Elastic Load Balancing service-linked role - Elastic Load Balancing

Elastic Load Balancing service-linked role

Elastic Load Balancing uses a service-linked role for the permissions that it requires to call other AWS services on your behalf. For more information, see Using service-linked roles in the IAM User Guide.

Permissions granted by the service-linked role

Elastic Load Balancing uses the service-linked role named AWSServiceRoleForElasticLoadBalancing to call the following actions on your behalf:

  • ec2:AssignIpv6Addresses

  • ec2:AssignPrivateIpAddresses

  • ec2:AssociateAddress

  • ec2:AttachNetworkInterface

  • ec2:AuthorizeSecurityGroupIngress

  • ec2:CreateNetworkInterface

  • ec2:CreateSecurityGroup

  • ec2:DeleteNetworkInterface

  • ec2:DescribeAccountAttributes

  • ec2:DescribeAddresses

  • ec2:DescribeClassicLinkInstances

  • ec2:DescribeCoipPools

  • ec2:DescribeInstances

  • ec2:DescribeInternetGateways

  • ec2:DescribeNetworkInterfaces

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSubnets

  • ec2:DescribeVpcClassicLink

  • ec2:DescribeVpcPeeringConnections

  • ec2:DescribeVpcs

  • ec2:DetachNetworkInterface

  • ec2:DisassociateAddress

  • ec2:GetCoipPoolUsage

  • ec2:ModifyNetworkInterfaceAttribute

  • ec2:ReleaseAddress

  • ec2:UnassignIpv6Addresses

  • logs:CreateLogDelivery

  • logs:DeleteLogDelivery

  • logs:GetLogDelivery

  • logs:ListLogDeliveries

  • logs:UpdateLogDelivery

  • outposts:GetOutpostInstanceTypes

AWSServiceRoleForElasticLoadBalancing trusts the elasticloadbalancing.amazonaws.com service to assume the role.

Create the service-linked role

You don't need to manually create the AWSServiceRoleForElasticLoadBalancing role. Elastic Load Balancing creates this role for you when you create a load balancer or a target group.

For Elastic Load Balancing to create a service-linked role on your behalf, you must have the required permissions. For more information, see Service-linked role permissions in the IAM User Guide.

If you created a load balancer before January 11, 2018, Elastic Load Balancing created AWSServiceRoleForElasticLoadBalancing in your AWS account. For more information, see A new role appeared in my AWS account in the IAM User Guide.

Edit the service-linked role

You can edit the description of AWSServiceRoleForElasticLoadBalancing using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Delete the service-linked role

If you no longer need to use Elastic Load Balancing, we recommend that you delete AWSServiceRoleForElasticLoadBalancing.

You can delete this service-linked role only after you delete all load balancers in your AWS account. This ensures that you can't inadvertently remove permission to access your load balancers. For more information, see Delete an Application Load Balancer, Delete a Network Load Balancer, and Delete a Classic Load Balancer.

You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Deleting a service-linked role in the IAM User Guide.

After you delete AWSServiceRoleForElasticLoadBalancing, Elastic Load Balancing creates the role again if you create a load balancer.