Service-linked roles for Amazon EC2 Auto Scaling - Amazon EC2 Auto Scaling
OverviewPermissions granted by the service-linked roleCreate a service-linked role (automatic)Create a service-linked role (manual)Edit the service-linked roleDelete the service-linked roleSupported Regions for Amazon EC2 Auto Scaling service-linked roles
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Service-linked roles for Amazon EC2 Auto Scaling

Amazon EC2 Auto Scaling uses service-linked roles for the permissions that it requires to call other Amazon Web Services on your behalf. A service-linked role is a unique type of IAM role that is linked directly to an Amazon Web Service.

Service-linked roles provide a secure way to delegate permissions to other Amazon Web Services because only the linked service can assume a service-linked role. For more information, see Using service-linked roles in the IAM User Guide. Service-linked roles also enable all API calls to be visible through Amazon CloudTrail. This helps with monitoring and auditing requirements because you can track all actions that Amazon EC2 Auto Scaling performs on your behalf. For more information, see Log Amazon EC2 Auto Scaling API calls with Amazon CloudTrail.

The following sections describe how to create and manage Amazon EC2 Auto Scaling service-linked roles. Start by configuring permissions to allow an IAM identity (such as a user or role) to create, edit, or delete a service-linked role. For more information, see Using service-linked roles in the IAM User Guide.

Overview

There are two types of Amazon EC2 Auto Scaling service-linked roles:

  • The default service-linked role for your account, named AWSServiceRoleForAutoScaling. This role is automatically assigned to your Auto Scaling groups unless you specify a different service-linked role.

  • A service-linked role with a custom suffix that you specify when you create the role, for example, AWSServiceRoleForAutoScaling_mysuffix.

The permissions of a custom suffix service-linked role are identical to those of the default service-linked role. In both cases, you cannot edit the roles, and you also cannot delete them if they are still in use by an Auto Scaling group. The only difference is the role name suffix.

You can specify either role when you edit your Amazon Key Management Service key policies to allow instances that are launched by Amazon EC2 Auto Scaling to be encrypted with your customer managed key. However, if you plan to give granular access to a specific customer managed key, you should use a custom suffix service-linked role. Using a custom suffix service-linked role provides you with:

  • More control over the customer managed key

  • The ability to track which Auto Scaling group made an API call in your CloudTrail logs

If you create customer managed keys that not all users should have access to, follow these steps to allow the use of a custom suffix service-linked role:

  1. Create a service-linked role with a custom suffix. For more information, see Create a service-linked role (manual).

  2. Give the service-linked role access to a customer managed key. For more information about the key policy that allows the key to be used by a service-linked role, see Required Amazon KMS key policy for use with encrypted volumes.

  3. Give users access to the service-linked role that you created. For more information about creating the IAM policy, see Control which service-linked role can be passed (using PassRole). If users try to specify a service-linked role without permission to pass that role to the service, they receive an error.

Permissions granted by the service-linked role

Amazon EC2 Auto Scaling uses the service-linked role named AWSServiceRoleForAutoScaling or your custom suffix service-linked role.

The service-linked role trusts the following service to assume the role:

  • autoscaling.amazonaws.com

The role uses the AutoScalingServiceRolePolicy policy, which includes the following permissions:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"EC2InstanceManagement",
      "Effect":"Allow",
      "Action":[
        "ec2:AttachClassicLinkVpc",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateFleet",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:Describe*",
        "ec2:DetachClassicLinkVpc",
        "ec2:GetInstanceTypesFromInstanceRequirements",
        "ec2:GetSecurityGroupsForVpc",
        "ec2:ModifyInstanceAttribute",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource":"*"
    },
    {
      "Sid":"EC2InstanceProfileManagement",
      "Effect":"Allow",
      "Action":[
        "iam:PassRole"
      ],
      "Resource":"*",
      "Condition":{
        "StringLike":{
          "iam:PassedToService":"ec2.amazonaws.com*"
        }
      }
    },
    {
      "Sid":"EC2SpotManagement",
      "Effect":"Allow",
      "Action":[
        "iam:CreateServiceLinkedRole"
      ],
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "iam:AWSServiceName":"spot.amazonaws.com"
        }
      }
    },
    {
      "Sid":"ELBManagement",
      "Effect":"Allow",
      "Action":[
        "elasticloadbalancing:Register*",
        "elasticloadbalancing:Deregister*",
        "elasticloadbalancing:Describe*"
      ],
      "Resource":"*"
    },
    {
      "Sid":"CWManagement",
      "Effect":"Allow",
      "Action":[
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricData",
        "cloudwatch:PutMetricAlarm"
      ],
      "Resource":"*"
    },
    {
      "Sid":"SNSManagement",
      "Effect":"Allow",
      "Action":[
        "sns:Publish"
      ],
      "Resource":"*"
    },
    {
      "Sid":"EventBridgeRuleManagement",
      "Effect":"Allow",
      "Action":[
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:DeleteRule",
        "events:DescribeRule"
      ],
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "events:ManagedBy":"autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid":"SystemsManagerParameterManagement",
      "Effect":"Allow",
      "Action":[
        "ssm:GetParameters"
      ],
      "Resource": "*"
    },
    {
      "Sid":"VpcLatticeManagement",
      "Effect":"Allow",
      "Action":[
        "vpc-lattice:DeregisterTargets",
        "vpc-lattice:GetTargetGroup",
        "vpc-lattice:ListTargets",
        "vpc-lattice:ListTargetGroups",
        "vpc-lattice:RegisterTargets"
      ],
      "Resource": "*"
    }
  ]
}

The role has permissions to do all of the following:

  • ec2 – Create, describe, modify, start/stop, and terminate EC2 instances.

  • iamPass IAM roles to EC2 instances so that applications running on the instances can access temporary credentials for the role.

  • iam – Create the AWSServiceRoleForEC2Spot service-linked role to allow Amazon EC2 Auto Scaling to launch Spot Instances on your behalf.

  • elasticloadbalancing – Register and deregister instances with Elastic Load Balancing and check the health of registered targets.

  • cloudwatch – Create, describe, modify, and delete CloudWatch alarms for scaling policies and retrieve metrics used for predictive scaling.

  • sns – Publish notifications to Amazon SNS when instances launch or terminate.

  • events – Create, describe, update, and delete EventBridge rules on your behalf.

  • ssm – Read parameters from Parameter Store when using a Systems Manager parameter as an alias for an AMI ID in a launch template.

  • vpc-lattice – Register and deregister instances with VPC Lattice and check the health of registered targets.

Create a service-linked role (automatic)

Amazon EC2 Auto Scaling creates the AWSServiceRoleForAutoScaling service-linked role for you the first time that you create an Auto Scaling group, unless you manually create a custom suffix service-linked role and specify it when creating the group.

Important

You must have IAM permissions to create the service-linked role. Otherwise, the automatic creation fails. For more information, see Service-linked role permissions in the IAM User Guide and Create a service-linked role in this guide.

Amazon EC2 Auto Scaling began supporting service-linked roles in March 2018. If you created an Auto Scaling group before then, Amazon EC2 Auto Scaling created the AWSServiceRoleForAutoScaling role in your account. For more information, see A new role appeared in my Amazon Web Services account in the IAM User Guide.

Create a service-linked role (manual)

To create a service-linked role (console)

  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles, Create role.

  3. For Select trusted entity, choose Amazon service.

  4. For Choose the service that will use this role, choose EC2 Auto Scaling and the EC2 Auto Scaling use case.

  5. Choose Next: Permissions, Next: Tags, and then Next: Review. Note: You cannot attach tags to service-linked roles during creation.

  6. On the Review page, leave Role name blank to create a service-linked role with the name AWSServiceRoleForAutoScaling, or enter a suffix to create a service-linked role with the name AWSServiceRoleForAutoScaling_suffix.

  7. (Optional) For Role description, edit the description for the service-linked role.

  8. Choose Create role.

To create a service-linked role (Amazon CLI)

Use the following create-service-linked-role CLI command to create a service-linked role for Amazon EC2 Auto Scaling with the name AWSServiceRoleForAutoScaling_suffix. 

aws iam create-service-linked-role --aws-service-name autoscaling.amazonaws.com --custom-suffix suffix

The output of this command includes the ARN of the service-linked role, which you can use to give the service-linked role access to your customer managed key. 

{
    "Role": {
        "RoleId": "ABCDEF0123456789ABCDEF",
        "CreateDate": "2018-08-30T21:59:18Z",
        "RoleName": "AWSServiceRoleForAutoScaling_suffix",
        "Arn": "arn:aws-cn:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling_suffix",
        "Path": "/aws-service-role/autoscaling.amazonaws.com/",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "sts:AssumeRole"
                    ],
                    "Principal": {
                        "Service": [
                            "autoscaling.amazonaws.com"
                        ]
                    },
                    "Effect": "Allow"
                }
            ]
        }
    }
}

For more information, see Creating a service-linked role in the IAM User Guide.

Edit the service-linked role

You cannot edit the service-linked roles that are created for Amazon EC2 Auto Scaling. After you create a service-linked role, you cannot change the name of the role or its permissions. However, you can edit the description of the role. For more information, see Editing a service-linked role in the IAM User Guide.

Delete the service-linked role

If you are not using an Auto Scaling group, we recommend that you delete its service-linked role. Deleting the role prevents you from having an entity that is not used or actively monitored and maintained.

You can delete a service-linked role only after first deleting the related dependent resources. This protects you from inadvertently revoking Amazon EC2 Auto Scaling permissions to your resources. If a service-linked role is used with multiple Auto Scaling groups, you must delete all Auto Scaling groups that use the service-linked role before you can delete it. For more information, see Delete your Auto Scaling infrastructure.

You can use IAM to delete a service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

If you delete the AWSServiceRoleForAutoScaling service-linked role, Amazon EC2 Auto Scaling creates the role again when you create an Auto Scaling group and do not specify a different service-linked role.

Supported Regions for Amazon EC2 Auto Scaling service-linked roles

Amazon EC2 Auto Scaling supports using service-linked roles in all of the Amazon Web Services Regions where the service is available.