AWS Security ChangesHomeSearch

AWS elasticbeanstalk documentation change

Service: elasticbeanstalk · 2025-06-07 · Documentation low

File: elasticbeanstalk/latest/dg/iam-instanceprofile.md

Summary

Reorganized sections, added detailed steps for creating instance profiles with default managed policies, and moved/updated instructions for adding permissions to the default instance profile.

Security assessment

The changes improve documentation clarity around IAM instance profile configuration and permissions management. While IAM roles are security-related, there is no evidence of a specific security vulnerability being addressed. The updates focus on procedural guidance (e.g., specifying default managed policies like AWSElasticBeanstalkWebTier) rather than patching a security flaw.

Diff

diff --git a/elasticbeanstalk/latest/dg/iam-instanceprofile.md b/elasticbeanstalk/latest/dg/iam-instanceprofile.md
index 8a46f2f72..35b705224 100644
--- a//elasticbeanstalk/latest/dg/iam-instanceprofile.md
+++ b//elasticbeanstalk/latest/dg/iam-instanceprofile.md
@@ -5 +5 @@
-Creating an instance profileVerifying the permissions assigned your instance profileUpdating an out-of-date default instance profileAdding permissions to the default instance profile
+Creating an instance profileAdding permissions to the default instance profileVerifying the permissions assigned your instance profileUpdating an out-of-date default instance profile
@@ -11 +11 @@ An instance profile is a container for an AWS Identity and Access Management (IA
-If your AWS account doesn’t have an EC2 instance profile, you must create one using the IAM service. You can then assign the EC2 instance profile to new environments that you create. The **Create environment** wizard provides information to guide you through the IAM service, so that you can create an EC2 instance profile with the required permissions. After creating the instance profile, you can return to the console to select it as the EC2 instance profile and continue the steps to create your environment.
+If your AWS account doesn’t have an EC2 instance profile, you must create one using the IAM service. You can then assign the EC2 instance profile to new environments that you create. The **Create environment** steps in the Elastic Beanstalk console provides you access to the IAM console, so that you can create an EC2 instance profile with the required permissions.
@@ -61,0 +62,2 @@ To customize permissions, you can add policies to the role attached to the defau
+  * Adding permissions to the default instance profile
+
@@ -66,2 +67,0 @@ To customize permissions, you can add policies to the role attached to the defau
-  * Adding permissions to the default instance profile
-
@@ -73 +73,30 @@ To customize permissions, you can add policies to the role attached to the defau
-An instance profile is a wrapper around a standard IAM role that allows an EC2 instance to assume the role. You can create additional instance profiles to customize permissions for different applications. Or you can create an instance profile that doesn't grant permissions for worker tier or ECS managed Docker environments, if you don't use those features.
+An instance profile is a wrapper around a standard IAM role that allows an EC2 instance to assume the role. You can create an instance profile with the default Elastic Beanstalk managed policies. You can also create additional instance profiles to customize permissions for different applications. Or you can create an instance profile that doesn't include the two managed policies that grant permissions for worker tier or ECS managed Docker environments, if you don't use those features.
+
+###### To create an instance profile with the default managed policies
+
+  1. Open the [**Roles** page](https://console.aws.amazon.com/iam/home#roles) in the IAM console.
+
+  2. Choose **Create role**.
+
+  3. For **Trusted entity type** , choose **AWS service**.
+
+  4. For **Service or use case** , choose **Elastic Beanstalk**.
+
+  5. For **Use case** , choose**Elastic Beanstalk – Compute**. 
+
+  6. Choose **Next**.
+
+  7. Enter a **Role name**.
+
+You can enter the name of the default role that the Elastic Beanstalk console suggests: `aws-elasticbeanstalk-ec2-role`.
+
+  8. Verify that **Permissions policies** include the following, then choose **Next** :
+
+     * `AWSElasticBeanstalkWebTier`
+
+     * `AWSElasticBeanstalkWorkerTier`
+
+     * `AWSElasticBeanstalkMulticontainerDocker`
+
+  9. Choose **Create role**.
+
@@ -75 +104,3 @@ An instance profile is a wrapper around a standard IAM role that allows an EC2 i
-###### To create an instance profile
+
+
+###### To create an instance profile with your specific choice of managed policies
@@ -99,0 +131,19 @@ An instance profile is a wrapper around a standard IAM role that allows an EC2 i
+## Adding permissions to the default instance profile
+
+If your application accesses AWS APIs or resources to which permissions aren't granted in the default instance profile, add policies that grant permissions in the IAM console.
+
+###### To add policies to the role attached to the default instance profile
+
+  1. Open the [Roles page](https://console.aws.amazon.com/iam/home#roles) in the IAM console.
+
+  2. Choose the role assigned as your EC2 instance profile.
+
+  3. On the **Permissions** tab, choose **Attach policies**.
+
+  4. Select the managed policy for the additional services that your application uses. For example, `AmazonS3FullAccess` or `AmazonDynamoDBFullAccess`.
+
+  5. Choose **Attach policy**.
+
+
+
+
@@ -142,19 +191,0 @@ If the default instance profile lacks the required permissions, you can add the
-## Adding permissions to the default instance profile
-
-If your application accesses AWS APIs or resources to which permissions aren't granted in the default instance profile, add policies that grant permissions in the IAM console.
-
-###### To add policies to the role attached to the default instance profile
-
-  1. Open the [Roles page](https://console.aws.amazon.com/iam/home#roles) in the IAM console.
-
-  2. Choose the role assigned as your EC2 instance profile.
-
-  3. On the **Permissions** tab, choose **Attach policies**.
-
-  4. Select the managed policy for the additional services that your application uses. For example, `AmazonS3FullAccess` or `AmazonDynamoDBFullAccess`.
-
-  5. Choose **Attach policy**.
-
-
-
-