Using Identity-Based Policies (IAM Policies) for Amazon Cloud Map - Amazon Cloud Map
This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform actions on Amazon Cloud Map resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options to manage access to your Amazon Cloud Map resources. For more information, see Overview of Managing Access Permissions to Your Amazon Cloud Map Resources.

The following example shows a permissions policy that grants a user permission to register, deregister, and discover service instances. The Sid, or statement ID, is optional:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowInstancePermissions",
            "Effect": "Allow",
            "Action": [
                "servicediscovery:RegisterInstance",
                "servicediscovery:DeregisterInstance",
                "servicediscovery:DiscoverInstances",
                "servicediscovery:Get*",
                "servicediscovery:List*",
                "route53:GetHostedZone",
                "route53:ListHostedZonesByName",
                "route53:ChangeResourceRecordSets",
                "route53:CreateHealthCheck",
                "route53:GetHealthCheck",
                "route53:DeleteHealthCheck",
                "route53:UpdateHealthCheck",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}

The policy grants permissions to the actions that are required to register and manage service instances. The Route 53 permissions are required if you're using public or private DNS namespaces, because Amazon Cloud Map creates, updates, and deletes Route 53 records and health checks when you register and deregister instances. The wildcard character (*) in Resource grants access to all Amazon Cloud Map resources, and to all Route 53 hosted zones, records, and health checks, that are owned by the current Amazon account. Note in particular that route53:ChangeResourceRecordSets on Resource "*" lets the principal change records in every hosted zone in the account, not only in the zones that Amazon Cloud Map manages; if that is broader than you want, restrict the Route 53 statement to the hosted zone ARNs that back your namespaces.

For a list of actions and the ARN that you specify to grant or deny permission to use each action, see Amazon Cloud Map API Permissions: Actions, Resources, and Conditions Reference.

Permissions Required to Use the Amazon Cloud Map Console

To grant full access to the Amazon Cloud Map console, you grant the permissions in the following permissions policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicediscovery:*",
                "route53:GetHostedZone",
                "route53:ListHostedZonesByName",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:CreateHealthCheck",
                "route53:GetHealthCheck",
                "route53:DeleteHealthCheck",
                "route53:UpdateHealthCheck",
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}

Here's why the permissions are required:

servicediscovery:*

Lets you perform all Amazon Cloud Map actions.

route53:CreateHostedZone, route53:GetHostedZone, route53:ListHostedZonesByName, route53:DeleteHostedZone

Lets Amazon Cloud Map manage hosted zones when you create and delete public and private DNS namespaces.

route53:CreateHealthCheck, route53:GetHealthCheck, route53:DeleteHealthCheck, route53:UpdateHealthCheck

Lets Amazon Cloud Map manage health checks for services that you create with Amazon Route 53 health checks enabled.

ec2:DescribeVpcs and ec2:DescribeRegions

Let Amazon Cloud Map manage private hosted zones.

Amazon Managed (Predefined) Policies for Amazon Cloud Map

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see Amazon Managed Policies in the IAM User Guide. For Amazon Cloud Map, IAM provides the following managed policies:

  • AWSCloudMapDiscoverInstanceAccess – Grants access to the Amazon Cloud Map DiscoverInstances API action

  • AWSCloudMapReadOnlyAccess – Grants read-only access to all Amazon Cloud Map actions

  • AWSCloudMapRegisterInstanceAccess – Grants read-only access to namespaces and services, and grants permission to register and deregister service instances

  • AWSCloudMapFullAccess – Provides full access to all Amazon Cloud Map actions

Customer Managed Policy Examples

You can create your own custom IAM policies to allow permissions for Amazon Cloud Map actions. You can attach these custom policies to the IAM users or groups that require the specified permissions. These policies work when you are using the Amazon Cloud Map API, the Amazon SDKs, or the Amazon CLI. The following examples show permissions for several common use cases. For the policy that grants a user full access to Amazon Cloud Map, see Permissions Required to Use the Amazon Cloud Map Console.

Example 1: Allow Read Access to All Amazon Cloud Map Resources

The following permissions policy grants the user read-only access to all Amazon Cloud Map resources:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicediscovery:Get*",
                "servicediscovery:List*",
                "servicediscovery:DiscoverInstances"
            ],
            "Resource": "*"
        }
    ]
}

Example 2: Allow Creation of All Types of Namespaces

The following permissions policy allows users to create all types of namespaces:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicediscovery:CreateHttpNamespace",
                "servicediscovery:CreatePrivateDnsNamespace",
                "servicediscovery:CreatePublicDnsNamespace",
                "route53:CreateHostedZone",
                "route53:GetHostedZone",
                "route53:ListHostedZonesByName",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}
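The policies on this page rely on action wildcards such as servicediscovery:Get* and on Resource "*", so it is worth checking, before you attach one, which concrete actions it really grants and which of those can change state account-wide. The following is an added example, not code from the Amazon Cloud Map documentation or SDKs: a small evaluator for identity-based policies that applies the IAM rules of case-insensitive action matching with * and ? wildcards, explicit Deny overriding Allow, and implicit deny when nothing matches. The two policy dicts are copied from this page (the instance-management policy and Example 1); the same functions accept the console and namespace-creation policies unchanged. Condition keys, NotAction/NotResource, permissions boundaries, and service control policies are not modelled; for those, the IAM policy simulator (SimulatePrincipalPolicy) is authoritative.

```python
"""Evaluate which actions the Cloud Map policies on this page actually allow.

Added example; not AWS documentation or SDK code. It models the part of IAM
evaluation that matters for an identity-based policy on its own: actions are
matched case-insensitively with '*' and '?' wildcards, an explicit Deny beats
any Allow, and no matching statement is an implicit deny. Condition keys,
NotAction/NotResource, permissions boundaries and SCPs are not modelled.
"""
import fnmatch

# The instance-management policy from the top of this page, as a Python dict.
INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowInstancePermissions",
        "Effect": "Allow",
        "Action": [
            "servicediscovery:RegisterInstance", "servicediscovery:DeregisterInstance",
            "servicediscovery:DiscoverInstances", "servicediscovery:Get*",
            "servicediscovery:List*", "route53:GetHostedZone",
            "route53:ListHostedZonesByName", "route53:ChangeResourceRecordSets",
            "route53:CreateHealthCheck", "route53:GetHealthCheck",
            "route53:DeleteHealthCheck", "route53:UpdateHealthCheck",
            "ec2:DescribeInstances",
        ],
        "Resource": "*",
    }],
}

# Example 1 (read-only) from this page.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["servicediscovery:Get*", "servicediscovery:List*",
                   "servicediscovery:DiscoverInstances"],
        "Resource": "*",
    }],
}

# Action-name prefixes that only read state; anything else granted on
# Resource "*" deserves a second look before the policy is attached.
READ_ONLY_PREFIXES = ("get", "list", "describe", "discover")


def _as_list(value):
    """IAM accepts a string or a list in Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Yield statements, refusing policy features this evaluator does not model."""
    for stmt in _as_list(policy["Statement"]):
        for key in ("NotAction", "NotResource", "Condition"):
            if key in stmt:
                raise ValueError(f"{key} is not modelled by this evaluator")
        yield stmt


def is_allowed(policy, action, resource="*"):
    """True if `action` on `resource` is allowed by `policy`.

    `resource` is an ARN; the default "*" asks whether the action is allowed
    on every resource, which only a Resource "*" statement can grant.
    """
    allowed = False
    for stmt in _statements(policy):
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p)
                   for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit Deny wins regardless of statement order
        allowed = True
    return allowed


def broad_mutations(policy):
    """Allowed actions that can change state and are granted on Resource "*"."""
    found = []
    for stmt in _statements(policy):
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            name = action.split(":", 1)[-1].lower()
            if not name.startswith(READ_ONLY_PREFIXES):
                found.append(action)
    return found


if __name__ == "__main__":
    for act in ("servicediscovery:GetService", "servicediscovery:CreateService",
                "route53:ChangeResourceRecordSets"):
        print(f"{act:40} instance={is_allowed(INSTANCE_POLICY, act)} "
              f"read-only={is_allowed(READ_ONLY_POLICY, act)}")
    print("state-changing actions on Resource '*':", broad_mutations(INSTANCE_POLICY))
```

Running it shows that the instance-management policy allows every servicediscovery Get and List action (including ones added after the policy was written, since the wildcard is expanded at evaluation time) but not servicediscovery:CreateService, and that six of its actions, among them route53:ChangeResourceRecordSets and route53:DeleteHealthCheck, change state in any hosted zone or health check in the account. Example 1 reports no such actions, which is what a read-only policy should do.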

To provide access, add permissions to your users, groups, or roles: