Example Policies - AWS OpsWorks

Example Policies

Important

AWS OpsWorks Stacks is no longer accepting new customers. Existing customers will be able to use the OpsWorks console, API, CLI, and CloudFormation resources as normal until May 26, 2024, at which time they will be discontinued. To prepare for this transition, we recommend you transition your stacks to AWS Systems Manager as soon as possible. For more information, see AWS OpsWorks Stacks End of Life FAQs and Migrating your AWS OpsWorks Stacks applications to AWS Systems Manager Application Manager.

This section describes example IAM policies that can be applied to AWS OpsWorks Stacks users.

Administrative Permissions

Use the IAM console, https://console.aws.amazon.com/iam/, to access the AWSOpsWorks_FullAccess policy. Attach this policy to a user to grant them permissions to perform all AWS OpsWorks Stacks actions. The IAM permissions are required, among other things, to allow an administrative user to import users.

You must create an IAM role that allows AWS OpsWorks Stacks to act on your behalf to access other AWS resources, such as Amazon EC2 instances. You typically handle this task by having an administrative user create the first stack and letting AWS OpsWorks Stacks create the role for you. You can then use that role for all subsequent stacks. For more information, see Allowing AWS OpsWorks Stacks to Act on Your Behalf.

The administrative user who creates the first stack must have permissions for some IAM actions that are not included in the AWSOpsWorks_FullAccess policy. Add the following permissions to the Actions section of the policy. For proper JSON syntax, be sure to add commas between actions and remove the trailing comma at the end of the list of actions.

"iam:PutRolePolicy", "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:CreateRole"

Manage Permissions

The Manage permissions level allows a user to perform a variety of stack management actions, including adding or deleting layers. This topic describes several policies that you can apply to Manage users to augment or restrict the standard permissions.

Deny a Manage user the ability to add or delete layers

You can restrict the Manage permissions level to allow a user to perform all Manage actions except adding or deleting layers by using the following IAM policy. Replace region, account_id, and stack_id with values appropriate to your configuration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "opsworks:CreateLayer",
        "opsworks:DeleteLayer"
      ],
      "Resource": "arn:aws:opsworks:region:account_id:stack/stack_id/"
    }
  ]
}

Allow a Manage user to create or clone stacks

The Manage permissions level doesn't allow users to create or clone stacks. You can change the Manage permissions to allow a user to create or clone stacks by applying the following IAM policy. Replace region and account_id with values appropriate to your configuration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRolePolicy",
        "iam:ListRoles",
        "iam:ListInstanceProfiles",
        "iam:ListUsers",
        "opsworks:DescribeUserProfiles",
        "opsworks:CreateUserProfile",
        "opsworks:DeleteUserProfile"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:opsworks::account_id:stack/*/",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "opsworks.amazonaws.com"
        }
      }
    }
  ]
}

Deny a Manage user the ability to register or deregister resources

The Manage permissions level allows the user to register and deregister Amazon EBS and Elastic IP address resources with the stack. You can restrict the Manage permissions to allow the user to perform all Manage actions except registering resources by applying the following policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "opsworks:RegisterVolume",
        "opsworks:RegisterElasticIp"
      ],
      "Resource": "*"
    }
  ]
}

Allow a Manage user to import users

The Manage permissions level doesn't allow users to import users into AWS OpsWorks Stacks. You can augment the Manage permissions to allow a user to import and delete users by applying the following IAM policy. Replace region and account_id with values appropriate to your configuration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRolePolicy",
        "iam:ListRoles",
        "iam:ListInstanceProfiles",
        "iam:ListUsers",
        "iam:PassRole",
        "opsworks:DescribeUserProfiles",
        "opsworks:CreateUserProfile",
        "opsworks:DeleteUserProfile"
      ],
      "Resource": "arn:aws:iam:region:account_id:user/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "opsworks.amazonaws.com"
        }
      }
    }
  ]
}

Deploy Permissions

The Deploy permissions level doesn't allow users to create or delete apps. You can augment the Deploy permissions to allow a user to create and delete apps by applying the following IAM policy. Replace region, account_id, and stack_id with values appropriate to your configuration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "opsworks:CreateApp",
        "opsworks:DeleteApp"
      ],
      "Resource": "arn:aws:opsworks:region:account_id:stack/stack_id/"
    }
  ]
}
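The restriction policies above work because an explicit Deny in IAM always overrides an Allow, and a stack-scoped Deny only bites on the stack whose ARN it names. The following added example (not part of the AWS documentation) is a simplified evaluator that applies the page's "deny layers" and "deny register resources" policies on top of a constructed stand-in for a Manage user's existing allow; the region, account ID, stack ID, and the MANAGE_ALLOW statement are assumptions for illustration, not values from this page.

```python
import fnmatch
import json

# Constructed sample values standing in for the page's region/account_id/stack_id placeholders.
REGION, ACCOUNT_ID, STACK_ID = "us-east-1", "111122223333", "3d9f72d7-a0c0-4a84-9c6d-0123456789ab"
STACK_ARN = f"arn:aws:opsworks:{REGION}:{ACCOUNT_ID}:stack/{STACK_ID}/"
OTHER_STACK_ARN = f"arn:aws:opsworks:{REGION}:{ACCOUNT_ID}:stack/00000000-0000-0000-0000-000000000000/"

# Hypothetical stand-in for the permissions a Manage user already holds on one stack.
MANAGE_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "opsworks:*", "Resource": STACK_ARN}]}

# The page's "deny add or delete layers" policy with the placeholders filled in.
DENY_LAYERS = json.loads(f'''{{ "Version": "2012-10-17", "Statement": [ {{
    "Effect": "Deny", "Action": [ "opsworks:CreateLayer", "opsworks:DeleteLayer" ],
    "Resource": "{STACK_ARN}" }} ] }}''')

# The page's "deny register or deregister resources" policy (Resource "*" applies to every stack).
DENY_REGISTER = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "Action": ["opsworks:RegisterVolume", "opsworks:RegisterElasticIp"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM action and ARN matching is case-insensitive and supports the * and ? wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' using IAM's core rule: a matching explicit Deny wins
    over any Allow, and a request with no matching Allow is implicitly denied."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny: nothing else can override it
            decision = "Allow"         # remember the allow but keep scanning for denies
    return decision

if __name__ == "__main__":
    attached = [MANAGE_ALLOW, DENY_LAYERS, DENY_REGISTER]
    for act in ("opsworks:CreateLayer", "opsworks:DescribeLayers", "opsworks:RegisterVolume"):
        print(f"{act:28} on stack -> {evaluate(attached, act, STACK_ARN)}")
```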