This is a tool to update an instance's status within its Auto Scaling group (ASG). It is handy when you need to update or troubleshoot an instance and do not want it to serve traffic, or to be replaced by the ASG, while you work on it.
enter-standby
exit-standby
healthy
unhealthy
status
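The following is an added example of how these five subcommands map onto the Auto Scaling API; it is not the tool's own code. It assumes a boto3-style Auto Scaling client (the real one would be boto3.client("autoscaling")), which is injected as a parameter so the dispatch logic can be exercised offline against the constructed stub at the bottom. The instance's ASG is looked up from its instance id rather than taken as an argument, so the tool cannot be pointed at a different group.

```python
"""Dispatch the tool's subcommands onto the Auto Scaling API.

Added example, not the tool's own code. It assumes a boto3-style Auto Scaling
client (for real use: boto3.client("autoscaling")); the client is injected so
the logic runs offline against the constructed StubAutoScalingClient below.
"""
import sys
from typing import Any, Dict

COMMANDS = ("enter-standby", "exit-standby", "healthy", "unhealthy", "status")


def describe_self(client: Any, instance_id: str) -> Dict[str, Any]:
    """Return this instance's Auto Scaling record, or raise if it is in no ASG."""
    resp = client.describe_auto_scaling_instances(InstanceIds=[instance_id])
    records = resp.get("AutoScalingInstances", [])
    if not records:
        raise LookupError(f"{instance_id} is not a member of any Auto Scaling group")
    return records[0]


def run_command(client: Any, instance_id: str, command: str) -> Dict[str, Any]:
    """Run one subcommand for instance_id and return the API response."""
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command!r}; expected one of {COMMANDS}")
    me = describe_self(client, instance_id)
    asg = me["AutoScalingGroupName"]

    if command == "enter-standby":
        # Decrementing desired capacity is what stops the ASG from launching a
        # replacement while the instance sits in Standby.
        return client.enter_standby(
            InstanceIds=[instance_id],
            AutoScalingGroupName=asg,
            ShouldDecrementDesiredCapacity=True,
        )
    if command == "exit-standby":
        return client.exit_standby(InstanceIds=[instance_id], AutoScalingGroupName=asg)
    if command in ("healthy", "unhealthy"):
        # Marking the instance Unhealthy makes the ASG replace it; the grace
        # period is ignored because this is an explicit operator decision.
        return client.set_instance_health(
            InstanceId=instance_id,
            HealthStatus="Healthy" if command == "healthy" else "Unhealthy",
            ShouldRespectGracePeriod=False,
        )
    # status: report only the fields an operator needs to see
    return {k: me[k] for k in ("AutoScalingGroupName", "LifecycleState", "HealthStatus")}


class StubAutoScalingClient:
    """Constructed stand-in for the boto3 client; records every call it receives."""

    def __init__(self, asg_name: str = "web-asg", lifecycle: str = "InService") -> None:
        self.asg_name = asg_name
        self.lifecycle = lifecycle
        self.calls = []

    def describe_auto_scaling_instances(self, **kw):
        self.calls.append(("describe_auto_scaling_instances", kw))
        if not self.asg_name:  # instance is not in any group
            return {"AutoScalingInstances": []}
        return {"AutoScalingInstances": [{
            "InstanceId": kw["InstanceIds"][0],
            "AutoScalingGroupName": self.asg_name,
            "LifecycleState": self.lifecycle,
            "HealthStatus": "Healthy",
        }]}

    def enter_standby(self, **kw):
        self.calls.append(("enter_standby", kw))
        self.lifecycle = "Standby"
        return {"Activities": [{"StatusCode": "InProgress"}]}

    def exit_standby(self, **kw):
        self.calls.append(("exit_standby", kw))
        self.lifecycle = "InService"
        return {"Activities": [{"StatusCode": "InProgress"}]}

    def set_instance_health(self, **kw):
        self.calls.append(("set_instance_health", kw))
        return {}


if __name__ == "__main__":
    # Real use: python asg_status.py <instance-id> <command>  (needs boto3 and credentials)
    import boto3  # imported here so the stub path works without boto3 installed
    print(run_command(boto3.client("autoscaling"), sys.argv[1], sys.argv[2]))
```

Against a real client the instance role only needs the permissions in the policy below; the ShouldDecrementDesiredCapacity=True choice on enter-standby is the piece that keeps the ASG from launching a replacement during maintenance.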
This IAM policy is locked down so that an instance can only change the status of instances within its own ASG. It leverages the built-in tags that AWS CloudFormation applies to the resources it creates.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:EnterStandby",
        "autoscaling:ExitStandby",
        "autoscaling:SetInstanceHealth"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "autoscaling:ResourceTag/aws:cloudformation:stack-id": "${aws:ResourceTag/aws:cloudformation:stack-id}",
          "autoscaling:ResourceTag/aws:cloudformation:logical-id": "${aws:ResourceTag/aws:cloudformation:logical-id}"
        }
      }
    }
  ]
}
Unfortunately, the tags that Auto Scaling itself adds to instances cannot be used in policy conditions, so the scoping has to rely on the CloudFormation tags instead.
For example, this condition does not work:
"autoscaling:ResourceTag/aws:autoscaling:groupName": "${aws:ResourceTag/aws:autoscaling:groupName}"