AWS Elastic Beanstalk
Developer Guide (API Version 2010-12-01)

Elastic Beanstalk Service Role

A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. For example, when Elastic Beanstalk calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Auto Scaling APIs to gather information about the health of its AWS resources for enhanced health monitoring, it uses the service role that you specified when you created the environment.

The AWSElasticBeanstalkEnhancedHealth managed policy contains all of the permissions that Elastic Beanstalk needs to monitor environment health:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeInstanceHealth",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:GetConsoleOutput",
        "ec2:AssociateAddress",
        "ec2:DescribeAddresses",
        "ec2:DescribeSecurityGroups",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeNotificationConfigurations"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

This policy also includes Amazon SQS actions to allow Elastic Beanstalk to monitor queue activity for worker environments.
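When reviewing this policy for least privilege, it helps to separate the read-only calls from any action that changes state while being granted on Resource "*". The following Python check is an added example, not part of the AWS guide; the function name and the read-only prefix list are assumptions made for illustration.

```python
import json

# Policy from the page (AWSElasticBeanstalkEnhancedHealth), whitespace condensed.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": [
     "elasticloadbalancing:DescribeInstanceHealth",
     "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
     "ec2:GetConsoleOutput", "ec2:AssociateAddress",
     "ec2:DescribeAddresses", "ec2:DescribeSecurityGroups",
     "sqs:GetQueueAttributes", "sqs:GetQueueUrl",
     "autoscaling:DescribeAutoScalingGroups",
     "autoscaling:DescribeAutoScalingInstances",
     "autoscaling:DescribeScalingActivities",
     "autoscaling:DescribeNotificationConfigurations"],
   "Resource": ["*"]}]}
""")

# Assumption: these verb prefixes mark read-only calls. This is a naming
# heuristic for review triage, not an AWS-provided classification.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def wildcard_write_actions(policy):
    """Return (statement index, action) for each Allow action on Resource "*"
    that is not read-only by name or that itself contains a wildcard."""
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
                findings.append((index, action))
    return findings


if __name__ == "__main__":
    for index, action in wildcard_write_actions(POLICY):
        print(f"statement {index}: {action} on Resource *")
```

Run against the policy above, the check reports only ec2:AssociateAddress; every other action matches a read-only prefix.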

When you create an environment using the Elastic Beanstalk console, Elastic Beanstalk prompts you to create a service role named aws-elasticbeanstalk-service-role with the default set of permissions and a trust policy that allows Elastic Beanstalk to assume the service role. If you enable managed platform updates, Elastic Beanstalk attaches another policy with permissions that enable that feature.

Similarly, when you create an environment using the eb create command of the Elastic Beanstalk Command Line Interface (EB CLI) and don't specify a service role through the --service-role option, Elastic Beanstalk creates the default service role aws-elasticbeanstalk-service-role. If the default service role already exists, Elastic Beanstalk uses it for the new environment.

When you create an environment by using the CreateEnvironment action of the Elastic Beanstalk API, and don't specify a service role, Elastic Beanstalk creates a service-linked role. This is a unique type of service role that is predefined by Elastic Beanstalk to include all the permissions that the service requires to call other AWS services on your behalf. The service-linked role is associated with your account. Elastic Beanstalk creates it once, then reuses it when creating additional environments. You can also use IAM to create your account's service-linked role in advance. When your account has a service-linked role, you can use it to create an environment by using the Elastic Beanstalk API, the Elastic Beanstalk console, or the EB CLI. For details about using service-linked roles with Elastic Beanstalk environments, see Using Service-Linked Roles for Elastic Beanstalk.

For more information about service roles, see Managing Elastic Beanstalk Service Roles.