Validated IAM Service Principal List for AWS China Regions.

Service Name	Description	IAM Service Principal
API Gateway	Allows API Gateway to push logs to CloudWatch Logs.	apigateway.amazonaws.com
EC2	Allows EC2 instances to call AWS services on your behalf.	ec2.amazonaws.com.cn
EC2 Role for AWS Systems Manager	Allows EC2 instances to call AWS services like CloudWatch and Systems Manager on your behalf.	ec2.amazonaws.com.cn
Lambda	Allows Lambda functions to call AWS services on your behalf.	lambda.amazonaws.com
AWS Greengrass Role	Allows AWS Greengrass to call AWS Services on your behalf.	greengrass.amazonaws.com
EC2 - Fleet	Allows EC2 Fleet to launch and manage EC2 instances on your behalf.	ec2fleet.amazonaws.com
MediaConvert	Allows MediaConvert service to call S3 APIs and API Gateway on your behalf.	mediaconvert.amazonaws.com
AWS Support	Allows AWS Support to access AWS resources to provide billing, administrative, and support services.	support.amazonaws.com
EC2 Auto Scaling	Allows EC2 Auto Scaling to use or manage AWS services and resources on your behalf.	autoscaling.amazonaws.com
EC2 Auto Scaling Notification Access	Allows EC2 Auto Scaling to publish to SNS and SQS notification targets in your account.	autoscaling.amazonaws.com.cn autoscaling.amazonaws.com
RDS - Add Role to Database	Allows you to grant RDS access to additional resources on your behalf.	rds.amazonaws.com
RDS - Directory Service	Allows RDS to manage Directory Service resources on your behalf.	rds.amazonaws.com directoryservice.rds.amazonaws.com
RDS - Operations	Allows RDS to perform operations using AWS resources on your behalf.	rds.amazonaws.com
RDS Role for Enhanced Monitoring	Allows RDS to manage CloudWatch Logs resources for Enhanced Monitoring on your behalf.	monitoring.rds.amazonaws.com
Application Auto Scaling - AppStream	Allows Application Auto Scaling to call AppStream and CloudWatch on your behalf.	appstream.application-autoscaling.amazonaws.com
Application Auto Scaling - Custom Resource	Allows Application Auto Scaling to call API Gateway and CloudWatch to manage scaling of a custom resource on your behalf.	custom-resource.application-autoscaling.amazonaws.com
Application Auto Scaling - DynamoDB	Allows Application Auto Scaling to call DynamoDB and CloudWatch on your behalf.	dynamodb.application-autoscaling.amazonaws.com
Application Auto Scaling - EC2 Spot Fleet	Allows Application Auto Scaling to call EC2 Spot Fleet and CloudWatch on your behalf.	ec2.application-autoscaling.amazonaws.com
Application Auto Scaling - ECS	Allows Application Auto Scaling to call ECS and CloudWatch on your behalf.	ecs.application-autoscaling.amazonaws.com
EMR	Allows Elastic MapReduce to call AWS services such as EC2 on your behalf.	elasticmapreduce.amazonaws.com.cn
EMR - Cleanup	Allows EMR to terminate instances and delete resources from EC2 on your behalf.	elasticmapreduce.amazonaws.com.cn
EMR Role for EC2	Allows EC2 instances in an Elastic MapReduce cluster to call AWS services such as S3 on your behalf.	ec2.amazonaws.com.cn
Redshift	Allows Redshift clusters to call AWS services on your behalf.	redshift.amazonaws.com
Redshift - Scheduler	Allow Redshift Scheduler to call Redshift on your behalf.	scheduler.redshift.amazonaws.com
CloudFormation	Allows CloudFormation to create and manage AWS stacks and resources on your behalf.	cloudformation.amazonaws.com
ElastiCache	Allows ElastiCache to manage AWS resources for your cache on your behalf.	elasticache.amazonaws.com
S3	Allows S3 to call AWS services on your behalf.	s3.amazonaws.com
S3 Batch Operations	Allows S3 Batch Operations to call AWS services on your behalf.	batchoperations.s3.amazonaws.com
CloudWatch - EC2 Actions	Allows CloudWatch to manage EC2 instances on your behalf.	events.amazonaws.com
Elastic Beanstalk	Allows Elastic Beanstalk to create and manage AWS resources on your behalf.	elasticbeanstalk.amazonaws.com
SMS	Allows Server Migration Service to create and manage AWS resources on your behalf.	sms.amazonaws.com
CodeBuild	Allows CodeBuild to call AWS services on your behalf.	codebuild.amazonaws.com
EC2 Role for Elastic Container Service	Allows EC2 instances in an ECS cluster to access ECS.	ec2.amazonaws.com.cn
Elastic Container Service	Allows ECS to create and manage AWS resources on your behalf.	ecs.amazonaws.com
Elastic Container Service Autoscale	Allows Auto Scaling to access and update ECS services.	application-autoscaling.amazonaws.com.cn
Elastic Container Service Task	Allows ECS tasks to call AWS services on your behalf.	ecs-tasks.amazonaws.com
SWF	Allows SWF workflows to invoke Lambda functions on your behalf.	swf.amazonaws.com
CodeDeploy	Allows CodeDeploy to call AWS services such as Auto Scaling on your behalf.	codedeploy.amazonaws.com
CodeDeployRoleForECS	Allows CodeDeploy service wide access to perform an ECS blue or green deployment on your behalf.	codedeploy.amazonaws.com
CodeDeployRoleForLambda	Provides CodeDeploy service access to perform a Lambda deployment on your behalf.	codedeploy.amazonaws.com
Elastic Load Balancing	Allows ELB to call AWS services on your behalf.	elasticloadbalancing.amazonaws.com
Step Functions	Allows Step Functions to access AWS resources on your behalf.	states.amazonaws.com
Config	Allows Config to call AWS services and collect resource configurations on your behalf.	config.amazonaws.com
Config - Customizable	Allows Config to call AWS services and collect resource configurations on your behalf.	config.amazonaws.com.cn
IoT	Allows IoT to call AWS services on your behalf.	iot.amazonaws.com
Storage Gateway	Allows Storage Gateway to call AWS services on your behalf.	storagegateway.amazonaws.com
DMS	Allows Database Migration Service to call AWS services on your behalf.	dms.amazonaws.com
Kinesis Firehose	Allows Kinesis Firehose to transform and deliver data to your destinations using CloudWatch Logs, Lambda, and S3 on your behalf.	firehose.amazonaws.com
Trusted Advisor	Allows Trusted Advisor to access AWS services on your behalf.	trustedadvisor.amazonaws.com