

# Security in Amazon Lightsail

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. To learn about the compliance programs, and which services they apply to, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using Amazon Lightsail. The following topics show you how to configure Amazon Lightsail to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Amazon Lightsail resources.

# Infrastructure security in Amazon Lightsail

As a managed service, Amazon Lightsail is protected by the AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well‐Architected Framework*.

You use AWS published API calls to access Lightsail through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) (AWS STS) to generate temporary security credentials to sign requests.

# Resilience in Amazon Lightsail

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. 

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

In addition to the AWS global infrastructure, Amazon Lightsail offers several features to help support your data resiliency and backup needs.
+ Copying instance and disk snapshots across Regions. For more information, see [Snapshots](understanding-snapshots-in-amazon-lightsail.md).
+ Automating instance and disk snapshots. For more information, see [Snapshots](understanding-snapshots-in-amazon-lightsail.md).
+ Distributing incoming traffic across multiple instances in a single Availability Zone or multiple Availability Zones using a load balancer. For more information, see [Load balancers](understanding-lightsail-load-balancers.md).

# Identity and access management for Amazon Lightsail

## Audience


How you use AWS Identity and Access Management (IAM) differs, depending on the work you do in Amazon Lightsail.

**Service user** – If you use the Amazon Lightsail service to do your job, then your administrator provides you with the credentials and permissions that you need. As you use more Amazon Lightsail features to do your work, you might need additional permissions. Understanding how access is managed can help you request the right permissions from your administrator. If you cannot access a feature in Amazon Lightsail, see [Troubleshoot Identity and Access Management (IAM)](security_iam_troubleshoot.md).

**Service administrator** – If you're in charge of Amazon Lightsail resources at your company, you probably have full access to Amazon Lightsail. It's your job to determine which Amazon Lightsail features and resources your employees should access. You must then submit requests to your IAM administrator to change the permissions of your service users. Review the information on this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with Amazon Lightsail, see [How Amazon Lightsail Works with IAM](security_iam_service-with-iam.md).

**IAM administrator** – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to Amazon Lightsail. To view example Amazon Lightsail identity-based policies that you can use in IAM, see [Amazon Lightsail Identity-Based Policy Examples](security_iam_id-based-policy-examples.md).

## Authenticating With Identities


Authentication is how you sign in to AWS using your identity credentials. For more information about signing in using the AWS Management Console, see [The IAM Console and Sign-in Page](https://docs.aws.amazon.com/IAM/latest/UserGuide/console.html) in the *IAM User Guide*.

You must be *authenticated* (signed in to AWS) as the AWS account root user, an IAM user, or by assuming an IAM role. You can also use your company's single sign-on authentication, or even sign in using Google or Facebook. In these cases, your administrator previously set up identity federation using IAM roles. When you access AWS using credentials from another company, you are assuming a role indirectly. 

To sign in directly to the [AWS Management Console](https://console.aws.amazon.com/), use your password with your root user email or your IAM user name. You can access AWS programmatically using your root user or IAM user access keys. AWS provides SDK and command line tools to cryptographically sign your request using your credentials. If you don’t use AWS tools, you must sign the request yourself. Do this using *Signature Version 4*, a protocol for authenticating inbound API requests. For more information about authenticating requests, see [Signature Version 4 Signing Process](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) in the *AWS General Reference*.
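As an added illustration of the Signature Version 4 process described above (example code written for this page, not the AWS SDK or CLI), the following standard-library Python signs a Lightsail API call; the placeholder credentials, the fixed timestamp, and the JSON 1.1 POST shape with an `x-amz-target` header are assumptions for the example.

```python
"""Sign a Lightsail API request with AWS Signature Version 4 (SigV4) using
only the standard library. Credentials, timestamp and the request shape
(JSON 1.1 POST with an x-amz-target header) are assumptions for this example."""
import datetime
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed placeholder credentials (the well-known AWS documentation
# examples); they authenticate nothing. Never embed real keys in source.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SERVICE = "lightsail"
REGION = "us-east-1"
HOST = f"{SERVICE}.{REGION}.amazonaws.com"
# Fixed, constructed timestamp so the output is reproducible.
EXAMPLE_TIME = datetime.datetime(2022, 1, 14, 12, 0, 0)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: a fixed HMAC chain. The long-term secret is never
    sent; the derived key is scoped to one day, Region and service, which limits
    what a leaked derived key could be reused for."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def build_canonical_request(method: str, uri: str, query: str,
                            headers: Dict[str, str], payload: bytes) -> Tuple[str, str]:
    """Canonicalize the request the way the service re-derives it: header
    names lowercased and sorted, values whitespace-collapsed, payload hashed.
    Any byte that differs on the wire produces a signature mismatch."""
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canon)
    signed_headers = ";".join(k for k, _ in canon)
    request = "\n".join([method, uri, query, canonical_headers,
                         signed_headers, sha256_hex(payload)])
    return request, signed_headers


def sign_request(operation: str, payload: bytes, when: datetime.datetime = EXAMPLE_TIME,
                 session_token: Optional[str] = None) -> Dict[str, str]:
    """Return the HTTP headers for a signed Lightsail API call. `operation` is
    the API operation name (for example GetInstances); the x-amz-target format
    is an assumption. `session_token` is set when the credentials came from
    AWS STS; it is then part of the signed headers."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    headers = {
        "host": HOST,
        "content-type": "application/x-amz-json-1.1",
        "x-amz-date": amz_date,
        "x-amz-target": f"Lightsail_20161128.{operation}",
    }
    if session_token:
        headers["x-amz-security-token"] = session_token
    canonical, signed_headers = build_canonical_request("POST", "/", "", headers, payload)
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical.encode("utf-8"))])
    key = derive_signing_key(SECRET_ACCESS_KEY, date_stamp, REGION, SERVICE)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY_ID}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    for name, value in sign_request("GetInstances", b"{}").items():
        print(f"{name}: {value}")
```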

Regardless of the authentication method that you use, you might also be required to provide additional security information. For example, AWS recommends that you use multi-factor authentication (MFA) to increase the security of your account. To learn more, see [Using Multi-Factor Authentication (MFA) in AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the *IAM User Guide*.

### AWS account root user


 When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

### IAM Users and Groups


An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM Roles


An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

IAM roles with temporary credentials are useful in the following situations:
+ **Temporary IAM user permissions** – An IAM user can assume an IAM role to temporarily take on different permissions for a specific task. 
+ **Federated user access** – To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see [ Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*. If you use IAM Identity Center, you configure a permission set. To control what your identities can access after they authenticate, IAM Identity Center correlates the permission set to a role in IAM. For information about permissions sets, see [ Permission sets](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html) in the *AWS IAM Identity Center User Guide*. 
+ **Cross-account access** – You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account. Roles are the primary way to grant cross-account access. However, with some AWS services, you can attach a policy directly to a resource (instead of using a role as a proxy). To learn the difference between roles and resource-based policies for cross-account access, see [How IAM roles differ from resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_compare-resource-policies.html) in the *IAM User Guide*.
+ **Cross-service access** – Some AWS services use features in other AWS services. For example, when you make a call in a service, it's common for that service to run applications in Amazon EC2 or store objects in Amazon S3. A service might do this using the calling principal's permissions, using a service role, or using a service-linked role. 
  + **Forward access sessions (FAS)** – When you use an IAM user or role to perform actions in AWS, you are considered a principal. Policies grant permissions to a principal. When you use some services, you might perform an action that then triggers another action in a different service. In this case, you must have permissions to perform both actions. To see whether an action requires additional dependent actions in a policy, see [Actions, Resources, and Condition Keys for Amazon Lightsail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonlightsail.html) in the *Service Authorization Reference*.
  + **Service role** – A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*. 
  + **Service-linked role** – A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles. 
+ **Applications running on Amazon EC2** – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS CLI or AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see [Use an IAM role to grant permissions to applications running on Amazon EC2 instances](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) in the *IAM User Guide*. 

To learn whether to use IAM roles or IAM users, see [When to create an IAM role (instead of a user)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html#id_which-to-choose_role) in the *IAM User Guide*.

## Managing Access Using Policies


You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

Every IAM entity (user or role) starts with no permissions. In other words, by default, users can do nothing, not even change their own password. To give a user permission to do something, an administrator must attach a permissions policy to a user. Or the administrator can add the user to a group that has the intended permissions. When an administrator gives permissions to a group, all users in that group are granted those permissions. An IAM administrator can also create IAM policies and add them to roles, which users can then assume.

IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, suppose that you have a policy that allows the `iam:GetRole` action. A user with that policy can get role information from the AWS Management Console, the AWS CLI, or the AWS API.

### Identity-Based Policies


Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.


### Resource-Based Policies


Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS services.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Access Control Lists (ACLs)


Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.


### Other Policy Types


AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – A permissions boundary is an advanced feature in which you set the maximum permissions that an identity-based policy can grant to an IAM entity (IAM user or role). You can set a permissions boundary for an entity. The resulting permissions are the intersection of the entity's identity-based policies and its permissions boundaries. Resource-based policies that specify the user or role in the `Principal` field are not limited by the permissions boundary. An explicit deny in any of these policies overrides the allow. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU) in AWS Organizations. AWS Organizations is a service for grouping and centrally managing multiple AWS accounts that your business owns. If you enable all features in an organization, then you can apply service control policies (SCPs) to any or all of your accounts. The SCP limits permissions for entities in member accounts, including each AWS account root user. For more information about Organizations and SCPs, see [How SCPs work](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. The resulting session's permissions are the intersection of the user or role's identity-based policies and the session policies. Permissions can also come from a resource-based policy. An explicit deny in any of these policies overrides the allow. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple Policy Types


When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating With Identities](#security_iam_authentication)
+ [Managing Access Using Policies](#security_iam_access-manage)
+ [AWS managed policies](security-iam-awsmanpol.md)
+ [Lightsail policies and roles](security_iam_service-with-iam.md)
+ [Manage IAM user access](amazon-lightsail-managing-access-for-an-iam-user.md)

# AWS managed policies for Amazon Lightsail

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

## AWS managed policy: LightsailExportAccess

You can't attach LightsailExportAccess to your IAM entities. This policy is attached to a service-linked role that allows Lightsail to perform actions on your behalf. For more information, see [Service-linked roles](amazon-lightsail-using-service-linked-roles.md).

This policy grants permissions that allow Lightsail to export your instance and disk snapshots to Amazon Elastic Compute Cloud, and get the current account-level Block Public Access configuration from Amazon Simple Storage Service (Amazon S3).

**Permissions details**

This policy includes the following permissions.
+ `ec2` – Allows access to list and copy instance images and disk snapshots.
+ `iam` – Allows access to delete service-linked roles and retrieve the status of your service-linked role deletion.
+ `s3` – Allows access to retrieve the `PublicAccessBlock` configuration for an AWS account.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServiceLinkedRole",
                "iam:GetServiceLinkedRoleDeletionStatus"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/lightsail.amazonaws.com/AWSServiceRoleForLightsail*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CopySnapshot",
                "ec2:DescribeSnapshots",
                "ec2:CopyImage",
                "ec2:DescribeImages"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetAccountPublicAccessBlock"
            ],
            "Resource": "*"
        }
    ]
}
```

## Lightsail updates to AWS managed policies

| Change | Description | Date |
| --- | --- | --- |
| Edit to the `LightsailExportAccess` managed policy | Added the `s3:GetAccountPublicAccessBlock` action to the `LightsailExportAccess` managed policy. It allows Lightsail to get the current account-level Block Public Access configuration from Amazon S3. | January 14, 2022 |
| Lightsail started tracking changes | Lightsail started tracking changes for its AWS managed policies. | January 14, 2022 |

# How Amazon Lightsail works with IAM

Before you use IAM to manage access to Lightsail, you should understand what IAM features are available to use with Lightsail. To get a high-level view of how Lightsail and other AWS services work with IAM, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Lightsail Identity-Based Policies


With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Lightsail supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see [IAM JSON Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Actions


Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

Policy actions in Lightsail use the following prefix before the action: `lightsail:`. For example, to grant someone permission to run a Lightsail instance with the Lightsail `CreateInstances` API operation, you include the `lightsail:CreateInstances` action in their policy. Policy statements must include either an `Action` or `NotAction` element. Lightsail defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as follows:

```
"Action": [
    "lightsail:action1",
    "lightsail:action2"
]
```

You can specify multiple actions using wildcards (`*`). For example, to specify all actions that begin with the word `Create`, include the following action:

```
"Action": "lightsail:Create*"
```

To see a list of Lightsail actions, see [Actions Defined by Amazon Lightsail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonlightsail.html#amazonlightsail-actions-as-permissions) in the *IAM User Guide*.

### Resources


Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (`*`) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

**Important**  
Lightsail does not support resource-level permissions for some API actions. For more information, see [Support for resource-level permissions and authorization based on tags](resource-level-permissions-and-auth-based-on-tags-support.md).

The Lightsail instance resource has the following ARN:

```
arn:${Partition}:lightsail:${Region}:${Account}:Instance/${InstanceId}
```

For more information about the format of ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html).

For example, to specify the `ea123456-e6b9-4f1d-b518-3ad1234567e6` instance in your statement, use the following ARN:

```
"Resource": "arn:aws:lightsail:us-east-1:123456789012:Instance/ea123456-e6b9-4f1d-b518-3ad1234567e6"
```

To specify all instances that belong to a specific account, use the wildcard (`*`):

```
"Resource": "arn:aws:lightsail:us-east-1:123456789012:Instance/*"
```

Some Lightsail actions, such as those for creating resources, cannot be performed on a specific resource. In those cases, you must use the wildcard (`*`).

```
"Resource": "*"
```

Many Lightsail API actions involve multiple resources. For example, `AttachDisk` attaches a Lightsail block storage disk to an instance, so an IAM user must have permissions to use the disk and the instance. To specify multiple resources in a single statement, separate the ARNs with commas. 

```
"Resource": [
      "resource1",
      "resource2"
]
```

To see a list of Lightsail resource types and their ARNs, see [Resources Defined by Amazon Lightsail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonlightsail.html#amazonlightsail-resources-for-iam-policies) in the *IAM User Guide*. To learn which actions accept the ARN of each resource, see [Actions Defined by Amazon Lightsail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonlightsail.html#amazonlightsail-actions-as-permissions).

### Condition Keys


The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

Lightsail does not provide any service-specific condition keys, but it does support some of the AWS global condition keys.

To see a list of Lightsail condition keys, see [Condition Keys for Amazon Lightsail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonlightsail.html#amazonlightsail-policy-keys) in the *IAM User Guide*. To learn which actions and resources each condition key can be used with, see [Actions Defined by Amazon Lightsail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonlightsail.html#amazonlightsail-actions-as-permissions).

### Examples


To view examples of Lightsail identity-based policies, see [Amazon Lightsail Identity-Based Policy Examples](security_iam_id-based-policy-examples.md).

## Lightsail Resource-Based Policies


Lightsail does not support resource-based policies.

## Access Control Lists (ACLs)


Lightsail does not support Access Control Lists (ACLs).

## Authorization Based on Lightsail Tags


You can attach tags to Lightsail resources or pass tags in a request to Lightsail. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `lightsail:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.

**Important**  
Lightsail does not support authorization based on tags for some API actions. For more information, see [Support for resource-level permissions and authorization based on tags](resource-level-permissions-and-auth-based-on-tags-support.md).

For more information about tagging Lightsail resources, see [Tags](amazon-lightsail-tags.md).

To view an example identity-based policy for limiting access to a resource based on the tags on that resource, see [Allowing Creation and Deletion of Lightsail Resources Based on Tags](https://lightsail.aws.amazon.com/ls/docs/en_us/articles/security_iam_id-based-policy-examples#security_iam_id-based-policy-examples-view-widget-tags).

## Lightsail IAM Roles


An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your AWS account that has specific permissions.

### Using Temporary Credentials with Lightsail


You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html). 

Lightsail supports using temporary credentials. 

### Service-Linked Roles


[Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.

Lightsail supports service-linked roles. For details about creating or managing Lightsail service-linked roles, see [Service-linked roles](amazon-lightsail-using-service-linked-roles.md).

### Service Roles


Lightsail does not support service roles.

**Topics**
+ [Lightsail Identity-Based Policies](#security_iam_service-with-iam-id-based-policies)
+ [Lightsail Resource-Based Policies](#security_iam_service-with-iam-resource-based-policies)
+ [Access Control Lists (ACLs)](#security_iam_service-with-iam-acls)
+ [Authorization Based on Lightsail Tags](#security_iam_service-with-iam-tags)
+ [Lightsail IAM Roles](#security_iam_service-with-iam-roles)
+ [Identity-based policy examples](security_iam_id-based-policy-examples.md)
+ [Resource-level permissions policy examples](security_iam_resource-based-policy-examples.md)
+ [Use service-linked roles](amazon-lightsail-using-service-linked-roles.md)
+ [Manage buckets with IAM](amazon-lightsail-bucket-management-policies.md)

# Grant least-privilege permissions with IAM identity policies in Lightsail
Identity-based policy examples

By default, IAM users and roles don't have permission to create or modify Lightsail resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating Policies on the JSON Tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.

## Policy Best Practices


Identity-based policies determine whether someone can create, access, or delete Amazon Lightsail resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Using the Lightsail Console
Using the Console

To access the Amazon Lightsail console, you must have full-access permission to all Lightsail actions and resources. These permissions must allow you to list and view details about the Lightsail resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions (i.e., that is not full-access), the console won't function as intended for entities (IAM users or roles) with that policy.

To ensure that those entities can use the Lightsail console, attach the following policy to the entities. For more information, see [Adding Permissions to a User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*:


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lightsail:*"
            ],
            "Resource": "*"
        }
    ]
}
```


You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.

## Allow Users to View Their Own Permissions


This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Allowing Creation and Deletion of Lightsail Resources Based on Tags


You can use conditions in your identity-based policy to control access to Lightsail resources based on tags. This example shows how you might create a policy that prevents users from creating new Lightsail resources unless the create request includes a tag with the key `allow` and the value `true`. The policy also prevents users from deleting resources unless the resource carries the `allow/true` key-value tag.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lightsail:Create*",
                "lightsail:TagResource",
                "lightsail:UntagResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/allow": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "lightsail:Delete*",
                "lightsail:TagResource",
                "lightsail:UntagResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/allow": "true"
                }
            }
        }
    ]
}
```


The following example prevents users from changing the tags of a resource unless that resource has the `allow/false` key-value tag.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "lightsail:TagResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:ResourceTag/allow": "false"
                }
            }
        }
    ]
}
```


You can attach these policies to the IAM users in your account. For more information, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
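To see how the tag conditions above and the ARN wildcards from the Resources section compose at evaluation time, here is an added example that is not part of the Lightsail documentation: a small Python evaluator for the IAM policy subset these examples use, run against the two tag policies shown above and the `Instance/*` resource ARN from earlier in this topic. The action names `lightsail:CreateInstances`, `lightsail:DeleteInstance` and `lightsail:RebootInstance`, and the second account number, are sample values chosen for the scenarios; the policies and the instance ARN are taken from the page.

```python
import re


def wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(condition: dict, context: dict) -> bool:
    """Every operator block and every key must hold (AND); listed values are OR-ed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = context.get(key)  # None when the key is absent from the request context
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringLike":
                ok = actual is not None and any(wildcard_match(e, actual) for e in expected)
            elif operator == "StringNotEquals":
                # Negated operator: an ABSENT key satisfies it, so a Deny written with
                # StringNotEquals also fires for resources that carry no such tag at all.
                ok = actual is None or actual not in expected
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policies, action: str, resource: str, context: dict) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    # Any matching Deny wins over every Allow; no matching statement is the default
    # implicit deny. NotAction, NotResource and multi-valued keys are not modelled.
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive in IAM; ARN patterns are matched as written.
            if not any(wildcard_match(p.lower(), action.lower()) for p in _as_list(stmt["Action"])):
                continue
            if not any(wildcard_match(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            if not condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def request_context(request_tags=None, resource_tags=None) -> dict:
    """Build the aws:RequestTag/<key> and aws:ResourceTag/<key> context keys."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in (request_tags or {}).items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()})
    return ctx


# The two tag-based policies from this topic, attached together to one IAM user.
TAG_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["lightsail:Create*", "lightsail:TagResource", "lightsail:UntagResource"],
         "Condition": {"StringEquals": {"aws:RequestTag/allow": "true"}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["lightsail:Delete*", "lightsail:TagResource", "lightsail:UntagResource"],
         "Condition": {"StringEquals": {"aws:ResourceTag/allow": "true"}}}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": ["lightsail:TagResource"], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:ResourceTag/allow": "false"}}}]},
]

# Resource-level policy built from the "all instances in one account" ARN shown earlier.
REBOOT_POLICY = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lightsail:RebootInstance",
     "Resource": "arn:aws:lightsail:us-east-1:123456789012:Instance/*"}]}]

INSTANCE = "arn:aws:lightsail:us-east-1:123456789012:Instance/ea123456-e6b9-4f1d-b518-3ad1234567e6"
FOREIGN = INSTANCE.replace("123456789012", "999999999999")  # constructed: another account


def scenarios() -> dict:
    """Run the page's policies against representative requests (sample action names)."""
    tagged = lambda v: request_context(resource_tags={"allow": v})
    both = lambda v: request_context(request_tags={"allow": "true"}, resource_tags={"allow": v})
    create_ctx = request_context(request_tags={"allow": "true"})
    return {
        # Create actions have no resource ARN, so the request resource is '*'.
        "create with allow=true": evaluate(TAG_POLICIES, "lightsail:CreateInstances", "*", create_ctx),
        "create without tag": evaluate(TAG_POLICIES, "lightsail:CreateInstances", "*", {}),
        "delete tagged allow=true": evaluate(TAG_POLICIES, "lightsail:DeleteInstance", INSTANCE, tagged("true")),
        "delete untagged": evaluate(TAG_POLICIES, "lightsail:DeleteInstance", INSTANCE, {}),
        "retag allow=true": evaluate(TAG_POLICIES, "lightsail:TagResource", INSTANCE, both("true")),
        "retag allow=false": evaluate(TAG_POLICIES, "lightsail:TagResource", INSTANCE, both("false")),
        "tag untagged": evaluate(TAG_POLICIES, "lightsail:TagResource", INSTANCE, create_ctx),
        "reboot own account": evaluate(REBOOT_POLICY, "lightsail:RebootInstance", INSTANCE, {}),
        "reboot other account": evaluate(REBOOT_POLICY, "lightsail:RebootInstance", FOREIGN, {}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} -> {result}")
```

The `tag untagged` case is the one to watch: a resource with no `allow` tag has no `aws:ResourceTag/allow` key, and an absent key satisfies `StringNotEquals`, so the Deny policy blocks tagging it.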

# Grant access to specific Lightsail resources using IAM policies
Resource-level permissions policy examples

The term *resource-level permissions* refers to the ability to specify which resources users are allowed to perform actions on. Amazon Lightsail supports resource-level permissions. This means that for certain Lightsail actions, you can control when users are allowed to use those actions based on conditions that have to be fulfilled, or specific resources that users are allowed to use or edit. For example, you can grant users permissions to manage an instance or database with a specific Amazon Resource Name (ARN).

**Important**  
Lightsail does not support resource-level permissions for some API actions. For more information, see [Support for resource-level permissions and authorization based on tags](resource-level-permissions-and-auth-based-on-tags-support.md).

For more information about the resources that are created or modified by the Lightsail actions, and the ARNs and Lightsail condition keys that you can use in an IAM policy statement, see [Actions, Resources, and Condition Keys for Amazon Lightsail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonlightsail.html) in the *IAM User Guide*.

## Allow management of a specific instance


The following policy grants access to reboot/start/stop an instance, manage instance ports, and create instance snapshots for a specific instance. It also provides read-only access to other instance-related information and resources in the Lightsail account. In the policy, replace the example instance ARN (`arn:aws:lightsail:us-east-2:123456789012:Instance/244ad76f-8aad-4741-809f-12345EXAMPLE`) with the Amazon Resource Name (ARN) of your instance.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lightsail:GetActiveNames",
                "lightsail:GetAlarms",
                "lightsail:GetAutoSnapshots",
                "lightsail:GetBlueprints",
                "lightsail:GetBundles",
                "lightsail:GetCertificates",
                "lightsail:GetCloudFormationStackRecords",
                "lightsail:GetContactMethods",
                "lightsail:GetDisk",
                "lightsail:GetDisks",
                "lightsail:GetDiskSnapshot",
                "lightsail:GetDiskSnapshots",
                "lightsail:GetDistributionBundles",
                "lightsail:GetDistributionLatestCacheReset",
                "lightsail:GetDistributionMetricData",
                "lightsail:GetDistributions",
                "lightsail:GetDomain",
                "lightsail:GetDomains",
                "lightsail:GetExportSnapshotRecords",
                "lightsail:GetInstance",
                "lightsail:GetInstanceAccessDetails",
                "lightsail:GetInstanceMetricData",
                "lightsail:GetInstancePortStates",
                "lightsail:GetInstances",
                "lightsail:GetInstanceSnapshot",
                "lightsail:GetInstanceSnapshots",
                "lightsail:GetInstanceState",
                "lightsail:GetKeyPair",
                "lightsail:GetKeyPairs",
                "lightsail:GetLoadBalancer",
                "lightsail:GetLoadBalancerMetricData",
                "lightsail:GetLoadBalancers",
                "lightsail:GetLoadBalancerTlsCertificates",
                "lightsail:GetOperation",
                "lightsail:GetOperations",
                "lightsail:GetOperationsForResource",
                "lightsail:GetRegions",
                "lightsail:GetRelationalDatabase",
                "lightsail:GetRelationalDatabaseBlueprints",
                "lightsail:GetRelationalDatabaseBundles",
                "lightsail:GetRelationalDatabaseEvents",
                "lightsail:GetRelationalDatabaseLogEvents",
                "lightsail:GetRelationalDatabaseLogStreams",
                "lightsail:GetRelationalDatabaseMetricData",
                "lightsail:GetRelationalDatabaseParameters",
                "lightsail:GetRelationalDatabases",
                "lightsail:GetRelationalDatabaseSnapshot",
                "lightsail:GetRelationalDatabaseSnapshots",
                "lightsail:GetStaticIp",
                "lightsail:GetStaticIps",
                "lightsail:IsVpcPeered"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "lightsail:CloseInstancePublicPorts",
                "lightsail:CreateInstanceSnapshot",
                "lightsail:OpenInstancePublicPorts",
                "lightsail:PutInstancePublicPorts",
                "lightsail:RebootInstance",
                "lightsail:StartInstance",
                "lightsail:StopInstance"
            ],
            "Resource": "arn:aws:lightsail:us-east-2:123456789012:Instance/244ad76f-8aad-4741-809f-12345EXAMPLE"
        }
    ]
}
```


To get the ARN for your instance, use the `GetInstance` Lightsail API action, and specify the name of the instance using the `instanceName` parameter. Your instance ARN will be listed in the results of that action as shown in the following example. For more information, see [GetInstance](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetInstance.html) in the *Amazon Lightsail API Reference*.

![An instance ARN in the GetInstance results.](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-instance-arn.png)


## Allow management of a specific database


The following policy grants access to reboot/start/stop and update a specific database. It also provides read-only access to other database-related information and resources in the Lightsail account. In the policy, replace the example database ARN (`arn:aws:lightsail:us-east-2:123456789012:RelationalDatabase/244ad76f-8aad-4741-809f-12345EXAMPLE`) with the Amazon Resource Name (ARN) of your database.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lightsail:GetActiveNames",
                "lightsail:GetAlarms",
                "lightsail:GetAutoSnapshots",
                "lightsail:GetBlueprints",
                "lightsail:GetBundles",
                "lightsail:GetCertificates",
                "lightsail:GetCloudFormationStackRecords",
                "lightsail:GetContactMethods",
                "lightsail:GetDisk",
                "lightsail:GetDisks",
                "lightsail:GetDiskSnapshot",
                "lightsail:GetDiskSnapshots",
                "lightsail:GetDistributionBundles",
                "lightsail:GetDistributionLatestCacheReset",
                "lightsail:GetDistributionMetricData",
                "lightsail:GetDistributions",
                "lightsail:GetDomain",
                "lightsail:GetDomains",
                "lightsail:GetExportSnapshotRecords",
                "lightsail:GetInstance",
                "lightsail:GetInstanceAccessDetails",
                "lightsail:GetInstanceMetricData",
                "lightsail:GetInstancePortStates",
                "lightsail:GetInstances",
                "lightsail:GetInstanceSnapshot",
                "lightsail:GetInstanceSnapshots",
                "lightsail:GetInstanceState",
                "lightsail:GetKeyPair",
                "lightsail:GetKeyPairs",
                "lightsail:GetLoadBalancer",
                "lightsail:GetLoadBalancerMetricData",
                "lightsail:GetLoadBalancers",
                "lightsail:GetLoadBalancerTlsCertificates",
                "lightsail:GetOperation",
                "lightsail:GetOperations",
                "lightsail:GetOperationsForResource",
                "lightsail:GetRegions",
                "lightsail:GetRelationalDatabase",
                "lightsail:GetRelationalDatabaseBlueprints",
                "lightsail:GetRelationalDatabaseBundles",
                "lightsail:GetRelationalDatabaseEvents",
                "lightsail:GetRelationalDatabaseLogEvents",
                "lightsail:GetRelationalDatabaseLogStreams",
                "lightsail:GetRelationalDatabaseMetricData",
                "lightsail:GetRelationalDatabaseParameters",
                "lightsail:GetRelationalDatabases",
                "lightsail:GetRelationalDatabaseSnapshot",
                "lightsail:GetRelationalDatabaseSnapshots",
                "lightsail:GetStaticIp",
                "lightsail:GetStaticIps",
                "lightsail:IsVpcPeered"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "lightsail:RebootRelationalDatabase",
                "lightsail:StartRelationalDatabase",
                "lightsail:StopRelationalDatabase",
                "lightsail:UpdateRelationalDatabase"
            ],
            "Resource": "arn:aws:lightsail:us-east-2:123456789012:RelationalDatabase/244ad76f-8aad-4741-809f-12345EXAMPLE"
        }
    ]
}
```


To get the ARN for your database, use the `GetRelationalDatabase` Lightsail API action, and specify the name of the database using the `relationalDatabaseName` parameter. Your database ARN will be listed in the results of that action as shown in the following example. For more information, see [GetRelationalDatabase](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetRelationalDatabase.html) in the *Amazon Lightsail API Reference*.

![A database ARN in the GetRelationalDatabase results.](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-database-arn.png)


# Use service-linked roles for Amazon Lightsail
Use service-linked roles

Amazon Lightsail uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Amazon Lightsail. Service-linked roles are predefined by Amazon Lightsail and include all the permissions that Lightsail requires to call other AWS services on your behalf. 

A service-linked role makes setting up Amazon Lightsail easier because you don’t have to manually add the necessary permissions. Amazon Lightsail defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Lightsail can assume its roles. The defined permissions include the trust policy and the permissions policy, which cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your Amazon Lightsail resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-Linked Role Permissions for Amazon Lightsail


Amazon Lightsail uses the service-linked role named **AWSServiceRoleForLightsail**. This role allows Lightsail to export Lightsail instance and block storage disk snapshots to Amazon Elastic Compute Cloud (Amazon EC2), and to get the current account-level Block Public Access configuration from Amazon Simple Storage Service (Amazon S3).

The AWSServiceRoleForLightsail service-linked role trusts the following services to assume the role:
+ `lightsail.amazonaws.com`

The role permissions policy allows Amazon Lightsail to complete the following actions on the specified resources:
+ Action: `ec2:CopySnapshot` on all AWS resources.
+ Action: `ec2:DescribeSnapshots` on all AWS resources.
+ Action: `ec2:CopyImage` on all AWS resources.
+ Action: `ec2:DescribeImages` on all AWS resources.
+ Action: `cloudformation:DescribeStacks` on all AWS CloudFormation stacks.
+ Action: `s3:GetAccountPublicAccessBlock` on all AWS resources.

### Service-Linked Role Permissions


You must configure permissions to allow an IAM entity (such as a user, group, or role) to create or edit the description of a service-linked role.

**To allow an IAM entity to create a specific service-linked role**

Add the following policy to the IAM entity that needs to create the service-linked role.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/lightsail.amazonaws.com/AWSServiceRoleForLightsail*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "lightsail.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws:iam::*:role/aws-service-role/lightsail.amazonaws.com/AWSServiceRoleForLightsail*"
        }
    ]
}
```


**To allow an IAM entity to create any service-linked role**

Add the following statement to the permissions policy for the IAM entity that needs to create a service-linked role, or any service role. Because the resource is `aws-service-role/*` rather than the Lightsail role path, this statement allows creating the service-linked role of any service, not only Lightsail.

```
{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/*"
}
```

**To allow an IAM entity to edit the description of any service roles**

Add the following statement to the permissions policy for the IAM entity that needs to edit the description of a service-linked role, or any service role.

```
{
    "Effect": "Allow",
    "Action": "iam:UpdateRoleDescription",
    "Resource": "arn:aws:iam::*:role/aws-service-role/*"
}
```

**To allow an IAM entity to delete a specific service-linked role**

Add the following statement to the permissions policy for the IAM entity that needs to delete the service-linked role.

```
{
    "Effect": "Allow",
    "Action": [
        "iam:DeleteServiceLinkedRole",
        "iam:GetServiceLinkedRoleDeletionStatus"
    ],
    "Resource": "arn:aws:iam::*:role/aws-service-role/lightsail.amazonaws.com/AWSServiceRoleForLightsail*"
}
```

**To allow an IAM entity to delete any service role**

Add the following statement to the permissions policy for the IAM entity that needs to delete a service-linked role, or any service role.

```
{
    "Effect": "Allow",
    "Action": [
        "iam:DeleteServiceLinkedRole",
        "iam:GetServiceLinkedRoleDeletionStatus"
    ],
    "Resource": "arn:aws:iam::*:role/aws-service-role/*"
}
```

Alternatively, you can use an AWS managed policy to provide full access to the service.

## Creating a Service-Linked Role for Amazon Lightsail


You don't need to manually create a service-linked role. When you export your Lightsail instance or block storage disk snapshot to Amazon EC2, or create or update a Lightsail bucket in the AWS Management Console, the AWS CLI, or the AWS API, Amazon Lightsail creates the service-linked role for you.

If you delete this service-linked role and need to create it again, you can use the same process to recreate the role in your account. When you export your Lightsail instance or block storage disk snapshot to Amazon EC2, or create or update a Lightsail bucket, Amazon Lightsail creates the service-linked role for you again. 

**Important**  
You must configure IAM permissions to allow Amazon Lightsail to create the service-linked role. To do this, complete the steps in the preceding *Service-Linked Role Permissions* section.

## Editing a Service-Linked Role for Amazon Lightsail


Amazon Lightsail does not allow you to edit the AWSServiceRoleForLightsail service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a Service-Linked Role for Amazon Lightsail


If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must confirm that there are no Amazon Lightsail instance or disk snapshots in a pending copy state before you can delete the AWSServiceRoleForLightsail service-linked role. For more information, see [Export snapshots to Amazon EC2](amazon-lightsail-exporting-snapshots-to-amazon-ec2.md).

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForLightsail service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for Amazon Lightsail Service-Linked Roles


Amazon Lightsail supports using service-linked roles in all of the regions where the service is available. For more information about the regions that Lightsail is available in, see [Amazon Lightsail Regions](https://docs.aws.amazon.com/general/latest/gr/rande.html#lightsail_region).

# Manage Lightsail buckets with an IAM policy
Manage buckets with IAM

The following policy grants a user access to manage a specific bucket in the Amazon Lightsail object storage service. This policy grants access to buckets through the Lightsail console, the AWS Command Line Interface (AWS CLI), AWS API, and AWS SDKs. In the policy, replace *<BucketName>* with the name of the bucket to manage. For more information about IAM policies, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *AWS Identity and Access Management User Guide*. For more information about creating IAM users and user groups, see [Creating your first IAM delegated user and user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-delegated-user.html) in the *AWS Identity and Access Management User Guide*.

**Important**  
Users who don't have this policy will experience errors when viewing the **Objects** tab of the bucket management page in the Lightsail console.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LightsailAccess",
            "Effect": "Allow",
            "Action": "lightsail:*",
            "Resource": "*"
        },
        {
            "Sid": "S3BucketAccess",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<BucketName>/*",
                "arn:aws:s3:::<BucketName>"
            ]
        }
    ]
}
```
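A way to apply and check the policy above, as an added example that is not AWS code: it fills in the `<BucketName>` placeholder for a constructed bucket name and audits the result so that the `s3:*` grant never reaches beyond that one bucket (a pasted policy with `Resource: "*"`, or with the placeholder left in, is flagged). Only the Python standard library is assumed; `build_bucket_policy`, `audit_s3_scope` and `weak_variant` are names chosen here.

```python
import copy
import json
from typing import Any, Dict, List

# The policy shown above, still carrying the <BucketName> placeholder.
POLICY_TEMPLATE: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LightsailAccess",
            "Effect": "Allow",
            "Action": "lightsail:*",
            "Resource": "*",
        },
        {
            "Sid": "S3BucketAccess",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::<BucketName>/*", "arn:aws:s3:::<BucketName>"],
        },
    ],
}


def build_bucket_policy(bucket_name: str) -> Dict[str, Any]:
    """Return the policy with every <BucketName> placeholder replaced."""
    if not bucket_name or "<" in bucket_name or "*" in bucket_name:
        raise ValueError("bucket_name must be a concrete bucket name")
    text = json.dumps(POLICY_TEMPLATE).replace("<BucketName>", bucket_name)
    return json.loads(text)


def _as_list(value: Any) -> List[str]:
    """IAM allows a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_s3_scope(policy: Dict[str, Any], bucket_name: str) -> List[str]:
    """Report Allow statements whose S3 permissions reach beyond bucket_name.

    The policy on this page is meant to manage one bucket. An s3:* Allow on
    Resource "*", or on another bucket's ARN, would instead let the user
    manage every bucket the account can reach.
    """
    in_scope = {f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"}
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in in_scope:
                findings.append(f"{sid}: resource {resource!r} is not scoped to {bucket_name}")
    # A leftover placeholder means the policy was pasted without editing it.
    if "<BucketName>" in json.dumps(policy):
        findings.append("policy still contains the <BucketName> placeholder")
    return findings


def weak_variant(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed counter-example: the same policy with s3:* on Resource "*"."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        if stmt.get("Sid") == "S3BucketAccess":
            stmt["Resource"] = "*"
    return weak


if __name__ == "__main__":
    bucket = "example-bucket"  # constructed name, not a real bucket
    good = build_bucket_policy(bucket)
    print(json.dumps(good, indent=2))
    print("scoped policy findings:", audit_s3_scope(good, bucket))  # []
    print("weak policy findings:", audit_s3_scope(weak_variant(good), bucket))
```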

## Manage buckets and objects


These are the general steps to manage your Lightsail object storage bucket:

1. Learn about objects and buckets in the Amazon Lightsail object storage service. For more information, see [Object storage in Amazon Lightsail](buckets-in-amazon-lightsail.md).

1. Learn about the names that you can give your buckets in Amazon Lightsail. For more information, see [Bucket naming rules in Amazon Lightsail](bucket-naming-rules-in-amazon-lightsail.md).

1. Get started with the Lightsail object storage service by creating a bucket. For more information, see [Creating buckets in Amazon Lightsail](amazon-lightsail-creating-buckets.md).

1. Learn about security best practices for buckets and the access permissions that you can configure for your bucket. You can make all objects in your bucket public or private, or you can choose to make individual objects public. You can also grant access to your bucket by creating access keys, attaching instances to your bucket, and granting access to other AWS accounts. For more information, see [Security Best Practices for Amazon Lightsail object storage](amazon-lightsail-bucket-security-best-practices.md) and [Understanding bucket permissions in Amazon Lightsail](amazon-lightsail-understanding-bucket-permissions.md).

   After learning about bucket access permissions, see the following guides to grant access to your bucket:
   + [Block public access for buckets in Amazon Lightsail](amazon-lightsail-block-public-access-for-buckets.md)
   + [Configuring bucket access permissions in Amazon Lightsail](amazon-lightsail-configuring-bucket-permissions.md)
   + [Configuring access permissions for individual objects in a bucket in Amazon Lightsail](amazon-lightsail-configuring-individual-object-access.md)
   + [Creating access keys for a bucket in Amazon Lightsail](amazon-lightsail-creating-bucket-access-keys.md)
   + [Configuring resource access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-resource-access.md)
   + [Configuring cross-account access for a bucket in Amazon Lightsail](amazon-lightsail-configuring-bucket-cross-account-access.md)

1. Learn how to enable access logging for your bucket, and how to use access logs to audit the security of your bucket. For more information, see the following guides.
   + [Access logging for buckets in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-logs.md)
   + [Access log format for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-bucket-access-log-format.md)
   + [Enabling access logging for a bucket in the Amazon Lightsail object storage service](amazon-lightsail-enabling-bucket-access-logs.md)
   + [Using access logs for a bucket in Amazon Lightsail to identify requests](amazon-lightsail-using-bucket-access-logs.md)

1. Create an IAM policy that grants a user the ability to manage a bucket in Lightsail. For more information, see [IAM policy to manage buckets in Amazon Lightsail](#amazon-lightsail-bucket-management-policies).

1. Learn about the way that objects in your bucket are labeled and identified. For more information, see [Understanding object key names in Amazon Lightsail](understanding-bucket-object-key-names-in-amazon-lightsail.md).

1. Learn how to upload files and manage objects in your buckets. For more information, see the following guides.
   + [Uploading files to a bucket in Amazon Lightsail](amazon-lightsail-uploading-files-to-a-bucket.md)
   + [Uploading files to a bucket in Amazon Lightsail using multipart upload](amazon-lightsail-uploading-files-to-a-bucket-using-multipart-upload.md)
   + [Viewing objects in a bucket in Amazon Lightsail](amazon-lightsail-viewing-objects-in-a-bucket.md)
   + [Copying or moving objects in a bucket in Amazon Lightsail](amazon-lightsail-copying-moving-bucket-objects.md)
   + [Downloading objects from a bucket in Amazon Lightsail](amazon-lightsail-downloading-bucket-objects.md)
   + [Filtering objects in a bucket in Amazon Lightsail](amazon-lightsail-filtering-bucket-objects.md)
   + [Tagging objects in a bucket in Amazon Lightsail](amazon-lightsail-tagging-bucket-objects.md)
   + [Deleting objects in a bucket in Amazon Lightsail](amazon-lightsail-deleting-bucket-objects.md)

1. Enable object versioning to preserve, retrieve, and restore every version of every object stored in your bucket. For more information, see [Enabling and suspending object versioning in a bucket in Amazon Lightsail](amazon-lightsail-managing-bucket-object-versioning.md).

1. After enabling object versioning, you can restore previous versions of objects in your bucket. For more information, see [Restoring previous versions of objects in a bucket in Amazon Lightsail](amazon-lightsail-restoring-bucket-object-versions.md).

1. Monitor the utilization of your bucket. For more information, see [Viewing metrics for your bucket in Amazon Lightsail](amazon-lightsail-viewing-bucket-metrics.md).

1. Configure an alarm for bucket metrics to be notified when the utilization of your bucket crosses a threshold. For more information, see [Creating bucket metric alarms in Amazon Lightsail](amazon-lightsail-adding-bucket-metric-alarms.md).

1. Change the storage plan of your bucket if it's running low on storage and network transfer. For more information, see [Changing the plan of your bucket in Amazon Lightsail](amazon-lightsail-changing-bucket-plans.md).

1. Learn how to connect your bucket to other resources. For more information, see the following tutorials.
   + [Tutorial: Connecting a WordPress instance to an Amazon Lightsail bucket](amazon-lightsail-connecting-buckets-to-wordpress.md)
   + [Tutorial: Using an Amazon Lightsail bucket with a Lightsail content delivery network distribution](amazon-lightsail-using-distributions-with-buckets.md)

1. Delete your bucket if you're no longer using it. For more information, see [Deleting buckets in Amazon Lightsail](amazon-lightsail-deleting-buckets.md).

# Grant Lightsail access for an IAM user
Manage IAM user access

As an [AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html), or an AWS Identity and Access Management (IAM) user with administrator access, you can create one or more IAM users in your AWS account, and those users can be configured with different levels of access to services offered by AWS.

For Amazon Lightsail, you might want to create an IAM user who can access only the Lightsail service. You do this when someone joins your team who requires access to view, create, edit, or delete Lightsail resources but doesn’t need access to other services offered by AWS. To configure this, you must first create an IAM policy that grants access to Lightsail, then create an IAM group, and attach the policy to the group. You then create IAM users and make them members of the group, which gives them access to Lightsail.

When someone leaves your team, you can remove the user from the Lightsail access group to revoke their access to Lightsail (for example, if they left your team but still work at your company), or you can delete the user from IAM (for example, if they left your company and will not require access again).

**Warning**  
This scenario requires IAM users with programmatic access and long-term credentials, which presents a security risk. To help mitigate this risk, we recommend that you provide these users with only the permissions they require to perform the task and that you remove these users when they are no longer needed. Access keys can be updated if necessary. For more information, see [Update access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id-credentials-access-keys-update.html) in the *IAM User Guide*.

**Contents**
+ [Create an IAM policy for Lightsail access](#create-an-iam-policy-for-lightsail-access)
+ [Create an IAM group for Lightsail access and attach the Lightsail access policy](#create-an-iam-group-for-lightsail-access)
+ [Create an IAM user and add the user to the Lightsail access group](#create-an-iam-user-for-lightsail-access)

## Create an IAM policy for Lightsail access


Follow these steps to create an IAM policy for Lightsail access. For more information, see [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the IAM documentation.

1. Sign in to the [IAM console](https://console.aws.amazon.com/iam/).

1. Choose **Policies** in the left navigation pane.

1. Choose **Create Policy**.

1. In the **Create Policy** page, choose the **JSON** tab.  
![The JSON tab in the IAM console.](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-iam-policy-json.png)

1. Highlight the contents of the text box, and then copy and paste the following policy configuration text.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "lightsail:*"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

   The result should look like the following example:  
![The JSON tab in the IAM console populated with a policy for Lightsail access.](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-iam-policy-json-added.png)

   This grants access to all Lightsail actions and resources. Actions that require access to other services offered by AWS, such as enabling VPC peering, exporting Lightsail snapshots to Amazon EC2, or creating Amazon EC2 resources using Lightsail, require additional permissions not included in this policy. For more information, see the following guides:
   + [Set up Amazon VPC peering to work with AWS resources outside of Amazon Lightsail](lightsail-how-to-set-up-vpc-peering-with-aws-resources.md)
   + [Exporting Amazon Lightsail snapshots to Amazon EC2](amazon-lightsail-exporting-snapshots-to-amazon-ec2.md)
   + [Creating Amazon EC2 instances from exported snapshots in Lightsail](amazon-lightsail-creating-ec2-instances-from-exported-snapshots.md)

   For examples of action-specific and resource-specific permissions that you can grant, see [Amazon Lightsail Resource-Level Permissions Policy Examples](security_iam_resource-based-policy-examples.md).

1. Choose **Review Policy**.

1. In the **Review Policy** page, name the policy. Give it a descriptive name; for example, `LightsailFullAccessPolicy`.

1. Add a description, and review the policy settings. If you need to make changes, choose **Previous** to modify the policy.  
![The Review Policy page in the IAM console.](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-iam-policy-review.png)

1. After you confirm the policy settings are correct, choose **Create Policy**.

   The policy is now created and can be added to an existing IAM group, or you can create a new IAM group using the steps in the following section of this guide.

## Create an IAM group for Lightsail access and attach the Lightsail access policy


Follow these steps to create an IAM group for Lightsail access, then attach the Lightsail access policy created in the previous section of this guide. For more information, see [Creating IAM Groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html) and [Attaching a Policy to an IAM Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html) in the IAM documentation.

1. In the [IAM console](https://console.aws.amazon.com/iam/), choose **Groups** in the left navigation pane.

1. Choose **Create New Group**.

1. In the **Set Group Name** page, name the group. Give it a descriptive name; for example, `LightsailFullAccessGroup`.

1. In the **Attach Policy** page, search for the Lightsail policy you created earlier in this guide; for example, `LightsailFullAccessPolicy`.

1. Add a checkmark next to the policy, then choose **Next step**.

1. Review the group settings. If you need to make changes, choose **Previous** to modify the group policies.

1. After you confirm the group settings are correct, choose **Create Group**.

   The group is now created, and users added to the group will have access to Lightsail actions and resources. You can add existing IAM users to the group, or you can create new IAM users using the steps in the following section of this guide.

## Create an IAM user and add the user to the Lightsail access group


Follow these steps to create an IAM user and add the user to the Lightsail access group. For more information, see [Creating an IAM User in Your AWS Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) and [Adding and Removing Users in an IAM Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html) in the IAM documentation.

1. In the [IAM console](https://console.aws.amazon.com/iam/), choose **Users** in the left navigation pane.

1. Choose **Add user**.

1. In the **Set user details** section of the page, name the user.

1. Under the **Select AWS access type** section of the page, choose from the following options:

   1. Choose **Programmatic Access** to enable an access key ID and a secret access key for the AWS API, CLI, SDK, and other development tools, which can be used for Lightsail actions and resources. For more information, see [Configure the AWS CLI to work with Lightsail](lightsail-how-to-set-up-and-configure-aws-cli.md).

   1. Choose **AWS Management Console access** to enable a password that allows the user to sign in to the AWS Management Console, and thereby the Lightsail console. The following password options appear when this option is selected:

1. Choose **Autogenerated password** to have IAM generate the password, or choose **Custom password** to enter your own password.

      1. Choose **Require password reset** to have the user create a new password (reset their password) at the next sign in.
   **Note**  
   If you choose the **Programmatic Access** option only, the user will not be able to sign in to the AWS Management Console or the Lightsail console.

1. Choose **Next: Permissions**.

1. Under the **Set permissions** section of the page, choose **Add user to group**, and then select the Lightsail access group you created earlier in this guide; for example, `LightsailFullAccessGroup`.  
![Add user to a group in the IAM console.](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-iam-user-set-permissions.png)

1. Choose **Next: Tags**.

1. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM Entities.

1. Choose **Next: Review**.

1. Review the user settings. If you need to make changes, choose **Previous** to modify the user’s groups or policies.

1. After you confirm the user settings are correct, choose **Create user**.

   The user is created, and the user will have access to Lightsail. To revoke the user’s Lightsail access, remove the user from the Lightsail access group. For more information, see [Adding and Removing Users in an IAM Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html) in the IAM documentation.

1. To get the user’s credentials, choose the following options:

   1. Choose **Download .csv** to download a file containing the user name, password, access key ID, secret access key, and the AWS console login link for your account.

   1. Choose **Show** under **Secret access key** to view the access key that can be used to access Lightsail programmatically (using the AWS API, CLI, SDK, and other development tools).
      **Important**  
      This is your only opportunity to view or download the secret access keys, and you must provide this information to your users before they can use the AWS API. Save the user's new access key ID and secret access key in a safe and secure place. You will not have access to the secret keys again after this step.

   1. Choose **Show** under **Password** to view the user’s password if it was generated by IAM. You should provide the password to the user so that they can sign in for the first time.

   1. Choose **Send email** to send an email to the user letting them know they now have access to Lightsail.  
![Confirmation that an IAM user was successfully created.](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-iam-user-successfully-created.png)

# Keep Lightsail instances and containers secure with update management
Update management

Amazon Web Services (AWS), Amazon Lightsail, and third-party application vendors periodically update and patch the instance images (also known as *blueprints*) that are available on Lightsail. AWS and Lightsail do not update or patch the operating system or applications on instances after you create them. Lightsail also does not update or patch the operating system and software that you configure on your Lightsail container services. Therefore, we recommend that you regularly update, patch, and secure the operating system and applications on your Amazon Lightsail instances and container services. For more information, see the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/).

## Instance blueprint software support


The following list of Amazon Lightsail platforms and blueprints links to each vendor’s support page. There, you can find how-to guides and information about keeping your operating system and application up to date. You can use any automatic update service or recommended update process that the application vendor provides.

**Windows**
+ [Windows Server 2022, Windows Server 2019, Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/)
+ [Microsoft SQL Server](https://docs.microsoft.com/en-us/sql/)

**Linux and Unix** – Operating system only
+ [Amazon Linux 2023](https://aws.amazon.com/linux/amazon-linux-2023/)
+ [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2)
+ [Ubuntu](https://ubuntu.com/support/community-support)
+ [Debian](https://www.debian.org/support)
+ [FreeBSD](https://www.freebsd.org/community)
+ [openSUSE](https://en.opensuse.org/)
+ [CentOS](https://docs.centos.org/)

**Linux and Unix** – Operating system plus application
+ [Plesk Hosting Stack on Ubuntu](https://support.plesk.com/)
+ [cPanel & WHM for Linux](https://cpanel.com/support)
+ [WordPress](https://docs.bitnami.com/general/apps/wordpress)
+ [WordPress Multisite](https://docs.bitnami.com/general/apps/wordpress-multisite)
+ [LAMP (PHP 8)](https://docs.bitnami.com/general/infrastructure/lamp)
+ [Node.js](https://docs.bitnami.com/general/infrastructure/nodejs)
+ [Joomla!](https://docs.bitnami.com/general/apps/joomla)
+ [Magento](https://docs.bitnami.com/general/apps/magento)
+ [MEAN](https://docs.bitnami.com/general/infrastructure/mean)
+ [Drupal](https://docs.bitnami.com/general/apps/drupal)
+ [GitLab CE](https://docs.bitnami.com/general/apps/gitlab)
+ [Redmine](https://docs.bitnami.com/general/apps/redmine)
+ [Nginx](https://docs.bitnami.com/general/infrastructure/nginx)
+ [Ghost](https://docs.bitnami.com/general/apps/ghost)
+ [Django](https://docs.bitnami.com/general/infrastructure/django)
+ [PrestaShop](https://docs.bitnami.com/general/apps/prestashop)

# Validate compliance for Amazon Lightsail resources
Compliance validation

AWS provides the following resources to help with compliance:
+ [Security and Compliance Quick Start Guides](https://aws.amazon.com/quickstart/?awsf.quickstart-homepage-filter=categories%23security-identity-compliance) – These deployment guides discuss architectural considerations and provide steps for deploying security- and compliance-focused baseline environments on AWS.
+ [AWS Compliance Resources](https://aws.amazon.com/compliance/resources/) – This collection of workbooks and guides might apply to your industry and location.
+ [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *AWS Config Developer Guide* – The AWS Config service assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – This AWS service provides a comprehensive view of your security state within AWS that helps you check your compliance with security industry standards and best practices.

# Access Amazon Lightsail using an interface endpoint (AWS PrivateLink)
AWS PrivateLink

You can use AWS PrivateLink to create a private connection between your VPC and Amazon Lightsail. You can access Amazon Lightsail as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or Direct Connect connection. Instances in your VPC don't need public IP addresses to access Amazon Lightsail.

You establish this private connection by creating an *interface endpoint*, powered by AWS PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for Amazon Lightsail.

For more information, see [Access AWS services through AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) in the *AWS PrivateLink Guide*.

## Considerations for Amazon Lightsail
Considerations

Before you set up an interface endpoint for Amazon Lightsail, you must have a virtual private cloud (VPC) created. For more information, see [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) in the *Amazon Virtual Private Cloud User Guide*. Additionally, review the [Considerations](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints) in the *AWS PrivateLink Guide*.

Amazon Lightsail supports making calls to all of its API actions through the interface endpoint. For more information on the API actions available for Lightsail, see the [Amazon Lightsail API reference](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Operations.html).

## Create an interface endpoint for Amazon Lightsail
Create an interface endpoint

You can create an interface endpoint for Amazon Lightsail using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see [Create an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the *AWS PrivateLink Guide*.

Create an interface endpoint for Amazon Lightsail using the following service name:

```
com.amazonaws.region.lightsail
```

If you enable private DNS for the interface endpoint, you can make API requests to Amazon Lightsail using its default Regional DNS name. For example, `lightsail.us-east-1.amazonaws.com`. For the Region codes that you can use, see [Regions and Availability Zones for Lightsail](understanding-regions-and-availability-zones-in-amazon-lightsail.md).

## AWS CLI examples


To access Lightsail using the interface endpoints, use the `--region` and `--endpoint-url` parameters with your AWS CLI commands. For a list of operations that you can perform in Lightsail, see [Actions](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_Operations.html) in the *Amazon Lightsail API Reference*.

In the following examples, replace the AWS Region `us-east-1` and the DNS name of the VPC endpoint `vpce-1a2b3c4d-5e6f.lightsail.us-east-1.vpce.amazonaws.com` with your own values.

**Example: Use an endpoint URL to list Lightsail instances**  
The following example lists your instances using an interface endpoint.

```
aws lightsail get-instances --region us-east-1 --endpoint-url https://vpce-1a2b3c4d-5e6f.lightsail.us-east-1.vpce.amazonaws.com
```

**Example: Use an endpoint URL to list Lightsail disks**  
The following example lists your disks using an interface endpoint.

```
aws lightsail get-disks --region us-east-1 --endpoint-url https://vpce-1a2b3c4d-5e6f.lightsail.us-east-1.vpce.amazonaws.com
```

## Create an endpoint policy for your interface endpoint
Create an endpoint policy

An endpoint policy is an IAM resource that you can attach to an interface endpoint. The default endpoint policy allows full access to Amazon Lightsail through the interface endpoint. To control the access allowed to Amazon Lightsail from your VPC, attach a custom endpoint policy to the interface endpoint.

An endpoint policy specifies the following information:
+ The principals that can perform actions (AWS accounts, IAM users, and IAM roles).
+ The actions that can be performed.
+ The resources on which the actions can be performed.

For more information, see [Control access to services using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *AWS PrivateLink Guide*.

**Example: VPC endpoint policy for Amazon Lightsail actions**  
The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it denies everyone permission to delete block storage disks in Lightsail through the endpoint and grants everyone permission to perform all other Lightsail actions.

```
{
  "Statement": [
    {
      "Action": "lightsail:*",
      "Effect": "Allow",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Action": "lightsail:DeleteDisk",
      "Effect": "Deny",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}
```
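The evaluation this policy relies on, as an added example that is not AWS code: a minimal IAM-style evaluator run against the endpoint policy above and against the Lightsail full-access identity policy from the *Create an IAM policy for Lightsail access* section, showing that the explicit Deny on `lightsail:DeleteDisk` wins, that an unlisted action such as an EC2 call is implicitly denied, and that a request through the endpoint must be allowed by both policies. It assumes only the Python standard library and deliberately ignores Principal, Resource and Condition, which are all `"*"` in the policies on this page.

```python
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# The endpoint policy from this section: allow every Lightsail action through
# the endpoint, but deny DeleteDisk.
ENDPOINT_POLICY: Dict[str, Any] = {
    "Statement": [
        {"Action": "lightsail:*", "Effect": "Allow", "Principal": "*", "Resource": "*"},
        {"Action": "lightsail:DeleteDisk", "Effect": "Deny", "Principal": "*", "Resource": "*"},
    ]
}

# The identity policy from "Create an IAM policy for Lightsail access".
LIGHTSAIL_FULL_ACCESS: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["lightsail:*"], "Resource": "*"}],
}


def _as_list(value: Any) -> List[str]:
    """IAM accepts either a single string or a list for Action."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: Dict[str, Any], action: str) -> str:
    """Return "deny", "allow" or "implicit_deny" for one API action.

    Simplification: Principal, Resource and Condition are not checked, because
    every policy on this page uses "*" for them. The decision order follows
    IAM: an explicit Deny wins over any Allow, and an action that no statement
    mentions is denied by default.
    """
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny always wins, stop here
        decision = "allow"
    return decision


def allowed_through_endpoint(identity_policy: Dict[str, Any],
                             endpoint_policy: Dict[str, Any], action: str) -> bool:
    """A request via the interface endpoint needs both policies to allow it.

    The endpoint policy narrows what can pass through the endpoint; it does
    not grant anything the caller's own IAM policy does not already allow.
    """
    return (evaluate(identity_policy, action) == "allow"
            and evaluate(endpoint_policy, action) == "allow")


if __name__ == "__main__":
    # ec2:DescribeVpcs stands in for any non-Lightsail action; the page only
    # says such actions need permissions beyond lightsail:*.
    for action in ("lightsail:GetDisks", "lightsail:DeleteDisk", "ec2:DescribeVpcs"):
        print(f"{action:24} endpoint={evaluate(ENDPOINT_POLICY, action):13} "
              f"identity={evaluate(LIGHTSAIL_FULL_ACCESS, action):13} "
              f"permitted={allowed_through_endpoint(LIGHTSAIL_FULL_ACCESS, ENDPOINT_POLICY, action)}")
```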