Using service-linked roles for Amazon Web Services Support
Amazon Web Services Support tools gather information about your Amazon resources through API calls to provide customer service and technical support. To increase the transparency and auditability of support activities, Amazon Web Services Support uses an Amazon Identity and Access Management (IAM) service-linked role.
The AWSServiceRoleForSupport service-linked role is a unique IAM role that is linked directly to Amazon Web Services Support. This service-linked role is predefined, and it includes the permissions that Amazon Web Services Support requires to call other Amazon services on your behalf.
The AWSServiceRoleForSupport service-linked role trusts the support.amazonaws.com service to assume the role.
To provide these services, the role's predefined permissions give Amazon Web Services Support access to resource metadata, not customer data. Only Amazon Web Services Support tools can assume this role, which exists within your Amazon account.
We redact fields that could contain customer data. For example, the Input and Output fields of the Amazon Step Functions GetExecutionHistory API call aren't visible to Amazon Web Services Support.
We use Amazon KMS keys to encrypt sensitive fields. These fields are redacted in the API response and aren't visible to Amazon Web Services Support agents.
Note
Amazon Trusted Advisor uses a separate IAM service-linked role to access Amazon resources for your account to provide best practice recommendations and checks. For more information, see Using service-linked roles for Trusted Advisor.
The AWSServiceRoleForSupport service-linked role enables all Amazon Web Services Support API calls to be visible to customers through Amazon CloudTrail. This helps with monitoring and auditing requirements, because it provides a transparent way to understand the actions that Amazon Web Services Support performs on your behalf. For information about CloudTrail, see the Amazon CloudTrail User Guide.
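To make the CloudTrail visibility and the trust relationship described above concrete, here is an added example (not code from the AWS documentation or from any AWS SDK) that scans constructed CloudTrail records for actions performed through the AWSServiceRoleForSupport session and checks that a constructed trust policy allows only support.amazonaws.com to assume the role. It assumes the role appears in records as the sessionContext.sessionIssuer of an AssumedRole identity, as assumed roles normally do.

```python
from collections import Counter

SUPPORT_ROLE = "AWSServiceRoleForSupport"
SUPPORT_PRINCIPAL = "support.amazonaws.com"

# Constructed CloudTrail records (not real log data). The support role shows up
# as an AssumedRole identity whose sessionContext.sessionIssuer is the role name.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "sessionIssuer": {"type": "Role", "userName": SUPPORT_ROLE}}}},
    {"eventSource": "states.amazonaws.com", "eventName": "GetExecutionHistory",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "sessionIssuer": {"type": "Role", "userName": SUPPORT_ROLE}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

# Constructed trust policy of the kind the page describes for this role.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": SUPPORT_PRINCIPAL},
     "Action": "sts:AssumeRole"}]}


def support_role_activity(events):
    """Count (eventSource, eventName) pairs performed through the support role."""
    hits = Counter()
    for ev in events:
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}).get(
            "sessionIssuer", {})
        if issuer.get("userName") == SUPPORT_ROLE:
            hits[(ev["eventSource"], ev["eventName"])] += 1
    return hits


def trust_policy_ok(policy):
    """True only if every Allow AssumeRole statement names just support.amazonaws.com."""
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False
        svc = principal["Service"]
        if ([svc] if isinstance(svc, str) else svc) != [SUPPORT_PRINCIPAL]:
            return False
    return True
```

Running `support_role_activity` over a real trail export gives a per-API tally of support activity that can be compared against open support cases; `trust_policy_ok` flags any trust statement that would let a principal other than the support service assume the role.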
Service-linked role permissions for Amazon Web Services Support
This role uses the AWSSupportServiceRolePolicy Amazon managed policy. This managed policy is attached to the role and grants it permission to complete actions on your behalf.
These actions might include the following:
- Billing, administrative, support, and other customer services – Amazon customer service uses the permissions granted by the managed policy to perform a number of services as part of your support plan. These include investigating and answering account and billing questions, providing administrative support for your account, increasing service quotas, and offering additional customer support.
- Processing of service attributes and usage data for your Amazon account – Amazon Web Services Support might use the permissions granted by the managed policy to access service attributes and usage data for your Amazon account. This policy allows Amazon Web Services Support to provide billing, administrative, and technical support for your account. Service attributes include your account’s resource identifiers, metadata tags, roles, and permissions. Usage data includes usage policies, usage statistics, and analytics.
- Maintaining the operational health of your account and its resources – Amazon Web Services Support uses automated tools to perform actions related to operational and technical support.
For more information about the allowed services and actions, see the AWSSupportServiceRolePolicy
Note
Amazon Web Services Support automatically updates the AWSSupportServiceRolePolicy policy once per month to add permissions for new Amazon services and actions.
For more information, see Amazon managed policies for Amazon Web Services Support.
Creating a service-linked role for Amazon Web Services Support
You don't need to manually create the AWSServiceRoleForSupport role. When you create an Amazon account, this role is automatically created and configured for you.
Important
If you used Amazon Web Services Support before it began supporting service-linked roles, then Amazon created the AWSServiceRoleForSupport role in your account. For more information, see A new role appeared in my IAM account.
Editing and deleting a service-linked role for Amazon Web Services Support
You can use IAM to edit the description for the AWSServiceRoleForSupport service-linked role. For more information, see Editing a service-linked role in the IAM User Guide.
The AWSServiceRoleForSupport role is necessary for Amazon Web Services Support to provide administrative, operational, and technical support for your account. As a result, this role can't be deleted through the IAM console, API, or Amazon Command Line Interface (Amazon CLI). This protects your Amazon account, because you can't inadvertently remove necessary permissions for administering support services.
For more information about the AWSServiceRoleForSupport role or its uses, contact Amazon Web Services Support.