
Resources created for Amazon DevOps Agent activated from Amazon Web Services Support - Amazon Web Services Support
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Activation from the Support Center Console creates the following resources in us-east-1. Replace ACCOUNT_ID with your 12-digit Amazon Web Services account ID. The role suffix is a 12-character identifier derived from the agent space.

Resources created when you enable Amazon DevOps Agent from the Support Center Console

| Amazon Web Services service | Resource type | Resource name | Trust scope | Permissions granted |
| --- | --- | --- | --- | --- |
| Amazon DevOps Agent | Agent space | DevOpsAgentSpace | Not applicable | Container for the account association, operator web app configuration, and data the agent generates while it operates. |
| Amazon Identity and Access Management (IAM) | Role | DevOpsAgentRole-AgentSpace-suffix | Trusted by aidevops.amazonaws.com with aws:SourceAccount and aws:SourceArn conditions that scope the role to agent spaces in your own account (confused-deputy protection). | Grants the agent the read-only investigation permissions across Amazon Web Services services that it needs to investigate resources in your account. Permissions come from the Amazon-managed AIDevOpsAgentAccessPolicy attached at activation time. For the full list, see AIDevOpsAgentAccessPolicy in the Amazon DevOps Agent User Guide. The customer-managed AIDevOpsAllowAwsSupportActionsPolicy-suffix policy is also attached. |
| Amazon Identity and Access Management (IAM) | Role | DevOpsAgentRole-WebappAdmin-suffix | Trust policy scoped to a specific agent space, so only that agent space's operator web app can assume it. | Grants the operator web app the permissions it needs for chat, journal, recommendations, and Amazon Web Services Support integration. Permissions come from the Amazon-managed AIDevOpsOperatorAppAccessPolicy. For the full list, see AIDevOpsOperatorAppAccessPolicy in the Amazon DevOps Agent User Guide. |
| Amazon Identity and Access Management (IAM) | Customer-managed policy | AIDevOpsAllowAwsSupportActionsPolicy-suffix | Attached to the DevOpsAgentRole-AgentSpace-suffix role. | Grants iam:CreateServiceLinkedRole, scoped to the Amazon Resource Explorer service-linked role ARN (arn:aws:iam::ACCOUNT_ID:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer). This permission allows the agent to create the Amazon Resource Explorer service-linked role on your behalf if it doesn't already exist, so the agent can use Amazon Resource Explorer for topology discovery. |

The Support Center Console activation doesn't create resources in any other Amazon Web Services Region.
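To confirm that a role's trust policy still carries the confused-deputy conditions listed in the Trust scope column, you can audit the policy document offline. The following Python is an added example, not code from this documentation or from the service. The account ID, the `sts:AssumeRole` action, and the `aws:SourceArn` value format in the sample policies are constructed placeholders, and the function names are hypothetical.

```python
AGENT_PRINCIPAL = "aidevops.amazonaws.com"  # service principal named on this page
ENFORCING = {"StringEquals", "StringLike", "ArnEquals", "ArnLike"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_values(stmt, key):
    """Values for a condition key under operators that require a match (key names are case-insensitive)."""
    found = []
    for operator, block in stmt.get("Condition", {}).items():
        if operator not in ENFORCING:  # skip negated and ...IfExists forms
            continue
        for name, value in block.items():
            if name.lower() == key.lower():
                found.extend(_as_list(value))
    return found

def audit_trust_policy(policy, account_id):
    """Return findings for every Allow statement that trusts the agent service principal."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or AGENT_PRINCIPAL not in services:
            continue
        accounts = _condition_values(stmt, "aws:SourceAccount")
        arns = _condition_values(stmt, "aws:SourceArn")
        if not accounts:
            findings.append(f"statement {i}: no aws:SourceAccount condition")
        elif any(a != account_id for a in accounts):
            findings.append(f"statement {i}: aws:SourceAccount allows another account")
        if not arns:
            findings.append(f"statement {i}: no aws:SourceArn condition")
        elif any(len(a.split(":")) < 6 or a.split(":")[4] != account_id for a in arns):
            findings.append(f"statement {i}: aws:SourceArn not pinned to this account")
    return findings

# Constructed sample data: the account ID and the SourceArn format are placeholders.
ACCOUNT = "111122223333"

def _policy(condition):
    stmt = {"Effect": "Allow", "Principal": {"Service": AGENT_PRINCIPAL}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

SCOPED = _policy({"StringEquals": {"aws:SourceAccount": ACCOUNT},
                  "ArnLike": {"aws:SourceArn": f"arn:aws:aidevops:us-east-1:{ACCOUNT}:agentspace/*"}})
UNSCOPED = _policy(None)
WILDCARD = _policy({"StringEquals": {"aws:SourceAccount": ACCOUNT},
                    "ArnLike": {"aws:SourceArn": "arn:aws:aidevops:*:*:agentspace/*"}})
```

To check a live role, pass the `AssumeRolePolicyDocument` returned by `aws iam get-role` as `policy`, together with your 12-digit account ID.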