
Granting IAM permissions for Amazon EC2 Auto Scaling actions

If you receive an AccessDeniedException when calling an Amazon EC2 Auto Scaling API action, the Amazon Identity and Access Management (IAM) credentials that you are using do not have the required permissions to make that call.

By default, a brand new user in your Amazon Web Services account has no permissions to do anything. An IAM administrator must create and assign IAM policies that give an IAM identity (such as a user or role) permission to perform Amazon EC2 Auto Scaling API actions. For more information, see Identity and Access Management for Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

In general, to perform an Amazon EC2 Auto Scaling action, an IAM identity needs only the matching action included in a policy; it does not need to be explicitly granted permission to manage Amazon EC2 instances. However, some operations require multiple actions in a policy. These additional actions are called dependent actions. For example, if you call CreateAutoScalingGroup to create an Auto Scaling group with a launch template, you must also have the Amazon EC2 API permissions necessary to complete this action. For more information, see Amazon EC2 Auto Scaling API permissions in the Amazon EC2 Auto Scaling User Guide.
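
The following is an added example, not code from the AWS documentation: a small pre-deployment check that reports which actions an identity-based policy is missing for a given Amazon EC2 Auto Scaling call, including dependent actions. The dependency map (`ec2:RunInstances` and `iam:PassRole` for `CreateAutoScalingGroup` with a launch template), the function names and the sample policies are assumptions made for illustration; confirm the full list in the User Guide. Resources, conditions and `NotAction` are not evaluated.

```python
import fnmatch

# Assumed dependency map for this example; confirm the complete list in
# "Amazon EC2 Auto Scaling API permissions" in the User Guide.
DEPENDENT_ACTIONS = {
    "autoscaling:CreateAutoScalingGroup": ["ec2:RunInstances", "iam:PassRole"],
}

def _as_list(value):
    # IAM allows a single string/object where a list is also accepted.
    return value if isinstance(value, list) else [value]

def _matches(action, statement):
    """True if the statement's Action patterns cover `action`.
    IAM action names are case-insensitive and may use * and ? wildcards."""
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(action, policy):
    """Action-level evaluation only: an explicit Deny overrides any Allow,
    and the absence of an Allow is an implicit deny."""
    hits = [s for s in _as_list(policy.get("Statement", [])) if _matches(action, s)]
    if any(s.get("Effect") == "Deny" for s in hits):
        return False
    return any(s.get("Effect") == "Allow" for s in hits)

def missing_permissions(api_action, policy):
    """Return the matching action and dependent actions the policy lacks."""
    needed = [api_action] + DEPENDENT_ACTIONS.get(api_action, [])
    return [a for a in needed if not is_allowed(a, policy)]

# Constructed sample: grants only the matching action.
MATCHING_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "autoscaling:CreateAutoScalingGroup",
     "Resource": "*"},
]}

# Constructed sample: adds the dependent actions. The role ARN is a placeholder.
WITH_DEPENDENTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["autoscaling:CreateAutoScalingGroup", "ec2:RunInstances"]},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/EXAMPLE-INSTANCE-ROLE"},
]}

if __name__ == "__main__":
    for name, pol in (("MATCHING_ONLY", MATCHING_ONLY), ("WITH_DEPENDENTS", WITH_DEPENDENTS)):
        print(name, missing_permissions("autoscaling:CreateAutoScalingGroup", pol))
```

An empty result means only that the action names are granted; a request can still be denied by resource scoping, condition keys, permissions boundaries or service control policies.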