AWS managed policies for AWS Elastic Beanstalk - AWS Elastic Beanstalk

AWS managed policies for AWS Elastic Beanstalk

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

Elastic Beanstalk updates to AWS managed policies

View details about updates to AWS managed policies for Elastic Beanstalk since March 1, 2021.

To see the JSON source for a specific managed policy, see the AWS Managed Policy Reference Guide.

Change Description Date

The following polices were updated:

  • AWSElasticBeanstalkInternalMaintenanceRolePolicy

  • AWSElasticBeanstalkMaintenance

  • AWSElasticBeanstalkManagedUpdatesInternalServiceRolePolicy

  • AWSElasticBeanstalkManagedUpdatesServiceRolePolicy

  • AWSElasticBeanstalkRoleCore

These policies were updated to allow Elastic Beanstalk to add or remove tags when it creates or updates an AWS CloudFormation stack or change set.

For more information about AWSElasticBeanstalkManagedUpdatesServiceRolePolicy, see Service-linked role permissions for Elastic Beanstalk.

For more information about AWSElasticBeanstalkRoleCore, see Policies for integration with other services.

April 30, 2024

AWSElasticBeanstalkService –Updated existing policy

This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Elastic Load Balancing, Auto Scaling groups (ASG), and Amazon ECS.

Note

This policy has been previously superseded by AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy. Although this policy is no longer available for attachment to new IAM users, groups, or roles, it may still be attached to prior existing ones.

For more information, see Managed service role policies.

May 10, 2023

AWSElasticBeanstalkMulticontainerDocker –Updated existing policy

This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS.

For more information, see Managing Elastic Beanstalk instance profiles.

March 23, 2023

AWSElasticBeanstalkRoleECS –Updated existing policy

This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS.

For more information, see Policies for integration with other services.

March 23, 2023

AdministratorAccess-AWSElasticBeanstalk –Updated existing policy

This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS.

For more information, see Managing Elastic Beanstalk user policies.

March 23, 2023

AWSElasticBeanstalkManagedUpdatesServiceRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them.

For more information, see Service-linked role permissions for Elastic Beanstalk.

March 23, 2023

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them.

For more information, see Managed service role policies.

March 23, 2023

AWSElasticBeanstalkManagedUpdatesServiceRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to add tags to Auto Scaling groups when it creates them.

For more information, see The managed-updates service-linked role.

January 27, 2023

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to add tags on create of an Auto Scaling group (ASG).

For more information, see Managed service role policies.

January 23, 2023

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to add tags on create of an elastic load balancer (ELB).

For more information, see Managed service role policies.

December 21, 2022

AWSElasticBeanstalkManagedUpdatesServiceRolePolicy –Updated existing policy

Permissions were added to this policy to allow Elastic Beanstalk to do the following during managed updates:

  • Create and delete launch templates and template versions.

  • Launch Amazon EC2 instances with launch templates.

  • If an Amazon RDS is present, retrieve a list of the available DB engines and information about provisioned RDS instances.

For more information, see The managed-updates service-linked role.

August 23, 2022

AWSElasticBeanstalkReadOnlyAccess – Deprecated

GovCloud (US) AWS Region

This policy has been replaced by AWSElasticBeanstalkReadOnly.

This policy will be phased out in the GovCloud (US) AWS Region.

When this policy is phased out, it will no longer be available for attachment to new IAM users, groups, or roles after June 17, 2021.

For more information, see User policies.

June 17, 2021

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to read attributes for EC2 Availability Zones. It enables Elastic Beanstalk to provide more effective validation of your instance type selection across Availability Zones.

For more information, see Managed service role policies.

June 16, 2021

AWSElasticBeanstalkFullAccess – Deprecated

GovCloud (US) AWS Region

This policy has been replaced by AdministratorAccess-AWSElasticBeanstalk.

This policy will be phased out in the GovCloud (US) AWS Region.

When this policy is phased out, it will no longer be available for attachment to new IAM users, groups, or roles after June 10, 2021.

For more information, see User policies.

June 10, 2021

The following managed policies were deprecated in all of the China AWS Regions:

  • AWSElasticBeanstalkFullAccess

  • AWSElasticBeanstalkReadOnlyAccess

The AWSElasticBeanstalkFullAccess policy has been replaced by AdministratorAccess-AWSElasticBeanstalk.

The AWSElasticBeanstalkReadOnlyAccess policy has been replaced by AWSElasticBeanstalkReadOnly.

These policies were phased out in all of the China AWS Regions.

These policies will no longer be available for attachment to new IAM users, groups, or roles after June 3, 2021.

For more information, see User policies.

June 3, 2021

AWSElasticBeanstalkService – Deprecated

This policy has been superseded by AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy.

This policy is phased out and is no longer available for attachment to new IAM users, groups, or roles.

For more information, see Managed service role policies.

June 2021 - January 2022

The following managed policies were deprecated in all AWS Regions, except for China and GovCloud (US):

  • AWSElasticBeanstalkFullAccess

  • AWSElasticBeanstalkReadOnlyAccess

The AWSElasticBeanstalkFullAccess policy has been replaced by AdministratorAccess-AWSElasticBeanstalk.

The AWSElasticBeanstalkReadOnlyAccess policy has been replaced by AWSElasticBeanstalkReadOnly.

These policies were phased out in all the AWS Regions, except for China and GovCloud (US).

These policies will no longer be available for attachment to new IAM users, groups, or roles after April 16, 2021.

For more information, see User policies.

April 16, 2021

The following managed policies were updated:

  • AdministratorAccess-AWSElasticBeanstalk

  • AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy

Both of these policies now support PassRole permissions in China AWS Regions.

For more information about AdministratorAccess-AWSElasticBeanstalk, see User policies.

For more information about AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy, see Managed service role policies.

March 9, 2021

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy – New policy

Elastic Beanstalk added a new policy to replace the AWSElasticBeanstalkService managed policy.

This new managed policy improves security for your resources by applying a more restrictive set of permissions.

For more information, see Managed service role policies.

March 3, 2021

Elastic Beanstalk started tracking changes

Elastic Beanstalk started tracking changes for AWS managed policies.

March 1, 2021