Using service-linked roles for Amazon Health - Amazon Health
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using service-linked roles for Amazon Health

Amazon Health uses Amazon Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon Health. Service-linked roles are predefined by Amazon Health and include all the permissions that the service requires to call other Amazon Web Services for you.

You can use a service-linked role to set up Amazon Health to avoid manually adding the necessary permissions. Amazon Health defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Health can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.

Service-linked role permissions for Amazon Health

Amazon Health has two service-linked roles:

  • AWSServiceRoleForHealth_Organizations – This role trusts the Amazon Health service principal (health.amazonaws.com) to assume the role to access Amazon Web Services for you. Attached to this role is the Health_OrganizationsServiceRolePolicy Amazon managed policy.

  • AWSServiceRoleForHealth_EventProcessor – This role trusts the Amazon Health service principal (event-processor.health.amazonaws.com) to assume the role for you. Attached to this role is the AWSHealth_EventProcessorServiceRolePolicy Amazon managed policy. The service principal uses the role to create an Amazon EventBridge managed rule for Amazon Incident Detection and Response. This rule is the infrastructure required in your Amazon Web Services account to deliver alarm state change information from your account to Amazon Health.

For more information about the Amazon managed policies, see Amazon managed policies for Amazon Health.
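The two roles above are fully specified by their name, the service principal allowed to assume them, and the single managed policy attached. The following script is an added example (it is not part of the Amazon Health documentation or of any Amazon tool) that turns those statements into an account check: for each role it verifies the service-linked path, that the trust policy allows sts:AssumeRole only for the documented service principal, and that only the documented managed policy is attached, and it reports documented roles that are absent. The role documents are in the shape IAM returns from GetRole and ListAttachedRolePolicies (with boto3, iam.get_role(RoleName=...)["Role"] and iam.list_attached_role_policies(RoleName=...)["AttachedPolicies"]); the inventory in the block is constructed sample data, including one deliberately nonconforming role to show the finding format.

```python
"""Verify the Amazon Health service-linked roles in an account match the
documented expectations: trust principal, attached managed policy, path.

Added example, not from the Amazon Health documentation. Role documents are
in the shape of IAM GetRole output plus policy names from
ListAttachedRolePolicies. The inventory at the bottom is constructed data.
"""
from typing import Any

# Expected state, as stated on the documentation page.
EXPECTED_ROLES: dict[str, dict[str, str]] = {
    "AWSServiceRoleForHealth_Organizations": {
        "principal": "health.amazonaws.com",
        "policy": "Health_OrganizationsServiceRolePolicy",
    },
    "AWSServiceRoleForHealth_EventProcessor": {
        "principal": "event-processor.health.amazonaws.com",
        "policy": "AWSHealth_EventProcessorServiceRolePolicy",
    },
}


def _as_list(value: Any) -> list:
    """IAM policy JSON allows a scalar wherever a list is permitted; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_role(role: dict[str, Any], attached_policy_names: list[str]) -> list[str]:
    """Return findings for one role; an empty list means it matches the docs."""
    name = role["RoleName"]
    expected = EXPECTED_ROLES.get(name)
    if expected is None:
        return [f"{name}: not a documented Amazon Health service-linked role"]
    findings: list[str] = []

    # Service-linked roles live under /aws-service-role/<service-principal>/.
    want_path = f"/aws-service-role/{expected['principal']}/"
    if role.get("Path") != want_path:
        findings.append(f"{name}: path {role.get('Path')!r} is not {want_path!r}")

    for stmt in _as_list(role["AssumeRolePolicyDocument"].get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            findings.append(f"{name}: trust statement uses principal {principal!r}")
            continue
        # Only the documented service principal may assume the role.
        for ptype, who in principal.items():
            for p in _as_list(who):
                if ptype != "Service" or p != expected["principal"]:
                    findings.append(f"{name}: trust policy allows {ptype} principal {p!r}")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"{name}: trust policy allows action {action!r}")

    attached = set(attached_policy_names)
    if expected["policy"] not in attached:
        findings.append(f"{name}: expected policy {expected['policy']} is not attached")
    for extra in sorted(attached - {expected["policy"]}):
        findings.append(f"{name}: unexpected policy {extra} is attached")
    return findings


def audit_account(inventory: list[tuple[dict[str, Any], list[str]]]) -> dict[str, list[str]]:
    """Audit every role in the inventory and flag documented roles that are absent."""
    report: dict[str, list[str]] = {}
    for role, policies in inventory:
        report[role["RoleName"]] = audit_role(role, policies)
    for name in EXPECTED_ROLES:
        if name not in report:
            report[name] = [f"{name}: role does not exist in this account"]
    return report


def _sample_role(name: str, principals: Any, path: str) -> dict[str, Any]:
    """Build a GetRole-shaped document (constructed sample data)."""
    return {
        "RoleName": name,
        "Path": path,
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": principals},
                           "Action": "sts:AssumeRole"}],
        },
    }


# Constructed inventory: the Organizations role exactly as the docs describe
# it, and an EventProcessor role whose trust policy lists a second principal.
SAMPLE_INVENTORY = [
    (_sample_role("AWSServiceRoleForHealth_Organizations", "health.amazonaws.com",
                  "/aws-service-role/health.amazonaws.com/"),
     ["Health_OrganizationsServiceRolePolicy"]),
    (_sample_role("AWSServiceRoleForHealth_EventProcessor",
                  ["event-processor.health.amazonaws.com", "ec2.amazonaws.com"],
                  "/aws-service-role/event-processor.health.amazonaws.com/"),
     ["AWSHealth_EventProcessorServiceRolePolicy"]),
]

if __name__ == "__main__":
    for role_name, findings in audit_account(SAMPLE_INVENTORY).items():
        print(role_name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Because IAM itself refuses edits to a service-linked role's trust policy, the practical value of this check is as an account baseline: it confirms both roles exist where the service expects them and that nothing extra has been attached, and it gives you a single place to record the documented principal and policy names when the expectations change.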

Creating a service-linked role for Amazon Health

You don't need to create the AWSServiceRoleForHealth_Organizations service-linked role. When you call the EnableHealthServiceAccessForOrganization operation, Amazon Health creates this service-linked role in the account for you.

You must manually create the AWSServiceRoleForHealth_EventProcessor service-linked role in your account. For more information, see Creating a service-linked role in the IAM User Guide.

Editing a service-linked role for Amazon Health

Amazon Health doesn't allow you to edit the service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role for Amazon Health

To delete the AWSServiceRoleForHealth_Organizations role, you must first call the DisableHealthServiceAccessForOrganization operation. You can then delete the role through the IAM console, IAM API, or Amazon Command Line Interface (Amazon CLI).

To delete the AWSServiceRoleForHealth_EventProcessor role, contact Amazon Web Services Support and ask that they offboard your workloads from Amazon Incident Detection and Response. After this process completes, you can then delete the role through the IAM console, IAM API, or Amazon CLI.

For more information, see Using service-linked roles in the IAM User Guide.