AWS IAM Service Principals Reference
Search the complete AWS service principal reference for IAM trust policies, resource policies, and service-linked role setup.
Generated AWS service principal data
Generated from AWS docs and Policy Generator data for IAM trust policy lookups.
| Service name | Service principal | Reference |
|---|---|---|
| AWS App2Container | a2c.amazonaws.com | - |
| Alexa for Business | a4b.amazonaws.com | - |
| AWS IAM Access Analyzer | access-analyzer.amazonaws.com | - |
| AWS Account Management | account.amazonaws.com | - |
| AWS Private Certificate Authority | acm-pca.amazonaws.com | - |
| AWS Certificate Manager (ACM) | acm.amazonaws.com | Documentation |
| AWS Compute Optimizer Automation | aco-automation.amazonaws.com | - |
| AWS Action Recommendations | action-recommendations.amazonaws.com | - |
| AWS Activate | activate.amazonaws.com | - |
| Amazon WorkSpaces AgentAccess MCP Server | agentaccess-mcp.amazonaws.com | - |
| AWS DevOps Agent Service | aidevops.amazonaws.com | - |
| Amazon AI Operations | aiops.amazonaws.com | - |
| Amazon MWAA Environment | airflow-env.amazonaws.com | - |
| AWS MWAA Serverless | airflow-serverless.amazonaws.com | - |
| Amazon Managed Workflows for Apache Airflow | airflow.amazonaws.com | - |
| Alexa App Kit | alexa-appkit.amazon.com | - |
| Alexa Smart Home | alexa-connectedhome.amazon.com | - |
| Amazon MQ | amazonmq.amazonaws.com | - |
| AWS Amplify | amplify.amazonaws.com | - |
| AWS Amplify Admin | amplifybackend.amazonaws.com | - |
| AWS Amplify UI Builder | amplifyuibuilder.amazonaws.com | - |
| Amazon OpenSearch Serverless | aoss.amazonaws.com | - |
| Amazon EventBridge | apidestinations.events.amazonaws.com | - |
| Amazon API Gateway Management | apigateway.amazonaws.com | - |
| Amazon AppIntegrations | app-integrations.amazonaws.com | Documentation |
| AWS AppConfig | appconfig.amazonaws.com | - |
| AWS AppFabric | appfabric.amazonaws.com | - |
| Amazon AppFlow | appflow.amazonaws.com | - |
| AWS Application Auto Scaling | application-autoscaling.amazonaws.com | - |
| Application Cost Profiler | application-cost-profiler.amazonaws.com | - |
| CloudWatch Application Insights | application-insights.amazonaws.com | - |
| Amazon CloudWatch Application Signals MCP Server | application-signals-mcp.amazonaws.com | - |
| Amazon CloudWatch Application Signals | application-signals.amazonaws.com | - |
| Amazon CloudWatch | application-signals.cloudwatch.amazonaws.com | - |
| AWS Application Transformation Service | application-transformation.amazonaws.com | - |
| Amazon CloudWatch Application Insights | applicationinsights.amazonaws.com | - |
| AWS App Mesh Preview | appmesh-preview.amazonaws.com | - |
| AWS App Mesh Preview | appmesh.amazonaws.com | Documentation |
| AWS App Runner | apprunner.amazonaws.com | - |
| Amazon AppStream 2.0 | appstream.amazonaws.com | - |
| Application Auto Scaling | appstream.application-autoscaling.amazonaws.com | - |
| AWS App Studio | appstudio.amazonaws.com | - |
| AWS AppSync | appsync.amazonaws.com | - |
| AWS Mainframe Modernization Application Testing | apptest.amazonaws.com | - |
| Amazon Managed Service for Prometheus | aps.amazonaws.com | - |
| Amazon ARC Region switch | arc-region-switch.amazonaws.com | - |
| Amazon Application Recovery Controller - Zonal Shift | arc-zonal-shift.amazonaws.com | - |
| Application Discovery Arsenal | arsenal.amazonaws.com | - |
| AWS Artifact | artifact.amazonaws.com | - |
| AWS Cost Explorer | assets.marketplace.amazonaws.com | - |
| Amazon Athena | athena.amazonaws.com | - |
| AWS Audit Manager | auditmanager.amazonaws.com | Documentation |
| Automation | automation.amazonaws.com | - |
| AWS Auto Scaling | autoscaling-plans.amazonaws.com | Documentation |
| Amazon EC2 Auto Scaling | autoscaling.amazonaws.com | Documentation |
| Aws Artifact Account Sync | aws-artifact-account-sync.amazonaws.com | - |
| Claude Platform on AWS | aws-external-anthropic.amazonaws.com | - |
| AWS Marketplace Management Portal | aws-marketplace-management.amazonaws.com | - |
| AWS Cost Explorer | aws-marketplace.amazonaws.com | - |
| AWS Billing Console | aws-portal.amazonaws.com | - |
| AWS Connector Service | awsconnector.amazonaws.com | - |
| Amazon S3 | awspolicygen.s3.amazonaws.com | - |
| AWS B2B Data Interchange | b2bi.amazonaws.com | - |
| AWS Backup Gateway | backup-gateway.amazonaws.com | - |
| AWS Backup Search | backup-search.amazonaws.com | - |
| AWS Backup storage | backup-storage.amazonaws.com | - |
| AWS Backup | backup.amazonaws.com | - |
| AWS Batch | batch.amazonaws.com | - |
| Amazon S3 | batchoperations.s3.amazonaws.com | - |
| AWS Billing and Cost Management Dashboards | bcm-dashboards.amazonaws.com | - |
| AWS Billing And Cost Management Data Exports | bcm-data-exports.amazonaws.com | - |
| AWS Billing And Cost Management Pricing Calculator | bcm-pricing-calculator.amazonaws.com | - |
| AWS Billing And Cost Management Recommended Actions | bcm-recommended-actions.amazonaws.com | - |
| Amazon Bedrock Agentcore | bedrock-agentcore.amazonaws.com | - |
| Amazon Bedrock Powered by AWS Mantle | bedrock-mantle.amazonaws.com | - |
| Amazon Bedrock | bedrock.amazonaws.com | - |
| AWS Billing | billing.amazonaws.com | - |
| AWS Billing Conductor | billingconductor.amazonaws.com | - |
| AWS Billing Console | billingconsole.amazonaws.com | - |
| Amazon Braket | braket.amazonaws.com | - |
| AWS Budget Service | budgets.amazonaws.com | - |
| AWS BugBust | bugbust.amazonaws.com | - |
| AWS App Runner | build.apprunner.amazonaws.com | - |
| Amazon OpenSearch Service | cases.amazonaws.com | - |
| Amazon Keyspaces (for Apache Cassandra) | cassandra.amazonaws.com | - |
| Application Auto Scaling | cassandra.application-autoscaling.amazonaws.com | - |
| AWS Cost Explorer Service | ce.amazonaws.com | - |
| Amazon Lex | channels.lex.amazonaws.com | - |
| Amazon Lex | channels.lexv2.amazonaws.com | - |
| AWS Chatbot | chatbot.amazonaws.com | - |
| Amazon Chime | chime.amazonaws.com | - |
| AWS Clean Rooms ML | cleanrooms-ml.amazonaws.com | - |
| AWS Clean Rooms | cleanrooms.amazonaws.com | - |
| AWS Cloud9 | cloud9.amazonaws.com | Documentation |
| Amazon Cloud Directory | clouddirectory.amazonaws.com | - |
| AWS Cloud Control API | cloudformation.amazonaws.com | - |
| Amazon CloudFront KeyValueStore | cloudfront-keyvaluestore.amazonaws.com | - |
| Amazon CloudFront | cloudfront.amazonaws.com | - |
| AWS CloudHSM | cloudhsm.amazonaws.com | Documentation |
| Amazon CloudSearch | cloudsearch.amazonaws.com | - |
| AWS CloudShell | cloudshell.amazonaws.com | - |
| AWS CloudTrail Data | cloudtrail-data.amazonaws.com | - |
| AWS CloudTrail | cloudtrail.amazonaws.com | - |
| AWS Account Management | cloudwatch-crossaccount.amazonaws.com | - |
| Amazon CloudWatch | cloudwatch.amazonaws.com | - |
| AWS CodeArtifact | codeartifact.amazonaws.com | - |
| AWS CodeBuild | codebuild.amazonaws.com | - |
| Codecatalyst Runner | codecatalyst-runner.amazonaws.com | - |
| Amazon CodeCatalyst | codecatalyst.amazonaws.com | Documentation |
| AWS CodeCommit | codecommit.amazonaws.com | - |
| AWS CodeConnections | codeconnections.amazonaws.com | - |
| AWS CodeDeploy secure host commands service | codedeploy-commands-secure.amazonaws.com | - |
| AWS CodeDeploy | codedeploy.amazonaws.com | - |
| Amazon CodeGuru Profiler | codeguru-profiler.amazonaws.com | Documentation |
| Amazon CodeGuru Reviewer | codeguru-reviewer.amazonaws.com | - |
| Amazon CodeGuru Security | codeguru-security.amazonaws.com | - |
| Amazon CodeGuru | codeguru.amazonaws.com | - |
| AWS CodePipeline | codepipeline.amazonaws.com | - |
| AWS CodeStar Connections | codestar-connections.amazonaws.com | - |
| AWS CodeStar Notifications | codestar-notifications.amazonaws.com | Documentation |
| AWS CodeStar | codestar.amazonaws.com | - |
| Amazon CodeWhisperer | codewhisperer.amazonaws.com | - |
| Cognito Identity Us Gov | cognito-identity-us-gov.amazonaws.com | - |
| Amazon Cognito Identity | cognito-identity.amazonaws.com | - |
| Amazon Cognito User Pools | cognito-idp.amazonaws.com | - |
| Amazon Cognito Sync | cognito-sync.amazonaws.com | - |
| Amazon Comprehend | comprehend.amazonaws.com | - |
| Amazon Comprehend Medical | comprehendmedical.amazonaws.com | - |
| AWS Compute Optimizer | compute-optimizer.amazonaws.com | Documentation |
| Config Conforms | config-conforms.amazonaws.com | - |
| Config Multiaccountsetup | config-multiaccountsetup.amazonaws.com | - |
| AWS Config | config.amazonaws.com | Documentation |
| Amazon Connect Outbound Campaigns | connect-campaigns.amazonaws.com | - |
| Amazon Connect Customer | connect.amazonaws.com | Documentation |
| AWS Console Mobile App | consoleapp.amazonaws.com | - |
| AWS Consolidated Billing | consolidatedbilling.amazonaws.com | - |
| AWS Application Discovery Service | continuousexport.discovery.amazonaws.com | - |
| Contract Iq | contract.iq.amazonaws.com | - |
| Amazon DynamoDB | contributorinsights.dynamodb.amazonaws.com | - |
| AWS Control Catalog | controlcatalog.amazonaws.com | - |
| AWS Control Tower | controltower.amazonaws.com | - |
| AWS Cost Optimization Hub | cost-optimization-hub.amazonaws.com | - |
| Cost Optimization Hub Bcm | cost-optimization-hub.bcm.amazonaws.com | - |
| AWS Cost Anomaly Detection | costalerts.amazonaws.com | - |
| AWS IoT Core | credentials.iot.amazonaws.com | - |
| AWS Cost and Usage Report | cur.amazonaws.com | - |
| Application Auto Scaling | custom-resource.application-autoscaling.amazonaws.com | - |
| Amazon RDS | custom.rds-preview.amazonaws.com | - |
| AWS Directory Service | custom.rds.amazonaws.com | - |
| AWS Customer Verification Service | customer-verification.amazonaws.com | - |
| AWS Glue DataBrew | databrew.amazonaws.com | - |
| AWS Data Exchange | dataexchange.amazonaws.com | - |
| AWS Data Pipeline | datapipeline.amazonaws.com | - |
| AWS DataSync | datasync.amazonaws.com | - |
| Amazon DataZone | datazone.amazonaws.com | - |
| Datazonecontrol | datazonecontrol.amazonaws.com | - |
| Amazon DynamoDB Accelerator (DAX) | dax.amazonaws.com | Documentation |
| Database Query Metadata Service | dbqms.amazonaws.com | - |
| AWS Deadline Cloud | deadline.amazonaws.com | - |
| Deepcomposer | deepcomposer.amazonaws.com | - |
| AWS DeepLens | deeplens.amazonaws.com | - |
| Deepracer | deepracer.amazonaws.com | - |
| CloudWatch Logs Delivery | delivery.logs.amazonaws.com | - |
| Amazon Detective | detective.amazonaws.com | - |
| AWS Device Farm | devicefarm.amazonaws.com | - |
| Amazon DevOps Guru | devops-guru.amazonaws.com | Documentation |
| Diode | diode.amazonaws.com | - |
| AWS Direct Connect | directconnect.amazonaws.com | Documentation |
| AWS Application Discovery Service | discovery.amazonaws.com | - |
| Amazon Data Lifecycle Manager | dlm.amazonaws.com | - |
| AWS Database Migration Service | dms.amazonaws.com | - |
| Dms Region Name | dms.region-name.amazonaws.com | - |
| AWS Migration Hub | dmsintegration.migrationhub.amazonaws.com | - |
| Amazon DocumentDB Elastic Clusters | docdb-elastic.amazonaws.com | Documentation |
| AWS Elastic Disaster Recovery | drs.amazonaws.com | Documentation |
| AWS Directory Service Data | ds-data.amazonaws.com | - |
| AWS Directory Service | ds.amazonaws.com | Documentation |
| Amazon Aurora DSQL | dsql.amazonaws.com | Documentation |
| Amazon DynamoDB | dynamodb.amazonaws.com | - |
| Application Auto Scaling | dynamodb.application-autoscaling.amazonaws.com | - |
| Amazon Elastic Block Store | ebs.amazonaws.com | - |
| Ec | ec.amazonaws.com | - |
| Amazon EC2 Instance Connect | ec2-instance-connect.amazonaws.com | Documentation |
| Amazon EC2 | ec2.amazonaws.com | - |
| Application Auto Scaling | ec2.application-autoscaling.amazonaws.com | Documentation |
| Ec2fastlaunch | ec2fastlaunch.amazonaws.com | - |
| Amazon EC2 Fleet | ec2fleet.amazonaws.com | - |
| Amazon Message Delivery Service | ec2messages.amazonaws.com | - |
| Amazon EC2 Scheduled Instances | ec2scheduled.amazonaws.com | - |
| Amazon Elastic Container Registry Public | ecr-public.amazonaws.com | - |
| Amazon Elastic Container Registry | ecr.amazonaws.com | - |
| Amazon ECS MCP Service | ecs-mcp.amazonaws.com | - |
| Amazon ECS Tasks | ecs-tasks.amazonaws.com | - |
| Amazon Elastic Container Service | ecs.amazonaws.com | - |
| Application Auto Scaling | ecs.application-autoscaling.amazonaws.com | - |
| AWS Lambda | edgelambda.amazonaws.com | - |
| Amazon EKS Auth | eks-auth.amazonaws.com | - |
| Eks Connector | eks-connector.amazonaws.com | - |
| Amazon EKS Fargate Pods | eks-fargate-pods.amazonaws.com | - |
| Amazon EKS Fargate | eks-fargate.amazonaws.com | - |
| Amazon EKS MCP Server | eks-mcp.amazonaws.com | - |
| Amazon EKS Node Groups | eks-nodegroup.amazonaws.com | - |
| Amazon Elastic Kubernetes Service | eks.amazonaws.com | - |
| AWS Cost Explorer | elastic-inference.amazonaws.com | - |
| Elasticache Snapshot | elasticache-snapshot.amazonaws.com | - |
| Amazon ElastiCache | elasticache.amazonaws.com | Documentation |
| AWS Elastic Beanstalk | elasticbeanstalk.amazonaws.com | - |
| Amazon Elastic File System (Amazon EFS) | elasticfilesystem.amazonaws.com | Documentation |
| AWS Elastic Load Balancing V2 | elasticloadbalancing.amazonaws.com | Documentation |
| Amazon Elastic MapReduce | elasticmapreduce.amazonaws.com | - |
| Amazon Elastic Transcoder | elastictranscoder.amazonaws.com | - |
| AWS Elemental Appliances and Software Activation Service | elemental-activations.amazonaws.com | - |
| AWS Elemental Appliances and Software | elemental-appliances-software.amazonaws.com | - |
| AWS Elemental Inference | elemental-inference.amazonaws.com | - |
| AWS Elemental Support Cases | elemental-support-cases.amazonaws.com | - |
| AWS Elemental Support Content | elemental-support-content.amazonaws.com | - |
| Amazon Cognito user pools | email.cognito-idp.amazonaws.com | Documentation |
| Amazon EMR on EKS (EMR Containers) | emr-containers.amazonaws.com | Documentation |
| Amazon EMR Serverless | emr-serverless.amazonaws.com | - |
| AWS Entity Resolution | entityresolution.amazonaws.com | - |
| Amazon OpenSearch Service | es.amazonaws.com | - |
| AWS Health | event-processor.health.amazonaws.com | - |
| Amazon EventBridge | events.amazonaws.com | - |
| Amazon OpenSearch Service | events.managedservices.amazonaws.com | - |
| AWS Directory Service | events.rds.amazonaws.com | - |
| Amazon WorkMail | events.workmail.amazonaws.com | Documentation |
| Amazon CloudWatch Evidently | evidently.amazonaws.com | - |
| Amazon Elastic VMware Service | evs.amazonaws.com | Documentation |
| Amazon API Gateway | execute-api.amazonaws.com | - |
| Fargate | fargate.amazonaws.com | - |
| Amazon FinSpace API | finspace-api.amazonaws.com | - |
| AWS Cost Explorer | finspace.amazonaws.com | Documentation |
| Amazon Kinesis Data Firehose | firehose.amazonaws.com | - |
| AWS Fault Injection Simulator | fis.amazonaws.com | Documentation |
| AWS Firewall Manager | fms.amazonaws.com | - |
| Amazon Forecast | forecast.amazonaws.com | - |
| Amazon Fraud Detector | frauddetector.amazonaws.com | - |
| Amazon FreeRTOS | freertos.amazonaws.com | - |
| AWS Free Tier | freetier.amazonaws.com | - |
| Amazon FSx | fsx.amazonaws.com | - |
| Galaxy | galaxy.amazonaws.com | - |
| Amazon GameLift Servers | gamelift.amazonaws.com | - |
| Amazon GameLift Streams | gameliftstreams.amazonaws.com | - |
| Amazon Location Service Maps | geo-maps.amazonaws.com | - |
| Amazon Location Service Places | geo-places.amazonaws.com | - |
| Amazon Location Service Routes | geo-routes.amazonaws.com | - |
| Amazon Location | geo.amazonaws.com | - |
| Amazon S3 | github-cloud.s3.amazonaws.com | - |
| Amazon S3 Glacier | glacier.amazonaws.com | - |
| AWS Global Accelerator | globalaccelerator.amazonaws.com | Documentation |
| AWS Glue | glue.amazonaws.com | - |
| Amazon Managed Grafana | grafana.amazonaws.com | Documentation |
| AWS IoT Greengrass | greengrass.amazonaws.com | - |
| AWS Ground Station | groundstation.amazonaws.com | Documentation |
| Amazon GroundTruth Labeling | groundtruthlabeling.amazonaws.com | - |
| Amazon GuardDuty | guardduty.amazonaws.com | - |
| Amazon Connect Health | health-agent.amazonaws.com | - |
| AWS Health APIs and Notifications | health.amazonaws.com | - |
| AWS HealthLake | healthlake.amazonaws.com | - |
| Amazon Honeycode | honeycode.amazonaws.com | - |
| AWS CloudFormation | hooks.cloudformation.amazonaws.com | - |
| AWS Identity and Access Management (IAM) | iam.amazonaws.com | - |
| AWS Identity Sync | identity-sync.amazonaws.com | - |
| AWS Identity Store Auth | identitystore-auth.amazonaws.com | - |
| AWS IAM Identity Center | identitystore.amazonaws.com | - |
| Amazon EC2 Image Builder | imagebuilder.amazonaws.com | Documentation |
| AWS Import Export Disk Service | importexport.amazonaws.com | - |
| Amazon InspectorScan | inspector-scan.amazonaws.com | - |
| Amazon Inspector Classic | inspector.amazonaws.com | Documentation |
| Amazon Inspector2 Telemetry Channel | inspector2-telemetry.amazonaws.com | - |
| Amazon Inspector2 | inspector2.amazonaws.com | - |
| AWS Interconnect | interconnect.amazonaws.com | - |
| Amazon CloudWatch Internet Monitor | internetmonitor.amazonaws.com | - |
| AWS Invoicing Service | invoicing.amazonaws.com | - |
| AWS IoT Device Tester | iot-device-tester.amazonaws.com | - |
| AWS IoT Core | iot.amazonaws.com | - |
| Iot1click | iot1click.amazonaws.com | - |
| AWS IoT Analytics | iotanalytics.amazonaws.com | - |
| AWS IoT Core Device Advisor | iotdeviceadvisor.amazonaws.com | - |
| AWS IoT Events | iotevents.amazonaws.com | - |
| AWS IoT Fleet Hub for Device Management | iotfleethub.amazonaws.com | - |
| AWS IoT FleetWise | iotfleetwise.amazonaws.com | - |
| AWS IoT Jobs DataPlane | iotjobsdata.amazonaws.com | - |
| AWS IoT Managed Integrations Service | iotmanagedintegrations.amazonaws.com | Documentation |
| Iotroborunner | iotroborunner.amazonaws.com | - |
| AWS IoT SiteWise | iotsitewise.amazonaws.com | - |
| AWS IoT Things Graph | iotthingsgraph.amazonaws.com | - |
| AWS IoT TwinMaker | iottwinmaker.amazonaws.com | Documentation |
| AWS IoT Wireless | iotwireless.amazonaws.com | - |
| AWS IQ Permissions | iq-permission.amazonaws.com | - |
| AWS IQ | iq.amazonaws.com | - |
| Amazon Interactive Video Service | ivs.amazonaws.com | Documentation |
| Amazon Interactive Video Service Chat | ivschat.amazonaws.com | - |
| Jellyfish | jellyfish.amazonaws.com | - |
| Apache Kafka APIs for Amazon MSK clusters | kafka-cluster.amazonaws.com | - |
| Amazon Managed Streaming for Apache Kafka | kafka.amazonaws.com | - |
| Amazon Managed Streaming for Kafka Connect | kafkaconnect.amazonaws.com | Documentation |
| Amazon Kendra Intelligent Ranking | kendra-ranking.amazonaws.com | - |
| Amazon Kendra | kendra.amazonaws.com | - |
| Amazon Kinesis Data Streams | kinesis.amazonaws.com | - |
| Amazon Kinesis Data Analytics | kinesisanalytics.amazonaws.com | - |
| Amazon DynamoDB | kinesisreplication.dynamodb.amazonaws.com | - |
| Amazon Kinesis Video Streams | kinesisvideo.amazonaws.com | - |
| AWS Key Management Service | kms.amazonaws.com | - |
| AWS Lake Formation | lakeformation.amazonaws.com | Documentation |
| Amazon CloudWatch | lambda.alarms.cloudwatch.amazonaws.com | - |
| AWS Lambda | lambda.amazonaws.com | - |
| AWS Launch Wizard | launchwizard.amazonaws.com | - |
| Amazon Lex | lex.amazonaws.com | - |
| Amazon Lex V2 | lexv2.amazonaws.com | Documentation |
| AWS Cost Explorer | license-management.marketplace.amazonaws.com | - |
| AWS License Manager Linux Subscriptions Manager | license-manager-linux-subscriptions.amazonaws.com | - |
| AWS License Manager User Subscriptions | license-manager-user-subscriptions.amazonaws.com | Documentation |
| AWS License Manager | license-manager.amazonaws.com | - |
| AWS Account Management | license-manager.member-account.amazonaws.com | - |
| Amazon Lightsail | lightsail.amazonaws.com | - |
| CloudFront Logging | logger.cloudfront.amazonaws.com | - |
| Amazon S3 Server Access Logging | logging.s3.amazonaws.com | - |
| Amazon CloudWatch Logs | logs.amazonaws.com | Documentation |
| Amazon Lookout for Equipment | lookoutequipment.amazonaws.com | - |
| Amazon Lookout for Metrics | lookoutmetrics.amazonaws.com | - |
| Amazon Lookout for Vision | lookoutvision.amazonaws.com | - |
| AWS Mainframe Modernization Service | m2.amazonaws.com | Documentation |
| Amazon Machine Learning | machinelearning.amazonaws.com | - |
| Amazon Macie | macie.amazonaws.com | Documentation |
| Amazon Macie | macie2.amazonaws.com | - |
| AWS Elastic Beanstalk | maintenance.elasticbeanstalk.amazonaws.com | - |
| Amazon GuardDuty | malware-protection-plan.guardduty.amazonaws.com | - |
| Amazon GuardDuty | malware-protection.guardduty.amazonaws.com | - |
| Amazon Managed Blockchain Query | managedblockchain-query.amazonaws.com | - |
| Amazon Managed Blockchain | managedblockchain.amazonaws.com | - |
| Amazon OpenSearch Service | managedservices.amazonaws.com | - |
| AWS Elastic Beanstalk | managedupdates.elasticbeanstalk.amazonaws.com | - |
| AWS Migration Acceleration Program Credits | mapcredits.amazonaws.com | - |
| AWS Marketplace Commerce Analytics Service | marketplacecommerceanalytics.amazonaws.com | - |
| Amazon Mechanical Turk | mechanicalturk.amazonaws.com | - |
| AWS Elemental MediaConnect | mediaconnect.amazonaws.com | - |
| AWS Elemental MediaConvert | mediaconvert.amazonaws.com | - |
| AmazonMediaImport | mediaimport.amazonaws.com | - |
| AWS Elemental MediaLive | medialive.amazonaws.com | - |
| AWS Elemental MediaPackage VOD | mediapackage-vod.amazonaws.com | - |
| AWS Elemental MediaPackage | mediapackage.amazonaws.com | - |
| AWS Elemental MediaPackage V2 | mediapackagev2.amazonaws.com | - |
| AWS Elemental MediaStore | mediastore.amazonaws.com | - |
| AWS Elemental MediaTailor | mediatailor.amazonaws.com | - |
| AWS HealthImaging | medical-imaging.amazonaws.com | - |
| Amazon Chime | meetings.chime.amazonaws.com | - |
| AWS CloudFormation | member.org.stacksets.cloudformation.amazonaws.com | - |
| Amazon MemoryDB | memorydb.amazonaws.com | Documentation |
| AWS Cost Explorer | metering-marketplace.amazonaws.com | - |
| AWS Migration Hub | mgh.amazonaws.com | - |
| AWS Application Migration Service | mgn.amazonaws.com | Documentation |
| AWS Migration Hub Orchestrator | migrationhub-orchestrator.amazonaws.com | Documentation |
| AWS Migration Hub Strategy Recommendations | migrationhub-strategy.amazonaws.com | Documentation |
| AWS Migration Hub | migrationhub.amazonaws.com | - |
| Amazon Mobile Analytics | mobileanalytics.amazonaws.com | - |
| AWS Mobile Hub | mobilehub.amazonaws.com | - |
| Amazon Pinpoint | mobiletargeting.amazonaws.com | - |
| Amazon CloudWatch | monitoring.amazonaws.com | - |
| RDS Enhanced Monitoring | monitoring.rds.amazonaws.com | - |
| Amazon Monitron | monitron.amazonaws.com | - |
| Multi-party approval | mpa.amazonaws.com | - |
| Amazon MQ | mq.amazonaws.com | Documentation |
| Amazon Neptune | neptune-db.amazonaws.com | - |
| Amazon Neptune Analytics | neptune-graph.amazonaws.com | - |
| AWS Network Firewall | network-firewall.amazonaws.com | Documentation |
| AWS Shield network security director | network-security-director.amazonaws.com | - |
| Network Flow Monitor | networkflowmonitor.amazonaws.com | - |
| AWS Network Manager Chat | networkmanager-chat.amazonaws.com | - |
| AWS Network Manager | networkmanager.amazonaws.com | Documentation |
| Amazon CloudWatch Network Synthetic Monitor | networkmonitor.amazonaws.com | - |
| Amazon Nimble Studio | nimble.amazonaws.com | - |
| AWS User Notifications Contacts | notifications-contacts.amazonaws.com | - |
| AWS User Notifications | notifications.amazonaws.com | - |
| Amazon Nova Act | nova-act.amazonaws.com | - |
| Amazon CloudWatch Observability Access Manager | oam.amazonaws.com | - |
| Amazon OpenSearch Serverless | observability.aoss.amazonaws.com | Documentation |
| Amazon CloudWatch Observability Admin Service | observabilityadmin.amazonaws.com | - |
| AWS Service - Oracle Database@AWS | odb.amazonaws.com | - |
| AWS HealthOmics | omics.amazonaws.com | - |
| Amazon One Enterprise | one.amazonaws.com | - |
| Amazon OpenSearch | opensearch.amazonaws.com | - |
| AWS Cost Explorer | opensearchservice.amazonaws.com | - |
| Amazon API Gateway | ops.apigateway.amazonaws.com | Documentation |
| Amazon EMR Serverless | ops.emr-serverless.amazonaws.com | Documentation |
| AWS Systems Manager | opsdatasync.ssm.amazonaws.com | - |
| AWS OpsWorks Configuration Management | opsworks-cm.amazonaws.com | - |
| AWS OpsWorks | opsworks.amazonaws.com | - |
| AWS Organizations | organizations.amazonaws.com | - |
| AWS Service Catalog | orgsdatasync.servicecatalog.amazonaws.com | - |
| Amazon OpenSearch Ingestion | osis.amazonaws.com | Documentation |
| AWS Outposts | outposts.amazonaws.com | Documentation |
| AWS Panorama | panorama.amazonaws.com | Documentation |
| AWS Partner central account management | partnercentral-account-management.amazonaws.com | - |
| AWS Partner Central | partnercentral.amazonaws.com | - |
| AWS Payment Cryptography | payment-cryptography.amazonaws.com | - |
| AWS Payments | payments.amazonaws.com | - |
| AWS Private CA Connector for Active Directory | pca-connector-ad.amazonaws.com | - |
| AWS Private CA Connector for SCEP | pca-connector-scep.amazonaws.com | - |
| AWS Parallel Computing Service | pcs.amazonaws.com | Documentation |
| AWS IQ | permission.iq.amazonaws.com | Documentation |
| Amazon Personalize | personalize.amazonaws.com | - |
| AWS Performance Insights | pi.amazonaws.com | - |
| Amazon Pinpoint | pinpoint.amazonaws.com | - |
| Amazon OpenSearch Service | pipes.amazonaws.com | - |
| Amazon Polly | polly.amazonaws.com | - |
| Amazon Route 53 Recovery Readiness | practice-run.arc-zonal-shift.amazonaws.com | Documentation |
| AWS Price List | pricing.amazonaws.com | - |
| AWS PricingPlanManager Service | pricingplanmanager.amazonaws.com | - |
| AWS service providing managed private networks | private-networks.amazonaws.com | - |
| Amazon Connect Customer Profiles | profile.amazonaws.com | Documentation |
| AWS Proton | proton.amazonaws.com | - |
| Amazon ECR | pullthroughcache.ecr.amazonaws.com | - |
| AWS Purchase Orders Console | purchase-orders.amazonaws.com | - |
| Purchaseorders | purchaseorders.amazonaws.com | - |
| Amazon Q | q.amazonaws.com | - |
| Amazon Q Business Q Apps | qapps.amazonaws.com | Documentation |
| Amazon Q Business | qbusiness.amazonaws.com | Documentation |
| Amazon Q Developer | qdeveloper.amazonaws.com | - |
| Amazon QLDB | qldb.amazonaws.com | - |
| Amazon QuickSight | quicksight.amazonaws.com | - |
| AWS Resource Access Manager (RAM) | ram.amazonaws.com | - |
| AWS Recycle Bin | rbin.amazonaws.com | - |
| Amazon RDS Data API | rds-data.amazonaws.com | - |
| Amazon RDS IAM Authentication | rds-db.amazonaws.com | - |
| Rds Preview | rds-preview.amazonaws.com | - |
| Amazon Relational Database Service (Amazon RDS) | rds.amazonaws.com | Documentation |
| Application Auto Scaling | rds.application-autoscaling.amazonaws.com | - |
| Reachabilityanalyzer Networkinsights | reachabilityanalyzer.networkinsights.amazonaws.com | - |
| Amazon Redshift Data API | redshift-data.amazonaws.com | - |
| Amazon Redshift Serverless | redshift-serverless.amazonaws.com | - |
| Amazon Redshift | redshift.amazonaws.com | Documentation |
| AWS Migration Hub Refactor Spaces | refactor-spaces.amazonaws.com | Documentation |
| Amazon ElastiCache | region.elasticache-snapshot.amazonaws.com | - |
| Amazon Rekognition | rekognition.amazonaws.com | - |
| AWS Config | remediation.config.amazonaws.com | - |
| Amazon Keyspaces | replication.cassandra.amazonaws.com | - |
| DynamoDB Global Tables | replication.dynamodb.amazonaws.com | - |
| Amazon ECR | replication.ecr.amazonaws.com | - |
| Amazon Lex | replication.lexv2.amazonaws.com | - |
| Lambda Replicator | replicator.lambda.amazonaws.com | - |
| AWS Trusted Advisor | reporting.trustedadvisor.amazonaws.com | - |
| AWS CodeStar Connections | repository.sync.codeconnections.amazonaws.com | Documentation |
| AWS re:Post Private | repostspace.amazonaws.com | Documentation |
| Amazon Bio Discovery | researchstudio.amazonaws.com | - |
| AWS Resilience Hub | resiliencehub.amazonaws.com | - |
| AWS Resource Explorer | resource-explorer-2.amazonaws.com | Documentation |
| Resource Explorer | resource-explorer.amazonaws.com | - |
| AWS Resource Groups | resource-groups.amazonaws.com | - |
| AWS CloudFormation | resource.cloudformation.amazonaws.com | - |
| AWS Resource Groups | resourcegroups.amazonaws.com | Documentation |
| AWS CloudFormation | resources.cloudformation.amazonaws.com | - |
| AWS Backup | restore-testing.backup.amazonaws.com | - |
| Amazon RHEL Knowledgebase Portal | rhelkb.amazonaws.com | - |
| AWS RoboMaker | robomaker.amazonaws.com | - |
| AWS Identity and Access Management Roles Anywhere | rolesanywhere.amazonaws.com | Documentation |
| Amazon Route 53 Recovery Cluster | route53-recovery-cluster.amazonaws.com | - |
| Amazon Route 53 Recovery Controls | route53-recovery-control-config.amazonaws.com | - |
| Amazon Route 53 Recovery Readiness | route53-recovery-readiness.amazonaws.com | - |
| Amazon Route 53 | route53.amazonaws.com | - |
| Amazon Route 53 Domains | route53domains.amazonaws.com | - |
| AWS Route53 Global Resolver | route53globalresolver.amazonaws.com | - |
| Amazon OpenSearch Service | route53profiles.amazonaws.com | - |
| Amazon Route 53 Resolver | route53resolver.amazonaws.com | - |
| AWS RTB Fabric | rtbfabric.amazonaws.com | Documentation |
| AWS CloudWatch RUM | rum.amazonaws.com | - |
| Amazon S3 Object Lambda | s3-object-lambda.amazonaws.com | - |
| Amazon Simple Storage Service (Amazon S3) on AWS Outposts | s3-outposts.amazonaws.com | Documentation |
| Amazon S3 | s3.amazonaws.com | - |
| Amazon FSx | s3.data-source.lustre.fsx.amazonaws.com | - |
| Amazon S3 Express | s3express.amazonaws.com | - |
| Amazon S3 Files | s3files.amazonaws.com | - |
| Amazon S3 Tables | s3tables.amazonaws.com | - |
| Amazon S3 Vectors | s3vectors.amazonaws.com | - |
| Amazon SageMaker data science assistant | sagemaker-data-science-assistant.amazonaws.com | - |
| Amazon SageMaker geospatial capabilities | sagemaker-geospatial.amazonaws.com | - |
| Sagemaker Groundtruth Synthetic | sagemaker-groundtruth-synthetic.amazonaws.com | - |
| Amazon SageMaker with MLflow | sagemaker-mlflow.amazonaws.com | - |
| Amazon SageMaker Unified Studio MCP | sagemaker-unified-studio-mcp.amazonaws.com | - |
| Amazon SageMaker | sagemaker.amazonaws.com | - |
| Application Auto Scaling | sagemaker.application-autoscaling.amazonaws.com | - |
| AWS Savings Plans | savingsplans.amazonaws.com | - |
| Amazon EventBridge Scheduler | scheduler.amazonaws.com | - |
| Amazon EventBridge Schema Registry | schemas.amazonaws.com | - |
| AWS Supply Chain | scn.amazonaws.com | - |
| Scraper Aps | scraper.aps.amazonaws.com | - |
| Amazon SimpleDB | sdb.amazonaws.com | - |
| AWS Secrets Manager | secretsmanager.amazonaws.com | - |
| AWS Security Incident Response | security-ir.amazonaws.com | Documentation |
| AWS Security Agent | securityagent.amazonaws.com | - |
| AWS Security Hub CSPM | securityhub.amazonaws.com | Documentation |
| Amazon Security Lake | securitylake.amazonaws.com | - |
| AWS Serverless Application Repository | serverlessrepo.amazonaws.com | - |
| AWS Service Catalog AppRegistry | servicecatalog-appregistry.amazonaws.com | - |
| AWS Service Catalog | servicecatalog.amazonaws.com | - |
| AWS Cloud Map | servicediscovery.amazonaws.com | - |
| AWS Microservice Extractor for .NET | serviceextract.amazonaws.com | - |
| Service Quotas | servicequotas.amazonaws.com | - |
| Amazon Simple Email Service (Amazon SES) v2 | ses.amazonaws.com | Documentation |
| AWS Shield | shield.amazonaws.com | Documentation |
| AWS Signer | signer.amazonaws.com | - |
| AWS Sign-In | signin.amazonaws.com | - |
| AWS SimSpace Weaver | simspaceweaver.amazonaws.com | - |
| AWS End User Messaging SMS and Voice V2 | sms-voice.amazonaws.com | Documentation |
| AWS Server Migration Service | sms.amazonaws.com | - |
| AWS Migration Hub | smsintegration.migrationhub.amazonaws.com | - |
| AWS Snow Device Management | snow-device-management.amazonaws.com | - |
| AWS Snowball | snowball.amazonaws.com | - |
| Amazon SNS | sns.amazonaws.com | - |
| AWS End User Messaging Social | social-messaging.amazonaws.com | Documentation |
| Spot | spot.amazonaws.com | - |
| Amazon EC2 Spot Fleet | spotfleet.amazonaws.com | - |
| AWS SQL Workbench | sqlworkbench.amazonaws.com | - |
| Amazon SQS | sqs.amazonaws.com | - |
| AWS Systems Manager Incident Manager Contacts | ssm-contacts.amazonaws.com | - |
| AWS Systems Manager GUI Connect | ssm-guiconnect.amazonaws.com | - |
| AWS Systems Manager Incident Manager | ssm-incidents.amazonaws.com | Documentation |
| AWS Systems Manager Quick Setup | ssm-quicksetup.amazonaws.com | - |
| AWS Systems Manager for SAP | ssm-sap.amazonaws.com | - |
| AWS Systems Manager | ssm.amazonaws.com | - |
| Amazon Message Gateway Service | ssmmessages.amazonaws.com | - |
| AWS IAM Identity Center directory | sso-directory.amazonaws.com | - |
| AWS IAM Identity Center OIDC service | sso-oauth.amazonaws.com | - |
| AWS IAM Identity Center | sso.amazonaws.com | Documentation |
| AWS CloudFormation | stacksets.cloudformation.amazonaws.com | - |
| AWS Step Functions | states.amazonaws.com | - |
| Amazon S3 | storage-lens.s3.amazonaws.com | - |
| AWS Storage Gateway | storagegateway.amazonaws.com | - |
| Amazon CloudWatch | streams.metrics.cloudwatch.amazonaws.com | - |
| AWS Security Token Service | sts.amazonaws.com | - |
| AWS Support Console | support-console.amazonaws.com | - |
| AWS Support | support.amazonaws.com | Documentation |
| AWS Support App in Slack | supportapp.amazonaws.com | - |
| AWS Support Plans | supportplans.amazonaws.com | - |
| Supportrecommendations | supportrecommendations.amazonaws.com | - |
| AWS Sustainability | sustainability.amazonaws.com | - |
| Amazon Simple Workflow Service | swf.amazonaws.com | - |
| AWS Proton | sync.proton.amazonaws.com | - |
| Amazon CloudWatch Synthetics | synthetics.amazonaws.com | - |
| Amazon Resource Group Tagging API | tag.amazonaws.com | - |
| AWS Resource Groups Tagging | tagging.amazonaws.com | - |
| Tagpolicies Tag | tagpolicies.tag.amazonaws.com | - |
| AWS App Runner | tasks.apprunner.amazonaws.com | - |
| AWS Tax Settings | tax.amazonaws.com | - |
| Amazon Textract | textract.amazonaws.com | - |
| Amazon WorkSpaces Thin Client | thinclient.amazonaws.com | - |
| Amazon Timestream InfluxDB | timestream-influxdb.amazonaws.com | - |
| Amazon Timestream | timestream.amazonaws.com | - |
| Amazon Timestream Influxdb | timestreamforinfluxdb.amazonaws.com | Documentation |
| AWS Tiros | tiros.amazonaws.com | - |
| AWS Telco Network Builder | tnb.amazonaws.com | - |
| Amazon Transcribe | transcribe.amazonaws.com | - |
| AWS Transfer Family | transfer.amazonaws.com | - |
| AWS Transform custom | transform-custom.amazonaws.com | - |
| AWS Transform | transform.amazonaws.com | - |
| AWS Transit Gateway | transitgateway.amazonaws.com | - |
| Amazon Translate | translate.amazonaws.com | - |
| AWS Trusted Advisor | trustedadvisor.amazonaws.com | Documentation |
| AWS Diagnostic tools | ts.amazonaws.com | - |
| Tts | tts.amazonaws.com | - |
| AWS User Subscriptions | user-subscriptions.amazonaws.com | - |
| AWS User Experience Customization | uxc.amazonaws.com | - |
| AWS Marketplace Vendor Insights | vendor-insights.amazonaws.com | - |
| AWS Verified Access | verified-access.amazonaws.com | - |
| Amazon Verified Permissions | verifiedpermissions.amazonaws.com | - |
| Vmie | vmie.amazonaws.com | - |
| Amazon Connect Voice ID | voiceid.amazonaws.com | - |
| VPC Flow Logs | vpc-flow-logs.amazonaws.com | - |
| Amazon VPC Lattice Services | vpc-lattice-svcs.amazonaws.com | - |
| Amazon VPC Lattice | vpc-lattice.amazonaws.com | Documentation |
| AWS PrivateLink | vpce.amazonaws.com | - |
| Amazon CloudFront | vpcorigin.cloudfront.amazonaws.com | Documentation |
| AWS WAF Regional | waf-regional.amazonaws.com | - |
| AWS WAF Regional | waf.amazonaws.com | Documentation |
| AWS WAF V2 | wafv2.amazonaws.com | Documentation |
| Amazon WorkSpaces Application Manager | wam.amazonaws.com | - |
| AWS Well-Architected Tool | wellarchitected.amazonaws.com | - |
| AWS Wickr | wickr.amazonaws.com | - |
| Amazon Q in Connect | wisdom.amazonaws.com | - |
| Amazon WorkDocs | workdocs.amazonaws.com | - |
| Amazon WorkLink | worklink.amazonaws.com | - |
| Amazon WorkMail | workmail.amazonaws.com | - |
| Amazon WorkMail Message Flow | workmailmessageflow.amazonaws.com | - |
| AWS WorkSpaces Managed Instances | workspaces-instances.amazonaws.com | - |
| Amazon WorkSpaces Secure Browser | workspaces-web.amazonaws.com | - |
| Amazon WorkSpaces | workspaces.amazonaws.com | - |
| AWS X-Ray | xray.amazonaws.com | - |
What is an AWS service principal?
A service principal is an identifier that represents an AWS service in IAM policies. When you see something like lambda.amazonaws.com or ec2.amazonaws.com in a policy's Principal element, that's a service principal. These identifiers allow AWS services to assume IAM roles and perform actions on your behalf.
Think of service principals as the identity card that AWS services present when they need to access resources in your account. Without the correct service principal in your trust policy, an AWS service cannot assume the role you created for it.
The service principal is defined by AWS itself. You cannot create custom service principals or use wildcards like "Service": "*" in IAM policies. Each AWS service has its own specific identifier.
How to use this service principal list
- Search for the AWS service name, such as Lambda, ECS Tasks, CloudTrail, or CodeBuild.
- Copy the exact service principal value, for example lambda.amazonaws.com or ecs-tasks.amazonaws.com.
- Add it to the Principal.Service field in your IAM role trust policy or resource-based policy.
- Use the documentation link when you need AWS service-specific trust policy requirements.
- Add aws:SourceAccount or aws:SourceArn conditions whenever the target AWS service supports them.
The most common mistake is copying a service name instead of the service principal. IAM needs the exact principal string in the policy, not the marketing name of the AWS service.
Service principal format and structure
The standard service principal format is:
service-name.amazonaws.com
Common examples include:
- lambda.amazonaws.com for AWS Lambda
- ec2.amazonaws.com for Amazon EC2
- s3.amazonaws.com for Amazon S3
- ecs-tasks.amazonaws.com for Amazon ECS tasks
- codebuild.amazonaws.com for AWS CodeBuild
When multiple services need to assume the same role, specify them as an array:
```json
"Principal": {
  "Service": [
    "ecs.amazonaws.com",
    "elasticloadbalancing.amazonaws.com"
  ]
}
```
This syntax is useful when you need a shared role for services that work together. For a deeper CDK example, read the guide on creating IAM roles with multiple principals using AWS CDK.
How service principals enable service-to-service access
- An AWS service, such as Lambda, needs to access resources in your account.
- The service presents its service principal and calls sts:AssumeRole.
- IAM checks the role's trust policy to verify the service principal is allowed.
- If authorized, IAM returns temporary security credentials.
- The service uses these credentials to access your resources.
This mechanism ensures that only the intended AWS services can assume roles in your account. The trust policy acts as the gatekeeper, and the service principal is the key.
Trust policies for IAM roles
Trust policies define which principals can assume an IAM role. For service roles, you specify the AWS service principal that should be able to assume the role.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
This trust policy allows AWS Lambda to assume the role. When Lambda needs to execute your function, it presents its service principal and calls sts:AssumeRole. IAM validates the trust policy and issues temporary credentials.
Resource-based policies
Service principals also appear in resource-based policies attached to AWS resources like S3 buckets, SNS topics, or SQS queues. These policies allow AWS services to access your resources directly.
For example, an S3 bucket policy that allows CloudTrail to write logs uses the cloudtrail.amazonaws.com service principal. Add aws:SourceAccount or aws:SourceArn conditions whenever possible so another account cannot misuse the service principal to write to your resource.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "CloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-cloudtrail-bucket/AWSLogs/111122223333/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    }
  ]
}
```
Service-linked roles
Service-linked roles are a special type of service role that's predefined by an AWS service. These roles include the permissions the service needs to operate, and only that specific service can assume them.
- AWS defines the permissions and trust policy for the role.
- Many services create the role automatically when you first use the service.
- You usually cannot delete the role until the dependent service resources are removed.
- The role name typically follows the AWSServiceRoleForServiceName pattern.
| Service | Service-linked role name | Service principal |
|---|---|---|
| Amazon RDS | AWSServiceRoleForRDS | rds.amazonaws.com |
| AWS Lambda | AWSServiceRoleForLambda | lambda.amazonaws.com |
| Amazon API Gateway | AWSServiceRoleForAPIGateway | ops.apigateway.amazonaws.com |
| AWS Systems Manager | AWSServiceRoleForAmazonSSM | ssm.amazonaws.com |
Regionalized service principals
Most service principals work globally across all AWS regions. For opt-in regions launched after March 20, 2019, service principal behavior changes for cross-region requests.
Common opt-in regions include:
| Region name | Region code |
|---|---|
| Africa (Cape Town) | af-south-1 |
| Asia Pacific (Hong Kong) | ap-east-1 |
| Asia Pacific (Hyderabad) | ap-south-2 |
| Europe (Milan) | eu-south-1 |
| Middle East (UAE) | me-central-1 |
- Same-region requests normally use service-name.amazonaws.com.
- Cross-region requests from opt-in regions use service-name.region.amazonaws.com.
- For IAM role trust policies, AWS recommends the non-regionalized format because IAM is global.
Example: an S3 bucket in ap-east-1 sending notifications to an SNS topic in another region may need s3.ap-east-1.amazonaws.com instead of s3.amazonaws.com.
```json
{
  "Effect": "Allow",
  "Principal": {
    "Service": "s3.ap-east-1.amazonaws.com"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:ap-southeast-1:111122223333:MyTopic",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "111122223333"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:s3:::my-bucket-*"
    }
  }
}
```
Confused deputy protection
The confused deputy problem occurs when an entity without permission tricks a more privileged service into performing actions on its behalf. With service principals, this usually appears in cross-service access.
Use these condition keys in resource policies where supported:
| Condition key | Purpose |
|---|---|
| aws:SourceArn | Limits access to a specific source resource. |
| aws:SourceAccount | Limits access to a specific AWS account. |
| aws:SourceOrgID | Limits access to your AWS Organization. |
| aws:SourceOrgPaths | Limits access to specific OU paths. |
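An added check, not part of this reference page or any AWS tool, that applies the guidance from the resource-based policy section and the condition-key table above to a policy document: it flags wildcard or malformed service principals and every Allow statement that grants access to a service principal without one of the four confused deputy condition keys. The sample bucket policy and the principal regex are constructed for this example; the missing-condition finding is advisory for role trust policies, since not every service supports these keys.

```python
import json
import re

# Condition keys the page lists for confused deputy protection (IAM matches them case-insensitively).
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid", "aws:sourceorgpaths"}
# Constructed pattern for the page's format service-name.amazonaws.com, optionally regionalized
# as service-name.region.amazonaws.com; the table's few *.amazon.com principals also pass.
PRINCIPAL_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.amazon(aws)?\.com$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_keys(statement):
    """Lower-cased condition keys across every operator (StringEquals, ArnLike, ...)."""
    keys = set()
    for operator_keys in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_keys)
    return keys

def lint_service_principals(policy_json):
    """Return (Sid, finding) pairs for Allow statements whose Principal is an AWS service."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # Deny statements and "*" or account principals are out of scope here
        services = _as_list(principal.get("Service", []))
        for svc in services:
            if "*" in svc:
                findings.append((sid, f"wildcard service principal {svc!r} is not valid"))
            elif not PRINCIPAL_RE.match(svc):
                findings.append((sid, f"{svc!r} is not in service-name.amazonaws.com form"))
        if services and not _condition_keys(stmt) & SOURCE_KEYS:
            findings.append((sid, "no aws:SourceArn/SourceAccount/SourceOrgID/SourceOrgPaths condition"))
    return findings

# Constructed sample bucket policy: the first statement is scoped to the account, the second is not.
SAMPLE_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/AWSLogs/111122223333/*",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
    {"Sid": "UnscopedLogsWrite", "Effect": "Allow",
     "Principal": {"Service": ["logs.amazonaws.com", "*"]},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
```

Running lint_service_principals(SAMPLE_BUCKET_POLICY) reports two findings, both against UnscopedLogsWrite, and nothing against the scoped CloudTrail statement.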
For multi-account environments, Resource Control Policies can enforce this centrally. The pattern below denies S3 access by AWS service principals unless the request comes from your AWS Organization:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceConfusedDeputyProtection",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:SourceOrgID": "o-abc123xyz"
        },
        "Null": {
          "aws:SourceAccount": "false"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    }
  ]
}
```
Infrastructure as code examples
AWS CDK provides the ServicePrincipal class for trust policies:
```typescript
import * as iam from 'aws-cdk-lib/aws-iam';

const lambdaRole = new iam.Role(this, 'LambdaExecutionRole', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  description: 'Execution role for Lambda function',
});
```
In CloudFormation, define service principals in the AssumeRolePolicyDocument:
```yaml
Resources:
  CloudFormationServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
```
Troubleshooting service principal errors
- Invalid principal in policy: check the service principal format, avoid wildcards in the Service element, and verify the service principal exists in the table.
- Access Denied when a service assumes a role: verify the trust policy includes the correct service principal and allows sts:AssumeRole.
- Cross-region requests failing: check whether the source is in an opt-in region and needs the regionalized service principal format.
- Service-linked role cannot be deleted: remove the resources that depend on the service-linked role first.
IDE autocomplete
If you prefer working directly in your IDE, the IAM Service Principal Snippets extension autocompletes service principals directly in IAM policies.
Next step
Want AWS engineering that feels this practical?
I build these tools to make AWS easier to manage. If this level of quality is what you want in your own cloud platform, Towards The Cloud can help with landing zones, infrastructure as code, security reviews, migrations, and cost optimization.