

# Resources created for Amazon DevOps Agent activated from Amazon Web Services Support
<a name="support-devops-agent-resources"></a>

Activation from the Support Center Console creates the following resources in `us-east-1`. Replace `{{ACCOUNT_ID}}` with your 12-digit Amazon Web Services account ID. The role suffix is a 12-character identifier derived from the agent space.


**Resources created when you enable Amazon DevOps Agent from the Support Center Console**  

| Amazon Web Services service | Resource type | Resource name | Trust scope | Permissions granted | 
| --- | --- | --- | --- | --- | 
| Amazon DevOps Agent | Agent space | `DevOpsAgentSpace` | Not applicable | Container for the account association, operator web app configuration, and data the agent generates while it operates. | 
| Amazon Identity and Access Management (IAM) | Role | `DevOpsAgentRole-AgentSpace-{{suffix}}` | Trusted by `aidevops.amazonaws.com` with `aws:SourceAccount` and `aws:SourceArn` conditions that scope the role to agent spaces in your own account (confused-deputy protection). | Grants the agent the read-only investigation permissions across Amazon Web Services services that it needs to investigate resources in your account. Permissions come from the Amazon-managed `AIDevOpsAgentAccessPolicy` attached at activation time. For the full list, see [AIDevOpsAgentAccessPolicy](https://docs.amazonaws.cn/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.html#AIDevOpsAgentAccessPolicy) in the *Amazon DevOps Agent User Guide*. The customer-managed `AIDevOpsAllowAwsSupportActionsPolicy-{{suffix}}` policy is also attached. | 
| Amazon Identity and Access Management (IAM) | Role | `DevOpsAgentRole-WebappAdmin-{{suffix}}` | Trust policy scoped to a specific agent space, so only that agent space's operator web app can assume it. | Grants the operator web app the permissions it needs for chat, journal, recommendations, and Amazon Web Services Support integration. Permissions come from the Amazon-managed `AIDevOpsOperatorAppAccessPolicy`. For the full list, see [AIDevOpsOperatorAppAccessPolicy](https://docs.amazonaws.cn/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.html#AIDevOpsOperatorAppAccessPolicy) in the *Amazon DevOps Agent User Guide*. | 
| Amazon Identity and Access Management (IAM) | Customer-managed policy | `AIDevOpsAllowAwsSupportActionsPolicy-{{suffix}}` | Attached to the `DevOpsAgentRole-AgentSpace-{{suffix}}` role. | Grants `iam:CreateServiceLinkedRole`, scoped to the Amazon Resource Explorer service-linked role ARN (`arn:aws:iam::{{ACCOUNT_ID}}:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer`). This permission allows the agent to create the Amazon Resource Explorer service-linked role on your behalf if it doesn't already exist, so the agent can use Amazon Resource Explorer for topology discovery. | 

The Support Center Console activation doesn't create resources in any other Amazon Web Services Region.
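
To confirm that the trust scope described for `DevOpsAgentRole-AgentSpace-{{suffix}}` is actually in place, you can audit the role's trust policy for both confused-deputy condition keys. The following is an added example, not code from the Amazon DevOps Agent documentation; the function names, the sample account ID, and the sample policy documents are constructed, and the `aws:SourceArn` resource path is a placeholder because this page does not give the agent space ARN format.

```python
import json

SERVICE = "aidevops.amazonaws.com"   # service principal named in the table
POSITIVE_OPS = {"StringEquals", "StringLike", "ArnEquals", "ArnLike"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id):
    """Return findings; an empty list means each Allow statement that trusts
    the agent service is pinned to account_id by both condition keys."""
    findings, matched = [], False
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if SERVICE not in as_list(principal.get("Service", [])):
            continue
        matched = True
        # Flatten Condition into {lowercased key: [(operator, value), ...]}.
        cond = {}
        for op, pairs in stmt.get("Condition", {}).items():
            for key, val in pairs.items():
                cond.setdefault(key.lower(), []).extend((op, v) for v in as_list(val))
        accounts = cond.get("aws:sourceaccount", [])
        if not accounts or any(op not in POSITIVE_OPS or v != account_id for op, v in accounts):
            findings.append(f"statement {i}: aws:SourceAccount not pinned to {account_id}")
        arns = cond.get("aws:sourcearn", [])
        # ARN layout is arn:partition:service:region:account:resource.
        if not arns or any(op not in POSITIVE_OPS or len(a.split(":")) < 6
                           or a.split(":")[4] != account_id for op, a in arns):
            findings.append(f"statement {i}: aws:SourceArn not scoped to {account_id}")
    if not matched:
        findings.append(f"no Allow statement trusts {SERVICE}")
    return findings

# Constructed sample documents; the SourceArn resource path is a placeholder.
ACCOUNT = "111122223333"
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "aidevops.amazonaws.com"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"},
                "ArnLike": {"aws:SourceArn": "arn:aws:aidevops:us-east-1:111122223333:agentspace/*"}}}]}""")
UNSCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "aidevops.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("unscoped", UNSCOPED)):
        print(name, audit_trust_policy(doc, ACCOUNT) or "OK")
```

For a real role, pass in the `AssumeRolePolicyDocument` returned by `aws iam get-role` in place of the constructed samples.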