IAM permissions reference

CloudFormation deployment role

The IAM principal (user or role) that deploys the Uptime Scheduler CloudFormation stack must be allowed to create, update and delete every resource the stack defines, including the IAM roles described below; a deployment run with a principal that lacks one of those permissions fails and CloudFormation rolls the stack back.

Lambda execution roles

The CloudFormation stack creates a separate least-privilege IAM role for each Lambda function, granting only the actions listed below. These roles are created automatically by the stack and require no action from you.

TagEventProcessor

  • ec2:DescribeInstances
  • ec2:DescribeNatGateways
  • rds:DescribeDBInstances
  • rds:ListTagsForResource
  • ecs:DescribeServices
  • dynamodb:PutItem, dynamodb:GetItem, dynamodb:UpdateItem
  • sns:Publish (infrastructure events topic)

ScheduleManager

  • dynamodb:GetRecords, dynamodb:GetShardIterator, dynamodb:DescribeStream, dynamodb:ListStreams
  • scheduler:CreateSchedule, scheduler:UpdateSchedule, scheduler:DeleteSchedule
  • iam:PassRole (for EventBridge Scheduler execution role)
  • sns:Publish (infrastructure events topic)
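The ScheduleManager role is the one that carries iam:PassRole, which is the permission most worth scoping tightly: left unconstrained, it lets the function hand any role in the account to any service. The following Python is an added example (not the project's CloudFormation output) showing how that role's policy can be expressed with the PassRole grant limited to a single execution role and to the EventBridge Scheduler service, together with a small allowlist check that flags any statement drifting beyond the actions documented on this page. The account id, region, role name, stream ARN and topic ARN are placeholders; the `iam:PassedToService` condition key is a real IAM global condition key.

```python
"""Least-privilege policy for the ScheduleManager Lambda role, plus an
allowlist/wildcard check. Added example; not the Uptime Scheduler project's
own code. All ARNs and names below are constructed placeholders."""
import json

ACCOUNT = "123456789012"   # placeholder account id
REGION = "us-east-1"       # placeholder region
# Assumed name for the role EventBridge Scheduler assumes when a schedule fires.
SCHEDULER_EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/UptimeSchedulerExecutionRole"

# Actions documented for ScheduleManager on this page.
SCHEDULE_MANAGER_ACTIONS = {
    "dynamodb:GetRecords", "dynamodb:GetShardIterator",
    "dynamodb:DescribeStream", "dynamodb:ListStreams",
    "scheduler:CreateSchedule", "scheduler:UpdateSchedule", "scheduler:DeleteSchedule",
    "iam:PassRole", "sns:Publish",
}


def build_schedule_manager_policy(stream_arn, topic_arn, exec_role_arn=SCHEDULER_EXEC_ROLE):
    """Return an IAM policy document with each action scoped to the one
    resource it needs; iam:PassRole is limited to the execution role and may
    only be passed to scheduler.amazonaws.com."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadStream", "Effect": "Allow",
             "Action": ["dynamodb:GetRecords", "dynamodb:GetShardIterator",
                        "dynamodb:DescribeStream", "dynamodb:ListStreams"],
             "Resource": stream_arn},
            {"Sid": "ManageSchedules", "Effect": "Allow",
             "Action": ["scheduler:CreateSchedule", "scheduler:UpdateSchedule",
                        "scheduler:DeleteSchedule"],
             "Resource": f"arn:aws:scheduler:{REGION}:{ACCOUNT}:schedule/*"},
            {"Sid": "PassSchedulerRoleOnly", "Effect": "Allow",
             "Action": "iam:PassRole",
             "Resource": exec_role_arn,
             "Condition": {"StringEquals": {"iam:PassedToService": "scheduler.amazonaws.com"}}},
            {"Sid": "PublishEvents", "Effect": "Allow",
             "Action": "sns:Publish", "Resource": topic_arn},
        ],
    }


def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def policy_findings(policy, allowed_actions):
    """Return human-readable findings for every Allow statement that uses a
    wildcard action, an action outside the documented allowlist, Resource '*',
    or iam:PassRole without the PassedToService restriction."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action not in allowed_actions:
                findings.append(f"{sid}: action {action} not in documented allowlist")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*'")
        if "iam:PassRole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("iam:PassedToService") != "scheduler.amazonaws.com":
                findings.append(f"{sid}: iam:PassRole not restricted to scheduler.amazonaws.com")
    return findings


if __name__ == "__main__":
    policy = build_schedule_manager_policy(
        f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/Schedules/stream/2024-01-01T00:00:00.000",
        f"arn:aws:sns:{REGION}:{ACCOUNT}:infrastructure-events")
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy, SCHEDULE_MANAGER_ACTIONS))
```

Running `policy_findings` against the generated policy returns no findings, while a policy that grants `scheduler:*` and an unconditioned `iam:PassRole` on `Resource: "*"` is reported three times. The same check can be pointed at the other five roles on this page by swapping in their documented action sets; note that the `ec2:Describe*` and `rds:Describe*` actions used by those roles do not support resource-level restrictions, so a `Resource: "*"` finding on a describe-only statement is expected rather than a defect.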

EC2ActionProcessor

  • ec2:StartInstances, ec2:StopInstances
  • ec2:DescribeInstances
  • dynamodb:UpdateItem
  • sqs:ReceiveMessage, sqs:DeleteMessage
  • sns:Publish

RDSActionProcessor

  • rds:StartDBInstance, rds:StopDBInstance
  • rds:DescribeDBInstances
  • dynamodb:UpdateItem
  • sqs:ReceiveMessage, sqs:DeleteMessage
  • sns:Publish

NATActionProcessor

  • ec2:CreateNatGateway, ec2:DeleteNatGateway
  • ec2:DescribeNatGateways
  • ec2:CreateRoute, ec2:DeleteRoute, ec2:DescribeRouteTables
  • ec2:AssociateAddress (for EIP reattachment)
  • dynamodb:GetItem, dynamodb:PutItem, dynamodb:UpdateItem
  • sqs:ReceiveMessage, sqs:DeleteMessage
  • sns:Publish

ECSActionProcessor

  • ecs:UpdateService
  • ecs:DescribeServices
  • dynamodb:GetItem, dynamodb:UpdateItem
  • sqs:ReceiveMessage, sqs:DeleteMessage
  • sns:Publish