Chaos Engineering
Building a Basic FIS experiment
Demo Create FIS Permissions
In this guide, you’ll set up an AWS Fault Injection Simulator (FIS) service role that grants permissions to run chaos engineering experiments—such as terminating EC2 instances or simulating Availability Zone failures—and to send logs to Amazon CloudWatch for monitoring.
Prerequisites
Ensure your AWS identity has the following IAM permissions:
- iam:CreateRole
- iam:AttachRolePolicy
- iam:PassRole
Step 1: Create the FIS Service Role
- Sign in to the AWS Management Console and open the IAM console.
- In the left navigation pane, choose Roles, then click Create role.
- Under Trusted entity type, select AWS service.
- In Use case, choose Fault Injection Simulator.
- From the list of managed policies, select the one matching your experiment. For an EC2 termination test, select AWSFIS_ExperimentTemplate_EC2InstanceTerminate.
- Click Next to proceed.
Custom Experiment Templates
You can create and attach custom policies if your chaos tests require additional or more restrictive permissions.
Step 2: Configure Role Details
Provide a descriptive Role name, for example FIS-EC2-Termination-Role. Review the trust policy to confirm that only FIS can assume this role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "fis.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Click Create role.
Step 3: Attach CloudWatch Logs Permissions
To enable FIS to publish experiment logs:
- In the IAM console, locate and open the newly created role (FIS-EC2-Termination-Role).
- On the Permissions tab, click Add permissions → Attach policies.
- Search for and select CloudWatchLogsFullAccess.
- Click Attach policies.
| Policy Name | Purpose |
|---|---|
| AWSFIS_ExperimentTemplate_EC2InstanceTerminate | Allows FIS to terminate EC2 instances |
| CloudWatchLogsFullAccess | Enables FIS to push logs to CloudWatch |
Security Best Practice
In production environments, avoid overly permissive policies like CloudWatchLogsFullAccess. Instead, scope permissions to the specific log groups and actions the experiment needs.
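The trust policy from Step 2 and the scoped-logs alternative from the note above, as an added example that is not part of the course or AWS code. The function and policy names are assumptions; the CloudWatch Logs action set is an assumption to confirm against the FIS logging documentation, and `managed_policy_arn` is the ARN of AWSFIS_ExperimentTemplate_EC2InstanceTerminate as shown in the IAM console.

```python
import json

FIS_SERVICE = "fis.amazonaws.com"
_as_list = lambda v: v if isinstance(v, list) else [v]  # IAM allows scalar or list values

def fis_trust_policy() -> dict:
    """Trust policy from Step 2: only the FIS service principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": FIS_SERVICE}, "Action": "sts:AssumeRole"}]}

def trust_policy_is_fis_only(policy: dict) -> bool:
    """Reject any Allow statement whose principal is not exactly the FIS service ("*" or accounts fail)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False
        if _as_list(principal["Service"]) != [FIS_SERVICE]:
            return False
    return True

def scoped_logs_policy(region: str, account_id: str, log_group: str) -> dict:
    """Least-privilege stand-in for CloudWatchLogsFullAccess. Assumption: FIS only needs to
    create streams and put events in one named log group (verify against FIS logging docs)."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
        "Resource": [group_arn, f"{group_arn}:log-stream:*"]}]}

def grants_wildcard_logs(policy: dict) -> bool:
    """True when an Allow statement pairs a wildcard action with Resource "*": the shape to avoid."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])) \
                and any(a.endswith("*") for a in _as_list(stmt.get("Action", []))):
            return True
    return False

def create_fis_role(role_name: str, logs_policy: dict, managed_policy_arn: str) -> None:
    """Create the role with boto3: trust policy, managed FIS policy, then the scoped inline logs policy."""
    import boto3  # imported lazily so the policy helpers above run without AWS credentials
    if not trust_policy_is_fis_only(fis_trust_policy()) or grants_wildcard_logs(logs_policy):
        raise ValueError("refusing to create a role with an over-broad trust or logs policy")
    iam = boto3.client("iam")
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(fis_trust_policy()))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=managed_policy_arn)
    iam.put_role_policy(RoleName=role_name, PolicyName="FISScopedCloudWatchLogs",
                        PolicyDocument=json.dumps(logs_policy))
```

Call `create_fis_role("FIS-EC2-Termination-Role", scoped_logs_policy(region, account_id, "/aws/fis/demo"), managed_policy_arn)` with credentials that hold the iam:CreateRole, iam:AttachRolePolicy and iam:PutRolePolicy permissions.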
Next Steps
You now have an IAM role configured with the necessary permissions to run AWS FIS experiments and stream logs. Continue to the AWS FIS tutorial to launch your first chaos test.