Managing AWS OpsWorks Stacks Permissions by Attaching an IAM Policy - AWS OpsWorks

The AWS OpsWorks Stacks service reached end of life on May 26, 2024 and has been disabled for both new and existing customers. We strongly recommend customers migrate their workloads to other solutions as soon as possible. If you have questions about migration, reach out to the AWS Support Team on AWS re:Post or through AWS Premium Support.

You can specify a user's AWS OpsWorks Stacks permissions by attaching an IAM policy. An attached policy is required for some permissions:

  • Administrative user permissions, such as importing users.

  • Permissions for some actions, such as creating or cloning a stack.

For a complete list of actions that require an attached policy, see AWS OpsWorks Stacks Permissions Levels.

You can also use a policy to customize permission levels that were granted through the Permissions page. This section provides a brief summary of how to apply an IAM policy to a user to specify AWS OpsWorks Stacks permissions. For more information, see Access management for AWS resources.

An IAM policy is a JSON object that contains one or more statements. Each statement element has a list of permissions, which have three basic elements of their own:


  • Action: The actions that the permission affects. You specify AWS OpsWorks Stacks actions as opsworks:action. An Action can be set to a specific action such as opsworks:CreateStack, which specifies whether the user is allowed to call CreateStack. You can also use wildcards to specify groups of actions. For example, opsworks:Create* specifies all creation actions. For a complete list of AWS OpsWorks Stacks actions, see the AWS OpsWorks Stacks API Reference.

  • Effect: Whether the specified actions are allowed or denied.

  • Resource: The AWS resources that the permission affects. AWS OpsWorks Stacks has one resource type, the stack. To specify permissions for a particular stack resource, set Resource to the stack's ARN, which has the following format: arn:aws:opsworks:region:account_id:stack/stack_id/.

    You can also use wildcards. For example, setting Resource to * grants permissions for every resource.

For example, the following policy denies the user the ability to stop instances on the stack whose ID is 2860-2f18b4cb-4de5-4429-a149-ff7da9f0d8ee.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "opsworks:StopInstance",
      "Effect": "Deny",
      "Resource": "arn:aws:opsworks:*:*:stack/2f18b4cb-4de5-4429-a149-ff7da9f0d8ee/"
    }
  ]
}
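How the Deny policy above combines with a broad Allow that the same user holds, as an added example (not part of the AWS documentation): a simplified Python model of IAM's rule that an explicit Deny overrides any matching Allow. The ALLOW_ALL policy, the region, the account ID and the second stack ID are constructed for illustration, and the matcher covers only Action, Effect and Resource, not conditions or other policy types.

```python
import re

def _matches(pattern, value, ignore_case=False):
    # IAM-style wildcards: "*" matches any run of characters, "?" exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policies, action, resource):
    """Simplified model: action names match case-insensitively, ARNs exactly."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any matching Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# The policy from the page.
DENY_STOP = {"Version": "2012-10-17", "Statement": [{
    "Action": "opsworks:StopInstance", "Effect": "Deny",
    "Resource": "arn:aws:opsworks:*:*:stack/2f18b4cb-4de5-4429-a149-ff7da9f0d8ee/"}]}
# Constructed for this example: a broad grant the user also holds.
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [{
    "Action": "opsworks:*", "Effect": "Allow", "Resource": "*"}]}
# Constructed request ARNs; region, account ID and second stack ID are placeholders.
PREFIX = "arn:aws:opsworks:us-east-1:111122223333:stack/"
PROTECTED = PREFIX + "2f18b4cb-4de5-4429-a149-ff7da9f0d8ee/"
OTHER = PREFIX + "00000000-0000-0000-0000-000000000000/"

def demo():
    both = [ALLOW_ALL, DENY_STOP]
    return {
        "stop_protected": evaluate(both, "opsworks:StopInstance", PROTECTED),
        "stop_other": evaluate(both, "opsworks:StopInstance", OTHER),
        "start_protected": evaluate(both, "opsworks:StartInstance", PROTECTED),
        "deny_policy_alone": evaluate([DENY_STOP], "opsworks:StartInstance", PROTECTED),
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The last case shows that a Deny-only policy grants nothing by itself: without a matching Allow from another policy or permission level, the request is implicitly denied.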

For information about adding permissions to an IAM user, see

For more information about how to create or modify IAM policies, see Policies and permissions in IAM. For some examples of AWS OpsWorks Stacks policies, see Example Policies.