AWS Auto Scaling
User Guide

Authentication and Access Control for AWS Auto Scaling

Access to AWS Auto Scaling requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to perform AWS Auto Scaling actions, such as creating scaling plans.

This topic provides details on how you can use AWS Identity and Access Management (IAM) to help secure your resources by controlling who can perform AWS Auto Scaling actions.

By default, a brand new IAM user has no permissions to do anything. To grant permissions to call AWS Auto Scaling actions, you attach an IAM policy to the IAM users or groups that require the permissions it grants.

Specifying Actions in a Policy

You can specify any and all AWS Auto Scaling actions in an IAM policy. For more information, see Actions in the AWS Auto Scaling API Reference.

To specify a single policy, you can use the following prefix with the name of the action: autoscaling-plans:. For example:

"Action": "autoscaling-plans:DescribeScalingPlans"

Wildcards are supported. For example, you can use autoscaling-plans:* to specify all AWS Auto Scaling actions.

"Action": "autoscaling-plans:*"

You can also use Describe* to specify all actions whose names start with Describe.

"Action": "autoscaling-plans:Describe*"

Specifying the Resource

AWS Auto Scaling has no service-defined resources that can be used as the Resource element of an IAM policy statement. Therefore, there are no Amazon Resource Names (ARNs) for you to use in an IAM policy. To control access to AWS Auto Scaling actions, always use an * (asterisk) as the resource when writing an IAM policy.

Specifying Conditions in a Policy

When you grant permissions, you can use IAM policy language to specify the conditions when a policy should take effect. For example, you might want a policy to be applied only after a specific date. To express conditions, use predefined condition keys.

For a list of context keys supported by each AWS service and a list of AWS-wide policy keys, see Actions, Resources, and Condition Keys for AWS Services and AWS Global Condition Context Keys in the IAM User Guide.

AWS Auto Scaling does not provide additional condition keys.

Example Policies

To create a scaling plan, users must have permission to use the actions in the following example policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling-plans:*", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudformation:ListStackResources", "iam:CreateServiceLinkedRole" ], "Resource": "*" } ] }

Additional IAM Permissions

Users must have the following IAM additional permissions for each type of scalable resource they must add to a scaling plan. You can specify the following actions in the Action element of an IAM policy statement.

Auto Scaling groups

  • autoscaling:UpdateAutoScalingGroups

  • autoscaling:DescribeAutoScalingGroups

  • autoscaling:PutScalingPolicy

  • autoscaling:DescribePolicies

  • autoscaling:DeletePolicy

Resource types other than Auto Scaling groups

  • application-autoscaling:RegisterScalableTarget

  • application-autoscaling:DescribeScalableTargets

  • application-autoscaling:DeregisterScalableTarget

  • application-autoscaling:PutScalingPolicy

  • application-autoscaling:DescribeScalingPolicies

  • application-autoscaling:DeleteScalingPolicy

ECS services

  • ecs:DescribeServices

  • ecs:UpdateServices

Spot Fleet requests

  • ec2:DescribeSpotFleetRequests

  • ec2:ModifySpotFleetRequest

DynamoDB tables or global indexes

  • dynamodb:DescribeTable

  • dynamodb:UpdateTable

Aurora DB clusters

  • rds:AddTagsToResource

  • rds:CreateDBInstance

  • rds:DeleteDBInstance

  • rds:DescribeDBClusters

  • rds:DescribeDBInstances