AWS managed policies for Amazon Elastic Container Service
To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
Amazon ECS and Amazon ECR provide several managed policies and trust relationships that you can attach to users, groups, roles, Amazon EC2 instances, and Amazon ECS tasks that allow differing levels of control over resources and API operations. You can apply these policies directly, or you can use them as starting points for creating your own policies. For more information about the Amazon ECR managed policies, see Amazon ECR managed policies.
AmazonECS_FullAccess
You can attach the AmazonECS_FullAccess policy to your IAM identities.
This policy grants administrative access to Amazon ECS resources and grants an IAM identity (such as a user, group, or role) access to the AWS services that Amazon ECS is integrated with, so that all Amazon ECS features can be used. Using this policy allows access to all Amazon ECS features that are available in the AWS Management Console.
Permissions details
The AmazonECS_FullAccess managed IAM policy includes the following permissions. Following the best practice of granting least privilege, you can use the AmazonECS_FullAccess managed policy as a template for creating your own custom policy. That way, you can remove permissions from or add permissions to the managed policy based on your specific requirements.
- ecs – Allows principals full access to all Amazon ECS API operations.
- application-autoscaling – Allows principals to create, describe, and manage Application Auto Scaling resources. This is required when enabling service auto scaling for your Amazon ECS services.
- appmesh – Allows principals to list App Mesh service meshes and virtual nodes and describe App Mesh virtual nodes. This is required when integrating your Amazon ECS services with App Mesh.
- autoscaling – Allows principals to create, manage, and describe Amazon EC2 Auto Scaling resources. This is required when managing Amazon EC2 Auto Scaling groups when using the cluster auto scaling feature.
- cloudformation – Allows principals to create and manage AWS CloudFormation stacks. This is required when creating Amazon ECS clusters using the AWS Management Console and the subsequent managing of those clusters.
- cloudwatch – Allows principals to create, manage, and describe Amazon CloudWatch alarms.
- codedeploy – Allows principals to create and manage application deployments and view their configurations, revisions, and deployment targets.
- sns – Allows principals to view a list of Amazon SNS topics.
- lambda – Allows principals to view a list of AWS Lambda functions and their version specific configurations.
- ec2 – Allows principals to run Amazon EC2 instances and create and manage routes, route tables, internet gateways, launch groups, security groups, virtual private clouds, Spot Fleets, and subnets.
- elasticloadbalancing – Allows principals to create, describe, and delete Elastic Load Balancing load balancers. Principals will also be able to add tags to newly created target groups, listeners, and listener rules for load balancers.
- events – Allows principals to create, manage, and delete Amazon EventBridge rules and their targets.
- iam – Allows principals to list IAM roles and their attached policies. Principals can pass roles to Amazon ECS for delegating management of Amazon EBS volumes attached to ECS tasks. Principals can also list instance profiles available to your Amazon EC2 instances.
- logs – Allows principals to create and describe Amazon CloudWatch Logs log groups. Principals can also list log events for these log groups.
- route53 – Allows principals to create, manage, and delete Amazon Route 53 hosted zones. Principals can also view Amazon Route 53 health check configuration and information. For more information about hosted zones, see Working with hosted zones.
- servicediscovery – Allows principals to create, manage, and delete AWS Cloud Map services and create private DNS namespaces.
The following is an example AmazonECS_FullAccess policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ECSIntegrationsManagementPolicy", "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "appmesh:DescribeVirtualGateway", "appmesh:DescribeVirtualNode", "appmesh:ListMeshes", "appmesh:ListVirtualGateways", "appmesh:ListVirtualNodes", "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "autoscaling:Describe*", "autoscaling:UpdateAutoScalingGroup", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricAlarm", "codedeploy:BatchGetApplicationRevisions", "codedeploy:BatchGetApplications", "codedeploy:BatchGetDeploymentGroups", "codedeploy:BatchGetDeployments", "codedeploy:ContinueDeployment", "codedeploy:CreateApplication", "codedeploy:CreateDeployment", "codedeploy:CreateDeploymentGroup", "codedeploy:GetApplication", "codedeploy:GetApplicationRevision", "codedeploy:GetDeployment", "codedeploy:GetDeploymentConfig", "codedeploy:GetDeploymentGroup", "codedeploy:GetDeploymentTarget", "codedeploy:ListApplicationRevisions", "codedeploy:ListApplications", "codedeploy:ListDeploymentConfigs", "codedeploy:ListDeploymentGroups", "codedeploy:ListDeployments", "codedeploy:ListDeploymentTargets", "codedeploy:RegisterApplicationRevision", "codedeploy:StopDeployment", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupIngress", "ec2:CancelSpotFleetRequests", "ec2:CreateInternetGateway", 
"ec2:CreateLaunchTemplate", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateVpc", "ec2:DeleteLaunchTemplate", "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:Describe*", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:RequestSpotFleet", "ec2:RunInstances", "ecs:*", "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetGroups", "events:DeleteRule", "events:DescribeRule", "events:ListRuleNamesByTarget", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "fsx:DescribeFileSystems", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListRoles", "lambda:ListFunctions", "logs:CreateLogGroup", "logs:DescribeLogGroups", "logs:FilterLogEvents", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetHealthCheck", "route53:GetHostedZone", "route53:ListHostedZonesByName", "servicediscovery:CreatePrivateDnsNamespace", "servicediscovery:CreateService", "servicediscovery:DeleteService", "servicediscovery:GetNamespace", "servicediscovery:GetOperation", "servicediscovery:GetService", "servicediscovery:ListNamespaces", "servicediscovery:ListServices", "servicediscovery:UpdateService", "sns:ListTopics" ], "Resource": [ "*" ] }, { "Sid": "SSMPolicy", "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs*" 
}, { "Sid": "ManagedCloudformationResourcesCleanupPolicy", "Effect": "Allow", "Action": [ "ec2:DeleteInternetGateway", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup" ], "Resource": [ "*" ], "Condition": { "StringLike": { "ec2:ResourceTag/aws:cloudformation:stack-name": "EC2ContainerService-*" } } }, { "Sid": "TasksPassRolePolicy", "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "*" ], "Condition": { "StringLike": { "iam:PassedToService": "ecs-tasks.amazonaws.com" } } }, { "Sid": "InfrastructurePassRolePolicy", "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsInfrastructureRole" ], "Condition": { "StringEquals": { "iam:PassedToService": "ecs.amazonaws.com" } } }, { "Sid": "InstancePassRolePolicy", "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsInstanceRole*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn" ] } } }, { "Sid": "AutoScalingPassRolePolicy", "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsAutoscaleRole*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "application-autoscaling.amazonaws.com", "application-autoscaling.amazonaws.com.cn" ] } } }, { "Sid": "ServiceLinkedRoleCreationPolicy", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": [ "ecs.amazonaws.com", "autoscaling.amazonaws.com", "ecs.application-autoscaling.amazonaws.com", "spot.amazonaws.com", "spotfleet.amazonaws.com" ] } } }, { "Sid": "ELBTaggingPolicy", "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags" ], "Resource": "*", "Condition": { "StringEquals": { "elasticloadbalancing:CreateAction": [ "CreateTargetGroup", "CreateRule", "CreateListener", "CreateLoadBalancer" ] } } } ] }
AmazonECSInfrastructureRolePolicyForVolumes
The AmazonECSInfrastructureRolePolicyForVolumes managed IAM policy grants the permissions that are needed by Amazon ECS to make AWS API calls on your behalf. You can attach this policy to the IAM role that you provide with your volume configuration when launching Amazon ECS tasks and services. The role enables Amazon ECS to manage volumes attached to your tasks. For more information, see Amazon ECS infrastructure IAM role.
Permissions details
The AmazonECSInfrastructureRolePolicyForVolumes managed IAM policy includes the following permissions. Following the standard security advice of granting least privilege, you can use the AmazonECSInfrastructureRolePolicyForVolumes managed policy as a template for creating your own custom policy that includes only the permissions that you require.
- ec2:CreateVolume – Allows a principal to create an Amazon EBS volume from a snapshot.
- ec2:CreateVolume – Allows a principal to create an Amazon EBS volume if and only if it is tagged with the AmazonECSCreated and AmazonECSManaged tags. This permission is required to create Amazon EBS volumes that are attached to Amazon ECS tasks and minimizes the permissions provided to Amazon ECS by this policy.
- ec2:CreateTags – Allows a principal to add tags to an Amazon EBS volume as part of ec2:CreateVolume. This permission is required by Amazon ECS to add customer-specified tags to Amazon EBS volumes created on your behalf.
- ec2:AttachVolume – Allows a principal to attach an Amazon EBS volume to an Amazon EC2 instance. This permission is required by Amazon ECS to attach Amazon EBS volumes to the Amazon EC2 instance hosting the associated Amazon ECS task.
- ec2:DescribeVolumes – Allows a principal to retrieve information about Amazon EBS volumes. This permission is required to manage the lifecycle of Amazon EBS volumes.
- ec2:DescribeAvailabilityZones – Allows a principal to retrieve information about Availability Zones in your account. This is required to manage the lifecycle of Amazon EBS volumes.
- ec2:DetachVolume – Allows a principal to detach an Amazon EBS volume from an Amazon EC2 instance. This permission is required by Amazon ECS to detach the Amazon EBS volume from the Amazon EC2 instance that's hosting the associated Amazon ECS task when the task terminates.
- ec2:DeleteVolume – Allows a principal to delete an Amazon EBS volume. This permission is required by Amazon ECS to delete Amazon EBS volumes that are no longer used by the Amazon ECS task.
- ec2:DeleteTags – Allows a principal to delete the AmazonECSManaged tag from an Amazon EBS volume. This permission is required by Amazon ECS to remove access to an Amazon EBS volume after it is no longer associated with an Amazon ECS workload. This is only applicable when an Amazon EBS volume is not deleted after task shutdown.
The following is an example AmazonECSInfrastructureRolePolicyForVolumes policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateEBSManagedVolume", "Effect": "Allow", "Action": "ec2:CreateVolume", "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "ArnLike": { "aws:RequestTag/AmazonECSCreated": "arn:aws:ecs:*:*:task/*" }, "StringEquals": { "aws:RequestTag/AmazonECSManaged": "true" } } }, { "Sid": "CreateEBSManagedVolumeFromSnapshot", "Effect": "Allow", "Action": "ec2:CreateVolume", "Resource": "arn:aws:ec2:*:*:snapshot/*" }, { "Sid": "TagOnCreateVolume", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "ArnLike": { "aws:RequestTag/AmazonECSCreated": "arn:aws:ecs:*:*:task/*" }, "StringEquals": { "ec2:CreateAction": "CreateVolume", "aws:RequestTag/AmazonECSManaged": "true" } } }, { "Sid": "DescribeVolumesForLifecycle", "Effect": "Allow", "Action": [ "ec2:DescribeVolumes", "ec2:DescribeAvailabilityZones" ], "Resource": "*" }, { "Sid": "ManageEBSVolumeLifecycle", "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonECSManaged": "true" } } }, { "Sid": "ManageVolumeAttachmentsForEC2", "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:instance/*" }, { "Sid": "DeleteEBSManagedVolume", "Effect": "Allow", "Action": "ec2:DeleteVolume", "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "ArnLike": { "aws:ResourceTag/AmazonECSCreated": "arn:aws:ecs:*:*:task/*" }, "StringEquals": { "aws:ResourceTag/AmazonECSManaged": "true" } } } ] }
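Added example, not from the AWS documentation: a small Python evaluator for the StringEquals, StringLike and ArnLike condition operators, run against the iam:PassRole statements of the AmazonECS_FullAccess example and the create and delete statements of the volumes policy above, to show exactly which requests those conditions admit. The account ID, region, cluster, task and volume IDs are constructed, and a real request context carries many more keys than the ones checked here.

```python
"""Evaluator for the StringEquals, StringLike and ArnLike condition operators,
run against statements copied from the policies above. Account ID, region,
cluster, task and volume IDs are constructed."""
from fnmatch import fnmatchcase

def _string_like(pattern: str, value: str) -> bool:
    """StringLike: case-sensitive match where * and ? are wildcards."""
    return fnmatchcase(value, pattern)

def _arn_like(pattern: str, value: str) -> bool:
    """ArnLike: the six colon-separated ARN fields are matched one by one,
    so a * in one field never spills over into the next."""
    if pattern == "*":
        return True
    pat, val = pattern.split(":", 5), value.split(":", 5)
    return len(pat) == len(val) and all(fnmatchcase(v, p) for p, v in zip(pat, val))

OPERATORS = {"StringEquals": lambda p, v: p == v, "StringLike": _string_like, "ArnLike": _arn_like}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _condition_holds(condition: dict, context: dict) -> bool:
    """Every operator/key pair must hold (any listed value may satisfy a key);
    a key that is absent from the request context makes the condition false."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            if key not in context:
                return False
            if not any(OPERATORS[operator](p, context[key]) for p in _as_list(patterns)):
                return False
    return True

def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """One identity policy: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_string_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_arn_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Two of the iam:PassRole statements from the AmazonECS_FullAccess example.
PASSROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TasksPassRolePolicy", "Action": "iam:PassRole", "Effect": "Allow", "Resource": ["*"],
     "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    {"Sid": "InfrastructurePassRolePolicy", "Action": "iam:PassRole", "Effect": "Allow",
     "Resource": ["arn:aws:iam::*:role/ecsInfrastructureRole"],
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs.amazonaws.com"}}}]}

# The create and delete statements from AmazonECSInfrastructureRolePolicyForVolumes.
VOLUMES = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CreateEBSManagedVolume", "Effect": "Allow", "Action": "ec2:CreateVolume",
     "Resource": "arn:aws:ec2:*:*:volume/*",
     "Condition": {"ArnLike": {"aws:RequestTag/AmazonECSCreated": "arn:aws:ecs:*:*:task/*"},
                   "StringEquals": {"aws:RequestTag/AmazonECSManaged": "true"}}},
    {"Sid": "DeleteEBSManagedVolume", "Effect": "Allow", "Action": "ec2:DeleteVolume",
     "Resource": "arn:aws:ec2:*:*:volume/*",
     "Condition": {"ArnLike": {"aws:ResourceTag/AmazonECSCreated": "arn:aws:ecs:*:*:task/*"},
                   "StringEquals": {"aws:ResourceTag/AmazonECSManaged": "true"}}}]}

ACCOUNT = "123456789012"  # constructed
TASK_ARN = f"arn:aws:ecs:us-east-1:{ACCOUNT}:task/prod/0123abcd"  # constructed
NEW_VOLUME = f"arn:aws:ec2:us-east-1:{ACCOUNT}:volume/*"  # CreateVolume has no volume ID yet
OLD_VOLUME = f"arn:aws:ec2:us-east-1:{ACCOUNT}:volume/vol-0a1b2c3d"  # constructed

def decisions() -> dict:
    """Decisions for constructed requests, keyed by what each request probes."""
    admin_role = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"
    infra_role = f"arn:aws:iam::{ACCOUNT}:role/ecsInfrastructureRole"
    ecs_tags = {"aws:RequestTag/AmazonECSCreated": TASK_ARN, "aws:RequestTag/AmazonECSManaged": "true"}
    wrong_tags = {**ecs_tags, "aws:RequestTag/AmazonECSCreated": f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-1"}

    def pass_to(role, service):
        return is_allowed(PASSROLE, "iam:PassRole", role, {"iam:PassedToService": service})

    return {
        # Resource "*" plus iam:PassedToService: any role can be passed, but only to ECS tasks.
        "any_role_to_ecs_tasks": pass_to(admin_role, "ecs-tasks.amazonaws.com"),
        "any_role_to_lambda": pass_to(admin_role, "lambda.amazonaws.com"),
        # The ecs.amazonaws.com statement is scoped to one role name instead.
        "infra_role_to_ecs": pass_to(infra_role, "ecs.amazonaws.com"),
        "admin_role_to_ecs": pass_to(admin_role, "ecs.amazonaws.com"),
        # Request tags tie a new EBS volume to an ECS task ARN; resource tags gate deletion.
        "create_volume_tagged": is_allowed(VOLUMES, "ec2:CreateVolume", NEW_VOLUME, ecs_tags),
        "create_volume_untagged": is_allowed(VOLUMES, "ec2:CreateVolume", NEW_VOLUME, {}),
        "create_volume_non_task_arn": is_allowed(VOLUMES, "ec2:CreateVolume", NEW_VOLUME, wrong_tags),
        "delete_unmanaged_volume": is_allowed(VOLUMES, "ec2:DeleteVolume", OLD_VOLUME, {}),
    }
```

The per-field ArnLike matching is the detail worth noticing: an EC2 instance ARN in the AmazonECSCreated tag does not satisfy the task-ARN pattern, so only a caller naming an ECS task can create a volume under this policy.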
AmazonEC2ContainerServiceforEC2Role
Amazon ECS attaches this policy to a service role that allows Amazon ECS to perform actions on your behalf against Amazon EC2 instances or external instances.
This policy grants administrative permissions that allow Amazon ECS container instances to make calls to AWS on your behalf. For more information, see Amazon ECS container instance IAM role.
Considerations
You should consider the following recommendations and considerations when using the AmazonEC2ContainerServiceforEC2Role managed IAM policy.
- Following the standard security advice of granting least privilege, you can modify the AmazonEC2ContainerServiceforEC2Role managed policy to fit your specific needs. If any of the permissions granted in the managed policy aren't needed for your use case, create a custom policy and add only the permissions that you require. For example, the UpdateContainerInstancesState permission is provided for Spot Instance draining. If that permission isn't needed for your use case, exclude it using a custom policy. For more information, see Permissions details.
- Containers that are running on your container instances have access to all of the permissions that are supplied to the container instance role through instance metadata. We recommend that you limit the permissions in your container instance role to the minimal list of permissions that are provided in the managed AmazonEC2ContainerServiceforEC2Role policy. If the containers in your tasks need extra permissions that aren't listed, we recommend providing those tasks with their own IAM roles. For more information, see Amazon ECS task IAM role.
  You can prevent containers on the docker0 bridge from accessing the permissions supplied to the container instance role, while still allowing the permissions that are provided by the Amazon ECS task IAM role, by running the following iptables command on your container instances. Containers can't query instance metadata with this rule in effect. This command assumes the default Docker bridge configuration and doesn't work with containers that use the host network mode. For more information, see Network mode.
  sudo yum install -y iptables-services; sudo iptables --insert DOCKER-USER 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP
  You must save this iptables rule on your container instance for it to survive a reboot. For the Amazon ECS-optimized AMI, use the following command. For other operating systems, consult the documentation for that OS.
  - For the Amazon ECS-optimized Amazon Linux 2 AMI:
    sudo iptables-save | sudo tee /etc/sysconfig/iptables && sudo systemctl enable --now iptables
  - For the Amazon ECS-optimized Amazon Linux AMI:
    sudo service iptables save
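Added example, not from the AWS documentation: a Python check that reads `iptables -S DOCKER-USER` output and reports whether the metadata-blocking rule above is present and positioned so it takes effect, since a drop rule appended behind the chain's default RETURN never sees the traffic. The listings embedded below are constructed; rules using `!` negation are not interpreted, and containers in host network mode are outside this rule's scope, as the text notes.

```python
"""Check an `iptables -S DOCKER-USER` listing for the rule that blocks container
traffic to the instance metadata service, and whether its position lets it take
effect. Listings embedded below are constructed; '!' negated matches are not
interpreted."""
import ipaddress
import subprocess

IMDS_IP = ipaddress.ip_address("169.254.169.254")

def parse_rule(line: str) -> dict:
    """Map one '-A CHAIN ...' line to {option: value}; bare flags map to True."""
    tokens = line.split()
    opts, i = {}, 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def _covers_imds(opts: dict) -> bool:
    """Could this rule match a packet leaving a Docker bridge for the IMDS address?"""
    iface = opts.get("-i")
    net = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
    return (iface is None or iface.startswith("docker")) and IMDS_IP in net

def effective_imds_drop_position(listing: str, chain: str = "DOCKER-USER") -> int:
    """1-based position of the first rule that drops all docker+ -> IMDS traffic.
    Returns 0 when the chain lets that traffic through first: no such rule, a DROP
    that covers only one bridge (for example -i docker0), or an ACCEPT/RETURN ahead
    of it, which is what you get by appending (-A) instead of inserting at 1."""
    position = 0
    for line in listing.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        position += 1
        opts = parse_rule(line)
        if not _covers_imds(opts):
            continue
        if opts.get("-j") == "DROP" and opts.get("-i", "docker+") == "docker+":
            return position
        if opts.get("-j") in ("ACCEPT", "RETURN"):
            return 0
    return 0

def live_chain(chain: str = "DOCKER-USER") -> str:
    """Read the chain from the running kernel (needs root); not used by the samples."""
    return subprocess.run(["iptables", "-S", chain], capture_output=True, text=True, check=True).stdout

# Constructed listings in the shape `iptables -S DOCKER-USER` prints.
INSERTED_AT_1 = """\
-N DOCKER-USER
-A DOCKER-USER -d 169.254.169.254/32 -i docker+ -j DROP
-A DOCKER-USER -j RETURN
"""
APPENDED_AFTER_RETURN = """\
-N DOCKER-USER
-A DOCKER-USER -j RETURN
-A DOCKER-USER -d 169.254.169.254/32 -i docker+ -j DROP
"""
DOCKER0_ONLY = """\
-N DOCKER-USER
-A DOCKER-USER -d 169.254.169.254/32 -i docker0 -j DROP
-A DOCKER-USER -j RETURN
"""

if __name__ == "__main__":
    for name, listing in [("inserted at 1", INSERTED_AT_1), ("appended", APPENDED_AFTER_RETURN),
                          ("docker0 only", DOCKER0_ONLY)]:
        print(f"{name}: effective drop at position {effective_imds_drop_position(listing)}")
```

Run `effective_imds_drop_position(live_chain())` as root on a container instance after the reboot that the persistence step above is meant to survive; anything other than 1 means the rule did not come back in front of the chain's RETURN.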
Permissions details
The AmazonEC2ContainerServiceforEC2Role managed IAM policy includes the following permissions. Following the standard security advice of granting least privilege, the AmazonEC2ContainerServiceforEC2Role managed policy can be used as a guide. If you don't need any of the permissions that are granted in the managed policy for your use case, create a custom policy and add only the permissions that you need.
- ec2:DescribeTags – Allows a principal to describe the tags that are associated with an Amazon EC2 instance. This permission is used by the Amazon ECS container agent to support resource tag propagation. For more information, see How resources are tagged.
- ecs:CreateCluster – Allows a principal to create an Amazon ECS cluster. This permission is used by the Amazon ECS container agent to create a default cluster, if one doesn't already exist.
- ecs:DeregisterContainerInstance – Allows a principal to deregister an Amazon ECS container instance from a cluster. The Amazon ECS container agent doesn't call this API operation, but this permission remains to help ensure backwards compatibility.
- ecs:DiscoverPollEndpoint – This action returns endpoints that the Amazon ECS container agent uses to poll for updates.
- ecs:Poll – Allows the Amazon ECS container agent to communicate with the Amazon ECS control plane to report task state changes.
- ecs:RegisterContainerInstance – Allows a principal to register a container instance with a cluster. This permission is used by the Amazon ECS container agent to register the Amazon EC2 instance with a cluster and to support resource tag propagation.
- ecs:StartTelemetrySession – Allows the Amazon ECS container agent to communicate with the Amazon ECS control plane to report health information and metrics for each container and task.
- ecs:TagResource – Allows the Amazon ECS container agent to tag a cluster on creation and to tag container instances when they are registered to a cluster.
- ecs:UpdateContainerInstancesState – Allows a principal to modify the status of an Amazon ECS container instance. This permission is used by the Amazon ECS container agent for Spot Instance draining.
- ecs:Submit* – This includes the SubmitAttachmentStateChanges, SubmitContainerStateChange, and SubmitTaskStateChange API actions. They're used by the Amazon ECS container agent to report state changes for each resource to the Amazon ECS control plane. The SubmitContainerStateChange permission is no longer used by the Amazon ECS container agent but remains to help ensure backwards compatibility.
- ecr:GetAuthorizationToken – Allows a principal to retrieve an authorization token. The authorization token represents your IAM authentication credentials and can be used to access any Amazon ECR registry that the IAM principal has access to. The authorization token received is valid for 12 hours.
- ecr:BatchCheckLayerAvailability – When a container image is pushed to an Amazon ECR private repository, each image layer is checked to verify if it's already pushed. If it is, then the image layer is skipped.
- ecr:GetDownloadUrlForLayer – When a container image is pulled from an Amazon ECR private repository, this API is called once for each image layer that's not already cached.
- ecr:BatchGetImage – When a container image is pulled from an Amazon ECR private repository, this API is called once to retrieve the image manifest.
- logs:CreateLogStream – Allows a principal to create a CloudWatch Logs log stream for a specified log group.
- logs:PutLogEvents – Allows a principal to upload a batch of log events to a specified log stream.
The following is an example AmazonEC2ContainerServiceforEC2Role policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeTags", "ecs:CreateCluster", "ecs:DeregisterContainerInstance", "ecs:DiscoverPollEndpoint", "ecs:Poll", "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession", "ecs:UpdateContainerInstancesState", "ecs:Submit*", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:TagResource", "Resource": "*", "Condition": { "StringEquals": { "ecs:CreateAction": [ "CreateCluster", "RegisterContainerInstance" ] } } } ] }
AmazonEC2ContainerServiceEventsRole
This policy grants permissions that allow Amazon EventBridge (formerly CloudWatch Events) to run tasks on your behalf. This policy can be attached to the IAM role that's specified when you create scheduled tasks. For more information, see Amazon ECS EventBridge IAM Role.
Permissions details
This policy includes the following permissions.
- ecs – Allows a principal in a service to call the Amazon ECS RunTask API. Allows a principal in a service to add tags (TagResource) when they call the Amazon ECS RunTask API.
- iam – Allows passing any IAM service role to any Amazon ECS tasks.
The following is an example AmazonEC2ContainerServiceEventsRole policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["ecs:RunTask"], "Resource": ["*"] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": ["*"], "Condition": { "StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"} } }, { "Effect": "Allow", "Action": "ecs:TagResource", "Resource": "*", "Condition": { "StringEquals": { "ecs:CreateAction": ["RunTask"] } } } ] }
AmazonECSTaskExecutionRolePolicy
The AmazonECSTaskExecutionRolePolicy managed IAM policy grants the permissions that are needed by the Amazon ECS container agent and AWS Fargate container agents to make AWS API calls on your behalf. This policy can be added to your task execution IAM role. For more information, see Amazon ECS task execution IAM role.
Permissions details
The AmazonECSTaskExecutionRolePolicy managed IAM policy includes the following permissions. Following the standard security advice of granting least privilege, the AmazonECSTaskExecutionRolePolicy managed policy can be used as a guide. If any of the permissions that are granted in the managed policy aren't needed for your use case, create a custom policy and add only the permissions that you require.
- ecr:GetAuthorizationToken – Allows a principal to retrieve an authorization token. The authorization token represents your IAM authentication credentials and can be used to access any Amazon ECR registry that the IAM principal has access to. The authorization token received is valid for 12 hours.
- ecr:BatchCheckLayerAvailability – When a container image is pushed to an Amazon ECR private repository, each image layer is checked to verify if it's already pushed. If it's pushed, then the image layer is skipped.
- ecr:GetDownloadUrlForLayer – When a container image is pulled from an Amazon ECR private repository, this API is called once for each image layer that's not already cached.
- ecr:BatchGetImage – When a container image is pulled from an Amazon ECR private repository, this API is called once to retrieve the image manifest.
- logs:CreateLogStream – Allows a principal to create a CloudWatch Logs log stream for a specified log group.
- logs:PutLogEvents – Allows a principal to upload a batch of log events to a specified log stream.
The following is an example AmazonECSTaskExecutionRolePolicy policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] }
AmazonECSServiceRolePolicy
The AmazonECSServiceRolePolicy managed IAM policy enables Amazon Elastic Container Service to manage your cluster. This policy can be added to your task execution IAM role. For more information, see Amazon ECS task execution IAM role.
Permissions details
The AmazonECSServiceRolePolicy managed IAM policy includes the following permissions. Following the standard security advice of granting least privilege, the AmazonECSServiceRolePolicy managed policy can be used as a guide. If any of the permissions that are granted in the managed policy aren't needed for your use case, create a custom policy and add only the permissions that you require.
- autoscaling – Allows principals to create, manage, and describe Amazon EC2 Auto Scaling resources. This is required when managing Amazon EC2 Auto Scaling groups when using the cluster auto scaling feature.
- autoscaling-plans – Allows principals to create, delete, and describe autoscaling plans.
- cloudwatch – Allows principals to create, manage, and describe Amazon CloudWatch alarms.
- ec2 – Allows principals to run Amazon EC2 instances and create and manage network interfaces and tags.
- elasticloadbalancing – Allows principals to create, describe, and delete Elastic Load Balancing load balancers. Principals will also be able to add and describe target groups.
- logs – Allows principals to create and describe Amazon CloudWatch Logs log groups. Principals can also list log events for these log groups.
- route53 – Allows principals to create, manage, and delete Amazon Route 53 hosted zones. Principals can also view Amazon Route 53 health check configuration and information. For more information about hosted zones, see Working with hosted zones.
- servicediscovery – Allows principals to create, manage, and delete AWS Cloud Map services and create private DNS namespaces.
- events – Allows principals to create, manage, and delete Amazon EventBridge rules and their targets.
The following is an example AmazonECSServiceRolePolicy policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ECSTaskManagement", "Effect": "Allow", "Action": [ "ec2:AttachNetworkInterface", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:Describe*", "ec2:DetachNetworkInterface", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:Describe*", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "route53:ChangeResourceRecordSets", "route53:CreateHealthCheck", "route53:DeleteHealthCheck", "route53:Get*", "route53:List*", "route53:UpdateHealthCheck", "servicediscovery:DeregisterInstance", "servicediscovery:Get*", "servicediscovery:List*", "servicediscovery:RegisterInstance", "servicediscovery:UpdateInstanceCustomHealthStatus" ], "Resource": "*" }, { "Sid": "AutoScaling", "Effect": "Allow", "Action": [ "autoscaling:Describe*" ], "Resource": "*" }, { "Sid": "AutoScalingManagement", "Effect": "Allow", "Action": [ "autoscaling:DeletePolicy", "autoscaling:PutScalingPolicy", "autoscaling:SetInstanceProtection", "autoscaling:UpdateAutoScalingGroup", "autoscaling:PutLifecycleHook", "autoscaling:DeleteLifecycleHook", "autoscaling:CompleteLifecycleAction", "autoscaling:RecordLifecycleActionHeartbeat" ], "Resource": "*", "Condition": { "Null": { "autoscaling:ResourceTag/AmazonECSManaged": "false" } } }, { "Sid": "AutoScalingPlanManagement", "Effect": "Allow", "Action": [ "autoscaling-plans:CreateScalingPlan", "autoscaling-plans:DeleteScalingPlan", "autoscaling-plans:DescribeScalingPlans", "autoscaling-plans:DescribeScalingPlanResources" ], "Resource": "*" }, { "Sid": "EventBridge", "Effect": "Allow", "Action": [ "events:DescribeRule", "events:ListTargetsByRule" ], "Resource": "arn:aws:events:*:*:rule/ecs-managed-*" }, { "Sid": "EventBridgeRuleManagement", "Effect": "Allow", "Action": [ "events:PutRule", "events:PutTargets" ], 
"Resource": "*", "Condition": { "StringEquals": { "events:ManagedBy": "ecs.amazonaws.com" } } }, { "Sid": "CWAlarmManagement", "Effect": "Allow", "Action": [ "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm" ], "Resource": "arn:aws:cloudwatch:*:*:alarm:*" }, { "Sid": "ECSTagging", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:network-interface/*" }, { "Sid": "CWLogGroupManagement", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DescribeLogGroups", "logs:PutRetentionPolicy" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/ecs/*" }, { "Sid": "CWLogStreamManagement", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/ecs/*:log-stream:*" }, { "Sid": "ExecuteCommandSessionManagement", "Effect": "Allow", "Action": [ "ssm:DescribeSessions" ], "Resource": "*" }, { "Sid": "ExecuteCommand", "Effect": "Allow", "Action": [ "ssm:StartSession" ], "Resource": [ "arn:aws:ecs:*:*:task/*", "arn:aws:ssm:*:*:document/AmazonECS-ExecuteInteractiveCommand" ] }, { "Sid": "CloudMapResourceCreation", "Effect": "Allow", "Action": [ "servicediscovery:CreateHttpNamespace", "servicediscovery:CreateService" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "AmazonECSManaged" ] } } }, { "Sid": "CloudMapResourceTagging", "Effect": "Allow", "Action": "servicediscovery:TagResource", "Resource": "*", "Condition": { "StringLike": { "aws:RequestTag/AmazonECSManaged": "*" } } }, { "Sid": "CloudMapResourceDeletion", "Effect": "Allow", "Action": [ "servicediscovery:DeleteService" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AmazonECSManaged": "false" } } }, { "Sid": "CloudMapResourceDiscovery", "Effect": "Allow", "Action": [ "servicediscovery:DiscoverInstances", "servicediscovery:DiscoverInstancesRevision" ], "Resource": "*" } ] }
AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity
Provides administrative access to AWS Private Certificate Authority, Secrets Manager and other AWS Services required to manage Amazon ECS Service Connect TLS features on your behalf.
Permissions details
The AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity managed IAM policy includes the following permissions. Following the standard security advice of granting least privilege, the AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity managed policy can be used as a guide. If any of the permissions that are granted in the managed policy aren't needed for your use case, create a custom policy and add only the permissions that you require.
- secretsmanager:CreateSecret – Allows the principal to create the secret. It is required for Service Connect TLS because Amazon ECS keeps the customer's private key in the customer's Secrets Manager secret.
- secretsmanager:TagResource – Allows the principal to attach tags to the created secret. It is required for Service Connect TLS because Amazon ECS creates the secret on behalf of the customer and tags the resource. These tags make it easier for the customer to identify the managed secret and to restrict actions on it.
- secretsmanager:DescribeSecret – Allows the principal to describe the secret and retrieve the current version stage. It is required for Amazon ECS to rotate the Amazon ECS Service Connect TLS materials.
- secretsmanager:UpdateSecret – Allows the principal to update the secret. It is required for Amazon ECS to rotate the Amazon ECS Service Connect TLS materials and update the secret with the new materials.
- secretsmanager:GetSecretValue – Allows the principal to get the secret value. It is required for Amazon ECS to rotate the Amazon ECS Service Connect TLS materials.
- secretsmanager:PutSecretValue – Allows the principal to put the secret value. It is required for Amazon ECS to rotate the Amazon ECS Service Connect TLS materials.
- secretsmanager:UpdateSecretVersionStage – Allows the principal to update the secret version stage. It is required for Amazon ECS to rotate the Amazon ECS Service Connect TLS materials.
- acm-pca:IssueCertificate – Allows the principal to call IssueCertificate for the end-entity certificate for Amazon ECS Service Connect TLS. It is required for Amazon ECS to generate the certificate for the customer's upstream service.
- acm-pca:GetCertificate – Allows the principal to call GetCertificate for the end-entity certificate for Amazon ECS Service Connect TLS.
- acm-pca:GetCertificateAuthorityCertificate – Allows the principal to get the certificate authority's certificate. It is required for Amazon ECS Service Connect TLS so that the customer's downstream service can trust the upstream end-entity certificate.
- acm-pca:DescribeCertificateAuthority – Allows the principal to get details about the certificate authority. It is required for Amazon ECS Service Connect TLS to reuse information such as the signing algorithm when creating the CSR (Certificate Signing Request).
The following is an example AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "arn:aws:secretsmanager:*:*:secret:ecs-sc!*",
      "Condition": {
        "ArnLike": {
          "aws:RequestTag/AmazonECSCreated": [
            "arn:aws:ecs:*:*:service/*/*",
            "arn:aws:ecs:*:*:task-set/*/*"
          ]
        },
        "StringEquals": {
          "aws:RequestTag/AmazonECSManaged": "true",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "TagOnCreateSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:TagResource",
      "Resource": "arn:aws:secretsmanager:*:*:secret:ecs-sc!*",
      "Condition": {
        "ArnLike": {
          "aws:RequestTag/AmazonECSCreated": [
            "arn:aws:ecs:*:*:service/*/*",
            "arn:aws:ecs:*:*:task-set/*/*"
          ]
        },
        "StringEquals": {
          "aws:RequestTag/AmazonECSManaged": "true",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "RotateTLSCertificateSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:DeleteSecret",
        "secretsmanager:RotateSecret",
        "secretsmanager:UpdateSecretVersionStage"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:ecs-sc!*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/aws:secretsmanager:owningService": "ecs-sc",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "ManagePrivateCertificateAuthority",
      "Effect": "Allow",
      "Action": [
        "acm-pca:GetCertificate",
        "acm-pca:GetCertificateAuthorityCertificate",
        "acm-pca:DescribeCertificateAuthority"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/AmazonECSManaged": "true"
        }
      }
    },
    {
      "Sid": "ManagePrivateCertificateAuthorityForIssuingEndEntityCertificate",
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/AmazonECSManaged": "true",
          "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
        }
      }
    }
  ]
}
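To see how the conditions in these statements actually constrain the permissions, the following toy evaluator (an added example, not AWS code or a real IAM implementation) replays requests against the CreateSecret statement above and the Null-conditioned CloudMapResourceDeletion statement from the policy at the top of this section; the account ID, secret name and ARNs used in the checks are constructed.

```python
"""Toy evaluator for the IAM condition logic used by the managed policies above.
Added example, not AWS code: it supports only Allow statements, wildcard
Action/Resource, StringEquals (with ${aws:PrincipalAccount}), ArnLike, StringLike
and Null, and defaults to deny; real IAM also applies Deny, SCPs and other policies."""
import fnmatch

# Statements copied from the policies shown on this page, conditions included.
POLICY = {"Statement": [
    {"Sid": "CreateSecret", "Effect": "Allow", "Action": "secretsmanager:CreateSecret",
     "Resource": "arn:aws:secretsmanager:*:*:secret:ecs-sc!*",
     "Condition": {"ArnLike": {"aws:RequestTag/AmazonECSCreated": [
                       "arn:aws:ecs:*:*:service/*/*", "arn:aws:ecs:*:*:task-set/*/*"]},
                   "StringEquals": {"aws:RequestTag/AmazonECSManaged": "true",
                                    "aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Sid": "CloudMapResourceDeletion", "Effect": "Allow",
     "Action": ["servicediscovery:DeleteService"], "Resource": "*",
     "Condition": {"Null": {"aws:ResourceTag/AmazonECSManaged": "false"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Null":  # "false" requires the key to be present, "true" absent
                if (actual is None) != (expected == "true"):
                    return False
            elif actual is None:  # a missing key never satisfies a string operator
                return False
            elif op == "StringEquals":  # ${var} policy variables resolve from the context
                if actual not in [ctx.get(e[2:-1], e) if e.startswith("${") else e
                                  for e in _as_list(expected)]:
                    return False
            elif op in ("ArnLike", "StringLike"):
                if not any(fnmatch.fnmatchcase(actual, e) for e in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {op}")
    return True

def allowed_by(policy, action, resource, ctx):
    """Return the Sid of the first Allow statement that matches, else None (implicit deny)."""
    for st in policy["Statement"]:
        if (st["Effect"] == "Allow"
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
                and _condition_ok(st.get("Condition", {}), ctx)):
            return st["Sid"]
    return None
```

Running it shows that CreateSecret succeeds only for a secret named with the ecs-sc! prefix, tagged AmazonECSManaged=true and AmazonECSCreated with a service or task-set ARN, in the caller's own account, while the Null condition on DeleteService checks only that the tag exists, not its value.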
AWSApplicationAutoscalingECSServicePolicy
You can't attach AWSApplicationAutoscalingECSServicePolicy to your IAM entities. This policy is attached to a service-linked role that allows Application Auto Scaling to perform actions on your behalf. For more information, see Service-linked roles for Application Auto Scaling.
AWSCodeDeployRoleForECS
You can't attach AWSCodeDeployRoleForECS to your IAM entities. This policy is attached to a service-linked role that allows CodeDeploy to perform actions on your behalf. For more information, see Create a service role for CodeDeploy in the AWS CodeDeploy User Guide.
AWSCodeDeployRoleForECSLimited
You can't attach AWSCodeDeployRoleForECSLimited to your IAM entities. This policy is attached to a service-linked role that allows CodeDeploy to perform actions on your behalf. For more information, see Create a service role for CodeDeploy in the AWS CodeDeploy User Guide.
Amazon ECS updates to AWS managed policies
View details about updates to AWS managed policies for Amazon ECS since this service started tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon ECS Document history page.
Change | Description | Date |
---|---|---|
Add permissions to AmazonECSInfrastructureRolePolicyForVolumes | The AmazonECSInfrastructureRolePolicyForVolumes policy has been updated to allow customers to create an Amazon EBS volume from a snapshot. | October 10, 2024 |
Added permissions to AmazonECS_FullAccess | The AmazonECS_FullAccess policy was updated to add iam:PassRole permissions for IAM roles for a role named ecsInfrastructureRole. This is the default IAM role created by the AWS Management Console that is intended to be used as an ECS infrastructure role that allows Amazon ECS to manage Amazon EBS volumes attached to ECS tasks. | August 13, 2024 |
Add new AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity policy | Added new AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity policy that provides administrative access to AWS KMS, AWS Private Certificate Authority, Secrets Manager and enables Amazon ECS Service Connect TLS features to work properly. | January 22, 2024 |
Add new policy AmazonECSInfrastructureRolePolicyForVolumes | The AmazonECSInfrastructureRolePolicyForVolumes policy was added. The policy grants the permissions that are needed by Amazon ECS to make AWS API calls to manage Amazon EBS volumes associated with Amazon ECS workloads. | January 11, 2024 |
Add permissions to AmazonECSServiceRolePolicy | The AmazonECSServiceRolePolicy managed IAM policy was updated with new events permissions and additional autoscaling and autoscaling-plans permissions. | December 4, 2023 |
Add permissions to AmazonEC2ContainerServiceEventsRole | The AmazonECSServiceRolePolicy managed IAM policy was updated to allow access to the AWS Cloud Map DiscoverInstancesRevision API operation. | October 4, 2023 |
Add permissions to AmazonEC2ContainerServiceforEC2Role | The AmazonEC2ContainerServiceforEC2Role policy was modified to add the ecs:TagResource permission, which includes a condition that limits the permission only to newly created clusters and registered container instances. | March 6, 2023 |
Add permissions to AmazonECS_FullAccess | The AmazonECS_FullAccess policy was modified to add the elasticloadbalancing:AddTags permission, which includes a condition that limits the permission only to newly created load balancers, target groups, rules, and listeners. This permission doesn't allow tags to be added to any already created Elastic Load Balancing resources. | January 4, 2023 |
Amazon ECS started tracking changes | Amazon ECS started tracking changes for its AWS managed policies. | June 8, 2021 |