Tags: amazon-elastic-beanstalk, amazon-iam

Elastic Beanstalk IAM developer permissions


I have been trying to figure out what permissions I need to set to let a developer do eb deploy, eb logs and eb ssh on a particular EB environment. I want to set it so that all the developers can do deploy and debug on our develop environment, but that only one can do deploy and debug master.

I also want it locked down so that they can't affect any other EC2-instances, RDS-instances, S3-buckets, Load Balancers and so on.

Has anybody managed to put together an IAM policy (or two...) for this?


Solution

  • Elastic Beanstalk composes many AWS services. You need to grant specific permissions on all the AWS resources that Elastic Beanstalk uses to read and update the environment, including:

    • CloudFormation
    • EC2
    • Auto Scaling Group
    • Elastic Load Balancer
    • CloudWatch
    • S3
    • SNS
    • RDS
    • SQS
    • Elastic Beanstalk

    This is the full policy required to allow an IAM user to access, update, deploy and SSH to Elastic Beanstalk:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ElasticBeanstalkReadOnlyAccess",
          "Effect": "Allow",
          "Action": [
            "elasticbeanstalk:Check*",
            "elasticbeanstalk:Describe*",
            "elasticbeanstalk:List*",
            "elasticbeanstalk:RequestEnvironmentInfo",
            "elasticbeanstalk:RetrieveEnvironmentInfo",
            "ec2:Describe*",
            "elasticloadbalancing:Describe*",
            "autoscaling:Describe*",
            "cloudwatch:Describe*",
            "cloudwatch:List*",
            "cloudwatch:Get*",
            "s3:Get*",
            "s3:List*",
            "sns:Get*",
            "sns:List*",
            "cloudformation:Describe*",
            "cloudformation:Get*",
            "cloudformation:List*",
            "cloudformation:Validate*",
            "cloudformation:Estimate*",
            "rds:Describe*",
            "sqs:Get*",
            "sqs:List*"
          ],
          "Resource": "*"
        },
        {
          "Sid": "ElasticBeanstalkDeployAccess",
          "Effect": "Allow",
          "Action": [
            "autoscaling:SuspendProcesses",
            "autoscaling:ResumeProcesses",
            "autoscaling:UpdateAutoScalingGroup",
            "cloudformation:UpdateStack",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupIngress",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "elasticbeanstalk:CreateStorageLocation",
            "elasticbeanstalk:CreateApplicationVersion",
            "elasticbeanstalk:CreateConfigurationTemplate",
            "elasticbeanstalk:UpdateApplicationVersion",
            "elasticbeanstalk:UpdateConfigurationTemplate",
            "elasticbeanstalk:UpdateEnvironment",
            "elasticbeanstalk:ValidateConfigurationSettings",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:PutObjectAcl"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    

    The above policy gives IAM users read-only and deploy-only access to any Elastic Beanstalk environment and its related services.

    If you want to restrict the users' access to particular AWS resources, you need to specify the ARNs and conditions yourself. For example:

    • Restrict S3 resources to something like arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/* (Elastic Beanstalk's S3 Bucket).
    • EC2 with Resource Tag as conditional (like: elasticbeanstalk:environment-name).
    • You can also specify AWS region on ARN.
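The answer's final bullets describe scoping the deploy statement by S3 bucket ARN, EC2 resource tags and region, but leave the mechanics to the reader. The following Python is an added example, not part of the answer or of any AWS tool: it detects statements that grant write actions on `Resource: "*"` with no condition (the shape of `ElasticBeanstalkDeployAccess` above) and rewrites them per service, pinning S3 to the environment's bucket, Elastic Beanstalk actions to one environment's ARN patterns, and everything else to resources carrying the `elasticbeanstalk:environment-name` tag. The policy embedded in the block is a trimmed copy of the one in the answer; the account id, region, application and environment names are constructed placeholders; the `WRITE_VERBS` list, the ARN patterns and the assumption that the environment's EC2 and Auto Scaling resources carry the tag are the author's own and should be checked against the IAM action reference for each service before use.

```python
import copy
import json

# Constructed: a trimmed copy of the permissive policy from the answer above.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ElasticBeanstalkReadOnlyAccess",
            "Effect": "Allow",
            "Action": ["elasticbeanstalk:Describe*", "ec2:Describe*", "s3:Get*", "s3:List*"],
            "Resource": "*",
        },
        {
            "Sid": "ElasticBeanstalkDeployAccess",
            "Effect": "Allow",
            "Action": [
                "autoscaling:UpdateAutoScalingGroup",
                "ec2:AuthorizeSecurityGroupIngress",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment",
                "s3:PutObject",
            ],
            "Resource": ["*"],
        },
    ],
}

# Assumption: an action whose verb starts with one of these changes state; anything else
# is treated as read-only. Extend the list for services whose verbs differ.
WRITE_VERBS = ("Create", "Update", "Delete", "Put", "Authorize", "Revoke",
               "Register", "Suspend", "Resume", "Terminate", "Rebuild", "Restart")


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_write_action(action):
    verb = action.split(":", 1)[1]
    return verb == "*" or verb.startswith(WRITE_VERBS)


def find_unscoped_write_statements(policy):
    """Sids of Allow statements granting a write action on every resource with no Condition."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        if any(is_write_action(a) for a in _as_list(stmt["Action"])):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def scope_policy(policy, account_id, region, app_name, env_name, bucket):
    """Return a copy of the policy with each unscoped write statement split per service
    and pinned to a single Elastic Beanstalk environment. The input is not modified."""
    scoped = copy.deepcopy(policy)
    unscoped = set(find_unscoped_write_statements(policy))
    # Tag condition for resources Elastic Beanstalk tags with its environment name (assumed here).
    env_tag = {"StringEquals": {"aws:ResourceTag/elasticbeanstalk:environment-name": env_name}}
    new_statements = []
    for stmt in scoped["Statement"]:
        if stmt.get("Sid") not in unscoped:
            new_statements.append(stmt)
            continue
        by_service = {}
        for action in _as_list(stmt["Action"]):
            by_service.setdefault(action.split(":")[0], []).append(action)
        for service, actions in by_service.items():
            new = {"Sid": f"{stmt['Sid']}{service.capitalize()}", "Effect": "Allow", "Action": actions}
            if service == "s3":
                # Only objects in the environment's Elastic Beanstalk bucket.
                new["Resource"] = f"arn:aws:s3:::{bucket}/*"
            elif service == "elasticbeanstalk":
                # Environment and application-version ARN patterns (assumed; verify per action).
                new["Resource"] = [
                    f"arn:aws:elasticbeanstalk:{region}:{account_id}:environment/{app_name}/{env_name}",
                    f"arn:aws:elasticbeanstalk:{region}:{account_id}:applicationversion/{app_name}/*",
                ]
            else:
                # EC2 / Auto Scaling: keep Resource "*" but require the environment tag.
                new["Resource"] = "*"
                new["Condition"] = env_tag
            new_statements.append(new)
    scoped["Statement"] = new_statements
    return scoped


if __name__ == "__main__":
    print("unscoped write statements:", find_unscoped_write_statements(PERMISSIVE_POLICY))
    print(json.dumps(scope_policy(PERMISSIVE_POLICY, "123456789012", "us-east-1",
                                  "myapp", "myapp-develop",
                                  "elasticbeanstalk-us-east-1-123456789012"), indent=2))
```

Running the block prints the Sid of the over-broad deploy statement and then the rewritten policy. For the question's two-tier setup, generate one policy per environment (`myapp-develop` for all developers, `myapp-master` for the single release developer) and attach each to its own IAM group; the read-only statement stays on `*` because describe calls are what `eb logs` and `eb ssh` need to locate the environment.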