Configuring permissions for AWS AppConfig
By default, only AWS account administrators have access to AWS AppConfig. You can grant AWS Identity and Access Management (IAM) users, groups, and roles access to AWS AppConfig by specifying resources, actions, and condition context keys in an IAM permission policy that you assign to the user, group, or role. For more information, see Actions, resources, and condition keys for AWS AppConfig in the Service Authorization Reference.
Security is a shared responsibility between AWS and you. The shared responsibility model
We recommend that you create restrictive IAM permissions policies that grant users, groups, and roles the least privileges necessary to perform a desired action in AWS AppConfig.
For example, you can create a read-only IAM permissions policy that includes only the Get and List API actions used by AWS AppConfig, like the following.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetDocument",
                "ssm:ListDocuments",
                "appconfig:GetLatestConfiguration",
                "appconfig:StartConfigurationSession",
                "appconfig:ListApplications",
                "appconfig:GetApplication",
                "appconfig:ListEnvironments",
                "appconfig:GetEnvironment",
                "appconfig:ListConfigurationProfiles",
                "appconfig:GetConfigurationProfile",
                "appconfig:ListDeploymentStrategies",
                "appconfig:GetDeploymentStrategy",
                "appconfig:GetConfiguration",
                "appconfig:ListDeployments",
                "appconfig:GetDeployment"
            ],
            "Resource": "*"
        }
    ]
}
Restrict access to the StartDeployment and StopDeployment API actions to trusted users who understand the responsibilities and consequences of deploying a new configuration to your targets.
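To check that a policy stays within the read-only action set above and does not grant StartDeployment or StopDeployment, here is an added Python example (not AWS code and not from the AppConfig documentation) that reviews a policy document offline. READ_ONLY_ACTIONS is copied from the sample policy above; the action-matching rules (case-insensitive, with * and ? wildcards) are an assumption about IAM matching, and any wildcard entry is reported because the checker cannot enumerate every action it covers.

```python
import json
import re

# Read-only actions from the sample policy above: the only actions a
# read-only AppConfig policy should grant.
READ_ONLY_ACTIONS = {
    "ssm:GetDocument", "ssm:ListDocuments",
    "appconfig:GetLatestConfiguration", "appconfig:StartConfigurationSession",
    "appconfig:ListApplications", "appconfig:GetApplication",
    "appconfig:ListEnvironments", "appconfig:GetEnvironment",
    "appconfig:ListConfigurationProfiles", "appconfig:GetConfigurationProfile",
    "appconfig:ListDeploymentStrategies", "appconfig:GetDeploymentStrategy",
    "appconfig:GetConfiguration", "appconfig:ListDeployments",
    "appconfig:GetDeployment",
}
# Actions the page says to restrict to trusted users.
DEPLOY_ACTIONS = {"appconfig:StartDeployment", "appconfig:StopDeployment"}


def iam_action_matches(pattern: str, action: str) -> bool:
    """Assumed IAM action matching: case-insensitive, '*' any run, '?' one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def check_policy(policy_json: str) -> dict:
    """Review Allow statements: deployment actions granted, action entries
    beyond the read-only set, and whether any statement uses Resource "*"."""
    stmts = json.loads(policy_json)["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    read_only_lc = {a.lower() for a in READ_ONLY_ACTIONS}
    grants_deploy, beyond_read_only, star_resource = set(), [], False
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        star_resource |= "*" in ([resources] if isinstance(resources, str) else resources)
        for pat in actions:
            grants_deploy |= {a for a in DEPLOY_ACTIONS if iam_action_matches(pat, a)}
            # A wildcard (e.g. "appconfig:*") may cover actions outside the
            # list, so it is reported; a literal must be in the list exactly.
            if "*" in pat or "?" in pat or pat.lower() not in read_only_lc:
                beyond_read_only.append(pat)
    return {"grants_deploy": sorted(grants_deploy),
            "beyond_read_only": beyond_read_only,
            "resource_wildcard": star_resource}
```

Passing the sample policy above returns no deployment actions and no entries beyond the read-only set, but flags the Resource "*"; scoping the resource to specific AppConfig ARNs removes that finding.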
For more information about creating and editing IAM policies, see Creating IAM Policies in the IAM User Guide. For information about how to assign this policy to an IAM group, see Attaching a Policy to an IAM Group.
To configure an IAM user account with permission to use AWS AppConfig
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users.
3. In the list, choose a name.
4. Choose the Permissions tab.
5. On the right side of the page, under Permission policies, choose Add inline policy.
6. Choose the JSON tab.
7. Replace the default content with your custom permissions policy.
8. Choose Review policy.
9. On the Review policy page, for Name, enter a name for the inline policy. For example: AWSAppConfig-<action>-Access
10. Choose Create policy.