Actions, resources, and condition keys for Amazon WorkMail
Amazon WorkMail (service prefix: workmail) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon WorkMail
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AddMembersToGroup [permission only] | Grants permission to add a list of members (users or groups) to a group | Write | |||
AssociateDelegateToResource | Grants permission to add a member (user or group) to the resource's set of delegates | Write | |||
AssociateMemberToGroup | Grants permission to add a member (user or group) to the group's set | Write | |||
CancelMailboxExportJob | Grants permission to cancel a currently running mailbox export job | Write | |||
CreateAlias | Grants permission to add an alias to the set of a given member (user or group) of WorkMail | Write | |||
CreateGroup | Grants permission to create a group that can be used in WorkMail by calling the RegisterToWorkMail operation | Write | |||
CreateInboundMailFlowRule [permission only] | Grants permission to create an inbound email flow rule which will apply to all email sent to an organization | Write | |||
CreateMailDomain [permission only] | Grants permission to create a mail domain | Write | |||
CreateMailUser [permission only] | Grants permission to create a user in the directory | Write | |||
CreateMobileDeviceAccessRule | Grants permission to create a new mobile device access rule | Write | |||
CreateOrganization | Grants permission to create a new Amazon WorkMail organization | Write | |||
CreateOutboundMailFlowRule [permission only] | Grants permission to create an outbound email flow rule which will apply to all email sent from an organization | Write | |||
CreateResource | Grants permission to create a new WorkMail resource | Write | |||
CreateSmtpGateway [permission only] | Grants permission to register an SMTP gateway to a WorkMail organization | Write | |||
CreateUser | Grants permission to create a user, which can be enabled afterwards by calling the RegisterToWorkMail operation | Write | |||
DeleteAccessControlRule | Grants permission to delete an access control rule | Write | |||
DeleteAlias | Grants permission to remove one or more specified aliases from a set of aliases for a given user | Write | |||
DeleteGroup | Grants permission to delete a group from WorkMail | Write | |||
DeleteInboundMailFlowRule [permission only] | Grants permission to remove an inbound email flow rule so that it no longer applies to emails sent to an organization | Write | |||
DeleteMailDomain [permission only] | Grants permission to remove an unused mail domain from an organization | Write | |||
DeleteMailboxPermissions | Grants permission to delete permissions granted to a member (user or group) | Write | |||
DeleteMobileDevice [permission only] | Grants permission to remove a mobile device from a user | Write | |||
DeleteMobileDeviceAccessRule | Grants permission to delete a mobile device access rule | Write | |||
DeleteOrganization | Grants permission to delete an Amazon WorkMail organization and all underlying AWS resources managed by Amazon WorkMail as part of the organization | Write | |||
DeleteOutboundMailFlowRule [permission only] | Grants permission to remove an outbound email flow rule so that it no longer applies to emails sent from an organization | Write | |||
DeleteResource | Grants permission to delete the specified resource | Write | |||
DeleteRetentionPolicy | Grants permission to delete the retention policy based on the supplied organization and policy identifiers | Write | |||
DeleteSmtpGateway [permission only] | Grants permission to remove an SMTP gateway from an organization | Write | |||
DeleteUser | Grants permission to delete a user from WorkMail and all subsequent systems | Write | |||
DeregisterFromWorkMail | Grants permission to mark a user, group, or resource as no longer used in WorkMail | Write | |||
DescribeDirectories [permission only] | Grants permission to show a list of directories available for use in creating an organization | List | |||
DescribeGroup | Grants permission to read the details for a group | List | |||
DescribeInboundMailFlowRule [permission only] | Grants permission to read the details of an inbound mail flow rule configured for an organization | Read | |||
DescribeKmsKeys [permission only] | Grants permission to show a list of KMS Keys available for use in creating an organization | List | |||
DescribeMailDomains [permission only] | Grants permission to show the details of all mail domains associated with the organization | List | |||
DescribeMailGroups [permission only] | Grants permission to show the details of all groups associated with the organization | List | |||
DescribeMailUsers [permission only] | Grants permission to show the details of all users associated with the organization | List | |||
DescribeMailboxExportJob | Grants permission to retrieve details of a mailbox export job | Read | |||
DescribeOrganization | Grants permission to read details of an organization | List | |||
DescribeOrganizations [permission only] | Grants permission to show a summary of all organizations associated with the account | List | |||
DescribeOutboundMailFlowRule [permission only] | Grants permission to read the details of an outbound mail flow rule configured for an organization | Read | |||
DescribeResource | Grants permission to read the details for a resource | List | |||
DescribeSmtpGateway [permission only] | Grants permission to read the details of an SMTP gateway registered to an organization | Read | |||
DescribeUser | Grants permission to read details for a user | List | |||
DisableMailGroups [permission only] | Grants permission to disable a mail group when it is not being used, in order to allow it to be deleted | Write | |||
DisableMailUsers [permission only] | Grants permission to disable a user mailbox when it is no longer being used, in order to allow it to be deleted | Write | |||
DisassociateDelegateFromResource | Grants permission to remove a member from the resource's set of delegates | Write | |||
DisassociateMemberFromGroup | Grants permission to remove a member from a group | Write | |||
EnableMailDomain [permission only] | Grants permission to enable a mail domain in the organization | Write | |||
EnableMailGroups [permission only] | Grants permission to enable a mail group after it has been created to allow it to receive mail | Write | |||
EnableMailUsers [permission only] | Grants permission to enable a user's mailbox after it has been created to allow it to receive mail | Write | |||
GetAccessControlEffect | Grants permission to get the effects of access control rules as they apply to a specified IPv4 address, access protocol action, or user ID | Read | |||
GetDefaultRetentionPolicy | Grants permission to retrieve the retention policy associated at an organizational level | Read | |||
GetJournalingRules [permission only] | Grants permission to read the configured journaling and fallback email addresses for email journaling | Read | |||
GetMailDomainDetails [permission only] | Grants permission to get the details of the mail domain | Read | |||
GetMailGroupDetails [permission only] | Grants permission to get the details of the mail group | Read | |||
GetMailUserDetails [permission only] | Grants permission to get the details of the user's mailbox and account | Read | |||
GetMailboxDetails | Grants permission to read the details of the user's mailbox | Read | |||
GetMobileDeviceAccessEffect | Grants permission to simulate the effect of the mobile device access rules for the given attributes of a sample access event | Read | |||
GetMobileDeviceDetails [permission only] | Grants permission to get the details of the mobile device | Read | |||
GetMobileDevicesForUser [permission only] | Grants permission to get a list of the mobile devices associated with the user | Read | |||
GetMobilePolicyDetails [permission only] | Grants permission to get the details of the mobile device policy associated with the organization | Read | |||
ListAccessControlRules | Grants permission to list the access control rules | List | |||
ListAliases | Grants permission to list the aliases associated with a given entity | List | |||
ListGroupMembers | Grants permission to read an overview of the members of a group. Users and groups can be members of a group | List | |||
ListGroups | Grants permission to list summaries of the organization's groups | List | |||
ListInboundMailFlowRules [permission only] | Grants permission to list inbound mail flow rules configured for an organization | List | |||
ListMailboxExportJobs | Grants permission to list mailbox export jobs | List | |||
ListMailboxPermissions | Grants permission to list the mailbox permissions associated with a user, group, or resource mailbox | List | |||
ListMembersInMailGroup [permission only] | Grants permission to get a list of all the members in a mail group | Read | |||
ListMobileDeviceAccessRules | Grants permission to list the mobile device access rules | List | |||
ListOrganizations | Grants permission to list the non-deleted organizations | List | |||
ListOutboundMailFlowRules [permission only] | Grants permission to list outbound mail flow rules configured for an organization | List | |||
ListResourceDelegates | Grants permission to list the delegates associated with a resource | List | |||
ListResources | Grants permission to list the organization's resources | List | |||
ListSmtpGateways [permission only] | Grants permission to list SMTP gateways registered to the organization | List | |||
ListTagsForResource | Grants permission to list the tags applied to an Amazon WorkMail organization resource | List | |||
ListUsers | Grants permission to list the organization's users | List | |||
PutAccessControlRule | Grants permission to add a new access control rule | Write | |||
PutMailboxPermissions | Grants permission to set permissions for a user, group, or resource, replacing any existing permissions | Write | |||
PutRetentionPolicy | Grants permission to add or update the retention policy | Write | |||
RegisterToWorkMail | Grants permission to register an existing and disabled user, group, or resource for use by associating a mailbox and calendaring capabilities | Write | |||
RemoveMembersFromGroup [permission only] | Grants permission to remove members from a mail group | Write | |||
ResetPassword | Grants permission to allow the administrator to reset the password for a user | Write | |||
ResetUserPassword [permission only] | Grants permission to reset the password for a user's account | Write | |||
SearchMembers [permission only] | Grants permission to perform a prefix search to find a specific user in a mail group | Read | |||
SetAdmin [permission only] | Grants permission to mark a user as being an administrator | Write | |||
SetDefaultMailDomain [permission only] | Grants permission to set the default mail domain for the organization | Write | |||
SetJournalingRules [permission only] | Grants permission to set journaling and fallback email addresses for email journaling | Write | |||
SetMailGroupDetails [permission only] | Grants permission to set the details of the mail group which has just been created | Write | |||
SetMailUserDetails [permission only] | Grants permission to set the details for the user account which has just been created | Write | |||
SetMobilePolicyDetails [permission only] | Grants permission to set the details of a mobile policy associated with the organization | Write | |||
StartMailboxExportJob | Grants permission to start a new mailbox export job | Write | |||
TagResource | Grants permission to tag the specified Amazon WorkMail organization resource | Tagging | |||
TestInboundMailFlowRules [permission only] | Grants permission to test what inbound rules will apply to an email with a given sender and recipient | Write | |||
TestOutboundMailFlowRules [permission only] | Grants permission to test what outbound rules will apply to an email with a given sender and recipient | Write | |||
UntagResource | Grants permission to untag the specified Amazon WorkMail organization resource | Tagging | |||
UpdateInboundMailFlowRule [permission only] | Grants permission to update the details of an inbound email flow rule which will apply to all email sent to an organization | Write | |||
UpdateMailboxQuota | Grants permission to update the maximum size (in MB) of the user's mailbox | Write | |||
UpdateMobileDeviceAccessRule | Grants permission to update a mobile device access rule | Write | |||
UpdateOutboundMailFlowRule [permission only] | Grants permission to update the details of an outbound email flow rule which will apply to all email sent from an organization | Write | |||
UpdatePrimaryEmailAddress | Grants permission to update the primary email for a user, group, or resource | Write | |||
UpdateResource | Grants permission to update details for the resource | Write | |||
UpdateSmtpGateway [permission only] | Grants permission to update the details of an existing SMTP gateway registered to an organization | Write | |||
WipeMobileDevice [permission only] | Grants permission to remotely wipe the mobile device associated with a user's account | Write | |||
Resource types defined by Amazon WorkMail
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.
Resource types | ARN | Condition keys |
---|---|---|
organization | arn:${Partition}:workmail:${Region}:${Account}:organization/${ResourceId} | |
Condition keys for Amazon WorkMail
Amazon WorkMail defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
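The three tables above are what a policy reviewer works from: the Actions table gives each action's access level, the resource types table gives the only ARN pattern WorkMail defines, and the condition keys table gives the tag keys that can narrow a grant. The following Python script is an added example, not code from the AWS documentation or the WorkMail service. It embeds a subset of the Actions table (action name to access level), a constructed sample policy, and an audit that resolves wildcard Action patterns the way IAM does (case-insensitive, with * and ?) and reports which Write- and Tagging-level actions the policy actually grants, on which Resource, and whether a Condition narrows the grant. The account id, Region and organization id in the ARN are placeholders, and pairing aws:RequestTag with TagResource in the sample statement is an assumption made for the example.

```python
import fnmatch
import json

# Access levels for a subset of the rows in the Actions table above (constructed
# for this example; add the remaining rows the same way).
WORKMAIL_ACTIONS = {
    "workmail:AssociateMemberToGroup": "Write",
    "workmail:CreateUser": "Write",
    "workmail:DeleteOrganization": "Write",
    "workmail:DeleteUser": "Write",
    "workmail:DescribeOrganization": "List",
    "workmail:DescribeUser": "List",
    "workmail:GetMailboxDetails": "Read",
    "workmail:ListAccessControlRules": "List",
    "workmail:ListUsers": "List",
    "workmail:PutAccessControlRule": "Write",
    "workmail:ResetPassword": "Write",
    "workmail:TagResource": "Tagging",
    "workmail:UntagResource": "Tagging",
    "workmail:WipeMobileDevice": "Write",
}

# Constructed sample policy for a help-desk role (not from the page). The ARN
# follows the organization pattern from the resource types table; the account
# and organization ids are placeholders. Pairing aws:RequestTag with
# TagResource is an assumption made for the example.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnlyWorkMail", "Effect": "Allow",
     "Action": ["workmail:Describe*", "workmail:List*", "workmail:GetMailboxDetails"],
     "Resource": "*"},
    {"Sid": "HelpDeskPasswordReset", "Effect": "Allow",
     "Action": "workmail:ResetPassword", "Resource": "*"},
    {"Sid": "TagOwnOrganization", "Effect": "Allow",
     "Action": "workmail:TagResource",
     "Resource": "arn:aws:workmail:us-east-1:111122223333:organization/m-EXAMPLE",
     "Condition": {"StringEquals": {"aws:RequestTag/team": "helpdesk"}}},
    {"Sid": "LeftoverAdminWildcard", "Effect": "Allow",
     "Action": "workmail:*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    # IAM allows either a single string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]


def expand_actions(pattern):
    """Expand one Action pattern (e.g. 'workmail:List*') against the table.
    IAM matches action names case-insensitively and supports * and ?, which
    fnmatch also understands; action names contain no '[' so fnmatch's set
    syntax cannot interfere."""
    pattern = pattern.lower()
    return sorted(a for a in WORKMAIL_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern))


def audit_policy(policy, levels=("Write", "Tagging")):
    """Resolve every Allow statement to concrete actions and report those at
    the given access levels, with the Resource they apply to and whether a
    Condition narrows the grant."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resource = ",".join(_as_list(stmt.get("Resource", [])))
        for pattern in _as_list(stmt.get("Action", [])):
            for action in expand_actions(pattern):
                level = WORKMAIL_ACTIONS[action]
                if level in levels:
                    findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                                     "action": action, "level": level,
                                     "resource": resource,
                                     "conditioned": "Condition" in stmt})
    return findings


def unscoped_write_actions(policy):
    """Write-level actions granted on Resource "*" with no Condition at all;
    these are the grants to review first."""
    return sorted({f["action"] for f in audit_policy(policy, ("Write",))
                   if f["resource"] == "*" and not f["conditioned"]})


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['sid']:24} {f['level']:8} {f['action']:40} "
              f"on {f['resource']} condition={f['conditioned']}")
    print("Unscoped Write actions:", unscoped_write_actions(SAMPLE_POLICY))
```

Run as-is, the read-only statement produces no findings because Describe*, List* and GetMailboxDetails resolve only to List- and Read-level rows, while the leftover workmail:* statement expands to every Write-level action in the table, DeleteOrganization and WipeMobileDevice included, on all resources with no condition. Because the table shows no resource types for WorkMail actions, Resource "*" is expected for most statements; the useful signal is therefore the access level of what a wildcard resolves to, not the resource field alone.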