Using service-linked roles for Macie
Amazon Macie uses an AWS Identity and Access Management (IAM) service-linked role named AWSServiceRoleForAmazonMacie. This service-linked role is an IAM role that's linked directly to Macie. It's predefined by Macie and it includes all the permissions that Macie requires to call other AWS services and monitor AWS resources on your behalf. Macie uses this service-linked role in all the AWS Regions where Macie is available.
A service-linked role makes setting up Macie easier because you don't have to manually add the necessary permissions. Macie defines the permissions of this service-linked role, and unless defined otherwise, only Macie can assume the role. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.
For information about other services that support service-linked roles, see AWS services that work with IAM and look for the services that have Yes in the Service-linked roles column. Choose a Yes with a link to review the service-linked role documentation for that service.
Service-linked role permissions for Macie
Amazon Macie uses the service-linked role named AWSServiceRoleForAmazonMacie. This service-linked role trusts the macie.amazonaws.com service to assume the role.
The permissions policy for the role, which is named AmazonMacieServiceRolePolicy, allows Macie to perform tasks such as the following on the specified resources:
- Use Amazon S3 actions to retrieve information about S3 buckets and objects.
- Use Amazon S3 actions to retrieve S3 objects.
- Use AWS Organizations actions to retrieve information about associated accounts.
- Use Amazon CloudWatch Logs actions to log events for sensitive data discovery jobs.
The role is configured with the following permissions policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccountAliases",
        "organizations:DescribeAccount",
        "organizations:ListAccounts",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/macie/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/macie/*:log-stream:*"
      ]
    }
  ]
}
For details about updates to the AmazonMacieServiceRolePolicy policy, see Macie updates to AWS managed policies. For automatic alerts about changes to this policy, subscribe to the RSS feed on the Macie document history page.
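As an added example (not part of the Macie documentation), a Python check that audits a copy of the role's two policy documents against the shape described above: the permissions policy is the one shown on this page, while the trust policy JSON is an assumption, since the page only says the role trusts macie.amazonaws.com. In practice the two documents would come from the IAM API; here they are embedded so the check runs offline.

```python
# Permissions policy copied from the Macie documentation (AmazonMacieServiceRolePolicy).
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [
        "iam:ListAccountAliases", "organizations:DescribeAccount", "organizations:ListAccounts",
        "s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets", "s3:GetBucketAcl",
        "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetBucketTagging",
        "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration", "s3:GetReplicationConfiguration", "s3:ListBucket",
        "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup"],
     "Resource": ["arn:aws:logs:*:*:log-group:/aws/macie/*"]},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
     "Resource": ["arn:aws:logs:*:*:log-group:/aws/macie/*:log-stream:*"]}]}

# Assumed trust policy: the page states only that macie.amazonaws.com may assume the role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "macie.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

READ_ONLY_PREFIXES = ("Get", "List", "Describe")
MACIE_LOG_GROUP_ARN_PREFIX = "arn:aws:logs:*:*:log-group:/aws/macie/"


def _as_list(value):
    """IAM allows a string or a list in Principal/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_macie_role(permissions, trust):
    """Return findings where the role drifts from the documented shape (empty list = clean)."""
    findings = []
    for stmt in trust["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("Service", []))
        if stmt["Effect"] == "Allow" and principals != ["macie.amazonaws.com"]:
            findings.append(f"unexpected trust principal: {principals}")
    for stmt in permissions["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            service, _, name = action.partition(":")
            if service == "logs":
                # The only write permissions are log writes, and they must stay under /aws/macie/.
                if not all(r.startswith(MACIE_LOG_GROUP_ARN_PREFIX) for r in resources):
                    findings.append(f"{action} not scoped to /aws/macie/ log groups: {resources}")
            elif "*" in name or not name.startswith(READ_ONLY_PREFIXES):
                # Everything else Macie needs is read-only; a write or wildcard action is drift.
                findings.append(f"non-read-only or wildcard action granted: {action}")
    return findings
```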
You must configure permissions to allow an IAM entity (such as a user or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.
Creating the service-linked role for Macie
You don't need to manually create the AWSServiceRoleForAmazonMacie service-linked role for Amazon Macie. When you enable Macie for your AWS account, Macie automatically creates the service-linked role for you.
If you delete the Macie service-linked role and then need to create it again, you can use the same process to re-create the role in your account. When you enable Macie again, Macie creates the service-linked role again for you.
Editing the service-linked role for Macie
Amazon Macie doesn't allow you to edit the AWSServiceRoleForAmazonMacie service-linked role. After a service-linked role is created, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role by using IAM. For more information, see Updating a service-linked role in the IAM User Guide.
Deleting the service-linked role for Macie
You can delete a service-linked role only after you delete its related resources. This protects your resources because you can't inadvertently remove permission to access the resources.
If you no longer need to use Amazon Macie, we recommend that you manually delete the AWSServiceRoleForAmazonMacie service-linked role. When you disable Macie, Macie doesn't delete the role for you.
Before you delete the role, you must disable Macie in each AWS Region where you enabled it. You must also manually clean up the resources for the role. To delete the role, you can use the IAM console, the AWS CLI, or the AWS API. For more information, see Deleting a service-linked role in the IAM User Guide.
Note: If Macie is using the AWSServiceRoleForAmazonMacie role when you try to delete the resources, the deletion might fail. If that happens, wait a few minutes and then try the operation again.
If you delete the AWSServiceRoleForAmazonMacie service-linked role and need to create it again, you can create it again by enabling Macie for your account. When you enable Macie again, Macie creates the service-linked role again for you.
Supported AWS Regions for the Macie service-linked role
Amazon Macie supports using the AWSServiceRoleForAmazonMacie service-linked role in all the AWS Regions where Macie is available. For a list of Regions where Macie is currently available, see Amazon Macie endpoints and quotas in the AWS General Reference.