AWS managed policies for Application Auto Scaling

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy granting access to AppStream 2.0 and CloudWatch

Policy name: AWSApplicationAutoscalingAppStreamFleetPolicy

You can't attach AWSApplicationAutoscalingAppStreamFleetPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon AppStream and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_AppStreamFleet service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: appstream:DescribeFleets

  • Action: appstream:UpdateFleet

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Aurora and CloudWatch

Policy name: AWSApplicationAutoscalingRDSClusterPolicy

You can't attach AWSApplicationAutoscalingRDSClusterPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Aurora and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_RDSCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: rds:AddTagsToResource

  • Action: rds:CreateDBInstance

  • Action: rds:DeleteDBInstance

  • Action: rds:DescribeDBClusters

  • Action: rds:DescribeDBInstances

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon Comprehend and CloudWatch

Policy name: AWSApplicationAutoscalingComprehendEndpointPolicy

You can't attach AWSApplicationAutoscalingComprehendEndpointPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon Comprehend and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_ComprehendEndpoint service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: comprehend:UpdateEndpoint

  • Action: comprehend:DescribeEndpoint

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to DynamoDB and CloudWatch

Policy name: AWSApplicationAutoscalingDynamoDBTablePolicy

You can't attach AWSApplicationAutoscalingDynamoDBTablePolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call DynamoDB and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_DynamoDBTable service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: dynamodb:DescribeTable

  • Action: dynamodb:UpdateTable

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon ECS and CloudWatch

Policy name: AWSApplicationAutoscalingECSServicePolicy

You can't attach AWSApplicationAutoscalingECSServicePolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon ECS and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_ECSService service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: ecs:DescribeServices

  • Action: ecs:UpdateService

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to ElastiCache and CloudWatch

Policy name: AWSApplicationAutoscalingElastiCacheRGPolicy

You can't attach AWSApplicationAutoscalingElastiCacheRGPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_ElastiCacheRG service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: elasticache:DescribeReplicationGroups on all resources

  • Action: elasticache:ModifyReplicationGroupShardConfiguration on all resources

  • Action: elasticache:IncreaseReplicaCount on all resources

  • Action: elasticache:DecreaseReplicaCount on all resources

  • Action: elasticache:DescribeCacheClusters on all resources

  • Action: elasticache:DescribeCacheParameters on all resources

  • Action: cloudwatch:DescribeAlarms on all resources

  • Action: cloudwatch:PutMetricAlarm on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon Keyspaces and CloudWatch

Policy name: AWSApplicationAutoscalingCassandraTablePolicy

You can't attach AWSApplicationAutoscalingCassandraTablePolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon Keyspaces and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_CassandraTable service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system/table/*

  • Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system_schema/table/*

  • Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system_schema_mcs/table/*

  • Action: cassandra:Alter on the resource arn:*:cassandra:*:*:"*"

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Lambda and CloudWatch

Policy name: AWSApplicationAutoscalingLambdaConcurrencyPolicy

You can't attach AWSApplicationAutoscalingLambdaConcurrencyPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Lambda and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: lambda:PutProvisionedConcurrencyConfig

  • Action: lambda:GetProvisionedConcurrencyConfig

  • Action: lambda:DeleteProvisionedConcurrencyConfig

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon MSK and CloudWatch

Policy name: AWSApplicationAutoscalingKafkaClusterPolicy

You can't attach AWSApplicationAutoscalingKafkaClusterPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon MSK and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_KafkaCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: kafka:DescribeCluster

  • Action: kafka:DescribeClusterOperation

  • Action: kafka:UpdateBrokerStorage

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Neptune and CloudWatch

Policy name: AWSApplicationAutoscalingNeptuneClusterPolicy

You can't attach AWSApplicationAutoscalingNeptuneClusterPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_NeptuneCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: rds:AddTagsToResource on resources with the prefix autoscaled-reader in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"}})

  • Action: rds:ListTagsForResource on all resources

  • Action: rds:CreateDBInstance on resources with the prefix autoscaled-reader in all DB clusters ("Resource":["arn:*:rds:*:*:db:autoscaled-reader*", "arn:aws:rds:*:*:cluster:*"]) in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"}})

  • Action: rds:DescribeDBInstances on all resources

  • Action: rds:DescribeDBClusters on all resources

  • Action: rds:DescribeDBClusterParameters on all resources

  • Action: rds:DeleteDBInstance on the resource arn:*:rds:*:*:db:autoscaled-reader*

  • Action: cloudwatch:DescribeAlarms on all resources

  • Action: cloudwatch:PutMetricAlarm on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to SageMaker and CloudWatch

Policy name: AWSApplicationAutoscalingSageMakerEndpointPolicy

You can't attach AWSApplicationAutoscalingSageMakerEndpointPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call SageMaker and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

  • Action: sagemaker:DescribeEndpoint on all resources

  • Action: sagemaker:DescribeEndpointConfig on all resources

  • Action: sagemaker:DescribeInferenceComponent on all resources

  • Action: sagemaker:UpdateEndpointWeightsAndCapacities on all resources

  • Action: sagemaker:UpdateInferenceComponentRuntimeConfig on all resources

  • Action: cloudwatch:DescribeAlarms on all resources

  • Action: cloudwatch:PutMetricAlarm on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*

  • Action: cloudwatch:DeleteAlarms on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*
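The SageMaker list above scopes the two alarm-writing CloudWatch actions to alarm:TargetTracking*, while several other lists on this page grant them on "Resource": "*". The following added example (not AWS code) audits a policy document for that difference and for other non-read actions granted on all resources, which is useful when reviewing customer managed policies. The sample documents are constructed from the lists on this page, and the read-only prefix heuristic is an assumption.

```python
import fnmatch

ALARM_WRITES = ("cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms")
READ_PREFIXES = ("Describe", "Get", "List", "Select")  # assumption: naming heuristic

def _as_list(value):
    # IAM allows a single string/object or a list for these fields.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _target_tracking_only(resource):
    # ARN layout: arn:partition:service:region:account:resource
    parts = resource.split(":", 5)
    return (len(parts) == 6 and parts[2] == "cloudwatch"
            and parts[5].startswith("alarm:TargetTracking"))

def audit(policy):
    """Return sorted (finding, action, resource) tuples for Allow statements.
    NotAction, NotResource and Condition are not evaluated."""
    findings = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # Action names are case-insensitive and may contain wildcards.
            hits = [w for w in ALARM_WRITES
                    if fnmatch.fnmatchcase(w.lower(), pattern.lower())]
            for res in _as_list(stmt.get("Resource", [])):
                if hits:
                    if not _target_tracking_only(res):
                        findings.update(("unscoped-alarm-write", w, res) for w in hits)
                elif res == "*" and not pattern.split(":", 1)[-1].startswith(READ_PREFIXES):
                    findings.add(("write-on-all-resources", pattern, res))
    return sorted(findings)

# Constructed samples modeled on the SageMaker and DynamoDB lists on this page.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeInferenceComponent",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:UpdateInferenceComponentRuntimeConfig",
        "cloudwatch:DescribeAlarms"]},
    {"Effect": "Allow", "Action": list(ALARM_WRITES),
     "Resource": "arn:*:cloudwatch:*:*:alarm:TargetTracking*"}]}
UNSCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*", "Action": [
        "dynamodb:DescribeTable", "dynamodb:UpdateTable",
        "cloudwatch:DescribeAlarms", *ALARM_WRITES]}}

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("UNSCOPED", UNSCOPED)):
        print(name, audit(doc))
```
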

AWS managed policy granting access to EC2 Spot Fleet and CloudWatch

Policy name: AWSApplicationAutoscalingEC2SpotFleetRequestPolicy

You can't attach AWSApplicationAutoscalingEC2SpotFleetRequestPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon EC2 and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: ec2:DescribeSpotFleetRequests

  • Action: ec2:ModifySpotFleetRequest

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to your custom resources and CloudWatch

Policy name: AWSApplicationAutoScalingCustomResourcePolicy

You can't attach AWSApplicationAutoScalingCustomResourcePolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call your custom resources that are available through API Gateway and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_CustomResource service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

  • Action: execute-api:Invoke

  • Action: cloudwatch:DescribeAlarms

  • Action: cloudwatch:PutMetricAlarm

  • Action: cloudwatch:DeleteAlarms

Application Auto Scaling updates to AWS managed policies

View details about updates to AWS managed policies for Application Auto Scaling since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Application Auto Scaling Document history page.

| Change | Description | Date |
|---|---|---|
| Application Auto Scaling adds permissions to its SageMaker service-linked role | This policy now grants permissions to the service to call the SageMaker DescribeInferenceComponent and UpdateInferenceComponentRuntimeConfig API actions to support compatibility for the auto scaling of SageMaker resources for an upcoming integration. The policy also now restricts the CloudWatch PutMetricAlarm and DeleteAlarms API actions to CloudWatch alarms that are used with target tracking scaling policies. | November 13, 2023 |
| Application Auto Scaling adds Neptune policy | Application Auto Scaling added a new managed policy for Neptune. This policy is attached to a service-linked role that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf. | October 6, 2021 |
| Application Auto Scaling adds ElastiCache for Redis policy | Application Auto Scaling added a new managed policy for ElastiCache. This policy is attached to a service-linked role that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf. | August 19, 2021 |
| Application Auto Scaling started tracking changes | Application Auto Scaling started tracking changes for its AWS managed policies. | August 19, 2021 |