How Application Auto Scaling works with IAM
In December 2017, there was an update for Application Auto Scaling, enabling several service-linked roles for Application Auto Scaling integrated services. Specific IAM permissions and an Application Auto Scaling service-linked role (or a service role for Amazon EMR auto scaling) are required so that users can configure scaling.
Before you use IAM to manage access to Application Auto Scaling, you should understand what IAM features are available to use with Application Auto Scaling. To get a high-level view of how Application Auto Scaling and other AWS services work with IAM, see AWS services that work with IAM in the IAM User Guide.
Topics
Application Auto Scaling identity-based policies
With IAM identity-based policies, you can specify allowed or denied actions and resources, and the conditions under which actions are allowed or denied. Application Auto Scaling supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON policy elements reference in the IAM User Guide.
Actions
Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
The Action
element of a JSON policy describes the
actions that you can use to allow or deny access in a policy. Policy
actions usually have the same name as the associated AWS API operation. There are some exceptions, such as permission-only
actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy.
These additional actions are called dependent actions.
Include actions in a policy to grant permissions to perform the associated operation.
Application Auto Scaling API actions in IAM policy statements use the following prefix before the
action: application-autoscaling:
. Policy statements must include either an
Action
or NotAction
element. Application Auto Scaling defines its own set of
actions that describe tasks that you can perform with this service.
To specify multiple actions in a single statement, separate them with commas as shown in the following example.
"Action": [ "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScalingActivities"
You can specify multiple actions using wildcards (*). For example, to specify all
actions that begin with the word Describe
, include the following
action.
"Action": "application-autoscaling:Describe*"
To see a complete list of policy actions for Application Auto Scaling, see Actions, resources, and condition keys for Application Auto Scaling in the Service Authorization Reference.
Resources
The Resource
element specifies the object or objects to which the action
applies.
Application Auto Scaling has no service-defined resources that can be used as the
Resource
element of an IAM policy statement. Therefore, there are no
Amazon Resource Names (ARNs) for Application Auto Scaling for you to use in an IAM policy. To control
access to Application Auto Scaling API actions, always use an * (asterisk) as the resource when writing an
IAM policy.
Condition keys
The Condition
element (or Condition
block) lets you specify conditions in which a statement
is in effect. For example, you might want a policy to be applied only after a specific
date. To express conditions, use predefined condition keys.
Application Auto Scaling does not provide any service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see AWS global condition context keys in the IAM User Guide.
The Condition
element is optional.
Examples
To view examples of Application Auto Scaling identity-based policies, see Application Auto Scaling identity-based policy examples.
Application Auto Scaling resource-based policies
Other AWS services, such as Amazon Simple Storage Service, support resource-based permissions policies. For example, you can attach a permissions policy to an S3 bucket to manage access permissions to that bucket.
Application Auto Scaling does not support resource-based policies.
Access Control Lists (ACLs)
Application Auto Scaling does not support Access Control Lists (ACLs).
Authorization based on Application Auto Scaling tags
Application Auto Scaling has no service-defined resources that can be tagged. Therefore, it does not support controlling access based on tags.
Application Auto Scaling IAM roles
An IAM role is an entity within your AWS account that has specific permissions.
Using temporary credentials with Application Auto Scaling
You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.
Application Auto Scaling supports using temporary credentials.
Service-linked roles
Service-linked roles give permissions to Application Auto Scaling so that it can make specific calls to other AWS services on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.
Application Auto Scaling supports service-linked roles. For more information, see Service-linked roles for Application Auto Scaling.
Service roles
If your Amazon EMR cluster uses automatic scaling, this feature allows Application Auto Scaling to assume a service role on your behalf. Similar to a service-linked role, a service role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.
Application Auto Scaling supports service roles only for Amazon EMR. For documentation for the EMR service role, see Using automatic scaling with a custom policy for instance groups in the Amazon EMR Management Guide.
With the introduction of service-linked roles, several legacy service roles are no longer required, for example, for Amazon ECS and Spot Fleet.