Chaos Engineering

Building a Basic FIS experiment

FIS Permissions

AWS Fault Injection Simulator (FIS) relies on two distinct IAM roles to enforce security boundaries:

  1. User Role – Grants permissions to view, modify, or run FIS experiments through the console or CLI.
  2. Service Role – Assumed by FIS itself to perform actions on your AWS resources (for example, terminating an EC2 instance or failing over an Aurora database).

Warning

FIS experiments can induce downtime or resource failures. Apply the principle of least privilege when granting permissions to both roles.

IAM Role Comparison

IAM Role         | Purpose                                                                     | Example Permissions
FIS User Role    | Controls who can see, create, modify, or start experiments                  | fis:CreateExperimentTemplate, fis:StartExperiment
FIS Service Role | Defines what AWS resources FIS can interact with when running an experiment | ec2:TerminateInstances, rds:FailoverDBCluster

1. Create the FIS User Role

This role is assumed by your users or CI/CD pipelines. It requires a trust policy for IAM principals and permissions to manage FIS experiments.

aws iam create-role \
  --role-name FISUserRole \
  --assume-role-policy-document file://trust-policy-user.json

Example trust-policy-user.json:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
    "Action": "sts:AssumeRole"
  }]
}

Attach the managed policy (or a custom policy) that grants FIS actions:

aws iam attach-role-policy \
  --role-name FISUserRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonFISFullAccess

Note

You can scope the policy further by granting only the specific fis: actions your team requires.


2. Create the FIS Service Role

The service role grants FIS permission to manipulate AWS resources on your behalf. Start by defining a trust relationship allowing the FIS service to assume it.

aws iam create-role \
  --role-name FISServiceRole \
  --assume-role-policy-document file://trust-policy-service.json

Example trust-policy-service.json:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "fis.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}

Next, attach a policy that covers all resource actions your experiments require:

aws iam put-role-policy \
  --role-name FISServiceRole \
  --policy-name FISServicePolicy \
  --policy-document file://fis-service-policy.json

An example snippet from fis-service-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "rds:FailoverDBCluster",
        "autoscaling:UpdateAutoScalingGroup"
      ],
      "Resource": "*"
    }
  ]
}
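To tie the two steps together, here is an added Python example (not part of the course page or of any AWS tool) that generates the three policy documents the aws CLI commands above consume and runs a small least-privilege check over them. It assumes a tag key FIS-Ready that marks the resources an experiment may touch, reuses the placeholder account 123456789012 from the page, and narrows the service policy with the global condition key aws:ResourceTag; confirm in the Service Authorization Reference that each action you list honours that key.

```python
"""Build and sanity-check the IAM policy documents for the two FIS roles.

Added example, not the course's or AWS's code. Emits the same JSON shapes the
page feeds to `aws iam create-role` / `put-role-policy` and flags Allow
statements that grant disruptive actions on every resource with no Condition.
Account id and tag key below are constructed placeholders.
"""
import json
import os

ACCOUNT_ID = "123456789012"   # placeholder account from the page
EXPERIMENT_TAG = "FIS-Ready"  # assumed tag that marks fault-injection targets

# Actions that stop, fail over, or reshape resources; these deserve scoping.
DISRUPTIVE_ACTIONS = {
    "ec2:TerminateInstances",
    "ec2:StopInstances",
    "rds:FailoverDBCluster",
    "rds:RebootDBInstance",
    "autoscaling:UpdateAutoScalingGroup",
}

# The page's own snippet: correct, but every tagged or untagged resource is in scope.
UNSCOPED_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:TerminateInstances", "rds:FailoverDBCluster",
                   "autoscaling:UpdateAutoScalingGroup"],
        "Resource": "*",
    }],
}


def user_role_trust_policy(account_id=ACCOUNT_ID):
    """Trust policy for FISUserRole: IAM principals in the account may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole"}]}


def service_role_trust_policy():
    """Trust policy for FISServiceRole: only the FIS service may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "fis.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def scoped_service_policy(tag_key=EXPERIMENT_TAG):
    """Same actions as the page's snippet, but each call must hit a resource
    carrying tag_key=true (aws:ResourceTag is a global condition key)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:TerminateInstances", "rds:FailoverDBCluster",
                   "autoscaling:UpdateAutoScalingGroup"],
        "Resource": "*",
        "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": "true"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return indexes of Allow statements that grant a disruptive action on
    Resource "*" with no Condition. An empty list means the policy is scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        wildcard = "*" in _as_list(stmt.get("Resource", []))
        disruptive = any(a in DISRUPTIVE_ACTIONS or a.endswith(":*") or a == "*"
                         for a in actions)
        if wildcard and disruptive and not stmt.get("Condition"):
            findings.append(i)
    return findings


def trusted_principals(trust_policy):
    """Flatten the Principal entries of a trust policy, e.g. 'Service:fis.amazonaws.com'."""
    found = []
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.append("*")
            continue
        for kind, who in principal.items():
            found.extend(f"{kind}:{w}" for w in _as_list(who))
    return found


def write_policy_files(directory="."):
    """Write the three JSON files the page's aws CLI commands reference."""
    docs = {"trust-policy-user.json": user_role_trust_policy(),
            "trust-policy-service.json": service_role_trust_policy(),
            "fis-service-policy.json": scoped_service_policy()}
    for name, doc in docs.items():
        with open(os.path.join(directory, name), "w") as fh:
            json.dump(doc, fh, indent=2)
    return sorted(docs)


if __name__ == "__main__":
    print("page snippet, overbroad statements:", find_overbroad_statements(UNSCOPED_SERVICE_POLICY))
    print("scoped policy, overbroad statements:", find_overbroad_statements(scoped_service_policy()))
    print("service role trusts:", trusted_principals(service_role_trust_policy()))
    print("wrote:", write_policy_files())
```

Run it once to produce the three JSON files beside the script, then pass them to the aws iam create-role and put-role-policy commands above. The check flags the page's unscoped snippet and passes the tagged variant; the trust-policy helper makes it easy to confirm that the service role trusts only fis.amazonaws.com and that the user role is assumable only from your own account's principals, not from "*".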
