

End of support notice: On October 7, 2026, AWS will end support for AWS Proton. After October 7, 2026, you will no longer be able to access the AWS Proton console or AWS Proton resources. Your deployed infrastructure will remain intact. For more information, see [AWS Proton Service Deprecation and Migration Guide](https://docs.aws.amazon.com/proton/latest/userguide/proton-end-of-support.html).

# Policy examples for AWS Proton

Find AWS Proton IAM policy examples in the following sections.

**Topics**
+ [Identity-based policy examples for AWS Proton](security_iam_id-based-policy-examples.md)
+ [AWS Proton IAM service role policy examples](security_iam_service-role-policy-examples.md)
+ [Condition-key based policy examples for AWS Proton](security_iam_condition-key-based-policy-examples.md)

# Identity-based policy examples for AWS Proton

By default, users and roles don't have permission to create or modify AWS Proton resources. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies.

To learn how to create an IAM identity-based policy by using these example JSON policy documents, see [Create IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) in the *IAM User Guide*.

For details about actions and resource types defined by AWS Proton, including the format of the ARNs for each of the resource types, see [Actions, resources, and condition keys for AWS Proton](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsproton.html) in the *Service Authorization Reference*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Links to Identity-based policy examples for AWS Proton](#security_iam-example-links)

## Policy best practices


Identity-based policies determine whether someone can create, access, or delete AWS Proton resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Links to Identity-based policy examples for AWS Proton

**Links to identity-based policy examples for AWS Proton**
+ [AWS managed policies for AWS Proton](security-iam-awsmanpol.md)
+ [AWS Proton IAM service role policy examples](security_iam_service-role-policy-examples.md)
+ [Condition-key based policy examples for AWS Proton](security_iam_condition-key-based-policy-examples.md)

# AWS Proton IAM service role policy examples

Administrators own and manage the resources that AWS Proton creates as defined by the environment and service templates. They attach IAM service roles to their account that permit AWS Proton to create resources on their behalf. Administrators supply the IAM roles and AWS Key Management Service keys for resources that are later owned and managed by developers when AWS Proton deploys their application as an AWS Proton service in an AWS Proton environment. For more information about AWS KMS and data encryption, see [Data protection in AWS Proton](data-protection.md).

A service role is an AWS Identity and Access Management (IAM) role that allows AWS Proton to make calls to resources on your behalf. If you specify a service role, AWS Proton uses that role's credentials. Use a service role to explicitly specify the actions that AWS Proton can perform.

You create the service role and its permission policy with the IAM service. For more information about creating a service role, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

## AWS Proton service role for provisioning using CloudFormation

As an administrator on the platform team, you can create an AWS Proton service role and provide it to AWS Proton when you create an environment, as the environment's CloudFormation service role (the `protonServiceRoleArn` parameter of the [CreateEnvironment](https://docs.aws.amazon.com/proton/latest/APIReference/API_CreateEnvironment.html) API action). This role allows AWS Proton to make API calls to other services on your behalf when the environment, or any of the service instances running in it, uses AWS-managed provisioning and AWS CloudFormation to provision infrastructure.

We recommend that you use the following IAM role and trust policy for your AWS Proton service role. When you use the AWS Proton console to create an environment and choose to create a new role, this is the policy that AWS Proton adds to the service role it creates for you. When scoping down permission on this policy, keep in mind that AWS Proton fails on `Access Denied` errors.

**Important**  
Be aware that the policies shown in the following examples grant administrator privileges to anyone that can register a template to your account. Because we don't know which resources you will define in your AWS Proton templates, these policies have broad permissions. We recommend that you scope down the permissions to the specific resources that will be deployed in your environments.

### AWS Proton service role policy example for CloudFormation


Replace `123456789012` with your AWS account ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CancelUpdateStack",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackDriftDetectionStatus",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResourceDrifts",
        "cloudformation:DescribeStacks",
        "cloudformation:DetectStackResourceDrift",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ListChangeSets",
        "cloudformation:ListStackResources",
        "cloudformation:UpdateStack"
      ],
      "Resource": "arn:aws:cloudformation:*:123456789012:stack/AWSProton-*"
    },
    {
      "Effect": "Allow",
      "NotAction": [
        "organizations:*",
        "account:*"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "cloudformation.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "account:ListRegions"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "cloudformation.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```

### AWS Proton service trust policy


```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ServiceTrustRelationshipWithConfusedDeputyPrevention",
    "Effect": "Allow",
    "Principal": {
      "Service": "proton.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "123456789012"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:proton:*:123456789012:environment/*"
      }
    }
  }
}
```

### Scoped down AWS-managed provisioning service role policy


The following is an example of a scoped-down AWS Proton service role policy that you can use if you only need AWS Proton services to provision Amazon S3 resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CancelUpdateStack",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackDriftDetectionStatus",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResourceDrifts",
        "cloudformation:DescribeStacks",
        "cloudformation:DetectStackResourceDrift",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ListChangeSets",
        "cloudformation:ListStackResources",
        "cloudformation:UpdateStack"
      ],
      "Resource": "arn:aws:cloudformation:*:123456789012:stack/AWSProton-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "cloudformation.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
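The two guards the examples above rely on, the `aws:SourceAccount` and `aws:SourceArn` conditions in the trust policy and the `aws:CalledVia` gate on the broad permission statements, are easy to lose while scoping a role down. The following Python check is an added example, not part of the AWS Proton documentation: it reads a trust policy and a permissions policy (constructed here to mirror the examples above, with the same `123456789012` placeholder) and reports statements that lack either guard. The function names and finding strings are the example's own.

```python
import json

# Constructed samples modelled on the trust policy and the scoped-down S3 service
# role policy shown above; both reuse the page's 123456789012 account placeholder.
ACCOUNT = "123456789012"

TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ServiceTrustRelationshipWithConfusedDeputyPrevention",
    "Effect": "Allow",
    "Principal": {"Service": "proton.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "123456789012"},
      "ArnLike": {"aws:SourceArn": "arn:aws:proton:*:123456789012:environment/*"}}}}""")

SCOPED_S3_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
     "Resource": "arn:aws:cloudformation:*:123456789012:stack/AWSProton-*"},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["cloudformation.amazonaws.com"]}}}]}""")

def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy, account):
    """Flag Allow statements for a service principal that lack the confused-deputy
    guards: aws:SourceAccount pinned to `account` and aws:SourceArn pinned to it too."""
    findings = []
    for s in _statements(policy):
        if s.get("Effect") != "Allow" or "Service" not in s.get("Principal", {}):
            continue
        sid = s.get("Sid", "<no Sid>")
        cond = s.get("Condition", {})
        accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
        arns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn", []))
        if accounts != [account]:
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account}")
        # ARN layout is arn:partition:service:region:account:resource, so the account
        # ID is field 4; an empty list or a foreign account means the guard is missing.
        if not arns or any(a.split(":")[4] != account for a in arns):
            findings.append(f"{sid}: aws:SourceArn is not pinned to account {account}")
    return findings

def permissions_policy_findings(policy):
    """Flag Allow statements that grant on Resource "*" or use NotAction without the
    aws:CalledVia cloudformation.amazonaws.com gate the service role policies above use."""
    findings = []
    for s in _statements(policy):
        broad = "NotAction" in s or "*" in _as_list(s.get("Resource", []))
        if s.get("Effect") != "Allow" or not broad:
            continue
        via = s.get("Condition", {}).get("ForAnyValue:StringEquals", {}).get("aws:CalledVia", [])
        if "cloudformation.amazonaws.com" not in _as_list(via):
            findings.append(f"{s.get('Sid', '<no Sid>')}: broad grant is not gated by aws:CalledVia")
    return findings
```

Run both functions over the role you actually attach, not only over these samples; an empty findings list for the trust policy means a Proton environment in another account cannot make the service assume the role.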

## AWS Proton service role for CodeBuild provisioning

As an administrator on the platform team, you can create an AWS Proton service role and provide it to AWS Proton when you create an environment, as the environment's CodeBuild service role (the `codebuildRoleArn` parameter of the [CreateEnvironment](https://docs.aws.amazon.com/proton/latest/APIReference/API_CreateEnvironment.html) API action). This role allows AWS Proton to make API calls to other services on your behalf when the environment, or any of the service instances running in it, uses CodeBuild provisioning to provision infrastructure.

When you use the AWS Proton console to create an environment and choose to create a new role, AWS Proton adds a policy with administrator privileges to the service role it creates for you. When you create your own role and scope down permissions, keep in mind that AWS Proton fails on `Access Denied` errors.

**Important**  
Be aware that the policies that AWS Proton attaches to roles that it creates for you grant administrator privileges to anyone that can register a template to your account. Because we don't know which resources you will define in your AWS Proton templates, these policies have broad permissions. We recommend that you scope down the permissions to the specific resources that will be deployed in your environments.

### AWS Proton service role policy example for CodeBuild


The following example provides permissions for CodeBuild to provision resources using the AWS Cloud Development Kit (AWS CDK).

Replace `123456789012` with your AWS account ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/AWSProton-Shell-*",
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/AWSProton-Shell-*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "proton:NotifyResourceDeploymentStatusChange",
      "Resource": "arn:aws:proton:us-east-1:123456789012:*",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::123456789012:role/cdk-*-deploy-role-*",
        "arn:aws:iam::123456789012:role/cdk-*-file-publishing-role-*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

### AWS Proton CodeBuild trust policy


```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "CodeBuildTrustRelationshipWithConfusedDeputyPrevention",
    "Effect": "Allow",
    "Principal": {
      "Service": "codebuild.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "123456789012"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:proton:*:123456789012:environment/*"
      }
    }
  }
}
```

## AWS Proton pipeline service roles

To provision service pipelines, AWS Proton needs permissions to make API calls to other services. The required service roles are similar to the service roles you provide when you create environments. However, the roles for creating pipelines are shared among all services in your AWS account, and you provide these roles as **Account settings** in the console, or through the [UpdateAccountSettings](https://docs.aws.amazon.com/proton/latest/APIReference/API_UpdateAccountSettings.html) API action.

When you use the AWS Proton console to update account settings and choose to create a new role for either the CloudFormation or the CodeBuild service roles, the policies that AWS Proton adds to the service roles it creates for you are the same as the policies described in the previous sections, [AWS-managed provisioning role](#proton-svc-role) and [CodeBuild provisioning role](#codebuild-proton-svc-role). When scoping down permission on this policy, keep in mind that AWS Proton fails on `Access Denied` errors.

**Important**  
Be aware that the example policies in the previous sections grant administrator privileges to anyone that can register a template to your account. Because we don't know which resources you will define in your AWS Proton templates, these policies have broad permissions. We recommend that you scope down the permissions to the specific resources that will be deployed in your pipelines.

## AWS Proton component role

As an administrator on the platform team, you can create an AWS Proton service role and provide it to AWS Proton when you create an environment, as the environment's CloudFormation component role (the `componentRoleArn` parameter of the [CreateEnvironment](https://docs.aws.amazon.com/proton/latest/APIReference/API_CreateEnvironment.html) API action). This role scopes down the infrastructure that directly defined components can provision. For more information about components, see [AWS Proton components](ag-components.md).

The following example policy supports creating a directly defined component that provisions an Amazon Simple Storage Service (Amazon S3) bucket and a related access policy.

### AWS Proton component role policy example


Replace `123456789012` with your AWS account ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CancelUpdateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DescribeStacks",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:DetectStackResourceDrift",
        "cloudformation:DescribeStackResourceDrifts",
        "cloudformation:DescribeStackEvents",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ListChangeSets",
        "cloudformation:ListStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:123456789012:stack/AWSProton-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucket*",
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:DeletePolicyVersion"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cloudformation.amazonaws.com"
        }
      }
    }
  ]
}
```

### AWS Proton component trust policy


```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ServiceTrustRelationshipWithConfusedDeputyPrevention",
    "Effect": "Allow",
    "Principal": {
      "Service": "proton.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "123456789012"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:proton:*:123456789012:environment/*"
      }
    }
  }
}
```

# Condition-key based policy examples for AWS Proton

The following example IAM policy denies access to AWS Proton actions that match the templates specified in the `Condition` block. Note that these condition keys are only supported by the actions listed at [Actions, resources, and condition keys for AWS Proton](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsproton.html). To manage permissions on other actions, such as `DeleteEnvironmentTemplate`, you must use Resource-level access control.

**Example policy that denies AWS Proton template actions on specific templates:**

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["proton:*"],
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "proton:EnvironmentTemplate": ["arn:aws:proton:region_id:123456789012:environment-template/my-environment-template"]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": ["proton:*"],
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "proton:ServiceTemplate": ["arn:aws:proton:region_id:123456789012:service-template/my-service-template"]
                }
            }
        }
    ]
}
```

In the next example policy, the first Resource-level statement denies access to AWS Proton template actions, other than `ListServiceTemplates`, that match the service template listed in the `Resource` block. The second statement denies access to AWS Proton actions that match the template listed in the `Condition` block.

**Example policy that denies AWS Proton actions that match a specific template:**

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "proton:*"
            ],
            "Resource": "arn:aws:proton:us-east-1:123456789012:service-template/my-service-template"
        },
        {
            "Effect": "Deny",
            "Action": [
                "proton:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "proton:ServiceTemplate": [
                        "arn:aws:proton:us-east-1:123456789012:service-template/my-service-template"
                    ]
                }
            }
        }
    ]
}
```

The final policy example allows developer AWS Proton actions that match the specific service template listed in the `Condition` block.

**Example policy to allow AWS Proton developer actions that match a specific template:**

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "proton:ListServiceTemplates",
                "proton:ListServiceTemplateVersions",
                "proton:ListServices",
                "proton:ListServiceInstances",
                "proton:ListEnvironments",
                "proton:GetServiceTemplate",
                "proton:GetServiceTemplateVersion",
                "proton:GetService",
                "proton:GetServiceInstance",
                "proton:GetEnvironment",
                "proton:CreateService",
                "proton:UpdateService",
                "proton:UpdateServiceInstance",
                "proton:UpdateServicePipeline",
                "proton:DeleteService",
                "codestar-connections:ListConnections"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "proton:ServiceTemplate": "arn:aws:proton:region_id:123456789012:service-template/my-service-template"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "codestar-connections:PassConnection"
            ],
            "Resource": "arn:aws:codestar-connections:*:*:connection/*",
            "Condition": {
                "StringEquals": {
                    "codestar-connections:PassedToService": "proton.amazonaws.com"
                }
            }
        }
    ]
}
```
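As an added example (not from the AWS Proton documentation), the following Python evaluator applies the `StringEqualsIfExists` semantics the three policies above depend on: condition operators AND together, an absent key satisfies an IfExists condition, and an explicit Deny overrides any Allow. The policies and request contexts are constructed here from the page's examples, trimmed to a few actions; `evaluate` and `decisions` are the example's own names, and the evaluator covers only the two string operators and `*` wildcards.

```python
import fnmatch

# Constructed context values; the template ARNs mirror the page's examples.
TEMPLATE_A = "arn:aws:proton:us-east-1:123456789012:service-template/my-service-template"
TEMPLATE_B = "arn:aws:proton:us-east-1:123456789012:service-template/other-template"

# The developer Allow policy above, trimmed to three of its actions.
DEVELOPER_ALLOW = {"Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["proton:ListServices", "proton:GetService", "proton:CreateService"],
    "Condition": {"StringEqualsIfExists": {"proton:ServiceTemplate": TEMPLATE_A}}}]}

# The condition-key Deny statement from the first example above.
TEMPLATE_DENY = {"Statement": [{
    "Effect": "Deny", "Resource": "*", "Action": ["proton:*"],
    "Condition": {"StringEqualsIfExists": {"proton:ServiceTemplate": [TEMPLATE_A]}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, ctx):
    """StringEquals / StringEqualsIfExists only. Operators AND together, the values
    listed for one key OR together, and with IfExists an absent key counts as a match."""
    for operator, pairs in condition.items():
        if operator.replace("IfExists", "") != "StringEquals":
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                if operator.endswith("IfExists"):
                    continue
                return False
            if actual not in _as_list(expected):
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """Simplified IAM decision across identity policies: a matching Deny always
    wins, otherwise a matching Allow, otherwise the implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for s in _as_list(policy["Statement"]):
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
                continue
            if not condition_matches(s.get("Condition", {}), ctx):
                continue
            if s["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def decisions():
    """Requests the Allow policy and the Deny statement are meant to distinguish."""
    svc = "arn:aws:proton:us-east-1:123456789012:service/my-service"
    with_a, with_b = {"proton:ServiceTemplate": TEMPLATE_A}, {"proton:ServiceTemplate": TEMPLATE_B}
    return {
        "create_from_A": evaluate([DEVELOPER_ALLOW], "proton:CreateService", svc, with_a),
        "create_from_B": evaluate([DEVELOPER_ALLOW], "proton:CreateService", svc, with_b),
        # ListServices carries no template key, so IfExists lets the Allow match.
        "list_no_key": evaluate([DEVELOPER_ALLOW], "proton:ListServices", "*", {}),
        "create_from_A_denied": evaluate([DEVELOPER_ALLOW, TEMPLATE_DENY],
                                         "proton:CreateService", svc, with_a),
        # An absent key also satisfies the Deny's IfExists condition, so the keyless
        # list request is denied as well once that statement is attached.
        "list_no_key_denied": evaluate([DEVELOPER_ALLOW, TEMPLATE_DENY],
                                       "proton:ListServices", "*", {}),
    }
```

The last case is the caveat to keep in mind when writing a condition-key Deny: because an absent key satisfies IfExists, such a statement also matches requests that carry no `proton:ServiceTemplate` key, so narrow its `Action` list if that is not intended.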