Menu
Elastic Load Balancing
User Guide

Elastic Load Balancing Service-Linked Role

Elastic Load Balancing uses a service-linked role for the permissions that it requires to call other AWS services on your behalf. For more information, see Using Service-Linked Roles in the IAM User Guide.

Permissions Granted by the Service-Linked Role

Elastic Load Balancing uses the service-linked role named AWSServiceRoleForElasticLoadBalancing to call the following actions on your behalf:

  • ec2:DescribeAddresses

  • ec2:DescribeInstances

  • ec2:DescribeSubnets

  • ec2:DescribeSecurityGroups

  • ec2:DescribeVpcs

  • ec2:DescribeInternetGateways

  • ec2:DescribeAccountAttributes

  • ec2:DescribeClassicLinkInstances

  • ec2:DescribeVpcClassicLink

  • ec2:CreateSecurityGroup

  • ec2:CreateNetworkInterface

  • ec2:DeleteNetworkInterface

  • ec2:ModifyNetworkInterface

  • ec2:ModifyNetworkInterfaceAttribute

  • ec2:AuthorizeSecurityGroupIngress

  • ec2:AssociateAddress

  • ec2:DisassociateAddress

  • ec2:AttachNetworkInterface

  • ec2:DetachNetworkInterface

  • ec2:AssignPrivateIpAddresses

  • ec2:AssignIpv6Addresses

  • ec2:UnassignIpv6Addresses

  • logs:CreateLogDelivery

  • logs:GetLogDelivery

  • logs:UpdateLogDelivery

  • logs:DeleteLogDelivery

  • logs:ListLogDeliveries

AWSServiceRoleForElasticLoadBalancing trusts the elasticloadbalancing.amazonaws.com service to assume the role.

Create the Service-Linked Role

You don't need to manually create the AWSServiceRoleForElasticLoadBalancing role. Elastic Load Balancing creates this role for you when you create a load balancer.

If you created a load balancer before January 11, 2018, Elastic Load Balancing created AWSServiceRoleForElasticLoadBalancing in your AWS account. For more information, see A New Role Appeared in My AWS Account in the IAM User Guide.

Edit the Service-Linked Role

You can edit the description of AWSServiceRoleForElasticLoadBalancing using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Delete the Service-Linked Role

If you no longer need to use Elastic Load Balancing, we recommend that you delete AWSServiceRoleForElasticLoadBalancing.

You can delete this service-linked role only after you delete all load balancers in your AWS account. This ensures that you can't inadvertently remove permission to access your load balancers. For more information, see Delete an Application Load Balancer, Delete a Network Load Balancer, and Delete a Classic Load Balancer.

You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

After you delete AWSServiceRoleForElasticLoadBalancing, Elastic Load Balancing creates the role again if you create a load balancer.