Menu
Auto Scaling
User Guide

Controlling Access to Your Auto Scaling Resources

Auto Scaling integrates with AWS Identity and Access Management (IAM), a service that enables you to do the following:

  • Create users and groups under your organization's AWS account

  • Assign unique security credentials to each user under your AWS account

  • Control each user's permissions to perform tasks using AWS resources

  • Allow the users in another AWS account to share your AWS resources

  • Create roles for your AWS account and define the users or services that can assume them

  • Use existing identities for your enterprise to grant permissions to perform tasks using AWS resources

For example, you could create an IAM policy that grants the Managers group permission to use only the DescribeAutoScalingGroups, DescribeLaunchConfigurations, DescribeScalingActivities, and DescribePolicies API operations. Users in the Managers group could then use those operations with any Auto Scaling groups and launch configurations. Note that you can't restrict access to a particular Auto Scaling group or launch configuration.

For more information, see Identity and Access Management (IAM) or the IAM User Guide.

Auto Scaling Actions

In an IAM policy, you can specify any and all Auto Scaling actions. For Auto Scaling, use the following prefix with the name of the action: autoscaling:. For example: autoscaling:CreateAutoScalingGroup and autoscaling:CreateLaunchConfiguration. You can also use wildcards. For example, use autoscaling:* to indicate all Auto Scaling actions.

For more information, see Auto Scaling Actions in the Auto Scaling API Reference.

Auto Scaling Resources

When writing an IAM policy to control access to Auto Scaling actions, you must use "*" as the resource. There are no supported Amazon Resource Names (ARNs) for Auto Scaling resources.

Auto Scaling Keys

For a list of context keys supported by each AWS service and a list of AWS-wide policy keys, see AWS Service Actions and Condition Context Keys and Available Keys for Conditions in the IAM User Guide.

Predefined AWS Managed Policies

The managed policies created by AWS grant the required permissions for common use cases. You can attach these policies to your IAM users. The following are the AWS managed policies for Auto Scaling.

  • AutoScalingConsoleFullAccess — Grants access to all API actions used by the console for Auto Scaling resources. This includes all API actions for Auto Scaling, and selected API actions for Amazon EC2, CloudWatch, Elastic Load Balancing, and Amazon SNS.

  • AutoScalingConsoleReadOnlyAccess — Grants access to the read-only API actions used by the console for Auto Scaling resources. This includes all read-only API actions for Auto Scaling, and selected read-only API actions for Amazon EC2, CloudWatch, Elastic Load Balancing, and Amazon SNS

  • AutoScalingFullAccess — Grants access to all Auto Scaling API actions.

  • AutoScalingReadOnlyAccess — Grants access to the read-only Auto Scaling API actions.

Customer Managed Policies

You can create custom IAM policies that grant your IAM users permissions to perform specific actions on specific resources. The following are example policies for Auto Scaling. Note that the resource is always "*", because you can't specify a particular Auto Scaling resource in a policy.

Example 1: Create and manage Auto Scaling launch configurations

The following policy grants users permission to use all Auto Scaling actions that include the string LaunchConfiguration in their names.

Alternatively, you can list each action explicitly instead of using wildcards. If you list each action separately, the policy would not automatically apply to any new Auto Scaling actions introduced by AWS that included the string LaunchConfiguration in their names.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:*LaunchConfiguration*", "Resource": "*" } ] }

Example 2: Create and manage Auto Scaling groups and policies.

The following policy grants users permission to use all Auto Scaling actions that include the string Scaling in their names.

Alternatively, you can list each action explicitly instead of using wildcards. If you list each action separately, the policy would not automatically apply to any new Auto Scaling actions introduced by AWS that included the string Scaling in their names.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["autoscaling:*Scaling*"], "Resource": "*" } ] }

Example 3: Change the capacity of Auto Scaling groups.

The following policy grants users permission to use the SetDesiredCapacity action to change the capacity of Auto Scaling groups.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:SetDesiredCapacity", "Resource": "*" } ] }