Demo Create FIS Permissions

In this guide, you’ll set up an AWS Fault Injection Simulator (FIS) service role that grants permissions to run chaos engineering experiments—such as terminating EC2 instances or simulating Availability Zone failures—and to send logs to Amazon CloudWatch for monitoring.

Step 1: Create the FIS Service Role

1. Sign in to the AWS Management Console and open the IAM console.
2. In the left navigation pane, choose Roles, then click Create role.
3. Under Trusted entity type, select AWS service.
4. In Use case, choose Fault Injection Simulator.
5. From the list of managed policies, select the one matching your experiment. For an EC2 termination test, select:
   • AWSFIS_ExperimentTemplate_EC2InstanceTerminate
6. Click Next to proceed.

Step 2: Configure Role Details

1. Provide a descriptive Role name, for example, FIS-EC2-Termination-Role.

2. Review the trust policy to confirm only FIS can assume this role:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "fis.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   

3. Click Create role.

Step 3: Attach CloudWatch Logs Permissions

To enable FIS to publish experiment logs:

1. In the IAM console, locate and open the newly created role (FIS-EC2-Termination-Role).
2. On the Permissions tab, click Add permissions → Attach policies.
3. Search for and select CloudWatchLogsFullAccess.
4. Click Attach policies.

Next Steps

You now have an IAM role configured with the necessary permissions to run AWS FIS experiments and stream logs. Continue to the AWS FIS tutorial to launch your first chaos test.

References

• AWS Fault Injection Simulator Documentation
• IAM Roles in AWS
• Amazon CloudWatch Logs