Permissions required for the Amazon ECS console
Following the best practice of granting least privilege, you can use the AmazonECS_FullAccess managed policy as a template for creating your own custom policy. That way, you can remove permissions from, or add permissions to, the managed policy based on your specific requirements. For more information, see AmazonECS_FullAccess in the AWS Managed Policy Reference.
Permissions for creating IAM roles
The following actions require additional permissions in order to complete the operation:
- Registering an external instance - for more information, see Amazon ECS Anywhere IAM role
- Registering a task definition - for more information, see Amazon ECS task execution IAM role
- Creating an EventBridge rule to use for scheduling tasks - for more information, see Amazon ECS EventBridge IAM Role
You can grant these permissions by creating the role in IAM before you use it in the Amazon ECS console. If you do not create the roles, the Amazon ECS console creates them on your behalf.
Permissions required for registering an external instance to a cluster
You need additional permissions when you register an external instance to a cluster and you want to create a new external instance (ecsExternalInstanceRole) role.
The following additional permissions are required:
- iam – Allows principals to create and list IAM roles and their attached policies.
- ssm – Allows principals to register the external instance with Systems Manager.
Note
In order to choose an existing ecsExternalInstanceRole, you must have the iam:GetRole and iam:PassRole permissions.
The following policy contains the required permissions, and limits the actions to the ecsExternalInstanceRole role.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsExternalInstanceRole"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "ssm:CreateActivation"
      ],
      "Resource": "arn:aws:iam::*:role/ecsExternalInstanceRole"
    }
  ]
}
Permissions required for registering a task definition
You need additional permissions when you register a task definition and you want to create a new task execution (ecsTaskExecutionRole) role.
The following additional permissions are required:
- iam – Allows principals to create and list IAM roles and their attached policies.
Note
In order to choose an existing ecsTaskExecutionRole, you must have the iam:GetRole permission.
The following policy contains the required permissions, and limits the actions to the ecsTaskExecutionRole role.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsTaskExecutionRole"
    }
  ]
}
Permissions required for creating an EventBridge rule for scheduled tasks
You need additional permissions when you schedule a task and you want to create a new EventBridge (formerly CloudWatch Events) role (ecsEventsRole).
The following additional permissions are required:
- iam – Allows principals to create and list IAM roles and their attached policies, and to pass the role to Amazon ECS so that other services can assume it.
Note
In order to choose an existing ecsEventsRole, you must have the iam:GetRole and iam:PassRole permissions.
The following policy contains the required permissions, and limits the actions to the ecsEventsRole role. Note that the action name must be written exactly as iam:PassRole, with no whitespace; IAM rejects a policy document that contains a malformed action name.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsEventsRole"
    }
  ]
}
Permissions required for viewing service deployments
When you follow the best practice of granting least privilege, you need to add additional permissions in order to view service deployments in the console.
You need access to the following actions:
- ecs:ListServiceDeployments
- ecs:DescribeServiceDeployments
- ecs:DescribeServiceRevisions
You need access to the following resources:
- Service
- Service deployment
- Service revision
The following example policy contains the required permissions, and limits the actions to a specified service. Replace the Region (us-east-1), account (123456789012), cluster-name, and service-name with your values.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListServiceDeployments",
        "ecs:DescribeServiceDeployments",
        "ecs:DescribeServiceRevisions"
      ],
      "Resource": [
        "arn:aws:ecs:us-east-1:123456789012:service/cluster-name/service-name",
        "arn:aws:ecs:us-east-1:123456789012:service-deployment/cluster-name/service-name/*",
        "arn:aws:ecs:us-east-1:123456789012:service-revision/cluster-name/service-name/*"
      ]
    }
  ]
}
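As an added example (not code from the AWS documentation), the following Python script generates the three role-scoped policies shown in the sections above (ecsExternalInstanceRole, ecsTaskExecutionRole, ecsEventsRole) and the service-scoped deployment policy from this section, and audits any policy document for the two mistakes that most often undo the scoping: an action name that IAM will reject (such as a stray space inside iam:PassRole) and a sensitive IAM action such as iam:PassRole or iam:CreateRole granted on a wildcard resource. The role names are the ones from this page; the Region, account, cluster and service values are placeholders, and the SENSITIVE_IAM_ACTIONS set and the audit rules are this example's own choices rather than an AWS rule.

```python
"""Build and audit the role-scoped IAM policies that the Amazon ECS console needs.

Added example, not code from the AWS documentation. The role names match the
ones on this page; Region, account, cluster and service values are placeholders.
"""
import json
import re
from typing import Dict, List

# Console actions per role, as listed on this page. Each inner list becomes one
# statement so that the generated documents mirror the page's policies.
ROLE_ACTIONS: Dict[str, List[List[str]]] = {
    "ecsExternalInstanceRole": [
        ["iam:AttachRolePolicy", "iam:CreateRole", "iam:CreateInstanceProfile",
         "iam:AddRoleToInstanceProfile", "iam:ListInstanceProfilesForRole",
         "iam:GetRole"],
        ["iam:PassRole", "ssm:CreateActivation"],
    ],
    "ecsTaskExecutionRole": [
        ["iam:AttachRolePolicy", "iam:CreateRole", "iam:GetRole"],
    ],
    "ecsEventsRole": [
        ["iam:AttachRolePolicy", "iam:CreateRole", "iam:GetRole", "iam:PassRole"],
    ],
}

# Valid shape of an IAM action string: "<service>:<Action>" with no whitespace.
ACTION_RE = re.compile(r"^[A-Za-z0-9-]+:[A-Za-z0-9*]+$")

# IAM actions that let a principal create or hand out privilege. This set is the
# example's own choice; these must not be allowed on a wildcard resource.
SENSITIVE_IAM_ACTIONS = {"iam:passrole", "iam:createrole", "iam:attachrolepolicy", "iam:*"}


def build_role_policy(role_name: str) -> dict:
    """Return a policy whose statements are all scoped to arn:aws:iam::*:role/<role_name>."""
    resource = f"arn:aws:iam::*:role/{role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": actions, "Resource": resource}
            for actions in ROLE_ACTIONS[role_name]
        ],
    }


def build_service_deployment_policy(region: str, account: str, cluster: str, service: str) -> dict:
    """Return the read-only service deployment policy scoped to a single service."""
    prefix = f"arn:aws:ecs:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ecs:ListServiceDeployments", "ecs:DescribeServiceDeployments",
                       "ecs:DescribeServiceRevisions"],
            "Resource": [
                f"{prefix}:service/{cluster}/{service}",
                f"{prefix}:service-deployment/{cluster}/{service}/*",
                f"{prefix}:service-revision/{cluster}/{service}/*",
            ],
        }],
    }


def _as_list(value) -> List[str]:
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy: dict) -> List[str]:
    """Return findings: malformed action names and sensitive IAM actions on wildcard resources."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            if not ACTION_RE.match(action):
                # e.g. "iam: PassRole": IAM rejects it when the policy is put, but a
                # linter should catch it before the document is committed.
                findings.append(f"statement {i}: malformed action {action!r}")
                continue
            if action.lower() in SENSITIVE_IAM_ACTIONS:
                for res in resources:
                    # "*" or a trailing wildcard segment covers roles you did not intend.
                    if res == "*" or res.endswith("/*") or res.endswith(":*"):
                        findings.append(f"statement {i}: {action} allowed on wildcard resource {res}")
    return findings


if __name__ == "__main__":
    for name in ROLE_ACTIONS:
        print(name, "findings:", audit_policy(build_role_policy(name)))
    # Placeholder Region, account, cluster and service values.
    print(json.dumps(build_service_deployment_policy(
        "us-east-1", "123456789012", "cluster-name", "service-name"), indent=2))
```

The wildcard check matters most for iam:PassRole: allowed on Resource "*", it lets a console user attach any role in the account, including administrative ones, to a task, an external instance, or a scheduled rule. Scoping it to the named role ARN, as the policies on this page do, is what closes that escalation path.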