Actions, resources, and condition keys for Amazon Elasticsearch Service - Service Authorization Reference

Actions, resources, and condition keys for Amazon Elasticsearch Service

Amazon Elasticsearch Service (service prefix: es) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Elasticsearch Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptInboundCrossClusterSearchConnection | Grants permission to the destination domain owner to accept an inbound cross-cluster search connection request | Write | | | |
| AddTags | Grants permission to attach resource tags to an Amazon ES domain. | Tagging | domain* | | |
| AssociatePackage | Grants permission to associate a package with an Amazon ES domain | Write | domain* | | |
| CancelElasticsearchServiceSoftwareUpdate | Grants permission to cancel elastic search software update of a domain to given version | Write | domain* | | |
| CreateElasticsearchDomain | Grants permission to create an Amazon ES domain. | Write | domain | | |
| CreateElasticsearchServiceRole | Grants permission to create the service-linked role required for Amazon ES domains that use VPC access. | Write | | | |
| CreateOutboundCrossClusterSearchConnection | Grants permission to create a new cross-cluster search connection from a source domain to a destination domain | Write | domain* | | |
| CreatePackage | Grants permission to add a package for use with Amazon ES domains | Write | | | |
| DeleteElasticsearchDomain | Grants permission to delete an Amazon ES domain and all of its data. | Write | domain* | | |
| DeleteElasticsearchServiceRole | Grants permission to delete the service-linked role required for Amazon ES domains that use VPC access. | Write | | | |
| DeleteInboundCrossClusterSearchConnection | Grants permission to the destination domain owner to delete an existing inbound cross-cluster search connection | Write | | | |
| DeleteOutboundCrossClusterSearchConnection | Grants permission to the source domain owner to delete an existing outbound cross-cluster search connection | Write | | | |
| DeletePackage | Grants permission to delete a package from Amazon ES. The package must not be associated with any Amazon ES domain. | Write | | | |
| DescribeElasticsearchDomain | Grants permission to view a description of the domain configuration for the specified Amazon ES domain, including the domain ID, domain service endpoint, and domain ARN. | Read | domain* | | |
| DescribeElasticsearchDomainConfig | Grants permission to view a description of the configuration options and status of an Amazon ES domain. | Read | domain* | | |
| DescribeElasticsearchDomains | Grants permission to view a description of the domain configuration for up to five specified Amazon ES domains. | List | domain* | | |
| DescribeElasticsearchInstanceTypeLimits | Grants permission to view the instance count, storage, and master node limits for a given Elasticsearch version and instance type. | List | | | |
| DescribeInboundCrossClusterSearchConnections | Grants permission to list all the inbound cross-cluster search connections for a destination domain | List | | | |
| DescribeOutboundCrossClusterSearchConnections | Grants permission to list all the outbound cross-cluster search connections for a source domain | List | | | |
| DescribePackages | Grants permission to describe all packages available to Amazon ES domain | Read | | | |
| DescribeReservedElasticsearchInstanceOfferings | Grants permission to fetch reserved instance offerings for ES | List | | | |
| DescribeReservedElasticsearchInstances | Grants permission to fetch ES reserved instances already purchased by customer | List | | | |
| DissociatePackage | Grants permission to remove a package from the specified Amazon ES domain | Write | domain* | | |
| ESCrossClusterGet | Grants permission to send cross-cluster requests to a destination domain. | Read | domain | | |
| ESHttpDelete | Grants permission to send HTTP DELETE requests to the Elasticsearch APIs. | Write | domain | | |
| ESHttpGet | Grants permission to send HTTP GET requests to the Elasticsearch APIs. | Read | domain | | |
| ESHttpHead | Grants permission to send HTTP HEAD requests to the Elasticsearch APIs. | Read | domain | | |
| ESHttpPatch | Grants permission to send HTTP PATCH requests to the Elasticsearch APIs. | Write | domain | | |
| ESHttpPost | Grants permission to send HTTP POST requests to the Elasticsearch APIs. | Write | domain | | |
| ESHttpPut | Grants permission to send HTTP PUT requests to the Elasticsearch APIs. | Write | domain | | |
| GetCompatibleElasticsearchVersions | Grants permission to fetch list of compatible elastic search versions to which Amazon ES domain can be upgraded | List | domain* | | |
| GetPackageVersionHistory | Grants permission to fetch the version history for a package | Read | | | |
| GetUpgradeHistory | Grants permission to fetch upgrade history for given ES domain | Read | domain* | | |
| GetUpgradeStatus | Grants permission to fetch upgrade status for given ES domain | Read | domain* | | |
| ListDomainNames | Grants permission to display the names of all Amazon ES domains that the current user owns. | List | | | |
| ListDomainsForPackage | Grants permission to list all Amazon ES domains that a package is associated with | List | | | |
| ListElasticsearchInstanceTypeDetails | Grants permission to list all instance types and available features for a given Elasticsearch version. | List | | | |
| ListElasticsearchInstanceTypes | Grants permission to list all Elasticsearch instance types that are supported for a given Elasticsearch version. | List | | | |
| ListElasticsearchVersions | Grants permission to list all supported Elasticsearch versions on Amazon ES. | List | | | |
| ListPackagesForDomain | Grants permission to list all packages associated with the Amazon ES domain | List | domain* | | |
| ListTags | Grants permission to display all of the tags for an Amazon ES domain. | Read | domain* | | |
| PurchaseReservedElasticsearchInstanceOffering | Grants permission to purchase ES reserved instances | Write | | | |
| RejectInboundCrossClusterSearchConnection | Grants permission to the destination domain owner to reject an inbound cross-cluster search connection request | Write | | | |
| RemoveTags | Grants permission to remove tags from Amazon ES domains. | Tagging | domain* | | |
| StartElasticsearchServiceSoftwareUpdate | Grants permission to start elastic search software update of a domain to given version | Write | domain* | | |
| UpdateElasticsearchDomainConfig | Grants permission to modify the configuration of an Amazon ES domain, such as the instance type or number of instances. | Write | domain* | | |
| UpdatePackage | Grants permission to update a package for use with Amazon ES domains | Write | | | |
| UpgradeElasticsearchDomain | Grants permission to initiate upgrade of elastic search domain to given version | Write | domain* | | |

Resource types defined by Amazon Elasticsearch Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| domain | arn:${Partition}:es:${Region}:${Account}:domain/${DomainName} | |
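
The following check is an added example, not part of the AWS reference: it applies the Resource types rule described above to a policy document, reporting Allow statements that pair an action with a Resource the table does not support. The TAKES_DOMAIN subset, the function names, and the sample policy are constructed for illustration; reporting "*" on a domain-scoped action is a least-privilege heuristic rather than an IAM error.

```python
import re
from fnmatch import fnmatchcase

# Resource types column, transcribed from this page's Actions table (subset of rows).
# True = the row lists the "domain" resource type; False = the column is empty.
TAKES_DOMAIN = {
    "es:DescribeElasticsearchDomain": True,
    "es:UpdateElasticsearchDomainConfig": True,
    "es:ESHttpGet": True,
    "es:ESHttpPost": True,
    "es:ListDomainNames": False,
    "es:CreatePackage": False,
}
# ARN shape from the Resource types table; wildcards inside a segment are tolerated.
DOMAIN_ARN = re.compile(r"^arn:[^:]+:es:[^:]*:[^:]*:domain/.+$")

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def expand(pattern):
    """Table actions matched by an Action pattern (case-insensitive, * and ? wildcards)."""
    return [a for a in TAKES_DOMAIN if fnmatchcase(a.lower(), pattern.lower())]

def lint(policy):
    """Return (statement index, action, message) for each Allow that misfits the table."""
    findings = []
    for n, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = as_list(stmt.get("Resource", []))
        star = "*" in resources
        actions = {a for p in as_list(stmt["Action"]) for a in expand(p)}
        for action in sorted(actions):
            if not TAKES_DOMAIN[action]:
                if not star:
                    findings.append((n, action, 'no resource type: needs Resource "*"'))
            elif star:
                findings.append((n, action, "can be scoped to a domain ARN"))
            elif not any(DOMAIN_ARN.match(r) for r in resources):
                findings.append((n, action, "Resource is not a domain ARN"))
    return findings

# Constructed sample policy: the account ID and domain name are placeholders.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["es:DescribeElasticsearchDomain", "es:ListDomainNames"],
     "Resource": "arn:aws:es:us-east-1:111122223333:domain/logs"},
    {"Effect": "Allow", "Action": "es:ESHttp*", "Resource": "*"},
    {"Effect": "Allow", "Action": "es:ListDomainNames", "Resource": "*"},
]}
```

Calling lint(SAMPLE) reports es:ListDomainNames in the first statement (it has no resource type, so the domain ARN never grants it) and both es:ESHttp* actions in the second; the third statement is clean.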

Condition keys for Amazon Elasticsearch Service

Elasticsearch Service has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available keys for conditions.