How can I restrict the IAM permissions of an Elastic Beanstalk user?

Last updated: 2019-10-15

How can I restrict the AWS Identity and Access Management (IAM) permissions of an AWS Elastic Beanstalk user when I create a new Elastic Beanstalk environment or application?

Short Description

You can restrict the permissions of an IAM user or role by using an IAM policy. The policy can restrict access to a single environment or application.

Complete the steps in one of the following sections:

  • Restrict IAM access to a single environment or application only
  • Restrict IAM access to the Elastic Beanstalk service only

Resolution

Restrict IAM access to a single environment or application only

Create an IAM policy that restricts access to your Elastic Beanstalk environment or application.

Consider the following:

  • Because an Elastic Beanstalk application is a collection of components (such as environments, application versions, and environment configurations), you can't restrict permissions to the application as a single unit. However, you can restrict permissions at a more granular level by using actions, resources, and condition keys. For an example of how you can combine IAM policies to restrict access to a single application, see Example Policies Based on Managed Policies.
  • An IAM policy that restricts Elastic Beanstalk API calls is not an effective way to secure the underlying resources. For example, you can restrict how users interact with the Elastic Beanstalk APIs by using the appropriate IAM policy. However, you can't prevent users who have Elastic Beanstalk permissions from creating resources in other AWS services that are unrelated to Elastic Beanstalk.
  • Some of the resources that Elastic Beanstalk integrates with don't support resource-level permissions. For more information, see AWS Services That Work with IAM.
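The following is an added example, not code from this article or from AWS: it builds a policy document scoped to one application the way the bullets above describe (application-scoped resource ARNs plus the elasticbeanstalk:InApplication condition key), and adds a check that flags any Allow statement that escapes that application. The ARN layouts and condition key are taken from the Elastic Beanstalk IAM reference; the region, account ID and application name are placeholders.

```python
import json

# Added example (not from the article). Component ARNs embed the application
# name: arn:aws:elasticbeanstalk:<region>:<account>:<kind>/<app name>/<component>
CHILD_KINDS = ("environment", "applicationversion", "configurationtemplate")

def application_arn(region, account_id, app_name):
    return f"arn:aws:elasticbeanstalk:{region}:{account_id}:application/{app_name}"

def single_application_policy(region, account_id, app_name):
    """Allow all Elastic Beanstalk actions, but only inside one application."""
    app_arn = application_arn(region, account_id, app_name)
    # A wildcard under <kind>/<app name>/ cannot match another application's components.
    children = [f"arn:aws:elasticbeanstalk:{region}:{account_id}:{kind}/{app_name}/*"
                for kind in CHILD_KINDS]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ApplicationItself", "Effect": "Allow",
         "Action": ["elasticbeanstalk:*"], "Resource": [app_arn]},
        {"Sid": "ComponentsOfTheApplication", "Effect": "Allow",
         "Action": ["elasticbeanstalk:*"], "Resource": children,
         # The condition key additionally binds the request to this application.
         "Condition": {"StringEquals": {"elasticbeanstalk:InApplication": [app_arn]}}},
    ]}

def statements_outside_application(policy, app_arn):
    """Return Sids of Allow statements not pinned to app_arn: a statement passes if
    its InApplication condition names exactly this application, or if every
    resource is the application ARN or one of its component ARNs."""
    service_prefix = app_arn.rsplit(":", 1)[0]   # arn:aws:elasticbeanstalk:<region>:<account>
    app_name = app_arn.rsplit("/", 1)[1]
    child_prefixes = tuple(f"{service_prefix}:{kind}/{app_name}/" for kind in CHILD_KINDS)
    offenders = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("elasticbeanstalk:InApplication")
        if cond is not None and set([cond] if isinstance(cond, str) else cond) == {app_arn}:
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if not resources or not all(r == app_arn or r.startswith(child_prefixes) for r in resources):
            offenders.append(stmt.get("Sid", "<no Sid>"))   # e.g. a bare "*" or another application
    return offenders

if __name__ == "__main__":
    # Placeholder region, account ID and application name.
    policy = single_application_policy("us-east-2", "123456789012", "App1")
    print(json.dumps(policy, indent=2))
    print(statements_outside_application(policy, application_arn("us-east-2", "123456789012", "App1")))
```

Run the check against any policy you attach to the user or role: a statement that grants elasticbeanstalk actions on "*" without the condition key is exactly the kind that reaches every application in the account.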

Restrict IAM access to the Elastic Beanstalk service only

Important: The following steps apply to new Elastic Beanstalk environments or applications only.

  1. Create a separate AWS account for your Elastic Beanstalk environment or application.
  2. Connect the separate account to your main AWS account using AWS Organizations.
