
ECS IAM Policies

ECS Exec

For your ECS task role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableEcsExec",
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    }
  ]
}
# Policy for the ECS *task* role: grants the SSM Session Manager channel
# permissions that ECS Exec uses to open an interactive session into the
# running container. This is the task-side half; the caller-side half is
# the ecs:ExecuteCommand grant on the user/role.
data "aws_iam_policy_document" "ecs_exec_task" {
  statement {
    sid       = "EnableEcsExec"
    effect    = "Allow"
    # The ssmmessages actions do not support resource-level permissions, so
    # "*" is the narrowest scope available for them — verify against the
    # current Service Authorization Reference before relying on this.
    resources = ["*"]

    # NOTE(review): if the cluster's executeCommandConfiguration enables
    # CloudWatch Logs or S3 session logging, the task role also needs the
    # matching logs:/s3: permissions; that is not covered by this document.
    actions = [
      "ssmmessages:CreateControlChannel",
      "ssmmessages:CreateDataChannel",
      "ssmmessages:OpenControlChannel",
      "ssmmessages:OpenDataChannel",
    ]
  }
}

For the end user/role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcsExecConnect",
      "Effect": "Allow",
      "Action": "ecs:ExecuteCommand",
      "Resource": "arn:${Partition}:ecs:${Region}:${Account}:cluster/${ClusterName}"
    }
  ]
}
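# Policy for the calling IAM user/role: allows running `ecs execute-command`
# against tasks in one specific cluster.
#
# The original snippet carried the IAM-documentation placeholders
# "${Partition}", "${Region}", "${Account}" and "${ClusterName}" straight
# into an HCL string. Inside HCL, "${...}" is Terraform interpolation, and
# those are references to undeclared names, so the document fails at plan
# time. The ARN is now built from the standard partition/region/account data
# sources plus a cluster-name variable. These declarations are expected to
# exist elsewhere in the module (placeholder names — rename to match yours):
#   data "aws_partition" "current" {}
#   data "aws_region" "current" {}
#   data "aws_caller_identity" "current" {}
#   variable "cluster_name" { type = string }
data "aws_iam_policy_document" "ecs_exec_user" {
  statement {
    sid    = "EcsExecConnect"
    effect = "Allow"

    # Scoped to the cluster ARN, so the principal may exec into any task in
    # this cluster. To narrow further, consider a condition block on keys
    # such as ecs:container-name or aws:ResourceTag/<tag-key> — confirm the
    # keys supported by ecs:ExecuteCommand in the Service Authorization
    # Reference before adding them.
    resources = [
      "arn:${data.aws_partition.current.partition}:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/${var.cluster_name}",
    ]

    actions = ["ecs:ExecuteCommand"]
  }
}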