AWS managed policies
We recommend that you use AWS Service Catalog AppRegistry managed policies to add permissions to identities. For more information, see IAM identities (users, user groups, and roles) in the IAM User Guide.
You can create customer managed policies instead. However, writing them correctly requires product expertise and time. Managed policies are designed to help you get started quickly because they provide permissions for common use cases. For more information, see Creating IAM policies and AWS managed policies in the IAM User Guide.
AWS services maintain and update managed policies. You can't change the permissions in these policies. To support new features, services periodically add permissions to managed policies. These updates affect every identity (user, user group, or role) to which the policy is attached. Services typically update these policies during feature launches or when new operations become available. Services don't remove permissions from managed policies, so updates don't break existing permissions. An update can, however, widen what an attached identity is allowed to do, so review the policy update history for any managed policy you rely on.
In addition, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess policy provides read-only access to all services and resources. When services launch new features, AWS adds read-only permissions for new operations and resources. For a list of job functions and their descriptions, see AWS managed policies for job functions in the IAM User Guide.
AWSServiceCatalogAppRegistryFullAccess
AppRegistry provides AWSServiceCatalogAppRegistryFullAccess, an AWS managed policy that grants full access to AppRegistry capabilities.
In this version of the policy, AppRegistry adds the resource group permissions resource-groups:AssociateResource and resource-groups:DisassociateResource. These allow the AppRegistry AssociateResource and DisassociateResource APIs to call the corresponding AWS Resource Groups APIs on your behalf. In the policy document, these permissions are granted only when the call is made through AppRegistry (the aws:CalledVia condition); they don't let the identity call the Resource Groups APIs directly.
Note
You can use the AppRegistry AssociateResource and DisassociateResource APIs to add and remove resources associated with the awsApplication tag. For more information, see AssociateResource and DisassociateResource in the AWS Service Catalog AppRegistry Developer Guide.
AppRegistry also adds the permission tag:GetResources, which allows AppRegistry to return all tagged resources, again only when called through AppRegistry. All tagged resources with defined tag keys and values can be included as resources for applications.
Permissions details
- AWS CloudFormation – Allows AppRegistry to update a stack in AWS CloudFormation.
- Resource Groups – Allows AppRegistry to create resource groups, return information about resource groups, delete resource groups, tag resource groups, return lists of tags associated with resource groups, remove tags from resource groups, retrieve resource tag information, and retrieve service configurations associated with resource groups.
- IAM – Allows AppRegistry to create an IAM role that's linked to a specific AWS service.
You can link to the following JSON policy in the IAM console or include it in your documentation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRegistryUpdateStackAndResourceGroupTagging",
      "Effect": "Allow",
      "Action": [
        "cloudformation:UpdateStack",
        "tag:GetResources"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "servicecatalog-appregistry.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AppRegistryResourceGroupsIntegration",
      "Effect": "Allow",
      "Action": [
        "resource-groups:CreateGroup",
        "resource-groups:DeleteGroup",
        "resource-groups:GetGroup",
        "resource-groups:GetTags",
        "resource-groups:Tag",
        "resource-groups:Untag",
        "resource-groups:GetGroupConfiguration",
        "resource-groups:AssociateResource",
        "resource-groups:DisassociateResource"
      ],
      "Resource": "arn:aws:resource-groups:*:*:group/AWS_*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "servicecatalog-appregistry.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AppRegistryServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/servicecatalog-appregistry.amazonaws.com/AWSServiceRoleForAWSServiceCatalogAppRegistry*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "servicecatalog-appregistry.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AppRegistryOperations",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "servicecatalog:CreateApplication",
        "servicecatalog:GetApplication",
        "servicecatalog:UpdateApplication",
        "servicecatalog:DeleteApplication",
        "servicecatalog:ListApplications",
        "servicecatalog:AssociateResource",
        "servicecatalog:DisassociateResource",
        "servicecatalog:GetAssociatedResource",
        "servicecatalog:ListAssociatedResources",
        "servicecatalog:AssociateAttributeGroup",
        "servicecatalog:DisassociateAttributeGroup",
        "servicecatalog:ListAssociatedAttributeGroups",
        "servicecatalog:CreateAttributeGroup",
        "servicecatalog:UpdateAttributeGroup",
        "servicecatalog:DeleteAttributeGroup",
        "servicecatalog:GetAttributeGroup",
        "servicecatalog:ListAttributeGroups",
        "servicecatalog:SyncResource",
        "servicecatalog:ListAttributeGroupsForApplication",
        "servicecatalog:GetConfiguration",
        "servicecatalog:PutConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AppRegistryResourceTagging",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:ListTagsForResource",
        "servicecatalog:UntagResource",
        "servicecatalog:TagResource"
      ],
      "Resource": "arn:aws:servicecatalog:*:*:*"
    }
  ]
}
AWSServiceCatalogAppRegistryReadOnlyAccess
AWSServiceCatalogAppRegistryReadOnlyAccess is an AWS managed policy that provides read-only access to AppRegistry capabilities. It grants only Get and List actions on applications, attribute groups, associated resources, tags, and configuration; it doesn't include permissions to create, update, delete, or associate anything. Use it for identities that need to inspect which tag keys and values are associated with applications without changing them.
Note
All tagged resources with defined tag keys and values can be included as resources for applications.
You can link to this JSON policy in the IAM console or include it in your documentation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:GetApplication",
        "servicecatalog:ListApplications",
        "servicecatalog:GetAssociatedResource",
        "servicecatalog:ListAssociatedResources",
        "servicecatalog:ListAssociatedAttributeGroups",
        "servicecatalog:GetAttributeGroup",
        "servicecatalog:ListAttributeGroups",
        "servicecatalog:ListTagsForResource",
        "servicecatalog:ListAttributeGroupsForApplication",
        "servicecatalog:GetConfiguration"
      ],
      "Resource": "*"
    }
  ]
}
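The following script is an added example, not AWS's code, that reads the two policy documents shown above and answers the questions a reviewer of these grants usually has: which actions the attached identity can call on its own versus only when AppRegistry calls on its behalf (the aws:CalledVia condition), whether the read-only policy really contains only read actions, and what a newer policy version adds compared with an older one. The "previous version" is constructed here by dropping the two resource-groups actions the page says this version added; it is not a real historical version. The gate classification reads the Condition block literally and does not model full IAM evaluation (Deny statements, SCPs, permissions boundaries, or resource policies are out of scope).

```python
"""Inspect the AppRegistry managed policies: gating, read-only check, version diff.

Added example (not AWS's code). Policy contents are transcribed from this page;
the 'previous version' is constructed for illustration only.
"""
import copy

APPREGISTRY = "servicecatalog-appregistry.amazonaws.com"
CALLED_VIA = {"ForAnyValue:StringEquals": {"aws:CalledVia": APPREGISTRY}}

FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRegistryUpdateStackAndResourceGroupTagging", "Effect": "Allow",
         "Action": ["cloudformation:UpdateStack", "tag:GetResources"],
         "Resource": "*", "Condition": CALLED_VIA},
        {"Sid": "AppRegistryResourceGroupsIntegration", "Effect": "Allow",
         "Action": ["resource-groups:" + a for a in
                    "CreateGroup DeleteGroup GetGroup GetTags Tag Untag "
                    "GetGroupConfiguration AssociateResource "
                    "DisassociateResource".split()],
         "Resource": "arn:aws:resource-groups:*:*:group/AWS_*",
         "Condition": CALLED_VIA},
        {"Sid": "AppRegistryServiceLinkedRole", "Effect": "Allow",
         "Action": "iam:CreateServiceLinkedRole",
         "Resource": "arn:aws:iam::*:role/aws-service-role/" + APPREGISTRY
                     + "/AWSServiceRoleForAWSServiceCatalogAppRegistry*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": APPREGISTRY}}},
        {"Sid": "AppRegistryOperations", "Effect": "Allow",
         "Action": ["cloudformation:DescribeStacks"] + ["servicecatalog:" + a for a in
                    "CreateApplication GetApplication UpdateApplication "
                    "DeleteApplication ListApplications AssociateResource "
                    "DisassociateResource GetAssociatedResource "
                    "ListAssociatedResources AssociateAttributeGroup "
                    "DisassociateAttributeGroup ListAssociatedAttributeGroups "
                    "CreateAttributeGroup UpdateAttributeGroup DeleteAttributeGroup "
                    "GetAttributeGroup ListAttributeGroups SyncResource "
                    "ListAttributeGroupsForApplication GetConfiguration "
                    "PutConfiguration".split()],
         "Resource": "*"},
        {"Sid": "AppRegistryResourceTagging", "Effect": "Allow",
         "Action": ["servicecatalog:ListTagsForResource",
                    "servicecatalog:UntagResource", "servicecatalog:TagResource"],
         "Resource": "arn:aws:servicecatalog:*:*:*"},
    ],
}

READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["servicecatalog:" + a for a in
                              "GetApplication ListApplications GetAssociatedResource "
                              "ListAssociatedResources ListAssociatedAttributeGroups "
                              "GetAttributeGroup ListAttributeGroups ListTagsForResource "
                              "ListAttributeGroupsForApplication "
                              "GetConfiguration".split()]}],
}


def _actions(stmt):
    a = stmt["Action"]
    return [a] if isinstance(a, str) else list(a)


def gate(stmt):
    """How an Allow statement is gated: 'direct' (no condition), 'via:<svc>'
    (only when that service appears in aws:CalledVia) or 'conditional:<keys>'."""
    cond = stmt.get("Condition", {})
    for kv in cond.values():
        for key, val in kv.items():
            if key.lower() == "aws:calledvia":
                return "via:" + ",".join([val] if isinstance(val, str) else val)
    if cond:
        return "conditional:" + ",".join(sorted(k for kv in cond.values() for k in kv))
    return "direct"


def classify(policy):
    """Map every allowed action to its gate (Deny statements are not modelled)."""
    return {a: gate(s) for s in policy["Statement"]
            if s["Effect"] == "Allow" for a in _actions(s)}


def directly_callable(policy):
    """Actions the attached identity can invoke with its own credentials."""
    return sorted(a for a, g in classify(policy).items() if g == "direct")


def mutating_actions(policy):
    """Actions that are not read-only by naming convention (Get*/List*/Describe*)."""
    return sorted(a for a in classify(policy)
                  if not a.split(":", 1)[1].startswith(("Get", "List", "Describe")))


def diff_versions(old, new):
    """Actions added or removed between two versions of the same policy."""
    old_a, new_a = set(classify(old)), set(classify(new))
    return {"added": sorted(new_a - old_a), "removed": sorted(old_a - new_a)}


def previous_version():
    """Constructed earlier version: FULL_ACCESS minus the two resource-groups
    actions this page says the current version added."""
    prev = copy.deepcopy(FULL_ACCESS)
    for s in prev["Statement"]:
        if s["Sid"] == "AppRegistryResourceGroupsIntegration":
            s["Action"] = [a for a in s["Action"] if a not in
                           ("resource-groups:AssociateResource",
                            "resource-groups:DisassociateResource")]
    return prev


if __name__ == "__main__":
    for action, g in sorted(classify(FULL_ACCESS).items(), key=lambda x: (x[1], x[0])):
        print(f"{g:50} {action}")
    print("read-only policy mutating actions:", mutating_actions(READ_ONLY))
    print("diff vs. previous version:", diff_versions(previous_version(), FULL_ACCESS))
```

Running it shows that every servicecatalog:* action and cloudformation:DescribeStacks is directly callable, while cloudformation:UpdateStack, tag:GetResources and all resource-groups:* actions are reachable only through AppRegistry, and that the read-only policy has no mutating actions. To apply the version diff to a live account, fetch the current and a pinned policy version with the IAM GetPolicyVersion API and pass the two decoded documents to diff_versions.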
AWS managed policy updates
The following table includes information about the updates to the AWSServiceCatalogAppRegistryFullAccess, AWSServiceCatalogAppRegistryReadOnlyAccess, and AWSServiceCatalogAppRegistryServiceRolePolicy policies.
Policy | Description | Date |
---|---|---|
AWSServiceCatalogAppRegistryFullAccess – Update to an existing policy | Added the resource group permission | December 07, 2023 |
AWSServiceCatalogAppRegistryFullAccess – Update to an existing policy | Added the resource group permissions | November 13, 2023 |
AWSServiceCatalogAppRegistryFullAccess – Update to an existing policy | Added the following: | November 17, 2022 |
AWSServiceCatalogAppRegistryReadOnlyAccess – Update to an existing policy | Added | November 17, 2022 |
AWSServiceCatalogAppRegistryServiceRolePolicy – Update to an existing policy | Updated | October 24, 2022 |
AWSServiceCatalogAppRegistryFullAccess – Update to an existing policy | Added | June 15, 2022 |
AWSServiceCatalogAppRegistryReadOnlyAccess – Update to an existing policy | Added | June 15, 2022 |
AWSServiceCatalogAppRegistryServiceRolePolicy – Update to an existing policy | Added permissions to tag AWS Resource Groups when AWS Resource Groups are created. | August 24, 2021 |
AWSServiceCatalogAppRegistryFullAccess – Update to an existing policy | Added the following: | August 24, 2021 |
AWSServiceCatalogAppRegistryReadOnlyAccess – Update to an existing policy | Added the following: | August 24, 2021 |