AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon EC2 Container Service

Amazon EC2 Container Service (service prefix: ecs) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by Amazon EC2 Container Service

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| CreateCluster | Creates a new Amazon ECS cluster. | Write | | | |
| CreateService | Runs and maintains a desired number of tasks from a specified task definition. | Write | | | |
| DeleteCluster | Deletes the specified cluster. | Write | cluster* | | |
| DeleteService | Deletes a specified service within a cluster. | Write | | | |
| DeregisterContainerInstance | Deregisters an Amazon ECS container instance from the specified cluster. | Write | cluster* | | |
| DeregisterTaskDefinition | Deregisters the specified task definition by family and revision. | Write | | | |
| DescribeClusters | Describes one or more of your clusters. | Read | cluster* | | |
| DescribeContainerInstances | Describes Amazon EC2 Container Service container instances. | Read | container-instance* | ecs:cluster | |
| DescribeServices | Describes the specified services running in your cluster. | Read | | | |
| DescribeTaskDefinition | Describes a task definition. You can specify a family and revision to find information about a specific task definition, or you can simply specify the family to find the latest ACTIVE revision in that family. | Read | | | |
| DescribeTasks | Describes a specified task or tasks. | Read | task* | ecs:cluster | |
| DiscoverPollEndpoint | Returns an endpoint for the Amazon EC2 Container Service agent to poll for updates. | Write | | | |
| ListClusters | Returns a list of existing clusters. | List | | | |
| ListContainerInstances | Returns a list of container instances in a specified cluster. | List | container-instance* | | |
| ListServices | Lists the services that are running in a specified cluster. | List | | | |
| ListTaskDefinitionFamilies | Returns a list of task definition families that are registered to your account (which may include task definition families that no longer have any ACTIVE task definitions). | List | | | |
| ListTaskDefinitions | Returns a list of task definitions that are registered to your account. | List | | | |
| ListTasks | Returns a list of tasks for a specified cluster. | List | container-instance* | ecs:cluster | |
| Poll | [permission only] Grants permission to an agent to connect with the Amazon ECS service to report status and get commands. | Write | | | |
| RegisterContainerInstance | Registers an EC2 instance into the specified cluster. | Write | cluster* | | |
| RegisterTaskDefinition | Registers a new task definition from the supplied family and containerDefinitions. | Write | | | |
| RunTask | Starts a task using random placement and the default Amazon ECS scheduler. | Write | task* | ecs:cluster | |
| StartTask | Starts a new task from the specified task definition on the specified container instance or instances. | Write | task-definition* | ecs:cluster, ecs:container-instances | |
| StopTask | Stops a running task. | Write | task* | ecs:cluster | |
| SubmitContainerStateChange | Sent to acknowledge that a container changed states. | Write | cluster* | | |
| SubmitTaskStateChange | Sent to acknowledge that a task changed states. | Write | cluster* | | |
| UpdateContainerAgent | Updates the Amazon ECS container agent on a specified container instance. | Write | container-instance* | ecs:cluster | |
| UpdateContainerInstancesState | Enables the user to modify the status of an Amazon ECS container instance. | Write | container-instance* | ecs:cluster | |
| UpdateService | Modifies the desired count, deployment configuration, or task definition used in a service. | Write | | | |

Resources Defined by EC2 Container Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| cluster | arn:${Partition}:ecs:${Region}:${Account}:cluster/${ClusterName} | |
| container | arn:${Partition}:ecs:${Region}:${Account}:container/${ContainerId} | |
| container-instance | arn:${Partition}:ecs:${Region}:${Account}:container-instance/${ContainerInstanceId} | |
| service | arn:${Partition}:ecs:${Region}:${Account}:service/${ServiceName} | |
| task | arn:${Partition}:ecs:${Region}:${Account}:task/${TaskId} | |
| task-definition | arn:${Partition}:ecs:${Region}:${Account}:task-definition/${TaskDefinitionFamilyName}:${TaskDefinitionRevisionNumber} | |

Condition Keys for Amazon EC2 Container Service

Amazon EC2 Container Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
|---|---|---|
| ecs:cluster | The ARN of an ECS cluster. | ARN |
| ecs:container-instances | The ARN of an ECS container instance. | ARN |
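The three tables above together decide whether an ECS policy statement is as narrow as it can be: an action with a resource type should carry a matching ARN rather than "*", an action with no resource type only works with "*", and a condition on ecs:cluster or ecs:container-instances only takes effect on the actions that supply that key. As an added example that is not part of the AWS documentation, the following Python linter encodes a subset of the actions table, the ARN templates from the resource types table and the two condition keys, and checks Allow statements against them. The three policy documents, the account id 111122223333 and the cluster name "prod" are constructed placeholders.

```python
import re
from fnmatch import fnmatch

# Action -> (resource type the action accepts, condition keys it accepts), transcribed
# from a subset of the actions table above. None: the table lists no resource type.
ECS_ACTIONS = {
    "ecs:CreateCluster": (None, ()),
    "ecs:ListClusters": (None, ()),
    "ecs:RegisterTaskDefinition": (None, ()),
    "ecs:UpdateService": (None, ()),
    "ecs:DeleteCluster": ("cluster", ()),
    "ecs:DescribeClusters": ("cluster", ()),
    "ecs:DescribeContainerInstances": ("container-instance", ("ecs:cluster",)),
    "ecs:DescribeTasks": ("task", ("ecs:cluster",)),
    "ecs:ListTasks": ("container-instance", ("ecs:cluster",)),
    "ecs:RunTask": ("task", ("ecs:cluster",)),
    "ecs:StartTask": ("task-definition", ("ecs:cluster", "ecs:container-instances")),
    "ecs:StopTask": ("task", ("ecs:cluster",)),
    "ecs:UpdateContainerAgent": ("container-instance", ("ecs:cluster",)),
    "ecs:UpdateContainerInstancesState": ("container-instance", ("ecs:cluster",)),
}

# ARN templates from the resource types table, as regexes. A trailing "*" is a valid
# IAM wildcard, so the resource-id segment accepts it.
ARN_PATTERNS = {
    "cluster": re.compile(r"^arn:[^:]+:ecs:[^:]*:[^:]*:cluster/[^/]+$"),
    "container-instance": re.compile(r"^arn:[^:]+:ecs:[^:]*:[^:]*:container-instance/[^/]+$"),
    "task": re.compile(r"^arn:[^:]+:ecs:[^:]*:[^:]*:task/[^/]+$"),
    "task-definition": re.compile(r"^arn:[^:]+:ecs:[^:]*:[^:]*:task-definition/[^/:]+:[^/:]+$"),
}


def _as_list(value):
    """IAM allows Action, Resource and condition values as a string or a list."""
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return findings (strings) for one Allow statement; [] means it is well scoped."""
    findings = []
    # Expand wildcard actions such as "ecs:*" against the table.
    actions = [a for pat in _as_list(stmt.get("Action", [])) for a in ECS_ACTIONS if fnmatch(a, pat)]
    resources = _as_list(stmt.get("Resource", []))
    # Condition key names are case-insensitive in IAM, so normalise before comparing.
    cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
    for action in actions:
        rtype, supported = ECS_ACTIONS[action]
        if rtype is None:
            # No resource-level permissions: only Resource "*" makes the Allow apply.
            if resources != ["*"]:
                findings.append(f'{action}: table lists no resource type, so only Resource "*" applies')
            continue
        for arn in resources:
            if arn == "*":
                findings.append(f'{action}: Resource "*" where a {rtype} ARN could scope it')
            elif not ARN_PATTERNS[rtype].match(arn):
                findings.append(f"{action}: {arn} is not a {rtype} ARN; the statement never matches this action")
        for key in sorted(cond_keys):
            if key.startswith("ecs:") and key not in supported:
                findings.append(f"{action}: does not supply {key}; an ArnEquals/StringEquals condition on it never matches")
        if "ecs:cluster" in supported and "ecs:cluster" not in cond_keys:
            findings.append(f"{action}: add an ecs:cluster condition to pin the grant to one cluster")
    return findings


def lint_policy(policy):
    """Lint every Allow statement of a parsed policy document (dict, as json.load returns)."""
    return [f"statement {i}: {f}" for i, s in enumerate(policy["Statement"])
            if s.get("Effect") == "Allow" for f in lint_statement(s)]


# Constructed sample policies; account 111122223333 and cluster "prod" are placeholders.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs:RunTask", "ecs:StopTask"],
    "Resource": "arn:aws:ecs:us-east-1:111122223333:task/*",
    "Condition": {"ArnEquals": {"ecs:cluster": "arn:aws:ecs:us-east-1:111122223333:cluster/prod"}},
}]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ecs:*", "Resource": "*",
}]}
MISTAKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "ecs:StopTask",
    "Resource": "arn:aws:ecs:us-east-1:111122223333:cluster/prod",  # a cluster ARN, not a task ARN
    "Condition": {"ArnEquals": {"ecs:container-instances": "arn:aws:ecs:us-east-1:111122223333:container-instance/*"}},
}]}

if __name__ == "__main__":
    for name, pol in [("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY), ("mistaken", MISTAKEN_POLICY)]:
        print(name, lint_policy(pol) or ["ok"])
```

The scoped policy produces no findings: RunTask and StopTask take a task ARN and both accept ecs:cluster, so the grant is pinned to one cluster. The broad policy is flagged once per action that could have been given an ARN and once more per action that could have carried an ecs:cluster condition. The mistaken policy shows the two silent failure modes the tables guard against: a cluster ARN in a statement for a task-scoped action never matches, and a condition on a key the action does not supply never evaluates true, so the statement grants nothing while looking permissive.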