

# Actions, resources, and condition keys for Amazon WorkMail
<a name="list_amazonworkmail"></a>

Amazon WorkMail (service prefix: `workmail`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/workmail/latest/userguide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/workmail/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/workmail/latest/adminguide/iam_users_groups.html) permission policies.

**Topics**
+ [Actions defined by Amazon WorkMail](#amazonworkmail-actions-as-permissions)
+ [Resource types defined by Amazon WorkMail](#amazonworkmail-resources-for-iam-policies)
+ [Condition keys for Amazon WorkMail](#amazonworkmail-policy-keys)

## Actions defined by Amazon WorkMail
<a name="amazonworkmail-actions-as-permissions"></a>

You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).

The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\*") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\*). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.

The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.

**Note**  
Resource condition keys are listed in the [Resource types](#amazonworkmail-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\*required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.
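The resource-level rules described above can be checked mechanically. The following linter is an added example, not AWS code: it flags statements that silently grant nothing because an action without a resource type is paired with a scoped `Resource`, or because a service condition key is used with an action that does not supply it. The action names are taken from the API reference links in the Actions table (a subset only), the `workmail:ImpersonationRoleId` key from the AssumeImpersonationRole entry, and the organization ARN layout is assumed from the Resource types table; the account ID, organization ID, and role ID are constructed sample values.

```python
import re

# Constructed sample ARN; the layout is assumed from the Resource types table.
ORG_ARN = "arn:aws:workmail:us-east-1:111122223333:organization/m-constructed0001"
ORG_PREFIX = "organization/"

# Subset of the Actions table:
# action name -> (takes an organization resource?, service condition keys)
ACTIONS = {
    "AssumeImpersonationRole": (True, {"workmail:ImpersonationRoleId"}),
    "CreateImpersonationRole": (True, set()),
    "CreateUser": (True, set()),
    "CreateOrganization": (False, set()),
    "CreateIdentityCenterApplication": (False, set()),
    "DeleteIdentityCenterApplication": (False, set()),
    "DeleteOrganization": (True, set()),
    "DescribeOrganization": (True, set()),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild_match(pattern, text):
    """IAM-style match: '*' is any run of characters, '?' is one; case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def expand_actions(patterns):
    """Resolve Action patterns such as 'workmail:Create*' against the table."""
    matched = set()
    for pattern in _as_list(patterns):
        full = "workmail:*" if pattern == "*" else pattern
        matched.update(a for a in ACTIONS if _wild_match(full, "workmail:" + a))
    return sorted(matched)


def can_match_org_arn(resource):
    """Simplified check: could this Resource pattern match an organization ARN?"""
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "workmail":
        return False
    literal = re.split(r"[*?]", parts[5], maxsplit=1)[0]
    if literal.startswith(ORG_PREFIX):
        return True
    # A wildcard follows the literal prefix, e.g. "org*" or "*".
    return literal != parts[5] and ORG_PREFIX.startswith(literal)


def lint_policy(policy):
    """Return (sid, action, finding) tuples. NotAction/NotResource are not handled."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        sid = stmt.get("Sid", "")
        resources = _as_list(stmt.get("Resource", []))
        # Service keys tested with operators that fail when the key is absent.
        keys = {
            key.lower()
            for op, block in stmt.get("Condition", {}).items()
            if not op.endswith("IfExists") and op != "Null"
            for key in block
            if key.lower().startswith("workmail:")
        }
        for action in expand_actions(stmt.get("Action", [])):
            org_scoped, supported = ACTIONS[action]
            if not org_scoped:
                # No resource type in the table: only Resource "*" matches.
                if "*" not in resources:
                    findings.append((sid, action, "RESOURCE_MUST_BE_STAR"))
            elif not any(can_match_org_arn(r) for r in resources):
                findings.append((sid, action, "RESOURCE_NOT_ORG_ARN"))
            elif "*" in resources:
                # Works, but the action could be limited to one organization.
                findings.append((sid, action, "BROAD_RESOURCE"))
            if keys - {k.lower() for k in supported}:
                findings.append((sid, action, "CONDITION_KEY_UNSUPPORTED"))
    return findings


# Constructed sample policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ScopedCreate", "Effect": "Allow",
         "Action": "workmail:Create*", "Resource": ORG_ARN},
        {"Sid": "Impersonate", "Effect": "Allow",
         "Action": "workmail:AssumeImpersonationRole", "Resource": "*"},
        {"Sid": "PinnedRole", "Effect": "Allow",
         "Action": ["workmail:AssumeImpersonationRole", "workmail:DescribeOrganization"],
         "Resource": ORG_ARN,
         "Condition": {"StringEquals": {"workmail:ImpersonationRoleId": "constructed-role-id"}}},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(*finding, sep="\t")
```

The same findings apply to `Deny` statements, where a statement that never matches leaves the action unblocked rather than ungranted.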

For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).




- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/audit-logging.html](https://docs.aws.amazon.com/workmail/latest/adminguide/audit-logging.html) [permission only]**
  - **Description:** Grants permission to configure vended log delivery for WorkMail audit logs
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_AssociateDelegateToResource.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_AssociateDelegateToResource.html) **
  - **Description:** Grants permission to add a member (user or group) to the resource's set of delegates
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_AssociateMemberToGroup.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_AssociateMemberToGroup.html) **
  - **Description:** Grants permission to add a member (user or group) to the group's set
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_AssumeImpersonationRole.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_AssumeImpersonationRole.html) **
  - **Description:** Grants permission to assume an impersonation role for the given Amazon WorkMail organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:**  [#amazonworkmail-workmail_ImpersonationRoleId](#amazonworkmail-workmail_ImpersonationRoleId) 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_CancelMailboxExportJob.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_CancelMailboxExportJob.html) **
  - **Description:** Grants permission to cancel a currently running mailbox export job
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateAlias.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateAlias.html) **
  - **Description:** Grants permission to add an alias to the set of a given member (user or group) of WorkMail
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateAvailabilityConfiguration.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateAvailabilityConfiguration.html) **
  - **Description:** Grants permission to create an AvailabilityConfiguration for the given Amazon WorkMail organization and domain
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateGroup.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateGroup.html) **
  - **Description:** Grants permission to create a group that can be used in WorkMail by calling the RegisterToWorkMail operation
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateIdentityCenterApplication.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateIdentityCenterApplication.html) **
  - **Description:** Grants permission to create an Identity Center application for WorkMail
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateImpersonationRole.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateImpersonationRole.html) **
  - **Description:** Grants permission to create an impersonation role for the given Amazon WorkMail organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/create-email-rules.html](https://docs.aws.amazon.com/workmail/latest/adminguide/create-email-rules.html) [permission only]**
  - **Description:** Grants permission to create an inbound email flow rule which will apply to all email sent to an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/add_domain.html](https://docs.aws.amazon.com/workmail/latest/adminguide/add_domain.html) [permission only]**
  - **Description:** Grants permission to create a mail domain
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateMobileDeviceAccessRule.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateMobileDeviceAccessRule.html) **
  - **Description:** Grants permission to create a new mobile device access rule
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateOrganization.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateOrganization.html) **
  - **Description:** Grants permission to create a new Amazon WorkMail organization
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/create-email-rules.html](https://docs.aws.amazon.com/workmail/latest/adminguide/create-email-rules.html) [permission only]**
  - **Description:** Grants permission to create an outbound email flow rule which will apply to all email sent from an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateResource.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateResource.html) **
  - **Description:** Grants permission to create a new WorkMail resource
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/smtp-gateway.html](https://docs.aws.amazon.com/workmail/latest/adminguide/smtp-gateway.html) [permission only]**
  - **Description:** Grants permission to register an SMTP gateway to a WorkMail organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateUser.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_CreateUser.html) **
  - **Description:** Grants permission to create a user, which can be enabled afterwards by calling the RegisterToWorkMail operation
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteAccessControlRule.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteAccessControlRule.html) **
  - **Description:** Grants permission to delete an access control rule
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteAlias.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteAlias.html) **
  - **Description:** Grants permission to remove one or more specified aliases from a set of aliases for a given user
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteAvailabilityConfiguration.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteAvailabilityConfiguration.html) **
  - **Description:** Grants permission to delete the AvailabilityConfiguration for the given Amazon WorkMail organization and domain
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteEmailMonitoringConfiguration.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteEmailMonitoringConfiguration.html) **
  - **Description:** Grants permission to delete the email monitoring configuration for an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteGroup.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteGroup.html) **
  - **Description:** Grants permission to delete a group from WorkMail
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteIdentityCenterApplication.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteIdentityCenterApplication.html) **
  - **Description:** Grants permission to delete an Identity Center application for WorkMail
  - **Access level:** Write
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteIdentityProviderConfiguration.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteIdentityProviderConfiguration.html) **
  - **Description:** Grants permission to delete the identity provider configuration for the organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteImpersonationRole.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteImpersonationRole.html) **
  - **Description:** Grants permission to delete an impersonation role for the given Amazon WorkMail organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/remove-email-flow-rule.html](https://docs.aws.amazon.com/workmail/latest/adminguide/remove-email-flow-rule.html) [permission only]**
  - **Description:** Grants permission to remove an inbound email flow rule to no longer apply to emails sent to an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/remove_domain.html](https://docs.aws.amazon.com/workmail/latest/adminguide/remove_domain.html) [permission only]**
  - **Description:** Grants permission to remove an unused mail domain from an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteMailboxPermissions.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteMailboxPermissions.html) **
  - **Description:** Grants permission to delete permissions granted to a member (user or group)
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/manage-devices.html#remove_mobile_device](https://docs.aws.amazon.com/workmail/latest/adminguide/manage-devices.html#remove_mobile_device) [permission only]**
  - **Description:** Grants permission to remove a mobile device from a user
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteMobileDeviceAccessOverride.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteMobileDeviceAccessOverride.html) **
  - **Description:** Grants permission to delete a mobile device access override
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteMobileDeviceAccessRule.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteMobileDeviceAccessRule.html) **
  - **Description:** Grants permission to delete a mobile device access rule
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteOrganization.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteOrganization.html) **
  - **Description:** Grants permission to delete an Amazon WorkMail organization and all underlying AWS resources managed by Amazon WorkMail as part of the organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/remove-email-flow-rule.html](https://docs.aws.amazon.com/workmail/latest/adminguide/remove-email-flow-rule.html) [permission only]**
  - **Description:** Grants permission to remove an outbound email flow rule so that it no longer applies to emails sent from an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeletePersonalAccessToken.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeletePersonalAccessToken.html) **
  - **Description:** Grants permission to delete a personal access token
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteResource.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteResource.html) **
  - **Description:** Grants permission to delete the specified resource
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteRetentionPolicy.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteRetentionPolicy.html) **
  - **Description:** Grants permission to delete the retention policy based on the supplied organization and policy identifiers
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/smtp-gateway.html](https://docs.aws.amazon.com/workmail/latest/adminguide/smtp-gateway.html) [permission only]**
  - **Description:** Grants permission to remove an SMTP gateway from an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteUser.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeleteUser.html) **
  - **Description:** Grants permission to delete a user from WorkMail and all subsequent systems
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_DeliverToMailboxAction.html](https://docs.aws.amazon.com/sesmailmanager/latest/APIReference/API_DeliverToMailboxAction.html) [permission only]**
  - **Description:** Grants permission to deliver emails to a WorkMail organization via the SES MailManager DeliverToMailbox action
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeregisterFromWorkMail.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeregisterFromWorkMail.html) **
  - **Description:** Grants permission to mark a user, group, or resource as no longer used in WorkMail
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeregisterMailDomain.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DeregisterMailDomain.html) **
  - **Description:** Grants permission to deregister a mail domain from an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeEmailMonitoringConfiguration.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeEmailMonitoringConfiguration.html) **
  - **Description:** Grants permission to retrieve the email monitoring configuration for an organization
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeEntity.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeEntity.html) **
  - **Description:** Grants permission to read details of an entity
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeGroup.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeGroup.html) **
  - **Description:** Grants permission to read the details for a group
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeIdentityProviderConfiguration.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeIdentityProviderConfiguration.html) **
  - **Description:** Grants permission to read the identity provider configuration for the organization
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeInboundDmarcSettings.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeInboundDmarcSettings.html) **
  - **Description:** Grants permission to read the settings in a DMARC policy for a specified organization
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/email-flows.html#email-flows-rule-actions](https://docs.aws.amazon.com/workmail/latest/adminguide/email-flows.html#email-flows-rule-actions) [permission only]**
  - **Description:** Grants permission to read the details of an inbound mail flow rule configured for an organization
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/domains_overview.html](https://docs.aws.amazon.com/workmail/latest/adminguide/domains_overview.html) [permission only]**
  - **Description:** Grants permission to show the details of all mail domains associated with the organization
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeMailboxExportJob.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeMailboxExportJob.html) **
  - **Description:** Grants permission to retrieve details of a mailbox export job
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeOrganization.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeOrganization.html) **
  - **Description:** Grants permission to read details of an organization
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/email-flows.html#email-flows-rule-outbound](https://docs.aws.amazon.com/workmail/latest/adminguide/email-flows.html#email-flows-rule-outbound) [permission only]**
  - **Description:** Grants permission to read the details of an outbound mail flow rule configured for an organization
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeResource.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeResource.html) **
  - **Description:** Grants permission to read the details for a resource
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/smtp-gateway.html](https://docs.aws.amazon.com/workmail/latest/adminguide/smtp-gateway.html) [permission only]**
  - **Description:** Grants permission to read the details of an SMTP gateway registered to an organization
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeUser.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DescribeUser.html) **
  - **Description:** Grants permission to read details for a user
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DisassociateDelegateFromResource.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DisassociateDelegateFromResource.html) **
  - **Description:** Grants permission to remove a member from the resource's set of delegates
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_DisassociateMemberFromGroup.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_DisassociateMemberFromGroup.html) **
  - **Description:** Grants permission to remove a member from a group
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/add_domain.html](https://docs.aws.amazon.com/workmail/latest/adminguide/add_domain.html) [permission only]**
  - **Description:** Grants permission to enable a mail domain in the organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetAccessControlEffect.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetAccessControlEffect.html) **
  - **Description:** Grants permission to get the effects of access control rules as they apply to a specified IPv4 address, access protocol action, or user ID
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetDefaultRetentionPolicy.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetDefaultRetentionPolicy.html) **
  - **Description:** Grants permission to retrieve the retention policy associated at an organizational level
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetImpersonationRole.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetImpersonationRole.html) **
  - **Description:** Grants permission to retrieve an impersonation role for the given Amazon WorkMail organization
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetImpersonationRoleEffect.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetImpersonationRoleEffect.html) **
  - **Description:** Grants permission to get the effect of the rules associated to an impersonation role for a specific user
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/journaling_overview.html](https://docs.aws.amazon.com/workmail/latest/adminguide/journaling_overview.html) [permission only]**
  - **Description:** Grants permission to read the configured journaling and fallback email addresses for email journaling
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetMailDomain.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetMailDomain.html) **
  - **Description:** Grants permission to retrieve details of a given mail domain in an organization
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/domains_overview.html](https://docs.aws.amazon.com/workmail/latest/adminguide/domains_overview.html) [permission only]**
  - **Description:** Grants permission to get the details of the mail domain
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetMailboxDetails.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetMailboxDetails.html) **
  - **Description:** Grants permission to read the details of the user's mailbox
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetMobileDeviceAccessEffect.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetMobileDeviceAccessEffect.html) **
  - **Description:** Grants permission to simulate the effect of the mobile device access rules for the given attributes of a sample access event
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetMobileDeviceAccessOverride.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetMobileDeviceAccessOverride.html) **
  - **Description:** Grants permission to retrieve a mobile device access override
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/manage-devices.html](https://docs.aws.amazon.com/workmail/latest/adminguide/manage-devices.html) [permission only]**
  - **Description:** Grants permission to get the details of the mobile device
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/manage-devices.html](https://docs.aws.amazon.com/workmail/latest/adminguide/manage-devices.html) [permission only]**
  - **Description:** Grants permission to get a list of the mobile devices associated with the user
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/edit_organization_mobile_policy.html](https://docs.aws.amazon.com/workmail/latest/adminguide/edit_organization_mobile_policy.html) [permission only]**
  - **Description:** Grants permission to get the details of the mobile device policy associated with the organization
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetPersonalAccessTokenMetadata.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_GetPersonalAccessTokenMetadata.html) **
  - **Description:** Grants permission to read metadata for a personal access token
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListAccessControlRules.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListAccessControlRules.html) **
  - **Description:** Grants permission to list the access control rules
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListAliases.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListAliases.html) **
  - **Description:** Grants permission to list the aliases associated with a given entity
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListAvailabilityConfigurations.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListAvailabilityConfigurations.html) **
  - **Description:** Grants permission to list all the AvailabilityConfigurations for the given Amazon WorkMail organization
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListGroupMembers.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListGroupMembers.html) **
  - **Description:** Grants permission to read an overview of the members of a group. Users and groups can be members of a group
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListGroups.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListGroups.html) **
  - **Description:** Grants permission to list summaries of the organization's groups
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListGroupsForEntity.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListGroupsForEntity.html) **
  - **Description:** Grants permission to list the groups to which an entity belongs
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListImpersonationRoles.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListImpersonationRoles.html) **
  - **Description:** Grants permission to list the impersonation roles for the given Amazon WorkMail organization
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/email-flows.html#email-flows-rule-actions](https://docs.aws.amazon.com/workmail/latest/adminguide/email-flows.html#email-flows-rule-actions) [permission only]**
  - **Description:** Grants permission to list inbound mail flow rules configured for an organization
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListMailDomains.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListMailDomains.html) **
  - **Description:** Grants permission to list the mail domains for a given organization
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListMailboxExportJobs.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListMailboxExportJobs.html) **
  - **Description:** Grants permission to list mailbox export jobs
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListMailboxPermissions.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListMailboxPermissions.html) **
  - **Description:** Grants permission to list the mailbox permissions associated with a user, group, or resource mailbox
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListMobileDeviceAccessOverrides.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListMobileDeviceAccessOverrides.html) **
  - **Description:** Grants permission to list the mobile device access overrides
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListMobileDeviceAccessRules.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListMobileDeviceAccessRules.html) **
  - **Description:** Grants permission to list the mobile device access rules
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListOrganizations.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListOrganizations.html) **
  - **Description:** Grants permission to list the non-deleted organizations
  - **Access level:** List
  - **Resource types (\*required):** 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/email-flows.html#email-flows-rule-outbound](https://docs.aws.amazon.com/workmail/latest/adminguide/email-flows.html#email-flows-rule-outbound) [permission only]**
  - **Description:** Grants permission to list outbound mail flow rules configured for an organization
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListPersonalAccessTokens.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListPersonalAccessTokens.html) **
  - **Description:** Grants permission to list metadata for personal access tokens
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListResourceDelegates.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListResourceDelegates.html) **
  - **Description:** Grants permission to list the delegates associated with a resource
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListResources.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListResources.html) **
  - **Description:** Grants permission to list the organization's resources
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/smtp-gateway.html](https://docs.aws.amazon.com/workmail/latest/adminguide/smtp-gateway.html) [permission only]**
  - **Description:** Grants permission to list SMTP gateways registered to the organization
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListTagsForResource.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListTagsForResource.html) **
  - **Description:** Grants permission to list the tags applied to an Amazon WorkMail organization resource
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:**  [#amazonworkmail-aws_TagKeys](#amazonworkmail-aws_TagKeys), [#amazonworkmail-aws_RequestTag___TagKey_](#amazonworkmail-aws_RequestTag___TagKey_) 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListUsers.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ListUsers.html) **
  - **Description:** Grants permission to list the organization's users
  - **Access level:** List
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutAccessControlRule.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutAccessControlRule.html) **
  - **Description:** Grants permission to add a new access control rule
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutEmailMonitoringConfiguration.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutEmailMonitoringConfiguration.html) **
  - **Description:** Grants permission to add or update the email monitoring configuration for an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutIdentityProviderConfiguration.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutIdentityProviderConfiguration.html) **
  - **Description:** Grants permission to add or update the identity provider configuration for the organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutInboundDmarcSettings.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutInboundDmarcSettings.html) **
  - **Description:** Grants permission to enable or disable a DMARC policy for a given organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutMailboxPermissions.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutMailboxPermissions.html) **
  - **Description:** Grants permission to set permissions for a user, group, or resource, replacing any existing permissions
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutMobileDeviceAccessOverride.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutMobileDeviceAccessOverride.html) **
  - **Description:** Grants permission to add or update a mobile device access override
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutRetentionPolicy.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_PutRetentionPolicy.html) **
  - **Description:** Grants permission to add or update the retention policy
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_RegisterMailDomain.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_RegisterMailDomain.html) **
  - **Description:** Grants permission to register a new mail domain in an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_RegisterToWorkMail.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_RegisterToWorkMail.html) **
  - **Description:** Grants permission to register an existing and disabled user, group, or resource for use by associating a mailbox and calendaring capabilities
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_ResetPassword.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_ResetPassword.html) **
  - **Description:** Grants permission to allow the administrator to reset the password for a user
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/groups_overview.html](https://docs.aws.amazon.com/workmail/latest/adminguide/groups_overview.html) [permission only]**
  - **Description:** Grants permission to perform a prefix search to find a specific user in a mail group
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/default_domain.html](https://docs.aws.amazon.com/workmail/latest/adminguide/default_domain.html) [permission only]**
  - **Description:** Grants permission to set the default mail domain for the organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/journaling_overview.html](https://docs.aws.amazon.com/workmail/latest/adminguide/journaling_overview.html) [permission only]**
  - **Description:** Grants permission to set journaling and fallback email addresses for email journaling
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/edit_organization_mobile_policy.html](https://docs.aws.amazon.com/workmail/latest/adminguide/edit_organization_mobile_policy.html) [permission only]**
  - **Description:** Grants permission to set the details of a mobile policy associated with the organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_StartMailboxExportJob.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_StartMailboxExportJob.html) **
  - **Description:** Grants permission to start a new mailbox export job
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_TagResource.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_TagResource.html) **
  - **Description:** Grants permission to tag the specified Amazon WorkMail organization resource
  - **Access level:** Tagging
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:**  [#amazonworkmail-aws_TagKeys](#amazonworkmail-aws_TagKeys), [#amazonworkmail-aws_RequestTag___TagKey_](#amazonworkmail-aws_RequestTag___TagKey_) 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_TestAvailabilityConfiguration.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_TestAvailabilityConfiguration.html) **
  - **Description:** Grants permission to perform a test on an availability provider to ensure that access is allowed
  - **Access level:** Read
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/test-email-flow-rule.html](https://docs.aws.amazon.com/workmail/latest/adminguide/test-email-flow-rule.html) [permission only]**
  - **Description:** Grants permission to test what inbound rules will apply to an email with a given sender and recipient
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/test-email-flow-rule.html](https://docs.aws.amazon.com/workmail/latest/adminguide/test-email-flow-rule.html) [permission only]**
  - **Description:** Grants permission to test what outbound rules will apply to an email with a given sender and recipient
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_UntagResource.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_UntagResource.html) **
  - **Description:** Grants permission to untag the specified Amazon WorkMail organization resource
  - **Access level:** Tagging
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:**  [#amazonworkmail-aws_TagKeys](#amazonworkmail-aws_TagKeys) 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateAvailabilityConfiguration.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateAvailabilityConfiguration.html) **
  - **Description:** Grants permission to update an existing AvailabilityConfiguration for the given Amazon WorkMail organization and domain
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateDefaultMailDomain.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateDefaultMailDomain.html) **
  - **Description:** Grants permission to update which domain is the default domain for an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateGroup.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateGroup.html) **
  - **Description:** Grants permission to update details of a group
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateImpersonationRole.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateImpersonationRole.html) **
  - **Description:** Grants permission to update an existing impersonation role for the given Amazon WorkMail organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/modify-email-flow-rule.html](https://docs.aws.amazon.com/workmail/latest/adminguide/modify-email-flow-rule.html) [permission only]**
  - **Description:** Grants permission to update the details of an inbound email flow rule which will apply to all email sent to an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateMailboxQuota.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateMailboxQuota.html) **
  - **Description:** Grants permission to update the maximum size (in MB) of the user's mailbox
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateMobileDeviceAccessRule.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateMobileDeviceAccessRule.html) **
  - **Description:** Grants permission to update a mobile device access rule
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/modify-email-flow-rule.html](https://docs.aws.amazon.com/workmail/latest/adminguide/modify-email-flow-rule.html) [permission only]**
  - **Description:** Grants permission to update the details of an outbound email flow rule which will apply to all email sent from an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdatePrimaryEmailAddress.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdatePrimaryEmailAddress.html) **
  - **Description:** Grants permission to update the primary email for a user, group, or resource
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateResource.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateResource.html) **
  - **Description:** Grants permission to update details for the resource
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/smtp-gateway.html](https://docs.aws.amazon.com/workmail/latest/adminguide/smtp-gateway.html) [permission only]**
  - **Description:** Grants permission to update the details of an existing SMTP gateway registered to an organization
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateUser.html](https://docs.aws.amazon.com/workmail/latest/APIReference/API_UpdateUser.html) **
  - **Description:** Grants permission to update details of a user
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 

- **  [https://docs.aws.amazon.com/workmail/latest/adminguide/manage-devices.html#remote_wipe_device](https://docs.aws.amazon.com/workmail/latest/adminguide/manage-devices.html#remote_wipe_device) [permission only]**
  - **Description:** Grants permission to remotely wipe the mobile device associated with a user's account
  - **Access level:** Write
  - **Resource types (\*required):**  [#amazonworkmail-organization](#amazonworkmail-organization) 
  - **Condition keys:** 
  - **Dependent actions:** 



## Resource types defined by Amazon WorkMail
<a name="amazonworkmail-resources-for-iam-policies"></a>

The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazonworkmail-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).



| Resource types | ARN | Condition keys | 
| --- | --- | --- | 
| [organization](https://docs.aws.amazon.com/workmail/latest/adminguide/organizations_overview.html) | `arn:${Partition}:workmail:${Region}:${Account}:organization/${ResourceId}` | [aws:ResourceTag/${TagKey}](#amazonworkmail-aws_ResourceTag___TagKey_) |

## Condition keys for Amazon WorkMail
<a name="amazonworkmail-policy-keys"></a>

Amazon WorkMail defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).

To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).



| Condition keys | Description | Type | 
| --- | --- | --- | 
| [aws:RequestTag/${TagKey}](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) | Filters access by the tag key-value pairs that are passed in the request | String |
| [aws:ResourceTag/${TagKey}](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) | Filters access by the tag key-value pairs attached to the resource | String |
| [aws:TagKeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) | Filters access by the tag keys that are passed in the request | ArrayOfString |
| [workmail:ImpersonationRoleId](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonworkmail.html#amazonworkmail-policy-keys) | Filters access by the ImpersonationRoleId that is passed in the request | String |