First, the namespace: despite the informal shorthand "anthropic actions," the IAM service prefix, SigV4 service name, and action namespace are all aws-external-anthropic. The service defines 65 actions in AWS's standard VerbNoun convention (CreateInference, ListModels, …) against a single resource type, the workspace. Its ARN format is:
arn:aws:aws-external-anthropic:{region}:{account-id}:workspace/{workspace-id}
The region is always populated and matches the workspace's bound region; the resource segment is the same tagged wrkspc_... ID your application sends in the anthropic-workspace-id header. In a deny-by-default account, that gives you a clean pattern: Allow the actions a role needs, on the ARN of exactly the workspace it serves.
Actions by resource family
| Family | Actions | Notes |
|---|---|---|
| Inference | CreateInference, CountTokens | POST /v1/messages and token counting |
| Batches | CreateBatchInference, GetBatchInference, ListBatchInferences, CancelBatchInference, DeleteBatchInference | GetBatchInference covers metadata and results download |
| Models | GetModel, ListModels | Read-only |
| Files | CreateFile, GetFile, ListFiles, DeleteFile | GetFile covers metadata and content download |
| Skills | CreateSkill, GetSkill, ListSkills, UpdateSkill, DeleteSkill | UpdateSkill includes version create and version delete |
| Agents | CreateAgent, GetAgent, ListAgents, UpdateAgent, ArchiveAgent | Archive only — no hard delete |
| Sessions | CreateSession, GetSession, ListSessions, UpdateSession, ArchiveSession, DeleteSession | GetSession includes full conversation history |
| Environments | CreateEnvironment, GetEnvironment, ListEnvironments, UpdateEnvironment, ArchiveEnvironment, DeleteEnvironment, ProcessEnvironmentWork | ProcessEnvironmentWork = self-hosted sandbox worker routes |
| Vaults | CreateVault, GetVault, ListVaults, UpdateVault, ArchiveVault, DeleteVault | Credential secret fields are write-only, never returned |
| Memory stores | CreateMemoryStore, GetMemoryStore, ListMemoryStores, UpdateMemoryStore, ArchiveMemoryStore, DeleteMemoryStore | GetMemoryStore includes memory contents |
| Webhooks | CreateWebhook, GetWebhook, ListWebhooks, UpdateWebhook, DeleteWebhook, RotateWebhookSecret | Signing secret is write-only; GetWebhook never returns it |
| User profiles | CreateUserProfile, GetUserProfile, ListUserProfiles, UpdateUserProfile | |
| Workspaces | CreateWorkspace, GetWorkspace, ListWorkspaces, UpdateWorkspace, ArchiveWorkspace | Archive only; create/list are account-scoped |
| Route-less | CallWithBearerToken, AssumeConsole | Authentication-layer actions, not tied to an API route |
Two actions deserve a closer look. CallWithBearerToken authorizes API-key (bearer) authentication instead of SigV4 — grant it alongside the route-mapped actions the key holder needs. AssumeConsole authorizes the "Open Claude Console" federation flow from the AWS Console; the Console role itself (Admin or Developer) is assigned separately by an Anthropic account representative. Neither binds to a workspace ARN, so grant both on Resource: "*". The same is true of CreateWorkspace and ListWorkspaces, which are account-scoped.
Wildcard traps in a deny-by-default account
Get* and List* produce a clean read-only boundary, and beta variants of a route (invoked with the anthropic-beta header) need no separate action. But several patterns over- or under-match:
Suffix wildcards over-match. *File matches CreateFile, GetFile, and DeleteFile — but not ListFiles — and it also matches CreateUserProfile, GetUserProfile, and UpdateUserProfile, because "Profile" ends in "file" and matching is case-insensitive. Enumerate Files actions explicitly.
Deny lists miss escape hatches. Denying Delete* does not stop skill-version deletion (that's UpdateSkill) and does not block ArchiveAgent. RotateWebhookSecret and ProcessEnvironmentWork are matched by none of the Create*/Update*/Delete*/Archive* wildcards.
Blocking inference takes two denies. CreateInference and CreateBatchInference are separate actions; to prevent all model calls, deny both.
Get*/List* grant includes file bytes, skill content, batch results, session conversation history, and memory contents — only vault secrets and webhook signing secrets are exempt (write-only by design). "Read-only" is not the same as "harmless" here.Finally, the route-to-action table in the official reference is exhaustive in both directions: routes not listed there are simply not available on Claude Platform on AWS — the gateway denies unlisted routes by default. For auditing, workspace, vault, and webhook actions surface as CloudTrail Management events (logged by default); inference, batch, file, skill, and the remaining Managed Agents actions are Data events that require explicitly enabling (paid) data-event logging.
Where to go next
Ready-made policy documents built from these actions are in Copy-Paste IAM Policies. For the auditing side, see CloudTrail logging, and for the signing layer these actions authorize, SigV4 under the hood.