AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon EC2 Container Service

Amazon EC2 Container Service (service prefix: ecs) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.


Actions Defined by Amazon EC2 Container Service

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions
CreateCluster | Creates a new Amazon ECS cluster. | Write | | |
CreateService | Runs and maintains a desired number of tasks from a specified task definition. | Write | | |
DeleteAttributes | Deletes one or more custom attributes from an Amazon ECS resource. | Write | container-instance* | ecs:cluster |
DeleteCluster | Deletes the specified cluster. | Write | cluster* | |
DeleteService | Deletes a specified service within a cluster. | Write | | |
DeregisterContainerInstance | Deregisters an Amazon ECS container instance from the specified cluster. | Write | cluster* | |
DeregisterTaskDefinition | Deregisters the specified task definition by family and revision. | Write | | |
DescribeClusters | Describes one or more of your clusters. | Read | cluster* | |
DescribeContainerInstances | Describes Amazon EC2 Container Service container instances. | Read | container-instance* | ecs:cluster |
DescribeServices | Describes the specified services running in your cluster. | Read | | |
DescribeTaskDefinition | Describes a task definition. You can specify a family and revision to find information about a specific task definition, or you can simply specify the family to find the latest ACTIVE revision in that family. | Read | | |
DescribeTasks | Describes a specified task or tasks. | Read | task* | ecs:cluster |
DiscoverPollEndpoint | Returns an endpoint for the Amazon EC2 Container Service agent to poll for updates. | Write | | |
ListAttributes | Lists the attributes for Amazon ECS resources within a specified target type and cluster. | List | cluster* | |
ListClusters | Returns a list of existing clusters. | List | | |
ListContainerInstances | Returns a list of container instances in a specified cluster. | List | container-instance* | |
ListServices | Lists the services that are running in a specified cluster. | List | | |
ListTaskDefinitionFamilies | Returns a list of task definition families that are registered to your account (which may include task definition families that no longer have any ACTIVE task definitions). | List | | |
ListTaskDefinitions | Returns a list of task definitions that are registered to your account. | List | | |
ListTasks | Returns a list of tasks for a specified cluster. | List | container-instance* | ecs:cluster |
Poll [permission only] | Grants permission to an agent to connect with the Amazon ECS service to report status and get commands. | Write | container-instance* | ecs:cluster |
PutAttributes | Creates or updates an attribute on an Amazon ECS resource. | Write | container-instance* | ecs:cluster |
RegisterContainerInstance | Registers an EC2 instance into the specified cluster. | Write | cluster* | |
RegisterTaskDefinition | Registers a new task definition from the supplied family and containerDefinitions. | Write | | |
RunTask | Starts a task using random placement and the default Amazon ECS scheduler. | Write | task-definition* | ecs:cluster |
StartTask | Starts a new task from the specified task definition on the specified container instance or instances. | Write | task-definition* | ecs:cluster, ecs:container-instances |
StopTask | Stops a running task. | Write | task* | ecs:cluster |
SubmitContainerStateChange | Sent to acknowledge that a container changed states. | Write | cluster* | |
SubmitTaskStateChange | Sent to acknowledge that a task changed states. | Write | cluster* | |
UpdateContainerAgent | Updates the Amazon ECS container agent on a specified container instance. | Write | container-instance* | ecs:cluster |
UpdateContainerInstancesState | Enables the user to modify the status of an Amazon ECS container instance. | Write | container-instance* | ecs:cluster |
UpdateService | Modifies the desired count, deployment configuration, or task definition used in a service. | Write | | |

Resources Defined by EC2 Container Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types | ARN | Condition Keys
cluster | arn:${Partition}:ecs:${Region}:${Account}:cluster/${ClusterName} |
container | arn:${Partition}:ecs:${Region}:${Account}:container/${ContainerId} |
container-instance | arn:${Partition}:ecs:${Region}:${Account}:container-instance/${ContainerInstanceId} |
service | arn:${Partition}:ecs:${Region}:${Account}:service/${ServiceName} |
task | arn:${Partition}:ecs:${Region}:${Account}:task/${TaskId} |
task-definition | arn:${Partition}:ecs:${Region}:${Account}:task-definition/${TaskDefinitionFamilyName}:${TaskDefinitionRevisionNumber} |

Condition Keys for Amazon EC2 Container Service

Amazon EC2 Container Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys | Description | Type
ecs:cluster | The ARN of an ECS cluster. | ARN
ecs:container-instances | The ARN of an ECS container instance. | ARN
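The three tables above fit together in a policy: an action from the Actions table, a Resource ARN built from the Resource Types table, and an ecs:cluster condition that pins the action to one cluster. The following is an added illustration, not part of this guide, and not AWS code: it embeds a constructed least-privilege policy for a deployment role and runs it through a deliberately simplified evaluator that applies IAM's explicit-deny-wins rule and the ArnEquals/ArnLike wildcard semantics. The account number 111122223333, the cluster names prod-web and staging, the web-app task definition family, and the operator subset the evaluator understands are all assumptions made for the example; IAM's real evaluator handles many more operators and global keys.

```python
import fnmatch
import json

# Constructed example policy (placeholder account/cluster names, not from the guide).
# RunTask, StopTask and DescribeTasks are scoped with the ecs:cluster condition key
# from the Condition Keys table, on the resource types the Actions table lists for
# them (task-definition* and task*). Agent-only actions are explicitly denied so
# that no later Allow can grant them by accident.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TasksOnlyInProdWeb",
      "Effect": "Allow",
      "Action": ["ecs:RunTask", "ecs:StopTask", "ecs:DescribeTasks"],
      "Resource": [
        "arn:aws:ecs:us-east-1:111122223333:task-definition/web-app:*",
        "arn:aws:ecs:us-east-1:111122223333:task/*"
      ],
      "Condition": {
        "ArnEquals": {"ecs:cluster": "arn:aws:ecs:us-east-1:111122223333:cluster/prod-web"}
      }
    },
    {
      "Sid": "ReadClusterList",
      "Effect": "Allow",
      "Action": ["ecs:DescribeClusters", "ecs:ListClusters"],
      "Resource": "*"
    },
    {
      "Sid": "NeverActAsAgent",
      "Effect": "Deny",
      "Action": ["ecs:Poll", "ecs:RegisterContainerInstance", "ecs:Submit*"],
      "Resource": "*"
    }
  ]
}
"""

# Constructed ARNs following the Resource Types table.
PROD = "arn:aws:ecs:us-east-1:111122223333:cluster/prod-web"
STAGING = "arn:aws:ecs:us-east-1:111122223333:cluster/staging"
TASKDEF = "arn:aws:ecs:us-east-1:111122223333:task-definition/web-app:7"
INSTANCE = "arn:aws:ecs:us-east-1:111122223333:container-instance/abc123"


def load_policy():
    return json.loads(POLICY_JSON)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_match(value, patterns):
    # ArnEquals and ArnLike both accept * and ? wildcards in IAM.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Simplified Condition evaluation (assumption: only ArnEquals, ArnLike and
    StringEquals). Every key must match; a key absent from the request context
    fails these non-negated operators, as it does in IAM."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator in ("ArnEquals", "ArnLike"):
                ok = _arn_match(actual, allowed)
            elif operator == "StringEquals":
                ok = actual in _as_list(allowed)
            else:
                raise ValueError(f"unsupported operator in this example: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'. An explicit Deny on a
    matching statement wins over any Allow; with no matching Allow the request is
    implicitly denied. Action names are compared case-insensitively."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not _arn_match(resource, stmt["Resource"]):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def demo():
    policy = load_policy()
    return {
        "run_in_prod": evaluate(policy, "ecs:RunTask", TASKDEF, {"ecs:cluster": PROD}),
        "run_in_staging": evaluate(policy, "ecs:RunTask", TASKDEF, {"ecs:cluster": STAGING}),
        "run_without_cluster_key": evaluate(policy, "ecs:RunTask", TASKDEF),
        "list_clusters": evaluate(policy, "ecs:ListClusters", "*"),
        "poll": evaluate(policy, "ecs:Poll", INSTANCE, {"ecs:cluster": PROD}),
        "submit_state": evaluate(policy, "ecs:SubmitTaskStateChange", PROD, {"ecs:cluster": PROD}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<24} {result}")
```

The run_in_staging and run_without_cluster_key cases are the ones worth checking when reviewing a policy like this: the same task definition ARN is allowed only when the request's ecs:cluster key equals the prod-web cluster ARN, and a request that does not carry the key fails the ArnEquals condition rather than falling through to Allow. The ecs:Submit* wildcard in the Deny statement shows the guide's point that one action pattern can cover several operations (here both Submit*StateChange actions).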