How Application Auto Scaling Works with IAM
In December 2017, there was an update for Application Auto Scaling, enabling several service-linked roles for Application Auto Scaling integrated services. Specific IAM permissions and an Application Auto Scaling service-linked role (or a service role for Amazon EMR auto scaling) are required so that users can configure scaling.
Before you use IAM to manage access to Application Auto Scaling, you should understand what IAM features are available to use with Application Auto Scaling. To get a high-level view of how Application Auto Scaling and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.
Topics
Application Auto Scaling Identity-Based Policies
With IAM identity-based policies, you can specify allowed or denied actions and resources, and the conditions under which actions are allowed or denied. Application Auto Scaling supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.
Actions
The Action element of an IAM identity-based policy describes the
specific action or actions that will be allowed or denied by the policy. Policy
actions usually have the same name as the associated AWS API operation. The action
is used in a policy to grant permissions to perform the associated operation.
Policy actions in Application Auto Scaling use the
following prefix before the action: application-autoscaling:. Policy
statements must include either an Action or NotAction element.
Application Auto Scaling defines its own set of actions that describe tasks that you
can perform with this
service.
To specify multiple actions in a single statement, separate them with commas as shown in the following example.
"Action": [ "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScalingActivities"
You can specify multiple actions using wildcards (*). For example, to specify all
actions that begin with the word Describe, include the following
action.
"Action": "application-autoscaling:Describe*"
To see a list of Application Auto Scaling actions, see Actions in the Application Auto Scaling API Reference.
Resources
The Resource element specifies the object or objects to which the action
applies.
Application Auto Scaling has no service-defined resources that can be used as the
Resource element of an IAM policy statement. Therefore, there are no
Amazon Resource Names (ARNs) for Application Auto Scaling for you to use in an IAM
policy. To control
access to Application Auto Scaling actions, always use an * (asterisk) as the resource
when writing an
IAM policy.
Condition Keys
The Condition element (or Condition
block) lets you specify conditions in which a statement
is in effect. For example, you might want a policy to be applied only after a specific
date. To express conditions, use predefined condition keys.
Application Auto Scaling does not provide any service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.
The Condition element is optional.
Examples
To view examples of Application Auto Scaling identity-based policies, see Example Policies for Working with the AWS CLI or an AWS SDK.
Application Auto Scaling Resource-Based Policies
Application Auto Scaling does not support resource-based policies.
Access Control Lists (ACLs)
Application Auto Scaling does not support Access Control Lists (ACLs).
Authorization Based on Application Auto Scaling Tags
Application Auto Scaling has no service-defined resources that can be tagged. Therefore, it does not support controlling access based on tags.
Application Auto Scaling IAM Roles
An IAM role is an entity within your AWS account that has specific permissions.
Using Temporary Credentials with Application Auto Scaling
You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.
Application Auto Scaling supports using temporary credentials.
Service-Linked Roles
Service-linked roles give permissions to Application Auto Scaling so that it can make specific calls to other AWS services on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.
Application Auto Scaling supports service-linked roles. For more information, see Service-Linked Roles for Application Auto Scaling.
Service Roles
If your Amazon EMR cluster uses automatic scaling, this feature allows Application Auto Scaling to assume a service role on your behalf. Similar to a service-linked role, a service role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.
Application Auto Scaling supports service roles only for Amazon EMR. For documentation for the EMR service role, see Using Automatic Scaling in Amazon EMR in the Amazon EMR Management Guide.
With the introduction of service-linked roles, several legacy service roles are no longer required. If you specify a legacy service role for any other service (for example, Amazon ECS or Spot Fleet), Application Auto Scaling ignores it. Instead, it uses a service-linked role. If this role doesn't exist, you must have permissions to create it or a permission error occurs.
