Actions, resources, and condition keys for Amazon EC2 Auto Scaling
Amazon EC2 Auto Scaling (service prefix: autoscaling) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon EC2 Auto Scaling
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AttachInstances | Grants permission to attach one or more EC2 instances to the specified Auto Scaling group | Write | |||
AttachLoadBalancerTargetGroups | Grants permission to attach one or more target groups to the specified Auto Scaling group | Write | |||
AttachLoadBalancers | Grants permission to attach one or more load balancers to the specified Auto Scaling group | Write | |||
AttachTrafficSources | Grants permission to attach one or more traffic sources to an Auto Scaling group | Write | |||
BatchDeleteScheduledAction | Grants permission to delete the specified scheduled actions | Write | |||
BatchPutScheduledUpdateGroupAction | Grants permission to create or update multiple scheduled scaling actions for an Auto Scaling group | Write | |||
CancelInstanceRefresh | Grants permission to cancel an instance refresh operation in progress | Write | |||
CompleteLifecycleAction | Grants permission to complete the lifecycle action for the specified token or instance with the specified result | Write | |||
CreateAutoScalingGroup | Grants permission to create an Auto Scaling group with the specified name and attributes | Write | | autoscaling:LaunchConfigurationName autoscaling:LaunchTemplateVersionSpecified autoscaling:TrafficSourceIdentifiers | iam:CreateServiceLinkedRole iam:PassRole |
CreateLaunchConfiguration | Grants permission to create a launch configuration | Write | | autoscaling:MetadataHttpTokens | |
CreateOrUpdateTags | Grants permission to create or update tags for the specified Auto Scaling group | Tagging | |||
DeleteAutoScalingGroup | Grants permission to delete the specified Auto Scaling group | Write | |||
DeleteLaunchConfiguration | Grants permission to delete the specified launch configuration | Write | |||
DeleteLifecycleHook | Grants permission to delete the specified lifecycle hook | Write | |||
DeleteNotificationConfiguration | Grants permission to delete the specified notification | Write | |||
DeletePolicy | Grants permission to delete the specified Auto Scaling policy | Write | |||
DeleteScheduledAction | Grants permission to delete the specified scheduled action | Write | |||
DeleteTags | Grants permission to delete the specified tags | Tagging | |||
DeleteWarmPool | Grants permission to delete the warm pool associated with the Auto Scaling group | Write | |||
DescribeAccountLimits | Grants permission to describe the current Auto Scaling resource limits for your AWS account | List | |||
DescribeAdjustmentTypes | Grants permission to describe the policy adjustment types for use with PutScalingPolicy | List | |||
DescribeAutoScalingGroups | Grants permission to describe one or more Auto Scaling groups. If a list of names is not provided, the call describes all Auto Scaling groups | List | |||
DescribeAutoScalingInstances | Grants permission to describe one or more Auto Scaling instances. If a list is not provided, the call describes all instances | List | |||
DescribeAutoScalingNotificationTypes | Grants permission to describe the notification types that are supported by Auto Scaling | List | |||
DescribeInstanceRefreshes | Grants permission to describe one or more instance refreshes for an Auto Scaling group | List | |||
DescribeLaunchConfigurations | Grants permission to describe one or more launch configurations. If you omit the list of names, then the call describes all launch configurations | List | |||
DescribeLifecycleHookTypes | Grants permission to describe the available types of lifecycle hooks | List | |||
DescribeLifecycleHooks | Grants permission to describe the lifecycle hooks for the specified Auto Scaling group | List | |||
DescribeLoadBalancerTargetGroups | Grants permission to describe the target groups for the specified Auto Scaling group | List | |||
DescribeLoadBalancers | Grants permission to describe the load balancers for the specified Auto Scaling group | List | |||
DescribeMetricCollectionTypes | Grants permission to describe the available CloudWatch metrics for Auto Scaling | List | |||
DescribeNotificationConfigurations | Grants permission to describe the notification actions associated with the specified Auto Scaling group | List | |||
DescribePolicies | Grants permission to describe the policies for the specified Auto Scaling group | List | |||
DescribeScalingActivities | Grants permission to describe one or more scaling activities for the specified Auto Scaling group | List | |||
DescribeScalingProcessTypes | Grants permission to describe the scaling process types for use with ResumeProcesses and SuspendProcesses | List | |||
DescribeScheduledActions | Grants permission to describe the actions scheduled for your Auto Scaling group that haven't run | List | |||
DescribeTags | Grants permission to describe the specified tags | Read | |||
DescribeTerminationPolicyTypes | Grants permission to describe the termination policies supported by Auto Scaling | List | |||
DescribeTrafficSources | Grants permission to describe the target groups for the specified Auto Scaling group | List | |||
DescribeWarmPool | Grants permission to describe the warm pool associated with the Auto Scaling group | List | |||
DetachInstances | Grants permission to remove one or more instances from the specified Auto Scaling group | Write | |||
DetachLoadBalancerTargetGroups | Grants permission to detach one or more target groups from the specified Auto Scaling group | Write | |||
DetachLoadBalancers | Grants permission to remove one or more load balancers from the specified Auto Scaling group | Write | |||
DetachTrafficSources | Grants permission to detach one or more traffic sources from an Auto Scaling group | Write | |||
DisableMetricsCollection | Grants permission to disable monitoring of the specified metrics for the specified Auto Scaling group | Write | |||
EnableMetricsCollection | Grants permission to enable monitoring of the specified metrics for the specified Auto Scaling group | Write | |||
EnterStandby | Grants permission to move the specified instances into Standby mode | Write | |||
ExecutePolicy | Grants permission to execute the specified policy | Write | |||
ExitStandby | Grants permission to move the specified instances out of Standby mode | Write | |||
GetPredictiveScalingForecast | Grants permission to retrieve the forecast data for a predictive scaling policy | List | |||
PutLifecycleHook | Grants permission to create or update a lifecycle hook for the specified Auto Scaling group | Write | |||
PutNotificationConfiguration | Grants permission to configure an Auto Scaling group to send notifications when specified events take place | Write | |||
PutScalingPolicy | Grants permission to create or update a policy for an Auto Scaling group | Write | |||
PutScheduledUpdateGroupAction | Grants permission to create or update a scheduled scaling action for an Auto Scaling group | Write | |||
PutWarmPool | Grants permission to create or update the warm pool associated with the specified Auto Scaling group | Write | |||
RecordLifecycleActionHeartbeat | Grants permission to record a heartbeat for the lifecycle action associated with the specified token or instance | Write | |||
ResumeProcesses | Grants permission to resume the specified suspended Auto Scaling processes, or all suspended processes, for the specified Auto Scaling group | Write | |||
RollbackInstanceRefresh | Grants permission to roll back an instance refresh operation in progress | Write | |||
SetDesiredCapacity | Grants permission to set the size of the specified Auto Scaling group | Write | |||
SetInstanceHealth | Grants permission to set the health status of the specified instance | Write | |||
SetInstanceProtection | Grants permission to update the instance protection settings of the specified instances | Write | |||
StartInstanceRefresh | Grants permission to start a new instance refresh operation | Write | |||
SuspendProcesses | Grants permission to suspend the specified Auto Scaling processes, or all processes, for the specified Auto Scaling group | Write | |||
TerminateInstanceInAutoScalingGroup | Grants permission to terminate the specified instance and optionally adjust the desired group size | Write | |||
UpdateAutoScalingGroup | Grants permission to update the configuration for the specified Auto Scaling group | Write | | autoscaling:LaunchConfigurationName | iam:PassRole |
Resource types defined by Amazon EC2 Auto Scaling
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
autoScalingGroup | arn:${Partition}:autoscaling:${Region}:${Account}:autoScalingGroup:${GroupId}:autoScalingGroupName/${GroupFriendlyName} | |
launchConfiguration | arn:${Partition}:autoscaling:${Region}:${Account}:launchConfiguration:${Id}:launchConfigurationName/${LaunchConfigurationName} | |
Condition keys for Amazon EC2 Auto Scaling
Amazon EC2 Auto Scaling defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
autoscaling:ImageId | Filters access based on the AMI ID for the launch configuration | String |
autoscaling:InstanceType | Filters access based on the instance type for the launch configuration | String |
autoscaling:InstanceTypes | Filters access based on the instance types present as overrides to a launch template for a mixed instances policy. Use it to qualify which instance types can be explicitly defined in the policy | String |
autoscaling:LaunchConfigurationName | Filters access based on the name of a launch configuration | String |
autoscaling:LaunchTemplateVersionSpecified | Filters access based on whether users can specify any version of a launch template or only the Latest or Default version | Bool |
autoscaling:LoadBalancerNames | Filters access based on the name of the load balancer | ArrayOfString |
autoscaling:MaxSize | Filters access based on the maximum scaling size in the request | Numeric |
autoscaling:MetadataHttpEndpoint | Filters access based on whether the HTTP endpoint is enabled for the instance metadata service | String |
autoscaling:MetadataHttpPutResponseHopLimit | Filters access based on the allowed number of hops when calling the instance metadata service | Numeric |
autoscaling:MetadataHttpTokens | Filters access based on whether tokens are required when calling the instance metadata service (optional or required) | String |
autoscaling:MinSize | Filters access based on the minimum scaling size in the request | Numeric |
autoscaling:ResourceTag/${TagKey} | Filters access based on the tags associated with the resource | String |
autoscaling:SpotPrice | Filters access based on the price for Spot Instances for the launch configuration | Numeric |
autoscaling:TargetGroupARNs | Filters access based on the ARN of a target group | ArrayOfARN |
autoscaling:TrafficSourceIdentifiers | Filters access based on the identifiers of the traffic sources | ArrayOfString |
autoscaling:VPCZoneIdentifiers | Filters access based on the identifier of a VPC zone | ArrayOfString |
aws:RequestTag/${TagKey} | Filters access based on the tags that are passed in the request | String |
aws:ResourceTag/${TagKey} | Filters access based on the tags associated with the resource | String |
aws:TagKeys | Filters access based on the tag keys that are passed in the request | ArrayOfString |
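
Example policy (added here for illustration; it is not part of the AWS reference tables above). It combines entries from the Actions, Resource types, and Condition keys tables: the first statement denies autoscaling:CreateLaunchConfiguration unless autoscaling:MetadataHttpTokens is set to required, and the second allows autoscaling:CreateAutoScalingGroup only on autoScalingGroup ARNs that match a name prefix and only when a launch template version is specified. The account ID, Region, web- name prefix, and Sid values are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyLaunchConfigWithoutRequiredTokens",
      "Effect": "Deny",
      "Action": "autoscaling:CreateLaunchConfiguration",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "autoscaling:MetadataHttpTokens": "required"
        }
      }
    },
    {
      "Sid": "ExampleAllowCreateGroupWithPinnedTemplateVersion",
      "Effect": "Allow",
      "Action": "autoscaling:CreateAutoScalingGroup",
      "Resource": "arn:aws:autoscaling:us-east-1:111122223333:autoScalingGroup:*:autoScalingGroupName/web-*",
      "Condition": {
        "Bool": {
          "autoscaling:LaunchTemplateVersionSpecified": "true"
        }
      }
    }
  ]
}
```

A negated operator such as StringNotEquals also evaluates to true when the key is missing from the request context, so the Deny statement is not bypassed by leaving the value out. The ${GroupId} segment of the ARN is wildcarded because it is not known before the group is created.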