AWS managed policies for Application Auto Scaling - Application Auto Scaling

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy granting access to AppStream 2.0 and CloudWatch

Policy name: AWSApplicationAutoscalingAppStreamFleetPolicy

You can't attach AWSApplicationAutoscalingAppStreamFleetPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon AppStream and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_AppStreamFleet service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: appstream:DescribeFleets

  • Action: appstream:UpdateFleet

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Aurora and CloudWatch

Policy name: AWSApplicationAutoscalingRDSClusterPolicy

You can't attach AWSApplicationAutoscalingRDSClusterPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Aurora and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_RDSCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: rds:AddTagsToResource

  • Action: rds:CreateDBInstance

  • Action: rds:DeleteDBInstance

  • Action: rds:DescribeDBClusters

  • Action: rds:DescribeDBInstances

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon Comprehend and CloudWatch

Policy name: AWSApplicationAutoscalingComprehendEndpointPolicy

You can't attach AWSApplicationAutoscalingComprehendEndpointPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon Comprehend and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_ComprehendEndpoint service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: comprehend:UpdateEndpoint

  • Action: comprehend:DescribeEndpoint

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to DynamoDB and CloudWatch

Policy name: AWSApplicationAutoscalingDynamoDBTablePolicy

You can't attach AWSApplicationAutoscalingDynamoDBTablePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call DynamoDB and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_DynamoDBTable service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: dynamodb:DescribeTable

  • Action: dynamodb:UpdateTable

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon ECS and CloudWatch

Policy name: AWSApplicationAutoscalingECSServicePolicy

You can't attach AWSApplicationAutoscalingECSServicePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon ECS and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_ECSService service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: ecs:DescribeServices

  • Action: ecs:UpdateService

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to ElastiCache and CloudWatch

Policy name: AWSApplicationAutoscalingElastiCacheRGPolicy

You can't attach AWSApplicationAutoscalingElastiCacheRGPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_ElastiCacheRG service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: elasticache:DescribeReplicationGroups on all resources

  • Action: elasticache:ModifyReplicationGroupShardConfiguration on all resources

  • Action: elasticache:IncreaseReplicaCount on all resources

  • Action: elasticache:DecreaseReplicaCount on all resources

  • Action: elasticache:DescribeCacheClusters on all resources

  • Action: elasticache:DescribeCacheParameters on all resources

  • Action: cloudwatch:DescribeAlarms on all resources

  • Action: cloudwatch:PutMetricAlarm on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms
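
The two resource styles on this page, compared in an added example (not AWS code): the statements are transcribed from the ElastiCache and DynamoDB bullet lists above that name a resource, the alarm ARNs are hypothetical, and the matcher is a simplification that ignores Deny, NotAction/NotResource and Condition.

```python
import re

# Constructed from this page's bullet lists; not fetched from IAM.
ELASTICACHE_RG = {"Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticache:DescribeReplicationGroups",
        "elasticache:ModifyReplicationGroupShardConfiguration",
        "elasticache:IncreaseReplicaCount",
        "elasticache:DecreaseReplicaCount",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeCacheParameters",
        "cloudwatch:DescribeAlarms"]},
    {"Effect": "Allow",
     "Resource": "arn:*:cloudwatch:*:*:alarm:TargetTracking*",
     "Action": ["cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms"]},
]}
DYNAMODB_TABLE = {"Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "dynamodb:DescribeTable", "dynamodb:UpdateTable",
        "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"]},
]}
# Hypothetical alarm ARNs (placeholder account ID and alarm names).
_PREFIX = "arn:aws:cloudwatch:us-east-1:111122223333:alarm:"
SAMPLE_ALARMS = [_PREFIX + "TargetTracking-example-AlarmHigh",
                 _PREFIX + "example-billing-alarm"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def allows(policy, action, resource):
    """True if some Allow statement covers (action, resource)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names compare case-insensitively; resource ARNs do not.
        if (any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource)
                        for r in _as_list(stmt["Resource"]))):
            return True
    return False

def alarm_scope(policy, alarm_arns, action="cloudwatch:DeleteAlarms"):
    """Return the subset of alarm ARNs on which the policy allows `action`."""
    return [arn for arn in alarm_arns if allows(policy, action, arn)]
```

`alarm_scope(ELASTICACHE_RG, SAMPLE_ALARMS)` returns only the `TargetTracking*` alarm, while the same call with `DYNAMODB_TABLE` returns both.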

AWS managed policy granting access to Amazon Keyspaces and CloudWatch

Policy name: AWSApplicationAutoscalingCassandraTablePolicy

You can't attach AWSApplicationAutoscalingCassandraTablePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon Keyspaces and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_CassandraTable service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system/table/*

  • Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system_schema/table/*

  • Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system_schema_mcs/table/*

  • Action: cassandra:Alter on the resource arn:*:cassandra:*:*:"*"

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Lambda and CloudWatch

Policy name: AWSApplicationAutoscalingLambdaConcurrencyPolicy

You can't attach AWSApplicationAutoscalingLambdaConcurrencyPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Lambda and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: lambda:PutProvisionedConcurrencyConfig

  • Action: lambda:GetProvisionedConcurrencyConfig

  • Action: lambda:DeleteProvisionedConcurrencyConfig

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon MSK and CloudWatch

Policy name: AWSApplicationAutoscalingKafkaClusterPolicy

You can't attach AWSApplicationAutoscalingKafkaClusterPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon MSK and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_KafkaCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: kafka:DescribeCluster

  • Action: kafka:DescribeClusterOperation

  • Action: kafka:UpdateBrokerStorage

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Neptune and CloudWatch

Policy name: AWSApplicationAutoscalingNeptuneClusterPolicy

You can't attach AWSApplicationAutoscalingNeptuneClusterPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_NeptuneCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: rds:AddTagsToResource on resources with the prefix autoscaled-reader in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"}})

  • Action: rds:ListTagsForResource on all resources

  • Action: rds:CreateDBInstance on resources with the prefix autoscaled-reader in all DB clusters ("Resource":["arn:*:rds:*:*:db:autoscaled-reader*", "arn:aws:rds:*:*:cluster:*"]) in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"}})

  • Action: rds:DescribeDBInstances on all resources

  • Action: rds:DescribeDBClusters on all resources

  • Action: rds:DescribeDBClusterParameters on all resources

  • Action: rds:DeleteDBInstance on the resource arn:*:rds:*:*:db:autoscaled-reader*

  • Action: cloudwatch:DescribeAlarms on all resources

  • Action: cloudwatch:PutMetricAlarm on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to SageMaker and CloudWatch

Policy name: AWSApplicationAutoscalingSageMakerEndpointPolicy

You can't attach AWSApplicationAutoscalingSageMakerEndpointPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call SageMaker and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: sagemaker:DescribeEndpoint

  • Action: sagemaker:DescribeEndpointConfig

  • Action: sagemaker:UpdateEndpointWeightsAndCapacities

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to EC2 Spot Fleet and CloudWatch

Policy name: AWSApplicationAutoscalingEC2SpotFleetRequestPolicy

You can't attach AWSApplicationAutoscalingEC2SpotFleetRequestPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon EC2 and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: ec2:DescribeSpotFleetRequests

  • Action: ec2:ModifySpotFleetRequest

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to your custom resources and CloudWatch

Policy name: AWSApplicationAutoScalingCustomResourcePolicy

You can't attach AWSApplicationAutoScalingCustomResourcePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call your custom resources that are available through API Gateway and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_CustomResource service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: execute-api:Invoke

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

Application Auto Scaling updates to AWS managed policies

View details about updates to AWS managed policies for Application Auto Scaling since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Application Auto Scaling Document history page.

Change | Description | Date
--- | --- | ---
Application Auto Scaling adds Neptune policy | Application Auto Scaling added a new managed policy for Neptune. This policy is attached to a service-linked role that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf. | October 6, 2021
Application Auto Scaling adds ElastiCache for Redis policy | Application Auto Scaling added a new managed policy for ElastiCache. This policy is attached to a service-linked role that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf. | August 19, 2021
Application Auto Scaling started tracking changes | Application Auto Scaling started tracking changes for its AWS managed policies. | August 19, 2021