Required roles Optional polices and roles

Elastic Beanstalk Service roles, instance profiles, and user policies

Roles are an entities that you create with AWS Identity and Access Management (IAM) to apply permissions. There are required roles for your Elastic Beanstalk environment to function properly. You also have the option to create your own custom policies and roles that you can assign to users or groups.

Required roles for your Elastic Beanstalk environment

When you create an environment, AWS Elastic Beanstalk prompts you to provide the following AWS Identity and Access Management (IAM) roles:

Service role: Elastic Beanstalk assumes a service role to use other AWS services on your behalf.
Instance profile Elastic Beanstalk applies an instance profile to the Amazon EC2 instances in your environment. This action allows them to perform required tasks, such as retrieving information from Amazon Simple Storage Service (Amazon S3) and uploading logs to S3.

Service role

When you create an environment the required service roles are created and assigned managed policies. These policies include all of the necessary permissions. Existing service roles are automatically assigned to the new environment if they already exists from previous environments.

Instance profile

If your AWS account doesn’t have an EC2 instance profile, you must create one using the IAM service. You can then assign the EC2 instance profile to new environments that you create. The Create environment wizard provides information to guide you through the IAM service, so that you can create an EC2 instance profile with the required permissions. After creating the instance profile, you can return to the console to select it as the EC2 instance profile and continue the steps to create your environment.

Optional polices and roles to manage your Elastic Beanstalk environment

You can optionally create user policies and apply them to IAM users and groups in your account. Doing so allows the users to create and manage Elastic Beanstalk applications and environments. You can also assign Elastic Beanstalk managed policies for full access and read-only access to users or groups. For more information about these policies, see Managing Elastic Beanstalk user policies.

You can create your own instance profiles and user policies for advanced scenarios. If your instances need to access services that aren't included in the default policies, you can create a new policy or add additional policies to the default one. If the managed policy is too permissive for your needs, you can also create more restrictive user policies. For more information about AWS permissions, see the IAM User Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Design considerations

Service role