Service-linked roles for Amazon Macie

Amazon Macie uses an AWS Identity and Access Management (IAM) service-linked role named AWSServiceRoleForAmazonMacie. This service-linked role is an IAM role that's linked directly to Macie. It's predefined by Macie and it includes all the permissions that Macie requires to call other AWS services on your behalf. Macie uses this service-linked role in all the AWS Regions where Macie is available.

A service-linked role makes setting up Macie easier because you don't have to manually add the necessary permissions. Macie defines the permissions of this service-linked role, and unless defined otherwise, only Macie can assume the role. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide. You can delete a service-linked role only after you delete its related resources. This protects your resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see AWS services that work with IAM and look for the services that have Yes in the Service-linked roles column. Choose a Yes with a link to review the service-linked role documentation for that service.

Service-linked role permissions for Amazon Macie

Amazon Macie uses the service-linked role named AWSServiceRoleForAmazonMacie. This service-linked role trusts the macie.amazonaws.com service to assume the role.

The permissions policy for the role, which is named AmazonMacieServiceRolePolicy, allows Macie to perform tasks such as the following on the specified resources:

  • Use Amazon S3 actions to retrieve information about S3 buckets and objects.

  • Use Amazon S3 actions to retrieve S3 objects.

  • Use AWS Organizations actions to retrieve information about associated accounts.

  • Use Amazon CloudWatch Logs actions to log events for sensitive data discovery jobs.

The role is configured with the following permissions policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents",
        "iam:ListAccountAliases",
        "organizations:DescribeAccount",
        "organizations:ListAccounts",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:CreateTrail",
        "cloudtrail:StartLogging",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "arn:aws:cloudtrail:*:*:trail/AWSMacieTrail-DO-NOT-EDIT"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucketWebsite",
        "s3:DeleteObject",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersion",
        "s3:DeleteObjectVersionTagging",
        "s3:PutBucketPolicy"
      ],
      "Resource": [
        "arn:aws:s3:::awsmacie-*",
        "arn:aws:s3:::awsmacietrail-*",
        "arn:aws:s3:::*-awsmacietrail-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/macie/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/macie/*:log-stream:*"
      ]
    }
  ]
}

For details about updates to the AmazonMacieServiceRolePolicy policy, see Amazon Macie updates to AWS managed policies.

Amazon Macie and Amazon Macie Classic use the same service-linked role and permissions policy. (This helps Macie Classic users move to and use Macie.) Macie performs all the actions allowed by the policy except the following CloudTrail actions: CreateTrail, StartLogging, StopLogging, UpdateTrail, DeleteTrail, and PutEventSelectors. Only Macie Classic performs those actions on resources, as defined by the policy.

In addition, Macie doesn’t perform actions on the arn:aws:cloudtrail:*:*:trail/AWSMacieTrail-DO-NOT-EDIT resource (trail) or S3 resources (buckets) that have the following Amazon Resource Names: arn:aws:s3:::awsmacie-*, arn:aws:s3:::awsmacietrail-*, and arn:aws:s3:::*-awsmacietrail-*. Only Macie Classic performs actions on those resources, as defined by the policy.
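The least-privilege property worth checking in this policy is that every mutating action (Create, Delete, Put, Start, Stop, Update) is scoped to a named trail, bucket prefix, or log group, while the Resource "*" statement grants only read actions, and that the trust policy names only macie.amazonaws.com. The following audit helper is an added example, not AWS or Macie code; it runs against an abridged, constructed copy of the policy above (read-action list shortened, structure unchanged), and in practice you would feed it the live default version fetched with IAM's GetPolicyVersion and GetRole.

```python
import re

# Treat only Get/List/Describe/Lookup verbs as read-only; anything else mutates.
READ_ONLY = re.compile(r"^[a-z0-9]+:(Get|List|Describe|Lookup)\w*$")

# Abridged copy of the AmazonMacieServiceRolePolicy statements shown on this page
# (constructed for the example: fewer read actions, same statement shapes).
MACIE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents",
            "organizations:ListAccounts", "s3:ListAllMyBuckets",
            "s3:GetBucketPolicy", "s3:GetObject"]},
        {"Effect": "Allow", "Action": ["cloudtrail:CreateTrail", "cloudtrail:DeleteTrail"],
         "Resource": "arn:aws:cloudtrail:*:*:trail/AWSMacieTrail-DO-NOT-EDIT"},
        {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::awsmacie-*", "arn:aws:s3:::awsmacietrail-*"]},
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup"],
         "Resource": ["arn:aws:logs:*:*:log-group:/aws/macie/*"]},
    ],
}

# Constructed trust policy matching the page's description of the role.
MACIE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "macie.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}


def as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def mutating_actions_on_wildcard(policy):
    """Return mutating actions granted on Resource '*' (expected: none)."""
    found = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "*" not in as_list(st["Resource"]):
            continue
        found += [a for a in as_list(st["Action"]) if not READ_ONLY.match(a)]
    return found


def trust_principals(trust_policy):
    """Return the service principals allowed to assume the role (expected: Macie only)."""
    principals = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(st["Action"]):
            principals.update(as_list(st["Principal"].get("Service", [])))
    return principals
```

A non-empty result from mutating_actions_on_wildcard, or a trust principal other than macie.amazonaws.com, indicates the role in the account has drifted from the policy documented here.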

Creating the service-linked role for Amazon Macie

You don't need to manually create the AWSServiceRoleForAmazonMacie service-linked role for Amazon Macie. When you enable Macie for your AWS account, Macie automatically creates the service-linked role for you.

If you delete the Macie service-linked role and then need to create it again, you can use the same process to re-create the role in your account. When you enable Macie again, Macie creates the service-linked role again for you.

Editing the service-linked role for Amazon Macie

Amazon Macie doesn't allow you to edit the AWSServiceRoleForAmazonMacie service-linked role. After a service-linked role is created, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting the service-linked role for Amazon Macie

If you no longer need to use Amazon Macie, we recommend that you manually delete the AWSServiceRoleForAmazonMacie service-linked role. When you disable Macie, Macie doesn't delete the role for you.

Before you delete the role, you must disable Macie in each AWS Region where you enabled it. You must also manually clean up the resources for the role. To delete the role, you can use the IAM console, the AWS CLI, or the AWS API. For more information, see Deleting a service-linked role in the IAM User Guide.

Note

If Macie is using the AWSServiceRoleForAmazonMacie role when you try to delete the resources, the deletion might fail. If that happens, wait for a few minutes and then try the operation again.

If you delete the AWSServiceRoleForAmazonMacie service-linked role and need to create it again, you can create it again by enabling Macie for your account. When you enable Macie again, Macie creates the service-linked role again for you.

Supported AWS Regions for the Amazon Macie service-linked role

Amazon Macie supports using the AWSServiceRoleForAmazonMacie service-linked role in all the AWS Regions where Macie is available. For a list of Regions where Macie is currently available, see Amazon Macie endpoints and quotas in the Amazon Web Services General Reference.