This section walks through a use case for controlling user access to AWS Elastic Beanstalk and sample policies that support the use case. These policies use the AWS Elastic Beanstalk policy templates as a starting point. For information about attaching policies to users and groups, go to Managing IAM Policies in Using AWS Identity and Access Management.
In our use case, Example Corp. is a software company with three teams responsible for their website: administrators who manage the infrastructure, developers who build the software for the website, and a QA team that tests the website. To help manage permissions to their AWS Elastic Beanstalk assets, Example Corp. creates groups that contain the members of each team: Admins, Developers, and Testers. Example Corp. wants to enable the Admins group to have full access to all applications, environments, and their underlying resources so that they can create, troubleshoot, and delete all of their AWS Elastic Beanstalk assets. Developers require permissions to view all AWS Elastic Beanstalk assets and to create and deploy application versions. Developers should not be able to create new applications or environments and cannot terminate running environments since they are not part of the Admins group. Testers need to view all AWS Elastic Beanstalk resources in order to monitor and test applications so that they can run automated tests and access the web application. However, the Testers group should not be able to make changes to any AWS Elastic Beanstalk resources.
Example 1: Allow the Admins group to use all AWS Elastic Beanstalk and related service APIs
The following policy gives permissions for all actions required to use AWS Elastic Beanstalk. This policy includes actions for Auto Scaling, Amazon S3, Amazon EC2, Amazon CloudWatch, Amazon SNS, Elastic Load Balancing, Amazon RDS, and AWS CloudFormation (for non-legacy container types), as well as for all AWS Elastic Beanstalk actions. AWS Elastic Beanstalk relies on these additional services to provision underlying resources when creating an environment. For a list of supported non-legacy container types, see Why are some container types marked legacy?.
Note
The following policy is an example. It gives a broad set of permissions to the AWS products that AWS Elastic Beanstalk uses to manage applications and environments. For example, ec2:* allows an IAM user to perform any action on any Amazon EC2 resource in the AWS account. These permissions are not limited to the resources that you use with AWS Elastic Beanstalk. As a best practice, you should grant individuals only the permissions they need to perform their duties.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*",
        "rds:*",
        "cloudformation:*"
      ],
      "Resource": "*"
    }
  ]
}
Example 2: Allow the Developers group to do all actions except highly privileged operations such as creating applications and environments
The following policy explicitly denies the highly privileged operations (creating applications and environments, deleting applications, rebuilding or terminating environments, and swapping environment CNAMEs) but allows all other AWS Elastic Beanstalk actions. Because an explicit Deny always takes precedence over an Allow in IAM policy evaluation, the denied actions stay blocked even though the second statement grants elasticbeanstalk:*.
Note
The following policy is an example. It gives a broad set of permissions to the AWS products that AWS Elastic Beanstalk uses to manage applications and environments. For example, ec2:* allows an IAM user to perform any action on any Amazon EC2 resource in the AWS account. These permissions are not limited to the resources that you use with AWS Elastic Beanstalk. As a best practice, you should grant individuals only the permissions they need to perform their duties.
{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CreateApplication",
        "elasticbeanstalk:CreateEnvironment",
        "elasticbeanstalk:DeleteApplication",
        "elasticbeanstalk:RebuildEnvironment",
        "elasticbeanstalk:SwapEnvironmentCNAMEs",
        "elasticbeanstalk:TerminateEnvironment"
      ],
      "Effect": "Deny",
      "Resource": "*"
    },
    {
      "Action": [
        "elasticbeanstalk:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*",
        "rds:*",
        "cloudformation:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Example 3: Allow the Testers group to view all AWS Elastic Beanstalk assets but not to perform any actions
The following policy allows read-only access to all applications, application versions, events, and environments.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "rds:Describe*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*"
      ],
      "Resource": "*"
    }
  ]
}
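As an added example (not part of the AWS Elastic Beanstalk documentation), the following Python script applies IAM's basic evaluation rule, explicit Deny over Allow over implicit deny, to trimmed copies of the Example 2 (Developers) and Example 3 (Testers) policies and checks that they enforce the use case described above. It assumes the real Elastic Beanstalk API actions elasticbeanstalk:CreateApplicationVersion and elasticbeanstalk:DescribeEnvironments, which are not listed on this page; Resource and Condition matching are left out because every statement here uses "*".

```python
import fnmatch

# Example 2 (Developers) and Example 3 (Testers) policies from this page,
# trimmed to the statements that matter here; embedded so the script runs offline.
DEVELOPERS_POLICY = {"Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["elasticbeanstalk:CreateApplication",
                "elasticbeanstalk:CreateEnvironment",
                "elasticbeanstalk:DeleteApplication",
                "elasticbeanstalk:RebuildEnvironment",
                "elasticbeanstalk:SwapEnvironmentCNAMEs",
                "elasticbeanstalk:TerminateEnvironment"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["elasticbeanstalk:*", "ec2:*", "s3:*"]},
]}
TESTERS_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["elasticbeanstalk:Check*", "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*", "ec2:Describe*", "s3:Get*", "s3:List*"]},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' is the wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def evaluate(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.
    Mirrors IAM's basic rule: an explicit Deny beats any Allow, and an action
    matched by no statement is implicitly denied. Resource and Condition
    handling is out of scope (every statement on this page uses "*")."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny short-circuits
            decision = "Allow"
    return decision

def check_use_case():
    """Check the use case: developers may deploy versions but not create or
    terminate environments; testers may only read. Action names below are
    assumed real Elastic Beanstalk APIs not listed on this page."""
    return {
        "dev_deploy": evaluate(DEVELOPERS_POLICY, "elasticbeanstalk:CreateApplicationVersion"),
        "dev_create_env": evaluate(DEVELOPERS_POLICY, "elasticbeanstalk:CreateEnvironment"),
        "dev_terminate": evaluate(DEVELOPERS_POLICY, "elasticbeanstalk:TerminateEnvironment"),
        "tester_describe": evaluate(TESTERS_POLICY, "elasticbeanstalk:DescribeEnvironments"),
        "tester_deploy": evaluate(TESTERS_POLICY, "elasticbeanstalk:CreateApplicationVersion"),
    }
```

Running check_use_case() shows the Deny statement blocking CreateEnvironment despite the elasticbeanstalk:* Allow, while the Testers policy never reaches an Allow for a write action and so falls through to the implicit deny.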