AWS IAM Tracker

This project collects IAM actions, AWS APIs and managed policies from various public sources.

You can explore the data collected using the static site.

Collected data is published to the policies and services folders in this repo.

Thank you to alanakirby/aktion for originally having this idea and being gracious about me shamelessly ripping it off.

Stats

• Unique services: 452
• Unique actions: 20907
• Managed policies: 1468

Most common managed policy name prefixes:

| Policy ARN | Count | | ------ | ----- | | arn:aws:iam::aws:policy/AWS* | 399 | | arn:aws:iam::aws:policy/Amazon* | 358 | | arn:aws:iam::aws:policy/aws-service-role/* | 336 | | arn:aws:iam::aws:policy/service-role/* | 217 | | arn:aws:iam::aws:policy/job-function/* | 8 | | Other | 150 |

The following table summarises the AWS APIs.

• The first column is the name of the API as far as IAM policies are concerned.
• The second column is IAM actions that exactly match the names of invokable APIs exposed by AWS.
• The third column is invokable APIs that don't have a corresponding IAM action.
• The fourth column is IAM actions that don't have a corresponding invokable API.

| Service | Action/API pairs | APIs without actions | Actions without APIs | | ------ | ----- | ----- | ----- | | ec2 | 625 | 0 | 155 | | sagemaker | 351 | 0 | 61 | | iot | 262 | 3 | 28 | | chime | 259 | 0 | 57 | | connect | 256 | 0 | 106 | | glue | 214 | 4 | 87 | | ses | 193 | 0 | 33 | | quicksight | 174 | 3 | 97 | | rds | 162 | 0 | 7 | | lightsail | 161 | 0 | 0 | | iam | 159 | 0 | 28 | | ssm | 140 | 0 | 16 | | lex | 139 | 2 | 13 | | redshift | 133 | 0 | 33 | | datazone | 123 | 0 | 106 | | mobiletargeting | 122 | 0 | 1 | | servicecatalog | 114 | 0 | 3 | | s3 | 113 | 60 | 55 | | iotwireless | 112 | 0 | 1 | | greengrass | 111 | 0 | 1 | | cloudfront | 110 | 1 | 63 | | gamelift | 108 | 0 | 11 | | cognito-idp | 103 | 0 | 18 | | deadline | 102 | 0 | 13 | | bedrock | 97 | 2 | 138 | | dms | 92 | 14 | 32 | | medialive | 92 | 0 | 33 | | config | 92 | 0 | 5 | | backup | 91 | 0 | 27 | | storagegateway | 90 | 0 | 7 | | workspaces | 88 | 0 | 10 | | es | 87 | 0 | 33 | | proton | 87 | 0 | 24 | | sms-voice | 87 | 0 | 8 | | networkmanager | 85 | 0 | 10 | | comprehend | 85 | 0 | 0 | | workmail | 84 | 0 | 42 | | iotsitewise | 84 | 0 | 22 | | cloudformation | 82 | 0 | 20 | | omics | 82 | 0 | 18 | | waf-regional | 81 | 0 | 0 | | macie2 | 81 | 0 | 0 | | securityhub | 79 | 0 | 36 | | codecommit | 79 | 0 | 11 | | personalize | 78 | 0 | 5 | | waf | 77 | 0 | 0 | | devicefarm | 77 | 0 | 0 | | cleanrooms | 76 | 0 | 16 | | appstream | 75 | 0 | 14 | | elasticache | 75 | 0 | 2 | | rekognition | 75 | 0 | 1 | | logs | 74 | 0 | 48 | | guardduty | 74 | 0 | 14 | | opsworks | 74 | 0 | 0 | | sso | 73 | 0 | 53 | | imagebuilder | 73 | 0 | 4 | | frauddetector | 73 | 0 | 1 | | wellarchitected | 72 | 0 | 1 | | mgn | 70 | 0 | 64 | | route53 | 70 | 0 | 1 | | athena | 68 | 0 | 13 | | route53resolver | 68 | 0 | 0 | | ds | 67 | 0 | 24 | | elasticloadbalancing | 66 | 0 | 11 | | kendra | 66 | 0 | 0 | | clouddirectory | 66 | 0 | 0 | | forecast | 65 | 0 | 5 | | autoscaling | 65 | 0 | 3 | | appsync | 64 | 0 | 23 | | lambda | 63 | 3 | 25 | | ivs | 63 | 0 | 8 | | directconnect | 63 | 0 | 0 | | auditmanager | 62 | 0 | 0 | | transfer | 60 | 0 | 11 | | datasync | 60 | 0 | 6 | | geo | 60 | 0 | 0 | | inspector2 | 59 | 0 | 16 | | workspaces-web | 58 | 0 | 17 | | events | 57 | 0 | 3 | | robomaker | 57 | 0 | 2 | | dynamodb | 56 | 5 | 22 | | elasticmapreduce | 56 | 0 | 27 | | eks | 56 | 0 | 12 | | ecs | 56 | 0 | 11 | | globalaccelerator | 56 | 0 | 0 | | qbusiness | 55 | 0 | 38 | | redshift-serverless | 55 | 0 | 13 | | resiliencehub | 55 | 0 | 8 | | organizations | 55 | 0 | 8 | | lakeformation | 54 | 1 | 7 | | wafv2 | 54 | 0 | 3 | | kms | 52 | 1 | 3 | | profile | 52 | 0 | 50 | | kafka | 52 | 0 | 7 | | vpc-lattice | 51 | 1 | 24 | | mediaconnect | 51 | 0 | 29 | | iotfleetwise | 50 | 2 | 6 | | drs | 50 | 0 | 40 | | codebuild | 50 | 0 | 17 | | license-manager | 50 | 0 | 12 | | finspace | 50 | 0 | 9 | | nimble | 49 | 0 | 2 | | lookoutequipment | 49 | 0 | 0 | | cloudtrail | 48 | 1 | 18 | | codeartifact | 48 | 0 | 3 | | wisdom | 47 | 0 | 46 | | ecr | 47 | 0 | 13 | | elasticbeanstalk | 47 | 0 | 3 | | codedeploy | 47 | 0 | 1 | | transcribe | 46 | 0 | 5 | | fsx | 45 | 0 | 11 | | appconfig | 45 | 0 | 2 | | workdocs | 44 | 0 | 17 | | mediatailor | 44 | 0 | 0 | | databrew | 44 | 0 | 0 | | codepipeline | 43 | 0 | 1 | | fms | 42 | 0 | 0 | | sns | 41 | 1 | 0 | | ce | 41 | 0 | 18 | | kinesisvideo | 40 | 0 | 6 | | iottwinmaker | 40 | 0 | 0 | | swf | 39 | 0 | 12 | | ssm-contacts | 39 | 0 | 1 | | mechanicalturk | 39 | 0 | 0 | | cloudwatch | 38 | 0 | 21 | | memorydb | 38 | 0 | 9 | | appmesh | 38 | 0 | 4 | | iotevents | 38 | 0 | 1 | | evidently | 38 | 0 | 0 | | aoss | 37 | 0 | 12 | | apprunner | 37 | 0 | 5 | | amplify | 37 | 0 | 4 | | states | 37 | 0 | 2 | | inspector | 37 | 0 | 0 | | network-firewall | 36 | 0 | 43 | | entityresolution | 36 | 0 | 4 | | shield | 36 | 0 | 3 | | sms | 35 | 0 | 2 | | cases | 34 | 0 | 7 | | m2 | 34 | 0 | 3 | | panorama | 34 | 0 | 2 | | ram | 34 | 0 | 1 | | route53domains | 34 | 0 | 0 | | iotanalytics | 34 | 0 | 0 | | access-analyzer | 33 | 2 | 2 | | groundstation | 33 | 0 | 2 | | worklink | 33 | 0 | 1 | | kinesisanalytics | 33 | 0 | 1 | | applicationinsights | 33 | 0 | 1 | | tnb | 33 | 0 | 0 | | glacier | 33 | 0 | 0 | | kinesis | 32 | 0 | 8 | | route53-recovery-readiness | 32 | 0 | 0 | | billingconductor | 32 | 0 | 0 | | payment-cryptography | 31 |