Actions, resources, and condition keys for Amazon WorkMail
Amazon WorkMail (service prefix: workmail) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by Amazon WorkMail
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
AssociateDelegateToResource |
Write |
|||
|
AssociateMemberToGroup |
Write |
|||
|
AssumeImpersonationRole |
Write |
|||
|
CancelMailboxExportJob |
Write |
|||
|
CreateAlias |
Write |
|||
|
CreateAvailabilityConfiguration |
Write |
|||
|
CreateGroup |
Write |
|||
|
CreateIdentityCenterApplication |
Write |
|||
|
CreateImpersonationRole |
Write |
|||
|
CreateMobileDeviceAccessRule |
Write |
|||
|
CreateOrganization |
Write |
|||
|
CreateResource |
Write |
|||
|
CreateUser |
Write |
|||
|
DeleteAccessControlRule |
Write |
|||
|
DeleteAlias |
Write |
|||
|
DeleteAvailabilityConfiguration |
Write |
|||
|
DeleteEmailMonitoringConfiguration |
Write |
|||
|
DeleteGroup |
Write |
|||
|
DeleteIdentityCenterApplication |
Write |
|||
|
DeleteIdentityProviderConfiguration |
Write |
|||
|
DeleteImpersonationRole |
Write |
|||
|
DeleteMailboxPermissions |
Write |
|||
|
DeleteMobileDeviceAccessOverride |
Write |
|||
|
DeleteMobileDeviceAccessRule |
Write |
|||
|
DeleteOrganization |
Write |
|||
|
DeletePersonalAccessToken |
Write |
|||
|
DeleteResource |
Write |
|||
|
DeleteRetentionPolicy |
Write |
|||
|
DeleteUser |
Write |
|||
|
DeregisterFromWorkMail |
Write |
|||
|
DeregisterMailDomain |
Write |
|||
|
DescribeEmailMonitoringConfiguration |
Read |
|||
|
DescribeEntity |
Read |
|||
|
DescribeGroup |
List |
|||
|
DescribeIdentityProviderConfiguration |
Read |
|||
|
DescribeInboundDmarcSettings |
Read |
|||
|
DescribeMailboxExportJob |
Read |
|||
|
DescribeOrganization |
List |
|||
|
DescribeResource |
List |
|||
|
DescribeUser |
List |
|||
|
DisassociateDelegateFromResource |
Write |
|||
|
DisassociateMemberFromGroup |
Write |
|||
|
GetAccessControlEffect |
Read |
|||
|
GetDefaultRetentionPolicy |
Read |
|||
|
GetImpersonationRole |
Read |
|||
|
GetImpersonationRoleEffect |
Read |
|||
|
GetMailDomain |
Read |
|||
|
GetMailboxDetails |
Read |
|||
|
GetMobileDeviceAccessEffect |
Read |
|||
|
GetMobileDeviceAccessOverride |
Read |
|||
|
GetPersonalAccessTokenMetadata |
Read |
|||
|
ListAccessControlRules |
Read |
|||
|
ListAliases |
List |
|||
|
ListAvailabilityConfigurations |
Read |
|||
|
ListGroupMembers |
List |
|||
|
ListGroups |
List |
|||
|
ListGroupsForEntity |
List |
|||
|
ListImpersonationRoles |
List |
|||
|
ListMailDomains |
List |
|||
|
ListMailboxExportJobs |
List |
|||
|
ListMailboxPermissions |
List |
|||
|
ListMobileDeviceAccessOverrides |
Read |
|||
|
ListMobileDeviceAccessRules |
Read |
|||
|
ListOrganizations |
List |
|||
|
ListPersonalAccessTokens |
List |
|||
|
ListResourceDelegates |
List |
|||
|
ListResources |
List |
|||
|
ListTagsForResource |
List |
|||
|
ListUsers |
List |
|||
|
PutAccessControlRule |
Write |
|||
|
PutEmailMonitoringConfiguration |
Write |
|||
iam:PassedToService |
events.workmail.amazonaws.com |
Write |
||
|
PutIdentityProviderConfiguration |
Write |
|||
|
PutInboundDmarcSettings |
Write |
|||
|
PutMailboxPermissions |
Write |
|||
|
PutMobileDeviceAccessOverride |
Write |
|||
|
PutRetentionPolicy |
Write |
|||
|
RegisterMailDomain |
Write |
|||
|
RegisterToWorkMail |
Write |
|||
|
ResetPassword |
Write |
|||
|
StartMailboxExportJob |
Write |
|||
iam:PassedToService |
workmail.amazonaws.com |
Write |
||
|
TagResource |
Tagging, Write |
|||
|
TestAvailabilityConfiguration |
Read |
|||
|
UntagResource |
Tagging, Write |
|||
|
UpdateAvailabilityConfiguration |
Write |
|||
|
UpdateDefaultMailDomain |
Write |
|||
|
UpdateGroup |
Write |
|||
|
UpdateImpersonationRole |
Write |
|||
|
UpdateMailboxQuota |
Write |
|||
|
UpdateMobileDeviceAccessRule |
Write |
|||
|
UpdatePrimaryEmailAddress |
Write |
|||
|
UpdateResource |
Write |
|||
|
UpdateUser |
Write |
Actions defined by Amazon WorkMail
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in AWS. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to add a member (user or group) to the resource's set of delegates |
Write |
|||
Grants permission to add a member (user or group) to the group's set |
Write |
|||
Grants permission to assume an impersonation role for the given Amazon WorkMail organization |
Write |
|||
Grants permission to cancel a currently running mailbox export job |
Write |
|||
Grants permission to add an alias to the set of a given member (user or group) of WorkMail |
Write |
|||
Grants permission to create an AvailabilityConfiguration for the given Amazon WorkMail organization and domain |
Write |
|||
Grants permission to create a group that can be used in WorkMail by calling the RegisterToWorkMail operation |
Write |
|||
Grants permission to create an Identity Center application for WorkMail |
Write |
|||
Grants permission to create an impersonation role for the given Amazon WorkMail organization |
Write |
|||
Grants permission to create a new mobile device access rule |
Write |
|||
Grants permission to create a new Amazon WorkMail organization |
Write |
|||
Grants permission to create a new WorkMail resource |
Write |
|||
Grants permission to create a user, which can be enabled afterwards by calling the RegisterToWorkMail operation |
Write |
|||
Grants permission to delete an access control rule |
Write |
|||
Grants permission to remove one or more specified aliases from a set of aliases for a given user |
Write |
|||
Grants permission to delete the AvailabilityConfiguration for the given Amazon WorkMail organization and domain |
Write |
|||
Grants permission to delete the email monitoring configuration for an organization |
Write |
|||
Grants permission to delete a group from WorkMail |
Write |
|||
Grants permission to delete an Identity Center application for WorkMail |
Write |
|||
Grants permission to delete the identity provider configuration for the organization |
Write |
|||
Grants permission to delete an impersonation role for the given Amazon WorkMail organization |
Write |
|||
Grants permission to delete permissions granted to a member (user or group) |
Write |
|||
Grants permission to delete a mobile device access override |
Write |
|||
Grants permission to delete a mobile device access rule |
Write |
|||
Grants permission to delete an Amazon WorkMail organization and all underlying AWS resources managed by Amazon WorkMail as part of the organization |
Write |
|||
Grants permission to delete a personal access token |
Write |
|||
Grants permission to delete the specified resource |
Write |
|||
Grants permission to delete the retention policy based on the supplied organization and policy identifiers |
Write |
|||
Grants permission to delete a user from WorkMail and all subsequent systems |
Write |
|||
Grants permission to mark a user, group, or resource as no longer used in WorkMail |
Write |
|||
Grants permission to deregister a mail domain from an organization |
Write |
|||
Grants permission to retrieve the email monitoring configuration for an organization |
Read |
|||
Grants permission to read details of an entity |
Read |
|||
Grants permission to read the details for a group |
List |
|||
Grants permission to read the identity provider configuration for the organization |
Read |
|||
Grants permission to read the settings in a DMARC policy for a specified organization |
Read |
|||
Grants permission to retrieve details of a mailbox export job |
Read |
|||
Grants permission to read details of an organization |
List |
|||
Grants permission to read the details for a resource |
List |
|||
Grants permission to read details for a user |
List |
|||
Grants permission to remove a member from the resource's set of delegates |
Write |
|||
Grants permission to remove a member from a group |
Write |
|||
Grants permission to get the effects of access control rules as they apply to a specified IPv4 address, access protocol action, or user ID |
Read |
|||
Grants permission to retrieve the retention policy associated at an organizational level |
Read |
|||
Grants permission to retrieve an impersonation role for the given Amazon WorkMail organization |
Read |
|||
Grants permission to get the effect of the rules associated to an impersonation role for a specific user |
Read |
|||
Grants permission to retrieve details of a given mail domain in an organization |
Read |
|||
Grants permission to read the details of the user's mailbox |
Read |
|||
Grants permission to simulate the effect of the mobile device access rules for the given attributes of a sample access event |
Read |
|||
Grants permission to retrieve a mobile device access override |
Read |
|||
Grants permission to read metadata for a personal access token |
Read |
|||
Grants permission to list the access control rules |
Read |
|||
Grants permission to list the aliases associated with a given entity |
List |
|||
Grants permission to list all the AvailabilityConfiguration's for the given Amazon WorkMail organization |
Read |
|||
Grants permission to read an overview of the members of a group. Users and groups can be members of a group |
List |
|||
Grants permission to list summaries of the organization's groups |
List |
|||
Grants permission to list the groups to which an entity belongs |
List |
|||
Grants permission to list the impersonation roles for the given Amazon WorkMail organization |
List |
|||
Grants permission to list the mail domains for a given organization |
List |
|||
Grants permission to list mailbox export jobs |
List |
|||
Grants permission to list the mailbox permissions associated with a user, group, or resource mailbox |
List |
|||
Grants permission to list the mobile device access overrides |
Read |
|||
Grants permission to list the mobile device access rules |
Read |
|||
Grants permission to list the non-deleted organizations |
List |
|||
Grants permission to list metadata for personal access tokens |
List |
|||
Grants permission to list the delegates associated with a resource |
List |
|||
Grants permission to list the organization's resources |
List |
|||
Grants permission to list the tags applied to an Amazon WorkMail organization resource |
List |
|||
Grants permission to list the organization's users |
List |
|||
Grants permission to add a new access control rule |
Write |
|||
Grants permission to add or update the email monitoring configuration for an organization |
Write |
|||
Grants permission to add or update the identity provider configuration for the organization |
Write |
|||
Grants permission to enable or disable a DMARC policy for a given organization |
Write |
|||
Grants permission to set permissions for a user, group, or resource, replacing any existing permissions |
Write |
|||
Grants permission to add or update a mobile device access override |
Write |
|||
Grants permission to add or update the retention policy |
Write |
|||
Grants permission to register a new mail domain in an organization |
Write |
|||
Grants permission to register an existing and disabled user, group, or resource for use by associating a mailbox and calendaring capabilities |
Write |
|||
Grants permission to allow the administrator to reset the password for a user |
Write |
|||
Grants permission to start a new mailbox export job |
Write |
|||
Grants permission to tag the specified Amazon WorkMail organization resource |
Tagging, Write |
|||
Grants permission to performs a test on an availability provider to ensure that access is allowed |
Read |
|||
Grants permission to untag the specified Amazon WorkMail organization resource |
Tagging, Write |
|||
Grants permission to update an existing AvailabilityConfiguration for the given Amazon WorkMail organization and domain |
Write |
|||
Grants permission to update which domain is the default domain for an organization |
Write |
|||
Grants permission to update details of a group |
Write |
|||
Grants permission to update an existing impersonation role for the given Amazon WorkMail organization |
Write |
|||
Grants permission to update the maximum size (in MB) of the user's mailbox |
Write |
|||
Grants permission to update a mobile device access rule |
Write |
|||
Grants permission to update the primary email for a user, group, or resource |
Write |
|||
Grants permission to update details for the resource |
Write |
|||
Grants permission to update details of a user |
Write |
Permission-only actions for Amazon WorkMail
The following actions are defined by Amazon WorkMail but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to configure vended log delivery for WorkMail audit logs |
Write |
|||
Grants permission to create an inbound email flow rule which will apply to all email sent to an organization |
Write |
|||
Grants permission to create a mail domain |
Write |
|||
Grants permission to create an outbound email flow rule which will apply to all email sent from an organization |
Write |
|||
Grants permission to register an SMTP gateway to a WorkMail organization |
Write |
|||
Grants permission to remove an inbound email flow rule to no longer apply to emails sent to an organization |
Write |
|||
Grants permission to remove an unused mail domain from an organization |
Write |
|||
Grants permission to remove a mobile device from a user |
Write |
|||
Grants permission to remove an outbound email flow rule so that it no longer applies to emails sent from an organization |
Write |
|||
Grants permission to remove an SMTP gateway from an organization |
Write |
|||
Grants permission to deliver emails to a WorkMail organization via the SES MailManager DeliverToMailbox action |
Write |
|||
Grants permission to read the details of an inbound mail flow rule configured for an organization |
Read |
|||
Grants permission to show the details of all mail domains associated with the organization |
List |
|||
Grants permission to read the details of an outbound mail flow rule configured for an organization |
Read |
|||
Grants permission to read the details of an SMTP gateway registered to an organization |
Read |
|||
Grants permission to enable a mail domain in the organization |
Write |
|||
Grants permission to read the configured journaling and fallback email addresses for email journaling |
Read |
|||
Grants permission to get the details of the mail domain |
Read |
|||
Grants permission to get the details of the mobile device |
Read |
|||
Grants permission to get a list of the mobile devices associated with the user |
Read |
|||
Grants permission to get the details of the mobile device policy associated with the organization |
Read |
|||
Grants permission to list inbound mail flow rules configured for an organization |
List |
|||
Grants permission to list outbound mail flow rules configured for an organization |
List |
|||
Grants permission to list SMTP gateways registered to the organization |
List |
|||
Grants permission to perform a prefix search to find a specific user in a mail group |
Read |
|||
Grants permission to set the default mail domain for the organization |
Write |
|||
Grants permission to set journaling and fallback email addresses for email journaling |
Write |
|||
Grants permission to set the details of a mobile policy associated with the organization |
Write |
|||
Grants permission to test what inbound rules will apply to an email with a given sender and recipient |
Write |
|||
Grants permission to test what outbound rules will apply to an email with a given sender and recipient |
Write |
|||
Grants permission to update the details of an inbound email flow rule which will apply to all email sent to an organization |
Write |
|||
Grants permission to update the details of an outbound email flow rule which will apply to all email sent from an organization |
Write |
|||
Grants permission to update the details of an existing SMTP gateway registered to an organization |
Write |
|||
Grants permission to remotely wipe the mobile device associated with a user's account |
Write |
Resource types defined by Amazon WorkMail
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:workmail:${Region}:${Account}:organization/${ResourceId} |
Condition keys for Amazon WorkMail
Amazon WorkMail defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the tag key-value pairs that are passed in the request |
String |
|
Filters access by the tag key-value pairs attached to the resource |
String |
|
Filters access by the tag keys that are passed in the request |
ArrayOfString |
|
Filters access by the ImpersonationRoleId that is passed in the request |
String |