AWS AmazonECS documentation change
Summary
Added permissions required to view Amazon ECS lifecycle events in Container Insights, including inline IAM policy example.
Security assessment
Documents required IAM permissions for monitoring features, which relates to security best practices for access control. This helps users implement least-privilege permissions but does not indicate a security issue was fixed.
Diff
diff --git a/AmazonECS/latest/developerguide/console-permissions.md b/AmazonECS/latest/developerguide/console-permissions.md index 2f58ed7c2..a25e4558a 100644 --- a//AmazonECS/latest/developerguide/console-permissions.md +++ b//AmazonECS/latest/developerguide/console-permissions.md @@ -5 +5 @@ -Permissions for creating IAM rolesPermissions required for registering an external instance to a clusterPermissions required for registering a task definitionPermissions required for creating an EventBridge rule for scheduled tasksPermissions required for viewing service deployments +Permissions for creating IAM rolesPermissions required for registering an external instance to a clusterPermissions required for registering a task definitionPermissions required for creating an EventBridge rule for scheduled tasksPermissions required for viewing service deploymentsPermissions required to view Amazon ECS lifecycle events in Container Insights @@ -181,0 +182,29 @@ Replace the `account`, `cluster-name`, and `service-name` with your values. +## Permissions required to view Amazon ECS lifecycle events in Container Insights + +The following permissions are required to view the lifecycle events. Add the following permissions as an inline policy to the role. For more information, see [Adding and Removing IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html). + + * events:DescribeRule + + * events:ListTargetsByRule + + * logs:DescribeLogGroups + + + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "events:DescribeRule", + "events:ListTargetsByRule", + "logs:DescribeLogGroups" + ], + "Resource": "*" + } + ] + } +