Using service-linked roles for Amazon Web Services Support - Amazon Web Services Support
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Using service-linked roles for Amazon Web Services Support

Amazon Web Services Support tools gather information about your Amazon resources through API calls to provide customer service and technical support. To increase the transparency and auditability of support activities, Amazon Web Services Support uses an Amazon Identity and Access Management (IAM) service-linked role.

The AWSServiceRoleForSupport service-linked role is a unique IAM role that is linked directly to Amazon Web Services Support. This service-linked role is predefined, and it includes the permissions that Amazon Web Services Support requires to call other Amazon services on your behalf.

The AWSServiceRoleForSupport service-linked role trusts the support.amazonaws.com service to assume the role.

To provide these services, the role's predefined permissions give Amazon Web Services Support access to resource metadata, not customer data. Only Amazon Web Services Support tools can assume this role, which exists within your Amazon account.

We redact fields that could contain customer data. For example, the Input and Output fields of the GetExecutionHistory for the Amazon Step Functions API call aren't visible to Amazon Web Services Support. We use Amazon KMS keys to encrypt sensitive fields. These fields are redacted in the API response and aren't visible to Amazon Web Services Support agents.

Note

Amazon Trusted Advisor uses a separate IAM service-linked role to access Amazon resources for your account to provide best practice recommendations and checks. For more information, see Using service-linked roles for Trusted Advisor.

The AWSServiceRoleForSupport service-linked role enables all Amazon Web Services Support API calls to be visible to customers through Amazon CloudTrail. This helps with monitoring and auditing requirements, because it provides a transparent way to understand the actions that Amazon Web Services Support performs on your behalf. For information about CloudTrail, see the Amazon CloudTrail User Guide.

Service-linked role permissions for Amazon Web Services Support

This role uses the AWSSupportServiceRolePolicy Amazon managed policy. This managed policy is attached to the role and allows the role permission to complete actions on your behalf.

These actions might include the following:

  • Billing, administrative, support, and other customer services – Amazon customer service uses the permissions granted by the managed policy to perform a number of services as part of your support plan. These include investigating and answering account and billing questions, providing administrative support for your account, increasing service quotas, and offering additional customer support.

  • Processing of service attributes and usage data for your Amazon account – Amazon Web Services Support might use the permissions granted by the managed policy to access service attributes and usage data for your Amazon account. This policy allows Amazon Web Services Support to provide billing, administrative, and technical support for your account. Service attributes include your account’s resource identifiers, metadata tags, roles, and permissions. Usage data includes usage policies, usage statistics, and analytics.

  • Maintaining the operational health of your account and its resources – Amazon Web Services Support uses automated tools to perform actions related to operational and technical support.

For more information about the allowed services and actions, see the AWSSupportServiceRolePolicy policy in the IAM console.

Note

Amazon Web Services Support automatically updates the AWSSupportServiceRolePolicy policy once per month to add permissions for new Amazon services and actions.

For more information, see Amazon managed policies for Amazon Web Services Support.

Creating a service-linked role for Amazon Web Services Support

You don't need to manually create the AWSServiceRoleForSupport role. When you create an Amazon account, this role is automatically created and configured for you.

Important

If you used Amazon Web Services Support before it began supporting service-linked roles, then Amazon created the AWSServiceRoleForSupport role in your account. For more information, see A new role appeared in my IAM account.

Editing and deleting a service-linked role for Amazon Web Services Support

You can use IAM to edit the description for the AWSServiceRoleForSupport service-linked role. For more information, see Editing a service-linked role in the IAM User Guide.

The AWSServiceRoleForSupport role is necessary for Amazon Web Services Support to provide administrative, operational, and technical support for your account. As a result, this role can't be deleted through the IAM console, API, or Amazon Command Line Interface (Amazon CLI). This protects your Amazon account, because you can't inadvertently remove necessary permissions for administering support services.

For more information about the AWSServiceRoleForSupport role or its uses, contact Amazon Web Services Support.