1 Answer
Let's work on improving this. Elastic Beanstalk managed policies lack granularity in permissions as they grant all potentially necessary permissions for working with Elastic Beanstalk applications. To address this, ensure that your service role aws-elasticbeanstalk-service-role possesses the required permission.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudformationReadOperationsOnElasticBeanstalkStacks",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/awseb-*",
        "arn:aws:cloudformation:*:*:stack/eb-*"
      ]
    },
    {
      "Sid": "AllowOperations",
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:PutNotificationConfiguration",
        "ec2:DescribeInstanceStatus",
        "ec2:AssociateAddress",
        "ec2:DescribeAddresses",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeTargetGroups",
        "lambda:GetFunction",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sns:Publish"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowOperationsOnHealthStreamingLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DeleteLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk/*"
    }
  ]
}
```
This will grant all the essential permissions required for your Elastic Beanstalk. Once you've completed your tasks with the service, consider adjusting your Service Role to have minimal privileges. To accomplish this, utilize IAM Access Analyzer (Unused access). This tool identifies unused permissions, allowing you to remove those that your service role doesn't require.
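Added example, not part of the answer above: the document is a permissions policy (it has Effect/Action/Resource, not a Principal), so it is attached to the role with `aws iam put-role-policy` rather than placed in the trust relationship. The script embeds that policy and does the least-privilege review the answer recommends: it lists the non-read actions granted on `Resource: "*"` (the statements to tighten first) and, given a constructed list of actions actually observed in use, the actions that could be dropped. The role and policy names in the CLI helper are assumptions.

```python
import json

# Policy from the answer above, embedded so the audit runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCloudformationReadOperationsOnElasticBeanstalkStacks", "Effect": "Allow",
         "Action": ["cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources",
                    "cloudformation:DescribeStacks"],
         "Resource": ["arn:aws:cloudformation:*:*:stack/awseb-*", "arn:aws:cloudformation:*:*:stack/eb-*"]},
        {"Sid": "AllowOperations", "Effect": "Allow",
         "Action": ["autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances",
                    "autoscaling:DescribeNotificationConfigurations", "autoscaling:DescribeScalingActivities",
                    "autoscaling:PutNotificationConfiguration", "ec2:DescribeInstanceStatus",
                    "ec2:AssociateAddress", "ec2:DescribeAddresses", "ec2:DescribeInstances",
                    "ec2:DescribeSecurityGroups", "elasticloadbalancing:DescribeInstanceHealth",
                    "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:DescribeTargetGroups", "lambda:GetFunction",
                    "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sns:Publish"],
         "Resource": ["*"]},
        {"Sid": "AllowOperationsOnHealthStreamingLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams",
                    "logs:DeleteLogGroup", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk/*"},
    ],
}

READ_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Heuristic: Describe*/Get*/List* API calls do not change state."""
    return action.split(":", 1)[1].startswith(READ_PREFIXES)


def wildcard_write_actions(policy):
    """(Sid, action) pairs for mutating actions allowed on Resource '*': scope these first."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt["Resource"]):
            findings += [(stmt.get("Sid"), a) for a in _as_list(stmt["Action"]) if not is_read_only(a)]
    return findings


def unused_actions(policy, used_actions):
    """Granted actions never observed in use (e.g. from Access Analyzer unused-access findings)."""
    granted = {a for s in policy["Statement"] for a in _as_list(s["Action"])}
    return sorted(granted - set(used_actions))


def put_role_policy_command(policy, role_name="aws-elasticbeanstalk-service-role", policy_name="eb-service-inline"):
    """argv for attaching the document as an inline permissions policy (names are assumptions)."""
    return ["aws", "iam", "put-role-policy", "--role-name", role_name,
            "--policy-name", policy_name, "--policy-document", json.dumps(POLICY if policy is None else policy)]
```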
Where do I have to put this? In trust relationships? Or in what part of the role? Thanks!