| Action | Description | Resource | Condition |
|---|---|---|---|
| iam:AddRoleToInstanceProfile | Adds the specified IAM role to the specified instance profile. | arn:aws:iam::$account:instance-profile/$instance-profile-name | - |
| iam:AddUserToGroup | Adds the specified user to the specified group. | arn:aws:iam::$account:group/$group-name | - |
| iam:AddClientIDToOpenIDConnectProvider | Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource. | arn:aws:iam::$account:oidc-provider/$provider-name | - |
| iam:AttachGroupPolicy | Attaches the specified managed policy to the specified IAM group. | arn:aws:iam::$account:group/$group-name | iam:PolicyArn |
| iam:AttachRolePolicy | Attaches the specified managed policy to the specified IAM role. | arn:aws:iam::$account:role/$role-name | iam:PolicyArn |
| iam:AttachUserPolicy | Attaches the specified managed policy to the specified user. | arn:aws:iam::$account:user/$user-name | iam:PolicyArn |
| iam:ChangePassword | Changes the password of the IAM user who is calling this action. | arn:aws:iam::$account:user/$user-name | - |
| iam:CreateAccessKey | Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. | arn:aws:iam::$account:user/$user-name | - |
| iam:CreateAccountAlias | Creates an alias for your AWS account. | * | - |
| iam:CreateGroup | Creates a new group. | arn:aws:iam::$account:group/$group-name | - |
| iam:CreateInstanceProfile | Creates a new instance profile. | arn:aws:iam::$account:instance-profile/$instance-profile-name | - |
| iam:CreateLoginProfile | Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console. | arn:aws:iam::$account:user/$user-name | - |
| iam:CreateOpenIDConnectProvider | Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC). | arn:aws:iam::$account:oidc-provider/$provider-name | - |
| iam:CreatePolicy | Creates a new managed policy for your AWS account. | arn:aws:iam::$account:policy/$policy-name | - |
| iam:CreatePolicyVersion | Creates a new version of the specified managed policy. | arn:aws:iam::$account:policy/$policy-name | - |
| iam:CreateRole | Creates a new role for your AWS account. | arn:aws:iam::$account:role/$role-name | - |
| iam:CreateSAMLProvider | Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2. | arn:aws:iam::$account:saml-provider/$provider-name | - |
| iam:CreateUser | Creates a new IAM user for your AWS account. | arn:aws:iam::$account:user/$user-name | - |
| iam:CreateVirtualMFADevice | Creates a new virtual MFA device for the AWS account. | arn:aws:iam::$account:mfa/$virtual-device-name | - |
| iam:DeactivateMFADevice | Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled. | arn:aws:iam::$account:user/$user-name | - |
| iam:DeleteAccessKey | Deletes the access key pair associated with the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:DeleteAccountAlias | Deletes the specified AWS account alias. | * | - |
| iam:DeleteAccountPasswordPolicy | Deletes the password policy for the AWS account. | * | - |
| iam:DeleteGroup | Deletes the specified IAM group. | arn:aws:iam::$account:group/$group-name | - |
| iam:DeleteGroupPolicy | Deletes the specified inline policy that is embedded in the specified IAM group. | arn:aws:iam::$account:group/$group-name | - |
| iam:DeleteInstanceProfile | Deletes the specified instance profile. | arn:aws:iam::$account:instance-profile/$instance-profile-name | - |
| iam:DeleteLoginProfile | Deletes the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console. | arn:aws:iam::$account:user/$user-name | - |
| iam:DeleteOpenIDConnectProvider | Deletes an OpenID Connect identity provider (IdP) resource object in IAM. | arn:aws:iam::$account:oidc-provider/$provider-name | - |
| iam:DeletePolicy | Deletes the specified managed policy. | arn:aws:iam::$account:policy/$policy-name | - |
| iam:DeletePolicyVersion | Deletes the specified version from the specified managed policy. | arn:aws:iam::$account:policy/$policy-name | - |
| iam:DeleteRole | Deletes the specified role. | arn:aws:iam::$account:role/$role-name | - |
| iam:DeleteRolePolicy | Deletes the specified inline policy that is embedded in the specified IAM role. | arn:aws:iam::$account:role/$role-name | - |
| iam:DeleteSAMLProvider | Deletes a SAML provider resource in IAM. | arn:aws:iam::$account:saml-provider/$provider-name | - |
| iam:DeleteSSHPublicKey | Deletes the specified SSH public key. | arn:aws:iam::$account:user/$user-name | - |
| iam:DeleteServerCertificate | Deletes the specified server certificate. | arn:aws:iam::$account:server-certificate/$certificate-name | - |
| iam:DeleteSigningCertificate | Deletes a signing certificate associated with the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:DeleteUser | Deletes the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:DeleteUserPolicy | Deletes the specified inline policy that is embedded in the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:DeleteVirtualMFADevice | Deletes a virtual MFA device. | arn:aws:iam::$account:mfa/$virtual-device-name | - |
| iam:DetachGroupPolicy | Removes the specified managed policy from the specified IAM group. | arn:aws:iam::$account:group/$group-name | iam:PolicyArn |
| iam:DetachRolePolicy | Removes the specified managed policy from the specified role. | arn:aws:iam::$account:role/$role-name | iam:PolicyArn |
| iam:DetachUserPolicy | Removes the specified managed policy from the specified user. | arn:aws:iam::$account:group/$user-name | iam:PolicyArn |
| iam:EnableMFADevice | Enables the specified MFA device and associates it with the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:GenerateCredentialReport | Generates a credential report for the AWS account. | * | - |
| iam:GetAccessKeyLastUsed | Retrieves information about when the specified access key was last used. | arn:aws:iam::$account:user/$user-name | - |
| iam:GetAccountAuthorizationDetails | Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. | * | - |
| iam:GetAccountPasswordPolicy | Retrieves the password policy for the AWS account. | * | - |
| iam:GetAccountSummary | Retrieves information about IAM entity usage and IAM quotas in the AWS account. | * | - |
| iam:GetContextKeysForCustomPolicy | Gets a list of all of the context keys referenced in the input policies. | * | - |
| iam:GetContextKeysForPrincipalPolicy | Gets a list of all of the context keys referenced in all of the IAM policies attached to the specified IAM entity. | * | - |
| iam:GetCredentialReport | Retrieves a credential report for the AWS account. | * | - |
| iam:GetGroup | Returns a list of IAM users that are in the specified IAM group. | arn:aws:iam::$account:group/$group-name | - |
| iam:GetGroupPolicy | Retrieves the specified inline policy document that is embedded in the specified IAM group. | arn:aws:iam::$account:group/$group-name | - |
| iam:GetInstanceProfile | Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role. | arn:aws:iam::$account:instance-profile/$instance-profile-name | - |
| iam:GetLoginProfile | Retrieves the user name and password-creation date for the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:GetOpenIDConnectProvider | Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM. | arn:aws:iam::$account:oidc-provider/$provider-name | - |
| iam:GetPolicy | Retrieves information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached. | arn:aws:iam::$account:policy/$policy-name | - |
| iam:GetPolicyVersion | Retrieves information about the specified version of the specified managed policy, including the policy document. | arn:aws:iam::$account:policy/$policy-name | - |
| iam:GetRole | Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role. | arn:aws:iam::$account:role/$role-name | - |
| iam:GetRolePolicy | Retrieves the specified inline policy document that is embedded with the specified IAM role. | arn:aws:iam::$account:role/$role-name | - |
| iam:GetSAMLProvider | Returns the SAML provider metadocument that was uploaded when the IAM SAML provider resource object was created or updated. | arn:aws:iam::$account:saml-provider/$provider-name | - |
| iam:GetSSHPublicKey | Retrieves the specified SSH public key, including metadata about the key. | arn:aws:iam::$account:user/$user-name | - |
| iam:GetServerCertificate | Retrieves information about the specified server certificate stored in IAM. | arn:aws:iam::$account:server-certificate/$certificate-name | - |
| iam:GetServiceLastAccessedDetailsWithEntities | View access advisor information, this is an IAM policy permission only, not an API action that can be called. | * | - |
| iam:GetUser | Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN. | arn:aws:iam::$account:user/$user-name | - |
| iam:GetUserPolicy | Retrieves the specified inline policy document that is embedded in the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:ListAccessKeys | Returns information about the access key IDs associated with the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:ListAccountAliases | Lists the account alias associated with the AWS account (Note: you can have only one). | * | - |
| iam:ListAttachedGroupPolicies | Lists all managed policies that are attached to the specified IAM group. | arn:aws:iam::$account:group/$group-name | - |
| iam:ListAttachedRolePolicies | Lists all managed policies that are attached to the specified IAM role. | arn:aws:iam::$account:role/$role-name | - |
| iam:ListAttachedUserPolicies | Lists all managed policies that are attached to the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:ListEntitiesForPolicy | Lists all IAM users, groups, and roles that the specified managed policy is attached to. | arn:aws:iam::$account:policy/$policy-name | - |
| iam:ListGroupPolicies | Lists the names of the inline policies that are embedded in the specified IAM group. | arn:aws:iam::$account:group/$group-name | - |
| iam:ListGroups | Lists the IAM groups that have the specified path prefix. | * | - |
| iam:ListGroupsForUser | Lists the IAM groups that the specified IAM user belongs to. | arn:aws:iam::$account:user/$user-name | - |
| iam:ListInstanceProfiles | Lists the instance profiles that have the specified path prefix. | arn:aws:iam::$account:instance-profile/$instance-profile-name | - |
| iam:ListInstanceProfilesForRole | Lists the instance profiles that have the specified associated IAM role. | arn:aws:iam::$account:role/$role-name | - |
| iam:ListMFADevices | Lists the MFA devices for an IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:ListOpenIDConnectProviders | Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account. | * | - |
| iam:ListPolicies | Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies. | * | - |
| iam:ListPoliciesGrantingServiceAccess | View access advisor information, this is an IAM policy permission only, not an API action that can be called. | * | - |
| iam:ListPolicyVersions | Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version. | arn:aws:iam::$account:policy/$policy-name | - |
| iam:ListRolePolicies | Lists the names of the inline policies that are embedded in the specified IAM role. | arn:aws:iam::$account:role/$role-name | - |
| iam:ListRoles | Lists the IAM roles that have the specified path prefix. | * | - |
| iam:ListSAMLProviders | Lists the SAML provider resource objects defined in IAM in the account. | * | - |
| iam:ListSSHPublicKeys | Returns information about the SSH public keys associated with the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:ListServerCertificates | Lists the server certificates stored in IAM that have the specified path prefix. | * | - |
| iam:ListSigningCertificates | Returns information about the signing certificates associated with the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:ListUserPolicies | Lists the names of the inline policies embedded in the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:ListUsers | Lists the IAM users that have the specified path prefix. | * | - |
| iam:ListVirtualMFADevices | Lists the virtual MFA devices defined in the AWS account by assignment status. | * | - |
| iam:PutGroupPolicy | Adds or updates an inline policy document that is embedded in the specified IAM group. | arn:aws:iam::$account:group/$group-name | - |
| iam:PutRolePolicy | Adds or updates an inline policy document that is embedded in the specified IAM role. | arn:aws:iam::$account:role/$role-name | - |
| iam:PutUserPolicy | Adds or updates an inline policy document that is embedded in the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:RemoveClientIDFromOpenIDConnectProvider | Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object. | arn:aws:iam::$account:oidc-provider/$provider-name | - |
| iam:RemoveRoleFromInstanceProfile | Removes the specified IAM role from the specified EC2 instance profile. | arn:aws:iam::$account:instance-profile/$instance-profile-name | - |
| iam:RemoveUserFromGroup | Removes the specified user from the specified group. | arn:aws:iam::$account:group/$group-name | - |
| iam:ResyncMFADevice | Synchronizes the specified MFA device with its IAM resource object on the AWS servers. | arn:aws:iam::$account:user/$user-name | - |
| iam:SetDefaultPolicyVersion | Sets the specified version of the specified policy as the policy's default (operative) version. | arn:aws:iam::$account:policy/$policy-name | - |
| iam:SimulateCustomPolicy | Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API actions and AWS resources to determine the policies' effective permissions. | * | - |
| iam:SimulatePrincipalPolicy | Simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions. | * | - |
| iam:UpdateAccessKey | Changes the status of the specified access key from Active to Inactive, or vice versa. | arn:aws:iam::$account:user/$user-name | - |
| iam:UpdateAccountPasswordPolicy | Updates the password policy settings for the AWS account. | * | - |
| iam:UpdateAssumeRolePolicy | Updates the policy that grants an IAM entity permission to assume a role. | arn:aws:iam::$account:role/$role-name | - |
| iam:UpdateGroup | Updates the name and/or the path of the specified IAM group. | arn:aws:iam::$account:group/$group-name | - |
| iam:UpdateLoginProfile | Changes the password for the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:UpdateOpenIDConnectProviderThumbprint | Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints. | arn:aws:iam::$account:oidc-provider/$provider-name | - |
| iam:UpdateSAMLProvider | Updates the metadata document for an existing SAML provider resource object. | arn:aws:iam::$account:saml-provider/$provider-name | - |
| iam:UpdateSSHPublicKey | Sets the status of an IAM user's SSH public key to active or inactive. | arn:aws:iam::$account:user/$user-name | - |
| iam:UpdateServerCertificate | Updates the name and/or the path of the specified server certificate stored in IAM. | arn:aws:iam::$account:server-certificate/$certificate-name | - |
| iam:UpdateSigningCertificate | Changes the status of the specified user signing certificate from active to disabled, or vice versa. | arn:aws:iam::$account:user/$user-name | - |
| iam:UpdateUser | Updates the name and/or the path of the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:UploadSSHPublicKey | Uploads an SSH public key and associates it with the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:UploadServerCertificate | Uploads a server certificate entity for the AWS account. | arn:aws:iam::$account:server-certificate/$certificate-name | - |
| iam:UploadSigningCertificate | Uploads an X.509 signing certificate and associates it with the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:GenerateServiceLastAccessedDetails | View access advisor information, this is an IAM policy permission only, not an API action that can be called. | * | - |
| iam:GetServiceLastAccessedDetails | View access advisor information, this is an IAM policy permission only, not an API action that can be called. | * | - |
| iam:PassRole | This is an IAM policy permission only, not an API action that can be called. | arn:aws:iam::$account:role/$role-name | - |
| iam:CreateServiceLinkedRole | Creates an IAM role that is linked to a specific AWS service. | arn:aws:iam::$account:role/$role-name | iam:AWSServiceName |
| iam:CreateServiceSpecificCredential | Generates a set of credentials consisting of a user name and password that can be used to access the service specified in the request. | arn:aws:iam::$account:user/$user-name | - |
| iam:DeleteServiceLinkedRole | Submits a service-linked role deletion request. | arn:aws:iam::$account:role/$role-name | iam:AWSServiceName |
| iam:DeleteServiceSpecificCredential | Deletes the specified service-specific credential. | arn:aws:iam::$account:user/$user-name | - |
| iam:GetServiceLinkedRoleDeletionStatus | Retrieves the status of your service-linked role deletion. | ??? | ??? |
| iam:ListServiceSpecificCredentials | Returns information about the service-specific credentials associated with the specified IAM user. | arn:aws:iam::$account:user/$user-name | - |
| iam:ResetServiceSpecificCredential | Resets the password for a service-specific credential. | arn:aws:iam::$account:user/$user-name | - |
| iam:UpdateRoleDescription | Modifies the description of a role. | arn:aws:iam::$account:role/$role-name | ??? |
| iam:UpdateServiceSpecificCredential | Sets the status of a service-specific credential to Active or Inactive. | arn:aws:iam::$account:user/$user-name | - |
This repository has been archived by the owner on Oct 2, 2023. It is now read-only.