Amazon managed policies for Application Auto Scaling
An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.
For more information, see Amazon managed policies in the IAM User Guide.
Contents
- Amazon managed policy granting access to AppStream 2.0 and CloudWatch
- Amazon managed policy granting access to Aurora and CloudWatch
- Amazon managed policy granting access to Amazon Comprehend and CloudWatch
- Amazon managed policy granting access to DynamoDB and CloudWatch
- Amazon managed policy granting access to Amazon ECS and CloudWatch
- Amazon managed policy granting access to ElastiCache and CloudWatch
- Amazon managed policy granting access to Amazon Keyspaces and CloudWatch
- Amazon managed policy granting access to Lambda and CloudWatch
- Amazon managed policy granting access to Amazon MSK and CloudWatch
- Amazon managed policy granting access to Neptune and CloudWatch
- Amazon managed policy granting access to SageMaker and CloudWatch
- Amazon managed policy granting access to EC2 Spot Fleet and CloudWatch
- Amazon managed policy granting access to your custom resources and CloudWatch
- Application Auto Scaling updates to Amazon managed policies
Amazon managed policy granting access to AppStream 2.0 and CloudWatch
Policy name: AWSApplicationAutoscalingAppStreamFleetPolicy
You can't attach AWSApplicationAutoscalingAppStreamFleetPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon AppStream and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_AppStreamFleet service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
- Action: appstream:DescribeFleets
- Action: appstream:UpdateFleet
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to Aurora and CloudWatch
Policy name: AWSApplicationAutoscalingRDSClusterPolicy
You can't attach AWSApplicationAutoscalingRDSClusterPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Aurora and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_RDSCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
- Action: rds:AddTagsToResource
- Action: rds:CreateDBInstance
- Action: rds:DeleteDBInstance
- Action: rds:DescribeDBClusters
- Action: rds:DescribeDBInstance
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to Amazon Comprehend and CloudWatch
Policy name: AWSApplicationAutoscalingComprehendEndpointPolicy
You can't attach AWSApplicationAutoscalingComprehendEndpointPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon Comprehend and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_ComprehendEndpoint service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
- Action: comprehend:UpdateEndpoint
- Action: comprehend:DescribeEndpoint
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to DynamoDB and CloudWatch
Policy name: AWSApplicationAutoscalingDynamoDBTablePolicy
You can't attach AWSApplicationAutoscalingDynamoDBTablePolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call DynamoDB and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_DynamoDBTable service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
- Action: dynamodb:DescribeTable
- Action: dynamodb:UpdateTable
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to Amazon ECS and CloudWatch
Policy name: AWSApplicationAutoscalingECSServicePolicy
You can't attach AWSApplicationAutoscalingECSServicePolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon ECS and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_ECSService service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
- Action: ecs:DescribeServices
- Action: ecs:UpdateService
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to ElastiCache and CloudWatch
Policy name: AWSApplicationAutoscalingElastiCacheRGPolicy
You can't attach AWSApplicationAutoscalingElastiCacheRGPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_ElastiCacheRG service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:
- Action: elasticache:DescribeReplicationGroups on all resources
- Action: elasticache:ModifyReplicationGroupShardConfiguration on all resources
- Action: elasticache:IncreaseReplicaCount on all resources
- Action: elasticache:DecreaseReplicaCount on all resources
- Action: elasticache:DescribeCacheClusters on all resources
- Action: elasticache:DescribeCacheParameters on all resources
- Action: cloudwatch:DescribeAlarms on all resources
- Action: cloudwatch:PutMetricAlarm on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*
- Action: cloudwatch:DeleteAlarms on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to Amazon Keyspaces and CloudWatch
Policy name: AWSApplicationAutoscalingCassandraTablePolicy
You can't attach AWSApplicationAutoscalingCassandraTablePolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon Keyspaces and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_CassandraTable service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:
- Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system/table/*
- Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system_schema/table/*
- Action: cassandra:Select on the resource arn:*:cassandra:*:*:/keyspace/system_schema_mcs/table/*
- Action: cassandra:Alter on the resource arn:*:cassandra:*:*:"*"
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to Lambda and CloudWatch
Policy name: AWSApplicationAutoscalingLambdaConcurrencyPolicy
You can't attach AWSApplicationAutoscalingLambdaConcurrencyPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Lambda and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
- Action: lambda:PutProvisionedConcurrencyConfig
- Action: lambda:GetProvisionedConcurrencyConfig
- Action: lambda:DeleteProvisionedConcurrencyConfig
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to Amazon MSK and CloudWatch
Policy name: AWSApplicationAutoscalingKafkaClusterPolicy
You can't attach AWSApplicationAutoscalingKafkaClusterPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon MSK and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_KafkaCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
- Action: kafka:DescribeCluster
- Action: kafka:DescribeClusterOperation
- Action: kafka:UpdateBrokerStorage
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to Neptune and CloudWatch
Policy name: AWSApplicationAutoscalingNeptuneClusterPolicy
You can't attach AWSApplicationAutoscalingNeptuneClusterPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_NeptuneCluster service-linked role permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:
- Action: rds:AddTagsToResource on resources with the prefix autoscaled-reader in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"}})
- Action: rds:ListTagsForResource on all resources
- Action: rds:CreateDBInstance on resources with the prefix autoscaled-reader in all DB clusters ("Resource":"arn:*:rds:*:*:db:autoscaled-reader*", "arn:aws:rds:*:*:cluster:*") in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"}})
- Action: rds:DescribeDBInstances on all resources
- Action: rds:DescribeDBClusters on all resources
- Action: rds:DescribeDBClusterParameters on all resources
- Action: rds:DeleteDBInstance on the resource arn:*:rds:*:*:db:autoscaled-reader*
- Action: cloudwatch:DescribeAlarms on all resources
- Action: cloudwatch:PutMetricAlarm on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*
- Action: cloudwatch:DeleteAlarms on the resource arn:*:cloudwatch:*:*:alarm:TargetTracking*
- Action: cloudwatch:DeleteAlarms
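The Aurora and Neptune permission lists on this page differ in how far each service-linked role can reach: one grants rds:DeleteDBInstance on all resources, the other only on db:autoscaled-reader*. The Python sketch below is an added example, not AWS's policy JSON or code from this guide; the statements are transcribed from the lists on this page, the evaluator is a simplified model (Allow statements and StringEquals only), and the ARNs and instance names are constructed.

```python
import re

# Statements transcribed from the permission lists on this page (constructed
# for illustration; not the verbatim policy JSON published by AWS).
AURORA = [
    {"Action": ["rds:CreateDBInstance", "rds:DeleteDBInstance"], "Resource": ["*"]},
]
NEPTUNE = [
    {"Action": ["rds:CreateDBInstance"],
     "Resource": ["arn:*:rds:*:*:db:autoscaled-reader*", "arn:aws:rds:*:*:cluster:*"],
     "Condition": {"StringEquals": {"rds:DatabaseEngine": "neptune"}}},
    {"Action": ["rds:DeleteDBInstance"],
     "Resource": ["arn:*:rds:*:*:db:autoscaled-reader*"]},
]

def _glob(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def allows(statements, action, resource, context=None):
    """True if any Allow statement matches action, resource and StringEquals keys.

    Simplified model: no explicit Deny, SCPs or permissions boundaries.
    """
    context = context or {}
    for st in statements:
        if not any(_glob(a.lower(), action.lower()) for a in st["Action"]):
            continue
        if not any(_glob(r, resource) for r in st["Resource"]):
            continue
        wanted = st.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) == v for k, v in wanted.items()):
            return True
    return False

# Constructed ARNs; 111122223333 is a placeholder account ID.
READER = "arn:aws:rds:us-east-1:111122223333:db:autoscaled-reader-1"
PRIMARY = "arn:aws:rds:us-east-1:111122223333:db:orders-primary"

def blast_radius():
    """Which role's policy would permit which call, per the lists on this page."""
    neptune, mysql = {"rds:DatabaseEngine": "neptune"}, {"rds:DatabaseEngine": "mysql"}
    return {
        "aurora_delete_primary": allows(AURORA, "rds:DeleteDBInstance", PRIMARY),
        "neptune_delete_primary": allows(NEPTUNE, "rds:DeleteDBInstance", PRIMARY),
        "neptune_delete_reader": allows(NEPTUNE, "rds:DeleteDBInstance", READER),
        "neptune_create_neptune": allows(NEPTUNE, "rds:CreateDBInstance", READER, neptune),
        "neptune_create_mysql": allows(NEPTUNE, "rds:CreateDBInstance", READER, mysql),
    }
```

The same `allows` function can be pointed at a customer managed policy to check that a narrowed statement still permits the calls a workload needs.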
Amazon managed policy granting access to SageMaker and CloudWatch
Policy name: AWSApplicationAutoscalingSageMakerEndpointPolicy
You can't attach AWSApplicationAutoscalingSageMakerEndpointPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call SageMaker and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
- Action: sagemaker:DescribeEndpoint
- Action: sagemaker:DescribeEndpointConfig
- Action: sagemaker:UpdateEndpointWeightsAndCapacities
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to EC2 Spot Fleet and CloudWatch
Policy name: AWSApplicationAutoscalingEC2SpotFleetRequestPolicy
You can't attach AWSApplicationAutoscalingEC2SpotFleetRequestPolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call Amazon EC2 and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
- Action: ec2:DescribeSpotFleetRequests
- Action: ec2:ModifySpotFleetRequest
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Amazon managed policy granting access to your custom resources and CloudWatch
Policy name: AWSApplicationAutoScalingCustomResourcePolicy
You can't attach AWSApplicationAutoScalingCustomResourcePolicy to your IAM identities (users or roles). This policy is attached to a service-linked role that allows Application Auto Scaling to call your custom resources that are available through API Gateway and CloudWatch and perform scaling on your behalf.
Permission details
The AWSServiceRoleForApplicationAutoScaling_CustomResource service-linked role permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
- Action: execute-api:Invoke
- Action: cloudwatch:DescribeAlarms
- Action: cloudwatch:PutMetricAlarm
- Action: cloudwatch:DeleteAlarms
Application Auto Scaling updates to Amazon managed policies
View details about updates to Amazon managed policies for Application Auto Scaling since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Application Auto Scaling Document history page.
Change | Description | Date |
---|---|---|
Application Auto Scaling adds Neptune policy | Application Auto Scaling added a new managed policy for Neptune. This policy is attached to a service-linked role that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf. | October 6, 2021 |
Application Auto Scaling adds ElastiCache for Redis policy | Application Auto Scaling added a new managed policy for ElastiCache. This policy is attached to a service-linked role that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf. | August 19, 2021 |
Application Auto Scaling started tracking changes | Application Auto Scaling started tracking changes for its Amazon managed policies. | August 19, 2021 |