AWS Identity and Access Management
User Guide

Providing Access to an AWS Service

Many AWS services require that you use roles to control what that service can access. A role that a service assumes to perform actions on your behalf is called a service role. When a service role serves a specialized purpose, it can be categorized as a service role for EC2 instances, or a service role linked to a service. See the AWS documentation for each service to see if it uses roles and to learn how to assign a role for the service to use.

For details about creating a role to delegate access to a service offered by AWS, see Creating a Role to Delegate Permissions to an AWS Service.

Service Roles

When you set up most AWS service environments, you must define a role for the service to assume. This service role must include all the permissions required for the service to access the AWS resources that it needs. Service roles vary from service to service, but many allow you to choose your permissions, as long as you meet the documented requirements for that service. You can create, modify, and delete a service role from within IAM.

Service Roles for EC2 Instances

Suppose you use the Amazon EC2 service to launch an instance that runs your application. That instance will probably need permission to access AWS resources such as an Amazon S3 bucket or a DynamoDB table. To provide these permissions, you must create a role that is assigned to the Amazon EC2 instance when it is launched. AWS automatically provides temporary security credentials that are attached to the role, and then makes them available for the Amazon EC2 instance to use on behalf of its applications. For more information, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances.

Service Roles Linked to a Service

Some AWS services require that you use a unique type of service role that is linked directly to the service. This role is predefined by the service, and includes all the permissions that the service requires. This makes setting up a service easier because you don’t have to manually add the necessary permissions. You can create this role from within IAM, but because the role is linked to the service, you cannot customize the role within IAM. You can manage and delete these roles only through the linked service.


You might already be using a service when it begins supporting service roles linked to a service. If so, you might receive an email telling you about a new role that will be added to your account. This role includes all the permissions that the service needs to perform actions on your behalf. You don't need to take any action to support this role. However, you should not delete the role from your account. Doing so could remove permissions that the service needs to access AWS resources.