iam:ListRoles
Literal appearances in AWS managed IAM policies. Statements that use wildcards (for example s3:*) are not counted here. This is not an IAM authorization simulation.
Policies (any)
141
Allow (Action)
141
Deny (Action)
0
NotAction
2
Index generated 4/7/2026, 3:29:24 AM. 559 policies include at least one wildcard action string (any service).
Action reference
SAR-style (unofficial)Service: AWS Identity and Access Management (IAM)
Access level
ListDescription
Grants permission to list the IAM roles that have the specified path prefix
Allow (Action)
- AIDevOpsAgentAccessPolicy
- AIOpsAssistantPolicy
- AIOpsConsoleAdminPolicy
- AWSAuditManagerAdministratorAccess
- AWSAuditManagerServiceRolePolicy
- AWSBackupAdminPolicy
- AWSBackupFullAccess
- AWSBackupOperatorAccess
- AWSBackupOperatorPolicy
- AWSBatchFullAccess
- AWSBudgetsActionsWithAWSResourceControlAccess
- AWSCleanRoomsFullAccess
- AWSCleanRoomsFullAccessNoQuerying
- AWSCleanRoomsMLFullAccess
- AWSCloudTrailFullAccess
- AWSCloudTrail_FullAccess
- AWSCodePipelineReadOnlyAccess
- AWSCodePipeline_FullAccess
- AWSCodeStarServiceRole
- AWSConfigServiceRolePolicy
- AWSControlTowerServiceRolePolicy
- AWSDataPipeline_FullAccess
- AWSDataPipeline_PowerUser
- AWSDataSyncFullAccess
- AWSDataSyncReadOnlyAccess
- AWSDirectoryServiceFullAccess
- AWSElasticBeanstalkFullAccess
- AWSElasticBeanstalkReadOnly
- AWSElasticBeanstalkService
- AWSElasticDisasterRecoveryConsoleFullAccess
- AWSElasticDisasterRecoveryConsoleFullAccess_v2
- AWSElasticDisasterRecoveryReadOnlyAccess
- AWSEntityResolutionConsoleFullAccess
- AWSGlueConsoleFullAccess
- AWSGlueConsoleSageMakerNotebookFullAccess
- AWSGrafanaAccountAdministrator
- AWSImageBuilderFullAccess
- AWSIoTDeviceTesterForFreeRTOSFullAccess
- AWSKeyManagementServicePowerUser
- AWSLakeFormationDataAdmin
- AWSLambdaFullAccess
- AWSLambdaReadOnlyAccess
- AWSLambda_FullAccess
- AWSLambda_ReadOnlyAccess
- AWSMarketplaceFullAccess
- AWSMarketplaceRead-only
- AWSMigrationHubOrchestratorConsoleFullAccess
- AWSOpsWorksFullAccess
- AWSOpsWorksRole
- AWSOpsWorks_FullAccess
- AWSOrganizationsServiceTrustPolicy
- AWSPanoramaFullAccess
- AWSPartnerCentralFullAccess
- AWSQuickSetupCFGCPacksPermissionsBoundary
- AWSQuickSetupDevOpsGuruPermissionsBoundary
- AWSQuickSetupDistributorPermissionsBoundary
- AWSQuickSetupPatchPolicyPermissionsBoundary
- AWSQuickSetupSSMHostMgmtPermissionsBoundary
- AWSQuickSetupSchedulerPermissionsBoundary
- AWSRefactoringToolkitFullAccess
- AWSResourceExplorerServiceRolePolicy
- AWSSSOServiceRolePolicy
- AWSSecurityHubV2ServiceRolePolicy
- AWSServiceCatalogAdminFullAccess
- AWSServiceCatalogAdminReadOnlyAccess
- AWSStepFunctionsConsoleFullAccess
- AWSSystemsManagerEnableExplorerExecutionPolicy
- AWSTransferConsoleFullAccess
- AWS_ConfigRole
- AccessAnalyzerServiceRolePolicy
- AdministratorAccess-AWSElasticBeanstalk
- AmazonAppFlowFullAccess
- AmazonAppStreamFullAccess
- AmazonBedrockFullAccess
- AmazonBedrockLimitedAccess
- AmazonBraketFullAccess
- AmazonBraketJobsExecutionPolicy
- AmazonCloudWatchEvidentlyFullAccess
- AmazonCodeCatalystFullAccess
- AmazonCodeGuruProfilerFullAccess
- AmazonCodeGuruProfilerReadOnlyAccess
- AmazonCognitoPowerUser
- AmazonCognitoReadOnly
- AmazonDataZoneEnvironmentRolePermissionsBoundary
- AmazonDataZoneFullAccess
- AmazonDataZonePreviewConsoleFullAccess
- AmazonDataZoneProjectRolePermissionsBoundary
- AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
- AmazonDynamoDBFullAccess
- AmazonDynamoDBFullAccess_v2
- AmazonDynamoDBFullAccesswithDataPipeline
- AmazonDynamoDBReadOnlyAccess
- AmazonEC2ContainerServiceFullAccess
- AmazonECS_FullAccess
- AmazonEMRFullAccessPolicy_v2
- AmazonElasticMapReduceFullAccess
- AmazonElasticTranscoder_FullAccess
- AmazonElasticTranscoder_JobsSubmitter
- AmazonElasticTranscoder_ReadOnlyAccess
- AmazonFISServiceRolePolicy
- AmazonFraudDetectorFullAccessPolicy
- AmazonHealthLakeFullAccess
- AmazonKendraFullAccess
- AmazonKinesisAnalyticsFullAccess
- AmazonKinesisAnalyticsReadOnly
- AmazonLexFullAccess
- AmazonSageMakerCanvasDataPrepFullAccess
- AmazonSageMakerFullAccess
- AmazonSecurityLakeAdministrator
- AmazonTimestreamConsoleFullAccess
- AmazonWorkMailFullAccess
- AmazonWorkMailReadOnlyAccess
- AutoScalingConsoleFullAccess
- AwsGlueDataBrewFullAccessPolicy
- BedrockAgentCoreFullAccess
- CloudFrontFullAccess
- CloudWatchOpenSearchDashboardAccess
- CloudWatchOpenSearchDashboardsFullAccess
- CloudWatchSyntheticsFullAccess
- ComprehendFullAccess
- DataScientist
- DatabaseAdministrator
- IAMAccessAdvisorReadOnly
- NeptuneConsoleFullAccess
- NetworkAdministrator
- PartnerCentralAccountManagementUserRoleAssociation
- PowerUserAccess
- ROSASRESupportPolicy
- SageMakerStudioAdminIAMConsolePolicy
- SageMakerStudioAdminIAMDefaultExecutionPolicy
- SageMakerStudioAdminIAMPermissiveExecutionPolicy
- SageMakerStudioFullAccess
- SageMakerStudioProjectUserRolePermissionsBoundary
- SageMakerStudioProjectUserRolePolicy
- SageMakerStudioUserIAMConsolePolicy
- SageMakerStudioUserIAMDefaultExecutionPolicy
- SageMakerStudioUserIAMPermissiveExecutionPolicy
- ServerMigrationServiceConsoleFullAccess
- ServiceCatalogAdminReadOnlyAccess
- SystemAdministrator
- TranslateFullAccess
Deny (Action)
None
Thanks to Ian McKay for iam-dataset (MIT), structured data derived from the AWS Service Authorization Reference. Not maintained by AWS and not guaranteed current. IAMTrail's managed policy archive is separate.
Definitions bundle generated 4/7/2026, 3:29:24 AM