Auto Scaling
User Guide

Controlling Access to Your Auto Scaling Resources

Auto Scaling integrates with AWS Identity and Access Management (IAM), a service that enables you to do the following:

  • Create users and groups under your organization's AWS account

  • Assign unique security credentials to each user under your AWS account

  • Control each user's permissions to perform tasks using AWS resources

  • Allow the users in another AWS account to share your AWS resources

  • Create roles for your AWS account and define the users or services that can assume them

  • Use existing identities for your enterprise to grant permissions to perform tasks using AWS resources

For example, you can create an IAM policy that grants the Managers group permission to use only the DescribeAutoScalingGroups, DescribeLaunchConfigurations, DescribeScalingActivities, and DescribePolicies API operations. Users in the Managers group could then use those operations with any Auto Scaling groups and launch configurations.

You can also create IAM policies that restrict access to a particular Auto Scaling group or launch configuration.

For more information, see Identity and Access Management (IAM) or the IAM User Guide.

Auto Scaling Actions

You can specify any and all Auto Scaling actions in an IAM policy. Use the following prefix with the name of the action: autoscaling:. For example:

"Action": "autoscaling:CreateAutoScalingGroup"

To specify multiple actions in a single statement, enclose them in square brackets and separate them with commas, as follows:

"Action": [
    "autoscaling:CreateAutoScalingGroup",
    "autoscaling:UpdateAutoScalingGroup"
]

You can also use wildcards. For example, use autoscaling:* to specify all Auto Scaling actions.

"Action": "autoscaling:*"

Use Describe* to specify all actions whose names start with Describe.

"Action": "autoscaling:Describe*"

For more information, see Auto Scaling Actions in the Auto Scaling API Reference.

Auto Scaling Resources

For actions that support resource-level permissions, you can control the Auto Scaling group or launch configuration that users are allowed to access.

To specify an Auto Scaling group, you must specify its Amazon Resource Name (ARN) as follows:

"Resource": "arn:aws:autoscaling:region:123456789012:autoScalingGroup:uuid:autoScalingGroupName/asg-name"

To specify an Auto Scaling group with CreateAutoScalingGroup, you must replace the UUID with * as follows:

"Resource": "arn:aws:autoscaling:region:123456789012:autoScalingGroup:*:autoScalingGroupName/asg-name"

To specify a launch configuration, you must specify its ARN as follows:

"Resource": "arn:aws:autoscaling:region:123456789012:launchConfiguration:uuid:launchConfigurationName/lc-name"

To specify a launch configuration with CreateLaunchConfiguration, you must replace the UUID with * as follows:

"Resource": "arn:aws:autoscaling:region:123456789012:launchConfiguration:*:launchConfigurationName/lc-name"
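The ARN forms above and the Action wildcards from the previous section, as an added example that is not part of the user guide or of any AWS SDK: it builds both ARN shapes, applies IAM-style wildcard matching to the Action and Resource elements, and shows why a statement that pins a group's UUID stops matching once that group is deleted and recreated under the same name. The account id, region, group names and UUIDs are constructed sample values (the account id and the first UUID are the ones this page's own examples use); the matcher follows IAM's wildcard and case rules as I understand them, and asg_arn, lc_arn, iam_match and statement_covers are names chosen for this example.

```python
"""Build Auto Scaling ARNs and test them against an IAM statement's
Action and Resource patterns.

Added example; not code from the Auto Scaling User Guide or an AWS SDK.
Account id, region, names and UUIDs are constructed sample values.
"""
import re

ACCOUNT = "123456789012"   # sample account id used in this guide's examples
REGION = "us-west-2"       # sample region


def asg_arn(name, uuid="*", region=REGION, account=ACCOUNT):
    """ARN of an Auto Scaling group. The UUID is assigned at creation time,
    so a statement for CreateAutoScalingGroup must carry '*' in its place."""
    return (f"arn:aws:autoscaling:{region}:{account}:autoScalingGroup:"
            f"{uuid}:autoScalingGroupName/{name}")


def lc_arn(name, uuid="*", region=REGION, account=ACCOUNT):
    """ARN of a launch configuration; the same UUID rule applies to
    CreateLaunchConfiguration."""
    return (f"arn:aws:autoscaling:{region}:{account}:launchConfiguration:"
            f"{uuid}:launchConfigurationName/{name}")


def iam_match(pattern, value, case_sensitive=True):
    """IAM wildcard semantics: '*' matches any run of characters, '?' a
    single character, everything else is literal. Resource ARNs compare
    case-sensitively; action names are compared case-insensitively."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(".*".join(parts), value, flags) is not None


def statement_covers(statement, action, resource_arn):
    """True when an Allow statement names both the action and the resource.
    The Condition block is deliberately ignored: this checks Action and
    Resource only."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement["Action"]
    resources = statement["Resource"]
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    return (any(iam_match(p, action, case_sensitive=False) for p in actions)
            and any(iam_match(p, resource_arn) for p in resources))


# UUID of "group-1" from this page's SetDesiredCapacity example.
GROUP1_UUID = "7fe02b8e-7442-4c9e-8c8e-85fa99e9b5d9"
# Constructed UUID standing in for a group deleted and recreated under the same name.
RECREATED_UUID = "00000000-0000-4000-8000-000000000000"

# Statement pinned to one specific group (UUID included).
PINNED = {"Effect": "Allow", "Action": "autoscaling:SetDesiredCapacity",
          "Resource": asg_arn("group-1", GROUP1_UUID)}
# Statement keyed on the name pattern only (UUID wildcarded).
BY_NAME = {"Effect": "Allow", "Action": "autoscaling:SetDesiredCapacity",
           "Resource": asg_arn("group-*")}
# Wildcard action: every action with "Scaling" in its name, on any resource.
SCALING_ACTIONS = {"Effect": "Allow", "Action": ["autoscaling:*Scaling*"],
                   "Resource": "*"}

if __name__ == "__main__":
    act = "autoscaling:SetDesiredCapacity"
    print("pinned, original group:  ", statement_covers(PINNED, act, asg_arn("group-1", GROUP1_UUID)))
    print("pinned, recreated group: ", statement_covers(PINNED, act, asg_arn("group-1", RECREATED_UUID)))
    print("by name, recreated group:", statement_covers(BY_NAME, act, asg_arn("group-1", RECREATED_UUID)))
    print("*Scaling* covers Describe:", statement_covers(
        SCALING_ACTIONS, "autoscaling:DescribeScalingActivities", asg_arn("web")))
```

The pinned statement keeps matching only while the original group exists; the name-based form survives a delete-and-recreate but also covers every other group whose name fits the pattern, which is the trade-off the SetDesiredCapacity examples later on this page illustrate.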

The following Auto Scaling actions do not support resource-level permissions:

  • DescribeAccountLimits

  • DescribeAdjustmentTypes

  • DescribeAutoScalingGroups

  • DescribeAutoScalingInstances

  • DescribeAutoScalingNotificationTypes

  • DescribeLaunchConfigurations

  • DescribeLifecycleHooks

  • DescribeLifecycleHookTypes

  • DescribeLoadBalancers

  • DescribeLoadBalancerTargetGroups

  • DescribeMetricCollectionTypes

  • DescribeNotificationConfigurations

  • DescribePolicies

  • DescribeScalingActivities

  • DescribeScalingProcessTypes

  • DescribeScheduledActions

  • DescribeTags

  • DescribeTerminationPolicyTypes

For actions that don't support resource-level permissions, you must use "*" as the resource.

"Resource": "*"

Auto Scaling Condition Keys

When you create a policy, you can specify the conditions when the policy should take effect. To express conditions, use predefined condition keys. There are condition keys that are specific to Auto Scaling, plus AWS-wide condition keys.

The following condition keys are specific to Auto Scaling:

  • autoscaling:ImageId

  • autoscaling:InstanceType

  • autoscaling:LaunchConfigurationName

  • autoscaling:LoadBalancerNames

  • autoscaling:MaxSize

  • autoscaling:MinSize

  • autoscaling:ResourceTag/key

  • autoscaling:SpotPrice

  • autoscaling:TargetGroupARNs

  • autoscaling:VPCZoneIdentifiers

For a list of context keys supported by each AWS service and a list of AWS-wide policy keys, see AWS Service Actions and Condition Context Keys and Available Keys for Conditions in the IAM User Guide.

Supported Resource-Level Permissions

The following table describes the Auto Scaling API actions that support resource-level permissions, as well as the supported condition keys and resources for each action.

API Action | Condition Keys | Resource ARN
AttachInstances | autoscaling:ResourceTag/key | Auto Scaling group
AttachLoadBalancers | autoscaling:LoadBalancerNames, autoscaling:ResourceTag/key | Auto Scaling group
AttachLoadBalancerTargetGroups | autoscaling:ResourceTag/key, autoscaling:TargetGroupARNs | Auto Scaling group
CompleteLifecycleAction | autoscaling:ResourceTag/key | Auto Scaling group
CreateAutoScalingGroup | autoscaling:LaunchConfigurationName, autoscaling:LoadBalancerNames, autoscaling:MaxSize, autoscaling:MinSize, autoscaling:ResourceTag/key, autoscaling:TargetGroupARNs, autoscaling:VPCZoneIdentifiers, aws:RequestTag/key, aws:TagKeys | Auto Scaling group (replace UUID with *)
CreateLaunchConfiguration | autoscaling:ImageId, autoscaling:InstanceType, autoscaling:SpotPrice | Launch configuration (replace UUID with *)
CreateOrUpdateTags | autoscaling:ResourceTag/key, aws:RequestTag/key, aws:TagKeys | Auto Scaling group
DeleteAutoScalingGroup | autoscaling:ResourceTag/key | Auto Scaling group
DeleteLaunchConfiguration | (none) | Launch configuration
DeleteLifecycleHook | autoscaling:ResourceTag/key | Auto Scaling group
DeleteNotificationConfiguration | autoscaling:ResourceTag/key | Auto Scaling group
DeletePolicy | autoscaling:ResourceTag/key | Auto Scaling group
DeleteScheduledAction | autoscaling:ResourceTag/key | Auto Scaling group
DeleteTags | autoscaling:ResourceTag/key, aws:RequestTag/key, aws:TagKeys | Auto Scaling group
DetachInstances | autoscaling:ResourceTag/key | Auto Scaling group
DetachLoadBalancers | autoscaling:LoadBalancerNames, autoscaling:ResourceTag/key | Auto Scaling group
DetachLoadBalancerTargetGroups | autoscaling:ResourceTag/key, autoscaling:TargetGroupARNs | Auto Scaling group
DisableMetricsCollection | autoscaling:ResourceTag/key | Auto Scaling group
EnableMetricsCollection | autoscaling:ResourceTag/key | Auto Scaling group
EnterStandby | autoscaling:ResourceTag/key | Auto Scaling group
ExecutePolicy | autoscaling:ResourceTag/key | Auto Scaling group
ExitStandby | autoscaling:ResourceTag/key | Auto Scaling group
PutLifecycleHook | autoscaling:ResourceTag/key | Auto Scaling group
PutNotificationConfiguration | autoscaling:ResourceTag/key | Auto Scaling group
PutScalingPolicy | autoscaling:ResourceTag/key | Auto Scaling group
PutScheduledUpdateGroupAction | autoscaling:MaxSize, autoscaling:MinSize, autoscaling:ResourceTag/key | Auto Scaling group
RecordLifecycleActionHeartbeat | autoscaling:ResourceTag/key | Auto Scaling group
ResumeProcesses | autoscaling:ResourceTag/key | Auto Scaling group
SetDesiredCapacity | autoscaling:ResourceTag/key | Auto Scaling group
SetInstanceHealth | autoscaling:ResourceTag/key | Auto Scaling group
SetInstanceProtection | autoscaling:ResourceTag/key | Auto Scaling group
SuspendProcesses | autoscaling:ResourceTag/key | Auto Scaling group
TerminateInstancesInAutoScalingGroup | autoscaling:ResourceTag/key | Auto Scaling group
UpdateAutoScalingGroup | autoscaling:LaunchConfigurationName, autoscaling:MaxSize, autoscaling:MinSize, autoscaling:ResourceTag/key, autoscaling:VPCZoneIdentifiers | Auto Scaling group

Predefined AWS Managed Policies

The managed policies created by AWS grant the required permissions for common use cases. You can attach these policies to your IAM users. The following are the AWS managed policies for Auto Scaling.

  • AutoScalingConsoleFullAccess — Grants access to all API actions used by the console for Auto Scaling resources. This includes all API actions for Auto Scaling, and selected API actions for Amazon EC2, CloudWatch, Elastic Load Balancing, and Amazon SNS.

  • AutoScalingConsoleReadOnlyAccess — Grants access to the read-only API actions used by the console for Auto Scaling resources. This includes all read-only API actions for Auto Scaling, and selected read-only API actions for Amazon EC2, CloudWatch, Elastic Load Balancing, and Amazon SNS.

  • AutoScalingFullAccess — Grants access to all Auto Scaling API actions.

  • AutoScalingReadOnlyAccess — Grants access to the read-only Auto Scaling API actions.

Customer Managed Policies

You can create custom IAM policies that grant your IAM users permissions to perform specific actions on specific resources. The following are example policies for Auto Scaling.

Example: Create and Manage Launch Configurations

The following policy grants users permission to use all Auto Scaling actions that include the string LaunchConfiguration in their names. Alternatively, you can list each action explicitly instead of using wildcards. However, the policy would not automatically apply to any new Auto Scaling actions with LaunchConfiguration in their names.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "autoscaling:*LaunchConfiguration*",
    "Resource": "*"
  }]
}

The following policy grants users permission to create a launch configuration only if the instance type is t2.micro and the name of the launch configuration starts with t2micro-, and to specify a launch configuration for an Auto Scaling group only if its name starts with t2micro-.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "autoscaling:CreateLaunchConfiguration",
      "Resource": [
        "arn:aws:autoscaling:us-west-2:123456789012:launchConfiguration:*:launchConfigurationName/t2micro-*"
      ],
      "Condition": {
        "StringEquals": { "autoscaling:InstanceType": "t2.micro" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringLikeIfExists": { "autoscaling:LaunchConfigurationName": "t2micro-*" }
      }
    }
  ]
}

Example: Create and Manage Auto Scaling Groups and Scaling Policies

The following policy grants users permission to use all Auto Scaling actions that include the string Scaling in their names.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["autoscaling:*Scaling*"],
    "Resource": "*"
  }]
}

The following policy grants users permission to use all Auto Scaling actions that include the string Scaling in their names, as long as the Auto Scaling group has the tag purpose=webserver. Because the Describe actions do not support resource-level permissions, you must specify them in a separate statement without conditions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["autoscaling:*Scaling*"],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "autoscaling:ResourceTag/purpose": "webserver" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*Scaling*",
      "Resource": "*"
    }
  ]
}

The following policy grants users permission to use all Auto Scaling actions that include the string Scaling in their names, as long as they don't specify a minimum size less than 1 or a maximum size greater than 10. Because the Describe actions do not support resource-level permissions, you must specify them in a separate statement without conditions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["autoscaling:*Scaling*"],
      "Resource": "*",
      "Condition": {
        "NumericGreaterThanEqualsIfExists": { "autoscaling:MinSize": 1 },
        "NumericLessThanEqualsIfExists": { "autoscaling:MaxSize": 10 }
      }
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*Scaling*",
      "Resource": "*"
    }
  ]
}

Example: Control Access Using Tags

To grant users permission to create or tag an Auto Scaling group only if they specify specific tags, use the aws:RequestTag condition key. To allow only specific tag keys, use the aws:TagKeys condition key with the ForAnyValue modifier.

The following policy requires users to tag any Auto Scaling groups with the tags purpose=webserver and cost-center=cc123, and allows only the purpose and cost-center tags (no other tags can be specified).

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "autoscaling:CreateAutoScalingGroup",
      "autoscaling:CreateOrUpdateTags"
    ],
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "aws:RequestTag/purpose": "webserver",
        "aws:RequestTag/cost-center": "cc123"
      },
      "ForAllValues:StringEquals": {
        "aws:TagKeys": ["purpose", "cost-center"]
      }
    }
  }]
}

The following policy requires users to specify a tag with the key environment in the request.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "autoscaling:CreateAutoScalingGroup",
      "autoscaling:CreateOrUpdateTags"
    ],
    "Resource": "*",
    "Condition": {
      "StringLike": { "aws:RequestTag/environment": "*" }
    }
  }]
}

The following policy requires users to specify at least one tag in the request, and allows only the cost-center and owner keys.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "autoscaling:CreateAutoScalingGroup",
      "autoscaling:CreateOrUpdateTags"
    ],
    "Resource": "*",
    "Condition": {
      "ForAnyValue:StringEquals": { "aws:TagKeys": ["cost-center", "owner"] }
    }
  }]
}

The following policy grants users access to Auto Scaling groups with the tag allowed=true and allows them to apply only the tag environment=test. Because launch configurations do not support tags and Describe actions do not support resource-level permissions, you must specify them in a separate statement without conditions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "autoscaling:*Scaling*",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "autoscaling:ResourceTag/allowed": "true" },
        "StringEqualsIfExists": { "aws:RequestTag/environment": "test" },
        "ForAllValues:StringEquals": { "aws:TagKeys": "environment" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:*LaunchConfiguration*",
        "autoscaling:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
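The condition keys used by the examples above (from the t2micro- launch configuration policy through the allowed=true tag policy), as an added example that is not part of the user guide or of any AWS code: a small evaluator for a statement's Condition block that applies IAM's semantics for StringEquals and StringLike, their ...IfExists variants, the Numeric comparisons, and the ForAllValues / ForAnyValue set operators, then runs three of this page's statements against constructed request contexts. In the real service AWS assembles the request context; here tag_request builds it by hand, and condition_matches, statement_allows, _like and _OPS are names chosen for this example. The operator behaviour encoded below is my reading of the IAM documentation, not something this page states.

```python
"""Evaluate an IAM Condition block against a request context, covering the
operators this page's examples use: StringEquals, StringLike, their ...IfExists
variants, NumericGreaterThanEquals / NumericLessThanEquals, and the
ForAllValues / ForAnyValue set operators for multivalued keys (aws:TagKeys).
Added example; not code from the Auto Scaling User Guide or from AWS.
"""
import re


def _like(pattern, value):
    """StringLike: '*' and '?' wildcards, everything else literal."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value) is not None


# Base operators: (policy value, request value) -> bool
_OPS = {
    "StringEquals": lambda p, v: p == v,
    "StringLike": _like,
    "NumericLessThanEquals": lambda p, v: float(v) <= float(p),
    "NumericGreaterThanEquals": lambda p, v: float(v) >= float(p),
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def condition_matches(condition, context):
    """True when every operator/key pair is satisfied (AND); several policy
    values for one key are alternatives (OR). context maps condition-key names
    to a string, a number, or a list of strings for multivalued keys; a key the
    request does not carry is simply absent from the dict."""
    for op_name, pairs in condition.items():
        set_prefix, _, base = op_name.rpartition(":")
        if_exists = base.endswith("IfExists")
        compare = _OPS[base[:-len("IfExists")] if if_exists else base]
        for key, policy_values in pairs.items():
            policy_values = [str(p) for p in _as_list(policy_values)]
            request_values = [str(v) for v in _as_list(context[key])] if key in context else []
            if set_prefix == "":
                # Single-valued operator: a missing key fails unless IfExists;
                # a multivalued request key is treated as no match here.
                if not request_values:
                    if if_exists:
                        continue
                    return False
                if len(request_values) != 1 or not any(compare(p, request_values[0]) for p in policy_values):
                    return False
            elif set_prefix == "ForAllValues":
                # Every request value must match some policy value. An absent
                # key matches vacuously, so this operator alone cannot require
                # that a tag be present.
                if not all(any(compare(p, v) for p in policy_values) for v in request_values):
                    return False
            elif set_prefix == "ForAnyValue":
                # At least one request value must match a policy value; an absent
                # key fails. Extra, unlisted values are not rejected by this operator.
                if not any(compare(p, v) for p in policy_values for v in request_values):
                    return False
            else:
                raise ValueError(f"unsupported operator {op_name}")
    return True


def statement_allows(statement, action, context):
    """Action element (IAM wildcards, case-insensitive) plus the Condition
    block. Resource matching is left out: the tag and size examples on this
    page all use "Resource": "*"."""
    if statement.get("Effect") != "Allow":
        return False
    if not any(_like(p.lower(), action.lower()) for p in _as_list(statement["Action"])):
        return False
    return condition_matches(statement.get("Condition", {}), context)


def tag_request(resource_tags=None, request_tags=None):
    """Constructed request context: tags already on the group become
    autoscaling:ResourceTag/<key>; tags carried in the request become
    aws:RequestTag/<key> plus the multivalued aws:TagKeys."""
    ctx = {f"autoscaling:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()}
    for k, v in (request_tags or {}).items():
        ctx[f"aws:RequestTag/{k}"] = v
    if request_tags:
        ctx["aws:TagKeys"] = list(request_tags)
    return ctx


# First statement of the page's allowed=true / environment=test policy.
TAG_SCOPED = {"Effect": "Allow", "Action": "autoscaling:*Scaling*", "Resource": "*",
              "Condition": {"StringEquals": {"autoscaling:ResourceTag/allowed": "true"},
                            "StringEqualsIfExists": {"aws:RequestTag/environment": "test"},
                            "ForAllValues:StringEquals": {"aws:TagKeys": "environment"}}}
# First statement of the page's MinSize/MaxSize policy.
SIZE_BOUNDED = {"Effect": "Allow", "Action": ["autoscaling:*Scaling*"], "Resource": "*",
                "Condition": {"NumericGreaterThanEqualsIfExists": {"autoscaling:MinSize": 1},
                              "NumericLessThanEqualsIfExists": {"autoscaling:MaxSize": 10}}}
# The page's "at least one tag" policy.
ANY_LISTED_KEY = {"Effect": "Allow", "Resource": "*",
                  "Action": ["autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags"],
                  "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["cost-center", "owner"]}}}
```

Two behaviours worth checking with this: ForAllValues:StringEquals passes when the request carries no aws:TagKeys at all, so the allowed=true policy permits an untagged UpdateAutoScalingGroup but rejects a request that adds any key other than environment; and ForAnyValue:StringEquals only requires that at least one of the listed keys be present, so a request carrying owner together with an unlisted key still satisfies that operator.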

Example: Change the Capacity of Auto Scaling Groups

The following policy grants users permission to use the SetDesiredCapacity action to change the capacity of any Auto Scaling group.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "autoscaling:SetDesiredCapacity",
    "Resource": "*"
  }]
}

The following policy grants users permission to use the SetDesiredCapacity action to change the capacity of the specified Auto Scaling groups. Note that including the UUID ensures that access is granted to the specific Auto Scaling group. If you were to delete an Auto Scaling group and create a new one with the same name, the UUID for the new group would be different than the UUID for the original group.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "autoscaling:SetDesiredCapacity",
    "Resource": [
      "arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:7fe02b8e-7442-4c9e-8c8e-85fa99e9b5d9:autoScalingGroupName/group-1",
      "arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:9d8e8ea4-22e1-44c7-a14d-520f8518c2b9:autoScalingGroupName/group-2",
      "arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:60d6b363-ae8b-467c-947f-f1d308935521:autoScalingGroupName/group-3"
    ]
  }]
}

The following policy grants users permission to use the SetDesiredCapacity action to change the capacity of any Auto Scaling group whose name begins with group-.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "autoscaling:SetDesiredCapacity",
    "Resource": [
      "arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:*:autoScalingGroupName/group-*"
    ]
  }]
}