AWS managed policies for AWS Elastic Beanstalk

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

Elastic Beanstalk updates to AWS managed policies

View details about updates to AWS managed policies for Elastic Beanstalk since March 1, 2021.

Change	Description	Date
AWSElasticBeanstalkMulticontainerDocker –Updated existing policy	This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them. For more information, see Managing Elastic Beanstalk instance profiles.	March 23, 2023
AWSElasticBeanstalkRoleECS –Updated existing policy	This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them. For more information, see Policies for integration with other services.	March 23, 2023
AdministratorAccess-AWSElasticBeanstalk –Updated existing policy	This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them. For more information, see Managing Elastic Beanstalk user policies.	March 23, 2023
AWSElasticBeanstalkManagedUpdatesServiceRolePolicy –Updated existing policy	This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them. For more information, see Service-linked role permissions for Elastic Beanstalk.	March 23, 2023
AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy	This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them. For more information, see Managed service role policies.	March 23, 2023
AWSElasticBeanstalkManagedUpdatesServiceRolePolicy –Updated existing policy	This policy was updated to allow Elastic Beanstalk to add tags to Auto Scaling groups when it creates them. For more information, see The managed-updates service-linked role.	January 27, 2023
AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy	This policy was updated to allow Elastic Beanstalk to add tags on create of an Auto Scaling group (ASG). For more information, see Managed service role policies.	January 23, 2023
AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy	This policy was updated to allow Elastic Beanstalk to add tags on create of an elastic load balancer (ELB). For more information, see Managed service role policies.	December 21, 2022
AWSElasticBeanstalkManagedUpdatesServiceRolePolicy –Updated existing policy	Permissions were added to this policy to allow Elastic Beanstalk to do the following during managed updates: Create and delete launch templates and template versions. Launch Amazon EC2 instances with launch templates. If an Amazon RDS is present, retrieve a list of the available DB engines and information about provisioned RDS instances. For more information, see The managed-updates service-linked role.	August 23, 2022
AWSElasticBeanstalkReadOnlyAccess – Deprecated GovCloud (US) AWS Region	This policy has been replaced by `AWSElasticBeanstalkReadOnly`. This policy will be phased out in the GovCloud (US) AWS Region. When this policy is phased out, it will no longer be available for attachment to new IAM users, groups, or roles after June 17, 2021. For more information, see User policies.	June 17, 2021
AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy	This policy was updated to allow Elastic Beanstalk to read attributes for EC2 Availability Zones. It enables Elastic Beanstalk to provide more effective validation of your instance type selection across Availability Zones. For more information, see Managed service role policies.	June 16, 2021
AWSElasticBeanstalkFullAccess – Deprecated GovCloud (US) AWS Region	This policy has been replaced by `AdministratorAccess-AWSElasticBeanstalk`. This policy will be phased out in the GovCloud (US) AWS Region. When this policy is phased out, it will no longer be available for attachment to new IAM users, groups, or roles after June 10, 2021. For more information, see User policies.	June 10, 2021
The following managed policies were deprecated in all of the China AWS Regions: AWSElasticBeanstalkFullAccess AWSElasticBeanstalkReadOnlyAccess	The `AWSElasticBeanstalkFullAccess` policy has been replaced by `AdministratorAccess-AWSElasticBeanstalk`. The `AWSElasticBeanstalkReadOnlyAccess` policy has been replaced by `AWSElasticBeanstalkReadOnly`. These policies were phased out in all of the China AWS Regions. These policies will no longer be available for attachment to new IAM users, groups, or roles after June 3, 2021. For more information, see User policies.	June 3, 2021
AWSElasticBeanstalkService – Deprecated	This policy has been superseded by `AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy`. This policy is phased out and is no longer available for attachment to new IAM users, groups, or roles. For more information, see Managed service role policies.	June 2021 - January 2022
The following managed policies were deprecated in all AWS Regions, except for China and GovCloud (US): AWSElasticBeanstalkFullAccess AWSElasticBeanstalkReadOnlyAccess	The `AWSElasticBeanstalkFullAccess` policy has been replaced by `AdministratorAccess-AWSElasticBeanstalk`. The `AWSElasticBeanstalkReadOnlyAccess` policy has been replaced by `AWSElasticBeanstalkReadOnly`. These policies were phased out in all the AWS Regions, except for China and GovCloud (US). These policies will no longer be available for attachment to new IAM users, groups, or roles after April 16, 2021. For more information, see User policies.	April 16, 2021
The following managed policies were updated: AdministratorAccess-AWSElasticBeanstalk AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy	Both of these policies now support PassRole permissions in China AWS Regions. For more information about `AdministratorAccess-AWSElasticBeanstalk`, see User policies. For more information about `AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy`, see Managed service role policies.	March 9, 2021
AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy – New policy	Elastic Beanstalk added a new policy to replace the `AWSElasticBeanstalkService` managed policy. This new managed policy improves security for your resources by applying a more restrictive set of permissions. For more information, see Managed service role policies.	March 3, 2021
Elastic Beanstalk started tracking changes	Elastic Beanstalk started tracking changes for AWS managed policies.	March 1, 2021

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Identity and access management

Logging and monitoring