AWS IAM Policy to Automate Deployments to Elastic Beanstalk

AWS_IAM_EB_POLICY.md

An IAM Policy to Automate Deployments to Elastic Beanstalk

Recently our automated deployments to EB started failing as AWS had changed the IAM policy requirements. After having updated the policy, I thought it might be useful to share the set up.

We use CodeShip as our CI/CD server and this is the IAM policy required to allow it to deploy to EB.

This policy sets the minimum requirements that will allow an IAM account to successfully deploy an EB app.

The Policy

Where:

• {REGION} is your application region
• {ACCOUNT_ID} is you account id

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:DeleteApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "sns:CreateTopic",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:Subscribe"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:sns:{REGION}:{ACCOUNT_ID}:*"
        },
        {
            "Action": [
                "autoscaling:SuspendProcesses",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:ResumeProcesses",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudformation:GetTemplate",
                "cloudformation:DescribeStackResource",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:CancelUpdateStack",
                "cloudformation:DescribeStackResources",
                "cloudformation:ListStackResources"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:cloudformation:{REGION}:{ACCOUNT_ID}:*"
        },
        {
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeAddresses"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketPolicy",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-{REGION}-{ACCOUNT_ID}",
                "arn:aws:s3:::elasticbeanstalk-{REGION}-{ACCOUNT_ID}/*"
            ]
        },
        {
            "Action": "s3:Get*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::elasticbeanstalk-*/*"
        },
        {
            "Action": [
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBEngineVersions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}