Amazon managed policies for Amazon Elastic Beanstalk - Amazon Elastic Beanstalk
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon Elastic Beanstalk

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Elastic Beanstalk updates to Amazon managed policies

View details about updates to Amazon managed policies for Elastic Beanstalk since March 1, 2021.

To see the JSON source for a specific managed policy, see the Amazon Managed Policy Reference Guide.

Change Description Date

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to perform managed updates when Tag propagation to launch templates is enabled.

For more information, see Managed service role policies.

February 27, 2025

AdministratorAccess-AWSElasticBeanstalk –Updated existing policy

This policy was updated to replace the StringLike operator with the ArnLike operator to evaluate the ARN-type keys in the condition block iam:PolicyArn. This provides more secure enforcement.

For more information, see Managing Elastic Beanstalk user policies.

December 11, 2024

The following polices were updated:

  • AWSElasticBeanstalkInternalMaintenanceRolePolicy

  • AWSElasticBeanstalkMaintenance

  • AWSElasticBeanstalkManagedUpdatesInternalServiceRolePolicy

  • AWSElasticBeanstalkManagedUpdatesServiceRolePolicy

  • AWSElasticBeanstalkRoleCore

These policies were updated to allow Elastic Beanstalk to add or remove tags when it creates or updates an Amazon CloudFormation stack or change set.

For more information about AWSElasticBeanstalkManagedUpdatesServiceRolePolicy, see Service-linked role permissions for Elastic Beanstalk.

For more information about AWSElasticBeanstalkRoleCore, see Policies for integration with other services.

April 30, 2024

AWSElasticBeanstalkService –Updated existing policy

This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Elastic Load Balancing, Auto Scaling groups (ASG), and Amazon ECS.

Note

This policy has been previously superseded by AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy. Although this policy is no longer available for attachment to new IAM users, groups, or roles, it may still be attached to prior existing ones.

For more information, see Managed service role policies.

May 10, 2023

AWSElasticBeanstalkMulticontainerDocker –Updated existing policy

This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS.

For more information, see Managing Elastic Beanstalk instance profiles.

March 23, 2023

AWSElasticBeanstalkRoleECS –Updated existing policy

This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS.

For more information, see Policies for integration with other services.

March 23, 2023

AdministratorAccess-AWSElasticBeanstalk –Updated existing policy

This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS.

For more information, see Managing Elastic Beanstalk user policies.

March 23, 2023

AWSElasticBeanstalkManagedUpdatesServiceRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them.

For more information, see Service-linked role permissions for Elastic Beanstalk.

March 23, 2023

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them.

For more information, see Managed service role policies.

March 23, 2023

AWSElasticBeanstalkManagedUpdatesServiceRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to add tags to Auto Scaling groups when it creates them.

For more information, see The managed-updates service-linked role.

January 27, 2023

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to add tags on create of an Auto Scaling group (ASG).

For more information, see Managed service role policies.

January 23, 2023

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to add tags on create of an elastic load balancer (ELB).

For more information, see Managed service role policies.

December 21, 2022

AWSElasticBeanstalkManagedUpdatesServiceRolePolicy –Updated existing policy

Permissions were added to this policy to allow Elastic Beanstalk to do the following during managed updates:

  • Create and delete launch templates and template versions.

  • Launch Amazon EC2 instances with launch templates.

  • If an Amazon RDS is present, retrieve a list of the available DB engines and information about provisioned RDS instances.

For more information, see The managed-updates service-linked role.

August 23, 2022

AWSElasticBeanstalkReadOnlyAccess – Deprecated

GovCloud (US) Amazon Web Services Region

This policy has been replaced by AWSElasticBeanstalkReadOnly.

This policy will be phased out in the GovCloud (US) Amazon Web Services Region.

When this policy is phased out, it will no longer be available for attachment to new IAM users, groups, or roles after June 17, 2021.

For more information, see User policies.

June 17, 2021

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy –Updated existing policy

This policy was updated to allow Elastic Beanstalk to read attributes for EC2 Availability Zones. It enables Elastic Beanstalk to provide more effective validation of your instance type selection across Availability Zones.

For more information, see Managed service role policies.

June 16, 2021

AWSElasticBeanstalkFullAccess – Deprecated

GovCloud (US) Amazon Web Services Region

This policy has been replaced by AdministratorAccess-AWSElasticBeanstalk.

This policy will be phased out in the GovCloud (US) Amazon Web Services Region.

When this policy is phased out, it will no longer be available for attachment to new IAM users, groups, or roles after June 10, 2021.

For more information, see User policies.

June 10, 2021

The following managed policies were deprecated in all of the China Amazon Web Services Regions:

  • AWSElasticBeanstalkFullAccess

  • AWSElasticBeanstalkReadOnlyAccess

The AWSElasticBeanstalkFullAccess policy has been replaced by AdministratorAccess-AWSElasticBeanstalk.

The AWSElasticBeanstalkReadOnlyAccess policy has been replaced by AWSElasticBeanstalkReadOnly.

These policies were phased out in all of the China Amazon Web Services Regions.

These policies will no longer be available for attachment to new IAM users, groups, or roles after June 3, 2021.

For more information, see User policies.

June 3, 2021

AWSElasticBeanstalkService – Deprecated

This policy has been superseded by AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy.

This policy is phased out and is no longer available for attachment to new IAM users, groups, or roles.

For more information, see Managed service role policies.

June 2021 - January 2022

The following managed policies were deprecated in all Amazon Web Services Regions, except for China and GovCloud (US):

  • AWSElasticBeanstalkFullAccess

  • AWSElasticBeanstalkReadOnlyAccess

The AWSElasticBeanstalkFullAccess policy has been replaced by AdministratorAccess-AWSElasticBeanstalk.

The AWSElasticBeanstalkReadOnlyAccess policy has been replaced by AWSElasticBeanstalkReadOnly.

These policies were phased out in all the Amazon Web Services Regions, except for China and GovCloud (US).

These policies will no longer be available for attachment to new IAM users, groups, or roles after April 16, 2021.

For more information, see User policies.

April 16, 2021

The following managed policies were updated:

  • AdministratorAccess-AWSElasticBeanstalk

  • AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy

Both of these policies now support PassRole permissions in China Amazon Web Services Regions.

For more information about AdministratorAccess-AWSElasticBeanstalk, see User policies.

For more information about AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy, see Managed service role policies.

March 9, 2021

AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy – New policy

Elastic Beanstalk added a new policy to replace the AWSElasticBeanstalkService managed policy.

This new managed policy improves security for your resources by applying a more restrictive set of permissions.

For more information, see Managed service role policies.

March 3, 2021

Elastic Beanstalk started tracking changes

Elastic Beanstalk started tracking changes for Amazon managed policies.

March 1, 2021