A list of IAM permissions you can use in policy documents. Collected from the myriad of places Amazon hides them. (incomplete)

IAM Permissions List.md

List of IAM Permissions

This is a list of controls that can be placed into an IAM policy document. All content comes from AWS documentation.

Something wrong? Try looking here.

Table of Contents generated with DocToc

• List of IAM Permissions
  • IAM Policy Variables
  • AWS Billing
  • Auto Scaling
  • CloudFormation
  • CloudTrail
  • CloudWatch
  • CloudWatch Logs
  • Database Migration Service (DMS)
  • DynamoDB
  • Elastic Beanstalk
  • ElastiCache
  • EC2
  • EC2 Container Service (ECS)
  • Elastic File System (EFS)
  • Elastic Load Balancer (ELB)
  • Elastic MapReduce (EMR)
  • Identity and Access Management (IAM)
  • Kinesis
  • Key Management Service (KMS)
  • Lambda
  • OpsWorks
  • Relational Database Service (RDS)
  • Redshift
  • Route 53
  • Route53 Domains
  • S3
  • Security Token Service (STS)
  • Simple Email Service (SES)
  • Simple Notification Service (SNS)
  • Simple Queue Service (SQS)
  • Support
  • Trusted Advisor

IAM Policy Variables

• aws:CurrentTime —To check for date/time conditions.
• aws:EpochTime —To check for date/time conditions using a date in epoch or UNIX time.
• aws:TokenIssueTime This is the date and time that temporary security credentials were issued and can be used with date/time conditions. (Note: This key is only available in requests that are signed using temporary security credentials. For more information about temporary security credentials, see Temporary Security Credentials.)
• aws:principaltype —To check the type of principal (user, account, federated user, - etc.) for the current request.
• aws:SecureTransport —To check whether the request was sent using SSL. For services - that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport - key has no meaning.
• aws:SourceArn —To check the source of the request, using the Amazon Resource Name - (ARN) of the source. (This value is available for only some services. For more - information, see Amazon Resource Name (ARN) under "Element Descriptions" in the - Amazon Simple Queue Service Developer Guide.)
• aws:SourceIp —To check the IP address of the requester. Note that if you use - aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP - address of the instance is evaluated.
• aws:UserAgent —To check the client application that made the request.
• aws:userid —To check the user ID of the requester.
• aws:username —To check the user name of the requester, if available.
• ec2:SourceInstanceARN This is the Amazon Resource Name (ARN) of the Amazon EC2 instance from which the request is made. This key is present only when the request comes from an Amazon EC2 instance using an IAM role associated with an EC2 instance profile.

The values for aws:username, aws:userid, and aws:principaltype depend on what type of principal initiated the request—whether the request was made using the credentials of an AWS account, an IAM user, an IAM role, and so on. The following table shows values for these keys for different types of principal.

Principal	aws:username	aws:userid	aws:principaltype
AWS account	(not present)	AWS account ID	Account
IAM user	IAM-user-name	unique ID	User
Federated user	(not present)	account:caller-specified-name	FederatedUser
Web federated user (Login with Amazon, Amazon Cognito, Facebook, Google) *	(not present)	role id:caller-specified-role-name	AssumedRole
SAML federated user **	(not present)	role id:caller-specified-role-name	AssumedRole
Assumed role	(not present)	role-id:caller-specified-role-name	AssumedRole
Role assigned to an Amazon EC2 instance	(not present)	role-id:ec2-instance-id	AssumedRole
Anonymous caller (Amazon SQS, Amazon SNS, and Amazon S3 only)	(not present)	(not present)	Anonymous

* For information about policy keys that are available when you use web identity federation, see Identifying Users with Web Identity Federation.

** For information about policy keys that are available when you use SAML federation, see Uniquely Identifying Users in SAML-Based Federation.

In this table:

• not present means that the value is not in the current request information, and any attempt to match it fails and causes the request to be denied.
• role-id is a unique identifier assigned to each role at creation. You can display the role ID with the AWS CLI command: aws iam get-role --role-name ${rolename}
• caller-specified-name and caller-specified-role-name are names that are passed by the calling process (e.g. application or service) when it makes a call to get temporary credentials.
• ec2-instance-id is a value assigned to the instance when it is launched and appears on the Instances page of the Amazon EC2 console. You can also display the instance ID by running the AWS CLI command: aws ec2 describe-instances

AWS Billing

aws-portal:

• ModifyAccount
• ModifyBilling
• ModifyPaymentMethods
• ViewAccount
• ViewBilling
• ViewBudget
• ViewPaymentMethods
• ViewUsage

Auto Scaling

autoscaling:

• AttachInstances
• AttachLoadBalancers
• CompleteLifecycleAction
• CreateAutoScalingGroup
• CreateLaunchConfiguration
• CreateOrUpdateTags
• DeleteAutoScalingGroup
• DeleteLaunchConfiguration
• DeleteLifecycleHook
• DeleteNotificationConfiguration
• DeletePolicy
• DeleteScheduledAction
• DeleteTags
• DescribeAccountLimits
• DescribeAdjustmentTypes
• DescribeAutoScalingGroups
• DescribeAutoScalingInstances
• DescribeAutoScalingNotificationTypes
• DescribeLaunchConfigurations
• DescribeLifecycleHooks
• DescribeLifecycleHookTypes
• DescribeLoadBalancers
• DescribeMetricCollectionTypes
• DescribeNotificationConfigurations
• DescribePolicies
• DescribeScalingActivities
• DescribeScalingProcessTypes
• DescribeScheduledActions
• DescribeTags
• DescribeTerminationPolicyTypes
• DetachInstances
• DetachLoadBalancers
• DisableMetricsCollection
• EnableMetricsCollection
• EnterStandby
• ExecutePolicy
• ExitStandby
• PutLifecycleHook
• PutNotificationConfiguration
• PutScalingPolicy
• PutScheduledUpdateGroupAction
• RecordLifecycleActionHeartbeat
• ResumeProcesses
• SetDesiredCapacity
• SetInstanceHealth
• SetInstanceProtection
• SuspendProcesses
• TerminateInstanceInAutoScalingGroup
• UpdateAutoScalingGroup

CloudFormation

cloudformation:

• CancelUpdateStack
• ContinueUpdateRollback
• CreateChangeSet
• CreateStack
• CreateUploadBucket
• DeleteStack
• DescribeAccountLimits
• DescribeChangeSet
• DescribeStackEvents
• DescribeStackResource
• DescribeStackResources
• DescribeStacks
• EstimateTemplateCost
• ExecuteChangeSet
• GetStackPolicy
• GetTemplate
• GetTemplateSummary
• ListChangeSets
• ListStackResources
• ListStacks
• PreviewStackUpdate
• SetStackPolicy
• SignalResource
• UpdateStack
• ValidateTemplate

CloudTrail

cloudtrail:

• AddTags
• CreateTrail
• DeleteTrail
• DescribeTrails
• GetTrailStatus
• ListPublicKeys
• ListTags
• LookupEvents
• RemoveTags
• StartLogging
• StopLogging
• UpdateTrail

CloudWatch

cloudwatch:

• CancelExportTask
• CreateExportTask
• CreateLogGroup
• CreateLogStream
• DeleteDestination
• DeleteLogGroup
• DeleteLogStream
• DeleteMetricFilter
• DeleteRetentionPolicy
• DeleteSubscriptionFilter
• DescribeDestinations
• DescribeExportTasks
• DescribeLogGroups
• DescribeLogStreams
• DescribeMetricFilters
• DescribeSubscriptionFilters
• FilterLogEvents
• GetLogEvents
• PutDestination
• PutDestinationPolicy
• PutLogEvents
• PutMetricFilter
• PutRetentionPolicy
• PutSubscriptionFilter
• TestMetricFilter

CloudWatch Logs

logs:

• CancelExportTask
• CreateExportTask
• CreateLogGroup
• CreateLogStream
• DeleteDestination
• DeleteLogGroup
• DeleteLogStream
• DeleteMetricFilter
• DeleteRetentionPolicy
• DeleteSubscriptionFilter
• DescribeDestinations
• DescribeExportTasks
• DescribeLogGroups
• DescribeLogStreams
• DescribeMetricFilters
• DescribeSubscriptionFilters
• FilterLogEvents
• GetLogEvents
• PutDestination
• PutDestinationPolicy
• PutLogEvents
• PutMetricFilter
• PutRetentionPolicy
• PutSubscriptionFilter
• TestMetricFilter

Database Migration Service (DMS)

dms:

• AddTagsToResource
• CreateEndpoint
• CreateReplicationInstance
• CreateReplicationSubnetGroup
• CreateReplicationTask
• DeleteEndpoint
• DeleteReplicationInstance
• DeleteReplicationSubnetGroup
• DeleteReplicationTask
• DescribeAccountAttributes
• DescribeConnections
• DescribeEndpointTypes
• DescribeEndpoints
• DescribeOrderableReplicationInstances
• DescribeRefreshSchemasStatus
• DescribeReplicationInstances
• DescribeReplicationSubnetGroups
• DescribeReplicationTasks
• DescribeSchemas
• DescribeTableStatistics
• ListTagsForResource
• ModifyEndpoint
• ModifyReplicationInstance
• ModifyReplicationSubnetGroup
• RefreshSchemas
• RemoveTagsFromResource
• StartReplicationTask
• StopReplicationTask
• TestConnection

DynamoDB

dynamodb:

• BatchGetItem
• BatchWriteItem
• CreateTable
• DeleteItem
• DeleteTable
• DescribeReservedCapacity
• DescribeReservedCapacityOfferings
• DescribeStream
• DescribeTable
• GetItem
• GetRecords
• GetShardIterator
• ListStreams
• ListTables
• PurchaseReservedCapacityOfferings
• PutItem
• Query
• Scan
• UpdateItem
• UpdateTable

Elastic Beanstalk

elasticbeanstalk:

• CheckDNSAvailability
• CreateApplication
• CreateApplicationVersion
• CreateConfigurationTemplate
• CreateEnvironment
• CreateStorageLocation
• DeleteApplication
• DeleteApplicationVersion
• DeleteConfigurationTemplate
• DeleteEnvironmentConfiguration
• DescribeApplicationVersions
• DescribeApplications
• DescribeConfigurationOptions
• DescribeConfigurationSettings
• DescribeEnvironmentHealth
• DescribeEnvironmentResources
• DescribeEnvironments
• DescribeEvents
• DescribeInstancesHealth
• ListAvailableSolutionStacks
• RebuildEnvironment
• RequestEnvironmentInfo
• RestartAppServer
• RetrieveEnvironmentInfo
• SwapEnvironmentCNAMEs
• TerminateEnvironment
• UpdateApplication
• UpdateApplicationVersion
• UpdateConfigurationTemplate
• UpdateEnvironment
• ValidateConfigurationSettings

ElastiCache

elasticache:

• AddTagsToResource
• AuthorizeCacheSecurityGroupIngress
• CopySnapshot
• CreateCacheCluster
• CreateCacheParameterGroup
• CreateCacheSecurityGroup
• CreateCacheSubnetGroup
• CreateReplicationGroup
• CreateSnapshot
• DeleteCacheCluster
• DeleteCacheParameterGroup
• DeleteCacheSecurityGroup
• DeleteCacheSubnetGroup
• DeleteReplicationGroup
• DeleteSnapshot
• DescribeCacheClusters
• DescribeCacheEngineVersions
• DescribeCacheParameterGroups
• DescribeCacheParameters
• DescribeCacheSecurityGroups
• DescribeCacheSubnetGroups
• DescribeEngineDefaultParameters
• DescribeEvents
• DescribeReplicationGroups
• DescribeReservedCacheNodes
• DescribeReservedCacheNodesOfferings
• DescribeSnapshots
• ListAllowedNodeTypeModifications
• ListTagsForResource
• ModifyCacheCluster
• ModifyCacheParameterGroup
• ModifyCacheSubnetGroup
• ModifyReplicationGroup
• PurchaseReservedCacheNodesOffering
• RebootCacheCluster
• RemoveTagsFromResource
• ResetCacheParameterGroup
• RevokeCacheSecurityGroupIngress

EC2

ec2:

• AcceptVpcPeeringConnection
• AllocateAddress
• AllocateHosts
• AssignPrivateIpAddresses
• AssociateAddress
• AssociateDhcpOptions
• AssociateRouteTable
• AttachClassicLinkVpc
• AttachInternetGateway
• AttachNetworkInterface
• AttachVolume
• AttachVpnGateway
• AuthorizeSecurityGroupEgress
• AuthorizeSecurityGroupIngress
• BundleInstance
• CancelBundleTask
• CancelConversionTask
• CancelExportTask
• CancelImportTask
• CancelReservedInstancesListing
• CancelSpotFleetRequests
• CancelSpotInstanceRequests
• ConfirmProductInstance
• CopyImage
• CopySnapshot
• CreateCustomerGateway
• CreateDhcpOptions
• CreateFlowLogs
• CreateImage
• CreateInstanceExportTask
• CreateInternetGateway
• CreateKeyPair
• CreateNatGateway
• CreateNetworkAcl
• CreateNetworkAclEntry
• CreateNetworkInterface
• CreatePlacementGroup
• CreateReservedInstancesListing
• CreateRoute
• CreateRouteTable
• CreateSecurityGroup
• CreateSnapshot
• CreateSpotDatafeedSubscription
• CreateSubnet
• CreateTags
• CreateVolume
• CreateVpc
• CreateVpcEndpoint
• CreateVpcPeeringConnection
• CreateVpnConnection
• CreateVpnConnectionRoute
• CreateVpnGateway
• DeleteCustomerGateway
• DeleteDhcpOptions
• DeleteFlowLogs
• DeleteInternetGateway
• DeleteKeyPair
• DeleteNatGateway
• DeleteNetworkAcl
• DeleteNetworkAclEntry
• DeleteNetworkInterface
• DeletePlacementGroup
• DeleteRoute
• DeleteRouteTable
• DeleteSecurityGroup
• DeleteSnapshot
• DeleteSpotDatafeedSubscription
• DeleteSubnet
• DeleteTags
• DeleteVolume
• DeleteVpc
• DeleteVpcEndpoints
• DeleteVpcPeeringConnection
• DeleteVpnConnection
• DeleteVpnConnectionRoute
• DeleteVpnGateway
• DeregisterImage
• DescribeAccountAttributes
• DescribeAddresses
• DescribeAvailabilityZones
• DescribeBundleTasks
• DescribeClassicLinkInstances
• DescribeConversionTasks
• DescribeCustomerGateways
• DescribeDhcpOptions
• DescribeExportTasks
• DescribeFlowLogs
• DescribeHosts
• DescribeIdFormat
• DescribeImageAttribute
• DescribeImages
• DescribeImportImageTasks
• DescribeImportSnapshotTasks
• DescribeInstanceAttribute
• DescribeInstances
• DescribeInstanceStatus
• DescribeInternetGateways
• DescribeKeyPairs
• DescribeMovingAddresses
• DescribeNatGateways
• DescribeNetworkAcls
• DescribeNetworkInterfaceAttribute
• DescribeNetworkInterfaces
• DescribePlacementGroups
• DescribePrefixLists
• DescribeRegions
• DescribeReservedInstances
• DescribeReservedInstancesListings
• DescribeReservedInstancesModifications
• DescribeReservedInstancesOfferings
• DescribeRouteTables
• DescribeScheduledInstanceAvailability
• DescribeScheduledInstances
• DescribeSecurityGroupReferences
• DescribeSecurityGroups
• DescribeSnapshotAttribute
• DescribeSnapshots
• DescribeSpotDatafeedSubscription
• DescribeSpotFleetInstances
• DescribeSpotFleetRequestHistory
• DescribeSpotFleetRequests
• DescribeSpotInstanceRequests
• DescribeSpotPriceHistory
• DescribeStaleSecurityGroups
• DescribeSubnets
• DescribeTags
• DescribeVolumeAttribute
• DescribeVolumes
• DescribeVolumeStatus
• DescribeVpcAttribute
• DescribeVpcClassicLink
• DescribeVpcClassicLinkDnsSupport
• DescribeVpcEndpoints
• DescribeVpcEndpointServices
• DescribeVpcPeeringConnections
• DescribeVpcs
• DescribeVpnConnections
• DescribeVpnGateways
• DetachClassicLinkVpc
• DetachInternetGateway
• DetachNetworkInterface
• DetachVolume
• DetachVpnGateway
• DisableVgwRoutePropagation
• DisableVpcClassicLink
• DisableVpcClassicLinkDnsSupport
• DisassociateAddress
• DisassociateRouteTable
• EnableVgwRoutePropagation
• EnableVolumeIO
• EnableVpcClassicLink
• EnableVpcClassicLinkDnsSupport
• GetConsoleOutput
• GetConsoleScreenshot
• GetPasswordData
• ImportImage
• ImportInstance
• ImportKeyPair
• ImportSnapshot
• ImportVolume
• ModifyHosts
• ModifyIdFormat
• ModifyImageAttribute
• ModifyInstanceAttribute
• ModifyInstancePlacement
• ModifyNetworkInterfaceAttribute
• ModifyReservedInstances
• ModifySnapshotAttribute
• ModifySpotFleetRequest
• ModifySubnetAttribute
• ModifyVolumeAttribute
• ModifyVpcAttribute
• ModifyVpcEndpoint
• ModifyVpcPeeringConnectionOptions
• MonitorInstances
• MoveAddressToVpc
• PurchaseReservedInstancesOffering
• PurchaseScheduledInstances
• RebootInstances
• RegisterImage
• RejectVpcPeeringConnection
• ReleaseAddress
• ReleaseHosts
• ReplaceNetworkAclAssociation
• ReplaceNetworkAclEntry
• ReplaceRoute
• ReplaceRouteTableAssociation
• ReportInstanceStatus
• RequestSpotFleet
• RequestSpotInstances
• ResetImageAttribute
• ResetInstanceAttribute
• ResetNetworkInterfaceAttribute
• ResetSnapshotAttribute
• RestoreAddressToClassic
• RevokeSecurityGroupEgress
• RevokeSecurityGroupIngress
• RunInstances
• RunScheduledInstances
• StartInstances
• StopInstances
• TerminateInstances
• UnassignPrivateIpAddresses
• UnmonitorInstances

EC2 Container Service (ECS)

ecs:

• CreateCluster
• CreateService
• DeleteCluster
• DeleteService
• DeregisterContainerInstance
• DeregisterTaskDefinition
• DescribeClusters
• DescribeContainerInstances
• DescribeServices
• DescribeTaskDefinition
• DescribeTasks
• DiscoverPollEndpoint
• ListClusters
• ListContainerInstances
• ListServices
• ListTaskDefinitionFamilies
• ListTaskDefinitions
• ListTasks
• RegisterContainerInstance
• RegisterTaskDefinition
• RunTask
• StartTask
• StopTask
• SubmitContainerStateChange
• SubmitTaskStateChange
• UpdateContainerAgent
• UpdateService

Elastic File System (EFS)

elasticfilesystem:

• CreateFileSystem
• CreateMountTarget
• Dependencies
• ec2:DescribeSubnets
• ec2:DescribeNetworkInterfaces
• ec2:CreateNetworkInterface
• CreateTags
• DeleteFileSystem
• Dependencies
• ec2:DeleteNetworkInterface
• DeleteMountTarget
• DeleteTags
• DescribeFileSystems
• DescribeMountTargetSecurityGroups
• Dependencies
• ec2:DescribeNetworkInterfaceAttribute
• DescribeMountTargets
• DescribeTags
• ModifyMountTargetSecurityGroups
• Dependencies
• ec2:ModifyNetworkInterfaceAttribute

Elastic Load Balancer (ELB)##

elasticloadbalancing:

• AddTags
• ApplySecurityGroupsToLoadBalancer
• AttachLoadBalancerToSubnets
• ConfigureHealthCheck
• CreateAppCookieStickinessPolicy
• CreateLBCookieStickinessPolicy
• CreateLoadBalancer
• CreateLoadBalancerListeners
• CreateLoadBalancerPolicy
• DeleteLoadBalancer
• DeleteLoadBalancerListeners
• DeleteLoadBalancerPolicy
• DeregisterInstancesFromLoadBalancer
• DescribeInstanceHealth
• DescribeLoadBalancerAttributes
• DescribeLoadBalancerPolicies
• DescribeLoadBalancerPolicyTypes
• DescribeLoadBalancers
• DescribeTags
• DetachLoadBalancerFromSubnets
• DisableAvailabilityZonesForLoadBalancer
• EnableAvailabilityZonesForLoadBalancer
• ModifyLoadBalancerAttributes
• RegisterInstancesWithLoadBalancer
• RemoveTags
• SetLoadBalancerListenerSSLCertificate
• SetLoadBalancerPoliciesForBackendServer
• SetLoadBalancerPoliciesOfListener

Elastic MapReduce (EMR)

elasticmapreduce:

• AddInstanceGroups
• AddJobFlowSteps
• AddTags
• DescribeCluster
• DescribeJobFlows
• DescribeStep
• ListBootstrapActions
• ListClusters
• ListInstanceGroups
• ListInstances
• ListSteps
• ModifyInstanceGroups
• RemoveTags
• RunJobFlow
• SetTerminationProtection
• SetVisibleToAllUsers
• TerminateJobFlows

Identity and Access Management (IAM)

iam:

• AddClientIDToOpenIDConnectProvider
• AddRoleToInstanceProfile
• AddUserToGroup
• AttachGroupPolicy
• AttachRolePolicy
• AttachUserPolicy
• ChangePassword
• CreateAccessKey
• CreateAccountAlias
• CreateGroup
• CreateInstanceProfile
• CreateLoginProfile
• CreateOpenIDConnectProvider
• CreatePolicy
• CreatePolicyVersion
• CreateRole
• CreateSAMLProvider
• CreateUser
• CreateVirtualMFADevice
• DeactivateMFADevice
• DeleteAccessKey
• DeleteAccountAlias
• DeleteAccountPasswordPolicy
• DeleteGroup
• DeleteGroupPolicy
• DeleteInstanceProfile
• DeleteLoginProfile
• DeleteOpenIDConnectProvider
• DeletePolicy
• DeletePolicyVersion
• DeleteRole
• DeleteRolePolicy
• DeleteSAMLProvider
• DeleteServerCertificate
• DeleteSigningCertificate
• DeleteSSHPublicKey
• DeleteUser
• DeleteUserPolicy
• DeleteVirtualMFADevice
• DetachGroupPolicy
• DetachRolePolicy
• DetachUserPolicy
• EnableMFADevice
• GenerateCredentialReport
• GetAccessKeyLastUsed
• GetAccountAuthorizationDetails
• GetAccountPasswordPolicy
• GetAccountSummary
• GetContextKeysForCustomPolicy
• GetContextKeysForPrincipalPolicy
• GetCredentialReport
• GetGroup
• GetGroupPolicy
• GetInstanceProfile
• GetLoginProfile
• GetOpenIDConnectProvider
• GetPolicy
• GetPolicyVersion
• GetRole
• GetRolePolicy
• GetSAMLProvider
• GetServerCertificate
• GetSSHPublicKey
• GetUser
• GetUserPolicy
• ListAccessKeys
• ListAccountAliases
• ListAttachedGroupPolicies
• ListAttachedRolePolicies
• ListAttachedUserPolicies
• ListEntitiesForPolicy
• ListGroupPolicies
• ListGroups
• ListGroupsForUser
• ListInstanceProfiles
• ListInstanceProfilesForRole
• ListMFADevices
• ListOpenIDConnectProviders
• ListPolicies
• ListPolicyVersions
• ListRolePolicies
• ListRoles
• ListSAMLProviders
• ListServerCertificates
• ListSigningCertificates
• ListSSHPublicKeys
• ListUserPolicies
• ListUsers
• ListVirtualMFADevices
• PutGroupPolicy
• PutRolePolicy
• PutUserPolicy
• RemoveClientIDFromOpenIDConnectProvider
• RemoveRoleFromInstanceProfile
• RemoveUserFromGroup
• ResyncMFADevice
• SetDefaultPolicyVersion
• SimulateCustomPolicy
• SimulatePrincipalPolicy
• UpdateAccessKey
• UpdateAccountPasswordPolicy
• UpdateAssumeRolePolicy
• UpdateGroup
• UpdateLoginProfile
• UpdateOpenIDConnectProviderThumbprint
• UpdateSAMLProvider
• UpdateServerCertificate
• UpdateSigningCertificate
• UpdateSSHPublicKey
• UpdateUser
• UploadServerCertificate
• UploadSigningCertificate
• UploadSSHPublicKey

Kinesis##

kinesis:

• AddTagsToStream
• CreateStream
• DecreaseStreamRetentionPeriod
• DeleteStream
• DescribeStream
• DisableEnhancedMonitoring
• EnableEnhancedMonitoring
• GetRecords
• GetShardIterator
• IncreaseStreamRetentionPeriod
• ListStreams
• ListTagsForStream
• MergeShards
• PutRecord
• PutRecords
• RemoveTagsFromStream
• SplitShard

Key Management Service (KMS)

kms:

• CancelKeyDeletion
• CreateAlias
• CreateGrant
• CreateKey
• Decrypt
• DeleteAlias
• DescribeKey
• DisableKey
• DisableKeyRotation
• EnableKey
• EnableKeyRotation
• Encrypt
• GenerateDataKey
• GenerateDataKeyWithoutPlaintext
• GenerateRandom
• GetKeyPolicy
• GetKeyRotationStatus
• ListAliases
• ListGrants
• ListKeyPolicies
• ListKeys
• ListRetirableGrants
• PutKeyPolicy
• ReEncrypt
• RetireGrant
• RevokeGrant
• ScheduleKeyDeletion
• UpdateAlias
• UpdateKeyDescription

Lambda

lambda:

• AddPermission
• CreateAlias
• CreateEventSourceMapping
• CreateFunction
• DeleteAlias
• DeleteEventSourceMapping
• DeleteFunction
• GetAlias
• GetEventSourceMapping
• GetFunction
• GetFunctionConfiguration
• GetPolicy
• Invoke
• InvokeAsync
• ListAliases
• ListEventSourceMappings
• ListFunctions
• ListVersionsByFunction
• PublishVersion
• RemovePermission
• UpdateAlias
• UpdateEventSourceMapping
• UpdateFunctionCode
• UpdateFunctionConfiguration

[OpsWorks](AWS OpsWorks)

opsworks:

• AssignInstance
• AssignVolume
• AssociateElasticIp
• AttachElasticLoadBalancer
• CloneStack
• CreateApp
• CreateDeployment
• CreateInstance
• CreateLayer
• CreateStack
• CreateUserProfile
• DeleteApp
• DeleteInstance
• DeleteLayer
• DeleteStack
• DeleteUserProfile
• DeregisterEcsCluster
• DeregisterElasticIp
• DeregisterInstance
• DeregisterRdsDbInstance
• DeregisterVolume
• DescribeAgentVersions
• DescribeApps
• DescribeCommands
• DescribeDeployments
• DescribeEcsClusters
• DescribeElasticIps
• DescribeElasticLoadBalancers
• DescribeInstances
• DescribeLayers
• DescribeLoadBasedAutoScaling
• DescribeMyUserProfile
• DescribePermissions
• DescribeRaidArrays
• DescribeRdsDbInstances
• DescribeServiceErrors
• DescribeStackProvisioningParameters
• DescribeStacks
• DescribeStackSummary
• DescribeTimeBasedAutoScaling
• DescribeUserProfiles
• DescribeVolumes
• DetachElasticLoadBalancer
• DisassociateElasticIp
• GetHostnameSuggestion
• GrantAccess
• RebootInstance
• RegisterEcsCluster
• RegisterElasticIp
• RegisterInstance
• RegisterRdsDbInstance
• RegisterVolume
• SetLoadBasedAutoScaling
• SetPermission
• SetTimeBasedAutoScaling
• StartInstance
• StartStack
• StopInstance
• StopStack
• UnassignInstance
• UnassignVolume
• UpdateApp
• UpdateElasticIp
• UpdateInstance
• UpdateLayer
• UpdateMyUserProfile
• UpdateRdsDbInstance
• UpdateStack
• UpdateUserProfile
• UpdateVolume

Relational Database Service (RDS)

rds:

• AddSourceIdentifierToSubscription
• AddTagsToResource
• ApplyPendingMaintenanceAction
• AuthorizeDBSecurityGroupIngress
• CopyDBClusterSnapshot
• CopyDBParameterGroup
• CopyDBSnapshot
• CopyOptionGroup
• CreateDBCluster
• CreateDBClusterParameterGroup
• CreateDBClusterSnapshot
• CreateDBInstance
• CreateDBInstanceReadReplica
• CreateDBParameterGroup
• CreateDBSecurityGroup
• CreateDBSnapshot
• CreateDBSubnetGroup
• CreateEventSubscription
• CreateOptionGroup
• DeleteDBCluster
• DeleteDBClusterParameterGroup
• DeleteDBClusterSnapshot
• DeleteDBInstance
• DeleteDBParameterGroup
• DeleteDBSecurityGroup
• DeleteDBSnapshot
• DeleteDBSubnetGroup
• DeleteEventSubscription
• DeleteOptionGroup
• DescribeAccountAttributes
• DescribeCertificates
• DescribeDBClusterParameterGroups
• DescribeDBClusterParameters
• DescribeDBClusters
• DescribeDBClusterSnapshotAttributes
• DescribeDBClusterSnapshots
• DescribeDBEngineVersions
• DescribeDBInstances
• DescribeDBLogFiles
• DescribeDBParameterGroups
• DescribeDBParameters
• DescribeDBSecurityGroups
• DescribeDBSnapshotAttributes
• DescribeDBSnapshots
• DescribeDBSubnetGroups
• DescribeEngineDefaultClusterParameters
• DescribeEngineDefaultParameters
• DescribeEventCategories
• DescribeEvents
• DescribeEventSubscriptions
• DescribeOptionGroupOptions
• DescribeOptionGroups
• DescribeOrderableDBInstanceOptions
• DescribePendingMaintenanceActions
• DescribeReservedDBInstances
• DescribeReservedDBInstancesOfferings
• DownloadDBLogFilePortion
• FailoverDBCluster
• ListTagsForResource
• ModifyDBCluster
• ModifyDBClusterParameterGroup
• ModifyDBClusterSnapshotAttribute
• ModifyDBInstance
• ModifyDBParameterGroup
• ModifyDBSnapshotAttribute
• ModifyDBSubnetGroup
• ModifyEventSubscription
• ModifyOptionGroup
• PromoteReadReplica
• PromoteReadReplicaDBCluster
• PurchaseReservedDBInstancesOffering
• RebootDBInstance
• RemoveSourceIdentifierFromSubscription
• RemoveTagsFromResource
• ResetDBClusterParameterGroup
• ResetDBParameterGroup
• RestoreDBClusterFromSnapshot
• RestoreDBClusterToPointInTime
• RestoreDBInstanceFromDBSnapshot
• RestoreDBInstanceToPointInTime
• RevokeDBSecurityGroupIngress

Redshift

redshift:

• AuthorizeClusterSecurityGroupIngress
• AuthorizeSnapshotAccess
• CancelQuerySession
• CopyClusterSnapshot
• CreateCluster
• CreateClusterParameterGroup
• CreateClusterSecurityGroup
• CreateClusterSnapshot
• CreateClusterSubnetGroup
• CreateEventSubscription
• CreateHsmClientCertificate
• CreateHsmConfiguration
• CreateTags
• DeleteCluster
• DeleteClusterParameterGroup
• DeleteClusterSecurityGroup
• DeleteClusterSnapshot
• DeleteClusterSubnetGroup
• DeleteEventSubscription
• DeleteHsmClientCertificate
• DeleteHsmConfiguration
• DeleteTags
• DescribeClusterParameterGroups
• DescribeClusterParameters
• DescribeClusterSecurityGroups
• DescribeClusterSnapshots
• DescribeClusterSubnetGroups
• DescribeClusterVersions
• DescribeClusters
• DescribeDefaultClusterParameters
• DescribeEventCategories
• DescribeEventSubscriptions
• DescribeEvents
• DescribeHsmClientCertificates
• DescribeHsmConfigurations
• DescribeLoggingStatus
• DescribeOrderableClusterOptions
• DescribeReservedNodeOfferings
• DescribeReservedNodes
• DescribeResize
• DescribeTags
• DisableLogging
• DisableSnapshotCopy
• EnableLogging
• EnableSnapshotCopy
• ModifyCluster
• ModifyClusterParameterGroup
• ModifyClusterSubnetGroup
• ModifyEventSubscription
• ModifySnapshotCopyRetentionPeriod
• PurchaseReservedNodeOffering
• RebootCluster
• ResetClusterParameterGroup
• RestoreFromClusterSnapshot
• RevokeClusterSecurityGroupIngress
• RevokeSnapshotAccess
• RotateEncryptionKey
• ViewQueriesInConsole

Route 53

route53:

• AssociateVPCWithHostedZone
• ChangeResourceRecordSets
• ChangeTagsForResource
• CreateHealthCheck
• CreateHostedZone
• CreateReusableDelegationSet
• CreateTrafficPolicy
• CreateTrafficPolicyInstance
• CreateTrafficPolicyVersion
• DeleteHealthCheck
• DeleteHostedZone
• DeleteReusableDelegationSet
• DeleteTrafficPolicy
• DeleteTrafficPolicyInstance
• DisableDomainAutoRenew
• DisassociateVPCFromHostedZone
• EnableDomainAutoRenew
• GetChange
• GetCheckerIpRanges
• GetGeoLocation
• GetHealthCheck
• GetHealthCheckCount
• GetHealthCheckLastFailureReason
• GetHealthCheckStatus
• GetHostedZone
• GetHostedZoneCount
• GetReusableDelegationSet
• GetTrafficPolicy
• GetTrafficPolicyInstance
• GetTrafficPolicyInstanceCount
• ListGeoLocations
• ListHealthChecks
• ListHostedZones
• ListHostedZonesByName
• ListResourceRecordSets
• ListReusableDelegationSets
• ListTagsForResource
• ListTagsForResources
• ListTrafficPolicies
• ListTrafficPolicyInstances
• ListTrafficPolicyInstancesByHostedZone
• ListTrafficPolicyInstancesByPolicy
• route53:ListTrafficPolicyVersions
• route53:UpdateHealthCheck
• route53:UpdateHostedZoneComment
• route53:UpdateTrafficPolicyComment
• route53:UpdateTrafficPolicyInstance

Route53 Domains

route53domains:

• CheckDomainAvailability
• DeleteDomain
• DeleteTagsForDomain
• DisableDomainTransferLock
• EnableDomainTransferLock
• GetDomainDetail
• GetOperationDetail
• ListDomains
• ListOperations
• ListTagsForDomain
• RegisterDomain
• RetrieveDomainAuthCode
• TransferDomain
• UpdateDomainContact
• UpdateDomainContactPrivacy
• UpdateDomainNameservers
• UpdateTagsForDomain

S3

s3:

• AbortMultipartUpload
• CreateBucket
• DeleteBucket
• DeleteBucketPolicy
• DeleteBucketWebsite
• DeleteObject
• GetAccelerateConfiguration
• GetBucketAcl
• GetBucketCORS
• GetBucketLocation
• GetBucketLogging
• GetBucketNotification
• GetBucketPolicy
• GetBucketRequestPayment
• GetBucketTagging
• GetBucketVersioning
• GetBucketWebsite
• GetLifecycleConfiguration
• GetObject
• GetObjectAcl
• GetObjectTorrent
• GetObjectVersionAcl
• GetReplicationConfiguration
• ListAllMyBuckets
• ListBucket
• ListBucketMultipartUploads
• ListBucketVersions
• ListMultipartUploadParts
• PutAccelerateConfiguration
• PutBucketAcl
• PutBucketCORS
• PutBucketLogging
• PutBucketNotification
• PutBucketPolicy
• PutBucketRequestPayment
• PutBucketTagging
• PutBucketVersioning
• PutBucketWebsite
• PutLifecycleConfiguration
• PutObject
• PutObjectAcl
• PutObjectVersionAcl
• RestoreObject

Security Token Service (STS)

sts:

• AssumeRole
• AssumeRoleWithSAML
• AssumeRoleWithWebIdentity
• DecodeAuthorizationMessage
• GetCallerIdentity
• GetFederationToken
• GetSessionToken

Simple Email Service (SES)

ses:

• CloneReceiptRuleSet
• CreateReceiptFilter
• CreateReceiptRule
• CreateReceiptRuleSet
• DeleteIdentity
• DeleteIdentityPolicy
• DeleteReceiptFilter
• DeleteReceiptRule
• DeleteReceiptRuleSet
• DeleteVerifiedEmailAddress
• DescribeActiveReceiptRuleSet
• DescribeReceiptRule
• DescribeReceiptRuleSet
• GetIdentityDkimAttributes
• GetIdentityMailFromDomainAttributes
• GetIdentityNotificationAttributes
• GetIdentityPolicies
• GetIdentityVerificationAttributes
• GetSendQuota
• GetSendStatistics
• ListIdentities
• ListIdentityPolicies
• ListReceiptFilters
• ListReceiptRuleSets
• ListVerifiedEmailAddresses
• PutIdentityPolicy
• ReorderReceiptRuleSet
• SendBounce
• SendEmail
• SendRawEmail
• SetActiveReceiptRuleSet
• SetIdentityDkimEnabled
• SetIdentityFeedbackForwardingEnabled
• SetIdentityHeadersInNotificationsEnabled
• SetIdentityMailFromDomain
• SetIdentityNotificationTopic
• SetReceiptRulePosition
• UpdateReceiptRule
• VerifyDomainDkim
• VerifyDomainIdentity
• VerifyEmailAddress
• VerifyEmailIdentity

Simple Notification Service (SNS)

• AddPermission
• CheckIfPhoneNumberIsOptedOut
• ConfirmSubscription
• CreatePlatformApplication
• CreatePlatformEndpoint
• CreateTopic
• DeleteEndpoint
• DeletePlatformApplication
• DeleteTopic
• GetEndpointAttributes
• GetPlatformApplicationAttributes
• GetSMSAttributes
• GetSubscriptionAttributes
• GetTopicAttributes
• ListEndpointsByPlatformApplication
• ListPhoneNumbersOptedOut
• ListPlatformApplications
• ListSubscriptions
• ListSubscriptionsByTopic
• ListTopics
• OptInPhoneNumber
• Publish
• RemovePermission
• SetEndpointAttributes
• SetPlatformApplicationAttributes
• SetSMSAttributes
• SetSubscriptionAttributes
• SetTopicAttributes
• Subscribe
• Unsubscribe

Simple Queue Service (SQS)

sqs:

• AddPermission
• ChangeMessageVisibility
• ChangeMessageVisibilityBatch
• CreateQueue
• DeleteMessage
• DeleteMessageBatch
• DeleteQueue
• GetQueueAttributes
• GetQueueUrl
• ListDeadLetterSourceQueues
• ListQueues
• PurgeQueue
• ReceiveMessage
• RemovePermission
• SendMessage
• SendMessageBatch
• SetQueueAttributes

Support##

support:

• AddAttachmentsToSet
• AddCommunicationToCase
• CreateCase
• DescribeAttachment
• DescribeCases
• DescribeCommunications
• DescribeServices
• DescribeSeverityLevels
• DescribeTrustedAdvisorCheckRefreshStatuses
• DescribeTrustedAdvisorCheckResult
• DescribeTrustedAdvisorChecks
• DescribeTrustedAdvisorCheckSummaries
• RefreshTrustedAdvisorCheck
• ResolveCase

Trusted Advisor

trustedadvisor:

• DescribeCheckSummaries
• DescribeCheckItems
• RefreshCheck
• DescribeCheckRefreshStatuses
• ExcludeCheckItems
• IncludeCheckItems
• DescribeNotificationPreferences
• UpdateNotificationPreferences

@mechcozmo Found a few missing: s3:PutEncryptionConfiguration and s3:GetEncryptionConfiguration - https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources

looks like a line with sns: went missing in one of the updates...
https://gist.github.com/dbethke/9ab7c49f884300e960f261e17256a699

Hey @mechcozmo, this reference page is very useful, thanks.
I found a sns permission missing:
SNS:ListTagsForResource -> https://docs.aws.amazon.com/sns/latest/api/API_ListTagsForResource.html

codestar:*
https://docs.aws.amazon.com/codestar/latest/userguide/security_iam_id-based-policy-examples.html

cloudfront:

AssociateAlias
CreateCachePolicy
CreateCloudFrontOriginAccessIdentity
CreateDistribution
CreateDistributionWithTags
CreateFieldLevelEncryptionConfig
CreateFieldLevelEncryptionProfile
CreateFunction
CreateInvalidation
CreateKeyGroup
CreateMonitoringSubscription
CreateOriginRequestPolicy
CreatePublicKey
CreateRealtimeLogConfig
CreateResponseHeadersPolicy
CreateStreamingDistribution
CreateStreamingDistributionWithTags
DeleteCachePolicy
DeleteCloudFrontOriginAccessIdentity
DeleteDistribution
DeleteFieldLevelEncryptionConfig
DeleteFieldLevelEncryptionProfile
DeleteFunction
DeleteKeyGroup
DeleteMonitoringSubscription
DeleteOriginRequestPolicy
DeletePublicKey
DeleteRealtimeLogConfig
DeleteResponseHeadersPolicy
DeleteStreamingDistribution
DescribeFunction
GetCachePolicy
GetCachePolicyConfig
GetCloudFrontOriginAccessIdentity
GetCloudFrontOriginAccessIdentityConfig
GetDistribution
GetDistributionConfig
GetFieldLevelEncryption
GetFieldLevelEncryptionConfig
GetFieldLevelEncryptionProfile
GetFieldLevelEncryptionProfileConfig
GetFunction
GetInvalidation
GetKeyGroup
GetKeyGroupConfig
GetMonitoringSubscription
GetOriginRequestPolicy
GetOriginRequestPolicyConfig
GetPublicKey
GetPublicKeyConfig
GetRealtimeLogConfig
GetResponseHeadersPolicy
GetResponseHeadersPolicyConfig
GetStreamingDistribution
GetStreamingDistributionConfig
ListCachePolicies
ListCloudFrontOriginAccessIdentities
ListConflictingAliases
ListDistributions
ListDistributionsByCachePolicyId
ListDistributionsByKeyGroup
ListDistributionsByOriginRequestPolicyId
ListDistributionsByRealtimeLogConfig
ListDistributionsByResponseHeadersPolicyId
ListDistributionsByWebACLId
ListFieldLevelEncryptionConfigs
ListFieldLevelEncryptionProfiles
ListFunctions
ListInvalidations
ListKeyGroups
ListOriginRequestPolicies
ListPublicKeys
ListRealtimeLogConfigs
ListResponseHeadersPolicies
ListStreamingDistributions
ListTagsForResource
PublishFunction
TagResource
TestFunction
UntagResource
UpdateCachePolicy
UpdateCloudFrontOriginAccessIdentity
UpdateDistribution
UpdateFieldLevelEncryptionConfig
UpdateFieldLevelEncryptionProfile
UpdateFunction
UpdateKeyGroup
UpdateOriginRequestPolicy
UpdatePublicKey
UpdateRealtimeLogConfig
UpdateResponseHeadersPolicy
UpdateStreamingDistribution

Discovered some additional permissions for IAM:
iam:
ListRoleTags
TagRole
UntagRole
ListUserTags
TagUser
UntagUser