AWSServiceCatalogAppRegistryFullAccess AWSServiceCatalogAppRegistryReadOnlyAccess AWS managed policy updates

AWS managed polices

We recommend that you use AWS Service Catalog AppRegistry managed policies to add permissions to identies. For more information see IAM identities (users, user groups, and roles) in the IAM User Guide.

You could create customer managed policies. However, creating these types of polcies requires product expertise and time. Managed policies are designed to help you get started quickly because they provide permissions for common use cases. For more information, see Creating IAM policies and AWS managed policies in the IAM User Guide.

AWS services maintain and update managed policies. The permissions in these policies cannot be changed. To support new features, services periodically add permissions to managed policies. These updates effect all identities where you can find managed policies. Services typically update these policies during feature launches or when new operations become available. Services don't remove permissions from managed policies, so updates don't break existing permissions.

In addition, AWS supports managed policies for job functions that extend multiple services. For example, the ReadOnlyAccess policy provides read-only access to all services and resources. When services launch new features, AWS adds read-only permissions for new operations and resources. For a list of job functions and their descriptions, see AWS managed policies for job functions in the IAM User Guide.

AWSServiceCatalogAppRegistryFullAccess

AppRegistry provides you with AWSServiceCatalogAppRegistryFullAccess, an AWS managed policy that grants you full access to AppRegistry capabilities.

In this version of the policy, AppRegistry adds the resource group permissions resource-groups:AssociateResource and resource-groups:DisassociateResource, which allow you to call the resource groups for the AppRegistry AssociateResource and DisassociateResource APIs.

Note

You can use the AppRegistry AssociateResource and DisassociateResource APIs to add and remove resources associated with the awsApplication tag. For more information, see AssociateResource and DisassociateResource in the AWS Service Catalog AppRegistry Developer Guide.

AppRegistry also adds the permission tag:GetResources, which allows you to return all tagged resources. All tagged resources with defined tag keys and values can be included as resources for applications.

Permissions details

AWS CloudFormation – Allows AppRegistry to update a stack in AWS CloudFormation.
Resource Groups – Allows AppRegistry to create resource groups, return information about resource groups, delete resource groups, tag resource groups, return lists of tags associated with resource groups, remove tags from resource groups, retrieve resource tag information, and retrieve service configurations associated with resource groups.
IAM – Allows AppRegistry to create an IAM role that's linked to a specific AWS service.

You can link to the following JSON policy in the IAM console or include it in your documentation.


{
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Sid": "AppRegistryUpdateStackAndResourceGroupTagging",
    			"Effect": "Allow",
    			"Action": [
    				"cloudformation:UpdateStack",
    				"tag:GetResources"
    			],
    			"Resource": "*",
    			"Condition": {
    				"ForAnyValue:StringEquals": {
    					"aws:CalledVia": "servicecatalog-appregistry.amazonaws.com"
    				}
    			}
    		},
    		{
    			"Sid": "AppRegistryResourceGroupsIntegration",
    			"Effect": "Allow",
    			"Action": [
    				"resource-groups:CreateGroup",
    				"resource-groups:DeleteGroup",
    				"resource-groups:GetGroup",
    				"resource-groups:GetTags",
    				"resource-groups:Tag",
    				"resource-groups:Untag",
    				"resource-groups:GetGroupConfiguration",
    				"resource-groups:AssociateResource",
    				"resource-groups:DisassociateResource"
    			],
    			"Resource": "arn:aws:resource-groups:*:*:group/AWS_*",
    			"Condition": {
    				"ForAnyValue:StringEquals": {
    					"aws:CalledVia": "servicecatalog-appregistry.amazonaws.com"
    				}
    			}
    		},
    		{
    			"Sid": "AppRegistryServiceLinkedRole",
    			"Effect": "Allow",
    			"Action": "iam:CreateServiceLinkedRole",
    			"Resource": "arn:aws:iam::*:role/aws-service-role/servicecatalog-appregistry.amazonaws.com/AWSServiceRoleForAWSServiceCatalogAppRegistry*",
    			"Condition": {
    				"StringEquals": {
    					"iam:AWSServiceName": "servicecatalog-appregistry.amazonaws.com"
    				}
    			}
    		},
    		{
    			"Sid": "AppRegistryOperations",
    			"Effect": "Allow",
    			"Action": [
    				"cloudformation:DescribeStacks",
    				"servicecatalog:CreateApplication",
    				"servicecatalog:GetApplication",
    				"servicecatalog:UpdateApplication",
    				"servicecatalog:DeleteApplication",
    				"servicecatalog:ListApplications",
    				"servicecatalog:AssociateResource",
    				"servicecatalog:DisassociateResource",
    				"servicecatalog:GetAssociatedResource",
    				"servicecatalog:ListAssociatedResources",
    				"servicecatalog:AssociateAttributeGroup",
    				"servicecatalog:DisassociateAttributeGroup",
    				"servicecatalog:ListAssociatedAttributeGroups",
    				"servicecatalog:CreateAttributeGroup",
    				"servicecatalog:UpdateAttributeGroup",
    				"servicecatalog:DeleteAttributeGroup",
    				"servicecatalog:GetAttributeGroup",
    				"servicecatalog:ListAttributeGroups",
    				"servicecatalog:SyncResource",
    				"servicecatalog:ListAttributeGroupsForApplication",
    				"servicecatalog:GetConfiguration",
    				"servicecatalog:PutConfiguration"
    			],
    			"Resource": "*"
    		},
    		{
    			"Sid": "AppRegistryResourceTagging",
    			"Effect": "Allow",
    			"Action": [
    				"servicecatalog:ListTagsForResource",
    				"servicecatalog:UntagResource",
    				"servicecatalog:TagResource"
    			],
    			"Resource": "arn:aws:servicecatalog:*:*:*"
    		}
    	]
}

AWSServiceCatalogAppRegistryReadOnlyAccess

AWSServiceCatalogAppRegistryReadOnlyAccess is an AWS managed policy that provides read-only access to AppRegistry capabilites. You can use this policy to associate tag keys and values with applications.

Note

All tagged resouces with defined tag keys and values can be included as resources for applications.

You can link to this JSON policy in the IAM console or include it in your documentation.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"servicecatalog:GetApplication",
				"servicecatalog:ListApplications",
				"servicecatalog:GetAssociatedResource",
				"servicecatalog:ListAssociatedResources",
				"servicecatalog:ListAssociatedAttributeGroups",
				"servicecatalog:GetAttributeGroup",
				"servicecatalog:ListAttributeGroups",
				"servicecatalog:ListTagsForResource",
				"servicecatalog:ListAttributeGroupsForApplication",
				"servicecatalog:GetConfiguration"
			],
			"Resource": "*"
		}
	]
}

AWS managed policy updates

The following table includes information about the updates to the AWSServiceCatalogAppRegistryFullAccess and AWSServiceCatalogAppRegistryReadOnlyAccess policies.

Policy	Description	Date
AWSServiceCatalogAppRegistryFullAccess – Update to an existing policy	Added the resource group permission `tag:GetResources`, which allows you to retrieve resource tag information.	December 07, 2023
AWSServiceCatalogAppRegistryFullAccess – Update to an existing policy	Added the resource group permissions `resource-groups:AssociateResource` and `resource-groups:DisassociateResource`, which allow you to call the resource groups for `AssociateResource` and `DisassociateResource`.	November 13, 2023
AWSServiceCatalogAppRegistryFullAccess – Update to an existing policy	Added the following: `GetConfiguration` to retrieve a `TagKey` configuration from an account. `PutConfiguration` to associate a `TagKey` configuration with an account. The resource group actions `AssociateResource` and `DisassociateResource`, which are required to perform `AssociateResource` and `DisassociateResource` on a tag value.	November 17, 2022
AWSServiceCatalogAppRegistryReadOnlyAccess – Update to an existing policy	Added `GetConfiguration` to retrieve a `TagKey` configuration from an account.	November 17, 2022
AWSServiceCatalogAppRegistryServiceRolePolicy – Update to an existing policy	Updated `GetGroup` and `GetGroupConfiguration` permissions, which are required for AppRegistry to verify which service-linked resource groups exist in customer accounts.	October 24, 2022
AWSServiceCatalogAppRegistryFullAccess – Update to an existing policy	Added `ListAttributeGroupsForApplication` to list the details of all attribute groups associated with an application.	June 15, 2022
AWSServiceCatalogAppRegistryReadOnlyAccess – Update to an existing policy	Added `ListAttributeGroupsForApplication` to list the details of all attribute groups associated with an application.	June 15, 2022
AWSServiceCatalogAppRegistryServiceRolePolicy – Update to an existing policy	Added permissions to tag AWS Resource Groups when AWS Resource Groups are created.	August 24, 2021
AWSServiceCatalogAppRegistryFullAccess – Update to an existing policy	Added the following: `UpdateStack` permissions to perform `SyncResource`, which updates the tags on the AWS Service Catalog stack. `TagResource`, `ListTagForResources`, and `UntagResource` to perform tagging operations on resources. `GetAssociatedResource`, as part of the integration with AWS Resource Groups.	August 24, 2021
AWSServiceCatalogAppRegistryReadOnlyAccess – Update to an existing policy	Added the following: `ListTagForResources` to list all of the tags on a resource. `GetAssociatedResource`, as part of the integration with AWS Resource Groups.	August 24, 2021

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Infrastructure Security

Troubleshooting in AppRegistry