Service roles, instance profiles, and user policies - Amazon Elastic Beanstalk
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Service roles, instance profiles, and user policies

When you create an environment, Amazon Elastic Beanstalk prompts you to provide the following Amazon Identity and Access Management (IAM) roles:

  • Service role: Elastic Beanstalk assumes a service role to use other Amazon Web Services on your behalf.

  • Instance profile Elastic Beanstalk applies instances profile to the instances in your environment. It allows them to do the following:

    • Retrieve application versions from Amazon Simple Storage Service (Amazon S3).

    • Upload logs to Amazon S3.

    • Perform other tasks that vary depending on the environment type and platform.

Service role

When you create an environment in the Elastic Beanstalk console or using Elastic Beanstalk EB CLI, the required service roles are created and assigned managed policies. These policies include all of the necessary permissions. Now, suppose that the service role already exists in your account and you then create a new environment in Elastic Beanstalk console or using Elastic Beanstalk CLI. If this happens, the existing service role automatically gets assigned to the new environment.

Instance profile

If your Amazon account doesn’t have an EC2 instance profile, you must create one using the IAM service. You can then assign the EC2 instance profile to new environments that you create. The Create environment wizard provides information to guide you through the IAM service, so that you can create an EC2 instance profile with the required permissions. After creating the instance profile, you can return to the console to select it as the EC2 instance profile and continue the steps to create your environment.


Previously Elastic Beanstalk created a default EC2 instance profile named aws-elasticbeanstalk-ec2-role the first time an Amazon account created an environment. This instance profile included default managed policies. If your account already has this instance profile, it will remain available for you to assign to your environments.

However, recent Amazon security guidelines don’t allow an Amazon service to automatically create roles with trust policies to other Amazon services, EC2 in this case. Because of these security guidelines, Elastic Beanstalk no longer creates a default aws-elasticbeanstalk-ec2-role instance profile.

User policies

In addition to the roles that you assign to your environment, you can also create user policies and apply them to IAM users and groups in your account. Applying user policies allows the users to create and manage Elastic Beanstalk applications and environments. Elastic Beanstalk also provides managed policies for full access and read-only access. For more information about these policies, see Managing Elastic Beanstalk user policies.

Additional instance profiles and user policies

You can create your own instance profiles and user policies for advanced scenarios. If your instances need to access services that aren't included in the default policies, you can create a new policy or add additional policies to the default one. If the managed policy is too permissive for your needs, you can also create more restrictive user policies. For more information about Amazon permissions, see the IAM User Guide.