AWS managed policies for Application Auto Scaling - Application Auto Scaling

AWS managed policies for Application Auto Scaling

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AppStream 2.0 and CloudWatch

Policy name: AWSApplicationAutoscalingAppStreamFleetPolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_AppStreamFleet to allow Application Auto Scaling to call Amazon AppStream and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: appstream:DescribeFleets

  • Action: appstream:UpdateFleet

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy: Aurora and CloudWatch

Policy name: AWSApplicationAutoscalingRDSClusterPolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_RDSCluster to allow Application Auto Scaling to call Aurora and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: rds:AddTagsToResource

  • Action: rds:CreateDBInstance

  • Action: rds:DeleteDBInstance

  • Action: rds:DescribeDBClusters

  • Action: rds:DescribeDBInstance

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy: Amazon Comprehend and CloudWatch

Policy name: AWSApplicationAutoscalingComprehendEndpointPolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_ComprehendEndpoint to allow Application Auto Scaling to call Amazon Comprehend and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: comprehend:UpdateEndpoint

  • Action: comprehend:DescribeEndpoint

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy: DynamoDB and CloudWatch

Policy name: AWSApplicationAutoscalingDynamoDBTablePolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_DynamoDBTable to allow Application Auto Scaling to call DynamoDBand CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: dynamodb:DescribeTable

  • Action: dynamodb:UpdateTable

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy: Amazon ECS and CloudWatch

Policy name: AWSApplicationAutoscalingECSServicePolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_ECSService to allow Application Auto Scaling to call Amazon ECS and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: ecs:DescribeServices

  • Action: ecs:UpdateService

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy: ElastiCache and CloudWatch

Policy name: AWSApplicationAutoscalingElastiCacheRGPolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_ElastiCacheRG to allow Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: elasticache:DescribeReplicationGroups on all resources

  • Action: elasticache:ModifyReplicationGroupShardConfiguration on all resources

  • Action: elasticache:IncreaseReplicaCount on all resources

  • Action: elasticache:DecreaseReplicaCount on all resources

  • Action: elasticache:DescribeCacheClusters on all resources

  • Action: elasticache:DescribeCacheParameters on all resources

  • Action: cloudwatch:DescribeAlarms on all resources

  • Action: cloudwatch:PutMetricAlarm on the resource arn:aws:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms on the resource arn:aws:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms

AWS managed policy: Amazon Keyspaces and CloudWatch

Policy name: AWSApplicationAutoscalingCassandraTablePolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_CassandraTable to allow Application Auto Scaling to call Amazon Keyspaces and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: cassandra:Select on the following resources:

    • arn:*:cassandra:*:*:/keyspace/system/table/*

    • arn:*:cassandra:*:*:/keyspace/system_schema/table/*

    • arn:*:cassandra:*:*:/keyspace/system_schema_mcs/table/*

  • Action: cassandra:Alter on all resources

  • Action: cloudwatch:DescribeAlarms on all resources

  • Action: cloudwatch:PutMetricAlarm on all resources

  • Action: cloudwatch:DeleteAlarms on all resources

AWS managed policy: Lambda and CloudWatch

Policy name: AWSApplicationAutoscalingLambdaConcurrencyPolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency to allow Application Auto Scaling to call Lambda and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: lambda:PutProvisionedConcurrencyConfig

  • Action: lambda:GetProvisionedConcurrencyConfig

  • Action: lambda:DeleteProvisionedConcurrencyConfig

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy: Amazon MSK and CloudWatch

Policy name: AWSApplicationAutoscalingKafkaClusterPolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_KafkaCluster to allow Application Auto Scaling to call Amazon MSK and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: kafka:DescribeCluster

  • Action: kafka:DescribeClusterOperation

  • Action: kafka:UpdateBrokerStorage

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy: Neptune and CloudWatch

Policy name: AWSApplicationAutoscalingNeptuneClusterPolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_NeptuneCluster to allow Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: rds:ListTagsForResource on all resources

  • Action: rds:DescribeDBInstances on all resources

  • Action: rds:DescribeDBClusters on all resources

  • Action: rds:DescribeDBClusterParameters on all resources

  • Action: cloudwatch:DescribeAlarms on all resources

  • Action: rds:AddTagsToResource on resources with the prefix autoscaled-reader in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"})

  • Action: rds:CreateDBInstance on resources with the prefix autoscaled-reader in all DB clusters ("Resource":"arn:*:rds:*:*:db:autoscaled-reader*", "arn:aws:rds:*:*:cluster:*") in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"})

  • Action: rds:DeleteDBInstance on the resource arn:aws:rds:*:*:db:autoscaled-reader*

  • Action: cloudwatch:PutMetricAlarm on the resource arn:aws:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms on the resource arn:aws:cloudwatch:*:*:alarm:TargetTracking*

AWS managed policy: SageMaker and CloudWatch

Policy name: AWSApplicationAutoscalingSageMakerEndpointPolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint to allow Application Auto Scaling to call SageMaker and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: sagemaker:DescribeEndpoint on all resources

  • Action: sagemaker:DescribeEndpointConfig on all resources

  • Action: sagemaker:DescribeInferenceComponent on all resources

  • Action: sagemaker:UpdateEndpointWeightsAndCapacities on all resources

  • Action: sagemaker:UpdateInferenceComponentRuntimeConfig on all resources

  • Action: cloudwatch:DescribeAlarms on all resources

  • Action: cloudwatch:GetMetricData on all resources

  • Action: cloudwatch:PutMetricAlarm on the resource arn:aws:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms on the resource arn:aws:cloudwatch:*:*:alarm:TargetTracking*

AWS managed policy: EC2 Spot Fleet and CloudWatch

Policy name: AWSApplicationAutoscalingEC2SpotFleetRequestPolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest to allow Application Auto Scaling to call Amazon EC2 and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: ec2:DescribeSpotFleetRequests

  • Action: ec2:ModifySpotFleetRequest

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy: WorkSpaces and CloudWatch

Policy name: AWSApplicationAutoscalingWorkSpacesPoolPolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_WorkSpacesPool to allow Application Auto Scaling to call WorkSpaces and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: workspaces:DescribeWorkspacesPools on all resources from the same account as the SLR

  • Action: workspaces:UpdateWorkspacesPool on all resources from the same account as the SLR

  • Action: cloudwatch:DescribeAlarms on all alarms from the same account as the SLR

  • Action: cloudwatch:PutMetricAlarm on all alarms from the same account as the SLR, where the alarm name starts with TargetTracking

  • Action: cloudwatch:DeleteAlarms on all alarms from the same account as the SLR, where the alarm name starts with TargetTracking

AWS managed policy: custom resources and CloudWatch

Policy name: AWSApplicationAutoScalingCustomResourcePolicy

This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_CustomResource to allow Application Auto Scaling to call your custom resources that are available through API Gateway and CloudWatch and perform scaling on your behalf.

Permission details

The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: execute-api:Invoke

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

Application Auto Scaling updates to AWS managed policies

View details about updates to AWS managed policies for Application Auto Scaling since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Application Auto Scaling Document history page.

Change Description Date

AWSApplicationAutoscalingWorkSpacesPoolPolicy – New policy

Added a managed policy for Amazon WorkSpaces. This policy is attached to a service-linked role that allows Application Auto Scaling to call WorkSpaces and CloudWatch and perform scaling on your behalf.

June 24, 2024

AWSApplicationAutoscalingSageMakerEndpointPolicy – Update to an existing policy

Added permissions to call the SageMaker DescribeInferenceComponent and UpdateInferenceComponentRuntimeConfig API actions to support compatibility for the auto scaling of SageMaker resources for an upcoming integration. The policy also now restricts the CloudWatch PutMetricAlarm and DeleteAlarms API actions to CloudWatch alarms that are used with target tracking scaling policies.

November 13, 2023

AWSApplicationAutoscalingNeptuneClusterPolicy – New policy

Added a managed policy for Neptune. This policy is attached to a service-linked role that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf.

October 6, 2021

AWSApplicationAutoscalingRDSClusterPolicy – New policy

Added a managed policy for ElastiCache. This policy is attached to a service-linked role that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf.

August 19, 2021

Application Auto Scaling started tracking changes

Application Auto Scaling started tracking changes for its AWS managed policies.

August 19, 2021