IAM Coverage

This page lists the IAM Enforcement Feature Coverage for LocalStack’s emulation of AWS services.

Supported Services

In principle, LocalStack supports all operations. However, not all services and their operations have been tested yet. The table below lists all IAM services and operations that have been tested, noting if they were ever denied or allowed during testing. It only includes operations performed with a principal, not as root, so test setups are excluded.

NameoperationAccess deniedAccess allowed
acmListCertificatesYesYes
apigatewayDeleteRestApiNoYes
apigatewayCreateRestApiYesYes
backupDescribeBackupVaultYesYes
batchCreateComputeEnvironmentNoYes
cloudformationListStacksYesYes
cloudwatchPutMetricDataYesYes
dynamodbDescribeTableNoYes
dynamodbCreateTableYesYes
dynamodbDeleteTableNoYes
ecrDescribeImagesYesNo
efsDescribeFileSystemsYesYes
esDescribeElasticsearchDomainsYesYes
eventsDeleteEventBusNoYes
eventsPutEventsYesYes
eventsCreateEventBusYesYes
kinesisCreateStreamYesYes
kinesisDeleteStreamNoYes
kmsCreateKeyYesYes
kmsDescribeKeyYesYes
lambdaDeleteFunctionNoYes
lambdaInvokeYesYes
lambdaGetLayerVersionYesYes
lambdaCreateFunctionYesYes
logsCreateLogGroupYesYes
logsPutLogEventsNoYes
logsCreateLogStreamNoYes
logsDeleteLogGroupNoYes
redshiftDescribeClustersYesYes
redshift-dataListDatabasesYesYes
s3UploadPartNoYes
s3GetObjectYesYes
s3DeleteBucketNoYes
s3CreateBucketYesYes
s3ListBucketsYesYes
s3CreateMultipartUploadYesYes
s3CompleteMultipartUploadNoYes
s3DeleteObjectNoYes
s3ListObjectsYesYes
s3PutObjectYesYes
secretsmanagerCreateSecretYesYes
secretsmanagerGetSecretValueYesYes
secretsmanagerDeleteSecretNoYes
snsPublishNoYes
sqsGetQueueAttributesYesNo
sqsCreateQueueYesYes
sqsSendMessageYesYes
sqsReceiveMessageYesYes
sqsDeleteQueueNoYes
stepfunctionsDeleteStateMachineNoYes
stepfunctionsCreateStateMachineYesYes
stsGetCallerIdentityNoYes

Inter Service Enforcement

Source ServiceTarget ServiceFeatureOperationImplementedTested
snssqsSNS subscriptionsqs.SendMessageYesYes
snslambdaSNS subscriptionlambda.InvokeYesYes
lambdasqsEvent destinationssqs.SendMessageYesYes
lambdalogsStoring Lambda logslogs.CreateLogGroup, logs.CreateLogStream, logs.PutLogEventsYesNo
lambdasnsEvent destinationssns.PublishYesNo
lambdasqsEvent source mappingYesYes
lambdakinesisEvent source mappingYesYes
lambdadynamodbEvent source mappingYesYes
lambdakafkaEvent source mappingNoNo
eventslambdaEvent rule targetYesYes
snssesSNS subscriptionYesYes
snsfirehoseSNS subscriptionYesYes
eventssnsEvent rule targetYesYes
eventssqsEvent rule targetYesYes
eventslogsEvent rule targetYesYes
eventsfirehoseEvent rule targetYesYes
eventseventsEvent rule targetYesYes
eventskinesisEvent rule targetYesYes
eventsstepfunctionsEvent rule targetYesYes
apigatewaylambdaAPI integrationYesYes
apigatewaydynamodbAPI integrationYesYes
apigatewaykinesisAPI integrationYesYes
apigateways3API integrationNoNo
apigatewaysnsAPI integrationNoYes
apigatewaysqsAPI integrationYesYes
apigatewaystepfunctionsAPI integrationNoNo
apigatewayappsyncAPI integrationNoNo
cloudformation*Resource ModificationNoNo
lambdastsAssuming execution roleYesYes
s3sqsBucket notificationYesYes
s3snsBucket notificationYesYes

Supported Policy Types

Permission TypeDetails
Identity Based Permissions
- Roles
- Users
Resource Based Permissions
- Lambda
- ECR (Elastic Container Registry)
- EFS (Elastic File System)
- SQS (Simple Queue Service)
- SNS (Simple Notification Service)
- KMS (Key Management Service)
- S3 (Simple Storage Service)
- Backup
- Events
- Secrets Manager
- IAM/STS (Identity and Access Management/Security Token Service)
Permission Boundaries
- Roles
- Users

Supported Policy Features

CategoryDescription
VersionNot evaluated, but only "2012-10-17" supported/tested.
IdThe policy ID is currently ignored.
StatementsSupported with the following policy elements:
EffectFully supported. Allow + Deny
SidCurrently ignored
Action, NotActionSupported including placeholder *
Principal, NotPrincipalSupported principals:
- Service
- (Assumed) role (ARN only)
- User (ARN only)
Organizations, Federated, CanonicalUsers etc. are currently not supported
Resource, NotResourceIn general supported, including placeholders * and ?.
No support for policy variables
ConditionSupported condition operators:
- StringEquals
- StringEqualsIgnoreCase
- StringLike
- ArnLike/ArnEquals
Supported condition keys:
- aws:SourceArn

Known Issues

  • CloudFormation stack permissions do not work as expected.
Last modified May 14, 2024: add IAM coverage map (#1209) (3e574a1dc)