AWS managed policies for Amazon Elastic Container Service - Amazon Elastic Container Service

AWS managed policies for Amazon Elastic Container Service

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

Amazon ECS and Amazon ECR provide several managed policies and trust relationships that you can attach to users, groups, roles, Amazon EC2 instances, and Amazon ECS tasks that allow differing levels of control over resources and API operations. You can apply these policies directly, or you can use them as starting points for creating your own policies. For more information about the Amazon ECR managed policies, see Amazon ECR managed policies.

AmazonECS_FullAccess

You can attach the AmazonECS_FullAccess policy to your IAM identities. This policy grants administrative access to Amazon ECS resources and grants an IAM identity (such as a user, group, or role) access to the AWS services that Amazon ECS is integrated with, so that all Amazon ECS features can be used. Using this policy allows access to all Amazon ECS features that are available in the AWS Management Console.

To view the permissions for this policy, see AmazonECS_FullAccess in the AWS Managed Policy Reference.

AmazonECSInfrastructureRolePolicyForVolumes

You can attach the AmazonECSInfrastructureRolePolicyForVolumes managed policy to your IAM entities.

The policy grants the permissions that are needed by Amazon ECS to make AWS API calls on your behalf. You can attach this policy to the IAM role that you provide with your volume configuration when launching Amazon ECS tasks and services. The role enables Amazon ECS to manage volumes attached to your tasks. For more information, see Amazon ECS infrastructure IAM role.

To view the permissions for this policy, see AmazonECSInfrastructureRolePolicyForVolumes in the AWS Managed Policy Reference.

AmazonEC2ContainerServiceforEC2Role

You can attach the AmazonEC2ContainerServiceforEC2Role policy to your IAM identities. This policy grants administrative permissions that allow Amazon ECS container instances to make calls to AWS on your behalf. For more information, see Amazon ECS container instance IAM role.

Amazon ECS attaches this policy to a service role that allows Amazon ECS to perform actions on your behalf against Amazon EC2 instances or external instances.

To view the permissions for this policy, see AmazonEC2ContainerServiceforEC2Role in the AWS Managed Policy Reference.

Considerations

You should consider the following recommendations and considerations when using the AmazonEC2ContainerServiceforEC2Role managed IAM policy.

  • Following the standard security advice of granting least privilege, you can modify the AmazonEC2ContainerServiceforEC2Role managed policy to fit your specific needs. If any of the permissions granted in the managed policy aren't needed for your use case, create a custom policy and add only the permissions that you require. For example, the UpdateContainerInstancesState permission is provided for Spot Instance draining. If that permission isn't needed for your use case, exclude it using a custom policy.

  • Containers that are running on your container instances have access to all of the permissions that are supplied to the container instance role through instance metadata. We recommend that you limit the permissions in your container instance role to the minimal list of permissions that are provided in the managed AmazonEC2ContainerServiceforEC2Role policy. If the containers in your tasks need extra permissions that aren't listed, we recommend providing those tasks with their own IAM roles. For more information, see Amazon ECS task IAM role.

    You can prevent containers on the docker0 bridge from accessing the permissions supplied to the container instance role, while still allowing the permissions that are provided by the Amazon ECS task IAM role, by running the following iptables command on your container instances. Containers can't query instance metadata with this rule in effect. This command assumes the default Docker bridge configuration and it doesn't work with containers that use the host network mode. For more information, see Network mode.

    sudo yum install -y iptables-services; sudo iptables --insert DOCKER-USER 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP

    You must save this iptables rule on your container instance for it to survive a reboot. For the Amazon ECS-optimized AMI, use the following command. For other operating systems, consult the documentation for that OS.

    • For the Amazon ECS-optimized Amazon Linux 2 AMI:

      sudo iptables-save | sudo tee /etc/sysconfig/iptables && sudo systemctl enable --now iptables
    • For the Amazon ECS-optimized Amazon Linux AMI:

      sudo service iptables save
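The first consideration above recommends deriving a custom policy from the managed one with unneeded permissions (such as ecs:UpdateContainerInstancesState) removed. The following is an added example, not code from the Amazon ECS documentation: it trims named actions out of a policy document while refusing to proceed if a wildcard entry would still cover a dropped action. The policy document below is a constructed sample in the shape of AmazonEC2ContainerServiceforEC2Role, not the managed policy's actual content.

```python
import copy

# Constructed sample in the shape of the AmazonEC2ContainerServiceforEC2Role
# policy (not its real content; fetch that with `aws iam get-policy-version`).
SAMPLE_MANAGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecs:DiscoverPollEndpoint",
            "ecs:Poll",
            "ecs:RegisterContainerInstance",
            "ecs:UpdateContainerInstancesState",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
        ],
        "Resource": "*",
    }],
}

def trim_policy(policy, drop_actions):
    """Copy `policy` without the given actions; Allow statements left empty are dropped."""
    trimmed = copy.deepcopy(policy)
    kept = []
    for stmt in trimmed["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            kept.append(stmt)  # Deny and NotAction statements are left untouched
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        remaining = [a for a in actions if a not in drop_actions]
        # A trailing wildcard such as ecs:* would silently re-grant a dropped action.
        for a in remaining:
            if a.endswith("*") and any(d.startswith(a[:-1]) for d in drop_actions):
                raise ValueError(f"wildcard {a!r} still covers a dropped action")
        if remaining:
            stmt["Action"] = remaining
            kept.append(stmt)
    trimmed["Statement"] = kept
    return trimmed

def allowed_actions(policy):
    """Flatten every Allow action so a trimmed policy can be reviewed or asserted on."""
    out = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            a = stmt.get("Action", [])
            out.update([a] if isinstance(a, str) else a)
    return out
```

Review the output of allowed_actions on the trimmed document before creating it as a customer managed policy and attaching it to the container instance role in place of the managed policy.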

AmazonEC2ContainerServiceEventsRole

You can attach the AmazonEC2ContainerServiceEventsRole policy to your IAM identities. This policy grants permissions that allow Amazon EventBridge (formerly CloudWatch Events) to run tasks on your behalf. This policy can be attached to the IAM role that's specified when you create scheduled tasks. For more information, see Amazon ECS EventBridge IAM Role.

To view the permissions for this policy, see AmazonEC2ContainerServiceEventsRole in the AWS Managed Policy Reference.

AmazonECSTaskExecutionRolePolicy

The AmazonECSTaskExecutionRolePolicy managed IAM policy grants the permissions that are needed by the Amazon ECS container agent and AWS Fargate container agents to make AWS API calls on your behalf. This policy can be added to your task execution IAM role. For more information, see Amazon ECS task execution IAM role.

To view the permissions for this policy, see AmazonECSTaskExecutionRolePolicy in the AWS Managed Policy Reference.

AmazonECSServiceRolePolicy

The AmazonECSServiceRolePolicy managed IAM policy enables Amazon Elastic Container Service to manage your cluster. This policy can be added to your task execution IAM role. For more information, see Amazon ECS task execution IAM role.

To view the permissions for this policy, see AmazonECSServiceRolePolicy in the AWS Managed Policy Reference.

AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity

You can attach the AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity policy to your IAM entities. This policy grants administrative access to AWS Private Certificate Authority, Secrets Manager and other AWS Services required to manage Amazon ECS Service Connect TLS features on your behalf.

To view the permissions for this policy, see AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity in the AWS Managed Policy Reference.

AWSApplicationAutoscalingECSServicePolicy

You can't attach AWSApplicationAutoscalingECSServicePolicy to your IAM entities. This policy is attached to a service-linked role that allows Application Auto Scaling to perform actions on your behalf. For more information, see Service-linked roles for Application Auto Scaling.

To view the permissions for this policy, see AWSApplicationAutoscalingECSServicePolicy in the AWS Managed Policy Reference.

AWSCodeDeployRoleForECS

You can't attach AWSCodeDeployRoleForECS to your IAM entities. This policy is attached to a service-linked role that allows CodeDeploy to perform actions on your behalf. For more information, see Create a service role for CodeDeploy in the AWS CodeDeploy User Guide.

To view the permissions for this policy, see AWSCodeDeployRoleForECS in the AWS Managed Policy Reference.

AWSCodeDeployRoleForECSLimited

You can't attach AWSCodeDeployRoleForECSLimited to your IAM entities. This policy is attached to a service-linked role that allows CodeDeploy to perform actions on your behalf. For more information, see Create a service role for CodeDeploy in the AWS CodeDeploy User Guide.

To view the permissions for this policy, see AWSCodeDeployRoleForECSLimited in the AWS Managed Policy Reference.

AmazonECSInfrastructureRolePolicyForVpcLattice

You can attach the AmazonECSInfrastructureRolePolicyForVpcLattice policy to your IAM entities. This policy provides access to other AWS service resources required to manage the VPC Lattice feature in Amazon ECS workloads on your behalf.

To view the permissions for this policy, see AmazonECSInfrastructureRolePolicyForVpcLattice in the AWS Managed Policy Reference.

Amazon ECS updates to AWS managed policies

View details about updates to AWS managed policies for Amazon ECS since this service started tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon ECS Document history page.

Change: Add new AmazonECSInfrastructureRolePolicyForVpcLattice
Description: Provides access to other AWS service resources required to manage the VPC Lattice feature in Amazon ECS workloads on your behalf.
Date: November 18, 2024

Change: Add permissions to AmazonECSInfrastructureRolePolicyForVolumes
Description: The AmazonECSInfrastructureRolePolicyForVolumes policy has been updated to allow customers to create an Amazon EBS volume from a snapshot.
Date: October 10, 2024

Change: Added permissions to AmazonECS_FullAccess
Description: The AmazonECS_FullAccess policy was updated to add iam:PassRole permissions for a role named ecsInfrastructureRole. This is the default IAM role created by the AWS Management Console that is intended to be used as an ECS infrastructure role that allows Amazon ECS to manage Amazon EBS volumes attached to ECS tasks.
Date: August 13, 2024

Change: Add new AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity policy
Description: Added new AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity policy that provides administrative access to AWS KMS, AWS Private Certificate Authority, and Secrets Manager and enables Amazon ECS Service Connect TLS features to work properly.
Date: January 22, 2024

Change: Add new policy AmazonECSInfrastructureRolePolicyForVolumes
Description: The AmazonECSInfrastructureRolePolicyForVolumes policy was added. The policy grants the permissions that are needed by Amazon ECS to make AWS API calls to manage Amazon EBS volumes associated with Amazon ECS workloads.
Date: January 11, 2024

Change: Add permissions to AmazonECSServiceRolePolicy
Description: The AmazonECSServiceRolePolicy managed IAM policy was updated with new events permissions and additional autoscaling and autoscaling-plans permissions.
Date: December 4, 2023

Change: Add permissions to AmazonEC2ContainerServiceEventsRole
Description: The AmazonECSServiceRolePolicy managed IAM policy was updated to allow access to the AWS Cloud Map DiscoverInstancesRevision API operation.
Date: October 4, 2023

Change: Add permissions to AmazonEC2ContainerServiceforEC2Role
Description: The AmazonEC2ContainerServiceforEC2Role policy was modified to add the ecs:TagResource permission, which includes a condition that limits the permission to newly created clusters and newly registered container instances only.
Date: March 6, 2023

Change: Add permissions to AmazonECS_FullAccess
Description: The AmazonECS_FullAccess policy was modified to add the elasticloadbalancing:AddTags permission, which includes a condition that limits the permission to newly created load balancers, target groups, rules, and listeners only. This permission doesn't allow tags to be added to any already created Elastic Load Balancing resources.
Date: January 4, 2023

Change: Amazon ECS started tracking changes
Description: Amazon ECS started tracking changes for its AWS managed policies.
Date: June 8, 2021