AppStream 2.0 policy Aurora policy Comprehend policy DynamoDB policy ECS policy ElastiCache policy Keyspaces policy Lambda policy MSK policy Neptune policy SageMaker policy Spot Fleets policy Custom resources policy Application Auto Scaling updates to AWS managed policies

AWS managed policies for Application Auto Scaling

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

Contents

AWS managed policy granting access to AppStream 2.0 and CloudWatch
AWS managed policy granting access to Aurora and CloudWatch
AWS managed policy granting access to Amazon Comprehend and CloudWatch
AWS managed policy granting access to DynamoDB and CloudWatch
AWS managed policy granting access to Amazon ECS and CloudWatch
AWS managed policy granting access to ElastiCache and CloudWatch
AWS managed policy granting access to Amazon Keyspaces and CloudWatch
AWS managed policy granting access to Lambda and CloudWatch
AWS managed policy granting access to Amazon MSK and CloudWatch
AWS managed policy granting access to Neptune and CloudWatch
AWS managed policy granting access to SageMaker and CloudWatch
AWS managed policy granting access to EC2 Spot Fleet and CloudWatch
AWS managed policy granting access to your custom resources and CloudWatch
Application Auto Scaling updates to AWS managed policies

AWS managed policy granting access to AppStream 2.0 and CloudWatch

Policy name: AWSApplicationAutoscalingAppStreamFleetPolicy

You can't attach AWSApplicationAutoscalingAppStreamFleetPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon AppStream and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_AppStreamFleet service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

Action: appstream:DescribeFleets
Action: appstream:UpdateFleet
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Aurora and CloudWatch

Policy name: AWSApplicationAutoscalingRDSClusterPolicy

You can't attach AWSApplicationAutoscalingRDSClusterPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Aurora and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_RDSCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

Action: rds:AddTagsToResource
Action: rds:CreateDBInstance
Action: rds:DeleteDBInstance
Action: rds:DescribeDBClusters
Action: rds:DescribeDBInstance
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon Comprehend and CloudWatch

Policy name: AWSApplicationAutoscalingComprehendEndpointPolicy

You can't attach AWSApplicationAutoscalingComprehendEndpointPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon Comprehend and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_ComprehendEndpoint service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

Action: comprehend:UpdateEndpoint
Action: comprehend:DescribeEndpoint
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to DynamoDB and CloudWatch

Policy name: AWSApplicationAutoscalingDynamoDBTablePolicy

You can't attach AWSApplicationAutoscalingDynamoDBTablePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call DynamoDB and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_DynamoDBTable service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

Action: dynamodb:DescribeTable
Action: dynamodb:UpdateTable
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon ECS and CloudWatch

Policy name: AWSApplicationAutoscalingECSServicePolicy

You can't attach AWSApplicationAutoscalingECSServicePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon ECS and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_ECSService service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

Action: ecs:DescribeServices
Action: ecs:UpdateService
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to ElastiCache and CloudWatch

Policy name: AWSApplicationAutoscalingElastiCacheRGPolicy

You can't attach AWSApplicationAutoscalingElastiCacheRGPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_ElastiCacheRG service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

Action: elasticache:DescribeReplicationGroups on all resources
Action: elasticache:ModifyReplicationGroupShardConfiguration on all resources
Action: elasticache:IncreaseReplicaCount on all resources
Action: elasticache:DecreaseReplicaCount on all resources
Action: elasticache:DescribeCacheClusters on all resources
Action: elasticache:DescribeCacheParameters on all resources
Action: cloudwatch:DescribeAlarms on all resources
Action: cloudwatch:PutMetricAlarm on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*
Action: cloudwatch:DeleteAlarms on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon Keyspaces and CloudWatch

Policy name: AWSApplicationAutoscalingCassandraTablePolicy

You can't attach AWSApplicationAutoscalingCassandraTablePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon Keyspaces and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_CassandraTable service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system/table/*
Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system_schema/table/*
Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system_schema_mcs/table/*
Action: cassandra:Alter on the resource arn:*:cassandra:*:*:"*"
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Lambda and CloudWatch

Policy name: AWSApplicationAutoscalingLambdaConcurrencyPolicy

You can't attach AWSApplicationAutoscalingLambdaConcurrencyPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Lambda and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

Action: lambda:PutProvisionedConcurrencyConfig
Action: lambda:GetProvisionedConcurrencyConfig
Action: lambda:DeleteProvisionedConcurrencyConfig
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Amazon MSK and CloudWatch

Policy name: AWSApplicationAutoscalingKafkaClusterPolicy

You can't attach AWSApplicationAutoscalingKafkaClusterPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon MSK and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_KafkaCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

Action: kafka:DescribeCluster
Action: kafka:DescribeClusterOperation
Action: kafka:UpdateBrokerStorage
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to Neptune and CloudWatch

Policy name: AWSApplicationAutoscalingNeptuneClusterPolicy

You can't attach AWSApplicationAutoscalingNeptuneClusterPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_NeptuneCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:

Action: rds:AddTagsToResource on resources with the prefix autoscaled-reader in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"})
Action: rds:ListTagsForResource on all resources
Action: rds:CreateDBInstance on resources with the prefix autoscaled-reader in all DB clusters ("Resource":"arn:*:rds:*:*:db:autoscaled-reader*", "arn:aws:rds:*:*:cluster:*") in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"})
Action: rds:DescribeDBInstances on all resources
Action: rds:DescribeDBClusters on all resources
Action: rds:DescribeDBClusterParameters on all resources
Action: rds:DeleteDBInstance on the resource arn:*:rds:*:*:db:autoscaled-reader*
Action: cloudwatch:DescribeAlarms on all resources
Action: cloudwatch:PutMetricAlarm on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*
Action: cloudwatch:DeleteAlarms on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to SageMaker and CloudWatch

Policy name: AWSApplicationAutoscalingSageMakerEndpointPolicy

You can't attach AWSApplicationAutoscalingSageMakerEndpointPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call SageMaker and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

Action: sagemaker:DescribeEndpoint
Action: sagemaker:DescribeEndpointConfig
Action: sagemaker:UpdateEndpointWeightsAndCapacities
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to EC2 Spot Fleet and CloudWatch

Policy name: AWSApplicationAutoscalingEC2SpotFleetRequestPolicy

You can't attach AWSApplicationAutoscalingEC2SpotFleetRequestPolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon EC2 and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

Action: ec2:DescribeSpotFleetRequests
Action: ec2:ModifySpotFleetRequest
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

AWS managed policy granting access to your custom resources and CloudWatch

Policy name: AWSApplicationAutoScalingCustomResourcePolicy

You can't attach AWSApplicationAutoScalingCustomResourcePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Application Auto Scaling to call your custom resources that are available through API Gateway and CloudWatch and perform scaling on your behalf.

Permission details

The AWSServiceRoleForApplicationAutoScaling_CustomResource service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):

Action: execute-api:Invoke
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm
Action: cloudwatch:DeleteAlarms

Application Auto Scaling updates to AWS managed policies

View details about updates to AWS managed policies for Application Auto Scaling since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Application Auto Scaling Document history page.

Change	Description	Date
Application Auto Scaling adds Neptune policy	Application Auto Scaling added a new managed policy for Neptune. This policy is attached to a service-linked role that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf.	October 6, 2021
Application Auto Scaling adds ElastiCache for Redis policy	Application Auto Scaling added a new managed policy for ElastiCache. This policy is attached to a service-linked role that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf.	August 19, 2021
Application Auto Scaling started tracking changes	Application Auto Scaling started tracking changes for its AWS managed policies.	August 19, 2021

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

How Application Auto Scaling works with IAM

Service-linked roles