Service-linked role for Amazon EC2 High Availability for SQL Server - Microsoft SQL Server on Amazon EC2

Service-linked role for Amazon EC2 High Availability for SQL Server

Amazon EC2 uses service-linked roles for the permissions that it requires to call other Amazon Web Services services on your behalf. A service-linked role is a unique type of IAM role that is linked directly to an Amazon Web Services service. Service-linked roles provide a secure way to delegate permissions to Amazon Web Services services because only the linked service can assume a service-linked role. For more information about how Amazon EC2 uses IAM roles, including service-linked roles, see IAM roles for Amazon EC2 in the Amazon EC2 User Guide.

Amazon EC2 High Availability for SQL Server uses the service-linked role named AWSServiceRoleForEC2SqlHa to allow the service to detect whether an EC2 instance that's tagged with the EC2 SQL High Availability identifier (SqlHaMonitored set to true) is running in active or passive mode.

Permissions granted by AWSServiceRoleForEC2SqlHa

The AWSServiceRoleForEC2SqlHa service-linked role trusts the following service to assume the role: ec2sqlha.amazonaws.com

Amazon EC2 uses the AWSEC2SqlHaServiceRolePolicy managed policy to complete the following actions:

  • Amazon EC2 – Access is granted for the EC2 SQL High Availability service to describe EC2 instances, instance attributes, and instance status for instances that are tagged with the service identifier (SqlHaMonitored set to true).

  • Amazon EventBridge – Includes access to create Amazon EventBridge event rules and to retrieve details about or delete rules that it created. This allows the execution output of the Systems Manager document AWSEC2-DetectSqlHaState to be forwarded to the service. A managed Amazon EventBridge rule is created to forward Systems Manager Run Command events. Managed rules are predefined by User Notifications and include the event patterns that the service requires to manage customer notifications; unless defined otherwise, only the owning service can use these managed rules.

  • Amazon Systems Manager – Includes access to describe instance information and to list commands and command invocations. To run the command document that begins with AWSEC2-DetectSqlHaState on a monitored instance, access is granted for the SendCommand and GetCommandInvocation operations on EC2 SQL Server instances tagged with the service identifier (SqlHaMonitored set to true).

To view the permissions for this policy, see AWSEC2SqlHaServiceRolePolicy in the Amazon Managed Policy Reference.
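The two properties this page describes, that only ec2sqlha.amazonaws.com may assume the role and that the service acts only on instances tagged SqlHaMonitored set to true, are the things an operator auditing the role would want to check. The following Python is an added example written for this page, not AWS code and not the published AWSEC2SqlHaServiceRolePolicy or trust document: it parses a trust policy in the shape IAM returns, reports which service principals may call sts:AssumeRole, and filters a DescribeInstances-shaped response down to the tagged instances. The sample policy documents, instance IDs and the exact (case-sensitive) tag match are assumptions for illustration.

```python
import json

# Constructed trust policy in the shape IAM returns for a service-linked role.
# Assumed sample for this example; only the service principal name comes from
# the page.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2sqlha.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
})

# Constructed over-broad variant used to show the audit check failing.
SAMPLE_OVERBROAD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["ec2sqlha.amazonaws.com", "ec2.amazonaws.com"]},
            "Action": ["sts:AssumeRole"],
        }
    ],
})

EXPECTED_SERVICE_PRINCIPAL = "ec2sqlha.amazonaws.com"


def assume_role_principals(trust_policy_json):
    """Return the set of service principals that Allow statements in the
    trust policy permit to call sts:AssumeRole. Principal.Service and Action
    may each be a single string or a list, as IAM policy grammar allows."""
    doc = json.loads(trust_policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    principals = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")
            continue
        services = principal.get("Service", [])
        if isinstance(services, str):
            services = [services]
        principals.update(services)
    return principals


def trust_policy_is_expected(trust_policy_json):
    """True only when the EC2 SQL HA service principal is the sole principal
    allowed to assume the role."""
    return assume_role_principals(trust_policy_json) == {EXPECTED_SERVICE_PRINCIPAL}


def is_sqlha_monitored(instance):
    """True when the instance carries the SqlHaMonitored=true tag. The match
    is exact (case-sensitive); the page does not say whether the service
    normalizes case, so this takes the strict reading as an assumption."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "SqlHaMonitored" and tag.get("Value") == "true":
            return True
    return False


def monitored_instance_ids(describe_instances_response):
    """Flatten a DescribeInstances-shaped response and return the IDs of the
    instances the service would treat as monitored."""
    ids = []
    for reservation in describe_instances_response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            if is_sqlha_monitored(instance):
                ids.append(instance["InstanceId"])
    return ids


# Constructed DescribeInstances-shaped sample; instance IDs are placeholders.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0000000000000aaaa",
             "Tags": [{"Key": "SqlHaMonitored", "Value": "true"}]},
            {"InstanceId": "i-0000000000000bbbb",
             "Tags": [{"Key": "SqlHaMonitored", "Value": "True"}]},
            {"InstanceId": "i-0000000000000cccc",
             "Tags": [{"Key": "Name", "Value": "sql-node-3"}]},
        ]}
    ]
}

if __name__ == "__main__":
    print("trust policy as expected:", trust_policy_is_expected(SAMPLE_TRUST_POLICY))
    print("over-broad policy as expected:", trust_policy_is_expected(SAMPLE_OVERBROAD_TRUST_POLICY))
    print("monitored instances:", monitored_instance_ids(SAMPLE_DESCRIBE_INSTANCES))
```

In practice the trust document would come from the role's AssumeRolePolicyDocument as returned by IAM and the instance list from DescribeInstances; the checks above are the same, and any principal beyond ec2sqlha.amazonaws.com, or a wildcard, is what an auditor should flag.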

For more information about using managed policies for EC2 instances, see Amazon managed policies for Amazon EC2 in the Amazon EC2 User Guide.