Amazon managed policies for Application Auto Scaling
An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.
For more information, see Amazon managed policies in the IAM User Guide.
Amazon managed policy: AppStream 2.0 and CloudWatch
Policy name: AWSApplicationAutoscalingAppStreamFleetPolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_AppStreamFleet to allow Application Auto Scaling to call Amazon AppStream and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
-
Action:
appstream:DescribeFleets
-
Action:
appstream:UpdateFleet
-
Action:
cloudwatch:DescribeAlarms
-
Action:
cloudwatch:PutMetricAlarm
-
Action:
cloudwatch:DeleteAlarms
Amazon managed policy: Aurora and CloudWatch
Policy name: AWSApplicationAutoscalingRDSClusterPolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_RDSCluster to allow Application Auto Scaling to call Aurora and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
-
Action:
rds:AddTagsToResource
-
Action:
rds:CreateDBInstance
-
Action:
rds:DeleteDBInstance
-
Action:
rds:DescribeDBClusters
-
Action:
rds:DescribeDBInstance
-
Action:
cloudwatch:DescribeAlarms
-
Action:
cloudwatch:PutMetricAlarm
-
Action:
cloudwatch:DeleteAlarms
Amazon managed policy: Amazon Comprehend and CloudWatch
Policy name: AWSApplicationAutoscalingComprehendEndpointPolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_ComprehendEndpoint to allow Application Auto Scaling to call Amazon Comprehend and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
-
Action:
comprehend:UpdateEndpoint
-
Action:
comprehend:DescribeEndpoint
-
Action:
cloudwatch:DescribeAlarms
-
Action:
cloudwatch:PutMetricAlarm
-
Action:
cloudwatch:DeleteAlarms
Amazon managed policy: DynamoDB and CloudWatch
Policy name: AWSApplicationAutoscalingDynamoDBTablePolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_DynamoDBTable to allow Application Auto Scaling to call DynamoDBand CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
-
Action:
dynamodb:DescribeTable
-
Action:
dynamodb:UpdateTable
-
Action:
cloudwatch:DescribeAlarms
-
Action:
cloudwatch:PutMetricAlarm
-
Action:
cloudwatch:DeleteAlarms
Amazon managed policy: Amazon ECS and CloudWatch
Policy name: AWSApplicationAutoscalingECSServicePolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_ECSService to allow Application Auto Scaling to call Amazon ECS and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
-
Action:
ecs:DescribeServices
-
Action:
ecs:UpdateService
-
Action:
cloudwatch:PutMetricAlarm
-
Action:
cloudwatch:DescribeAlarms
-
Action:
cloudwatch:GetMetricData
-
Action:
cloudwatch:DeleteAlarms
Amazon managed policy: ElastiCache and CloudWatch
Policy name: AWSApplicationAutoscalingElastiCacheRGPolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_ElastiCacheRG to allow Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:
-
Action:
elasticache:DescribeReplicationGroups
on all resources -
Action:
elasticache:ModifyReplicationGroupShardConfiguration
on all resources -
Action:
elasticache:IncreaseReplicaCount
on all resources -
Action:
elasticache:DecreaseReplicaCount
on all resources -
Action:
elasticache:DescribeCacheClusters
on all resources -
Action:
elasticache:DescribeCacheParameters
on all resources -
Action:
cloudwatch:DescribeAlarms
on all resources -
Action:
cloudwatch:PutMetricAlarm
on the resourcearn:aws:cloudwatch:*:*:alarm:TargetTracking*
-
Action:
cloudwatch:DeleteAlarms
on the resourcearn:aws:cloudwatch:*:*:alarm:TargetTracking*
-
Action:
cloudwatch:DeleteAlarms
Amazon managed policy: Amazon Keyspaces and CloudWatch
Policy name: AWSApplicationAutoscalingCassandraTablePolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_CassandraTable to allow Application Auto Scaling to call Amazon Keyspaces and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:
-
Action:
cassandra:Select
on the following resources:arn:*:cassandra:*:*:/keyspace/system/table/*
arn:*:cassandra:*:*:/keyspace/system_schema/table/*
arn:*:cassandra:*:*:/keyspace/system_schema_mcs/table/*
-
Action:
cassandra:Alter
on all resources -
Action:
cloudwatch:DescribeAlarms
on all resources -
Action:
cloudwatch:PutMetricAlarm
on all resources -
Action:
cloudwatch:DeleteAlarms
on all resources
Amazon managed policy: Lambda and CloudWatch
Policy name: AWSApplicationAutoscalingLambdaConcurrencyPolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency to allow Application Auto Scaling to call Lambda and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
-
Action:
lambda:PutProvisionedConcurrencyConfig
-
Action:
lambda:GetProvisionedConcurrencyConfig
-
Action:
lambda:DeleteProvisionedConcurrencyConfig
-
Action:
cloudwatch:DescribeAlarms
-
Action:
cloudwatch:PutMetricAlarm
-
Action:
cloudwatch:DeleteAlarms
Amazon managed policy: Amazon MSK and CloudWatch
Policy name: AWSApplicationAutoscalingKafkaClusterPolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_KafkaCluster to allow Application Auto Scaling to call Amazon MSK and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
-
Action:
kafka:DescribeCluster
-
Action:
kafka:DescribeClusterOperation
-
Action:
kafka:UpdateBrokerStorage
-
Action:
cloudwatch:DescribeAlarms
-
Action:
cloudwatch:PutMetricAlarm
-
Action:
cloudwatch:DeleteAlarms
Amazon managed policy: Neptune and CloudWatch
Policy name: AWSApplicationAutoscalingNeptuneClusterPolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_NeptuneCluster to allow Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:
-
Action:
rds:ListTagsForResource
on all resources -
Action:
rds:DescribeDBInstances
on all resources -
Action:
rds:DescribeDBClusters
on all resources -
Action:
rds:DescribeDBClusterParameters
on all resources -
Action:
cloudwatch:DescribeAlarms
on all resources -
Action:
rds:AddTagsToResource
on resources with the prefix autoscaled-reader in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"}
) -
Action:
rds:CreateDBInstance
on resources with the prefix autoscaled-reader in all DB clusters ("Resource":"arn:*:rds:*:*:db:autoscaled-reader*", "arn:aws:rds:*:*:cluster:*"
) in the Amazon Neptune database engine ("Condition":{"StringEquals":{"rds:DatabaseEngine":"neptune"}
) -
Action:
rds:DeleteDBInstance
on the resourcearn:aws:rds:*:*:db:autoscaled-reader*
-
Action:
cloudwatch:PutMetricAlarm
on the resourcearn:aws:cloudwatch:*:*:alarm:TargetTracking*
-
Action:
cloudwatch:DeleteAlarms
on the resourcearn:aws:cloudwatch:*:*:alarm:TargetTracking*
Amazon managed policy: SageMaker AI and CloudWatch
Policy name: AWSApplicationAutoscalingSageMakerEndpointPolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint to allow Application Auto Scaling to call SageMaker AI and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:
-
Action:
sagemaker:DescribeEndpoint
on all resources -
Action:
sagemaker:DescribeEndpointConfig
on all resources -
Action:
sagemaker:DescribeInferenceComponent
on all resources -
Action:
sagemaker:UpdateEndpointWeightsAndCapacities
on all resources -
Action:
sagemaker:UpdateInferenceComponentRuntimeConfig
on all resources -
Action:
cloudwatch:DescribeAlarms
on all resources -
Action:
cloudwatch:GetMetricData
on all resources -
Action:
cloudwatch:PutMetricAlarm
on the resourcearn:aws:cloudwatch:*:*:alarm:TargetTracking*
-
Action:
cloudwatch:DeleteAlarms
on the resourcearn:aws:cloudwatch:*:*:alarm:TargetTracking*
Amazon managed policy: EC2 Spot Fleet and CloudWatch
Policy name: AWSApplicationAutoscalingEC2SpotFleetRequestPolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest to allow Application Auto Scaling to call Amazon EC2 and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
-
Action:
ec2:DescribeSpotFleetRequests
-
Action:
ec2:ModifySpotFleetRequest
-
Action:
cloudwatch:DescribeAlarms
-
Action:
cloudwatch:PutMetricAlarm
-
Action:
cloudwatch:DeleteAlarms
Amazon managed policy: WorkSpaces and CloudWatch
Policy name: AWSApplicationAutoscalingWorkSpacesPoolPolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_WorkSpacesPool to allow Application Auto Scaling to call WorkSpaces and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on the specified resources:
-
Action:
workspaces:DescribeWorkspacesPools
on all resources from the same account as the SLR -
Action:
workspaces:UpdateWorkspacesPool
on all resources from the same account as the SLR -
Action:
cloudwatch:DescribeAlarms
on all alarms from the same account as the SLR -
Action:
cloudwatch:PutMetricAlarm
on all alarms from the same account as the SLR, where the alarm name starts with TargetTracking -
Action:
cloudwatch:DeleteAlarms
on all alarms from the same account as the SLR, where the alarm name starts with TargetTracking
Amazon managed policy: custom resources and CloudWatch
Policy name: AWSApplicationAutoScalingCustomResourcePolicy
This policy is attached to the service-linked role named AWSServiceRoleForApplicationAutoScaling_CustomResource to allow Application Auto Scaling to call your custom resources that are available through API Gateway and CloudWatch and perform scaling on your behalf.
Permission details
The permissions policy allows Application Auto Scaling to complete the following actions on all related resources ("Resource": "*"):
-
Action:
execute-api:Invoke
-
Action:
cloudwatch:DescribeAlarms
-
Action:
cloudwatch:PutMetricAlarm
-
Action:
cloudwatch:DeleteAlarms
Application Auto Scaling updates to Amazon managed policies
View details about updates to Amazon managed policies for Application Auto Scaling since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Application Auto Scaling Document history page.
Change | Description | Date |
---|---|---|
AWSApplicationAutoscalingECSServicePolicy – Update an existing policy |
Added permission to call CloudWatch |
November 21, 2024 |
AWSApplicationAutoscalingWorkSpacesPoolPolicy – New policy |
Added a managed policy for Amazon WorkSpaces. This policy is attached to a service-linked role that allows Application Auto Scaling to call WorkSpaces and CloudWatch and perform scaling on your behalf. |
June 24, 2024 |
AWSApplicationAutoscalingSageMakerEndpointPolicy – Update to an existing policy |
Added permissions to call the SageMaker AI |
November 13, 2023 |
AWSApplicationAutoscalingNeptuneClusterPolicy – New policy |
Added a managed policy for Neptune. This policy is attached to a service-linked role that allows Application Auto Scaling to call Neptune and CloudWatch and perform scaling on your behalf. |
October 6, 2021 |
AWSApplicationAutoscalingRDSClusterPolicy – New policy |
Added a managed policy for ElastiCache. This policy is attached to a service-linked role that allows Application Auto Scaling to call ElastiCache and CloudWatch and perform scaling on your behalf. |
August 19, 2021 |
Application Auto Scaling started tracking changes |
Application Auto Scaling started tracking changes for its Amazon managed policies. |
August 19, 2021 |