Controlling Access to Your Amazon EC2 Auto Scaling Resources
Amazon EC2 Auto Scaling integrates with AWS Identity and Access Management (IAM), a service that enables you to do the following:
-
Create users and groups under your organization's AWS account.
-
Assign unique security credentials to each user under your AWS account.
-
Control each user's permissions to perform tasks using AWS resources.
-
Allow the users in another AWS account to share your AWS resources.
-
Create roles for your AWS account and define the users or services that can assume them.
-
Use existing identities for your enterprise to grant permissions to perform tasks using AWS resources.
For example, you can create an IAM policy that grants the Managers group permissions
to
use only the DescribeAutoScalingGroups,
DescribeLaunchConfigurations, DescribeScalingActivities, and
DescribePolicies API operations. Users in the Managers group could then use
those operations with any Auto Scaling groups and launch configurations.
You can also create IAM policies that restrict access to a particular Auto Scaling group or launch configuration.
For more information, see Identity and Access Management (IAM) or the IAM User Guide.
Contents
- Amazon EC2 Auto Scaling Actions
- Amazon EC2 Auto Scaling Resources
- Amazon EC2 Auto Scaling Condition Keys
- Supported Resource-Level Permissions
- Predefined AWS Managed Policies
- Customer Managed Policies
- Service-Linked Roles for Amazon EC2 Auto Scaling
- Required CMK Key Policy for Use with Encrypted Volumes
- Launch Auto Scaling Instances with an IAM Role
Amazon EC2 Auto Scaling Actions
You can specify any and all Amazon EC2 Auto Scaling actions in an IAM policy. Use
the following
prefix with the name of the action: autoscaling:. For example:
"Action": "autoscaling:CreateAutoScalingGroup"
To specify multiple actions in a single statement, enclose them in square brackets and separate them with commas, as follows:
"Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ]
You can also use wildcards. For example, use autoscaling:* to specify all
Amazon EC2 Auto Scaling actions.
"Action": "autoscaling:*"
Use Describe:* to specify all actions whose names start with
Describe.
"Action": "autoscaling:Describe*"
For more information, see Amazon EC2 Auto Scaling Actions in the Amazon EC2 Auto Scaling API Reference.
Required Permissions
When calling the following actions, you must grant IAM users permissions to call the action itself, plus additional actions from Amazon EC2 or IAM.
CreateLaunchConfiguration-
-
autoscaling:CreateLaunchConfiguration -
ec2:DescribeImages -
ec2:DescribeInstances -
ec2:DescribeInstanceAttribute -
ec2:DescribeKeyPairs -
ec2:DescribeSecurityGroups -
ec2:DescribeSpotInstanceRequests -
ec2:DescribeVpcClassicLink
-
CreateAutoScalingGroup-
-
autoscaling:CreateAutoScalingGroup -
iam:CreateServiceLinkedRole
-
Amazon EC2 Auto Scaling Resources
For actions that support resource-level permissions, you can control the Auto Scaling group or launch configuration that users are allowed to access.
To specify an Auto Scaling group, you must specify its Amazon Resource Name (ARN) as follows:
"Resource": "arn:aws:autoscaling:region:123456789012:autoScalingGroup:uuid:autoScalingGroupName/asg-name"
To specify an Auto Scaling group with CreateAutoScalingGroup, you must replace
the UUID with * as follows:
"Resource": "arn:aws:autoscaling:region:123456789012:autoScalingGroup:*:autoScalingGroupName/asg-name"
To specify a launch configuration, you must specify its ARN as follows:
"Resource": "arn:aws:autoscaling:region:123456789012:launchConfiguration:uuid:launchConfigurationName/lc-name"
To specify a launch configuration with CreateLaunchConfiguration, you
must replace the UUID with * as follows:
"Resource": "arn:aws:autoscaling:region:123456789012:launchConfiguration:*:launchConfigurationName/lc-name"
The following Amazon EC2 Auto Scaling actions do not support resource-level permissions:
-
DescribeAccountLimits -
DescribeAdjustmentTypes -
DescribeAutoScalingGroups -
DescribeAutoScalingInstances -
DescribeAutoScalingNotificationTypes -
DescribeLaunchConfigurations -
DescribeLifecycleHooks -
DescribeLifecycleHookTypes -
DescribeLoadBalancers -
DescribeLoadBalancerTargetGroups -
DescribeMetricCollectionTypes -
DescribeNotificationConfigurations -
DescribePolicies -
DescribeScalingActivities -
DescribeScalingProcessTypes -
DescribeScheduledActions -
DescribeTags -
DescribeTerminationPolicyTypes
For actions that don't support resource-level permissions, you must use "*" as the resource.
"Resource": "*"
Amazon EC2 Auto Scaling Condition Keys
When you create a policy, you can specify the conditions that control when the policy is in effect. Each condition contains one or more key-value pairs. There are global condition keys and service-specific condition keys.
The following condition keys are specific to Amazon EC2 Auto Scaling:
-
autoscaling:ImageId -
autoscaling:InstanceType -
autoscaling:LaunchConfigurationName -
autoscaling:LaunchTemplateVersionSpecified -
autoscaling:LoadBalancerNames -
autoscaling:MaxSize -
autoscaling:MinSize -
autoscaling:ResourceTag/key -
autoscaling:SpotPrice -
autoscaling:TargetGroupARNs -
autoscaling:VPCZoneIdentifiers
For more information about global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.
Supported Resource-Level Permissions
The following table describes the Amazon EC2 Auto Scaling API actions that support resource-level permissions, as well as the supported condition keys and resources for each action.
| API Action | Condition Keys | Resource ARN |
|---|---|---|
| AttachInstances | autoscaling:ResourceTag/ |
Auto Scaling group |
| AttachLoadBalancers |
|
Auto Scaling group |
| AttachLoadBalancerTargetGroups |
|
Auto Scaling group |
| CompleteLifecycleAction | autoscaling:ResourceTag/ |
Auto Scaling group |
| CreateAutoScalingGroup |
|
Auto Scaling group (replace UUID with *)
|
| CreateLaunchConfiguration |
|
Launch configuration (replace UUID with *)
|
| CreateOrUpdateTags |
|
Auto Scaling group |
| DeleteAutoScalingGroup | autoscaling:ResourceTag/ |
Auto Scaling group |
| DeleteLaunchConfiguration | Launch configuration | |
| DeleteLifecycleHook | autoscaling:ResourceTag/ |
Auto Scaling group |
| DeleteNotificationConfiguration | autoscaling:ResourceTag/ |
Auto Scaling group |
| DeletePolicy | autoscaling:ResourceTag/ |
Auto Scaling group |
| DeleteScheduledAction | autoscaling:ResourceTag/ |
Auto Scaling group |
| DeleteTags |
|
Auto Scaling group |
| DetachInstances | autoscaling:ResourceTag/ |
Auto Scaling group |
| DetachLoadBalancers |
|
Auto Scaling group |
| DetachLoadBalancerTargetGroups |
|
Auto Scaling group |
| DisableMetricsCollection | autoscaling:ResourceTag/ |
Auto Scaling group |
| EnableMetricsCollection | autoscaling:ResourceTag/ |
Auto Scaling group |
| EnterStandby | autoscaling:ResourceTag/ |
Auto Scaling group |
| ExecutePolicy | autoscaling:ResourceTag/ |
Auto Scaling group |
| ExitStandby | autoscaling:ResourceTag/ |
Auto Scaling group |
| PutLifecycleHook | autoscaling:ResourceTag/ |
Auto Scaling group |
| PutNotificationConfiguration | autoscaling:ResourceTag/ |
Auto Scaling group |
| PutScalingPolicy | autoscaling:ResourceTag/ |
Auto Scaling group |
| PutScheduledUpdateGroupAction |
|
Auto Scaling group |
| RecordLifecycleActionHeartbeat | autoscaling:ResourceTag/ |
Auto Scaling group |
| ResumeProcesses | autoscaling:ResourceTag/ |
Auto Scaling group |
| SetDesiredCapacity | autoscaling:ResourceTag/ |
Auto Scaling group |
| SetInstanceHealth | autoscaling:ResourceTag/ |
Auto Scaling group |
| SetInstanceProtection | autoscaling:ResourceTag/ |
Auto Scaling group |
| SuspendProcesses | autoscaling:ResourceTag/ |
Auto Scaling group |
| TerminateInstanceInAutoScalingGroup | autoscaling:ResourceTag/ |
Auto Scaling group |
| UpdateAutoScalingGroup |
|
Auto Scaling group |
Predefined AWS Managed Policies
The managed policies created by AWS grant the required permissions for common use cases. You can attach these policies to your IAM users, based on the access that they need. Each policy grants access to all or some of the API actions for Amazon EC2 Auto Scaling, plus additional API actions for Amazon EC2, CloudWatch, Elastic Load Balancing, IAM, and Amazon SNS.
The following are the AWS managed policies for Amazon EC2 Auto Scaling:
-
AutoScalingConsoleFullAccess — Grants full access to Amazon EC2 Auto Scaling using the AWS Management Console.
-
AutoScalingConsoleReadOnlyAccess — Grants read-only access to Amazon EC2 Auto Scaling using the AWS Management Console.
-
AutoScalingFullAccess — Grants full access to Amazon EC2 Auto Scaling.
-
AutoScalingReadOnlyAccess — Grants read-only access to Amazon EC2 Auto Scaling.
Customer Managed Policies
You can create custom IAM policies that grant your IAM users permissions to perform specific actions on specific resources. The following are example policies for Amazon EC2 Auto Scaling.
Example: Require a Launch Template
When you create or update an Auto Scaling group, you can specify a launch template, a launch configuration, or an EC2 instance. When you specify a launch template, you can configure the Auto Scaling group to use a specific launch template version, the latest version, or the default version when launching instances.
The autoscaling:LaunchTemplateVersionSpecified condition key is a
Boolean value that is set as follows:
-
null- If no launch template is specified. -
true- If a specific launch template version is used. -
false- If either the latest or default launch template version is used.
The following policy grants users permissions to create or update an Auto Scaling group using a specific launch template version, and access the Amazon EC2 resources specified in the launch template.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*", "Condition": { "Bool": { "autoscaling:LaunchTemplateVersionSpecified": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:*" ], "Resource": "*" } ] }
Example: Create and Manage Launch Configurations
The following policy grants users permissions to use all Amazon EC2 Auto Scaling actions
that
include the string LaunchConfiguration in their names. Alternatively,
you can list each action explicitly instead of using wildcards. However, the policy
does not automatically apply to any new Amazon EC2 Auto Scaling actions with
LaunchConfiguration in their names.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:*LaunchConfiguration*", "Resource": "*" }] }
The following policy grants users permissions to create a launch configuration if
the instance type is t2.micro and the name of the launch configuration
starts with t2micro-. They can specify a launch configuration
for an Auto Scaling group only if its name starts with
t2micro-.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "autoscaling:CreateLaunchConfiguration", "Resource": [ "arn:aws:autoscaling:us-east-2:123456789012:launchConfiguration:*:launchConfigurationName/t2micro-*" ], "Condition": { "StringEquals": { "autoscaling:InstanceType": "t2.micro" } } }, { "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "autoscaling:LaunchConfigurationName": "t2micro-*" } } }] }
Example: Create and Manage Auto Scaling Groups and Scaling Policies
The following policy grants users permissions to use all Amazon EC2 Auto Scaling actions
that
include the string Scaling in their names.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["autoscaling:*Scaling*"], "Resource": "*" }] }
The following policy grants users permissions to use all Amazon EC2 Auto Scaling actions
that
include the string Scaling in their names, as long as the Auto Scaling group
has the tag purpose=webserver. Because the
Describe actions do not support resource-level permissions, you
must specify them in a separate statement without conditions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["autoscaling:*Scaling*"], "Resource": "*", "Condition": { "StringEquals": { "autoscaling:ResourceTag/purpose": "webserver" } } }, { "Effect": "Allow", "Action": "autoscaling:Describe*Scaling*", "Resource": "*" }] }
The following policy grants users permissions to use all Amazon EC2 Auto Scaling actions
that
include the string Scaling in their names, as long as they don't
specify a minimum size less than 1 or a maximum size greater than 10. Because the
Describe actions do not support resource-level permissions, you
must specify them in a separate statement without conditions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["autoscaling:*Scaling*"], "Resource": "*", "Condition": { "NumericGreaterThanEqualsIfExists": { "autoscaling:MinSize": 1 }, "NumericLessThanEqualsIfExists": { "autoscaling:MaxSize": 10 } } }, { "Effect": "Allow", "Action": "autoscaling:Describe*Scaling*", "Resource": "*" }] }
Example: Control Access Using Tags
To grant users permissions to create or tag an Auto Scaling group only if they specify
specific tags, use the aws:RequestTag condition key. To allow only
specific tag keys, use the aws:TagKeys condition key with the
ForAnyValue modifier.
The following policy requires users to tag any Auto Scaling groups with the tags
purpose=webserver and
cost-center=cc123, and allows only the
purpose and cost-center tags (no
other tags can be specified).
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/purpose": "webserver", "aws:RequestTag/cost-center": "cc123" }, "ForAllValues:StringEquals": { "aws:TagKeys": ["purpose", "cost-center"] } } }] }
The following policy requires users to specify a tag with the key
environment in the request.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags" ], "Resource": "*", "Condition": { "StringLike": { "aws:RequestTag/environment": "*" } } }] }
The following policy requires users to specify at least one tag in the request,
and allows only the cost-center and
owner keys.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": ["cost-center", "owner"] } } }] }
The following policy grants users access to Auto Scaling groups with the tag
allowed=true and allows them to apply only the tag
environment=test. Because launch configurations do not
support tags and Describe actions do not support resource-level
permissions, you must specify them in a separate statement without
conditions.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:*Scaling*", "Resource": "*", "Condition": { "StringEquals": { "autoscaling:ResourceTag/allowed": "true" }, "StringEqualsIfExists": { "aws:RequestTag/environment": "test" }, "ForAllValues:StringEquals": { "aws:TagKeys": "environment" } } }, { "Effect": "Allow", "Action": [ "autoscaling:*LaunchConfiguration*", "autoscaling:Describe*" ], "Resource": "*" }] }
Example: Change the Capacity of Auto Scaling Groups
The following policy grants users permissions to use the
SetDesiredCapacity action to change the capacity of any Auto Scaling
group.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:SetDesiredCapacity", "Resource": "*" }] }
The following policy grants users permissions to use the
SetDesiredCapacity action to change the capacity of the specified
Auto Scaling groups. Including the UUID ensures that access is granted to the specific
Auto Scaling
group. If you were to delete an Auto Scaling group and create a new one with the same
name,
the UUID for the new group would be different than the UUID for the original
group.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:SetDesiredCapacity", "Resource": [ "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:7fe02b8e-7442-4c9e-8c8e-85fa99e9b5d9:autoScalingGroupName/group-1", "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:9d8e8ea4-22e1-44c7-a14d-520f8518c2b9:autoScalingGroupName/group-2", "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:60d6b363-ae8b-467c-947f-f1d308935521:autoScalingGroupName/group-3" ] }] }
The following policy grants users permissions to use the
SetDesiredCapacity action to change the capacity of any Auto Scaling group
whose name begins with group-.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:SetDesiredCapacity", "Resource": [ "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:*:autoScalingGroupName/group-*" ] }] }
