Service: AWS Identity and Access Management (IAM)
Short Name:
iam
ARN Format:
arn:aws:iam::${Account}:${ResourceType}/${ResourceName}
ARN Regex:
^arn:aws:iam::.+
PowerUserAccess
…
SystemAdministrator

Action | Access | Reference | Description |
---|---|---|---|
iam:GetAccountSummary | | Docs | Grants permission to retrieve information about IAM entity usage and IAM quotas in the AWS account |
iam:GetLoginProfile | | Docs | Grants permission to retrieve the user name and password creation date for the specified IAM user |
iam:ListAccessKeys | | Docs | Grants permission to list information about the access key IDs that are associated with the specified IAM user |
iam:ListAccountAliases | | Docs | Grants permission to list the account alias that is associated with the AWS account |
iam:ListAttachedGroupPolicies | | Docs | Grants permission to list all managed policies that are attached to the specified IAM group |
iam:ListAttachedRolePolicies | | Docs | Grants permission to list all managed policies that are attached to the specified IAM role |
iam:ListAttachedUserPolicies | | Docs | Grants permission to list all managed policies that are attached to the specified IAM user |
iam:ListCloudFrontPublicKeys | | Docs | Grants permission to list all current CloudFront public keys for the account |
iam:ListEntitiesForPolicy | | Docs | Grants permission to list all IAM identities to which the specified managed policy is attached |
iam:ListGroupPolicies | | Docs | Grants permission to list the names of the inline policies that are embedded in the specified IAM group |
iam:ListGroups | | Docs | Grants permission to list the IAM groups that have the specified path prefix |
iam:ListGroupsForUser | | Docs | Grants permission to list the IAM groups that the specified IAM user belongs to |
iam:ListInstanceProfiles | | Docs | Grants permission to list the instance profiles that have the specified path prefix |
iam:ListInstanceProfilesForRole | | Docs | Grants permission to list the instance profiles that have the specified associated IAM role |
iam:ListInstanceProfileTags | | Docs | Grants permission to list the tags that are attached to the specified instance profile |
iam:ListMFADevices | | Docs | Grants permission to list the MFA devices for an IAM user |
iam:ListMFADeviceTags | | Docs | Grants permission to list the tags that are attached to the specified virtual MFA device |
iam:ListOpenIDConnectProviders | | Docs | Grants permission to list information about the IAM OpenID Connect (OIDC) provider resource objects that are defined in the AWS account |
iam:ListOpenIDConnectProviderTags | | Docs | Grants permission to list the tags that are attached to the specified OpenID Connect provider |
iam:ListPolicies | | Docs | Grants permission to list all managed policies |
iam:ListPoliciesGrantingServiceAccess | | Docs | Grants permission to list information about the policies that grant an entity access to a specific service |
iam:ListPolicyTags | | Docs | Grants permission to list the tags that are attached to the specified managed policy |
iam:ListPolicyVersions | | Docs | Grants permission to list information about the versions of the specified managed policy, including the version that is currently set as the policy's default version |
iam:ListRolePolicies | | Docs | Grants permission to list the names of the inline policies that are embedded in the specified IAM role |
iam:ListRoles | | Docs | Grants permission to list the IAM roles that have the specified path prefix |
iam:ListRoleTags | | Docs | Grants permission to list the tags that are attached to the specified IAM role |
iam:ListSAMLProviders | | Docs | Grants permission to list the SAML provider resources in IAM |
iam:ListSAMLProviderTags | | Docs | Grants permission to list the tags that are attached to the specified SAML provider |
iam:ListServerCertificates | | Docs | Grants permission to list the server certificates that have the specified path prefix |
iam:ListServerCertificateTags | | Docs | Grants permission to list the tags that are attached to the specified server certificate |
iam:ListServiceSpecificCredentials | | Docs | Grants permission to list the service-specific credentials that are associated with the specified IAM user |
iam:ListSigningCertificates | | Docs | Grants permission to list information about the signing certificates that are associated with the specified IAM user |
iam:ListSSHPublicKeys | | Docs | Grants permission to list information about the SSH public keys that are associated with the specified IAM user |
iam:ListSTSRegionalEndpointsStatus | | Docs | Grants permission to list the status of all active STS regional endpoints |
iam:ListUserPolicies | | Docs | Grants permission to list the names of the inline policies that are embedded in the specified IAM user |
iam:ListUsers | | Docs | Grants permission to list the IAM users that have the specified path prefix |
iam:ListUserTags | | Docs | Grants permission to list the tags that are attached to the specified IAM user |
iam:ListVirtualMFADevices | | Docs | Grants permission to list virtual MFA devices by assignment status |
iam:AttachGroupPolicy | | Docs | Grants permission to attach a managed policy to the specified IAM group |
iam:AttachRolePolicy | | Docs | Grants permission to attach a managed policy to the specified IAM role |
iam:AttachUserPolicy | | Docs | Grants permission to attach a managed policy to the specified IAM user |
iam:CreatePolicy | | Docs | Grants permission to create a new managed policy |
iam:CreatePolicyVersion | | Docs | Grants permission to create a new version of the specified managed policy |
iam:DeleteAccountPasswordPolicy | | Docs | Grants permission to delete the password policy for the AWS account |
iam:DeleteGroupPolicy | | Docs | Grants permission to delete the specified inline policy from its group |
iam:DeletePolicy | | Docs | Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached |
iam:DeletePolicyVersion | | Docs | Grants permission to delete a version from the specified managed policy |
iam:DeleteRolePermissionsBoundary | | Docs | Grants permission to remove the permissions boundary from a role |
iam:DeleteRolePolicy | | Docs | Grants permission to delete the specified inline policy from the specified role |
iam:DeleteUserPermissionsBoundary | | Docs | Grants permission to remove the permissions boundary from the specified IAM user |
iam:DeleteUserPolicy | | Docs | Grants permission to delete the specified inline policy from an IAM user |
iam:DetachGroupPolicy | | Docs | Grants permission to detach a managed policy from the specified IAM group |
iam:DetachRolePolicy | | Docs | Grants permission to detach a managed policy from the specified role |
iam:DetachUserPolicy | | Docs | Grants permission to detach a managed policy from the specified IAM user |
iam:PutGroupPolicy | | Docs | Grants permission to create or update an inline policy document that is embedded in the specified IAM group |
iam:PutRolePermissionsBoundary | | Docs | Grants permission to set a managed policy as a permissions boundary for a role |
iam:PutRolePolicy | | Docs | Grants permission to create or update an inline policy document that is embedded in the specified IAM role |
iam:PutUserPermissionsBoundary | | Docs | Grants permission to set a managed policy as a permissions boundary for an IAM user |
iam:PutUserPolicy | | Docs | Grants permission to create or update an inline policy document that is embedded in the specified IAM user |
iam:SetDefaultPolicyVersion | | Docs | Grants permission to set the version of the specified policy as the policy's default version |
iam:UpdateAssumeRolePolicy | | Docs | Grants permission to update the policy that grants an IAM entity permission to assume a role |
iam:GenerateCredentialReport | | Docs | Grants permission to generate a credential report for the AWS account |
iam:GenerateOrganizationsAccessReport | | Docs | Grants permission to generate an access report for an AWS Organizations entity |
iam:GenerateServiceLastAccessedDetails | | Docs | Grants permission to generate a service last accessed data report for an IAM resource |
iam:GetAccessKeyLastUsed | | Docs | Grants permission to retrieve information about when the specified access key was last used |
iam:GetAccountAuthorizationDetails | | Docs | Grants permission to retrieve information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another |
iam:GetAccountEmailAddress | | Docs | Grants permission to retrieve the email address that is associated with the account |
iam:GetAccountName | | Docs | Grants permission to retrieve the account name that is associated with the account |
iam:GetAccountPasswordPolicy | | Docs | Grants permission to retrieve the password policy for the AWS account |
iam:GetCloudFrontPublicKey | | Docs | Grants permission to retrieve information about the specified CloudFront public key |
iam:GetContextKeysForCustomPolicy | | Docs | Grants permission to retrieve a list of all of the context keys that are referenced in the specified policy |
iam:GetContextKeysForPrincipalPolicy | | Docs | Grants permission to retrieve a list of all context keys that are referenced in all IAM policies that are attached to the specified IAM identity (user, group, or role) |
iam:GetCredentialReport | | Docs | Grants permission to retrieve a credential report for the AWS account |
iam:GetGroup | | Docs | Grants permission to retrieve a list of IAM users in the specified IAM group |
iam:GetGroupPolicy | | Docs | Grants permission to retrieve an inline policy document that is embedded in the specified IAM group |
iam:GetInstanceProfile | | Docs | Grants permission to retrieve information about the specified instance profile, including the instance profile's path, GUID, ARN, and role |
iam:GetMFADevice | | Docs | Grants permission to retrieve information about an MFA device for the specified user |
iam:GetOpenIDConnectProvider | | Docs | Grants permission to retrieve information about the specified OpenID Connect (OIDC) provider resource in IAM |
iam:GetOrganizationsAccessReport | | Docs | Grants permission to retrieve an AWS Organizations access report |
iam:GetPolicy | | Docs | Grants permission to retrieve information about the specified managed policy, including the policy's default version and the total number of identities to which the policy is attached |
iam:GetPolicyVersion | | Docs | Grants permission to retrieve information about a version of the specified managed policy, including the policy document |
iam:GetRole | | Docs | Grants permission to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy |
iam:GetRolePolicy | | Docs | Grants permission to retrieve an inline policy document that is embedded in the specified IAM role |
iam:GetSAMLProvider | | Docs | Grants permission to retrieve the SAML provider metadocument that was uploaded when the IAM SAML provider resource was created or updated |
iam:GetServerCertificate | | Docs | Grants permission to retrieve information about the specified server certificate stored in IAM |
iam:GetServiceLastAccessedDetails | | Docs | Grants permission to retrieve information about the service last accessed data report |
iam:GetServiceLastAccessedDetailsWithEntities | | Docs | Grants permission to retrieve information about the entities from the service last accessed data report |
iam:GetServiceLinkedRoleDeletionStatus | | Docs | Grants permission to retrieve an IAM service-linked role deletion status |
iam:GetSSHPublicKey | | Docs | Grants permission to retrieve the specified SSH public key, including metadata about the key |
iam:GetUser | | Docs | Grants permission to retrieve information about the specified IAM user, including the user's creation date, path, unique ID, and ARN |
iam:GetUserPolicy | | Docs | Grants permission to retrieve an inline policy document that is embedded in the specified IAM user |
iam:SimulateCustomPolicy | | Docs | Grants permission to simulate whether an identity-based policy or resource-based policy provides permissions for specific API operations and resources |
iam:SimulatePrincipalPolicy | | Docs | Grants permission to simulate whether an identity-based policy that is attached to a specified IAM entity (user or role) provides permissions for specific API operations and resources |
iam:TagInstanceProfile | | Docs | Grants permission to add tags to an instance profile |
iam:TagMFADevice | | Docs | Grants permission to add tags to a virtual MFA device |
iam:TagOpenIDConnectProvider | | Docs | Grants permission to add tags to an OpenID Connect provider |
iam:TagPolicy | | Docs | Grants permission to add tags to a managed policy |
iam:TagRole | | Docs | Grants permission to add tags to an IAM role |
iam:TagSAMLProvider | | Docs | Grants permission to add tags to a SAML provider |
iam:TagServerCertificate | | Docs | Grants permission to add tags to a server certificate |
iam:TagUser | | Docs | Grants permission to add tags to an IAM user |
iam:UntagInstanceProfile | | Docs | Grants permission to remove the specified tags from the instance profile |
iam:UntagMFADevice | | Docs | Grants permission to remove the specified tags from the virtual MFA device |
iam:UntagOpenIDConnectProvider | | Docs | Grants permission to remove the specified tags from the OpenID Connect provider |
iam:UntagPolicy | | Docs | Grants permission to remove the specified tags from the managed policy |
iam:UntagRole | | Docs | Grants permission to remove the specified tags from the role |
iam:UntagSAMLProvider | | Docs | Grants permission to remove the specified tags from the SAML provider |
iam:UntagServerCertificate | | Docs | Grants permission to remove the specified tags from the server certificate |
iam:UntagUser | | Docs | Grants permission to remove the specified tags from the user |
iam:AddClientIDToOpenIDConnectProvider | | Docs | Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource |
iam:AddRoleToInstanceProfile | | Docs | Grants permission to add an IAM role to the specified instance profile |
iam:AddUserToGroup | | Docs | Grants permission to add an IAM user to the specified IAM group |
iam:ChangePassword | | Docs | Grants permission to an IAM user to change their own password |
iam:CreateAccessKey | | Docs | Grants permission to create an access key and secret access key for the specified IAM user |
iam:CreateAccountAlias | | Docs | Grants permission to create an alias for your AWS account |
iam:CreateGroup | | Docs | Grants permission to create a new group |
iam:CreateInstanceProfile | | Docs | Grants permission to create a new instance profile |
iam:CreateLoginProfile | | Docs | Grants permission to create a password for the specified IAM user |
iam:CreateOpenIDConnectProvider | | Docs | Grants permission to create an IAM resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC) |
iam:CreateRole | | Docs | Grants permission to create a new role |
iam:CreateSAMLProvider | | Docs | Grants permission to create an IAM resource that describes an identity provider (IdP) that supports SAML 2.0 |
iam:CreateServiceLinkedRole | | Docs | Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf |
iam:CreateServiceSpecificCredential | | Docs | Grants permission to create a new service-specific credential for an IAM user |
iam:CreateUser | | Docs | Grants permission to create a new IAM user |
iam:CreateVirtualMFADevice | | Docs | Grants permission to create a new virtual MFA device |
iam:DeactivateMFADevice | | Docs | Grants permission to deactivate the specified MFA device and remove its association with the IAM user for which it was originally enabled |
iam:DeleteAccessKey | | Docs | Grants permission to delete the access key pair that is associated with the specified IAM user |
iam:DeleteAccountAlias | | Docs | Grants permission to delete the specified AWS account alias |
iam:DeleteCloudFrontPublicKey | | Docs | Grants permission to delete an existing CloudFront public key |
iam:DeleteGroup | | Docs | Grants permission to delete the specified IAM group |
iam:DeleteInstanceProfile | | Docs | Grants permission to delete the specified instance profile |
iam:DeleteLoginProfile | | Docs | Grants permission to delete the password for the specified IAM user |
iam:DeleteOpenIDConnectProvider | | Docs | Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM |
iam:DeleteRole | | Docs | Grants permission to delete the specified role |
iam:DeleteSAMLProvider | | Docs | Grants permission to delete a SAML provider resource in IAM |
iam:DeleteServerCertificate | | Docs | Grants permission to delete the specified server certificate |
iam:DeleteServiceLinkedRole | | Docs | Grants permission to delete an IAM role that is linked to a specific AWS service, if the service is no longer using it |
iam:DeleteServiceSpecificCredential | | Docs | Grants permission to delete the specified service-specific credential for an IAM user |
iam:DeleteSigningCertificate | | Docs | Grants permission to delete a signing certificate that is associated with the specified IAM user |
iam:DeleteSSHPublicKey | | Docs | Grants permission to delete the specified SSH public key |
iam:DeleteUser | | Docs | Grants permission to delete the specified IAM user |
iam:DeleteVirtualMFADevice | | Docs | Grants permission to delete a virtual MFA device |
iam:EnableMFADevice | | Docs | Grants permission to enable an MFA device and associate it with the specified IAM user |
iam:PassRole | | Docs | Grants permission to pass a role to a service |
iam:RemoveClientIDFromOpenIDConnectProvider | | Docs | Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource |
iam:RemoveRoleFromInstanceProfile | | Docs | Grants permission to remove an IAM role from the specified EC2 instance profile |
iam:RemoveUserFromGroup | | Docs | Grants permission to remove an IAM user from the specified group |
iam:ResetServiceSpecificCredential | | Docs | Grants permission to reset the password for an existing service-specific credential for an IAM user |
iam:ResyncMFADevice | | Docs | Grants permission to synchronize the specified MFA device with its IAM entity (user or role) |
iam:SetSecurityTokenServicePreferences | | Docs | Grants permission to set the STS global endpoint token version |
iam:SetSTSRegionalEndpointStatus | | Docs | Grants permission to activate or deactivate an STS regional endpoint |
iam:UpdateAccessKey | | Docs | Grants permission to update the status of the specified access key as Active or Inactive |
iam:UpdateAccountEmailAddress | | Docs | Grants permission to update the email address that is associated with the account |
iam:UpdateAccountName | | Docs | Grants permission to update the account name that is associated with the account |
iam:UpdateAccountPasswordPolicy | | Docs | Grants permission to update the password policy settings for the AWS account |
iam:UpdateCloudFrontPublicKey | | Docs | Grants permission to update an existing CloudFront public key |
iam:UpdateGroup | | Docs | Grants permission to update the name or path of the specified IAM group |
iam:UpdateLoginProfile | | Docs | Grants permission to change the password for the specified IAM user |
iam:UpdateOpenIDConnectProviderThumbprint | | Docs | Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource |
iam:UpdateRole | | Docs | Grants permission to update the description or maximum session duration setting of a role |
iam:UpdateRoleDescription | | Docs | Grants permission to update only the description of a role |
iam:UpdateSAMLProvider | | Docs | Grants permission to update the metadata document for an existing SAML provider resource |
iam:UpdateServerCertificate | | Docs | Grants permission to update the name or the path of the specified server certificate stored in IAM |
iam:UpdateServiceSpecificCredential | | Docs | Grants permission to update the status of a service-specific credential to active or inactive for an IAM user |
iam:UpdateSigningCertificate | | Docs | Grants permission to update the status of the specified user signing certificate to active or disabled |
iam:UpdateSSHPublicKey | | Docs | Grants permission to update the status of an IAM user's SSH public key to active or inactive |
iam:UpdateUser | | Docs | Grants permission to update the name or the path of the specified IAM user |
iam:UploadCloudFrontPublicKey | | Docs | Grants permission to upload a CloudFront public key |
iam:UploadServerCertificate | | Docs | Grants permission to upload a server certificate entity for the AWS account |
iam:UploadSigningCertificate | | Docs | Grants permission to upload an X.509 signing certificate and associate it with the specified IAM user |
iam:UploadSSHPublicKey | | Docs | Grants permission to upload an SSH public key and associate it with the specified IAM user |

Condition Keys:
aws:RequestTag/${TagKey}
aws:ResourceTag/${TagKey}
aws:TagKeys
iam:AWSServiceName
iam:AssociatedResourceArn
iam:FIDO-FIPS-140-2-certification
iam:FIDO-FIPS-140-3-certification
iam:FIDO-certification
iam:OrganizationsPolicyId
iam:PassedToService
iam:PermissionsBoundary
iam:PolicyARN
iam:RegisterSecurityKey
iam:ResourceTag/${TagKey}