You can specify the following actions in the Action element of an IAM policy statement.
| Action | Description | Used By | Access Level | Resource Types | Condition Keys |
|---|
You can use the following methods in the AWS CLI, SDKs or API.
| Method | Description | IAM Action | ARN Template Show Original |
|---|
Consume the above permissions with your own tooling.
You can specify the following actions in the Action element of an IAM policy statement.
| Action | Description | Used By | Access Level | Resource Types | Condition Keys |
|---|
Consume the above permissions with your own tooling.
List
Read
Tagging
Write
Permissions management
Unknown
The aws.permissions.cloud website uses a variety of information gathered within the IAM Dataset and exposes that information in a clean, easy-to-read format.
aws.permissions.cloud was built in order to provide an alternate, community-driven source of truth for AWS identity. If you would like to contribute to or suggest a feature for this website, please raise it in the aws.permissions.cloud repo. If you have found a data issue with the IAM permissions or API methods, please raise it in the IAM Dataset repo.
The website can be navigated using the left sidebar or by quickly looking up a specific managed policy, IAM permission or API method in the top search bar.
The dashboard has a small selection of statistics about the global state of IAM permissions and API methods.
The managed policies section lists all known AWS Managed Policies with the ability to view individual policies in-depth. Additional analysis is presented about the effective IAM permissions the policy provides.
The following table represents the attributes available on either a managed policy or an effective IAM action within it:
| Tag | Description |
|---|---|
| credentials exposure | A managed policy or managed policy action tag that indicates the presence of an action that could produce a response that contains credentials. |
| resource exposure | A managed policy or managed policy action tag that indicates the presence of an action that could expose AWS resources to the public. |
| data access | A managed policy or managed policy action tag that indicates the presence of an action that could return data within AWS data stores. |
| unknown actions | A managed policy tag indicating that the managed policy contains an action that is not documented in the official Service Authorization Reference. |
| unknown | A managed policy action tag that indicates the action is not documented in the official Service Authorization Reference. |
| possible privesc | A managed policy or managed policy action tag that indicates the presence of an action that could potentially lead to a privilege escalation. |
| grantless | A managed policy tag that indicates the policy does not explicitely allow actions. These policies are typically used as Service Control Policies. |
| undocumented actions | A managed policy tag that indicates the presence of undocumented actions within the policy. |
| malformed | A managed policy tag that indicates the presence of a malformed statement within the policy. |
| deprecated | A managed policy tag that indicates the policy is deprecated. |
IAM Permissions are available on all service pages. Each IAM permission details its own description, access level, resolved resource type ARN pattern, condition keys, as well as the API methods that are known to consume that permission.
The following table represents the attributes available on an IAM action:
| Tag | Description |
|---|---|
| undocumented | An IAM permission tag that indicates the permission is not documented in the official Service Authorization Reference but has been identified as existing. |
| required | An IAM permission tag that indicates that the presence of an entry matching the preceeding ARN template is required. |
API Methods are available on all service pages. Each API Method details its own description, ARN template format (including special functions), as well as the IAM permissions the action may require. IAM permissions are required unless one of the below tags resolves to non-existance.
If a variable is not present in the API method request, its value should instead be replaced with an *.
The following table represents the attributes available on an API method:
| Tag | Description |
|---|---|
| undocumented | An API method tag that indicates the method is not documented in the official Service Authorization Reference but has been identified as existing and has an associated IAM permission requirement. |
| overridden | A permission ARN template tag that indicated the preceeding template format was manually constructed, overriding any permission ARN format hints. |
| if truthy comparison value then success value otherwise failure value | A permission ARN template tag that resolves to the success value when the comparison value exists and is truthy, otherwise resolving to the failure value, or to non-existance when the failure value is not present. |
| urlencode value | A permission ARN template tag that resolves to the URL-encoded version of the specified value. |
| if ARN matches format value | A permission ARN template tag that resolves to the value if the value matches the ARN format hints, otherwise to non-existance. |
| for the property value get first match of the regex pattern regex pattern | A permission ARN template tag that resolves to the first Regex match of the value given the provided pattern, or to non-existance where a first match is not found. |
Enter your IAM policy in the box below.
Below is a breakdown of the effective actions for the policy.
| Action | Based On | Access Level |
|---|