How can I restrict the IAM permissions of an Elastic Beanstalk user or application?

Last updated: 2020-05-18

I want to restrict the AWS Identity and Access Management (IAM) permissions of an AWS Elastic Beanstalk user or application when I create a new Elastic Beanstalk environment.

Short Description

You can restrict the permissions of an IAM user or role by using an IAM policy. The policy can restrict access to a single environment or application.

Complete the steps in one of the following sections:

  • Restrict IAM access to a single environment or application only
  • Restrict IAM access to the Elastic Beanstalk service only

Note: For an example of how to combine IAM policies to restrict access to a single application, see Example policies based on managed policies or Example policies based on resource permissions.

Resolution

Restrict IAM access to a single environment or application only

Create an IAM policy that restricts access to your Elastic Beanstalk environment or application.

Consider the following:

  • In Elastic Beanstalk, you can't restrict permissions to an application in a single step, because an application is a collection of components (environments, application versions, and configuration templates). You can, however, scope permissions at a more granular level using actions, resource ARNs, and condition keys such as elasticbeanstalk:InApplication.
  • An IAM policy on the Elastic Beanstalk APIs is not an effective way to secure the underlying resources. You can restrict how users call the Elastic Beanstalk APIs, but the grants to other services that Elastic Beanstalk needs (for example, ec2:*, s3:*, or cloudformation:* on Resource "*") are not scoped by the application condition, so users with those permissions can still create or modify resources in those services outside of Elastic Beanstalk.
  • Some of the services that Elastic Beanstalk integrates with don't support resource-level permissions. For more information, see AWS Services That Work with IAM.

See the following example of an IAM policy that grants full access to two Elastic Beanstalk applications, My App1 and My App2. The first statement scopes application version changes with the elasticbeanstalk:InApplication condition key, the second grants the unscoped permissions Elastic Beanstalk needs on other services, the third grants access to the default service role and instance profile, and the last two scope read-only and tagging actions to the two applications:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:DeleteApplicationVersion"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "elasticbeanstalk:InApplication": [
                        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
                        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:AbortEnvironmentUpdate",
                "elasticbeanstalk:ApplyEnvironmentManagedAction",
                "elasticbeanstalk:CheckDNSAvailability",
                "elasticbeanstalk:CreateEnvironment",
                "elasticbeanstalk:CreateStorageLocation",
                "elasticbeanstalk:DeleteEnvironmentConfiguration",
                "elasticbeanstalk:DescribeAccountAttributes",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeEnvironmentHealth",
                "elasticbeanstalk:DescribeEnvironmentManagedActions",
                "elasticbeanstalk:DescribeInstancesHealth",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:RebuildEnvironment",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RestartAppServer",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticbeanstalk:SwapEnvironmentCNAMEs",
                "elasticbeanstalk:TerminateEnvironment",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:ValidateConfigurationSettings",
                "autoscaling:*",
                "cloudformation:*",
                "cloudwatch:*",
                "ec2:*",
                "elasticloadbalancing:*",
                "rds:*",
                "s3:*",
                "sns:*",
                "sqs:*",
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:*"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role",
                "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-service-role",
                "arn:aws:iam::123456789012:instance-profile/aws-elasticbeanstalk-ec2-role"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:DescribeEvents",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:AddTags",
                "elasticbeanstalk:ListPlatformVersions"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
                "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:AddTags",
                "elasticbeanstalk:Describe*"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:*::platform/*",
                "arn:aws:elasticbeanstalk:*:*:environment/*/*",
                "arn:aws:elasticbeanstalk:*:*:application/*",
                "arn:aws:elasticbeanstalk:*::solutionstack/*",
                "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*",
                "arn:aws:elasticbeanstalk:*:*:configurationtemplate/*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticbeanstalk:InApplication": [
                        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
                        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
                    ]
                }
            }
        }
    ]
}

Important: If you're not using the default Elastic Beanstalk service role and instance profile, then update the third statement of the preceding IAM policy with the ARNs of your custom service role, EC2 role, and instance profile. Note that iam:* on those role ARNs includes actions such as iam:AttachRolePolicy and iam:PutRolePolicy, which let the user broaden what the instances and the service itself can do; if you don't need that, narrow the statement to the IAM actions your workflow actually requires (for example, iam:PassRole).

For more information on restricting access to Elastic Beanstalk applications, see Resources and conditions for Elastic Beanstalk actions.
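The following is an added example, not part of the original article: a deliberately small, offline IAM policy evaluator that models only what the preceding policy uses (Allow statements, action and resource wildcards, and StringEquals conditions). It runs a cut-down, constructed version of the policy through four requests to show the two points the section makes: the elasticbeanstalk:InApplication condition admits calls for My App1 and My App2 and rejects a request for another application (or one with no application context at all), while the unscoped grants such as s3:* are not narrowed by that condition. The unscoped_wildcards helper lists exactly those grants so you can review them. Explicit Deny, NotAction, policy variables, SCPs, and resource policies are not modelled; use the IAM policy simulator for an authoritative answer.

```python
import fnmatch

ACCOUNT = "123456789012"
REGION = "us-east-2"
APP1 = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/My App1"
APP2 = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/My App2"
OTHER = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/Other App"
IN_APP = "elasticbeanstalk:InApplication"

# Constructed, cut-down version of the article's policy: the InApplication
# condition statement, the resource-scoped Describe statement, and the
# unscoped wildcard grants to other services.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:DeleteApplicationVersion",
            ],
            "Resource": "*",
            "Condition": {"StringEquals": {IN_APP: [APP1, APP2]}},
        },
        {
            "Effect": "Allow",
            "Action": ["elasticbeanstalk:DescribeEvents", "elasticbeanstalk:DescribeApplications"],
            "Resource": [APP1, APP2],
        },
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudformation:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARN matching is case-sensitive.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_matches(condition, context):
    # Only StringEquals is modelled. A StringEquals test against a key that is
    # absent from the request context is false, so the statement does not apply.
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in tests.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement covers the call (no Deny handling, see lead-in)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def unscoped_wildcards(policy, service="elasticbeanstalk"):
    """Return 'svc:*' actions granted on Resource '*' to services other than `service`.

    These are the grants the application-level condition never applies to."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            svc, _, name = action.partition(":")
            if name == "*" and svc != service:
                found.add(action)
    return sorted(found)


if __name__ == "__main__":
    version_arn = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:applicationversion/My App1/v1"
    create = "elasticbeanstalk:CreateApplicationVersion"
    print(is_allowed(POLICY, create, version_arn, {IN_APP: APP1}))   # True
    print(is_allowed(POLICY, create, version_arn, {IN_APP: OTHER}))  # False
    print(is_allowed(POLICY, create, version_arn))                   # False: key absent
    print(is_allowed(POLICY, "elasticbeanstalk:DescribeEvents", OTHER))      # False
    print(is_allowed(POLICY, "s3:DeleteBucket", "arn:aws:s3:::any-bucket"))  # True
    print(unscoped_wildcards(POLICY))  # ['cloudformation:*', 'ec2:*', 's3:*']
```

To check your own policy, load its JSON into POLICY and call is_allowed with the action, the ARN of the resource the call targets, and a context dictionary holding the application ARN under elasticbeanstalk:InApplication; anything unscoped_wildcards returns is reachable by the user regardless of application.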

Restrict IAM access to the Elastic Beanstalk service only

Important: The following steps apply to new Elastic Beanstalk environments or applications only.

Because the underlying resources (EC2 instances, S3 buckets, CloudFormation stacks, and so on) can't be scoped to a single Elastic Beanstalk application with IAM alone, the account is the boundary that isolates them:

  1. Create a separate AWS account for your Elastic Beanstalk environment or application.
  2. Connect the separate account to your main AWS account using AWS Organizations.
