Example policies based on managed policies - Amazon Elastic Beanstalk
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Example policies based on managed policies

This section demonstrates how to control user access to Amazon Elastic Beanstalk and includes example policies that provide the required access for common scenarios. These policies are derived from the Elastic Beanstalk managed policies. For information about attaching managed policies to users and groups, see Managing Elastic Beanstalk user policies.

In this scenario, Example Corp. is a software company with three teams responsible for the company website: administrators who manage the infrastructure, developers who build the software for the website, and a QA team that tests the website. To help manage permissions to their Elastic Beanstalk resources, Example Corp. creates three groups to which members of each respective team belong: Admins, Developers, and Testers. Example Corp. wants the Admins group to have full access to all applications, environments, and their underlying resources so that they can create, troubleshoot, and delete all Elastic Beanstalk assets. Developers require permissions to view all Elastic Beanstalk assets and to create and deploy application versions. Developers should not be able to create new applications or environments or terminate running environments. Testers need to view all Elastic Beanstalk resources to monitor and test applications. The Testers should not be able to make changes to any Elastic Beanstalk resources.

The following example policies provide the required permissions for each group.

Example 1: Admins group – All Elastic Beanstalk and related service APIs

The following policy gives users permissions for all actions required to use Elastic Beanstalk. This policy also allows Elastic Beanstalk to provision and manage resources on your behalf in the following services. Elastic Beanstalk relies on these additional services to provision underlying resources when creating an environment.

  • Amazon Elastic Compute Cloud

  • Elastic Load Balancing

  • Auto Scaling

  • Amazon CloudWatch

  • Amazon Simple Storage Service

  • Amazon Simple Notification Service

  • Amazon Relational Database Service

  • Amazon CloudFormation

Note that this policy is an example. It gives a broad set of permissions to the Amazon services that Elastic Beanstalk uses to manage applications and environments. For example, ec2:* allows an Amazon Identity and Access Management (IAM) user to perform any action on any Amazon EC2 resource in the Amazon account. These permissions are not limited to the resources that you use with Elastic Beanstalk. As a best practice, you should grant individuals only the permissions they need to perform their duties.

{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*", "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*", "rds:*", "cloudformation:*" ], "Resource" : "*" } ] }

Example 2: Developers group – All but highly privileged operations

The following policy denies permission to create applications and environments, and allows all other Elastic Beanstalk actions.

Note that this policy is an example. It gives a broad set of permissions to the Amazon products that Elastic Beanstalk uses to manage applications and environments. For example, ec2:* allows an IAM user to perform any action on any Amazon EC2 resource in the Amazon account. These permissions are not limited to the resources that you use with Elastic Beanstalk. As a best practice, you should grant individuals only the permissions they need to perform their duties.

{ "Version" : "2012-10-17", "Statement" : [ { "Action" : [ "elasticbeanstalk:CreateApplication", "elasticbeanstalk:CreateEnvironment", "elasticbeanstalk:DeleteApplication", "elasticbeanstalk:RebuildEnvironment", "elasticbeanstalk:SwapEnvironmentCNAMEs", "elasticbeanstalk:TerminateEnvironment"], "Effect" : "Deny", "Resource" : "*" }, { "Action" : [ "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*", "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*", "rds:*", "cloudformation:*"], "Effect" : "Allow", "Resource" : "*" } ] }

Example 3: Testers – View only

The following policy allows read-only access to all applications, application versions, events, and environments. It doesn't allow performing any actions.

{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "elasticbeanstalk:Check*", "elasticbeanstalk:Describe*", "elasticbeanstalk:List*", "elasticbeanstalk:RequestEnvironmentInfo", "elasticbeanstalk:RetrieveEnvironmentInfo", "ec2:Describe*", "elasticloadbalancing:Describe*", "autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:List*", "cloudwatch:Get*", "s3:Get*", "s3:List*", "sns:Get*", "sns:List*", "rds:Describe*", "cloudformation:Describe*", "cloudformation:Get*", "cloudformation:List*", "cloudformation:Validate*", "cloudformation:Estimate*" ], "Resource" : "*" } ] }