Using service-linked roles for AWS Audit Manager

AWS Audit Manager uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Audit Manager. Service-linked roles are predefined by Audit Manager and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up AWS Audit Manager easier because you don’t have to manually add the necessary permissions. Audit Manager defines the permissions of its service-linked roles, and unless defined otherwise, only Audit Manager can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see AWS services that work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-linked role permissions for AWS Audit Manager

Audit Manager uses the service-linked role named AWSServiceRoleForAuditManager, which enables access to AWS services and resources used or managed by AWS Audit Manager.

The AWSServiceRoleForAuditManager service-linked role trusts only the Audit Manager service principal, auditmanager.amazonaws.com, to assume the role.

The role permissions policy, AWSAuditManagerServiceRolePolicy, allows Audit Manager to perform the following actions. All of them only read configuration (Describe, Get and List calls, plus generating the IAM credential report); the policy grants no write access to the resources it inspects:

  • cloudtrail:DescribeTrails

  • cloudwatch:DescribeAlarms

  • cognito-idp:DescribeUserPool

  • config:DescribeConfigRules

  • config:DescribeDeliveryChannels

  • config:ListDiscoveredResources

  • dynamodb:DescribeTable

  • dynamodb:ListTables

  • ec2:DescribeFlowLogs

  • ec2:DescribeInstances

  • ec2:DescribeNetworkAcls

  • ec2:DescribeRouteTables

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSnapshots

  • ec2:DescribeVolumes

  • ec2:DescribeVpcEndpoints

  • ec2:DescribeVpcs

  • elasticfilesystem:DescribeFileSystems

  • events:DescribeRule

  • iam:GenerateCredentialReport

  • iam:GetAccountPasswordPolicy

  • iam:GetAccountSummary

  • iam:ListEntitiesForPolicy

  • iam:ListGroupPolicies

  • iam:ListGroups

  • iam:ListPolicies

  • iam:ListRolePolicies

  • iam:ListRoles

  • iam:ListUserPolicies

  • iam:ListUsers

  • kms:DescribeKey

  • kms:GetKeyPolicy

  • kms:GetKeyRotationStatus

  • kms:ListGrants

  • kms:ListKeyPolicies

  • kms:ListKeys

  • license-manager:ListAssociationsForLicenseConfiguration

  • license-manager:ListUsageForLicenseConfiguration

  • organizations:DescribeOrganization

  • organizations:DescribePolicy

  • rds:DescribeDBInstances

  • redshift:DescribeClusters

  • route53:GetQueryLoggingConfig

  • s3:GetEncryptionConfiguration

  • s3:GetLifecycleConfiguration

  • s3:ListAllMyBuckets

To view the full permissions details of the service-linked role AWSServiceRoleForAuditManager, go to the Audit Manager console, choose Settings, and then choose View IAM service-linked role permissions.
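As an added example (not AWS code and not part of the Audit Manager console), the following Python script checks the two properties described above from the output of aws iam get-role and aws iam get-policy-version: that the role sits at the service-linked path and trusts only auditmanager.amazonaws.com, and that every action the permissions policy allows is a Describe, Get or List call. The sample documents, the account ID 123456789012 and the out-of-place s3:PutBucketPolicy action are constructed for the demonstration; feed the real JSON to the same functions.

```python
"""Verify the AWSServiceRoleForAuditManager posture from IAM API output.

Added example for this page, not AWS code. The two sample documents are
constructed to match the shape of `aws iam get-role` and
`aws iam get-policy-version` output; in practice load the real JSON instead.
"""
import json
import re

SERVICE_PRINCIPAL = "auditmanager.amazonaws.com"
ROLE_NAME = "AWSServiceRoleForAuditManager"

# Every action in AWSAuditManagerServiceRolePolicy listed on this page is a
# Describe/Get/List call, except GenerateCredentialReport (read-only in effect).
READ_ONLY_VERB = re.compile(r"^(Describe|Get|List)[A-Za-z0-9]+$")
READ_ONLY_EXCEPTIONS = {"iam:GenerateCredentialReport"}

# Constructed sample shaped like `aws iam get-role --role-name AWSServiceRoleForAuditManager`
# (account ID is a placeholder).
SAMPLE_GET_ROLE = {
    "Role": {
        "Path": "/aws-service-role/auditmanager.amazonaws.com/",
        "RoleName": ROLE_NAME,
        "Arn": "arn:aws:iam::123456789012:role/aws-service-role/"
               "auditmanager.amazonaws.com/AWSServiceRoleForAuditManager",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Service": "auditmanager.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }],
        },
    }
}

# Constructed sample permissions policy: a few of the documented actions plus
# one write action that does not belong, so the check has something to catch.
SAMPLE_POLICY_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudtrail:DescribeTrails", "iam:GenerateCredentialReport",
                    "kms:GetKeyPolicy", "s3:ListAllMyBuckets"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["s3:PutBucketPolicy"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _as_doc(doc):
    # Some IAM outputs carry policy documents as JSON strings rather than objects.
    return json.loads(doc) if isinstance(doc, str) else doc


def trust_policy_problems(get_role_output):
    """Findings about the role's path, name and trust policy; [] means it looks like the genuine SLR."""
    role = get_role_output["Role"]
    problems = []
    expected_path = f"/aws-service-role/{SERVICE_PRINCIPAL}/"
    if role.get("Path") != expected_path:
        problems.append(f"path {role.get('Path')!r}, expected {expected_path!r}")
    if role.get("RoleName") != ROLE_NAME:
        problems.append(f"role name {role.get('RoleName')!r}")
    for stmt in _as_list(_as_doc(role["AssumeRolePolicyDocument"]).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            problems.append(f"non-service principal {principal!r}")
            continue
        for svc in _as_list(principal["Service"]):
            if svc != SERVICE_PRINCIPAL:
                problems.append(f"unexpected trusted service {svc!r}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                problems.append(f"unexpected trust action {action!r}")
    return problems


def non_read_only_actions(policy_doc):
    """Allowed actions that are not plain Describe/Get/List calls (wildcards are flagged too)."""
    flagged = []
    for stmt in _as_list(_as_doc(policy_doc).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # NotAction grants everything else; always flag it
            flagged.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in READ_ONLY_EXCEPTIONS:
                continue
            _service, _, verb = action.partition(":")
            if "*" in action or not READ_ONLY_VERB.match(verb):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    print("trust policy findings:", trust_policy_problems(SAMPLE_GET_ROLE))
    print("non read-only actions:", non_read_only_actions(SAMPLE_POLICY_DOC))
```

The trust check deliberately refuses any principal type other than Service and any service other than auditmanager.amazonaws.com, which is the "only Audit Manager can assume its roles" guarantee stated above; the action check treats wildcards and NotAction as findings because they cannot be proven read-only by inspection.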

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.

Creating a service-linked role for AWS Audit Manager

You don't need to manually create a service-linked role. When you enable AWS Audit Manager, the service automatically creates the service-linked role for you. You can enable Audit Manager from the onboarding page of the AWS Management Console, or via the API or AWS CLI. For more information, see Enable AWS Audit Manager in this user guide.

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account.

Editing a service-linked role for AWS Audit Manager

AWS Audit Manager does not allow you to edit the AWSServiceRoleForAuditManager service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

To allow an IAM entity to edit the description of the AWSServiceRoleForAuditManager service-linked role

Add the following statement to the permissions policy for the IAM entity that needs to edit the description of a service-linked role.

{
    "Effect": "Allow",
    "Action": [
        "iam:UpdateRoleDescription"
    ],
    "Resource": "arn:aws:iam::*:role/aws-service-role/*",
    "Condition": {"StringLike": {"iam:AWSServiceName": "auditmanager.amazonaws.com"}}
}

The Condition limits the grant to roles linked to the Audit Manager service principal, auditmanager.amazonaws.com, so the same permission cannot be used on other services' service-linked roles. The value must be spelled exactly: an empty or mistyped service name never matches, and the statement then grants nothing.
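To see what the Condition does, here is an added example (not AWS code, and not IAM's real policy evaluation engine) that evaluates this one statement against three requests: the Audit Manager service-linked role, a service-linked role for a placeholder service named otherservice.amazonaws.com, and an ordinary role. The account ID 123456789012, the placeholder service and the role names other than AWSServiceRoleForAuditManager are assumptions.

```python
"""Minimal evaluator for the single Allow statement above.

Added example for this page, not AWS code and not IAM's policy engine: it
models only Action, Resource and a StringLike condition for one Allow
statement (no Deny, NotAction, policy variables or other operators).
"""
import fnmatch

SERVICE_PRINCIPAL = "auditmanager.amazonaws.com"

# The statement from this page, with the Audit Manager service principal as
# the condition value.
UPDATE_DESCRIPTION_STATEMENT = {
    "Effect": "Allow",
    "Action": ["iam:UpdateRoleDescription"],
    "Resource": "arn:aws:iam::*:role/aws-service-role/*",
    "Condition": {"StringLike": {"iam:AWSServiceName": SERVICE_PRINCIPAL}},
}

# Constructed request targets (account ID and the second service are placeholders).
AUDIT_MANAGER_SLR = ("arn:aws:iam::123456789012:role/aws-service-role/"
                     "auditmanager.amazonaws.com/AWSServiceRoleForAuditManager")
OTHER_SERVICE_SLR = ("arn:aws:iam::123456789012:role/aws-service-role/"
                     "otherservice.amazonaws.com/AWSServiceRoleForOtherService")
ORDINARY_ROLE = "arn:aws:iam::123456789012:role/DeployRole"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, fold_case=False):
    # IAM treats * and ? as wildcards; action names match case-insensitively.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def statement_allows(stmt, action, resource, context):
    """True if this one Allow statement matches the request; context holds IAM condition keys."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(_glob(p, action, fold_case=True) for p in _as_list(stmt.get("Action", []))):
        return False
    if not any(_glob(p, resource) for p in _as_list(stmt.get("Resource", []))):
        return False
    condition = stmt.get("Condition", {})
    unsupported = set(condition) - {"StringLike"}
    if unsupported:  # refuse rather than silently allow what this toy cannot model
        raise NotImplementedError(f"condition operators not modelled: {sorted(unsupported)}")
    for key, patterns in condition.get("StringLike", {}).items():
        value = context.get(key)
        if value is None:  # key absent from the request: StringLike does not match
            return False
        if not any(_glob(p, value) for p in _as_list(patterns)):
            return False
    return True


def evaluate_cases(stmt=UPDATE_DESCRIPTION_STATEMENT):
    """Run the statement against three requests; only the Audit Manager SLR should pass."""
    return {
        "audit_manager_slr": statement_allows(
            stmt, "iam:UpdateRoleDescription", AUDIT_MANAGER_SLR,
            {"iam:AWSServiceName": "auditmanager.amazonaws.com"}),
        "other_service_slr": statement_allows(
            stmt, "iam:UpdateRoleDescription", OTHER_SERVICE_SLR,
            {"iam:AWSServiceName": "otherservice.amazonaws.com"}),
        "ordinary_role": statement_allows(
            stmt, "iam:UpdateRoleDescription", ORDINARY_ROLE, {}),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_cases().items():
        print(f"{name}: {'allowed' if allowed else 'not allowed'}")
    # A blank service name in the condition never matches anything.
    blank = dict(UPDATE_DESCRIPTION_STATEMENT,
                 Condition={"StringLike": {"iam:AWSServiceName": ""}})
    print("blank condition value:", evaluate_cases(blank))
```

The other service's role is rejected by the Condition, not by the Resource pattern, which is the point of combining the two: the aws-service-role path alone would cover every service-linked role in the account.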

Supported Regions for AWS Audit Manager service-linked roles

AWS Audit Manager supports using service-linked roles in all of the Regions where the service is available. For more information, see AWS service endpoints.