Amazon Web Services Adapter IAM Permissions

When using Amazon Web Services Adapter, the accounts used to connect to each Amazon Web Service require appropriate IAM permissions.
The IAM permissions required by each adapter are listed below.

Amazon DynamoDB Adapter

IAM permissions required for Amazon DynamoDB Adapter are as follows.

Global resource

Action name Remarks
dynamodb:ListTables
  • Required when performing [Connection test].

Operation

Get Item (Scan)

Action name Remarks
dynamodb:ListTables
  • Required when performing [Update table name list].
dynamodb:DescribeTable
  • Required when performing [Update index name list] and [Update schema definition].
dynamodb:Scan  

Get Item (Query)

Action name Remarks
dynamodb:ListTables
  • Required when performing [Update table name list].
dynamodb:DescribeTable
  • Required when performing [Update index name list] and [Update attribute list].
dynamodb:Scan
  • Required when performing [Update attribute list].
dynamodb:Query  

Add/Replace Item

Action name Remarks
dynamodb:ListTables
  • Required when performing [Update table name list].
dynamodb:DescribeTable
  • Required when performing [Update attribute list].
dynamodb:Scan
  • Required when performing [Update attribute list].
dynamodb:PutItem  

Delete Item

Action name Remarks
dynamodb:ListTables
  • Required when performing [Update table name list].
dynamodb:DescribeTable
  • Required when performing [Update primary key list].
dynamodb:Scan
  • Required when performing [Update primary key list].
dynamodb:DeleteItem  

Amazon EC2 Adapter

IAM permissions required for Amazon EC2 Adapter are as follows.

Global resource

Action name Remarks
ec2:DescribeAvailabilityZones
  • Required when performing [Connection test].

Operation

Start Instances

Action name Remarks
ec2:DescribeAddresses
  • Required when getting [Instance list].
ec2:DescribeInstances  
ec2:StartInstances  

Stop Instances

Action name Remarks
ec2:DescribeInstances  
ec2:StopInstances  

Describe Instances

Action name Remarks
ec2:DescribeImages  
ec2:DescribeInstances  

Amazon S3 Adapter

IAM permissions required for Amazon S3 Adapter are as follows.

Global resource

Action name Remarks
s3:ListAllMyBuckets
  • Required when performing [Connection test].

Operation

Get Bucket List

Action name Remarks
s3:ListBucket
  • The target bucket has to be included in an available Resource.
s3:ListAllMyBuckets  

Get File/Folder List

Action name Remarks
s3:GetObjectAcl  
s3:ListBucket
  • The target bucket has to be included in an available Resource.
s3:ListAllMyBuckets  

Read File/Folder

Action name Remarks
s3:GetObject  
s3:GetObjectAcl
  • Required when [Include permissions in result] is checked.
s3:ListBucket
  • The target bucket has to be included in an available Resource.
s3:ListAllMyBuckets  

Write File/Folder

Action name Remarks
s3:PutObject  
s3:GetObjectAcl
  • Required when [Include permissions in result] is checked.
s3:PutObjectAcl
  • Required when "Public" is selected in [Permissions].
s3:CreateBucket
  • Required when [Create a bucket when it doesn't exist] is checked.
s3:ListBucket
  • The target bucket has to be included in an available Resource.
s3:ListAllMyBuckets  

Copy File/Folder

Action name Remarks
s3:GetObject  
s3:GetObjectAcl  
s3:GetObjectTagging  
s3:PutObject  
s3:PutObjectAcl  
s3:PutObjectTagging  
s3:CreateBucket
  • Required when [Create a copy destination bucket when it doesn't exist] is checked.
s3:ListBucket
  • The target bucket has to be included in an available Resource.
s3:ListAllMyBuckets  

Delete File/Folder

Action name Remarks
s3:GetObject  
s3:DeleteObject  
s3:DeleteBucket
  • Required when [Delete bucket] is checked.
s3:ListBucket
  • The target bucket has to be included in an available Resource.
s3:ListAllMyBuckets  

Read File/Folder (Data)

Action name Remarks
s3:GetObject  
s3:GetObjectAcl
  • Required when [Include permissions in result] is checked.
s3:ListAllMyBuckets  

Write File/Folder (Data)

Action name Remarks
s3:PutObject  
s3:GetObjectAcl
  • Required when [Include permissions in result] is checked.
s3:CreateBucket
  • Required when [Create a bucket when it doesn't exist] is checked.
s3:ListBucket
  • The target bucket has to be included in an available Resource.
s3:ListAllMyBuckets  
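As an added example (not part of the adapter documentation), the following IAM policy grants only the actions the Write File/Folder table above lists as always required, scoped the way the remarks describe: s3:ListAllMyBuckets only supports Resource "*", s3:ListBucket is scoped to the target bucket ARN, and the object-level actions are scoped to objects inside that bucket. The bucket name example-adapter-bucket is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectionTestAndBucketList",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ListTargetBucketOnly",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-adapter-bucket"
    },
    {
      "Sid": "WriteObjectsInTargetBucket",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObjectAcl"
      ],
      "Resource": "arn:aws:s3:::example-adapter-bucket/*"
    }
  ]
}
```

Add s3:CreateBucket (on the bucket ARN) only when [Create a bucket when it doesn't exist] is checked, and s3:PutObjectAcl (on the object ARN) only when "Public" is selected in [Permissions]; leaving them out of the policy keeps the adapter account from creating buckets or making objects public by configuration mistake.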

Amazon SQS Adapter

IAM permissions required for Amazon SQS Adapter are as follows.

Global resource

Action name Remarks
sqs:ListQueues
  • Required when performing [Connection test].

Operation

Receive Message

Action name Remarks
sqs:GetQueueUrl  
sqs:ReceiveMessage  

Send Message

Action name Remarks
sqs:GetQueueUrl  
sqs:ListQueues
  • Required when getting [Queue name] list.
sqs:SendMessage  

Delete Message

Action name Remarks
sqs:DeleteMessage  
sqs:GetQueueUrl  
sqs:ListQueues
  • Required when getting [Queue name] list.

Amazon SimpleDB Adapter

IAM permissions required for Amazon SimpleDB Adapter are as follows.

Global resource

Action name Remarks
sdb:ListDomains
  • Required when performing [Connection test].

Operation

Read Item

Action name Remarks
sdb:ListDomains  
sdb:Select  

Execute Query

Action name Remarks
sdb:ListDomains  
sdb:Select  

Put Item

Action name Remarks
sdb:BatchPutAttributes  
sdb:ListDomains
  • Required when getting [Domain name] list.

Delete Item

Action name Remarks
sdb:BatchDeleteAttributes  
sdb:ListDomains
  • Required when getting [Domain name] list.

Create Domain

Action name Remarks
sdb:CreateDomain  
sdb:ListDomains  

Delete Domain

Action name Remarks
sdb:DeleteDomain  
sdb:ListDomains  

Amazon Redshift Adapter

For details on the permissions required by the COPY command that Amazon Redshift Adapter uses, refer to "COPY - Amazon Redshift" (http://docs.aws.amazon.com/en_us/redshift/latest/dg/r_COPY.html).

ScriptRunner for Amazon SQS

IAM permissions required for ScriptRunner for Amazon SQS are as follows.

ScriptRunner for Amazon SQS Settings

Action name Remarks
sqs:GetQueueUrl
  • Required when performing [Connection test].

ScriptRunner for Amazon SQS Manager

Action name Remarks
sqs:GetQueueUrl
  • Required for script execution request queue and script execution result queue.
sqs:ReceiveMessage
  • Required for script execution request queue.
sqs:SendMessage
  • Required for script execution result queue.
sqs:DeleteMessage
  • Required for script execution request queue.

ScriptRunner AmazonSQS Client

Action name Remarks
sqs:GetQueueUrl
  • Required for script execution request queue and script execution result queue.
sqs:ReceiveMessage
  • Required for script execution result queue.
sqs:SendMessage
  • Required for script execution request queue.
sqs:DeleteMessage
  • Required for script execution result queue.

Amazon Kinesis Trigger

For details on permissions required to use Amazon Kinesis Trigger, refer to "Developing Amazon Streams Consumers Using the Amazon Kinesis Client Library" (http://docs.aws.amazon.com/en_us/streams/latest/dev/developing-consumers-with-kcl.html).