service_owned_resources.md
Lines changed: 8 additions & 1 deletion
@@ -47,4 +47,11 @@ The following table contains service-owned resources that AWS services use to pe
47
47
| AWS Lambda layer | Multiple | `arn:aws:lambda:*:<service-account-id>:layer:*` | Services such as Amazon CloudWatch and AWS AppConfig maintain AWS Lambda extensions owned by Amazon that you can add as layers to you functions. For example, [CloudWatch Lambda Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights.html) and [AWS AppConfig Agent Lambda extension](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-lambda-extensions.html).See [Available versions of the Lambda Insights extension](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html) and [Understanding available versions of the AWS AppConfig Agent Lambda extension](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-lambda-extensions-versions.html) for more details. Note that `<service-account-id>` can vary by AWS Region, and you might need to allow multiple account IDs if you are operating in multiple Regions. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[lambda_endpoint_policy](vpc_endpoint_policies/lambda_endpoint_policy.json)* |
48
48
| AWS Systems Manager parameter | Multiple |`arn:aws:ssm:*::parameter/*`| Some AWS services publish information about common artifacts as [AWS Systems Manager public parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-public-parameters.html). For example, Amazon EC2 publishes information about Amazon Machine Images (AMIs) as public parameters. See [How AWS Systems Manager works with IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-actions) for more details. |[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[ssm_endpoint_policy.json](vpc_endpoint_policies/ssm_endpoint_policy.json)*|
49
49
| AWS Systems Manager document | Multiple |`arn:aws:ssm:*::document/*`| Systems Manager maintains pre-configured [documents owned by Amazon](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html) that you can use to automate maintenance and deployment tasks. See [How AWS Systems Manager works with IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-actions) for more details. |[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[ssm_endpoint_policy.json](vpc_endpoint_policies/ssm_endpoint_policy.json)*|
50
-
| AWS Systems Manager automation definition | Multiple |`arn:aws:ssm:*::automation-definition/*`| Systems Manager maintains pre-defined [Automation runbooks owned by Amazon](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html), such as AWS-ConfigureMaintenanceWindows, that you can use to deploy, configure, and manage AWS resources at scale. See [How AWS Systems Manager works with IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-actions) for more details.|[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[ssm_endpoint_policy.json](vpc_endpoint_policies/ssm_endpoint_policy.json)*|
50
+
| AWS Systems Manager automation definition | Multiple |`arn:aws:ssm:*::automation-definition/*`| Systems Manager maintains pre-defined [Automation runbooks owned by Amazon](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html), such as AWS-ConfigureMaintenanceWindows, that you can use to deploy, configure, and manage AWS resources at scale. See [How AWS Systems Manager works with IAM](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-actions) for more details.|[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[ssm_endpoint_policy.json](vpc_endpoint_policies/ssm_endpoint_policy.json)*|
51
+
| Amazon S3 bucket | Amazon Athena |`arn:aws:s3:::athena-examples-<region>` <br /><br />`arn:aws:s3:::athena-examples-<region>/*`| Amazon Athena maintains sample data in a service-owned S3 bucket that you can use for the getting started tutorials. See [Get Started with Athena](https://docs.aws.amazon.com/athena/latest/ug/getting-started.html) for more details. |[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)|
52
+
| Amazon S3 bucket | AWS CloudFormation |`arn:aws:s3:::cloudformation-examples/*`| AWS CloudFormation maintains helper scripts that you can use to install software and start services on an Amazon EC2 instance that you create as part of your stack in a service-owned S3 bucket. See [CloudFormation helper scripts reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/cfn-helper-scripts-reference.html) for more details. |[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)|
53
+
| Amazon S3 bucket | AWS Schema Conversion Tool |`arn:aws:s3:::awssupportdatasvcs.com/*` <br /><br />`arn:aws:s3:::redshift-downloads/*`| AWS Schema Conversion Tool maintains JDBC drivers in service-owned S3 bucket that you can use for your source and target database engines. See [Installing JDBC drivers for AWS Schema Conversion Tool](https://docs.aws.amazon.com/SchemaConversionTool/latest/userguide/CHAP_Installing.JDBCDrivers.html) for more details. |[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)|
54
+
| Amazon S3 bucket | AWS Systems Manager |`arn:aws:s3:::session-manager-downloads/*`| AWS Systems Manager maintains Session manager plugins in service-owned S3 bucket that you can use for your Session Manager setup. See [Install the Session Manager plugin](https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-linux.html) for more details. |[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)|
55
+
| Amazon S3 bucket | AWS Systems Manager |`arn:aws:s3:::ssm-document-categories/*`| AWS Systems Manager maintains JSON files with document category definitions and metadata used when you view SSM Documents in the Systems Manager console or when using APIs that retrieve document metadata and categories in service-owned S3 bucket. See [Data perimeters in AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/data-perimeters.html) for more details. |[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)|
56
+
| Amazon S3 bucket | AWS Data Provider for SAP |`arn:aws:s3:::aws-sap-data-provider/*` <br /><br />`arn:aws:s3:::aws-sap-dataprovider-<region>/*`| AWS Data Provider for SAP maintains JSON files with document category definitions and metadata in a service-owned S3 bucket used for AWS Launch Wizard startup. See [AWS Launch Wizard userguide](https://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-sap-launch-artifacts-cloudformation.html) for more details. |[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)|
57
+
| Amazon S3 bucket | AWS Backint Agent for SAP |`arn:aws:s3:::awssap-backint-agent/*`| AWS Backint maintains installation files in a service-owned S3 bucket that you can use when installing and configuring AWS Backint Agent for SAP HANA. See [Install and configure AWS Backint Agent for SAP HANA](https://docs.aws.amazon.com/sap/latest/sap-hana/aws-backint-agent-s3-installing-configuring.html) for more details. |[resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)|
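Review bot: the description in the AWS Data Provider for SAP row (new line 56) repeats the wording of the `ssm-document-categories` row just above it ("maintains JSON files with document category definitions and metadata"), which looks like a copy-paste carry-over. Please confirm what `aws-sap-data-provider` and `aws-sap-dataprovider-<region>` actually hold and describe that, since readers will use this text to decide whether to keep the bucket in their resource perimeter exceptions. Two smaller points on the same hunk: the Athena and SAP rows use a `<region>` placeholder without the kind of note the Lambda layer row has for `<service-account-id>`, so consider saying that one bucket ARN per Region in use is needed; and the Schema Conversion Tool row and both Systems Manager rows read "in service-owned S3 bucket" (missing "a"), with "Session manager plugins" capitalized differently from "Session Manager" later in the same cell. The removed and re-added line 50 is textually identical as displayed, so that part appears to be a whitespace or end-of-file newline change only.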