# Identity and Access Management for Application Auto Scaling Identity and Access Management AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Application Auto Scaling resources. IAM is an AWS service that you can use with no additional charge. For complete IAM documentation, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/). ## Access control You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access Application Auto Scaling resources. For example, you must have permissions to create scaling policies, configure scheduled scaling, and so on. The following sections provide details on how an IAM administrator can use IAM to help secure your AWS resources, by controlling who can perform Application Auto Scaling API actions. **Topics** + [ ## Access control ](#access-control) + [ # How Application Auto Scaling works with IAM ](security_iam_service-with-iam.md) + [AWS managed policies](security-iam-awsmanpol.md) + [Service-linked roles](application-auto-scaling-service-linked-roles.md) + [Identity-based policy examples](security_iam_id-based-policy-examples.md) + [Troubleshooting](security_iam_troubleshoot.md) + [Permissions validation](security_iam_permission_validation.md) # How Application Auto Scaling works with IAM **Note** In December 2017, there was an update for Application Auto Scaling, enabling several service-linked roles for Application Auto Scaling integrated services. Specific IAM permissions *and* an Application Auto Scaling service-linked role (or a service role for Amazon EMR auto scaling) are required so that users can configure scaling. Before you use IAM to manage access to Application Auto Scaling, learn what IAM features are available to use with Application Auto Scaling. **IAM features you can use with Application Auto Scaling** | IAM feature | Application Auto Scaling support | | --- | --- | | [Identity-based policies](#security_iam_service-with-iam-id-based-policies) | Yes | | [Policy actions](#security_iam_service-with-iam-id-based-policies-actions) | Yes | | [Policy resources](#security_iam_service-with-iam-id-based-policies-resources) | Yes | | [Policy condition keys (service-specific)](#security_iam_service-with-iam-id-based-policies-conditionkeys) | Yes | | [Resource-based policies](#security_iam_service-with-iam-resource-based-policies) | No | | [ACLs](#security_iam_service-with-iam-acls) | No | | [ABAC (tags in policies)](#security_iam_service-with-iam-tags) | Partial | | [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds) | Yes | | [Service roles](#security_iam_service-with-iam-roles-service) | Yes | | [Service-linked roles](#security_iam_service-with-iam-roles-service-linked) | Yes | To get a high-level view of how Application Auto Scaling and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*. ## Application Auto Scaling identity-based policies **Supports identity-based policies:** Yes Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*. With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*. ### Identity-based policy examples for Application Auto Scaling To view examples of Application Auto Scaling identity-based policies, see [Application Auto Scaling identity-based policy examples](security_iam_id-based-policy-examples.md). ### Actions **Supports policy actions:** Yes In an IAM policy statement, you can specify any API action from any service that supports IAM. For Application Auto Scaling, use the following prefix with the name of the API action: `application-autoscaling:`. For example: `application-autoscaling:RegisterScalableTarget`, `application-autoscaling:PutScalingPolicy`, and `application-autoscaling:DeregisterScalableTarget`. To specify multiple actions in a single statement, separate them with commas as shown in the following example. ``` "Action": [ "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScalingActivities" ``` You can specify multiple actions using wildcards (\$1). For example, to specify all actions that begin with the word `Describe`, include the following action. ``` "Action": "application-autoscaling:Describe*" ``` For a list of Application Auto Scaling actions, see [Actions defined by AWS Application Auto Scaling](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationautoscaling.html#awsapplicationautoscaling-actions-as-permissions) in the *Service Authorization Reference*. ### Resources **Supports policy resources:** Yes In an IAM policy statement, the `Resource` element specifies the object or objects that the statement covers. For Application Auto Scaling, each IAM policy statement applies to the scalable targets that you specify using their Amazon Resource Names (ARNs). The ARN resource format for scalable targets: ``` arn:aws:application-autoscaling:region:account-id:scalable-target/unique-identifier ``` For example, you can indicate a specific scalable target in your statement using its ARN as follows. The unique ID (1234abcd56ab78cd901ef1234567890ab123) is a value assigned by Application Auto Scaling to the scalable target. ``` "Resource": "arn:aws:application-autoscaling:us-east-1:123456789012:scalable-target/1234abcd56ab78cd901ef1234567890ab123" ``` You can specify all instances that belong to a specific account by replacing the unique identifier with a wildcard (\$1) as follows. ``` "Resource": "arn:aws:application-autoscaling:us-east-1:123456789012:scalable-target/*" ``` To specify all resources, or if a specific API action does not support ARNs, use a wildcard (\$1) as the `Resource` element as follows. ``` "Resource": "*" ``` For more information, see [Resource types defined by AWS Application Auto Scaling](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationautoscaling.html#awsapplicationautoscaling-policy-keys) in the *Service Authorization Reference*. ### Condition keys **Supports service-specific policy condition keys:** Yes You can specify conditions in the IAM policies that control access to Application Auto Scaling resources. The policy statement is effective only when the conditions are true. Application Auto Scaling supports the following service-defined condition keys that you can use in identity-based policies to determine who can perform Application Auto Scaling API actions. + `application-autoscaling:scalable-dimension` + `application-autoscaling:service-namespace` To learn which Application Auto Scaling API actions you can use a condition key with, see [Actions defined by AWS Application Auto Scaling](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationautoscaling.html#awsapplicationautoscaling-actions-as-permissions) in the *Service Authorization Reference*. For more information about using Application Auto Scaling condition keys, see [Condition keys for AWS Application Auto Scaling](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationautoscaling.html#awsapplicationautoscaling-policy-keys). To view the global condition keys that are available to all services, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*. ## Resource-based policies **Supports resource-based policies:** No Other AWS services, such as Amazon Simple Storage Service, support resource-based permissions policies. For example, you can attach a permissions policy to an S3 bucket to manage access permissions to that bucket. Application Auto Scaling does not support resource-based policies. ## Access Control Lists (ACLs) **Supports ACLs:** No Application Auto Scaling does not support Access Control Lists (ACLs). ## ABAC with Application Auto Scaling ABAC **Supports ABAC (tags in policies):** Partial Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In AWS, these attributes are called *tags*. You can attach tags to IAM entities (users or roles) and to many AWS resources. Tagging entities and resources is the first step of ABAC. Then you design ABAC policies to allow operations when the principal's tag matches the tag on the resource that they are trying to access. ABAC is helpful in environments that are growing rapidly and helps with situations where policy management becomes cumbersome. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys. ABAC is possible for resources that support tags, but not everything supports tags. Scheduled actions and scaling policies don't support tags, but scalable targets support tags. For more information, see [Tagging support for Application Auto Scaling](resource-tagging-support.md). For more information about ABAC, see [What is ABAC?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*. ## Using temporary credentials with Application Auto Scaling Temporary credentials **Supports temporary credentials:** Yes Temporary credentials provide short-term access to AWS resources and are automatically created when you use federation or switch roles. AWS recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) and [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*. ## Service roles **Supports service roles:** Yes If your Amazon EMR cluster uses automatic scaling, this feature allows Application Auto Scaling to assume a service role on your behalf. Similar to a service-linked role, a service role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service. Application Auto Scaling supports service roles only for Amazon EMR. For documentation for the EMR service role, see [Using automatic scaling with a custom policy for instance groups](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-automatic-scaling.html) in the *Amazon EMR Management Guide*. **Note** With the introduction of service-linked roles, several legacy service roles are no longer required, for example, for Amazon ECS and Spot Fleet. ## Service-linked roles **Supports service-linked roles:** Yes A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles. For information about Application Auto Scaling service-linked roles, see [Service-linked roles for Application Auto Scaling](application-auto-scaling-service-linked-roles.md). # AWS managed policies for Application Auto Scaling AWS managed policies An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles. Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases. You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. ## AWS managed policy: WorkSpaces Applications and CloudWatch AWSApplicationAutoscalingAppStreamFleetPolicy **Policy name: [AWSApplicationAutoscalingAppStreamFleetPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingAppStreamFleetPolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1AppStreamFleet](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call Amazon AppStream and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "\$1"): + Action: `appstream:DescribeFleets` + Action: `appstream:UpdateFleet` + Action: `cloudwatch:DescribeAlarms` + Action: `cloudwatch:PutMetricAlarm` + Action: `cloudwatch:DeleteAlarms` ## AWS managed policy: Aurora and CloudWatch AWSApplicationAutoscalingRDSClusterPolicy **Policy name: [AWSApplicationAutoscalingRDSClusterPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingRDSClusterPolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1RDSCluster](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call Aurora and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "\$1"): + Action: `rds:AddTagsToResource` + Action: `rds:CreateDBInstance` + Action: `rds:DeleteDBInstance` + Action: `rds:DescribeDBClusters` + Action: `rds:DescribeDBInstance` + Action: `cloudwatch:DescribeAlarms` + Action: `cloudwatch:PutMetricAlarm` + Action: `cloudwatch:DeleteAlarms` ## AWS managed policy: Amazon Comprehend and CloudWatch AWSApplicationAutoscalingComprehendEndpointPolicy **Policy name: [AWSApplicationAutoscalingComprehendEndpointPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingComprehendEndpointPolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1ComprehendEndpoint](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call Amazon Comprehend and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "\$1"): + Action: `comprehend:UpdateEndpoint` + Action: `comprehend:DescribeEndpoint` + Action: `cloudwatch:DescribeAlarms` + Action: `cloudwatch:PutMetricAlarm` + Action: `cloudwatch:DeleteAlarms` ## AWS managed policy: DynamoDB and CloudWatch AWSApplicationAutoscalingDynamoDBTablePolicy **Policy name: [AWSApplicationAutoscalingDynamoDBTablePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingDynamoDBTablePolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1DynamoDBTable](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call DynamoDBand CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "\$1"): + Action: `dynamodb:DescribeTable` + Action: `dynamodb:UpdateTable` + Action: `cloudwatch:DescribeAlarms` + Action: `cloudwatch:PutMetricAlarm` + Action: `cloudwatch:DeleteAlarms` ## AWS managed policy: Amazon ECS and CloudWatch AWSApplicationAutoscalingECSServicePolicy **Policy name: [AWSApplicationAutoscalingECSServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingECSServicePolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1ECSService](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call Amazon ECS and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "\$1"): + Action: `ecs:DescribeServices` + Action: `ecs:UpdateService` + Action: `cloudwatch:PutMetricAlarm` + Action: `cloudwatch:DescribeAlarms` + Action: `cloudwatch:GetMetricData` + Action: `cloudwatch:DeleteAlarms` ## AWS managed policy: ElastiCache and CloudWatch AWSApplicationAutoscalingElastiCacheRGPolicy **Policy name: [AWSApplicationAutoscalingElastiCacheRGPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingElastiCacheRGPolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1ElastiCacheRG](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf. This service-linked role can be used for ElastiCache Memcached, Redis OSS, and Valkey. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources: + Action: `elasticache:DescribeReplicationGroups` on all resources + Action: `elasticache:ModifyReplicationGroupShardConfiguration` on all resources + Action: `elasticache:IncreaseReplicaCount` on all resources + Action: `elasticache:DecreaseReplicaCount` on all resources + Action: `elasticache:DescribeCacheClusters` on all resources + Action: `elasticache:DescribeCacheParameters` on all resources + Action: `elasticache:ModifyCacheCluster` on all resources + Action: `cloudwatch:DescribeAlarms` on the resource `arn:aws:cloudwatch:*:*:alarm:*` + Action: `cloudwatch:PutMetricAlarm` on the resource `arn:aws:cloudwatch:*:*:alarm:TargetTracking*` + Action: `cloudwatch:DeleteAlarms` on the resource `arn:aws:cloudwatch:*:*:alarm:TargetTracking*` ## AWS managed policy: Amazon Keyspaces and CloudWatch AWSApplicationAutoscalingCassandraTablePolicy **Policy name: [AWSApplicationAutoscalingCassandraTablePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingCassandraTablePolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1CassandraTable](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call Amazon Keyspaces and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources: + Action: `cassandra:Select` on the following resources: + `arn:*:cassandra:*:*:/keyspace/system/table/*` + `arn:*:cassandra:*:*:/keyspace/system_schema/table/*` + `arn:*:cassandra:*:*:/keyspace/system_schema_mcs/table/*` + Action: `cassandra:Alter` on all resources + Action: `cloudwatch:DescribeAlarms` on all resources + Action: `cloudwatch:PutMetricAlarm` on all resources + Action: `cloudwatch:DeleteAlarms` on all resources ## AWS managed policy: Lambda and CloudWatch AWSApplicationAutoscalingLambdaConcurrencyPolicy **Policy name: [AWSApplicationAutoscalingLambdaConcurrencyPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingLambdaConcurrencyPolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1LambdaConcurrency](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call Lambda and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "\$1"): + Action: `lambda:PutProvisionedConcurrencyConfig` + Action: `lambda:GetProvisionedConcurrencyConfig` + Action: `lambda:DeleteProvisionedConcurrencyConfig` + Action: `cloudwatch:DescribeAlarms` + Action: `cloudwatch:PutMetricAlarm` + Action: `cloudwatch:DeleteAlarms` ## AWS managed policy: Amazon MSK and CloudWatch AWSApplicationAutoscalingKafkaClusterPolicy **Policy name: [AWSApplicationAutoscalingKafkaClusterPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingKafkaClusterPolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1KafkaCluster](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call Amazon MSK and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "\$1"): + Action: `kafka:DescribeCluster` + Action: `kafka:DescribeClusterOperation` + Action: `kafka:UpdateBrokerStorage` + Action: `cloudwatch:DescribeAlarms` + Action: `cloudwatch:PutMetricAlarm` + Action: `cloudwatch:DeleteAlarms` ## AWS managed policy: Neptune and CloudWatch AWSApplicationAutoscalingNeptuneClusterPolicy **Policy name: [AWSApplicationAutoscalingNeptuneClusterPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingNeptuneClusterPolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1NeptuneCluster](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources: + Action: `rds:ListTagsForResource` on all resources + Action: `rds:DescribeDBInstances` on all resources + Action: `rds:DescribeDBClusters` on all resources + Action: `rds:DescribeDBClusterParameters` on all resources + Action: `cloudwatch:DescribeAlarms` on all resources + Action: `rds:AddTagsToResource` on resources with the prefix *autoscaled-reader* in the Amazon Neptune database engine (`"Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"}`) + Action: `rds:CreateDBInstance` on resources with the prefix *autoscaled-reader* in all DB clusters (`"Resource":"arn:*:rds:*:*:db:autoscaled-reader*", "arn:aws:rds:*:*:cluster:*"`) in the Amazon Neptune database engine (`"Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"}`) + Action: `rds:DeleteDBInstance` on the resource `arn:aws:rds:*:*:db:autoscaled-reader*` + Action: `cloudwatch:PutMetricAlarm` on the resource `arn:aws:cloudwatch:*:*:alarm:TargetTracking*` + Action: `cloudwatch:DeleteAlarms` on the resource `arn:aws:cloudwatch:*:*:alarm:TargetTracking*` ## AWS managed policy: SageMaker AI and CloudWatch AWSApplicationAutoscalingSageMakerEndpointPolicy **Policy name: [AWSApplicationAutoscalingSageMakerEndpointPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingSageMakerEndpointPolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1SageMakerEndpoint](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call SageMaker AI and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources: + Action: `sagemaker:DescribeEndpoint` on all resources + Action: `sagemaker:DescribeEndpointConfig` on all resources + Action: `sagemaker:DescribeInferenceComponent` on all resources + Action: `sagemaker:UpdateEndpointWeightsAndCapacities` on all resources + Action: `sagemaker:UpdateInferenceComponentRuntimeConfig` on all resources + Action: `cloudwatch:DescribeAlarms` on all resources + Action: `cloudwatch:GetMetricData` on all resources + Action: `cloudwatch:PutMetricAlarm` on the resource `arn:aws:cloudwatch:*:*:alarm:TargetTracking*` + Action: `cloudwatch:DeleteAlarms` on the resource `arn:aws:cloudwatch:*:*:alarm:TargetTracking*` ## AWS managed policy: EC2 Spot Fleet and CloudWatch AWSApplicationAutoscalingEC2SpotFleetRequestPolicy **Policy name: [AWSApplicationAutoscalingEC2SpotFleetRequestPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingEC2SpotFleetRequestPolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1EC2SpotFleetRequest](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call Amazon EC2 and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "\$1"): + Action: `ec2:DescribeSpotFleetRequests` + Action: `ec2:ModifySpotFleetRequest` + Action: `cloudwatch:DescribeAlarms` + Action: `cloudwatch:PutMetricAlarm` + Action: `cloudwatch:DeleteAlarms` ## AWS managed policy: WorkSpaces and CloudWatch AWSApplicationAutoscalingWorkSpacesPoolPolicy **Policy name: [AWSApplicationAutoscalingWorkSpacesPoolPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoscalingWorkSpacesPoolPolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1WorkSpacesPool](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call WorkSpaces and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources: + Action: `workspaces:DescribeWorkspacesPools` on all resources from the same account as the SLR + Action: `workspaces:UpdateWorkspacesPool` on all resources from the same account as the SLR + Action: `cloudwatch:DescribeAlarms` on all alarms from the same account as the SLR + Action: `cloudwatch:PutMetricAlarm` on all alarms from the same account as the SLR, where the alarm name starts with TargetTracking + Action: `cloudwatch:DeleteAlarms` on all alarms from the same account as the SLR, where the alarm name starts with TargetTracking ## AWS managed policy: custom resources and CloudWatch AWSApplicationAutoScalingCustomResourcePolicy **Policy name: [AWSApplicationAutoScalingCustomResourcePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationAutoScalingCustomResourcePolicy.html)** This policy is attached to the service-linked role named [AWSServiceRoleForApplicationAutoScaling\$1CustomResource](application-auto-scaling-service-linked-roles.md) to allow Application Auto Scaling to call your custom resources that are available through API Gateway and CloudWatch and perform scaling on your behalf. **Permission details** The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "\$1"): + Action: `execute-api:Invoke` + Action: `cloudwatch:DescribeAlarms` + Action: `cloudwatch:PutMetricAlarm` + Action: `cloudwatch:DeleteAlarms` ## Application Auto Scaling updates to AWS managed policies Policy updates View details about updates to AWS managed policies for Application Auto Scaling since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Application Auto Scaling Document history page. | Change | Description | Date | | --- | --- | --- | | [AWSApplicationAutoscalingElastiCacheRGPolicy](#elasticache-policy) – Update an existing policy | Added permission to call the ElastiCache `ModifyCacheCluster` API action to support Memcached automatic scaling. | April 10, 2025 | | [AWSApplicationAutoscalingECSServicePolicy](#ecs-policy) – Update an existing policy | Added permission to call the CloudWatch `GetMetricData` API action to support predictive scaling. | November 21, 2024 | | [AWSApplicationAutoscalingWorkSpacesPoolPolicy](#workspaces-policy) – New policy | Added a managed policy for Amazon WorkSpaces. This policy is attached to a [service-linked role](application-auto-scaling-service-linked-roles.md) that allows Application Auto Scaling to call WorkSpaces and CloudWatch and perform scaling on your behalf. | June 24, 2024 | | [AWSApplicationAutoscalingSageMakerEndpointPolicy](#sagemaker-policy) – Update to an existing policy | Added permissions to call the SageMaker AI `DescribeInferenceComponent` and `UpdateInferenceComponentRuntimeConfig` API actions to support compatibility for the auto scaling of SageMaker AI resources for an upcoming integration. The policy also now restricts the CloudWatch `PutMetricAlarm` and `DeleteAlarms` API actions to CloudWatch alarms that are used with target tracking scaling policies. | November 13, 2023 | | [AWSApplicationAutoscalingNeptuneClusterPolicy](#neptune-policy) – New policy | Added a managed policy for Neptune. This policy is attached to a [service-linked role](application-auto-scaling-service-linked-roles.md) that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf. | October 6, 2021 | | [AWSApplicationAutoscalingRDSClusterPolicy](#aurora-policy) – New policy | Added a managed policy for ElastiCache. This policy is attached to a [service-linked role](application-auto-scaling-service-linked-roles.md) that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf. | August 19, 2021 | | Application Auto Scaling started tracking changes | Application Auto Scaling started tracking changes for its AWS managed policies. | August 19, 2021 | # Service-linked roles for Application Auto Scaling Service-linked roles Application Auto Scaling uses [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) for the permissions that it requires to call other AWS services on your behalf. A service-linked role is a unique type of AWS Identity and Access Management (IAM) role that is linked directly to an AWS service. Service-linked roles provide a secure way to delegate permissions to AWS services because only the linked service can assume a service-linked role. For services that integrate with Application Auto Scaling, Application Auto Scaling creates service-linked roles for you. There is one service-linked role for each service. Each service-linked role trusts the specified service principal to assume it. For more information, see [Service-linked role ARN reference](#specify-service-linked-role). Application Auto Scaling includes all of the necessary permissions for each service-linked role. These managed permissions are created and managed by Application Auto Scaling, and they define the allowed actions for each resource type. For details about the permissions that each role grants, see [AWS managed policies for Application Auto Scaling](security-iam-awsmanpol.md). **Topics** + [ ## Permissions required to create a service-linked role ](#create-service-linked-role-permissions) + [ ## Create service-linked roles (automatic) ](#create-service-linked-role-automatic) + [ ## Create service-linked roles (manual) ](#create-service-linked-role-manual) + [ ## Edit the service-linked roles ](#edit-service-linked-role) + [ ## Delete the service-linked roles ](#delete-service-linked-role) + [ ## Supported Regions for Application Auto Scaling service-linked roles ](#slr-regions) + [ ## Service-linked role ARN reference ](#specify-service-linked-role) ## Permissions required to create a service-linked role Application Auto Scaling requires permissions to create a service-linked role the first time any user in your AWS account calls `RegisterScalableTarget` for a given service. Application Auto Scaling creates a service-linked role for the target service in your account, if the role does not exist already. The service-linked role grants permissions to Application Auto Scaling so that it can call the target service on your behalf. For automatic role creation to succeed, users must have permission for the `iam:CreateServiceLinkedRole` action. ``` "Action": "iam:CreateServiceLinkedRole" ``` The following is an identity-based policy that grants permission to create a service-linked role for Spot Fleet. You can specify the service-linked role in the policy's `Resource` field as an ARN, and the service principal for your service-linked role as a condition, as shown. For the ARN for each service, see [Service-linked role ARN reference](#specify-service-linked-role). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest", "Condition": { "StringLike": { "iam:AWSServiceName":"ec2.application-autoscaling.amazonaws.com" } } } ] } ``` ------ **Note** The `iam:AWSServiceName` IAM condition key specifies the service principal to which the role is attached, which is indicated in this example policy as `ec2.application-autoscaling.amazonaws.com`. Do not try to guess the service principal. To view the service principal for a service, see [AWS services that you can use with Application Auto Scaling](integrated-services-list.md). ## Create service-linked roles (automatic) You don't need to manually create a service-linked role. Application Auto Scaling creates the appropriate service-linked role for you when you call `RegisterScalableTarget`. For example, if you set up automatic scaling for an Amazon ECS service, Application Auto Scaling creates the `AWSServiceRoleForApplicationAutoScaling_ECSService` role. ## Create service-linked roles (manual) To create the service-linked role, you can use the IAM console, AWS CLI, or IAM API. For more information, see [Create a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html) in the *IAM User Guide*. **To create a service-linked role (AWS CLI)** Use the following [create-service-linked-role](https://docs.aws.amazon.com/cli/latest/reference/iam/create-service-linked-role.html) command to create the Application Auto Scaling service-linked role. In the request, specify the service name "prefix". To find the service name prefix, refer to the information about the service principal for the service-linked role for each service in the [AWS services that you can use with Application Auto Scaling](integrated-services-list.md) section. The service name and the service principal share the same prefix. For example, to create the AWS Lambda service-linked role, use `lambda.application-autoscaling.amazonaws.com`. ``` aws iam create-service-linked-role --aws-service-name prefix.application-autoscaling.amazonaws.com ``` ## Edit the service-linked roles With the service-linked roles created by Application Auto Scaling, you can edit only their descriptions. For more information, see [Edit a service-linked role description](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-service-linked-role.html#edit-service-linked-role-iam-console) in the *IAM User Guide*. ## Delete the service-linked roles If you no longer use Application Auto Scaling with a supported service, we recommend that you delete the corresponding service-linked role. You can delete a service-linked role only after first deleting the related AWS resources. This protects you from inadvertently revoking Application Auto Scaling permissions to your resources. For more information, see the [documentation](https://docs.aws.amazon.com/) for the scalable resource. For example, to delete an Amazon ECS service, see [Deleting an Amazon ECS service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/delete-service-v2.html) in the *Amazon Elastic Container Service Developer Guide*. You can use IAM to delete a service-linked role. For more information, see [Delete a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#id_roles_manage_delete_slr) in the *IAM User Guide*. After you delete a service-linked role, Application Auto Scaling creates the role again when you call `RegisterScalableTarget`. ## Supported Regions for Application Auto Scaling service-linked roles Application Auto Scaling supports using service-linked roles in all of the AWS Regions where the service is available. ## Service-linked role ARN reference The following table lists the Amazon Resource Name (ARN) of the service-linked role for each AWS service that works with Application Auto Scaling. **** | Service | ARN | | --- | --- | | AppStream 2.0 | arn:aws:iam::012345678910:role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1AppStreamFleet | | Aurora | arn:aws:iam::012345678910:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1RDSCluster | | Comprehend | arn:aws:iam::012345678910:role/aws-service-role/comprehend.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1ComprehendEndpoint | | DynamoDB | arn:aws:iam::012345678910:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1DynamoDBTable | | ECS | arn:aws:iam::012345678910:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1ECSService | | ElastiCache | arn:aws:iam::012345678910:role/aws-service-role/elasticache.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1ElastiCacheRG | | Keyspaces | arn:aws:iam::012345678910:role/aws-service-role/cassandra.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1CassandraTable | | Lambda | arn:aws:iam::012345678910:role/aws-service-role/lambda.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1LambdaConcurrency | | MSK | arn:aws:iam::012345678910:role/aws-service-role/kafka.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1KafkaCluster | | Neptune | arn:aws:iam::012345678910:role/aws-service-role/neptune.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1NeptuneCluster | | SageMaker AI | arn:aws:iam::012345678910:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1SageMakerEndpoint | | Spot Fleets | arn:aws:iam::012345678910:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1EC2SpotFleetRequest | | WorkSpaces | arn:aws:iam::012345678910:role/aws-service-role/workspaces.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1WorkSpacesPool | | Custom resources | arn:aws:iam::012345678910:role/aws-service-role/custom-resource.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling\$1CustomResource | **Note** You can specify the ARN of a service-linked role for the `RoleARN` property of an [AWS::ApplicationAutoScaling::ScalableTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-applicationautoscaling-scalabletarget.html) resource in your CloudFormation stack templates, even if the specified service-linked role doesn't yet exist. Application Auto Scaling automatically creates the role for you. # Application Auto Scaling identity-based policy examples Identity-based policy examples By default, a brand new user in your AWS account has no permissions to do anything. An IAM administrator must create and assign IAM policies that give an IAM identity (such as a user or role) permission to perform Application Auto Scaling API actions. To learn how to create an IAM policy using the following example JSON policy documents, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*. **Topics** + [ ## Permissions required for Application Auto Scaling API actions ](#application-auto-scaling-actions-permissions) + [ ## Permissions required for API actions on target services and CloudWatch ](#application-auto-scaling-additional-permissions) + [ ## Permissions for working in the AWS Management Console ](#security_iam_id-based-policy-examples-console) ## Permissions required for Application Auto Scaling API actions The following policies grant permissions for common use cases when calling Application Auto Scaling API. Refer to this section when writing identity-based policies. Each policy grants permissions to all or some of the Application Auto Scaling API actions. You also need to make sure that end users have permissions for the target service and CloudWatch (see the next section for details). The following identity-based policy grants permissions to all Application Auto Scaling API actions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:*" ], "Resource": "*" } ] } ``` ------ The following identity-based policy grants permissions to all Application Auto Scaling API actions that are required to configure scaling policies and not scheduled actions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:RegisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:PutScalingPolicy", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DeleteScalingPolicy" ], "Resource": "*" } ] } ``` ------ The following identity-based policy grants permissions to all Application Auto Scaling API actions that are required to configure scheduled actions and not scaling policies. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:RegisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:PutScheduledAction", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DeleteScheduledAction" ], "Resource": "*" } ] } ``` ------ ## Permissions required for API actions on target services and CloudWatch To successfully configure and use Application Auto Scaling with the target service, end users must be granted permissions for Amazon CloudWatch and for each target service for which they will configure scaling. Use the following policies to grant the minimum permissions required to work with target services and CloudWatch. **Topics** + [ ### AppStream 2.0 fleets ](#permissions-for-appstream-fleets) + [ ### Aurora replicas ](#permissions-for-aurora-clusters) + [ ### Amazon Comprehend document classification and entity recognizer endpoints ](#permissions-for-comprehend-endpoints) + [ ### DynamoDB tables and global secondary indexes ](#permissions-for-dynamodb-tables-and-gsis) + [ ### ECS services ](#permissions-for-ecs-services) + [ ### ElastiCache replication groups ](#permissions-for-elasticache) + [ ### Amazon EMR clusters ](#permissions-for-emr-clusters) + [ ### Amazon Keyspaces tables ](#permissions-for-keyspaces-tables) + [ ### Lambda functions ](#permissions-for-lambda-functions) + [ ### Amazon Managed Streaming for Apache Kafka (MSK) broker storage ](#permissions-for-msk-broker-storage) + [ ### Neptune clusters ](#permissions-for-neptune-clusters) + [ ### SageMaker AI endpoints ](#permissions-for-sagemaker-endpoints) + [ ### Spot Fleets (Amazon EC2) ](#permissions-for-spot-fleet) + [ ### Custom resources ](#permissions-for-custom-resources) ### AppStream 2.0 fleets The following identity-based policy grants permissions to all AppStream 2.0 and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:DescribeFleets", "appstream:UpdateFleet", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### Aurora replicas The following identity-based policy grants permissions to all Aurora and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:AddTagsToResource", "rds:CreateDBInstance", "rds:DeleteDBInstance", "rds:DescribeDBClusters", "rds:DescribeDBInstances", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### Amazon Comprehend document classification and entity recognizer endpoints The following identity-based policy grants permissions to all Amazon Comprehend and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "comprehend:UpdateEndpoint", "comprehend:DescribeEndpoint", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### DynamoDB tables and global secondary indexes The following identity-based policy grants permissions to all DynamoDB and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DescribeTable", "dynamodb:UpdateTable", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### ECS services The following identity-based policy grants permissions to all ECS and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeServices", "ecs:UpdateService", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### ElastiCache replication groups The following identity-based policy grants permissions to all ElastiCache and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:ModifyReplicationGroupShardConfiguration", "elasticache:IncreaseReplicaCount", "elasticache:DecreaseReplicaCount", "elasticache:DescribeReplicationGroups", "elasticache:DescribeCacheClusters", "elasticache:DescribeCacheParameters", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### Amazon EMR clusters The following identity-based policy grants permissions to all Amazon EMR and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticmapreduce:ModifyInstanceGroups", "elasticmapreduce:ListInstanceGroups", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### Amazon Keyspaces tables The following identity-based policy grants permissions to all Amazon Keyspaces and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cassandra:Select", "cassandra:Alter", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### Lambda functions The following identity-based policy grants permissions to all Lambda and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lambda:PutProvisionedConcurrencyConfig", "lambda:GetProvisionedConcurrencyConfig", "lambda:DeleteProvisionedConcurrencyConfig", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### Amazon Managed Streaming for Apache Kafka (MSK) broker storage The following identity-based policy grants permissions to all Amazon MSK and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kafka:DescribeCluster", "kafka:DescribeClusterOperation", "kafka:UpdateBrokerStorage", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### Neptune clusters The following identity-based policy grants permissions to all Neptune and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:AddTagsToResource", "rds:CreateDBInstance", "rds:DescribeDBInstances", "rds:DescribeDBClusters", "rds:DescribeDBClusterParameters", "rds:DeleteDBInstance", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### SageMaker AI endpoints The following identity-based policy grants permissions to all SageMaker AI and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeInferenceComponent", "sagemaker:UpdateEndpointWeightsAndCapacities", "sagemaker:UpdateInferenceComponentRuntimeConfig", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### Spot Fleets (Amazon EC2) The following identity-based policy grants permissions to all Spot Fleet and CloudWatch API actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeSpotFleetRequests", "ec2:ModifySpotFleetRequest", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ### Custom resources The following identity-based policy grants permission for the API Gateway API executing action. This policy also grants permissions to all CloudWatch actions that are required. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "execute-api:Invoke", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": "*" } ] } ``` ------ ## Permissions for working in the AWS Management Console There is no standalone Application Auto Scaling console. Most services that integrate with Application Auto Scaling have features that are dedicated to helping you configure scaling with their console. In most cases, each service provides AWS managed (predefined) IAM policies that define access to their console, which includes permissions to the Application Auto Scaling API actions. For more information, refer to the documentation for the service whose console you want to use. You can also create your own custom IAM policies to give users fine-grained permissions to view and work with specific Application Auto Scaling API actions in the AWS Management Console. You can use the example policies in the previous sections; however, they are designed for requests that are made with the AWS CLI or an SDK. The console uses additional API actions for its features, so these policies may not work as expected. For example, to configure step scaling, users might require additional permissions to create and manage CloudWatch alarms. **Tip** To help you work out which API actions are required to perform tasks in the console, you can use a service such as AWS CloudTrail. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html). The following identity-based policy grants permissions to configure scaling policies for Spot Fleet. In addition to the IAM permissions for Spot Fleet, the console user that accesses fleet scaling settings from the Amazon EC2 console must have the appropriate permissions for the services that support dynamic scaling. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:*", "ec2:DescribeSpotFleetRequests", "ec2:ModifySpotFleetRequest", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarms", "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricAlarm", "cloudwatch:DisableAlarmActions", "cloudwatch:EnableAlarmActions", "sns:CreateTopic", "sns:Subscribe", "sns:Get*", "sns:List*" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest", "Condition": { "StringLike": { "iam:AWSServiceName":"ec2.application-autoscaling.amazonaws.com" } } } ] } ``` ------ This policy allows console users to view and modify scaling policies in the Amazon EC2 console, and to create and manage CloudWatch alarms in the CloudWatch console. You can adjust the API actions to limit user access. For example, replacing `application-autoscaling:*` with `application-autoscaling:Describe*` means that the user has read-only access. You can also adjust the CloudWatch permissions as required to limit user access to CloudWatch features. For more information, see [Permissions needed for the CloudWatch console](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-console) in the *Amazon CloudWatch User Guide*. # Troubleshooting access to Application Auto Scaling Troubleshooting If you encounter `AccessDeniedException` or similar difficulties when working with Application Auto Scaling, consult the information in this section. ## I am not authorized to perform an action in Application Auto Scaling If you receive an `AccessDeniedException` when calling an AWS API operation, it means that the AWS Identity and Access Management (IAM) credentials that you are using do not have the required permissions to make that call. The following example error occurs when the `mateojackson` user tries to view details about a scalable target, but does not have `application-autoscaling:DescribeScalableTargets` permission. ``` An error occurred (AccessDeniedException) when calling the DescribeScalableTargets operation: User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: application-autoscaling:DescribeScalableTargets ``` If you receive this or similar errors, then you must contact your administrator for assistance. An administrator for your account will need to make sure that you have permissions to access all of the API actions that Application Auto Scaling uses to access resources in the target service and CloudWatch. There are different permissions required depending on which resources you are working with. Application Auto Scaling also requires permission to create a service-linked role the first time that a user configures scaling for a given resource. ## I'm an administrator and my IAM policy returned an error or isn't working as expected In addition to Application Auto Scaling actions, your IAM policies must grant permissions to call the target service and CloudWatch. If a user or application doesn't have these additional permissions, their access might be unexpectedly denied. To write IAM policies for users and applications in your accounts, consult the information in [Application Auto Scaling identity-based policy examples](security_iam_id-based-policy-examples.md). For information about how validation is performed, see [Permissions validation for Application Auto Scaling API calls on target resources](security_iam_permission_validation.md). Note that some permission issues can also be due to an issue with creating the service-linked roles used by Application Auto Scaling. For information about creating these service-linked roles, see [Service-linked roles for Application Auto Scaling](application-auto-scaling-service-linked-roles.md). # Permissions validation for Application Auto Scaling API calls on target resources Permissions validation Making authorized requests to Application Auto Scaling API actions requires that the API caller has permissions to access AWS resources in the target service and in CloudWatch. Application Auto Scaling validates permissions for requests associated with both the target service and CloudWatch before proceeding with the request. To accomplish this, we issue a series of calls to validate the IAM permissions on target resources. When a response is returned, it is read by Application Auto Scaling. If the IAM permissions do not allow a given action, Application Auto Scaling fails the request and returns an error to the user containing information about the missing permission. This ensures that the scaling configuration that the user wants to deploy functions as intended, and that a useful error is returned if the request fails. As an example of how this works, the following information provides details about how Application Auto Scaling performs permissions validations with Aurora and CloudWatch. When a user calls the `RegisterScalableTarget` API against an Aurora DB cluster, Application Auto Scaling performs all of the following checks to verify that the user has the required permissions (in bold). + **rds:CreateDBInstance**: To determine whether the user has this permission, we send a request to the `CreateDBInstance` API operation, attempting to create a DB instance with invalid parameters (empty instance ID) in the Aurora DB cluster that the user specified. For an authorized user, the API returns an `InvalidParameterValue` error code response after it audits the request. However, for an unauthorized user, we get an `AccessDenied` error and fail the Application Auto Scaling request with a `ValidationException` error to the user that lists the missing permissions. + **rds:DeleteDBInstance**: We send an empty instance ID to the `DeleteDBInstance` API operation. For an authorized user, this request results in an `InvalidParameterValue` error. For an unauthorized user, it results in `AccessDenied` and sends a validation exception to the user (same treatment as described in the first bullet point). + **rds:AddTagsToResource**: Because the `AddTagsToResource` API operation requires an Amazon Resource Name (ARN), it is necessary to specify a "dummy" resource using an invalid account ID (12345) and dummy instance ID (non-existing-db) to construct the ARN (`arn:aws:rds:us-east-1:12345:db:non-existing-db`). For an authorized user, this request results in an `InvalidParameterValue` error. For an unauthorized user, it results in `AccessDenied` and sends a validation exception to the user. + **rds:DescribeDBClusters**: We describe the cluster name for the resource being registered for auto scaling. For an authorized user, we get a valid describe result. For an unauthorized user, it results in `AccessDenied` and sends a validation exception to the user. + **rds:DescribeDBInstances**: We call the `DescribeDBInstances` API with a `db-cluster-id` filter that filters on the cluster name that was provided by the user to register the scalable target. For an authorized user, we are permitted to describe all of the DB instances in the DB cluster. For an unauthorized user, this call results in `AccessDenied` and sends a validation exception to the user. + **cloudwatch:PutMetricAlarm**: We call the `PutMetricAlarm` API without any parameters. Because alarm name is missing, the request results in `ValidationError` for an authorized user. For an unauthorized user, it results in `AccessDenied` and sends a validation exception to the user. + **cloudwatch:DescribeAlarms**: We call the `DescribeAlarms` API with the maximum number of records value set to 1. For an authorized user, we expect information on one alarm in the response. For an unauthorized user, this call results in `AccessDenied` and sends a validation exception to the user. + **cloudwatch:DeleteAlarms**: Similar to `PutMetricAlarm` above, we provide no parameters to `DeleteAlarms` request. Because an alarm name is missing from the request, this call fails with `ValidationError` for an authorized user. For an unauthorized user, it results in `AccessDenied` and sends a validation exception to the user. Whenever any one of these validation exceptions occur, it is logged. You can take steps to manually identify which calls failed validation by using AWS CloudTrail. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html). **Note** If you receive alerts for Application Auto Scaling events using CloudTrail, these alerts will include the Application Auto Scaling calls to validate user permissions by default. To filter out these alerts, use the `invokedBy` field, which will contain `application-autoscaling.amazonaws.com` for these validation checks.