Actions, resources, and condition keys for Amazon WorkMail
Amazon WorkMail (service prefix: workmail) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon WorkMail
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AllowVendedLogDeliveryForResource [permission only] | Grants permission to configure vended log delivery for WorkMail audit logs | Write | |||
| AssociateDelegateToResource | Grants permission to add a member (user or group) to the resource's set of delegates | Write | |||
| AssociateMemberToGroup | Grants permission to add a member (user or group) to the group's set | Write | |||
| AssumeImpersonationRole | Grants permission to assume an impersonation role for the given Amazon WorkMail organization | Write | |||
| CancelMailboxExportJob | Grants permission to cancel a currently running mailbox export job | Write | |||
| CreateAlias | Grants permission to add an alias to the set of a given member (user or group) of WorkMail | Write | |||
| CreateAvailabilityConfiguration | Grants permission to create an AvailabilityConfiguration for the given Amazon WorkMail organization and domain | Write | |||
| CreateGroup | Grants permission to create a group that can be used in WorkMail by calling the RegisterToWorkMail operation | Write | |||
| CreateImpersonationRole | Grants permission to create an impersonation role for the given Amazon WorkMail organization | Write | |||
| CreateInboundMailFlowRule [permission only] | Grants permission to create an inbound email flow rule which will apply to all email sent to an organization | Write | |||
| CreateMailDomain [permission only] | Grants permission to create a mail domain | Write | |||
| CreateMobileDeviceAccessRule | Grants permission to create a new mobile device access rule | Write | |||
| CreateOrganization | Grants permission to create a new Amazon WorkMail organization | Write | |||
| CreateOutboundMailFlowRule [permission only] | Grants permission to create an outbound email flow rule which will apply to all email sent from an organization | Write | |||
| CreateResource | Grants permission to create a new WorkMail resource | Write | |||
| CreateSmtpGateway [permission only] | Grants permission to register an SMTP gateway to a WorkMail organization | Write | |||
| CreateUser | Grants permission to create a user, which can be enabled afterwards by calling the RegisterToWorkMail operation | Write | |||
| DeleteAccessControlRule | Grants permission to delete an access control rule | Write | |||
| DeleteAlias | Grants permission to remove one or more specified aliases from a set of aliases for a given user | Write | |||
| DeleteAvailabilityConfiguration | Grants permission to delete the AvailabilityConfiguration for the given Amazon WorkMail organization and domain | Write | |||
| DeleteEmailMonitoringConfiguration | Grants permission to delete the email monitoring configuration for an organization | Write | |||
| DeleteGroup | Grants permission to delete a group from WorkMail | Write | |||
| DeleteImpersonationRole | Grants permission to delete an impersonation role for the given Amazon WorkMail organization | Write | |||
| DeleteInboundMailFlowRule [permission only] | Grants permission to remove an inbound email flow rule to no longer apply to emails sent to an organization | Write | |||
| DeleteMailDomain [permission only] | Grants permission to remove an unused mail domain from an organization | Write | |||
| DeleteMailboxPermissions | Grants permission to delete permissions granted to a member (user or group) | Write | |||
| DeleteMobileDevice [permission only] | Grants permission to remove a mobile device from a user | Write | |||
| DeleteMobileDeviceAccessOverride | Grants permission to delete a mobile device access override | Write | |||
| DeleteMobileDeviceAccessRule | Grants permission to delete a mobile device access rule | Write | |||
| DeleteOrganization | Grants permission to delete an Amazon WorkMail organization and all underlying AWS resources managed by Amazon WorkMail as part of the organization | Write | |||
| DeleteOutboundMailFlowRule [permission only] | Grants permission to remove an outbound email flow rule so that it no longer applies to emails sent from an organization | Write | |||
| DeleteResource | Grants permission to delete the specified resource | Write | |||
| DeleteRetentionPolicy | Grants permission to delete the retention policy based on the supplied organization and policy identifiers | Write | |||
| DeleteSmtpGateway [permission only] | Grants permission to remove an SMTP gateway from an organization | Write | |||
| DeleteUser | Grants permission to delete a user from WorkMail and all subsequent systems | Write | |||
| DeregisterFromWorkMail | Grants permission to mark a user, group, or resource as no longer used in WorkMail | Write | |||
| DeregisterMailDomain | Grants permission to deregister a mail domain from an organization | Write | |||
| DescribeEmailMonitoringConfiguration | Grants permission to retrieve the email monitoring configuration for an organization | Read | |||
| DescribeEntity | Grants permission to read details of an entity | Read | |||
| DescribeGroup | Grants permission to read the details for a group | List | |||
| DescribeInboundDmarcSettings | Grants permission to read the settings in a DMARC policy for a specified organization | Read | |||
| DescribeInboundMailFlowRule [permission only] | Grants permission to read the details of an inbound mail flow rule configured for an organization | Read | |||
| DescribeMailDomains [permission only] | Grants permission to show the details of all mail domains associated with the organization | List | |||
| DescribeMailboxExportJob | Grants permission to retrieve details of a mailbox export job | Read | |||
| DescribeOrganization | Grants permission to read details of an organization | List | |||
| DescribeOutboundMailFlowRule [permission only] | Grants permission to read the details of an outbound mail flow rule configured for an organization | Read | |||
| DescribeResource | Grants permission to read the details for a resource | List | |||
| DescribeSmtpGateway [permission only] | Grants permission to read the details of an SMTP gateway registered to an organization | Read | |||
| DescribeUser | Grants permission to read details for a user | List | |||
| DisassociateDelegateFromResource | Grants permission to remove a member from the resource's set of delegates | Write | |||
| DisassociateMemberFromGroup | Grants permission to remove a member from a group | Write | |||
| EnableMailDomain [permission only] | Grants permission to enable a mail domain in the organization | Write | |||
| GetAccessControlEffect | Grants permission to get the effects of access control rules as they apply to a specified IPv4 address, access protocol action, or user ID | Read | |||
| GetDefaultRetentionPolicy | Grants permission to retrieve the retention policy associated at an organizational level | Read | |||
| GetImpersonationRole | Grants permission to retrieve an impersonation role for the given Amazon WorkMail organization | Read | |||
| GetImpersonationRoleEffect | Grants permission to get the effect of the rules associated to an impersonation role for a specific user | Read | |||
| GetJournalingRules [permission only] | Grants permission to read the configured journaling and fallback email addresses for email journaling | Read | |||
| GetMailDomain | Grants permission to retrieve details of a given mail domain in an organization | Read | |||
| GetMailDomainDetails [permission only] | Grants permission to get the details of the mail domain | Read | |||
| GetMailboxDetails | Grants permission to read the details of the user's mailbox | Read | |||
| GetMobileDeviceAccessEffect | Grants permission to simulate the effect of the mobile device access rules for the given attributes of a sample access event | Read | |||
| GetMobileDeviceAccessOverride | Grants permission to retrieve a mobile device access override | Read | |||
| GetMobileDeviceDetails [permission only] | Grants permission to get the details of the mobile device | Read | |||
| GetMobileDevicesForUser [permission only] | Grants permission to get a list of the mobile devices associated with the user | Read | |||
| GetMobilePolicyDetails [permission only] | Grants permission to get the details of the mobile device policy associated with the organization | Read | |||
| ListAccessControlRules | Grants permission to list the access control rules | Read | |||
| ListAliases | Grants permission to list the aliases associated with a given entity | List | |||
| ListAvailabilityConfigurations | Grants permission to list all the AvailabilityConfiguration's for the given Amazon WorkMail organization | Read | |||
| ListGroupMembers | Grants permission to read an overview of the members of a group. Users and groups can be members of a group | List | |||
| ListGroups | Grants permission to list summaries of the organization's groups | List | |||
| ListGroupsForEntity | Grants permission to list the groups to which an entity belongs | List | |||
| ListImpersonationRoles | Grants permission to list the impersonation roles for the given Amazon WorkMail organization | List | |||
| ListInboundMailFlowRules [permission only] | Grants permission to list inbound mail flow rules configured for an organization | List | |||
| ListMailDomains | Grants permission to list the mail domains for a given organization | List | |||
| ListMailboxExportJobs | Grants permission to list mailbox export jobs | List | |||
| ListMailboxPermissions | Grants permission to list the mailbox permissions associated with a user, group, or resource mailbox | List | |||
| ListMobileDeviceAccessOverrides | Grants permission to list the mobile device access overrides | Read | |||
| ListMobileDeviceAccessRules | Grants permission to list the mobile device access rules | Read | |||
| ListOrganizations | Grants permission to list the non-deleted organizations | List | |||
| ListOutboundMailFlowRules [permission only] | Grants permission to list outbound mail flow rules configured for an organization | List | |||
| ListResourceDelegates | Grants permission to list the delegates associated with a resource | List | |||
| ListResources | Grants permission to list the organization's resources | List | |||
| ListSmtpGateways [permission only] | Grants permission to list SMTP gateways registered to the organization | List | |||
| ListTagsForResource | Grants permission to list the tags applied to an Amazon WorkMail organization resource | List | |||
| ListUsers | Grants permission to list the organization's users | List | |||
| PutAccessControlRule | Grants permission to add a new access control rule | Write | |||
| PutEmailMonitoringConfiguration | Grants permission to add or update the email monitoring configuration for an organization | Write | |||
| PutInboundDmarcSettings | Grants permission to enable or disable a DMARC policy for a given organization | Write | |||
| PutMailboxPermissions | Grants permission to set permissions for a user, group, or resource, replacing any existing permissions | Write | |||
| PutMobileDeviceAccessOverride | Grants permission to add or update a mobile device access override | Write | |||
| PutRetentionPolicy | Grants permission to add or update the retention policy | Write | |||
| RegisterMailDomain | Grants permission to register a new mail domain in an organization | Write | |||
| RegisterToWorkMail | Grants permission to register an existing and disabled user, group, or resource for use by associating a mailbox and calendaring capabilities | Write | |||
| ResetPassword | Grants permission to allow the administrator to reset the password for a user | Write | |||
| SearchMembers [permission only] | Grants permission to perform a prefix search to find a specific user in a mail group | Read | |||
| SetDefaultMailDomain [permission only] | Grants permission to set the default mail domain for the organization | Write | |||
| SetJournalingRules [permission only] | Grants permission to set journaling and fallback email addresses for email journaling | Write | |||
| SetMobilePolicyDetails [permission only] | Grants permission to set the details of a mobile policy associated with the organization | Write | |||
| StartMailboxExportJob | Grants permission to start a new mailbox export job | Write | |||
| TagResource | Grants permission to tag the specified Amazon WorkMail organization resource | Tagging | |||
| TestAvailabilityConfiguration | Grants permission to performs a test on an availability provider to ensure that access is allowed | Read | |||
| TestInboundMailFlowRules [permission only] | Grants permission to test what inbound rules will apply to an email with a given sender and recipient | Write | |||
| TestOutboundMailFlowRules [permission only] | Grants permission to test what outbound rules will apply to an email with a given sender and recipient | Write | |||
| UntagResource | Grants permission to untag the specified Amazon WorkMail organization resource | Tagging | |||
| UpdateAvailabilityConfiguration | Grants permission to update an existing AvailabilityConfiguration for the given Amazon WorkMail organization and domain | Write | |||
| UpdateDefaultMailDomain | Grants permission to update which domain is the default domain for an organization | Write | |||
| UpdateGroup | Grants permission to update details of a group | Write | |||
| UpdateImpersonationRole | Grants permission to update an existing impersonation role for the given Amazon WorkMail organization | Write | |||
| UpdateInboundMailFlowRule [permission only] | Grants permission to update the details of an inbound email flow rule which will apply to all email sent to an organization | Write | |||
| UpdateMailboxQuota | Grants permission to update the maximum size (in MB) of the user's mailbox | Write | |||
| UpdateMobileDeviceAccessRule | Grants permission to update a mobile device access rule | Write | |||
| UpdateOutboundMailFlowRule [permission only] | Grants permission to update the details of an outbound email flow rule which will apply to all email sent from an organization | Write | |||
| UpdatePrimaryEmailAddress | Grants permission to update the primary email for a user, group, or resource | Write | |||
| UpdateResource | Grants permission to update details for the resource | Write | |||
| UpdateSmtpGateway [permission only] | Grants permission to update the details of an existing SMTP gateway registered to an organization | Write | |||
| UpdateUser | Grants permission to update details of a user | Write | |||
| WipeMobileDevice [permission only] | Grants permission to remotely wipe the mobile device associated with a user's account | Write |
Resource types defined by Amazon WorkMail
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| organization |
arn:${Partition}:workmail:${Region}:${Account}:organization/${ResourceId}
|
Condition keys for Amazon WorkMail
Amazon WorkMail defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the tag key-value pairs that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by the tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
