Menu
Amazon Elastic Container Service
Developer Guide (API Version 2014-11-13)

Amazon ECS Managed Policies and Trust Relationships

Amazon ECS provides several managed policies and trust relationships that you can attach to IAM users, EC2 instances, or Amazon ECS tasks that allow differing levels of control over Amazon ECS resources and API operations. You can apply these policies directly, or you can use them as starting points for creating your own policies. For more information about each API operation mentioned in these policies, see Actions in the Amazon Elastic Container Service API Reference.

AmazonECS_FullAccess

This managed policy provides administrative access to Amazon ECS resources and enables ECS features through access to other AWS service resources, including VPCs, Auto Scaling groups, and AWS CloudFormation stacks.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "autoscaling:UpdateAutoScalingGroup", "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "autoscaling:Describe*", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricAlarm", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupIngress", "ec2:CancelSpotFleetRequests", "ec2:CreateInternetGateway", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateVpc", "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:Describe*", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:RequestSpotFleet", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetGroups", "ecs:*", "events:DescribeRule", "events:DeleteRule", "events:ListRuleNamesByTarget", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListRoles" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ec2:DeleteInternetGateway", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup" ], "Resource": [ "*" ], "Condition": { "StringLike": { "ec2:ResourceTag/aws:cloudformation:stack-name": "EC2ContainerService-*" } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": [ "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS*" ], "Condition": { "StringLike": { "iam:AWSServiceName": "ecs.amazonaws.com" } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "*" ], "Condition": { "StringLike": { "iam:PassedToService": "ecs-tasks.amazonaws.com" } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsInstanceRole*" ], "Condition": { "StringLike": { "iam:PassedToService": ["ec2.amazonaws.com", "ec2.amazonaws.com.cn"] } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsAutoscaleRole*" ], "Condition": { "StringLike": { "iam:PassedToService": ["application-autoscaling.amazonaws.com", "application-autoscaling.amazonaws.com.cn"] } } } ] }

AmazonEC2ContainerServiceFullAccess

This managed policy allows full administrator access to Amazon ECS.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling:Describe*", "autoscaling:UpdateAutoScalingGroup", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack", "cloudwatch:GetMetricStatistics", "ec2:Describe*", "elasticloadbalancing:*", "ecs:*", "events:DescribeRule", "events:DeleteRule", "events:ListRuleNamesByTarget", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "iam:ListInstanceProfiles", "iam:ListRoles", "iam:PassRole" ], "Resource": "*" } ] }

AmazonEC2ContainerServiceforEC2Role

This managed policy allows Amazon ECS container instances to make calls to AWS on your behalf. For more information, see Amazon ECS Container Instance IAM Role.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:CreateCluster", "ecs:DeregisterContainerInstance", "ecs:DiscoverPollEndpoint", "ecs:Poll", "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession", "ecs:Submit*", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] }

AmazonEC2ContainerServiceRole

This managed policy allows Elastic Load Balancing load balancers to register and deregister Amazon ECS container instances on your behalf. For more information, see Amazon ECS Service Scheduler IAM Role.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:Describe*", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:Describe*", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets" ], "Resource": "*" } ] }

AmazonEC2ContainerServiceAutoscaleRole

This managed policy allows Application Auto Scaling to scale your Amazon ECS service's desired count up and down in response to CloudWatch alarms on your behalf. For more information, see Amazon ECS Service Auto Scaling IAM Role.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1456535218000", "Effect": "Allow", "Action": [ "ecs:DescribeServices", "ecs:UpdateService" ], "Resource": [ "*" ] }, { "Sid": "Stmt1456535243000", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": [ "*" ] } ] }

AmazonEC2ContainerServiceTaskRole

This IAM trust relationship policy allows containers in your Amazon ECS tasks to make calls to the AWS APIs on your behalf. For more information, see Amazon EC2 Container Service Task Role.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

AmazonEC2ContainerServiceEventsRole

This policy allows CloudWatch Events to run tasks on your behalf. For more information, see Scheduled Tasks (cron).

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": [ "*" ] } ] }