# Actions, resources, and condition keys for Amazon CloudFront
Amazon CloudFront (service prefix: `cloudfront`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
+ Learn how to [configure this service](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/).
+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/cloudfront/latest/APIReference/).
+ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/auth-and-access-control.html) permission policies.
**Topics**
+ [Actions defined by Amazon CloudFront](#amazoncloudfront-actions-as-permissions)
+ [Resource types defined by Amazon CloudFront](#amazoncloudfront-resources-for-iam-policies)
+ [Condition keys for Amazon CloudFront](#amazoncloudfront-policy-keys)
## Actions defined by Amazon CloudFront
You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The **Access level** column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see [Access levels in policy summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html).
The **Resource types** column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("\*") to which the policy applies in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (\*). If you limit resource access with the `Resource` element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The **Condition keys** column of the Actions table includes keys that you can specify in a policy statement's `Condition` element. For more information on the condition keys that are associated with resources for the service, see the **Condition keys** column of the Resource types table.
The **Dependent actions** column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.
**Note**
Resource condition keys are listed in the [Resource types](#amazoncloudfront-resources-for-iam-policies) table. You can find a link to the resource type that applies to an action in the **Resource types (\*required)** column of the Actions table. The resource type in the Resource types table includes the **Condition keys** column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see [Actions table](reference_policies_actions-resources-contextkeys.html#actions_table).
****
- ** [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-V2-service-specific](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-V2-service-specific) [permission only]**
- **Description:** Grants permission to configure vended log delivery for a distribution
- **Access level:** Permissions management
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_AssociateAlias.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_AssociateAlias.html) **
- **Description:** Grants permission to associate an alias to a CloudFront distribution
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_AssociateDistributionTenantWebACL.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_AssociateDistributionTenantWebACL.html) **
- **Description:** Grants permission to associate a distribution tenant with an AWS WAF web ACL
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_AssociateDistributionWebACL.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_AssociateDistributionWebACL.html) **
- **Description:** Grants permission to associate a distribution with an AWS WAF web ACL
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CopyDistribution.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CopyDistribution.html) **
- **Description:** Grants permission to copy an existing distribution and create a new web distribution
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:** cloudfront:CopyDistribution
cloudfront:CreateDistribution
cloudfront:GetDistribution
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateAnycastIpList.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateAnycastIpList.html) **
- **Description:** Grants permission to create an Anycast static IP list
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys)
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateCachePolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateCachePolicy.html) **
- **Description:** Grants permission to add a new cache policy to CloudFront
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateCloudFrontOriginAccessIdentity.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateCloudFrontOriginAccessIdentity.html) **
- **Description:** Grants permission to create a new CloudFront origin access identity
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateConnectionFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateConnectionFunction.html) **
- **Description:** Grants permission to create a connection function
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys)
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateConnectionGroup.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateConnectionGroup.html) **
- **Description:** Grants permission to create a connection group
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys)
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateContinuousDeploymentPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateContinuousDeploymentPolicy.html) **
- **Description:** Grants permission to add a new continuous-deployment policy to CloudFront
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateDistribution.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateDistribution.html) **
- **Description:** Grants permission to create a new web distribution
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys)
- **Dependent actions:** cloudfront:CreateConnectionGroup
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateDistributionTenant.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateDistributionTenant.html) **
- **Description:** Grants permission to create a distribution tenant
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys)
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateFieldLevelEncryptionConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateFieldLevelEncryptionConfig.html) **
- **Description:** Grants permission to create a new field-level encryption configuration
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateFieldLevelEncryptionProfile.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateFieldLevelEncryptionProfile.html) **
- **Description:** Grants permission to create a field-level encryption profile
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateFunction.html) **
- **Description:** Grants permission to create a CloudFront function
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys)
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateInvalidation.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateInvalidation.html) **
- **Description:** Grants permission to create a new invalidation batch request
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateInvalidationForDistributionTenant.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateInvalidationForDistributionTenant.html) **
- **Description:** Grants permission to create an invalidation for a distribution tenant
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateKeyGroup.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateKeyGroup.html) **
- **Description:** Grants permission to add a new key group to CloudFront
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateKeyValueStore.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateKeyValueStore.html) **
- **Description:** Grants permission to create a CloudFront KeyValueStore
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys)
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateMonitoringSubscription.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateMonitoringSubscription.html) **
- **Description:** Grants permission to enable additional CloudWatch metrics for the specified CloudFront distribution. The additional metrics incur an additional cost
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateOriginAccessControl.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateOriginAccessControl.html) **
- **Description:** Grants permission to create a new origin access control
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateOriginRequestPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateOriginRequestPolicy.html) **
- **Description:** Grants permission to add a new origin request policy to CloudFront
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreatePublicKey.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreatePublicKey.html) **
- **Description:** Grants permission to add a new public key to CloudFront
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateRealtimeLogConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateRealtimeLogConfig.html) **
- **Description:** Grants permission to create a real-time log configuration
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateResponseHeadersPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateResponseHeadersPolicy.html) **
- **Description:** Grants permission to add a new response headers policy to CloudFront
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html) [permission only]**
- **Description:** Grants permission to create a new savings plan
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateStreamingDistribution.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateStreamingDistribution.html) **
- **Description:** Grants permission to create a new RTMP distribution
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateStreamingDistributionWithTags.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateStreamingDistributionWithTags.html) **
- **Description:** Grants permission to create a new RTMP distribution with tags
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys)
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateTrustStore.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateTrustStore.html) **
- **Description:** Grants permission to create a trust store
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys)
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateVpcOrigin.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateVpcOrigin.html) **
- **Description:** Grants permission to create a VPC origin
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys)
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteAnycastIpList.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteAnycastIpList.html) **
- **Description:** Grants permission to delete an Anycast static IP list
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-anycast-ip-list](#amazoncloudfront-anycast-ip-list)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteCachePolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteCachePolicy.html) **
- **Description:** Grants permission to delete a cache policy
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-cache-policy](#amazoncloudfront-cache-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteCloudFrontOriginAccessIdentity.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteCloudFrontOriginAccessIdentity.html) **
- **Description:** Grants permission to delete a CloudFront origin access identity
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-origin-access-identity](#amazoncloudfront-origin-access-identity)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteConnectionFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteConnectionFunction.html) **
- **Description:** Grants permission to delete a connection function
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-connection-function](#amazoncloudfront-connection-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteConnectionGroup.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteConnectionGroup.html) **
- **Description:** Grants permission to delete a connection group
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-connection-group](#amazoncloudfront-connection-group)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteContinuousDeploymentPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteContinuousDeploymentPolicy.html) **
- **Description:** Grants permission to delete a continuous-deployment policy
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-continuous-deployment-policy](#amazoncloudfront-continuous-deployment-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteDistribution.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteDistribution.html) **
- **Description:** Grants permission to delete a web distribution
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteDistributionTenant.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteDistributionTenant.html) **
- **Description:** Grants permission to delete a distribution tenant
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteFieldLevelEncryptionConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteFieldLevelEncryptionConfig.html) **
- **Description:** Grants permission to delete a field-level encryption configuration
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-field-level-encryption-config](#amazoncloudfront-field-level-encryption-config)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteFieldLevelEncryptionProfile.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteFieldLevelEncryptionProfile.html) **
- **Description:** Grants permission to delete a field-level encryption profile
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-field-level-encryption-profile](#amazoncloudfront-field-level-encryption-profile)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteFunction.html) **
- **Description:** Grants permission to delete a CloudFront function
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-function](#amazoncloudfront-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteKeyGroup.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteKeyGroup.html) **
- **Description:** Grants permission to delete a key group
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteKeyValueStore.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteKeyValueStore.html) **
- **Description:** Grants permission to delete a CloudFront KeyValueStore
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-key-value-store](#amazoncloudfront-key-value-store)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteMonitoringSubscription.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteMonitoringSubscription.html) **
- **Description:** Grants permission to disable additional CloudWatch metrics for the specified CloudFront distribution
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteOriginAccessControl.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteOriginAccessControl.html) **
- **Description:** Grants permission to delete an origin access control
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-origin-access-control](#amazoncloudfront-origin-access-control)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteOriginRequestPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteOriginRequestPolicy.html) **
- **Description:** Grants permission to delete an origin request policy
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-origin-request-policy](#amazoncloudfront-origin-request-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeletePublicKey.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeletePublicKey.html) **
- **Description:** Grants permission to delete a public key from CloudFront
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteRealtimeLogConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteRealtimeLogConfig.html) **
- **Description:** Grants permission to delete a real-time log configuration
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-realtime-log-config](#amazoncloudfront-realtime-log-config)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteResourcePolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteResourcePolicy.html) **
- **Description:** Grants permission to delete a resource's policy document
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-vpcorigin](#amazoncloudfront-vpcorigin)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteResponseHeadersPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteResponseHeadersPolicy.html) **
- **Description:** Grants permission to delete a response headers policy
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-response-headers-policy](#amazoncloudfront-response-headers-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteStreamingDistribution.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteStreamingDistribution.html) **
- **Description:** Grants permission to delete an RTMP distribution
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-streaming-distribution](#amazoncloudfront-streaming-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteTrustStore.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteTrustStore.html) **
- **Description:** Grants permission to delete a trust store
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-trust-store](#amazoncloudfront-trust-store)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteVpcOrigin.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DeleteVpcOrigin.html) **
- **Description:** Grants permission to delete a VPC origin
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-vpcorigin](#amazoncloudfront-vpcorigin)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DescribeConnectionFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DescribeConnectionFunction.html) **
- **Description:** Grants permission to get a connection function summary
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-connection-function](#amazoncloudfront-connection-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DescribeFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DescribeFunction.html) **
- **Description:** Grants permission to get a CloudFront function summary
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-function](#amazoncloudfront-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DescribeKeyValueStore.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DescribeKeyValueStore.html) **
- **Description:** Grants permission to get a CloudFront KeyValueStore summary
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-key-value-store](#amazoncloudfront-key-value-store)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DisassociateDistributionTenantWebACL.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DisassociateDistributionTenantWebACL.html) **
- **Description:** Grants permission to disassociate a distribution tenant from an AWS WAF web ACL
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DisassociateDistributionWebACL.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DisassociateDistributionWebACL.html) **
- **Description:** Grants permission to disassociate a distribution from an AWS WAF web ACL
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetAnycastIpList.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetAnycastIpList.html) **
- **Description:** Grants permission to get an Anycast static IP list
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-anycast-ip-list](#amazoncloudfront-anycast-ip-list)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetCachePolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetCachePolicy.html) **
- **Description:** Grants permission to get the cache policy
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-cache-policy](#amazoncloudfront-cache-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetCachePolicyConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetCachePolicyConfig.html) **
- **Description:** Grants permission to get the cache policy configuration
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-cache-policy](#amazoncloudfront-cache-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetCloudFrontOriginAccessIdentity.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetCloudFrontOriginAccessIdentity.html) **
- **Description:** Grants permission to get the information about a CloudFront origin access identity
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-origin-access-identity](#amazoncloudfront-origin-access-identity)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetCloudFrontOriginAccessIdentityConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetCloudFrontOriginAccessIdentityConfig.html) **
- **Description:** Grants permission to get the configuration information about a Cloudfront origin access identity
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-origin-access-identity](#amazoncloudfront-origin-access-identity)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetConnectionFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetConnectionFunction.html) **
- **Description:** Grants permission to get a connection function's code
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-connection-function](#amazoncloudfront-connection-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetConnectionGroup.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetConnectionGroup.html) **
- **Description:** Grants permission to get information about a connection group
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-connection-group](#amazoncloudfront-connection-group)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetConnectionGroupByRoutingEndpoint.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetConnectionGroupByRoutingEndpoint.html) **
- **Description:** Grants permission to get information about a connection group by the specified routing endpoint
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-connection-group](#amazoncloudfront-connection-group)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetContinuousDeploymentPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetContinuousDeploymentPolicy.html) **
- **Description:** Grants permission to get the continuous-deployment policy
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-continuous-deployment-policy](#amazoncloudfront-continuous-deployment-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetContinuousDeploymentPolicyConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetContinuousDeploymentPolicyConfig.html) **
- **Description:** Grants permission to get the continuous-deployment policy configuration
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-continuous-deployment-policy](#amazoncloudfront-continuous-deployment-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetDistribution.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetDistribution.html) **
- **Description:** Grants permission to get the information about a web distribution
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetDistributionConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetDistributionConfig.html) **
- **Description:** Grants permission to get the configuration information about a distribution
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetDistributionTenant.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetDistributionTenant.html) **
- **Description:** Grants permission to get information about a distribution tenant
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetDistributionTenantByDomain.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetDistributionTenantByDomain.html) **
- **Description:** Grants permission to get information about a distribution tenant by the associated domain
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetFieldLevelEncryption.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetFieldLevelEncryption.html) **
- **Description:** Grants permission to get the field-level encryption configuration information
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-field-level-encryption-config](#amazoncloudfront-field-level-encryption-config)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetFieldLevelEncryptionConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetFieldLevelEncryptionConfig.html) **
- **Description:** Grants permission to get the field-level encryption configuration information
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-field-level-encryption-config](#amazoncloudfront-field-level-encryption-config)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetFieldLevelEncryptionProfile.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetFieldLevelEncryptionProfile.html) **
- **Description:** Grants permission to get the field-level encryption configuration information
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-field-level-encryption-profile](#amazoncloudfront-field-level-encryption-profile)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetFieldLevelEncryptionProfileConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetFieldLevelEncryptionProfileConfig.html) **
- **Description:** Grants permission to get the field-level encryption profile configuration information
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-field-level-encryption-profile](#amazoncloudfront-field-level-encryption-profile)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetFunction.html) **
- **Description:** Grants permission to get a CloudFront function's code
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-function](#amazoncloudfront-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetInvalidation.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetInvalidation.html) **
- **Description:** Grants permission to get the information about an invalidation
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetInvalidationForDistributionTenant.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetInvalidationForDistributionTenant.html) **
- **Description:** Grants permission to get information about an invalidation for a distribution tenant
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetKeyGroup.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetKeyGroup.html) **
- **Description:** Grants permission to get a key group
- **Access level:** Read
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetKeyGroupConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetKeyGroupConfig.html) **
- **Description:** Grants permission to get a key group configuration
- **Access level:** Read
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetManagedCertificateDetails.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetManagedCertificateDetails.html) **
- **Description:** Grants permission to get details about a CloudFront managed certificate
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetMonitoringSubscription.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetMonitoringSubscription.html) **
- **Description:** Grants permission to get information about whether additional CloudWatch metrics are enabled for the specified CloudFront distribution
- **Access level:** Read
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetOriginAccessControl.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetOriginAccessControl.html) **
- **Description:** Grants permission to get the origin access control
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-origin-access-control](#amazoncloudfront-origin-access-control)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetOriginAccessControlConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetOriginAccessControlConfig.html) **
- **Description:** Grants permission to get the origin access control configuration
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-origin-access-control](#amazoncloudfront-origin-access-control)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetOriginRequestPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetOriginRequestPolicy.html) **
- **Description:** Grants permission to get the origin request policy
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-origin-request-policy](#amazoncloudfront-origin-request-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetOriginRequestPolicyConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetOriginRequestPolicyConfig.html) **
- **Description:** Grants permission to get the origin request policy configuration
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-origin-request-policy](#amazoncloudfront-origin-request-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetPublicKey.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetPublicKey.html) **
- **Description:** Grants permission to get the public key information
- **Access level:** Read
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetPublicKeyConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetPublicKeyConfig.html) **
- **Description:** Grants permission to get the public key configuration information
- **Access level:** Read
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetRealtimeLogConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetRealtimeLogConfig.html) **
- **Description:** Grants permission to get a real-time log configuration
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-realtime-log-config](#amazoncloudfront-realtime-log-config)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetResourcePolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetResourcePolicy.html) **
- **Description:** Grants permission to get the information about a resource's policy document
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-vpcorigin](#amazoncloudfront-vpcorigin)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetResponseHeadersPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetResponseHeadersPolicy.html) **
- **Description:** Grants permission to get the response headers policy
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-response-headers-policy](#amazoncloudfront-response-headers-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetResponseHeadersPolicyConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetResponseHeadersPolicyConfig.html) **
- **Description:** Grants permission to get the response headers policy configuration
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-response-headers-policy](#amazoncloudfront-response-headers-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html) [permission only]**
- **Description:** Grants permission to get a savings plan
- **Access level:** Read
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetStreamingDistribution.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetStreamingDistribution.html) **
- **Description:** Grants permission to get the information about an RTMP distribution
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-streaming-distribution](#amazoncloudfront-streaming-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetStreamingDistributionConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetStreamingDistributionConfig.html) **
- **Description:** Grants permission to get the configuration information about a streaming distribution
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-streaming-distribution](#amazoncloudfront-streaming-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetTrustStore.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetTrustStore.html) **
- **Description:** Grants permission to get information about a trust store
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-trust-store](#amazoncloudfront-trust-store)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetVpcOrigin.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_GetVpcOrigin.html) **
- **Description:** Grants permission to get the information about a VPC origin
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-vpcorigin](#amazoncloudfront-vpcorigin)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListAnycastIpLists.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListAnycastIpLists.html) **
- **Description:** Grants permission to list your Anycast static IP lists
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListCachePolicies.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListCachePolicies.html) **
- **Description:** Grants permission to list all cache policies that have been created in CloudFront for this account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListCloudFrontOriginAccessIdentities.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListCloudFrontOriginAccessIdentities.html) **
- **Description:** Grants permission to list your CloudFront origin access identities
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListConflictingAliases.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListConflictingAliases.html) **
- **Description:** Grants permission to list all aliases that conflict with the given alias in CloudFront
- **Access level:** List
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListConnectionFunctions.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListConnectionFunctions.html) **
- **Description:** Grants permission to list the connection functions in your AWS account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListConnectionGroups.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListConnectionGroups.html) **
- **Description:** Grants permission to list the connection groups in your AWS account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListContinuousDeploymentPolicies.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListContinuousDeploymentPolicies.html) **
- **Description:** Grants permission to list all continuous-deployment policies in the account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionTenants.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionTenants.html) **
- **Description:** Grants permission to list the distribution tenants in your AWS account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionTenantsByCustomization.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionTenantsByCustomization.html) **
- **Description:** Grants permission to list the distribution tenants by the customization that you specify
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributions.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributions.html) **
- **Description:** Grants permission to list the distributions associated with your AWS account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByAnycastIpListId.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByAnycastIpListId.html) **
- **Description:** Grants permission to list the distributions in your account that are associated with the specified AnycastIpListId
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByCachePolicyId.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByCachePolicyId.html) **
- **Description:** Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified cache policy
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByConnectionFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByConnectionFunction.html) **
- **Description:** Grants permission to list summaries for distributions associated with the specified connection function
- **Access level:** List
- **Resource types (\*required):** [#amazoncloudfront-connection-function](#amazoncloudfront-connection-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByConnectionMode.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByConnectionMode.html) **
- **Description:** Grants permission to list the distributions by the specified connection mode
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByKeyGroup.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByKeyGroup.html) **
- **Description:** Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified key group
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html) [permission only]**
- **Description:** Grants permission to list the distributions associated a Lambda function
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByOriginRequestPolicyId.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByOriginRequestPolicyId.html) **
- **Description:** Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified origin request policy
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByRealtimeLogConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByRealtimeLogConfig.html) **
- **Description:** Grants permission to get a list of distributions that have a cache behavior that's associated with the specified real-time log configuration
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByResponseHeadersPolicyId.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByResponseHeadersPolicyId.html) **
- **Description:** Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified response headers policy
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByTrustStore.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByTrustStore.html) **
- **Description:** Grants permission to list summaries for distributions associated with the specified trust store
- **Access level:** List
- **Resource types (\*required):** [#amazoncloudfront-trust-store](#amazoncloudfront-trust-store)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByVpcOriginId.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByVpcOriginId.html) **
- **Description:** Grants permission to list IDs for distributions associated with the specified VPC origin
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByWebACLId.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDistributionsByWebACLId.html) **
- **Description:** Grants permission to list the distributions associated with your AWS account with given AWS WAF web ACL
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDomainConflicts.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListDomainConflicts.html) **
- **Description:** Grants permission to list domain conflicts for a specified domain
- **Access level:** List
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant) / **Condition keys:** / **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListFieldLevelEncryptionConfigs.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListFieldLevelEncryptionConfigs.html) **
- **Description:** Grants permission to list all field-level encryption configurations that have been created in CloudFront for this account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListFieldLevelEncryptionProfiles.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListFieldLevelEncryptionProfiles.html) **
- **Description:** Grants permission to list all field-level encryption profiles that have been created in CloudFront for this account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListFunctions.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListFunctions.html) **
- **Description:** Grants permission to get a list of CloudFront functions
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListInvalidations.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListInvalidations.html) **
- **Description:** Grants permission to list your invalidation batches
- **Access level:** List
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListInvalidationsForDistributionTenant.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListInvalidationsForDistributionTenant.html) **
- **Description:** Grants permission to list the invalidations for a distribution tenant
- **Access level:** List
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListKeyGroups.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListKeyGroups.html) **
- **Description:** Grants permission to list all key groups that have been created in CloudFront for this account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListKeyValueStores.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListKeyValueStores.html) **
- **Description:** Grants permission to get a list of CloudFront KeyValueStores
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListOriginAccessControls.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListOriginAccessControls.html) **
- **Description:** Grants permission to list all origin access controls in the account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListOriginRequestPolicies.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListOriginRequestPolicies.html) **
- **Description:** Grants permission to list all origin request policies that have been created in CloudFront for this account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListPublicKeys.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListPublicKeys.html) **
- **Description:** Grants permission to list all public keys that have been added to CloudFront for this account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html) [permission only]**
- **Description:** Grants permission to list CloudFront rate cards for the account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListRealtimeLogConfigs.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListRealtimeLogConfigs.html) **
- **Description:** Grants permission to get a list of real-time log configurations
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListResponseHeadersPolicies.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListResponseHeadersPolicies.html) **
- **Description:** Grants permission to list all response headers policies that have been created in CloudFront for this account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html) [permission only]**
- **Description:** Grants permission to list savings plans in the account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListStreamingDistributions.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListStreamingDistributions.html) **
- **Description:** Grants permission to list your RTMP distributions
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListTagsForResource.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListTagsForResource.html) **
- **Description:** Grants permission to list tags for a CloudFront resource
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-anycast-ip-list](#amazoncloudfront-anycast-ip-list) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-connection-function](#amazoncloudfront-connection-function) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-connection-group](#amazoncloudfront-connection-group) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-function](#amazoncloudfront-function) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-key-value-store](#amazoncloudfront-key-value-store) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-trust-store](#amazoncloudfront-trust-store) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-vpcorigin](#amazoncloudfront-vpcorigin) / **Condition keys:** / **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListTrustStores.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListTrustStores.html) **
- **Description:** Grants permission to list the trust stores in your AWS account
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html) [permission only]**
- **Description:** Grants permission to list CloudFront usage
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListVpcOrigins.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ListVpcOrigins.html) **
- **Description:** Grants permission to list VPC origins
- **Access level:** List
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_PublishConnectionFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_PublishConnectionFunction.html) **
- **Description:** Grants permission to publish a connection function
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-connection-function](#amazoncloudfront-connection-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_PublishFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_PublishFunction.html) **
- **Description:** Grants permission to publish a CloudFront function
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-function](#amazoncloudfront-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_PutResourcePolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_PutResourcePolicy.html) **
- **Description:** Grants permission to update or create a resource's policy document
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-vpcorigin](#amazoncloudfront-vpcorigin)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_TagResource.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_TagResource.html) **
- **Description:** Grants permission to add tags to a CloudFront resource
- **Access level:** Tagging
- **Resource types (\*required):** [#amazoncloudfront-anycast-ip-list](#amazoncloudfront-anycast-ip-list) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-connection-function](#amazoncloudfront-connection-function) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-connection-group](#amazoncloudfront-connection-group) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-function](#amazoncloudfront-function) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-key-value-store](#amazoncloudfront-key-value-store) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-streaming-distribution](#amazoncloudfront-streaming-distribution) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-trust-store](#amazoncloudfront-trust-store) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-vpcorigin](#amazoncloudfront-vpcorigin) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** / **Condition keys:** [#amazoncloudfront-aws_RequestTag___TagKey_](#amazoncloudfront-aws_RequestTag___TagKey_)
[#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys) / **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_TestConnectionFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_TestConnectionFunction.html) **
- **Description:** Grants permission to test a connection function
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-connection-function](#amazoncloudfront-connection-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_TestFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_TestFunction.html) **
- **Description:** Grants permission to test a CloudFront function
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-function](#amazoncloudfront-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UntagResource.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UntagResource.html) **
- **Description:** Grants permission to remove tags from a CloudFront resource
- **Access level:** Tagging
- **Resource types (\*required):** [#amazoncloudfront-anycast-ip-list](#amazoncloudfront-anycast-ip-list) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-connection-function](#amazoncloudfront-connection-function) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-connection-group](#amazoncloudfront-connection-group) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-function](#amazoncloudfront-function) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-key-value-store](#amazoncloudfront-key-value-store) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-streaming-distribution](#amazoncloudfront-streaming-distribution) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-trust-store](#amazoncloudfront-trust-store) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-vpcorigin](#amazoncloudfront-vpcorigin) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** / **Condition keys:** [#amazoncloudfront-aws_TagKeys](#amazoncloudfront-aws_TagKeys) / **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateAnycastIpList.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateAnycastIpList.html) **
- **Description:** Grants permission to update an Anycast static IP list
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-anycast-ip-list](#amazoncloudfront-anycast-ip-list)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateCachePolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateCachePolicy.html) **
- **Description:** Grants permission to update a cache policy
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-cache-policy](#amazoncloudfront-cache-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateCloudFrontOriginAccessIdentity.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateCloudFrontOriginAccessIdentity.html) **
- **Description:** Grants permission to set the configuration for a CloudFront origin access identity
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-origin-access-identity](#amazoncloudfront-origin-access-identity)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateConnectionFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateConnectionFunction.html) **
- **Description:** Grants permission to update a connection function
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-connection-function](#amazoncloudfront-connection-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateConnectionGroup.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateConnectionGroup.html) **
- **Description:** Grants permission to update a connection group
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-connection-group](#amazoncloudfront-connection-group)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateContinuousDeploymentPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateContinuousDeploymentPolicy.html) **
- **Description:** Grants permission to update a continuous-deployment policy
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-continuous-deployment-policy](#amazoncloudfront-continuous-deployment-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html) **
- **Description:** Grants permission to update the configuration for a web distribution
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistributionTenant.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistributionTenant.html) **
- **Description:** Grants permission to update a distribution tenant
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistributionWithStagingConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistributionWithStagingConfig.html) **
- **Description:** Grants permission to copy the configuration from a staging web distribution to its corresponding primary web distribution
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDomainAssociation.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDomainAssociation.html) **
- **Description:** Grants permission to update a domain association
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-distribution](#amazoncloudfront-distribution) / **Condition keys:** / **Dependent actions:**
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant) / **Condition keys:** / **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateFieldLevelEncryptionConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateFieldLevelEncryptionConfig.html) **
- **Description:** Grants permission to update a field-level encryption configuration
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateFieldLevelEncryptionProfile.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateFieldLevelEncryptionProfile.html) **
- **Description:** Grants permission to update a field-level encryption profile
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-field-level-encryption-profile](#amazoncloudfront-field-level-encryption-profile)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateFunction.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateFunction.html) **
- **Description:** Grants permission to update a CloudFront function
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-function](#amazoncloudfront-function)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateKeyGroup.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateKeyGroup.html) **
- **Description:** Grants permission to update a key group
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateKeyValueStore.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateKeyValueStore.html) **
- **Description:** Grants permission to update a CloudFront KeyValueStore
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-key-value-store](#amazoncloudfront-key-value-store)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateOriginAccessControl.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateOriginAccessControl.html) **
- **Description:** Grants permission to update an origin access control
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-origin-access-control](#amazoncloudfront-origin-access-control)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateOriginRequestPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateOriginRequestPolicy.html) **
- **Description:** Grants permission to update an origin request policy
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-origin-request-policy](#amazoncloudfront-origin-request-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdatePublicKey.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdatePublicKey.html) **
- **Description:** Grants permission to update public key information
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateRealtimeLogConfig.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateRealtimeLogConfig.html) **
- **Description:** Grants permission to update a real-time log configuration
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-realtime-log-config](#amazoncloudfront-realtime-log-config)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateResponseHeadersPolicy.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateResponseHeadersPolicy.html) **
- **Description:** Grants permission to update a response headers policy
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-response-headers-policy](#amazoncloudfront-response-headers-policy)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html) [permission only]**
- **Description:** Grants permission to update a savings plan
- **Access level:** Write
- **Resource types (\*required):**
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateStreamingDistribution.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateStreamingDistribution.html) **
- **Description:** Grants permission to update the configuration for an RTMP distribution
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-streaming-distribution](#amazoncloudfront-streaming-distribution)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateTrustStore.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateTrustStore.html) **
- **Description:** Grants permission to update a trust store
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-trust-store](#amazoncloudfront-trust-store)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateVpcOrigin.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateVpcOrigin.html) **
- **Description:** Grants permission to update a VPC origin
- **Access level:** Write
- **Resource types (\*required):** [#amazoncloudfront-vpcorigin](#amazoncloudfront-vpcorigin)
- **Condition keys:**
- **Dependent actions:**
- ** [https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_VerifyDnsConfiguration.html](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_VerifyDnsConfiguration.html) **
- **Description:** Grants permission to verify the DNS configuration for a specified domain
- **Access level:** Read
- **Resource types (\*required):** [#amazoncloudfront-distribution-tenant](#amazoncloudfront-distribution-tenant)
- **Condition keys:**
- **Dependent actions:**
## Resource types defined by Amazon CloudFront
The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the [Actions table](#amazoncloudfront-actions-as-permissions) identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see [Resource types table](reference_policies_actions-resources-contextkeys.html#resources_table).
****
| Resource types | ARN | Condition keys |
| --- | --- | --- |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-working-with.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-working-with.html) | arn:${Partition}:cloudfront::${Account}:distribution/${DistributionId} | [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_) |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-working-with.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-working-with.html) | arn:${Partition}:cloudfront::${Account}:streaming-distribution/${DistributionId} | [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_) |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-restricting-access-to-s3-overview](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-restricting-access-to-s3-overview) | arn:${Partition}:cloudfront::${Account}:origin-access-identity/${Id} | |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html) | arn:${Partition}:cloudfront::${Account}:field-level-encryption-config/${Id} | |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html) | arn:${Partition}:cloudfront::${Account}:field-level-encryption-profile/${Id} | |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-key-create-cache-policy.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-key-create-cache-policy.html) | arn:${Partition}:cloudfront::${Account}:cache-policy/${Id} | |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html) | arn:${Partition}:cloudfront::${Account}:origin-request-policy/${Id} | |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html) | arn:${Partition}:cloudfront::${Account}:realtime-log-config/${Name} | |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-functions.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-functions.html) | arn:${Partition}:cloudfront::${Account}:function/${Name} | [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_) |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions.html) | arn:${Partition}:cloudfront::${Account}:key-value-store/${Name} | [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_) |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/modifying-response-headers.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/modifying-response-headers.html) | arn:${Partition}:cloudfront::${Account}:response-headers-policy/${Id} | |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-origin.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-origin.html) | arn:${Partition}:cloudfront::${Account}:origin-access-control/${Id} | |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/working-with-staging-distribution-continuous-deployment-policy.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/working-with-staging-distribution-continuous-deployment-policy.html) | arn:${Partition}:cloudfront::${Account}:continuous-deployment-policy/${Id} | |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/request-static-ips.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/request-static-ips.html) | arn:${Partition}:cloudfront::${Account}:anycast-ip-list/${Id} | [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_) |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html) | arn:${Partition}:cloudfront::${Account}:vpcorigin/${Id} | [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_) |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-creating-console.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-creating-console.html) | arn:${Partition}:cloudfront::${Account}:distribution-tenant/${Id} | [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_) |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-connection-group.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-connection-group.html) | arn:${Partition}:cloudfront::${Account}:connection-group/${Id} | [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_) |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/trust-stores-certificate-management.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/trust-stores-certificate-management.html) | arn:${Partition}:cloudfront::${Account}:trust-store/${Id} | [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_) |
| [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/connection-functions.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/connection-functions.html) | arn:${Partition}:cloudfront::${Account}:connection-function/${Id} | [#amazoncloudfront-aws_ResourceTag___TagKey_](#amazoncloudfront-aws_ResourceTag___TagKey_) |
## Condition keys for Amazon CloudFront
Amazon CloudFront defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see [Condition keys table](reference_policies_actions-resources-contextkeys.html#context_keys_table).
To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
****
| Condition keys | Description | Type |
| --- | --- | --- |
| [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) | Filters access by the presence of tag key-value pairs in the request | String |
| [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) | Filters access by tag key-value pairs attached to the resource | String |
| [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) | Filters access by the presence of tag keys in the request | ArrayOfString |