Beanstalk: Autoscaling Permissions

0

Hello! I'm receiving the following error message when my Beanstalk environment tries to scale the instances:

"Access denied while accessing Auto Scaling and Elastic Load Balancing using role "arn:aws:iam::310405260866:role/service-role/aws-elasticbeanstalk-service-role". Verify the role policy."

But the role "aws-elasticbeanstalk-service-role" has the following policies attached:

ElasticLoadBalancingFullAccess, AmazonEC2FullAccess, AutoScalingFullAccess, AutoScalingConsoleFullAccess, AdministratorAccess-AWSElasticBeanstalk, AWSElasticBeanstalkEnhancedHealth, AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy

I've tried to terminate and recreate the environment, but I keep getting this message in the events of the environment. Thank you so much!!

1 Answer
0

Let's work on improving this. Elastic Beanstalk managed policies lack granularity in permissions as they grant all potentially necessary permissions for working with Elastic Beanstalk applications. To address this, ensure that your service role aws-elasticbeanstalk-service-role possesses the required permission.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudformationReadOperationsOnElasticBeanstalkStacks",
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/awseb-*",
                "arn:aws:cloudformation:*:*:stack/eb-*"
            ]
        },
        {
            "Sid": "AllowOperations",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeNotificationConfigurations",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:PutNotificationConfiguration",
                "ec2:DescribeInstanceStatus",
                "ec2:AssociateAddress",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeTargetGroups",
                "lambda:GetFunction",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sns:Publish"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowOperationsOnHealthStreamingLogs",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:DeleteLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk/*"
        }
    ]
}

This will grant all the essential permissions required for your Elastic Beanstalk. Once you've completed your tasks with the service, consider adjusting your Service Role to have minimal privileges. To accomplish this, utilize IAM Access Analyzer (Unused access). This tool identifies unused permissions, allowing you to remove those that your service role doesn't require.

EXPERT
answered 2 months ago
  • Where do I have to put this? In trust relationships? Or in what part of the role? Thanks!
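
Added example (not part of the answer above, and not AWS's own code): the JSON in the answer has Action and Resource but no Principal, so it is a permissions policy and is attached to the role's permissions, not to its trust relationship. The script assumes the JSON is saved as eb-service-role-policy.json and uses a hypothetical inline policy name; the role name and ARN come from the error message in the question.

```shell
#!/bin/sh
# Added example. Assumptions: POLICY_FILE holds the JSON from the answer;
# POLICY_NAME is a hypothetical name chosen for this example.
ROLE_NAME="aws-elasticbeanstalk-service-role"
ROLE_ARN="arn:aws:iam::310405260866:role/service-role/${ROLE_NAME}"  # from the error message
POLICY_NAME="eb-service-role-inline"
POLICY_FILE="eb-service-role-policy.json"

# Attach the document as an inline permissions policy on the role.
attach_policy() {
    aws iam put-role-policy \
        --role-name "$ROLE_NAME" \
        --policy-name "$POLICY_NAME" \
        --policy-document "file://${POLICY_FILE}"
}

# Print the trust policy (who may assume the role); it is a separate
# document and put-role-policy does not change it.
show_trust_policy() {
    aws iam get-role --role-name "$ROLE_NAME" \
        --query 'Role.AssumeRolePolicyDocument' --output json
}

# Ask IAM to evaluate the role's policies for the given actions.
# Prints one "action<TAB>decision" line per action.
simulate() {
    aws iam simulate-principal-policy \
        --policy-source-arn "$ROLE_ARN" \
        --action-names "$@" \
        --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
        --output text
}

# Keep only actions whose decision is implicitDeny or explicitDeny.
not_allowed() {
    awk -F'\t' '$2 != "allowed" { print $1 ": " $2 }'
}

main() {
    attach_policy && show_trust_policy &&
    simulate autoscaling:DescribeAutoScalingGroups \
             autoscaling:DescribeScalingActivities \
             elasticloadbalancing:DescribeLoadBalancers \
             elasticloadbalancing:DescribeTargetHealth | not_allowed
}

# Calls AWS only when explicitly requested: RUN_AWS=1 sh this-script.sh
if [ "${RUN_AWS:-0}" = "1" ]; then main; fi
```

Empty output from the last step means every listed action evaluated to allowed for the role.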
