Actions, resources, and condition keys for Amazon EC2 Auto Scaling - Service Authorization Reference

Actions, resources, and condition keys for Amazon EC2 Auto Scaling

Amazon EC2 Auto Scaling (service prefix: autoscaling) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon EC2 Auto Scaling

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AttachInstances Grants permission to attach one or more EC2 instances to the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

AttachLoadBalancerTargetGroups Grants permission to attach one or more target groups to the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

autoscaling:TargetGroupARNs

AttachLoadBalancers Grants permission to attach one or more load balancers to the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

autoscaling:LoadBalancerNames

AttachTrafficSources Grants permission to attach one or more traffic sources to an Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

autoscaling:TrafficSourceIdentifiers

BatchDeleteScheduledAction Grants permission to delete the specified scheduled actions Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

BatchPutScheduledUpdateGroupAction Grants permission to create or update multiple scheduled scaling actions for an Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

CancelInstanceRefresh Grants permission to cancel an instance refresh operation in progress Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

CompleteLifecycleAction Grants permission to complete the lifecycle action for the specified token or instance with the specified result Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

CreateAutoScalingGroup Grants permission to create an Auto Scaling group with the specified name and attributes Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

iam:CreateServiceLinkedRole

iam:PassRole

autoscaling:CapacityReservationIds

autoscaling:CapacityReservationResourceGroupArns

autoscaling:InstanceTypes

autoscaling:LaunchConfigurationName

autoscaling:LaunchTemplateVersionSpecified

autoscaling:LoadBalancerNames

autoscaling:MaxSize

autoscaling:MinSize

autoscaling:TargetGroupARNs

autoscaling:TrafficSourceIdentifiers

autoscaling:VPCZoneIdentifiers

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLaunchConfiguration Grants permission to create a launch configuration Write

launchConfiguration*

autoscaling:ImageId

autoscaling:InstanceType

autoscaling:SpotPrice

autoscaling:MetadataHttpTokens

autoscaling:MetadataHttpPutResponseHopLimit

autoscaling:MetadataHttpEndpoint

CreateOrUpdateTags Grants permission to create or update tags for the specified Auto Scaling group Tagging

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAutoScalingGroup Grants permission to delete the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

DeleteLaunchConfiguration Grants permission to delete the specified launch configuration Write

launchConfiguration*

DeleteLifecycleHook Grants permission to deletes the specified lifecycle hook Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

DeleteNotificationConfiguration Grants permission to delete the specified notification Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

DeletePolicy Grants permission to delete the specified Auto Scaling policy Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

DeleteScheduledAction Grants permission to delete the specified scheduled action Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

DeleteTags Grants permission to delete the specified tags Tagging

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteWarmPool Grants permission to delete the warm pool associated with the Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

DescribeAccountLimits Grants permission to describe the current Auto Scaling resource limits for your AWS account List
DescribeAdjustmentTypes Grants permission to describe the policy adjustment types for use with PutScalingPolicy List
DescribeAutoScalingGroups Grants permission to describe one or more Auto Scaling groups. If a list of names is not provided, the call describes all Auto Scaling groups List
DescribeAutoScalingInstances Grants permission to describe one or more Auto Scaling instances. If a list is not provided, the call describes all instances List
DescribeAutoScalingNotificationTypes Grants permission to describe the notification types that are supported by Auto Scaling List
DescribeInstanceRefreshes Grants permission to describe one or more instance refreshes for an Auto Scaling group List
DescribeLaunchConfigurations Grants permission to describe one or more launch configurations. If you omit the list of names, then the call describes all launch configurations List
DescribeLifecycleHookTypes Grants permission to describe the available types of lifecycle hooks List
DescribeLifecycleHooks Grants permission to describe the lifecycle hooks for the specified Auto Scaling group List
DescribeLoadBalancerTargetGroups Grants permission to describe the target groups for the specified Auto Scaling group List
DescribeLoadBalancers Grants permission to describe the load balancers for the specified Auto Scaling group List
DescribeMetricCollectionTypes Grants permission to describe the available CloudWatch metrics for Auto Scaling List
DescribeNotificationConfigurations Grants permission to describe the notification actions associated with the specified Auto Scaling group List
DescribePolicies Grants permission to describe the policies for the specified Auto Scaling group List
DescribeScalingActivities Grants permission to describe one or more scaling activities for the specified Auto Scaling group List
DescribeScalingProcessTypes Grants permission to describe the scaling process types for use with ResumeProcesses and SuspendProcesses List
DescribeScheduledActions Grants permission to describe the actions scheduled for your Auto Scaling group that haven't run List
DescribeTags Grants permission to describe the specified tags Read
DescribeTerminationPolicyTypes Grants permission to describe the termination policies supported by Auto Scaling List
DescribeTrafficSources Grants permission to describe the target groups for the specified Auto Scaling group List
DescribeWarmPool Grants permission to describe the warm pool associated with the Auto Scaling group List
DetachInstances Grants permission to remove one or more instances from the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

DetachLoadBalancerTargetGroups Grants permission to detach one or more target groups from the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

autoscaling:TargetGroupARNs

DetachLoadBalancers Grants permission to remove one or more load balancers from the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

autoscaling:LoadBalancerNames

DetachTrafficSources Grants permission to detach one or more traffic sources from an Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

autoscaling:TrafficSourceIdentifiers

DisableMetricsCollection Grants permission to disable monitoring of the specified metrics for the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

EnableMetricsCollection Grants permission to enable monitoring of the specified metrics for the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

EnterStandby Grants permission to move the specified instances into Standby mode Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

ExecutePolicy Grants permission to execute the specified policy Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

ExitStandby Grants permission to move the specified instances out of Standby mode Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

GetPredictiveScalingForecast Grants permission to retrieve the forecast data for a predictive scaling policy List
PutLifecycleHook Grants permission to create or update a lifecycle hook for the specified Auto Scaling Group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

PutNotificationConfiguration Grants permission to configure an Auto Scaling group to send notifications when specified events take place Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

PutScalingPolicy Grants permission to create or update a policy for an Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

PutScheduledUpdateGroupAction Grants permission to create or update a scheduled scaling action for an Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

autoscaling:MaxSize

autoscaling:MinSize

PutWarmPool Grants permission to create or update the warm pool associated with the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

RecordLifecycleActionHeartbeat Grants permission to record a heartbeat for the lifecycle action associated with the specified token or instance Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

ResumeProcesses Grants permission to resume the specified suspended Auto Scaling processes, or all suspended process, for the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

RollbackInstanceRefresh Grants permission to rollback an instance refresh operation in progress Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

SetDesiredCapacity Grants permission to set the size of the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

SetInstanceHealth Grants permission to set the health status of the specified instance Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

SetInstanceProtection Grants permission to update the instance protection settings of the specified instances Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

StartInstanceRefresh Grants permission to start a new instance refresh operation Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

SuspendProcesses Grants permission to suspend the specified Auto Scaling processes, or all processes, for the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

TerminateInstanceInAutoScalingGroup Grants permission to terminate the specified instance and optionally adjust the desired group size Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

UpdateAutoScalingGroup Grants permission to update the configuration for the specified Auto Scaling group Write

autoScalingGroup*

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

iam:PassRole

autoscaling:CapacityReservationIds

autoscaling:CapacityReservationResourceGroupArns

autoscaling:InstanceTypes

autoscaling:LaunchConfigurationName

autoscaling:LaunchTemplateVersionSpecified

autoscaling:MaxSize

autoscaling:MinSize

autoscaling:VPCZoneIdentifiers

Resource types defined by Amazon EC2 Auto Scaling

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
autoScalingGroup arn:${Partition}:autoscaling:${Region}:${Account}:autoScalingGroup:${GroupId}:autoScalingGroupName/${GroupFriendlyName}

autoscaling:ResourceTag/${TagKey}

aws:ResourceTag/${TagKey}

launchConfiguration arn:${Partition}:autoscaling:${Region}:${Account}:launchConfiguration:${Id}:launchConfigurationName/${LaunchConfigurationName}

Condition keys for Amazon EC2 Auto Scaling

Amazon EC2 Auto Scaling defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
autoscaling:CapacityReservationIds Filters access based on the Capacity Reservation IDs ArrayOfString
autoscaling:CapacityReservationResourceGroupArns Filters access based on the ARN of a Capacity Reservation resource group ArrayOfString
autoscaling:ImageId Filters access based on the AMI ID for the launch configuration String
autoscaling:InstanceType Filters access based on the instance type for the launch configuration String
autoscaling:InstanceTypes Filters access based on the instance types present as overrides to a launch template for a mixed instances policy. Use it to qualify which instance types can be explicitly defined in the policy String
autoscaling:LaunchConfigurationName Filters access based on the name of a launch configuration String
autoscaling:LaunchTemplateVersionSpecified Filters access based on whether users can specify any version of a launch template or only the Latest or Default version Bool
autoscaling:LoadBalancerNames Filters access based on the name of the load balancer ArrayOfString
autoscaling:MaxSize Filters access based on the maximum scaling size in the request Numeric
autoscaling:MetadataHttpEndpoint Filters access based on whether the HTTP endpoint is enabled for the instance metadata service String
autoscaling:MetadataHttpPutResponseHopLimit Filters access based on the allowed number of hops when calling the instance metadata service Numeric
autoscaling:MetadataHttpTokens Filters access based on whether tokens are required when calling the instance metadata service (optional or required) String
autoscaling:MinSize Filters access based on the minimum scaling size in the request Numeric
autoscaling:ResourceTag/${TagKey} Filters access based on the tags associated with the resource String
autoscaling:SpotPrice Filters access based on the price for Spot Instances for the launch configuration Numeric
autoscaling:TargetGroupARNs Filters access based on the ARN of a target group ArrayOfARN
autoscaling:TrafficSourceIdentifiers Filters access based on the identifiers of the traffic sources ArrayOfString
autoscaling:VPCZoneIdentifiers Filters access based on the identifier of a VPC zone ArrayOfString
aws:RequestTag/${TagKey} Filters access based on the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters access based on the tags associated with the resource String
aws:TagKeys Filters access based on the tag keys that are passed in the request ArrayOfString