How Application Auto Scaling Works with IAM - Application Auto Scaling

How Application Auto Scaling Works with IAM

Note

In December 2017, there was an update for Application Auto Scaling, enabling several service-linked roles for Application Auto Scaling integrated services. Specific IAM permissions and an Application Auto Scaling service-linked role (or a service role for Amazon EMR auto scaling) are required so that users can configure scaling.

Before you use IAM to manage access to Application Auto Scaling, you should understand what IAM features are available to use with Application Auto Scaling. To get a high-level view of how Application Auto Scaling and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.

Application Auto Scaling Identity-Based Policies

With IAM identity-based policies, you can specify allowed or denied actions and resources, and the conditions under which actions are allowed or denied. Application Auto Scaling supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.

Actions

The Action element of an IAM identity-based policy describes the specific action or actions that will be allowed or denied by the policy. Policy actions usually have the same name as the associated AWS API operation. The action is used in a policy to grant permissions to perform the associated operation.

Policy actions in Application Auto Scaling use the following prefix before the action: application-autoscaling:. Policy statements must include either an Action or NotAction element. Application Auto Scaling defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as shown in the following example.

"Action": [ "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScalingActivities"

You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word Describe, include the following action.

"Action": "application-autoscaling:Describe*"

To see a list of Application Auto Scaling actions, see Actions in the Application Auto Scaling API Reference.

Resources

The Resource element specifies the object or objects to which the action applies.

Application Auto Scaling has no service-defined resources that can be used as the Resource element of an IAM policy statement. Therefore, there are no Amazon Resource Names (ARNs) for Application Auto Scaling for you to use in an IAM policy. To control access to Application Auto Scaling actions, always use an * (asterisk) as the resource when writing an IAM policy.

Condition Keys

The Condition element (or Condition block) lets you specify conditions in which a statement is in effect. For example, you might want a policy to be applied only after a specific date. To express conditions, use predefined condition keys.

Application Auto Scaling does not provide any service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.

The Condition element is optional.

Examples

To view examples of Application Auto Scaling identity-based policies, see Example Policies for Working with the AWS CLI or an AWS SDK.

Application Auto Scaling Resource-Based Policies

Application Auto Scaling does not support resource-based policies.

Access Control Lists (ACLs)

Application Auto Scaling does not support Access Control Lists (ACLs).

Authorization Based on Application Auto Scaling Tags

Application Auto Scaling has no service-defined resources that can be tagged. Therefore, it does not support controlling access based on tags.

Application Auto Scaling IAM Roles

An IAM role is an entity within your AWS account that has specific permissions.

Using Temporary Credentials with Application Auto Scaling

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

Application Auto Scaling supports using temporary credentials.

Service-Linked Roles

Service-linked roles give permissions to Application Auto Scaling so that it can make specific calls to other AWS services on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.

Application Auto Scaling supports service-linked roles. For more information, see Service-Linked Roles for Application Auto Scaling.

Service Roles

If your Amazon EMR cluster uses automatic scaling, this feature allows Application Auto Scaling to assume a service role on your behalf. Similar to a service-linked role, a service role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.

Application Auto Scaling supports service roles only for Amazon EMR. For documentation for the EMR service role, see Using Automatic Scaling in Amazon EMR in the Amazon EMR Management Guide.

Note

With the introduction of service-linked roles, several legacy service roles are no longer required. If you specify a legacy service role for any other service (for example, Amazon ECS or Spot Fleet), Application Auto Scaling ignores it. Instead, it uses a service-linked role. If this role doesn't exist, you must have permissions to create it or a permission error occurs.