Configuring permissions for AWS AppConfig
AWS AppConfig uses the following API actions.
We recommend that you create restrictive IAM permissions policies that grant users, groups, and roles the least privileges necessary to perform a desired action in AWS AppConfig.
For example, you can create a read-only IAM permissions policy that includes only
the Get and List API actions used by AWS AppConfig, like the
following.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetDocument", "ssm:ListDocuments", "appconfig:ListApplications", "appconfig:GetApplication", "appconfig:ListEnvironments", "appconfig:GetEnvironment", "appconfig:ListConfigurationProfiles", "appconfig:GetConfigurationProfile", "appconfig:ListDeploymentStrategies", "appconfig:GetDeploymentStrategy", "appconfig:GetConfiguration", "appconfig:ListDeployments" ], "Resource": "*" } ] }
Restrict access to the StartDeployment and StopDeployment API actions to trusted users who understand the responsibilities and consequences of deploying a new configuration to your targets.
For more information about creating and editing IAM policies, see Creating IAM Policies in the IAM User Guide. For information about how to assign this policy to an IAM group, see Attaching a Policy to an IAM Group.
To configure an IAM user account with permission to use AWS AppConfig
-
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Users.
-
In the list, choose a name.
-
Choose the Permissions tab.
-
On the right side of the page, under Permission policies, choose Add inline policy.
-
Choose the JSON tab.
-
Replace the default content with your custom permissions policy.
-
Choose Review policy.
-
On the Review policy page, for Name, enter a name for the inline policy. For example:
AWS AppConfig-<.action>-Access -
Choose Create policy.
