Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon Batch

You can use Amazon managed policies for simpler identity and access management for your team and your provisioned Amazon resources. Amazon managed policies cover a variety of common use cases, are available by default in your Amazon account, and are maintained and updated on your behalf. You can't change the permissions in an Amazon managed policy. If you require greater flexibility, you can instead create IAM customer managed policies. That way, you can give your team and your provisioned resources only the permissions they need.

For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies on your behalf. Periodically, Amazon services add additional permissions to an Amazon managed policy. Amazon managed policies are most likely updated when a new feature launch or operation becomes available. These updates automatically affect all identities (users, groups, and roles) where the policy is attached. However, they don't remove permissions or break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Amazon managed policy: BatchServiceRolePolicy

The BatchServiceRolePolicy managed IAM policy is used by the AWSServiceRoleForBatch service-linked role. This allows Amazon Batch to perform actions on your behalf. You can't attach this policy to your IAM entities. For more information, see Use service-linked roles for Amazon Batch.

This policy allows Amazon Batch to complete the following actions on specific resources. Note how the mutating permissions are scoped: create operations must tag the new resource with the AWSBatchServiceTag tag key, terminate and delete operations are limited to resources that already carry that tag key, and Auto Scaling and ECS operations are limited to resources whose names start with AWSBatch. That tag key is therefore a trust boundary: any principal who can add AWSBatchServiceTag to an EC2 instance puts it in scope of the service-linked role's ec2:TerminateInstances permission.

  • autoscaling – Allows Amazon Batch to create and manage Amazon EC2 Auto Scaling resources. Amazon Batch creates and manages Amazon EC2 Auto Scaling groups for most compute environments.

  • ec2 – Allows Amazon Batch to control the lifecycle of Amazon EC2 instances as well as create and manage launch templates and tags. Amazon Batch creates and manages EC2 Spot Fleet requests for some EC2 Spot compute environments.

  • ecs – Allows Amazon Batch to create and manage Amazon ECS clusters, task definitions, and tasks for job execution.

  • eks - Allows Amazon Batch to describe the Amazon EKS cluster resource for validations.

  • iam – Allows Amazon Batch to validate and pass roles provided by the account owner to Amazon EC2, Amazon EC2 Auto Scaling, and Amazon ECS.

  • logs – Allows Amazon Batch to create and manage log groups and log streams for Amazon Batch jobs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSBatchPolicyStatement1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute",
        "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeSpotPriceHistory", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeVpcClassicLink",
        "ec2:DescribeLaunchTemplateVersions", "ec2:RequestSpotFleet",
        "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeScalingActivities",
        "eks:DescribeCluster",
        "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks", "ecs:ListClusters", "ecs:ListContainerInstances",
        "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks",
        "ecs:DeregisterTaskDefinition", "ecs:TagResource", "ecs:ListAccountSettings",
        "logs:DescribeLogGroups",
        "iam:GetInstanceProfile", "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSBatchPolicyStatement2",
      "Effect": "Allow",
      "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream" ],
      "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/batch/job*"
    },
    {
      "Sid": "AWSBatchPolicyStatement3",
      "Effect": "Allow",
      "Action": [ "logs:PutLogEvents" ],
      "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/batch/job*:log-stream:*"
    },
    {
      "Sid": "AWSBatchPolicyStatement4",
      "Effect": "Allow",
      "Action": [ "autoscaling:CreateOrUpdateTags" ],
      "Resource": "*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Sid": "AWSBatchPolicyStatement5",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [ "*" ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com" ]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement6",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [ "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com" ]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement7",
      "Effect": "Allow",
      "Action": [ "ec2:CreateLaunchTemplate" ],
      "Resource": "*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Sid": "AWSBatchPolicyStatement8",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances", "ec2:CancelSpotFleetRequests",
        "ec2:ModifySpotFleetRequest", "ec2:DeleteLaunchTemplate"
      ],
      "Resource": "*",
      "Condition": { "Null": { "aws:ResourceTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Sid": "AWSBatchPolicyStatement9",
      "Effect": "Allow",
      "Action": [ "autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteLaunchConfiguration" ],
      "Resource": "arn:aws-cn:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/AWSBatch*"
    },
    {
      "Sid": "AWSBatchPolicyStatement10",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity", "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration",
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Resource": "arn:aws-cn:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/AWSBatch*"
    },
    {
      "Sid": "AWSBatchPolicyStatement11",
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteCluster", "ecs:DeregisterContainerInstance",
        "ecs:RunTask", "ecs:StartTask", "ecs:StopTask"
      ],
      "Resource": "arn:aws-cn:ecs:*:*:cluster/AWSBatch*"
    },
    {
      "Sid": "AWSBatchPolicyStatement12",
      "Effect": "Allow",
      "Action": [ "ecs:RunTask", "ecs:StartTask", "ecs:StopTask" ],
      "Resource": "arn:aws-cn:ecs:*:*:task-definition/*"
    },
    {
      "Sid": "AWSBatchPolicyStatement13",
      "Effect": "Allow",
      "Action": [ "ecs:StopTask" ],
      "Resource": "arn:aws-cn:ecs:*:*:task/*/*"
    },
    {
      "Sid": "AWSBatchPolicyStatement14",
      "Effect": "Allow",
      "Action": [ "ecs:CreateCluster", "ecs:RegisterTaskDefinition" ],
      "Resource": "*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Sid": "AWSBatchPolicyStatement15",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws-cn:ec2:*::image/*",
        "arn:aws-cn:ec2:*::snapshot/*",
        "arn:aws-cn:ec2:*:*:subnet/*",
        "arn:aws-cn:ec2:*:*:network-interface/*",
        "arn:aws-cn:ec2:*:*:security-group/*",
        "arn:aws-cn:ec2:*:*:volume/*",
        "arn:aws-cn:ec2:*:*:key-pair/*",
        "arn:aws-cn:ec2:*:*:launch-template/*",
        "arn:aws-cn:ec2:*:*:placement-group/*",
        "arn:aws-cn:ec2:*:*:capacity-reservation/*",
        "arn:aws-cn:ec2:*:*:elastic-gpu/*",
        "arn:aws-cn:elastic-inference:*:*:elastic-inference-accelerator/*",
        "arn:aws-cn:resource-groups:*:*:group/*"
      ]
    },
    {
      "Sid": "AWSBatchPolicyStatement16",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws-cn:ec2:*:*:instance/*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Sid": "AWSBatchPolicyStatement17",
      "Effect": "Allow",
      "Action": [ "ec2:CreateTags" ],
      "Resource": [ "*" ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [ "RunInstances", "CreateLaunchTemplate", "RequestSpotFleet" ]
        }
      }
    }
  ]
}

Amazon managed policy: AWSBatchServiceRole

The AWSBatchServiceRole managed IAM policy is typically attached to a role that is also named AWSBatchServiceRole. Following the standard security advice of granting least privilege, use this managed policy as a guide: if any of the permissions it grants aren't needed for your use case, create a custom policy and add only the permissions that you require. This managed policy and role can be used with most compute environment types, but the service-linked role is preferred because it is less error-prone, better scoped, and managed for you. The scoping difference is visible in the two policy documents: BatchServiceRolePolicy allows ec2:TerminateInstances only on instances that carry the AWSBatchServiceTag tag key, whereas this policy allows it on any instance in the account (Resource "*" with no condition).

The AWSBatchServiceRole policy allows Amazon Batch to complete the following actions on specific resources:

  • autoscaling – Allows Amazon Batch to create and manage Amazon EC2 Auto Scaling resources. Amazon Batch creates and manages Amazon EC2 Auto Scaling groups for most compute environments.

  • ec2 – Allows Amazon Batch to manage the lifecycle of Amazon EC2 instances as well as create and manage launch templates and tags. Amazon Batch creates and manages EC2 Spot Fleet requests for some EC2 Spot compute environments.

  • ecs – Allows Amazon Batch to create and manage Amazon ECS clusters, task definitions, and tasks for job execution.

  • iam – Allows Amazon Batch to validate and pass roles provided by the account owner to Amazon EC2, Amazon EC2 Auto Scaling, and Amazon ECS.

  • logs – Allows Amazon Batch to create and manage log groups and log streams for Amazon Batch jobs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSBatchPolicyStatement1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute",
        "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeSpotPriceHistory", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeVpcClassicLink",
        "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate",
        "ec2:RequestSpotFleet", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest",
        "ec2:TerminateInstances", "ec2:RunInstances",
        "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeScalingActivities", "autoscaling:CreateLaunchConfiguration",
        "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity", "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:DeleteAutoScalingGroup", "autoscaling:CreateOrUpdateTags",
        "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks", "ecs:ListAccountSettings", "ecs:ListClusters",
        "ecs:ListContainerInstances", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions",
        "ecs:ListTasks", "ecs:CreateCluster", "ecs:DeleteCluster",
        "ecs:RegisterTaskDefinition", "ecs:DeregisterTaskDefinition", "ecs:RunTask",
        "ecs:StartTask", "ecs:StopTask", "ecs:UpdateContainerAgent",
        "ecs:DeregisterContainerInstance",
        "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups",
        "iam:GetInstanceProfile", "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSBatchPolicyStatement2",
      "Effect": "Allow",
      "Action": "ecs:TagResource",
      "Resource": [ "arn:aws-cn:ecs:*:*:task/*_Batch_*" ]
    },
    {
      "Sid": "AWSBatchPolicyStatement3",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [ "*" ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com" ]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement4",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [ "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com" ]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement5",
      "Effect": "Allow",
      "Action": [ "ec2:CreateTags" ],
      "Resource": [ "*" ],
      "Condition": { "StringEquals": { "ec2:CreateAction": "RunInstances" } }
    }
  ]
}

Amazon managed policy: AWSBatchFullAccess

The AWSBatchFullAccess policy grants full access to all Amazon Batch actions and resources (batch:*). It also grants describe and list permissions for Amazon EC2, Amazon ECS, Amazon EKS, CloudWatch, CloudWatch Logs, and IAM so that IAM identities, either users or roles, can view the resources that Amazon Batch manages on their behalf. Finally, it allows a fixed set of IAM roles, matched by name (for example AWSBatchServiceRole, ecsInstanceRole, and any role whose name starts with AWSBatchJobRole), to be passed to those services, and it allows the caller to create the Amazon Batch service-linked role. Because the PassRole grant is a name allowlist, give job roles names that don't match it unless you intend holders of this policy to be able to pass them.

You can attach AWSBatchFullAccess to your IAM entities. Amazon Batch also attaches this policy to a service role that allows Amazon Batch to perform actions on your behalf.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "batch:*",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs", "ec2:DescribeImages", "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions",
        "ecs:DescribeClusters", "ecs:Describe*", "ecs:List*",
        "eks:DescribeCluster", "eks:ListClusters",
        "logs:Describe*", "logs:Get*", "logs:TestMetricFilter", "logs:FilterLogEvents",
        "iam:ListInstanceProfiles", "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": [
        "arn:aws-cn:iam::*:role/AWSBatchServiceRole",
        "arn:aws-cn:iam::*:role/service-role/AWSBatchServiceRole",
        "arn:aws-cn:iam::*:role/ecsInstanceRole",
        "arn:aws-cn:iam::*:instance-profile/ecsInstanceRole",
        "arn:aws-cn:iam::*:role/iaws-ec2-spot-fleet-role",
        "arn:aws-cn:iam::*:role/aws-ec2-spot-fleet-role",
        "arn:aws-cn:iam::*:role/AWSBatchJobRole*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:CreateServiceLinkedRole" ],
      "Resource": "arn:aws-cn:iam::*:role/*Batch*",
      "Condition": { "StringEquals": { "iam:AWSServiceName": "batch.amazonaws.com" } }
    }
  ]
}
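To make the scoping differences between the three policies concrete, the following Python script (an added example written for this page, not AWS code) implements just enough of IAM's evaluation logic to exercise excerpts of the policies above: wildcard matching of Action and Resource, and the Null and StringEquals condition operators. The policy statements are copied from the page, except that AWSBatchServiceRole's Statement1 is trimmed to two of its many actions; the account ID, Region, instance ID, role names and tag value in the sample requests are constructed. The model deliberately ignores Deny statements, NotAction, policy variables, permissions boundaries and SCPs.

```python
"""Tiny IAM Allow-statement evaluator for the Amazon Batch managed policies.
Added example, not AWS code; models only Allow, wildcard Action/Resource,
and the Null / StringEquals condition operators used in those policies."""
import fnmatch

# Excerpts of the policies shown on this page (see the page for the full text).
BATCH_SERVICE_ROLE_POLICY = {  # attached to the AWSServiceRoleForBatch SLR
    "Statement": [
        {"Sid": "AWSBatchPolicyStatement5", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": ["*"],
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com"]}}},
        {"Sid": "AWSBatchPolicyStatement8", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:CancelSpotFleetRequests",
                    "ec2:ModifySpotFleetRequest", "ec2:DeleteLaunchTemplate"],
         "Resource": "*",
         "Condition": {"Null": {"aws:ResourceTag/AWSBatchServiceTag": "false"}}},
    ]}
AWS_BATCH_SERVICE_ROLE = {  # customer-managed role policy; Statement1 trimmed to 2 actions
    "Statement": [
        {"Sid": "AWSBatchPolicyStatement1", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:RunInstances"], "Resource": "*"},
    ]}
AWS_BATCH_FULL_ACCESS = {  # only the PassRole statement
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws-cn:iam::*:role/AWSBatchServiceRole",
                      "arn:aws-cn:iam::*:role/service-role/AWSBatchServiceRole",
                      "arn:aws-cn:iam::*:role/ecsInstanceRole",
                      "arn:aws-cn:iam::*:instance-profile/ecsInstanceRole",
                      "arn:aws-cn:iam::*:role/iaws-ec2-spot-fleet-role",
                      "arn:aws-cn:iam::*:role/aws-ec2-spot-fleet-role",
                      "arn:aws-cn:iam::*:role/AWSBatchJobRole*"]},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All keys under all operators must match; IAM ANDs them together."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                # "true" requires the key to be absent, "false" requires it present
                if (actual is None) != (_as_list(wanted)[0] == "true"):
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in _as_list(wanted):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches the action, resource and context.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed sample ARNs: the account ID, Region, instance ID and role names are made up.
INSTANCE = "arn:aws-cn:ec2:cn-north-1:123456789012:instance/i-0abc123def4567890"
JOB_ROLE = "arn:aws-cn:iam::123456789012:role/AWSBatchJobRole-etl"
ADMIN_ROLE = "arn:aws-cn:iam::123456789012:role/OrgAdminRole"


def terminate_scoping():
    """Both policies allow ec2:TerminateInstances; only the SLR policy needs the tag."""
    tagged = {"aws:ResourceTag/AWSBatchServiceTag": "ce-1"}  # constructed tag value
    return {
        "slr_untagged_instance": is_allowed(BATCH_SERVICE_ROLE_POLICY, "ec2:TerminateInstances", INSTANCE),
        "slr_tagged_instance": is_allowed(BATCH_SERVICE_ROLE_POLICY, "ec2:TerminateInstances", INSTANCE, tagged),
        "service_role_untagged_instance": is_allowed(AWS_BATCH_SERVICE_ROLE, "ec2:TerminateInstances", INSTANCE),
    }


def passrole_scoping():
    """SLR policy: any role, but only to listed services. Full access: roles matched by name."""
    return {
        "slr_any_role_to_ec2": is_allowed(BATCH_SERVICE_ROLE_POLICY, "iam:PassRole", ADMIN_ROLE,
                                          {"iam:PassedToService": "ec2.amazonaws.com"}),
        "slr_any_role_to_lambda": is_allowed(BATCH_SERVICE_ROLE_POLICY, "iam:PassRole", ADMIN_ROLE,
                                             {"iam:PassedToService": "lambda.amazonaws.com"}),
        "full_access_job_role": is_allowed(AWS_BATCH_FULL_ACCESS, "iam:PassRole", JOB_ROLE),
        "full_access_admin_role": is_allowed(AWS_BATCH_FULL_ACCESS, "iam:PassRole", ADMIN_ROLE),
    }


if __name__ == "__main__":
    print(terminate_scoping())
    print(passrole_scoping())
```

Running the script shows that the service-linked role can terminate only an instance carrying the AWSBatchServiceTag tag key, while a role using the customer-managed AWSBatchServiceRole policy can terminate any instance; and that AWSBatchFullAccess lets its holder pass a role named AWSBatchJobRole-etl but not an arbitrary role, whereas the service-linked role can pass any role as long as the receiving service is EC2 or ECS tasks. The practical corollaries are that the tag key is the trust boundary for the service-linked role's destructive permissions, and that role-naming conventions are part of the security model for AWSBatchFullAccess. For a real authorization decision use the IAM policy simulator, which also accounts for Deny statements, boundaries and SCPs.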

Amazon Batch updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon Batch since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Batch Document history page.

Each entry gives the change, its description, and the date it took effect.

  • BatchServiceRolePolicy policy updated (December 5, 2023): Updated to add support for describing Spot Fleet request history and Amazon EC2 Auto Scaling activities.

  • AWSBatchServiceRole policy updated (December 5, 2023): Updated to add statement IDs and to grant Amazon Batch the ec2:DescribeSpotFleetRequestHistory and autoscaling:DescribeScalingActivities permissions.

  • BatchServiceRolePolicy policy updated (October 20, 2022): Updated to add support for describing Amazon EKS clusters.

  • AWSBatchFullAccess policy updated (October 20, 2022): Updated to add support for listing and describing Amazon EKS clusters.

  • BatchServiceRolePolicy policy updated (May 18, 2022): Updated to add support for Amazon EC2 Capacity Reservation groups that are managed by Amazon Resource Groups. For more information, see Work with Capacity Reservation groups in the Amazon EC2 User Guide.

  • BatchServiceRolePolicy and AWSBatchServiceRole policies updated (December 6, 2021): Updated to add support for describing the status of Amazon Batch managed instances in Amazon EC2 so that unhealthy instances are replaced.

  • BatchServiceRolePolicy policy updated (March 26, 2021): Updated to add support for placement group, capacity reservation, elastic GPU, and Elastic Inference resources in Amazon EC2.

  • BatchServiceRolePolicy policy added (March 10, 2021): With the BatchServiceRolePolicy managed policy for the AWSServiceRoleForBatch service-linked role, you can use a service-linked role managed by Amazon Batch. With this policy, you don't need to maintain your own role for use in your compute environments.

  • AWSBatchFullAccess policy updated to allow creating the service-linked role (March 10, 2021): Added IAM permissions that allow the AWSServiceRoleForBatch service-linked role to be created in the account.

  • Amazon Batch started tracking changes (March 10, 2021): Amazon Batch started tracking changes for its Amazon managed policies.