Controlling Access to Your Amazon EC2 Auto Scaling Resources
Amazon EC2 Auto Scaling integrates with AWS Identity and Access Management (IAM), a service that enables you to do the following:
-
Create users and groups under your organization's AWS account
-
Assign unique security credentials to each user under your AWS account
-
Control each user's permissions to perform tasks using AWS resources
-
Allow the users in another AWS account to share your AWS resources
-
Create roles for your AWS account and define the users or services that can assume them
-
Use existing identities for your enterprise to grant permissions to perform tasks using AWS resources
For example, you can create an IAM policy that grants the Managers group permission
to
use only the DescribeAutoScalingGroups, DescribeLaunchConfigurations,
DescribeScalingActivities, and DescribePolicies API operations.
Users in the Managers group could then use those operations with any Auto Scaling
groups and launch
configurations.
You can also create IAM policies that restrict access to a particular Auto Scaling group or launch configuration.
For more information, see Identity and Access Management (IAM) or the IAM User Guide.
Contents
Amazon EC2 Auto Scaling Actions
You can specify any and all Amazon EC2 Auto Scaling actions in an IAM policy. Use
the following prefix
with the name of the action: autoscaling:. For example:
"Action": "autoscaling:CreateAutoScalingGroup"
To specify multiple actions in a single statement, enclose them in square brackets and separate them with commas, as follows:
"Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ]
You can also use wildcards. For example, use autoscaling:* to specify all Amazon EC2 Auto Scaling actions.
"Action": "autoscaling:*"
Use Describe:* to specify all actions whose names start with Describe.
"Action": "autoscaling:Describe*"
For more information, see Amazon EC2 Auto Scaling Actions in the Amazon EC2 Auto Scaling API Reference.
Required Permissions
When calling the following actions, you must grant IAM users permission to call the action itself, plus additional actions from Amazon EC2 or IAM.
CreateLaunchConfiguration-
-
autoscaling:CreateLaunchConfiguration -
ec2:DescribeImages -
ec2:DescribeInstances -
ec2:DescribeInstanceAttribute -
ec2:DescribeKeyPairs -
ec2:DescribeSecurityGroups -
ec2:DescribeSpotInstanceRequests -
ec2:DescribeVpcClassicLink
-
CreateAutoScalingGroup-
-
autoscaling:CreateAutoScalingGroup -
iam:CreateServiceLinkedRole
-
Amazon EC2 Auto Scaling Resources
For actions that support resource-level permissions, you can control the Auto Scaling group or launch configuration that users are allowed to access.
To specify an Auto Scaling group, you must specify its Amazon Resource Name (ARN) as follows:
"Resource": "arn:aws:autoscaling:region:123456789012:autoScalingGroup:uuid:autoScalingGroupName/asg-name"
To specify an Auto Scaling group with CreateAutoScalingGroup, you must replace the UUID with * as follows:
"Resource": "arn:aws:autoscaling:region:123456789012:autoScalingGroup:*:autoScalingGroupName/asg-name"
To specify a launch configuration, you must specify its ARN as follows:
"Resource": "arn:aws:autoscaling:region:123456789012:launchConfiguration:uuid:launchConfigurationName/lc-name"
To specify a launch configuration with CreateLaunchConfiguration, you must replace the UUID with * as follows:
"Resource": "arn:aws:autoscaling:region:123456789012:launchConfiguration:*:launchConfigurationName/lc-name"
The following Amazon EC2 Auto Scaling actions do not support resource-level permissions:
-
DescribeAccountLimits -
DescribeAdjustmentTypes -
DescribeAutoScalingGroups -
DescribeAutoScalingInstances -
DescribeAutoScalingNotificationTypes -
DescribeLaunchConfigurations -
DescribeLifecycleHooks -
DescribeLifecycleHookTypes -
DescribeLoadBalancers -
DescribeLoadBalancerTargetGroups -
DescribeMetricCollectionTypes -
DescribeNotificationConfigurations -
DescribePolicies -
DescribeScalingActivities -
DescribeScalingProcessTypes -
DescribeScheduledActions -
DescribeTags -
DescribeTerminationPolicyTypes
For actions that don't support resource-level permissions, you must use "*" as the resource.
"Resource": "*"
Amazon EC2 Auto Scaling Condition Keys
When you create a policy, you can specify the conditions that control when the policy is in effect. Each condition contains one or more key-value pairs. There are global condition keys and service-specific condition keys.
The following condition keys are specific to Amazon EC2 Auto Scaling:
-
autoscaling:ImageId -
autoscaling:InstanceType -
autoscaling:LaunchConfigurationName -
autoscaling:LaunchTemplateVersionSpecified -
autoscaling:LoadBalancerNames -
autoscaling:MaxSize -
autoscaling:MinSize -
autoscaling:ResourceTag/key -
autoscaling:SpotPrice -
autoscaling:TargetGroupARNs -
autoscaling:VPCZoneIdentifiers
For more information about global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.
Supported Resource-Level Permissions
The following table describes the Amazon EC2 Auto Scaling API actions that support resource-level permissions, as well as the supported condition keys and resources for each action.
| API Action | Condition Keys | Resource ARN |
|---|---|---|
| AttachInstances | autoscaling:ResourceTag/ |
Auto Scaling group |
| AttachLoadBalancers |
|
Auto Scaling group |
| AttachLoadBalancerTargetGroups |
|
Auto Scaling group |
| CompleteLifecycleAction | autoscaling:ResourceTag/ |
Auto Scaling group |
| CreateAutoScalingGroup |
|
Auto Scaling group (replace UUID with *)
|
| CreateLaunchConfiguration |
|
Launch configuration (replace UUID with *)
|
| CreateOrUpdateTags |
|
Auto Scaling group |
| DeleteAutoScalingGroup | autoscaling:ResourceTag/ |
Auto Scaling group |
| DeleteLaunchConfiguration | Launch configuration | |
| DeleteLifecycleHook | autoscaling:ResourceTag/ |
Auto Scaling group |
| DeleteNotificationConfiguration | autoscaling:ResourceTag/ |
Auto Scaling group |
| DeletePolicy | autoscaling:ResourceTag/ |
Auto Scaling group |
| DeleteScheduledAction | autoscaling:ResourceTag/ |
Auto Scaling group |
| DeleteTags |
|
Auto Scaling group |
| DetachInstances | autoscaling:ResourceTag/ |
Auto Scaling group |
| DetachLoadBalancers |
|
Auto Scaling group |
| DetachLoadBalancerTargetGroups |
|
Auto Scaling group |
| DisableMetricsCollection | autoscaling:ResourceTag/ |
Auto Scaling group |
| EnableMetricsCollection | autoscaling:ResourceTag/ |
Auto Scaling group |
| EnterStandby | autoscaling:ResourceTag/ |
Auto Scaling group |
| ExecutePolicy | autoscaling:ResourceTag/ |
Auto Scaling group |
| ExitStandby | autoscaling:ResourceTag/ |
Auto Scaling group |
| PutLifecycleHook | autoscaling:ResourceTag/ |
Auto Scaling group |
| PutNotificationConfiguration | autoscaling:ResourceTag/ |
Auto Scaling group |
| PutScalingPolicy | autoscaling:ResourceTag/ |
Auto Scaling group |
| PutScheduledUpdateGroupAction |
|
Auto Scaling group |
| RecordLifecycleActionHeartbeat | autoscaling:ResourceTag/ |
Auto Scaling group |
| ResumeProcesses | autoscaling:ResourceTag/ |
Auto Scaling group |
| SetDesiredCapacity | autoscaling:ResourceTag/ |
Auto Scaling group |
| SetInstanceHealth | autoscaling:ResourceTag/ |
Auto Scaling group |
| SetInstanceProtection | autoscaling:ResourceTag/ |
Auto Scaling group |
| SuspendProcesses | autoscaling:ResourceTag/ |
Auto Scaling group |
| TerminateInstanceInAutoScalingGroup | autoscaling:ResourceTag/ |
Auto Scaling group |
| UpdateAutoScalingGroup |
|
Auto Scaling group |
Predefined AWS Managed Policies
The managed policies created by AWS grant the required permissions for common use cases. You can attach these policies to your IAM users, based on the access that they need. Each policy grants access to all or some of the API actions for Amazon EC2 Auto Scaling, plus additional API actions for Amazon EC2, CloudWatch, Elastic Load Balancing, IAM, and Amazon SNS.
The following are the AWS managed policies for Amazon EC2 Auto Scaling:
-
AutoScalingConsoleFullAccess — Grants full access to Amazon EC2 Auto Scaling using the AWS Management Console.
-
AutoScalingConsoleReadOnlyAccess — Grants read-only access to Amazon EC2 Auto Scaling using the AWS Management Console.
-
AutoScalingFullAccess — Grants full access to Amazon EC2 Auto Scaling.
-
AutoScalingReadOnlyAccess — Grants read-only access to Amazon EC2 Auto Scaling.
Customer Managed Policies
You can create custom IAM policies that grant your IAM users permissions to perform specific actions on specific resources. The following are example policies for Amazon EC2 Auto Scaling.
Example: Require a Launch Template
When you create or update an Auto Scaling group, you can specify a launch template, a launch configuration, or an EC2 instance. When you specify a launch template, you can configure the Auto Scaling group to use a specific launch template version, the latest version, or the default version when launching instances.
The autoscaling:LaunchTemplateVersionSpecified condition key is a Boolean value that
is set as follows:
-
null- If no launch template is specified -
true- If a specific launch template version is used -
false- If either the latest or default launch template version is used
The following policy grants users permission to create or update an Auto Scaling group using a specific launch template version, and access the Amazon EC2 resources specified in the launch template.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*", "Condition": { "Bool": { "autoscaling:LaunchTemplateVersionSpecified": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:*" ], "Resource": "*" } ] }
Example: Create and Manage Launch Configurations
The following policy grants users permission to use all Amazon EC2 Auto Scaling actions
that include the string
LaunchConfiguration in their names. Alternatively, you can list each action explicitly
instead of using wildcards. However, the policy would not automatically apply to any
new Amazon EC2 Auto Scaling actions
with LaunchConfiguration in their names.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:*LaunchConfiguration*", "Resource": "*" }] }
The following policy grants users permission to create a launch configuration if the
instance type is
t2.micro and the name of the launch configuration starts with t2micro-,
and specify a launch configuration for an Auto Scaling group only if its name starts
with t2micro-.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "autoscaling:CreateLaunchConfiguration", "Resource": [ "arn:aws:autoscaling:us-east-2:123456789012:launchConfiguration:*:launchConfigurationName/t2micro-*" ], "Condition": { "StringEquals": { "autoscaling:InstanceType": "t2.micro" } } }, { "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "autoscaling:LaunchConfigurationName": "t2micro-*" } } }] }
Example: Create and Manage Auto Scaling Groups and Scaling Policies
The following policy grants users permission to use all Amazon EC2 Auto Scaling actions
that include the string
Scaling in their names.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["autoscaling:*Scaling*"], "Resource": "*" }] }
The following policy grants users permission to use all Amazon EC2 Auto Scaling actions
that include the string
Scaling in their names, as long as the Auto Scaling group has the tag purpose=webserver.
Because the Describe actions do not support resource-level permissions, you must
specify them in a separate statement without conditions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["autoscaling:*Scaling*"], "Resource": "*", "Condition": { "StringEquals": { "autoscaling:ResourceTag/purpose": "webserver" } } }, { "Effect": "Allow", "Action": "autoscaling:Describe*Scaling*", "Resource": "*" }] }
The following policy grants users permission to use all Amazon EC2 Auto Scaling actions
that include the string
Scaling in their names, as long as they don't specify a minimum size less than 1
or a maximum size greater than 10. Because the Describe actions do not support
resource-level permissions, you must specify them in a separate statement without
conditions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["autoscaling:*Scaling*"], "Resource": "*", "Condition": { "NumericGreaterThanEqualsIfExists": { "autoscaling:MinSize": 1 }, "NumericLessThanEqualsIfExists": { "autoscaling:MaxSize": 10 } } }, { "Effect": "Allow", "Action": "autoscaling:Describe*Scaling*", "Resource": "*" }] }
Example: Control Access Using Tags
To grant users permission to create or tag an Auto Scaling group only if they specify
specific tags, use the aws:RequestTag condition key. To allow only
specific tag keys, use the aws:TagKeys condition key with the
ForAnyValue modifier.
The following policy requires users to tag any Auto Scaling groups with the tags
purpose=webserver and cost-center=cc123,
and allows only the purpose and cost-center
tags (no other tags can be specified).
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/purpose": "webserver", "aws:RequestTag/cost-center": "cc123" }, "ForAllValues:StringEquals": { "aws:TagKeys": ["purpose", "cost-center"] } } }] }
The following policy requires users to specify a tag with the key environment
in the request.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags" ], "Resource": "*", "Condition": { "StringLike": { "aws:RequestTag/environment": "*" } } }] }
The following policy requires users to specify at least one tag in the request, and
allows only
the cost-center and owner keys.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": ["cost-center", "owner"] } } }] }
The following policy grants users access to Auto Scaling groups with the tag allowed=true
and allows them to apply only the tag environment=test. Because launch configurations
do not support tags and Describe actions do not support resource-level permissions, you must
specify them in a separate statement without conditions.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:*Scaling*", "Resource": "*", "Condition": { "StringEquals": { "autoscaling:ResourceTag/allowed": "true" }, "StringEqualsIfExists": { "aws:RequestTag/environment": "test" }, "ForAllValues:StringEquals": { "aws:TagKeys": "environment" } } }, { "Effect": "Allow", "Action": [ "autoscaling:*LaunchConfiguration*", "autoscaling:Describe*" ], "Resource": "*" }] }
Example: Change the Capacity of Auto Scaling Groups
The following policy grants users permission to use the SetDesiredCapacity action
to change the capacity of any Auto Scaling group.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:SetDesiredCapacity", "Resource": "*" }] }
The following policy grants users permission to use the SetDesiredCapacity action
to change the capacity of the specified Auto Scaling groups. Note that including the
UUID ensures that
access is granted to the specific Auto Scaling group. If you were to delete an Auto
Scaling group and create a
new one with the same name, the UUID for the new group would be different than the
UUID for the
original group.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:SetDesiredCapacity", "Resource": [ "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:7fe02b8e-7442-4c9e-8c8e-85fa99e9b5d9:autoScalingGroupName/group-1", "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:9d8e8ea4-22e1-44c7-a14d-520f8518c2b9:autoScalingGroupName/group-2", "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:60d6b363-ae8b-467c-947f-f1d308935521:autoScalingGroupName/group-3" ] }] }
The following policy grants users permission to use the SetDesiredCapacity action
to change the capacity of any Auto Scaling group whose name begins with group-.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "autoscaling:SetDesiredCapacity", "Resource": [ "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:*:autoScalingGroupName/group-*" ] }] }
