Deprecation of AWSElasticBeanstalkService policy #20

Open
jakubgs opened this issue Mar 11, 2021 · 0 comments

jakubgs commented Mar 11, 2021

I got this email today:

We have detected that at least one user, group, or role in your account is currently employing the AWSElasticBeanstalkService managed policy. This policy is scheduled for deprecation and will no longer be available for attachment to new IAM users, groups, or roles after April 15, 2021.

What do I need to do?
The AWSElasticBeanstalkService policy should be replaced with the new versions of this policy:  AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy.

We recommend the following actions:
• Test your environments with the new policy. This new managed policy improves security for your resources by applying a more restrictive set of permissions. Therefore, we strongly recommend that customers perform testing to ensure their environments retain access to required resources, especially if you are using the following services: AutoScaling, CodeBuild, CloudWatch Metrics, CloudWatch Logs, EC2, ECS, S3, SNS and SQS.

With this updated managed policy, the stricter naming conventions will not allow you to manage resources that were not created through Elastic Beanstalk. Also, you will not be able to manage resources that were provisioned by Elastic Beanstalk that have been renamed. If your testing reveals that any required resources do not conform to the naming conventions in the new policy, you can create and add a custom policy to manage the additional resources. Attach your custom policy along with the new Elastic Beanstalk managed policy to retain all the required access while benefiting from the managed policy. For more information see Creating a custom user policy [1] in the AWS Elastic Beanstalk Developer Guide.

• Attach the new policy to your resources. For more information, including instructions to view the content of a policy, refer [2] in the AWS Elastic Beanstalk Developer Guide.

Why do I need to take action?
The new Elastic Beanstalk managed policy improves security for your resources by applying a more restrictive set of permissions. We strongly encourage you to employ the new policy as soon as possible. Because the deprecated managed policy will no longer be maintained or supported, permissions for all upcoming Elastic Beanstalk features will be added only to the new policy after April 15, 2021.

What will happen if I do not take action?
The AWSElasticBeanstalkService policy will continue to function normally for any IAM user, group, or role attached to it before April 15, 2021. However, this deprecated policy will not receive any future updates to support new Elastic Beanstalk functionality, which may lead to future permission errors from the console or command line interface (CLI).

If you have any questions or concerns, the AWS Support Team is available on the community forums and via AWS Premium Support [3].

[1] https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.managed-policies.html#AWSHowTo.iam.policies
[2] https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-servicerole.html
[3] https://aws.amazon.com/support

This should be fine as long as we are not creating new environments.
But we might have to update the Terraform modules to make this work in the future.

@jakubgs jakubgs self-assigned this Mar 11, 2021
@jakubgs jakubgs changed the title [prod] Deprecation of AWSElasticBeanstalkService policy Deprecation of AWSElasticBeanstalkService policy Jul 21, 2021
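
Before touching the Terraform modules, it helps to know which resources still attach the deprecated policy. The following is an added example, not code from this repository or from AWS: it walks JSON shaped like the output of `terraform show -json`, including nested modules, and reports every resource referencing `AWSElasticBeanstalkService`. The sample state, resource names and module name are constructed for illustration.

```python
import json

DEPRECATED = "AWSElasticBeanstalkService"  # policy name from the AWS notice

# Constructed sample shaped like `terraform show -json` output; every
# resource name and the module name are hypothetical.
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {
  "resources": [
    {"address": "aws_iam_role_policy_attachment.eb_service",
     "type": "aws_iam_role_policy_attachment",
     "values": {"role": "eb-service-role",
       "policy_arn": "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"}},
    {"address": "aws_iam_role_policy_attachment.eb_health",
     "type": "aws_iam_role_policy_attachment",
     "values": {"role": "eb-service-role",
       "policy_arn": "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"}}
  ],
  "child_modules": [{"address": "module.beanstalk", "resources": [
    {"address": "module.beanstalk.aws_iam_role.service",
     "type": "aws_iam_role",
     "values": {"name": "eb-module-role", "managed_policy_arns": [
       "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"]}}
  ]}]
}}}
""")

def is_deprecated(arn):
    # Exact match on the final ARN path segment, not a substring match,
    # so other Elastic Beanstalk managed policies are not flagged.
    return isinstance(arn, str) and arn.rsplit("/", 1)[-1] == DEPRECATED

def walk(module):
    """Yield every resource in a module and, recursively, its children."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def find_deprecated_attachments(state):
    """Return addresses of resources that attach the deprecated policy."""
    hits = []
    for res in walk(state.get("values", {}).get("root_module", {})):
        vals = res.get("values") or {}
        # Attachment resources use policy_arn; aws_iam_role may list ARNs inline.
        arns = [vals.get("policy_arn")] + list(vals.get("managed_policy_arns") or [])
        if any(is_deprecated(a) for a in arns):
            hits.append(res["address"])
    return sorted(hits)

if __name__ == "__main__":
    for address in find_deprecated_attachments(SAMPLE_STATE):
        print("replace policy on:", address)
```

Each reported address is a place where the replacement policy named in the notice would need to be attached and tested.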