Using Identity-Based Policies (IAM Policies) for Amazon Cloud Map - Amazon Cloud Map
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using Identity-Based Policies (IAM Policies) for Amazon Cloud Map

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform actions on Amazon Cloud Map resources.


We recommend that you first review the introductory topics that explain the basic concepts and options to manage access to your Amazon Cloud Map resources. For more information, see Overview of Managing Access Permissions to Your Amazon Cloud Map Resources.

The following example shows a permissions policy that grants a user permission to register, deregister, and register service instances. The Sid, or statement ID, is optional:

{ "Version": "2012-10-17", "Statement": [ { "Sid" : "AllowInstancePermissions", "Effect": "Allow", "Action": [ "servicediscovery:RegisterInstance", "servicediscovery:DeregisterInstance", "servicediscovery:DiscoverInstances", "servicediscovery:Get*", "servicediscovery:List*", "route53:GetHostedZone", "route53:ListHostedZonesByName", "route53:ChangeResourceRecordSets", "route53:CreateHealthCheck", "route53:GetHealthCheck", "route53:DeleteHealthCheck", "route53:UpdateHealthCheck", "ec2:DescribeInstances" ], "Resource": "*" } ] }

The policy grants permissions to the actions that are required to register and manage service instances. The Route 53 permission is required if you're using public or private DNS namespaces because Amazon Cloud Map creates, updates, and deletes Route 53 records and health checks when you register and deregister instances. The wildcard character (*) in Resource grants access to all Amazon Cloud Map instances, and Route 53 records and health checks that are owned by the current Amazon account.

For a list of actions and the ARN that you specify to grant or deny permission to use each action, see Amazon Cloud Map API Permissions: Actions, Resources, and Conditions Reference.

Permissions Required to Use the Amazon Cloud Map Console

To grant full access to the Amazon Cloud Map console, you grant the permissions in the following permissions policy:

{ "Version": "2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "servicediscovery:*", "route53:GetHostedZone", "route53:ListHostedZonesByName", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:ChangeResourceRecordSets", "route53:CreateHealthCheck", "route53:GetHealthCheck", "route53:DeleteHealthCheck", "route53:UpdateHealthCheck", "ec2:DescribeInstances", "ec2:DescribeVpcs", "ec2:DescribeRegions" ], "Resource":"*" } ] }

Here's why the permissions are required:


Lets you perform all Amazon Cloud Map actions.

route53:CreateHostedZone, route53:GetHostedZone, route53:ListHostedZonesByName, route53:DeleteHostedZone

Lets Amazon Cloud Map manage hosted zones when you create and delete public and private DNS namespaces.

route53:CreateHealthCheck, route53:GetHealthCheck, route53:DeleteHealthCheck, route53:UpdateHealthCheck

Lets Amazon Cloud Map manage health checks when you include Amazon Route 53 health checks when you create a service.

ec2:DescribeVpcs and ec2:DescribeRegions

Let Amazon Cloud Map manage private hosted zones.