
IAM Role Policies For Task Definitions

In the createIAMRoles function, several AWS managed policies are attached to the execution role and to the task role. Let's examine each policy and its significance:

1. AmazonECSTaskExecutionRolePolicy

// Execution role: assumed by the ECS agent to start the task (image pull, log driver),
// not by the application code running inside the container.
new aws.iam.RolePolicyAttachment(`${name}-${stack}-ecs-${region}-execution-role-policy`, {
  role: executionRole,
  policyArn: "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
});

Purpose: This policy is attached to the execution role (the role the ECS agent assumes, as opposed to the task role used by the application code) and provides the minimum permissions required for Amazon ECS to run tasks on your behalf.

Key permissions:

  • Pull container images from Amazon ECR (Elastic Container Registry)
  • Publish container logs to Amazon CloudWatch Logs
  • Create and manage elastic network interfaces for awsvpc network mode

Why it's important: Without this policy, ECS wouldn't be able to start your containers or manage their basic networking and logging needs.

2. AmazonSSMManagedInstanceCore

// Task role: assumed by the application code inside the container; this attachment
// grants it the SSM agent permissions (Parameter Store reads, Session Manager channels).
new aws.iam.RolePolicyAttachment(`${name}-${stack}-ecs-${region}-task-role-ssm-policy`, {
  role: taskRole,
  policyArn: "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
});

Purpose: This policy allows the ECS tasks to use AWS Systems Manager (SSM) services.

Key permissions:

  • Access to SSM Parameter Store for secure parameter management
  • Ability to use SSM Session Manager for interactive shell access to containers
  • Permission to use SSM Run Command for remote task execution

Why it's important: It enables secure storage and retrieval of configuration data and provides mechanisms for remote management and troubleshooting of ECS tasks.

3. CloudWatchLogsFullAccess

// Task role: logs:* on every log group in the account, not only the task's own group.
new aws.iam.RolePolicyAttachment(`${name}-${stack}-ecs-${region}-task-role-cloudwatch-policy`, {
  role: taskRole,
  policyArn: "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
});

Purpose: This policy grants full access to CloudWatch Logs services.

Key permissions:

  • Create, read, update, and delete log groups and log streams
  • Put log events (write logs) to any log stream
  • Describe and filter log events

Why it's important: It allows the tasks to write detailed logs directly to CloudWatch, which is crucial for monitoring, troubleshooting, and auditing application behavior. Note that the managed policy covers every log group in the account; a task that only writes its own logs needs no more than logs:CreateLogStream and logs:PutLogEvents on its own log group.

4. AmazonS3FullAccess

// Task role: s3:* on every bucket in the account, including bucket policy and ACL changes.
new aws.iam.RolePolicyAttachment(`${name}-${stack}-ecs-${region}-task-role-s3-policy`, {
  role: taskRole,
  policyArn: "arn:aws:iam::aws:policy/AmazonS3FullAccess",
});

Purpose: This policy provides full access to Amazon S3 (Simple Storage Service) resources.

Key permissions:

  • Create, read, update, and delete S3 buckets and objects
  • Manage bucket policies and ACLs
  • Configure bucket versioning, replication, and lifecycle rules

Why it's important: It allows tasks to interact with S3 for various purposes such as file storage, backups, or serving static assets. Because the managed policy is not scoped to any bucket, credentials obtained from a compromised task reach every bucket in the account; an inline policy limited to the buckets and actions the task actually uses keeps the same functionality with far less blast radius.
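The following is an added example, not code from the page's createIAMRoles function or from the project it describes. It builds the least-privilege inline policy document that could replace the CloudWatchLogsFullAccess and AmazonS3FullAccess attachments on the task role, and adds a small linter that flags wildcard statements and *FullAccess managed policy ARNs. It deliberately has no Pulumi dependency so it runs stand-alone; the log group and bucket ARNs are constructed placeholders, and the function names are this example's own.

```typescript
// Added example: scoped replacement for the two FullAccess managed policies,
// plus a linter for the policy set. Not part of the page's Pulumi program.

interface PolicyStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

// Least-privilege task role policy: write-only access to one log group and
// object-level access to one bucket, instead of logs:* and s3:* on "*".
function scopedTaskRolePolicy(logGroupArn: string, bucketArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "WriteAppLogs",
        Effect: "Allow",
        Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
        Resource: [logGroupArn, `${logGroupArn}:log-stream:*`],
      },
      {
        Sid: "ListAppBucket",
        Effect: "Allow",
        Action: ["s3:ListBucket"],
        Resource: bucketArn,
      },
      {
        Sid: "ReadWriteAppObjects",
        Effect: "Allow",
        Action: ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        Resource: `${bucketArn}/*`,
      },
    ],
  };
}

// Returns the Sids of Allow statements that use a wildcard action ("*" or
// "service:*") or the wildcard resource "*"; an empty list means fully scoped.
function findWildcardStatements(doc: PolicyDocument): string[] {
  const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
  return doc.Statement.filter(
    (s) =>
      s.Effect === "Allow" &&
      (asList(s.Action).some((a) => a === "*" || a.endsWith(":*")) ||
        asList(s.Resource).some((r) => r === "*")),
  ).map((s) => s.Sid ?? "<no Sid>");
}

// Managed policies whose name ends in FullAccess are the ones to question on a task role.
function broadManagedPolicies(policyArns: string[]): string[] {
  return policyArns.filter((arn) => /FullAccess$/.test(arn));
}

// The four managed policy ARNs attached by the page's createIAMRoles function.
const attachedPolicyArns: string[] = [
  "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
  "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
  "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
  "arn:aws:iam::aws:policy/AmazonS3FullAccess",
];

// Constructed placeholder ARNs for this example (account id and names are not real).
const exampleLogGroupArn = "arn:aws:logs:us-east-1:123456789012:log-group:/ecs/my-app";
const exampleBucketArn = "arn:aws:s3:::my-app-assets-bucket";

const scopedDoc = scopedTaskRolePolicy(exampleLogGroupArn, exampleBucketArn);
// In the Pulumi program this document would be passed as
// `policy: JSON.stringify(scopedDoc)` to `new aws.iam.RolePolicy(..., { role: taskRole, policy })`
// in place of the two FullAccess RolePolicyAttachment resources.
console.log(JSON.stringify(scopedDoc, null, 2));
console.log("wildcard statements in scoped policy:", findWildcardStatements(scopedDoc));
console.log("broad managed policies currently attached:", broadManagedPolicies(attachedPolicyArns));
```

The execution role keeps AmazonECSTaskExecutionRolePolicy unchanged; only the task role's two FullAccess attachments are candidates for this replacement. The object statement uses `${bucketArn}/*` while ListBucket uses the bucket ARN itself, because S3 evaluates those two resource forms separately.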