When working with AWS IAM policies and trust relationships, you need to know the exact service principal for each AWS service. This comprehensive reference provides instant access to all 578 AWS service principals, making IAM policy development faster and more accurate.
In this guide, you'll learn:
- What service principals are and how they enable service-to-service access
- How to use the complete auto-updated reference table
- Trust policies, resource-based policies, and service-linked roles
- Regional service principal variations for opt-in regions
- How to protect against confused deputy attacks
- Infrastructure as Code examples for CDK and CloudFormation
What is an AWS Service Principal?
A service principal is an identifier that represents an AWS service in IAM policies. When you see something like lambda.amazonaws.com or ec2.amazonaws.com in a policy's Principal element, that's a service principal. These identifiers allow AWS services to assume IAM roles and perform actions on your behalf.
Think of service principals as the "identity card" that AWS services present when they need to access resources in your account. Without the correct service principal in your trust policy, an AWS service cannot assume the role you've created for it.
The service principal is defined by AWS itself, and you cannot create custom service principals or use wildcards like "Service": "*" in IAM policies. Each AWS service has its own specific identifier.
Service Principal Format and Structure
Service principals follow a standardized naming convention. The standard format is:
service-name.amazonaws.com
Here are some common examples:
- lambda.amazonaws.com for AWS Lambda
- ec2.amazonaws.com for Amazon EC2
- s3.amazonaws.com for Amazon S3
- ecs-tasks.amazonaws.com for Amazon ECS Tasks
- codebuild.amazonaws.com for AWS CodeBuild
When multiple services need to assume the same role, you can specify them using an array format:
```json
"Principal": {
  "Service": [
    "ecs.amazonaws.com",
    "elasticloadbalancing.amazonaws.com"
  ]
}
```
This syntax is useful when you need a shared role for services that work together, like ECS and Elastic Load Balancing. You can learn more about creating such roles in my guide on how to create IAM roles with multiple principals using AWS CDK.
How Service Principals Enable Service-to-Service Access
Service principals work through a trust relationship mechanism. Here's how the flow works:
- An AWS service (like Lambda) needs to access resources in your account
- The service presents its service principal and calls sts:AssumeRole
- IAM checks the role's trust policy to verify the service principal is allowed
- If authorized, IAM returns temporary security credentials
- The service uses these credentials to access your resources
This mechanism ensures that only the intended AWS services can assume roles in your account. The trust policy acts as the gatekeeper, and the service principal is the key.
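The array syntax and the trust-policy check above can be exercised offline with a small linter. This is an added example, not code from the article or from AWS: it assumes a constructed subset of the reference table as KNOWN_SERVICE_PRINCIPALS, two constructed sample trust policies, and treats a missing aws:SourceArn/aws:SourceAccount condition on a service-principal statement as a warning.

```python
"""Trust-policy linter for the service-principal rules described above.
Added example: not code from the article, AWS, or any AWS tool.
Assumes a constructed subset of the reference table (KNOWN_SERVICE_PRINCIPALS)
and constructed sample policies; a real run would load the whole table."""
import json

# Constructed subset of the reference table; extend it from the full table.
KNOWN_SERVICE_PRINCIPALS = {
    "lambda.amazonaws.com",
    "ec2.amazonaws.com",
    "s3.amazonaws.com",
    "ecs.amazonaws.com",
    "ecs-tasks.amazonaws.com",
    "elasticloadbalancing.amazonaws.com",
    "codebuild.amazonaws.com",
    "events.amazonaws.com",
}

# IAM global condition keys that pin which resource/account a service is
# acting for, i.e. the confused-deputy guard for service-principal trust.
CONFUSED_DEPUTY_KEYS = {"aws:SourceArn", "aws:SourceAccount"}

# IAM action names are case-insensitive, so compare in lowercase.
ASSUME_ROLE_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows a single value or a list; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _condition_keys(statement):
    """Collect every condition key, whatever operator it sits under."""
    keys = set()
    for operator_block in (statement.get("Condition") or {}).values():
        keys.update(operator_block.keys())
    return keys


def lint_trust_policy(policy_doc):
    """Return a list of findings for a trust policy (dict or JSON string)."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        label = stmt.get("Sid") or f"Statement[{idx}]"
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ROLE_ACTIONS:
            continue  # not a role-assumption grant
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"{label}: Principal '*' lets any caller assume the role")
            continue
        if not isinstance(principal, dict) or "Service" not in principal:
            continue  # account/user/federated principal; out of scope here
        for service in _as_list(principal["Service"]):
            if "*" in service:
                findings.append(
                    f"{label}: wildcard service principal '{service}' is not supported")
            elif service.lower() not in KNOWN_SERVICE_PRINCIPALS:
                findings.append(
                    f"{label}: unknown service principal '{service}', check the table")
        if not _condition_keys(stmt) & CONFUSED_DEPUTY_KEYS:
            findings.append(
                f"{label}: no aws:SourceArn/aws:SourceAccount condition "
                "(confused-deputy guard)")
    return findings


# Constructed sample trust policies; the account id is a documentation placeholder.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEventBridge",
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
    }],
}

BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # array form from the article, with one misspelt principal
            "Sid": "SharedRole",
            "Effect": "Allow",
            "Principal": {"Service": ["ecs.amazonaws.com",
                                      "elasticloadbalancing.amazonaws.com",
                                      "lambda.amazon.com"]},
            "Action": "sts:AssumeRole",
        },
        {   # wildcard service principal, which IAM does not support
            "Sid": "Wild",
            "Effect": "Allow",
            "Principal": {"Service": "*"},
            "Action": "sts:AssumeRole",
        },
    ],
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, lint_trust_policy(doc) or ["clean"])
```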
Complete AWS Service Principals Reference (2026)
The table below contains every AWS service principal, automatically fetched from the AWS Policy Generator and updated for 2026. Use your browser's search function (Ctrl+F or Cmd+F) to quickly find the service you need:
Total Unique Service Principals: 578 | With Documentation Links: 91 | Last Updated: January 2, 2026
| Service Name | Service Principal | Reference |
|---|---|---|
| AWS App2Container | a2c.amazonaws.com | |
| Alexa for Business | a4b.amazonaws.com | |
| AWS IAM Access Analyzer | access-analyzer.amazonaws.com | |
| AWS Account Management | account.amazonaws.com | |
| AWS Private Certificate Authority | acm-pca.amazonaws.com | |
| AWS Certificate Manager (ACM) | acm.amazonaws.com | Documentation |
| AWS Compute Optimizer Automation | aco-automation.amazonaws.com | |
| AWS Action Recommendations | action-recommendations.amazonaws.com | |
| AWS Activate | activate.amazonaws.com | |
| AWS DevOps Agent Service | aidevops.amazonaws.com | |
| Amazon AI Operations | aiops.amazonaws.com | |
| Amazon MWAA Environment | airflow-env.amazonaws.com | |
| AWS MWAA Serverless | airflow-serverless.amazonaws.com | |
| Amazon Managed Workflows for Apache Airflow | airflow.amazonaws.com | |
| Alexa App Kit | alexa-appkit.amazon.com | |
| Alexa Smart Home | alexa-connectedhome.amazon.com | |
| Amazon MQ | amazonmq.amazonaws.com | |
| AWS Amplify | amplify.amazonaws.com | |
| AWS Amplify Admin | amplifybackend.amazonaws.com | |
| AWS Amplify UI Builder | amplifyuibuilder.amazonaws.com | |
| Amazon OpenSearch Serverless | aoss.amazonaws.com | |
| Amazon EventBridge | apidestinations.events.amazonaws.com | |
| Amazon API Gateway Management | apigateway.amazonaws.com | |
| Amazon AppIntegrations | app-integrations.amazonaws.com | Documentation |
| AWS AppConfig | appconfig.amazonaws.com | |
| AWS AppFabric | appfabric.amazonaws.com | |
| Amazon AppFlow | appflow.amazonaws.com | |
| AWS Application Auto Scaling | application-autoscaling.amazonaws.com | |
| Application Cost Profiler | application-cost-profiler.amazonaws.com | |
| CloudWatch Application Insights | application-insights.amazonaws.com | |
| Amazon CloudWatch Application Signals | application-signals.amazonaws.com | |
| Amazon CloudWatch | application-signals.cloudwatch.amazonaws.com | |
| AWS Application Transformation Service | application-transformation.amazonaws.com | |
| Amazon CloudWatch Application Insights | applicationinsights.amazonaws.com | |
| AWS App Mesh Preview | appmesh-preview.amazonaws.com | |
| AWS App Mesh Preview | appmesh.amazonaws.com | Documentation |
| AWS App Runner | apprunner.amazonaws.com | |
| Amazon AppStream 2.0 | appstream.amazonaws.com | |
| Application Auto Scaling | appstream.application-autoscaling.amazonaws.com | |
| AWS App Studio | appstudio.amazonaws.com | |
| AWS AppSync | appsync.amazonaws.com | |
| AWS Mainframe Modernization Application Testing | apptest.amazonaws.com | |
| Amazon Managed Service for Prometheus | aps.amazonaws.com | |
| Amazon ARC Region switch | arc-region-switch.amazonaws.com | |
| Amazon Application Recovery Controller - Zonal Shift | arc-zonal-shift.amazonaws.com | |
| Application Discovery Arsenal | arsenal.amazonaws.com | |
| AWS Artifact | artifact.amazonaws.com | |
| AWS Cost Explorer | assets.marketplace.amazonaws.com | |
| Amazon Athena | athena.amazonaws.com | |
| AWS Audit Manager | auditmanager.amazonaws.com | Documentation |
| Automation | automation.amazonaws.com | |
| AWS Auto Scaling | autoscaling-plans.amazonaws.com | Documentation |
| Amazon EC2 Auto Scaling | autoscaling.amazonaws.com | Documentation |
| Aws Artifact Account Sync | aws-artifact-account-sync.amazonaws.com | |
| AWS Marketplace Management Portal | aws-marketplace-management.amazonaws.com | |
| AWS Cost Explorer | aws-marketplace.amazonaws.com | |
| AWS MCP Server | aws-mcp.amazonaws.com | |
| AWS Billing Console | aws-portal.amazonaws.com | |
| AWS Connector Service | awsconnector.amazonaws.com | |
| Amazon S3 | awspolicygen.s3.amazonaws.com | |
| AWS B2B Data Interchange | b2bi.amazonaws.com | |
| AWS Backup Gateway | backup-gateway.amazonaws.com | |
| AWS Backup Search | backup-search.amazonaws.com | |
| AWS Backup storage | backup-storage.amazonaws.com | |
| AWS Backup | backup.amazonaws.com | |
| AWS Batch | batch.amazonaws.com | |
| Amazon S3 | batchoperations.s3.amazonaws.com | |
| AWS Billing and Cost Management Dashboards | bcm-dashboards.amazonaws.com | |
| AWS Billing And Cost Management Data Exports | bcm-data-exports.amazonaws.com | |
| AWS Billing And Cost Management Pricing Calculator | bcm-pricing-calculator.amazonaws.com | |
| AWS Billing And Cost Management Recommended Actions | bcm-recommended-actions.amazonaws.com | |
| Amazon Bedrock Agentcore | bedrock-agentcore.amazonaws.com | |
| Amazon Bedrock Powered by AWS Mantle | bedrock-mantle.amazonaws.com | |
| Amazon Bedrock | bedrock.amazonaws.com | |
| AWS Billing | billing.amazonaws.com | |
| AWS Billing Conductor | billingconductor.amazonaws.com | |
| AWS Billing Console | billingconsole.amazonaws.com | |
| Amazon Braket | braket.amazonaws.com | |
| AWS Budget Service | budgets.amazonaws.com | |
| AWS BugBust | bugbust.amazonaws.com | |
| AWS App Runner | build.apprunner.amazonaws.com | |
| Amazon OpenSearch Service | cases.amazonaws.com | |
| Amazon Keyspaces (for Apache Cassandra) | cassandra.amazonaws.com | |
| Application Auto Scaling | cassandra.application-autoscaling.amazonaws.com | |
| AWS Cost Explorer Service | ce.amazonaws.com | |
| Amazon Lex | channels.lex.amazonaws.com | |
| Amazon Lex | channels.lexv2.amazonaws.com | |
| AWS Chatbot | chatbot.amazonaws.com | |
| Amazon Chime | chime.amazonaws.com | |
| AWS Clean Rooms ML | cleanrooms-ml.amazonaws.com | |
| AWS Clean Rooms | cleanrooms.amazonaws.com | |
| AWS Cloud9 | cloud9.amazonaws.com | Documentation |
| Amazon Cloud Directory | clouddirectory.amazonaws.com | |
| AWS Cloud Control API | cloudformation.amazonaws.com | |
| Amazon CloudFront KeyValueStore | cloudfront-keyvaluestore.amazonaws.com | |
| Amazon CloudFront | cloudfront.amazonaws.com | |
| AWS CloudHSM | cloudhsm.amazonaws.com | Documentation |
| Amazon CloudSearch | cloudsearch.amazonaws.com | |
| AWS CloudShell | cloudshell.amazonaws.com | |
| AWS CloudTrail Data | cloudtrail-data.amazonaws.com | |
| AWS CloudTrail | cloudtrail.amazonaws.com | |
| AWS Account Management | cloudwatch-crossaccount.amazonaws.com | |
| Amazon CloudWatch | cloudwatch.amazonaws.com | |
| AWS CodeArtifact | codeartifact.amazonaws.com | |
| AWS CodeBuild | codebuild.amazonaws.com | |
| Codecatalyst Runner | codecatalyst-runner.amazonaws.com | |
| Amazon CodeCatalyst | codecatalyst.amazonaws.com | Documentation |
| AWS CodeCommit | codecommit.amazonaws.com | |
| AWS CodeConnections | codeconnections.amazonaws.com | |
| AWS CodeDeploy secure host commands service | codedeploy-commands-secure.amazonaws.com | |
| AWS CodeDeploy | codedeploy.amazonaws.com | |
| Amazon CodeGuru Profiler | codeguru-profiler.amazonaws.com | Documentation |
| Amazon CodeGuru Reviewer | codeguru-reviewer.amazonaws.com | |
| Amazon CodeGuru Security | codeguru-security.amazonaws.com | |
| Amazon CodeGuru | codeguru.amazonaws.com | |
| AWS CodePipeline | codepipeline.amazonaws.com | |
| AWS CodeStar Connections | codestar-connections.amazonaws.com | |
| AWS CodeStar Notifications | codestar-notifications.amazonaws.com | Documentation |
| AWS CodeStar | codestar.amazonaws.com | |
| Amazon CodeWhisperer | codewhisperer.amazonaws.com | |
| Cognito Identity Us Gov | cognito-identity-us-gov.amazonaws.com | |
| Amazon Cognito Identity | cognito-identity.amazonaws.com | |
| Amazon Cognito User Pools | cognito-idp.amazonaws.com | |
| Amazon Cognito Sync | cognito-sync.amazonaws.com | |
| Amazon Comprehend | comprehend.amazonaws.com | |
| Amazon Comprehend Medical | comprehendmedical.amazonaws.com | |
| AWS Compute Optimizer | compute-optimizer.amazonaws.com | Documentation |
| Config Conforms | config-conforms.amazonaws.com | |
| Config Multiaccountsetup | config-multiaccountsetup.amazonaws.com | |
| AWS Config | config.amazonaws.com | Documentation |
| Amazon Connect Outbound Campaigns | connect-campaigns.amazonaws.com | |
| Amazon Connect | connect.amazonaws.com | Documentation |
| AWS Console Mobile App | consoleapp.amazonaws.com | |
| AWS Consolidated Billing | consolidatedbilling.amazonaws.com | |
| AWS Application Discovery Service | continuousexport.discovery.amazonaws.com | |
| Contract Iq | contract.iq.amazonaws.com | |
| Amazon DynamoDB | contributorinsights.dynamodb.amazonaws.com | |
| AWS Control Catalog | controlcatalog.amazonaws.com | |
| AWS Control Tower | controltower.amazonaws.com | |
| AWS Cost Optimization Hub | cost-optimization-hub.amazonaws.com | |
| Cost Optimization Hub Bcm | cost-optimization-hub.bcm.amazonaws.com | |
| AWS Cost Anomaly Detection | costalerts.amazonaws.com | |
| AWS IoT Core | credentials.iot.amazonaws.com | |
| AWS Cost and Usage Report | cur.amazonaws.com | |
| Application Auto Scaling | custom-resource.application-autoscaling.amazonaws.com | |
| Amazon RDS | custom.rds-preview.amazonaws.com | |
| AWS Directory Service | custom.rds.amazonaws.com | |
| AWS Customer Verification Service | customer-verification.amazonaws.com | |
| AWS Glue DataBrew | databrew.amazonaws.com | |
| AWS Data Exchange | dataexchange.amazonaws.com | |
| AWS Data Pipeline | datapipeline.amazonaws.com | |
| AWS DataSync | datasync.amazonaws.com | |
| Amazon DataZone | datazone.amazonaws.com | |
| Datazonecontrol | datazonecontrol.amazonaws.com | |
| Amazon DynamoDB Accelerator (DAX) | dax.amazonaws.com | Documentation |
| Database Query Metadata Service | dbqms.amazonaws.com | |
| AWS Deadline Cloud | deadline.amazonaws.com | |
| Deepcomposer | deepcomposer.amazonaws.com | |
| AWS DeepLens | deeplens.amazonaws.com | |
| AWS DeepRacer | deepracer.amazonaws.com | |
| CloudWatch Logs Delivery | delivery.logs.amazonaws.com | |
| Amazon Detective | detective.amazonaws.com | |
| AWS Device Farm | devicefarm.amazonaws.com | |
| Amazon DevOps Guru | devops-guru.amazonaws.com | Documentation |
| Diode | diode.amazonaws.com | |
| AWS Direct Connect | directconnect.amazonaws.com | Documentation |
| AWS Application Discovery Service | discovery.amazonaws.com | |
| Amazon Data Lifecycle Manager | dlm.amazonaws.com | |
| AWS Database Migration Service | dms.amazonaws.com | |
| Dms Region Name | dms.region-name.amazonaws.com | |
| AWS Migration Hub | dmsintegration.migrationhub.amazonaws.com | |
| Amazon DocumentDB Elastic Clusters | docdb-elastic.amazonaws.com | Documentation |
| AWS Elastic Disaster Recovery | drs.amazonaws.com | Documentation |
| AWS Directory Service Data | ds-data.amazonaws.com | |
| AWS Directory Service | ds.amazonaws.com | Documentation |
| Amazon Aurora DSQL | dsql.amazonaws.com | |
| Amazon DynamoDB | dynamodb.amazonaws.com | |
| Application Auto Scaling | dynamodb.application-autoscaling.amazonaws.com | |
| Amazon Elastic Block Store | ebs.amazonaws.com | |
| Ec | ec.amazonaws.com | |
| Amazon EC2 Instance Connect | ec2-instance-connect.amazonaws.com | Documentation |
| Amazon EC2 | ec2.amazonaws.com | |
| Application Auto Scaling | ec2.application-autoscaling.amazonaws.com | Documentation |
| Ec2fastlaunch | ec2fastlaunch.amazonaws.com | |
| Amazon EC2 Fleet | ec2fleet.amazonaws.com | |
| Amazon Message Delivery Service | ec2messages.amazonaws.com | |
| Amazon EC2 Scheduled Instances | ec2scheduled.amazonaws.com | |
| Amazon Elastic Container Registry Public | ecr-public.amazonaws.com | |
| Amazon Elastic Container Registry | ecr.amazonaws.com | |
| Amazon ECS Tasks | ecs-tasks.amazonaws.com | |
| Amazon Elastic Container Service | ecs.amazonaws.com | |
| Application Auto Scaling | ecs.application-autoscaling.amazonaws.com | |
| AWS Lambda | edgelambda.amazonaws.com | |
| Amazon EKS Auth | eks-auth.amazonaws.com | |
| Eks Connector | eks-connector.amazonaws.com | |
| Amazon EKS Fargate Pods | eks-fargate-pods.amazonaws.com | |
| Amazon EKS Fargate | eks-fargate.amazonaws.com | |
| Amazon EKS MCP Server | eks-mcp.amazonaws.com | |
| Amazon EKS Node Groups | eks-nodegroup.amazonaws.com | |
| Amazon Elastic Kubernetes Service | eks.amazonaws.com | |
| AWS Cost Explorer | elastic-inference.amazonaws.com | |
| Elasticache Snapshot | elasticache-snapshot.amazonaws.com | |
| Amazon ElastiCache | elasticache.amazonaws.com | Documentation |
| AWS Elastic Beanstalk | elasticbeanstalk.amazonaws.com | |
| Amazon Elastic File System (Amazon EFS) | elasticfilesystem.amazonaws.com | Documentation |
| AWS Elastic Load Balancing V2 | elasticloadbalancing.amazonaws.com | Documentation |
| Amazon Elastic MapReduce | elasticmapreduce.amazonaws.com | |
| Amazon Elastic Transcoder | elastictranscoder.amazonaws.com | |
| AWS Elemental Appliances and Software Activation Service | elemental-activations.amazonaws.com | |
| AWS Elemental Appliances and Software | elemental-appliances-software.amazonaws.com | |
| AWS Elemental Support Cases | elemental-support-cases.amazonaws.com | |
| AWS Elemental Support Content | elemental-support-content.amazonaws.com | |
| Amazon Cognito user pools | email.cognito-idp.amazonaws.com | Documentation |
| Amazon EMR on EKS (EMR Containers) | emr-containers.amazonaws.com | Documentation |
| Amazon EMR Serverless | emr-serverless.amazonaws.com | |
| AWS Entity Resolution | entityresolution.amazonaws.com | |
| Amazon OpenSearch Service | es.amazonaws.com | |
| AWS Health | event-processor.health.amazonaws.com | |
| Amazon EventBridge | events.amazonaws.com | |
| Amazon OpenSearch Service | events.managedservices.amazonaws.com | |
| Amazon WorkMail | events.workmail.amazonaws.com | Documentation |
| Amazon CloudWatch Evidently | evidently.amazonaws.com | |
| Amazon Elastic VMware Service | evs.amazonaws.com | Documentation |
| Amazon API Gateway | execute-api.amazonaws.com | |
| Fargate | fargate.amazonaws.com | |
| Amazon FinSpace API | finspace-api.amazonaws.com | |
| AWS Cost Explorer | finspace.amazonaws.com | Documentation |
| Amazon Kinesis Data Firehose | firehose.amazonaws.com | |
| AWS Fault Injection Simulator | fis.amazonaws.com | Documentation |
| AWS Firewall Manager | fms.amazonaws.com | |
| Amazon Forecast | forecast.amazonaws.com | |
| Amazon Fraud Detector | frauddetector.amazonaws.com | |
| Amazon FreeRTOS | freertos.amazonaws.com | |
| AWS Free Tier | freetier.amazonaws.com | |
| Amazon FSx | fsx.amazonaws.com | |
| Galaxy | galaxy.amazonaws.com | |
| Amazon GameLift Servers | gamelift.amazonaws.com | |
| Amazon GameLift Streams | gameliftstreams.amazonaws.com | |
| Amazon Location Service Maps | geo-maps.amazonaws.com | |
| Amazon Location Service Places | geo-places.amazonaws.com | |
| Amazon Location Service Routes | geo-routes.amazonaws.com | |
| Amazon Location | geo.amazonaws.com | |
| Amazon S3 | github-cloud.s3.amazonaws.com | |
| Amazon S3 Glacier | glacier.amazonaws.com | |
| AWS Global Accelerator | globalaccelerator.amazonaws.com | Documentation |
| AWS Glue | glue.amazonaws.com | |
| Amazon Managed Grafana | grafana.amazonaws.com | Documentation |
| AWS IoT Greengrass | greengrass.amazonaws.com | |
| AWS Ground Station | groundstation.amazonaws.com | Documentation |
| Amazon GroundTruth Labeling | groundtruthlabeling.amazonaws.com | |
| Amazon GuardDuty | guardduty.amazonaws.com | |
| AWS Health APIs and Notifications | health.amazonaws.com | |
| AWS HealthLake | healthlake.amazonaws.com | |
| Amazon Honeycode | honeycode.amazonaws.com | |
| AWS CloudFormation | hooks.cloudformation.amazonaws.com | |
| AWS Identity and Access Management (IAM) | iam.amazonaws.com | |
| AWS Identity Sync | identity-sync.amazonaws.com | |
| AWS Identity Store Auth | identitystore-auth.amazonaws.com | |
| AWS IAM Identity Center | identitystore.amazonaws.com | |
| Amazon EC2 Image Builder | imagebuilder.amazonaws.com | Documentation |
| AWS Import Export Disk Service | importexport.amazonaws.com | |
| Amazon InspectorScan | inspector-scan.amazonaws.com | |
| Amazon Inspector Classic | inspector.amazonaws.com | Documentation |
| Amazon Inspector2 | inspector2.amazonaws.com | |
| Amazon CloudWatch Internet Monitor | internetmonitor.amazonaws.com | |
| AWS Invoicing Service | invoicing.amazonaws.com | |
| AWS IoT Device Tester | iot-device-tester.amazonaws.com | |
| AWS IoT Core | iot.amazonaws.com | |
| Iot1click | iot1click.amazonaws.com | |
| AWS IoT Analytics | iotanalytics.amazonaws.com | |
| AWS IoT Core Device Advisor | iotdeviceadvisor.amazonaws.com | |
| AWS IoT Events | iotevents.amazonaws.com | |
| AWS IoT Fleet Hub for Device Management | iotfleethub.amazonaws.com | |
| AWS IoT FleetWise | iotfleetwise.amazonaws.com | |
| AWS IoT Jobs DataPlane | iotjobsdata.amazonaws.com | |
| AWS IoT Managed Integrations Service | iotmanagedintegrations.amazonaws.com | Documentation |
| Iotroborunner | iotroborunner.amazonaws.com | |
| AWS IoT SiteWise | iotsitewise.amazonaws.com | |
| AWS IoT Things Graph | iotthingsgraph.amazonaws.com | |
| AWS IoT TwinMaker | iottwinmaker.amazonaws.com | Documentation |
| AWS IoT Wireless | iotwireless.amazonaws.com | |
| AWS IQ Permissions | iq-permission.amazonaws.com | |
| AWS IQ | iq.amazonaws.com | |
| Amazon Interactive Video Service | ivs.amazonaws.com | Documentation |
| Amazon Interactive Video Service Chat | ivschat.amazonaws.com | |
| Jellyfish | jellyfish.amazonaws.com | |
| Apache Kafka APIs for Amazon MSK clusters | kafka-cluster.amazonaws.com | |
| Amazon Managed Streaming for Apache Kafka | kafka.amazonaws.com | |
| Amazon Managed Streaming for Kafka Connect | kafkaconnect.amazonaws.com | Documentation |
| Amazon Kendra Intelligent Ranking | kendra-ranking.amazonaws.com | |
| Amazon Kendra | kendra.amazonaws.com | |
| Amazon Kinesis Data Streams | kinesis.amazonaws.com | |
| Amazon Kinesis Data Analytics | kinesisanalytics.amazonaws.com | |
| Amazon DynamoDB | kinesisreplication.dynamodb.amazonaws.com | |
| Amazon Kinesis Video Streams | kinesisvideo.amazonaws.com | |
| AWS Key Management Service | kms.amazonaws.com | |
| AWS Lake Formation | lakeformation.amazonaws.com | Documentation |
| Amazon CloudWatch | lambda.alarms.cloudwatch.amazonaws.com | |
| AWS Lambda | lambda.amazonaws.com | |
| AWS Launch Wizard | launchwizard.amazonaws.com | |
| Amazon Lex | lex.amazonaws.com | Documentation |
| Amazon Lex V2 | lexv2.amazonaws.com | Documentation |
| AWS Cost Explorer | license-management.marketplace.amazonaws.com | |
| AWS License Manager Linux Subscriptions Manager | license-manager-linux-subscriptions.amazonaws.com | |
| AWS License Manager User Subscriptions | license-manager-user-subscriptions.amazonaws.com | Documentation |
| AWS License Manager | license-manager.amazonaws.com | |
| AWS Account Management | license-manager.member-account.amazonaws.com | |
| Amazon Lightsail | lightsail.amazonaws.com | |
| CloudFront Logging | logger.cloudfront.amazonaws.com | |
| Amazon S3 Server Access Logging | logging.s3.amazonaws.com | |
| Amazon CloudWatch Logs | logs.amazonaws.com | Documentation |
| Amazon Lookout for Equipment | lookoutequipment.amazonaws.com | |
| Amazon Lookout for Metrics | lookoutmetrics.amazonaws.com | |
| Amazon Lookout for Vision | lookoutvision.amazonaws.com | |
| AWS Mainframe Modernization Service | m2.amazonaws.com | Documentation |
| Amazon Machine Learning | machinelearning.amazonaws.com | |
| Amazon Macie | macie.amazonaws.com | Documentation |
| Amazon Macie | macie2.amazonaws.com | |
| AWS Elastic Beanstalk | maintenance.elasticbeanstalk.amazonaws.com | |
| Amazon GuardDuty | malware-protection-plan.guardduty.amazonaws.com | |
| Amazon GuardDuty | malware-protection.guardduty.amazonaws.com | |
| Amazon Managed Blockchain Query | managedblockchain-query.amazonaws.com | |
| Amazon Managed Blockchain | managedblockchain.amazonaws.com | |
| Amazon OpenSearch Service | managedservices.amazonaws.com | |
| AWS Elastic Beanstalk | managedupdates.elasticbeanstalk.amazonaws.com | |
| AWS Migration Acceleration Program Credits | mapcredits.amazonaws.com | |
| AWS Marketplace Commerce Analytics Service | marketplacecommerceanalytics.amazonaws.com | |
| Amazon Mechanical Turk | mechanicalturk.amazonaws.com | |
| AWS Elemental MediaConnect | mediaconnect.amazonaws.com | |
| AWS Elemental MediaConvert | mediaconvert.amazonaws.com | |
| AmazonMediaImport | mediaimport.amazonaws.com | |
| AWS Elemental MediaLive | medialive.amazonaws.com | |
| AWS Elemental MediaPackage VOD | mediapackage-vod.amazonaws.com | |
| AWS Elemental MediaPackage | mediapackage.amazonaws.com | |
| AWS Elemental MediaPackage V2 | mediapackagev2.amazonaws.com | |
| AWS Elemental MediaStore | mediastore.amazonaws.com | |
| AWS Elemental MediaTailor | mediatailor.amazonaws.com | |
| AWS HealthImaging | medical-imaging.amazonaws.com | |
| Amazon Chime | meetings.chime.amazonaws.com | |
| AWS CloudFormation | member.org.stacksets.cloudformation.amazonaws.com | |
| Amazon MemoryDB | memorydb.amazonaws.com | Documentation |
| AWS Cost Explorer | metering-marketplace.amazonaws.com | |
| AWS Migration Hub | mgh.amazonaws.com | |
| AWS Application Migration Service | mgn.amazonaws.com | Documentation |
| AWS Migration Hub Orchestrator | migrationhub-orchestrator.amazonaws.com | Documentation |
| AWS Migration Hub Strategy Recommendations | migrationhub-strategy.amazonaws.com | Documentation |
| AWS Migration Hub | migrationhub.amazonaws.com | |
| Amazon Mobile Analytics | mobileanalytics.amazonaws.com | |
| AWS Mobile Hub | mobilehub.amazonaws.com | |
| Amazon Pinpoint | mobiletargeting.amazonaws.com | |
| Amazon CloudWatch | monitoring.amazonaws.com | |
| RDS Enhanced Monitoring | monitoring.rds.amazonaws.com | |
| Amazon Monitron | monitron.amazonaws.com | |
| Multi-party approval | mpa.amazonaws.com | |
| Amazon MQ | mq.amazonaws.com | Documentation |
| Amazon Neptune | neptune-db.amazonaws.com | |
| Amazon Neptune Analytics | neptune-graph.amazonaws.com | |
| AWS Network Firewall | network-firewall.amazonaws.com | Documentation |
| AWS Shield network security director | network-security-director.amazonaws.com | |
| Network Flow Monitor | networkflowmonitor.amazonaws.com | |
| AWS Network Manager Chat | networkmanager-chat.amazonaws.com | |
| AWS Network Manager | networkmanager.amazonaws.com | Documentation |
| Amazon CloudWatch Network Synthetic Monitor | networkmonitor.amazonaws.com | |
| Amazon Nimble Studio | nimble.amazonaws.com | |
| AWS User Notifications Contacts | notifications-contacts.amazonaws.com | |
| AWS User Notifications | notifications.amazonaws.com | |
| Amazon Nova Act | nova-act.amazonaws.com | |
| Amazon CloudWatch Observability Access Manager | oam.amazonaws.com | |
| Amazon OpenSearch Serverless | observability.aoss.amazonaws.com | Documentation |
| Amazon CloudWatch Observability Admin Service | observabilityadmin.amazonaws.com | |
| AWS Service - Oracle Database@AWS | odb.amazonaws.com | |
| AWS HealthOmics | omics.amazonaws.com | |
| Amazon One Enterprise | one.amazonaws.com | |
| Amazon OpenSearch | opensearch.amazonaws.com | |
| AWS Cost Explorer | opensearchservice.amazonaws.com | |
| Amazon API Gateway | ops.apigateway.amazonaws.com | Documentation |
| Amazon EMR Serverless | ops.emr-serverless.amazonaws.com | Documentation |
| AWS Systems Manager | opsdatasync.ssm.amazonaws.com | |
| AWS OpsWorks Configuration Management | opsworks-cm.amazonaws.com | |
| AWS OpsWorks | opsworks.amazonaws.com | |
| AWS Organizations | organizations.amazonaws.com | |
| AWS Service Catalog | orgsdatasync.servicecatalog.amazonaws.com | |
| Amazon OpenSearch Ingestion | osis.amazonaws.com | |
| AWS Outposts | outposts.amazonaws.com | Documentation |
| AWS Panorama | panorama.amazonaws.com | Documentation |
| AWS Partner central account management | partnercentral-account-management.amazonaws.com | |
| AWS Partner Central | partnercentral.amazonaws.com | |
| AWS Payment Cryptography | payment-cryptography.amazonaws.com | |
| AWS Payments | payments.amazonaws.com | |
| AWS Private CA Connector for Active Directory | pca-connector-ad.amazonaws.com | |
| AWS Private CA Connector for SCEP | pca-connector-scep.amazonaws.com | |
| AWS Parallel Computing Service | pcs.amazonaws.com | Documentation |
| AWS IQ | permission.iq.amazonaws.com | Documentation |
| Amazon Personalize | personalize.amazonaws.com | |
| AWS Performance Insights | pi.amazonaws.com | |
| Amazon Pinpoint | pinpoint.amazonaws.com | |
| Amazon OpenSearch Service | pipes.amazonaws.com | |
| Amazon Polly | polly.amazonaws.com | |
| Amazon Route 53 Recovery Readiness | practice-run.arc-zonal-shift.amazonaws.com | Documentation |
| AWS Price List | pricing.amazonaws.com | |
| AWS PricingPlanManager Service | pricingplanmanager.amazonaws.com | |
| AWS service providing managed private networks | private-networks.amazonaws.com | |
| Amazon Connect Customer Profiles | profile.amazonaws.com | Documentation |
| AWS Proton | proton.amazonaws.com | |
| Amazon ECR | pullthroughcache.ecr.amazonaws.com | |
| AWS Purchase Orders Console | purchase-orders.amazonaws.com | |
| Purchaseorders | purchaseorders.amazonaws.com | |
| Amazon Q | q.amazonaws.com | |
| Amazon Q Business Q Apps | qapps.amazonaws.com | Documentation |
| Amazon Q Business | qbusiness.amazonaws.com | Documentation |
| Amazon Q Developer | qdeveloper.amazonaws.com | |
| Amazon QLDB | qldb.amazonaws.com | |
| Amazon QuickSight | quicksight.amazonaws.com | |
| AWS Resource Access Manager (AWS RAM) | ram.amazonaws.com | Documentation |
| AWS Recycle Bin | rbin.amazonaws.com | |
| Amazon RDS Data API | rds-data.amazonaws.com | |
| Amazon RDS IAM Authentication | rds-db.amazonaws.com | |
| Rds Preview | rds-preview.amazonaws.com | |
| Amazon Relational Database Service (Amazon RDS) | rds.amazonaws.com | Documentation |
| Application Auto Scaling | rds.application-autoscaling.amazonaws.com | |
| Reachabilityanalyzer Networkinsights | reachabilityanalyzer.networkinsights.amazonaws.com | |
| Amazon Redshift Data API | redshift-data.amazonaws.com | |
| Amazon Redshift Serverless | redshift-serverless.amazonaws.com | |
| Amazon Redshift | redshift.amazonaws.com | Documentation |
| AWS Migration Hub Refactor Spaces | refactor-spaces.amazonaws.com | Documentation |
| Amazon ElastiCache | region.elasticache-snapshot.amazonaws.com | |
| Amazon Rekognition | rekognition.amazonaws.com | |
| AWS Config | remediation.config.amazonaws.com | |
| Amazon Keyspaces | replication.cassandra.amazonaws.com | |
| DynamoDB Global Tables | replication.dynamodb.amazonaws.com | |
| Amazon ECR | replication.ecr.amazonaws.com | |
| Amazon Lex | replication.lexv2.amazonaws.com | |
| Lambda Replicator | replicator.lambda.amazonaws.com | |
| AWS Trusted Advisor | reporting.trustedadvisor.amazonaws.com | |
| AWS CodeStar Connections | repository.sync.codeconnections.amazonaws.com | Documentation |
| AWS re:Post Private | repostspace.amazonaws.com | Documentation |
| AWS Resilience Hub | resiliencehub.amazonaws.com | |
| AWS Resource Explorer | resource-explorer-2.amazonaws.com | Documentation |
| Resource Explorer | resource-explorer.amazonaws.com | |
| AWS Resource Groups | resource-groups.amazonaws.com | |
| AWS CloudFormation | resource.cloudformation.amazonaws.com | |
| AWS Resource Groups | resourcegroups.amazonaws.com | Documentation |
| AWS CloudFormation | resources.cloudformation.amazonaws.com | |
| AWS Backup | restore-testing.backup.amazonaws.com | |
| Amazon RHEL Knowledgebase Portal | rhelkb.amazonaws.com | |
| AWS RoboMaker | robomaker.amazonaws.com | |
| AWS Identity and Access Management Roles Anywhere | rolesanywhere.amazonaws.com | Documentation |
| Amazon Route 53 Recovery Cluster | route53-recovery-cluster.amazonaws.com | |
| Amazon Route 53 Recovery Controls | route53-recovery-control-config.amazonaws.com | |
| Amazon Route 53 Recovery Readiness | route53-recovery-readiness.amazonaws.com | |
| Amazon Route 53 | route53.amazonaws.com | |
| Amazon Route 53 Domains | route53domains.amazonaws.com | |
| AWS Route53 Global Resolver | route53globalresolver.amazonaws.com | |
| Amazon OpenSearch Service | route53profiles.amazonaws.com | |
| Amazon Route 53 Resolver | route53resolver.amazonaws.com | |
| AWS RTB Fabric | rtbfabric.amazonaws.com | Documentation |
| AWS CloudWatch RUM | rum.amazonaws.com | |
| Amazon S3 Object Lambda | s3-object-lambda.amazonaws.com | |
| Amazon Simple Storage Service (Amazon S3) on AWS Outposts | s3-outposts.amazonaws.com | Documentation |
| Amazon S3 | s3.amazonaws.com | |
| Amazon FSx | s3.data-source.lustre.fsx.amazonaws.com | |
| Amazon S3 Express | s3express.amazonaws.com | |
| Amazon S3 Tables | s3tables.amazonaws.com | |
| Amazon S3 Vectors | s3vectors.amazonaws.com | |
| Amazon SageMaker data science assistant | sagemaker-data-science-assistant.amazonaws.com | |
| Amazon SageMaker geospatial capabilities | sagemaker-geospatial.amazonaws.com | |
| Sagemaker Groundtruth Synthetic | sagemaker-groundtruth-synthetic.amazonaws.com | |
| Amazon SageMaker with MLflow | sagemaker-mlflow.amazonaws.com | |
| Amazon SageMaker Unified Studio MCP | sagemaker-unified-studio-mcp.amazonaws.com | |
| Amazon SageMaker | sagemaker.amazonaws.com | |
| Application Auto Scaling | sagemaker.application-autoscaling.amazonaws.com | |
| AWS Savings Plans | savingsplans.amazonaws.com | |
| Amazon EventBridge Scheduler | scheduler.amazonaws.com | |
| Amazon EventBridge Schema Registry | schemas.amazonaws.com | |
| AWS Supply Chain | scn.amazonaws.com | |
| Scraper Aps | scraper.aps.amazonaws.com | |
| Amazon SimpleDB | sdb.amazonaws.com | |
| AWS Secrets Manager | secretsmanager.amazonaws.com | |
| AWS Security Incident Response | security-ir.amazonaws.com | |
| AWS Security Agent | securityagent.amazonaws.com | |
| AWS Security Hub CSPM | securityhub.amazonaws.com | Documentation |
| Amazon Security Lake | securitylake.amazonaws.com | |
| AWS Serverless Application Repository | serverlessrepo.amazonaws.com | |
| AWS Service Catalog AppRegistry | servicecatalog-appregistry.amazonaws.com | |
| AWS Service Catalog | servicecatalog.amazonaws.com | |
| AWS Cloud Map | servicediscovery.amazonaws.com | |
| AWS Microservice Extractor for .NET | serviceextract.amazonaws.com | |
| Service Quotas | servicequotas.amazonaws.com | |
| Amazon Simple Email Service (Amazon SES) v2 | ses.amazonaws.com | Documentation |
| AWS Shield | shield.amazonaws.com | Documentation |
| AWS Signer | signer.amazonaws.com | |
| AWS Sign-In | signin.amazonaws.com | |
| AWS SimSpace Weaver | simspaceweaver.amazonaws.com | |
| AWS End User Messaging SMS and Voice V2 | sms-voice.amazonaws.com | Documentation |
| AWS Server Migration Service | sms.amazonaws.com | |
| AWS Migration Hub | smsintegration.migrationhub.amazonaws.com | |
| AWS Snow Device Management | snow-device-management.amazonaws.com | |
| AWS Snowball | snowball.amazonaws.com | |
| Amazon SNS | sns.amazonaws.com | |
| AWS End User Messaging Social | social-messaging.amazonaws.com | Documentation |
| Spot | spot.amazonaws.com | |
| Amazon EC2 Spot Fleet | spotfleet.amazonaws.com | |
| AWS SQL Workbench | sqlworkbench.amazonaws.com | |
| Amazon SQS | sqs.amazonaws.com | |
| AWS Systems Manager Incident Manager Contacts | ssm-contacts.amazonaws.com | |
| AWS Systems Manager GUI Connect | ssm-guiconnect.amazonaws.com | |
| AWS Systems Manager Incident Manager | ssm-incidents.amazonaws.com | Documentation |
| AWS Systems Manager Quick Setup | ssm-quicksetup.amazonaws.com | |
| AWS Systems Manager for SAP | ssm-sap.amazonaws.com | |
| AWS Systems Manager | ssm.amazonaws.com | |
| Amazon Message Gateway Service | ssmmessages.amazonaws.com | |
| AWS IAM Identity Center directory | sso-directory.amazonaws.com | |
| AWS IAM Identity Center OIDC service | sso-oauth.amazonaws.com | |
| AWS IAM Identity Center | sso.amazonaws.com | Documentation |
| AWS CloudFormation | stacksets.cloudformation.amazonaws.com | |
| AWS Step Functions | states.amazonaws.com | |
| Amazon S3 | storage-lens.s3.amazonaws.com | |
| AWS Storage Gateway | storagegateway.amazonaws.com | |
| Amazon CloudWatch | streams.metrics.cloudwatch.amazonaws.com | |
| AWS Security Token Service | sts.amazonaws.com | |
| AWS Support Console | support-console.amazonaws.com | |
| AWS Support | support.amazonaws.com | Documentation |
| AWS Support App in Slack | supportapp.amazonaws.com | |
| AWS Support Plans | supportplans.amazonaws.com | |
| Supportrecommendations | supportrecommendations.amazonaws.com | |
| AWS Sustainability | sustainability.amazonaws.com | |
| Amazon Simple Workflow Service | swf.amazonaws.com | |
| AWS Proton | sync.proton.amazonaws.com | |
| Amazon CloudWatch Synthetics | synthetics.amazonaws.com | |
| Amazon Resource Group Tagging API | tag.amazonaws.com | |
| AWS Resource Groups Tagging | tagging.amazonaws.com | |
| Tagpolicies Tag | tagpolicies.tag.amazonaws.com | |
| AWS App Runner | tasks.apprunner.amazonaws.com | |
| AWS Tax Settings | tax.amazonaws.com | |
| Amazon Textract | textract.amazonaws.com | |
| Amazon WorkSpaces Thin Client | thinclient.amazonaws.com | |
| Amazon Timestream InfluxDB | timestream-influxdb.amazonaws.com | |
| Amazon Timestream | timestream.amazonaws.com | |
| Amazon Timestream Influxdb | timestreamforinfluxdb.amazonaws.com | Documentation |
| AWS Tiros | tiros.amazonaws.com | |
| AWS Telco Network Builder | tnb.amazonaws.com | |
| Amazon Transcribe | transcribe.amazonaws.com | |
| AWS Transfer Family | transfer.amazonaws.com | |
| AWS Transform custom | transform-custom.amazonaws.com | |
| AWS Transform | transform.amazonaws.com | |
| AWS Transit Gateway | transitgateway.amazonaws.com | |
| Amazon Translate | translate.amazonaws.com | |
| AWS Security Incident Response | triage.security-ir.amazonaws.com | Documentation |
| AWS Trusted Advisor | trustedadvisor.amazonaws.com | Documentation |
| AWS Diagnostic tools | ts.amazonaws.com | |
| Tts | tts.amazonaws.com | |
| AWS User Subscriptions | user-subscriptions.amazonaws.com | |
| AWS Service for managing AWS Console user experience capabilities. | uxc.amazonaws.com | |
| AWS Marketplace Vendor Insights | vendor-insights.amazonaws.com | |
| AWS Verified Access | verified-access.amazonaws.com | |
| Amazon Verified Permissions | verifiedpermissions.amazonaws.com | |
| Vmie | vmie.amazonaws.com | |
| Amazon Connect Voice ID | voiceid.amazonaws.com | |
| VPC Flow Logs | vpc-flow-logs.amazonaws.com | |
| Amazon VPC Lattice Services | vpc-lattice-svcs.amazonaws.com | |
| Amazon VPC Lattice | vpc-lattice.amazonaws.com | Documentation |
| AWS PrivateLink | vpce.amazonaws.com | |
| Amazon CloudFront | vpcorigin.cloudfront.amazonaws.com | Documentation |
| AWS WAF Regional | waf-regional.amazonaws.com | |
| AWS WAF Regional | waf.amazonaws.com | Documentation |
| AWS WAF V2 | wafv2.amazonaws.com | Documentation |
| Amazon WorkSpaces Application Manager | wam.amazonaws.com | |
| AWS Well-Architected Tool | wellarchitected.amazonaws.com | |
| AWS Wickr | wickr.amazonaws.com | |
| Amazon Q in Connect | wisdom.amazonaws.com | |
| Amazon WorkDocs | workdocs.amazonaws.com | |
| Amazon WorkLink | worklink.amazonaws.com | |
| Amazon WorkMail | workmail.amazonaws.com | |
| Amazon WorkMail Message Flow | workmailmessageflow.amazonaws.com | |
| AWS WorkSpaces Managed Instances | workspaces-instances.amazonaws.com | |
| Amazon WorkSpaces Secure Browser | workspaces-web.amazonaws.com | |
| Amazon WorkSpaces | workspaces.amazonaws.com | |
| AWS X-Ray | xray.amazonaws.com | |
Note: The data is automatically fetched from the official AWS Policy Generator and parsed into this markdown table using a custom Node.js script. The table is regularly updated to include the latest AWS services.
How to Use This Service Principal List
Now that you have the complete reference, let's explore the three main contexts where you'll use service principals: trust policies, resource-based policies, and service-linked roles.
Trust Policies for IAM Roles
Trust policies define which principals can assume an IAM role. For service roles, you specify the AWS service principal that should be able to assume the role. This is the most common use case.
Here's a basic trust policy structure:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
This trust policy allows AWS Lambda to assume the role. When Lambda needs to execute your function, it presents its service principal and calls sts:AssumeRole. IAM validates the trust policy and issues temporary credentials.
For Lambda execution roles specifically, the role also needs a permissions policy granting access to CloudWatch Logs:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
```
You can learn how to assign custom IAM roles to Lambda functions using AWS CDK for more advanced configurations.
Resource-Based Policies
Service principals also appear in resource-based policies attached to AWS resources like S3 buckets, SNS topics, or SQS queues. These policies allow AWS services to access your resources directly.
Here's an example S3 bucket policy that allows CloudTrail to write logs:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "CloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket/AWSLogs/111122223333/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    }
  ]
}
```
Notice the aws:SourceAccount condition. This is critical for security, and we'll cover why in the confused deputy protection section below.
Service-Linked Roles
Service-linked roles are a special type of service role that's predefined by an AWS service. These roles include all the permissions the service needs to operate, and only that specific service can assume them.
Key characteristics of service-linked roles:
- Predefined by AWS: You cannot modify the permissions
- Automatic creation: Many services create them automatically when you first use the service
- Cannot be deleted until resources are removed: Ensures the service can continue operating
- Named with a specific pattern: Usually `AWSServiceRoleFor<ServiceName>`
Here are some common service-linked roles:
| Service | Service-Linked Role Name | Service Principal |
|---|---|---|
| Amazon RDS | AWSServiceRoleForRDS | rds.amazonaws.com |
| AWS Lambda | AWSServiceRoleForLambda | lambda.amazonaws.com |
| Amazon API Gateway | AWSServiceRoleForAPIGateway | ops.apigateway.amazonaws.com |
| AWS Systems Manager | AWSServiceRoleForAmazonSSM | ssm.amazonaws.com |
| AWS Config | AWSServiceRoleForConfig | config.amazonaws.com |
For container workloads, understanding roles is especially important. Check out my guide on ECS task role vs execution role to understand how ECS uses different service principals for different purposes.
Regionalized Service Principals: Opt-In Regions Guide
Most service principals work globally across all AWS regions. However, when you're working with opt-in regions (regions launched after March 2019), service principal behavior changes for cross-region requests.
Understanding this distinction is essential when building multi-region architectures or when your resources span both standard and opt-in regions.
When to Use Regionalized Format
AWS regions launched after March 20, 2019 are called opt-in regions. These include:
| Region Name | Region Code |
|---|---|
| Africa (Cape Town) | af-south-1 |
| Asia Pacific (Hong Kong) | ap-east-1 |
| Asia Pacific (Hyderabad) | ap-south-2 |
| Asia Pacific (Jakarta) | ap-southeast-3 |
| Asia Pacific (Melbourne) | ap-southeast-4 |
| Europe (Milan) | eu-south-1 |
| Europe (Spain) | eu-south-2 |
| Europe (Zurich) | eu-central-2 |
| Israel (Tel Aviv) | il-central-1 |
| Middle East (Bahrain) | me-south-1 |
| Middle East (UAE) | me-central-1 |
The key rule is:
- Same-region requests: Use the standard format `service-name.amazonaws.com`
- Cross-region requests from opt-in regions: Use the regionalized format `service-name.{region}.amazonaws.com`
For IAM role trust policies, AWS recommends always using the non-regionalized format because IAM is a global service.
Cross-Region Service Principal Examples
Let's say you have an S3 bucket in the opt-in region ap-east-1 (Hong Kong) and want to send bucket notifications to an SNS topic in ap-southeast-1 (Singapore).
Incorrect approach (will fail):
```json
{
  "Principal": {
    "Service": "s3.amazonaws.com"
  }
}
```
Correct approach (will succeed):
```json
{
  "Principal": {
    "Service": "s3.ap-east-1.amazonaws.com"
  }
}
```
Since the bucket is in an opt-in region and makes a cross-region request, you must use the regionalized service principal name s3.ap-east-1.amazonaws.com.
Here's a complete SNS topic policy example for this scenario:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.ap-east-1.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:ap-southeast-1:111122223333:MyTopic",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:::my-bucket-*"
        }
      }
    }
  ]
}
```
Confused Deputy Protection with Service Principals
The confused deputy problem is a critical security issue where an entity without permission can trick a more privileged entity (the "deputy") into performing actions on their behalf. When using service principals, this typically happens with cross-service access.
For example, without proper protection, an attacker could configure their own CloudTrail in a different account to write logs to your S3 bucket, if they know your bucket name and your bucket policy only checks the service principal.
This is why following AWS account security best practices includes implementing confused deputy protection in all resource-based policies.
Using aws:SourceAccount and aws:SourceArn
AWS provides condition keys to prevent confused deputy attacks. Here's when to use each:
| Condition Key | Purpose | Use Case |
|---|---|---|
| aws:SourceArn | Limits access to a specific resource | Most effective - use the full ARN when possible |
| aws:SourceAccount | Limits access to a specific AWS account | Use when SourceArn doesn't contain the account ID |
| aws:SourceOrgID | Limits access to your AWS Organization | Organization-wide protection |
| aws:SourceOrgPaths | Limits access to specific OU paths | Granular organization control |
Most effective approach - use aws:SourceArn with the full ARN:
```json
{
  "Effect": "Allow",
  "Principal": {
    "Service": "appstream.amazonaws.com"
  },
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::my-bucket/script.ps1",
  "Condition": {
    "ArnEquals": {
      "aws:SourceArn": "arn:aws:appstream:us-east-1:111122223333:fleet/MyFleet"
    }
  }
}
```
If the ARN doesn't contain the account ID, use both aws:SourceArn and aws:SourceAccount:
```json
{
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "111122223333"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:s3:::my-bucket-*"
    }
  }
}
```
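As an added example (not tooling from the original post), the following Python applies the cross-region rule from the opt-in regions section and audits a resource-based policy for Allow statements that grant a service principal access without any of the condition keys in the table above. The opt-in region list and the sample CloudTrail bucket policy come from this page; the function names and the regex are my own.

```python
"""Audit a resource-based policy for service principals that lack confused deputy
protection, and pick the right principal form for cross-region requests (added example)."""
import re

# Condition keys the page lists as confused deputy protection (compared case-insensitively).
DEPUTY_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid", "aws:sourceorgpaths"}
# Opt-in regions from the page's table; only these appear in the regionalized form.
OPT_IN_REGIONS = {"af-south-1", "ap-east-1", "ap-south-2", "ap-southeast-3", "ap-southeast-4",
                  "eu-south-1", "eu-south-2", "eu-central-2", "il-central-1", "me-south-1", "me-central-1"}
# service-name.amazonaws.com, or service-name.{region}.amazonaws.com for the regionalized form
PRINCIPAL_RE = re.compile(
    r"^(?P<service>[a-z0-9-]+(?:\.[a-z0-9-]+)*?)(?:\.(?P<region>[a-z]{2}-[a-z]+-\d))?\.amazonaws\.com$")


def service_principal(service: str, source_region: str, target_region: str,
                      for_trust_policy: bool = False) -> str:
    """Apply the page's rule: regionalized only for cross-region requests that originate
    in an opt-in region; IAM trust policies always use the non-regionalized form."""
    if (not for_trust_policy and source_region in OPT_IN_REGIONS
            and source_region != target_region):
        return f"{service}.{source_region}.amazonaws.com"
    return f"{service}.amazonaws.com"


def validate_principal(name: str) -> list[str]:
    """Problems with one Service principal string; empty list if it looks valid."""
    if "*" in name:
        return ["wildcards are not allowed in the Service element"]
    m = PRINCIPAL_RE.match(name)
    if not m:
        return ["does not match service-name.amazonaws.com"]
    region = m.group("region")
    if region and region not in OPT_IN_REGIONS:
        return [f"regionalized form used for {region}, which is not an opt-in region"]
    return []


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list[dict]:
    """One finding per Allow statement with a malformed service principal or no deputy condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue  # only Allow statements that grant access to an AWS service are in scope
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for svc in _as_list(principal["Service"]):
            issues = validate_principal(svc)
            if not cond_keys & DEPUTY_KEYS:
                issues.append("no aws:SourceArn/SourceAccount/SourceOrgID/SourceOrgPaths condition")
            findings.extend({"sid": stmt.get("Sid"), "principal": svc, "issue": i} for i in issues)
    return findings


# Constructed sample: the page's CloudTrail bucket policy with the condition dropped from one statement.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudTrailAclCheck", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::my-cloudtrail-bucket",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
    {"Sid": "CloudTrailWrite", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-cloudtrail-bucket/AWSLogs/111122223333/*"}]}
```

Running `audit_policy(SAMPLE_POLICY)` reports only the `CloudTrailWrite` statement, which is the one an attacker-controlled trail in another account could exploit.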
Organization-Wide Protection with RCPs
For organizations managing multiple AWS accounts, Resource Control Policies (RCPs) provide centralized enforcement of confused deputy protection. Instead of modifying individual resource policies, you can apply organization-wide controls.
Here's an RCP that denies AWS service principals access to S3 unless the request originates from within your organization:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceConfusedDeputyProtection",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:SourceOrgID": "o-abc123xyz"
        },
        "Null": {
          "aws:SourceAccount": "false"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    }
  ]
}
```
This policy ensures that AWS service principals can only access S3 buckets when the request originates from your organization. For more on organization-level controls, see my guide on Service Control Policies and AWS Organizations best practices.
Service Principals in Infrastructure as Code
When defining IAM roles in infrastructure as code, you need to correctly specify service principals. Here are examples for both AWS CDK and CloudFormation.
AWS CDK Examples
AWS CDK provides the ServicePrincipal class for defining service principals in trust policies:
```typescript
import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';

// Create a role for Lambda with a service principal
const lambdaRole = new iam.Role(this, 'LambdaExecutionRole', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  description: 'Execution role for Lambda function',
});

// Add permissions to write to CloudWatch Logs
lambdaRole.addToPolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  actions: [
    'logs:CreateLogGroup',
    'logs:CreateLogStream',
    'logs:PutLogEvents',
  ],
  resources: ['arn:aws:logs:*:*:*'],
}));
```
For roles that need multiple service principals, use CompositePrincipal:
```typescript
const multiServiceRole = new iam.Role(this, 'MultiServiceRole', {
  assumedBy: new iam.CompositePrincipal(
    new iam.ServicePrincipal('ecs.amazonaws.com'),
    new iam.ServicePrincipal('elasticloadbalancing.amazonaws.com'),
  ),
});
```
Learn more about this pattern in my detailed guide on creating IAM roles with multiple principals using AWS CDK.
CloudFormation Trust Policy Templates
In CloudFormation, define service principals in the AssumeRolePolicyDocument:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation service role example
Resources:
  CloudFormationServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudFormationServiceRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/PowerUserAccess
      Description: Service role for CloudFormation deployments
```
For cross-account deployments using cross-account assume role, you can combine service principals with account principals.
Troubleshooting Service Principal Errors
When working with service principals, you may encounter common errors. Here are the most frequent issues and how to resolve them:
"Invalid principal in policy"
- Check that the service principal format is correct (`service-name.amazonaws.com`)
- Verify you haven't used wildcards (`*`) in the Service element
- Ensure the service principal exists (check the table above)
"Access Denied" when a service tries to assume a role
- Verify the trust policy includes the correct service principal
- Check that the `sts:AssumeRole` action is allowed
- For opt-in regions, ensure you're using the correct format (regionalized vs non-regionalized)
Cross-region requests failing
- If the source is in an opt-in region and the destination is in another region, use the regionalized format
- Example: `s3.ap-east-1.amazonaws.com` instead of `s3.amazonaws.com`
Service-linked role cannot be deleted
- Service-linked roles can only be deleted after removing all associated resources
- Check for remaining resources in the service that created the role
Confused deputy protection blocking legitimate access
- Verify your `aws:SourceAccount` or `aws:SourceArn` conditions match the actual source
- For organization-wide RCPs, ensure the `aws:SourceOrgID` is correct
For CLI-based troubleshooting, you can assume IAM roles via CLI to test whether your trust policies are configured correctly.
VS Code Extension for Service Principal Autocomplete
If you prefer working directly in your IDE, I've created a VS Code extension that automatically generates IAM service principal snippets for you.
Instead of looking up this table every time, you can use the IAM Service Principal Snippets extension to autocomplete service principals directly in your IAM policies.

Related AWS Reference Resources
- AWS CloudFormation Resource Attributes - Complete reference of all CloudFormation resource types and their attributes
- AWS CloudFormation Resource Properties - Comprehensive table of all CloudFormation resource properties
- Amazon Resource Names (ARNs) - Complete reference list of ARNs for all AWS services
- AWS IAM Documentation - Official guide to IAM policy principals