Policy information for Elastic Beanstalk actions Condition keys for Elastic Beanstalk actions

Resources and conditions for Elastic Beanstalk actions

This section describes the resources and conditions that you can use in policy statements to grant permissions that allow specific Elastic Beanstalk actions to be performed on specific Elastic Beanstalk resources.

Conditions enable you to specify permissions to resources that the action needs to complete. For example, when you can call the CreateEnvironment action, you must also specify the application version to deploy as well as the application that contains that application name. When you set permissions for the CreateEnvironment action, you specify the application and application version that you want the action to act upon by using the InApplication and FromApplicationVersion conditions.

In addition, you can specify the environment configuration with a solution stack (FromSolutionStack) or a configuration template (FromConfigurationTemplate). The following policy statement allows the CreateEnvironment action to create an environment with the name myenv (specified by Resource) in the application My App (specified by the InApplication condition) using the application version My Version (FromApplicationVersion) with a 32bit Amazon Linux running Tomcat 7 configuration (FromSolutionStack):


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CreateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"],
          "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version"],
          "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-2::solutionstack/32bit Amazon Linux running Tomcat 7"]
        }
      }
    }
  ]
}

Note

Most condition keys mentioned in this topic are specific to Elastic Beanstalk, and their names contain the elasticbeanstalk: prefix. For brevity, we omit this prefix from the condition key names when we mention them in the following sections. For example, we mention InApplication instead of its full name elasticbeanstalk:InApplication.

In contrast, we mention a few condition keys used across AWS services, and we include their aws: prefix to highlight the exception.

Policy examples always show full condition key names, including the prefix.

Sections

Policy information for Elastic Beanstalk actions
Condition keys for Elastic Beanstalk actions

Policy information for Elastic Beanstalk actions

The following table lists all Elastic Beanstalk actions, the resource that each action acts upon, and the additional contextual information that can be provided using conditions.

Policy information for Elastic Beanstalk actions, including resources, conditions, examples, and dependencies
Resource	Conditions	Example statement
Action: `AbortEnvironmentUpdate`
`application` `environment`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows a user to abort environment update operations on environments in an application named `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:AbortEnvironmentUpdate" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App" ] } ] }`
Action: `CheckDNSAvailability`
`"*"`	N/A	`{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CheckDNSAvailability" ], "Effect": "Allow", "Resource": "*" } ] }`
Action: `ComposeEnvironments`
`application`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows a user to compose environments that belong to an application named `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:ComposeEnvironments" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App" ] } ] }`
Action: `CreateApplication`
`application`	`aws:RequestTag/key-name` (Optional) `aws:TagKeys` (Optional)	This example allows the `CreateApplication` action to create applications whose names begin with `DivA`: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateApplication" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/DivA*" ] } ] }`
Action: `CreateApplicationVersion`
`applicationversion`	`InApplication` `aws:RequestTag/key-name` (Optional) `aws:TagKeys` (Optional)	This example allows the `CreateApplicationVersion` action to create application versions with any name (``) in the application `My App`: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateApplicationVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`
Action: `CreateConfigurationTemplate`
`configurationtemplate`	`InApplication` `FromApplication` `FromApplicationVersion` `FromConfigurationTemplate` `FromEnvironment` `FromSolutionStack` `aws:RequestTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `CreateConfigurationTemplate` action to create configuration templates whose name begins with `My Template` (`My Template`) in the application `My App`: { "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateConfigurationTemplate" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:configurationtemplate/My App/My Template" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"], "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-2::solutionstack/32bit Amazon Linux running Tomcat 7"] } } } ] }
Action: `CreateEnvironment`
`environment`	`InApplication` `FromApplicationVersion` `FromConfigurationTemplate` `FromSolutionStack` `aws:RequestTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `CreateEnvironment` action to create an environment whose name is `myenv` in the application `My App` and using the solution stack `32bit Amazon Linux running Tomcat 7`: { "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"], "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version"], "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-2::solutionstack/32bit Amazon Linux running Tomcat 7"] } } } ] }
Action: `CreatePlatformVersion`
`platform`	`aws:RequestTag/key-name` (Optional) `aws:TagKeys` (Optional)	This example allows the `CreatePlatformVersion` action to create platform versions targeting the `us-east-2` region, whose names begin with `us-east-2_`: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreatePlatformVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:platform/us-east-2_*" ] } ] }`
Action: `CreateStorageLocation`
`"*"`	N/A	`{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateStorageLocation" ], "Effect": "Allow", "Resource": "*" } ] }`
Action: `DeleteApplication`
`application`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DeleteApplication` action to delete the application `My App`: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DeleteApplication" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App" ] } ] }`
Action: `DeleteApplicationVersion`
`applicationversion`	`InApplication` `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DeleteApplicationVersion` action to delete an application version whose name is `My Version` in the application `My App`: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DeleteApplicationVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`
Action: `DeleteConfigurationTemplate`
`configurationtemplate`	`InApplication` (Optional) `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DeleteConfigurationTemplate` action to delete a configuration template whose name is `My Template` in the application `My App`. Specifying the application name as a condition is optional. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DeleteConfigurationTemplate" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:configurationtemplate/My App/My Template" ] } ] }`
Action: `DeleteEnvironmentConfiguration`
`environment`	`InApplication` (Optional)	The following policy allows the `DeleteEnvironmentConfiguration` action to delete a draft configuration for the environment `myenv` in the application `My App`. Specifying the application name as a condition is optional. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DeleteEnvironmentConfiguration" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }`
Action: `DeletePlatformVersion`
`platform`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DeletePlatformVersion` action to delete platform versions targeting the `us-east-2` region, whose names begin with `us-east-2_`: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DeletePlatformVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:platform/us-east-2_*" ] } ] }`
Action: `DescribeApplications`
`application`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DescribeApplications` action to describe the application My App. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DescribeApplications" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App" ] } ] }`
Action: `DescribeApplicationVersions`
`applicationversion`	`InApplication` (Optional) `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DescribeApplicationVersions` action to describe the application version `My Version` in the application `My App`. Specifying the application name as a condition is optional. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DescribeApplicationVersions" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version" ] } ] }`
Action: `DescribeConfigurationOptions`
`environment` `configurationtemplate` `solutionstack`	`InApplication` (Optional) `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DescribeConfigurationOptions` action to describe the configuration options for the environment `myenv` in the application `My App`. Specifying the application name as a condition is optional. `{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeConfigurationOptions", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }`
Action: `DescribeConfigurationSettings`
`environment` `configurationtemplate`	`InApplication` (Optional) `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DescribeConfigurationSettings` action to describe the configuration settings for the environment `myenv` in the application `My App`. Specifying the application name as a condition is optional. `{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeConfigurationSettings", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }`
Action: `DescribeEnvironmentHealth`
`environment`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows use of `DescribeEnvironmentHealth` to retrieve health information for an environment named `myenv`. `{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeEnvironmentHealth", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }`
Action: `DescribeEnvironmentResources`
`environment`	`InApplication` (Optional) `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DescribeEnvironmentResources` action to return list of AWS resources for the environment `myenv` in the application `My App`. Specifying the application name as a condition is optional. `{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeEnvironmentResources", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }`
Action: `DescribeEnvironments`
`environment`	`InApplication` (Optional) `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DescribeEnvironments` action to describe the environments `myenv` and `myotherenv` in the application `My App`. Specifying the application name as a condition is optional. `{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeEnvironments", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv", "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App2/myotherenv" ] } ] }`
Action: `DescribeEvents`
`application` `applicationversion` `configurationtemplate` `environment`	`InApplication` `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DescribeEvents` action to list event descriptions for the environment `myenv` and the application version `My Version` in the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeEvents", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv", "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`
Action: `DescribeInstancesHealth`
`environment`	N/A	The following policy allows use of `DescribeInstancesHealth` to retrieve health information for instances in an environment named `myenv`. `{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeInstancesHealth", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }`
Action: `DescribePlatformVersion`
`platform`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `DescribePlatformVersion` action to describe platform versions targeting the `us-east-2` region, whose names begin with `us-east-2_`: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DescribePlatformVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:platform/us-east-2_*" ] } ] }`
Action: `ListAvailableSolutionStacks`
`solutionstack`	N/A	The following policy allows the `ListAvailableSolutionStacks` action to return only the solution stack `32bit Amazon Linux running Tomcat 7`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:ListAvailableSolutionStacks" ], "Effect": "Allow", "Resource": "arn:aws:elasticbeanstalk:us-east-2::solutionstack/32bit Amazon Linux running Tomcat 7" } ] }`
Action: `ListPlatformVersions`
`platform`	`aws:RequestTag/key-name` (Optional) `aws:TagKeys` (Optional)	This example allows the `CreatePlatformVersion` action to create platform versions targeting the `us-east-2` region, whose names begin with `us-east-2_`: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:ListPlatformVersions" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:platform/us-east-2_*" ] } ] }`
Action: `ListTagsForResource`
`application` `applicationversion` `configurationtemplate` `environment` `platform`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `ListTagsForResource` action to list tags of existing resources only if they have a tag named `stage` with the value `test`: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:ListTagsForResource" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/stage": ["test"] } } } ] }`
Action: `RebuildEnvironment`
`environment`	`InApplication` `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `RebuildEnvironment` action to rebuild the environment `myenv` in the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:RebuildEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`
Action: `RequestEnvironmentInfo`
`environment`	`InApplication` `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `RequestEnvironmentInfo` action to compile information about the environment `myenv` in the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:RequestEnvironmentInfo" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`
Action: `RestartAppServer`
`environment`	`InApplication`	The following policy allows the `RestartAppServer` action to restart the application container server for the environment `myenv` in the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:RestartAppServer" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`
Action: `RetrieveEnvironmentInfo`
`environment`	`InApplication` `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `RetrieveEnvironmentInfo` action to retrieve the compiled information for the environment `myenv` in the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:RetrieveEnvironmentInfo" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`
Action: `SwapEnvironmentCNAMEs`
`environment`	`InApplication` (Optional) `FromEnvironment` (Optional)	The following policy allows the `SwapEnvironmentCNAMEs` action to swap the CNAMEs for the environments `mysrcenv` and `mydestenv`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:SwapEnvironmentCNAMEs" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mysrcenv", "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mydestenv" ] } ] }`
Action: `TerminateEnvironment`
`environment`	`InApplication` `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `TerminateEnvironment` action to terminate the environment `myenv` in the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:TerminateEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`
Action: UpdateApplication
`application`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `UpdateApplication` action to update properties of the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateApplication" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App" ] } ] }`
Action: UpdateApplicationResourceLifecycle
`application`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `UpdateApplicationResourceLifecycle` action to update lifecycle settings of the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateApplicationResourceLifecycle" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App" ] } ] }`
Action: `UpdateApplicationVersion`
`applicationversion`	`InApplication` `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `UpdateApplicationVersion` action to update the properties of the application version `My Version` in the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateApplicationVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`
Action: `UpdateConfigurationTemplate`
`configurationtemplate`	`InApplication` `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `UpdateConfigurationTemplate` action to update the properties or options of the configuration template `My Template` in the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateConfigurationTemplate" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:configurationtemplate/My App/My Template" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`
Action: `UpdateEnvironment`
`environment`	`InApplication` `FromApplicationVersion` `FromConfigurationTemplate` `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `UpdateEnvironment` action to update the environment `myenv` in the application `My App` by deploying the application version `My Version`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"], "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version"] } } } ] }`
Action: `UpdateTagsForResource` – `AddTags`
`application` `applicationversion` `configurationtemplate` `environment` `platform`	`aws:ResourceTag/key-name` (Optional) `aws:RequestTag/key-name` (Optional) `aws:TagKeys` (Optional)	The `AddTags` action is one of two virtual actions associated with the `UpdateTagsForResource` API. The following policy allows the `AddTags` action to modify tags of existing resources only if they have a tag named `stage` with the value `test`: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:AddTags" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/stage": ["test"] } } } ] }`
Action: `UpdateTagsForResource` – `RemoveTags`
`application` `applicationversion` `configurationtemplate` `environment` `platform`	`aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The `RemoveTags` action is one of two virtual actions associated with the `UpdateTagsForResource` API. The following policy denies the `RemoveTags` action to request the removal of a tag named `stage` from existing resources: `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:RemoveTags" ], "Effect": "Deny", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": ["stage"] } } } ] }`
Action: `ValidateConfigurationSettings`
`template` `environment`	`InApplication` `aws:ResourceTag/key-name` (Optional) `aws:TagKeys` (Optional)	The following policy allows the `ValidateConfigurationSettings` action to validates configuration settings against the environment `myenv` in the application `My App`. `{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:ValidateConfigurationSettings" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }`

Condition keys for Elastic Beanstalk actions

Keys enable you to specify conditions that express dependencies, restrict permissions, or specify constraints on the input parameters for an action. Elastic Beanstalk supports the following keys.

InApplication

Specifies the application that contains the resource that the action operates on.

The following example allows the UpdateApplicationVersion action to update the properties of the application version My Version. The InApplication condition specifies My App as the container for My Version.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:UpdateApplicationVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"]
        }
      }
    }
  ]
}

FromApplicationVersion

Specifies an application version as a dependency or a constraint on an input parameter.

The following example allows the UpdateEnvironment action to update the environment myenv in the application My App. The FromApplicationVersion condition constrains the VersionLabel parameter to allow only the application version My Version to update the environment.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"],
          "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version"]
        }
      }
    }
  ]
}

FromConfigurationTemplate

Specifies a configuration template as a dependency or a constraint on an input parameter.

The following example allows the UpdateEnvironment action to update the environment myenv in the application My App. The FromConfigurationTemplate condition constrains the TemplateName parameter to allow only the configuration template My Template to update the environment.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"],
          "elasticbeanstalk:FromConfigurationTemplate": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:configurationtemplate/My App/My Template"]
        }
      }
    }
  ]
}

FromEnvironment

Specifies an environment as a dependency or a constraint on an input parameter.

The following example allows the SwapEnvironmentCNAMEs action to swap the CNAMEs in My App for all environments whose names begin with mysrcenv and mydestenv but not those environments whose names begin with mysrcenvPROD* and mydestenvPROD*.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:SwapEnvironmentCNAMEs"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mysrcenv*",
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mydestenv*"
      ],
      "Condition": {
        "StringNotLike": {
          "elasticbeanstalk:FromEnvironment": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mysrcenvPROD*",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mydestenvPROD*"
          ]
        }
      }
    }
  ]
}

FromSolutionStack

Specifies a solution stack as a dependency or a constraint on an input parameter.

The following policy allows the CreateConfigurationTemplate action to create configuration templates whose name begins with My Template (My Template*) in the application My App. The FromSolutionStack condition constrains the solutionstack parameter to allow only the solution stack 32bit Amazon Linux running Tomcat 7 as the input value for that parameter.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CreateConfigurationTemplate"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:configurationtemplate/My App/My Template*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"],
          "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-2::solutionstack/32bit Amazon Linux running Tomcat 7"]
        }
      }
    }
  ]
}

aws:ResourceTag/key-name

aws:RequestTag/key-name

aws:TagKeys

Specify tag-based conditions. For details, see Using tags to control access to Elastic Beanstalk resources.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

ARN format

Tag-based access control