Permissions required for the Amazon ECS console - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions required for the Amazon ECS console

Following the best practice of granting least privilege, you can use the AmazonECS_FullAccess managed policy as a template for creating your own custom policy. That way, you can add permissions to, or remove permissions from, the managed policy based on your specific requirements. For more information, see Permissions details.

Permissions for creating IAM roles

The following actions require additional permissions in order to complete the operation:

You can add these permissions by creating a role in IAM before you use them in the Amazon ECS console. If you do not create the roles, the Amazon ECS console creates them on your behalf.

Permissions required for registering an external instance to a cluster

You need additional permissions when you register an external instance to a cluster and you want to create a new external instance role (ecsExternalInstanceRole).

The following additional permissions are required:

  • iam – Allows principals to create and list IAM roles and their attached policies.

  • ssm – Allows principals to register the external instance with Systems Manager.

Note

In order to choose an existing ecsExternalInstanceRole, you must have the iam:GetRole and iam:PassRole permissions.

The following policy contains the required permissions, and limits the actions to the ecsExternalInstanceRole role.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsExternalInstanceRole"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "ssm:CreateActivation"
      ],
      "Resource": "arn:aws:iam::*:role/ecsExternalInstanceRole"
    }
  ]
}

Permissions required for registering a task definition

You need additional permissions when you register a task definition and you want to create a new task execution role (ecsTaskExecutionRole).

The following additional permissions are required:

  • iam – Allows principals to create and list IAM roles and their attached policies.

Note

In order to choose an existing ecsTaskExecutionRole, you must have the iam:GetRole permission.

The following policy contains the required permissions, and limits the actions to the ecsTaskExecutionRole role.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsTaskExecutionRole"
    }
  ]
}

Permissions required for creating an EventBridge rule for scheduled tasks

You need additional permissions when you schedule a task and you want to create a new CloudWatch Events role (ecsEventsRole).

The following additional permissions are required:

  • iam – Allows principals to create and list IAM roles and their attached policies, and allows Amazon ECS to pass the role to other services so that they can assume it.

Note

In order to choose an existing ecsEventsRole, you must have the iam:GetRole and iam:PassRole permissions.

The following policy contains the required permissions, and limits the actions to the ecsEventsRole role.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsEventsRole"
    }
  ]
}
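Each of these policies limits role-related actions to one named role ARN. Before attaching a custom policy derived from them, it is worth checking that every Allow statement for iam:PassRole, iam:CreateRole and similar actions still names a concrete role rather than a wildcard, and that no action string is malformed (a stray space, as in "iam: PassRole", is rejected by IAM). The following added example is not part of the AWS documentation; it performs that check on a policy document, and the two sample policies it uses are constructed for illustration.

```python
import json
import re

# "<service>:<Action>" with no whitespace; "iam: PassRole" fails this pattern.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")

# A role ARN with a concrete role name; "arn:aws:iam::*:role/*" does not match
# because "*" is not permitted in the role-name part.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::(?:\d{12}|\*):role/[\w+=,.@/-]+$")

# Actions that create, modify or hand over a role. With Resource "*" they grant
# control over every role in the account, not just the ECS console roles.
ROLE_ACTIONS = {"iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy",
                "iam:AddRoleToInstanceProfile"}

def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json: str) -> list[str]:
    """Return findings for an IAM policy document; an empty list means it passes."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if not ACTION_RE.match(action):
                findings.append(f"statement {i}: malformed action {action!r}")
            elif action in ROLE_ACTIONS or action.startswith("iam:*"):
                for res in resources:
                    if not ROLE_ARN_RE.match(res):
                        findings.append(f"statement {i}: {action} allowed on {res!r}, "
                                        "not a single named role ARN")
    return findings

# Constructed sample: the scoped ecsEventsRole policy from this page.
SCOPED = json.dumps({"Statement": [{"Effect": "Allow",
    "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:GetRole", "iam:PassRole"],
    "Resource": "arn:aws:iam::*:role/ecsEventsRole"}]})

# Constructed sample: a whitespace typo in one action and a wildcard Resource.
OVERBROAD = json.dumps({"Statement": [{"Effect": "Allow",
    "Action": ["iam:CreateRole", "iam: PassRole"], "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("overbroad", OVERBROAD)):
        print(name, audit_policy(doc) or "OK")
```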