Using service-linked roles for Trusted Advisor
Amazon Trusted Advisor uses the Amazon Identity and Access Management (IAM) service-linked role. A service-linked role is a unique IAM role that is linked directly to Amazon Trusted Advisor. Service-linked roles are predefined by Trusted Advisor, and they include all the permissions that the service requires to call other Amazon services on your behalf. Trusted Advisor uses this role to check your usage across Amazon and to provide recommendations to improve your Amazon environment. For example, Trusted Advisor analyzes your Amazon Elastic Compute Cloud (Amazon EC2) instance use to help you reduce costs, increase performance, tolerate failures, and improve security.
Note
Amazon Web Services Support uses a separate IAM service-linked role for accessing your account's resources to provide billing, administrative, and support services. For more information, see Using service-linked roles for Amazon Web Services Support.
For information about other services that support service-linked roles, see Amazon services that work with IAM. Look for the services that have Yes in the Service-linked role column. Choose a Yes with a link to view the service-linked role documentation for that service.
Topics
Service-linked role permissions for Trusted Advisor
Trusted Advisor uses two service-linked roles:
-
AWSServiceRoleForTrustedAdvisor
– This role trusts the Trusted Advisor service to assume the role to access Amazon services on your behalf. The role permissions policy allows Trusted Advisor read-only access for all Amazon resources. This role simplifies getting started with your Amazon account, because you don't have to add the necessary permissions for Trusted Advisor. When you open an Amazon account, Trusted Advisor creates this role for you. The defined permissions include the trust policy and the permissions policy. You can't attach the permissions policy to any other IAM entity. For more information about the attached policy, see AWSTrustedAdvisorServiceRolePolicy.
-
AWSServiceRoleForTrustedAdvisorReporting
– This role trusts the Trusted Advisor service to assume the role for the organizational view feature. This role enables Trusted Advisor as a trusted service in your Amazon Organizations organization. Trusted Advisor creates this role for you when you enable organizational view. For more information about the attached policy, see AWSTrustedAdvisorReportingServiceRolePolicy.
You can use the organizational view to create reports for Trusted Advisor check results for all accounts in your organization. For more information about this feature, see Organizational view for Amazon Trusted Advisor.
Manage permissions for service-linked roles
You must configure permissions to allow an IAM entity (such as a user, group, or role)
to create, edit, or delete a service-linked role. The following examples use the
AWSServiceRoleForTrustedAdvisor
service-linked role.
Example : Allow an IAM entity to create the AWSServiceRoleForTrustedAdvisor
service-linked role
This step is necessary only if the Trusted Advisor account is disabled, the service-linked role is deleted, and the user must recreate the role to reenable Trusted Advisor.
You can add the following statement to the permissions policy for the IAM entity to create the service-linked role.
{ "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole", "iam:PutRolePolicy" ], "Resource": "arn:aws:iam::*:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor*", "Condition": {"StringLike": {"iam:AWSServiceName": "trustedadvisor.amazonaws.com"}} }
Example : Allow an IAM entity to edit the description of the
AWSServiceRoleForTrustedAdvisor
service-linked role
You can only edit the description for the AWSServiceRoleForTrustedAdvisor
role. You can add
the following statement to the permissions policy for the IAM entity to edit the
description of a service-linked role.
{ "Effect": "Allow", "Action": [ "iam:UpdateRoleDescription" ], "Resource": "arn:aws:iam::*:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor*", "Condition": {"StringLike": {"iam:AWSServiceName": "trustedadvisor.amazonaws.com"}} }
Example : Allow an IAM entity to delete the AWSServiceRoleForTrustedAdvisor
service-linked
role
You can add the following statement to the permissions policy for the IAM entity to delete a service-linked role.
{ "Effect": "Allow", "Action": [ "iam:DeleteServiceLinkedRole", "iam:GetServiceLinkedRoleDeletionStatus" ], "Resource": "arn:aws:iam::*:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor*", "Condition": {"StringLike": {"iam:AWSServiceName": "trustedadvisor.amazonaws.com"}} }
You can also use an Amazon managed policy, such as AdministratorAccess
Creating a service-linked role for Trusted Advisor
You don't need to manually create the AWSServiceRoleForTrustedAdvisor
service-linked role.
When you open an Amazon account, Trusted Advisor creates the service-linked role for
you.
Important
If you were using the Trusted Advisor service before it began supporting service-linked
roles, then Trusted Advisor already created the AWSServiceRoleForTrustedAdvisor
role in your
account. To learn more, see A new
role appeared in my IAM account in the
IAM User Guide.
If your account doesn't have the AWSServiceRoleForTrustedAdvisor
service-linked role, then
Trusted Advisor won't work as expected. This can happen if someone in your account disabled
Trusted Advisor and then deleted the service-linked role. In this case, you can use IAM to
create the AWSServiceRoleForTrustedAdvisor
service-linked role, and then reenable
Trusted Advisor.
To enable Trusted Advisor (console)
-
Use the IAM console, Amazon CLI, or the IAM API to create a service-linked role for Trusted Advisor. For more information, see Creating a service-linked role.
-
Sign in to the Amazon Web Services Management Console, and then navigate to the Trusted Advisor console at https://console.amazonaws.cn/trustedadvisor
. The Disabled Trusted Advisor status banner appears in the console.
-
Choose Enable Trusted Advisor Role from the status banner. If the required
AWSServiceRoleForTrustedAdvisor
isn't detected, the disabled status banner remains.
Editing a service-linked role for Trusted Advisor
You can't change the name of a service-linked role because various entities might reference the role. However, you can use the IAM console, Amazon CLI, or the IAM API to edit the description of the role. For more information, see Editing a service-linked role in the IAM User Guide.
Deleting a service-linked role for Trusted Advisor
If you don't need to use the features or services of Trusted Advisor, you can delete the
AWSServiceRoleForTrustedAdvisor
role. You must disable Trusted Advisor before you
can delete this service-linked role. This prevents you from removing permissions required by
Trusted Advisor operations. When you disable Trusted Advisor, you disable all service features,
including offline processing and notifications. Also, if you disable Trusted Advisor for a
member account, then the separate payer account is also affected, which means you won't
receive Trusted Advisor checks that identify ways to save costs. You can't access the Trusted Advisor
console. API calls to Trusted Advisor return an access denied error.
You must recreate the AWSServiceRoleForTrustedAdvisor
service-linked role in the account
before you can reenable Trusted Advisor.
You must first disable Trusted Advisor in the console before you can delete the
AWSServiceRoleForTrustedAdvisor
service-linked role.
To disable Trusted Advisor
-
Sign in to the Amazon Web Services Management Console and navigate to the Trusted Advisor console at https://console.amazonaws.cn/trustedadvisor
. -
In the navigation pane, choose Preferences.
-
In the Service Linked Role Permissions section, choose Disable Trusted Advisor.
-
In the confirmation dialog box, choose OK to confirm that you want to disable Trusted Advisor.
After you disable Trusted Advisor, all Trusted Advisor functionality is disabled, and the Trusted Advisor console displays only the disabled status banner.
You can then use the IAM console, the Amazon CLI, or the IAM API to delete the
Trusted Advisor service-linked role named AWSServiceRoleForTrustedAdvisor
. For more information, see
Deleting a service-linked role in the IAM User Guide.