

# AWS managed policies for AWS Elastic Beanstalk







An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.





## Elastic Beanstalk updates to AWS managed policies

View details about updates to AWS managed policies for Elastic Beanstalk since March 1, 2021.

To see the JSON source for a specific managed policy, see the [AWS Managed Policy Reference Guide](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html).




| Change | Description | Date | 
| --- | --- | --- | 
|  **AWSElasticBeanstalkManagedUpdatesServiceRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to perform managed updates when [Tag propagation to launch templates](applications-tagging-resources.launch-templates.md) is enabled. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | March 17, 2026 |
|  **AWSElasticBeanstalkWebTier** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to use Amazon Bedrock for [AI-powered environment analysis](health-ai-analysis.md). For more information, see [Managing Elastic Beanstalk instance profiles](iam-instanceprofile.md).  | March 11, 2026 |
|  **AWSElasticBeanstalkWorkerTier** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to use Amazon Bedrock for [AI-powered environment analysis](health-ai-analysis.md). For more information, see [Managing Elastic Beanstalk instance profiles](iam-instanceprofile.md).  | March 11, 2026 |
|  **AWSElasticBeanstalkMulticontainerDocker** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to use Amazon Bedrock for [AI-powered environment analysis](health-ai-analysis.md). For more information, see [Managing Elastic Beanstalk instance profiles](iam-instanceprofile.md).  | March 11, 2026 |
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to perform managed updates when [Tag propagation to launch templates](applications-tagging-resources.launch-templates.md) is enabled for single instance. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | January 27, 2026 |
|  **AdministratorAccess-AWSElasticBeanstalk** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to configure public access block settings and bucket ownership controls on S3 buckets. For more information, see [Managing Elastic Beanstalk user policies](AWSHowTo.iam.managed-policies.md).  | November 12, 2025 |
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to perform managed updates when [Tag propagation to launch templates](applications-tagging-resources.launch-templates.md) is enabled. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | February 27, 2025 |
|  **AdministratorAccess-AWSElasticBeanstalk** – Updated existing policy  |  This policy was updated to replace the *StringLike* operator with the *ArnLike* operator to evaluate the ARN-type keys in the condition block `iam:PolicyArn`. This provides more secure enforcement. For more information, see [Managing Elastic Beanstalk user policies](AWSHowTo.iam.managed-policies.md).  | December 11, 2024 |
|  The following policies were updated: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-iam-awsmanpol.html)  |  These policies were updated to allow Elastic Beanstalk to add or remove tags when it creates or updates an AWS CloudFormation stack or change set. For more information about `AWSElasticBeanstalkManagedUpdatesServiceRolePolicy`, see [Service-linked role permissions for Elastic Beanstalk](using-service-linked-roles-managedupdates.md#service-linked-role-permissions-managedupdates). For more information about `AWSElasticBeanstalkRoleCore`, see [Policies for integration with other services](AWSHowTo.iam.managed-policies.md#iam-userpolicies-managed-other-services).  | April 30, 2024 |
|  **AWSElasticBeanstalkService** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Elastic Load Balancing, Auto Scaling groups (ASG), and Amazon ECS. This policy has been previously superseded by `AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy`. Although this policy is no longer available for attachment to new IAM users, groups, or roles, it may still be attached to prior existing ones. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | May 10, 2023 |
|  **AWSElasticBeanstalkMulticontainerDocker** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS. For more information, see [Managing Elastic Beanstalk instance profiles](iam-instanceprofile.md).  | March 23, 2023 |
|  **AWSElasticBeanstalkRoleECS** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS. For more information, see [Policies for integration with other services](AWSHowTo.iam.managed-policies.md#iam-userpolicies-managed-other-services).  | March 23, 2023 |
|  **AdministratorAccess-AWSElasticBeanstalk** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS. For more information, see [Managing Elastic Beanstalk user policies](AWSHowTo.iam.managed-policies.md).  | March 23, 2023 |
|  **AWSElasticBeanstalkManagedUpdatesServiceRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them. For more information, see [Service-linked role permissions for Elastic Beanstalk](using-service-linked-roles-managedupdates.md#service-linked-role-permissions-managedupdates).  | March 23, 2023 |
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | March 23, 2023 |
|  **AWSElasticBeanstalkManagedUpdatesServiceRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to add tags to Auto Scaling groups when it creates them. For more information, see [The managed-updates service-linked role](using-service-linked-roles-managedupdates.md).  | January 27, 2023 |
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to add tags when it creates an Auto Scaling group (ASG). For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | January 23, 2023 |
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to add tags when it creates an elastic load balancer (ELB). For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | December 21, 2022 |
|  **AWSElasticBeanstalkManagedUpdatesServiceRolePolicy** – Updated existing policy  |  Permissions were added to this policy to allow Elastic Beanstalk to do the following during managed updates: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-iam-awsmanpol.html) For more information, see [The managed-updates service-linked role](using-service-linked-roles-managedupdates.md).  | August 23, 2022 |
|  **AWSElasticBeanstalkReadOnlyAccess** – Deprecated in the GovCloud (US) AWS Region  |  This policy has been replaced by `AWSElasticBeanstalkReadOnly`. This policy will be phased out in the GovCloud (US) AWS Region. When this policy is phased out, it will no longer be available for attachment to new IAM users, groups, or roles after June 17, 2021. For more information, see [User policies](AWSHowTo.iam.managed-policies.md).  | June 17, 2021 |
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to read attributes for EC2 Availability Zones. It enables Elastic Beanstalk to provide more effective validation of your instance type selection across Availability Zones. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | June 16, 2021 |
|  **AWSElasticBeanstalkFullAccess** – Deprecated in the GovCloud (US) AWS Region  |  This policy has been replaced by `AdministratorAccess-AWSElasticBeanstalk`. This policy will be phased out in the GovCloud (US) AWS Region. When this policy is phased out, it will no longer be available for attachment to new IAM users, groups, or roles after June 10, 2021. For more information, see [User policies](AWSHowTo.iam.managed-policies.md).  | June 10, 2021 |
|  The following managed policies were deprecated in all of the China AWS Regions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-iam-awsmanpol.html)  |  The `AWSElasticBeanstalkFullAccess` policy has been replaced by `AdministratorAccess-AWSElasticBeanstalk`. The `AWSElasticBeanstalkReadOnlyAccess` policy has been replaced by `AWSElasticBeanstalkReadOnly`. These policies were phased out in all of the China AWS Regions. These policies will no longer be available for attachment to new IAM users, groups, or roles after June 3, 2021. For more information, see [User policies](AWSHowTo.iam.managed-policies.md).  | June 3, 2021 | 
|  **AWSElasticBeanstalkService** – Deprecated  |  This policy has been superseded by `AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy`. This policy is phased out and is no longer available for attachment to new IAM users, groups, or roles. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | June 2021 - January 2022 | 
|  The following managed policies were deprecated in all AWS Regions, except for China and GovCloud (US): [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-iam-awsmanpol.html)  |  The `AWSElasticBeanstalkFullAccess` policy has been replaced by `AdministratorAccess-AWSElasticBeanstalk`. The `AWSElasticBeanstalkReadOnlyAccess` policy has been replaced by `AWSElasticBeanstalkReadOnly`. These policies were phased out in all the AWS Regions, except for China and GovCloud (US). These policies will no longer be available for attachment to new IAM users, groups, or roles after April 16, 2021.  For more information, see [User policies](AWSHowTo.iam.managed-policies.md).  | April 16, 2021 | 
|  The following managed policies were updated: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-iam-awsmanpol.html)  |  Both of these policies now support PassRole permissions in China AWS Regions. For more information about `AdministratorAccess-AWSElasticBeanstalk`, see [User policies](AWSHowTo.iam.managed-policies.md). For more information about `AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy`, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | March 9, 2021 | 
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – New policy  |  Elastic Beanstalk added a new policy to replace the `AWSElasticBeanstalkService` managed policy. This new managed policy improves security for your resources by applying a more restrictive set of permissions. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | March 3, 2021 | 
|  Elastic Beanstalk started tracking changes  |  Elastic Beanstalk started tracking changes for AWS managed policies.  | March 1, 2021 | 
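
The table notes that a superseded policy such as `AWSElasticBeanstalkService` can no longer be attached to new principals but may still be attached to existing ones. The following added example (not part of the AWS documentation) reports those leftover attachments from the JSON printed by `aws iam get-account-authorization-details`; the function names and the sample account data are constructed for illustration, and the replacement mapping is the one stated in the table.

```python
import json

# Superseded AWS managed policy -> replacement, as stated in the change table on this page.
SUPERSEDED = {
    "AWSElasticBeanstalkService": "AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy",
    "AWSElasticBeanstalkFullAccess": "AdministratorAccess-AWSElasticBeanstalk",
    "AWSElasticBeanstalkReadOnlyAccess": "AWSElasticBeanstalkReadOnly",
}
# Top-level lists in the get-account-authorization-details output.
PRINCIPAL_LISTS = {"UserDetailList": ("user", "UserName"),
                   "GroupDetailList": ("group", "GroupName"),
                   "RoleDetailList": ("role", "RoleName")}

def is_aws_managed(arn):
    """AWS managed policy ARNs carry the literal account field 'aws' in every partition."""
    parts = arn.split(":", 5)
    return (len(parts) == 6 and parts[2] == "iam" and parts[4] == "aws"
            and parts[5].startswith("policy/"))

def find_superseded_attachments(auth_details):
    """Return (kind, principal, old_policy, replacement) for each superseded attachment."""
    findings = []
    for list_key, (kind, name_key) in PRINCIPAL_LISTS.items():
        for principal in auth_details.get(list_key, []):
            for attached in principal.get("AttachedManagedPolicies", []):
                arn = attached.get("PolicyArn", "")
                name = arn.rsplit("/", 1)[-1]  # drop any path such as service-role/
                # A customer managed policy that reuses the name is not the deprecated one.
                if is_aws_managed(arn) and name in SUPERSEDED:
                    findings.append((kind, principal[name_key], name, SUPERSEDED[name]))
    return findings

# Constructed sample input (not real account data).
SAMPLE = json.loads("""{
 "UserDetailList": [{"UserName": "deploy-user", "AttachedManagedPolicies": [
   {"PolicyName": "AWSElasticBeanstalkFullAccess",
    "PolicyArn": "arn:aws-us-gov:iam::aws:policy/AWSElasticBeanstalkFullAccess"}]}],
 "GroupDetailList": [{"GroupName": "eb-readers", "AttachedManagedPolicies": [
   {"PolicyName": "AWSElasticBeanstalkReadOnlyAccess",
    "PolicyArn": "arn:aws:iam::111122223333:policy/AWSElasticBeanstalkReadOnlyAccess"},
   {"PolicyName": "AWSElasticBeanstalkReadOnly",
    "PolicyArn": "arn:aws:iam::aws:policy/AWSElasticBeanstalkReadOnly"}]}],
 "RoleDetailList": [{"RoleName": "aws-elasticbeanstalk-service-role", "AttachedManagedPolicies": [
   {"PolicyName": "AWSElasticBeanstalkService",
    "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"}]}]
}""")
if __name__ == "__main__":
    for kind, who, old, new in find_superseded_attachments(SAMPLE):
        print(f"{kind} {who}: replace {old} with {new}")
```

The check covers attached managed policies only; inline policies that copy a superseded policy's statements need a separate review.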