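Each task executed in an AWS Step Functions state machine has a different session principal
Same role, but AssumeRole is performed each time
Good evening, this is Chiba (Yuki).
Here is what I learned this time.
In an AWS Step Functions state machine workflow, the work to be performed can be defined as tasks. There are several types of tasks; this post assumes the type that calls the API of a supported AWS service.
The permissions needed to call an API as a task are basically obtained by assuming the IAM role assigned to the state machine. (A recent update made it possible to specify an IAM role per task, with cross-account use in mind. I will not consider that pattern here.)
When multiple tasks run in the course of a workflow, they do not share a common assumed-role session principal. In other words, AssumeRole is performed for each task. Even though the IAM role being assumed is the same, the session principals are distinct.
I don't think there are many cases where this matters, but it happened to get in the way of what I wanted to do, so I'm sharing it as a lesson learned.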
What I wanted to do
I wanted to call the following APIs in order.
- GenerateServiceLastAccessedDetails - AWS Identity and Access Management
- GetServiceLastAccessedDetails - AWS Identity and Access Management
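Put simply, these perform the management console's Access Advisor function through the API.
I often run them against the AWS managed policy AdministratorAccess to check which AWS services (by service namespace) are available at that point in time.
I normally run the AWS CLI by hand as shown below, but I wondered whether it could be run automatically on a schedule, so I looked into using Step Functions.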
% JOBID=$(aws iam generate-service-last-accessed-details --arn arn:aws:iam::aws:policy/AdministratorAccess --output text)
sleep 5
aws iam get-service-last-accessed-details --job-id $JOBID --max-items 1000\
 | jq -r '.ServicesLastAccessed[] | [.ServiceName,.ServiceNamespace] |@csv' | nl
1 "AWS App2Container","a2c"
2 "Alexa for Business","a4b"
3 "AWS IAM Access Analyzer","access-analyzer"
4 "AWS Account Management","account"
5 "AWS Certificate Manager","acm"
6 "AWS Private Certificate Authority","acm-pca"
7 "AWS Activate","activate"
8 "Amazon Managed Workflows for Apache Airflow","airflow"
9 "AWS Amplify","amplify"
...
Building and running a state machine
I created a state machine with a simple workflow like the following.
Here is the definition in detail.
{
  "Comment": "A description of my state machine",
  "StartAt": "GenerateServiceLastAccessedDetails",
  "States": {
    "GenerateServiceLastAccessedDetails": {
      "Type": "Task",
      "Parameters": {
        "Arn": "arn:aws:iam::aws:policy/AdministratorAccess"
      },
      "Resource": "arn:aws:states:::aws-sdk:iam:generateServiceLastAccessedDetails",
      "Next": "GetServiceLastAccessedDetails"
    },
    "GetServiceLastAccessedDetails": {
      "Type": "Task",
      "End": true,
      "Parameters": {
        "JobId.$": "$.JobId"
      },
      "Resource": "arn:aws:states:::aws-sdk:iam:getServiceLastAccessedDetails"
    }
  }
}
The first task generates a job ID, and the second task runs with it as an argument.
When I ran it, the second task failed with an error.
The result of the first task is shown below. The job ID was generated correctly as output.
{
  "resourceType": "aws-sdk:iam",
  "resource": "generateServiceLastAccessedDetails",
  "output": "{\"JobId\":\"d6c259b1-f4b8-d375-b411-88da4d27e630\"}",
  "outputDetails": {
    "truncated": false
  }
}
The result of the second task is shown below. It reports "Job d6c259b1-f4b8-d375-b411-88da4d27e630 does not exist."
{
  "resourceType": "aws-sdk:iam",
  "resource": "getServiceLastAccessedDetails",
  "error": "Iam.NoSuchEntityException",
  "cause": "Job d6c259b1-f4b8-d375-b411-88da4d27e630 does not exist. (Service: Iam, Status Code: 404, Request ID: ce5ffd9d-23a5-486a-ab4b-ca3fd897f3d7)"
}
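Why would it not exist when the first task generated it successfully? That was my reaction.
Checking the error in detail
After some trial and error, I found that this is due to the specification of GetServiceLastAccessedDetails.
The API reference contains the following statement.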
The JobId returned by GenerateServiceLastAccessedDetail must be used by the same role within a session, or by the same user when used to call GetServiceLastAccessedDetail.
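The job ID passed as an argument must have been generated by the IAM entity that calls GetServiceLastAccessedDetail. Even when the same IAM role is assumed, a different session is treated as a different entity.
Looking at the CloudTrail events for the API call made by each task shows the following.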
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAQ3BIIH73V5QJW4FG3:rfjBySWofEImHOTYHKAKuyveFgkeXIWC",
    "arn": "arn:aws:sts::012345678910:assumed-role/StepFunctions-IAMcheck-role-e4fbfe1e/rfjBySWofEImHOTYHKAKuyveFgkeXIWC",
    "accountId": "012345678910",
    "accessKeyId": "ASIAQ3BIIH73WAJCN4YZ",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAQ3BIIH73V5QJW4FG3",
        "arn": "arn:aws:iam::012345678910:role/service-role/StepFunctions-IAMcheck-role-e4fbfe1e",
        "accountId": "012345678910",
        "userName": "StepFunctions-IAMcheck-role-e4fbfe1e"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-11-27T11:12:44Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "states.amazonaws.com"
  },
  "eventTime": "2022-11-27T11:12:45Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "GenerateServiceLastAccessedDetails",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "states.amazonaws.com",
  "userAgent": "states.amazonaws.com",
  "requestParameters": {
    "arn": "arn:aws:iam::aws:policy/AdministratorAccess"
  },
  "responseElements": null,
  "requestID": "94a76d17-35ab-4815-9c58-155ac54d66fc",
  "eventID": "b5beade9-55a8-4996-8c2a-6eb12d9349b3",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "012345678910",
  "eventCategory": "Management"
}

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAQ3BIIH73V5QJW4FG3:JNvDqqIjhRImKYoMpXLWYYRflOhbIHDW",
    "arn": "arn:aws:sts::012345678910:assumed-role/StepFunctions-IAMcheck-role-e4fbfe1e/JNvDqqIjhRImKYoMpXLWYYRflOhbIHDW",
    "accountId": "012345678910",
    "accessKeyId": "ASIAQ3BIIH73V33IPDGL",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAQ3BIIH73V5QJW4FG3",
        "arn": "arn:aws:iam::012345678910:role/service-role/StepFunctions-IAMcheck-role-e4fbfe1e",
        "accountId": "012345678910",
        "userName": "StepFunctions-IAMcheck-role-e4fbfe1e"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-11-27T11:12:45Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "states.amazonaws.com"
  },
  "eventTime": "2022-11-27T11:12:46Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "GetServiceLastAccessedDetails",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "states.amazonaws.com",
  "userAgent": "states.amazonaws.com",
  "errorCode": "NoSuchEntityException",
  "errorMessage": "Job e4c25c65-104a-3c0e-95ad-d1f587c439b0 does not exist.",
  "requestParameters": {
    "jobId": "e4c25c65-104a-3c0e-95ad-d1f587c439b0"
  },
  "responseElements": null,
  "requestID": "3c0f194b-5f18-4e22-80c4-da6fa5f30b69",
  "eventID": "288e13de-ef09-4d66-9ee3-f15bdf6b609a",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "012345678910",
  "eventCategory": "Management"
}
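In both, the assumed IAM role is StepFunctions-IAMcheck-role-e4fbfe1e, the one assigned to the state machine, but the session names differ, which shows that they are different session principals.
From the viewpoint of the second task's session principal, no job ID that it can resolve exists. It would have been nice to have a way to run the tasks in the same session, but I couldn't think of one, so I gave up. I'd like to look into approaches other than Step Functions.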
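The comparison made above between the two CloudTrail events can be automated: for every GetServiceLastAccessedDetails call that failed with NoSuchEntityException, list the session names that called GenerateServiceLastAccessedDetails under the same role shortly before. The following Python is an added example, not code from the original post; the helper names, the trimmed sample events and the 5-minute correlation window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

ROLE = "arn:aws:iam::012345678910:role/service-role/StepFunctions-IAMcheck-role-e4fbfe1e"

def make_event(name, session, time, error=None, job_id=None):
    """Build a CloudTrail record reduced to the fields this check reads."""
    event = {
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": f"AROAQ3BIIH73V5QJW4FG3:{session}",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE}},
        },
        "eventTime": time,
        "eventName": name,
        "requestParameters": {"jobId": job_id} if job_id else None,
    }
    if error:
        event["errorCode"] = error
    return event

# Constructed sample: the two events shown on this page, trimmed.
SAMPLE_EVENTS = [
    make_event("GenerateServiceLastAccessedDetails",
               "rfjBySWofEImHOTYHKAKuyveFgkeXIWC", "2022-11-27T11:12:45Z"),
    make_event("GetServiceLastAccessedDetails",
               "JNvDqqIjhRImKYoMpXLWYYRflOhbIHDW", "2022-11-27T11:12:46Z",
               error="NoSuchEntityException",
               job_id="e4c25c65-104a-3c0e-95ad-d1f587c439b0"),
]

def session_principal(event):
    """Return (role ARN, session name) for an AssumedRole caller, else None."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    role_arn = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    # principalId has the form "<role unique ID>:<session name>".
    session_name = identity.get("principalId", "").partition(":")[2]
    return role_arn, session_name

def event_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def explain_failed_gets(events, window=timedelta(minutes=5)):
    """Pair each failed Get call with earlier Generate calls made under the same role."""
    generates = [(e, session_principal(e)) for e in events
                 if e.get("eventName") == "GenerateServiceLastAccessedDetails"]
    findings = []
    for get in events:
        caller = session_principal(get)
        if (get.get("eventName") != "GetServiceLastAccessedDetails"
                or get.get("errorCode") != "NoSuchEntityException" or caller is None):
            continue
        role_arn, get_session = caller
        # The Generate event on this page carries no JobId (responseElements is
        # null), so the calls are matched on role and time (window is assumed).
        sessions = sorted({p[1] for e, p in generates
                           if p and p[0] == role_arn
                           and timedelta(0) <= event_time(get) - event_time(e) <= window})
        findings.append({
            "job_id": (get.get("requestParameters") or {}).get("jobId"),
            "role_arn": role_arn,
            "get_session": get_session,
            "generate_sessions": sessions,
            "session_mismatch": bool(sessions) and get_session not in sessions,
        })
    return findings

if __name__ == "__main__":
    for finding in explain_failed_gets(SAMPLE_EVENTS):
        print(finding)
```

A finding with `session_mismatch` set to true means the job was created under the same role but by a different session, which is the situation described in this post.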
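Closing
This was a post about how the tasks in an AWS Step Functions state machine each run as a separate assumed-role session principal.
I have rarely heard of APIs that require the same session across calls, so this is probably something you seldom need to be aware of. Still, remembering that tasks behave this way, and that such APIs exist, may come in handy somewhere.
That's all from Chiba Yuki (@batchicchi).
Bonus
Unfortunately I didn't get as far as implementing automatic scheduled execution, but here are the results of running it manually with the AWS CLI. I'm looking forward to seeing how much the list grows during re:Invent.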
% JOBID=$(aws iam generate-service-last-accessed-details --arn arn:aws:iam::aws:policy/AdministratorAccess --output text)
sleep 5
aws iam get-service-last-accessed-details --job-id $JOBID --max-items 1000\
 | jq -r '.ServicesLastAccessed[] | [.ServiceName,.ServiceNamespace] |@csv' | nl
1 "AWS App2Container","a2c"
2 "Alexa for Business","a4b"
3 "AWS IAM Access Analyzer","access-analyzer"
4 "AWS Account Management","account"
5 "AWS Certificate Manager","acm"
6 "AWS Private Certificate Authority","acm-pca"
7 "AWS Activate","activate"
8 "Amazon Managed Workflows for Apache Airflow","airflow"
9 "AWS Amplify","amplify"
10 "AWS Amplify Admin","amplifybackend"
11 "AWS Amplify UI Builder","amplifyuibuilder"
12 "Manage - Amazon API Gateway","apigateway"
13 "Amazon AppIntegrations","app-integrations"
14 "AWS AppConfig","appconfig"
15 "Amazon AppFlow","appflow"
16 "AWS Application Auto Scaling","application-autoscaling"
17 "AWS Application Cost Profiler Service","application-cost-profiler"
18 "Amazon CloudWatch Application Insights","applicationinsights"
19 "AWS App Mesh","appmesh"
20 "AWS App Mesh Preview","appmesh-preview"
21 "AWS App Runner","apprunner"
22 "Amazon AppStream 2.0","appstream"
23 "AWS AppSync","appsync"
24 "Amazon Managed Service for Prometheus","aps"
25 "Application Discovery Arsenal","arsenal"
26 "AWS Artifact","artifact"
27 "Amazon Athena","athena"
28 "AWS Audit Manager","auditmanager"
29 "Amazon EC2 Auto Scaling","autoscaling"
30 "AWS Auto Scaling","autoscaling-plans"
31 "AWS Marketplace","aws-marketplace"
32 "AWS Marketplace Management Portal","aws-marketplace-management"
33 "AWS Billing Console","aws-portal"
34 "AWS Connector Service","awsconnector"
35 "AWS Backup","backup"
36 "AWS Backup Gateway","backup-gateway"
37 "AWS Backup storage","backup-storage"
38 "AWS Batch","batch"
39 "AWS Billing ","billing"
40 "AWS Billing Conductor","billingconductor"
41 "Amazon Braket","braket"
42 "AWS Budget Service","budgets"
43 "AWS BugBust","bugbust"
44 "Amazon Connect Cases","cases"
45 "Amazon Keyspaces (for Apache Cassandra)","cassandra"
46 "AWS Cost Explorer Service","ce"
47 "AWS Chatbot","chatbot"
48 "Amazon Chime","chime"
49 "AWS Cloud9","cloud9"
50 "Amazon Cloud Directory","clouddirectory"
51 "AWS CloudFormation","cloudformation"
52 "Amazon CloudFront","cloudfront"
53 "AWS CloudHSM","cloudhsm"
54 "Amazon CloudSearch","cloudsearch"
55 "AWS CloudShell","cloudshell"
56 "AWS CloudTrail","cloudtrail"
57 "Amazon CloudWatch","cloudwatch"
58 "AWS CodeArtifact","codeartifact"
59 "AWS CodeBuild","codebuild"
60 "AWS CodeCommit","codecommit"
61 "AWS CodeDeploy","codedeploy"
62 "AWS CodeDeploy secure host commands service","codedeploy-commands-secure"
63 "Amazon CodeGuru","codeguru"
64 "Amazon CodeGuru Profiler","codeguru-profiler"
65 "Amazon CodeGuru Reviewer","codeguru-reviewer"
66 "AWS CodePipeline","codepipeline"
67 "AWS CodeStar","codestar"
68 "AWS CodeStar Connections","codestar-connections"
69 "AWS CodeStar Notifications","codestar-notifications"
70 "Amazon Cognito Identity","cognito-identity"
71 "Amazon Cognito User Pools","cognito-idp"
72 "Amazon Cognito Sync","cognito-sync"
73 "Amazon Comprehend","comprehend"
74 "Amazon Comprehend Medical","comprehendmedical"
75 "AWS Compute Optimizer","compute-optimizer"
76 "AWS Config","config"
77 "Amazon Connect","connect"
78 "High-volume outbound communications","connect-campaigns"
79 "AWS Control Tower","controltower"
80 "AWS Cost and Usage Report","cur"
81 "AWS Glue DataBrew","databrew"
82 "AWS Data Exchange","dataexchange"
83 "AWS Data Pipeline","datapipeline"
84 "AWS DataSync","datasync"
85 "Amazon DynamoDB Accelerator (DAX)","dax"
86 "Database Query Metadata Service","dbqms"
87 "AWS DeepComposer","deepcomposer"
88 "AWS DeepLens","deeplens"
89 "AWS DeepRacer","deepracer"
90 "Amazon Detective","detective"
91 "AWS Device Farm","devicefarm"
92 "Amazon DevOps Guru","devops-guru"
93 "AWS Direct Connect","directconnect"
94 "AWS Application Discovery Service","discovery"
95 "Amazon Data Lifecycle Manager","dlm"
96 "AWS Database Migration Service","dms"
97 "AWS Elastic Disaster Recovery","drs"
98 "AWS Directory Service","ds"
99 "Amazon DynamoDB","dynamodb"
100 "Amazon Elastic Block Store","ebs"
101 "Amazon EC2","ec2"
102 "Amazon EC2 Instance Connect","ec2-instance-connect"
103 "Amazon Message Delivery Service","ec2messages"
104 "Amazon Elastic Container Registry","ecr"
105 "Amazon Elastic Container Registry Public","ecr-public"
106 "Amazon Elastic Container Service","ecs"
107 "Amazon Elastic Kubernetes Service","eks"
108 "Amazon Elastic Inference","elastic-inference"
109 "Amazon ElastiCache","elasticache"
110 "AWS Elastic Beanstalk","elasticbeanstalk"
111 "Amazon Elastic File System","elasticfilesystem"
112 "Elastic Load Balancing","elasticloadbalancing"
113 "Amazon Elastic MapReduce","elasticmapreduce"
114 "Amazon Elastic Transcoder","elastictranscoder"
115 "AWS Elemental Appliances and Software Activation Service","elemental-activations"
116 "AWS Elemental Appliances and Software","elemental-appliances-software"
117 "AWS Elemental Support Cases","elemental-support-cases"
118 "AWS Elemental Support Content","elemental-support-content"
119 "Amazon EMR on EKS (EMR Containers)","emr-containers"
120 "Amazon EMR Serverless","emr-serverless"
121 "Amazon OpenSearch Service","es"
122 "Amazon EventBridge","events"
123 "Amazon CloudWatch Evidently","evidently"
124 "Amazon API Gateway","execute-api"
125 "Amazon FinSpace","finspace"
126 "Amazon Kinesis Firehose","firehose"
127 "AWS Fault Injection Simulator","fis"
128 "AWS Firewall Manager","fms"
129 "Amazon Forecast","forecast"
130 "Amazon Fraud Detector","frauddetector"
131 "Amazon FreeRTOS","freertos"
132 "Amazon FSx","fsx"
133 "Amazon GameLift","gamelift"
134 "Amazon GameSparks","gamesparks"
135 "Amazon Location","geo"
136 "Amazon S3 Glacier","glacier"
137 "AWS Global Accelerator","globalaccelerator"
138 "AWS Glue","glue"
139 "Amazon Managed Grafana","grafana"
140 "AWS IoT Greengrass","greengrass"
141 "AWS Ground Station","groundstation"
142 "Amazon GroundTruth Labeling","groundtruthlabeling"
143 "Amazon GuardDuty","guardduty"
144 "AWS Health APIs and Notifications","health"
145 "Amazon HealthLake","healthlake"
146 "Amazon Honeycode","honeycode"
147 "AWS Identity and Access Management","iam"
148 "AWS Identity Sync","identity-sync"
149 "AWS Identity Store","identitystore"
150 "AWS Identity Store Auth","identitystore-auth"
151 "Amazon EC2 Image Builder","imagebuilder"
152 "AWS Import Export","importexport"
153 "Amazon Inspector","inspector"
154 "Amazon Inspector2","inspector2"
155 "AWS IoT","iot"
156 "AWS IoT Device Tester","iot-device-tester"
157 "AWS IoT 1-Click","iot1click"
158 "AWS IoT Analytics","iotanalytics"
159 "AWS IoT Core Device Advisor","iotdeviceadvisor"
160 "AWS IoT Events","iotevents"
161 "AWS IoT Fleet Hub for Device Management","iotfleethub"
162 "AWS IoT FleetWise","iotfleetwise"
163 "AWS IoT Jobs DataPlane","iotjobsdata"
164 "AWS IoT RoboRunner","iotroborunner"
165 "AWS IoT SiteWise","iotsitewise"
166 "AWS IoT TwinMaker","iottwinmaker"
167 "AWS IoT Core for LoRaWAN","iotwireless"
168 "AWS IQ","iq"
169 "AWS IQ Permissions","iq-permission"
170 "Amazon Interactive Video Service","ivs"
171 "Amazon Interactive Video Service Chat","ivschat"
172 "Amazon Managed Streaming for Apache Kafka","kafka"
173 "Apache Kafka APIs for Amazon MSK clusters","kafka-cluster"
174 "Amazon Managed Streaming for Kafka Connect","kafkaconnect"
175 "Amazon Kendra","kendra"
176 "Amazon Kinesis","kinesis"
177 "Amazon Kinesis Analytics","kinesisanalytics"
178 "Amazon Kinesis Video Streams","kinesisvideo"
179 "AWS Key Management Service","kms"
180 "AWS Lake Formation","lakeformation"
181 "AWS Lambda","lambda"
182 "Launch Wizard","launchwizard"
183 "Amazon Lex","lex"
184 "AWS License Manager","license-manager"
185 "AWS License Manager User Subscriptions","license-manager-user-subscriptions"
186 "Amazon Lightsail","lightsail"
187 "Amazon CloudWatch Logs","logs"
188 "Amazon Lookout for Equipment","lookoutequipment"
189 "Amazon Lookout for Metrics","lookoutmetrics"
190 "Amazon Lookout for Vision","lookoutvision"
191 "AWS Mainframe Modernization Service","m2"
192 "Amazon Machine Learning","machinelearning"
193 "Amazon Macie","macie2"
194 "Amazon Managed Blockchain","managedblockchain"
195 "AWS Marketplace Commerce Analytics Service","marketplacecommerceanalytics"
196 "Amazon Mechanical Turk","mechanicalturk"
197 "AWS Elemental MediaConnect","mediaconnect"
198 "AWS Elemental MediaConvert","mediaconvert"
199 "AmazonMediaImport","mediaimport"
200 "AWS Elemental MediaLive","medialive"
201 "AWS Elemental MediaPackage","mediapackage"
202 "AWS Elemental MediaPackage VOD","mediapackage-vod"
203 "AWS Elemental MediaStore","mediastore"
204 "AWS Elemental MediaTailor","mediatailor"
205 "Amazon MemoryDB","memorydb"
206 "AWS Migration Hub","mgh"
207 "AWS Application Migration Service","mgn"
208 "AWS Migration Hub Orchestrator","migrationhub-orchestrator"
209 "AWS Migration Hub Strategy Recommendations","migrationhub-strategy"
210 "Amazon Mobile Analytics","mobileanalytics"
211 "AWS Mobile Hub","mobilehub"
212 "Amazon Pinpoint","mobiletargeting"
213 "Amazon Monitron","monitron"
214 "Amazon MQ","mq"
215 "Amazon Neptune","neptune-db"
216 "AWS Network Firewall","network-firewall"
217 "AWS Network Manager","networkmanager"
218 "Amazon Nimble Studio","nimble"
219 "Amazon CloudWatch Observability Access Manager","oam"
220 "AWS OpsWorks","opsworks"
221 "AWS OpsWorks Configuration Management","opsworks-cm"
222 "AWS Organizations","organizations"
223 "AWS Outposts","outposts"
224 "AWS Panorama","panorama"
225 "Amazon Personalize","personalize"
226 "AWS Performance Insights","pi"
227 "Amazon Polly","polly"
228 "AWS Price List","pricing"
229 "AWS service providing managed private networks","private-networks"
230 "Amazon Connect Customer Profiles","profile"
231 "AWS Proton","proton"
232 "AWS Purchase Orders Console","purchase-orders"
233 "Amazon QLDB","qldb"
234 "Amazon QuickSight","quicksight"
235 "AWS Resource Access Manager","ram"
236 "AWS Recycle Bin","rbin"
237 "Amazon RDS","rds"
238 "Amazon RDS Data API","rds-data"
239 "Amazon RDS IAM Authentication","rds-db"
240 "Amazon Redshift","redshift"
241 "Amazon Redshift Data API","redshift-data"
242 "Amazon Redshift Serverless","redshift-serverless"
243 "AWS Migration Hub Refactor Spaces","refactor-spaces"
244 "Amazon Rekognition","rekognition"
245 "AWS Resilience Hub Service","resiliencehub"
246 "AWS Tag Editor","resource-explorer"
247 "AWS Resource Explorer","resource-explorer-2"
248 "AWS Resource Groups","resource-groups"
249 "Amazon RHEL Knowledgebase Portal","rhelkb"
250 "AWS RoboMaker","robomaker"
251 "AWS Identity and Access Management Roles Anywhere","rolesanywhere"
252 "Amazon Route 53","route53"
253 "Amazon Route 53 Recovery Cluster","route53-recovery-cluster"
254 "Amazon Route 53 Recovery Controls","route53-recovery-control-config"
255 "Amazon Route 53 Recovery Readiness","route53-recovery-readiness"
256 "Amazon Route 53 Domains","route53domains"
257 "Amazon Route 53 Resolver","route53resolver"
258 "AWS CloudWatch RUM","rum"
259 "Amazon S3","s3"
260 "Amazon S3 Object Lambda","s3-object-lambda"
261 "Amazon S3 on Outposts","s3-outposts"
262 "Amazon SageMaker","sagemaker"
263 "Amazon SageMaker Ground Truth Synthetic","sagemaker-groundtruth-synthetic"
264 "AWS Savings Plans","savingsplans"
265 "Amazon EventBridge Scheduler","scheduler"
266 "Amazon EventBridge Schemas","schemas"
267 "Amazon SimpleDB","sdb"
268 "AWS Secrets Manager","secretsmanager"
269 "AWS Security Hub","securityhub"
270 "AWS Serverless Application Repository","serverlessrepo"
271 "AWS Service Catalog","servicecatalog"
272 "AWS Cloud Map","servicediscovery"
273 "AWS Microservice Extractor for .NET","serviceextract"
274 "Service Quotas","servicequotas"
275 "Amazon SES","ses"
276 "AWS Shield","shield"
277 "AWS Signer","signer"
278 "AWS Server Migration Service","sms"
279 "Amazon Pinpoint SMS Voice V2","sms-voice"
280 "AWS Snow Device Management","snow-device-management"
281 "AWS Snowball","snowball"
282 "Amazon SNS","sns"
283 "AWS SQL Workbench","sqlworkbench"
284 "Amazon SQS","sqs"
285 "AWS Systems Manager","ssm"
286 "AWS Systems Manager Incident Manager Contacts","ssm-contacts"
287 "AWS Systems Manager GUI Connect","ssm-guiconnect"
288 "AWS Systems Manager Incident Manager","ssm-incidents"
289 "AWS Systems Manager for SAP","ssm-sap"
290 "Amazon Session Manager Message Gateway Service","ssmmessages"
291 "AWS IAM Identity Center (successor to AWS Single Sign-On)","sso"
292 "AWS IAM Identity Center (successor to AWS Single Sign-On) directory","sso-directory"
293 "AWS Step Functions","states"
294 "AWS Storage Gateway","storagegateway"
295 "AWS Security Token Service","sts"
296 "Amazon Sumerian","sumerian"
297 "AWS Support","support"
298 "AWS Support App in Slack","supportapp"
299 "AWS Support Plans","supportplans"
300 "AWS Sustainability","sustainability"
301 "Amazon Simple Workflow Service","swf"
302 "Amazon CloudWatch Synthetics","synthetics"
303 "Amazon Resource Group Tagging API","tag"
304 "AWS Tax Settings","tax"
305 "Amazon Textract","textract"
306 "Amazon Timestream","timestream"
307 "AWS Tiros","tiros"
308 "Amazon Transcribe","transcribe"
309 "AWS Transfer Family","transfer"
310 "Amazon Translate","translate"
311 "AWS Trusted Advisor","trustedadvisor"
312 "AWS Marketplace Vendor Insights","vendor-insights"
313 "Amazon Connect Voice ID","voiceid"
314 "AWS WAF","waf"
315 "AWS WAF Regional","waf-regional"
316 "AWS WAF V2","wafv2"
317 "Amazon WorkSpaces Application Manager","wam"
318 "AWS Well-Architected Tool","wellarchitected"
319 "Amazon Connect Wisdom","wisdom"
320 "Amazon WorkDocs","workdocs"
321 "Amazon WorkLink","worklink"
322 "Amazon WorkMail","workmail"
323 "Amazon WorkMail Message Flow","workmailmessageflow"
324 "Amazon WorkSpaces","workspaces"
325 "Amazon WorkSpaces Web","workspaces-web"
326 "AWS X-Ray","xray"