AWS managed policies for Amazon Elastic Container Service
To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
Amazon ECS and Amazon ECR provide several managed policies and trust relationships that you can attach to users, groups, roles, Amazon EC2 instances, and Amazon ECS tasks that allow differing levels of control over resources and API operations. You can apply these policies directly, or you can use them as starting points for creating your own policies. For more information about the Amazon ECR managed policies, see Amazon ECR managed policies.
AmazonECS_FullAccess
You can attach the AmazonECS_FullAccess policy to your IAM
identities.
This policy grants administrative access to Amazon ECS resources and grants an IAM identity (such as a user, group, or role) access to the AWS services that Amazon ECS is integrated with to use all of Amazon ECS features. Using this policy allows access to all of Amazon ECS features that are available in the AWS Management Console.
Permissions details
The AmazonECS_FullAccess managed IAM policy includes the following
permissions. Following the best practice of granting least privilege, you can use
the AmazonECS_FullAccess managed policy as a template for creating you
own custom policy. That way, you can take away or add permissions to and from the
managed policy based on your specific requirements.
-
ecs– Allows principals full access to all Amazon ECS APIs. -
application-autoscaling– Allows principals to create, describe, and manage Application Auto Scaling resources. This is required when enabling service auto scaling for your Amazon ECS services. -
appmesh– Allows principals to list App Mesh service meshes and virtual nodes and describe App Mesh virtual nodes. This is required when integrating your Amazon ECS services with App Mesh. -
autoscaling– Allows principals to create, manage, and describe Amazon EC2 Auto Scaling resources. This is required when managing Amazon EC2 auto scaling groups when using the cluster auto scaling feature. -
cloudformation– Allows principals to create and manage AWS CloudFormation stacks. This is required when creating Amazon ECS clusters using the AWS Management Console and the subsequent managing of those clusters. -
cloudwatch– Allows principals to create, manage, and describe Amazon CloudWatch alarms. -
codedeploy– Allows principals to create and manage application deployments as well as view their configurations, revisions, and deployment targets. -
sns– Allows principals to view a list of Amazon SNS topics. -
lambda– Allows principals to view a list of AWS Lambda functions and their version specific configurations. -
ec2– Allows principals run Amazon EC2 instances as well as create and manage routes, route tables, internet gateways, launch groups, security groups, virtual private clouds, spot fleets, and subnets. -
elasticloadbalancing– Allows principals to create, describe, and delete Elastic Load Balancing load balancers. Principals will also be able to add tags to newly created target groups, listeners, and listener rules for load balancers. -
events– Allows principals to create, manage, and delete Amazon EventBridge rules and their targets. -
iam– Allows principals to list IAM roles and their attached policies. Principals can also list instance profiles available to your Amazon EC2 instances. -
logs– Allows principals to create and describe Amazon CloudWatch Logs log groups. Principals can also list log events for these log groups. -
route53– Allows principals to create, manage, and delete Amazon Route 53 hosted zones. Principals can also view Amazon Route 53 health check configuration and information. For more information about hosted zones, see Working with hosted zones. -
servicediscovery– Allows principals to create, manage, and delete AWS Cloud Map services and create private DNS namespaces.
The following is an example AmazonECS_FullAccess policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "appmesh:DescribeVirtualGateway", "appmesh:DescribeVirtualNode", "appmesh:ListMeshes", "appmesh:ListVirtualGateways", "appmesh:ListVirtualNodes", "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "autoscaling:Describe*", "autoscaling:UpdateAutoScalingGroup", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricAlarm", "codedeploy:BatchGetApplicationRevisions", "codedeploy:BatchGetApplications", "codedeploy:BatchGetDeploymentGroups", "codedeploy:BatchGetDeployments", "codedeploy:ContinueDeployment", "codedeploy:CreateApplication", "codedeploy:CreateDeployment", "codedeploy:CreateDeploymentGroup", "codedeploy:GetApplication", "codedeploy:GetApplicationRevision", "codedeploy:GetDeployment", "codedeploy:GetDeploymentConfig", "codedeploy:GetDeploymentGroup", "codedeploy:GetDeploymentTarget", "codedeploy:ListApplicationRevisions", "codedeploy:ListApplications", "codedeploy:ListDeploymentConfigs", "codedeploy:ListDeploymentGroups", "codedeploy:ListDeployments", "codedeploy:ListDeploymentTargets", "codedeploy:RegisterApplicationRevision", "codedeploy:StopDeployment", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupIngress", "ec2:CancelSpotFleetRequests", "ec2:CreateInternetGateway", "ec2:CreateLaunchTemplate", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateVpc", "ec2:DeleteLaunchTemplate", "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:Describe*", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:RequestSpotFleet", "ec2:RunInstances", "ecs:*", "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetGroups", "events:DeleteRule", "events:DescribeRule", "events:ListRuleNamesByTarget", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "fsx:DescribeFileSystems", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListRoles", "lambda:ListFunctions", "logs:CreateLogGroup", "logs:DescribeLogGroups", "logs:FilterLogEvents", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetHealthCheck", "route53:GetHostedZone", "route53:ListHostedZonesByName", "servicediscovery:CreatePrivateDnsNamespace", "servicediscovery:CreateService", "servicediscovery:DeleteService", "servicediscovery:GetNamespace", "servicediscovery:GetOperation", "servicediscovery:GetService", "servicediscovery:ListNamespaces", "servicediscovery:ListServices", "servicediscovery:UpdateService", "sns:ListTopics" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs*" }, { "Effect": "Allow", "Action": [ "ec2:DeleteInternetGateway", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup" ], "Resource": [ "*" ], "Condition": { "StringLike": { "ec2:ResourceTag/aws:cloudformation:stack-name": "EC2ContainerService-*" } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "*" ], "Condition": { "StringLike": { "iam:PassedToService": "ecs-tasks.amazonaws.com" } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsInstanceRole*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn" ] } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsAutoscaleRole*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "application-autoscaling.amazonaws.com", "application-autoscaling.amazonaws.com.cn" ] } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": [ "autoscaling.amazonaws.com", "ecs.amazonaws.com", "ecs.application-autoscaling.amazonaws.com", "spot.amazonaws.com", "spotfleet.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags" ], "Resource": "*", "Condition": { "StringEquals": { "elasticloadbalancing:CreateAction": [ "CreateTargetGroup", "CreateRule", "CreateListener", "CreateLoadBalancer" ] } } } ] }
AmazonECSTaskExecutionRolePolicy
The AmazonECSTaskExecutionRolePolicy managed IAM policy grants the
permissions that are needed by the Amazon ECS container agent and AWS Fargate container
agents to make AWS API calls on your behalf. This policy can be added to your task
execution IAM role. For more information, see Amazon ECS task execution IAM role.
Permissions details
The AmazonECSTaskExecutionRolePolicy managed IAM policy includes
the following permissions. Following the standard security advice of granting least
privilege, the AmazonECSTaskExecutionRolePolicy managed policy can be
used as a guide. If any of the permissions that are granted in the managed policy
aren't needed for your use case, create a custom policy and add only the
permissions that you require.
-
ecr:GetAuthorizationToken– Allows a principal to retrieve an authorization token. The authorization token represents your IAM authentication credentials and can be used to access any Amazon ECR registry that the IAM principal has access to. The authorization token received is valid for 12 hours. -
ecr:BatchCheckLayerAvailability– When a container image is pushed to an Amazon ECR private repository, each image layer is checked to verify if it's already pushed. If it's pushed, then the image layer is skipped. -
ecr:GetDownloadUrlForLayer– When a container image is pulled from an Amazon ECR private repository, this API is called once for each image layer that's not already cached. -
ecr:BatchGetImage– When a container image is pulled from an Amazon ECR private repository, this API is called once to retrieve the image manifest. -
logs:CreateLogStream– Allows a principal to create a CloudWatch Logs log stream for a specified log group. -
logs:PutLogEvents– Allows a principal to upload a batch of log events to a specified log stream.
The following is an example AmazonECSTaskExecutionRolePolicy
policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] }
AWSApplicationAutoscalingECSServicePolicy
You can't attach AWSApplicationAutoscalingECSServicePolicy to your IAM
entities. This policy is attached to a service-linked role that allows Application Auto Scaling to
perform actions on your behalf. For more information, see Service-linked roles for Application Auto Scaling.
AWSCodeDeployRoleForECS
You can't attach AWSCodeDeployRoleForECS to your IAM entities. This
policy is attached to a service-linked role that allows CodeDeploy to perform actions on your
behalf. For more information, see Create a
service role for CodeDeploy in the AWS CodeDeploy User Guide.
AWSCodeDeployRoleForECSLimited
You can't attach AWSCodeDeployRoleForECSLimited to your IAM entities.
This policy is attached to a service-linked role that allows CodeDeploy to perform actions on
your behalf. For more information, see Create a
service role for CodeDeploy in the AWS CodeDeploy User Guide.
Amazon ECS updates to AWS managed policies
View details about updates to AWS managed policies for Amazon ECS since this service started tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon ECS Document history page.
| Change | Description | Date |
|---|---|---|
|
Add permissions to AmazonEC2ContainerServiceEventsRole |
The AmazonEC2ContainerServiceEventsRole policy was
modified to add the ecs:TagResource permission which allows
a prinicipal in a service to add tags when they call the Amazon ECS RunTask
API. |
March 6, 2023 |
|
Add permissions to AmazonEC2ContainerServiceforEC2Role |
The AmazonEC2ContainerServiceforEC2Role policy was
modified to add the ecs:TagResource permission which
includes a condition which limits the permission only to newly created
clusters and registered container instances. |
March 6, 2023 |
|
Add permissions to AmazonECS_FullAccess |
The AmazonECS_FullAccess policy was modified to add the
elasticloadbalancing:AddTags permission which includes
a condition which limits the permission only to newly created load
balancers, target groups, rules, and listeners created. This permission
doesn't allow tags to be added to any already created Elastic Load Balancing
resources. |
January 4, 2023 |
|
Amazon ECS started tracking changes |
Amazon ECS started tracking changes for its AWS managed policies. |
June 8, 2021 |
