Service-linked roles for Amazon Macie - Amazon Macie

Service-linked roles for Amazon Macie

Amazon Macie uses an AWS Identity and Access Management (IAM) service-linked role named AWSServiceRoleForAmazonMacie. The service-linked role is a unique type of IAM role that's linked directly to Macie. It's predefined by Macie and includes all the permissions that Macie needs to call other AWS services on your behalf. Macie uses the service-linked role in all the AWS Regions where Macie is available.

A service-linked role makes setting up Macie easier because you don't have to manually add the necessary permissions. Macie defines the permissions of its service-linked role, and unless defined otherwise, only Macie can assume the role. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.

You can delete the Macie service-linked role only after you first disable Macie in all the Regions where it's enabled. This protects your Macie resources because you can't inadvertently remove permissions to access the resources.

Service-linked role permissions for Macie

Macie uses the service-linked role named AWSServiceRoleForAmazonMacie. This role trusts the macie.amazonaws.com service to assume the role.

The permissions policy for the role allows Macie to perform tasks such as:

  • Use Amazon S3 actions to retrieve information about S3 buckets and objects.

  • Use Amazon S3 actions to retrieve S3 objects.

  • Use AWS Organizations actions to describe associated accounts.

  • Use Amazon CloudWatch Logs actions to log events for sensitive data discovery jobs.

The role is configured with the following permissions policy, named AmazonMacieServiceRolePolicy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents",
        "iam:ListAccountAliases",
        "organizations:DescribeAccount",
        "organizations:ListAccounts",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:CreateTrail",
        "cloudtrail:StartLogging",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "arn:aws:cloudtrail:*:*:trail/AWSMacieTrail-DO-NOT-EDIT"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucketWebsite",
        "s3:DeleteObject",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersion",
        "s3:DeleteObjectVersionTagging",
        "s3:PutBucketPolicy"
      ],
      "Resource": [
        "arn:aws:s3:::awsmacie-*",
        "arn:aws:s3:::awsmacietrail-*",
        "arn:aws:s3:::*-awsmacietrail-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/macie/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/macie/*:log-stream:*"
      ]
    }
  ]
}

For details about updates to the AmazonMacieServiceRolePolicy policy, see Macie updates to AWS managed policies.

Amazon Macie and Amazon Macie Classic use the same service-linked role and permissions policy. (This helps Macie Classic users move to and use Macie.) Macie performs all the actions allowed by the policy except CreateTrail, StartLogging, StopLogging, UpdateTrail, PutEventSelectors, and DeleteTrail. Only Macie Classic performs those actions on resources, as defined by the policy.

In addition, Macie doesn’t perform actions on the arn:aws:cloudtrail:*:*:trail/AWSMacieTrail-DO-NOT-EDIT trail or S3 buckets that have the following Amazon Resource Names: arn:aws:s3:::awsmacie-*, arn:aws:s3:::awsmacietrail-*, and arn:aws:s3:::*-awsmacietrail-*. Only Macie Classic performs actions on those resources, as defined by the policy.
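The following is an added example, not AWS code: an offline least-privilege review of the AmazonMacieServiceRolePolicy document shown above that separates the permissions Macie itself uses from the Macie Classic carve-out described in the two preceding paragraphs, and flags any non-read action granted on Resource "*". The embedded policy is the one on this page; the same function accepts the JSON returned by `aws iam get-policy-version`, so it can be re-run after a managed-policy update.

```python
# Added example (not AWS code): offline least-privilege review of the
# AmazonMacieServiceRolePolicy shown above. Works on the JSON from
# `aws iam get-policy-version`, so it can be re-run after a policy update.
MACIE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTags", "cloudtrail:LookupEvents", "iam:ListAccountAliases",
        "organizations:DescribeAccount", "organizations:ListAccounts", "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketLogging",
        "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetReplicationConfiguration",
        "s3:ListBucket", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging"]},
    {"Effect": "Allow", "Resource": "arn:aws:cloudtrail:*:*:trail/AWSMacieTrail-DO-NOT-EDIT", "Action": [
        "cloudtrail:CreateTrail", "cloudtrail:StartLogging", "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail", "cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors"]},
    {"Effect": "Allow", "Resource": ["arn:aws:s3:::awsmacie-*", "arn:aws:s3:::awsmacietrail-*",
        "arn:aws:s3:::*-awsmacietrail-*"], "Action": [
        "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteBucketWebsite",
        "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion",
        "s3:DeleteObjectVersionTagging", "s3:PutBucketPolicy"]},
    {"Effect": "Allow", "Resource": ["arn:aws:logs:*:*:log-group:/aws/macie/*"],
        "Action": ["logs:CreateLogGroup"]},
    {"Effect": "Allow", "Resource": ["arn:aws:logs:*:*:log-group:/aws/macie/*:log-stream:*"],
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]}]}
# Resources the page says only Macie Classic touches; statements scoped to them are carve-outs.
CLASSIC_ONLY_RESOURCES = {"arn:aws:cloudtrail:*:*:trail/AWSMacieTrail-DO-NOT-EDIT",
                          "arn:aws:s3:::awsmacie-*", "arn:aws:s3:::awsmacietrail-*",
                          "arn:aws:s3:::*-awsmacietrail-*"}
READ_PREFIXES = ("Get", "List", "Describe", "Lookup")  # IAM read-style action verbs

def as_list(v):
    return v if isinstance(v, list) else [v]

def is_read_only(action):
    return action.split(":", 1)[1].startswith(READ_PREFIXES)

def review(policy):
    """Split Allow actions into Macie vs Classic-only; flag non-read actions granted on "*"."""
    macie, classic_only, findings = set(), set(), []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        resources = set(as_list(st["Resource"]))
        target = classic_only if resources <= CLASSIC_ONLY_RESOURCES else macie
        for act in as_list(st["Action"]):
            target.add(act)
            if "*" in resources and not is_read_only(act):
                findings.append(f"{act} is allowed on every resource")
    return {"macie": macie, "classic_only": classic_only, "findings": findings,
            "macie_writes": {a for a in macie if not is_read_only(a)}}
```

For the policy on this page, the only write actions left to Macie itself are the three CloudWatch Logs calls; every S3 and CloudTrail mutation falls in the Classic-only set.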

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.

Create a service-linked role for Macie

You don't need to manually create a service-linked role for Macie. When you enable Macie, Macie automatically creates the AWSServiceRoleForAmazonMacie service-linked role for you.

Edit a service-linked role for Macie

You can edit the description of the AWSServiceRoleForAmazonMacie service-linked role by using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Delete a service-linked role for Macie

If you no longer need to use Macie, we recommend that you delete the AWSServiceRoleForAmazonMacie service-linked role. Before you can delete the role, you must disable Macie in each AWS Region where it's enabled. When you disable Macie, it doesn't delete the role for you. Therefore, if you enable Macie again, it can use the existing role.

You can use the IAM console, the AWS CLI, or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role. You can then manually delete the role. For more information, see Deleting a service-linked role in the IAM User Guide.

If you delete this service-linked role and then need to create it again, you can use the same process to re-create the role in your account. When you enable Macie, Macie re-creates the service-linked role for you.