Demo Create FIS Permissions

Step 1: Create the FIS Service Role
Step 2: Configure Role Details
Step 3: Attach CloudWatch Logs Permissions
Next Steps
References

In this guide, you’ll set up an AWS Fault Injection Simulator (FIS) service role that grants permissions to run chaos engineering experiments—such as terminating EC2 instances or simulating Availability Zone failures—and to send logs to Amazon CloudWatch for monitoring.

Ensure your AWS identity has the following IAM permissions:

iam:CreateRole
iam:AttachRolePolicy
iam:PassRole

Step 1: Create the FIS Service Role

Sign in to the AWS Management Console and open the IAM console.
In the left navigation pane, choose Roles, then click Create role.
Under Trusted entity type, select AWS service.
In Use case, choose Fault Injection Simulator.
From the list of managed policies, select the one matching your experiment. For an EC2 termination test, select:
- AWSFIS_ExperimentTemplate_EC2InstanceTerminate
Click Next to proceed.

You can create and attach custom policies if your chaos tests require additional or more restrictive permissions.

Step 2: Configure Role Details

Provide a descriptive Role name, for example, FIS-EC2-Termination-Role.

Review the trust policy to confirm only FIS can assume this role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "fis.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Click Create role.

Step 3: Attach CloudWatch Logs Permissions

To enable FIS to publish experiment logs:

In the IAM console, locate and open the newly created role (FIS-EC2-Termination-Role).
On the Permissions tab, click Add permissions → Attach policies.
Search for and select CloudWatchLogsFullAccess.
Click Attach policies.

Policy Name	Purpose
AWSFIS_ExperimentTemplate_EC2InstanceTerminate	Allows FIS to terminate EC2 instances
CloudWatchLogsFullAccess	Enables FIS to push logs to CloudWatch

In production environments, avoid overly permissive policies like CloudWatchLogsFullAccess. Instead, scope permissions to specific log groups and actions.

Next Steps

You now have an IAM role configured with the necessary permissions to run AWS FIS experiments and stream logs. Continue to the AWS FIS tutorial to launch your first chaos test.

References

Watch Video

FIS Permissions

Experiment 1 Chaos Engineering on ASG

⌘I

Introduction

Chaos Engineering Fundamentals

Building a Basic FIS experiment

Introduction to Real life Application

Chaos Engineering on Database Aurora

Chaos Engineering on Serverless Fargate

Chaos Engineering on Kubernetes EKS

Chaos Engineering on Availability Zone

Conclusion

Chaos Engineering on Compute E C2

Demo Create FIS Permissions

Step 1: Create the FIS Service Role

Step 2: Configure Role Details

Step 3: Attach CloudWatch Logs Permissions

Next Steps

References

Watch Video

Introduction

Chaos Engineering Fundamentals

Building a Basic FIS experiment

Introduction to Real life Application

Chaos Engineering on Database Aurora

Chaos Engineering on Serverless Fargate

Chaos Engineering on Kubernetes EKS

Chaos Engineering on Availability Zone

Conclusion

Chaos Engineering on Compute E C2

​Step 1: Create the FIS Service Role

​Step 2: Configure Role Details

​Step 3: Attach CloudWatch Logs Permissions

​Next Steps

​References

Watch Video

Step 1: Create the FIS Service Role

Step 2: Configure Role Details

Step 3: Attach CloudWatch Logs Permissions

Next Steps

References