End of support notice: On October 7, 2026, AWS will end support for AWS Proton. After October 7, 2026, you will no longer be able to access the AWS Proton console or AWS Proton resources. Your deployed infrastructure will remain intact. For more information, see AWS Proton Service Deprecation and Migration Guide.
Condition-key based policy examples for AWS Proton
The following example IAM policy denies access to AWS Proton actions that match the templates specified in the Condition block. Note that these condition keys are only supported by the actions listed at Actions, resources, and condition keys for AWS Proton. To manage permissions on other actions, such as DeleteEnvironmentTemplate, you must use Resource-level access control.
Example policy that denies AWS Proton template actions on specific templates:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["proton:*"],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "proton:EnvironmentTemplate": ["arn:aws:proton:region_id:123456789012:environment-template/my-environment-template"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": ["proton:*"],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "proton:ServiceTemplate": ["arn:aws:proton:region_id:123456789012:service-template/my-service-template"]
        }
      }
    }
  ]
}
In the next example policy, the first Resource-level statement denies access to AWS Proton template actions, other than ListServiceTemplates (an action that cannot be scoped to a template resource), that match the service template listed in the Resource block. The second statement denies access to AWS Proton actions that match the template listed in the Condition block.
Example policy that denies AWS Proton actions that match a specific template:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "proton:*"
      ],
      "Resource": "arn:aws:proton:us-east-1:123456789012:service-template/my-service-template"
    },
    {
      "Effect": "Deny",
      "Action": [
        "proton:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "proton:ServiceTemplate": [
            "arn:aws:proton:us-east-1:123456789012:service-template/my-service-template"
          ]
        }
      }
    }
  ]
}
The final policy example allows developer AWS Proton actions that match the specific service template listed in the Condition block.
Example policy to allow AWS Proton developer actions that match a specific template:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "proton:ListServiceTemplates",
        "proton:ListServiceTemplateVersions",
        "proton:ListServices",
        "proton:ListServiceInstances",
        "proton:ListEnvironments",
        "proton:GetServiceTemplate",
        "proton:GetServiceTemplateVersion",
        "proton:GetService",
        "proton:GetServiceInstance",
        "proton:GetEnvironment",
        "proton:CreateService",
        "proton:UpdateService",
        "proton:UpdateServiceInstance",
        "proton:UpdateServicePipeline",
        "proton:DeleteService",
        "codestar-connections:ListConnections"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "proton:ServiceTemplate": "arn:aws:proton:region_id:123456789012:service-template/my-service-template"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "codestar-connections:PassConnection"
      ],
      "Resource": "arn:aws:codestar-connections:*:*:connection/*",
      "Condition": {
        "StringEquals": {
          "codestar-connections:PassedToService": "proton.amazonaws.com"
        }
      }
    }
  ]
}
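To see how the StringEqualsIfExists operator used throughout these policies behaves when a request does or does not carry the proton:ServiceTemplate key, here is an added Python evaluator (a constructed example, not AWS code and not the IAM policy engine). It models only what these policies use (action wildcards, Resource "*" or an exact ARN, StringEquals and StringEqualsIfExists, explicit Deny over Allow), and its sample policies are shortened copies of the Deny and developer Allow statements above with a constructed template ARN.

```python
"""Toy IAM evaluator for the condition-key policies on this page (constructed
example, not AWS code). It supports only what those policies use: action
wildcards, Resource "*" or an exact ARN, StringEquals / StringEqualsIfExists,
and IAM's ordering: explicit Deny beats Allow, otherwise implicit deny."""
import fnmatch

# Constructed template ARN standing in for the page's placeholder values.
TEMPLATE = "arn:aws:proton:us-east-1:123456789012:service-template/my-service-template"

# Shortened copies of the page's Deny-by-condition and developer Allow statements.
DENY_TEMPLATE = {"Statement": [{"Effect": "Deny", "Action": ["proton:*"], "Resource": "*",
    "Condition": {"StringEqualsIfExists": {"proton:ServiceTemplate": [TEMPLATE]}}}]}
ALLOW_DEV = {"Statement": [{"Effect": "Allow",
    "Action": ["proton:ListServices", "proton:GetService", "proton:CreateService"],
    "Resource": "*",
    "Condition": {"StringEqualsIfExists": {"proton:ServiceTemplate": TEMPLATE}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Every operator/key pair must pass. An ...IfExists operator evaluates to
    true when the key is absent from the request context; a plain StringEquals
    on an absent key evaluates to false."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if context[key] not in _as_list(wanted):
                return False
    return True


def statement_applies(stmt, action, resource, context):
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(r in ("*", resource) for r in _as_list(stmt["Resource"])):
        return False
    return condition_matches(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource="*", context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if statement_applies(s, action, resource, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

The last point worth checking is that a request with no proton:ServiceTemplate key in its context, such as a list call, still satisfies the IfExists Deny condition, so the Deny statement applies to it.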