
AWS managed policies for AWS Proton

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS Proton provides managed IAM policies and trust relationships that you can attach to users, groups, or roles that allow differing levels of control over resources and API operations. You can apply these policies directly, or you can use them as starting points for creating your own policies.

The following trust relationship is used for each of the AWS Proton managed policies.

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ExampleTrustRelationshipWithProtonConfusedDeputyPrevention",
    "Effect": "Allow",
    "Principal": {
      "Service": "proton.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "123456789012"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:proton:*:123456789012:environment/*"
      }
    }
  }
}

AWS managed policy: AWSProtonFullAccess

You can attach AWSProtonFullAccess to your IAM entities. AWS Proton also attaches this policy to a service role that allows AWS Proton to perform actions on your behalf.

This policy grants administrative permissions that allow full access to AWS Proton actions and limited access to other AWS service actions that AWS Proton depends on.

The policy includes the following key action namespaces:

  • proton – Allows administrators full access to AWS Proton APIs.

  • iam – Allows administrators to pass roles to AWS Proton. This is required so that AWS Proton can make API calls to other services on the administrator's behalf.

  • kms – Allows administrators to add a grant to a customer managed key.

  • codeconnections – Allows administrators to list and pass codeconnections so they can be used by AWS Proton.

This policy includes the following permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtonPermissions",
      "Effect": "Allow",
      "Action": [
        "proton:*",
        "codestar-connections:ListConnections",
        "kms:ListAliases",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateGrantPermissions",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "proton.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "PassRolePermissions",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "proton.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CreateServiceLinkedRolePermissions",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sync.proton.amazonaws.com/AWSServiceRoleForProtonSync",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "sync.proton.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CodeStarConnectionsPermissions",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:PassConnection"
      ],
      "Resource": [
        "arn:aws:codestar-connections:*:*:connection/*",
        "arn:aws:codeconnections:*:*:connection/*"
      ],
      "Condition": {
        "StringEquals": {
          "codestar-connections:PassedToService": "proton.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CodeConnectionsPermissions",
      "Effect": "Allow",
      "Action": [
        "codeconnections:PassConnection"
      ],
      "Resource": [
        "arn:aws:codestar-connections:*:*:connection/*",
        "arn:aws:codeconnections:*:*:connection/*"
      ],
      "Condition": {
        "StringEquals": {
          "codeconnections:PassedToService": "proton.amazonaws.com"
        }
      }
    }
  ]
}
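The following Python is an added example, not code from the AWS documentation: a small evaluator that applies the trust relationship shown earlier and the kms:CreateGrant and iam:PassRole statements of AWSProtonFullAccess to constructed request contexts, so you can see how aws:SourceAccount and aws:SourceArn stop a confused-deputy assume-role, and how kms:ViaService and iam:PassedToService keep the wildcard-resource grants usable only through AWS Proton. It models Allow statements and only the condition operators that appear on this page (StringEquals, StringLike, ArnLike and their IfExists forms); the request contexts and the 999999999999 account are constructed.

```python
import fnmatch

# Excerpts copied from this page: the AWS Proton trust relationship and the two
# conditional statements of AWSProtonFullAccess (123456789012 is the page's placeholder).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": "proton.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"},
                  "ArnLike": {"aws:SourceArn": "arn:aws:proton:*:123456789012:environment/*"}}}}

FULL_ACCESS_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CreateGrantPermissions", "Effect": "Allow", "Action": ["kms:CreateGrant"],
     "Resource": "*", "Condition": {"StringLike": {"kms:ViaService": "proton.*.amazonaws.com"}}},
    {"Sid": "PassRolePermissions", "Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "*", "Condition": {"StringEquals": {"iam:PassedToService": "proton.amazonaws.com"}}}]}


def _listify(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_ok(operator, key, wanted, ctx):
    """Evaluate one condition entry against the request context (page operators only)."""
    if key not in ctx:
        # The ...IfExists variants pass when the key is absent; plain operators fail.
        return operator.endswith("IfExists")
    base = operator.replace("IfExists", "")
    if base == "StringEquals":
        return ctx[key] in _listify(wanted)
    if base in ("StringLike", "ArnLike"):  # IAM wildcards * and ? map onto fnmatch
        return any(fnmatch.fnmatchcase(ctx[key], w) for w in _listify(wanted))
    raise ValueError(f"unsupported condition operator: {operator}")


def allowed(policy, action, ctx, resource="*", principal=None):
    """True if some Allow statement matches the action, resource, service principal
    and every condition on the request context ctx; Deny statements are not modelled."""
    for st in _listify(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        services = _listify(st.get("Principal", {}).get("Service", []))
        if principal is not None and principal not in services:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _listify(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(st.get("Resource", "*"))):
            continue
        conds = st.get("Condition", {})
        if all(_condition_ok(op, k, v, ctx) for op, kv in conds.items() for k, v in kv.items()):
            return True
    return False


# Constructed request contexts: a Proton environment in the trusted account assumes the
# role, while the same request on behalf of another account (confused deputy) is refused.
OWN_ENV = {"aws:SourceAccount": "123456789012",
           "aws:SourceArn": "arn:aws:proton:us-east-1:123456789012:environment/dev"}
OTHER_ENV = {"aws:SourceAccount": "999999999999",
             "aws:SourceArn": "arn:aws:proton:us-east-1:999999999999:environment/dev"}
```

The IfExists branch is what makes the StringEqualsIfExists condition in AWSProtonCodeBuildProvisioningServiceRolePolicy pass when iam:PassedToService is absent from a request, whereas the StringEquals condition in AWSProtonFullAccess fails closed.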

AWS managed policy: AWSProtonDeveloperAccess

You can attach AWSProtonDeveloperAccess to your IAM entities. AWS Proton also attaches this policy to a service role that allows AWS Proton to perform actions on your behalf.

This policy grants permissions that allow limited access to AWS Proton actions and to other AWS actions that AWS Proton depends on. The scope of these permissions is designed to support the role of a developer who creates and deploys AWS Proton services.

This policy doesn't provide access to the AWS Proton APIs that create, delete, or update templates and environments. If developers need even narrower permissions than this policy provides, we recommend creating a custom policy that is scoped down to grant least privilege.

The policy includes the following key action namespaces:

  • proton – Allows contributors access to a limited set of AWS Proton APIs.

  • codeconnections – Allows contributors to list and pass codeconnections so they can be used by AWS Proton.

This policy includes the following permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtonPermissions",
      "Effect": "Allow",
      "Action": [
        "codecommit:ListRepositories",
        "codepipeline:GetPipeline",
        "codepipeline:GetPipelineExecution",
        "codepipeline:GetPipelineState",
        "codepipeline:ListPipelineExecutions",
        "codepipeline:ListPipelines",
        "codestar-connections:ListConnections",
        "codestar-connections:UseConnection",
        "proton:CancelServiceInstanceDeployment",
        "proton:CancelServicePipelineDeployment",
        "proton:CreateService",
        "proton:DeleteService",
        "proton:GetAccountRoles",
        "proton:GetAccountSettings",
        "proton:GetEnvironment",
        "proton:GetEnvironmentAccountConnection",
        "proton:GetEnvironmentTemplate",
        "proton:GetEnvironmentTemplateMajorVersion",
        "proton:GetEnvironmentTemplateMinorVersion",
        "proton:GetEnvironmentTemplateVersion",
        "proton:GetRepository",
        "proton:GetRepositorySyncStatus",
        "proton:GetResourcesSummary",
        "proton:GetService",
        "proton:GetServiceInstance",
        "proton:GetServiceTemplate",
        "proton:GetServiceTemplateMajorVersion",
        "proton:GetServiceTemplateMinorVersion",
        "proton:GetServiceTemplateVersion",
        "proton:GetTemplateSyncConfig",
        "proton:GetTemplateSyncStatus",
        "proton:ListEnvironmentAccountConnections",
        "proton:ListEnvironmentOutputs",
        "proton:ListEnvironmentProvisionedResources",
        "proton:ListEnvironments",
        "proton:ListEnvironmentTemplateMajorVersions",
        "proton:ListEnvironmentTemplateMinorVersions",
        "proton:ListEnvironmentTemplates",
        "proton:ListEnvironmentTemplateVersions",
        "proton:ListRepositories",
        "proton:ListRepositorySyncDefinitions",
        "proton:ListServiceInstanceOutputs",
        "proton:ListServiceInstanceProvisionedResources",
        "proton:ListServiceInstances",
        "proton:ListServicePipelineOutputs",
        "proton:ListServicePipelineProvisionedResources",
        "proton:ListServices",
        "proton:ListServiceTemplateMajorVersions",
        "proton:ListServiceTemplateMinorVersions",
        "proton:ListServiceTemplates",
        "proton:ListServiceTemplateVersions",
        "proton:ListTagsForResource",
        "proton:UpdateService",
        "proton:UpdateServiceInstance",
        "proton:UpdateServicePipeline",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarConnectionsPermissions",
      "Effect": "Allow",
      "Action": "codestar-connections:PassConnection",
      "Resource": [
        "arn:aws:codestar-connections:*:*:connection/*",
        "arn:aws:codeconnections:*:*:connection/*"
      ],
      "Condition": {
        "StringEquals": {
          "codestar-connections:PassedToService": "proton.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CodeConnectionsPermissions",
      "Effect": "Allow",
      "Action": "codeconnections:PassConnection",
      "Resource": [
        "arn:aws:codestar-connections:*:*:connection/*",
        "arn:aws:codeconnections:*:*:connection/*"
      ],
      "Condition": {
        "StringEquals": {
          "codeconnections:PassedToService": "proton.amazonaws.com"
        }
      }
    }
  ]
}

AWS managed policy: AWSProtonReadOnlyAccess

You can attach AWSProtonReadOnlyAccess to your IAM entities. AWS Proton also attaches this policy to a service role that allows AWS Proton to perform actions on your behalf.

This policy grants permissions that allow read-only access to AWS Proton actions and limited read-only access to other AWS service actions that AWS Proton depends on.

The policy includes the following key action namespaces:

  • proton – Allows contributors read-only access to AWS Proton APIs.

This policy includes the following permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codepipeline:ListPipelineExecutions",
        "codepipeline:ListPipelines",
        "codepipeline:GetPipeline",
        "codepipeline:GetPipelineState",
        "codepipeline:GetPipelineExecution",
        "proton:GetAccountRoles",
        "proton:GetAccountSettings",
        "proton:GetEnvironment",
        "proton:GetEnvironmentAccountConnection",
        "proton:GetEnvironmentTemplate",
        "proton:GetEnvironmentTemplateMajorVersion",
        "proton:GetEnvironmentTemplateMinorVersion",
        "proton:GetEnvironmentTemplateVersion",
        "proton:GetRepository",
        "proton:GetRepositorySyncStatus",
        "proton:GetResourcesSummary",
        "proton:GetService",
        "proton:GetServiceInstance",
        "proton:GetServiceTemplate",
        "proton:GetServiceTemplateMajorVersion",
        "proton:GetServiceTemplateMinorVersion",
        "proton:GetServiceTemplateVersion",
        "proton:GetTemplateSyncConfig",
        "proton:GetTemplateSyncStatus",
        "proton:ListEnvironmentAccountConnections",
        "proton:ListEnvironmentOutputs",
        "proton:ListEnvironmentProvisionedResources",
        "proton:ListEnvironments",
        "proton:ListEnvironmentTemplateMajorVersions",
        "proton:ListEnvironmentTemplateMinorVersions",
        "proton:ListEnvironmentTemplates",
        "proton:ListEnvironmentTemplateVersions",
        "proton:ListRepositories",
        "proton:ListRepositorySyncDefinitions",
        "proton:ListServiceInstanceOutputs",
        "proton:ListServiceInstanceProvisionedResources",
        "proton:ListServiceInstances",
        "proton:ListServicePipelineOutputs",
        "proton:ListServicePipelineProvisionedResources",
        "proton:ListServices",
        "proton:ListServiceTemplateMajorVersions",
        "proton:ListServiceTemplateMinorVersions",
        "proton:ListServiceTemplates",
        "proton:ListServiceTemplateVersions",
        "proton:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSProtonSyncServiceRolePolicy

AWS Proton attaches this policy to the AWSServiceRoleForProtonSync service-linked role that allows AWS Proton to perform template sync.

This policy grants permissions that allow limited access to AWS Proton actions and to other AWS service actions that AWS Proton depends on.

The policy includes the following key action namespaces:

  • proton – Allows AWS Proton sync limited access to AWS Proton APIs.

  • codeconnections – Allows AWS Proton sync limited access to CodeConnections APIs.

For information on the permission details for the AWSProtonSyncServiceRolePolicy, see Service-linked role permissions for AWS Proton.

AWS managed policy: AWSProtonCodeBuildProvisioningBasicAccess

This policy contains the permissions that CodeBuild needs to run a build for AWS Proton CodeBuild Provisioning. You can attach AWSProtonCodeBuildProvisioningBasicAccess to your CodeBuild provisioning role.

This policy grants the minimum permissions for AWS Proton CodeBuild Provisioning to function. It grants permissions that allow CodeBuild to generate build logs, and it grants the permission needed to make Infrastructure as Code (IaC) outputs available to AWS Proton users. It does not provide the permissions that IaC tools need to manage infrastructure.

The policy includes the following key action namespaces:

  • logs – Allows CodeBuild to generate build logs. Without this permission, CodeBuild will fail to start.

  • proton – Allows a CodeBuild Provisioning command to call aws proton notify-resource-deployment-status-change to update the IaC outputs for a given AWS Proton resource.

This policy includes the following permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/codebuild/AWSProton-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "proton:NotifyResourceDeploymentStatusChange",
      "Resource": "arn:aws:proton:*:*:*"
    }
  ]
}

AWS managed policy: AWSProtonCodeBuildProvisioningServiceRolePolicy

AWS Proton attaches this policy to the AWSServiceRoleForProtonCodeBuildProvisioning service-linked role that allows AWS Proton to perform CodeBuild-based provisioning.

This policy grants permissions that allow limited access to AWS service actions that AWS Proton depends on.

The policy includes the following key action namespaces:

  • cloudformation – Allows AWS Proton CodeBuild-based provisioning limited access to AWS CloudFormation APIs.

  • codebuild – Allows AWS Proton CodeBuild-based provisioning limited access to CodeBuild APIs.

  • iam – Allows administrators to pass roles to AWS Proton. This is required so that AWS Proton can make API calls to other services on the administrator's behalf.

  • servicequotas – Allows AWS Proton to check the CodeBuild concurrent build limit, which ensures proper build queuing.

This policy includes the following permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DeleteStack",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ListStackResources"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/AWSProton-CodeBuild-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:CreateProject",
        "codebuild:DeleteProject",
        "codebuild:UpdateProject",
        "codebuild:StartBuild",
        "codebuild:StopBuild",
        "codebuild:RetryBuild",
        "codebuild:BatchGetBuilds",
        "codebuild:BatchGetProjects"
      ],
      "Resource": "arn:aws:codebuild:*:*:project/AWSProton*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": "codebuild.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicequotas:GetServiceQuota"
      ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AwsProtonServiceGitSyncServiceRolePolicy

AWS Proton attaches this policy to the AWSServiceRoleForProtonServiceSync service-linked role that allows AWS Proton to perform service sync.

This policy grants permissions that allow limited access to AWS Proton actions and to other AWS service actions that AWS Proton depends on.

The policy includes the following key action namespaces:

  • proton – Allows AWS Proton sync limited access to AWS Proton APIs.

For information on the permission details for the AwsProtonServiceGitSyncServiceRolePolicy, see Service-linked role permissions for AWS Proton.

AWS Proton updates to AWS managed policies

View details about updates to AWS managed policies for AWS Proton since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Proton Document history page.

Change: AWSProtonFullAccess – Update to an existing policy
Description: The managed policy for the service-linked role to use Git sync with Git repositories has been updated for resources with both service prefixes. For more information, see Using service-linked roles for AWS CodeConnections and Managed policies.
Date: April 25, 2024

Change: AWSProtonDeveloperAccess – Update to an existing policy
Description: The managed policy for the service-linked role to use Git sync with Git repositories has been updated for resources with both service prefixes. For more information, see Using service-linked roles for AWS CodeConnections and Managed policies.
Date: April 25, 2024

Change: AWSProtonSyncServiceRolePolicy – Update to an existing policy
Description: The managed policy for the service-linked role to use Git sync with Git repositories has been updated for resources with both service prefixes. For more information, see Using service-linked roles for AWS CodeConnections and Managed policies.
Date: April 25, 2024

Change: AWSProtonCodeBuildProvisioningServiceRolePolicy – Update to an existing policy
Description: AWS Proton updated this policy to add permissions to ensure accounts have the necessary CodeBuild concurrent build limit in order to use CodeBuild Provisioning.
Date: May 12, 2023

Change: AwsProtonServiceGitSyncServiceRolePolicy – New policy
Description: AWS Proton added a new policy to allow AWS Proton to perform service syncing. The policy is used in the AWSServiceRoleForProtonServiceSync service-linked role.
Date: March 31, 2023

Change: AWSProtonDeveloperAccess – Update to an existing policy
Description: AWS Proton added a new GetResourcesSummary action that allows you to view a summary of your templates, deployed template resources, and out-of-date resources.
Date: November 18, 2022

Change: AWSProtonReadOnlyAccess – Update to an existing policy
Description: AWS Proton added a new GetResourcesSummary action that allows you to view a summary of your templates, deployed template resources, and out-of-date resources.
Date: November 18, 2022

Change: AWSProtonCodeBuildProvisioningBasicAccess – New policy
Description: AWS Proton added a new policy that gives CodeBuild the permissions it needs to run a build for AWS Proton CodeBuild Provisioning.
Date: November 16, 2022

Change: AWSProtonCodeBuildProvisioningServiceRolePolicy – New policy
Description: AWS Proton added a new policy to allow AWS Proton to perform operations related to CodeBuild-based provisioning. The policy is used in the AWSServiceRoleForProtonCodeBuildProvisioning service-linked role.
Date: September 02, 2022

Change: AWSProtonFullAccess – Update to an existing policy
Description: AWS Proton updated this policy to provide access to new AWS Proton API operations and to fix permission issues for some AWS Proton console operations.
Date: March 30, 2022

Change: AWSProtonDeveloperAccess – Update to an existing policy
Description: AWS Proton updated this policy to provide access to new AWS Proton API operations and to fix permission issues for some AWS Proton console operations.
Date: March 30, 2022

Change: AWSProtonReadOnlyAccess – Update to an existing policy
Description: AWS Proton updated this policy to provide access to new AWS Proton API operations and to fix permission issues for some AWS Proton console operations.
Date: March 30, 2022

Change: AWSProtonSyncServiceRolePolicy – New policy
Description: AWS Proton added a new policy to allow AWS Proton to perform operations related to template sync. The policy is used in the AWSServiceRoleForProtonSync service-linked role.
Date: November 23, 2021

Change: AWSProtonFullAccess – New policy
Description: AWS Proton added a new policy to provide administrative role access to AWS Proton API operations and to the AWS Proton console.
Date: June 09, 2021

Change: AWSProtonDeveloperAccess – New policy
Description: AWS Proton added a new policy to provide developer role access to AWS Proton API operations and to the AWS Proton console.
Date: June 09, 2021

Change: AWSProtonReadOnlyAccess – New policy
Description: AWS Proton added a new policy to provide read-only access to AWS Proton API operations and to the AWS Proton console.
Date: June 09, 2021

Change: AWS Proton started tracking changes.
Description: AWS Proton started tracking changes for its AWS managed policies.
Date: June 09, 2021