserverlessapplicationrepository.html)  | serverlessrepo | 
|  [AWS Service Catalog](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicecatalog.html)  | servicecatalog | 
|  [AWS Cloud Map](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html)  | servicediscovery | 
|  [Service Quotas](https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html)  | servicequotas | 
|  [Amazon Simple Email Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html)  | ses | 
|  [AWS Shield](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html)  | shield | 
|  [AWS Signer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssigner.html)  | signer | 
|  [AWS SimSpace Weaver](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssimspaceweaver.html)  | simspaceweaver | 
|  [AWS Server Migration Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservermigrationservice.html)  | sms | 
|  [Amazon Pinpoint SMS and Voice Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointsmsandvoiceservice.html)  | sms-voice | 
|  [AWS Snowball Edge](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssnowball.html)  | snowball | 
|  [Amazon Simple Queue Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html)  | sqs | 
|  [AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html)  | ssm | 
|  [AWS Systems Manager Incident Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanager.html)  | ssm-incidents | 
|  [AWS Systems Manager for SAP](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerforsap.html)  | ssm-sap | 
|  [AWS Step Functions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html)  | states | 
|  [AWS Security Token Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecuritytokenservice.html)  | sts | 
|  [Amazon Simple Workflow Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleworkflowservice.html)  | swf | 
|  [Amazon CloudWatch Synthetics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchsynthetics.html)  | synthetics | 
|  [AWS Resource Groups Tagging API](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresourcegrouptaggingapi.html)  | tag | 
|  [Amazon Textract](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html)  | textract | 
|  [Amazon Timestream](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontimestream.html)  | timestream | 
|  [AWS Telco Network Builder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstelconetworkbuilder.html)  | tnb | 
|  [Amazon Transcribe](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html)  | transcribe | 
|  [AWS Transfer Family](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html)  | transfer | 
|  [Amazon Translate](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranslate.html)  | translate | 
|  [Amazon Connect Voice ID](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectvoiceid.html)  | voiceid | 
|  [Amazon VPC Lattice](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonvpclattice.html)  | vpc-lattice | 
|  [AWS WAFV2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html)  | wafv2 | 
|  [AWS Well-Architected Tool](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswell-architectedtool.html)  | wellarchitected | 
|  [Amazon Connect Wisdom](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectwisdom.html)  | wisdom | 
|  [Amazon WorkLink](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworklink.html)  | worklink | 
|  [Amazon WorkSpaces](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspaces.html)  | workspaces | 
|  [AWS X-Ray](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html)  | xray | 

## Actions for policy generation information
<a name="access-analyzer-policy-generation-action-last-accessed-support-supported-actions"></a>

The following table lists the actions for which IAM Access Analyzer generates policies with action-level information.

**Important**  
The `iam:UpdateAccountName` action will be deprecated on April 22, 2026. After April 22, 2026, only the [`account:PutAccountName`](https://docs.aws.amazon.com/accounts/latest/reference/API_PutAccountName.html) permission will control account name update access. We strongly recommend that you update any [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) that control account name updates to use the `account:PutAccountName` permission.


|  **Service prefix**  |  **Actions**  | 
| --- | --- | 
| access-analyzer |  access-analyzer:ApplyArchiveRule access-analyzer:CancelPolicyGeneration access-analyzer:CheckAccessNotGranted access-analyzer:CheckNoNewAccess access-analyzer:CheckNoPublicAccess access-analyzer:CreateAccessPreview access-analyzer:CreateAnalyzer access-analyzer:CreateArchiveRule access-analyzer:DeleteAnalyzer access-analyzer:DeleteArchiveRule access-analyzer:GenerateFindingRecommendation access-analyzer:GetAccessPreview access-analyzer:GetAnalyzedResource access-analyzer:GetAnalyzer access-analyzer:GetArchiveRule access-analyzer:GetFinding access-analyzer:GetFindingRecommendation access-analyzer:GetFindingsStatistics access-analyzer:GetGeneratedPolicy access-analyzer:ListAccessPreviewFindings access-analyzer:ListAccessPreviews access-analyzer:ListAnalyzedResources access-analyzer:ListAnalyzers access-analyzer:ListArchiveRules access-analyzer:ListFindings access-analyzer:ListPolicyGenerations access-analyzer:StartPolicyGeneration access-analyzer:StartResourceScan access-analyzer:UpdateAnalyzer access-analyzer:UpdateArchiveRule access-analyzer:UpdateFindings access-analyzer:ValidatePolicy  | 
| account |  account:AcceptPrimaryEmailUpdate account:DeleteAlternateContact account:DisableRegion account:EnableRegion account:GetAccountInformation account:GetAlternateContact account:GetContactInformation account:GetGovCloudAccountInformation account:GetPrimaryEmail account:GetRegionOptStatus account:ListRegions account:PutAccountName account:PutAlternateContact account:PutContactInformation account:StartPrimaryEmailUpdate  | 
| acm |  acm:DeleteCertificate acm:DescribeCertificate acm:ExportCertificate acm:GetAccountConfiguration acm:GetCertificate acm:ImportCertificate acm:ListCertificates acm:PutAccountConfiguration acm:RenewCertificate acm:RequestCertificate acm:ResendValidationEmail acm:UpdateCertificateOptions  | 
| airflow |  airflow:CreateCliToken airflow:CreateEnvironment airflow:CreateWebLoginToken airflow:DeleteEnvironment airflow:GetEnvironment airflow:ListEnvironments airflow:PublishMetrics airflow:UpdateEnvironment  | 
| amplify |  amplify:CreateApp amplify:CreateBackendEnvironment amplify:CreateBranch amplify:CreateDeployment amplify:CreateDomainAssociation amplify:CreateWebHook amplify:DeleteApp amplify:DeleteBackendEnvironment amplify:DeleteBranch amplify:DeleteDomainAssociation amplify:DeleteJob amplify:DeleteWebHook amplify:GenerateAccessLogs amplify:GetApp amplify:GetArtifactUrl amplify:GetBackendEnvironment amplify:GetBranch amplify:GetDomainAssociation amplify:GetJob amplify:GetWebHook amplify:ListApps amplify:ListArtifacts amplify:ListBackendEnvironments amplify:ListBranches amplify:ListDomainAssociations amplify:ListJobs amplify:ListWebHooks amplify:StartDeployment amplify:StartJob amplify:StopJob amplify:UpdateApp amplify:UpdateBranch amplify:UpdateDomainAssociation amplify:UpdateWebHook  | 
| amplifyuibuilder |  amplifyuibuilder:CreateComponent amplifyuibuilder:CreateForm amplifyuibuilder:CreateTheme amplifyuibuilder:DeleteComponent amplifyuibuilder:DeleteForm amplifyuibuilder:DeleteTheme amplifyuibuilder:ExportComponents amplifyuibuilder:ExportThemes amplifyuibuilder:GetCodegenJob amplifyuibuilder:ListCodegenJobs amplifyuibuilder:ListComponents amplifyuibuilder:ListForms amplifyuibuilder:ListThemes amplifyuibuilder:ResetMetadataFlag amplifyuibuilder:StartCodegenJob amplifyuibuilder:UpdateComponent amplifyuibuilder:UpdateForm amplifyuibuilder:UpdateTheme  | 
| app-integrations |  app-integrations:CreateApplication app-integrations:CreateDataIntegration app-integrations:CreateDataIntegrationAssociation app-integrations:CreateEventIntegration app-integrations:DeleteApplication app-integrations:DeleteDataIntegration app-integrations:DeleteEventIntegration app-integrations:GetApplication app-integrations:GetDataIntegration app-integrations:GetEventIntegration app-integrations:ListApplicationAssociations app-integrations:ListApplications app-integrations:ListDataIntegrationAssociations app-integrations:ListDataIntegrations app-integrations:ListEventIntegrationAssociations app-integrations:ListEventIntegrations app-integrations:UpdateApplication app-integrations:UpdateDataIntegration app-integrations:UpdateDataIntegrationAssociation app-integrations:UpdateEventIntegration  | 
| appconfig |  appconfig:CreateApplication appconfig:CreateConfigurationProfile appconfig:CreateDeploymentStrategy appconfig:CreateEnvironment appconfig:CreateExtension appconfig:CreateExtensionAssociation appconfig:CreateHostedConfigurationVersion appconfig:DeleteApplication appconfig:DeleteConfigurationProfile appconfig:DeleteDeploymentStrategy appconfig:DeleteEnvironment appconfig:DeleteExtension appconfig:DeleteExtensionAssociation appconfig:DeleteHostedConfigurationVersion appconfig:GetAccountSettings appconfig:GetApplication appconfig:GetConfiguration appconfig:GetConfigurationProfile appconfig:GetDeployment appconfig:GetDeploymentStrategy appconfig:GetEnvironment appconfig:GetExtension appconfig:GetExtensionAssociation appconfig:GetHostedConfigurationVersion appconfig:ListApplications appconfig:ListConfigurationProfiles appconfig:ListDeploymentStrategies appconfig:ListDeployments appconfig:ListEnvironments appconfig:ListExtensionAssociations appconfig:ListExtensions appconfig:ListHostedConfigurationVersions appconfig:StartDeployment appconfig:StopDeployment appconfig:UpdateAccountSettings appconfig:UpdateApplication appconfig:UpdateConfigurationProfile appconfig:UpdateDeploymentStrategy appconfig:UpdateEnvironment appconfig:UpdateExtension appconfig:UpdateExtensionAssociation appconfig:ValidateConfiguration  | 
| appflow |  appflow:CancelFlowExecutions appflow:CreateConnectorProfile appflow:CreateFlow appflow:DeleteConnectorProfile appflow:DeleteFlow appflow:DescribeConnector appflow:DescribeConnectorEntity appflow:DescribeConnectorProfiles appflow:DescribeConnectors appflow:DescribeFlow appflow:DescribeFlowExecutionRecords appflow:ListConnectorEntities appflow:ListConnectors appflow:ListFlows appflow:RegisterConnector appflow:ResetConnectorMetadataCache appflow:StartFlow appflow:StopFlow appflow:UnRegisterConnector appflow:UpdateConnectorProfile appflow:UpdateConnectorRegistration appflow:UpdateFlow  | 
| applicationinsights |  applicationinsights:AddWorkload applicationinsights:CreateApplication applicationinsights:CreateComponent applicationinsights:CreateLogPattern applicationinsights:DeleteApplication applicationinsights:DeleteComponent applicationinsights:DeleteLogPattern applicationinsights:DescribeApplication applicationinsights:DescribeComponent applicationinsights:DescribeComponentConfiguration applicationinsights:DescribeComponentConfigurationRecommendation applicationinsights:DescribeLogPattern applicationinsights:DescribeObservation applicationinsights:DescribeProblem applicationinsights:DescribeProblemObservations applicationinsights:DescribeWorkload applicationinsights:ListApplications applicationinsights:ListComponents applicationinsights:ListConfigurationHistory applicationinsights:ListLogPatternSets applicationinsights:ListLogPatterns applicationinsights:ListProblems applicationinsights:ListWorkloads applicationinsights:RemoveWorkload applicationinsights:UpdateApplication applicationinsights:UpdateComponent applicationinsights:UpdateComponentConfiguration applicationinsights:UpdateLogPattern applicationinsights:UpdateWorkload  | 
| appmesh |  appmesh:CreateGatewayRoute appmesh:CreateMesh appmesh:CreateRoute appmesh:CreateVirtualGateway appmesh:CreateVirtualNode appmesh:CreateVirtualRouter appmesh:CreateVirtualService appmesh:DeleteGatewayRoute appmesh:DeleteMesh appmesh:DeleteRoute appmesh:DeleteVirtualGateway appmesh:DeleteVirtualNode appmesh:DeleteVirtualRouter appmesh:DeleteVirtualService appmesh:DescribeGatewayRoute appmesh:DescribeMesh appmesh:DescribeRoute appmesh:DescribeVirtualGateway appmesh:DescribeVirtualNode appmesh:DescribeVirtualRouter appmesh:DescribeVirtualService appmesh:ListGatewayRoutes appmesh:ListMeshes appmesh:ListRoutes appmesh:ListVirtualGateways appmesh:ListVirtualNodes appmesh:ListVirtualRouters appmesh:ListVirtualServices appmesh:StreamAggregatedResources appmesh:UpdateGatewayRoute appmesh:UpdateMesh appmesh:UpdateRoute appmesh:UpdateVirtualGateway appmesh:UpdateVirtualNode appmesh:UpdateVirtualRouter appmesh:UpdateVirtualService  | 
| appstream |  appstream:AssociateAppBlockBuilderAppBlock appstream:AssociateApplicationFleet appstream:AssociateApplicationToEntitlement appstream:AssociateFleet appstream:AssociateSoftwareToImageBuilder appstream:BatchAssociateUserStack appstream:BatchDisassociateUserStack appstream:CopyImage appstream:CreateAppBlock appstream:CreateAppBlockBuilder appstream:CreateAppBlockBuilderStreamingURL appstream:CreateApplication appstream:CreateDirectoryConfig appstream:CreateEntitlement appstream:CreateFleet appstream:CreateImageBuilder appstream:CreateImageBuilderStreamingURL appstream:CreateStack appstream:CreateStreamingURL appstream:CreateThemeForStack appstream:CreateUpdatedImage appstream:CreateUsageReportSubscription appstream:CreateUser appstream:DeleteAppBlock appstream:DeleteAppBlockBuilder appstream:DeleteApplication appstream:DeleteDirectoryConfig appstream:DeleteEntitlement appstream:DeleteFleet appstream:DeleteImage appstream:DeleteImageBuilder appstream:DeleteImagePermissions appstream:DeleteStack appstream:DeleteThemeForStack appstream:DeleteUsageReportSubscription appstream:DeleteUser appstream:DescribeAppBlockBuilderAppBlockAssociations appstream:DescribeAppBlockBuilders appstream:DescribeAppBlocks appstream:DescribeAppLicenseUsage appstream:DescribeApplicationFleetAssociations appstream:DescribeApplications appstream:DescribeDirectoryConfigs appstream:DescribeEntitlements appstream:DescribeFleets appstream:DescribeImageBuilders appstream:DescribeImagePermissions appstream:DescribeImages appstream:DescribeSessions appstream:DescribeStacks appstream:DescribeThemeForStack appstream:DescribeUsageReportSubscriptions appstream:DescribeUserStackAssociations appstream:DescribeUsers appstream:DisableUser appstream:DisassociateAppBlockBuilderAppBlock appstream:DisassociateApplicationFleet appstream:DisassociateApplicationFromEntitlement appstream:DisassociateFleet appstream:DisassociateSoftwareFromImageBuilder appstream:EnableUser appstream:ExpireSession appstream:GetExportImageTask appstream:ListAssociatedFleets appstream:ListAssociatedStacks appstream:ListEntitledApplications appstream:ListExportImageTasks appstream:StartAppBlockBuilder appstream:StartFleet appstream:StartImageBuilder appstream:StartSoftwareDeploymentToImageBuilder appstream:StopAppBlockBuilder appstream:StopFleet appstream:StopImageBuilder appstream:UpdateAppBlockBuilder appstream:UpdateApplication appstream:UpdateDirectoryConfig appstream:UpdateEntitlement appstream:UpdateFleet appstream:UpdateImagePermissions appstream:UpdateStack appstream:UpdateThemeForStack  | 
| appsync |  appsync:AssociateApi appsync:AssociateMergedGraphqlApi appsync:AssociateSourceGraphqlApi appsync:AssociateWebACL appsync:CreateApi appsync:CreateApiCache appsync:CreateApiKey appsync:CreateChannelNamespace appsync:CreateDataSource appsync:CreateDomainName appsync:CreateFunction appsync:CreateGraphqlApi appsync:CreateResolver appsync:CreateType appsync:DeleteApi appsync:DeleteApiCache appsync:DeleteApiKey appsync:DeleteChannelNamespace appsync:DeleteDataSource appsync:DeleteDomainName appsync:DeleteFunction appsync:DeleteGraphqlApi appsync:DeleteResolver appsync:DeleteType appsync:DisassociateApi appsync:DisassociateMergedGraphqlApi appsync:DisassociateSourceGraphqlApi appsync:DisassociateWebACL appsync:EvaluateCode appsync:EvaluateMappingTemplate appsync:FlushApiCache appsync:GetApi appsync:GetApiAssociation appsync:GetApiCache appsync:GetChannelNamespace appsync:GetDataSource appsync:GetDataSourceIntrospection appsync:GetDomainName appsync:GetFunction appsync:GetGraphqlApi appsync:GetGraphqlApiEnvironmentVariables appsync:GetIntrospectionSchema appsync:GetResolver appsync:GetSchemaCreationStatus appsync:GetSourceApiAssociation appsync:GetType appsync:GetWebACLForResource appsync:ListApiKeys appsync:ListApis appsync:ListChannelNamespaces appsync:ListDataSources appsync:ListDomainNames appsync:ListFunctions appsync:ListGraphqlApis appsync:ListResolvers appsync:ListResolversByFunction appsync:ListResourcesForWebACL appsync:ListSourceApiAssociations appsync:ListTypes appsync:ListTypesByAssociation appsync:PutGraphqlApiEnvironmentVariables appsync:StartDataSourceIntrospection appsync:StartSchemaCreation appsync:StartSchemaMerge appsync:UpdateApi appsync:UpdateApiCache appsync:UpdateApiKey appsync:UpdateChannelNamespace appsync:UpdateDataSource appsync:UpdateDomainName appsync:UpdateFunction appsync:UpdateGraphqlApi appsync:UpdateResolver appsync:UpdateSourceApiAssociation appsync:UpdateType  | 
| aps |  aps:CreateAlertManagerDefinition aps:CreateAnomalyDetector aps:CreateLoggingConfiguration aps:CreateQueryLoggingConfiguration aps:CreateRuleGroupsNamespace aps:CreateWorkspace aps:DeleteAlertManagerDefinition aps:DeleteAnomalyDetector aps:DeleteLoggingConfiguration aps:DeleteQueryLoggingConfiguration aps:DeleteResourcePolicy aps:DeleteRuleGroupsNamespace aps:DeleteScraper aps:DeleteScraperLoggingConfiguration aps:DeleteWorkspace aps:DescribeAlertManagerDefinition aps:DescribeAnomalyDetector aps:DescribeLoggingConfiguration aps:DescribeQueryLoggingConfiguration aps:DescribeResourcePolicy aps:DescribeRuleGroupsNamespace aps:DescribeScraper aps:DescribeScraperLoggingConfiguration aps:DescribeWorkspace aps:DescribeWorkspaceConfiguration aps:GetDefaultScraperConfiguration aps:ListAnomalyDetectors aps:ListRuleGroupsNamespaces aps:ListScrapers aps:ListWorkspaces aps:PutAlertManagerDefinition aps:PutAnomalyDetector aps:PutResourcePolicy aps:PutRuleGroupsNamespace aps:UpdateLoggingConfiguration aps:UpdateQueryLoggingConfiguration aps:UpdateScraper aps:UpdateScraperLoggingConfiguration aps:UpdateWorkspaceAlias aps:UpdateWorkspaceConfiguration  | 
| athena |  athena:BatchGetNamedQuery athena:BatchGetPreparedStatement athena:BatchGetQueryExecution athena:CancelCapacityReservation athena:CreateCapacityReservation athena:CreateDataCatalog athena:CreateNamedQuery athena:CreateNotebook athena:CreatePreparedStatement athena:CreatePresignedNotebookUrl athena:CreateWorkGroup athena:DeleteCapacityReservation athena:DeleteDataCatalog athena:DeleteNamedQuery athena:DeleteNotebook athena:DeletePreparedStatement athena:DeleteWorkGroup athena:ExportNotebook athena:GetCalculationExecution athena:GetCalculationExecutionCode athena:GetCalculationExecutionStatus athena:GetCapacityAssignmentConfiguration athena:GetCapacityReservation athena:GetDataCatalog athena:GetDatabase athena:GetNamedQuery athena:GetNotebookMetadata athena:GetPreparedStatement athena:GetQueryExecution athena:GetQueryResults athena:GetQueryResultsStream athena:GetQueryRuntimeStatistics athena:GetResourceDashboard athena:GetSession athena:GetSessionEndpoint athena:GetSessionStatus athena:GetTableMetadata athena:GetWorkGroup athena:ImportNotebook athena:ListApplicationDPUSizes athena:ListCalculationExecutions athena:ListCapacityReservations athena:ListDataCatalogs athena:ListDatabases athena:ListEngineVersions athena:ListExecutors athena:ListNamedQueries athena:ListNotebookMetadata athena:ListNotebookSessions athena:ListPreparedStatements athena:ListQueryExecutions athena:ListSessions athena:ListTableMetadata athena:ListWorkGroups athena:PutCapacityAssignmentConfiguration athena:StartCalculationExecution athena:StartQueryExecution athena:StartSession athena:StopCalculationExecution athena:StopQueryExecution athena:TerminateSession athena:UpdateCapacityReservation athena:UpdateDataCatalog athena:UpdateNamedQuery athena:UpdateNotebook athena:UpdateNotebookMetadata athena:UpdatePreparedStatement athena:UpdateWorkGroup  | 
| auditmanager |  auditmanager:AssociateAssessmentReportEvidenceFolder auditmanager:BatchAssociateAssessmentReportEvidence auditmanager:BatchCreateDelegationByAssessment auditmanager:BatchDeleteDelegationByAssessment auditmanager:BatchDisassociateAssessmentReportEvidence auditmanager:BatchImportEvidenceToAssessmentControl auditmanager:CreateAssessment auditmanager:CreateAssessmentFramework auditmanager:CreateAssessmentReport auditmanager:CreateControl auditmanager:DeleteAssessment auditmanager:DeleteAssessmentFramework auditmanager:DeleteAssessmentFrameworkShare auditmanager:DeleteAssessmentReport auditmanager:DeleteControl auditmanager:DeregisterAccount auditmanager:DeregisterOrganizationAdminAccount auditmanager:DisassociateAssessmentReportEvidenceFolder auditmanager:GetAccountStatus auditmanager:GetAssessment auditmanager:GetAssessmentFramework auditmanager:GetAssessmentReportUrl auditmanager:GetChangeLogs auditmanager:GetControl auditmanager:GetDelegations auditmanager:GetEvidence auditmanager:GetEvidenceByEvidenceFolder auditmanager:GetEvidenceFileUploadUrl auditmanager:GetEvidenceFolder auditmanager:GetEvidenceFoldersByAssessment auditmanager:GetEvidenceFoldersByAssessmentControl auditmanager:GetInsights auditmanager:GetInsightsByAssessment auditmanager:GetOrganizationAdminAccount auditmanager:GetServicesInScope auditmanager:GetSettings auditmanager:ListAssessmentControlInsightsByControlDomain auditmanager:ListAssessmentFrameworkShareRequests auditmanager:ListAssessmentFrameworks auditmanager:ListAssessmentReports auditmanager:ListAssessments auditmanager:ListControlDomainInsights auditmanager:ListControlDomainInsightsByAssessment auditmanager:ListControlInsightsByControlDomain auditmanager:ListControls auditmanager:ListKeywordsForDataSource auditmanager:ListNotifications auditmanager:RegisterAccount auditmanager:RegisterOrganizationAdminAccount auditmanager:StartAssessmentFrameworkShare auditmanager:UpdateAssessment auditmanager:UpdateAssessmentControl auditmanager:UpdateAssessmentControlSetStatus auditmanager:UpdateAssessmentFramework auditmanager:UpdateAssessmentFrameworkShare auditmanager:UpdateAssessmentStatus auditmanager:UpdateControl auditmanager:UpdateSettings auditmanager:ValidateAssessmentReportIntegrity  | 
| autoscaling |  autoscaling:AttachInstances autoscaling:AttachLoadBalancerTargetGroups autoscaling:AttachLoadBalancers autoscaling:AttachTrafficSources autoscaling:BatchDeleteScheduledAction autoscaling:BatchPutScheduledUpdateGroupAction autoscaling:CancelInstanceRefresh autoscaling:CompleteLifecycleAction autoscaling:CreateAutoScalingGroup autoscaling:CreateLaunchConfiguration autoscaling:DeleteAutoScalingGroup autoscaling:DeleteLaunchConfiguration autoscaling:DeleteLifecycleHook autoscaling:DeleteNotificationConfiguration autoscaling:DeletePolicy autoscaling:DeleteScheduledAction autoscaling:DeleteWarmPool autoscaling:DescribeAccountLimits autoscaling:DescribeAdjustmentTypes autoscaling:DescribeAutoScalingGroups autoscaling:DescribeAutoScalingInstances autoscaling:DescribeAutoScalingNotificationTypes autoscaling:DescribeInstanceRefreshes autoscaling:DescribeLaunchConfigurations autoscaling:DescribeLifecycleHookTypes autoscaling:DescribeLifecycleHooks autoscaling:DescribeLoadBalancerTargetGroups autoscaling:DescribeLoadBalancers autoscaling:DescribeMetricCollectionTypes autoscaling:DescribeNotificationConfigurations autoscaling:DescribePolicies autoscaling:DescribeScalingActivities autoscaling:DescribeScalingProcessTypes autoscaling:DescribeScheduledActions autoscaling:DescribeTerminationPolicyTypes autoscaling:DescribeTrafficSources autoscaling:DescribeWarmPool autoscaling:DetachInstances autoscaling:DetachLoadBalancerTargetGroups autoscaling:DetachLoadBalancers autoscaling:DetachTrafficSources autoscaling:DisableMetricsCollection autoscaling:EnableMetricsCollection autoscaling:EnterStandby autoscaling:ExecutePolicy autoscaling:ExitStandby autoscaling:GetPredictiveScalingForecast autoscaling:PutLifecycleHook autoscaling:PutNotificationConfiguration autoscaling:PutScalingPolicy autoscaling:PutScheduledUpdateGroupAction autoscaling:PutWarmPool autoscaling:RecordLifecycleActionHeartbeat autoscaling:ResumeProcesses autoscaling:RollbackInstanceRefresh autoscaling:SetDesiredCapacity autoscaling:SetInstanceHealth autoscaling:SetInstanceProtection autoscaling:StartInstanceRefresh autoscaling:SuspendProcesses autoscaling:TerminateInstanceInAutoScalingGroup autoscaling:UpdateAutoScalingGroup  | 
| aws-marketplace |  aws-marketplace:GetEntitlements  | 
| backup |  backup:CancelLegalHold backup:CreateBackupPlan backup:CreateBackupSelection backup:CreateBackupVault backup:CreateFramework backup:CreateLegalHold backup:CreateLogicallyAirGappedBackupVault backup:CreateReportPlan backup:CreateRestoreAccessBackupVault backup:CreateRestoreTestingPlan backup:CreateRestoreTestingSelection backup:CreateTieringConfiguration backup:DeleteBackupPlan backup:DeleteBackupSelection backup:DeleteBackupVault backup:DeleteBackupVaultAccessPolicy backup:DeleteBackupVaultLockConfiguration backup:DeleteBackupVaultNotifications backup:DeleteFramework backup:DeleteRecoveryPoint backup:DeleteReportPlan backup:DeleteRestoreTestingPlan backup:DeleteRestoreTestingSelection backup:DeleteTieringConfiguration backup:DescribeBackupJob backup:DescribeBackupVault backup:DescribeCopyJob backup:DescribeFramework backup:DescribeGlobalSettings backup:DescribeProtectedResource backup:DescribeRecoveryPoint backup:DescribeRegionSettings backup:DescribeReportJob backup:DescribeReportPlan backup:DescribeRestoreJob backup:DescribeScanJob backup:DisassociateRecoveryPoint backup:DisassociateRecoveryPointFromParent backup:ExportBackupPlanTemplate backup:GetBackupPlan backup:GetBackupPlanFromJSON backup:GetBackupPlanFromTemplate backup:GetBackupSelection backup:GetBackupVaultAccessPolicy backup:GetBackupVaultNotifications backup:GetLegalHold backup:GetRecoveryPointRestoreMetadata backup:GetRestoreJobMetadata backup:GetRestoreTestingInferredMetadata backup:GetRestoreTestingPlan backup:GetRestoreTestingSelection backup:GetSupportedResourceTypes backup:GetTieringConfiguration backup:ListBackupJobSummaries backup:ListBackupJobs backup:ListBackupPlanTemplates backup:ListBackupPlanVersions backup:ListBackupPlans backup:ListBackupSelections backup:ListBackupVaults backup:ListCopyJobSummaries backup:ListCopyJobs backup:ListFrameworks backup:ListIndexedRecoveryPoints backup:ListLegalHolds backup:ListProtectedResources backup:ListRecoveryPointsByBackupVault backup:ListRecoveryPointsByLegalHold backup:ListRecoveryPointsByResource backup:ListReportJobs backup:ListReportPlans backup:ListRestoreAccessBackupVaults backup:ListRestoreJobSummaries backup:ListRestoreJobs backup:ListRestoreJobsByProtectedResource backup:ListRestoreTestingPlans backup:ListRestoreTestingSelections backup:ListScanJobSummaries backup:ListScanJobs backup:ListTieringConfigurations backup:PutBackupVaultAccessPolicy backup:PutBackupVaultLockConfiguration backup:PutBackupVaultNotifications backup:PutRestoreValidationResult backup:StartBackupJob backup:StartCopyJob backup:StartReportJob backup:StartRestoreJob backup:StopBackupJob backup:UpdateBackupPlan backup:UpdateFramework backup:UpdateGlobalSettings backup:UpdateRecoveryPointLifecycle backup:UpdateRegionSettings backup:UpdateReportPlan backup:UpdateRestoreTestingPlan backup:UpdateRestoreTestingSelection backup:UpdateTieringConfiguration  | 
| batch |  batch:CancelJob batch:CreateComputeEnvironment batch:CreateConsumableResource batch:CreateJobQueue batch:CreateSchedulingPolicy batch:CreateServiceEnvironment batch:DeleteComputeEnvironment batch:DeleteConsumableResource batch:DeleteJobQueue batch:DeleteSchedulingPolicy batch:DeleteServiceEnvironment batch:DeregisterJobDefinition batch:DescribeComputeEnvironments batch:DescribeConsumableResource batch:DescribeJobDefinitions batch:DescribeJobQueues batch:DescribeJobs batch:DescribeSchedulingPolicies batch:DescribeServiceEnvironments batch:DescribeServiceJob batch:GetJobQueueSnapshot batch:ListConsumableResources batch:ListJobs batch:ListJobsByConsumableResource batch:ListSchedulingPolicies batch:ListServiceJobs batch:RegisterJobDefinition batch:SubmitJob batch:SubmitServiceJob batch:TerminateJob batch:TerminateServiceJob batch:UpdateComputeEnvironment batch:UpdateConsumableResource batch:UpdateJobQueue batch:UpdateSchedulingPolicy batch:UpdateServiceEnvironment  | 
| braket |  braket:CancelJob braket:CancelQuantumTask braket:CreateJob braket:CreateQuantumTask braket:CreateSpendingLimit braket:GetDevice braket:GetJob braket:GetQuantumTask braket:SearchDevices braket:SearchJobs braket:SearchQuantumTasks braket:SearchSpendingLimits  | 
| budgets |  budgets:CreateBudgetAction budgets:DeleteBudgetAction budgets:DescribeBudgetAction budgets:DescribeBudgetActionHistories budgets:DescribeBudgetActionsForAccount budgets:DescribeBudgetActionsForBudget budgets:ExecuteBudgetAction budgets:ModifyBudget budgets:UpdateBudgetAction budgets:ViewBudget  | 
| cloud9 |  cloud9:CreateEnvironmentEC2 cloud9:CreateEnvironmentMembership cloud9:DeleteEnvironment cloud9:DeleteEnvironmentMembership cloud9:DescribeEnvironmentMemberships cloud9:DescribeEnvironmentStatus cloud9:DescribeEnvironments cloud9:ListEnvironments cloud9:UpdateEnvironment cloud9:UpdateEnvironmentMembership  | 
| cloudformation |  cloudformation:BatchDescribeTypeConfigurations cloudformation:CancelUpdateStack cloudformation:ContinueUpdateRollback cloudformation:CreateChangeSet cloudformation:CreateGeneratedTemplate cloudformation:CreateStack cloudformation:CreateStackInstances cloudformation:CreateStackSet cloudformation:DeactivateType cloudformation:DeleteChangeSet cloudformation:DeleteGeneratedTemplate cloudformation:DeleteStack cloudformation:DeleteStackInstances cloudformation:DeleteStackSet cloudformation:DeregisterType cloudformation:DescribeAccountLimits cloudformation:DescribeChangeSet cloudformation:DescribeChangeSetHooks cloudformation:DescribeEvents cloudformation:DescribeGeneratedTemplate cloudformation:DescribeOrganizationsAccess cloudformation:DescribePublisher cloudformation:DescribeResourceScan cloudformation:DescribeStackDriftDetectionStatus cloudformation:DescribeStackEvents cloudformation:DescribeStackInstance cloudformation:DescribeStackResource cloudformation:DescribeStackResourceDrifts cloudformation:DescribeStackResources cloudformation:DescribeStackSet cloudformation:DescribeStackSetOperation cloudformation:DescribeStacks cloudformation:DescribeType cloudformation:DescribeTypeRegistration cloudformation:DetectStackDrift cloudformation:DetectStackResourceDrift cloudformation:DetectStackSetDrift cloudformation:EstimateTemplateCost cloudformation:ExecuteChangeSet cloudformation:GetGeneratedTemplate cloudformation:GetHookResult cloudformation:GetStackPolicy cloudformation:GetTemplate cloudformation:GetTemplateSummary cloudformation:ImportStacksToStackSet cloudformation:ListChangeSets cloudformation:ListExports cloudformation:ListGeneratedTemplates cloudformation:ListHookResults cloudformation:ListImports cloudformation:ListResourceScanRelatedResources cloudformation:ListResourceScanResources cloudformation:ListResourceScans cloudformation:ListStackInstanceResourceDrifts cloudformation:ListStackInstances cloudformation:ListStackRefactors cloudformation:ListStackResources cloudformation:ListStackSetAutoDeploymentTargets cloudformation:ListStackSetOperationResults cloudformation:ListStackSetOperations cloudformation:ListStackSets cloudformation:ListTypeRegistrations cloudformation:ListTypeVersions cloudformation:ListTypes cloudformation:PublishType cloudformation:RecordHandlerProgress cloudformation:RegisterPublisher cloudformation:RegisterType cloudformation:RollbackStack cloudformation:SetStackPolicy cloudformation:SetTypeConfiguration cloudformation:SetTypeDefaultVersion cloudformation:SignalResource cloudformation:StartResourceScan cloudformation:StopStackSetOperation cloudformation:TestType cloudformation:UpdateGeneratedTemplate cloudformation:UpdateStack cloudformation:UpdateStackInstances cloudformation:UpdateStackSet cloudformation:UpdateTerminationProtection cloudformation:ValidateTemplate  | 
| cloudfront |  cloudfront:AssociateAlias cloudfront:AssociateDistributionTenantWebACL cloudfront:AssociateDistributionWebACL cloudfront:CreateCachePolicy cloudfront:CreateCloudFrontOriginAccessIdentity cloudfront:CreateConnectionFunction cloudfront:CreateContinuousDeploymentPolicy cloudfront:CreateDistributionTenant cloudfront:CreateFieldLevelEncryptionConfig cloudfront:CreateFieldLevelEncryptionProfile cloudfront:CreateFunction cloudfront:CreateInvalidation cloudfront:CreateKeyGroup cloudfront:CreateKeyValueStore cloudfront:CreateMonitoringSubscription cloudfront:CreateOriginAccessControl cloudfront:CreateOriginRequestPolicy cloudfront:CreatePublicKey cloudfront:CreateRealtimeLogConfig cloudfront:CreateResponseHeadersPolicy cloudfront:CreateTrustStore cloudfront:DeleteAnycastIpList cloudfront:DeleteCachePolicy cloudfront:DeleteCloudFrontOriginAccessIdentity cloudfront:DeleteConnectionFunction cloudfront:DeleteConnectionGroup cloudfront:DeleteContinuousDeploymentPolicy cloudfront:DeleteDistribution cloudfront:DeleteDistributionTenant cloudfront:DeleteFieldLevelEncryptionConfig cloudfront:DeleteFieldLevelEncryptionProfile cloudfront:DeleteFunction cloudfront:DeleteKeyGroup cloudfront:DeleteKeyValueStore cloudfront:DeleteMonitoringSubscription cloudfront:DeleteOriginAccessControl cloudfront:DeleteOriginRequestPolicy cloudfront:DeletePublicKey cloudfront:DeleteRealtimeLogConfig cloudfront:DeleteResponseHeadersPolicy cloudfront:DeleteStreamingDistribution cloudfront:DeleteTrustStore cloudfront:DeleteVpcOrigin cloudfront:DescribeFunction cloudfront:DescribeKeyValueStore cloudfront:DisassociateDistributionTenantWebACL cloudfront:DisassociateDistributionWebACL cloudfront:GetAnycastIpList cloudfront:GetCachePolicy cloudfront:GetCachePolicyConfig cloudfront:GetCloudFrontOriginAccessIdentity cloudfront:GetCloudFrontOriginAccessIdentityConfig cloudfront:GetContinuousDeploymentPolicy cloudfront:GetContinuousDeploymentPolicyConfig cloudfront:GetDistributionConfig cloudfront:GetFieldLevelEncryption cloudfront:GetFieldLevelEncryptionConfig cloudfront:GetFieldLevelEncryptionProfile cloudfront:GetFieldLevelEncryptionProfileConfig cloudfront:GetFunction cloudfront:GetInvalidation cloudfront:GetInvalidationForDistributionTenant cloudfront:GetKeyGroup cloudfront:GetKeyGroupConfig cloudfront:GetMonitoringSubscription cloudfront:GetOriginAccessControl cloudfront:GetOriginAccessControlConfig cloudfront:GetOriginRequestPolicy cloudfront:GetOriginRequestPolicyConfig cloudfront:GetPublicKey cloudfront:GetPublicKeyConfig cloudfront:GetRealtimeLogConfig cloudfront:GetResponseHeadersPolicy cloudfront:GetResponseHeadersPolicyConfig cloudfront:GetStreamingDistribution cloudfront:GetStreamingDistributionConfig cloudfront:GetVpcOrigin cloudfront:ListAnycastIpLists cloudfront:ListCachePolicies cloudfront:ListCloudFrontOriginAccessIdentities cloudfront:ListConflictingAliases cloudfront:ListConnectionFunctions cloudfront:ListConnectionGroups cloudfront:ListContinuousDeploymentPolicies cloudfront:ListDistributionTenants cloudfront:ListDistributionTenantsByCustomization cloudfront:ListDistributions cloudfront:ListDistributionsByAnycastIpListId cloudfront:ListDistributionsByCachePolicyId cloudfront:ListDistributionsByConnectionMode cloudfront:ListDistributionsByKeyGroup cloudfront:ListDistributionsByOriginRequestPolicyId cloudfront:ListDistributionsByRealtimeLogConfig cloudfront:ListDistributionsByResponseHeadersPolicyId cloudfront:ListDistributionsByVpcOriginId cloudfront:ListDistributionsByWebACLId cloudfront:ListFieldLevelEncryptionConfigs cloudfront:ListFieldLevelEncryptionProfiles cloudfront:ListFunctions cloudfront:ListInvalidations cloudfront:ListInvalidationsForDistributionTenant cloudfront:ListKeyGroups cloudfront:ListKeyValueStores cloudfront:ListOriginAccessControls cloudfront:ListOriginRequestPolicies cloudfront:ListPublicKeys cloudfront:ListRealtimeLogConfigs cloudfront:ListResponseHeadersPolicies cloudfront:ListStreamingDistributions cloudfront:ListTrustStores cloudfront:PublishConnectionFunction cloudfront:PublishFunction cloudfront:TestConnectionFunction cloudfront:TestFunction cloudfront:UpdateAnycastIpList cloudfront:UpdateCachePolicy cloudfront:UpdateCloudFrontOriginAccessIdentity cloudfront:UpdateConnectionFunction cloudfront:UpdateConnectionGroup cloudfront:UpdateContinuousDeploymentPolicy cloudfront:UpdateDistribution cloudfront:UpdateDistributionTenant cloudfront:UpdateFieldLevelEncryptionConfig cloudfront:UpdateFieldLevelEncryptionProfile cloudfront:UpdateFunction cloudfront:UpdateKeyGroup cloudfront:UpdateKeyValueStore cloudfront:UpdateOriginAccessControl cloudfront:UpdateOriginRequestPolicy cloudfront:UpdatePublicKey cloudfront:UpdateRealtimeLogConfig cloudfront:UpdateResponseHeadersPolicy cloudfront:UpdateTrustStore  | 
| cloudhsm |  cloudhsm:CreateHsm cloudhsm:DeleteBackup cloudhsm:DeleteHsm cloudhsm:DeleteResourcePolicy cloudhsm:DescribeBackups cloudhsm:DescribeClusters cloudhsm:GetResourcePolicy cloudhsm:InitializeCluster cloudhsm:ModifyBackupAttributes cloudhsm:ModifyCluster cloudhsm:PutResourcePolicy cloudhsm:RestoreBackup  | 
| cloudsearch |  cloudsearch:BuildSuggesters cloudsearch:CreateDomain cloudsearch:DefineAnalysisScheme cloudsearch:DefineExpression cloudsearch:DefineIndexField cloudsearch:DefineSuggester cloudsearch:DeleteAnalysisScheme cloudsearch:DeleteDomain cloudsearch:DeleteExpression cloudsearch:DeleteIndexField cloudsearch:DeleteSuggester cloudsearch:DescribeAnalysisSchemes cloudsearch:DescribeAvailabilityOptions cloudsearch:DescribeDomainEndpointOptions cloudsearch:DescribeDomains cloudsearch:DescribeExpressions cloudsearch:DescribeIndexFields cloudsearch:DescribeScalingParameters cloudsearch:DescribeServiceAccessPolicies cloudsearch:DescribeSuggesters cloudsearch:IndexDocuments cloudsearch:ListDomainNames cloudsearch:UpdateAvailabilityOptions cloudsearch:UpdateDomainEndpointOptions cloudsearch:UpdateScalingParameters cloudsearch:UpdateServiceAccessPolicies  | 
| cloudtrail |  cloudtrail:CancelQuery cloudtrail:CreateChannel cloudtrail:CreateDashboard cloudtrail:CreateEventDataStore cloudtrail:CreateTrail cloudtrail:DeleteChannel cloudtrail:DeleteDashboard cloudtrail:DeleteEventDataStore cloudtrail:DeleteResourcePolicy cloudtrail:DeleteTrail cloudtrail:DeregisterOrganizationDelegatedAdmin cloudtrail:DescribeQuery cloudtrail:DescribeTrails cloudtrail:DisableFederation cloudtrail:GenerateQuery cloudtrail:GetChannel cloudtrail:GetDashboard cloudtrail:GetEventConfiguration cloudtrail:GetEventDataStore cloudtrail:GetEventDataStoreData cloudtrail:GetEventSelectors cloudtrail:GetImport cloudtrail:GetInsightSelectors cloudtrail:GetResourcePolicy cloudtrail:GetTrail cloudtrail:GetTrailStatus cloudtrail:ListChannels cloudtrail:ListDashboards cloudtrail:ListEventDataStores cloudtrail:ListImportFailures cloudtrail:ListImports cloudtrail:ListInsightsData cloudtrail:ListPublicKeys cloudtrail:ListQueries cloudtrail:ListTrails cloudtrail:LookupEvents cloudtrail:PutEventConfiguration cloudtrail:PutEventSelectors cloudtrail:PutInsightSelectors cloudtrail:PutResourcePolicy cloudtrail:RegisterOrganizationDelegatedAdmin cloudtrail:RestoreEventDataStore cloudtrail:SearchSampleQueries cloudtrail:StartEventDataStoreIngestion cloudtrail:StartImport cloudtrail:StartLogging cloudtrail:StartQuery cloudtrail:StopEventDataStoreIngestion cloudtrail:StopImport cloudtrail:StopLogging cloudtrail:UpdateChannel cloudtrail:UpdateDashboard cloudtrail:UpdateEventDataStore cloudtrail:UpdateTrail  | 
| cloudwatch |  cloudwatch:DeleteAlarms cloudwatch:DeleteAnomalyDetector cloudwatch:DeleteDashboards cloudwatch:DeleteInsightRules cloudwatch:DeleteMetricStream cloudwatch:DescribeAlarmHistory cloudwatch:DescribeAlarms cloudwatch:DescribeAlarmsForMetric cloudwatch:DescribeAnomalyDetectors cloudwatch:DescribeInsightRules cloudwatch:DisableAlarmActions cloudwatch:DisableInsightRules cloudwatch:EnableAlarmActions cloudwatch:EnableInsightRules cloudwatch:GetDashboard cloudwatch:GetInsightRuleReport cloudwatch:GetMetricStatistics cloudwatch:GetMetricStream cloudwatch:ListDashboards cloudwatch:ListManagedInsightRules cloudwatch:ListMetricStreams cloudwatch:PutAnomalyDetector cloudwatch:PutCompositeAlarm cloudwatch:PutDashboard cloudwatch:PutInsightRule cloudwatch:PutManagedInsightRules cloudwatch:PutMetricAlarm cloudwatch:PutMetricStream cloudwatch:SetAlarmState cloudwatch:StartMetricStreams cloudwatch:StopMetricStreams  | 
| codeartifact |  codeartifact:AssociateExternalConnection codeartifact:CopyPackageVersions codeartifact:CreateDomain codeartifact:CreateRepository codeartifact:DeleteDomain codeartifact:DeleteDomainPermissionsPolicy codeartifact:DeletePackage codeartifact:DeletePackageVersions codeartifact:DeleteRepository codeartifact:DeleteRepositoryPermissionsPolicy codeartifact:DescribeDomain codeartifact:DescribePackage codeartifact:DescribePackageVersion codeartifact:DescribeRepository codeartifact:DisassociateExternalConnection codeartifact:DisposePackageVersions codeartifact:GetAssociatedPackageGroup codeartifact:GetAuthorizationToken codeartifact:GetDomainPermissionsPolicy codeartifact:GetPackageVersionAsset codeartifact:GetPackageVersionReadme codeartifact:GetRepositoryEndpoint codeartifact:GetRepositoryPermissionsPolicy codeartifact:ListDomains codeartifact:ListPackageGroups codeartifact:ListPackageVersionAssets codeartifact:ListPackageVersionDependencies codeartifact:ListPackageVersions codeartifact:ListPackages codeartifact:ListRepositories codeartifact:ListRepositoriesInDomain codeartifact:PublishPackageVersion codeartifact:PutDomainPermissionsPolicy codeartifact:PutPackageMetadata codeartifact:PutPackageOriginConfiguration codeartifact:PutRepositoryPermissionsPolicy codeartifact:ReadFromRepository codeartifact:UpdatePackageVersionsStatus codeartifact:UpdateRepository  | 
| codedeploy |  codedeploy:BatchGetApplicationRevisions codedeploy:BatchGetApplications codedeploy:BatchGetDeploymentGroups codedeploy:BatchGetDeploymentInstances codedeploy:BatchGetDeploymentTargets codedeploy:BatchGetDeployments codedeploy:BatchGetOnPremisesInstances codedeploy:ContinueDeployment codedeploy:CreateApplication codedeploy:CreateDeployment codedeploy:CreateDeploymentConfig codedeploy:CreateDeploymentGroup codedeploy:DeleteApplication codedeploy:DeleteDeploymentConfig codedeploy:DeleteDeploymentGroup codedeploy:DeleteGitHubAccountToken codedeploy:DeleteResourcesByExternalId codedeploy:DeregisterOnPremisesInstance codedeploy:GetApplication codedeploy:GetApplicationRevision codedeploy:GetDeployment codedeploy:GetDeploymentConfig codedeploy:GetDeploymentGroup codedeploy:GetDeploymentInstance codedeploy:GetDeploymentTarget codedeploy:GetOnPremisesInstance codedeploy:ListApplicationRevisions codedeploy:ListApplications codedeploy:ListDeploymentConfigs codedeploy:ListDeploymentGroups codedeploy:ListDeploymentInstances codedeploy:ListDeploymentTargets codedeploy:ListDeployments codedeploy:ListGitHubAccountTokenNames codedeploy:ListOnPremisesInstances codedeploy:PutLifecycleEventHookExecutionStatus codedeploy:RegisterApplicationRevision codedeploy:RegisterOnPremisesInstance codedeploy:SkipWaitTimeForInstanceTermination codedeploy:StopDeployment codedeploy:UpdateApplication codedeploy:UpdateDeploymentGroup  | 
| codeguru-profiler |  codeguru-profiler:AddNotificationChannels codeguru-profiler:BatchGetFrameMetricData codeguru-profiler:CreateProfilingGroup codeguru-profiler:DeleteProfilingGroup codeguru-profiler:DescribeProfilingGroup codeguru-profiler:GetFindingsReportAccountSummary codeguru-profiler:GetNotificationConfiguration codeguru-profiler:GetPolicy codeguru-profiler:GetProfile codeguru-profiler:GetRecommendations codeguru-profiler:ListFindingsReports codeguru-profiler:ListProfileTimes codeguru-profiler:ListProfilingGroups codeguru-profiler:PutPermission codeguru-profiler:RemoveNotificationChannel codeguru-profiler:RemovePermission codeguru-profiler:SubmitFeedback codeguru-profiler:UpdateProfilingGroup  | 
| codeguru-reviewer |  codeguru-reviewer:AssociateRepository codeguru-reviewer:CreateCodeReview codeguru-reviewer:DescribeCodeReview codeguru-reviewer:DescribeRecommendationFeedback codeguru-reviewer:DescribeRepositoryAssociation codeguru-reviewer:DisassociateRepository codeguru-reviewer:ListCodeReviews codeguru-reviewer:ListRecommendationFeedback codeguru-reviewer:ListRecommendations codeguru-reviewer:ListRepositoryAssociations codeguru-reviewer:PutRecommendationFeedback  | 
| codepipeline |  codepipeline:AcknowledgeJob codepipeline:AcknowledgeThirdPartyJob codepipeline:CreateCustomActionType codepipeline:CreatePipeline codepipeline:DeleteCustomActionType codepipeline:DeletePipeline codepipeline:DeleteWebhook codepipeline:DeregisterWebhookWithThirdParty codepipeline:GetActionType codepipeline:GetJobDetails codepipeline:GetPipeline codepipeline:GetPipelineExecution codepipeline:GetPipelineState codepipeline:GetThirdPartyJobDetails codepipeline:ListActionExecutions codepipeline:ListActionTypes codepipeline:ListPipelineExecutions codepipeline:ListPipelines codepipeline:ListRuleExecutions codepipeline:ListRuleTypes codepipeline:ListWebhooks codepipeline:OverrideStageCondition codepipeline:PollForJobs codepipeline:PollForThirdPartyJobs codepipeline:PutActionRevision codepipeline:PutApprovalResult codepipeline:PutJobFailureResult codepipeline:PutJobSuccessResult codepipeline:PutThirdPartyJobFailureResult codepipeline:PutThirdPartyJobSuccessResult codepipeline:PutWebhook codepipeline:RegisterWebhookWithThirdParty codepipeline:RollbackStage codepipeline:StartPipelineExecution codepipeline:StopPipelineExecution codepipeline:UpdateActionType codepipeline:UpdatePipeline  | 
| codestar |  codestar:AssociateTeamMember codestar:CreateProject codestar:CreateUserProfile codestar:DeleteProject codestar:DeleteUserProfile codestar:DescribeProject codestar:DescribeUserProfile codestar:DisassociateTeamMember codestar:ListProjects codestar:ListResources codestar:ListTeamMembers codestar:ListUserProfiles codestar:UpdateProject codestar:UpdateTeamMember codestar:UpdateUserProfile  | 
| codestar-notifications |  codestar-notifications:CreateNotificationRule codestar-notifications:DeleteNotificationRule codestar-notifications:DeleteTarget codestar-notifications:DescribeNotificationRule codestar-notifications:ListEventTypes codestar-notifications:ListNotificationRules codestar-notifications:ListTargets codestar-notifications:Subscribe codestar-notifications:Unsubscribe codestar-notifications:UpdateNotificationRule  | 
| cognito-identity |  cognito-identity:CreateIdentityPool cognito-identity:DeleteIdentities cognito-identity:DeleteIdentityPool cognito-identity:DescribeIdentity cognito-identity:DescribeIdentityPool cognito-identity:GetIdentityPoolRoles cognito-identity:ListIdentities cognito-identity:ListIdentityPools cognito-identity:LookupDeveloperIdentity cognito-identity:MergeDeveloperIdentities cognito-identity:SetIdentityPoolRoles cognito-identity:UnlinkDeveloperIdentity cognito-identity:UpdateIdentityPool  | 
| cognito-idp |  cognito-idp:AddCustomAttributes cognito-idp:AdminAddUserToGroup cognito-idp:AdminConfirmSignUp cognito-idp:AdminCreateUser cognito-idp:AdminDeleteUser cognito-idp:AdminDeleteUserAttributes cognito-idp:AdminDisableProviderForUser cognito-idp:AdminDisableUser cognito-idp:AdminEnableUser cognito-idp:AdminForgetDevice cognito-idp:AdminGetDevice cognito-idp:AdminGetUser cognito-idp:AdminInitiateAuth cognito-idp:AdminLinkProviderForUser cognito-idp:AdminListDevices cognito-idp:AdminListGroupsForUser cognito-idp:AdminListUserAuthEvents cognito-idp:AdminRemoveUserFromGroup cognito-idp:AdminResetUserPassword cognito-idp:AdminRespondToAuthChallenge cognito-idp:AdminSetUserMFAPreference cognito-idp:AdminSetUserPassword cognito-idp:AdminSetUserSettings cognito-idp:AdminUpdateAuthEventFeedback cognito-idp:AdminUpdateDeviceStatus cognito-idp:AdminUpdateUserAttributes cognito-idp:AdminUserGlobalSignOut cognito-idp:AssociateSoftwareToken cognito-idp:ChangePassword cognito-idp:ConfirmDevice cognito-idp:ConfirmForgotPassword cognito-idp:ConfirmSignUp cognito-idp:CreateGroup cognito-idp:CreateIdentityProvider cognito-idp:CreateManagedLoginBranding cognito-idp:CreateResourceServer cognito-idp:CreateTerms cognito-idp:CreateUserImportJob cognito-idp:CreateUserPool cognito-idp:CreateUserPoolClient cognito-idp:CreateUserPoolDomain cognito-idp:DeleteGroup cognito-idp:DeleteIdentityProvider cognito-idp:DeleteManagedLoginBranding cognito-idp:DeleteResourceServer cognito-idp:DeleteTerms cognito-idp:DeleteUser cognito-idp:DeleteUserAttributes cognito-idp:DeleteUserPool cognito-idp:DeleteUserPoolClient cognito-idp:DeleteUserPoolDomain cognito-idp:DescribeIdentityProvider cognito-idp:DescribeManagedLoginBranding cognito-idp:DescribeManagedLoginBrandingByClient cognito-idp:DescribeResourceServer cognito-idp:DescribeRiskConfiguration cognito-idp:DescribeTerms cognito-idp:DescribeUserImportJob cognito-idp:DescribeUserPool cognito-idp:DescribeUserPoolClient cognito-idp:DescribeUserPoolDomain cognito-idp:ForgetDevice cognito-idp:ForgotPassword cognito-idp:GetCSVHeader cognito-idp:GetDevice cognito-idp:GetGroup cognito-idp:GetIdentityProviderByIdentifier cognito-idp:GetLogDeliveryConfiguration cognito-idp:GetSigningCertificate cognito-idp:GetUICustomization cognito-idp:GetUser cognito-idp:GetUserAttributeVerificationCode cognito-idp:GetUserPoolMfaConfig cognito-idp:GlobalSignOut cognito-idp:InitiateAuth cognito-idp:ListDevices cognito-idp:ListGroups cognito-idp:ListIdentityProviders cognito-idp:ListResourceServers cognito-idp:ListTerms cognito-idp:ListUserImportJobs cognito-idp:ListUserPoolClients cognito-idp:ListUserPools cognito-idp:ListUsers cognito-idp:ListUsersInGroup cognito-idp:ResendConfirmationCode cognito-idp:RespondToAuthChallenge cognito-idp:RevokeToken cognito-idp:SetLogDeliveryConfiguration cognito-idp:SetRiskConfiguration cognito-idp:SetUICustomization cognito-idp:SetUserMFAPreference cognito-idp:SetUserPoolMfaConfig cognito-idp:SetUserSettings cognito-idp:SignUp cognito-idp:StartUserImportJob cognito-idp:StopUserImportJob cognito-idp:UpdateAuthEventFeedback cognito-idp:UpdateDeviceStatus cognito-idp:UpdateGroup cognito-idp:UpdateIdentityProvider cognito-idp:UpdateResourceServer cognito-idp:UpdateTerms cognito-idp:UpdateUserAttributes cognito-idp:UpdateUserPool cognito-idp:UpdateUserPoolClient cognito-idp:UpdateUserPoolDomain cognito-idp:VerifySoftwareToken cognito-idp:VerifyUserAttribute  | 
| cognito-sync |  cognito-sync:BulkPublish cognito-sync:DeleteDataset cognito-sync:DescribeDataset cognito-sync:DescribeIdentityPoolUsage cognito-sync:DescribeIdentityUsage cognito-sync:GetBulkPublishDetails cognito-sync:GetCognitoEvents cognito-sync:GetIdentityPoolConfiguration cognito-sync:ListDatasets cognito-sync:ListIdentityPoolUsage cognito-sync:ListRecords cognito-sync:RegisterDevice cognito-sync:SetCognitoEvents cognito-sync:SetIdentityPoolConfiguration cognito-sync:SubscribeToDataset cognito-sync:UnsubscribeFromDataset cognito-sync:UpdateRecords  | 
| comprehendmedical |  comprehendmedical:DescribeEntitiesDetectionV2Job comprehendmedical:DescribeICD10CMInferenceJob comprehendmedical:DescribePHIDetectionJob comprehendmedical:DescribeRxNormInferenceJob comprehendmedical:DescribeSNOMEDCTInferenceJob comprehendmedical:DetectEntitiesV2 comprehendmedical:DetectPHI comprehendmedical:InferICD10CM comprehendmedical:InferRxNorm comprehendmedical:InferSNOMEDCT comprehendmedical:ListEntitiesDetectionV2Jobs comprehendmedical:ListICD10CMInferenceJobs comprehendmedical:ListPHIDetectionJobs comprehendmedical:ListRxNormInferenceJobs comprehendmedical:ListSNOMEDCTInferenceJobs comprehendmedical:StartEntitiesDetectionV2Job comprehendmedical:StartICD10CMInferenceJob comprehendmedical:StartPHIDetectionJob comprehendmedical:StartRxNormInferenceJob comprehendmedical:StartSNOMEDCTInferenceJob comprehendmedical:StopEntitiesDetectionV2Job comprehendmedical:StopICD10CMInferenceJob comprehendmedical:StopPHIDetectionJob comprehendmedical:StopRxNormInferenceJob comprehendmedical:StopSNOMEDCTInferenceJob  | 
| compute-optimizer |  compute-optimizer:DeleteRecommendationPreferences compute-optimizer:DescribeRecommendationExportJobs compute-optimizer:ExportAutoScalingGroupRecommendations compute-optimizer:ExportEBSVolumeRecommendations compute-optimizer:ExportEC2InstanceRecommendations compute-optimizer:ExportECSServiceRecommendations compute-optimizer:ExportIdleRecommendations compute-optimizer:ExportLambdaFunctionRecommendations compute-optimizer:ExportLicenseRecommendations compute-optimizer:ExportRDSDatabaseRecommendations compute-optimizer:GetEC2RecommendationProjectedMetrics compute-optimizer:GetECSServiceRecommendationProjectedMetrics compute-optimizer:GetEffectiveRecommendationPreferences compute-optimizer:GetEnrollmentStatus compute-optimizer:GetEnrollmentStatusesForOrganization compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics compute-optimizer:GetRecommendationPreferences compute-optimizer:GetRecommendationSummaries compute-optimizer:PutRecommendationPreferences compute-optimizer:UpdateEnrollmentStatus  | 
| config |  config:BatchGetResourceConfig config:DeleteAggregationAuthorization config:DeleteConfigRule config:DeleteConfigurationAggregator config:DeleteConfigurationRecorder config:DeleteConformancePack config:DeleteDeliveryChannel config:DeleteEvaluationResults config:DeleteOrganizationConfigRule config:DeleteOrganizationConformancePack config:DeletePendingAggregationRequest config:DeleteRemediationConfiguration config:DeleteRemediationExceptions config:DeleteResourceConfig config:DeleteRetentionConfiguration config:DeleteStoredQuery config:DeliverConfigSnapshot config:DescribeAggregateComplianceByConfigRules config:DescribeAggregateComplianceByConformancePacks config:DescribeAggregationAuthorizations config:DescribeComplianceByConfigRule config:DescribeComplianceByResource config:DescribeConfigRuleEvaluationStatus config:DescribeConfigRules config:DescribeConfigurationAggregatorSourcesStatus config:DescribeConfigurationAggregators config:DescribeConfigurationRecorderStatus config:DescribeConfigurationRecorders config:DescribeConformancePackCompliance config:DescribeConformancePackStatus config:DescribeConformancePacks config:DescribeDeliveryChannelStatus config:DescribeDeliveryChannels config:DescribeOrganizationConfigRuleStatuses config:DescribeOrganizationConfigRules config:DescribeOrganizationConformancePackStatuses config:DescribeOrganizationConformancePacks config:DescribePendingAggregationRequests config:DescribeRemediationConfigurations config:DescribeRemediationExceptions config:DescribeRemediationExecutionStatus config:DescribeRetentionConfigurations config:GetComplianceDetailsByConfigRule config:GetComplianceDetailsByResource config:GetComplianceSummaryByConfigRule config:GetComplianceSummaryByResourceType config:GetConformancePackComplianceDetails config:GetConformancePackComplianceSummary config:GetCustomRulePolicy config:GetDiscoveredResourceCounts config:GetOrganizationConfigRuleDetailedStatus config:GetOrganizationConformancePackDetailedStatus config:GetOrganizationCustomRulePolicy config:GetResourceConfigHistory config:GetResourceEvaluationSummary config:GetStoredQuery config:ListConfigurationRecorders config:ListConformancePackComplianceScores config:ListDiscoveredResources config:ListResourceEvaluations config:ListStoredQueries config:PutConfigRule config:PutConfigurationAggregator config:PutConfigurationRecorder config:PutConformancePack config:PutDeliveryChannel config:PutEvaluations config:PutExternalEvaluation config:PutOrganizationConfigRule config:PutOrganizationConformancePack config:PutRemediationConfigurations config:PutRemediationExceptions config:PutResourceConfig config:PutRetentionConfiguration config:PutStoredQuery config:SelectResourceConfig config:StartConfigRulesEvaluation config:StartConfigurationRecorder config:StartRemediationExecution config:StartResourceEvaluation config:StopConfigurationRecorder  | 
| connect |  connect:ActivateEvaluationForm connect:AssociateAnalyticsDataSet connect:AssociateApprovedOrigin connect:AssociateBot connect:AssociateContactWithUser connect:AssociateDefaultVocabulary connect:AssociateEmailAddressAlias connect:AssociateFlow connect:AssociateInstanceStorageConfig connect:AssociateLambdaFunction connect:AssociateLexBot connect:AssociatePhoneNumberContactFlow connect:AssociateQueueQuickConnects connect:AssociateRoutingProfileQueues connect:AssociateSecurityKey connect:AssociateUserProficiencies connect:BatchAssociateAnalyticsDataSet connect:BatchCreateDataTableValue connect:BatchDeleteDataTableValue connect:BatchDescribeDataTableValue connect:BatchDisassociateAnalyticsDataSet connect:BatchGetFlowAssociation connect:BatchPutContact connect:BatchUpdateDataTableValue connect:ClaimPhoneNumber connect:CreateAgentStatus connect:CreateContact connect:CreateContactFlow connect:CreateContactFlowModule connect:CreateContactFlowModuleAlias connect:CreateContactFlowModuleVersion connect:CreateContactFlowVersion connect:CreateDataTable connect:CreateDataTableAttribute connect:CreateEmailAddress connect:CreateEvaluationForm connect:CreateHoursOfOperation connect:CreateInstance connect:CreateIntegrationAssociation connect:CreateParticipant connect:CreatePersistentContactAssociation connect:CreatePredefinedAttribute connect:CreatePrompt connect:CreatePushNotificationRegistration connect:CreateQueue connect:CreateQuickConnect connect:CreateRoutingProfile connect:CreateRule connect:CreateSecurityProfile connect:CreateTaskTemplate connect:CreateTrafficDistributionGroup connect:CreateUseCase connect:CreateUser connect:CreateUserHierarchyGroup connect:CreateView connect:CreateViewVersion connect:CreateVocabulary connect:CreateWorkspace connect:DeactivateEvaluationForm connect:DeleteContactEvaluation connect:DeleteContactFlow connect:DeleteContactFlowModule connect:DeleteContactFlowModuleAlias connect:DeleteContactFlowModuleVersion connect:DeleteContactFlowVersion connect:DeleteDataTable connect:DeleteDataTableAttribute connect:DeleteEmailAddress connect:DeleteEvaluationForm connect:DeleteHoursOfOperation connect:DeleteHoursOfOperationOverride connect:DeleteInstance connect:DeleteIntegrationAssociation connect:DeletePredefinedAttribute connect:DeletePrompt connect:DeletePushNotificationRegistration connect:DeleteQueue connect:DeleteQuickConnect connect:DeleteRoutingProfile connect:DeleteRule connect:DeleteSecurityProfile connect:DeleteTaskTemplate connect:DeleteTrafficDistributionGroup connect:DeleteUseCase connect:DeleteUser connect:DeleteUserHierarchyGroup connect:DeleteView connect:DeleteVocabulary connect:DeleteWorkspace connect:DeleteWorkspaceMedia connect:DescribeAuthenticationProfile connect:DescribeContactFlowModuleAlias connect:DescribeDataTableAttribute connect:DescribeHoursOfOperationOverride connect:DescribeInstanceAttribute connect:DescribeInstanceStorageConfig connect:DescribePhoneNumber connect:DescribeRule connect:DescribeTrafficDistributionGroup connect:DescribeUserHierarchyStructure connect:DescribeVocabulary connect:DisassociateAnalyticsDataSet connect:DisassociateApprovedOrigin connect:DisassociateBot connect:DisassociateEmailAddressAlias connect:DisassociateFlow connect:DisassociateInstanceStorageConfig connect:DisassociateLambdaFunction connect:DisassociateLexBot connect:DisassociatePhoneNumberContactFlow connect:DisassociateQueueQuickConnects connect:DisassociateRoutingProfileQueues connect:DisassociateSecurityKey connect:DisassociateUserProficiencies connect:DismissUserContact connect:EvaluateDataTableValues connect:GetContactAttributes connect:GetContactMetrics connect:GetCurrentMetricData connect:GetCurrentUserData connect:GetEffectiveHoursOfOperations connect:GetFederationToken connect:GetFlowAssociation connect:GetMetricData connect:GetMetricDataV2 connect:GetPromptFile connect:GetTaskTemplate connect:GetTrafficDistribution connect:ImportPhoneNumber connect:ImportWorkspaceMedia connect:ListAnalyticsDataAssociations connect:ListAnalyticsDataLakeDataSets connect:ListApprovedOrigins connect:ListAssociatedContacts connect:ListAuthenticationProfiles connect:ListBots connect:ListContactEvaluations connect:ListContactFlowModuleAliases connect:ListContactFlowModuleVersions connect:ListContactFlowModules connect:ListContactFlowVersions connect:ListContactFlows connect:ListContactReferences connect:ListDataTableAttributes connect:ListDataTablePrimaryValues connect:ListDataTableValues connect:ListDataTables connect:ListDefaultVocabularies connect:ListEvaluationFormVersions connect:ListEvaluationForms connect:ListFlowAssociations connect:ListHoursOfOperations connect:ListInstanceAttributes connect:ListInstanceStorageConfigs connect:ListIntegrationAssociations connect:ListLambdaFunctions connect:ListLexBots connect:ListPhoneNumbers connect:ListPhoneNumbersV2 connect:ListPredefinedAttributes connect:ListPrompts connect:ListQueueQuickConnects connect:ListQueues connect:ListQuickConnects connect:ListRealtimeContactAnalysisSegmentsV2 connect:ListRoutingProfileManualAssignmentQueues connect:ListRoutingProfileQueues connect:ListRoutingProfiles connect:ListRules connect:ListSecurityKeys connect:ListSecurityProfileApplications connect:ListSecurityProfileFlowModules connect:ListSecurityProfilePermissions connect:ListSecurityProfiles connect:ListTaskTemplates connect:ListTrafficDistributionGroups connect:ListUseCases connect:ListUserHierarchyGroups connect:ListUsers connect:ListViewVersions connect:ListViews connect:ListWorkspaceMedia connect:ListWorkspacePages connect:ListWorkspaces connect:MonitorContact connect:PauseContact connect:PutUserStatus connect:ReleasePhoneNumber connect:ReplicateInstance connect:ResumeContact connect:ResumeContactRecording connect:SearchAgentStatuses connect:SearchAvailablePhoneNumbers connect:SearchContactEvaluations connect:SearchContactFlowModules connect:SearchContactFlows connect:SearchContacts connect:SearchDataTables connect:SearchEmailAddresses connect:SearchEvaluationForms connect:SearchHoursOfOperations connect:SearchPredefinedAttributes connect:SearchPrompts connect:SearchQueues connect:SearchQuickConnects connect:SearchRoutingProfiles connect:SearchSecurityProfiles connect:SearchUserHierarchyGroups connect:SearchViews connect:SearchVocabularies connect:SearchWorkspaceAssociations connect:SearchWorkspaces connect:SendChatIntegrationEvent connect:SendOutboundEmail connect:StartChatContact connect:StartContactEvaluation connect:StartContactMediaProcessing connect:StartContactRecording connect:StartContactStreaming connect:StartEmailContact connect:StartOutboundChatContact connect:StartOutboundEmailContact connect:StartOutboundVoiceContact connect:StartScreenSharing connect:StartTaskContact connect:StartWebRTCContact connect:StopContact connect:StopContactMediaProcessing connect:StopContactRecording connect:StopContactStreaming connect:SubmitContactEvaluation connect:SuspendContactRecording connect:TransferContact connect:UpdateAgentStatus connect:UpdateAuthenticationProfile connect:UpdateContact connect:UpdateContactAttributes connect:UpdateContactEvaluation connect:UpdateContactFlowContent connect:UpdateContactFlowMetadata connect:UpdateContactFlowModuleAlias connect:UpdateContactFlowModuleContent connect:UpdateContactFlowModuleMetadata connect:UpdateContactFlowName connect:UpdateContactRoutingData connect:UpdateContactSchedule connect:UpdateDataTableAttribute connect:UpdateDataTableMetadata connect:UpdateDataTablePrimaryValues connect:UpdateEmailAddressMetadata connect:UpdateEvaluationForm connect:UpdateHoursOfOperation connect:UpdateHoursOfOperationOverride connect:UpdateInstanceAttribute connect:UpdateInstanceStorageConfig connect:UpdateParticipantAuthentication connect:UpdateParticipantRoleConfig connect:UpdatePhoneNumber connect:UpdatePhoneNumberMetadata connect:UpdatePredefinedAttribute connect:UpdatePrompt connect:UpdateQueueHoursOfOperation connect:UpdateQueueMaxContacts connect:UpdateQueueName connect:UpdateQueueOutboundCallerConfig connect:UpdateQueueOutboundEmailConfig connect:UpdateQueueStatus connect:UpdateQuickConnectConfig connect:UpdateQuickConnectName connect:UpdateRoutingProfileAgentAvailabilityTimer connect:UpdateRoutingProfileConcurrency connect:UpdateRoutingProfileDefaultOutboundQueue connect:UpdateRoutingProfileName connect:UpdateRoutingProfileQueues connect:UpdateRule connect:UpdateSecurityProfile connect:UpdateTaskTemplate connect:UpdateTrafficDistribution connect:UpdateUserHierarchy connect:UpdateUserHierarchyGroupName connect:UpdateUserHierarchyStructure connect:UpdateUserIdentityInfo connect:UpdateUserPhoneConfig connect:UpdateUserProficiencies connect:UpdateUserRoutingProfile connect:UpdateUserSecurityProfiles connect:UpdateViewContent connect:UpdateViewMetadata connect:UpdateWorkspaceMetadata connect:UpdateWorkspaceTheme connect:UpdateWorkspaceVisibility  | 
| cur |  cur:DeleteReportDefinition cur:DescribeReportDefinitions cur:ModifyReportDefinition cur:PutReportDefinition  | 
| databrew |  databrew:BatchDeleteRecipeVersion databrew:CreateDataset databrew:CreateProfileJob databrew:CreateProject databrew:CreateRecipe databrew:CreateRecipeJob databrew:CreateRuleset databrew:CreateSchedule databrew:DeleteDataset databrew:DeleteJob databrew:DeleteProject databrew:DeleteRecipeVersion databrew:DeleteRuleset databrew:DeleteSchedule databrew:DescribeDataset databrew:DescribeJob databrew:DescribeJobRun databrew:DescribeProject databrew:DescribeRecipe databrew:DescribeRuleset databrew:DescribeSchedule databrew:ListDatasets databrew:ListJobRuns databrew:ListJobs databrew:ListProjects databrew:ListRecipeVersions databrew:ListRecipes databrew:ListRulesets databrew:ListSchedules databrew:PublishRecipe databrew:SendProjectSessionAction databrew:StartJobRun databrew:StartProjectSession databrew:StopJobRun databrew:UpdateDataset databrew:UpdateProfileJob databrew:UpdateProject databrew:UpdateRecipe databrew:UpdateRecipeJob databrew:UpdateRuleset databrew:UpdateSchedule  | 
| dataexchange |  dataexchange:AcceptDataGrant dataexchange:CancelJob dataexchange:CreateDataGrant dataexchange:CreateDataSet dataexchange:CreateEventAction dataexchange:CreateJob dataexchange:CreateRevision dataexchange:DeleteAsset dataexchange:DeleteDataGrant dataexchange:DeleteEventAction dataexchange:DeleteRevision dataexchange:GetDataGrant dataexchange:GetEventAction dataexchange:GetJob dataexchange:GetReceivedDataGrant dataexchange:ListDataGrants dataexchange:ListDataSetRevisions dataexchange:ListDataSets dataexchange:ListEventActions dataexchange:ListJobs dataexchange:ListReceivedDataGrants dataexchange:ListRevisionAssets dataexchange:RevokeRevision dataexchange:SendDataSetNotification dataexchange:StartJob dataexchange:UpdateAsset dataexchange:UpdateDataSet dataexchange:UpdateEventAction dataexchange:UpdateRevision  | 
| datapipeline |  datapipeline:ActivatePipeline datapipeline:CreatePipeline datapipeline:DeactivatePipeline datapipeline:DeletePipeline datapipeline:DescribeObjects datapipeline:DescribePipelines datapipeline:EvaluateExpression datapipeline:GetPipelineDefinition datapipeline:ListPipelines datapipeline:PollForTask datapipeline:PutPipelineDefinition datapipeline:QueryObjects datapipeline:ReportTaskProgress datapipeline:ReportTaskRunnerHeartbeat datapipeline:SetStatus datapipeline:SetTaskStatus datapipeline:ValidatePipelineDefinition  | 
| dax |  dax:CreateCluster dax:DecreaseReplicationFactor dax:DeleteCluster dax:DeleteParameterGroup dax:DeleteSubnetGroup dax:DescribeClusters dax:DescribeDefaultParameters dax:DescribeEvents dax:DescribeParameterGroups dax:DescribeParameters dax:DescribeSubnetGroups dax:IncreaseReplicationFactor dax:RebootNode dax:UpdateCluster dax:UpdateParameterGroup dax:UpdateSubnetGroup  | 
| devicefarm |  devicefarm:CreateDevicePool devicefarm:CreateInstanceProfile devicefarm:CreateNetworkProfile devicefarm:CreateProject devicefarm:CreateRemoteAccessSession devicefarm:CreateTestGridProject devicefarm:CreateTestGridUrl devicefarm:CreateUpload devicefarm:CreateVPCEConfiguration devicefarm:DeleteDevicePool devicefarm:DeleteInstanceProfile devicefarm:DeleteNetworkProfile devicefarm:DeleteProject devicefarm:DeleteRemoteAccessSession devicefarm:DeleteRun devicefarm:DeleteTestGridProject devicefarm:DeleteUpload devicefarm:DeleteVPCEConfiguration devicefarm:GetAccountSettings devicefarm:GetDevice devicefarm:GetDeviceInstance devicefarm:GetDevicePool devicefarm:GetDevicePoolCompatibility devicefarm:GetInstanceProfile devicefarm:GetJob devicefarm:GetNetworkProfile devicefarm:GetOfferingStatus devicefarm:GetProject devicefarm:GetRemoteAccessSession devicefarm:GetRun devicefarm:GetSuite devicefarm:GetTest devicefarm:GetTestGridProject devicefarm:GetTestGridSession devicefarm:GetUpload devicefarm:GetVPCEConfiguration devicefarm:ListArtifacts devicefarm:ListDeviceInstances devicefarm:ListDevicePools devicefarm:ListDevices devicefarm:ListInstanceProfiles devicefarm:ListJobs devicefarm:ListNetworkProfiles devicefarm:ListOfferingPromotions devicefarm:ListOfferingTransactions devicefarm:ListOfferings devicefarm:ListProjects devicefarm:ListRemoteAccessSessions devicefarm:ListRuns devicefarm:ListSamples devicefarm:ListSuites devicefarm:ListTestGridProjects devicefarm:ListTestGridSessionActions devicefarm:ListTestGridSessionArtifacts devicefarm:ListTestGridSessions devicefarm:ListTests devicefarm:ListUniqueProblems devicefarm:ListUploads devicefarm:ListVPCEConfigurations devicefarm:PurchaseOffering devicefarm:RenewOffering devicefarm:ScheduleRun devicefarm:StopJob devicefarm:StopRemoteAccessSession devicefarm:StopRun devicefarm:UpdateDeviceInstance devicefarm:UpdateDevicePool devicefarm:UpdateInstanceProfile devicefarm:UpdateNetworkProfile devicefarm:UpdateProject devicefarm:UpdateTestGridProject devicefarm:UpdateUpload devicefarm:UpdateVPCEConfiguration  | 
| devops-guru |  devops-guru:AddNotificationChannel devops-guru:DeleteInsight devops-guru:DescribeAccountHealth devops-guru:DescribeAccountOverview devops-guru:DescribeAnomaly devops-guru:DescribeEventSourcesConfig devops-guru:DescribeFeedback devops-guru:DescribeInsight devops-guru:DescribeOrganizationHealth devops-guru:DescribeOrganizationOverview devops-guru:DescribeOrganizationResourceCollectionHealth devops-guru:DescribeResourceCollectionHealth devops-guru:DescribeServiceIntegration devops-guru:GetCostEstimation devops-guru:GetResourceCollection devops-guru:ListAnomaliesForInsight devops-guru:ListAnomalousLogGroups devops-guru:ListEvents devops-guru:ListInsights devops-guru:ListMonitoredResources devops-guru:ListNotificationChannels devops-guru:ListOrganizationInsights devops-guru:ListRecommendations devops-guru:PutFeedback devops-guru:RemoveNotificationChannel devops-guru:SearchInsights devops-guru:SearchOrganizationInsights devops-guru:StartCostEstimation devops-guru:UpdateEventSourcesConfig devops-guru:UpdateResourceCollection devops-guru:UpdateServiceIntegration  | 
| directconnect |  directconnect:AcceptDirectConnectGatewayAssociationProposal directconnect:AllocateConnectionOnInterconnect directconnect:AllocateHostedConnection directconnect:AllocatePrivateVirtualInterface directconnect:AllocatePublicVirtualInterface directconnect:AllocateTransitVirtualInterface directconnect:AssociateConnectionWithLag directconnect:AssociateHostedConnection directconnect:AssociateMacSecKey directconnect:AssociateVirtualInterface directconnect:ConfirmConnection directconnect:ConfirmCustomerAgreement directconnect:ConfirmPrivateVirtualInterface directconnect:ConfirmPublicVirtualInterface directconnect:ConfirmTransitVirtualInterface directconnect:CreateBGPPeer directconnect:CreateConnection directconnect:CreateDirectConnectGateway directconnect:CreateDirectConnectGatewayAssociation directconnect:CreateDirectConnectGatewayAssociationProposal directconnect:CreateInterconnect directconnect:CreateLag directconnect:CreatePrivateVirtualInterface directconnect:CreatePublicVirtualInterface directconnect:CreateTransitVirtualInterface directconnect:DeleteBGPPeer directconnect:DeleteConnection directconnect:DeleteDirectConnectGateway directconnect:DeleteDirectConnectGatewayAssociation directconnect:DeleteDirectConnectGatewayAssociationProposal directconnect:DeleteInterconnect directconnect:DeleteLag directconnect:DeleteVirtualInterface directconnect:DescribeConnectionLoa directconnect:DescribeConnections directconnect:DescribeConnectionsOnInterconnect directconnect:DescribeCustomerMetadata directconnect:DescribeDirectConnectGatewayAssociationProposals directconnect:DescribeDirectConnectGatewayAssociations directconnect:DescribeDirectConnectGatewayAttachments directconnect:DescribeDirectConnectGateways directconnect:DescribeHostedConnections directconnect:DescribeInterconnectLoa directconnect:DescribeInterconnects directconnect:DescribeLags directconnect:DescribeLoa directconnect:DescribeLocations directconnect:DescribeRouterConfiguration directconnect:DescribeVirtualGateways directconnect:DescribeVirtualInterfaces directconnect:DisassociateConnectionFromLag directconnect:DisassociateMacSecKey directconnect:ListVirtualInterfaceTestHistory directconnect:StartBgpFailoverTest directconnect:StopBgpFailoverTest directconnect:UpdateConnection directconnect:UpdateDirectConnectGateway directconnect:UpdateDirectConnectGatewayAssociation directconnect:UpdateLag directconnect:UpdateVirtualInterfaceAttributes  | 
| dlm |  dlm:CreateLifecyclePolicy dlm:DeleteLifecyclePolicy dlm:GetLifecyclePolicies dlm:GetLifecyclePolicy dlm:UpdateLifecyclePolicy  | 
| dms |  dms:ApplyPendingMaintenanceAction dms:AssociateExtensionPack dms:BatchStartRecommendations dms:CancelMetadataModelCreation dms:CancelReplicationTaskAssessmentRun dms:CreateDataProvider dms:CreateEndpoint dms:CreateEventSubscription dms:CreateInstanceProfile dms:CreateMigrationProject dms:CreateReplicationConfig dms:CreateReplicationInstance dms:CreateReplicationSubnetGroup dms:CreateReplicationTask dms:DeleteCertificate dms:DeleteConnection dms:DeleteDataMigration dms:DeleteDataProvider dms:DeleteEndpoint dms:DeleteEventSubscription dms:DeleteFleetAdvisorCollector dms:DeleteFleetAdvisorDatabases dms:DeleteInstanceProfile dms:DeleteMigrationProject dms:DeleteReplicationConfig dms:DeleteReplicationInstance dms:DeleteReplicationSubnetGroup dms:DeleteReplicationTask dms:DeleteReplicationTaskAssessmentRun dms:DescribeAccountAttributes dms:DescribeApplicableIndividualAssessments dms:DescribeCertificates dms:DescribeConnections dms:DescribeDataMigrations dms:DescribeEndpointSettings dms:DescribeEndpointTypes dms:DescribeEndpoints dms:DescribeEngineVersions dms:DescribeEventCategories dms:DescribeEventSubscriptions dms:DescribeEvents dms:DescribeFleetAdvisorCollectors dms:DescribeFleetAdvisorDatabases dms:DescribeFleetAdvisorLsaAnalysis dms:DescribeFleetAdvisorSchemaObjectSummary dms:DescribeFleetAdvisorSchemas dms:DescribeMetadataModel dms:DescribeMetadataModelChildren dms:DescribeMetadataModelCreations dms:DescribeMetadataModelImports dms:DescribeOrderableReplicationInstances dms:DescribePendingMaintenanceActions dms:DescribeRecommendationLimitations dms:DescribeRecommendations dms:DescribeRefreshSchemasStatus dms:DescribeReplicationConfigs dms:DescribeReplicationInstanceTaskLogs dms:DescribeReplicationInstances dms:DescribeReplicationSubnetGroups dms:DescribeReplicationTableStatistics dms:DescribeReplicationTaskAssessmentResults dms:DescribeReplicationTaskAssessmentRuns dms:DescribeReplicationTaskIndividualAssessments dms:DescribeReplicationTasks dms:DescribeReplications dms:DescribeSchemas dms:DescribeTableStatistics dms:ExportMetadataModelAssessment dms:ImportCertificate dms:ListDataProviders dms:ListExtensionPacks dms:ListInstanceProfiles dms:ListMetadataModelAssessments dms:ListMetadataModelConversions dms:ListMetadataModelExports dms:ListMigrationProjects dms:ModifyDataMigration dms:ModifyEndpoint dms:ModifyEventSubscription dms:ModifyReplicationConfig dms:ModifyReplicationInstance dms:ModifyReplicationSubnetGroup dms:ModifyReplicationTask dms:MoveReplicationTask dms:RebootReplicationInstance dms:RefreshSchemas dms:ReloadReplicationTables dms:ReloadTables dms:RunFleetAdvisorLsaAnalysis dms:StartMetadataModelAssessment dms:StartMetadataModelConversion dms:StartMetadataModelCreation dms:StartMetadataModelExportAsScripts dms:StartMetadataModelExportToTarget dms:StartRecommendations dms:StartReplication dms:StartReplicationTask dms:StartReplicationTaskAssessment dms:StopDataMigration dms:StopReplicationTask dms:TestConnection dms:UpdateConversionConfiguration dms:UpdateDataProvider dms:UpdateInstanceProfile dms:UpdateMigrationProject dms:UpdateSubscriptionsToEventBridge  | 
| docdb-elastic |  docdb-elastic:ApplyPendingMaintenanceAction docdb-elastic:CopyClusterSnapshot docdb-elastic:DeleteCluster docdb-elastic:DeleteClusterSnapshot docdb-elastic:GetCluster docdb-elastic:GetClusterSnapshot docdb-elastic:GetPendingMaintenanceAction docdb-elastic:ListClusterSnapshots docdb-elastic:ListClusters docdb-elastic:ListPendingMaintenanceActions docdb-elastic:RestoreClusterFromSnapshot docdb-elastic:StartCluster docdb-elastic:StopCluster docdb-elastic:UpdateCluster  | 
| dynamodb |  dynamodb:AssociateTableReplica dynamodb:CreateBackup dynamodb:CreateGlobalTable dynamodb:CreateTable dynamodb:DeleteBackup dynamodb:DeleteTable dynamodb:DescribeBackup dynamodb:DescribeContinuousBackups dynamodb:DescribeContributorInsights dynamodb:DescribeEndpoints dynamodb:DescribeExport dynamodb:DescribeGlobalTable dynamodb:DescribeGlobalTableSettings dynamodb:DescribeImport dynamodb:DescribeKinesisStreamingDestination dynamodb:DescribeLimits dynamodb:DescribeStream dynamodb:DescribeTable dynamodb:DescribeTableReplicaAutoScaling dynamodb:DescribeTimeToLive dynamodb:DisableKinesisStreamingDestination dynamodb:EnableKinesisStreamingDestination dynamodb:ExportTableToPointInTime dynamodb:GetResourcePolicy dynamodb:ImportTable dynamodb:ListBackups dynamodb:ListContributorInsights dynamodb:ListExports dynamodb:ListGlobalTables dynamodb:ListImports dynamodb:ListStreams dynamodb:ListTables dynamodb:ReadDataForReplication dynamodb:ReplicateSettings dynamodb:RestoreTableFromBackup dynamodb:RestoreTableToPointInTime dynamodb:UpdateContinuousBackups dynamodb:UpdateContributorInsights dynamodb:UpdateGlobalTable dynamodb:UpdateGlobalTableSettings dynamodb:UpdateKinesisStreamingDestination dynamodb:UpdateTable dynamodb:UpdateTableReplicaAutoScaling dynamodb:UpdateTimeToLive dynamodb:WriteDataForReplication  | 
| ebs |  ebs:CompleteSnapshot ebs:StartSnapshot  | 
| ec2 |  ec2:AcceptAddressTransfer ec2:AcceptCapacityReservationBillingOwnership ec2:AcceptReservedInstancesExchangeQuote ec2:AcceptTransitGatewayMulticastDomainAssociations ec2:AcceptTransitGatewayPeeringAttachment ec2:AcceptTransitGatewayVpcAttachment ec2:AcceptVpcEndpointConnections ec2:AcceptVpcPeeringConnection ec2:AdvertiseByoipCidr ec2:AllocateAddress ec2:AllocateHosts ec2:AllocateIpamPoolCidr ec2:ApplySecurityGroupsToClientVpnTargetNetwork ec2:AssignIpv6Addresses ec2:AssignPrivateIpAddresses ec2:AssignPrivateNatGatewayAddress ec2:AssociateAddress ec2:AssociateCapacityReservationBillingOwner ec2:AssociateClientVpnTargetNetwork ec2:AssociateDhcpOptions ec2:AssociateEnclaveCertificateIamRole ec2:AssociateIamInstanceProfile ec2:AssociateInstanceEventWindow ec2:AssociateIpamByoasn ec2:AssociateIpamResourceDiscovery ec2:AssociateNatGatewayAddress ec2:AssociateRouteServer ec2:AssociateRouteTable ec2:AssociateSecurityGroupVpc ec2:AssociateSubnetCidrBlock ec2:AssociateTransitGatewayMulticastDomain ec2:AssociateTransitGatewayPolicyTable ec2:AssociateTransitGatewayRouteTable ec2:AssociateTrunkInterface ec2:AssociateVpcCidrBlock ec2:AttachClassicLinkVpc ec2:AttachInternetGateway ec2:AttachNetworkInterface ec2:AttachVerifiedAccessTrustProvider ec2:AttachVolume ec2:AttachVpnGateway ec2:AuthorizeClientVpnIngress ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:BundleInstance ec2:CancelBundleTask ec2:CancelCapacityReservation ec2:CancelCapacityReservationFleets ec2:CancelConversionTask ec2:CancelDeclarativePoliciesReport ec2:CancelExportTask ec2:CancelImageLaunchPermission ec2:CancelImportTask ec2:CancelReservedInstancesListing ec2:CancelSpotFleetRequests ec2:CancelSpotInstanceRequests ec2:ConfirmProductInstance ec2:CopyFpgaImage ec2:CopyImage ec2:CopySnapshot ec2:CopyVolumes ec2:CreateCapacityManagerDataExport ec2:CreateCapacityReservation ec2:CreateCapacityReservationBySplitting ec2:CreateCapacityReservationFleet ec2:CreateCarrierGateway ec2:CreateClientVpnEndpoint ec2:CreateClientVpnRoute ec2:CreateCoipCidr ec2:CreateCoipPool ec2:CreateCustomerGateway ec2:CreateDefaultSubnet ec2:CreateDefaultVpc ec2:CreateDelegateMacVolumeOwnershipTask ec2:CreateDhcpOptions ec2:CreateEgressOnlyInternetGateway ec2:CreateFleet ec2:CreateFlowLogs ec2:CreateFpgaImage ec2:CreateImage ec2:CreateImageUsageReport ec2:CreateInstanceConnectEndpoint ec2:CreateInstanceEventWindow ec2:CreateInstanceExportTask ec2:CreateInternetGateway ec2:CreateInterruptibleCapacityReservationAllocation ec2:CreateIpam ec2:CreateIpamExternalResourceVerificationToken ec2:CreateIpamPolicy ec2:CreateIpamPool ec2:CreateIpamPrefixListResolver ec2:CreateIpamPrefixListResolverTarget ec2:CreateIpamResourceDiscovery ec2:CreateIpamScope ec2:CreateKeyPair ec2:CreateLaunchTemplateVersion ec2:CreateLocalGatewayRoute ec2:CreateLocalGatewayRouteTable ec2:CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation ec2:CreateLocalGatewayRouteTableVpcAssociation ec2:CreateLocalGatewayVirtualInterface ec2:CreateLocalGatewayVirtualInterfaceGroup ec2:CreateMacSystemIntegrityProtectionModificationTask ec2:CreateManagedPrefixList ec2:CreateNatGateway ec2:CreateNetworkAcl ec2:CreateNetworkAclEntry ec2:CreateNetworkInsightsAccessScope ec2:CreateNetworkInsightsPath ec2:CreateNetworkInterface ec2:CreateNetworkInterfacePermission ec2:CreatePlacementGroup ec2:CreatePublicIpv4Pool ec2:CreateReplaceRootVolumeTask ec2:CreateReservedInstancesListing ec2:CreateRestoreImageTask ec2:CreateRoute ec2:CreateRouteServer ec2:CreateRouteServerEndpoint ec2:CreateRouteServerPeer ec2:CreateRouteTable ec2:CreateSecurityGroup ec2:CreateSnapshots ec2:CreateSpotDatafeedSubscription ec2:CreateStoreImageTask ec2:CreateSubnet ec2:CreateSubnetCidrReservation ec2:CreateTrafficMirrorFilter ec2:CreateTrafficMirrorFilterRule ec2:CreateTrafficMirrorSession ec2:CreateTrafficMirrorTarget ec2:CreateTransitGateway ec2:CreateTransitGatewayConnect ec2:CreateTransitGatewayConnectPeer ec2:CreateTransitGatewayMeteringPolicy ec2:CreateTransitGatewayMeteringPolicyEntry ec2:CreateTransitGatewayMulticastDomain ec2:CreateTransitGatewayPeeringAttachment ec2:CreateTransitGatewayPolicyTable ec2:CreateTransitGatewayPrefixListReference ec2:CreateTransitGatewayRoute ec2:CreateTransitGatewayRouteTable ec2:CreateTransitGatewayRouteTableAnnouncement ec2:CreateTransitGatewayVpcAttachment ec2:CreateVerifiedAccessEndpoint ec2:CreateVerifiedAccessGroup ec2:CreateVerifiedAccessInstance ec2:CreateVerifiedAccessTrustProvider ec2:CreateVolume ec2:CreateVpc ec2:CreateVpcBlockPublicAccessExclusion ec2:CreateVpcEncryptionControl ec2:CreateVpcEndpoint ec2:CreateVpcEndpointConnectionNotification ec2:CreateVpcEndpointServiceConfiguration ec2:CreateVpcPeeringConnection ec2:CreateVpnConcentrator ec2:CreateVpnConnection ec2:CreateVpnConnectionRoute ec2:CreateVpnGateway ec2:DeleteCapacityManagerDataExport ec2:DeleteCarrierGateway ec2:DeleteClientVpnEndpoint ec2:DeleteClientVpnRoute ec2:DeleteCoipCidr ec2:DeleteCoipPool ec2:DeleteCustomerGateway ec2:DeleteDhcpOptions ec2:DeleteEgressOnlyInternetGateway ec2:DeleteFleets ec2:DeleteFlowLogs ec2:DeleteFpgaImage ec2:DeleteImageUsageReport ec2:DeleteInstanceConnectEndpoint ec2:DeleteInstanceEventWindow ec2:DeleteInternetGateway ec2:DeleteIpam ec2:DeleteIpamExternalResourceVerificationToken ec2:DeleteIpamPolicy ec2:DeleteIpamPool ec2:DeleteIpamPrefixListResolver ec2:DeleteIpamPrefixListResolverTarget ec2:DeleteIpamResourceDiscovery ec2:DeleteIpamScope ec2:DeleteKeyPair ec2:DeleteLaunchTemplate ec2:DeleteLaunchTemplateVersions ec2:DeleteLocalGatewayRoute ec2:DeleteLocalGatewayRouteTable ec2:DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation ec2:DeleteLocalGatewayRouteTableVpcAssociation ec2:DeleteLocalGatewayVirtualInterface ec2:DeleteLocalGatewayVirtualInterfaceGroup ec2:DeleteManagedPrefixList ec2:DeleteNatGateway ec2:DeleteNetworkAcl ec2:DeleteNetworkAclEntry ec2:DeleteNetworkInsightsAccessScope ec2:DeleteNetworkInsightsAccessScopeAnalysis ec2:DeleteNetworkInsightsAnalysis ec2:DeleteNetworkInsightsPath ec2:DeleteNetworkInterface ec2:DeleteNetworkInterfacePermission ec2:DeletePlacementGroup ec2:DeletePublicIpv4Pool ec2:DeleteQueuedReservedInstances ec2:DeleteRoute ec2:DeleteRouteServer ec2:DeleteRouteServerEndpoint ec2:DeleteRouteServerPeer ec2:DeleteRouteTable ec2:DeleteSecurityGroup ec2:DeleteSpotDatafeedSubscription ec2:DeleteSubnet ec2:DeleteSubnetCidrReservation ec2:DeleteTrafficMirrorFilter ec2:DeleteTrafficMirrorFilterRule ec2:DeleteTrafficMirrorSession ec2:DeleteTrafficMirrorTarget ec2:DeleteTransitGateway ec2:DeleteTransitGatewayConnect ec2:DeleteTransitGatewayConnectPeer ec2:DeleteTransitGatewayMeteringPolicy ec2:DeleteTransitGatewayMeteringPolicyEntry ec2:DeleteTransitGatewayMulticastDomain ec2:DeleteTransitGatewayPeeringAttachment ec2:DeleteTransitGatewayPolicyTable ec2:DeleteTransitGatewayPrefixListReference ec2:DeleteTransitGatewayRoute ec2:DeleteTransitGatewayRouteTable ec2:DeleteTransitGatewayRouteTableAnnouncement ec2:DeleteTransitGatewayVpcAttachment ec2:DeleteVerifiedAccessEndpoint ec2:DeleteVerifiedAccessGroup ec2:DeleteVerifiedAccessInstance ec2:DeleteVerifiedAccessTrustProvider ec2:DeleteVolume ec2:DeleteVpc ec2:DeleteVpcBlockPublicAccessExclusion ec2:DeleteVpcEncryptionControl ec2:DeleteVpcEndpointConnectionNotifications ec2:DeleteVpcEndpointServiceConfigurations ec2:DeleteVpcEndpoints ec2:DeleteVpcPeeringConnection ec2:DeleteVpnConcentrator ec2:DeleteVpnConnection ec2:DeleteVpnConnectionRoute ec2:DeleteVpnGateway ec2:DeprovisionByoipCidr ec2:DeprovisionIpamByoasn ec2:DeprovisionIpamPoolCidr ec2:DeprovisionPublicIpv4PoolCidr ec2:DeregisterImage ec2:DeregisterInstanceEventNotificationAttributes ec2:DeregisterTransitGatewayMulticastGroupMembers ec2:DeregisterTransitGatewayMulticastGroupSources ec2:DescribeAccountAttributes ec2:DescribeAddressTransfers ec2:DescribeAddresses ec2:DescribeAddressesAttribute ec2:DescribeAggregateIdFormat ec2:DescribeAvailabilityZones ec2:DescribeAwsNetworkPerformanceMetricSubscriptions ec2:DescribeBundleTasks ec2:DescribeByoipCidrs ec2:DescribeCapacityBlockExtensionHistory ec2:DescribeCapacityBlockExtensionOfferings ec2:DescribeCapacityBlockStatus ec2:DescribeCapacityBlocks ec2:DescribeCapacityManagerDataExports ec2:DescribeCapacityReservationBillingRequests ec2:DescribeCapacityReservationFleets ec2:DescribeCapacityReservationTopology ec2:DescribeCapacityReservations ec2:DescribeCarrierGateways ec2:DescribeClassicLinkInstances ec2:DescribeClientVpnAuthorizationRules ec2:DescribeClientVpnConnections ec2:DescribeClientVpnEndpoints ec2:DescribeClientVpnRoutes ec2:DescribeClientVpnTargetNetworks ec2:DescribeCoipPools ec2:DescribeConversionTasks ec2:DescribeCustomerGateways ec2:DescribeDeclarativePoliciesReports ec2:DescribeDhcpOptions ec2:DescribeEgressOnlyInternetGateways ec2:DescribeElasticGpus ec2:DescribeExportImageTasks ec2:DescribeExportTasks ec2:DescribeFastLaunchImages ec2:DescribeFastSnapshotRestores ec2:DescribeFleetHistory ec2:DescribeFleetInstances ec2:DescribeFleets ec2:DescribeFlowLogs ec2:DescribeFpgaImageAttribute ec2:DescribeFpgaImages ec2:DescribeHostReservationOfferings ec2:DescribeHostReservations ec2:DescribeHosts ec2:DescribeIamInstanceProfileAssociations ec2:DescribeIdFormat ec2:DescribeIdentityIdFormat ec2:DescribeImageAttribute ec2:DescribeImageReferences ec2:DescribeImageUsageReportEntries ec2:DescribeImageUsageReports ec2:DescribeImportImageTasks ec2:DescribeImportSnapshotTasks ec2:DescribeInstanceConnectEndpoints ec2:DescribeInstanceCreditSpecifications ec2:DescribeInstanceEventNotificationAttributes ec2:DescribeInstanceEventWindows ec2:DescribeInstanceImageMetadata ec2:DescribeInstanceSqlHaHistoryStates ec2:DescribeInstanceSqlHaStates ec2:DescribeInstanceTopology ec2:DescribeInstanceTypes ec2:DescribeInternetGateways ec2:DescribeIpamByoasn ec2:DescribeIpamExternalResourceVerificationTokens ec2:DescribeIpamPolicies ec2:DescribeIpamPools ec2:DescribeIpamPrefixListResolverTargets ec2:DescribeIpamPrefixListResolvers ec2:DescribeIpamResourceDiscoveries ec2:DescribeIpamResourceDiscoveryAssociations ec2:DescribeIpamScopes ec2:DescribeIpams ec2:DescribeIpv6Pools ec2:DescribeKeyPairs ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations ec2:DescribeLocalGatewayRouteTableVpcAssociations ec2:DescribeLocalGatewayRouteTables ec2:DescribeLocalGatewayVirtualInterfaceGroups ec2:DescribeLocalGatewayVirtualInterfaces ec2:DescribeLocalGateways ec2:DescribeLockedSnapshots ec2:DescribeMacHosts ec2:DescribeMacModificationTasks ec2:DescribeManagedPrefixLists ec2:DescribeMovingAddresses ec2:DescribeNatGateways ec2:DescribeNetworkAcls ec2:DescribeNetworkInsightsAccessScopeAnalyses ec2:DescribeNetworkInsightsAccessScopes ec2:DescribeNetworkInsightsAnalyses ec2:DescribeNetworkInsightsPaths ec2:DescribeNetworkInterfaceAttribute ec2:DescribeNetworkInterfacePermissions ec2:DescribeNetworkInterfaces ec2:DescribeOutpostLags ec2:DescribePlacementGroups ec2:DescribePrefixLists ec2:DescribePrincipalIdFormat ec2:DescribePublicIpv4Pools ec2:DescribeRegions ec2:DescribeReplaceRootVolumeTasks ec2:DescribeReservedInstances ec2:DescribeReservedInstancesListings ec2:DescribeReservedInstancesModifications ec2:DescribeReservedInstancesOfferings ec2:DescribeRouteServerEndpoints ec2:DescribeRouteServerPeers ec2:DescribeRouteServers ec2:DescribeRouteTables ec2:DescribeScheduledInstanceAvailability ec2:DescribeScheduledInstances ec2:DescribeSecurityGroupReferences ec2:DescribeSecurityGroupRules ec2:DescribeSecurityGroupVpcAssociations ec2:DescribeSecurityGroups ec2:DescribeServiceLinkVirtualInterfaces ec2:DescribeSnapshotAttribute ec2:DescribeSnapshotTierStatus ec2:DescribeSpotDatafeedSubscription ec2:DescribeSpotFleetInstances ec2:DescribeSpotFleetRequestHistory ec2:DescribeSpotFleetRequests ec2:DescribeSpotInstanceRequests ec2:DescribeSpotPriceHistory ec2:DescribeStaleSecurityGroups ec2:DescribeStoreImageTasks ec2:DescribeTrafficMirrorFilterRules ec2:DescribeTrafficMirrorFilters ec2:DescribeTrafficMirrorSessions ec2:DescribeTrafficMirrorTargets ec2:DescribeTransitGatewayAttachments ec2:DescribeTransitGatewayConnectPeers ec2:DescribeTransitGatewayConnects ec2:DescribeTransitGatewayMeteringPolicies ec2:DescribeTransitGatewayMulticastDomains ec2:DescribeTransitGatewayPeeringAttachments ec2:DescribeTransitGatewayPolicyTables ec2:DescribeTransitGatewayRouteTableAnnouncements ec2:DescribeTransitGatewayRouteTables ec2:DescribeTransitGatewayVpcAttachments ec2:DescribeTransitGateways ec2:DescribeTrunkInterfaceAssociations ec2:DescribeVerifiedAccessEndpoints ec2:DescribeVerifiedAccessGroups ec2:DescribeVerifiedAccessInstanceLoggingConfigurations ec2:DescribeVerifiedAccessInstances ec2:DescribeVerifiedAccessTrustProviders ec2:DescribeVolumeAttribute ec2:DescribeVolumeStatus ec2:DescribeVolumes ec2:DescribeVolumesModifications ec2:DescribeVpcAttribute ec2:DescribeVpcBlockPublicAccessExclusions ec2:DescribeVpcBlockPublicAccessOptions ec2:DescribeVpcClassicLink ec2:DescribeVpcClassicLinkDnsSupport ec2:DescribeVpcEncryptionControls ec2:DescribeVpcEndpointAssociations ec2:DescribeVpcEndpointConnectionNotifications ec2:DescribeVpcEndpointConnections ec2:DescribeVpcEndpointServiceConfigurations ec2:DescribeVpcEndpointServicePermissions ec2:DescribeVpcEndpointServices ec2:DescribeVpcEndpoints ec2:DescribeVpcPeeringConnections ec2:DescribeVpcs ec2:DescribeVpnConcentrators ec2:DescribeVpnConnections ec2:DescribeVpnGateways ec2:DetachClassicLinkVpc ec2:DetachInternetGateway ec2:DetachNetworkInterface ec2:DetachVerifiedAccessTrustProvider ec2:DetachVolume ec2:DetachVpnGateway ec2:DisableAddressTransfer ec2:DisableAllowedImagesSettings ec2:DisableAwsNetworkPerformanceMetricSubscription ec2:DisableCapacityManager ec2:DisableEbsEncryptionByDefault ec2:DisableFastLaunch ec2:DisableFastSnapshotRestores ec2:DisableImage ec2:DisableImageBlockPublicAccess ec2:DisableImageDeprecation ec2:DisableImageDeregistrationProtection ec2:DisableInstanceSqlHaStandbyDetections ec2:DisableIpamOrganizationAdminAccount ec2:DisableIpamPolicy ec2:DisableRouteServerPropagation ec2:DisableSerialConsoleAccess ec2:DisableSnapshotBlockPublicAccess ec2:DisableTransitGatewayRouteTablePropagation ec2:DisableVgwRoutePropagation ec2:DisableVpcClassicLink ec2:DisableVpcClassicLinkDnsSupport ec2:DisassociateAddress ec2:DisassociateCapacityReservationBillingOwner ec2:DisassociateClientVpnTargetNetwork ec2:DisassociateEnclaveCertificateIamRole ec2:DisassociateIamInstanceProfile ec2:DisassociateInstanceEventWindow ec2:DisassociateIpamByoasn ec2:DisassociateIpamResourceDiscovery ec2:DisassociateNatGatewayAddress ec2:DisassociateRouteServer ec2:DisassociateRouteTable ec2:DisassociateSecurityGroupVpc ec2:DisassociateSubnetCidrBlock ec2:DisassociateTransitGatewayMulticastDomain ec2:DisassociateTransitGatewayPolicyTable ec2:DisassociateTransitGatewayRouteTable ec2:DisassociateTrunkInterface ec2:DisassociateVpcCidrBlock ec2:EnableAddressTransfer ec2:EnableAllowedImagesSettings ec2:EnableAwsNetworkPerformanceMetricSubscription ec2:EnableCapacityManager ec2:EnableEbsEncryptionByDefault ec2:EnableFastLaunch ec2:EnableFastSnapshotRestores ec2:EnableImage ec2:EnableImageBlockPublicAccess ec2:EnableImageDeprecation ec2:EnableImageDeregistrationProtection ec2:EnableInstanceSqlHaStandbyDetections ec2:EnableIpamOrganizationAdminAccount ec2:EnableIpamPolicy ec2:EnableReachabilityAnalyzerOrganizationSharing ec2:EnableRouteServerPropagation ec2:EnableSerialConsoleAccess ec2:EnableSnapshotBlockPublicAccess ec2:EnableTransitGatewayRouteTablePropagation ec2:EnableVgwRoutePropagation ec2:EnableVolumeIO ec2:EnableVpcClassicLink ec2:EnableVpcClassicLinkDnsSupport ec2:ExportClientVpnClientCertificateRevocationList ec2:ExportClientVpnClientConfiguration ec2:ExportImage ec2:ExportTransitGatewayRoutes ec2:ExportVerifiedAccessInstanceClientConfiguration ec2:GetActiveVpnTunnelStatus ec2:GetAllowedImagesSettings ec2:GetAssociatedEnclaveCertificateIamRoles ec2:GetAssociatedIpv6PoolCidrs ec2:GetAwsNetworkPerformanceData ec2:GetCapacityManagerAttributes ec2:GetCapacityManagerMetricData ec2:GetCapacityManagerMetricDimensions ec2:GetCapacityReservationUsage ec2:GetCoipPoolUsage ec2:GetConsoleOutput ec2:GetConsoleScreenshot ec2:GetDeclarativePoliciesReportSummary ec2:GetDefaultCreditSpecification ec2:GetEbsDefaultKmsKeyId ec2:GetEbsEncryptionByDefault ec2:GetEnabledIpamPolicy ec2:GetFlowLogsIntegrationTemplate ec2:GetGroupsForCapacityReservation ec2:GetHostReservationPurchasePreview ec2:GetImageAncestry ec2:GetImageBlockPublicAccessState ec2:GetInstanceMetadataDefaults ec2:GetInstanceTpmEkPub ec2:GetInstanceTypesFromInstanceRequirements ec2:GetInstanceUefiData ec2:GetIpamAddressHistory ec2:GetIpamDiscoveredAccounts ec2:GetIpamDiscoveredPublicAddresses ec2:GetIpamDiscoveredResourceCidrs ec2:GetIpamPolicyAllocationRules ec2:GetIpamPolicyOrganizationTargets ec2:GetIpamPoolAllocations ec2:GetIpamPoolCidrs ec2:GetIpamPrefixListResolverRules ec2:GetIpamPrefixListResolverVersionEntries ec2:GetIpamPrefixListResolverVersions ec2:GetIpamResourceCidrs ec2:GetLaunchTemplateData ec2:GetManagedPrefixListAssociations ec2:GetManagedPrefixListEntries ec2:GetNetworkInsightsAccessScopeAnalysisFindings ec2:GetNetworkInsightsAccessScopeContent ec2:GetPasswordData ec2:GetReservedInstancesExchangeQuote ec2:GetRouteServerAssociations ec2:GetRouteServerPropagations ec2:GetRouteServerRoutingDatabase ec2:GetSecurityGroupsForVpc ec2:GetSerialConsoleAccessStatus ec2:GetSnapshotBlockPublicAccessState ec2:GetSpotPlacementScores ec2:GetSubnetCidrReservations ec2:GetTransitGatewayAttachmentPropagations ec2:GetTransitGatewayMeteringPolicyEntries ec2:GetTransitGatewayMulticastDomainAssociations ec2:GetTransitGatewayPolicyTableAssociations ec2:GetTransitGatewayPolicyTableEntries ec2:GetTransitGatewayPrefixListReferences ec2:GetTransitGatewayRouteTableAssociations ec2:GetTransitGatewayRouteTablePropagations ec2:GetVerifiedAccessEndpointPolicy ec2:GetVerifiedAccessEndpointTargets ec2:GetVerifiedAccessGroupPolicy ec2:GetVpcResourcesBlockingEncryptionEnforcement ec2:GetVpnConnectionDeviceSampleConfiguration ec2:GetVpnConnectionDeviceTypes ec2:GetVpnTunnelReplacementStatus ec2:ImportClientVpnClientCertificateRevocationList ec2:ImportImage ec2:ImportInstance ec2:ImportKeyPair ec2:ImportSnapshot ec2:ImportVolume ec2:InjectVolumeIOLatency ec2:ListImagesInRecycleBin ec2:ListSnapshotsInRecycleBin ec2:ListVolumesInRecycleBin ec2:LockSnapshot ec2:ModifyAddressAttribute ec2:ModifyAvailabilityZoneGroup ec2:ModifyCapacityReservation ec2:ModifyCapacityReservationFleet ec2:ModifyClientVpnEndpoint ec2:ModifyDefaultCreditSpecification ec2:ModifyEbsDefaultKmsKeyId ec2:ModifyFleet ec2:ModifyFpgaImageAttribute ec2:ModifyHosts ec2:ModifyIdFormat ec2:ModifyIdentityIdFormat ec2:ModifyImageAttribute ec2:ModifyInstanceAttribute ec2:ModifyInstanceCapacityReservationAttributes ec2:ModifyInstanceConnectEndpoint ec2:ModifyInstanceCpuOptions ec2:ModifyInstanceCreditSpecification ec2:ModifyInstanceEventStartTime ec2:ModifyInstanceEventWindow ec2:ModifyInstanceMaintenanceOptions ec2:ModifyInstanceMetadataDefaults ec2:ModifyInstanceMetadataOptions ec2:ModifyInstanceNetworkPerformanceOptions ec2:ModifyInstancePlacement ec2:ModifyIpam ec2:ModifyIpamPolicyAllocationRules ec2:ModifyIpamPool ec2:ModifyIpamPrefixListResolver ec2:ModifyIpamPrefixListResolverTarget ec2:ModifyIpamResourceCidr ec2:ModifyIpamResourceDiscovery ec2:ModifyIpamScope ec2:ModifyLaunchTemplate ec2:ModifyLocalGatewayRoute ec2:ModifyManagedPrefixList ec2:ModifyNetworkInterfaceAttribute ec2:ModifyPrivateDnsNameOptions ec2:ModifyPublicIpDnsNameOptions ec2:ModifyReservedInstances ec2:ModifyRouteServer ec2:ModifySecurityGroupRules ec2:ModifySnapshotAttribute ec2:ModifySnapshotTier ec2:ModifySpotFleetRequest ec2:ModifySubnetAttribute ec2:ModifyTrafficMirrorFilterNetworkServices ec2:ModifyTrafficMirrorFilterRule ec2:ModifyTrafficMirrorSession ec2:ModifyTransitGateway ec2:ModifyTransitGatewayMeteringPolicy ec2:ModifyTransitGatewayPrefixListReference ec2:ModifyTransitGatewayVpcAttachment ec2:ModifyVerifiedAccessEndpoint ec2:ModifyVerifiedAccessEndpointPolicy ec2:ModifyVerifiedAccessGroup ec2:ModifyVerifiedAccessGroupPolicy ec2:ModifyVerifiedAccessInstance ec2:ModifyVerifiedAccessInstanceLoggingConfiguration ec2:ModifyVerifiedAccessTrustProvider ec2:ModifyVolume ec2:ModifyVolumeAttribute ec2:ModifyVpcAttribute ec2:ModifyVpcBlockPublicAccessExclusion ec2:ModifyVpcBlockPublicAccessOptions ec2:ModifyVpcEncryptionControl ec2:ModifyVpcEndpoint ec2:ModifyVpcEndpointConnectionNotification ec2:ModifyVpcEndpointServiceConfiguration ec2:ModifyVpcEndpointServicePayerResponsibility ec2:ModifyVpcEndpointServicePermissions ec2:ModifyVpcPeeringConnectionOptions ec2:ModifyVpcTenancy ec2:ModifyVpnConnection ec2:ModifyVpnConnectionOptions ec2:ModifyVpnTunnelCertificate ec2:ModifyVpnTunnelOptions ec2:MonitorInstances ec2:MoveAddressToVpc ec2:MoveByoipCidrToIpam ec2:MoveCapacityReservationInstances ec2:ProvisionByoipCidr ec2:ProvisionIpamByoasn ec2:ProvisionIpamPoolCidr ec2:ProvisionPublicIpv4PoolCidr ec2:PurchaseCapacityBlockExtension ec2:PurchaseHostReservation ec2:PurchaseReservedInstancesOffering ec2:PurchaseScheduledInstances ec2:RebootInstances ec2:RegisterImage ec2:RegisterInstanceEventNotificationAttributes ec2:RegisterTransitGatewayMulticastGroupMembers ec2:RegisterTransitGatewayMulticastGroupSources ec2:RejectCapacityReservationBillingOwnership ec2:RejectTransitGatewayMulticastDomainAssociations ec2:RejectTransitGatewayPeeringAttachment ec2:RejectTransitGatewayVpcAttachment ec2:RejectVpcEndpointConnections ec2:RejectVpcPeeringConnection ec2:ReleaseAddress ec2:ReleaseHosts ec2:ReleaseIpamPoolAllocation ec2:ReplaceIamInstanceProfileAssociation ec2:ReplaceImageCriteriaInAllowedImagesSettings ec2:ReplaceNetworkAclAssociation ec2:ReplaceNetworkAclEntry ec2:ReplaceRoute ec2:ReplaceRouteTableAssociation ec2:ReplaceTransitGatewayRoute ec2:ReplaceVpnTunnel ec2:ReportInstanceStatus ec2:RequestSpotFleet ec2:RequestSpotInstances ec2:ResetAddressAttribute ec2:ResetEbsDefaultKmsKeyId ec2:ResetFpgaImageAttribute ec2:ResetImageAttribute ec2:ResetInstanceAttribute ec2:ResetNetworkInterfaceAttribute ec2:ResetSnapshotAttribute ec2:RestoreAddressToClassic ec2:RestoreImageFromRecycleBin ec2:RestoreManagedPrefixListVersion ec2:RestoreSnapshotFromRecycleBin ec2:RestoreSnapshotTier ec2:RestoreVolumeFromRecycleBin ec2:RevokeClientVpnIngress ec2:RevokeSecurityGroupEgress ec2:RevokeSecurityGroupIngress ec2:RunInstances ec2:RunScheduledInstances ec2:SearchLocalGatewayRoutes ec2:SearchTransitGatewayMulticastGroups ec2:SearchTransitGatewayRoutes ec2:SendDiagnosticInterrupt ec2:StartDeclarativePoliciesReport ec2:StartInstances ec2:StartNetworkInsightsAccessScopeAnalysis ec2:StartNetworkInsightsAnalysis ec2:StartVpcEndpointServicePrivateDnsVerification ec2:TerminateClientVpnConnections ec2:UnassignIpv6Addresses ec2:UnassignPrivateIpAddresses ec2:UnassignPrivateNatGatewayAddress ec2:UnlockSnapshot ec2:UnmonitorInstances ec2:UpdateCapacityManagerOrganizationsAccess ec2:UpdateInterruptibleCapacityReservationAllocation ec2:UpdateSecurityGroupRuleDescriptionsEgress ec2:UpdateSecurityGroupRuleDescriptionsIngress ec2:WithdrawByoipCidr  | 
| ecr |  ecr:BatchCheckLayerAvailability ecr:BatchDeleteImage ecr:BatchGetImage ecr:BatchGetRepositoryScanningConfiguration ecr:CompleteLayerUpload ecr:CreatePullThroughCacheRule ecr:CreateRepositoryCreationTemplate ecr:DeleteLifecyclePolicy ecr:DeletePullThroughCacheRule ecr:DeleteRegistryPolicy ecr:DeleteRepository ecr:DeleteRepositoryCreationTemplate ecr:DeleteRepositoryPolicy ecr:DeleteSigningConfiguration ecr:DescribeImageReplicationStatus ecr:DescribeImageScanFindings ecr:DescribeImages ecr:DescribePullThroughCacheRules ecr:DescribeRegistry ecr:DescribeRepositories ecr:DescribeRepositoryCreationTemplates ecr:GetAccountSetting ecr:GetAuthorizationToken ecr:GetDownloadUrlForLayer ecr:GetLifecyclePolicy ecr:GetLifecyclePolicyPreview ecr:GetRegistryPolicy ecr:GetRegistryScanningConfiguration ecr:GetRepositoryPolicy ecr:GetSigningConfiguration ecr:InitiateLayerUpload ecr:ListImages ecr:ListPullTimeUpdateExclusions ecr:PutAccountSetting ecr:PutImage ecr:PutImageScanningConfiguration ecr:PutRegistryPolicy ecr:PutRegistryScanningConfiguration ecr:PutReplicationConfiguration ecr:StartImageScan ecr:StartLifecyclePolicyPreview ecr:UpdatePullThroughCacheRule ecr:UpdateRepositoryCreationTemplate ecr:UploadLayerPart ecr:ValidatePullThroughCacheRule  | 
| ecr-public |  ecr-public:BatchCheckLayerAvailability ecr-public:BatchDeleteImage ecr-public:CompleteLayerUpload ecr-public:CreateRepository ecr-public:DeleteRepository ecr-public:DeleteRepositoryPolicy ecr-public:DescribeImages ecr-public:DescribeRegistries ecr-public:DescribeRepositories ecr-public:GetAuthorizationToken ecr-public:GetRegistryCatalogData ecr-public:GetRepositoryCatalogData ecr-public:GetRepositoryPolicy ecr-public:InitiateLayerUpload ecr-public:PutImage ecr-public:PutRegistryCatalogData ecr-public:PutRepositoryCatalogData ecr-public:SetRepositoryPolicy ecr-public:UploadLayerPart  | 
| ecs |  ecs:CreateCapacityProvider ecs:CreateCluster ecs:CreateService ecs:CreateTaskSet ecs:DeleteAccountSetting ecs:DeleteAttributes ecs:DeleteCapacityProvider ecs:DeleteCluster ecs:DeleteExpressGatewayService ecs:DeleteService ecs:DeleteTaskDefinitions ecs:DeleteTaskSet ecs:DeregisterContainerInstance ecs:DeregisterTaskDefinition ecs:DescribeCapacityProviders ecs:DescribeClusters ecs:DescribeContainerInstances ecs:DescribeExpressGatewayService ecs:DescribeServiceDeployments ecs:DescribeServiceRevisions ecs:DescribeServices ecs:DescribeTaskDefinition ecs:DescribeTaskSets ecs:DescribeTasks ecs:DiscoverPollEndpoint ecs:ExecuteCommand ecs:GetTaskProtection ecs:ListAccountSettings ecs:ListAttributes ecs:ListClusters ecs:ListContainerInstances ecs:ListServiceDeployments ecs:ListServices ecs:ListServicesByNamespace ecs:ListTaskDefinitionFamilies ecs:ListTaskDefinitions ecs:ListTasks ecs:PutAccountSetting ecs:PutAccountSettingDefault ecs:PutAttributes ecs:PutClusterCapacityProviders ecs:RegisterContainerInstance ecs:RunTask ecs:StartTask ecs:StopServiceDeployment ecs:StopTask ecs:SubmitAttachmentStateChanges ecs:SubmitContainerStateChange ecs:SubmitTaskStateChange ecs:UpdateCapacityProvider ecs:UpdateCluster ecs:UpdateClusterSettings ecs:UpdateContainerAgent ecs:UpdateContainerInstancesState ecs:UpdateExpressGatewayService ecs:UpdateService ecs:UpdateServicePrimaryTaskSet ecs:UpdateTaskProtection ecs:UpdateTaskSet  | 
| eks |  eks:AssociateAccessPolicy eks:AssociateEncryptionConfig eks:AssociateIdentityProviderConfig eks:CreateAccessEntry eks:CreateAddon eks:CreateCluster eks:CreateEksAnywhereSubscription eks:CreateFargateProfile eks:CreateNodegroup eks:DeleteAccessEntry eks:DeleteAddon eks:DeleteCapability eks:DeleteCluster eks:DeleteEksAnywhereSubscription eks:DeleteFargateProfile eks:DeleteNodegroup eks:DeletePodIdentityAssociation eks:DeregisterCluster eks:DescribeAccessEntry eks:DescribeAddon eks:DescribeAddonConfiguration eks:DescribeAddonVersions eks:DescribeCapability eks:DescribeCluster eks:DescribeClusterVersions eks:DescribeEksAnywhereSubscription eks:DescribeFargateProfile eks:DescribeIdentityProviderConfig eks:DescribeInsight eks:DescribeInsightsRefresh eks:DescribeNodegroup eks:DescribePodIdentityAssociation eks:DescribeUpdate eks:DisassociateAccessPolicy eks:DisassociateIdentityProviderConfig eks:ListAccessEntries eks:ListAccessPolicies eks:ListAddons eks:ListAssociatedAccessPolicies eks:ListCapabilities eks:ListClusters eks:ListEksAnywhereSubscriptions eks:ListFargateProfiles eks:ListIdentityProviderConfigs eks:ListInsights eks:ListNodegroups eks:ListPodIdentityAssociations eks:ListUpdates eks:RegisterCluster eks:StartInsightsRefresh eks:UpdateAccessEntry eks:UpdateAddon eks:UpdateCapability eks:UpdateClusterConfig eks:UpdateClusterVersion eks:UpdateEksAnywhereSubscription eks:UpdateNodegroupConfig eks:UpdateNodegroupVersion eks:UpdatePodIdentityAssociation  | 
| elasticache |  elasticache:AuthorizeCacheSecurityGroupIngress elasticache:BatchApplyUpdateAction elasticache:BatchStopUpdateAction elasticache:CompleteMigration elasticache:CopyServerlessCacheSnapshot elasticache:CopySnapshot elasticache:CreateCacheCluster elasticache:CreateCacheParameterGroup elasticache:CreateCacheSecurityGroup elasticache:CreateCacheSubnetGroup elasticache:CreateGlobalReplicationGroup elasticache:CreateReplicationGroup elasticache:CreateServerlessCache elasticache:CreateServerlessCacheSnapshot elasticache:CreateSnapshot elasticache:CreateUser elasticache:CreateUserGroup elasticache:DecreaseNodeGroupsInGlobalReplicationGroup elasticache:DecreaseReplicaCount elasticache:DeleteCacheCluster elasticache:DeleteCacheParameterGroup elasticache:DeleteCacheSecurityGroup elasticache:DeleteCacheSubnetGroup elasticache:DeleteGlobalReplicationGroup elasticache:DeleteReplicationGroup elasticache:DeleteServerlessCache elasticache:DeleteServerlessCacheSnapshot elasticache:DeleteSnapshot elasticache:DeleteUser elasticache:DeleteUserGroup elasticache:DescribeCacheClusters elasticache:DescribeCacheEngineVersions elasticache:DescribeCacheParameterGroups elasticache:DescribeCacheParameters elasticache:DescribeCacheSecurityGroups elasticache:DescribeCacheSubnetGroups elasticache:DescribeEngineDefaultParameters elasticache:DescribeEvents elasticache:DescribeGlobalReplicationGroups elasticache:DescribeReplicationGroups elasticache:DescribeReservedCacheNodes elasticache:DescribeReservedCacheNodesOfferings elasticache:DescribeServerlessCacheSnapshots elasticache:DescribeServerlessCaches elasticache:DescribeServiceUpdates elasticache:DescribeSnapshots elasticache:DescribeUpdateActions elasticache:DescribeUserGroups elasticache:DescribeUsers elasticache:DisassociateGlobalReplicationGroup elasticache:ExportServerlessCacheSnapshot elasticache:FailoverGlobalReplicationGroup elasticache:IncreaseNodeGroupsInGlobalReplicationGroup elasticache:IncreaseReplicaCount elasticache:ListAllowedNodeTypeModifications elasticache:ModifyCacheCluster elasticache:ModifyCacheParameterGroup elasticache:ModifyCacheSubnetGroup elasticache:ModifyGlobalReplicationGroup elasticache:ModifyReplicationGroup elasticache:ModifyReplicationGroupShardConfiguration elasticache:ModifyServerlessCache elasticache:ModifyUser elasticache:ModifyUserGroup elasticache:PurchaseReservedCacheNodesOffering elasticache:RebalanceSlotsInGlobalReplicationGroup elasticache:RebootCacheCluster elasticache:ResetCacheParameterGroup elasticache:RevokeCacheSecurityGroupIngress elasticache:StartMigration elasticache:TestFailover elasticache:TestMigration  | 
| elasticbeanstalk |  elasticbeanstalk:AbortEnvironmentUpdate elasticbeanstalk:ApplyEnvironmentManagedAction elasticbeanstalk:AssociateEnvironmentOperationsRole elasticbeanstalk:CheckDNSAvailability elasticbeanstalk:ComposeEnvironments elasticbeanstalk:CreateApplication elasticbeanstalk:CreateApplicationVersion elasticbeanstalk:CreateConfigurationTemplate elasticbeanstalk:CreateEnvironment elasticbeanstalk:CreatePlatformVersion elasticbeanstalk:CreateStorageLocation elasticbeanstalk:DeleteApplication elasticbeanstalk:DeleteApplicationVersion elasticbeanstalk:DeleteConfigurationTemplate elasticbeanstalk:DeleteEnvironmentConfiguration elasticbeanstalk:DeletePlatformVersion elasticbeanstalk:DescribeAccountAttributes elasticbeanstalk:DescribeApplicationVersions elasticbeanstalk:DescribeApplications elasticbeanstalk:DescribeConfigurationOptions elasticbeanstalk:DescribeConfigurationSettings elasticbeanstalk:DescribeEnvironmentHealth elasticbeanstalk:DescribeEnvironmentManagedActionHistory elasticbeanstalk:DescribeEnvironmentManagedActions elasticbeanstalk:DescribeEnvironmentResources elasticbeanstalk:DescribeEnvironments elasticbeanstalk:DescribeEvents elasticbeanstalk:DescribeInstancesHealth elasticbeanstalk:DescribePlatformVersion elasticbeanstalk:DisassociateEnvironmentOperationsRole elasticbeanstalk:ListAvailableSolutionStacks elasticbeanstalk:ListPlatformBranches elasticbeanstalk:ListPlatformVersions elasticbeanstalk:RebuildEnvironment elasticbeanstalk:RequestEnvironmentInfo elasticbeanstalk:RestartAppServer elasticbeanstalk:RetrieveEnvironmentInfo elasticbeanstalk:SwapEnvironmentCNAMEs elasticbeanstalk:TerminateEnvironment elasticbeanstalk:UpdateApplication elasticbeanstalk:UpdateApplicationResourceLifecycle elasticbeanstalk:UpdateApplicationVersion elasticbeanstalk:UpdateConfigurationTemplate elasticbeanstalk:UpdateEnvironment elasticbeanstalk:ValidateConfigurationSettings  | 
| elasticfilesystem |  elasticfilesystem:CreateAccessPoint elasticfilesystem:CreateFileSystem elasticfilesystem:CreateMountTarget elasticfilesystem:CreateReplicationConfiguration elasticfilesystem:DeleteAccessPoint elasticfilesystem:DeleteFileSystem elasticfilesystem:DeleteFileSystemPolicy elasticfilesystem:DeleteMountTarget elasticfilesystem:DeleteReplicationConfiguration elasticfilesystem:DescribeAccessPoints elasticfilesystem:DescribeAccountPreferences elasticfilesystem:DescribeBackupPolicy elasticfilesystem:DescribeFileSystemPolicy elasticfilesystem:DescribeFileSystems elasticfilesystem:DescribeLifecycleConfiguration elasticfilesystem:DescribeMountTargetSecurityGroups elasticfilesystem:DescribeMountTargets elasticfilesystem:DescribeReplicationConfigurations elasticfilesystem:ModifyMountTargetSecurityGroups elasticfilesystem:PutAccountPreferences elasticfilesystem:PutBackupPolicy elasticfilesystem:PutFileSystemPolicy elasticfilesystem:PutLifecycleConfiguration elasticfilesystem:UpdateFileSystem elasticfilesystem:UpdateFileSystemProtection  | 
| elasticloadbalancing |  elasticloadbalancing:AddListenerCertificates elasticloadbalancing:AddTrustStoreRevocations elasticloadbalancing:ApplySecurityGroupsToLoadBalancer elasticloadbalancing:AttachLoadBalancerToSubnets elasticloadbalancing:ConfigureHealthCheck elasticloadbalancing:CreateAppCookieStickinessPolicy elasticloadbalancing:CreateLBCookieStickinessPolicy elasticloadbalancing:CreateListener elasticloadbalancing:CreateLoadBalancer elasticloadbalancing:CreateLoadBalancerListeners elasticloadbalancing:CreateLoadBalancerPolicy elasticloadbalancing:CreateRule elasticloadbalancing:CreateTargetGroup elasticloadbalancing:CreateTrustStore elasticloadbalancing:CreateWebACLAssociation elasticloadbalancing:DeleteListener elasticloadbalancing:DeleteLoadBalancer elasticloadbalancing:DeleteLoadBalancerListeners elasticloadbalancing:DeleteLoadBalancerPolicy elasticloadbalancing:DeleteRule elasticloadbalancing:DeleteSharedTrustStoreAssociation elasticloadbalancing:DeleteTargetGroup elasticloadbalancing:DeleteTrustStore elasticloadbalancing:DeleteWebACLAssociation elasticloadbalancing:DeregisterInstancesFromLoadBalancer elasticloadbalancing:DeregisterTargets elasticloadbalancing:DescribeAccountLimits elasticloadbalancing:DescribeCapacityReservation elasticloadbalancing:DescribeInstanceHealth elasticloadbalancing:DescribeListenerAttributes elasticloadbalancing:DescribeListenerCertificates elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancerPolicies elasticloadbalancing:DescribeLoadBalancerPolicyTypes elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeRules elasticloadbalancing:DescribeSSLPolicies elasticloadbalancing:DescribeTargetGroupAttributes elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeTargetHealth elasticloadbalancing:DescribeTrustStoreAssociations elasticloadbalancing:DescribeTrustStoreRevocations elasticloadbalancing:DescribeTrustStores elasticloadbalancing:DescribeWebACLAssociation elasticloadbalancing:DetachLoadBalancerFromSubnets elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer elasticloadbalancing:GetLoadBalancerWebACL elasticloadbalancing:GetResourcePolicy elasticloadbalancing:GetTrustStoreCaCertificatesBundle elasticloadbalancing:GetTrustStoreRevocationContent elasticloadbalancing:ModifyCapacityReservation elasticloadbalancing:ModifyIpPools elasticloadbalancing:ModifyListener elasticloadbalancing:ModifyLoadBalancerAttributes elasticloadbalancing:ModifyRule elasticloadbalancing:ModifyTargetGroup elasticloadbalancing:ModifyTargetGroupAttributes elasticloadbalancing:ModifyTrustStore elasticloadbalancing:RegisterInstancesWithLoadBalancer elasticloadbalancing:RegisterTargets elasticloadbalancing:RemoveListenerCertificates elasticloadbalancing:RemoveTrustStoreRevocations elasticloadbalancing:SetIpAddressType elasticloadbalancing:SetLoadBalancerListenerSSLCertificate elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer elasticloadbalancing:SetLoadBalancerPoliciesOfListener elasticloadbalancing:SetRulePriorities elasticloadbalancing:SetSecurityGroups elasticloadbalancing:SetSubnets  | 
| elastictranscoder |  elastictranscoder:CancelJob elastictranscoder:CreateJob elastictranscoder:CreatePipeline elastictranscoder:CreatePreset elastictranscoder:DeletePipeline elastictranscoder:DeletePreset elastictranscoder:ListJobsByPipeline elastictranscoder:ListJobsByStatus elastictranscoder:ListPipelines elastictranscoder:ListPresets elastictranscoder:ReadJob elastictranscoder:ReadPipeline elastictranscoder:ReadPreset elastictranscoder:TestRole elastictranscoder:UpdatePipeline elastictranscoder:UpdatePipelineNotifications elastictranscoder:UpdatePipelineStatus  | 
| emr-containers |  emr-containers:CancelJobRun emr-containers:CreateJobTemplate emr-containers:CreateManagedEndpoint emr-containers:CreateSecurityConfiguration emr-containers:CreateVirtualCluster emr-containers:DeleteJobTemplate emr-containers:DeleteManagedEndpoint emr-containers:DeleteVirtualCluster emr-containers:DescribeJobRun emr-containers:DescribeJobTemplate emr-containers:DescribeManagedEndpoint emr-containers:DescribeSecurityConfiguration emr-containers:DescribeVirtualCluster emr-containers:GetManagedEndpointSessionCredentials emr-containers:ListJobRuns emr-containers:ListJobTemplates emr-containers:ListManagedEndpoints emr-containers:ListSecurityConfigurations emr-containers:ListVirtualClusters emr-containers:StartJobRun  | 
| emr-serverless |  emr-serverless:CancelJobRun emr-serverless:CreateApplication emr-serverless:DeleteApplication emr-serverless:GetApplication emr-serverless:GetDashboardForJobRun emr-serverless:GetJobRun emr-serverless:ListApplications emr-serverless:ListJobRunAttempts emr-serverless:ListJobRuns emr-serverless:StartApplication emr-serverless:StartJobRun emr-serverless:StopApplication emr-serverless:UpdateApplication  | 
| es |  es:AcceptInboundConnection es:AcceptInboundCrossClusterSearchConnection es:AssociatePackage es:AuthorizeVpcEndpointAccess es:CancelElasticsearchServiceSoftwareUpdate es:CancelServiceSoftwareUpdate es:CreateDomain es:CreateElasticsearchDomain es:CreateIndex es:CreateOutboundConnection es:CreateOutboundCrossClusterSearchConnection es:CreatePackage es:CreateVpcEndpoint es:DeleteDomain es:DeleteElasticsearchDomain es:DeleteElasticsearchServiceRole es:DeleteInboundConnection es:DeleteInboundCrossClusterSearchConnection es:DeleteIndex es:DeleteOutboundConnection es:DeleteOutboundCrossClusterSearchConnection es:DeletePackage es:DeleteVpcEndpoint es:DescribeDomain es:DescribeDomainAutoTunes es:DescribeDomainChangeProgress es:DescribeDomainConfig es:DescribeDomainHealth es:DescribeDomainNodes es:DescribeDomains es:DescribeDryRunProgress es:DescribeElasticsearchDomain es:DescribeElasticsearchDomainConfig es:DescribeElasticsearchDomains es:DescribeElasticsearchInstanceTypeLimits es:DescribeInboundConnections es:DescribeInboundCrossClusterSearchConnections es:DescribeInstanceTypeLimits es:DescribeOutboundConnections es:DescribeOutboundCrossClusterSearchConnections es:DescribePackages es:DescribeReservedElasticsearchInstanceOfferings es:DescribeReservedElasticsearchInstances es:DescribeReservedInstanceOfferings es:DescribeReservedInstances es:DescribeVpcEndpoints es:DissociatePackage es:DissociatePackages es:GetCompatibleElasticsearchVersions es:GetCompatibleVersions es:GetDataSource es:GetDomainMaintenanceStatus es:GetPackageVersionHistory es:GetUpgradeHistory es:GetUpgradeStatus es:ListDataSources es:ListDomainNames es:ListDomainsForPackage es:ListElasticsearchInstanceTypes es:ListElasticsearchVersions es:ListInstanceTypeDetails es:ListPackagesForDomain es:ListScheduledActions es:ListVersions es:ListVpcEndpointAccess es:ListVpcEndpoints es:ListVpcEndpointsForDomain es:PurchaseReservedElasticsearchInstanceOffering es:PurchaseReservedInstanceOffering es:RejectInboundConnection es:RejectInboundCrossClusterSearchConnection es:RevokeVpcEndpointAccess es:StartDomainMaintenance es:StartElasticsearchServiceSoftwareUpdate es:StartServiceSoftwareUpdate es:UpdateDataSource es:UpdateDomainConfig es:UpdateElasticsearchDomainConfig es:UpdateIndex es:UpdatePackage es:UpdatePackageScope es:UpdateScheduledAction es:UpdateVpcEndpoint es:UpgradeDomain es:UpgradeElasticsearchDomain  | 
| events |  events:ActivateEventSource events:CancelReplay events:CreateApiDestination events:CreateArchive events:CreateConnection events:CreateEndpoint events:CreateEventBus events:CreatePartnerEventSource events:DeactivateEventSource events:DeauthorizeConnection events:DeleteApiDestination events:DeleteArchive events:DeleteConnection events:DeleteEndpoint events:DeleteEventBus events:DeletePartnerEventSource events:DeleteRule events:DescribeApiDestination events:DescribeArchive events:DescribeConnection events:DescribeEndpoint events:DescribeEventBus events:DescribeEventSource events:DescribePartnerEventSource events:DescribeReplay events:DescribeRule events:DisableRule events:EnableRule events:ListApiDestinations events:ListArchives events:ListConnections events:ListEndpoints events:ListEventBuses events:ListEventSources events:ListPartnerEventSourceAccounts events:ListPartnerEventSources events:ListReplays events:ListRuleNamesByTarget events:ListRules events:ListTargetsByRule events:PutPermission events:PutRule events:PutTargets events:RemovePermission events:RemoveTargets events:StartReplay events:TestEventPattern events:UpdateApiDestination events:UpdateArchive events:UpdateConnection events:UpdateEndpoint events:UpdateEventBus  | 
| evidently |  evidently:CreateExperiment evidently:CreateFeature evidently:CreateLaunch evidently:CreateProject evidently:CreateSegment evidently:DeleteExperiment evidently:DeleteFeature evidently:DeleteLaunch evidently:DeleteProject evidently:DeleteSegment evidently:GetExperiment evidently:GetExperimentResults evidently:GetFeature evidently:GetLaunch evidently:GetProject evidently:GetSegment evidently:ListExperiments evidently:ListFeatures evidently:ListLaunches evidently:ListProjects evidently:ListSegmentReferences evidently:ListSegments evidently:StartExperiment evidently:StartLaunch evidently:StopExperiment evidently:StopLaunch evidently:TestSegmentPattern evidently:UpdateExperiment evidently:UpdateFeature evidently:UpdateLaunch evidently:UpdateProject evidently:UpdateProjectDataDelivery  | 
| finspace |  finspace:CreateEnvironment finspace:CreateKxChangeset finspace:CreateKxCluster finspace:CreateKxDatabase finspace:CreateKxDataview finspace:CreateKxEnvironment finspace:CreateKxScalingGroup finspace:CreateKxUser finspace:CreateKxVolume finspace:CreateUser finspace:DeleteEnvironment finspace:DeleteKxCluster finspace:DeleteKxClusterNode finspace:DeleteKxDatabase finspace:DeleteKxDataview finspace:DeleteKxEnvironment finspace:DeleteKxScalingGroup finspace:DeleteKxUser finspace:DeleteKxVolume finspace:GetEnvironment finspace:GetKxChangeset finspace:GetKxCluster finspace:GetKxConnectionString finspace:GetKxDatabase finspace:GetKxDataview finspace:GetKxEnvironment finspace:GetKxScalingGroup finspace:GetKxUser finspace:GetKxVolume finspace:GetLoadSampleDataSetGroupIntoEnvironmentStatus finspace:GetUser finspace:ListEnvironments finspace:ListKxChangesets finspace:ListKxClusterNodes finspace:ListKxClusters finspace:ListKxDatabases finspace:ListKxDataviews finspace:ListKxEnvironments finspace:ListKxScalingGroups finspace:ListKxUsers finspace:ListKxVolumes finspace:ListUsers finspace:LoadSampleDataSetGroupIntoEnvironment finspace:ResetUserPassword finspace:UpdateEnvironment finspace:UpdateKxClusterCodeConfiguration finspace:UpdateKxClusterDatabases finspace:UpdateKxDatabase finspace:UpdateKxDataview finspace:UpdateKxEnvironment finspace:UpdateKxEnvironmentNetwork finspace:UpdateKxUser finspace:UpdateKxVolume finspace:UpdateUser  | 
| firehose |  firehose:CreateDeliveryStream firehose:DeleteDeliveryStream firehose:DescribeDeliveryStream firehose:ListDeliveryStreams firehose:StartDeliveryStreamEncryption firehose:StopDeliveryStreamEncryption firehose:UpdateDestination  | 
| fis |  fis:CreateExperimentTemplate fis:CreateTargetAccountConfiguration fis:DeleteExperimentTemplate fis:DeleteTargetAccountConfiguration fis:GetAction fis:GetExperiment fis:GetExperimentTargetAccountConfiguration fis:GetExperimentTemplate fis:GetSafetyLever fis:GetTargetAccountConfiguration fis:GetTargetResourceType fis:ListActions fis:ListExperimentResolvedTargets fis:ListExperimentTargetAccountConfigurations fis:ListExperimentTemplates fis:ListExperiments fis:ListTargetAccountConfigurations fis:ListTargetResourceTypes fis:StartExperiment fis:StopExperiment fis:UpdateExperimentTemplate fis:UpdateSafetyLeverState fis:UpdateTargetAccountConfiguration  | 
| fms |  fms:AssociateAdminAccount fms:AssociateThirdPartyFirewall fms:BatchAssociateResource fms:BatchDisassociateResource fms:DeleteAppsList fms:DeleteNotificationChannel fms:DeletePolicy fms:DeleteProtocolsList fms:DeleteResourceSet fms:DisassociateAdminAccount fms:DisassociateThirdPartyFirewall fms:GetAdminAccount fms:GetAdminScope fms:GetAppsList fms:GetComplianceDetail fms:GetNotificationChannel fms:GetPolicy fms:GetProtectionStatus fms:GetProtocolsList fms:GetResourceSet fms:GetThirdPartyFirewallAssociationStatus fms:GetViolationDetails fms:ListAdminAccountsForOrganization fms:ListAdminsManagingAccount fms:ListAppsLists fms:ListComplianceStatus fms:ListDiscoveredResources fms:ListMemberAccounts fms:ListPolicies fms:ListProtocolsLists fms:ListResourceSetResources fms:ListResourceSets fms:ListThirdPartyFirewallFirewallPolicies fms:PutAdminAccount fms:PutAppsList fms:PutNotificationChannel fms:PutPolicy fms:PutProtocolsList fms:PutResourceSet  | 
| frauddetector |  frauddetector:BatchCreateVariable frauddetector:BatchGetVariable frauddetector:CancelBatchImportJob frauddetector:CancelBatchPredictionJob frauddetector:CreateBatchImportJob frauddetector:CreateBatchPredictionJob frauddetector:CreateDetectorVersion frauddetector:CreateList frauddetector:CreateModel frauddetector:CreateModelVersion frauddetector:CreateRule frauddetector:CreateVariable frauddetector:DeleteBatchImportJob frauddetector:DeleteBatchPredictionJob frauddetector:DeleteDetector frauddetector:DeleteDetectorVersion frauddetector:DeleteEntityType frauddetector:DeleteEvent frauddetector:DeleteEventType frauddetector:DeleteEventsByEventType frauddetector:DeleteExternalModel frauddetector:DeleteLabel frauddetector:DeleteList frauddetector:DeleteModel frauddetector:DeleteModelVersion frauddetector:DeleteOutcome frauddetector:DeleteRule frauddetector:DeleteVariable frauddetector:DescribeDetector frauddetector:DescribeModelVersions frauddetector:GetBatchImportJobs frauddetector:GetBatchPredictionJobs frauddetector:GetDeleteEventsByEventTypeStatus frauddetector:GetDetectorVersion frauddetector:GetDetectors frauddetector:GetEntityTypes frauddetector:GetEvent frauddetector:GetEventPrediction frauddetector:GetEventPredictionMetadata frauddetector:GetEventTypes frauddetector:GetExternalModels frauddetector:GetKMSEncryptionKey frauddetector:GetLabels frauddetector:GetListElements frauddetector:GetListsMetadata frauddetector:GetModelVersion frauddetector:GetModels frauddetector:GetOutcomes frauddetector:GetRules frauddetector:GetVariables frauddetector:ListEventPredictions frauddetector:PutDetector frauddetector:PutEntityType frauddetector:PutEventType frauddetector:PutExternalModel frauddetector:PutKMSEncryptionKey frauddetector:PutLabel frauddetector:PutOutcome frauddetector:SendEvent frauddetector:UpdateDetectorVersion frauddetector:UpdateDetectorVersionMetadata frauddetector:UpdateDetectorVersionStatus frauddetector:UpdateEventLabel frauddetector:UpdateList frauddetector:UpdateModel frauddetector:UpdateModelVersion frauddetector:UpdateModelVersionStatus frauddetector:UpdateRuleMetadata frauddetector:UpdateRuleVersion frauddetector:UpdateVariable  | 
| fsx |  fsx:AssociateFileSystemAliases fsx:CancelDataRepositoryTask fsx:CopyBackup fsx:CreateDataRepositoryTask fsx:CreateFileCache fsx:CreateFileSystem fsx:CreateFileSystemFromBackup fsx:CreateSnapshot fsx:CreateStorageVirtualMachine fsx:CreateVolume fsx:CreateVolumeFromBackup fsx:DeleteBackup fsx:DeleteFileCache fsx:DeleteFileSystem fsx:DeleteSnapshot fsx:DeleteStorageVirtualMachine fsx:DeleteVolume fsx:DescribeBackups fsx:DescribeDataRepositoryAssociations fsx:DescribeDataRepositoryTasks fsx:DescribeFileCaches fsx:DescribeFileSystemAliases fsx:DescribeFileSystems fsx:DescribeS3AccessPointAttachments fsx:DescribeSharedVpcConfiguration fsx:DescribeSnapshots fsx:DescribeStorageVirtualMachines fsx:DescribeVolumes fsx:DetachAndDeleteS3AccessPoint fsx:DisassociateFileSystemAliases fsx:ReleaseFileSystemNfsV3Locks fsx:RestoreVolumeFromSnapshot fsx:StartMisconfiguredStateRecovery fsx:UpdateDataRepositoryAssociation fsx:UpdateFileCache fsx:UpdateFileSystem fsx:UpdateSharedVpcConfiguration fsx:UpdateSnapshot fsx:UpdateStorageVirtualMachine fsx:UpdateVolume  | 
| gamelift |  gamelift:AcceptMatch gamelift:ClaimGameServer gamelift:CreateAlias gamelift:CreateBuild gamelift:CreateContainerGroupDefinition gamelift:CreateFleet gamelift:CreateFleetLocations gamelift:CreateGameServerGroup gamelift:CreateGameSession gamelift:CreateGameSessionQueue gamelift:CreateLocation gamelift:CreateMatchmakingConfiguration gamelift:CreateMatchmakingRuleSet gamelift:CreatePlayerSession gamelift:CreatePlayerSessions gamelift:CreateScript gamelift:CreateVpcPeeringAuthorization gamelift:CreateVpcPeeringConnection gamelift:DeleteAlias gamelift:DeleteBuild gamelift:DeleteContainerGroupDefinition gamelift:DeleteFleet gamelift:DeleteFleetLocations gamelift:DeleteGameServerGroup gamelift:DeleteGameSessionQueue gamelift:DeleteLocation gamelift:DeleteMatchmakingConfiguration gamelift:DeleteMatchmakingRuleSet gamelift:DeleteScalingPolicy gamelift:DeleteScript gamelift:DeleteVpcPeeringAuthorization gamelift:DeleteVpcPeeringConnection gamelift:DeregisterCompute gamelift:DeregisterGameServer gamelift:DescribeAlias gamelift:DescribeBuild gamelift:DescribeCompute gamelift:DescribeContainerFleet gamelift:DescribeContainerGroupDefinition gamelift:DescribeEC2InstanceLimits gamelift:DescribeFleetAttributes gamelift:DescribeFleetCapacity gamelift:DescribeFleetEvents gamelift:DescribeFleetLocationAttributes gamelift:DescribeFleetLocationCapacity gamelift:DescribeFleetLocationUtilization gamelift:DescribeFleetPortSettings gamelift:DescribeFleetUtilization gamelift:DescribeGameServer gamelift:DescribeGameServerGroup gamelift:DescribeGameServerInstances gamelift:DescribeGameSessionDetails gamelift:DescribeGameSessionPlacement gamelift:DescribeGameSessionQueues gamelift:DescribeGameSessions gamelift:DescribeInstances gamelift:DescribeMatchmaking gamelift:DescribeMatchmakingConfigurations gamelift:DescribeMatchmakingRuleSets gamelift:DescribePlayerSessions gamelift:DescribeRuntimeConfiguration gamelift:DescribeScalingPolicies gamelift:DescribeScript gamelift:DescribeVpcPeeringAuthorizations gamelift:DescribeVpcPeeringConnections gamelift:GetComputeAccess gamelift:GetComputeAuthToken gamelift:GetGameSessionLogUrl gamelift:GetInstanceAccess gamelift:ListAliases gamelift:ListBuilds gamelift:ListCompute gamelift:ListContainerFleets gamelift:ListContainerGroupDefinitionVersions gamelift:ListContainerGroupDefinitions gamelift:ListFleetDeployments gamelift:ListFleets gamelift:ListGameServerGroups gamelift:ListGameServers gamelift:ListLocations gamelift:ListScripts gamelift:PutScalingPolicy gamelift:RegisterCompute gamelift:RegisterGameServer gamelift:RequestUploadCredentials gamelift:ResolveAlias gamelift:ResumeGameServerGroup gamelift:SearchGameSessions gamelift:StartFleetActions gamelift:StartGameSessionPlacement gamelift:StartMatchBackfill gamelift:StartMatchmaking gamelift:StopFleetActions gamelift:StopGameSessionPlacement gamelift:StopMatchmaking gamelift:SuspendGameServerGroup gamelift:TerminateGameSession gamelift:UpdateAlias gamelift:UpdateBuild gamelift:UpdateContainerGroupDefinition gamelift:UpdateFleetAttributes gamelift:UpdateFleetCapacity gamelift:UpdateFleetPortSettings gamelift:UpdateGameServer gamelift:UpdateGameServerGroup gamelift:UpdateGameSession gamelift:UpdateGameSessionQueue gamelift:UpdateMatchmakingConfiguration gamelift:UpdateRuntimeConfiguration gamelift:UpdateScript gamelift:ValidateMatchmakingRuleSet  | 
| geo |  geo:AssociateTrackerConsumer geo:BatchDeleteDevicePositionHistory geo:BatchDeleteGeofence geo:BatchEvaluateGeofences geo:BatchGetDevicePosition geo:BatchPutGeofence geo:BatchUpdateDevicePosition geo:CalculateRoute geo:CalculateRouteMatrix geo:CreateGeofenceCollection geo:CreateMap geo:CreatePlaceIndex geo:CreateRouteCalculator geo:CreateTracker geo:DeleteGeofenceCollection geo:DeleteKey geo:DeleteMap geo:DeletePlaceIndex geo:DeleteRouteCalculator geo:DeleteTracker geo:DescribeGeofenceCollection geo:DescribeKey geo:DescribeMap geo:DescribePlaceIndex geo:DescribeRouteCalculator geo:DescribeTracker geo:DisassociateTrackerConsumer geo:ForecastGeofenceEvents geo:GetDevicePosition geo:GetDevicePositionHistory geo:GetGeofence geo:GetMapGlyphs geo:GetMapSprites geo:GetMapStyleDescriptor geo:GetMapTile geo:GetPlace geo:ListDevicePositions geo:ListGeofenceCollections geo:ListGeofences geo:ListKeys geo:ListMaps geo:ListPlaceIndexes geo:ListRouteCalculators geo:ListTrackerConsumers geo:ListTrackers geo:PutGeofence geo:SearchPlaceIndexForPosition geo:SearchPlaceIndexForSuggestions geo:SearchPlaceIndexForText geo:UpdateGeofenceCollection geo:UpdateKey geo:UpdateMap geo:UpdatePlaceIndex geo:UpdateRouteCalculator geo:UpdateTracker geo:VerifyDevicePosition  | 
| glacier |  glacier:AbortMultipartUpload glacier:AbortVaultLock glacier:CompleteMultipartUpload glacier:CompleteVaultLock glacier:CreateVault glacier:DeleteArchive glacier:DeleteVault glacier:DeleteVaultAccessPolicy glacier:DeleteVaultNotifications glacier:DescribeJob glacier:DescribeVault glacier:GetDataRetrievalPolicy glacier:GetJobOutput glacier:GetVaultAccessPolicy glacier:GetVaultLock glacier:GetVaultNotifications glacier:InitiateJob glacier:InitiateMultipartUpload glacier:InitiateVaultLock glacier:ListJobs glacier:ListMultipartUploads glacier:ListParts glacier:ListProvisionedCapacity glacier:ListVaults glacier:PurchaseProvisionedCapacity glacier:SetDataRetrievalPolicy glacier:SetVaultAccessPolicy glacier:SetVaultNotifications glacier:UploadArchive glacier:UploadMultipartPart  | 
| grafana |  grafana:AssociateLicense grafana:CreateWorkspace grafana:CreateWorkspaceApiKey grafana:CreateWorkspaceServiceAccount grafana:CreateWorkspaceServiceAccountToken grafana:DeleteWorkspace grafana:DeleteWorkspaceApiKey grafana:DeleteWorkspaceServiceAccount grafana:DeleteWorkspaceServiceAccountToken grafana:DescribeWorkspace grafana:DescribeWorkspaceAuthentication grafana:DescribeWorkspaceConfiguration grafana:DisassociateLicense grafana:ListPermissions grafana:ListVersions grafana:ListWorkspaceServiceAccountTokens grafana:ListWorkspaceServiceAccounts grafana:ListWorkspaces grafana:UpdatePermissions grafana:UpdateWorkspace grafana:UpdateWorkspaceAuthentication grafana:UpdateWorkspaceConfiguration  | 
| greengrass |  greengrass:AssociateRoleToGroup greengrass:AssociateServiceRoleToAccount greengrass:BatchAssociateClientDeviceWithCoreDevice greengrass:BatchDisassociateClientDeviceFromCoreDevice greengrass:CancelDeployment greengrass:CreateComponentVersion greengrass:CreateConnectorDefinition greengrass:CreateConnectorDefinitionVersion greengrass:CreateCoreDefinition greengrass:CreateCoreDefinitionVersion greengrass:CreateDeployment greengrass:CreateDeviceDefinition greengrass:CreateDeviceDefinitionVersion greengrass:CreateFunctionDefinition greengrass:CreateFunctionDefinitionVersion greengrass:CreateGroup greengrass:CreateGroupCertificateAuthority greengrass:CreateGroupVersion greengrass:CreateLoggerDefinition greengrass:CreateLoggerDefinitionVersion greengrass:CreateResourceDefinition greengrass:CreateResourceDefinitionVersion greengrass:CreateSoftwareUpdateJob greengrass:CreateSubscriptionDefinition greengrass:CreateSubscriptionDefinitionVersion greengrass:DeleteComponent greengrass:DeleteConnectorDefinition greengrass:DeleteCoreDefinition greengrass:DeleteCoreDevice greengrass:DeleteDeployment greengrass:DeleteDeviceDefinition greengrass:DeleteFunctionDefinition greengrass:DeleteGroup greengrass:DeleteLoggerDefinition greengrass:DeleteResourceDefinition greengrass:DeleteSubscriptionDefinition greengrass:DescribeComponent greengrass:DisassociateRoleFromGroup greengrass:DisassociateServiceRoleFromAccount greengrass:GetAssociatedRole greengrass:GetBulkDeploymentStatus greengrass:GetComponent greengrass:GetComponentVersionArtifact greengrass:GetConnectivityInfo greengrass:GetConnectorDefinition greengrass:GetConnectorDefinitionVersion greengrass:GetCoreDefinition greengrass:GetCoreDefinitionVersion greengrass:GetCoreDevice greengrass:GetDeployment greengrass:GetDeploymentStatus greengrass:GetDeviceDefinition greengrass:GetDeviceDefinitionVersion greengrass:GetFunctionDefinition greengrass:GetFunctionDefinitionVersion greengrass:GetGroup greengrass:GetGroupCertificateAuthority greengrass:GetGroupCertificateConfiguration greengrass:GetGroupVersion greengrass:GetLoggerDefinition greengrass:GetLoggerDefinitionVersion greengrass:GetResourceDefinition greengrass:GetResourceDefinitionVersion greengrass:GetServiceRoleForAccount greengrass:GetSubscriptionDefinition greengrass:GetSubscriptionDefinitionVersion greengrass:GetThingRuntimeConfiguration greengrass:ListBulkDeploymentDetailedReports greengrass:ListBulkDeployments greengrass:ListClientDevicesAssociatedWithCoreDevice greengrass:ListComponentVersions greengrass:ListComponents greengrass:ListConnectorDefinitionVersions greengrass:ListConnectorDefinitions greengrass:ListCoreDefinitionVersions greengrass:ListCoreDefinitions greengrass:ListCoreDevices greengrass:ListDeployments greengrass:ListDeviceDefinitionVersions greengrass:ListDeviceDefinitions greengrass:ListEffectiveDeployments greengrass:ListFunctionDefinitionVersions greengrass:ListFunctionDefinitions greengrass:ListGroupCertificateAuthorities greengrass:ListGroupVersions greengrass:ListGroups greengrass:ListInstalledComponents greengrass:ListLoggerDefinitionVersions greengrass:ListLoggerDefinitions greengrass:ListResourceDefinitionVersions greengrass:ListResourceDefinitions greengrass:ListSubscriptionDefinitionVersions greengrass:ListSubscriptionDefinitions greengrass:ResetDeployments greengrass:StartBulkDeployment greengrass:StopBulkDeployment greengrass:UpdateConnectivityInfo greengrass:UpdateConnectorDefinition greengrass:UpdateCoreDefinition greengrass:UpdateDeviceDefinition greengrass:UpdateFunctionDefinition greengrass:UpdateGroup greengrass:UpdateGroupCertificateConfiguration greengrass:UpdateLoggerDefinition greengrass:UpdateResourceDefinition greengrass:UpdateSubscriptionDefinition greengrass:UpdateThingRuntimeConfiguration  | 
| groundstation |  groundstation:CancelContact groundstation:CreateConfig groundstation:CreateDataflowEndpointGroup groundstation:CreateDataflowEndpointGroupV2 groundstation:CreateEphemeris groundstation:CreateMissionProfile groundstation:DeleteConfig groundstation:DeleteDataflowEndpointGroup groundstation:DeleteEphemeris groundstation:DeleteMissionProfile groundstation:DescribeContact groundstation:DescribeEphemeris groundstation:GetConfig groundstation:GetDataflowEndpointGroup groundstation:GetMinuteUsage groundstation:GetMissionProfile groundstation:GetSatellite groundstation:ListConfigs groundstation:ListContacts groundstation:ListDataflowEndpointGroups groundstation:ListEphemerides groundstation:ListGroundStations groundstation:ListMissionProfiles groundstation:ListSatellites groundstation:RegisterAgent groundstation:ReserveContact groundstation:UpdateAgentStatus groundstation:UpdateConfig groundstation:UpdateEphemeris groundstation:UpdateMissionProfile  | 
| guardduty |  guardduty:AcceptAdministratorInvitation guardduty:AcceptInvitation guardduty:ArchiveFindings guardduty:CreateDetector guardduty:CreateFilter guardduty:CreateIPSet guardduty:CreateMalwareProtectionPlan guardduty:CreateMembers guardduty:CreatePublishingDestination guardduty:CreateSampleFindings guardduty:CreateThreatEntitySet guardduty:CreateThreatIntelSet guardduty:CreateTrustedEntitySet guardduty:DeclineInvitations guardduty:DeleteDetector guardduty:DeleteFilter guardduty:DeleteIPSet guardduty:DeleteInvitations guardduty:DeleteMalwareProtectionPlan guardduty:DeleteMembers guardduty:DeletePublishingDestination guardduty:DeleteThreatEntitySet guardduty:DeleteThreatIntelSet guardduty:DeleteTrustedEntitySet guardduty:DescribeMalwareScans guardduty:DescribeOrganizationConfiguration guardduty:DescribePublishingDestination guardduty:DisableOrganizationAdminAccount guardduty:DisassociateFromAdministratorAccount guardduty:DisassociateFromMasterAccount guardduty:DisassociateMembers guardduty:EnableOrganizationAdminAccount guardduty:GetAdministratorAccount guardduty:GetCoverageStatistics guardduty:GetDetector guardduty:GetFilter guardduty:GetFindings guardduty:GetFindingsStatistics guardduty:GetIPSet guardduty:GetInvitationsCount guardduty:GetMalwareProtectionPlan guardduty:GetMalwareScan guardduty:GetMalwareScanSettings guardduty:GetMasterAccount guardduty:GetMemberDetectors guardduty:GetMembers guardduty:GetOrganizationStatistics guardduty:GetRemainingFreeTrialDays guardduty:GetThreatEntitySet guardduty:GetThreatIntelSet guardduty:GetTrustedEntitySet guardduty:GetUsageStatistics guardduty:InviteMembers guardduty:ListCoverage guardduty:ListDetectors guardduty:ListFilters guardduty:ListFindings guardduty:ListIPSets guardduty:ListInvitations guardduty:ListMalwareProtectionPlans guardduty:ListMalwareScans guardduty:ListMembers guardduty:ListOrganizationAdminAccounts guardduty:ListPublishingDestinations guardduty:ListThreatEntitySets guardduty:ListThreatIntelSets guardduty:ListTrustedEntitySets guardduty:StartMalwareScan guardduty:StartMonitoringMembers guardduty:StopMonitoringMembers guardduty:UnarchiveFindings guardduty:UpdateDetector guardduty:UpdateFilter guardduty:UpdateFindingsFeedback guardduty:UpdateIPSet guardduty:UpdateMalwareProtectionPlan guardduty:UpdateMalwareScanSettings guardduty:UpdateMemberDetectors guardduty:UpdateOrganizationConfiguration guardduty:UpdatePublishingDestination guardduty:UpdateThreatEntitySet guardduty:UpdateThreatIntelSet guardduty:UpdateTrustedEntitySet  | 
| healthlake |  healthlake:CancelFHIRExportJobWithDelete healthlake:CreateFHIRDatastore healthlake:CreateResource healthlake:DeleteFHIRDatastore healthlake:DeleteResource healthlake:DescribeFHIRDatastore healthlake:DescribeFHIRExportJob healthlake:DescribeFHIRExportJobWithGet healthlake:DescribeFHIRImportJob healthlake:GetCapabilities healthlake:ListFHIRDatastores healthlake:ListFHIRExportJobs healthlake:ListFHIRImportJobs healthlake:ReadResource healthlake:SearchEverything healthlake:SearchWithGet healthlake:SearchWithPost healthlake:StartFHIRExportJob healthlake:StartFHIRExportJobWithPost healthlake:StartFHIRImportJob healthlake:UpdateResource  | 
| honeycode |  honeycode:BatchCreateTableRows honeycode:BatchDeleteTableRows honeycode:BatchUpdateTableRows honeycode:BatchUpsertTableRows honeycode:DescribeTableDataImportJob honeycode:GetScreenData honeycode:InvokeScreenAutomation honeycode:ListTableColumns honeycode:ListTableRows honeycode:ListTables honeycode:QueryTableRows honeycode:StartTableDataImportJob  | 
| iam |  iam:AddClientIDToOpenIDConnectProvider iam:AddRoleToInstanceProfile iam:AddUserToGroup iam:AttachGroupPolicy iam:AttachRolePolicy iam:AttachUserPolicy iam:ChangePassword iam:CreateAccessKey iam:CreateAccountAlias iam:CreateGroup iam:CreateInstanceProfile iam:CreateLoginProfile iam:CreateOpenIDConnectProvider iam:CreatePolicy iam:CreatePolicyVersion iam:CreateRole iam:CreateSAMLProvider iam:CreateServiceLinkedRole iam:CreateServiceSpecificCredential iam:CreateUser iam:CreateVirtualMFADevice iam:DeactivateMFADevice iam:DeleteAccessKey iam:DeleteAccountAlias iam:DeleteAccountPasswordPolicy iam:DeleteCloudFrontPublicKey iam:DeleteGroup iam:DeleteGroupPolicy iam:DeleteInstanceProfile iam:DeleteLoginProfile iam:DeleteOpenIDConnectProvider iam:DeletePolicy iam:DeletePolicyVersion iam:DeleteRole iam:DeleteRolePermissionsBoundary iam:DeleteRolePolicy iam:DeleteSAMLProvider iam:DeleteSSHPublicKey iam:DeleteServerCertificate iam:DeleteServiceLinkedRole iam:DeleteServiceSpecificCredential iam:DeleteSigningCertificate iam:DeleteUser iam:DeleteUserPermissionsBoundary iam:DeleteUserPolicy iam:DeleteVirtualMFADevice iam:DetachGroupPolicy iam:DetachRolePolicy iam:DetachUserPolicy iam:DisableOrganizationsRootCredentialsManagement iam:DisableOrganizationsRootSessions iam:DisableOutboundWebIdentityFederation iam:EnableMFADevice iam:EnableOrganizationsRootCredentialsManagement iam:EnableOrganizationsRootSessions iam:EnableOutboundWebIdentityFederation iam:GenerateCredentialReport iam:GenerateOrganizationsAccessReport iam:GenerateServiceLastAccessedDetails iam:GetAccessKeyLastUsed iam:GetAccountAuthorizationDetails iam:GetAccountEmailAddress iam:GetAccountName iam:GetAccountPasswordPolicy iam:GetAccountSummary iam:GetCloudFrontPublicKey iam:GetContextKeysForCustomPolicy iam:GetContextKeysForPrincipalPolicy iam:GetCredentialReport iam:GetGroup iam:GetGroupPolicy iam:GetInstanceProfile iam:GetLoginProfile iam:GetMFADevice iam:GetOpenIDConnectProvider iam:GetOrganizationsAccessReport iam:GetOutboundWebIdentityFederationInfo iam:GetPolicy iam:GetPolicyVersion iam:GetRole iam:GetRolePolicy iam:GetSAMLProvider iam:GetSSHPublicKey iam:GetServerCertificate iam:GetServiceLastAccessedDetails iam:GetServiceLastAccessedDetailsWithEntities iam:GetServiceLinkedRoleDeletionStatus iam:GetUser iam:GetUserPolicy iam:ListAccessKeys iam:ListAccountAliases iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListCloudFrontPublicKeys iam:ListDelegationRequests iam:ListEntitiesForPolicy iam:ListGroupPolicies iam:ListGroups iam:ListGroupsForUser iam:ListInstanceProfiles iam:ListInstanceProfilesForRole iam:ListMFADevices iam:ListOpenIDConnectProviders iam:ListOrganizationsFeatures iam:ListPolicies iam:ListPoliciesGrantingServiceAccess iam:ListPolicyVersions iam:ListRolePolicies iam:ListRoles iam:ListSAMLProviders iam:ListSSHPublicKeys iam:ListSTSRegionalEndpointsStatus iam:ListServerCertificates iam:ListServiceSpecificCredentials iam:ListSigningCertificates iam:ListUserPolicies iam:ListUsers iam:ListVirtualMFADevices iam:PutGroupPolicy iam:PutRolePermissionsBoundary iam:PutRolePolicy iam:PutUserPermissionsBoundary iam:PutUserPolicy iam:RemoveClientIDFromOpenIDConnectProvider iam:RemoveRoleFromInstanceProfile iam:RemoveUserFromGroup iam:ResetServiceSpecificCredential iam:ResyncMFADevice iam:SetDefaultPolicyVersion iam:SetSTSRegionalEndpointStatus iam:SetSecurityTokenServicePreferences iam:SimulateCustomPolicy iam:SimulatePrincipalPolicy iam:UpdateAccessKey iam:UpdateAccountEmailAddress iam:UpdateAccountName iam:UpdateAccountPasswordPolicy iam:UpdateAssumeRolePolicy iam:UpdateCloudFrontPublicKey iam:UpdateGroup iam:UpdateLoginProfile iam:UpdateOpenIDConnectProviderThumbprint iam:UpdateRole iam:UpdateRoleDescription iam:UpdateSAMLProvider iam:UpdateSSHPublicKey iam:UpdateServerCertificate iam:UpdateServiceSpecificCredential iam:UpdateSigningCertificate iam:UpdateUser iam:UploadCloudFrontPublicKey iam:UploadSSHPublicKey iam:UploadServerCertificate iam:UploadSigningCertificate  | 
| identitystore |  identitystore:CreateGroup identitystore:CreateGroupMembership identitystore:CreateUser identitystore:DeleteGroup identitystore:DeleteGroupMembership identitystore:DeleteUser identitystore:DescribeGroup identitystore:DescribeGroupMembership identitystore:DescribeUser identitystore:GetGroupId identitystore:GetGroupMembershipId identitystore:GetUserId identitystore:IsMemberInGroups identitystore:ListGroupMemberships identitystore:ListGroupMembershipsForMember identitystore:ListGroups identitystore:ListUsers identitystore:UpdateGroup identitystore:UpdateUser  | 
| imagebuilder |  imagebuilder:CancelImageCreation imagebuilder:CancelLifecycleExecution imagebuilder:CreateComponent imagebuilder:CreateContainerRecipe imagebuilder:CreateDistributionConfiguration imagebuilder:CreateImage imagebuilder:CreateImagePipeline imagebuilder:CreateImageRecipe imagebuilder:CreateInfrastructureConfiguration imagebuilder:CreateLifecyclePolicy imagebuilder:CreateWorkflow imagebuilder:DeleteComponent imagebuilder:DeleteContainerRecipe imagebuilder:DeleteDistributionConfiguration imagebuilder:DeleteImage imagebuilder:DeleteImagePipeline imagebuilder:DeleteImageRecipe imagebuilder:DeleteInfrastructureConfiguration imagebuilder:DeleteLifecyclePolicy imagebuilder:DeleteWorkflow imagebuilder:DistributeImage imagebuilder:GetComponentPolicy imagebuilder:GetContainerRecipePolicy imagebuilder:GetImagePolicy imagebuilder:GetImageRecipePolicy imagebuilder:GetLifecycleExecution imagebuilder:GetLifecyclePolicy imagebuilder:GetMarketplaceResource imagebuilder:GetWorkflowExecution imagebuilder:GetWorkflowStepExecution imagebuilder:ImportComponent imagebuilder:ImportDiskImage imagebuilder:ImportVmImage imagebuilder:ListComponentBuildVersions imagebuilder:ListComponents imagebuilder:ListContainerRecipes imagebuilder:ListDistributionConfigurations imagebuilder:ListImageBuildVersions imagebuilder:ListImagePackages imagebuilder:ListImagePipelineImages imagebuilder:ListImagePipelines imagebuilder:ListImageRecipes imagebuilder:ListImageScanFindingAggregations imagebuilder:ListImageScanFindings imagebuilder:ListImages imagebuilder:ListInfrastructureConfigurations imagebuilder:ListLifecycleExecutionResources imagebuilder:ListLifecycleExecutions imagebuilder:ListLifecyclePolicies imagebuilder:ListWaitingWorkflowSteps imagebuilder:ListWorkflowExecutions imagebuilder:ListWorkflowStepExecutions imagebuilder:ListWorkflows imagebuilder:PutComponentPolicy imagebuilder:PutContainerRecipePolicy imagebuilder:PutImagePolicy imagebuilder:PutImageRecipePolicy imagebuilder:RetryImage imagebuilder:SendWorkflowStepAction imagebuilder:StartImagePipelineExecution imagebuilder:StartResourceStateUpdate imagebuilder:UpdateDistributionConfiguration imagebuilder:UpdateImagePipeline imagebuilder:UpdateInfrastructureConfiguration  | 
| inspector |  inspector:AddAttributesToFindings inspector:CreateAssessmentTarget inspector:CreateAssessmentTemplate inspector:CreateExclusionsPreview inspector:CreateResourceGroup inspector:DeleteAssessmentRun inspector:DeleteAssessmentTarget inspector:DeleteAssessmentTemplate inspector:DescribeAssessmentRuns inspector:DescribeAssessmentTargets inspector:DescribeAssessmentTemplates inspector:DescribeCrossAccountAccessRole inspector:DescribeExclusions inspector:DescribeFindings inspector:DescribeResourceGroups inspector:DescribeRulesPackages inspector:GetAssessmentReport inspector:GetExclusionsPreview inspector:GetTelemetryMetadata inspector:ListAssessmentRunAgents inspector:ListAssessmentRuns inspector:ListAssessmentTargets inspector:ListAssessmentTemplates inspector:ListEventSubscriptions inspector:ListExclusions inspector:ListFindings inspector:ListRulesPackages inspector:PreviewAgents inspector:RegisterCrossAccountAccessRole inspector:RemoveAttributesFromFindings inspector:StartAssessmentRun inspector:StopAssessmentRun inspector:SubscribeToEvent inspector:UnsubscribeFromEvent inspector:UpdateAssessmentTarget  | 
| inspector2 |  inspector2:AssociateMember inspector2:BatchGetAccountStatus inspector2:BatchGetCodeSnippet inspector2:BatchGetFindingDetails inspector2:BatchGetFreeTrialInfo inspector2:BatchGetMemberEc2DeepInspectionStatus inspector2:BatchUpdateMemberEc2DeepInspectionStatus inspector2:CancelFindingsReport inspector2:CancelSbomExport inspector2:CreateCisScanConfiguration inspector2:CreateCodeSecurityIntegration inspector2:CreateFilter inspector2:CreateFindingsReport inspector2:CreateSbomExport inspector2:DeleteCisScanConfiguration inspector2:DeleteCodeSecurityIntegration inspector2:DeleteFilter inspector2:DescribeOrganizationConfiguration inspector2:Disable inspector2:DisableDelegatedAdminAccount inspector2:DisassociateMember inspector2:Enable inspector2:EnableDelegatedAdminAccount inspector2:GetCisScanReport inspector2:GetCisScanResultDetails inspector2:GetClustersForImage inspector2:GetCodeSecurityIntegration inspector2:GetCodeSecurityScan inspector2:GetConfiguration inspector2:GetDelegatedAdminAccount inspector2:GetEc2DeepInspectionConfiguration inspector2:GetEncryptionKey inspector2:GetFindingsReportStatus inspector2:GetMember inspector2:GetSbomExport inspector2:ListAccountPermissions inspector2:ListCisScanConfigurations inspector2:ListCisScanResultsAggregatedByChecks inspector2:ListCisScanResultsAggregatedByTargetResource inspector2:ListCisScans inspector2:ListCodeSecurityIntegrations inspector2:ListCodeSecurityScanConfigurations inspector2:ListCoverage inspector2:ListCoverageStatistics inspector2:ListDelegatedAdminAccounts inspector2:ListFilters inspector2:ListFindingAggregations inspector2:ListFindings inspector2:ListMembers inspector2:ListUsageTotals inspector2:ResetEncryptionKey inspector2:SearchVulnerabilities inspector2:SendCisSessionHealth inspector2:SendCisSessionTelemetry inspector2:StartCisSession inspector2:StartCodeSecurityScan inspector2:StopCisSession inspector2:UpdateCisScanConfiguration inspector2:UpdateCodeSecurityIntegration inspector2:UpdateConfiguration inspector2:UpdateEc2DeepInspectionConfiguration inspector2:UpdateEncryptionKey inspector2:UpdateFilter inspector2:UpdateOrgEc2DeepInspectionConfiguration inspector2:UpdateOrganizationConfiguration  | 
| iot |  iot:AcceptCertificateTransfer iot:AddThingToBillingGroup iot:AddThingToThingGroup iot:AssociateSbomWithPackageVersion iot:AssociateTargetsWithJob iot:AttachPolicy iot:AttachPrincipalPolicy iot:AttachSecurityProfile iot:AttachThingPrincipal iot:CancelAuditMitigationActionsTask iot:CancelAuditTask iot:CancelCertificateTransfer iot:CancelDetectMitigationActionsTask iot:CancelJob iot:CancelJobExecution iot:ClearDefaultAuthorizer iot:ConfirmTopicRuleDestination iot:CreateAuditSuppression iot:CreateAuthorizer iot:CreateBillingGroup iot:CreateCertificateFromCsr iot:CreateCertificateProvider iot:CreateCommand iot:CreateCustomMetric iot:CreateDimension iot:CreateDomainConfiguration iot:CreateDynamicThingGroup iot:CreateFleetMetric iot:CreateJob iot:CreateJobTemplate iot:CreateKeysAndCertificate iot:CreateMitigationAction iot:CreateOTAUpdate iot:CreatePackage iot:CreatePackageVersion iot:CreatePolicy iot:CreatePolicyVersion iot:CreateProvisioningClaim iot:CreateProvisioningTemplate iot:CreateProvisioningTemplateVersion iot:CreateRoleAlias iot:CreateScheduledAudit iot:CreateSecurityProfile iot:CreateStream iot:CreateThing iot:CreateThingGroup iot:CreateThingType iot:CreateTopicRule iot:CreateTopicRuleDestination iot:DeleteAccountAuditConfiguration iot:DeleteAuditSuppression iot:DeleteAuthorizer iot:DeleteBillingGroup iot:DeleteCACertificate iot:DeleteCertificate iot:DeleteCertificateProvider iot:DeleteCommand iot:DeleteCustomMetric iot:DeleteDimension iot:DeleteDomainConfiguration iot:DeleteDynamicThingGroup iot:DeleteFleetMetric iot:DeleteJob iot:DeleteJobExecution iot:DeleteJobTemplate iot:DeleteMitigationAction iot:DeleteOTAUpdate iot:DeletePackage iot:DeletePackageVersion iot:DeletePolicy iot:DeletePolicyVersion iot:DeleteProvisioningTemplate iot:DeleteProvisioningTemplateVersion iot:DeleteRegistrationCode iot:DeleteRoleAlias iot:DeleteScheduledAudit iot:DeleteSecurityProfile iot:DeleteStream iot:DeleteThing iot:DeleteThingGroup iot:DeleteThingType iot:DeleteTopicRule iot:DeleteTopicRuleDestination iot:DeleteV2LoggingLevel iot:DeprecateThingType iot:DescribeAccountAuditConfiguration iot:DescribeAuditFinding iot:DescribeAuditMitigationActionsTask iot:DescribeAuditSuppression iot:DescribeAuditTask iot:DescribeAuthorizer iot:DescribeBillingGroup iot:DescribeCACertificate iot:DescribeCertificate iot:DescribeCertificateProvider iot:DescribeCustomMetric iot:DescribeDefaultAuthorizer iot:DescribeDetectMitigationActionsTask iot:DescribeDimension iot:DescribeDomainConfiguration iot:DescribeEncryptionConfiguration iot:DescribeEndpoint iot:DescribeEventConfigurations iot:DescribeFleetMetric iot:DescribeIndex iot:DescribeJob iot:DescribeJobExecution iot:DescribeJobTemplate iot:DescribeManagedJobTemplate iot:DescribeMitigationAction iot:DescribeProvisioningTemplate iot:DescribeProvisioningTemplateVersion iot:DescribeRoleAlias iot:DescribeScheduledAudit iot:DescribeSecurityProfile iot:DescribeStream iot:DescribeThing iot:DescribeThingGroup iot:DescribeThingRegistrationTask iot:DescribeThingType iot:DetachPolicy iot:DetachPrincipalPolicy iot:DetachSecurityProfile iot:DetachThingPrincipal iot:DisableTopicRule iot:DisassociateSbomFromPackageVersion iot:EnableTopicRule iot:GetBehaviorModelTrainingSummaries iot:GetBucketsAggregation iot:GetCardinality iot:GetCommand iot:GetEffectivePolicies iot:GetJobDocument iot:GetLoggingOptions iot:GetOTAUpdate iot:GetPackage iot:GetPackageConfiguration iot:GetPackageVersion iot:GetPercentiles iot:GetPolicy iot:GetPolicyVersion iot:GetRegistrationCode iot:GetStatistics iot:GetThingConnectivityData iot:GetTopicRule iot:GetTopicRuleDestination iot:GetV2LoggingOptions iot:ListActiveViolations iot:ListAttachedPolicies iot:ListAuditFindings iot:ListAuditMitigationActionsExecutions iot:ListAuditMitigationActionsTasks iot:ListAuditSuppressions iot:ListAuditTasks iot:ListAuthorizers iot:ListBillingGroups iot:ListCACertificates iot:ListCertificateProviders iot:ListCertificates iot:ListCertificatesByCA iot:ListCommands iot:ListCustomMetrics iot:ListDetectMitigationActionsExecutions iot:ListDetectMitigationActionsTasks iot:ListDimensions iot:ListDomainConfigurations iot:ListFleetMetrics iot:ListIndices iot:ListJobExecutionsForJob iot:ListJobExecutionsForThing iot:ListJobTemplates iot:ListJobs iot:ListManagedJobTemplates iot:ListMetricValues iot:ListMitigationActions iot:ListOTAUpdates iot:ListOutgoingCertificates iot:ListPackageVersions iot:ListPackages iot:ListPolicies iot:ListPolicyPrincipals iot:ListPolicyVersions iot:ListPrincipalPolicies iot:ListPrincipalThings iot:ListPrincipalThingsV2 iot:ListProvisioningTemplateVersions iot:ListProvisioningTemplates iot:ListRelatedResourcesForAuditFinding iot:ListRoleAliases iot:ListSbomValidationResults iot:ListScheduledAudits iot:ListSecurityProfiles iot:ListSecurityProfilesForTarget iot:ListStreams iot:ListTargetsForPolicy iot:ListTargetsForSecurityProfile iot:ListThingGroups iot:ListThingGroupsForThing iot:ListThingPrincipals iot:ListThingPrincipalsV2 iot:ListThingRegistrationTaskReports iot:ListThingRegistrationTasks iot:ListThingTypes iot:ListThings iot:ListThingsInBillingGroup iot:ListThingsInThingGroup iot:ListTopicRuleDestinations iot:ListTopicRules iot:ListV2LoggingLevels iot:ListViolationEvents iot:PutVerificationStateOnViolation iot:RegisterCACertificate iot:RegisterCertificate iot:RegisterCertificateWithoutCA iot:RegisterThing iot:RejectCertificateTransfer iot:RemoveThingFromBillingGroup iot:RemoveThingFromThingGroup iot:ReplaceTopicRule iot:SearchIndex iot:SetDefaultAuthorizer iot:SetDefaultPolicyVersion iot:SetLoggingOptions iot:SetV2LoggingLevel iot:SetV2LoggingOptions iot:StartAuditMitigationActionsTask iot:StartDetectMitigationActionsTask iot:StartOnDemandAuditTask iot:StartThingRegistrationTask iot:StopThingRegistrationTask iot:TestAuthorization iot:TestInvokeAuthorizer iot:TransferCertificate iot:UpdateAccountAuditConfiguration iot:UpdateAuditSuppression iot:UpdateAuthorizer iot:UpdateBillingGroup iot:UpdateCACertificate iot:UpdateCertificate iot:UpdateCertificateProvider iot:UpdateCommand iot:UpdateCustomMetric iot:UpdateDimension iot:UpdateDomainConfiguration iot:UpdateDynamicThingGroup iot:UpdateEncryptionConfiguration iot:UpdateEventConfigurations iot:UpdateFleetMetric iot:UpdateIndexingConfiguration iot:UpdateJob iot:UpdateMitigationAction iot:UpdatePackage iot:UpdatePackageConfiguration iot:UpdatePackageVersion iot:UpdateProvisioningTemplate iot:UpdateRoleAlias iot:UpdateScheduledAudit iot:UpdateSecurityProfile iot:UpdateStream iot:UpdateThing iot:UpdateThingGroup iot:UpdateThingGroupsForThing iot:UpdateThingType iot:UpdateTopicRuleDestination iot:ValidateSecurityProfileBehaviors  | 
| iotanalytics |  iotanalytics:CancelPipelineReprocessing iotanalytics:CreateChannel iotanalytics:CreateDataset iotanalytics:CreateDatasetContent iotanalytics:CreateDatastore iotanalytics:CreatePipeline iotanalytics:DeleteChannel iotanalytics:DeleteDataset iotanalytics:DeleteDatasetContent iotanalytics:DeleteDatastore iotanalytics:DeletePipeline iotanalytics:DescribeChannel iotanalytics:DescribeDataset iotanalytics:DescribeDatastore iotanalytics:DescribeLoggingOptions iotanalytics:DescribePipeline iotanalytics:GetDatasetContent iotanalytics:ListChannels iotanalytics:ListDatasetContents iotanalytics:ListDatasets iotanalytics:ListDatastores iotanalytics:ListPipelines iotanalytics:PutLoggingOptions iotanalytics:RunPipelineActivity iotanalytics:SampleChannelData iotanalytics:StartPipelineReprocessing iotanalytics:UpdateChannel iotanalytics:UpdateDataset iotanalytics:UpdateDatastore iotanalytics:UpdatePipeline  | 
| iotdeviceadvisor |  iotdeviceadvisor:CreateSuiteDefinition iotdeviceadvisor:DeleteSuiteDefinition iotdeviceadvisor:GetEndpoint iotdeviceadvisor:GetSuiteDefinition iotdeviceadvisor:GetSuiteRun iotdeviceadvisor:GetSuiteRunReport iotdeviceadvisor:ListSuiteDefinitions iotdeviceadvisor:ListSuiteRuns iotdeviceadvisor:StartSuiteRun iotdeviceadvisor:StopSuiteRun iotdeviceadvisor:UpdateSuiteDefinition  | 
| iotevents |  iotevents:BatchAcknowledgeAlarm iotevents:BatchDeleteDetector iotevents:BatchDisableAlarm iotevents:BatchEnableAlarm iotevents:BatchResetAlarm iotevents:BatchSnoozeAlarm iotevents:BatchUpdateDetector iotevents:CreateAlarmModel iotevents:CreateDetectorModel iotevents:CreateInput iotevents:DeleteAlarmModel iotevents:DeleteDetectorModel iotevents:DeleteInput iotevents:DescribeAlarm iotevents:DescribeAlarmModel iotevents:DescribeDetector iotevents:DescribeDetectorModel iotevents:DescribeDetectorModelAnalysis iotevents:DescribeInput iotevents:DescribeLoggingOptions iotevents:GetDetectorModelAnalysisResults iotevents:ListAlarmModelVersions iotevents:ListAlarmModels iotevents:ListAlarms iotevents:ListDetectorModelVersions iotevents:ListDetectorModels iotevents:ListDetectors iotevents:ListInputRoutings iotevents:ListInputs iotevents:PutLoggingOptions iotevents:StartDetectorModelAnalysis iotevents:UpdateAlarmModel iotevents:UpdateDetectorModel iotevents:UpdateInput  | 
| iotfleethub |  iotfleethub:CreateApplication iotfleethub:DeleteApplication iotfleethub:DescribeApplication iotfleethub:ListApplications iotfleethub:UpdateApplication  | 
| iotsitewise |  iotsitewise:AssociateAssets iotsitewise:AssociateTimeSeriesToAssetProperty iotsitewise:BatchAssociateProjectAssets iotsitewise:BatchDisassociateProjectAssets iotsitewise:CreateAccessPolicy iotsitewise:CreateAsset iotsitewise:CreateAssetModel iotsitewise:CreateAssetModelCompositeModel iotsitewise:CreateBulkImportJob iotsitewise:CreateComputationModel iotsitewise:CreateDashboard iotsitewise:CreateDataset iotsitewise:CreateGateway iotsitewise:CreatePortal iotsitewise:CreateProject iotsitewise:DeleteAccessPolicy iotsitewise:DeleteAsset iotsitewise:DeleteAssetModel iotsitewise:DeleteAssetModelCompositeModel iotsitewise:DeleteComputationModel iotsitewise:DeleteDashboard iotsitewise:DeleteDataset iotsitewise:DeleteGateway iotsitewise:DeletePortal iotsitewise:DeleteProject iotsitewise:DeleteTimeSeries iotsitewise:DescribeAccessPolicy iotsitewise:DescribeAsset iotsitewise:DescribeAssetCompositeModel iotsitewise:DescribeAssetModel iotsitewise:DescribeAssetModelCompositeModel iotsitewise:DescribeAssetModelInterfaceRelationship iotsitewise:DescribeAssetProperty iotsitewise:DescribeBulkImportJob iotsitewise:DescribeComputationModel iotsitewise:DescribeComputationModelExecutionSummary iotsitewise:DescribeDashboard iotsitewise:DescribeDataset iotsitewise:DescribeDefaultEncryptionConfiguration iotsitewise:DescribeExecution iotsitewise:DescribeGateway iotsitewise:DescribeGatewayCapabilityConfiguration iotsitewise:DescribeLoggingOptions iotsitewise:DescribePortal iotsitewise:DescribeProject iotsitewise:DescribeStorageConfiguration iotsitewise:DescribeTimeSeries iotsitewise:DisassociateAssets iotsitewise:DisassociateTimeSeriesFromAssetProperty iotsitewise:ExecuteAction iotsitewise:ExecuteQuery iotsitewise:ListAccessPolicies iotsitewise:ListActions iotsitewise:ListAssetModelCompositeModels iotsitewise:ListAssetModelProperties iotsitewise:ListAssetModels iotsitewise:ListAssetProperties iotsitewise:ListAssetRelationships iotsitewise:ListAssets iotsitewise:ListAssociatedAssets iotsitewise:ListBulkImportJobs iotsitewise:ListCompositionRelationships iotsitewise:ListComputationModelDataBindingUsages iotsitewise:ListComputationModelResolveToResources iotsitewise:ListComputationModels iotsitewise:ListDashboards iotsitewise:ListDatasets iotsitewise:ListExecutions iotsitewise:ListGateways iotsitewise:ListInterfaceRelationships iotsitewise:ListPortals iotsitewise:ListProjectAssets iotsitewise:ListProjects iotsitewise:ListTimeSeries iotsitewise:PutDefaultEncryptionConfiguration iotsitewise:PutLoggingOptions iotsitewise:PutStorageConfiguration iotsitewise:UpdateAccessPolicy iotsitewise:UpdateAsset iotsitewise:UpdateAssetModel iotsitewise:UpdateAssetModelCompositeModel iotsitewise:UpdateAssetProperty iotsitewise:UpdateComputationModel iotsitewise:UpdateDashboard iotsitewise:UpdateDataset iotsitewise:UpdateGateway iotsitewise:UpdateGatewayCapabilityConfiguration iotsitewise:UpdatePortal iotsitewise:UpdateProject  | 
| iottwinmaker |  iottwinmaker:CancelMetadataTransferJob iottwinmaker:CreateComponentType iottwinmaker:CreateEntity iottwinmaker:CreateMetadataTransferJob iottwinmaker:CreateScene iottwinmaker:CreateSyncJob iottwinmaker:CreateWorkspace iottwinmaker:DeleteComponentType iottwinmaker:DeleteEntity iottwinmaker:DeleteScene iottwinmaker:DeleteSyncJob iottwinmaker:DeleteWorkspace iottwinmaker:ExecuteQuery iottwinmaker:GetMetadataTransferJob iottwinmaker:GetPricingPlan iottwinmaker:GetScene iottwinmaker:GetSyncJob iottwinmaker:ListComponentTypes iottwinmaker:ListComponents iottwinmaker:ListEntities iottwinmaker:ListMetadataTransferJobs iottwinmaker:ListProperties iottwinmaker:ListScenes iottwinmaker:ListSyncJobs iottwinmaker:ListSyncResources iottwinmaker:ListWorkspaces iottwinmaker:UpdateComponentType iottwinmaker:UpdateEntity iottwinmaker:UpdatePricingPlan iottwinmaker:UpdateScene iottwinmaker:UpdateWorkspace  | 
| iotwireless |  iotwireless:AssociateAwsAccountWithPartnerAccount iotwireless:AssociateMulticastGroupWithFuotaTask iotwireless:AssociateWirelessDeviceWithFuotaTask iotwireless:AssociateWirelessDeviceWithMulticastGroup iotwireless:AssociateWirelessDeviceWithThing iotwireless:AssociateWirelessGatewayWithCertificate iotwireless:AssociateWirelessGatewayWithThing iotwireless:CancelMulticastGroupSession iotwireless:CreateDestination iotwireless:CreateDeviceProfile iotwireless:CreateFuotaTask iotwireless:CreateMulticastGroup iotwireless:CreateNetworkAnalyzerConfiguration iotwireless:CreateServiceProfile iotwireless:CreateWirelessDevice iotwireless:CreateWirelessGateway iotwireless:CreateWirelessGatewayTask iotwireless:CreateWirelessGatewayTaskDefinition iotwireless:DeleteDestination iotwireless:DeleteDeviceProfile iotwireless:DeleteFuotaTask iotwireless:DeleteMulticastGroup iotwireless:DeleteNetworkAnalyzerConfiguration iotwireless:DeleteQueuedMessages iotwireless:DeleteServiceProfile iotwireless:DeleteWirelessDevice iotwireless:DeleteWirelessDeviceImportTask iotwireless:DeleteWirelessGateway iotwireless:DeleteWirelessGatewayTask iotwireless:DeleteWirelessGatewayTaskDefinition iotwireless:DeregisterWirelessDevice iotwireless:DisassociateAwsAccountFromPartnerAccount iotwireless:DisassociateMulticastGroupFromFuotaTask iotwireless:DisassociateWirelessDeviceFromFuotaTask iotwireless:DisassociateWirelessDeviceFromMulticastGroup iotwireless:DisassociateWirelessDeviceFromThing iotwireless:DisassociateWirelessGatewayFromCertificate iotwireless:DisassociateWirelessGatewayFromThing iotwireless:GetDestination iotwireless:GetDeviceProfile iotwireless:GetEventConfigurationByResourceTypes iotwireless:GetFuotaTask iotwireless:GetLogLevelsByResourceTypes iotwireless:GetMetricConfiguration iotwireless:GetMetrics iotwireless:GetMulticastGroup iotwireless:GetMulticastGroupSession iotwireless:GetNetworkAnalyzerConfiguration iotwireless:GetPartnerAccount iotwireless:GetPosition iotwireless:GetPositionConfiguration iotwireless:GetPositionEstimate iotwireless:GetResourceEventConfiguration iotwireless:GetResourceLogLevel iotwireless:GetResourcePosition iotwireless:GetServiceEndpoint iotwireless:GetServiceProfile iotwireless:GetWirelessDevice iotwireless:GetWirelessDeviceImportTask iotwireless:GetWirelessDeviceStatistics iotwireless:GetWirelessGateway iotwireless:GetWirelessGatewayCertificate iotwireless:GetWirelessGatewayFirmwareInformation iotwireless:GetWirelessGatewayStatistics iotwireless:GetWirelessGatewayTask iotwireless:GetWirelessGatewayTaskDefinition iotwireless:ListDestinations iotwireless:ListDeviceProfiles iotwireless:ListDevicesForWirelessDeviceImportTask iotwireless:ListEventConfigurations iotwireless:ListFuotaTasks iotwireless:ListMulticastGroups iotwireless:ListMulticastGroupsByFuotaTask iotwireless:ListNetworkAnalyzerConfigurations iotwireless:ListPartnerAccounts iotwireless:ListPositionConfigurations iotwireless:ListQueuedMessages iotwireless:ListServiceProfiles iotwireless:ListWirelessDeviceImportTasks iotwireless:ListWirelessDevices iotwireless:ListWirelessGatewayTaskDefinitions iotwireless:ListWirelessGateways iotwireless:PutPositionConfiguration iotwireless:PutResourceLogLevel iotwireless:ResetAllResourceLogLevels iotwireless:ResetResourceLogLevel iotwireless:SendDataToMulticastGroup iotwireless:SendDataToWirelessDevice iotwireless:StartBulkAssociateWirelessDeviceWithMulticastGroup iotwireless:StartBulkDisassociateWirelessDeviceFromMulticastGroup iotwireless:StartFuotaTask iotwireless:StartMulticastGroupSession iotwireless:StartNetworkAnalyzerStream iotwireless:StartSingleWirelessDeviceImportTask iotwireless:StartWirelessDeviceImportTask iotwireless:TestWirelessDevice iotwireless:UpdateDestination iotwireless:UpdateEventConfigurationByResourceTypes iotwireless:UpdateFuotaTask iotwireless:UpdateLogLevelsByResourceTypes iotwireless:UpdateMetricConfiguration iotwireless:UpdateMulticastGroup iotwireless:UpdateNetworkAnalyzerConfiguration iotwireless:UpdatePartnerAccount iotwireless:UpdatePosition iotwireless:UpdateResourceEventConfiguration iotwireless:UpdateResourcePosition iotwireless:UpdateWirelessDevice iotwireless:UpdateWirelessDeviceImportTask iotwireless:UpdateWirelessGateway  | 
| ivs |  ivs:BatchGetChannel ivs:BatchGetStreamKey ivs:BatchStartViewerSessionRevocation ivs:CreateChannel ivs:CreateEncoderConfiguration ivs:CreateIngestConfiguration ivs:CreateParticipantToken ivs:CreatePlaybackRestrictionPolicy ivs:CreateRecordingConfiguration ivs:CreateStorageConfiguration ivs:CreateStreamKey ivs:DeleteChannel ivs:DeleteEncoderConfiguration ivs:DeleteIngestConfiguration ivs:DeletePlaybackKeyPair ivs:DeletePlaybackRestrictionPolicy ivs:DeletePublicKey ivs:DeleteRecordingConfiguration ivs:DeleteStorageConfiguration ivs:DeleteStreamKey ivs:DisconnectParticipant ivs:GetChannel ivs:GetComposition ivs:GetEncoderConfiguration ivs:GetIngestConfiguration ivs:GetParticipant ivs:GetPlaybackKeyPair ivs:GetPlaybackRestrictionPolicy ivs:GetPublicKey ivs:GetRecordingConfiguration ivs:GetStorageConfiguration ivs:GetStream ivs:GetStreamKey ivs:GetStreamSession ivs:ImportPlaybackKeyPair ivs:ImportPublicKey ivs:ListChannels ivs:ListCompositions ivs:ListEncoderConfigurations ivs:ListIngestConfigurations ivs:ListParticipantEvents ivs:ListParticipantReplicas ivs:ListParticipants ivs:ListPlaybackKeyPairs ivs:ListPlaybackRestrictionPolicies ivs:ListPublicKeys ivs:ListRecordingConfigurations ivs:ListStorageConfigurations ivs:ListStreamKeys ivs:ListStreamSessions ivs:ListStreams ivs:PutMetadata ivs:StartComposition ivs:StartViewerSessionRevocation ivs:StopComposition ivs:StopStream ivs:UpdateChannel ivs:UpdateIngestConfiguration ivs:UpdatePlaybackRestrictionPolicy  | 
| ivschat |  ivschat:CreateChatToken ivschat:CreateLoggingConfiguration ivschat:CreateRoom ivschat:DeleteLoggingConfiguration ivschat:DeleteMessage ivschat:DeleteRoom ivschat:DisconnectUser ivschat:GetLoggingConfiguration ivschat:GetRoom ivschat:ListLoggingConfigurations ivschat:ListRooms ivschat:SendEvent ivschat:UpdateLoggingConfiguration ivschat:UpdateRoom  | 
| kafka |  kafka:BatchAssociateScramSecret kafka:BatchDisassociateScramSecret kafka:CreateCluster kafka:CreateClusterV2 kafka:CreateConfiguration kafka:CreateReplicator kafka:CreateVpcConnection kafka:DeleteCluster kafka:DeleteClusterPolicy kafka:DeleteConfiguration kafka:DeleteReplicator kafka:DeleteVpcConnection kafka:DescribeCluster kafka:DescribeClusterOperation kafka:DescribeClusterOperationV2 kafka:DescribeClusterV2 kafka:DescribeConfiguration kafka:DescribeConfigurationRevision kafka:DescribeVpcConnection kafka:GetBootstrapBrokers kafka:GetClusterPolicy kafka:GetCompatibleKafkaVersions kafka:ListClientVpcConnections kafka:ListClusterOperations kafka:ListClusterOperationsV2 kafka:ListClusters kafka:ListClustersV2 kafka:ListConfigurationRevisions kafka:ListConfigurations kafka:ListKafkaVersions kafka:ListNodes kafka:ListReplicators kafka:ListScramSecrets kafka:ListVpcConnections kafka:PutClusterPolicy kafka:RebootBroker kafka:RejectClientVpcConnection kafka:UpdateBrokerCount kafka:UpdateBrokerStorage kafka:UpdateBrokerType kafka:UpdateClusterConfiguration kafka:UpdateClusterKafkaVersion kafka:UpdateConfiguration kafka:UpdateConnectivity kafka:UpdateMonitoring kafka:UpdateRebalancing kafka:UpdateReplicationInfo kafka:UpdateSecurity kafka:UpdateStorage  | 
| kafkaconnect |  kafkaconnect:CreateConnector kafkaconnect:CreateCustomPlugin kafkaconnect:CreateWorkerConfiguration kafkaconnect:DeleteConnector kafkaconnect:DeleteCustomPlugin kafkaconnect:DeleteWorkerConfiguration kafkaconnect:DescribeConnector kafkaconnect:DescribeCustomPlugin kafkaconnect:DescribeWorkerConfiguration kafkaconnect:ListConnectorOperations kafkaconnect:ListConnectors kafkaconnect:ListCustomPlugins kafkaconnect:ListWorkerConfigurations kafkaconnect:UpdateConnector  | 
| kendra |  kendra:AssociateEntitiesToExperience kendra:AssociatePersonasToEntities kendra:BatchDeleteDocument kendra:BatchDeleteFeaturedResultsSet kendra:BatchGetDocumentStatus kendra:BatchPutDocument kendra:ClearQuerySuggestions kendra:CreateAccessControlConfiguration kendra:CreateDataSource kendra:CreateExperience kendra:CreateFaq kendra:CreateFeaturedResultsSet kendra:CreateIndex kendra:CreateQuerySuggestionsBlockList kendra:CreateThesaurus kendra:DeleteDataSource kendra:DeleteExperience kendra:DeleteFaq kendra:DeleteIndex kendra:DeletePrincipalMapping kendra:DeleteQuerySuggestionsBlockList kendra:DeleteThesaurus kendra:DescribeAccessControlConfiguration kendra:DescribeDataSource kendra:DescribeExperience kendra:DescribeFaq kendra:DescribeFeaturedResultsSet kendra:DescribeIndex kendra:DescribePrincipalMapping kendra:DescribeQuerySuggestionsBlockList kendra:DescribeQuerySuggestionsConfig kendra:DescribeThesaurus kendra:DisassociateEntitiesFromExperience kendra:DisassociatePersonasFromEntities kendra:GetQuerySuggestions kendra:GetSnapshots kendra:ListAccessControlConfigurations kendra:ListDataSourceSyncJobs kendra:ListDataSources kendra:ListEntityPersonas kendra:ListExperienceEntities kendra:ListExperiences kendra:ListFaqs kendra:ListFeaturedResultsSets kendra:ListGroupsOlderThanOrderingId kendra:ListIndices kendra:ListQuerySuggestionsBlockLists kendra:ListThesauri kendra:PutPrincipalMapping kendra:Query kendra:Retrieve kendra:StartDataSourceSyncJob kendra:StopDataSourceSyncJob kendra:SubmitFeedback kendra:UpdateDataSource kendra:UpdateExperience kendra:UpdateFeaturedResultsSet kendra:UpdateIndex kendra:UpdateQuerySuggestionsBlockList kendra:UpdateQuerySuggestionsConfig kendra:UpdateThesaurus  | 
| kinesis |  kinesis:CreateStream kinesis:DecreaseStreamRetentionPeriod kinesis:DeleteStream kinesis:DeregisterStreamConsumer kinesis:DescribeAccountSettings kinesis:DescribeLimits kinesis:DescribeStream kinesis:DescribeStreamConsumer kinesis:DescribeStreamSummary kinesis:DisableEnhancedMonitoring kinesis:EnableEnhancedMonitoring kinesis:IncreaseStreamRetentionPeriod kinesis:ListShards kinesis:ListStreamConsumers kinesis:ListStreams kinesis:MergeShards kinesis:RegisterStreamConsumer kinesis:SplitShard kinesis:StartStreamEncryption kinesis:StopStreamEncryption kinesis:UpdateAccountSettings kinesis:UpdateShardCount kinesis:UpdateStreamMode  | 
| kinesisanalytics |  kinesisanalytics:AddApplicationCloudWatchLoggingOption kinesisanalytics:AddApplicationInput kinesisanalytics:AddApplicationInputProcessingConfiguration kinesisanalytics:AddApplicationOutput kinesisanalytics:AddApplicationReferenceDataSource kinesisanalytics:AddApplicationVpcConfiguration kinesisanalytics:CreateApplication kinesisanalytics:CreateApplicationPresignedUrl kinesisanalytics:CreateApplicationSnapshot kinesisanalytics:DeleteApplication kinesisanalytics:DeleteApplicationCloudWatchLoggingOption kinesisanalytics:DeleteApplicationInputProcessingConfiguration kinesisanalytics:DeleteApplicationOutput kinesisanalytics:DeleteApplicationReferenceDataSource kinesisanalytics:DeleteApplicationSnapshot kinesisanalytics:DeleteApplicationVpcConfiguration kinesisanalytics:DescribeApplication kinesisanalytics:DescribeApplicationOperation kinesisanalytics:DescribeApplicationSnapshot kinesisanalytics:DescribeApplicationVersion kinesisanalytics:DiscoverInputSchema kinesisanalytics:ListApplicationOperations kinesisanalytics:ListApplicationSnapshots kinesisanalytics:ListApplicationVersions kinesisanalytics:ListApplications kinesisanalytics:RollbackApplication kinesisanalytics:StartApplication kinesisanalytics:StopApplication kinesisanalytics:UpdateApplication kinesisanalytics:UpdateApplicationMaintenanceConfiguration  | 
| kms |  kms:CancelKeyDeletion kms:ConnectCustomKeyStore kms:CreateAlias kms:CreateCustomKeyStore kms:CreateGrant kms:CreateKey kms:Decrypt kms:DeleteAlias kms:DeleteCustomKeyStore kms:DeleteImportedKeyMaterial kms:DeriveSharedSecret kms:DescribeCustomKeyStores kms:DescribeKey kms:DisableKey kms:DisableKeyRotation kms:DisconnectCustomKeyStore kms:EnableKey kms:EnableKeyRotation kms:Encrypt kms:GenerateDataKey kms:GenerateDataKeyPair kms:GenerateDataKeyPairWithoutPlaintext kms:GenerateDataKeyWithoutPlaintext kms:GenerateMac kms:GenerateRandom kms:GetKeyPolicy kms:GetKeyRotationStatus kms:GetParametersForImport kms:GetPublicKey kms:ImportKeyMaterial kms:ListAliases kms:ListGrants kms:ListKeyPolicies kms:ListKeyRotations kms:ListKeys kms:ListRetirableGrants kms:ReplicateKey kms:RetireGrant kms:RevokeGrant kms:RotateKeyOnDemand kms:ScheduleKeyDeletion kms:Sign kms:UpdateAlias kms:UpdateCustomKeyStore kms:UpdateKeyDescription kms:UpdatePrimaryRegion kms:Verify kms:VerifyMac  | 
| lambda |  lambda:AddLayerVersionPermission lambda:AddPermission lambda:CreateAlias lambda:CreateCodeSigningConfig lambda:CreateEventSourceMapping lambda:CreateFunction lambda:CreateFunctionUrlConfig lambda:DeleteAlias lambda:DeleteCapacityProvider lambda:DeleteCodeSigningConfig lambda:DeleteEventSourceMapping lambda:DeleteFunction lambda:DeleteFunctionCodeSigningConfig lambda:DeleteFunctionConcurrency lambda:DeleteFunctionEventInvokeConfig lambda:DeleteFunctionUrlConfig lambda:DeleteLayerVersion lambda:DeleteProvisionedConcurrencyConfig lambda:GetAccountSettings lambda:GetAlias lambda:GetCapacityProvider lambda:GetCodeSigningConfig lambda:GetEventSourceMapping lambda:GetFunction lambda:GetFunctionCodeSigningConfig lambda:GetFunctionConcurrency lambda:GetFunctionConfiguration lambda:GetFunctionEventInvokeConfig lambda:GetFunctionRecursionConfig lambda:GetFunctionScalingConfig lambda:GetFunctionUrlConfig lambda:GetLayerVersion lambda:GetLayerVersionPolicy lambda:GetPolicy lambda:GetProvisionedConcurrencyConfig lambda:GetRuntimeManagementConfig lambda:ListAliases lambda:ListCapacityProviders lambda:ListCodeSigningConfigs lambda:ListDurableExecutionsByFunction lambda:ListEventSourceMappings lambda:ListFunctionEventInvokeConfigs lambda:ListFunctionUrlConfigs lambda:ListFunctions lambda:ListFunctionsByCodeSigningConfig lambda:ListLayerVersions lambda:ListLayers lambda:ListProvisionedConcurrencyConfigs lambda:ListVersionsByFunction lambda:PublishLayerVersion lambda:PublishVersion lambda:PutFunctionCodeSigningConfig lambda:PutFunctionConcurrency lambda:PutFunctionEventInvokeConfig lambda:PutFunctionRecursionConfig lambda:PutFunctionScalingConfig lambda:PutProvisionedConcurrencyConfig lambda:PutRuntimeManagementConfig lambda:RemoveLayerVersionPermission lambda:RemovePermission lambda:UpdateAlias lambda:UpdateCapacityProvider lambda:UpdateCodeSigningConfig lambda:UpdateEventSourceMapping lambda:UpdateFunctionCode lambda:UpdateFunctionConfiguration lambda:UpdateFunctionEventInvokeConfig lambda:UpdateFunctionUrlConfig  | 
| lex |  lex:BatchCreateCustomVocabularyItem lex:BatchDeleteCustomVocabularyItem lex:BatchUpdateCustomVocabularyItem lex:BuildBotLocale lex:CreateBotAlias lex:CreateBotReplica lex:CreateBotVersion lex:CreateExport lex:CreateIntentVersion lex:CreateResourcePolicy lex:CreateSlotTypeVersion lex:CreateTestSetDiscrepancyReport lex:CreateUploadUrl lex:DeleteBot lex:DeleteBotChannelAssociation lex:DeleteBotReplica lex:DeleteExport lex:DeleteImport lex:DeleteIntentVersion lex:DeleteResourcePolicy lex:DeleteSlotTypeVersion lex:DeleteTestSet lex:DeleteUtterances lex:DescribeBotAlias lex:DescribeBotRecommendation lex:DescribeBotReplica lex:DescribeBotResourceGeneration lex:DescribeBotVersion lex:DescribeCustomVocabularyMetadata lex:DescribeExport lex:DescribeImport lex:DescribeResourcePolicy lex:DescribeTestExecution lex:DescribeTestSet lex:DescribeTestSetDiscrepancyReport lex:DescribeTestSetGeneration lex:GenerateBotElement lex:GetBot lex:GetBotAlias lex:GetBotAliases lex:GetBotChannelAssociation lex:GetBotChannelAssociations lex:GetBotVersions lex:GetBots lex:GetBuiltinIntent lex:GetBuiltinIntents lex:GetBuiltinSlotTypes lex:GetExport lex:GetImport lex:GetIntent lex:GetIntentVersions lex:GetIntents lex:GetMigration lex:GetMigrations lex:GetSlotType lex:GetSlotTypeVersions lex:GetSlotTypes lex:GetTestExecutionArtifactsUrl lex:GetUtterancesView lex:ListBotAliasReplicas lex:ListBotAliases lex:ListBotRecommendations lex:ListBotReplicas lex:ListBotResourceGenerations lex:ListBotVersionReplicas lex:ListBotVersions lex:ListBots lex:ListBuiltInIntents lex:ListBuiltInSlotTypes lex:ListCustomVocabularyItems lex:ListExports lex:ListImports lex:ListIntentMetrics lex:ListIntentPaths lex:ListRecommendedIntents lex:ListSessionAnalyticsData lex:ListSessionMetrics lex:ListTestExecutionResultItems lex:ListTestExecutions lex:ListTestSets lex:PutBot lex:PutBotAlias lex:PutIntent lex:PutSlotType lex:SearchAssociatedTranscripts lex:StartBotRecommendation lex:StartImport lex:StartMigration lex:StartTestExecution lex:StartTestSetGeneration lex:StopBotRecommendation lex:UpdateBotAlias lex:UpdateBotRecommendation lex:UpdateExport lex:UpdateResourcePolicy  | 
| license-manager-linux-subscriptions |  license-manager-linux-subscriptions:DeregisterSubscriptionProvider license-manager-linux-subscriptions:GetRegisteredSubscriptionProvider license-manager-linux-subscriptions:GetServiceSettings license-manager-linux-subscriptions:ListLinuxSubscriptionInstances license-manager-linux-subscriptions:ListLinuxSubscriptions license-manager-linux-subscriptions:ListRegisteredSubscriptionProviders license-manager-linux-subscriptions:RegisterSubscriptionProvider license-manager-linux-subscriptions:UpdateServiceSettings  | 
| lightsail |  lightsail:AllocateStaticIp lightsail:AttachCertificateToDistribution lightsail:AttachDisk lightsail:AttachInstancesToLoadBalancer lightsail:AttachLoadBalancerTlsCertificate lightsail:AttachStaticIp lightsail:CloseInstancePublicPorts lightsail:CopySnapshot lightsail:CreateBucket lightsail:CreateBucketAccessKey lightsail:CreateCertificate lightsail:CreateCloudFormationStack lightsail:CreateContactMethod lightsail:CreateContainerService lightsail:CreateContainerServiceDeployment lightsail:CreateContainerServiceRegistryLogin lightsail:CreateDisk lightsail:CreateDiskFromSnapshot lightsail:CreateDiskSnapshot lightsail:CreateDistribution lightsail:CreateDomain lightsail:CreateGUISessionAccessDetails lightsail:CreateInstanceSnapshot lightsail:CreateInstances lightsail:CreateInstancesFromSnapshot lightsail:CreateKeyPair lightsail:CreateLoadBalancer lightsail:CreateLoadBalancerTlsCertificate lightsail:CreateRelationalDatabase lightsail:CreateRelationalDatabaseFromSnapshot lightsail:CreateRelationalDatabaseSnapshot lightsail:DeleteAlarm lightsail:DeleteAutoSnapshot lightsail:DeleteBucket lightsail:DeleteBucketAccessKey lightsail:DeleteCertificate lightsail:DeleteContactMethod lightsail:DeleteContainerImage lightsail:DeleteContainerService lightsail:DeleteDisk lightsail:DeleteDiskSnapshot lightsail:DeleteDistribution lightsail:DeleteDomain lightsail:DeleteDomainEntry lightsail:DeleteInstance lightsail:DeleteInstanceSnapshot lightsail:DeleteKeyPair lightsail:DeleteKnownHostKeys lightsail:DeleteLoadBalancer lightsail:DeleteLoadBalancerTlsCertificate lightsail:DeleteRelationalDatabase lightsail:DeleteRelationalDatabaseSnapshot lightsail:DetachCertificateFromDistribution lightsail:DetachDisk lightsail:DetachInstancesFromLoadBalancer lightsail:DetachStaticIp lightsail:DisableAddOn lightsail:DownloadDefaultKeyPair lightsail:EnableAddOn lightsail:ExportSnapshot lightsail:GetActiveNames lightsail:GetAlarms lightsail:GetAutoSnapshots lightsail:GetBlueprints lightsail:GetBucketAccessKeys lightsail:GetBucketBundles lightsail:GetBucketMetricData lightsail:GetBuckets lightsail:GetBundles lightsail:GetCertificates lightsail:GetCloudFormationStackRecords lightsail:GetContactMethods lightsail:GetContainerAPIMetadata lightsail:GetContainerImages lightsail:GetContainerLog lightsail:GetContainerServiceDeployments lightsail:GetContainerServiceMetricData lightsail:GetContainerServicePowers lightsail:GetContainerServices lightsail:GetCostEstimate lightsail:GetDisk lightsail:GetDiskSnapshot lightsail:GetDiskSnapshots lightsail:GetDisks lightsail:GetDistributionBundles lightsail:GetDistributionLatestCacheReset lightsail:GetDistributionMetricData lightsail:GetDistributions lightsail:GetDomain lightsail:GetExportSnapshotRecords lightsail:GetInstance lightsail:GetInstanceMetricData lightsail:GetInstancePortStates lightsail:GetInstanceSnapshot lightsail:GetInstanceSnapshots lightsail:GetInstanceState lightsail:GetInstances lightsail:GetKeyPair lightsail:GetKeyPairs lightsail:GetLoadBalancer lightsail:GetLoadBalancerMetricData lightsail:GetLoadBalancerTlsCertificates lightsail:GetLoadBalancerTlsPolicies lightsail:GetLoadBalancers lightsail:GetOperation lightsail:GetOperations lightsail:GetOperationsForResource lightsail:GetRegions lightsail:GetRelationalDatabase lightsail:GetRelationalDatabaseBlueprints lightsail:GetRelationalDatabaseBundles lightsail:GetRelationalDatabaseEvents lightsail:GetRelationalDatabaseLogEvents lightsail:GetRelationalDatabaseLogStreams lightsail:GetRelationalDatabaseMasterUserPassword lightsail:GetRelationalDatabaseMetricData lightsail:GetRelationalDatabaseParameters lightsail:GetRelationalDatabaseSnapshot lightsail:GetRelationalDatabaseSnapshots lightsail:GetRelationalDatabases lightsail:GetSetupHistory lightsail:GetStaticIp lightsail:GetStaticIps lightsail:ImportKeyPair lightsail:IsVpcPeered lightsail:OpenInstancePublicPorts lightsail:PeerVpc lightsail:PutAlarm lightsail:PutInstancePublicPorts lightsail:RebootInstance lightsail:RebootRelationalDatabase lightsail:RegisterContainerImage lightsail:ReleaseStaticIp lightsail:ResetDistributionCache lightsail:SendContactMethodVerification lightsail:SetIpAddressType lightsail:SetResourceAccessForBucket lightsail:SetupInstanceHttps lightsail:StartGUISession lightsail:StartInstance lightsail:StartRelationalDatabase lightsail:StopGUISession lightsail:StopInstance lightsail:StopRelationalDatabase lightsail:TestAlarm lightsail:UnpeerVpc lightsail:UpdateBucket lightsail:UpdateBucketBundle lightsail:UpdateContainerService lightsail:UpdateDistribution lightsail:UpdateDistributionBundle lightsail:UpdateDomainEntry lightsail:UpdateInstanceMetadataOptions lightsail:UpdateLoadBalancerAttribute lightsail:UpdateRelationalDatabase lightsail:UpdateRelationalDatabaseParameters  | 
| logs |  logs:AssociateKmsKey logs:AssociateSourceToS3TableIntegration logs:CancelExportTask logs:CancelImportTask logs:CreateDelivery logs:CreateExportTask logs:CreateLogAnomalyDetector logs:CreateLogGroup logs:CreateLogStream logs:DeleteDataProtectionPolicy logs:DeleteDelivery logs:DeleteDeliveryDestination logs:DeleteDeliveryDestinationPolicy logs:DeleteDeliverySource logs:DeleteDestination logs:DeleteIndexPolicy logs:DeleteIntegration logs:DeleteLogAnomalyDetector logs:DeleteLogGroup logs:DeleteLogStream logs:DeleteMetricFilter logs:DeleteQueryDefinition logs:DeleteResourcePolicy logs:DeleteRetentionPolicy logs:DeleteScheduledQuery logs:DeleteSubscriptionFilter logs:DeleteTransformer logs:DescribeAccountPolicies logs:DescribeConfigurationTemplates logs:DescribeDeliveries logs:DescribeDeliveryDestinations logs:DescribeDeliverySources logs:DescribeDestinations logs:DescribeExportTasks logs:DescribeFieldIndexes logs:DescribeImportTaskBatches logs:DescribeImportTasks logs:DescribeIndexPolicies logs:DescribeLogGroups logs:DescribeLogStreams logs:DescribeMetricFilters logs:DescribeQueries logs:DescribeQueryDefinitions logs:DescribeResourcePolicies logs:DescribeSubscriptionFilters logs:DisassociateKmsKey logs:DisassociateSourceFromS3TableIntegration logs:GetDataProtectionPolicy logs:GetDelivery logs:GetDeliveryDestination logs:GetDeliveryDestinationPolicy logs:GetDeliverySource logs:GetIntegration logs:GetLogAnomalyDetector logs:GetLogFields logs:GetLogGroupFields logs:GetLogRecord logs:GetQueryResults logs:GetScheduledQuery logs:GetScheduledQueryHistory logs:GetTransformer logs:IntegrateWithS3Table logs:ListAnomalies logs:ListIntegrations logs:ListLogAnomalyDetectors logs:ListLogGroupsForQuery logs:ListScheduledQueries logs:ListSourcesForS3TableIntegration logs:ProcessWithPipeline logs:PutDataProtectionPolicy logs:PutDeliveryDestination logs:PutDeliveryDestinationPolicy logs:PutDeliverySource logs:PutDestination logs:PutDestinationPolicy logs:PutIndexPolicy logs:PutIntegration logs:PutLogGroupDeletionProtection logs:PutMetricFilter logs:PutQueryDefinition logs:PutResourcePolicy logs:PutRetentionPolicy logs:PutSubscriptionFilter logs:PutTransformer logs:StartLiveTail logs:StartQuery logs:StopQuery logs:TestMetricFilter logs:TestTransformer logs:UpdateAnomaly logs:UpdateDeliveryConfiguration logs:UpdateLogAnomalyDetector  | 
| lookoutequipment |  lookoutequipment:CreateDataset lookoutequipment:CreateInferenceScheduler lookoutequipment:CreateLabel lookoutequipment:CreateLabelGroup lookoutequipment:CreateModel lookoutequipment:DeleteDataset lookoutequipment:DeleteInferenceScheduler lookoutequipment:DeleteLabel lookoutequipment:DeleteLabelGroup lookoutequipment:DeleteModel lookoutequipment:DeleteResourcePolicy lookoutequipment:DeleteRetrainingScheduler lookoutequipment:DescribeDataIngestionJob lookoutequipment:DescribeDataset lookoutequipment:DescribeInferenceScheduler lookoutequipment:DescribeLabelGroup lookoutequipment:DescribeModel lookoutequipment:DescribeModelVersion lookoutequipment:DescribeResourcePolicy lookoutequipment:DescribeRetrainingScheduler lookoutequipment:Describelabel lookoutequipment:ImportDataset lookoutequipment:ImportModelVersion lookoutequipment:ListDataIngestionJobs lookoutequipment:ListDatasets lookoutequipment:ListInferenceEvents lookoutequipment:ListInferenceExecutions lookoutequipment:ListInferenceSchedulers lookoutequipment:ListLabelGroups lookoutequipment:ListLabels lookoutequipment:ListModelVersions lookoutequipment:ListModels lookoutequipment:ListRetrainingSchedulers lookoutequipment:ListSensorStatistics lookoutequipment:PutResourcePolicy lookoutequipment:StartDataIngestionJob lookoutequipment:StartInferenceScheduler lookoutequipment:StartRetrainingScheduler lookoutequipment:StopInferenceScheduler lookoutequipment:StopRetrainingScheduler lookoutequipment:UpdateActiveModelVersion lookoutequipment:UpdateInferenceScheduler lookoutequipment:UpdateLabelGroup lookoutequipment:UpdateModel lookoutequipment:UpdateRetrainingScheduler  | 
| lookoutmetrics |  lookoutmetrics:ActivateAnomalyDetector lookoutmetrics:BackTestAnomalyDetector lookoutmetrics:CreateAlert lookoutmetrics:CreateAnomalyDetector lookoutmetrics:CreateMetricSet lookoutmetrics:DeactivateAnomalyDetector lookoutmetrics:DeleteAlert lookoutmetrics:DeleteAnomalyDetector lookoutmetrics:DescribeAlert lookoutmetrics:DescribeAnomalyDetectionExecutions lookoutmetrics:DescribeAnomalyDetector lookoutmetrics:DescribeMetricSet lookoutmetrics:DetectMetricSetConfig lookoutmetrics:GetAnomalyGroup lookoutmetrics:GetDataQualityMetrics lookoutmetrics:GetFeedback lookoutmetrics:GetSampleData lookoutmetrics:ListAlerts lookoutmetrics:ListAnomalyDetectors lookoutmetrics:ListAnomalyGroupRelatedMetrics lookoutmetrics:ListAnomalyGroupSummaries lookoutmetrics:ListAnomalyGroupTimeSeries lookoutmetrics:ListMetricSets lookoutmetrics:PutFeedback lookoutmetrics:UpdateAlert lookoutmetrics:UpdateAnomalyDetector lookoutmetrics:UpdateMetricSet  | 
| lookoutvision |  lookoutvision:CreateDataset lookoutvision:CreateModel lookoutvision:CreateProject lookoutvision:DeleteDataset lookoutvision:DeleteModel lookoutvision:DeleteProject lookoutvision:DescribeDataset lookoutvision:DescribeModel lookoutvision:DescribeModelPackagingJob lookoutvision:DescribeProject lookoutvision:DetectAnomalies lookoutvision:ListDatasetEntries lookoutvision:ListModelPackagingJobs lookoutvision:ListModels lookoutvision:ListProjects lookoutvision:StartModel lookoutvision:StartModelPackagingJob lookoutvision:StopModel lookoutvision:UpdateDatasetEntries  | 
| m2 |  m2:CancelBatchJobExecution m2:CreateApplication m2:CreateDataSetExportTask m2:CreateDataSetImportTask m2:CreateDeployment m2:CreateEnvironment m2:DeleteApplication m2:DeleteApplicationFromEnvironment m2:DeleteEnvironment m2:GetApplication m2:GetApplicationVersion m2:GetBatchJobExecution m2:GetDataSetDetails m2:GetDataSetExportTask m2:GetDataSetImportTask m2:GetDeployment m2:GetEnvironment m2:GetSignedBluinsightsUrl m2:ListApplicationVersions m2:ListApplications m2:ListBatchJobDefinitions m2:ListBatchJobExecutions m2:ListBatchJobRestartPoints m2:ListDataSetExportHistory m2:ListDataSetImportHistory m2:ListDataSets m2:ListDeployments m2:ListEngineVersions m2:ListEnvironments m2:StartApplication m2:StartBatchJob m2:StopApplication m2:UpdateApplication m2:UpdateEnvironment  | 
| managedblockchain |  managedblockchain:CreateAccessor managedblockchain:CreateMember managedblockchain:CreateNetwork managedblockchain:CreateNode managedblockchain:CreateProposal managedblockchain:DeleteAccessor managedblockchain:DeleteMember managedblockchain:DeleteNode managedblockchain:GetAccessor managedblockchain:GetMember managedblockchain:GetNetwork managedblockchain:GetNode managedblockchain:GetProposal managedblockchain:InvokeRpcPolygonMainnet managedblockchain:InvokeRpcPolygonMumbaiTestnet managedblockchain:ListAccessors managedblockchain:ListInvitations managedblockchain:ListMembers managedblockchain:ListNetworks managedblockchain:ListNodes managedblockchain:ListProposalVotes managedblockchain:ListProposals managedblockchain:RejectInvitation managedblockchain:UpdateMember managedblockchain:UpdateNode managedblockchain:VoteOnProposal  | 
| mediaconnect |  mediaconnect:AddBridgeOutputs mediaconnect:AddBridgeSources mediaconnect:AddFlowMediaStreams mediaconnect:AddFlowOutputs mediaconnect:AddFlowSources mediaconnect:AddFlowVpcInterfaces mediaconnect:CreateBridge mediaconnect:CreateFlow mediaconnect:CreateGateway mediaconnect:DeleteBridge mediaconnect:DeleteFlow mediaconnect:DeleteGateway mediaconnect:DeleteRouterInput mediaconnect:DeleteRouterNetworkInterface mediaconnect:DeleteRouterOutput mediaconnect:DeregisterGatewayInstance mediaconnect:DescribeBridge mediaconnect:DescribeFlow mediaconnect:DescribeFlowSourceMetadata mediaconnect:DescribeFlowSourceThumbnail mediaconnect:DescribeGateway mediaconnect:DescribeGatewayInstance mediaconnect:DescribeOffering mediaconnect:DescribeReservation mediaconnect:GetRouterInput mediaconnect:GetRouterInputSourceMetadata mediaconnect:GetRouterInputThumbnail mediaconnect:GetRouterNetworkInterface mediaconnect:GetRouterOutput mediaconnect:GrantFlowEntitlements mediaconnect:ListBridges mediaconnect:ListEntitlements mediaconnect:ListFlows mediaconnect:ListGatewayInstances mediaconnect:ListGateways mediaconnect:ListOfferings mediaconnect:ListReservations mediaconnect:ListRouterInputs mediaconnect:ListRouterNetworkInterfaces mediaconnect:ListRouterOutputs mediaconnect:PurchaseOffering mediaconnect:RemoveBridgeOutput mediaconnect:RemoveBridgeSource mediaconnect:RemoveFlowMediaStream mediaconnect:RemoveFlowOutput mediaconnect:RemoveFlowSource mediaconnect:RemoveFlowVpcInterface mediaconnect:RestartRouterInput mediaconnect:RestartRouterOutput mediaconnect:RevokeFlowEntitlement mediaconnect:StartFlow mediaconnect:StartRouterInput mediaconnect:StartRouterOutput mediaconnect:StopFlow mediaconnect:StopRouterInput mediaconnect:StopRouterOutput mediaconnect:TakeRouterInput mediaconnect:UpdateBridge mediaconnect:UpdateBridgeOutput mediaconnect:UpdateBridgeSource mediaconnect:UpdateBridgeState mediaconnect:UpdateFlow mediaconnect:UpdateFlowEntitlement mediaconnect:UpdateFlowMediaStream mediaconnect:UpdateGatewayInstance  | 
| mediaconvert |  mediaconvert:AssociateCertificate mediaconvert:CancelJob mediaconvert:CreateJob mediaconvert:CreateJobTemplate mediaconvert:CreatePreset mediaconvert:CreateQueue mediaconvert:CreateResourceShare mediaconvert:DeleteJobTemplate mediaconvert:DeletePolicy mediaconvert:DeletePreset mediaconvert:DeleteQueue mediaconvert:DescribeEndpoints mediaconvert:DisassociateCertificate mediaconvert:GetJob mediaconvert:GetJobTemplate mediaconvert:GetPolicy mediaconvert:GetPreset mediaconvert:GetQueue mediaconvert:ListJobTemplates mediaconvert:ListJobs mediaconvert:ListPresets mediaconvert:ListQueues mediaconvert:ListVersions mediaconvert:Probe mediaconvert:PutPolicy mediaconvert:SearchJobs mediaconvert:UpdateJobTemplate mediaconvert:UpdatePreset mediaconvert:UpdateQueue  | 
| medialive |  medialive:AcceptInputDeviceTransfer medialive:BatchDelete medialive:BatchStart medialive:BatchStop medialive:BatchUpdateSchedule medialive:CancelInputDeviceTransfer medialive:ClaimDevice medialive:CreateChannel medialive:CreateChannelPlacementGroup medialive:CreateCloudWatchAlarmTemplate medialive:CreateCloudWatchAlarmTemplateGroup medialive:CreateCluster medialive:CreateEventBridgeRuleTemplate medialive:CreateEventBridgeRuleTemplateGroup medialive:CreateInput medialive:CreateInputSecurityGroup medialive:CreateMultiplex medialive:CreateMultiplexProgram medialive:CreateNetwork medialive:CreateNode medialive:CreateNodeRegistrationScript medialive:CreatePartnerInput medialive:CreateSdiSource medialive:CreateSignalMap medialive:DeleteChannel medialive:DeleteChannelPlacementGroup medialive:DeleteCloudWatchAlarmTemplate medialive:DeleteCloudWatchAlarmTemplateGroup medialive:DeleteCluster medialive:DeleteEventBridgeRuleTemplate medialive:DeleteEventBridgeRuleTemplateGroup medialive:DeleteInput medialive:DeleteInputSecurityGroup medialive:DeleteMultiplex medialive:DeleteMultiplexProgram medialive:DeleteNetwork medialive:DeleteNode medialive:DeleteReservation medialive:DeleteSchedule medialive:DeleteSdiSource medialive:DeleteSignalMap medialive:DescribeAccountConfiguration medialive:DescribeChannel medialive:DescribeChannelPlacementGroup medialive:DescribeCluster medialive:DescribeInput medialive:DescribeInputDevice medialive:DescribeInputDeviceThumbnail medialive:DescribeInputSecurityGroup medialive:DescribeMultiplex medialive:DescribeMultiplexProgram medialive:DescribeNetwork medialive:DescribeNode medialive:DescribeOffering medialive:DescribeReservation medialive:DescribeSchedule medialive:DescribeSdiSource medialive:DescribeThumbnails medialive:GetCloudWatchAlarmTemplate medialive:GetCloudWatchAlarmTemplateGroup medialive:GetEventBridgeRuleTemplate medialive:GetEventBridgeRuleTemplateGroup medialive:GetSignalMap medialive:ListAlerts medialive:ListChannelPlacementGroups medialive:ListChannels medialive:ListCloudWatchAlarmTemplateGroups medialive:ListCloudWatchAlarmTemplates medialive:ListClusterAlerts medialive:ListClusters medialive:ListEventBridgeRuleTemplateGroups medialive:ListEventBridgeRuleTemplates medialive:ListInputDeviceTransfers medialive:ListInputDevices medialive:ListInputSecurityGroups medialive:ListInputs medialive:ListMultiplexAlerts medialive:ListMultiplexPrograms medialive:ListMultiplexes medialive:ListNetworks medialive:ListNodes medialive:ListOfferings medialive:ListReservations medialive:ListSdiSources medialive:ListSignalMaps medialive:ListVersions medialive:PurchaseOffering medialive:RebootInputDevice medialive:RejectInputDeviceTransfer medialive:RestartChannelPipelines medialive:StartChannel medialive:StartDeleteMonitorDeployment medialive:StartInputDevice medialive:StartInputDeviceMaintenanceWindow medialive:StartMonitorDeployment medialive:StartMultiplex medialive:StartUpdateSignalMap medialive:StopChannel medialive:StopInputDevice medialive:StopMultiplex medialive:TransferInputDevice medialive:UpdateAccountConfiguration medialive:UpdateChannel medialive:UpdateChannelClass medialive:UpdateChannelPlacementGroup medialive:UpdateCloudWatchAlarmTemplate medialive:UpdateCloudWatchAlarmTemplateGroup medialive:UpdateCluster medialive:UpdateEventBridgeRuleTemplate medialive:UpdateEventBridgeRuleTemplateGroup medialive:UpdateInput medialive:UpdateInputDevice medialive:UpdateInputSecurityGroup medialive:UpdateMultiplex medialive:UpdateMultiplexProgram medialive:UpdateNetwork medialive:UpdateNode medialive:UpdateNodeState medialive:UpdateReservation medialive:UpdateSdiSource  | 
| mediastore |  mediastore:CreateContainer mediastore:DeleteContainer mediastore:DeleteContainerPolicy mediastore:DeleteCorsPolicy mediastore:DeleteLifecyclePolicy mediastore:DeleteMetricPolicy mediastore:DescribeContainer mediastore:GetContainerPolicy mediastore:GetCorsPolicy mediastore:GetLifecyclePolicy mediastore:GetMetricPolicy mediastore:ListContainers mediastore:PutContainerPolicy mediastore:PutCorsPolicy mediastore:PutLifecyclePolicy mediastore:PutMetricPolicy mediastore:StartAccessLogging mediastore:StopAccessLogging  | 
| mediatailor |  mediatailor:ConfigureLogsForPlaybackConfiguration mediatailor:CreateChannel mediatailor:CreateLiveSource mediatailor:CreatePrefetchSchedule mediatailor:CreateProgram mediatailor:CreateSourceLocation mediatailor:CreateVodSource mediatailor:DeleteChannel mediatailor:DeleteChannelPolicy mediatailor:DeleteLiveSource mediatailor:DeletePlaybackConfiguration mediatailor:DeletePrefetchSchedule mediatailor:DeleteProgram mediatailor:DeleteSourceLocation mediatailor:DeleteVodSource mediatailor:DescribeChannel mediatailor:DescribeLiveSource mediatailor:DescribeProgram mediatailor:DescribeSourceLocation mediatailor:DescribeVodSource mediatailor:GetChannelPolicy mediatailor:GetChannelSchedule mediatailor:GetPlaybackConfiguration mediatailor:GetPrefetchSchedule mediatailor:ListAlerts mediatailor:ListChannels mediatailor:ListLiveSources mediatailor:ListPlaybackConfigurations mediatailor:ListPrefetchSchedules mediatailor:ListSourceLocations mediatailor:ListVodSources mediatailor:PutChannelPolicy mediatailor:PutPlaybackConfiguration mediatailor:StartChannel mediatailor:StopChannel mediatailor:UpdateChannel mediatailor:UpdateLiveSource mediatailor:UpdateProgram mediatailor:UpdateSourceLocation mediatailor:UpdateVodSource  | 
| memorydb |  memorydb:BatchUpdateCluster memorydb:CopySnapshot memorydb:CreateAcl memorydb:CreateCluster memorydb:CreateMultiRegionCluster memorydb:CreateParameterGroup memorydb:CreateSnapshot memorydb:CreateSubnetGroup memorydb:CreateUser memorydb:DeleteAcl memorydb:DeleteCluster memorydb:DeleteMultiRegionCluster memorydb:DeleteParameterGroup memorydb:DeleteSnapshot memorydb:DeleteSubnetGroup memorydb:DeleteUser memorydb:DescribeAcls memorydb:DescribeClusters memorydb:DescribeEngineVersions memorydb:DescribeEvents memorydb:DescribeMultiRegionClusters memorydb:DescribeMultiRegionParameterGroups memorydb:DescribeMultiRegionParameters memorydb:DescribeParameterGroups memorydb:DescribeParameters memorydb:DescribeReservedNodes memorydb:DescribeReservedNodesOfferings memorydb:DescribeServiceUpdates memorydb:DescribeSnapshots memorydb:DescribeSubnetGroups memorydb:DescribeUsers memorydb:FailoverShard memorydb:ListAllowedMultiRegionClusterUpdates memorydb:ListAllowedNodeTypeUpdates memorydb:PurchaseReservedNodesOffering memorydb:ResetParameterGroup memorydb:UpdateAcl memorydb:UpdateCluster memorydb:UpdateMultiRegionCluster memorydb:UpdateParameterGroup memorydb:UpdateSubnetGroup memorydb:UpdateUser  | 
| mgh |  mgh:AssociateCreatedArtifact mgh:AssociateDiscoveredResource mgh:AssociateSourceResource mgh:CreateHomeRegionControl mgh:CreateProgressUpdateStream mgh:DeleteHomeRegionControl mgh:DeleteProgressUpdateStream mgh:DescribeApplicationState mgh:DescribeHomeRegionControls mgh:DescribeMigrationTask mgh:DisassociateCreatedArtifact mgh:DisassociateDiscoveredResource mgh:DisassociateSourceResource mgh:GetHomeRegion mgh:ImportMigrationTask mgh:ListApplicationStates mgh:ListCreatedArtifacts mgh:ListDiscoveredResources mgh:ListMigrationTaskUpdates mgh:ListMigrationTasks mgh:ListProgressUpdateStreams mgh:ListSourceResources mgh:NotifyApplicationState mgh:NotifyMigrationTaskState mgh:PutResourceAttributes  | 
| mgn |  mgn:ArchiveApplication mgn:ArchiveWave mgn:AssociateApplications mgn:AssociateSourceServers mgn:ChangeServerLifeCycleState mgn:CreateApplication mgn:CreateConnector mgn:CreateLaunchConfigurationTemplate mgn:CreateReplicationConfigurationTemplate mgn:CreateWave mgn:DeleteApplication mgn:DeleteConnector mgn:DeleteJob mgn:DeleteLaunchConfigurationTemplate mgn:DeleteReplicationConfigurationTemplate mgn:DeleteSourceServer mgn:DeleteVcenterClient mgn:DeleteWave mgn:DescribeJobLogItems mgn:DescribeJobs mgn:DescribeLaunchConfigurationTemplates mgn:DescribeReplicationConfigurationTemplates mgn:DescribeVcenterClients mgn:DisassociateApplications mgn:DisassociateSourceServers mgn:DisconnectFromService mgn:FinalizeCutover mgn:GetReplicationConfiguration mgn:InitializeService mgn:ListConnectors mgn:ListExportErrors mgn:ListExports mgn:ListImportErrors mgn:ListImports mgn:ListManagedAccounts mgn:ListSourceServerActions mgn:ListTemplateActions mgn:MarkAsArchived mgn:PauseReplication mgn:PutSourceServerAction mgn:PutTemplateAction mgn:RemoveSourceServerAction mgn:RemoveTemplateAction mgn:ResumeReplication mgn:RetryDataReplication mgn:StartCutover mgn:StartExport mgn:StartImport mgn:StartReplication mgn:StartTest mgn:StopReplication mgn:TerminateTargetInstances mgn:UnarchiveApplication mgn:UnarchiveWave mgn:UpdateApplication mgn:UpdateConnector mgn:UpdateLaunchConfigurationTemplate mgn:UpdateReplicationConfiguration mgn:UpdateReplicationConfigurationTemplate mgn:UpdateSourceServer mgn:UpdateSourceServerReplicationType mgn:UpdateWave  | 
| migrationhub-strategy |  migrationhub-strategy:GetAntiPattern migrationhub-strategy:GetApplicationComponentDetails migrationhub-strategy:GetApplicationComponentStrategies migrationhub-strategy:GetAssessment migrationhub-strategy:GetImportFileTask migrationhub-strategy:GetLatestAssessmentId migrationhub-strategy:GetMessage migrationhub-strategy:GetPortfolioPreferences migrationhub-strategy:GetPortfolioSummary migrationhub-strategy:GetRecommendationReportDetails migrationhub-strategy:GetServerDetails migrationhub-strategy:GetServerStrategies migrationhub-strategy:ListAnalyzableServers migrationhub-strategy:ListAntiPatterns migrationhub-strategy:ListApplicationComponents migrationhub-strategy:ListCollectors migrationhub-strategy:ListImportFileTask migrationhub-strategy:ListJarArtifacts migrationhub-strategy:ListServers migrationhub-strategy:PutLogData migrationhub-strategy:PutMetricData migrationhub-strategy:PutPortfolioPreferences migrationhub-strategy:RegisterCollector migrationhub-strategy:SendMessage migrationhub-strategy:StartAssessment migrationhub-strategy:StartImportFileTask migrationhub-strategy:StartRecommendationReportGeneration migrationhub-strategy:StopAssessment migrationhub-strategy:UpdateApplicationComponentConfig migrationhub-strategy:UpdateCollectorConfiguration migrationhub-strategy:UpdateServerConfig  | 
| mobiletargeting |  mobiletargeting:CreateApp mobiletargeting:CreateCampaign mobiletargeting:CreateEmailTemplate mobiletargeting:CreateExportJob mobiletargeting:CreateImportJob mobiletargeting:CreateInAppTemplate mobiletargeting:CreateJourney mobiletargeting:CreatePushTemplate mobiletargeting:CreateRecommenderConfiguration mobiletargeting:CreateSegment mobiletargeting:CreateSmsTemplate mobiletargeting:CreateVoiceTemplate mobiletargeting:DeleteAdmChannel mobiletargeting:DeleteApnsChannel mobiletargeting:DeleteApnsSandboxChannel mobiletargeting:DeleteApnsVoipChannel mobiletargeting:DeleteApnsVoipSandboxChannel mobiletargeting:DeleteApp mobiletargeting:DeleteBaiduChannel mobiletargeting:DeleteCampaign mobiletargeting:DeleteEmailChannel mobiletargeting:DeleteEmailTemplate mobiletargeting:DeleteEndpoint mobiletargeting:DeleteEventStream mobiletargeting:DeleteGcmChannel mobiletargeting:DeleteInAppTemplate mobiletargeting:DeleteJourney mobiletargeting:DeletePushTemplate mobiletargeting:DeleteRecommenderConfiguration mobiletargeting:DeleteSegment mobiletargeting:DeleteSmsChannel mobiletargeting:DeleteSmsTemplate mobiletargeting:DeleteUserEndpoints mobiletargeting:DeleteVoiceChannel mobiletargeting:DeleteVoiceTemplate mobiletargeting:GetAdmChannel mobiletargeting:GetApnsChannel mobiletargeting:GetApnsSandboxChannel mobiletargeting:GetApnsVoipChannel mobiletargeting:GetApnsVoipSandboxChannel mobiletargeting:GetApp mobiletargeting:GetApplicationDateRangeKpi mobiletargeting:GetApplicationSettings mobiletargeting:GetApps mobiletargeting:GetBaiduChannel mobiletargeting:GetCampaign mobiletargeting:GetCampaignActivities mobiletargeting:GetCampaignDateRangeKpi mobiletargeting:GetCampaignVersion mobiletargeting:GetCampaignVersions mobiletargeting:GetCampaigns mobiletargeting:GetChannels mobiletargeting:GetEmailChannel mobiletargeting:GetEmailTemplate mobiletargeting:GetEndpoint mobiletargeting:GetEventStream mobiletargeting:GetExportJob mobiletargeting:GetExportJobs mobiletargeting:GetGcmChannel mobiletargeting:GetImportJob mobiletargeting:GetImportJobs mobiletargeting:GetInAppMessages mobiletargeting:GetInAppTemplate mobiletargeting:GetJourney mobiletargeting:GetJourneyDateRangeKpi mobiletargeting:GetJourneyExecutionActivityMetrics mobiletargeting:GetJourneyExecutionMetrics mobiletargeting:GetJourneyRunExecutionActivityMetrics mobiletargeting:GetJourneyRunExecutionMetrics mobiletargeting:GetJourneyRuns mobiletargeting:GetPushTemplate mobiletargeting:GetRecommenderConfiguration mobiletargeting:GetRecommenderConfigurations mobiletargeting:GetSegment mobiletargeting:GetSegmentExportJobs mobiletargeting:GetSegmentImportJobs mobiletargeting:GetSegmentVersion mobiletargeting:GetSegmentVersions mobiletargeting:GetSegments mobiletargeting:GetSmsChannel mobiletargeting:GetSmsTemplate mobiletargeting:GetUserEndpoints mobiletargeting:GetVoiceChannel mobiletargeting:GetVoiceTemplate mobiletargeting:ListJourneys mobiletargeting:ListTemplateVersions mobiletargeting:ListTemplates mobiletargeting:PhoneNumberValidate mobiletargeting:PutEventStream mobiletargeting:RemoveAttributes mobiletargeting:UpdateAdmChannel mobiletargeting:UpdateApnsChannel mobiletargeting:UpdateApnsSandboxChannel mobiletargeting:UpdateApnsVoipChannel mobiletargeting:UpdateApnsVoipSandboxChannel mobiletargeting:UpdateApplicationSettings mobiletargeting:UpdateBaiduChannel mobiletargeting:UpdateCampaign mobiletargeting:UpdateEmailChannel mobiletargeting:UpdateEmailTemplate mobiletargeting:UpdateEndpoint mobiletargeting:UpdateEndpointsBatch mobiletargeting:UpdateGcmChannel mobiletargeting:UpdateInAppTemplate mobiletargeting:UpdateJourney mobiletargeting:UpdateJourneyState mobiletargeting:UpdatePushTemplate mobiletargeting:UpdateRecommenderConfiguration mobiletargeting:UpdateSegment mobiletargeting:UpdateSmsChannel mobiletargeting:UpdateSmsTemplate mobiletargeting:UpdateTemplateActiveVersion mobiletargeting:UpdateVoiceChannel mobiletargeting:UpdateVoiceTemplate mobiletargeting:VerifyOTPMessage  | 
| mq |  mq:CreateBroker mq:CreateConfiguration mq:CreateUser mq:DeleteBroker mq:DeleteConfiguration mq:DeleteUser mq:DescribeBroker mq:DescribeBrokerEngineTypes mq:DescribeBrokerInstanceOptions mq:DescribeConfiguration mq:DescribeConfigurationRevision mq:DescribeUser mq:ListBrokers mq:ListConfigurationRevisions mq:ListConfigurations mq:ListUsers mq:Promote mq:RebootBroker mq:UpdateBroker mq:UpdateConfiguration mq:UpdateUser  | 
| networkmanager |  networkmanager:AcceptAttachment networkmanager:AssociateConnectPeer networkmanager:AssociateCustomerGateway networkmanager:AssociateLink networkmanager:AssociateTransitGatewayConnectPeer networkmanager:CreateConnectAttachment networkmanager:CreateConnectPeer networkmanager:CreateConnection networkmanager:CreateCoreNetwork networkmanager:CreateDevice networkmanager:CreateDirectConnectGatewayAttachment networkmanager:CreateGlobalNetwork networkmanager:CreateLink networkmanager:CreateSite networkmanager:CreateSiteToSiteVpnAttachment networkmanager:CreateTransitGatewayPeering networkmanager:CreateTransitGatewayRouteTableAttachment networkmanager:CreateVpcAttachment networkmanager:DeleteAttachment networkmanager:DeleteConnectPeer networkmanager:DeleteConnection networkmanager:DeleteCoreNetwork networkmanager:DeleteCoreNetworkPolicyVersion networkmanager:DeleteDevice networkmanager:DeleteGlobalNetwork networkmanager:DeleteLink networkmanager:DeletePeering networkmanager:DeleteResourcePolicy networkmanager:DeleteSite networkmanager:DeregisterTransitGateway networkmanager:DescribeGlobalNetworks networkmanager:DisassociateConnectPeer networkmanager:DisassociateCustomerGateway networkmanager:DisassociateLink networkmanager:DisassociateTransitGatewayConnectPeer networkmanager:ExecuteCoreNetworkChangeSet networkmanager:GetConnectAttachment networkmanager:GetConnectPeer networkmanager:GetConnectPeerAssociations networkmanager:GetConnections networkmanager:GetCoreNetwork networkmanager:GetCoreNetworkChangeEvents networkmanager:GetCoreNetworkChangeSet networkmanager:GetCoreNetworkPolicy networkmanager:GetCustomerGatewayAssociations networkmanager:GetDevices networkmanager:GetLinkAssociations networkmanager:GetLinks networkmanager:GetNetworkResourceCounts networkmanager:GetNetworkResourceRelationships networkmanager:GetNetworkResources networkmanager:GetNetworkRoutes networkmanager:GetNetworkTelemetry networkmanager:GetResourcePolicy networkmanager:GetRouteAnalysis networkmanager:GetSiteToSiteVpnAttachment networkmanager:GetSites networkmanager:GetTransitGatewayConnectPeerAssociations networkmanager:GetTransitGatewayPeering networkmanager:GetTransitGatewayRegistrations networkmanager:GetTransitGatewayRouteTableAttachment networkmanager:GetVpcAttachment networkmanager:ListAttachmentRoutingPolicyAssociations networkmanager:ListAttachments networkmanager:ListConnectPeers networkmanager:ListCoreNetworkPolicyVersions networkmanager:ListCoreNetworkPrefixListAssociations networkmanager:ListCoreNetworkRoutingInformation networkmanager:ListCoreNetworks networkmanager:ListOrganizationServiceAccessStatus networkmanager:ListPeerings networkmanager:PutAttachmentRoutingPolicyLabel networkmanager:PutCoreNetworkPolicy networkmanager:PutResourcePolicy networkmanager:RegisterTransitGateway networkmanager:RejectAttachment networkmanager:RemoveAttachmentRoutingPolicyLabel networkmanager:RestoreCoreNetworkPolicyVersion networkmanager:StartOrganizationServiceAccessUpdate networkmanager:StartRouteAnalysis networkmanager:UpdateConnection networkmanager:UpdateCoreNetwork networkmanager:UpdateDevice networkmanager:UpdateDirectConnectGatewayAttachment networkmanager:UpdateGlobalNetwork networkmanager:UpdateLink networkmanager:UpdateNetworkResourceMetadata networkmanager:UpdateSite networkmanager:UpdateVpcAttachment  | 
| nimble |  nimble:AcceptEulas nimble:CreateLaunchProfile nimble:CreateStreamingImage nimble:CreateStreamingSession nimble:CreateStreamingSessionStream nimble:CreateStudio nimble:CreateStudioComponent nimble:DeleteLaunchProfile nimble:DeleteLaunchProfileMember nimble:DeleteStreamingImage nimble:DeleteStreamingSession nimble:DeleteStudio nimble:DeleteStudioComponent nimble:DeleteStudioMember nimble:GetEula nimble:GetLaunchProfileDetails nimble:GetStreamingImage nimble:GetStreamingSession nimble:GetStreamingSessionBackup nimble:GetStreamingSessionStream nimble:GetStudio nimble:GetStudioComponent nimble:GetStudioMember nimble:ListEulas nimble:ListLaunchProfileMembers nimble:ListLaunchProfiles nimble:ListStreamingImages nimble:ListStreamingSessionBackups nimble:ListStreamingSessions nimble:ListStudioComponents nimble:ListStudioMembers nimble:ListStudios nimble:PutLaunchProfileMembers nimble:PutStudioMembers nimble:StartStreamingSession nimble:StartStudioSSOConfigurationRepair nimble:StopStreamingSession nimble:UpdateLaunchProfile nimble:UpdateLaunchProfileMember nimble:UpdateStreamingImage nimble:UpdateStudio nimble:UpdateStudioComponent  | 
| omics |  omics:AbortMultipartReadSetUpload omics:AcceptShare omics:BatchDeleteReadSet omics:CancelAnnotationImportJob omics:CancelRun omics:CancelVariantImportJob omics:CompleteMultipartReadSetUpload omics:CreateAnnotationStore omics:CreateAnnotationStoreVersion omics:CreateMultipartReadSetUpload omics:CreateReferenceStore omics:CreateRunGroup omics:CreateSequenceStore omics:CreateShare omics:CreateVariantStore omics:CreateWorkflow omics:CreateWorkflowVersion omics:DeleteAnnotationStore omics:DeleteAnnotationStoreVersions omics:DeleteReference omics:DeleteReferenceStore omics:DeleteRun omics:DeleteRunGroup omics:DeleteSequenceStore omics:DeleteShare omics:DeleteVariantStore omics:DeleteWorkflow omics:DeleteWorkflowVersion omics:GetAnnotationImportJob omics:GetAnnotationStore omics:GetAnnotationStoreVersion omics:GetReadSet omics:GetReadSetActivationJob omics:GetReadSetExportJob omics:GetReadSetImportJob omics:GetReadSetMetadata omics:GetReference omics:GetReferenceImportJob omics:GetReferenceMetadata omics:GetReferenceStore omics:GetRun omics:GetRunGroup omics:GetRunTask omics:GetSequenceStore omics:GetShare omics:GetVariantImportJob omics:GetVariantStore omics:GetWorkflow omics:GetWorkflowVersion omics:ListAnnotationImportJobs omics:ListAnnotationStoreVersions omics:ListAnnotationStores omics:ListMultipartReadSetUploads omics:ListReadSetActivationJobs omics:ListReadSetExportJobs omics:ListReadSetImportJobs omics:ListReadSetUploadParts omics:ListReadSets omics:ListReferenceImportJobs omics:ListReferenceStores omics:ListReferences omics:ListRunGroups omics:ListRunTasks omics:ListRuns omics:ListSequenceStores omics:ListShares omics:ListVariantImportJobs omics:ListVariantStores omics:ListWorkflowVersions omics:ListWorkflows omics:StartAnnotationImportJob omics:StartReadSetActivationJob omics:StartReadSetExportJob omics:StartReadSetImportJob omics:StartReferenceImportJob omics:StartRun omics:StartVariantImportJob omics:UpdateAnnotationStore omics:UpdateAnnotationStoreVersion omics:UpdateRunGroup omics:UpdateVariantStore omics:UpdateWorkflow omics:UpdateWorkflowVersion omics:UploadReadSetPart  | 
| opsworks |  opsworks:AssignInstance opsworks:AssignVolume opsworks:AssociateElasticIp opsworks:AttachElasticLoadBalancer opsworks:CloneStack opsworks:CreateApp opsworks:CreateDeployment opsworks:CreateInstance opsworks:CreateLayer opsworks:CreateStack opsworks:CreateUserProfile opsworks:DeleteApp opsworks:DeleteInstance opsworks:DeleteLayer opsworks:DeleteStack opsworks:DeleteUserProfile opsworks:DeregisterEcsCluster opsworks:DeregisterElasticIp opsworks:DeregisterInstance opsworks:DeregisterRdsDbInstance opsworks:DeregisterVolume opsworks:DescribeAgentVersions opsworks:DescribeApps opsworks:DescribeCommands opsworks:DescribeDeployments opsworks:DescribeEcsClusters opsworks:DescribeElasticIps opsworks:DescribeElasticLoadBalancers opsworks:DescribeInstances opsworks:DescribeLayers opsworks:DescribeLoadBasedAutoScaling opsworks:DescribeMyUserProfile opsworks:DescribeOperatingSystems opsworks:DescribePermissions opsworks:DescribeRaidArrays opsworks:DescribeRdsDbInstances opsworks:DescribeServiceErrors opsworks:DescribeStackProvisioningParameters opsworks:DescribeStackSummary opsworks:DescribeStacks opsworks:DescribeTimeBasedAutoScaling opsworks:DescribeUserProfiles opsworks:DescribeVolumes opsworks:DetachElasticLoadBalancer opsworks:DisassociateElasticIp opsworks:GetHostnameSuggestion opsworks:GrantAccess opsworks:RebootInstance opsworks:RegisterEcsCluster opsworks:RegisterElasticIp opsworks:RegisterInstance opsworks:RegisterRdsDbInstance opsworks:RegisterVolume opsworks:SetLoadBasedAutoScaling opsworks:SetPermission opsworks:SetTimeBasedAutoScaling opsworks:StartInstance opsworks:StartStack opsworks:StopInstance opsworks:StopStack opsworks:UnassignInstance opsworks:UnassignVolume opsworks:UpdateApp opsworks:UpdateElasticIp opsworks:UpdateInstance opsworks:UpdateLayer opsworks:UpdateMyUserProfile opsworks:UpdateRdsDbInstance opsworks:UpdateStack opsworks:UpdateUserProfile opsworks:UpdateVolume  | 
| opsworks-cm |  opsworks-cm:AssociateNode opsworks-cm:CreateBackup opsworks-cm:CreateServer opsworks-cm:DeleteBackup opsworks-cm:DeleteServer opsworks-cm:DescribeAccountAttributes opsworks-cm:DescribeBackups opsworks-cm:DescribeEvents opsworks-cm:DescribeNodeAssociationStatus opsworks-cm:DescribeServers opsworks-cm:DisassociateNode opsworks-cm:ExportServerEngineAttribute opsworks-cm:RestoreServer opsworks-cm:StartMaintenance opsworks-cm:UpdateServer opsworks-cm:UpdateServerEngineAttributes  | 
| organizations |  organizations:AcceptHandshake organizations:AttachPolicy organizations:CancelHandshake organizations:CloseAccount organizations:CreateAccount organizations:CreateGovCloudAccount organizations:CreateOrganization organizations:CreateOrganizationalUnit organizations:CreatePolicy organizations:DeclineHandshake organizations:DeleteOrganization organizations:DeleteOrganizationalUnit organizations:DeletePolicy organizations:DeleteResourcePolicy organizations:DeregisterDelegatedAdministrator organizations:DescribeAccount organizations:DescribeCreateAccountStatus organizations:DescribeEffectivePolicy organizations:DescribeHandshake organizations:DescribeOrganization organizations:DescribeOrganizationalUnit organizations:DescribePolicy organizations:DescribeResourcePolicy organizations:DescribeResponsibilityTransfer organizations:DetachPolicy organizations:DisableAWSServiceAccess organizations:DisablePolicyType organizations:EnableAWSServiceAccess organizations:EnableAllFeatures organizations:EnablePolicyType organizations:InviteAccountToOrganization organizations:LeaveOrganization organizations:ListAWSServiceAccessForOrganization organizations:ListAccounts organizations:ListAccountsForParent organizations:ListAccountsWithInvalidEffectivePolicy organizations:ListChildren organizations:ListCreateAccountStatus organizations:ListDelegatedAdministrators organizations:ListDelegatedServicesForAccount organizations:ListHandshakesForAccount organizations:ListHandshakesForOrganization organizations:ListInboundResponsibilityTransfers organizations:ListOrganizationalUnitsForParent organizations:ListOutboundResponsibilityTransfers organizations:ListParents organizations:ListPolicies organizations:ListPoliciesForTarget organizations:ListRoots organizations:ListTargetsForPolicy organizations:MoveAccount organizations:PutResourcePolicy organizations:RegisterDelegatedAdministrator organizations:RemoveAccountFromOrganization organizations:TerminateResponsibilityTransfer organizations:UpdateOrganizationalUnit organizations:UpdatePolicy organizations:UpdateResponsibilityTransfer  | 
| outposts |  outposts:CancelCapacityTask outposts:CancelOrder outposts:CreateOrder outposts:CreateOutpost outposts:CreatePrivateConnectivityConfig outposts:CreateSite outposts:DeleteOutpost outposts:DeleteSite outposts:GetCapacityTask outposts:GetCatalogItem outposts:GetConnection outposts:GetOrder outposts:GetOutpost outposts:GetOutpostBillingInformation outposts:GetOutpostInstanceTypes outposts:GetOutpostSupportedInstanceTypes outposts:GetPrivateConnectivityConfig outposts:GetSite outposts:GetSiteAddress outposts:ListAssetInstances outposts:ListAssets outposts:ListBlockingInstancesForCapacityTask outposts:ListCapacityTasks outposts:ListCatalogItems outposts:ListOrders outposts:ListOutposts outposts:ListSites outposts:StartCapacityTask outposts:StartConnection outposts:UpdateOutpost outposts:UpdateSite outposts:UpdateSiteAddress outposts:UpdateSiteRackPhysicalProperties  | 
| panorama |  panorama:CreateApplicationInstance panorama:CreateJobForDevices panorama:CreateNodeFromTemplateJob panorama:CreatePackage panorama:CreatePackageImportJob panorama:DeleteDevice panorama:DeletePackage panorama:DeregisterPackageVersion panorama:DescribeApplicationInstance panorama:DescribeApplicationInstanceDetails panorama:DescribeDevice panorama:DescribeDeviceJob panorama:DescribeNode panorama:DescribeNodeFromTemplateJob panorama:DescribePackage panorama:DescribePackageImportJob panorama:DescribePackageVersion panorama:ListApplicationInstanceDependencies panorama:ListApplicationInstanceNodeInstances panorama:ListApplicationInstances panorama:ListDevices panorama:ListDevicesJobs panorama:ListNodeFromTemplateJobs panorama:ListNodes panorama:ListPackageImportJobs panorama:ListPackages panorama:ProvisionDevice panorama:RegisterPackageVersion panorama:RemoveApplicationInstance panorama:SignalApplicationInstanceNodeInstances panorama:UpdateDeviceMetadata  | 
| pi |  pi:CreatePerformanceAnalysisReport pi:DeletePerformanceAnalysisReport pi:DescribeDimensionKeys pi:GetDimensionKeyDetails pi:GetPerformanceAnalysisReport pi:GetResourceMetadata pi:GetResourceMetrics pi:ListAvailableResourceDimensions pi:ListAvailableResourceMetrics pi:ListPerformanceAnalysisReports  | 
| pipes |  pipes:CreatePipe pipes:DeletePipe pipes:DescribePipe pipes:ListPipes pipes:StartPipe pipes:StopPipe pipes:UpdatePipe  | 
| polly |  polly:DeleteLexicon polly:DescribeVoices polly:GetLexicon polly:GetSpeechSynthesisTask polly:ListLexicons polly:ListSpeechSynthesisTasks polly:PutLexicon polly:StartSpeechSynthesisTask polly:SynthesizeSpeech  | 
| profile |  profile:AddProfileKey profile:BatchGetCalculatedAttributeForProfile profile:BatchGetProfile profile:CreateCalculatedAttributeDefinition profile:CreateDomain profile:CreateEventStream profile:CreateProfile profile:CreateRecommender profile:CreateSegmentDefinition profile:CreateSegmentEstimate profile:CreateSegmentSnapshot profile:CreateUploadJob profile:DeleteCalculatedAttributeDefinition profile:DeleteDomain profile:DeleteDomainObjectType profile:DeleteEventStream profile:DeleteIntegration profile:DeleteProfile profile:DeleteProfileKey profile:DeleteProfileObject profile:DeleteProfileObjectType profile:DeleteRecommender profile:DeleteSegmentDefinition profile:DeleteWorkflow profile:DetectProfileObjectType profile:GetAutoMergingPreview profile:GetCalculatedAttributeDefinition profile:GetCalculatedAttributeForProfile profile:GetDomain profile:GetDomainObjectType profile:GetEventStream profile:GetIdentityResolutionJob profile:GetIntegration profile:GetMatches profile:GetObjectTypeAttributeStatistics profile:GetProfileObjectType profile:GetProfileObjectTypeTemplate profile:GetProfileRecommendations profile:GetRecommender profile:GetSegmentDefinition profile:GetSegmentEstimate profile:GetSegmentMembership profile:GetSegmentSnapshot profile:GetSimilarProfiles profile:GetUploadJob profile:GetUploadJobPath profile:GetWorkflow profile:GetWorkflowSteps profile:ListAccountIntegrations profile:ListCalculatedAttributeDefinitions profile:ListCalculatedAttributesForProfile profile:ListDomainLayouts profile:ListDomainObjectTypes profile:ListDomains profile:ListEventStreams profile:ListIdentityResolutionJobs profile:ListIntegrations profile:ListObjectTypeAttributeValues profile:ListObjectTypeAttributes profile:ListProfileAttributeValues profile:ListProfileObjectTypeTemplates profile:ListProfileObjectTypes profile:ListProfileObjects profile:ListRecommenderRecipes profile:ListRecommenders profile:ListRuleBasedMatches profile:ListSegmentDefinitions profile:ListUploadJobs profile:ListWorkflows profile:MergeProfiles profile:PutDomainObjectType profile:PutIntegration profile:PutProfileObject profile:PutProfileObjectType profile:SearchProfiles profile:StartRecommender profile:StartUploadJob profile:StopRecommender profile:StopUploadJob profile:UpdateCalculatedAttributeDefinition profile:UpdateDomain profile:UpdateProfile profile:UpdateRecommender  | 
| qldb |  qldb:CancelJournalKinesisStream qldb:CreateLedger qldb:DeleteLedger qldb:DescribeJournalKinesisStream qldb:DescribeJournalS3Export qldb:DescribeLedger qldb:ExportJournalToS3 qldb:GetBlock qldb:GetDigest qldb:GetRevision qldb:ListJournalKinesisStreamsForLedger qldb:ListJournalS3Exports qldb:ListJournalS3ExportsForLedger qldb:ListLedgers qldb:StreamJournalToKinesis qldb:UpdateLedger qldb:UpdateLedgerPermissionsMode  | 
| ram |  ram:AcceptResourceShareInvitation ram:AssociateResourceShare ram:AssociateResourceSharePermission ram:CreatePermission ram:CreatePermissionVersion ram:CreateResourceShare ram:DeletePermission ram:DeletePermissionVersion ram:DeleteResourceShare ram:DisassociateResourceShare ram:DisassociateResourceSharePermission ram:EnableSharingWithAwsOrganization ram:GetPermission ram:GetResourcePolicies ram:GetResourceShareAssociations ram:GetResourceShareInvitations ram:GetResourceShares ram:ListPendingInvitationResources ram:ListPermissionAssociations ram:ListPermissionVersions ram:ListPermissions ram:ListPrincipals ram:ListReplacePermissionAssociationsWork ram:ListResourceSharePermissions ram:ListResourceTypes ram:ListResources ram:PromotePermissionCreatedFromPolicy ram:PromoteResourceShareCreatedFromPolicy ram:RejectResourceShareInvitation ram:ReplacePermissionAssociations ram:SetDefaultPermissionVersion ram:UpdateResourceShare  | 
| rbin |  rbin:CreateRule rbin:DeleteRule rbin:GetRule rbin:ListRules rbin:LockRule rbin:UnlockRule rbin:UpdateRule  | 
| rds |  rds:AddRoleToDBCluster rds:AddRoleToDBInstance rds:AddSourceIdentifierToSubscription rds:ApplyPendingMaintenanceAction rds:AuthorizeDBSecurityGroupIngress rds:BacktrackDBCluster rds:CancelExportTask rds:CopyDBClusterParameterGroup rds:CopyDBClusterSnapshot rds:CopyDBParameterGroup rds:CopyDBSnapshot rds:CopyOptionGroup rds:CreateCustomDBEngineVersion rds:CreateDBClusterParameterGroup rds:CreateDBParameterGroup rds:CreateDBProxy rds:CreateDBProxyEndpoint rds:CreateDBSecurityGroup rds:CreateDBSubnetGroup rds:CreateEventSubscription rds:CreateGlobalCluster rds:CreateOptionGroup rds:DeleteBlueGreenDeployment rds:DeleteDBClusterAutomatedBackup rds:DeleteDBClusterParameterGroup rds:DeleteDBClusterSnapshot rds:DeleteDBInstanceAutomatedBackup rds:DeleteDBParameterGroup rds:DeleteDBProxy rds:DeleteDBProxyEndpoint rds:DeleteDBSecurityGroup rds:DeleteDBSnapshot rds:DeleteDBSubnetGroup rds:DeleteEventSubscription rds:DeleteGlobalCluster rds:DeleteOptionGroup rds:DeregisterDBProxyTargets rds:DescribeAccountAttributes rds:DescribeBlueGreenDeployments rds:DescribeCertificates rds:DescribeDBClusterAutomatedBackups rds:DescribeDBClusterBacktracks rds:DescribeDBClusterEndpoints rds:DescribeDBClusterParameterGroups rds:DescribeDBClusterParameters rds:DescribeDBClusterSnapshotAttributes rds:DescribeDBClusterSnapshots rds:DescribeDBClusters rds:DescribeDBEngineVersions rds:DescribeDBInstanceAutomatedBackups rds:DescribeDBInstances rds:DescribeDBLogFiles rds:DescribeDBMajorEngineVersions rds:DescribeDBParameterGroups rds:DescribeDBParameters rds:DescribeDBProxies rds:DescribeDBProxyEndpoints rds:DescribeDBProxyTargetGroups rds:DescribeDBProxyTargets rds:DescribeDBRecommendations rds:DescribeDBSecurityGroups rds:DescribeDBSnapshotAttributes rds:DescribeDBSnapshotTenantDatabases rds:DescribeDBSnapshots rds:DescribeDBSubnetGroups rds:DescribeEngineDefaultClusterParameters rds:DescribeEngineDefaultParameters rds:DescribeEventCategories rds:DescribeEventSubscriptions rds:DescribeEvents rds:DescribeExportTasks rds:DescribeGlobalClusters rds:DescribeIntegrations rds:DescribeOptionGroupOptions rds:DescribeOptionGroups rds:DescribeOrderableDBInstanceOptions rds:DescribePendingMaintenanceActions rds:DescribeReservedDBInstances rds:DescribeReservedDBInstancesOfferings rds:DescribeSourceRegions rds:DescribeTenantDatabases rds:DescribeValidDBInstanceModifications rds:DownloadCompleteDBLogFile rds:DownloadDBLogFilePortion rds:FailoverDBCluster rds:FailoverGlobalCluster rds:ModifyActivityStream rds:ModifyCertificates rds:ModifyCurrentDBClusterCapacity rds:ModifyDBClusterEndpoint rds:ModifyDBClusterParameterGroup rds:ModifyDBClusterSnapshotAttribute rds:ModifyDBParameterGroup rds:ModifyDBProxy rds:ModifyDBProxyEndpoint rds:ModifyDBProxyTargetGroup rds:ModifyDBRecommendation rds:ModifyDBSnapshot rds:ModifyDBSnapshotAttribute rds:ModifyDBSubnetGroup rds:ModifyEventSubscription rds:ModifyGlobalCluster rds:ModifyOptionGroup rds:ModifyTenantDatabase rds:PurchaseReservedDBInstancesOffering rds:RebootDBCluster rds:RegisterDBProxyTargets rds:RemoveFromGlobalCluster rds:RemoveRoleFromDBCluster rds:RemoveRoleFromDBInstance rds:RemoveSourceIdentifierFromSubscription rds:ResetDBClusterParameterGroup rds:ResetDBParameterGroup rds:RestoreDBClusterFromS3 rds:RestoreDBClusterFromSnapshot rds:RestoreDBClusterToPointInTime rds:RestoreDBInstanceFromDBSnapshot rds:RestoreDBInstanceFromS3 rds:RestoreDBInstanceToPointInTime rds:RevokeDBSecurityGroupIngress rds:StartActivityStream rds:StartDBCluster rds:StartDBInstance rds:StartDBInstanceAutomatedBackupsReplication rds:StartExportTask rds:StopActivityStream rds:StopDBCluster rds:StopDBInstance rds:StopDBInstanceAutomatedBackupsReplication rds:SwitchoverBlueGreenDeployment rds:SwitchoverGlobalCluster rds:SwitchoverReadReplica  | 
| redshift |  redshift:AcceptReservedNodeExchange redshift:AddPartner redshift:AssociateDataShareConsumer redshift:AuthorizeClusterSecurityGroupIngress redshift:AuthorizeDataShare redshift:AuthorizeEndpointAccess redshift:AuthorizeSnapshotAccess redshift:BatchDeleteClusterSnapshots redshift:BatchModifyClusterSnapshots redshift:CancelQuery redshift:CancelResize redshift:CopyClusterSnapshot redshift:CreateAuthenticationProfile redshift:CreateCluster redshift:CreateClusterParameterGroup redshift:CreateClusterSecurityGroup redshift:CreateClusterSnapshot redshift:CreateClusterSubnetGroup redshift:CreateCustomDomainAssociation redshift:CreateEndpointAccess redshift:CreateEventSubscription redshift:CreateHsmClientCertificate redshift:CreateHsmConfiguration redshift:CreateIntegration redshift:CreateRedshiftIdcApplication redshift:CreateScheduledAction redshift:CreateSnapshotCopyGrant redshift:CreateSnapshotSchedule redshift:CreateUsageLimit redshift:DeauthorizeDataShare redshift:DeleteAuthenticationProfile redshift:DeleteCluster redshift:DeleteClusterParameterGroup redshift:DeleteClusterSecurityGroup redshift:DeleteClusterSnapshot redshift:DeleteClusterSubnetGroup redshift:DeleteCustomDomainAssociation redshift:DeleteEndpointAccess redshift:DeleteEventSubscription redshift:DeleteHsmClientCertificate redshift:DeleteHsmConfiguration redshift:DeletePartner redshift:DeleteRedshiftIdcApplication redshift:DeleteResourcePolicy redshift:DeleteScheduledAction redshift:DeleteSnapshotCopyGrant redshift:DeleteSnapshotSchedule redshift:DeleteUsageLimit redshift:DeregisterNamespace redshift:DescribeAccountAttributes redshift:DescribeAuthenticationProfiles redshift:DescribeClusterDbRevisions redshift:DescribeClusterParameterGroups redshift:DescribeClusterParameters redshift:DescribeClusterSecurityGroups redshift:DescribeClusterSnapshots redshift:DescribeClusterSubnetGroups redshift:DescribeClusterTracks redshift:DescribeClusterVersions redshift:DescribeClusters redshift:DescribeCustomDomainAssociations redshift:DescribeDataShares redshift:DescribeDataSharesForConsumer redshift:DescribeDataSharesForProducer redshift:DescribeDefaultClusterParameters redshift:DescribeEndpointAccess redshift:DescribeEndpointAuthorization redshift:DescribeEventCategories redshift:DescribeEventSubscriptions redshift:DescribeEvents redshift:DescribeHsmClientCertificates redshift:DescribeHsmConfigurations redshift:DescribeInboundIntegrations redshift:DescribeIntegrations redshift:DescribeLoggingStatus redshift:DescribeNodeConfigurationOptions redshift:DescribeOrderableClusterOptions redshift:DescribePartners redshift:DescribeRedshiftIdcApplications redshift:DescribeReservedNodeExchangeStatus redshift:DescribeReservedNodeOfferings redshift:DescribeReservedNodes redshift:DescribeResize redshift:DescribeScheduledActions redshift:DescribeSnapshotCopyGrants redshift:DescribeSnapshotSchedules redshift:DescribeStorage redshift:DescribeTableRestoreStatus redshift:DescribeUsageLimits redshift:DisableLogging redshift:DisableSnapshotCopy redshift:DisassociateDataShareConsumer redshift:EnableLogging redshift:EnableSnapshotCopy redshift:FailoverPrimaryCompute redshift:GetClusterCredentials redshift:GetClusterCredentialsWithIAM redshift:GetIdentityCenterAuthToken redshift:GetReservedNodeExchangeConfigurationOptions redshift:GetReservedNodeExchangeOfferings redshift:GetResourcePolicy redshift:ListRecommendations redshift:ModifyAquaConfiguration redshift:ModifyAuthenticationProfile redshift:ModifyCluster redshift:ModifyClusterDbRevision redshift:ModifyClusterIamRoles redshift:ModifyClusterMaintenance redshift:ModifyClusterParameterGroup redshift:ModifyClusterSnapshot redshift:ModifyClusterSnapshotSchedule redshift:ModifyClusterSubnetGroup redshift:ModifyCustomDomainAssociation redshift:ModifyEndpointAccess redshift:ModifyEventSubscription redshift:ModifyRedshiftIdcApplication redshift:ModifyScheduledAction redshift:ModifySnapshotCopyRetentionPeriod redshift:ModifySnapshotSchedule redshift:ModifyUsageLimit redshift:PauseCluster redshift:PurchaseReservedNodeOffering redshift:PutResourcePolicy redshift:RebootCluster redshift:RegisterNamespace redshift:RejectDataShare redshift:ResetClusterParameterGroup redshift:ResizeCluster redshift:RestoreFromClusterSnapshot redshift:RestoreTableFromClusterSnapshot redshift:ResumeCluster redshift:RevokeClusterSecurityGroupIngress redshift:RevokeEndpointAccess redshift:RevokeSnapshotAccess redshift:RotateEncryptionKey redshift:UpdatePartnerStatus  | 
| redshift-data |  redshift-data:BatchExecuteStatement redshift-data:CancelStatement redshift-data:DescribeStatement redshift-data:DescribeTable redshift-data:ExecuteStatement redshift-data:GetStatementResult redshift-data:ListDatabases redshift-data:ListSchemas redshift-data:ListStatements redshift-data:ListTables  | 
| refactor-spaces |  refactor-spaces:CreateApplication refactor-spaces:CreateEnvironment refactor-spaces:CreateRoute refactor-spaces:CreateService refactor-spaces:DeleteApplication refactor-spaces:DeleteEnvironment refactor-spaces:DeleteResourcePolicy refactor-spaces:DeleteRoute refactor-spaces:DeleteService refactor-spaces:GetApplication refactor-spaces:GetEnvironment refactor-spaces:GetResourcePolicy refactor-spaces:GetRoute refactor-spaces:GetService refactor-spaces:ListApplications refactor-spaces:ListEnvironmentVpcs refactor-spaces:ListEnvironments refactor-spaces:ListRoutes refactor-spaces:ListServices refactor-spaces:PutResourcePolicy refactor-spaces:UpdateRoute  | 
| rekognition |  rekognition:AssociateFaces rekognition:CompareFaces rekognition:CopyProjectVersion rekognition:CreateCollection rekognition:CreateDataset rekognition:CreateFaceLivenessSession rekognition:CreateProject rekognition:CreateProjectVersion rekognition:CreateStreamProcessor rekognition:CreateUser rekognition:DeleteCollection rekognition:DeleteDataset rekognition:DeleteFaces rekognition:DeleteProject rekognition:DeleteProjectPolicy rekognition:DeleteProjectVersion rekognition:DeleteStreamProcessor rekognition:DeleteUser rekognition:DescribeCollection rekognition:DescribeDataset rekognition:DescribeProjectVersions rekognition:DescribeProjects rekognition:DescribeStreamProcessor rekognition:DetectCustomLabels rekognition:DetectFaces rekognition:DetectLabels rekognition:DetectModerationLabels rekognition:DetectProtectiveEquipment rekognition:DetectText rekognition:DisassociateFaces rekognition:DistributeDatasetEntries rekognition:GetCelebrityInfo rekognition:GetCelebrityRecognition rekognition:GetContentModeration rekognition:GetFaceDetection rekognition:GetFaceLivenessSessionResults rekognition:GetFaceSearch rekognition:GetLabelDetection rekognition:GetMediaAnalysisJob rekognition:GetPersonTracking rekognition:GetSegmentDetection rekognition:GetTextDetection rekognition:IndexFaces rekognition:ListCollections rekognition:ListDatasetEntries rekognition:ListDatasetLabels rekognition:ListFaces rekognition:ListMediaAnalysisJobs rekognition:ListProjectPolicies rekognition:ListStreamProcessors rekognition:ListUsers rekognition:PutProjectPolicy rekognition:RecognizeCelebrities rekognition:SearchFaces rekognition:SearchFacesByImage rekognition:SearchUsers rekognition:SearchUsersByImage rekognition:StartCelebrityRecognition rekognition:StartContentModeration rekognition:StartFaceDetection rekognition:StartFaceLivenessSession rekognition:StartFaceSearch rekognition:StartLabelDetection rekognition:StartMediaAnalysisJob rekognition:StartPersonTracking rekognition:StartProjectVersion rekognition:StartSegmentDetection rekognition:StartStreamProcessor rekognition:StartTextDetection rekognition:StopProjectVersion rekognition:StopStreamProcessor rekognition:UpdateDatasetEntries rekognition:UpdateStreamProcessor  | 
| resiliencehub |  resiliencehub:AcceptResourceGroupingRecommendations resiliencehub:AddDraftAppVersionResourceMappings resiliencehub:BatchUpdateRecommendationStatus resiliencehub:CreateApp resiliencehub:CreateAppVersionAppComponent resiliencehub:CreateAppVersionResource resiliencehub:CreateRecommendationTemplate resiliencehub:CreateResiliencyPolicy resiliencehub:DeleteApp resiliencehub:DeleteAppAssessment resiliencehub:DeleteAppInputSource resiliencehub:DeleteAppVersionAppComponent resiliencehub:DeleteAppVersionResource resiliencehub:DeleteRecommendationTemplate resiliencehub:DeleteResiliencyPolicy resiliencehub:DescribeApp resiliencehub:DescribeAppAssessment resiliencehub:DescribeAppVersion resiliencehub:DescribeAppVersionAppComponent resiliencehub:DescribeAppVersionResource resiliencehub:DescribeAppVersionResourcesResolutionStatus resiliencehub:DescribeAppVersionTemplate resiliencehub:DescribeDraftAppVersionResourcesImportStatus resiliencehub:DescribeMetricsExport resiliencehub:DescribeResiliencyPolicy resiliencehub:DescribeResourceGroupingRecommendationTask resiliencehub:ImportResourcesToDraftAppVersion resiliencehub:ListAlarmRecommendations resiliencehub:ListAppAssessmentComplianceDrifts resiliencehub:ListAppAssessmentResourceDrifts resiliencehub:ListAppAssessments resiliencehub:ListAppComponentCompliances resiliencehub:ListAppComponentRecommendations resiliencehub:ListAppInputSources resiliencehub:ListAppVersionAppComponents resiliencehub:ListAppVersionResourceMappings resiliencehub:ListAppVersionResources resiliencehub:ListAppVersions resiliencehub:ListApps resiliencehub:ListMetrics resiliencehub:ListRecommendationTemplates resiliencehub:ListResiliencyPolicies resiliencehub:ListResourceGroupingRecommendations resiliencehub:ListSopRecommendations resiliencehub:ListSuggestedResiliencyPolicies resiliencehub:ListTestRecommendations resiliencehub:ListUnsupportedAppVersionResources resiliencehub:PublishAppVersion resiliencehub:PutDraftAppVersionTemplate resiliencehub:RejectResourceGroupingRecommendations resiliencehub:RemoveDraftAppVersionResourceMappings resiliencehub:ResolveAppVersionResources resiliencehub:StartAppAssessment resiliencehub:StartResourceGroupingRecommendationTask resiliencehub:UpdateApp resiliencehub:UpdateAppVersion resiliencehub:UpdateAppVersionAppComponent resiliencehub:UpdateAppVersionResource resiliencehub:UpdateResiliencyPolicy  | 
| resource-explorer-2 |  resource-explorer-2:AssociateDefaultView resource-explorer-2:BatchGetView resource-explorer-2:CreateIndex resource-explorer-2:CreateResourceExplorerSetup resource-explorer-2:CreateView resource-explorer-2:DeleteIndex resource-explorer-2:DeleteResourceExplorerSetup resource-explorer-2:DeleteView resource-explorer-2:DisassociateDefaultView resource-explorer-2:GetAccountLevelServiceConfiguration resource-explorer-2:GetDefaultView resource-explorer-2:GetIndex resource-explorer-2:GetManagedView resource-explorer-2:GetResourceExplorerSetup resource-explorer-2:GetServiceIndex resource-explorer-2:GetServiceView resource-explorer-2:ListIndexes resource-explorer-2:ListIndexesForMembers resource-explorer-2:ListManagedViews resource-explorer-2:ListServiceIndexes resource-explorer-2:ListServiceViews resource-explorer-2:ListStreamingAccessForServices resource-explorer-2:ListSupportedResourceTypes resource-explorer-2:ListViews resource-explorer-2:Search resource-explorer-2:UpdateIndexType resource-explorer-2:UpdateView  | 
| resource-groups |  resource-groups:CancelTagSyncTask resource-groups:GetAccountSettings resource-groups:GetGroup resource-groups:GetGroupConfiguration resource-groups:GetGroupQuery resource-groups:GetTagSyncTask resource-groups:GroupResources resource-groups:ListGroupResources resource-groups:ListGroupingStatuses resource-groups:ListGroups resource-groups:ListTagSyncTasks resource-groups:PutGroupConfiguration resource-groups:SearchResources resource-groups:StartTagSyncTask resource-groups:UngroupResources resource-groups:UpdateAccountSettings resource-groups:UpdateGroup resource-groups:UpdateGroupQuery  | 
| robomaker |  robomaker:BatchDeleteWorlds robomaker:BatchDescribeSimulationJob robomaker:CancelDeploymentJob robomaker:CancelSimulationJob robomaker:CancelSimulationJobBatch robomaker:CancelWorldExportJob robomaker:CancelWorldGenerationJob robomaker:CreateDeploymentJob robomaker:CreateFleet robomaker:CreateRobot robomaker:CreateRobotApplication robomaker:CreateRobotApplicationVersion robomaker:CreateSimulationApplication robomaker:CreateSimulationApplicationVersion robomaker:CreateSimulationJob robomaker:CreateWorldExportJob robomaker:CreateWorldGenerationJob robomaker:CreateWorldTemplate robomaker:DeleteFleet robomaker:DeleteRobot robomaker:DeleteRobotApplication robomaker:DeleteSimulationApplication robomaker:DeleteWorldTemplate robomaker:DeregisterRobot robomaker:DescribeDeploymentJob robomaker:DescribeFleet robomaker:DescribeRobot robomaker:DescribeRobotApplication robomaker:DescribeSimulationApplication robomaker:DescribeSimulationJob robomaker:DescribeSimulationJobBatch robomaker:DescribeWorld robomaker:DescribeWorldExportJob robomaker:DescribeWorldGenerationJob robomaker:DescribeWorldTemplate robomaker:GetWorldTemplateBody robomaker:ListDeploymentJobs robomaker:ListFleets robomaker:ListRobotApplications robomaker:ListRobots robomaker:ListSimulationApplications robomaker:ListSimulationJobBatches robomaker:ListSimulationJobs robomaker:ListWorldExportJobs robomaker:ListWorldGenerationJobs robomaker:ListWorldTemplates robomaker:ListWorlds robomaker:RegisterRobot robomaker:RestartSimulationJob robomaker:StartSimulationJobBatch robomaker:SyncDeploymentJob robomaker:UpdateRobotApplication robomaker:UpdateSimulationApplication robomaker:UpdateWorldTemplate  | 
| rolesanywhere |  rolesanywhere:CreateProfile rolesanywhere:CreateTrustAnchor rolesanywhere:DeleteAttributeMapping rolesanywhere:DeleteCrl rolesanywhere:DeleteProfile rolesanywhere:DeleteTrustAnchor rolesanywhere:DisableCrl rolesanywhere:DisableProfile rolesanywhere:DisableTrustAnchor rolesanywhere:EnableCrl rolesanywhere:EnableProfile rolesanywhere:EnableTrustAnchor rolesanywhere:GetCrl rolesanywhere:GetProfile rolesanywhere:GetSubject rolesanywhere:GetTrustAnchor rolesanywhere:ImportCrl rolesanywhere:ListCrls rolesanywhere:ListProfiles rolesanywhere:ListSubjects rolesanywhere:ListTrustAnchors rolesanywhere:PutAttributeMapping rolesanywhere:PutNotificationSettings rolesanywhere:ResetNotificationSettings rolesanywhere:UpdateCrl rolesanywhere:UpdateProfile rolesanywhere:UpdateTrustAnchor  | 
| route53 |  route53:ActivateKeySigningKey route53:AssociateVPCWithHostedZone route53:ChangeCidrCollection route53:ChangeResourceRecordSets route53:CreateCidrCollection route53:CreateHealthCheck route53:CreateHostedZone route53:CreateKeySigningKey route53:CreateQueryLoggingConfig route53:CreateReusableDelegationSet route53:CreateTrafficPolicy route53:CreateTrafficPolicyInstance route53:CreateTrafficPolicyVersion route53:CreateVPCAssociationAuthorization route53:DeactivateKeySigningKey route53:DeleteCidrCollection route53:DeleteHealthCheck route53:DeleteHostedZone route53:DeleteKeySigningKey route53:DeleteQueryLoggingConfig route53:DeleteReusableDelegationSet route53:DeleteTrafficPolicy route53:DeleteTrafficPolicyInstance route53:DeleteVPCAssociationAuthorization route53:DisableHostedZoneDNSSEC route53:DisassociateVPCFromHostedZone route53:EnableHostedZoneDNSSEC route53:GetAccountLimit route53:GetChange route53:GetCheckerIpRanges route53:GetDNSSEC route53:GetGeoLocation route53:GetHealthCheck route53:GetHealthCheckCount route53:GetHealthCheckLastFailureReason route53:GetHealthCheckStatus route53:GetHostedZone route53:GetHostedZoneCount route53:GetHostedZoneLimit route53:GetQueryLoggingConfig route53:GetReusableDelegationSet route53:GetReusableDelegationSetLimit route53:GetTrafficPolicy route53:GetTrafficPolicyInstance route53:GetTrafficPolicyInstanceCount route53:ListCidrBlocks route53:ListCidrCollections route53:ListCidrLocations route53:ListGeoLocations route53:ListHealthChecks route53:ListHostedZones route53:ListHostedZonesByName route53:ListHostedZonesByVPC route53:ListQueryLoggingConfigs route53:ListResourceRecordSets route53:ListReusableDelegationSets route53:ListTrafficPolicies route53:ListTrafficPolicyInstances route53:ListTrafficPolicyInstancesByHostedZone route53:ListTrafficPolicyInstancesByPolicy route53:ListTrafficPolicyVersions route53:ListVPCAssociationAuthorizations route53:TestDNSAnswer route53:UpdateHealthCheck route53:UpdateHostedZoneComment route53:UpdateTrafficPolicyComment route53:UpdateTrafficPolicyInstance  | 
| route53-recovery-control-config |  route53-recovery-control-config:CreateCluster route53-recovery-control-config:CreateControlPanel route53-recovery-control-config:CreateRoutingControl route53-recovery-control-config:CreateSafetyRule route53-recovery-control-config:DeleteCluster route53-recovery-control-config:DeleteControlPanel route53-recovery-control-config:DeleteRoutingControl route53-recovery-control-config:DeleteSafetyRule route53-recovery-control-config:DescribeCluster route53-recovery-control-config:DescribeControlPanel route53-recovery-control-config:DescribeRoutingControl route53-recovery-control-config:DescribeSafetyRule route53-recovery-control-config:GetResourcePolicy route53-recovery-control-config:ListAssociatedRoute53HealthChecks route53-recovery-control-config:ListClusters route53-recovery-control-config:ListControlPanels route53-recovery-control-config:ListRoutingControls route53-recovery-control-config:ListSafetyRules route53-recovery-control-config:UpdateCluster route53-recovery-control-config:UpdateControlPanel route53-recovery-control-config:UpdateRoutingControl route53-recovery-control-config:UpdateSafetyRule  | 
| route53-recovery-readiness |  route53-recovery-readiness:CreateCell route53-recovery-readiness:CreateCrossAccountAuthorization route53-recovery-readiness:CreateReadinessCheck route53-recovery-readiness:CreateRecoveryGroup route53-recovery-readiness:CreateResourceSet route53-recovery-readiness:DeleteCell route53-recovery-readiness:DeleteCrossAccountAuthorization route53-recovery-readiness:DeleteReadinessCheck route53-recovery-readiness:DeleteRecoveryGroup route53-recovery-readiness:DeleteResourceSet route53-recovery-readiness:GetArchitectureRecommendations route53-recovery-readiness:GetCell route53-recovery-readiness:GetCellReadinessSummary route53-recovery-readiness:GetReadinessCheck route53-recovery-readiness:GetReadinessCheckResourceStatus route53-recovery-readiness:GetReadinessCheckStatus route53-recovery-readiness:GetRecoveryGroup route53-recovery-readiness:GetRecoveryGroupReadinessSummary route53-recovery-readiness:GetResourceSet route53-recovery-readiness:ListCells route53-recovery-readiness:ListCrossAccountAuthorizations route53-recovery-readiness:ListReadinessChecks route53-recovery-readiness:ListRecoveryGroups route53-recovery-readiness:ListResourceSets route53-recovery-readiness:ListRules route53-recovery-readiness:UpdateCell route53-recovery-readiness:UpdateReadinessCheck route53-recovery-readiness:UpdateRecoveryGroup route53-recovery-readiness:UpdateResourceSet  | 
| route53resolver |  route53resolver:AssociateFirewallRuleGroup route53resolver:AssociateResolverEndpointIpAddress route53resolver:AssociateResolverQueryLogConfig route53resolver:AssociateResolverRule route53resolver:CreateFirewallDomainList route53resolver:CreateFirewallRule route53resolver:CreateFirewallRuleGroup route53resolver:CreateResolverEndpoint route53resolver:CreateResolverQueryLogConfig route53resolver:CreateResolverRule route53resolver:DeleteFirewallDomainList route53resolver:DeleteFirewallRule route53resolver:DeleteFirewallRuleGroup route53resolver:DeleteOutpostResolver route53resolver:DeleteResolverEndpoint route53resolver:DeleteResolverQueryLogConfig route53resolver:DeleteResolverRule route53resolver:DisassociateFirewallRuleGroup route53resolver:DisassociateResolverEndpointIpAddress route53resolver:DisassociateResolverQueryLogConfig route53resolver:DisassociateResolverRule route53resolver:GetFirewallConfig route53resolver:GetFirewallDomainList route53resolver:GetFirewallRuleGroup route53resolver:GetFirewallRuleGroupAssociation route53resolver:GetFirewallRuleGroupPolicy route53resolver:GetOutpostResolver route53resolver:GetResolverConfig route53resolver:GetResolverDnssecConfig route53resolver:GetResolverEndpoint route53resolver:GetResolverQueryLogConfig route53resolver:GetResolverQueryLogConfigAssociation route53resolver:GetResolverQueryLogConfigPolicy route53resolver:GetResolverRule route53resolver:GetResolverRuleAssociation route53resolver:GetResolverRulePolicy route53resolver:ImportFirewallDomains route53resolver:ListFirewallConfigs route53resolver:ListFirewallDomainLists route53resolver:ListFirewallDomains route53resolver:ListFirewallRuleGroupAssociations route53resolver:ListFirewallRuleGroups route53resolver:ListFirewallRules route53resolver:ListOutpostResolvers route53resolver:ListResolverConfigs route53resolver:ListResolverDnssecConfigs route53resolver:ListResolverEndpointIpAddresses route53resolver:ListResolverEndpoints route53resolver:ListResolverQueryLogConfigAssociations route53resolver:ListResolverQueryLogConfigs route53resolver:ListResolverRuleAssociations route53resolver:ListResolverRules route53resolver:PutFirewallRuleGroupPolicy route53resolver:PutResolverQueryLogConfigPolicy route53resolver:UpdateFirewallConfig route53resolver:UpdateFirewallDomains route53resolver:UpdateFirewallRule route53resolver:UpdateFirewallRuleGroupAssociation route53resolver:UpdateOutpostResolver route53resolver:UpdateResolverConfig route53resolver:UpdateResolverDnssecConfig route53resolver:UpdateResolverEndpoint route53resolver:UpdateResolverRule  | 
| rum |  rum:BatchCreateRumMetricDefinitions rum:BatchDeleteRumMetricDefinitions rum:BatchGetRumMetricDefinitions rum:CreateAppMonitor rum:DeleteAppMonitor rum:DeleteResourcePolicy rum:DeleteRumMetricsDestination rum:GetAppMonitor rum:GetAppMonitorData rum:GetResourcePolicy rum:ListAppMonitors rum:ListRumMetricsDestinations rum:PutResourcePolicy rum:PutRumMetricsDestination rum:UpdateAppMonitor rum:UpdateRumMetricDefinition  | 
| s3 |  s3:AssociateAccessGrantsIdentityCenter s3:CreateAccessGrant s3:CreateAccessGrantsInstance s3:CreateAccessGrantsLocation s3:CreateAccessPoint s3:CreateAccessPointForObjectLambda s3:CreateBucket s3:CreateBucketMetadataTableConfiguration s3:CreateJob s3:CreateMultiRegionAccessPoint s3:DeleteAccessGrant s3:DeleteAccessGrantsInstance s3:DeleteAccessGrantsInstanceResourcePolicy s3:DeleteAccessGrantsLocation s3:DeleteAccessPoint s3:DeleteAccessPointForObjectLambda s3:DeleteAccessPointPolicy s3:DeleteAccessPointPolicyForObjectLambda s3:DeleteBucket s3:DeleteBucketMetadataTableConfiguration s3:DeleteBucketPolicy s3:DeleteBucketWebsite s3:DeleteMultiRegionAccessPoint s3:DeleteStorageLensConfiguration s3:DescribeJob s3:DescribeMultiRegionAccessPointOperation s3:DissociateAccessGrantsIdentityCenter s3:GetAccelerateConfiguration s3:GetAccessGrant s3:GetAccessGrantsInstance s3:GetAccessGrantsInstanceForPrefix s3:GetAccessGrantsInstanceResourcePolicy s3:GetAccessGrantsLocation s3:GetAccessPoint s3:GetAccessPointConfigurationForObjectLambda s3:GetAccessPointForObjectLambda s3:GetAccessPointPolicy s3:GetAccessPointPolicyForObjectLambda s3:GetAccessPointPolicyStatus s3:GetAccessPointPolicyStatusForObjectLambda s3:GetAccountPublicAccessBlock s3:GetAnalyticsConfiguration s3:GetBucketAbac s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketNotification s3:GetBucketObjectLockConfiguration s3:GetBucketOwnershipControls s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetBucketRequestPayment s3:GetBucketVersioning s3:GetBucketWebsite s3:GetDataAccess s3:GetEncryptionConfiguration s3:GetIntelligentTieringConfiguration s3:GetInventoryConfiguration s3:GetLifecycleConfiguration s3:GetMetricsConfiguration s3:GetMultiRegionAccessPoint s3:GetMultiRegionAccessPointPolicy s3:GetMultiRegionAccessPointPolicyStatus s3:GetMultiRegionAccessPointRoutes s3:GetReplicationConfiguration s3:GetStorageLensConfiguration s3:GetStorageLensDashboard s3:ListAccessGrants s3:ListAccessGrantsInstances s3:ListAccessGrantsLocations s3:ListAccessPoints s3:ListAccessPointsForObjectLambda s3:ListAllMyBuckets s3:ListBucketMultipartUploads s3:ListCallerAccessGrants s3:ListJobs s3:ListMultiRegionAccessPoints s3:ListStorageLensConfigurations s3:PutAccelerateConfiguration s3:PutAccessGrantsInstanceResourcePolicy s3:PutAccessPointConfigurationForObjectLambda s3:PutAccessPointPolicy s3:PutAccessPointPolicyForObjectLambda s3:PutAccountPublicAccessBlock s3:PutAnalyticsConfiguration s3:PutBucketAbac s3:PutBucketAcl s3:PutBucketCORS s3:PutBucketLogging s3:PutBucketNotification s3:PutBucketObjectLockConfiguration s3:PutBucketOwnershipControls s3:PutBucketPolicy s3:PutBucketPublicAccessBlock s3:PutBucketRequestPayment s3:PutBucketVersioning s3:PutBucketWebsite s3:PutEncryptionConfiguration s3:PutIntelligentTieringConfiguration s3:PutInventoryConfiguration s3:PutLifecycleConfiguration s3:PutMetricsConfiguration s3:PutMultiRegionAccessPointPolicy s3:PutReplicationConfiguration s3:PutStorageLensConfiguration s3:SubmitMultiRegionAccessPointRoutes s3:UpdateAccessGrantsLocation s3:UpdateBucketMetadataJournalTableConfiguration s3:UpdateJobPriority s3:UpdateJobStatus  | 
| s3-outposts |  s3-outposts:CreateEndpoint s3-outposts:DeleteEndpoint s3-outposts:ListEndpoints s3-outposts:ListOutpostsWithS3 s3-outposts:ListSharedEndpoints  | 
| sagemaker-geospatial |  sagemaker-geospatial:DeleteEarthObservationJob sagemaker-geospatial:DeleteVectorEnrichmentJob sagemaker-geospatial:ExportEarthObservationJob sagemaker-geospatial:ExportVectorEnrichmentJob sagemaker-geospatial:GetEarthObservationJob sagemaker-geospatial:GetRasterDataCollection sagemaker-geospatial:GetTile sagemaker-geospatial:GetVectorEnrichmentJob sagemaker-geospatial:ListEarthObservationJobs sagemaker-geospatial:ListRasterDataCollections sagemaker-geospatial:ListVectorEnrichmentJobs sagemaker-geospatial:SearchRasterDataCollection sagemaker-geospatial:StartEarthObservationJob sagemaker-geospatial:StartVectorEnrichmentJob sagemaker-geospatial:StopEarthObservationJob sagemaker-geospatial:StopVectorEnrichmentJob  | 
| savingsplans |  savingsplans:CreateSavingsPlan savingsplans:DeleteQueuedSavingsPlan savingsplans:DescribeSavingsPlanRates savingsplans:DescribeSavingsPlans savingsplans:DescribeSavingsPlansOfferingRates savingsplans:DescribeSavingsPlansOfferings savingsplans:ReturnSavingsPlan  | 
| schemas |  schemas:CreateDiscoverer schemas:CreateRegistry schemas:CreateSchema schemas:DeleteDiscoverer schemas:DeleteRegistry schemas:DeleteResourcePolicy schemas:DeleteSchema schemas:DeleteSchemaVersion schemas:DescribeCodeBinding schemas:DescribeDiscoverer schemas:DescribeRegistry schemas:DescribeSchema schemas:ExportSchema schemas:GetCodeBindingSource schemas:GetDiscoveredSchema schemas:GetResourcePolicy schemas:ListDiscoverers schemas:ListRegistries schemas:ListSchemaVersions schemas:ListSchemas schemas:PutCodeBinding schemas:PutResourcePolicy schemas:SearchSchemas schemas:StartDiscoverer schemas:StopDiscoverer schemas:UpdateDiscoverer schemas:UpdateRegistry schemas:UpdateSchema  | 
| sdb |  sdb:CreateDomain sdb:DeleteDomain sdb:DomainMetadata sdb:ListDomains  | 
| secretsmanager |  secretsmanager:CancelRotateSecret secretsmanager:CreateSecret secretsmanager:DeleteResourcePolicy secretsmanager:DeleteSecret secretsmanager:DescribeSecret secretsmanager:GetRandomPassword secretsmanager:GetResourcePolicy secretsmanager:GetSecretValue secretsmanager:ListSecretVersionIds secretsmanager:ListSecrets secretsmanager:PutResourcePolicy secretsmanager:PutSecretValue secretsmanager:RemoveRegionsFromReplication secretsmanager:ReplicateSecretToRegions secretsmanager:RestoreSecret secretsmanager:RotateSecret secretsmanager:StopReplicationToReplica secretsmanager:UpdateSecret secretsmanager:ValidateResourcePolicy  | 
| securityhub |  securityhub:AcceptAdministratorInvitation securityhub:AcceptInvitation securityhub:BatchDeleteAutomationRules securityhub:BatchDisableStandards securityhub:BatchEnableStandards securityhub:BatchGetAutomationRules securityhub:BatchGetConfigurationPolicyAssociations securityhub:BatchGetSecurityControls securityhub:BatchGetStandardsControlAssociations securityhub:BatchImportFindings securityhub:BatchUpdateAutomationRules securityhub:BatchUpdateFindings securityhub:BatchUpdateStandardsControlAssociations securityhub:ConnectorRegistrationsV2 securityhub:CreateActionTarget securityhub:CreateAggregatorV2 securityhub:CreateAutomationRule securityhub:CreateAutomationRuleV2 securityhub:CreateConfigurationPolicy securityhub:CreateConnectorV2 securityhub:CreateFindingAggregator securityhub:CreateInsight securityhub:CreateMembers securityhub:CreateTicketV2 securityhub:DeclineInvitations securityhub:DeleteActionTarget securityhub:DeleteAggregatorV2 securityhub:DeleteAutomationRuleV2 securityhub:DeleteConfigurationPolicy securityhub:DeleteConnectorV2 securityhub:DeleteFindingAggregator securityhub:DeleteInsight securityhub:DeleteInvitations securityhub:DeleteMembers securityhub:DescribeActionTargets securityhub:DescribeHub securityhub:DescribeOrganizationConfiguration securityhub:DescribeProducts securityhub:DescribeSecurityHubV2 securityhub:DescribeStandards securityhub:DisableImportFindingsForProduct securityhub:DisableOrganizationAdminAccount securityhub:DisableSecurityHub securityhub:DisableSecurityHubV2 securityhub:DisassociateFromAdministratorAccount securityhub:DisassociateFromMasterAccount securityhub:DisassociateMembers securityhub:EnableImportFindingsForProduct securityhub:EnableOrganizationAdminAccount securityhub:EnableSecurityHub securityhub:GetAdministratorAccount securityhub:GetAggregatorV2 securityhub:GetAutomationRuleV2 securityhub:GetConfigurationPolicy securityhub:GetConfigurationPolicyAssociation securityhub:GetConnectorV2 securityhub:GetEnabledStandards securityhub:GetFindingAggregator securityhub:GetFindingHistory securityhub:GetFindings securityhub:GetInsightResults securityhub:GetInsights securityhub:GetInvitationsCount securityhub:GetMasterAccount securityhub:GetMembers securityhub:GetSecurityControlDefinition securityhub:InviteMembers securityhub:ListAggregatorsV2 securityhub:ListAutomationRules securityhub:ListAutomationRulesV2 securityhub:ListConfigurationPolicies securityhub:ListConfigurationPolicyAssociations securityhub:ListConnectorsV2 securityhub:ListEnabledProductsForImport securityhub:ListFindingAggregators securityhub:ListInvitations securityhub:ListMembers securityhub:ListOrganizationAdminAccounts securityhub:ListSecurityControlDefinitions securityhub:ListStandardsControlAssociations securityhub:StartConfigurationPolicyAssociation securityhub:StartConfigurationPolicyDisassociation securityhub:UpdateActionTarget securityhub:UpdateAggregatorV2 securityhub:UpdateAutomationRuleV2 securityhub:UpdateConfigurationPolicy securityhub:UpdateConnectorV2 securityhub:UpdateFindingAggregator securityhub:UpdateFindings securityhub:UpdateInsight securityhub:UpdateOrganizationConfiguration securityhub:UpdateSecurityControl securityhub:UpdateSecurityHubConfiguration  | 
| securitylake |  securitylake:CreateAwsLogSource securitylake:CreateCustomLogSource securitylake:CreateDataLakeExceptionSubscription securitylake:CreateDataLakeOrganizationConfiguration securitylake:CreateSubscriber securitylake:CreateSubscriberNotification securitylake:DeleteAwsLogSource securitylake:DeleteCustomLogSource securitylake:DeleteDataLakeExceptionSubscription securitylake:DeleteDataLakeOrganizationConfiguration securitylake:DeleteSubscriber securitylake:DeleteSubscriberNotification securitylake:DeregisterDataLakeDelegatedAdministrator securitylake:GetDataLakeExceptionSubscription securitylake:GetDataLakeOrganizationConfiguration securitylake:GetDataLakeSources securitylake:GetSubscriber securitylake:ListDataLakes securitylake:ListLogSources securitylake:ListSubscribers securitylake:RegisterDataLakeDelegatedAdministrator securitylake:UpdateDataLakeExceptionSubscription securitylake:UpdateSubscriber securitylake:UpdateSubscriberNotification  | 
| serverlessrepo |  serverlessrepo:CreateApplication serverlessrepo:CreateApplicationVersion serverlessrepo:CreateCloudFormationChangeSet serverlessrepo:CreateCloudFormationTemplate serverlessrepo:DeleteApplication serverlessrepo:GetApplication serverlessrepo:GetApplicationPolicy serverlessrepo:GetCloudFormationTemplate serverlessrepo:ListApplicationDependencies serverlessrepo:ListApplicationVersions serverlessrepo:ListApplications serverlessrepo:PutApplicationPolicy serverlessrepo:UnshareApplication serverlessrepo:UpdateApplication  | 
| servicecatalog |  servicecatalog:AcceptPortfolioShare servicecatalog:AssociateBudgetWithResource servicecatalog:AssociatePrincipalWithPortfolio servicecatalog:AssociateProductWithPortfolio servicecatalog:AssociateServiceActionWithProvisioningArtifact servicecatalog:BatchAssociateServiceActionWithProvisioningArtifact servicecatalog:BatchDisassociateServiceActionFromProvisioningArtifact servicecatalog:CopyProduct servicecatalog:CreateAttributeGroup servicecatalog:CreateConstraint servicecatalog:CreatePortfolio servicecatalog:CreatePortfolioShare servicecatalog:CreateProduct servicecatalog:CreateProvisionedProductPlan servicecatalog:CreateProvisioningArtifact servicecatalog:CreateServiceAction servicecatalog:DeleteAttributeGroup servicecatalog:DeleteConstraint servicecatalog:DeletePortfolio servicecatalog:DeletePortfolioShare servicecatalog:DeleteProduct servicecatalog:DeleteProvisionedProductPlan servicecatalog:DeleteProvisioningArtifact servicecatalog:DeleteServiceAction servicecatalog:DescribeConstraint servicecatalog:DescribeCopyProductStatus servicecatalog:DescribePortfolio servicecatalog:DescribePortfolioShareStatus servicecatalog:DescribePortfolioShares servicecatalog:DescribeProduct servicecatalog:DescribeProductAsAdmin servicecatalog:DescribeProductView servicecatalog:DescribeProvisionedProduct servicecatalog:DescribeProvisionedProductPlan servicecatalog:DescribeProvisioningArtifact servicecatalog:DescribeProvisioningParameters servicecatalog:DescribeRecord servicecatalog:DescribeServiceAction servicecatalog:DescribeServiceActionExecutionParameters servicecatalog:DisableAWSOrganizationsAccess servicecatalog:DisassociateBudgetFromResource servicecatalog:DisassociatePrincipalFromPortfolio servicecatalog:DisassociateProductFromPortfolio servicecatalog:DisassociateServiceActionFromProvisioningArtifact servicecatalog:EnableAWSOrganizationsAccess servicecatalog:ExecuteProvisionedProductPlan servicecatalog:ExecuteProvisionedProductServiceAction servicecatalog:GetAWSOrganizationsAccessStatus servicecatalog:GetProvisionedProductOutputs servicecatalog:ImportAsProvisionedProduct servicecatalog:ListAcceptedPortfolioShares servicecatalog:ListAttributeGroups servicecatalog:ListBudgetsForResource servicecatalog:ListConstraintsForPortfolio servicecatalog:ListLaunchPaths servicecatalog:ListOrganizationPortfolioAccess servicecatalog:ListPortfolioAccess servicecatalog:ListPortfolios servicecatalog:ListPortfoliosForProduct servicecatalog:ListPrincipalsForPortfolio servicecatalog:ListProvisionedProductPlans servicecatalog:ListProvisioningArtifacts servicecatalog:ListProvisioningArtifactsForServiceAction servicecatalog:ListRecordHistory servicecatalog:ListServiceActions servicecatalog:ListServiceActionsForProvisioningArtifact servicecatalog:ListStackInstancesForProvisionedProduct servicecatalog:NotifyProvisionProductEngineWorkflowResult servicecatalog:NotifyTerminateProvisionedProductEngineWorkflowResult servicecatalog:NotifyUpdateProvisionedProductEngineWorkflowResult servicecatalog:ProvisionProduct servicecatalog:RejectPortfolioShare servicecatalog:ScanProvisionedProducts servicecatalog:SearchProducts servicecatalog:SearchProductsAsAdmin servicecatalog:SearchProvisionedProducts servicecatalog:TerminateProvisionedProduct servicecatalog:UpdateConstraint servicecatalog:UpdatePortfolio servicecatalog:UpdatePortfolioShare servicecatalog:UpdateProduct servicecatalog:UpdateProvisionedProduct servicecatalog:UpdateProvisionedProductProperties servicecatalog:UpdateProvisioningArtifact servicecatalog:UpdateServiceAction  | 
| servicediscovery |  servicediscovery:CreateHttpNamespace servicediscovery:CreatePrivateDnsNamespace servicediscovery:CreatePublicDnsNamespace servicediscovery:CreateService servicediscovery:DeleteNamespace servicediscovery:DeleteService servicediscovery:DeleteServiceAttributes servicediscovery:DeregisterInstance servicediscovery:GetInstance servicediscovery:GetInstancesHealthStatus servicediscovery:GetNamespace servicediscovery:GetOperation servicediscovery:GetService servicediscovery:ListInstances servicediscovery:ListNamespaces servicediscovery:ListOperations servicediscovery:ListServices servicediscovery:RegisterInstance servicediscovery:UpdateHttpNamespace servicediscovery:UpdateInstanceCustomHealthStatus servicediscovery:UpdatePrivateDnsNamespace servicediscovery:UpdatePublicDnsNamespace servicediscovery:UpdateService servicediscovery:UpdateServiceAttributes  | 
| servicequotas |  servicequotas:AssociateServiceQuotaTemplate servicequotas:CreateSupportCase servicequotas:DeleteServiceQuotaIncreaseRequestFromTemplate servicequotas:DisassociateServiceQuotaTemplate servicequotas:GetAWSDefaultServiceQuota servicequotas:GetAssociationForServiceQuotaTemplate servicequotas:GetAutoManagementConfiguration servicequotas:GetQuotaUtilizationReport servicequotas:GetRequestedServiceQuotaChange servicequotas:GetServiceQuota servicequotas:GetServiceQuotaIncreaseRequestFromTemplate servicequotas:ListAWSDefaultServiceQuotas servicequotas:ListRequestedServiceQuotaChangeHistory servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota servicequotas:ListServiceQuotaIncreaseRequestsInTemplate servicequotas:ListServiceQuotas servicequotas:ListServices servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate servicequotas:RequestServiceQuotaIncrease servicequotas:StartAutoManagement servicequotas:StartQuotaUtilizationReport servicequotas:StopAutoManagement servicequotas:UpdateAutoManagement  | 
| ses |  ses:BatchGetMetricData ses:CloneReceiptRuleSet ses:CreateAddonInstance ses:CreateAddonSubscription ses:CreateAddressList ses:CreateAddressListImportJob ses:CreateArchive ses:CreateConfigurationSet ses:CreateConfigurationSetEventDestination ses:CreateConfigurationSetTrackingOptions ses:CreateContact ses:CreateContactList ses:CreateCustomVerificationEmailTemplate ses:CreateDedicatedIpPool ses:CreateDeliverabilityTestReport ses:CreateEmailIdentity ses:CreateEmailIdentityPolicy ses:CreateEmailTemplate ses:CreateImportJob ses:CreateIngressPoint ses:CreateMultiRegionEndpoint ses:CreateReceiptFilter ses:CreateReceiptRule ses:CreateReceiptRuleSet ses:CreateRelay ses:CreateRuleSet ses:CreateTemplate ses:CreateTenant ses:CreateTenantResourceAssociation ses:CreateTrafficPolicy ses:DeleteAddonInstance ses:DeleteAddonSubscription ses:DeleteAddressList ses:DeleteArchive ses:DeleteConfigurationSet ses:DeleteConfigurationSetEventDestination ses:DeleteConfigurationSetTrackingOptions ses:DeleteContact ses:DeleteContactList ses:DeleteCustomVerificationEmailTemplate ses:DeleteDedicatedIpPool ses:DeleteEmailIdentity ses:DeleteEmailIdentityPolicy ses:DeleteEmailTemplate ses:DeleteIdentity ses:DeleteIdentityPolicy ses:DeleteIngressPoint ses:DeleteMultiRegionEndpoint ses:DeleteReceiptFilter ses:DeleteReceiptRule ses:DeleteReceiptRuleSet ses:DeleteRelay ses:DeleteRuleSet ses:DeleteSuppressedDestination ses:DeleteTemplate ses:DeleteTenant ses:DeleteTenantResourceAssociation ses:DeleteTrafficPolicy ses:DeleteVerifiedEmailAddress ses:DeregisterMemberFromAddressList ses:DescribeActiveReceiptRuleSet ses:DescribeConfigurationSet ses:DescribeReceiptRule ses:DescribeReceiptRuleSet ses:GetAccount ses:GetAccountSendingEnabled ses:GetAddonInstance ses:GetAddonSubscription ses:GetAddressList ses:GetArchive ses:GetArchiveExport ses:GetArchiveMessage ses:GetArchiveMessageContent ses:GetArchiveSearch ses:GetArchiveSearchResults ses:GetBlacklistReports ses:GetConfigurationSet ses:GetConfigurationSetEventDestinations ses:GetContact ses:GetContactList ses:GetCustomVerificationEmailTemplate ses:GetDedicatedIp ses:GetDedicatedIpPool ses:GetDedicatedIps ses:GetDeliverabilityDashboardOptions ses:GetDeliverabilityTestReport ses:GetDomainDeliverabilityCampaign ses:GetDomainStatisticsReport ses:GetEmailAddressInsights ses:GetEmailIdentity ses:GetEmailIdentityPolicies ses:GetEmailTemplate ses:GetIdentityDkimAttributes ses:GetIdentityMailFromDomainAttributes ses:GetIdentityNotificationAttributes ses:GetIdentityPolicies ses:GetIdentityVerificationAttributes ses:GetImportJob ses:GetIngressPoint ses:GetMemberOfAddressList ses:GetMessageInsights ses:GetMultiRegionEndpoint ses:GetRelay ses:GetRuleSet ses:GetSendQuota ses:GetSendStatistics ses:GetSuppressedDestination ses:GetTemplate ses:GetTenant ses:GetTrafficPolicy ses:ListAddonInstances ses:ListAddonSubscriptions ses:ListAddressListImportJobs ses:ListAddressLists ses:ListArchiveExports ses:ListArchiveSearches ses:ListArchives ses:ListConfigurationSets ses:ListContactLists ses:ListContacts ses:ListCustomVerificationEmailTemplates ses:ListDedicatedIpPools ses:ListDeliverabilityTestReports ses:ListDomainDeliverabilityCampaigns ses:ListEmailIdentities ses:ListEmailTemplates ses:ListExportJobs ses:ListIdentities ses:ListIdentityPolicies ses:ListImportJobs ses:ListIngressPoints ses:ListMembersOfAddressList ses:ListMultiRegionEndpoints ses:ListReceiptFilters ses:ListReceiptRuleSets ses:ListRecommendations ses:ListRelays ses:ListReputationEntities ses:ListResourceTenants ses:ListRuleSets ses:ListSuppressedDestinations ses:ListTemplates ses:ListTenantResources ses:ListTenants ses:ListTrafficPolicies ses:ListVerifiedEmailAddresses ses:PutAccountDedicatedIpWarmupAttributes ses:PutAccountDetails ses:PutAccountSendingAttributes ses:PutAccountSuppressionAttributes ses:PutAccountVdmAttributes ses:PutConfigurationSetArchivingOptions ses:PutConfigurationSetDeliveryOptions ses:PutConfigurationSetReputationOptions ses:PutConfigurationSetSendingOptions ses:PutConfigurationSetSuppressionOptions ses:PutConfigurationSetTrackingOptions ses:PutConfigurationSetVdmOptions ses:PutDedicatedIpInPool ses:PutDedicatedIpPoolScalingAttributes ses:PutDedicatedIpWarmupAttributes ses:PutDeliverabilityDashboardOption ses:PutEmailIdentityConfigurationSetAttributes ses:PutEmailIdentityDkimAttributes ses:PutEmailIdentityDkimSigningAttributes ses:PutEmailIdentityFeedbackAttributes ses:PutEmailIdentityMailFromAttributes ses:PutIdentityPolicy ses:PutSuppressedDestination ses:RegisterMemberToAddressList ses:ReorderReceiptRuleSet ses:SendBounce ses:SendCustomVerificationEmail ses:SetActiveReceiptRuleSet ses:SetIdentityDkimEnabled ses:SetIdentityFeedbackForwardingEnabled ses:SetIdentityHeadersInNotificationsEnabled ses:SetIdentityMailFromDomain ses:SetIdentityNotificationTopic ses:SetReceiptRulePosition ses:StartArchiveExport ses:StartArchiveSearch ses:StopArchiveExport ses:StopArchiveSearch ses:TestRenderEmailTemplate ses:TestRenderTemplate ses:UpdateAccountSendingEnabled ses:UpdateArchive ses:UpdateConfigurationSetEventDestination ses:UpdateConfigurationSetReputationMetricsEnabled ses:UpdateConfigurationSetSendingEnabled ses:UpdateConfigurationSetTrackingOptions ses:UpdateContact ses:UpdateContactList ses:UpdateCustomVerificationEmailTemplate ses:UpdateEmailIdentityPolicy ses:UpdateEmailTemplate ses:UpdateIngressPoint ses:UpdateReceiptRule ses:UpdateRelay ses:UpdateRuleSet ses:UpdateTemplate ses:UpdateTrafficPolicy ses:VerifyDomainDkim ses:VerifyDomainIdentity ses:VerifyEmailAddress ses:VerifyEmailIdentity  | 
| shield |  shield:AssociateDRTLogBucket shield:AssociateHealthCheck shield:AssociateProactiveEngagementDetails shield:CreateProtection shield:CreateProtectionGroup shield:CreateSubscription shield:DeleteProtection shield:DeleteProtectionGroup shield:DeleteSubscription shield:DescribeAttack shield:DescribeAttackStatistics shield:DescribeDRTAccess shield:DescribeEmergencyContactSettings shield:DescribeProtection shield:DescribeProtectionGroup shield:DescribeSubscription shield:DisableApplicationLayerAutomaticResponse shield:DisableProactiveEngagement shield:DisassociateDRTLogBucket shield:DisassociateDRTRole shield:DisassociateHealthCheck shield:EnableApplicationLayerAutomaticResponse shield:EnableProactiveEngagement shield:GetSubscriptionState shield:ListAttacks shield:ListProtectionGroups shield:ListProtections shield:ListResourcesInProtectionGroup shield:UpdateApplicationLayerAutomaticResponse shield:UpdateEmergencyContactSettings shield:UpdateProtectionGroup shield:UpdateSubscription  | 
| signer |  signer:AddProfilePermission signer:CancelSigningProfile signer:DescribeSigningJob signer:GetSigningPlatform signer:GetSigningProfile signer:ListProfilePermissions signer:ListSigningJobs signer:ListSigningPlatforms signer:ListSigningProfiles signer:PutSigningProfile signer:RemoveProfilePermission signer:RevokeSignature signer:RevokeSigningProfile signer:SignPayload signer:StartSigningJob  | 
| simspaceweaver |  simspaceweaver:CreateSnapshot simspaceweaver:DeleteApp simspaceweaver:DeleteSimulation simspaceweaver:DescribeApp simspaceweaver:DescribeSimulation simspaceweaver:ListApps simspaceweaver:ListSimulations simspaceweaver:StartApp simspaceweaver:StartClock simspaceweaver:StartSimulation simspaceweaver:StopApp simspaceweaver:StopClock simspaceweaver:StopSimulation  | 
| sms |  sms:CreateApp sms:CreateReplicationJob sms:DeleteApp sms:DeleteAppLaunchConfiguration sms:DeleteAppReplicationConfiguration sms:DeleteAppValidationConfiguration sms:DeleteReplicationJob sms:DeleteServerCatalog sms:DisassociateConnector sms:GenerateChangeSet sms:GenerateTemplate sms:GetApp sms:GetAppLaunchConfiguration sms:GetAppReplicationConfiguration sms:GetAppValidationConfiguration sms:GetAppValidationOutput sms:GetConnectors sms:GetReplicationJobs sms:GetReplicationRuns sms:GetServers sms:ImportAppCatalog sms:ImportServerCatalog sms:LaunchApp sms:ListApps sms:NotifyAppValidationOutput sms:PutAppLaunchConfiguration sms:PutAppReplicationConfiguration sms:PutAppValidationConfiguration sms:StartAppReplication sms:StartOnDemandAppReplication sms:StartOnDemandReplicationRun sms:StopAppReplication sms:TerminateApp sms:UpdateApp sms:UpdateReplicationJob  | 
| sms-voice |  sms-voice:AssociateProtectConfiguration sms-voice:CreateConfigurationSet sms-voice:CreateConfigurationSetEventDestination sms-voice:CreateEventDestination sms-voice:CreateOptOutList sms-voice:CreatePool sms-voice:CreateProtectConfiguration sms-voice:CreateRegistration sms-voice:CreateRegistrationAssociation sms-voice:CreateRegistrationAttachment sms-voice:CreateRegistrationVersion sms-voice:CreateVerifiedDestinationNumber sms-voice:DeleteAccountDefaultProtectConfiguration sms-voice:DeleteConfigurationSet sms-voice:DeleteConfigurationSetEventDestination sms-voice:DeleteDefaultMessageType sms-voice:DeleteDefaultSenderId sms-voice:DeleteEventDestination sms-voice:DeleteKeyword sms-voice:DeleteMediaMessageSpendLimitOverride sms-voice:DeleteOptOutList sms-voice:DeleteOptedOutNumber sms-voice:DeletePool sms-voice:DeleteProtectConfiguration sms-voice:DeleteProtectConfigurationRuleSetNumberOverride sms-voice:DeleteRegistration sms-voice:DeleteRegistrationAttachment sms-voice:DeleteResourcePolicy sms-voice:DeleteTextMessageSpendLimitOverride sms-voice:DeleteVerifiedDestinationNumber sms-voice:DeleteVoiceMessageSpendLimitOverride sms-voice:DescribeAccountAttributes sms-voice:DescribeAccountLimits sms-voice:DescribeConfigurationSets sms-voice:DescribeKeywords sms-voice:DescribeOptOutLists sms-voice:DescribeOptedOutNumbers sms-voice:DescribePhoneNumbers sms-voice:DescribePools sms-voice:DescribeProtectConfigurations sms-voice:DescribeRegistrationAttachments sms-voice:DescribeRegistrationFieldDefinitions sms-voice:DescribeRegistrationFieldValues sms-voice:DescribeRegistrationSectionDefinitions sms-voice:DescribeRegistrationTypeDefinitions sms-voice:DescribeRegistrationVersions sms-voice:DescribeRegistrations sms-voice:DescribeSenderIds sms-voice:DescribeSpendLimits sms-voice:DescribeVerifiedDestinationNumbers sms-voice:DisassociateOriginationIdentity sms-voice:DisassociateProtectConfiguration sms-voice:DiscardRegistrationVersion sms-voice:GetConfigurationSetEventDestinations sms-voice:GetProtectConfigurationCountryRuleSet sms-voice:GetResourcePolicy sms-voice:ListConfigurationSets sms-voice:ListPoolOriginationIdentities sms-voice:ListProtectConfigurationRuleSetNumberOverrides sms-voice:ListRegistrationAssociations sms-voice:PutKeyword sms-voice:PutOptedOutNumber sms-voice:PutProtectConfigurationRuleSetNumberOverride sms-voice:PutResourcePolicy sms-voice:ReleasePhoneNumber sms-voice:ReleaseSenderId sms-voice:RequestPhoneNumber sms-voice:RequestSenderId sms-voice:SendDestinationNumberVerificationCode sms-voice:SetAccountDefaultProtectConfiguration sms-voice:SetDefaultMessageFeedbackEnabled sms-voice:SetDefaultMessageType sms-voice:SetDefaultSenderId sms-voice:SetMediaMessageSpendLimitOverride sms-voice:SetTextMessageSpendLimitOverride sms-voice:SetVoiceMessageSpendLimitOverride sms-voice:SubmitRegistrationVersion sms-voice:UpdateConfigurationSetEventDestination sms-voice:UpdateEventDestination sms-voice:UpdatePhoneNumber sms-voice:UpdatePool sms-voice:UpdateProtectConfiguration sms-voice:UpdateProtectConfigurationCountryRuleSet sms-voice:UpdateSenderId  | 
| snowball |  snowball:CancelCluster snowball:CancelJob snowball:CreateAddress snowball:CreateCluster snowball:CreateJob snowball:CreateLongTermPricing snowball:CreateReturnShippingLabel snowball:DescribeAddress snowball:DescribeAddresses snowball:DescribeCluster snowball:DescribeJob snowball:DescribeReturnShippingLabel snowball:GetJobManifest snowball:GetJobUnlockCode snowball:GetSnowballUsage snowball:GetSoftwareUpdates snowball:ListClusterJobs snowball:ListClusters snowball:ListCompatibleImages snowball:ListJobs snowball:ListLongTermPricing snowball:ListPickupLocations snowball:ListServiceVersions snowball:UpdateCluster snowball:UpdateJob snowball:UpdateJobShipmentState snowball:UpdateLongTermPricing  | 
| sqs |  sqs:AddPermission sqs:CancelMessageMoveTask sqs:CreateQueue sqs:DeleteQueue sqs:PurgeQueue sqs:RemovePermission sqs:SetQueueAttributes  | 
| ssm |  ssm:AssociateOpsItemRelatedItem ssm:CancelCommand ssm:CancelMaintenanceWindowExecution ssm:CreateActivation ssm:CreateAssociation ssm:CreateAssociationBatch ssm:CreateDocument ssm:CreateMaintenanceWindow ssm:CreateOpsItem ssm:CreateOpsMetadata ssm:CreatePatchBaseline ssm:CreateResourceDataSync ssm:DeleteActivation ssm:DeleteAssociation ssm:DeleteDocument ssm:DeleteInventory ssm:DeleteMaintenanceWindow ssm:DeleteOpsItem ssm:DeleteOpsMetadata ssm:DeleteParameter ssm:DeleteParameters ssm:DeletePatchBaseline ssm:DeleteResourceDataSync ssm:DeleteResourcePolicy ssm:DeregisterManagedInstance ssm:DeregisterPatchBaselineForPatchGroup ssm:DeregisterTargetFromMaintenanceWindow ssm:DeregisterTaskFromMaintenanceWindow ssm:DescribeActivations ssm:DescribeAssociation ssm:DescribeAssociationExecutionTargets ssm:DescribeAssociationExecutions ssm:DescribeAutomationExecutions ssm:DescribeAutomationStepExecutions ssm:DescribeAvailablePatches ssm:DescribeDocument ssm:DescribeDocumentParameters ssm:DescribeDocumentPermission ssm:DescribeEffectiveInstanceAssociations ssm:DescribeEffectivePatchesForPatchBaseline ssm:DescribeInstanceAssociationsStatus ssm:DescribeInstanceInformation ssm:DescribeInstancePatchStates ssm:DescribeInstancePatchStatesForPatchGroup ssm:DescribeInstancePatches ssm:DescribeInstanceProperties ssm:DescribeInventoryDeletions ssm:DescribeMaintenanceWindowExecutionTaskInvocations ssm:DescribeMaintenanceWindowExecutionTasks ssm:DescribeMaintenanceWindowExecutions ssm:DescribeMaintenanceWindowSchedule ssm:DescribeMaintenanceWindowTargets ssm:DescribeMaintenanceWindowTasks ssm:DescribeMaintenanceWindows ssm:DescribeMaintenanceWindowsForTarget ssm:DescribeOpsItems ssm:DescribeParameters ssm:DescribePatchBaselines ssm:DescribePatchGroupState ssm:DescribePatchGroups ssm:DescribePatchProperties ssm:DescribeSessions ssm:DisassociateOpsItemRelatedItem ssm:GetAccessToken ssm:GetAutomationExecution ssm:GetCalendarState ssm:GetCommandInvocation ssm:GetConnectionStatus ssm:GetDefaultPatchBaseline ssm:GetDeployablePatchSnapshotForInstance ssm:GetDocument ssm:GetExecutionPreview ssm:GetInventory ssm:GetInventorySchema ssm:GetMaintenanceWindow ssm:GetMaintenanceWindowExecution ssm:GetMaintenanceWindowExecutionTask ssm:GetMaintenanceWindowExecutionTaskInvocation ssm:GetMaintenanceWindowTask ssm:GetOpsItem ssm:GetOpsMetadata ssm:GetOpsSummary ssm:GetParameter ssm:GetParameterHistory ssm:GetParameters ssm:GetParametersByPath ssm:GetPatchBaseline ssm:GetPatchBaselineForPatchGroup ssm:GetResourcePolicies ssm:GetServiceSetting ssm:LabelParameterVersion ssm:ListAssociationVersions ssm:ListAssociations ssm:ListCommandInvocations ssm:ListCommands ssm:ListComplianceItems ssm:ListComplianceSummaries ssm:ListDocumentMetadataHistory ssm:ListDocumentVersions ssm:ListDocuments ssm:ListInstanceAssociations ssm:ListInventoryEntries ssm:ListNodes ssm:ListNodesSummary ssm:ListOpsItemEvents ssm:ListOpsItemRelatedItems ssm:ListOpsMetadata ssm:ListResourceComplianceSummaries ssm:ListResourceDataSync ssm:ModifyDocumentPermission ssm:PutComplianceItems ssm:PutInventory ssm:PutParameter ssm:PutResourcePolicy ssm:RegisterDefaultPatchBaseline ssm:RegisterManagedInstance ssm:RegisterPatchBaselineForPatchGroup ssm:RegisterTargetWithMaintenanceWindow ssm:RegisterTaskWithMaintenanceWindow ssm:ResetServiceSetting ssm:ResumeSession ssm:SendAutomationSignal ssm:SendCommand ssm:StartAssociationsOnce ssm:StartAutomationExecution ssm:StartChangeRequestExecution ssm:StartSession ssm:StopAutomationExecution ssm:TerminateSession ssm:UnlabelParameterVersion ssm:UpdateAssociation ssm:UpdateAssociationStatus ssm:UpdateDocument ssm:UpdateDocumentDefaultVersion ssm:UpdateDocumentMetadata ssm:UpdateInstanceInformation ssm:UpdateMaintenanceWindow ssm:UpdateMaintenanceWindowTarget ssm:UpdateMaintenanceWindowTask ssm:UpdateManagedInstanceRole ssm:UpdateOpsItem ssm:UpdateOpsMetadata ssm:UpdatePatchBaseline ssm:UpdateResourceDataSync ssm:UpdateServiceSetting  | 
| ssm-incidents |  ssm-incidents:BatchGetIncidentFindings ssm-incidents:CreateReplicationSet ssm-incidents:CreateResponsePlan ssm-incidents:CreateTimelineEvent ssm-incidents:DeleteIncidentRecord ssm-incidents:DeleteReplicationSet ssm-incidents:DeleteResourcePolicy ssm-incidents:DeleteResponsePlan ssm-incidents:DeleteTimelineEvent ssm-incidents:GetIncidentRecord ssm-incidents:GetReplicationSet ssm-incidents:GetResourcePolicies ssm-incidents:GetResponsePlan ssm-incidents:GetTimelineEvent ssm-incidents:ListIncidentFindings ssm-incidents:ListIncidentRecords ssm-incidents:ListRelatedItems ssm-incidents:ListReplicationSets ssm-incidents:ListResponsePlans ssm-incidents:ListTimelineEvents ssm-incidents:PutResourcePolicy ssm-incidents:StartIncident ssm-incidents:UpdateDeletionProtection ssm-incidents:UpdateIncidentRecord ssm-incidents:UpdateRelatedItems ssm-incidents:UpdateReplicationSet ssm-incidents:UpdateResponsePlan ssm-incidents:UpdateTimelineEvent  | 
| ssm-sap |  ssm-sap:BackupDatabase ssm-sap:DeleteResourcePermission ssm-sap:DeregisterApplication ssm-sap:GetApplication ssm-sap:GetComponent ssm-sap:GetConfigurationCheckOperation ssm-sap:GetDatabase ssm-sap:GetOperation ssm-sap:GetResourcePermission ssm-sap:ListApplications ssm-sap:ListComponents ssm-sap:ListConfigurationCheckDefinitions ssm-sap:ListConfigurationCheckOperations ssm-sap:ListDatabases ssm-sap:ListOperationEvents ssm-sap:ListOperations ssm-sap:ListSubCheckResults ssm-sap:ListSubCheckRuleResults ssm-sap:PutResourcePermission ssm-sap:RegisterApplication ssm-sap:RestoreDatabase ssm-sap:StartApplication ssm-sap:StartApplicationRefresh ssm-sap:StartConfigurationChecks ssm-sap:StopApplication ssm-sap:UpdateApplicationSettings ssm-sap:UpdateHANABackupSettings  | 
| states |  states:CreateActivity states:CreateStateMachine states:CreateStateMachineAlias states:DeleteActivity states:DeleteStateMachine states:DeleteStateMachineAlias states:DeleteStateMachineVersion states:DescribeActivity states:DescribeExecution states:DescribeMapRun states:DescribeStateMachine states:DescribeStateMachineAlias states:DescribeStateMachineForExecution states:GetExecutionHistory states:ListActivities states:ListExecutions states:ListMapRuns states:ListStateMachineAliases states:ListStateMachineVersions states:ListStateMachines states:SendTaskFailure states:SendTaskHeartbeat states:SendTaskSuccess states:StartExecution states:StopExecution states:UpdateMapRun states:UpdateStateMachine states:UpdateStateMachineAlias states:ValidateStateMachineDefinition  | 
| sts |  sts:AssumeRole sts:AssumeRoleWithSAML sts:AssumeRoleWithWebIdentity sts:DecodeAuthorizationMessage sts:GetAccessKeyInfo sts:GetCallerIdentity sts:GetFederationToken sts:GetSessionToken sts:GetWebIdentityToken  | 
| swf |  swf:DeleteActivityType swf:DeleteWorkflowType swf:DeprecateActivityType swf:DeprecateDomain swf:DeprecateWorkflowType swf:DescribeActivityType swf:DescribeDomain swf:DescribeWorkflowType swf:ListActivityTypes swf:ListDomains swf:ListWorkflowTypes swf:RegisterActivityType swf:RegisterDomain swf:RegisterWorkflowType swf:UndeprecateActivityType swf:UndeprecateDomain swf:UndeprecateWorkflowType  | 
| synthetics |  synthetics:AssociateResource synthetics:CreateCanary synthetics:CreateGroup synthetics:DeleteCanary synthetics:DeleteGroup synthetics:DescribeCanaries synthetics:DescribeCanariesLastRun synthetics:DescribeRuntimeVersions synthetics:DisassociateResource synthetics:GetCanary synthetics:GetCanaryRuns synthetics:GetGroup synthetics:ListAssociatedGroups synthetics:ListGroupResources synthetics:ListGroups synthetics:StartCanary synthetics:StartCanaryDryRun synthetics:StopCanary synthetics:UpdateCanary  | 
| tag |  tag:DescribeReportCreation tag:GetComplianceSummary tag:GetResources tag:StartReportCreation  | 
| textract |  textract:AnalyzeDocument textract:AnalyzeExpense textract:AnalyzeID textract:CreateAdapter textract:CreateAdapterVersion textract:DeleteAdapter textract:DeleteAdapterVersion textract:DetectDocumentText textract:GetAdapter textract:GetAdapterVersion textract:GetDocumentAnalysis textract:GetDocumentTextDetection textract:GetExpenseAnalysis textract:GetLendingAnalysis textract:GetLendingAnalysisSummary textract:ListAdapterVersions textract:ListAdapters textract:StartDocumentAnalysis textract:StartDocumentTextDetection textract:StartExpenseAnalysis textract:StartLendingAnalysis textract:UpdateAdapter  | 
| timestream |  timestream:CancelQuery timestream:CreateDatabase timestream:CreateScheduledQuery timestream:CreateTable timestream:DeleteDatabase timestream:DeleteScheduledQuery timestream:DeleteTable timestream:DescribeAccountSettings timestream:DescribeDatabase timestream:DescribeScheduledQuery timestream:DescribeTable timestream:ExecuteScheduledQuery timestream:ListBatchLoadTasks timestream:ListDatabases timestream:ListScheduledQueries timestream:ListTables timestream:PrepareQuery timestream:UpdateAccountSettings timestream:UpdateDatabase timestream:UpdateScheduledQuery timestream:UpdateTable  | 
| tnb |  tnb:CancelSolNetworkOperation tnb:CreateSolFunctionPackage tnb:CreateSolNetworkInstance tnb:CreateSolNetworkPackage tnb:DeleteSolFunctionPackage tnb:DeleteSolNetworkInstance tnb:DeleteSolNetworkPackage tnb:GetSolFunctionInstance tnb:GetSolFunctionPackage tnb:GetSolFunctionPackageContent tnb:GetSolFunctionPackageDescriptor tnb:GetSolNetworkInstance tnb:GetSolNetworkOperation tnb:GetSolNetworkPackage tnb:GetSolNetworkPackageContent tnb:GetSolNetworkPackageDescriptor tnb:InstantiateSolNetworkInstance tnb:ListSolFunctionInstances tnb:ListSolFunctionPackages tnb:ListSolNetworkInstances tnb:ListSolNetworkOperations tnb:ListSolNetworkPackages tnb:PutSolFunctionPackageContent tnb:PutSolNetworkPackageContent tnb:TerminateSolNetworkInstance tnb:UpdateSolFunctionPackage tnb:UpdateSolNetworkInstance tnb:UpdateSolNetworkPackage tnb:ValidateSolFunctionPackageContent tnb:ValidateSolNetworkPackageContent  | 
| transcribe |  transcribe:CreateCallAnalyticsCategory transcribe:CreateLanguageModel transcribe:CreateMedicalVocabulary transcribe:CreateVocabulary transcribe:CreateVocabularyFilter transcribe:DeleteCallAnalyticsCategory transcribe:DeleteCallAnalyticsJob transcribe:DeleteLanguageModel transcribe:DeleteMedicalScribeJob transcribe:DeleteMedicalTranscriptionJob transcribe:DeleteMedicalVocabulary transcribe:DeleteTranscriptionJob transcribe:DeleteVocabulary transcribe:DeleteVocabularyFilter transcribe:DescribeLanguageModel transcribe:GetCallAnalyticsCategory transcribe:GetCallAnalyticsJob transcribe:GetMedicalScribeJob transcribe:GetMedicalTranscriptionJob transcribe:GetMedicalVocabulary transcribe:GetTranscriptionJob transcribe:GetVocabulary transcribe:GetVocabularyFilter transcribe:ListCallAnalyticsCategories transcribe:ListCallAnalyticsJobs transcribe:ListLanguageModels transcribe:ListMedicalScribeJobs transcribe:ListMedicalTranscriptionJobs transcribe:ListMedicalVocabularies transcribe:ListTranscriptionJobs transcribe:ListVocabularies transcribe:ListVocabularyFilters transcribe:StartCallAnalyticsJob transcribe:StartCallAnalyticsStreamTranscription transcribe:StartCallAnalyticsStreamTranscriptionWebSocket transcribe:StartMedicalScribeJob transcribe:StartMedicalStreamTranscription transcribe:StartMedicalStreamTranscriptionWebSocket transcribe:StartMedicalTranscriptionJob transcribe:StartStreamTranscription transcribe:StartStreamTranscriptionWebSocket transcribe:StartTranscriptionJob transcribe:UpdateCallAnalyticsCategory transcribe:UpdateMedicalVocabulary transcribe:UpdateVocabulary transcribe:UpdateVocabularyFilter  | 
| transfer |  transfer:CreateAccess transfer:CreateAgreement transfer:CreateConnector transfer:CreateProfile transfer:CreateServer transfer:CreateUser transfer:CreateWebApp transfer:CreateWorkflow transfer:DeleteAccess transfer:DeleteAgreement transfer:DeleteCertificate transfer:DeleteConnector transfer:DeleteHostKey transfer:DeleteProfile transfer:DeleteServer transfer:DeleteSshPublicKey transfer:DeleteUser transfer:DeleteWebApp transfer:DeleteWebAppCustomization transfer:DeleteWorkflow transfer:DescribeAccess transfer:DescribeAgreement transfer:DescribeCertificate transfer:DescribeConnector transfer:DescribeExecution transfer:DescribeHostKey transfer:DescribeProfile transfer:DescribeSecurityPolicy transfer:DescribeServer transfer:DescribeUser transfer:DescribeWebApp transfer:DescribeWebAppCustomization transfer:DescribeWorkflow transfer:ImportCertificate transfer:ImportHostKey transfer:ImportSshPublicKey transfer:ListAccesses transfer:ListCertificates transfer:ListConnectors transfer:ListExecutions transfer:ListFileTransferResults transfer:ListHostKeys transfer:ListProfiles transfer:ListSecurityPolicies transfer:ListServers transfer:ListUsers transfer:ListWebApps transfer:ListWorkflows transfer:SendWorkflowStepState transfer:StartDirectoryListing transfer:StartFileTransfer transfer:StartRemoteDelete transfer:StartRemoteMove transfer:StartServer transfer:StopServer transfer:TestConnection transfer:TestIdentityProvider transfer:UpdateAccess transfer:UpdateAgreement transfer:UpdateCertificate transfer:UpdateConnector transfer:UpdateHostKey transfer:UpdateProfile transfer:UpdateServer transfer:UpdateUser transfer:UpdateWebApp transfer:UpdateWebAppCustomization  | 
| translate |  translate:CreateParallelData translate:DeleteParallelData translate:DeleteTerminology translate:DescribeTextTranslationJob translate:GetParallelData translate:GetTerminology translate:ImportTerminology translate:ListLanguages translate:ListParallelData translate:ListTerminologies translate:ListTextTranslationJobs translate:StartTextTranslationJob translate:StopTextTranslationJob translate:TranslateDocument translate:TranslateText translate:UpdateParallelData  | 
| voiceid |  voiceid:AssociateFraudster voiceid:CreateDomain voiceid:CreateWatchlist voiceid:DeleteDomain voiceid:DeleteFraudster voiceid:DeleteSpeaker voiceid:DeleteWatchlist voiceid:DescribeDomain voiceid:DescribeFraudster voiceid:DescribeFraudsterRegistrationJob voiceid:DescribeSpeaker voiceid:DescribeSpeakerEnrollmentJob voiceid:DescribeWatchlist voiceid:DisassociateFraudster voiceid:EvaluateSession voiceid:ListDomains voiceid:ListFraudsterRegistrationJobs voiceid:ListFraudsters voiceid:ListSpeakerEnrollmentJobs voiceid:ListSpeakers voiceid:ListWatchlists voiceid:OptOutSpeaker voiceid:StartFraudsterRegistrationJob voiceid:StartSpeakerEnrollmentJob voiceid:UpdateDomain voiceid:UpdateWatchlist  | 
| vpc-lattice |  vpc-lattice:CreateAccessLogSubscription vpc-lattice:CreateListener vpc-lattice:CreateResourceConfiguration vpc-lattice:CreateResourceGateway vpc-lattice:CreateRule vpc-lattice:CreateService vpc-lattice:CreateServiceNetwork vpc-lattice:CreateServiceNetworkResourceAssociation vpc-lattice:CreateServiceNetworkServiceAssociation vpc-lattice:CreateServiceNetworkVpcAssociation vpc-lattice:CreateTargetGroup vpc-lattice:DeleteAccessLogSubscription vpc-lattice:DeleteAuthPolicy vpc-lattice:DeleteDomainVerification vpc-lattice:DeleteListener vpc-lattice:DeleteResourceConfiguration vpc-lattice:DeleteResourceEndpointAssociation vpc-lattice:DeleteResourceGateway vpc-lattice:DeleteResourcePolicy vpc-lattice:DeleteRule vpc-lattice:DeleteService vpc-lattice:DeleteServiceNetwork vpc-lattice:DeleteServiceNetworkResourceAssociation vpc-lattice:DeleteServiceNetworkServiceAssociation vpc-lattice:DeleteServiceNetworkVpcAssociation vpc-lattice:DeleteTargetGroup vpc-lattice:DeregisterTargets vpc-lattice:GetAccessLogSubscription vpc-lattice:GetAuthPolicy vpc-lattice:GetDomainVerification vpc-lattice:GetListener vpc-lattice:GetResourceConfiguration vpc-lattice:GetResourceGateway vpc-lattice:GetResourcePolicy vpc-lattice:GetRule vpc-lattice:GetService vpc-lattice:GetServiceNetwork vpc-lattice:GetServiceNetworkResourceAssociation vpc-lattice:GetServiceNetworkServiceAssociation vpc-lattice:GetServiceNetworkVpcAssociation vpc-lattice:GetTargetGroup vpc-lattice:ListAccessLogSubscriptions vpc-lattice:ListDomainVerifications vpc-lattice:ListListeners vpc-lattice:ListResourceConfigurations vpc-lattice:ListResourceEndpointAssociations vpc-lattice:ListResourceGateways vpc-lattice:ListRules vpc-lattice:ListServiceNetworkResourceAssociations vpc-lattice:ListServiceNetworkServiceAssociations vpc-lattice:ListServiceNetworkVpcAssociations vpc-lattice:ListServiceNetworkVpcEndpointAssociations vpc-lattice:ListServiceNetworks vpc-lattice:ListServices vpc-lattice:ListTargetGroups vpc-lattice:ListTargets vpc-lattice:PutAuthPolicy vpc-lattice:PutResourcePolicy vpc-lattice:RegisterTargets vpc-lattice:StartDomainVerification vpc-lattice:UpdateAccessLogSubscription vpc-lattice:UpdateListener vpc-lattice:UpdateResourceConfiguration vpc-lattice:UpdateResourceGateway vpc-lattice:UpdateRule vpc-lattice:UpdateService vpc-lattice:UpdateServiceNetwork vpc-lattice:UpdateServiceNetworkVpcAssociation vpc-lattice:UpdateTargetGroup  | 
| wafv2 |  wafv2:AssociateWebACL wafv2:CheckCapacity wafv2:CreateAPIKey wafv2:CreateIPSet wafv2:CreateRegexPatternSet wafv2:CreateRuleGroup wafv2:CreateWebACL wafv2:DeleteAPIKey wafv2:DeleteFirewallManagerRuleGroups wafv2:DeleteIPSet wafv2:DeleteLoggingConfiguration wafv2:DeletePermissionPolicy wafv2:DeleteRegexPatternSet wafv2:DeleteRuleGroup wafv2:DeleteWebACL wafv2:DescribeAllManagedProducts wafv2:DescribeManagedProductsByVendor wafv2:DescribeManagedRuleGroup wafv2:DisassociateWebACL wafv2:GenerateMobileSdkReleaseUrl wafv2:GetDecryptedAPIKey wafv2:GetIPSet wafv2:GetLoggingConfiguration wafv2:GetManagedRuleSet wafv2:GetMobileSdkRelease wafv2:GetRateBasedStatementManagedKeys wafv2:GetRegexPatternSet wafv2:GetRuleGroup wafv2:GetSampledRequests wafv2:GetWebACLForResource wafv2:ListAPIKeys wafv2:ListAvailableManagedRuleGroupVersions wafv2:ListAvailableManagedRuleGroups wafv2:ListIPSets wafv2:ListLoggingConfigurations wafv2:ListManagedRuleSets wafv2:ListMobileSdkReleases wafv2:ListRegexPatternSets wafv2:ListResourcesForWebACL wafv2:ListRuleGroups wafv2:ListWebACLs wafv2:PutLoggingConfiguration wafv2:PutManagedRuleSetVersions wafv2:UpdateIPSet wafv2:UpdateManagedRuleSetVersionExpiryDate wafv2:UpdateRegexPatternSet wafv2:UpdateRuleGroup wafv2:UpdateWebACL  | 
| wellarchitected |  wellarchitected:AssociateLenses wellarchitected:AssociateProfiles wellarchitected:CreateLensShare wellarchitected:CreateLensVersion wellarchitected:CreateMilestone wellarchitected:CreateProfile wellarchitected:CreateProfileShare wellarchitected:CreateReviewTemplate wellarchitected:CreateWorkload wellarchitected:CreateWorkloadShare wellarchitected:DeleteLens wellarchitected:DeleteLensShare wellarchitected:DeleteProfile wellarchitected:DeleteProfileShare wellarchitected:DeleteReviewTemplate wellarchitected:DeleteTemplateShare wellarchitected:DeleteWorkload wellarchitected:DeleteWorkloadShare wellarchitected:DisassociateLenses wellarchitected:DisassociateProfiles wellarchitected:ExportLens wellarchitected:GetAnswer wellarchitected:GetConsolidatedReport wellarchitected:GetGlobalSettings wellarchitected:GetLens wellarchitected:GetLensReview wellarchitected:GetLensReviewReport wellarchitected:GetLensVersionDifference wellarchitected:GetMilestone wellarchitected:GetProfile wellarchitected:GetProfileTemplate wellarchitected:GetReviewTemplate wellarchitected:GetReviewTemplateAnswer wellarchitected:GetReviewTemplateLensReview wellarchitected:GetWorkload wellarchitected:ImportLens wellarchitected:ListAnswers wellarchitected:ListCheckDetails wellarchitected:ListCheckSummaries wellarchitected:ListLensReviewImprovements wellarchitected:ListLensReviews wellarchitected:ListLensShares wellarchitected:ListLenses wellarchitected:ListMilestones wellarchitected:ListNotifications wellarchitected:ListProfileNotifications wellarchitected:ListProfileShares wellarchitected:ListProfiles wellarchitected:ListReviewTemplateAnswers wellarchitected:ListReviewTemplates wellarchitected:ListShareInvitations wellarchitected:ListTemplateShares wellarchitected:ListWorkloadShares wellarchitected:ListWorkloads wellarchitected:UpdateAnswer wellarchitected:UpdateGlobalSettings wellarchitected:UpdateIntegration wellarchitected:UpdateLensReview wellarchitected:UpdateProfile wellarchitected:UpdateReviewTemplate wellarchitected:UpdateReviewTemplateLensReview wellarchitected:UpdateShareInvitation wellarchitected:UpdateWorkload wellarchitected:UpdateWorkloadShare wellarchitected:UpgradeLensReview wellarchitected:UpgradeProfileVersion wellarchitected:UpgradeReviewTemplateLensReview  | 
| wisdom |  wisdom:CreateAssistant wisdom:CreateAssistantAssociation wisdom:CreateContent wisdom:CreateKnowledgeBase wisdom:CreateQuickResponse wisdom:CreateSession wisdom:DeleteAssistant wisdom:DeleteAssistantAssociation wisdom:DeleteContent wisdom:DeleteImportJob wisdom:DeleteKnowledgeBase wisdom:DeleteQuickResponse wisdom:GetAssistant wisdom:GetAssistantAssociation wisdom:GetContent wisdom:GetContentAssociation wisdom:GetContentSummary wisdom:GetImportJob wisdom:GetKnowledgeBase wisdom:GetRecommendations wisdom:GetSession wisdom:ListAssistantAssociations wisdom:ListAssistants wisdom:ListContentAssociations wisdom:ListContents wisdom:ListImportJobs wisdom:ListKnowledgeBases wisdom:ListQuickResponses wisdom:NotifyRecommendationsReceived wisdom:QueryAssistant wisdom:RemoveKnowledgeBaseTemplateUri wisdom:SearchContent wisdom:SearchQuickResponses wisdom:SearchSessions wisdom:StartContentUpload wisdom:StartImportJob wisdom:UpdateContent wisdom:UpdateKnowledgeBaseTemplateUri wisdom:UpdateQuickResponse wisdom:UpdateSession  | 
| worklink |  worklink:AssociateDomain worklink:AssociateWebsiteAuthorizationProvider worklink:AssociateWebsiteCertificateAuthority worklink:CreateFleet worklink:DeleteFleet worklink:DescribeAuditStreamConfiguration worklink:DescribeCompanyNetworkConfiguration worklink:DescribeDevice worklink:DescribeDevicePolicyConfiguration worklink:DescribeDomain worklink:DescribeFleetMetadata worklink:DescribeIdentityProviderConfiguration worklink:DescribeWebsiteCertificateAuthority worklink:DisassociateDomain worklink:DisassociateWebsiteAuthorizationProvider worklink:DisassociateWebsiteCertificateAuthority worklink:ListDevices worklink:ListDomains worklink:ListFleets worklink:ListWebsiteAuthorizationProviders worklink:ListWebsiteCertificateAuthorities worklink:RestoreDomainAccess worklink:RevokeDomainAccess worklink:SignOutUser worklink:UpdateAuditStreamConfiguration worklink:UpdateCompanyNetworkConfiguration worklink:UpdateDevicePolicyConfiguration worklink:UpdateDomainMetadata worklink:UpdateFleetMetadata worklink:UpdateIdentityProviderConfiguration  | 
| workspaces |  workspaces:AcceptAccountLinkInvitation workspaces:AssociateConnectionAlias workspaces:AssociateIpGroups workspaces:AssociateWorkspaceApplication workspaces:CopyWorkspaceImage workspaces:CreateAccountLinkInvitation workspaces:CreateConnectClientAddIn workspaces:CreateConnectionAlias workspaces:CreateIpGroup workspaces:CreateStandbyWorkspaces workspaces:CreateUpdatedWorkspaceImage workspaces:CreateWorkspaceBundle workspaces:CreateWorkspaceImage workspaces:CreateWorkspaces workspaces:CreateWorkspacesPool workspaces:DeleteAccountLinkInvitation workspaces:DeleteClientBranding workspaces:DeleteConnectClientAddIn workspaces:DeleteConnectionAlias workspaces:DeleteIpGroup workspaces:DeleteWorkspaceBundle workspaces:DeleteWorkspaceImage workspaces:DeployWorkspaceApplications workspaces:DeregisterWorkspaceDirectory workspaces:DescribeAccount workspaces:DescribeAccountModifications workspaces:DescribeApplicationAssociations workspaces:DescribeApplications workspaces:DescribeBundleAssociations workspaces:DescribeClientBranding workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddIns workspaces:DescribeConnectionAliasPermissions workspaces:DescribeConnectionAliases workspaces:DescribeCustomWorkspaceImageImport workspaces:DescribeImageAssociations workspaces:DescribeIpGroups workspaces:DescribeWorkspaceAssociations workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaceImagePermissions workspaces:DescribeWorkspaceSnapshots workspaces:DescribeWorkspaces workspaces:DescribeWorkspacesConnectionStatus workspaces:DescribeWorkspacesPoolSessions workspaces:DescribeWorkspacesPools workspaces:DisassociateConnectionAlias workspaces:DisassociateIpGroups workspaces:DisassociateWorkspaceApplication workspaces:GetAccountLink workspaces:ImportClientBranding workspaces:ImportWorkspaceImage workspaces:ListAccountLinks workspaces:ListAvailableManagementCidrRanges workspaces:MigrateWorkspace workspaces:ModifyAccount workspaces:ModifyCertificateBasedAuthProperties workspaces:ModifyClientProperties workspaces:ModifyEndpointEncryptionMode workspaces:ModifySamlProperties workspaces:ModifySelfservicePermissions workspaces:ModifyStreamingProperties workspaces:ModifyWorkspaceAccessProperties workspaces:ModifyWorkspaceCreationProperties workspaces:ModifyWorkspaceProperties workspaces:ModifyWorkspaceState workspaces:RebootWorkspaces workspaces:RebuildWorkspaces workspaces:RegisterWorkspaceDirectory workspaces:RejectAccountLinkInvitation workspaces:RestoreWorkspace workspaces:StartWorkspaces workspaces:StartWorkspacesPool workspaces:StopWorkspaces workspaces:StopWorkspacesPool workspaces:TerminateWorkspaces workspaces:TerminateWorkspacesPool workspaces:TerminateWorkspacesPoolSession workspaces:UpdateConnectClientAddIn workspaces:UpdateConnectionAliasPermission workspaces:UpdateWorkspaceBundle workspaces:UpdateWorkspaceImagePermission workspaces:UpdateWorkspacesPool  | 
| xray |  xray:CreateGroup xray:CreateSamplingRule xray:DeleteGroup xray:DeleteResourcePolicy xray:DeleteSamplingRule xray:GetEncryptionConfig xray:GetGroup xray:GetGroups xray:GetInsight xray:GetInsightEvents xray:GetInsightImpactGraph xray:GetInsightSummaries xray:GetSamplingRules xray:ListResourcePolicies xray:PutEncryptionConfig xray:PutResourcePolicy xray:UpdateGroup xray:UpdateSamplingRule  | 

# IAM Access Analyzer quotas
<a name="access-analyzer-quotas"></a>

IAM Access Analyzer has the following quotas:


| Resource | Default quota | Maximum quota | 
| --- | --- | --- | 
|  Maximum account-level analyzers per analyzer type per AWS account per Region  |  1  |  1  | 
|  Maximum organization-level external or unused access analyzers per analyzer type per AWS account per Region  |  5  |  20¹  | 
|  Maximum organization-level internal access analyzers per AWS organization per Region  |  1  |  1  | 
|  Maximum archive rules per analyzer  |  100 (each archive rule can have up to 20 values per criterion)  |  1,000¹  | 
| Maximum number of access previews per analyzer per hour | 1,000 | 1,000 | 
| AWS CloudTrail log files processed per policy generation | 100,000 | 100,000 | 
| Concurrent policy generations | 1 | 1 | 
| Policy generation AWS CloudTrail data size | 25 GB | 25 GB | 
| Policy generation AWS CloudTrail time range | 90 days | 90 days | 
| Policy generations per day |  Africa (Cape Town): 5; Asia Pacific (Hong Kong): 5; Asia Pacific (Jakarta): 5; Europe (Milan): 5; Middle East (Bahrain): 5; all other supported Regions: 50. Canceled policy generation requests apply to the daily quota.  | Africa (Cape Town): 5; Asia Pacific (Hong Kong): 5; Asia Pacific (Jakarta): 5; Europe (Milan): 5; Middle East (Bahrain): 5; all other supported Regions: 50 | 

¹Some quotas are customer-configurable using [Service Quotas](https://docs.aws.amazon.com/servicequotas/latest/userguide/intro.html).