Amazon EC2 Container Service
Developer Guide (API Version 2014-11-13)

Amazon ECS Managed Policies

Amazon ECS provides several managed policies that you can attach to IAM users or EC2 instances. Each allows a different level of control over Amazon ECS resources and API operations. You can apply these policies directly, or you can use them as starting points for creating your own policies. For more information about each API operation mentioned in these policies, see Actions in the Amazon EC2 Container Service API Reference.

AmazonEC2ContainerServiceFullAccess

This policy allows full administrator access to Amazon ECS.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStack*",
        "cloudformation:UpdateStack",
        "cloudwatch:GetMetricStatistics",
        "ec2:Describe*",
        "elasticloadbalancing:*",
        "ecs:*",
        "iam:ListInstanceProfiles",
        "iam:ListRoles",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}

AmazonEC2ContainerServiceforEC2Role

This policy allows Amazon ECS container instances to make calls to AWS on your behalf. For more information, see Amazon ECS Container Instance IAM Role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

AmazonEC2ContainerServiceRole

This policy allows Elastic Load Balancing load balancers to register and deregister Amazon ECS container instances on your behalf. For more information, see Amazon ECS Service Scheduler IAM Role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:Describe*",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RegisterTargets"
      ],
      "Resource": "*"
    }
  ]
}

AmazonEC2ContainerServiceAutoscaleRole

This policy allows Application Auto Scaling to scale your Amazon ECS service's desired count up and down in response to CloudWatch alarms on your behalf. For more information, see Amazon ECS Service Auto Scaling IAM Role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1456535218000",
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeServices",
        "ecs:UpdateService"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1456535243000",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

AmazonEC2ContainerServiceTaskRole

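This policy allows containers in your Amazon ECS tasks to make calls to the AWS APIs on your behalf. The document below is a trust policy: it lets the ecs-tasks.amazonaws.com service principal assume the role through sts:AssumeRole. For more information, see Amazon EC2 Container Service Task Role.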

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
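
When you use one of these managed policies as a starting point for your own, it helps to see which grants apply to every resource. The following Python reviewer is an added example, not part of the AWS guide: it flags service-wide wildcards and selected actions allowed on Resource "*", and reports trust statements separately. The SENSITIVE list, the finding labels, and the SCOPED policy with its placeholder account ID and role name are assumptions made for the example.

```python
import json
from fnmatch import fnmatchcase

# Assumed review list: actions that deserve a look when allowed on Resource "*".
SENSITIVE = ("iam:PassRole", "ec2:AuthorizeSecurityGroupIngress", "ecs:UpdateService")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def review_policy(policy):
    """Return (statement_index, finding) tuples for one policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "Principal" in stmt:
            # Trust policy: says who may assume the role, not what it may do.
            findings.append((i, "trust:" + json.dumps(stmt["Principal"], sort_keys=True)))
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # scoped to named resources, nothing to flag here
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern.endswith(":*"):
                findings.append((i, "service-wildcard:" + pattern))
            # IAM action names match case-insensitively; * and ? are wildcards.
            for action in SENSITIVE:
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((i, "unscoped-sensitive:" + action))
    return findings

# Policy documents copied from this page.
FULL_ACCESS = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["autoscaling:Describe*", "autoscaling:UpdateAutoScalingGroup",
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "cloudformation:DescribeStack*", "cloudformation:UpdateStack",
    "cloudwatch:GetMetricStatistics", "ec2:Describe*", "elasticloadbalancing:*",
    "ecs:*", "iam:ListInstanceProfiles", "iam:ListRoles", "iam:PassRole"],
  "Resource": "*"}]}""")
TASK_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "",
  "Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}""")
# Constructed variant: PassRole limited to one role (placeholder account and name).
SCOPED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::111122223333:role/example-ecs-task-role"}]}

if __name__ == "__main__":
    for name, doc in (("full", FULL_ACCESS), ("trust", TASK_TRUST), ("scoped", SCOPED)):
        print(name, review_policy(doc))
```

For AmazonEC2ContainerServiceFullAccess the reviewer reports the two service-wide wildcards plus ecs:UpdateService and iam:PassRole on all resources; the constructed SCOPED policy produces no findings because its PassRole grant names a single role.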