AWS Elastic Beanstalk
Developer Guide (API Version 2010-12-01)

Service Roles, Instance Profiles, and User Policies

When you create an environment, AWS Elastic Beanstalk prompts you to provide two AWS Identity and Access Management (IAM) roles, a service role and an instance profile. The service role is assumed by Elastic Beanstalk to use other AWS services on your behalf. The instance profile is applied to the instances in your environment and allows them to upload logs to Amazon S3 and perform other tasks that vary depending on the environment type and platform.

The best way to get a properly configured service role and instance profile is to create an environment running a sample application in the Elastic Beanstalk console or by using the Elastic Beanstalk Command Line Interface (EB CLI). When you create an environment, the clients create the required roles and assign them managed policies that include all of the necessary permissions.

In addition to the two roles that you assign to your environment, you can also create user policies and apply them to IAM users and groups in your account to allow users to create and manage Elastic Beanstalk applications and environments. Elastic Beanstalk provides managed policies for full access and read-only access.

You can create your own instance profiles and user policies for advanced scenarios. If your instances need to access services that are not covered by the default policies, you can attach further policies to the default instance profile or create a new profile. You can also create more restrictive user policies if the managed policy is too permissive. See the AWS Identity and Access Management User Guide for in-depth coverage of AWS permissions.

Elastic Beanstalk Service Role

A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. For example, Elastic Beanstalk uses the service role that you specify when creating an Elastic Beanstalk environment when it calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Auto Scaling APIs to gather information about the health of its AWS resources for enhanced health monitoring.

The AWSElasticBeanstalkEnhancedHealth managed policy contains all of the permissions that Elastic Beanstalk needs to monitor environment health:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeInstanceHealth",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:GetConsoleOutput",
        "ec2:AssociateAddress",
        "ec2:DescribeAddresses",
        "ec2:DescribeSecurityGroups",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeNotificationConfigurations"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

This policy also includes Amazon SQS actions to allow Elastic Beanstalk to monitor queue activity for worker environments.

When you create an environment with the Elastic Beanstalk console, Elastic Beanstalk prompts you to create a service role named aws-elasticbeanstalk-service-role with the default set of permissions and a trust policy that allows Elastic Beanstalk to assume the service role. If you enable managed platform updates, Elastic Beanstalk attaches another policy with permissions that enable that feature.

For more information about service roles, see Managing Elastic Beanstalk Service Roles.

Elastic Beanstalk Instance Profile

An instance profile is an IAM role that is applied to instances launched in your Elastic Beanstalk environment. When creating an Elastic Beanstalk environment, you specify the instance profile that is used when your instances:

  • Write logs to Amazon Simple Storage Service

  • In AWS X-Ray integrated environments, upload debugging data to X-Ray

  • In multicontainer Docker environments, coordinate container deployments with Amazon EC2 Container Service

  • In worker environments, read from an Amazon Simple Queue Service (Amazon SQS) queue

  • In worker environments, perform leader election with Amazon DynamoDB

  • In worker environments, publish instance health metrics to Amazon CloudWatch

The AWSElasticBeanstalkWebTier managed policy contains statements that allow instances in your environment to upload logs to Amazon S3 and send debugging information to X-Ray:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketAccess",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-*",
        "arn:aws:s3:::elasticbeanstalk-*/*"
      ]
    },
    {
      "Sid": "XRayAccess",
      "Action": [
        "xray:PutTraceSegments",
        "xray:PutTelemetryRecords"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogsAccess",
      "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogStream"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
      ]
    }
  ]
}

Elastic Beanstalk also provides managed policies named AWSElasticBeanstalkWorkerTier and AWSElasticBeanstalkMulticontainerDocker for the other use cases. Elastic Beanstalk attaches all of these policies to the default instance profile, aws-elasticbeanstalk-ec2-role, when you create an environment with the console or EB CLI.

If your web application requires access to any other AWS services, add statements or managed policies to the instance profile that allow access to those services.

For more information about instance profiles, see Managing Elastic Beanstalk Instance Profiles.

Elastic Beanstalk User Policy

Create IAM users for each person who uses Elastic Beanstalk to avoid using your root account or sharing credentials. For increased security, only grant these users permission to access services and features that they need.

Elastic Beanstalk requires permissions not only for its own API actions, but for several other AWS services as well. Elastic Beanstalk uses user permissions to launch all of the resources in an environment, including EC2 instances, an Elastic Load Balancing load balancer, and an Auto Scaling group. Elastic Beanstalk also uses user permissions to save logs and templates to Amazon S3, send notifications to Amazon SNS, assign instance profiles, and publish metrics to CloudWatch. Elastic Beanstalk requires AWS CloudFormation permissions to orchestrate resource deployments and updates. It also requires Amazon RDS permissions to create databases when needed, and Amazon SQS permissions to create queues for worker environments.

The following policy allows access to the actions used to create and manage Elastic Beanstalk environments. This policy is available in the IAM console as a managed policy named AWSElasticBeanstalkFullAccess. You can apply the managed policy to an IAM user or group to grant permission to use Elastic Beanstalk, or create your own policy that excludes permissions that are not needed by your users.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:*",
                "ec2:*",
                "ecs:*",
                "ecr:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "cloudwatch:*",
                "s3:*",
                "sns:*",
                "cloudformation:*",
                "dynamodb:*",
                "rds:*",
                "sqs:*",
                "logs:*",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:PassRole",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:ListRoles",
                "iam:ListServerCertificates",
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "codebuild:CreateProject",
                "codebuild:DeleteProject",
                "codebuild:BatchGetBuilds",
                "codebuild:StartBuild"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-elasticbeanstalk*",
                "arn:aws:iam::*:instance-profile/aws-elasticbeanstalk*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PolicyArn": [
                        "arn:aws:iam::aws:policy/AWSElasticBeanstalk*",
                        "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalk*"
                    ]
                }
            }
        }
    ]
}
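
The three IAM statements in this policy are what bound how far a user holding it can reach into IAM: iam:CreateRole and the instance-profile actions are limited to names beginning with aws-elasticbeanstalk, iam:AttachRolePolicy is limited by a StringLike condition on iam:PolicyArn to the AWSElasticBeanstalk managed policies, while iam:PassRole is granted on every role. The following added example is not from this guide or from any AWS SDK; it is a deliberately simplified, Allow-only evaluator for a single identity policy (no Deny, no policy combination), applied to a condensed copy of the statements above so that each grant and each boundary can be checked on realistic requests.

```python
import re

# Condensed form of the AWSElasticBeanstalkFullAccess statements shown above (first
# statement trimmed to the actions used here).
EB_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["elasticbeanstalk:*", "iam:GetRole", "iam:PassRole"]},
        {"Effect": "Allow",
         "Action": ["iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile",
                    "iam:CreateRole"],
         "Resource": ["arn:aws:iam::*:role/aws-elasticbeanstalk*",
                      "arn:aws:iam::*:instance-profile/aws-elasticbeanstalk*"]},
        {"Effect": "Allow", "Action": ["iam:AttachRolePolicy"], "Resource": "*",
         "Condition": {"StringLike": {"iam:PolicyArn": [
             "arn:aws:iam::aws:policy/AWSElasticBeanstalk*",
             "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalk*"]}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ci=False):
    # IAM wildcards: '*' = any run of characters, '?' = one; actions are case-insensitive, ARNs are not.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ci else 0) is not None

def _conditions_hold(condition, context):
    # StringLike only; a request that lacks the context key fails the condition, as in IAM.
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None or not any(_match(p, value) for p in _as_list(patterns)):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Allow-only evaluation: True if any Allow statement matches action, resource and condition."""
    context = context or {}
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and any(_match(p, action, ci=True) for p in _as_list(stmt["Action"]))
                and any(_match(p, resource) for p in _as_list(stmt["Resource"]))
                and _conditions_hold(stmt.get("Condition", {}), context)):
            return True
    return False
```

The same `is_allowed` can be pointed at the AWSElasticBeanstalkWebTier policy above to confirm that its S3 statement reaches only buckets whose names begin with elasticbeanstalk-.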

Elastic Beanstalk also provides a read-only managed policy named AWSElasticBeanstalkReadOnlyAccess. This policy allows a user to view, but not modify or create, Elastic Beanstalk environments.

For more information about user policies, see Controlling Access to Elastic Beanstalk.