Claude Platform on AWS in Practice

Claude Platform IAM Actions: The Full Reference

Claude Platform on AWS defines 65 IAM actions under one service prefix. Knowing how they group — and where the wildcard traps are — is what makes least-privilege policies practical.

Claude 3P 101 · Updated July 2026 · Unofficial guide

First, the namespace: despite the informal shorthand "anthropic actions," the IAM service prefix, SigV4 service name, and action namespace are all aws-external-anthropic. The service defines 65 actions in AWS's standard VerbNoun convention (CreateInference, ListModels, …) against a single resource type, the workspace. Its ARN format is:

arn:aws:aws-external-anthropic:{region}:{account-id}:workspace/{workspace-id}

The region is always populated and matches the workspace's bound region; the resource segment is the same tagged wrkspc_... ID your application sends in the anthropic-workspace-id header. In a deny-by-default account, that gives you a clean pattern: Allow the actions a role needs, on the ARN of exactly the workspace it serves.

Actions by resource family

FamilyActionsNotes
InferenceCreateInference, CountTokensPOST /v1/messages and token counting
BatchesCreateBatchInference, GetBatchInference, ListBatchInferences, CancelBatchInference, DeleteBatchInferenceGetBatchInference covers metadata and results download
ModelsGetModel, ListModelsRead-only
FilesCreateFile, GetFile, ListFiles, DeleteFileGetFile covers metadata and content download
SkillsCreateSkill, GetSkill, ListSkills, UpdateSkill, DeleteSkillUpdateSkill includes version create and version delete
AgentsCreateAgent, GetAgent, ListAgents, UpdateAgent, ArchiveAgentArchive only — no hard delete
SessionsCreateSession, GetSession, ListSessions, UpdateSession, ArchiveSession, DeleteSessionGetSession includes full conversation history
EnvironmentsCreateEnvironment, GetEnvironment, ListEnvironments, UpdateEnvironment, ArchiveEnvironment, DeleteEnvironment, ProcessEnvironmentWorkProcessEnvironmentWork = self-hosted sandbox worker routes
VaultsCreateVault, GetVault, ListVaults, UpdateVault, ArchiveVault, DeleteVaultCredential secret fields are write-only, never returned
Memory storesCreateMemoryStore, GetMemoryStore, ListMemoryStores, UpdateMemoryStore, ArchiveMemoryStore, DeleteMemoryStoreGetMemoryStore includes memory contents
WebhooksCreateWebhook, GetWebhook, ListWebhooks, UpdateWebhook, DeleteWebhook, RotateWebhookSecretSigning secret is write-only; GetWebhook never returns it
User profilesCreateUserProfile, GetUserProfile, ListUserProfiles, UpdateUserProfile
WorkspacesCreateWorkspace, GetWorkspace, ListWorkspaces, UpdateWorkspace, ArchiveWorkspaceArchive only; create/list are account-scoped
Route-lessCallWithBearerToken, AssumeConsoleAuthentication-layer actions, not tied to an API route

Two actions deserve a closer look. CallWithBearerToken authorizes API-key (bearer) authentication instead of SigV4 — grant it alongside the route-mapped actions the key holder needs. AssumeConsole authorizes the "Open Claude Console" federation flow from the AWS Console; the Console role itself (Admin or Developer) is assigned separately by an Anthropic account representative. Neither binds to a workspace ARN, so grant both on Resource: "*". The same is true of CreateWorkspace and ListWorkspaces, which are account-scoped.

Wildcard traps in a deny-by-default account

Get* and List* produce a clean read-only boundary, and beta variants of a route (invoked with the anthropic-beta header) need no separate action. But several patterns over- or under-match:

Suffix wildcards over-match. *File matches CreateFile, GetFile, and DeleteFile — but not ListFiles — and it also matches CreateUserProfile, GetUserProfile, and UpdateUserProfile, because "Profile" ends in "file" and matching is case-insensitive. Enumerate Files actions explicitly.

Deny lists miss escape hatches. Denying Delete* does not stop skill-version deletion (that's UpdateSkill) and does not block ArchiveAgent. RotateWebhookSecret and ProcessEnvironmentWork are matched by none of the Create*/Update*/Delete*/Archive* wildcards.

Blocking inference takes two denies. CreateInference and CreateBatchInference are separate actions; to prevent all model calls, deny both.

Read wildcards read everything: a Get*/List* grant includes file bytes, skill content, batch results, session conversation history, and memory contents — only vault secrets and webhook signing secrets are exempt (write-only by design). "Read-only" is not the same as "harmless" here.

Finally, the route-to-action table in the official reference is exhaustive in both directions: routes not listed there are simply not available on Claude Platform on AWS — the gateway denies unlisted routes by default. For auditing, workspace, vault, and webhook actions surface as CloudTrail Management events (logged by default); inference, batch, file, skill, and the remaining Managed Agents actions are Data events that require explicitly enabling (paid) data-event logging.

Where to go next

Ready-made policy documents built from these actions are in Copy-Paste IAM Policies. For the auditing side, see CloudTrail logging, and for the signing layer these actions authorize, SigV4 under the hood.

Sources