CloudTrail

Browse the CloudTrail mappings on this page, download the mappings (in CSV/STIX format), or visualize the sensor coverage in ATT&CK Navigator.


Enterprise

EVENT ID

EVENT DESCRIPTION

ATT&CK DATA SOURCE

ATT&CK DATA COMPONENT

AddClientIDToOpenIDConnectProvider

Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource.

Active Directory

Active Directory Object Modification

AddRoleToInstanceProfile

Adds the specified IAM role to the specified instance profile. An instance profile can contain only one role, and this quota cannot be increased. You can remove the existing role and then add a different role to an instance profile.

Instance

Instance Metadata

AddUserToGroup

A user has been added to a group.

Group

Group Modification

AttachGroupPolicy

A managed policy has been added to an IAM group.

Group

Group Modification

AttachRolePolicy

A managed policy has been added to an IAM role.

User Account

User Account Metadata

AttachUserPolicy

A managed policy has been added to an IAM user.

User Account

User Account Metadata

ChangePassword

A password for an IAM user has been changed. Changes the password of the IAM user who is calling this operation. This operation can be performed using the AWS CLI, the AWS API, or the My Security Credentials page in the AWS Management Console. The AWS account root user password is not affected by this operation.

User Account

User Account Metadata

ConsoleLogin

A user has signed in to the AWS Management Console. That user could be an account owner, a federated user or an IAM user.

Logon Session

Logon Session Creation

CreateAccessKey

A new AWS secret access key and access key ID have been created.

User Account

User Account Metadata

CreateAccountAlias

Creates an alias for your AWS account.

User Account

User Account Metadata

CreateGroup

A new group has been created.

Group

Group Creation

CreateImage

Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.

Image

Image Creation

CreateInstanceProfile

Creates a new instance profile.

Instance

Instance Metadata

CreateLoginProfile

A new password has been created for a user to access AWS services through the management console.

User Account

User Account Metadata

CreateOpenIDConnectProvider

Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC). The OIDC provider that you create with this operation can be used as a principal in a role’s trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider.

Active Directory

Active Directory Object Creation

CreatePolicy

A new managed policy has been created for an AWS account.

User Account

User Account Metadata

CreatePolicyVersion

Creates a new version of the specified managed policy. To update a managed policy, you create a new policy version. A managed policy can have up to five versions. If the policy has five versions, you must delete an existing version using DeletePolicyVersion before you create a new version.

User Account

User Account Metadata

CreateRole

A new role for an AWS account has been created.

User Account

User Account Metadata

CreateSAMLProvider

Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0. The SAML provider resource that you create with this operation can be used as a principal in an IAM role’s trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS. When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP.

Active Directory

Active Directory Object Metadata

CreateServiceLinkedRole

Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state.

User Account

User Account Metadata

CreateServiceSpecificCredential

Generates a set of credentials consisting of a user name and password that can be used to access the service specified in the request. These credentials are generated by IAM, and can be used only for the specified service. You can have a maximum of two sets of service-specific credentials for each supported service per user.

User Account

User Account Metadata

CreateSnapshot

Creates a snapshot of an EBS volume and stores it in Amazon S3.

Snapshot

Snapshot Creation

CreateUser

A new IAM user has been created for an AWS account.

User Account

User Account Creation

CreateVirtualMFADevice

Creates a new virtual MFA device for the AWS account. After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user.

User Account

User Account Authentication

CreateVolume

Creates an EBS volume that can be attached to an instance in the same Availability Zone.

Volume

Volume Creation

DeactivateMFADevice

Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.

User Account

User Account Authentication

DeleteAccessKey

An access key pair for an IAM user has been deleted.

User Account

User Account Metadata

DeleteAccountAlias

An AWS account alias has been deleted.

User Account

User Account Metadata

DeleteAccountPasswordPolicy

A password policy for an account has been deleted.

User Account

User Account Metadata

DeleteGroup

An IAM group has been deleted. The group won’t have contained any users or policies at time of deletion.

Group

Group Deletion

DeleteGroupPolicy

An inline policy for an IAM group has been deleted.

Group

Group Metadata

DeleteInstanceProfile

Deletes the specified instance profile. The instance profile must not have an associated role.

Instance

Instance Metadata

DeleteLoginProfile

A password for an IAM user has been deleted, thus removing that user’s ability to access services through the console.

User Account

User Account Metadata

DeleteOpenIDConnectProvider

Deletes an OpenID Connect identity provider (IdP) resource object in IAM. Deleting an IAM OIDC provider resource does not update any roles that reference the provider as a principal in their trust policies. Any attempt to assume a role that references a deleted provider fails.

Active Directory

Active Directory Object Deletion

DeletePolicyVersion

A version of a policy has been deleted.

User Account

User Account Metadata

DeleteRole

A role has been deleted. The role will not have had any policies attached if it was able to be deleted.

User Account

User Account Metadata

DeleteRolePermissionsBoundary

Deletes the permissions boundary for the specified IAM role. You cannot set the boundary for a service-linked role.

User Account

User Account Metadata

DeleteRolePolicy

An inline policy for an IAM role has been deleted.

User Account

User Account Metadata

DeleteSAMLProvider

Deletes a SAML provider resource in IAM. Deleting the provider resource from IAM does not update any roles that reference the SAML provider resource’s ARN as a principal in their trust policies. Any attempt to assume a role that references a non-existent provider resource ARN fails.

Active Directory

Active Directory Object Deletion

DeleteSSHPublicKey

An SSH public key has been deleted. The SSH public key deleted by this operation is used only for authenticating the associated IAM user to a CodeCommit repository.

User Account

User Account Metadata

DeleteServerCertificate

A server certificate has been deleted.

Certificate

Certificate Deletion

DeleteServiceLinkedRole

Submits a service-linked role deletion request and returns a DeletionTaskId, which you can use to check the status of the deletion. Before you call this operation, confirm that the role has no active sessions and that any resources used by the role in the linked service are deleted.

Cloud Service Account

Cloud Service Account Metadata

DeleteServiceSpecificCredential

Deletes the specified service-specific credential.

User Account

User Account Metadata

DeleteSigningCertificate

A signing certificate has been deleted.

User Account

User Account Metadata

DeleteSnapshot

Deletes the specified snapshot.

Snapshot

Snapshot Deletion

DeleteUser

A user has been deleted.

User Account

User Account Deletion

DeleteUserPermissionsBoundary

Deletes the permissions boundary for the specified IAM user.

User Account

User Account Metadata

DeleteUserPolicy

An inline policy for an IAM user has been deleted.

User Account

User Account Metadata

DeleteVirtualMFADevice

Deletes a virtual MFA device.

User Account

User Account Authentication

DetachGroupPolicy

Removes the specified managed policy from the specified IAM group.

Group

Group Metadata

DetachRolePolicy

A managed policy has been removed from a role.

User Account

User Account Metadata

DetachUserPolicy

A managed policy has been removed from a user.

User Account

User Account Metadata

DetachVolume

Detaches an EBS volume from an instance.

Volume

Volume Modification

EnableMFADevice

Enables the specified MFA device and associates it with the specified IAM user. When enabled, the MFA device is required for every subsequent login by the IAM user associated with the device.

User Account

User Account Authentication

GenerateCredentialReport

Retrieves a credential report for the AWS account.

User Account

User Account Metadata

GenerateOrganizationsAccessReport

Generates a report for service last accessed data for AWS Organizations. You can generate a report for any entities (organization root, organizational unit, or account) or policies in your organization. To call this operation, you must be signed in using your Organizations management account credentials. You can use your long-term IAM user or root user credentials, or temporary credentials from assuming an IAM role. SCPs must be enabled for your organization root. You must have the required IAM and Organizations permissions.

Cloud Service Account

Cloud Service Account Metadata

GenerateServiceLastAccessedDetails

Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. Recent activity usually appears within four hours.

Cloud Service

Cloud Service Metadata

GetAccountAuthorizationDetails

Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. Use this operation to obtain a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) in your account.

User Account

User Account Metadata

GetAccountPasswordPolicy

Retrieves the password policy for the AWS account. This tells you the complexity requirements and mandatory rotation periods for the IAM user passwords in your account.

User Account

User Account Metadata

GetAccountSummary

Retrieves information about IAM entity usage and IAM quotas in the AWS account.

User Account

User Account Access

GetContextKeysForCustomPolicy

Gets a list of all of the context keys referenced in the input policies. The policies are supplied as a list of one or more strings. To get the context keys from policies associated with an IAM user, group, or role, use GetContextKeysForPrincipalPolicy.

User Account

User Account Metadata

GetContextKeysForPrincipalPolicy

Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of.

Group

Group Metadata

GetContextKeysForPrincipalPolicy

Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of.

User Account

User Account Metadata

GetCredentialReport

Retrieves a credential report for the AWS account.

User Account

User Account Metadata

GetGroup

Returns a list of IAM users that are in the specified IAM group.

Group

Group Access

GetGroupPolicy

Retrieves the specified inline policy document that is embedded in the specified IAM group.

Group

Group Metadata

GetInstanceProfile

Retrieves information about the specified instance profile, including the instance profile’s path, GUID, ARN, and role.

Instance

Instance Metadata

GetLoginProfile

Retrieves the user name and password-creation date for the specified IAM user.

User Account

User Account Metadata

GetMFADevice

Retrieves information about an MFA device for a specified user.

User Account

User Account Authentication

GetOpenIDConnectProvider

Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM.

Active Directory

Active Directory Object Access

GetOrganizationsAccessReport

Retrieves the service last accessed data report for AWS Organizations that was previously generated using the GenerateOrganizationsAccessReport operation. This operation retrieves the status of your report job and the report contents. To call this operation, you must be signed in to the management account in your organization. SCPs must be enabled for your organization root. You must have permissions to perform this operation. For each service that principals in an account (root user, IAM users, or IAM roles) could access using SCPs, the operation returns details about the most recent access attempt.

Cloud Service Account

Cloud Service Account Access

GetPolicy

Retrieves information about the specified managed policy, including the policy’s default version and the total number of IAM users, groups, and roles to which the policy is attached.

User Account

User Account Metadata

GetPolicyVersion

Retrieves information about the specified version of the specified managed policy, including the policy document.

User Account

User Account Metadata

GetRole

Retrieves information about the specified role, including the role’s path, GUID, ARN, and the role’s trust policy that grants permission to assume the role.

User Account

User Account Metadata

GetRolePolicy

Retrieves the specified inline policy document that is embedded with the specified IAM role.

User Account

User Account Metadata

GetSSHPublicKey

Retrieves the specified SSH public key, including metadata about the key. The SSH public key retrieved by this operation is used only for authenticating the associated IAM user to a CodeCommit repository.

User Account

User Account Access

GetServerCertificate

Retrieves information about the specified server certificate stored in IAM.

Certificate

Certificate Access

GetServiceLastAccessedDetails

Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. The report includes a list of AWS services that the resource (user, group, role, or managed policy) can access.

Cloud Service Account

Cloud Service Account Metadata

GetServiceLastAccessedDetailsWithEntities

After you generate a group or policy report using the GenerateServiceLastAccessedDetails operation, you can use the JobId parameter in GetServiceLastAccessedDetailsWithEntities. This operation retrieves the status of your report job and a list of entities that could have used group or policy permissions to access the specified service. Group – For a group report, this operation returns a list of users in the group that could have used the group’s policies in an attempt to access the service. Policy – For a policy report, this operation returns a list of entities (users or roles) that could have used the policy in an attempt to access the service. You can also use this operation for user or role reports to retrieve details about those entities.

Cloud Service Account

Cloud Service Account Metadata

GetServiceLinkedRoleDeletionStatus

Retrieves the status of your service-linked role deletion.

Cloud Service Account

Cloud Service Account Access

GetUser

Retrieves information about the specified IAM user, including the user’s creation date, path, unique ID, and ARN.

User Account

User Account Access

GetUserPolicy

Retrieves the specified inline policy document that is embedded in the specified IAM user.

User Account

User Account Metadata

ListAccessKeys

Returns information about the access key IDs associated with the specified IAM user. If there is none, the operation returns an empty list.

User Account

User Account Enumeration

ListAccountAliases

Lists the account alias associated with the AWS account (Note: you can have only one).

User Account

User Account Enumeration

ListAttachedGroupPolicies

Lists all managed policies that are attached to the specified IAM group.

Group

Group Enumeration

ListAttachedRolePolicies

Lists all managed policies that are attached to the specified IAM role.

User Account

User Account Metadata

ListAttachedUserPolicies

Lists all managed policies that are attached to the specified IAM user.

User Account

User Account Enumeration

ListEntitiesForPolicy

Lists all IAM users, groups, and roles that the specified managed policy is attached to.

Group

Group Metadata

ListEntitiesForPolicy

Lists all IAM users, groups, and roles that the specified managed policy is attached to.

User Account

User Account Metadata

ListGroupPolicies

Lists the names of the inline policies that are embedded in the specified IAM group.

Group

Group Enumeration

ListGroups

Lists the IAM groups that have the specified path prefix.

Group

Group Enumeration

ListGroupsForUser

Lists the IAM groups that the specified IAM user belongs to.

Group

Group Enumeration

ListInstanceProfileTags

Lists the tags that are attached to the specified IAM instance profile. The returned list of tags is sorted by tag key.

Instance

Instance Metadata

ListInstanceProfiles

Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.

Instance

Instance Metadata

ListInstanceProfilesForRole

Lists the instance profiles that have the specified associated IAM role. If there are none, the operation returns an empty list.

Instance

Instance Metadata

ListMFADeviceTags

Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. The returned list of tags is sorted by tag key.

User Account

User Account Authentication

ListMFADevices

Lists the MFA devices for an IAM user. If the request includes an IAM user name, then this operation lists all the MFA devices associated with the specified user. If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request for this operation.

User Account

User Account Authentication

ListOpenIDConnectProviderTags

Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible identity provider. The returned list of tags is sorted by tag key.

Active Directory

Active Directory Object Enumeration

ListOpenIDConnectProviders

Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.

Active Directory

Active Directory Object Enumeration

ListPolicies

Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies.

User Account

User Account Enumeration

ListPoliciesGrantingServiceAccess

Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service. The list of policies returned by the operation depends on the ARN of the identity that you provide.

Group

Group Metadata

ListPoliciesGrantingServiceAccess

Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service. The list of policies returned by the operation depends on the ARN of the identity that you provide.

User Account

User Account Metadata

ListPolicyTags

Lists the tags that are attached to the specified IAM customer managed policy. The returned list of tags is sorted by tag key.

User Account

User Account Metadata

ListPolicyVersions

Lists information about the versions of the specified managed policy, including the version that is currently set as the policy’s default version.

User Account

User Account Metadata

ListRolePolicies

Lists the names of the inline policies that are embedded in the specified IAM role.

User Account

User Account Metadata

ListRoleTags

Lists the tags that are attached to the specified role. The returned list of tags is sorted by tag key.

User Account

User Account Metadata

ListRoles

Lists the IAM roles that have the specified path prefix. If there are none, the operation returns an empty list.

User Account

User Account Metadata

ListSAMLProviderTags

Lists the tags that are attached to the specified Security Assertion Markup Language (SAML) identity provider. The returned list of tags is sorted by tag key.

Active Directory

Active Directory Object Enumeration

ListSAMLProviders

Lists the SAML provider resource objects defined in IAM in the account.

Active Directory

Active Directory Object Enumeration

ListSSHPublicKeys

Returns information about the SSH public keys associated with the specified IAM user. If none exists, the operation returns an empty list.

User Account

User Account Enumeration

ListServerCertificates

Lists the server certificates stored in IAM that have the specified path prefix. If none exist, the operation returns an empty list.

Certificate

Certificate Enumeration

ListServiceSpecificCredentials

Returns information about the service-specific credentials associated with the specified IAM user. If none exists, the operation returns an empty list. The service-specific credentials returned by this operation are used only for authenticating the IAM user to a specific service.

User Account

User Account Enumeration

ListSigningCertificates

Returns information about the signing certificates associated with the specified IAM user. If none exists, the operation returns an empty list.

User Account

User Account Enumeration

ListUserPolicies

Lists the names of the inline policies embedded in the specified IAM user.

User Account

User Account Enumeration

ListUserTags

Lists the tags that are attached to the specified IAM user. The returned list of tags is sorted by tag key.

User Account

User Account Enumeration

ListUsers

Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.

User Account

User Account Enumeration

ListVirtualMFADevices

Lists the virtual MFA devices defined in the AWS account by assignment status. If you do not specify an assignment status, the operation returns a list of all virtual MFA devices.

User Account

User Account Authentication

ModifyImageAttribute

Modifies the specified attribute of the specified AMI. You can specify only one attribute at a time.

Image

Image Modification

ModifySnapshotAttribute

Adds or removes permission settings for the specified snapshot. You may add or remove specified AWS account IDs from a snapshot’s list of create volume permissions, but you cannot do both in a single operation.

Snapshot

Snapshot Modification

ModifyVolume

You can modify several parameters of an existing EBS volume, including volume size, volume type, and IOPS capacity.

Volume

Volume Modification

PutGroupPolicy

A policy for an IAM group has been added or updated.

Group

Group Metadata

PutGroupPolicy

Adds or updates an inline policy document that is embedded in the specified IAM group.

Group

Group Metadata

PutRolePermissionsBoundary

Adds or updates the policy that is specified as the IAM role’s permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a role. Use the boundary to control the maximum permissions that the role can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the role.

User Account

User Account Metadata

PutRolePolicy

A policy for an IAM role has been added or updated.

User Account

User Account Metadata

PutRolePolicy

Adds or updates an inline policy document that is embedded in the specified IAM role.

User Account

User Account Metadata

PutUserPermissionsBoundary

Adds or updates the policy that is specified as the IAM user’s permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a user. Use the boundary to control the maximum permissions that the user can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the user.

User Account

User Account Metadata

PutUserPolicy

A policy for an IAM user has been added or updated.

User Account

User Account Metadata

PutUserPolicy

Adds or updates an inline policy document that is embedded in the specified IAM user.

User Account

User Account Metadata

RemoveClientIDFromOpenIDConnectProvider

Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object.

Active Directory

Active Directory Object Modification

RemoveRoleFromInstanceProfile

An IAM role has been removed from an EC2 instance profile.

Instance

Instance Metadata

RemoveUserFromGroup

A user has been removed from an IAM group.

Group

Group Modification

ResetServiceSpecificCredential

Resets the password for a service-specific credential. The new password is AWS generated and cryptographically strong. It cannot be configured by the user. Resetting the password immediately invalidates the previous password associated with this user.

Cloud Service Account

Cloud Service Account Metadata

ResyncMFADevice

Synchronizes the specified MFA device with its IAM resource object on the AWS servers.

User Account

User Account Authentication

RunInstances

An instance has been launched. From the associated metadata you’ll be able to determine who the owner is, what regions the resources are in, the InstanceType and more.

Instance

Instance Start

SetDefaultPolicyVersion

A version of a policy has been set as a default. This can apply to users, groups and roles. To find specifics, use the ListEntitiesForPolicy API.

User Account

User Account Metadata

SetSecurityTokenPreferences

Sets the specified version of the global endpoint token as the token version used for the AWS account.

User Account

User Account Modification

SimulateCustomPolicy

Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API operations and AWS resources to determine the policies’ effective permissions. The policies are provided as strings.

User Account

User Account Metadata

SimulatePrincipalPolicy

Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies’ effective permissions. The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to. You can simulate resources that don’t exist in your account.

User Account

User Account Metadata

StartInstances

An instance has been started. Metadata similar to that of RunInstances provides more detail.

Instance

Instance Start

StopInstances

Stops an Amazon EBS-backed instance. Similar to StartInstances and RunInstances.

Instance

Instance Stop

StopLogging

CloudTrail has stopped recording CloudTrail Events. This is a significant red flag and should almost always be avoided.

Cloud Service

Cloud Service Disable

TagInstanceProfile

Adds one or more tags to an IAM instance profile. If a tag with the same key name already exists, then that tag is overwritten with the new value.

Instance

Instance Metadata

TagMFADevice

Adds one or more tags to an IAM virtual multi-factor authentication (MFA) device. If a tag with the same key name already exists, then that tag is overwritten with the new value.

User Account

User Account Authentication

TagOpenIDConnectProvider

Adds one or more tags to an OpenID Connect (OIDC)-compatible identity provider.

Active Directory

Active Directory Object Modification

TagPolicy

Adds one or more tags to an IAM customer managed policy. If a tag with the same key name already exists, then that tag is overwritten with the new value.

User Account

User Account Metadata

TagRole

Adds one or more tags to an IAM role. The role can be a regular role or a service-linked role. If a tag with the same key name already exists, then that tag is overwritten with the new value.

User Account

User Account Metadata

TagSAMLProvider

Adds one or more tags to a Security Assertion Markup Language (SAML) identity provider.

Active Directory

Active Directory Object Modification

TagServerCertificate

Adds one or more tags to an IAM server certificate. If a tag with the same key name already exists, then that tag is overwritten with the new value.

Certificate

Certificate Modification

TagUser

Adds one or more tags to an IAM user. If a tag with the same key name already exists, then that tag is overwritten with the new value.

User Account

User Account Modification

UntagPolicy

Removes the specified tags from the customer managed policy.

User Account

User Account Metadata

UntagInstanceProfile

Removes the specified tags from the IAM instance profile.

Instance

Instance Metadata

UntagMFADevice

Removes the specified tags from the IAM virtual multi-factor authentication (MFA) device.

User Account

User Account Authentication

UntagOpenIDConnectProvider

Removes the specified tags from the specified OpenID Connect (OIDC)-compatible identity provider in IAM.

Active Directory

Active Directory Object Modification

UntagRole

Removes the specified tags from the role.

User Account

User Account Metadata

UntagSAMLProvider

Removes the specified tags from the specified Security Assertion Markup Language (SAML) identity provider in IAM.

Active Directory

Active Directory Object Modification

UntagServerCertificate

Removes the specified tags from the IAM server certificate.

Certificate

Certificate Modification

UntagUser

Removes the specified tags from the user.

User Account

User Account Modification

UpdateAccessKey

Changes the status of the specified access key from Active to Inactive, or vice versa. This operation can be used to disable a user’s key as part of a key rotation workflow.

User Account

User Account Modification

UpdateAccountPasswordPolicy

Updates the password policy settings for the AWS account.

User Account

User Account Metadata

UpdateAssumeRolePolicy

Updates the policy that grants an IAM entity permission to assume a role.

User Account

User Account Metadata

UpdateGroup

Updates the name and/or the path of the specified IAM group.

Group

Group Modification

UpdateLoginProfile

Changes the password for the specified IAM user.

User Account

User Account Metadata

UpdateOpenIDConnectProviderThumbprint

Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints.

Active Directory

Active Directory Object Modification

UpdateRole

Updates the description or maximum session duration setting of a role.

User Account

User Account Metadata

UpdateSAMLProvider

Updates the metadata document for an existing SAML provider resource object.

Active Directory

Active Directory Object Modification

UpdateSSHPublicKey

Sets the status of an IAM user’s SSH public key to active or inactive. SSH public keys that are inactive cannot be used for authentication. This operation can be used to disable a user’s SSH public key as part of a key rotation workflow.

User Account

User Account Modification

UpdateServerCertificate

Updates the name and/or the path of the specified server certificate stored in IAM.

Certificate

Certificate Modification

UpdateServiceSpecificCredential

Sets the status of a service-specific credential to Active or Inactive. Service-specific credentials that are inactive cannot be used for authentication to the service. This operation can be used to disable a user’s service-specific credential as part of a credential rotation workflow.

User Account

User Account Modification

UpdateSigningCertificate

Changes the status of the specified user signing certificate from active to disabled, or vice versa. This operation can be used to disable an IAM user’s signing certificate as part of a certificate rotation workflow.

User Account

User Account Modification

UpdateUser

Updates the name and/or the path of the specified IAM user.

User Account

User Account Modification

UploadSSHPublicKey

Uploads an SSH public key and associates it with the specified IAM user.

User Account

User Account Modification

UploadServerCertificate

Uploads a server certificate entity for the AWS account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.

User Account

User Account Modification

UploadSigningCertificate

Uploads an X.509 signing certificate and associates it with the specified IAM user.

User Account

User Account Modification