Permissions required for the Amazon ECS console - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions required for the Amazon ECS console

Following the best practice of granting least privilege, you can use the AmazonECS_FullAccess managed policy as a template for creating your own custom policy. That way, you can add permissions to, or remove permissions from, the managed policy based on your specific requirements. For more information, see Permissions details.

The Amazon ECS console is powered by Amazon CloudFormation and requires additional IAM permissions in the following cases:

  • Creating a cluster

  • Creating a service

  • Creating a capacity provider

You can create a policy for the additional permissions, and then attach it to the IAM role or user you use to access the console. For more information, see Creating IAM policies in the IAM User Guide.

Amazon ECS IAM permissions required for creating a cluster

When you create a cluster in the console, you need additional permissions to manage the Amazon CloudFormation stack that the console creates for the cluster.

The following additional permissions are required:

  • cloudformation – Allows principals to create and manage Amazon CloudFormation stacks. This is required when creating Amazon ECS clusters using the Amazon Web Services Management Console and the subsequent managing of those clusters.

The following policy contains the required Amazon CloudFormation permissions and limits the actions to stacks whose names begin with Infra-ECS-Cluster-, the prefix the Amazon ECS console uses for cluster stacks.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStack*",
        "cloudformation:UpdateStack"
      ],
      "Resource": [
        "arn:*:cloudformation:*:*:stack/Infra-ECS-Cluster-*"
      ]
    }
  ]
}

If you have not created the Amazon ECS container instance role (ecsInstanceRole), and you are creating a cluster that uses Amazon EC2 instances, then the console will create the role on your behalf.

In addition, if you use Auto Scaling groups, then you need additional permissions so that the console can tag the Auto Scaling groups when you use the cluster auto scaling feature.

The following additional permissions are required:

  • autoscaling – Allows the console to tag Amazon EC2 Auto Scaling groups. This is required when the console manages Auto Scaling groups for the cluster auto scaling feature. The tag is the ECS-managed tag that the console adds to the group to indicate that it was created in the console.

  • iam – Allows the console to create the ecsInstanceRole role and its instance profile, attach the required managed policy to the role, and read the role and the instance profiles associated with it.

The following policy contains the required IAM permissions and limits them to the ecsInstanceRole role.

The Auto Scaling permission is not limited to a resource (Resource is "*"). autoscaling:CreateOrUpdateTags supports resource-level permissions, so if you know the ARNs of the Auto Scaling groups the cluster will use, you can narrow this statement to them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsInstanceRole"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:CreateOrUpdateTags",
      "Resource": "*"
    }
  ]
}

Amazon ECS IAM permissions required for creating a capacity provider

When you create a capacity provider in the console, you need additional permissions to manage the Amazon CloudFormation stack that the console creates for it. The following additional permissions are required:

  • cloudformation – Allows principals to create and manage Amazon CloudFormation stacks. This is required when creating Amazon ECS capacity providers using the Amazon Web Services Management Console and the subsequent managing of those capacity providers.

The following policy contains the required permissions and limits the actions to stacks whose names begin with Infra-ECS-CapacityProvider-, the prefix the Amazon ECS console uses for capacity provider stacks.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStack*",
        "cloudformation:UpdateStack"
      ],
      "Resource": [
        "arn:*:cloudformation:*:*:stack/Infra-ECS-CapacityProvider-*"
      ]
    }
  ]
}

Amazon ECS IAM permissions required for creating a service

When you create a service in the console, you need additional permissions to manage the Amazon CloudFormation stack that the console creates for the service. The following additional permissions are required:

  • cloudformation – Allows principals to create and manage Amazon CloudFormation stacks. This is required when creating Amazon ECS services using the Amazon Web Services Management Console and the subsequent managing of those services.

The following policy contains the required permissions and limits the actions to stacks whose names begin with ECS-Console-V2-Service-, the prefix the Amazon ECS console uses for service stacks.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStack*",
        "cloudformation:UpdateStack"
      ],
      "Resource": [
        "arn:*:cloudformation:*:*:stack/ECS-Console-V2-Service-*"
      ]
    }
  ]
}

Permissions for creating IAM roles

The following operations require additional permissions when the Amazon ECS console has to create an IAM role on your behalf: registering an external instance to a cluster, registering a task definition, and creating an EventBridge rule for scheduled tasks.

You can avoid granting these role-creation permissions by creating the roles in IAM before you use them in the Amazon ECS console. If you do not create the roles, the Amazon ECS console creates them on your behalf, and the console principal needs the permissions listed in each section.

Amazon ECS IAM permissions required for registering an external instance to a cluster

You need additional permissions when you register an external instance to a cluster and you want the console to create a new external instance role (ecsExternalInstanceRole).

The following additional permissions are required:

  • iam – Allows principals to create the ecsExternalInstanceRole role and its instance profile, attach a policy to the role, read the role and its instance profiles, and pass the role to Systems Manager.

  • ssm – Allows principals to register the external instance with Systems Manager.

Note

In order to choose an existing ecsExternalInstanceRole, you must have the iam:GetRole and iam:PassRole permissions.

The following policy contains the required permissions and limits the IAM actions to the ecsExternalInstanceRole role. ssm:CreateActivation does not accept a resource ARN, so it is granted on Resource "*" in its own statement rather than being scoped to the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsExternalInstanceRole"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:CreateActivation",
      "Resource": "*"
    }
  ]
}

Amazon ECS IAM permissions required for registering a task definition

You need additional permissions when you register a task definition and you want to create a new task execution (ecsTaskExecutionRole) role.

The following additional permissions are required:

  • iam – Allows principals to create the ecsTaskExecutionRole role, attach a policy to it, and read the role.

Note

In order to choose an existing ecsTaskExecutionRole, you must have the iam:GetRole permission.

The following policy contains the required permissions and limits the actions to the ecsTaskExecutionRole role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsTaskExecutionRole"
    }
  ]
}

Amazon ECS IAM permissions required for creating an EventBridge rule for scheduled tasks

You need additional permissions when you schedule a task and you want the console to create a new EventBridge (formerly CloudWatch Events) role, ecsEventsRole.

The following additional permissions are required:

  • iam – Allows principals to create the ecsEventsRole role, attach a policy to it, read the role, and pass it to EventBridge so that EventBridge can assume it to run the scheduled task.

Note

In order to choose an existing ecsEventsRole, you must have the iam:GetRole and iam:PassRole permissions.

The following policy contains the required permissions and limits the actions to the ecsEventsRole role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsEventsRole"
    }
  ]
}
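In practice you attach these fragments as one customer-managed policy rather than one policy per section. The following Python is an added example and not AWS documentation code. It transcribes the cluster, capacity provider, service, task definition and scheduled task fragments from this page, merges them into a single policy document (the three CloudFormation statements collapse into one statement listing the three stack-name prefixes), and lints the result for the mistakes that bite when these policies are hand-edited: a missing Version, a malformed action name such as one containing a space, and a cloudformation or iam action granted on Resource "*". The operation labels used as dictionary keys are this example's own, not AWS identifiers.

```python
"""Compose the Amazon ECS console permission fragments into one policy and lint it.

Added example, not AWS documentation code.  FRAGMENTS is transcribed from the
policies on this page; the operation names used as keys are this example's own.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# service:Action with no whitespace; '*' allowed for wildcards such as DescribeStack*
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")

# Action prefixes the page always scopes to a resource ARN; Resource "*" on these is a finding.
SCOPED_PREFIXES = ("cloudformation:", "iam:")

CFN_ACTIONS = ["cloudformation:CreateStack", "cloudformation:DeleteStack",
               "cloudformation:DescribeStack*", "cloudformation:UpdateStack"]

FRAGMENTS: Dict[str, List[Dict[str, Any]]] = {
    "create-cluster": [
        {"Effect": "Allow", "Action": CFN_ACTIONS,
         "Resource": ["arn:*:cloudformation:*:*:stack/Infra-ECS-Cluster-*"]},
        {"Effect": "Allow",
         "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:CreateInstanceProfile",
                    "iam:AddRoleToInstanceProfile", "iam:ListInstanceProfilesForRole",
                    "iam:GetRole"],
         "Resource": "arn:aws:iam::*:role/ecsInstanceRole"},
        # The page leaves the Auto Scaling tagging permission unscoped.
        {"Effect": "Allow", "Action": "autoscaling:CreateOrUpdateTags", "Resource": "*"},
    ],
    "create-capacity-provider": [
        {"Effect": "Allow", "Action": CFN_ACTIONS,
         "Resource": ["arn:*:cloudformation:*:*:stack/Infra-ECS-CapacityProvider-*"]},
    ],
    "create-service": [
        {"Effect": "Allow", "Action": CFN_ACTIONS,
         "Resource": ["arn:*:cloudformation:*:*:stack/ECS-Console-V2-Service-*"]},
    ],
    "register-task-definition": [
        {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:GetRole"],
         "Resource": "arn:aws:iam::*:role/ecsTaskExecutionRole"},
    ],
    "schedule-task": [
        {"Effect": "Allow",
         "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:GetRole", "iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/ecsEventsRole"},
    ],
}


def _as_list(value: Any) -> List[str]:
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def build_policy(operations: List[str]) -> Dict[str, Any]:
    """Union the fragments for the chosen console operations into one policy.

    Statements with the same Effect and the same action set are merged by
    taking the union of their Resource ARNs, so the stack-name prefixes stay
    explicit instead of being widened to "*".
    """
    merged: Dict[Tuple[str, Tuple[str, ...]], List[str]] = {}
    for op in operations:
        for stmt in FRAGMENTS[op]:
            key = (stmt["Effect"], tuple(sorted(_as_list(stmt["Action"]))))
            resources = merged.setdefault(key, [])
            for arn in _as_list(stmt["Resource"]):
                if arn not in resources:
                    resources.append(arn)
    statements = [
        {"Effect": effect, "Action": list(actions),
         "Resource": resources[0] if len(resources) == 1 else resources}
        for (effect, actions), resources in merged.items()
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings for the mistakes these hand-edited policies are prone to."""
    findings: List[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("missing or outdated Version; use 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if not ACTION_RE.match(action):
                findings.append(f"statement {i}: malformed action {action!r}")
            if action.startswith(SCOPED_PREFIXES) and "*" in resources:
                findings.append(f"statement {i}: {action} granted on Resource '*'")
    return findings


if __name__ == "__main__":
    policy = build_policy(list(FRAGMENTS))
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
```

Run it and paste the printed document into a customer-managed policy, then attach that policy to the console principal. Because merging is keyed on the exact action set, a fragment whose actions differ (for example the ecsInstanceRole statement, which includes instance-profile actions) stays separate and keeps its own role ARN.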