- Newest
- Most votes
- Most comments
Yes, you can limit the Application Auto Scaling permissions to specific ECS clusters by using condition keys in your IAM policy. Application Auto Scaling supports condition keys that allow you to restrict actions based on the service namespace and scalable dimension.
For ECS services, you can use the application-autoscaling:service-namespace condition key with a value of "ecs" and potentially combine it with other identifiers to target specific clusters.
Here's how you could modify your policy:
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:PutScalingPolicy" ], "Resource": "*", "Condition": { "StringEquals": { "application-autoscaling:service-namespace": "ecs", "application-autoscaling:scalable-dimension": "ecs:service:DesiredCount" }, "StringLike": { "application-autoscaling:ResourceId": "service/your-cluster-name/*" } } }, { "Effect": "Allow", "Action": [ "application-autoscaling:DescribeScalableTargets" ], "Resource": "*" } }
This policy uses condition keys to restrict the DeleteScalingPolicy and PutScalingPolicy actions to only ECS services within your specified cluster. The ResourceId pattern follows the format "service/cluster-name/service-name", allowing you to target a specific cluster.
The DescribeScalableTargets action is kept without restrictions since it's typically a read-only operation used to list resources.
Sources
Actions, resources, and condition keys for AWS Application Auto Scaling - Service Authorization Reference
IAM permissions required for Amazon ECS service auto scaling - Amazon Elastic Container Service
Relevant content
- asked 4 years ago
- asked 2 years ago
