Chaos Engineering

Building a Basic FIS experiment

Demo Create FIS Permissions

In this guide, you’ll set up an AWS Fault Injection Simulator (FIS) service role that grants permissions to run chaos engineering experiments—such as terminating EC2 instances or simulating Availability Zone failures—and to send logs to Amazon CloudWatch for monitoring.

Prerequisites

Ensure your AWS identity has the following IAM permissions:

  • iam:CreateRole
  • iam:AttachRolePolicy
  • iam:PassRole

Step 1: Create the FIS Service Role

  1. Sign in to the AWS Management Console and open the IAM console.
  2. In the left navigation pane, choose Roles, then click Create role.
  3. Under Trusted entity type, select AWS service.
  4. In Use case, choose Fault Injection Simulator.
  5. From the list of managed policies, select the one matching your experiment. For an EC2 termination test, select:
    • AWSFIS_ExperimentTemplate_EC2InstanceTerminate
  6. Click Next to proceed.

Custom Experiment Templates

You can create and attach custom policies if your chaos tests require additional or more restrictive permissions.

Step 2: Configure Role Details

  1. Provide a descriptive Role name, for example, FIS-EC2-Termination-Role.

  2. Review the trust policy to confirm only FIS can assume this role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "fis.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
  3. Click Create role.

Step 3: Attach CloudWatch Logs Permissions

To enable FIS to publish experiment logs:

  1. In the IAM console, locate and open the newly created role (FIS-EC2-Termination-Role).
  2. On the Permissions tab, click Add permissions, then Attach policies.
  3. Search for and select CloudWatchLogsFullAccess.
  4. Click Attach policies.
Policy Name                                     | Purpose
AWSFIS_ExperimentTemplate_EC2InstanceTerminate  | Allows FIS to terminate EC2 instances
CloudWatchLogsFullAccess                        | Enables FIS to push logs to CloudWatch

Security Best Practice

In production environments, avoid overly permissive policies like CloudWatchLogsFullAccess. Instead, scope permissions to specific log groups and actions.
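As an added example (not part of the original guide), the following customer managed policy is one way to replace CloudWatchLogsFullAccess with permissions scoped to a single log group. REGION, ACCOUNT_ID and the log group name /fis/ec2-termination-experiments are placeholders, and the action list is an assumption about what the experiment's log delivery needs; trim or extend it based on the access-denied errors you observe.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteExperimentLogsToOneLogGroupOnly",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/fis/ec2-termination-experiments:*"
    },
    {
      "Sid": "ListLogGroupsIsNotResourceScoped",
      "Effect": "Allow",
      "Action": "logs:DescribeLogGroups",
      "Resource": "*"
    }
  ]
}
```

Compared with CloudWatchLogsFullAccess, this grants no delete, retention or subscription-filter actions and cannot write to any other log group, so a compromised or misconfigured experiment cannot tamper with unrelated logs.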

Next Steps

You now have an IAM role configured with the necessary permissions to run AWS FIS experiments and stream logs. Continue to the AWS FIS tutorial to launch your first chaos test.
