AWS IAM Service Principals Reference

Search the complete AWS service principal reference for IAM trust policies, resource policies, and service-linked role setup.

Generated AWS service principal data

Generated from AWS docs and Policy Generator data for IAM trust policy lookups.

200 of 587 matching rows shown

Service name	Service principal	Reference
AWS App2Container	`a2c.amazonaws.com`	-
Alexa for Business	`a4b.amazonaws.com`	-
AWS IAM Access Analyzer	`access-analyzer.amazonaws.com`	-
AWS Account Management	`account.amazonaws.com`	-
AWS Private Certificate Authority	`acm-pca.amazonaws.com`	-
AWS Certificate Manager (ACM)	`acm.amazonaws.com`	Documentation
AWS Compute Optimizer Automation	`aco-automation.amazonaws.com`	-
AWS Action Recommendations	`action-recommendations.amazonaws.com`	-
AWS Activate	`activate.amazonaws.com`	-
Amazon WorkSpaces AgentAccess MCP Server	`agentaccess-mcp.amazonaws.com`	-
AWS DevOps Agent Service	`aidevops.amazonaws.com`	-
Amazon AI Operations	`aiops.amazonaws.com`	-
Amazon MWAA Environment	`airflow-env.amazonaws.com`	-
AWS MWAA Serverless	`airflow-serverless.amazonaws.com`	-
Amazon Managed Workflows for Apache Airflow	`airflow.amazonaws.com`	-
Alexa App Kit	`alexa-appkit.amazon.com`	-
Alexa Smart Home	`alexa-connectedhome.amazon.com`	-
Amazon MQ	`amazonmq.amazonaws.com`	-
AWS Amplify	`amplify.amazonaws.com`	-
AWS Amplify Admin	`amplifybackend.amazonaws.com`	-
AWS Amplify UI Builder	`amplifyuibuilder.amazonaws.com`	-
Amazon OpenSearch Serverless	`aoss.amazonaws.com`	-
Amazon EventBridge	`apidestinations.events.amazonaws.com`	-
Amazon API Gateway Management	`apigateway.amazonaws.com`	-
Amazon AppIntegrations	`app-integrations.amazonaws.com`	Documentation
AWS AppConfig	`appconfig.amazonaws.com`	-
AWS AppFabric	`appfabric.amazonaws.com`	-
Amazon AppFlow	`appflow.amazonaws.com`	-
AWS Application Auto Scaling	`application-autoscaling.amazonaws.com`	-
Application Cost Profiler	`application-cost-profiler.amazonaws.com`	-
CloudWatch Application Insights	`application-insights.amazonaws.com`	-
Amazon CloudWatch Application Signals MCP Server	`application-signals-mcp.amazonaws.com`	-
Amazon CloudWatch Application Signals	`application-signals.amazonaws.com`	-
Amazon CloudWatch	`application-signals.cloudwatch.amazonaws.com`	-
AWS Application Transformation Service	`application-transformation.amazonaws.com`	-
Amazon CloudWatch Application Insights	`applicationinsights.amazonaws.com`	-
AWS App Mesh Preview	`appmesh-preview.amazonaws.com`	-
AWS App Mesh Preview	`appmesh.amazonaws.com`	Documentation
AWS App Runner	`apprunner.amazonaws.com`	-
Amazon AppStream 2.0	`appstream.amazonaws.com`	-
Application Auto Scaling	`appstream.application-autoscaling.amazonaws.com`	-
AWS App Studio	`appstudio.amazonaws.com`	-
AWS AppSync	`appsync.amazonaws.com`	-
AWS Mainframe Modernization Application Testing	`apptest.amazonaws.com`	-
Amazon Managed Service for Prometheus	`aps.amazonaws.com`	-
Amazon ARC Region switch	`arc-region-switch.amazonaws.com`	-
Amazon Application Recovery Controller - Zonal Shift	`arc-zonal-shift.amazonaws.com`	-
Application Discovery Arsenal	`arsenal.amazonaws.com`	-
AWS Artifact	`artifact.amazonaws.com`	-
AWS Cost Explorer	`assets.marketplace.amazonaws.com`	-
Amazon Athena	`athena.amazonaws.com`	-
AWS Audit Manager	`auditmanager.amazonaws.com`	Documentation
Automation	`automation.amazonaws.com`	-
AWS Auto Scaling	`autoscaling-plans.amazonaws.com`	Documentation
Amazon EC2 Auto Scaling	`autoscaling.amazonaws.com`	Documentation
Aws Artifact Account Sync	`aws-artifact-account-sync.amazonaws.com`	-
Claude Platform on AWS	`aws-external-anthropic.amazonaws.com`	-
AWS Marketplace Management Portal	`aws-marketplace-management.amazonaws.com`	-
AWS Cost Explorer	`aws-marketplace.amazonaws.com`	-
AWS Billing Console	`aws-portal.amazonaws.com`	-
AWS Connector Service	`awsconnector.amazonaws.com`	-
Amazon S3	`awspolicygen.s3.amazonaws.com`	-
AWS B2B Data Interchange	`b2bi.amazonaws.com`	-
AWS Backup Gateway	`backup-gateway.amazonaws.com`	-
AWS Backup Search	`backup-search.amazonaws.com`	-
AWS Backup storage	`backup-storage.amazonaws.com`	-
AWS Backup	`backup.amazonaws.com`	-
AWS Batch	`batch.amazonaws.com`	-
Amazon S3	`batchoperations.s3.amazonaws.com`	-
AWS Billing and Cost Management Dashboards	`bcm-dashboards.amazonaws.com`	-
AWS Billing And Cost Management Data Exports	`bcm-data-exports.amazonaws.com`	-
AWS Billing And Cost Management Pricing Calculator	`bcm-pricing-calculator.amazonaws.com`	-
AWS Billing And Cost Management Recommended Actions	`bcm-recommended-actions.amazonaws.com`	-
Amazon Bedrock Agentcore	`bedrock-agentcore.amazonaws.com`	-
Amazon Bedrock Powered by AWS Mantle	`bedrock-mantle.amazonaws.com`	-
Amazon Bedrock	`bedrock.amazonaws.com`	-
AWS Billing	`billing.amazonaws.com`	-
AWS Billing Conductor	`billingconductor.amazonaws.com`	-
AWS Billing Console	`billingconsole.amazonaws.com`	-
Amazon Braket	`braket.amazonaws.com`	-
AWS Budget Service	`budgets.amazonaws.com`	-
AWS BugBust	`bugbust.amazonaws.com`	-
AWS App Runner	`build.apprunner.amazonaws.com`	-
Amazon OpenSearch Service	`cases.amazonaws.com`	-
Amazon Keyspaces (for Apache Cassandra)	`cassandra.amazonaws.com`	-
Application Auto Scaling	`cassandra.application-autoscaling.amazonaws.com`	-
AWS Cost Explorer Service	`ce.amazonaws.com`	-
Amazon Lex	`channels.lex.amazonaws.com`	-
Amazon Lex	`channels.lexv2.amazonaws.com`	-
AWS Chatbot	`chatbot.amazonaws.com`	-
Amazon Chime	`chime.amazonaws.com`	-
AWS Clean Rooms ML	`cleanrooms-ml.amazonaws.com`	-
AWS Clean Rooms	`cleanrooms.amazonaws.com`	-
AWS Cloud9	`cloud9.amazonaws.com`	Documentation
Amazon Cloud Directory	`clouddirectory.amazonaws.com`	-
AWS Cloud Control API	`cloudformation.amazonaws.com`	-
Amazon CloudFront KeyValueStore	`cloudfront-keyvaluestore.amazonaws.com`	-
Amazon CloudFront	`cloudfront.amazonaws.com`	-
AWS CloudHSM	`cloudhsm.amazonaws.com`	Documentation
Amazon CloudSearch	`cloudsearch.amazonaws.com`	-
AWS CloudShell	`cloudshell.amazonaws.com`	-
AWS CloudTrail Data	`cloudtrail-data.amazonaws.com`	-
AWS CloudTrail	`cloudtrail.amazonaws.com`	-
AWS Account Management	`cloudwatch-crossaccount.amazonaws.com`	-
Amazon CloudWatch	`cloudwatch.amazonaws.com`	-
AWS CodeArtifact	`codeartifact.amazonaws.com`	-
AWS CodeBuild	`codebuild.amazonaws.com`	-
Codecatalyst Runner	`codecatalyst-runner.amazonaws.com`	-
Amazon CodeCatalyst	`codecatalyst.amazonaws.com`	Documentation
AWS CodeCommit	`codecommit.amazonaws.com`	-
AWS CodeConnections	`codeconnections.amazonaws.com`	-
AWS CodeDeploy secure host commands service	`codedeploy-commands-secure.amazonaws.com`	-
AWS CodeDeploy	`codedeploy.amazonaws.com`	-
Amazon CodeGuru Profiler	`codeguru-profiler.amazonaws.com`	Documentation
Amazon CodeGuru Reviewer	`codeguru-reviewer.amazonaws.com`	-
Amazon CodeGuru Security	`codeguru-security.amazonaws.com`	-
Amazon CodeGuru	`codeguru.amazonaws.com`	-
AWS CodePipeline	`codepipeline.amazonaws.com`	-
AWS CodeStar Connections	`codestar-connections.amazonaws.com`	-
AWS CodeStar Notifications	`codestar-notifications.amazonaws.com`	Documentation
AWS CodeStar	`codestar.amazonaws.com`	-
Amazon CodeWhisperer	`codewhisperer.amazonaws.com`	-
Cognito Identity Us Gov	`cognito-identity-us-gov.amazonaws.com`	-
Amazon Cognito Identity	`cognito-identity.amazonaws.com`	-
Amazon Cognito User Pools	`cognito-idp.amazonaws.com`	-
Amazon Cognito Sync	`cognito-sync.amazonaws.com`	-
Amazon Comprehend	`comprehend.amazonaws.com`	-
Amazon Comprehend Medical	`comprehendmedical.amazonaws.com`	-
AWS Compute Optimizer	`compute-optimizer.amazonaws.com`	Documentation
Config Conforms	`config-conforms.amazonaws.com`	-
Config Multiaccountsetup	`config-multiaccountsetup.amazonaws.com`	-
AWS Config	`config.amazonaws.com`	Documentation
Amazon Connect Outbound Campaigns	`connect-campaigns.amazonaws.com`	-
Amazon Connect Customer	`connect.amazonaws.com`	Documentation
AWS Console Mobile App	`consoleapp.amazonaws.com`	-
AWS Consolidated Billing	`consolidatedbilling.amazonaws.com`	-
AWS Application Discovery Service	`continuousexport.discovery.amazonaws.com`	-
Contract Iq	`contract.iq.amazonaws.com`	-
Amazon DynamoDB	`contributorinsights.dynamodb.amazonaws.com`	-
AWS Control Catalog	`controlcatalog.amazonaws.com`	-
AWS Control Tower	`controltower.amazonaws.com`	-
AWS Cost Optimization Hub	`cost-optimization-hub.amazonaws.com`	-
Cost Optimization Hub Bcm	`cost-optimization-hub.bcm.amazonaws.com`	-
AWS Cost Anomaly Detection	`costalerts.amazonaws.com`	-
AWS IoT Core	`credentials.iot.amazonaws.com`	-
AWS Cost and Usage Report	`cur.amazonaws.com`	-
Application Auto Scaling	`custom-resource.application-autoscaling.amazonaws.com`	-
Amazon RDS	`custom.rds-preview.amazonaws.com`	-
AWS Directory Service	`custom.rds.amazonaws.com`	-
AWS Customer Verification Service	`customer-verification.amazonaws.com`	-
AWS Glue DataBrew	`databrew.amazonaws.com`	-
AWS Data Exchange	`dataexchange.amazonaws.com`	-
AWS Data Pipeline	`datapipeline.amazonaws.com`	-
AWS DataSync	`datasync.amazonaws.com`	-
Amazon DataZone	`datazone.amazonaws.com`	-
Datazonecontrol	`datazonecontrol.amazonaws.com`	-
Amazon DynamoDB Accelerator (DAX)	`dax.amazonaws.com`	Documentation
Database Query Metadata Service	`dbqms.amazonaws.com`	-
AWS Deadline Cloud	`deadline.amazonaws.com`	-
Deepcomposer	`deepcomposer.amazonaws.com`	-
AWS DeepLens	`deeplens.amazonaws.com`	-
Deepracer	`deepracer.amazonaws.com`	-
CloudWatch Logs Delivery	`delivery.logs.amazonaws.com`	-
Amazon Detective	`detective.amazonaws.com`	-
AWS Device Farm	`devicefarm.amazonaws.com`	-
Amazon DevOps Guru	`devops-guru.amazonaws.com`	Documentation
Diode	`diode.amazonaws.com`	-
AWS Direct Connect	`directconnect.amazonaws.com`	Documentation
AWS Application Discovery Service	`discovery.amazonaws.com`	-
Amazon Data Lifecycle Manager	`dlm.amazonaws.com`	-
AWS Database Migration Service	`dms.amazonaws.com`	-
Dms Region Name	`dms.region-name.amazonaws.com`	-
AWS Migration Hub	`dmsintegration.migrationhub.amazonaws.com`	-
Amazon DocumentDB Elastic Clusters	`docdb-elastic.amazonaws.com`	Documentation
AWS Elastic Disaster Recovery	`drs.amazonaws.com`	Documentation
AWS Directory Service Data	`ds-data.amazonaws.com`	-
AWS Directory Service	`ds.amazonaws.com`	Documentation
Amazon Aurora DSQL	`dsql.amazonaws.com`	Documentation
Amazon DynamoDB	`dynamodb.amazonaws.com`	-
Application Auto Scaling	`dynamodb.application-autoscaling.amazonaws.com`	-
Amazon Elastic Block Store	`ebs.amazonaws.com`	-
Ec	`ec.amazonaws.com`	-
Amazon EC2 Instance Connect	`ec2-instance-connect.amazonaws.com`	Documentation
Amazon EC2	`ec2.amazonaws.com`	-
Application Auto Scaling	`ec2.application-autoscaling.amazonaws.com`	Documentation
Ec2fastlaunch	`ec2fastlaunch.amazonaws.com`	-
Amazon EC2 Fleet	`ec2fleet.amazonaws.com`	-
Amazon Message Delivery Service	`ec2messages.amazonaws.com`	-
Amazon EC2 Scheduled Instances	`ec2scheduled.amazonaws.com`	-
Amazon Elastic Container Registry Public	`ecr-public.amazonaws.com`	-
Amazon Elastic Container Registry	`ecr.amazonaws.com`	-
Amazon ECS MCP Service	`ecs-mcp.amazonaws.com`	-
Amazon ECS Tasks	`ecs-tasks.amazonaws.com`	-
Amazon Elastic Container Service	`ecs.amazonaws.com`	-
Application Auto Scaling	`ecs.application-autoscaling.amazonaws.com`	-
AWS Lambda	`edgelambda.amazonaws.com`	-
Amazon EKS Auth	`eks-auth.amazonaws.com`	-
Eks Connector	`eks-connector.amazonaws.com`	-
Amazon EKS Fargate Pods	`eks-fargate-pods.amazonaws.com`	-
Amazon EKS Fargate	`eks-fargate.amazonaws.com`	-

What is an AWS service principal?

A service principal is an identifier that represents an AWS service in IAM policies. When you see something like lambda.amazonaws.com or ec2.amazonaws.comin a policy's Principal element, that's a service principal. These identifiers allow AWS services to assume IAM roles and perform actions on your behalf.

Think of service principals as the identity card that AWS services present when they need to access resources in your account. Without the correct service principal in your trust policy, an AWS service cannot assume the role you created for it.

The service principal is defined by AWS itself. You cannot create custom service principals or use wildcards like "Service": "*" in IAM policies. Each AWS service has its own specific identifier.

How to use this service principal list

Search for the AWS service name, such as Lambda, ECS Tasks, CloudTrail, or CodeBuild.
Copy the exact service principal value, for example lambda.amazonaws.com or ecs-tasks.amazonaws.com.
Add it to the Principal.Service field in your IAM role trust policy or resource-based policy.
Use the documentation link when you need AWS service-specific trust policy requirements.
Add aws:SourceAccount or aws:SourceArn conditions whenever the target AWS service supports them.

The most common mistake is copying a service name instead of the service principal. IAM needs the exact principal string in the policy, not the marketing name of the AWS service.

Service principal format and structure

The standard service principal format is:

service-name.amazonaws.com

Common examples include:

lambda.amazonaws.com for AWS Lambda
ec2.amazonaws.com for Amazon EC2
s3.amazonaws.com for Amazon S3
ecs-tasks.amazonaws.com for Amazon ECS tasks
codebuild.amazonaws.com for AWS CodeBuild

When multiple services need to assume the same role, specify them as an array:

"Principal": {
  "Service": [
    "ecs.amazonaws.com",
    "elasticloadbalancing.amazonaws.com"
  ]
}

This syntax is useful when you need a shared role for services that work together. For a deeper CDK example, read the guide on creating IAM roles with multiple principals using AWS CDK.

How service principals enable service-to-service access

An AWS service, such as Lambda, needs to access resources in your account.
The service presents its service principal and calls sts:AssumeRole.
IAM checks the role's trust policy to verify the service principal is allowed.
If authorized, IAM returns temporary security credentials.
The service uses these credentials to access your resources.

This mechanism ensures that only the intended AWS services can assume roles in your account. The trust policy acts as the gatekeeper, and the service principal is the key.

Trust policies for IAM roles

Trust policies define which principals can assume an IAM role. For service roles, you specify the AWS service principal that should be able to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This trust policy allows AWS Lambda to assume the role. When Lambda needs to execute your function, it presents its service principal and calls sts:AssumeRole. IAM validates the trust policy and issues temporary credentials.

Resource-based policies

Service principals also appear in resource-based policies attached to AWS resources like S3 buckets, SNS topics, or SQS queues. These policies allow AWS services to access your resources directly.

For example, an S3 bucket policy that allows CloudTrail to write logs uses the cloudtrail.amazonaws.com service principal. Add aws:SourceAccount or aws:SourceArn conditions whenever possible so another account cannot misuse the service principal to write to your resource.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "CloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket/AWSLogs/111122223333/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    }
  ]
}

Service-linked roles

Service-linked roles are a special type of service role that's predefined by an AWS service. These roles include the permissions the service needs to operate, and only that specific service can assume them.

AWS defines the permissions and trust policy for the role.
Many services create the role automatically when you first use the service.
You usually cannot delete the role until the dependent service resources are removed.
The role name typically follows the AWSServiceRoleForServiceName pattern.

Service	Service-linked role name	Service principal
Amazon RDS	AWSServiceRoleForRDS	`rds.amazonaws.com`
AWS Lambda	AWSServiceRoleForLambda	`lambda.amazonaws.com`
Amazon API Gateway	AWSServiceRoleForAPIGateway	`ops.apigateway.amazonaws.com`
AWS Systems Manager	AWSServiceRoleForAmazonSSM	`ssm.amazonaws.com`

Regionalized service principals

Most service principals work globally across all AWS regions. For opt-in regions launched after March 20, 2019, service principal behavior changes for cross-region requests.

Common opt-in regions include:

Region name	Region code
Africa (Cape Town)	`af-south-1`
Asia Pacific (Hong Kong)	`ap-east-1`
Asia Pacific (Hyderabad)	`ap-south-2`
Europe (Milan)	`eu-south-1`
Middle East (UAE)	`me-central-1`

Same-region requests normally use service-name.amazonaws.com.
Cross-region requests from opt-in regions use service-name.region.amazonaws.com.
For IAM role trust policies, AWS recommends the non-regionalized format because IAM is global.

Example: an S3 bucket in ap-east-1 sending notifications to an SNS topic in another region may need s3.ap-east-1.amazonaws.com instead of s3.amazonaws.com.

{
  "Effect": "Allow",
  "Principal": {
    "Service": "s3.ap-east-1.amazonaws.com"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:ap-southeast-1:111122223333:MyTopic",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "111122223333"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:s3:::my-bucket-*"
    }
  }
}

Confused deputy protection

The confused deputy problem occurs when an entity without permission tricks a more privileged service into performing actions on its behalf. With service principals, this usually appears in cross-service access.

Use these condition keys in resource policies where supported:

Condition key	Purpose
`aws:SourceArn`	Limits access to a specific source resource.
`aws:SourceAccount`	Limits access to a specific AWS account.
`aws:SourceOrgID`	Limits access to your AWS Organization.
`aws:SourceOrgPaths`	Limits access to specific OU paths.

For multi-account environments, Resource Control Policies can enforce this centrally. The pattern below denies S3 access by AWS service principals unless the request comes from your AWS Organization:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceConfusedDeputyProtection",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:SourceOrgID": "o-abc123xyz"
        },
        "Null": {
          "aws:SourceAccount": "false"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    }
  ]
}

Infrastructure as code examples

AWS CDK provides the ServicePrincipal class for trust policies:

import * as iam from 'aws-cdk-lib/aws-iam';

const lambdaRole = new iam.Role(this, 'LambdaExecutionRole', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  description: 'Execution role for Lambda function',
});

In CloudFormation, define service principals in the AssumeRolePolicyDocument:

Resources:
  CloudFormationServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole

Troubleshooting service principal errors

Invalid principal in policy: check the service principal format, avoid wildcards in the Service element, and verify the service principal exists in the table.
Access Denied when a service assumes a role: verify the trust policy includes the correct service principal and allows sts:AssumeRole.
Cross-region requests failing: check whether the source is in an opt-in region and needs the regionalized service principal format.
Service-linked role cannot be deleted: remove the resources that depend on the service-linked role first.

IDE autocomplete

If you prefer working directly in your IDE, the IAM Service Principal Snippets extension autocompletes service principals directly in IAM policies.

Related tools

Amazon Resource Names (ARNs) Reference

Search AWS service prefixes and Amazon Resource Name formats for IAM policies and resource references.

CloudFormation Resource Attributes Reference

Search AWS CloudFormation resource types and the attributes available through Fn::GetAtt for each resource.

CloudFormation Resource Properties Reference

Search AWS CloudFormation resource types and their configurable properties with direct AWS documentation links.

Next step

Want AWS engineering that feels this practical?

I build these tools to make AWS easier to manage. If this level of quality is what you want in your own cloud platform, Towards The Cloud can help with landing zones, infrastructure as code, security reviews, migrations, and cost optimization.

Explore AWS services

← Back to tools