Service-linked role for EC2 Fast Launch - Amazon Elastic Compute Cloud

Service-linked role for EC2 Fast Launch

Amazon EC2 uses service-linked roles for the permissions that it requires to call other Amazon Web Services on your behalf. A service-linked role is a unique type of IAM role that is linked directly to an Amazon Web Service. Service-linked roles provide a secure way to delegate permissions to Amazon Web Services because only the linked service can assume a service-linked role. For more information about how Amazon EC2 uses IAM roles, including service-linked roles, see IAM roles for Amazon EC2.

Amazon EC2 uses the service-linked role named AWSServiceRoleForEC2FastLaunch to create and manage a set of pre-provisioned snapshots that reduce the time it takes to launch instances from your Windows AMI.

You don't need to create this service-linked role manually. When you start using EC2 Fast Launch for your AMI, Amazon EC2 creates the service-linked role for you, if it doesn't already exist.

Note

If the service-linked role is deleted from your account, you can enable EC2 Fast Launch for another Windows AMI to re-create the role in your account. Alternatively, you can disable EC2 Fast Launch for your current AMI, and then enable it again. However, while Amazon EC2 removes all of your pre-provisioned snapshots after you disable the feature, your AMI uses the standard launch process for all new instances. After all of the pre-provisioned snapshots are gone, you can enable EC2 Fast Launch for your AMI again.

Amazon EC2 does not allow you to edit the AWSServiceRoleForEC2FastLaunch service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role by using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

You can delete a service-linked role only after first deleting all of the related resources. This protects the Amazon EC2 resources that are associated with your Amazon EC2 Windows Server AMI with EC2 Fast Launch enabled, because you can't inadvertently remove permission to access the resources.

Amazon EC2 supports the EC2 Fast Launch service-linked role in all of the Regions where the Amazon EC2 service is available. For more information, see Regions.

Permissions granted by AWSServiceRoleForEC2FastLaunch

Amazon EC2 uses the EC2FastLaunchServiceRolePolicy managed policy to complete the following actions:

  • cloudwatch:PutMetricData – Post metric data associated with EC2 Fast Launch to the Amazon EC2 namespace.

  • ec2:CreateLaunchTemplate – Create a launch template for your Amazon EC2 Windows Server AMI with EC2 Fast Launch enabled.

  • ec2:CreateSnapshot – Create pre-provisioned snapshots for your Amazon EC2 Windows Server AMI with EC2 Fast Launch enabled.

  • ec2:CreateTags – Create tags for resources that are associated with launching and pre-provisioning Windows instances for your Amazon EC2 Windows Server AMI with EC2 Fast Launch enabled.

  • ec2:DeleteSnapshot – Delete all associated pre-provisioned snapshots if EC2 Fast Launch is turned off for a previously enabled AMI.

  • ec2:DescribeImages – Describe images for all resources.

  • ec2:DescribeInstanceAttribute – Describe instance attributes for all resources.

  • ec2:DescribeInstanceStatus – Describe instance status for all resources.

  • ec2:DescribeInstances – Describe instances for all resources.

  • ec2:DescribeInstanceTypeOfferings – Describe instance type offerings for all resources.

  • ec2:DescribeLaunchTemplates – Describe launch templates for all resources.

  • ec2:DescribeLaunchTemplateVersions – Describe launch template versions for all resources.

  • ec2:DescribeSnapshots – Describe snapshots for all resources.

  • ec2:DescribeSubnets – Describe subnets for all resources.

  • ec2:RunInstances – Launch instances from an Amazon EC2 Windows Server AMI with EC2 Fast Launch enabled, in order to perform provisioning steps.

  • ec2:StopInstances – Stop instances that were launched from an Amazon EC2 Windows Server AMI with EC2 Fast Launch enabled, in order to create pre-provisioned snapshots.

  • ec2:TerminateInstances – Terminate an instance that was launched from an Amazon EC2 Windows Server AMI with EC2 Fast Launch enabled, after creating the pre-provisioned snapshot from it.

  • iam:PassRole – Allows the AWSServiceRoleForEC2FastLaunch service-linked role to launch instances on your behalf using the instance profile from your launch template.

For more information about using managed policies for Amazon EC2, see Amazon managed policies for Amazon EC2.
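The following added example (not part of the AWS documentation) compares a policy document against the action list above, reporting any grant that is not an exact documented action, including wildcards, and any documented action the policy no longer covers. The sample policy is constructed for illustration and is not the real managed policy; `review` and `SAMPLE` are hypothetical names.

```python
from fnmatch import fnmatchcase

# Actions this page lists for EC2FastLaunchServiceRolePolicy.
# The IAM action for deleting a snapshot is the singular ec2:DeleteSnapshot.
DOCUMENTED = {
    "cloudwatch:PutMetricData", "ec2:CreateLaunchTemplate", "ec2:CreateSnapshot",
    "ec2:CreateTags", "ec2:DeleteSnapshot", "ec2:DescribeImages",
    "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus",
    "ec2:DescribeInstances", "ec2:DescribeInstanceTypeOfferings",
    "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions",
    "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:RunInstances",
    "ec2:StopInstances", "ec2:TerminateInstances", "iam:PassRole",
}

def as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Return lower-cased Action patterns from every Allow statement."""
    patterns = set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            patterns.add("*")
        patterns.update(a.lower() for a in as_list(stmt.get("Action", [])))
    return patterns

def review(policy):
    """Compare a policy document with the documented action list."""
    patterns = allowed_patterns(policy)
    documented = {a.lower(): a for a in DOCUMENTED}  # action names are case-insensitive
    # Patterns that are not an exact documented action: extra grants or wildcards.
    undocumented = sorted(p for p in patterns if p not in documented)
    # Documented actions that no pattern in the policy covers.
    missing = sorted(name for low, name in documented.items()
                     if not any(fnmatchcase(low, p) for p in patterns))
    return {"undocumented": undocumented, "missing": missing}

# Constructed sample policy, not the real managed policy document.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "ec2:RunInstances", "ec2:StopInstances",
        "ec2:TerminateInstances", "ec2:CreateSnapshot", "ec2:CreateTags",
        "ec2:CreateLaunchTemplate", "ec2:ModifySnapshotAttribute"]},
    {"Effect": "Allow", "Resource": "*", "Action": "iam:PassRole"}]}

if __name__ == "__main__":
    print(review(SAMPLE))
```

The check looks only at `Action` patterns; `Resource` and `Condition` scoping in the policy still needs a manual read.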

Access to customer managed keys for use with encrypted AMIs and EBS snapshots

Prerequisite
  • To enable Amazon EC2 to access an encrypted AMI on your behalf, you must have permission for the kms:CreateGrant action on the customer managed key.

When you enable EC2 Fast Launch for an encrypted AMI, Amazon EC2 ensures that permission is granted for the AWSServiceRoleForEC2FastLaunch role to use the customer managed key to access your AMI. This permission is needed to launch instances and create pre-provisioned snapshots on your behalf.
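To track which customer managed keys this role has been given access to, the added example below (not part of the AWS documentation) filters CloudTrail `CreateGrant` records for grants whose grantee is the AWSServiceRoleForEC2FastLaunch role and marks keys outside an approved set. The records, account ID, key IDs, role ARN path and grant operations are constructed placeholders, and `approved_keys` is a hypothetical allow list you maintain.

```python
ROLE_NAME = "AWSServiceRoleForEC2FastLaunch"

def key_id(ref):
    """Reduce a key ARN or bare key ID to the key ID."""
    return ref.rsplit("/", 1)[-1]

def fast_launch_grants(records, approved_keys):
    """List successful CreateGrant calls whose grantee is the Fast Launch role."""
    approved = {key_id(k) for k in approved_keys}
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("kms.amazonaws.com", "CreateGrant"):
            continue
        if rec.get("errorCode"):  # denied or failed call: no grant was created
            continue
        params = rec.get("requestParameters") or {}
        if params.get("granteePrincipal", "").rsplit("/", 1)[-1] != ROLE_NAME:
            continue
        kid = key_id(params.get("keyId", ""))
        findings.append({
            "key": kid,
            "created_by": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "operations": sorted(params.get("operations", [])),
            "approved": kid in approved,
        })
    return findings

# Constructed CloudTrail records; every identifier below is a placeholder.
SLR = "arn:aws:iam::111122223333:role/aws-service-role/ec2fastlaunch.amazonaws.com/" + ROLE_NAME
ADMIN = "arn:aws:iam::111122223333:user/ami-admin"

def grant(key, grantee, error=None):
    """Build one sample CreateGrant record."""
    rec = {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
           "userIdentity": {"arn": ADMIN},
           "requestParameters": {"keyId": key, "granteePrincipal": grantee,
                                 "operations": ["Decrypt", "DescribeKey"]}}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE = [
    grant("arn:aws:kms:us-east-1:111122223333:key/key-ami-EXAMPLE", SLR),
    grant("key-payroll-EXAMPLE", SLR),
    grant("key-ami-EXAMPLE", "arn:aws:iam::111122223333:role/other-role"),
    grant("key-logs-EXAMPLE", SLR, error="AccessDenied"),
]

if __name__ == "__main__":
    for finding in fast_launch_grants(SAMPLE, approved_keys={"key-ami-EXAMPLE"}):
        print(finding)
```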