In this guide, you’ll set up an AWS Fault Injection Simulator (FIS) service role that grants permissions to run chaos engineering experiments—such as terminating EC2 instances or simulating Availability Zone failures—and to send logs to Amazon CloudWatch for monitoring.
Ensure your AWS identity has the following IAM permissions:
- iam:CreateRole
- iam:AttachRolePolicy
- iam:PassRole
Step 1: Create the FIS Service Role
- Sign in to the AWS Management Console and open the IAM console.
- In the left navigation pane, choose Roles, then click Create role.
- Under Trusted entity type, select AWS service.
- In Use case, choose Fault Injection Simulator.
- From the list of managed policies, select the one matching your experiment. For an EC2 termination test, select:
- AWSFIS_ExperimentTemplate_EC2InstanceTerminate
- Click Next to proceed.
You can create and attach custom policies if your chaos tests require additional or more restrictive permissions.
Step 2: Configure Role Details
- Provide a descriptive Role name, for example, FIS-EC2-Termination-Role.
- Review the trust policy to confirm only FIS can assume this role.
- Click Create role.
Step 3: Attach CloudWatch Logs Permissions
To enable FIS to publish experiment logs:
- In the IAM console, locate and open the newly created role (FIS-EC2-Termination-Role).
- On the Permissions tab, click Add permissions → Attach policies.
- Search for and select CloudWatchLogsFullAccess.
- Click Attach policies.
| Policy Name | Purpose |
|---|---|
| AWSFIS_ExperimentTemplate_EC2InstanceTerminate | Allows FIS to terminate EC2 instances |
| CloudWatchLogsFullAccess | Enables FIS to push logs to CloudWatch |
In production environments, avoid overly permissive policies like CloudWatchLogsFullAccess. Instead, scope permissions to specific log groups and actions.
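As an added example (not part of the original guide), the script below builds a least-privilege replacement for CloudWatchLogsFullAccess that is limited to one log group, and flags any Allow statement that pairs a wildcard action with a wildcard resource. The region, account ID and log group name are constructed placeholders, the BROAD_POLICY is a simplified stand-in for the managed policy, and the set of logs actions is an assumption for this example.

```python
import json

# Constructed example only: a simplified stand-in for the managed
# CloudWatchLogsFullAccess policy (every logs action on every resource).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullLogsAccess", "Effect": "Allow",
         "Action": "logs:*", "Resource": "*"}
    ],
}

# Actions assumed sufficient for FIS to write experiment logs into an
# existing log group (assumption for this example, not the page's list).
FIS_LOG_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]


def scoped_fis_logs_policy(region, account_id, log_group):
    """Build a least-privilege inline policy limited to a single log group."""
    arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "FisExperimentLogs", "Effect": "Allow",
             "Action": FIS_LOG_ACTIONS, "Resource": arn}
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def overly_permissive_statements(policy):
    """Return Sids of Allow statements granting a wildcard action on a wildcard resource."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", [])))
        wild_resource = any(r == "*" for r in _as_list(stmt.get("Resource", [])))
        if wild_action and wild_resource:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    # Placeholder region, account ID and log group name (constructed values).
    scoped = scoped_fis_logs_policy("us-east-1", "123456789012", "/aws/fis/experiments")
    print("broad policy flagged:", overly_permissive_statements(BROAD_POLICY))
    print("scoped policy flagged:", overly_permissive_statements(scoped))
    print(json.dumps(scoped, indent=2))
```

Attach the generated document as an inline policy on the FIS role in place of CloudWatchLogsFullAccess, after confirming the log group named in the ARN exists.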