Actions, resources, and condition keys for Amazon CloudFront - Service Authorization Reference


Amazon CloudFront (service prefix: cloudfront) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon CloudFront

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If the column is empty, the action does not support resource-level permissions and you must specify all resources ("*") in the Resource element of your policy statement; an ARN in that position never matches a request, so the statement silently grants nothing. If the column lists a resource type, you can specify an ARN of that type in a statement with that action. Required resource types are marked with an asterisk (*): any ARN you put in a statement using that action must be of that type. Some actions support several resource types; where a type is optional (no asterisk), you can use it or leave it out.

For details about the columns in the following table, see The actions table.

Action | Description | Access level | Resource types (* = required) | Condition keys

(A "-" in the Resource types column means the action supports no resource-level permissions and must be granted on Resource "*". None of the listed actions has dependent actions.)

CreateCachePolicy | This action adds a new cache policy to CloudFront. | Write | - | -
CreateCloudFrontOriginAccessIdentity | This action creates a new CloudFront origin access identity. | Write | origin-access-identity* | -
CreateDistribution | This action creates a new web distribution. | Write | distribution* | -
CreateDistributionWithTags | This action creates a new web distribution with tags. | Tagging | distribution* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateFieldLevelEncryptionConfig | This action creates a new field-level encryption configuration. | Write | - | -
CreateFieldLevelEncryptionProfile | This action creates a field-level encryption profile. | Write | - | -
CreateFunction | This action creates a CloudFront function. | Write | - | -
CreateInvalidation | This action creates a new invalidation batch request. | Write | distribution* | -
CreateKeyGroup | This action adds a new key group to CloudFront. | Write | - | -
CreateMonitoringSubscription | This action enables additional CloudWatch metrics for the specified CloudFront distribution. The additional metrics incur an additional cost. | Write | - | -
CreateOriginRequestPolicy | This action adds a new origin request policy to CloudFront. | Write | - | -
CreatePublicKey | This action adds a new public key to CloudFront. | Write | - | -
CreateRealtimeLogConfig | This action creates a real-time log configuration. | Write | - | -
CreateStreamingDistribution | This action creates a new RTMP distribution. | Write | streaming-distribution* | -
CreateStreamingDistributionWithTags | This action creates a new RTMP distribution with tags. | Tagging | streaming-distribution* | aws:RequestTag/${TagKey}, aws:TagKeys
DeleteCachePolicy | This action deletes a cache policy. | Write | - | -
DeleteCloudFrontOriginAccessIdentity | This action deletes a CloudFront origin access identity. | Write | origin-access-identity* | -
DeleteDistribution | This action deletes a web distribution. | Write | distribution* | -
DeleteFieldLevelEncryptionConfig | This action deletes a field-level encryption configuration. | Write | - | -
DeleteFieldLevelEncryptionProfile | This action deletes a field-level encryption profile. | Write | - | -
DeleteFunction | This action deletes a CloudFront function. | Write | - | -
DeleteKeyGroup | This action deletes a key group. | Write | - | -
DeleteMonitoringSubscription | This action disables additional CloudWatch metrics for the specified CloudFront distribution. | Write | - | -
DeleteOriginRequestPolicy | This action deletes an origin request policy. | Write | - | -
DeletePublicKey | This action deletes a public key from CloudFront. | Write | - | -
DeleteRealtimeLogConfig | This action deletes a real-time log configuration. | Write | - | -
DeleteStreamingDistribution | This action deletes an RTMP distribution. | Write | streaming-distribution* | -
DescribeFunction | This action gets a CloudFront function summary. | Read | - | -
GetCachePolicy | Get the cache policy. | Read | - | -
GetCachePolicyConfig | Get the cache policy configuration. | Read | - | -
GetCloudFrontOriginAccessIdentity | Get the information about a CloudFront origin access identity. | Read | origin-access-identity* | -
GetCloudFrontOriginAccessIdentityConfig | Get the configuration information about a CloudFront origin access identity. | Read | origin-access-identity* | -
GetDistribution | Get the information about a web distribution. | Read | distribution* | -
GetDistributionConfig | Get the configuration information about a distribution. | Read | distribution* | -
GetFieldLevelEncryption | Get the field-level encryption configuration information. | Read | - | -
GetFieldLevelEncryptionConfig | Get the field-level encryption configuration information. | Read | - | -
GetFieldLevelEncryptionProfile | Get the field-level encryption profile information. | Read | - | -
GetFieldLevelEncryptionProfileConfig | Get the field-level encryption profile configuration information. | Read | - | -
GetFunction | This action gets a CloudFront function's code. | Read | - | -
GetInvalidation | Get the information about an invalidation. | Read | distribution* | -
GetKeyGroup | This action gets a key group. | Read | - | -
GetKeyGroupConfig | This action gets a key group configuration. | Read | - | -
GetMonitoringSubscription | This action gets information about whether additional CloudWatch metrics are enabled for the specified CloudFront distribution. | Read | - | -
GetOriginRequestPolicy | Get the origin request policy. | Read | - | -
GetOriginRequestPolicyConfig | Get the origin request policy configuration. | Read | - | -
GetPublicKey | Get the public key information. | Read | - | -
GetPublicKeyConfig | Get the public key configuration information. | Read | - | -
GetRealtimeLogConfig | This action gets a real-time log configuration. | Read | - | -
GetStreamingDistribution | Get the information about an RTMP distribution. | Read | streaming-distribution* | -
GetStreamingDistributionConfig | Get the configuration information about a streaming distribution. | Read | streaming-distribution* | -
ListCachePolicies | List all cache policies that have been created in CloudFront for this account. | List | - | -
ListCloudFrontOriginAccessIdentities | List your CloudFront origin access identities. | List | - | -
ListDistributions | List the distributions associated with your AWS account. | List | - | -
ListDistributionsByCachePolicyId | List distribution IDs for distributions that have a cache behavior that's associated with the specified cache policy. | List | - | -
ListDistributionsByKeyGroup | This action lists distribution IDs for distributions that have a cache behavior that's associated with the specified key group. | List | - | -
ListDistributionsByOriginRequestPolicyId | List distribution IDs for distributions that have a cache behavior that's associated with the specified origin request policy. | List | - | -
ListDistributionsByRealtimeLogConfig | This action gets a list of distributions that have a cache behavior that's associated with the specified real-time log configuration. | List | - | -
ListDistributionsByWebACLId | List the distributions associated with your AWS account that use the given AWS WAF web ACL. | List | - | -
ListFieldLevelEncryptionConfigs | List all field-level encryption configurations that have been created in CloudFront for this account. | List | - | -
ListFieldLevelEncryptionProfiles | List all field-level encryption profiles that have been created in CloudFront for this account. | List | - | -
ListFunctions | This action gets a list of CloudFront functions. | List | - | -
ListInvalidations | List your invalidation batches. | List | distribution* | -
ListKeyGroups | This action lists all key groups that have been created in CloudFront for this account. | List | - | -
ListOriginRequestPolicies | List all origin request policies that have been created in CloudFront for this account. | List | - | -
ListPublicKeys | List all public keys that have been added to CloudFront for this account. | List | - | -
ListRealtimeLogConfigs | This action gets a list of real-time log configurations. | List | - | -
ListStreamingDistributions | List your RTMP distributions. | List | - | -
ListTagsForResource | List tags for a CloudFront resource. | Read | distribution, streaming-distribution | -
PublishFunction | This action publishes a CloudFront function. | Write | - | -
TagResource | Add tags to a CloudFront resource. | Tagging | distribution, streaming-distribution | aws:RequestTag/${TagKey}, aws:TagKeys
TestFunction | This action tests a CloudFront function. | Write | - | -
UntagResource | Remove tags from a CloudFront resource. | Tagging | distribution, streaming-distribution | aws:TagKeys
UpdateCachePolicy | This action updates a cache policy. | Write | - | -
UpdateCloudFrontOriginAccessIdentity | This action sets the configuration for a CloudFront origin access identity. | Write | origin-access-identity* | -
UpdateDistribution | This action updates the configuration for a web distribution. | Write | distribution* | -
UpdateFieldLevelEncryptionConfig | This action updates a field-level encryption configuration. | Write | - | -
UpdateFieldLevelEncryptionProfile | This action updates a field-level encryption profile. | Write | - | -
UpdateFunction | This action updates a CloudFront function. | Write | - | -
UpdateKeyGroup | This action updates a key group. | Write | - | -
UpdateOriginRequestPolicy | This action updates an origin request policy. | Write | - | -
UpdatePublicKey | This action updates public key information. | Write | - | -
UpdateRealtimeLogConfig | This action updates a real-time log configuration. | Write | - | -
UpdateStreamingDistribution | This action updates the configuration for an RTMP distribution. | Write | streaming-distribution* | -
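The rules the table encodes (which actions accept an ARN, which must be granted on "*", and which condition keys each action honours) are easy to get wrong in a hand-written policy, and the failure is silent: the statement simply never matches. The following linter is an added example, not code from the AWS reference or any AWS tool. It carries a hand-copied subset of the actions table above (any action outside that subset is reported as unknown rather than guessed at), and the three policy documents, the account ID and the distribution ID are constructed for the example.

```python
"""Lint IAM statements against CloudFront's actions table.

Added example, not code from the AWS reference. ACTION_RESOURCES is a
hand-copied subset of the actions table on this page.
"""
import fnmatch

# action -> resource types it accepts. An empty set means the action has no
# resource-level permissions, so the statement must use Resource "*".
ACTION_RESOURCES = {
    "cloudfront:CreateInvalidation": {"distribution"},
    "cloudfront:GetDistribution": {"distribution"},
    "cloudfront:UpdateDistribution": {"distribution"},
    "cloudfront:UpdateStreamingDistribution": {"streaming-distribution"},
    "cloudfront:TagResource": {"distribution", "streaming-distribution"},
    "cloudfront:UntagResource": {"distribution", "streaming-distribution"},
    "cloudfront:CreateDistributionWithTags": {"distribution"},
    "cloudfront:ListDistributions": set(),
    "cloudfront:CreateCachePolicy": set(),
}
# From the resource types table: only these types carry aws:ResourceTag/${TagKey}.
TAGGABLE_TYPES = {"distribution", "streaming-distribution"}
# From the condition keys column: actions that accept aws:RequestTag / aws:TagKeys.
REQUEST_TAG_ACTIONS = {"cloudfront:CreateDistributionWithTags", "cloudfront:TagResource"}
TAG_KEYS_ACTIONS = REQUEST_TAG_ACTIONS | {"cloudfront:UntagResource"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def resource_type(arn):
    """'arn:aws:cloudfront::123456789012:distribution/E1...' -> 'distribution'."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "cloudfront":
        return None
    return parts[5].split("/", 1)[0]


def lint_statement(stmt):
    findings = []
    actions = []
    for pattern in _as_list(stmt.get("Action", [])):
        matched = [a for a in ACTION_RESOURCES if fnmatch.fnmatchcase(a, pattern)]
        actions += matched
        if not matched:
            findings.append(f"{pattern}: not in the local action table")
    resources = _as_list(stmt.get("Resource", []))
    cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
    for action in actions:
        supported = ACTION_RESOURCES[action]
        for res in resources:
            rtype = resource_type(res)
            if rtype == "*" and supported:
                findings.append(f"{action}: granted on '*' but accepts {sorted(supported)} ARNs; scope it")
            elif rtype is None:
                findings.append(f"{action}: '{res}' is not a CloudFront ARN")
            elif rtype != "*" and not supported:
                findings.append(f"{action}: no resource-level permissions; '{res}' never matches (effective deny)")
            elif rtype != "*" and rtype not in supported:
                findings.append(f"{action}: resource type '{rtype}' not accepted (expects {sorted(supported)})")
        for key in cond_keys:
            if key.startswith("aws:ResourceTag/") and not supported & TAGGABLE_TYPES:
                findings.append(f"{action}: {key} can never match; no taggable resource type")
            elif key.startswith("aws:RequestTag/") and action not in REQUEST_TAG_ACTIONS:
                findings.append(f"{action}: {key} is not a condition key for this action")
            elif key == "aws:TagKeys" and action not in TAG_KEYS_ACTIONS:
                findings.append(f"{action}: aws:TagKeys is not a condition key for this action")
    return findings


def lint_policy(policy):
    return [f for stmt in policy["Statement"] for f in lint_statement(stmt)]


DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"  # constructed

# Over-broad: CreateInvalidation could be scoped to one distribution.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudfront:CreateInvalidation", "cloudfront:ListDistributions"]}]}

# Least privilege: ARN where the table supports it, "*" where it requires it,
# and a resource-tag condition only on a taggable resource type.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudfront:CreateInvalidation", "Resource": DIST_ARN},
    {"Effect": "Allow", "Action": "cloudfront:ListDistributions", "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudfront:UpdateDistribution",
     "Resource": "arn:aws:cloudfront::123456789012:distribution/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/env": "staging"}}}]}

# Silently broken: an ARN on an action that requires "*", and a resource-tag
# condition on an action that has no resource to carry a tag.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudfront:ListDistributions", "Resource": DIST_ARN},
    {"Effect": "Allow", "Action": "cloudfront:CreateCachePolicy", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/env": "staging"}}}]}

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY), ("broken", BROKEN_POLICY)]:
        print(name, lint_policy(pol) or "OK")
```

Wildcard actions such as cloudfront:Get* are expanded only against the local subset, so a real deployment would load the full table (for example from the IAM policy simulator's service data) before trusting a clean result.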

Resource types defined by Amazon CloudFront

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy; these keys are displayed in the last column of the table. All CloudFront ARNs leave the region field empty (note the double colon after cloudfront) because CloudFront is a global service; an ARN with a region filled in never matches. Note also that several types in this table (cache-policy, origin-request-policy, field-level-encryption, field-level-encryption-profile, realtime-log-config, function) are not listed under any action in the Actions table above, so the actions that manage those resources must be granted on Resource "*" in this version of the reference. For details about the columns in the following table, see The resource types table.

Resource type | ARN | Condition keys
distribution | arn:${Partition}:cloudfront::${Account}:distribution/${DistributionId} | aws:ResourceTag/${TagKey}
streaming-distribution | arn:${Partition}:cloudfront::${Account}:streaming-distribution/${DistributionId} | aws:ResourceTag/${TagKey}
origin-access-identity | arn:${Partition}:cloudfront::${Account}:origin-access-identity/${Id} | -
field-level-encryption | arn:${Partition}:cloudfront::${Account}:field-level-encryption/${Id} | -
field-level-encryption-profile | arn:${Partition}:cloudfront::${Account}:field-level-encryption-profile/${Id} | -
cache-policy | arn:${Partition}:cloudfront::${Account}:cache-policy/${Id} | -
origin-request-policy | arn:${Partition}:cloudfront::${Account}:origin-request-policy/${Id} | -
realtime-log-config | arn:${Partition}:cloudfront::${Account}:realtime-log-config/${Name} | -
function | arn:${Partition}:cloudfront::${Account}:function/${Name} | -
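A builder and validator for the ARN forms in the table above, added here as an example (it is not code from the AWS reference). It rejects the common mistake of writing a region into a CloudFront ARN and checks the partition, account and resource type; the account and resource IDs used in the demonstration are constructed.

```python
"""Build and validate CloudFront ARNs in the forms the resource types table gives.

Added example, not code from the AWS reference. Account IDs and resource IDs
below are constructed.
"""
import re

# Resource type -> placeholder the table uses for its identifier.
RESOURCE_TYPES = {
    "distribution": "DistributionId",
    "streaming-distribution": "DistributionId",
    "origin-access-identity": "Id",
    "field-level-encryption": "Id",
    "field-level-encryption-profile": "Id",
    "cache-policy": "Id",
    "origin-request-policy": "Id",
    "realtime-log-config": "Name",
    "function": "Name",
}
PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}  # the three AWS partitions

ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):cloudfront:(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<type>[^:/]+)/(?P<id>.+)$"
)


def build_arn(rtype, account, identifier, partition="aws"):
    """Return the ARN for one resource; the region field is always empty."""
    if rtype not in RESOURCE_TYPES:
        raise ValueError(f"unknown CloudFront resource type {rtype!r}")
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition {partition!r}")
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError("account must be a 12-digit AWS account ID")
    return f"arn:{partition}:cloudfront::{account}:{rtype}/{identifier}"


def parse_arn(arn):
    """Split a CloudFront ARN into its fields, raising ValueError on any deviation."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError("not a CloudFront ARN")
    f = m.groupdict()
    if f["partition"] not in PARTITIONS:
        raise ValueError(f"unknown partition {f['partition']!r}")
    if f["region"]:
        raise ValueError("region must be empty: CloudFront is a global service")
    # "*" is permitted in the account field of a policy ARN; anything else must be an account ID.
    if f["account"] != "*" and not re.fullmatch(r"\d{12}", f["account"]):
        raise ValueError("account must be a 12-digit AWS account ID")
    if f["type"] not in RESOURCE_TYPES:
        raise ValueError(f"unknown CloudFront resource type {f['type']!r}")
    f["placeholder"] = RESOURCE_TYPES[f["type"]]
    return f


def check(arn):
    """Human-readable verdict for one ARN, e.g. for a policy review checklist."""
    try:
        f = parse_arn(arn)
    except ValueError as exc:
        return f"invalid: {exc}"
    return f"ok: {f['type']} {f['placeholder']}={f['id']}"


if __name__ == "__main__":
    for arn in [
        build_arn("distribution", "123456789012", "EDFDVBD6EXAMPLE"),
        "arn:aws:cloudfront:us-east-1:123456789012:distribution/EDFDVBD6EXAMPLE",
        "arn:aws:cloudfront::123456789012:cache-policy/*",
        "arn:aws:cloudfront::12345:function/my-func",
    ]:
        print(arn, "->", check(arn))
```

The identifier part is left unvalidated on purpose: IAM permits a wildcard there, and the reference gives no format for the IDs and names beyond the placeholder.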

Condition keys for Amazon CloudFront

Amazon CloudFront defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String