

# Elastic Beanstalk Service roles, instance profiles, and user policies

Roles are entities that you create with Amazon Identity and Access Management (IAM) to grant permissions. Your Elastic Beanstalk environment requires certain roles to function properly. You can also create your own custom policies and roles and assign them to users or groups.

## Required roles for your Elastic Beanstalk environment

When you create an environment, Amazon Elastic Beanstalk prompts you to provide the following Amazon Identity and Access Management (IAM) roles:
+  [Service role](concepts-roles-service.md): Elastic Beanstalk assumes a service role to use other Amazon Web Services services on your behalf.
+  [Instance profile](concepts-roles-instance.md): Elastic Beanstalk applies an instance profile to the Amazon EC2 instances in your environment. This allows them to perform required tasks, such as retrieving information from Amazon Simple Storage Service (Amazon S3) and uploading logs to S3.

**Create the service role and EC2 instance profile role**  
If your Amazon account doesn’t have an EC2 instance profile or a service role, you must create one of each using the IAM service. You can then assign the EC2 instance profile and service role to new environments that you create. The **Create environment** wizard guides you to the IAM service, so that you can create these roles with the required permissions.

## Optional policies and roles to manage your Elastic Beanstalk environment

You can optionally create [user policies](concepts-roles-user.md) and apply them to IAM users and groups in your account. Doing so allows the users to create and manage Elastic Beanstalk applications and environments. You can also assign Elastic Beanstalk [managed policies](AWSHowTo.iam.managed-policies.md) for full access and read-only access to users or groups. For more information about these policies, see [Managing Elastic Beanstalk user policies](AWSHowTo.iam.managed-policies.md).

You can create your own instance profiles and user policies for advanced scenarios. If your instances need to access services that aren't included in the default policies, you can create a new policy or add additional policies to the default one. If the managed policy is too permissive for your needs, you can also create more restrictive user policies. For more information about Amazon permissions, see the []().

# Elastic Beanstalk service role

A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. For example, Elastic Beanstalk uses a service role when it calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Amazon EC2 Auto Scaling APIs to gather information. The service role that Elastic Beanstalk uses is the one that you specified when you created the Elastic Beanstalk environment.

There are two managed policies that are attached to the service role. These policies provide the permissions that allow Elastic Beanstalk to access the required Amazon resources to create and manage your environments. One managed policy provides permissions for [enhanced health monitoring](health-enhanced.md) and worker tier Amazon SQS support, and another one provides additional permissions required for [managed platform updates](environment-platform-update-managed.md). 



## `AWSElasticBeanstalkEnhancedHealth`


This policy grants permissions for Elastic Beanstalk to monitor instance and environment health. It also includes Amazon SQS actions to allow Elastic Beanstalk to monitor queue activity for worker environments. To view the content of this managed policy, see the [ AWSElasticBeanstalkEnhancedHealth](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSElasticBeanstalkEnhancedHealth.html) page in the *Amazon Managed Policy Reference Guide*.

## `AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy`


This policy grants permissions for Elastic Beanstalk to update environments on your behalf to perform managed platform updates. To view the content of this managed policy, see the [AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy.html) page in the *Amazon Managed Policy Reference Guide*. 

**Service-level permission groupings**

This policy is grouped into statements based on the set of permissions provided.
+ *`ElasticBeanstalkPermissions`* – This group of permissions is for calling the Elastic Beanstalk service actions (Elastic Beanstalk APIs).
+ *`AllowPassRoleToElasticBeanstalkAndDownstreamServices`* – This group of permissions allows any role to be passed to Elastic Beanstalk and to other downstream services like Amazon CloudFormation. It restricts the services a role may be passed to, not which role is passed; limiting the roles a particular user may pass is the job of that user's own policy.
+ *`ReadOnlyPermissions`* – This group of permissions is for collecting information about the running environment.
+ *`*OperationPermissions`* – Groups with this naming pattern are for calling the necessary operations to perform platform updates.
+ *`*BroadOperationPermissions`* – Groups with this naming pattern are for calling the necessary operations to perform platform updates. They also include broad permissions for supporting legacy environments.
+ *`*TagResource`* – Groups with this naming pattern are for calls that use the tag-on-create APIs to attach tags on resources that are being created in an Elastic Beanstalk environment.

You may create an Elastic Beanstalk environment with any of the following approaches. Each section describes how the approach handles the service role.

**Elastic Beanstalk console**  
If you create an environment using the Elastic Beanstalk console, Elastic Beanstalk prompts you to create a service role that's named `aws-elasticbeanstalk-service-role`. When created via Elastic Beanstalk, this role includes a trust policy that allows Elastic Beanstalk to assume the service role. The two managed policies described earlier in this topic are also attached to the role.

**Elastic Beanstalk Command Line Interface (EB CLI)**  
You may create an environment using the [**eb create**](eb3-create.md) command of the Elastic Beanstalk Command Line Interface (EB CLI). If you don't specify a service role through the `--service-role` option, Elastic Beanstalk creates the same default service role, `aws-elasticbeanstalk-service-role`. If the default service role already exists, Elastic Beanstalk uses it for the new environment. When created via Elastic Beanstalk, this role includes a trust policy that allows Elastic Beanstalk to assume the service role. The two managed policies described earlier in this topic are also attached to the role.

**Elastic Beanstalk API**  
You may create an environment using the `CreateEnvironment` action of the Elastic Beanstalk API. If you don't specify a service role, Elastic Beanstalk creates a monitoring service-linked role. This is a unique type of service role that is predefined by Elastic Beanstalk to include all the permissions that the service requires to call other Amazon Web Services services on your behalf. The service-linked role is associated with your account. Elastic Beanstalk creates it once, and then reuses it when creating additional environments. You can also use IAM to create the monitoring service-linked role for your account in advance. When your account has a monitoring service-linked role, you can use it to create an environment using either the Elastic Beanstalk console, the Elastic Beanstalk API, or the EB CLI. For instructions on how to use service-linked roles with Elastic Beanstalk environments, see [Using service-linked roles for Elastic Beanstalk](using-service-linked-roles.md).

For more information about service roles, see [Managing Elastic Beanstalk service roles](iam-servicerole.md).

# Elastic Beanstalk instance profile

An instance profile is a container for an IAM role that's applied to the Amazon EC2 instances launched in your Elastic Beanstalk environment. When creating an Elastic Beanstalk environment, you specify the instance profile that's used when your EC2 instances take the following actions:
+ Retrieve [application versions](concepts.md#concepts-version) from Amazon Simple Storage Service (Amazon S3)
+ Write logs to Amazon S3
+ In [Amazon X-Ray integrated environments](environment-configuration-debugging.md), upload debugging data to X-Ray
+ In Amazon ECS managed Docker environments, coordinate container deployments with Amazon Elastic Container Service (Amazon ECS)
+ In worker environments, read from an Amazon Simple Queue Service (Amazon SQS) queue
+ In worker environments, perform leader election with Amazon DynamoDB
+ In worker environments, publish instance health metrics to Amazon CloudWatch

## Managed policies

Elastic Beanstalk provides a set of managed policies that allow the EC2 instances in your environment to perform required operations. The managed policies required for basic use cases are the following.
+ `AWSElasticBeanstalkWebTier`
+ `AWSElasticBeanstalkWorkerTier`
+ `AWSElasticBeanstalkMulticontainerDocker`

If your web application requires access to other Amazon Web Services services, add statements or managed policies to the instance profile that allow access to those services. Because the instance profile's credentials are delivered to the instance itself, any process running on it, including a compromised application, can use them; grant only the actions and resources the application needs. For more information, see [Adding permissions to the default instance profile](iam-instanceprofile.md#iam-instanceprofile-addperms).

## Creating an EC2 instance profile

If your Amazon account doesn’t have an EC2 instance profile, you must create one using the IAM service. You can then assign the EC2 instance profile to new environments that you create. The **Create environment** steps in the Elastic Beanstalk console provide access to the IAM console, so that you can create an EC2 instance profile with the required permissions.

You can also create an EC2 instance profile by directly accessing the IAM console, without going through the Elastic Beanstalk console. For detailed steps to create an Elastic Beanstalk EC2 instance profile in the IAM console, see [Creating an instance profile](iam-instanceprofile.md#iam-instanceprofile-create). 

# Elastic Beanstalk user policy

Create IAM users for each user who uses Elastic Beanstalk to avoid using your root account or sharing credentials. As a security best practice, only grant these users permissions to access services and features that they need.

Elastic Beanstalk requires permissions not only for its own API actions, but also for several other Amazon services. Elastic Beanstalk uses user permissions to launch resources in an environment. These resources include EC2 instances, an Elastic Load Balancing load balancer, and an Auto Scaling group. Elastic Beanstalk also uses user permissions to save logs and templates to Amazon Simple Storage Service (Amazon S3), send notifications to Amazon SNS, assign instance profiles, and publish metrics to CloudWatch. Elastic Beanstalk requires Amazon CloudFormation permissions to orchestrate resource deployments and updates. It also requires Amazon RDS permissions to create databases when needed, and Amazon SQS permissions to create queues for worker environments.
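Two places where the permissions above are easy to over-grant are the extra statements added to an instance profile and the `iam:PassRole` grant in a user policy: PassRole on every role lets a user launch instances under any role in the account. The following is an added example, not code from the Elastic Beanstalk documentation. It produces a read-only, single-bucket addition for an instance profile, the Elastic Beanstalk and PassRole statements of a user policy confined to one application, and an audit that flags unscoped PassRole and whole-service wildcards. Assumed values: the `aws-cn` partition, a placeholder account and region, an instance profile role named `aws-elasticbeanstalk-ec2-role`, the application name `my-app`, the bucket `my-app-config`, and the Elastic Beanstalk ARN layout. The user policy deliberately omits the EC2, Elastic Load Balancing, Auto Scaling, CloudFormation and S3 grants the paragraph above says are also needed; those still have to come from elsewhere, such as the managed policies. The overly broad policy at the bottom is constructed for the audit to find.

```python
"""Scope what Elastic Beanstalk users and instances are allowed to do.

Added example; this is not code from the Elastic Beanstalk documentation.
Assumed values (not stated on this page): the aws-cn partition, placeholder
account and region, an instance profile role named
aws-elasticbeanstalk-ec2-role, and the Elastic Beanstalk ARN layout.
"""

PARTITION = "aws-cn"       # assumed
ACCOUNT = "123456789012"   # placeholder
REGION = "cn-north-1"      # placeholder
SERVICE_ROLE_ARN = f"arn:{PARTITION}:iam::{ACCOUNT}:role/aws-elasticbeanstalk-service-role"
INSTANCE_ROLE_ARN = f"arn:{PARTITION}:iam::{ACCOUNT}:role/aws-elasticbeanstalk-ec2-role"  # assumed name


def instance_profile_addition(bucket: str) -> dict:
    """Statements to add to the instance profile so the application can read
    one bucket. Read-only actions on one named bucket: every process on the
    instance gets these credentials, so nothing broader is granted."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadAppConfig", "Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:{PARTITION}:s3:::{bucket}/*"},
            {"Sid": "ListAppConfigBucket", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:{PARTITION}:s3:::{bucket}"},
        ],
    }


def user_policy_for_application(app: str) -> dict:
    """Elastic Beanstalk part of a user policy confined to one application.
    iam:PassRole is limited to the two roles the environments are meant to
    use; an unscoped PassRole would let the user run instances under any
    role in the account, including an administrative one."""
    eb_arn = f"arn:{PARTITION}:elasticbeanstalk:{REGION}:{ACCOUNT}"  # assumed layout
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadEverything", "Effect": "Allow",
             "Action": ["elasticbeanstalk:Describe*", "elasticbeanstalk:List*",
                        "elasticbeanstalk:RequestEnvironmentInfo",
                        "elasticbeanstalk:RetrieveEnvironmentInfo"],
             "Resource": "*"},
            {"Sid": "ManageOneApplication", "Effect": "Allow",
             "Action": ["elasticbeanstalk:CreateApplicationVersion",
                        "elasticbeanstalk:CreateEnvironment",
                        "elasticbeanstalk:UpdateEnvironment",
                        "elasticbeanstalk:TerminateEnvironment"],
             "Resource": [f"{eb_arn}:application/{app}",
                          f"{eb_arn}:applicationversion/{app}/*",
                          f"{eb_arn}:environment/{app}/*"]},
            {"Sid": "PassOnlyKnownRoles", "Effect": "Allow",
             "Action": "iam:PassRole",
             "Resource": [SERVICE_ROLE_ARN, INSTANCE_ROLE_ARN]},
        ],
    }


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(doc: dict) -> list:
    """Flag the two grants worth a second look before attaching a policy to an
    Elastic Beanstalk user or instance profile: iam:PassRole on every role, and
    a whole-service wildcard action on every resource."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action"))
        if "*" not in _as_list(st.get("Resource")):
            continue  # resource-scoped statements are what we want to see
        if any(a in ("iam:PassRole", "iam:*", "*") for a in actions):
            findings.append(f"{sid}: iam:PassRole on any role")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: service-wide wildcard action on all resources")
    return findings


# Constructed example of the "just make it work" policy: every Elastic
# Beanstalk and S3 action, plus PassRole on every role in the account.
OVERLY_BROAD_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EverythingEB", "Effect": "Allow", "Action": "elasticbeanstalk:*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "S3All", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(OVERLY_BROAD_USER_POLICY):
        print("finding:", finding)
    print("scoped user policy findings:", audit_policy(user_policy_for_application("my-app")))
```

The `Resource` list on `PassOnlyKnownRoles` is the control that matters: it names the roles that may be passed, so a user who can create environments cannot attach a more privileged role to the instances. The `iam:PassedToService` condition key can narrow this further to the services the role is handed to.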

For more information about user policies, see [Managing Elastic Beanstalk user policies](AWSHowTo.iam.managed-policies.md).