Amazon EC2 Auto Scaling API permissions

You must grant users permission to call the Amazon EC2 Auto Scaling API actions they need, as described in Policy actions for Amazon EC2 Auto Scaling. In addition, for some Amazon EC2 Auto Scaling actions, you must grant users permission to call specific actions from other Amazon APIs.

Required permissions from other Amazon APIs

In addition to Amazon EC2 Auto Scaling API permissions, users must have the following permissions from other Amazon APIs to successfully perform the associated action.

Create an Auto Scaling group (autoscaling:CreateAutoScalingGroup)
  • iam:CreateServiceLinkedRole – To create the default service-linked role if that role does not yet exist.

  • iam:PassRole – To pass an IAM role to the service or to EC2 instances on launch. Needed when a nondefault service-linked role, an IAM role for a lifecycle hook, or a launch template that specifies an instance profile (a container for an IAM role) is provided.

  • ec2:RunInstances – To launch instances when a launch template is provided.

  • ec2:CreateTags – To tag instances and volumes on launch when a launch template with a tag specification is provided.

Create a lifecycle hook (autoscaling:PutLifecycleHook)
  • iam:PassRole – To pass an IAM role to the service. Needed when an IAM role is provided.

Attach a VPC Lattice target group (autoscaling:AttachTrafficSources)
  • vpc-lattice:RegisterTargets – To automatically register instances with the target group.

Detach a VPC Lattice target group (autoscaling:DetachTrafficSources)
  • vpc-lattice:DeregisterTargets – To automatically deregister instances from the target group.

Create a launch configuration (autoscaling:CreateLaunchConfiguration)
  • ec2:DescribeImages

  • ec2:DescribeInstances

  • ec2:DescribeInstanceAttribute

  • ec2:DescribeKeyPairs

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSpotInstanceRequests

  • ec2:DescribeVpcClassicLink

  • iam:PassRole – To pass an IAM role to EC2 instances on launch. Needed when a launch configuration specifies an instance profile (a container for an IAM role).
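The following is an added example, not code from AWS: an offline pre-flight check that reports which of the companion permissions listed above are missing from an identity policy for a given Auto Scaling action. The feature labels, function names and sample policy are assumptions constructed for this example, and the evaluator is deliberately simplified: it looks only at `Effect` and `Action`, ignoring `Resource`, `Condition`, `NotAction`, permissions boundaries and SCPs.

```python
import fnmatch

# Companion permissions from the list above: (action, triggering feature or None).
# Feature labels are hypothetical names chosen for this example.
COMPANIONS = {
    "autoscaling:CreateAutoScalingGroup": [
        ("iam:CreateServiceLinkedRole", "default_slr_missing"),
        ("iam:PassRole", "passes_role"),
        ("ec2:RunInstances", "launch_template"),
        ("ec2:CreateTags", "launch_template_tags"),
    ],
    "autoscaling:PutLifecycleHook": [("iam:PassRole", "passes_role")],
    "autoscaling:AttachTrafficSources": [("vpc-lattice:RegisterTargets", None)],
    "autoscaling:DetachTrafficSources": [("vpc-lattice:DeregisterTargets", None)],
}

# Constructed sample policy: broad Auto Scaling access, but IAM explicitly denied.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["autoscaling:*", "ec2:Describe*", "EC2:runinstances"]},
        {"Effect": "Deny", "Resource": "*", "Action": "iam:*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action):
    """True if an Allow statement covers the action and no Deny statement does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        # IAM action names are case-insensitive and accept * and ? wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def missing_companions(policy, action, features=()):
    """Companion actions the call needs that the policy does not allow."""
    needed = [a for a, feat in COMPANIONS.get(action, [])
              if feat is None or feat in features]
    return [a for a in needed if not is_allowed(policy, a)]
```

For the sample policy, a `CreateAutoScalingGroup` call that uses a launch template with a tag specification and an instance profile would be reported as missing `iam:PassRole` and `ec2:CreateTags`.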