Service-linked roles for Amazon Macie - Amazon Macie

Amazon Macie uses an AWS Identity and Access Management (IAM) service-linked role to gain the permissions that it requires to call other AWS services on your behalf.

Permissions for Macie

Macie uses the service-linked role named AWSServiceRoleForAmazonMacie. This role trusts the macie.amazonaws.com service to assume the role.

The permissions policy for the role allows Macie to perform tasks such as:

  • Use Amazon S3 actions to retrieve information about S3 buckets and objects

  • Use Amazon S3 actions to retrieve S3 objects

  • Use AWS Organizations actions to describe associated accounts

The role is configured with the following permissions policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListTags",
                "cloudtrail:LookupEvents",
                "iam:ListAccountAliases",
                "organizations:DescribeAccount",
                "organizations:ListAccounts",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetReplicationConfiguration",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": "arn:aws:cloudtrail:*:*:trail/AWSMacieTrail-DO-NOT-EDIT",
            "Action": [
                "cloudtrail:CreateTrail",
                "cloudtrail:StartLogging",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:DeleteTrail",
                "cloudtrail:PutEventSelectors"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::awsmacie-*",
                "arn:aws:s3:::awsmacietrail-*",
                "arn:aws:s3:::*-awsmacietrail-*"
            ],
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteBucketWebsite",
                "s3:DeleteObject",
                "s3:DeleteObjectTagging",
                "s3:DeleteObjectVersion",
                "s3:DeleteObjectVersionTagging",
                "s3:PutBucketPolicy"
            ]
        }
    ]
}

Amazon Macie and Amazon Macie Classic use the same service-linked role and permissions policy. (This helps Macie Classic users move to and use Macie.) Macie performs all the actions allowed by the policy except CreateTrail, StartLogging, StopLogging, UpdateTrail, PutEventSelectors, and DeleteTrail.

In addition, Macie doesn’t perform actions on the arn:aws:cloudtrail:*:*:trail/AWSMacieTrail-DO-NOT-EDIT trail or S3 buckets that have the following Amazon Resource Names: arn:aws:s3:::awsmacie-*, arn:aws:s3:::awsmacietrail-*, and arn:aws:s3:::*-awsmacietrail-*. Only Macie Classic performs actions for those resources, as defined by the policy.
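As an added example (not part of the Macie documentation), the following Python splits the policy above into the actions Macie itself exercises and those this page reserves for Macie Classic, then uses that split to flag CloudTrail records in which the service-linked role performed a Classic-only action. The policy literal is an abridged copy of the one above, and the account ID and CloudTrail records are constructed for the example.

```python
# Trimmed copy of this page's policy as a Python literal (statements 1 and 3 abridged).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": ["cloudtrail:DescribeTrails",
         "organizations:ListAccounts", "s3:GetBucketPolicy", "s3:GetObject"]},
        {"Effect": "Allow",
         "Resource": "arn:aws:cloudtrail:*:*:trail/AWSMacieTrail-DO-NOT-EDIT",
         "Action": ["cloudtrail:CreateTrail", "cloudtrail:StartLogging",
                    "cloudtrail:StopLogging", "cloudtrail:UpdateTrail",
                    "cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors"]},
        {"Effect": "Allow", "Resource": ["arn:aws:s3:::awsmacie-*",
         "arn:aws:s3:::awsmacietrail-*", "arn:aws:s3:::*-awsmacietrail-*"],
         "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:PutBucketPolicy"]},
    ],
}

# Constructed CloudTrail records carrying only the fields the check reads;
# MACIE_ARN is the session ARN shape of the assumed service-linked role.
MACIE_ARN = "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForAmazonMacie/s"
ADMIN_ARN = "arn:aws:sts::111122223333:assumed-role/Admin/alice"
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy", "userIdentity": {"arn": MACIE_ARN}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "CreateTrail", "userIdentity": {"arn": MACIE_ARN}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "CreateTrail", "userIdentity": {"arn": ADMIN_ARN}},
]

def legacy_scope(resource):
    # A statement scoped only to the Classic trail or the awsmacie*/awsmacietrail*
    # buckets grants actions the page says Macie itself never performs.
    resources = [resource] if isinstance(resource, str) else resource
    return all("AWSMacieTrail-DO-NOT-EDIT" in r or "awsmacie" in r for r in resources)

def partition_actions(policy):
    # Split the policy's actions into those Macie uses and those reserved for Classic.
    used, classic = set(), set()
    for stmt in policy["Statement"]:
        (classic if legacy_scope(stmt["Resource"]) else used).update(stmt["Action"])
    return used, classic

def unexpected_role_events(events, policy):
    # Flag records where the Macie role performed a Classic-only action; in an
    # account that never ran Macie Classic these are worth investigating.
    _, classic = partition_actions(policy)
    flagged = []
    for ev in events:
        action = ev["eventSource"].split(".")[0] + ":" + ev["eventName"]
        if "/AWSServiceRoleForAmazonMacie" in ev["userIdentity"]["arn"] and action in classic:
            flagged.append(action)
    return flagged
```

The role-name match covers both the IAM role ARN and the assumed-role session ARN that CloudTrail records for a service-linked role.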

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.

Create a service-linked role for Macie

You don't need to manually create a service-linked role for Macie. When you enable Macie, Macie automatically creates the AWSServiceRoleForAmazonMacie service-linked role for you.

Edit a service-linked role for Macie

You can edit the description of AWSServiceRoleForAmazonMacie by using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Delete a service-linked role for Macie

If you no longer need to use Macie, we recommend that you delete the AWSServiceRoleForAmazonMacie role. Before you can delete the role, you must disable Macie in each AWS Region where it's enabled. When you disable Macie, it doesn't delete the role for you. Therefore, if you enable Macie again, it can use the existing role.

You can use the IAM console, the AWS CLI, or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role. You can then manually delete the role. For more information, see Deleting a service-linked role in the IAM User Guide.

If you delete this service-linked role, and then need to create it again, you can use the same process to re-create the role in your account. When you enable Macie, Macie creates the service-linked role for you again.