Amazon EC2 Auto Scaling
User Guide

Controlling Access to Your Amazon EC2 Auto Scaling Resources

Access to Amazon EC2 Auto Scaling requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to perform Amazon EC2 Auto Scaling actions.

This topic provides details on how you can use AWS Identity and Access Management (IAM) to help secure your resources by controlling who can perform Amazon EC2 Auto Scaling actions.

By default, a brand new IAM user has no permissions to do anything. To grant permissions to call Amazon EC2 Auto Scaling actions, you attach an IAM policy to the IAM users or groups that require the permissions it grants.

Specifying Actions in a Policy

You can specify any and all Amazon EC2 Auto Scaling actions in an IAM policy. For more information, see Actions in the Amazon EC2 Auto Scaling API Reference.

To specify a single action, use the autoscaling: prefix followed by the name of the action. For example:

"Action": "autoscaling:CreateAutoScalingGroup"

To specify multiple actions in a single policy, enclose them in square brackets and separate them with commas, as follows:

"Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ]

Wildcards are supported. For example, you can use autoscaling:* to specify all Amazon EC2 Auto Scaling actions.

"Action": "autoscaling:*"

You can also use Describe* to specify all actions whose names start with Describe.

"Action": "autoscaling:Describe*"

Additional IAM Permissions

Users must have additional permissions from Amazon EC2 and IAM to perform certain actions. You specify the following actions in the Action element of an IAM policy statement.

Create an Auto Scaling group using a launch configuration

  • autoscaling:CreateAutoScalingGroup

  • iam:CreateServiceLinkedRole

Create an Auto Scaling group using a launch template

  • autoscaling:CreateAutoScalingGroup

  • iam:CreateServiceLinkedRole

  • ec2:RunInstances

Update an Auto Scaling group that uses a launch template

  • autoscaling:UpdateAutoScalingGroup

  • ec2:RunInstances

Create a launch configuration

  • autoscaling:CreateLaunchConfiguration

  • ec2:DescribeImages

  • ec2:DescribeInstances

  • ec2:DescribeInstanceAttribute

  • ec2:DescribeKeyPairs

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSpotInstanceRequests

  • ec2:DescribeVpcClassicLink

Users may require additional permissions to create or use Amazon EC2 resources, for example, to work with volumes and manage security groups from the console. For more information, see Example Policies for Working in the Amazon EC2 Console in the Amazon EC2 User Guide for Linux Instances. For information about permissions for creating and updating launch templates, see Controlling the Use of Launch Templates in the Amazon EC2 User Guide for Linux Instances.

There are also additional API actions for CloudWatch, Elastic Load Balancing, IAM, and Amazon SNS that may be required. For example, the iam:PassRole action is required to use an instance profile.

Specifying the Resource

Access to resources can be controlled with an IAM policy. For actions that support resource-level permissions, you use an Amazon Resource Name (ARN) to identify the resource the policy applies to.

To specify an Auto Scaling group, you must specify its ARN as follows:

"Resource": "arn:aws:autoscaling:region:123456789012:autoScalingGroup:uuid:autoScalingGroupName/asg-name"

To specify a launch configuration, you must specify its ARN as follows:

"Resource": "arn:aws:autoscaling:region:123456789012:launchConfiguration:uuid:launchConfigurationName/lc-name"

To specify an Auto Scaling group with the CreateAutoScalingGroup action, you must replace the UUID with * as follows:

"Resource": "arn:aws:autoscaling:region:123456789012:autoScalingGroup:*:autoScalingGroupName/asg-name"

To specify a launch configuration with the CreateLaunchConfiguration action, you must replace the UUID with * as follows:

"Resource": "arn:aws:autoscaling:region:123456789012:launchConfiguration:*:launchConfigurationName/lc-name"

Alternatively, you can use the * wildcard as the resource if you do not want to target a specific resource.

"Resource": "*"

All Amazon EC2 Auto Scaling actions can be used in an IAM policy to either grant or deny users permission to use that action. However, not all Amazon EC2 Auto Scaling actions support resource-level permissions, which enable you to specify the resources on which an action can be performed.

For actions that don't support resource-level permissions, you must use "*" as the resource.

The following Amazon EC2 Auto Scaling actions do not support resource-level permissions:

  • DescribeAccountLimits

  • DescribeAdjustmentTypes

  • DescribeAutoScalingGroups

  • DescribeAutoScalingInstances

  • DescribeAutoScalingNotificationTypes

  • DescribeLaunchConfigurations

  • DescribeLifecycleHooks

  • DescribeLifecycleHookTypes

  • DescribeLoadBalancers

  • DescribeLoadBalancerTargetGroups

  • DescribeMetricCollectionTypes

  • DescribeNotificationConfigurations

  • DescribePolicies

  • DescribeScalingActivities

  • DescribeScalingProcessTypes

  • DescribeScheduledActions

  • DescribeTags

  • DescribeTerminationPolicyTypes
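A check for the rule above, written as an added example that is not part of this guide: it flags the non-resource-level actions that a policy reaches only through a statement with a narrowed Resource or a Condition, so they still need the separate "Resource": "*" statement without conditions that the later examples on this page add. The action list is the one on this page; the sample policies are constructed here, and the matching is the usual IAM case-insensitive wildcard matching for action names.

```python
import fnmatch

# Amazon EC2 Auto Scaling actions listed on this page as not supporting
# resource-level permissions: a statement that grants them must use
# "Resource": "*" and carry no Condition.
NO_RESOURCE_LEVEL = {
    "DescribeAccountLimits", "DescribeAdjustmentTypes",
    "DescribeAutoScalingGroups", "DescribeAutoScalingInstances",
    "DescribeAutoScalingNotificationTypes", "DescribeLaunchConfigurations",
    "DescribeLifecycleHooks", "DescribeLifecycleHookTypes",
    "DescribeLoadBalancers", "DescribeLoadBalancerTargetGroups",
    "DescribeMetricCollectionTypes", "DescribeNotificationConfigurations",
    "DescribePolicies", "DescribeScalingActivities",
    "DescribeScalingProcessTypes", "DescribeScheduledActions",
    "DescribeTags", "DescribeTerminationPolicyTypes",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def ungranted_describe_actions(policy):
    """Return the non-resource-level actions that some Allow statement reaches
    (by name or wildcard) but that no Allow statement grants with
    "Resource": "*" and no Condition, i.e. the ones that still need a
    separate plain statement."""
    reached, plain = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        hit = {a for a in NO_RESOURCE_LEVEL
               if any(_action_matches(p, "autoscaling:" + a) for p in patterns)}
        reached |= hit
        if _as_list(stmt.get("Resource", [])) == ["*"] and "Condition" not in stmt:
            plain |= hit
    return sorted(reached - plain)


# Constructed policy: the tag-conditioned statement on its own, without the
# separate unconditioned Describe statement this page pairs it with.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["autoscaling:*Scaling*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"autoscaling:ResourceTag/purpose": "webserver"}},
    }],
}

# The same policy with the Describe statement added, as the page shows it.
COMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": INCOMPLETE_POLICY["Statement"] + [{
        "Effect": "Allow",
        "Action": "autoscaling:Describe*Scaling*",
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print("incomplete:", ungranted_describe_actions(INCOMPLETE_POLICY))
    print("complete:  ", ungranted_describe_actions(COMPLETE_POLICY))
```

Run against the incomplete policy, the check lists the five Describe actions that the `*Scaling*` wildcard reaches (DescribeAutoScalingGroups, DescribeAutoScalingInstances, DescribeAutoScalingNotificationTypes, DescribeScalingActivities, DescribeScalingProcessTypes); against the complete policy it lists nothing. The check only inspects Allow statements; a Deny on these actions is a separate question.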

Specifying Conditions in a Policy

For actions that support resource-level permissions, you can control when users are allowed to use those actions based on conditions that have to be fulfilled.

When you grant permissions, you can use IAM policy language and predefined condition keys to specify the conditions.

The following condition keys are specific to Amazon EC2 Auto Scaling:

  • autoscaling:ImageId

  • autoscaling:InstanceType

  • autoscaling:InstanceTypes

  • autoscaling:LaunchConfigurationName

  • autoscaling:LaunchTemplateVersionSpecified

  • autoscaling:LoadBalancerNames

  • autoscaling:MaxSize

  • autoscaling:MinSize

  • autoscaling:ResourceTag/key

  • autoscaling:SpotPrice

  • autoscaling:TargetGroupARNs

  • autoscaling:VPCZoneIdentifiers

For a complete list of constrainable API actions, the supported condition keys for each action, and the AWS-wide condition keys, see Actions, Resources, and Condition Keys for Amazon EC2 Auto Scaling and AWS Global Condition Context Keys in the IAM User Guide.

Predefined AWS Managed Policies

The managed policies created by AWS grant the required permissions for common use cases. You can attach these policies to your IAM users, based on the access that they need. Each policy grants access to all or some of the API actions for Amazon EC2 Auto Scaling.

The following are the AWS managed policies for Amazon EC2 Auto Scaling:

  • AutoScalingConsoleFullAccess — Grants full access to Amazon EC2 Auto Scaling using the AWS Management Console.

  • AutoScalingConsoleReadOnlyAccess — Grants read-only access to Amazon EC2 Auto Scaling using the AWS Management Console.

  • AutoScalingFullAccess — Grants full access to Amazon EC2 Auto Scaling.

  • AutoScalingReadOnlyAccess — Grants read-only access to Amazon EC2 Auto Scaling.

You can also use the AmazonEC2FullAccess policy to grant full access to all Amazon EC2 resources and related services.

Customer Managed Policies

You can create custom IAM policies that grant your IAM users permissions to perform specific actions on specific resources. The following are example policies for Amazon EC2 Auto Scaling.

Example: Require a Launch Template

The following policy grants IAM users permissions to create and update Auto Scaling groups on one condition. They must use a launch template and specify the version of the launch template the group uses to launch instances. Each instance uses the user-specified launch template version during launch. Users may access the Amazon EC2 resources specified in the launch template.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "autoscaling:LaunchTemplateVersionSpecified": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": "*"
    }
  ]
}

The autoscaling:LaunchTemplateVersionSpecified condition key accepts the following values:

  • true - Ensures that a launch template version is specified.

  • false - Ensures that either the Latest or Default launch template version is specified.

  • null - Ensures that a launch template is not specified.

The ec2:* action grants permission to call all Amazon EC2 API actions and access all Amazon EC2 resources.

Example: Create and Manage Launch Configurations

The following policy grants users permissions to use all Amazon EC2 Auto Scaling actions that include the string LaunchConfiguration in their names. Alternatively, you can list each action explicitly instead of using wildcards; however, a policy written that way does not automatically apply to any new Amazon EC2 Auto Scaling actions with LaunchConfiguration in their names.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "autoscaling:*LaunchConfiguration*",
      "Resource": "*"
    }
  ]
}

The following policy grants users permissions to create a launch configuration if the instance type is t2.micro and the name of the launch configuration starts with t2micro-. They can specify a launch configuration for an Auto Scaling group only if its name starts with t2micro-.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "autoscaling:CreateLaunchConfiguration",
      "Resource": [
        "arn:aws:autoscaling:us-east-2:123456789012:launchConfiguration:*:launchConfigurationName/t2micro-*"
      ],
      "Condition": {
        "StringEquals": {
          "autoscaling:InstanceType": "t2.micro"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringLikeIfExists": {
          "autoscaling:LaunchConfigurationName": "t2micro-*"
        }
      }
    }
  ]
}

Example: Create and Manage Auto Scaling Groups and Scaling Policies

The following policy grants users permissions to use all Amazon EC2 Auto Scaling actions that include the string Scaling in their names.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["autoscaling:*Scaling*"],
      "Resource": "*"
    }
  ]
}

The following policy grants users permissions to use all Amazon EC2 Auto Scaling actions that include the string Scaling in their names, as long as the Auto Scaling group has the tag purpose=webserver. Because the Describe actions do not support resource-level permissions, you must specify them in a separate statement without conditions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["autoscaling:*Scaling*"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "autoscaling:ResourceTag/purpose": "webserver"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*Scaling*",
      "Resource": "*"
    }
  ]
}

The following policy grants users permissions to use all Amazon EC2 Auto Scaling actions that include the string Scaling in their names, as long as they don't specify a minimum size less than 1 or a maximum size greater than 10. Because the Describe actions do not support resource-level permissions, you must specify them in a separate statement without conditions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["autoscaling:*Scaling*"],
      "Resource": "*",
      "Condition": {
        "NumericGreaterThanEqualsIfExists": {
          "autoscaling:MinSize": 1
        },
        "NumericLessThanEqualsIfExists": {
          "autoscaling:MaxSize": 10
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*Scaling*",
      "Resource": "*"
    }
  ]
}

Example: Control Access Using Tags

To grant users permissions to create or tag an Auto Scaling group only if they specify specific tags, use the aws:RequestTag condition key. To allow only specific tag keys, use the aws:TagKeys condition key with the ForAnyValue modifier.

The following policy requires users to tag any Auto Scaling groups with the tags purpose=webserver and cost-center=cc123, and allows only the purpose and cost-center tags (no other tags can be specified).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/purpose": "webserver",
          "aws:RequestTag/cost-center": "cc123"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["purpose", "cost-center"]
        }
      }
    }
  ]
}

The following policy requires users to specify a tag with the key environment in the request.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/environment": "*"
        }
      }
    }
  ]
}

The following policy requires users to specify at least one tag in the request, and allows only the cost-center and owner keys.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["cost-center", "owner"]
        }
      }
    }
  ]
}

The following policy grants users access to Auto Scaling groups with the tag allowed=true and allows them to apply only the tag environment=test. Because launch configurations do not support tags and Describe actions do not support resource-level permissions, you must specify them in a separate statement without conditions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "autoscaling:*Scaling*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "autoscaling:ResourceTag/allowed": "true"
        },
        "StringEqualsIfExists": {
          "aws:RequestTag/environment": "test"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "environment"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:*LaunchConfiguration*",
        "autoscaling:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

Example: Change the Capacity of Auto Scaling Groups

The following policy grants users permissions to use the SetDesiredCapacity action to change the capacity of any Auto Scaling group.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "autoscaling:SetDesiredCapacity",
      "Resource": "*"
    }
  ]
}

The following policy grants users permissions to use the SetDesiredCapacity action to change the capacity of the specified Auto Scaling groups. Including the UUID ensures that access is granted to the specific Auto Scaling group. The UUID for a new group is different from the UUID for a deleted group with the same name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "autoscaling:SetDesiredCapacity",
      "Resource": [
        "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:7fe02b8e-7442-4c9e-8c8e-85fa99e9b5d9:autoScalingGroupName/group-1",
        "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:9d8e8ea4-22e1-44c7-a14d-520f8518c2b9:autoScalingGroupName/group-2",
        "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:60d6b363-ae8b-467c-947f-f1d308935521:autoScalingGroupName/group-3"
      ]
    }
  ]
}

The following policy grants users permissions to use the SetDesiredCapacity action to change the capacity of any Auto Scaling group whose name begins with group-.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "autoscaling:SetDesiredCapacity",
      "Resource": [
        "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:*:autoScalingGroupName/group-*"
      ]
    }
  ]
}
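The following is an added example, not part of this guide and not AWS code: a deliberately small model of how IAM evaluates the policy elements discussed on this page (action wildcards from Specifying Actions in a Policy, ARN patterns with the UUID replaced by * from Specifying the Resource, and the condition operators from the tag, size and capacity examples above). It models only the documented rules this page relies on: a condition key missing from the request satisfies an operator with the IfExists suffix and a ForAllValues set comparison, and fails every other operator. The three policies are copied from this page (the size policy without its Describe statement); the request contexts and the group UUID are constructed for illustration. It is not the IAM engine and ignores NotAction, principals, resource policies and other features.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

# Comparison operators modelled here; each compares one request value with one policy value.
_OPS = {
    "StringEquals": lambda req, pol: req == pol,
    "StringLike": lambda req, pol: fnmatch.fnmatchcase(req, pol),
    "Bool": lambda req, pol: req.lower() == pol.lower(),
    "NumericGreaterThanEquals": lambda req, pol: float(req) >= float(pol),
    "NumericLessThanEquals": lambda req, pol: float(req) <= float(pol),
}

def condition_holds(operator, key, policy_values, context):
    """Evaluate one condition key against the request context (key -> value or list).
    Models the IAM rules for the IfExists suffix and the ForAllValues/ForAnyValue set
    operators: a key missing from the request satisfies IfExists and ForAllValues and
    fails every other form."""
    set_mode = None
    if ":" in operator:
        set_mode, operator = operator.split(":", 1)
    if_exists = operator.endswith("IfExists")
    if if_exists:
        operator = operator[:-len("IfExists")]
    compare = _OPS[operator]
    if key not in context:
        return if_exists or set_mode == "ForAllValues"
    policy_values = [str(v) for v in _as_list(policy_values)]
    hits = [any(compare(str(r), p) for p in policy_values) for r in _as_list(context[key])]
    return any(hits) if set_mode == "ForAnyValue" else all(hits)

def is_allowed(policy, action, resource, context):
    """Simplified IAM evaluation: a matching Deny wins; otherwise some Allow must match."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names match case-insensitively; ARNs match case-sensitively.
        action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                        for p in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        conds_ok = all(condition_holds(op, key, vals, context)
                       for op, block in stmt.get("Condition", {}).items()
                       for key, vals in block.items())
        if action_ok and resource_ok and conds_ok:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Policies from this page (account id and names are the page's own examples).
TAG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {"aws:RequestTag/purpose": "webserver", "aws:RequestTag/cost-center": "cc123"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["purpose", "cost-center"]}}}]}

SIZE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["autoscaling:*Scaling*"], "Resource": "*",
    "Condition": {"NumericGreaterThanEqualsIfExists": {"autoscaling:MinSize": 1},
                  "NumericLessThanEqualsIfExists": {"autoscaling:MaxSize": 10}}}]}

NAME_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "autoscaling:SetDesiredCapacity",
    "Resource": "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:*:autoScalingGroupName/group-*"}]}

def demo():
    """Constructed requests against the page's policies; returns each decision."""
    create, update = "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup"
    set_cap = "autoscaling:SetDesiredCapacity"
    tags = {"aws:RequestTag/purpose": "webserver", "aws:RequestTag/cost-center": "cc123",
            "aws:TagKeys": ["purpose", "cost-center"]}
    extra = {**tags, "aws:RequestTag/owner": "alice", "aws:TagKeys": [*tags["aws:TagKeys"], "owner"]}
    # Constructed ARN: the UUID is made up for illustration.
    group_1 = ("arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:"
               "11111111-2222-3333-4444-555555555555:autoScalingGroupName/group-1")
    # "*" as the request resource stands for any resource where the statement is not resource-scoped.
    return {
        "both_tags": is_allowed(TAG_POLICY, create, "*", tags),
        "extra_tag": is_allowed(TAG_POLICY, create, "*", extra),
        "no_tags": is_allowed(TAG_POLICY, create, "*", {}),
        "size_ok": is_allowed(SIZE_POLICY, update, "*", {"autoscaling:MinSize": 2, "autoscaling:MaxSize": 10}),
        "size_too_big": is_allowed(SIZE_POLICY, update, "*", {"autoscaling:MaxSize": 11}),
        "size_absent": is_allowed(SIZE_POLICY, "autoscaling:PutScalingPolicy", "*", {}),
        "not_scaling": is_allowed(SIZE_POLICY, set_cap, "*", {}),
        "name_match": is_allowed(NAME_POLICY, set_cap, group_1, {}),
        "name_other": is_allowed(NAME_POLICY, set_cap, group_1.replace("group-1", "prod-1"), {}),
        "forall_empty": condition_holds("ForAllValues:StringEquals", "aws:TagKeys", ["purpose"], {}),
        "forany_empty": condition_holds("ForAnyValue:StringEquals", "aws:TagKeys", ["purpose"], {}),
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14} {'ALLOW' if decision else 'DENY'}")
```

Two results are worth noting. A request with no tags at all passes the ForAllValues:StringEquals check on aws:TagKeys (forall_empty is true), which is why the page's tag policy pairs it with StringEquals on aws:RequestTag, and why the policy that requires at least one tag uses ForAnyValue instead. And autoscaling:*Scaling* does not match SetDesiredCapacity (not_scaling is false), so the size-bounded policy above grants that action nowhere; a wildcard pattern should always be checked against the actions you expect it to cover.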