Menu
Amazon Elastic Container Service
Developer Guide (API Version 2014-11-13)

Amazon ECS IAM Policy Examples

The following examples show policy statements that you could use to control the permissions that IAM users have to Amazon ECS.

Amazon ECS First Run Wizard

The Amazon ECS first run wizard simplifies the process of creating a cluster and running your tasks and services. However, users require permissions to many API operations from multiple AWS services to complete the wizard. The policy below shows the required permissions to complete the Amazon ECS first run wizard.

Note

If you want to create an Amazon ECR repository in the first run wizard, tag and push an image to that repository, and use that image in an Amazon ECS task definition, then your user also needs the permissions listed in the AmazonEC2ContainerRegistryFullAccess managed policy. For more information, see Amazon ECR Managed Policies.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:CreateOrUpdateTags", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeAutoScalingNotificationTypes", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeTags", "autoscaling:DescribeTriggers", "autoscaling:UpdateAutoScalingGroup", "cloudformation:CreateStack", "cloudformation:DescribeStack*", "cloudformation:DeleteStack", "cloudformation:UpdateStack", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateInternetGateway", "ec2:CreateKeyPair", "ec2:CreateNetworkInterface", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVpc", "ec2:DeleteInternetGateway", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DeleteVpc", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeNetworkInterface", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:ModifyVpcAttribute", "ec2:RunInstances", "ec2:TerminateInstances", "ecr:*", "ecs:*", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DeleteLoadBalancerPolicy", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "iam:AttachRolePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListRoles", "iam:ListGroups", "iam:ListUsers", "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:ListInstanceProfilesForRole" ], "Resource": "*" } ] }

Clusters

The following IAM policy allows permission to create and list clusters. The CreateCluster and ListClusters actions do not accept any resources, so the resource definition is set to * for all resources.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:CreateCluster", "ecs:ListClusters" ], "Resource": [ "*" ] } ] }

The following IAM policy allows permission to describe and delete a specific cluster. The DescribeCluster and DeleteCluster actions accept cluster ARNs as resources.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCluster", "ecs:DeleteCluster" ], "Resource": [ "arn:aws:ecs:us-east-1:<aws_account_id>:cluster/<cluster_name>" ] } ] }

The following IAM policy can be attached to a user or group that would only allow that user or group to perform operations on a specific cluster.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ecs:Describe*", "ecs:List*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ecs:DeleteCluster", "ecs:DeregisterContainerInstance", "ecs:ListContainerInstances", "ecs:RegisterContainerInstance", "ecs:SubmitContainerStateChange", "ecs:SubmitTaskStateChange" ], "Effect": "Allow", "Resource": "arn:aws:ecs:us-east-1:<aws_account_id>:cluster/default" }, { "Action": [ "ecs:DescribeContainerInstances", "ecs:DescribeTasks", "ecs:ListTasks", "ecs:UpdateContainerAgent", "ecs:StartTask", "ecs:StopTask", "ecs:RunTask" ], "Effect": "Allow", "Resource": "*", "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:us-east-1:<aws_account_id>:cluster/default" } } } ] }

Container Instances

Container instance registration is handled by the Amazon ECS agent, but there may be times where you want to allow a user to deregister an instance manually from a cluster. Perhaps the container instance was accidentally registered to the wrong cluster, or the instance was terminated with tasks still running on it.

The following IAM policy allows a user to list and deregister container instances in a specified cluster:

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterContainerInstance", "ecs:ListContainerInstances" ], "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" ] } ] }

The following IAM policy allows a user to describe a specified container instance in a specified cluster. To open this permission up to all container instances in a cluster, you can replace the container instance UUID with *.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeContainerInstance" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" } }, "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:container-instance/<container_instance_UUID>" ] } ] }

Task Definitions

Task definition IAM policies do not support resource-level permissions, but the following IAM policy allows a user to register, list, and describe task definitions:

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RegisterTaskDefinition", "ecs:ListTaskDefinitions", "ecs:DescribeTaskDefinition" ], "Resource": [ "*" ] } ] }

Run Tasks

The resources for RunTask are task definitions. To limit which clusters a user can run task definitions on, you can specify them in the Condition block. The advantage is that you don't have to list both task definitions and clusters in your resources to allow appropriate access. You can apply one, the other, or both.

The following IAM policy allows permission to run any revision of a specific task definition on a specific cluster:

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" } }, "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:task-definition/<task_family>:*" ] } ] }

Start Tasks

The resources for StartTask are task definitions. To limit which clusters and container instances a user can start task definitions on, you can specify them in the Condition block. The advantage is that you don't have to list both task definitions and clusters in your resources to allow appropriate access. You can apply one, the other, or both.

The following IAM policy allows permission to start any revision of a specific task definition on a specific cluster and specific container instance:

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StartTask" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>", "ecs:container-instances" : [ "arn:aws:ecs:<region>:<aws_account_id>:container-instance/<container_instance_UUID>" ] } }, "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:task-definition/<task_family>:*" ] } ] }

List and Describe Tasks

The following IAM policy allows a user to list tasks for a specified cluster:

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ListTasks" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" } }, "Resource": [ "*" ] } ] }

The following IAM policy allows a user to describe a specified task in a specified cluster:

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeTask" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" } }, "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:task/<task_UUID>" ] } ] }

Create Services

The following IAM policy allows a user to create Amazon ECS services in the AWS Management Console:

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:Describe*", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "ecs:List*", "ecs:Describe*", "ecs:CreateService", "elasticloadbalancing:Describe*", "iam:AttachRolePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:ListGroups", "iam:ListUsers" ], "Resource": [ "*" ] } ] }

Update Services

The following IAM policy allows a user to update Amazon ECS services in the AWS Management Console:

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:Describe*", "application-autoscaling:PutScalingPolicy", "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:RegisterScalableTarget", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "ecs:List*", "ecs:Describe*", "ecs:UpdateService", "iam:AttachRolePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:ListGroups", "iam:ListUsers" ], "Resource": [ "*" ] } ] }