What is a Service-Linked Role?
A Service-Linked Role is a special kind of service role that an AWS service uses to perform operations on your behalf. These roles are linked to an AWS service and carry a permission policy predefined by AWS. Because the required permissions are defined in advance, service-linked roles simplify the process of setting up an AWS service. Each role is tied to one specific AWS service and lets that service perform the operations it needs on your AWS resources (using-service-linked-roles).
Designing permissions
You must either create the service role in advance or grant the CreateRole permission to the user who performs the operation.
For example, granting only the following permissions is not enough: if the service role that RDS uses does not exist, the RDS resource cannot be created.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRDSALL",
      "Effect": "Allow",
      "Action": "rds:*",
      "Resource": "*"
    }
  ]
}
```
The reason is that, when the resource is created, AWSServiceRoleForRDS must be created automatically. See:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.ServiceLinkedRoles.html
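As an added example (not from the original article), a small Python check that decides whether an IAM policy lets the caller create AWSServiceRoleForRDS: the article's rds:* policy fails, while the same policy with an iam:CreateServiceLinkedRole grant scoped to the RDS service principal passes. The evaluator is a deliberate simplification (Allow statements, wildcards and the iam:AWSServiceName condition only; no Deny, NotAction or permissions boundaries), and the account id in the sample ARN is a placeholder.

```python
import fnmatch

# Constructed sample: the role ARN RDS creates on first use (account id is a placeholder)
RDS_SLR_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
               "rds.amazonaws.com/AWSServiceRoleForRDS")
RDS_SERVICE = "rds.amazonaws.com"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(patterns, value):
    # IAM-style wildcards (* and ?); compared case-insensitively for simplicity
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def allows_rds_slr_creation(policy):
    """True if an Allow statement grants iam:CreateServiceLinkedRole on the
    RDS service-linked role and its iam:AWSServiceName condition (if any)
    accepts rds.amazonaws.com. Simplified: no Deny, NotAction or other keys."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _match(stmt.get("Action", []), "iam:CreateServiceLinkedRole"):
            continue
        if not _match(stmt.get("Resource", []), RDS_SLR_ARN):
            continue
        cond = stmt.get("Condition", {})
        svc = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
        if "iam:AWSServiceName" not in svc or _match(svc["iam:AWSServiceName"], RDS_SERVICE):
            return True
    return False


# The article's policy: rds:* alone, which cannot create AWSServiceRoleForRDS
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowRDSALL", "Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}

# Same policy plus a CreateServiceLinkedRole grant limited to the RDS role only
FIXED_POLICY = {"Version": "2012-10-17", "Statement": WEAK_POLICY["Statement"] + [
    {"Sid": "AllowRDSSLR", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
     "Condition": {"StringLike": {"iam:AWSServiceName": "rds.amazonaws.com"}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "policy can create AWSServiceRoleForRDS:", allows_rds_slr_creation(pol))
```

The scoped grant in FIXED_POLICY is the least-privilege shape: it permits creating only the RDS service-linked role, not arbitrary roles.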
List of applicable services (as of 2024/3/22)
| Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
|---|---|---|---|---|---|---|
| Amazon API Gateway | Yes | Yes | Yes | No | Yes | Yes |
| Amazon AppIntegrations | Yes | Yes | No | Yes | Yes | Yes |
| Application Auto Scaling | Yes | Yes | No | Yes | Yes | Yes |
| AWS Application Discovery Service | Yes | No | No | No | Yes | Yes |
| AWS Application Migration Service | Yes | Yes | No | Yes | Yes | Yes |
| AWS App Mesh | Yes | Yes | No | Yes | Yes | Yes |
| AWS App Mesh Preview | Yes | Yes | No | No | Yes | Yes |
| AWS App Runner | Yes | Yes | No | Yes | Yes | Yes |
| AWS Audit Manager | Yes | Yes | No | Yes | Yes | Yes |
| AWS Auto Scaling | Yes | No | No | No | Yes | Yes |
| AWS Backup | Yes | Yes | Yes | Yes | Yes | Yes |
| AWS Batch | Yes | Partial | No | Yes | Yes | Yes |
| Amazon Braket | Yes | Yes | No | Yes | Yes | Yes |
| AWS BugBust | Yes | Yes | No | Yes | Yes | Yes |
| AWS Certificate Manager (ACM) | Yes | Yes | No | Yes | Yes | Yes |
| AWS Chatbot | Yes | Yes | No | No | Yes | Yes |
| Amazon Chime | Yes | Yes | No | Yes | Yes | Yes |
| AWS Client VPN | Yes | Yes | No | No | Yes | Yes |
| AWS Cloud9 | Yes | Yes | Yes | Yes | Yes | Yes |
| Amazon CloudFront | Yes | Yes | No | Yes | Yes | Partial (Info) |
| AWS CloudHSM | Yes | Yes | No | Yes | Yes | Yes |
| AWS CloudTrail | Yes | Yes | Partial (Info) | Partial (Info) | Yes | Yes |
| Amazon CloudWatch | Yes | Yes | No | Yes | Yes | Partial (Info) |
| Amazon CloudWatch Logs | Yes | Yes | Yes | Partial | Yes | Yes |
| Amazon CodeCatalyst | Yes | Yes | No | Yes | Yes | Yes |
| Amazon CodeGuru Profiler | Yes | Yes | No | Yes | Yes | Yes |
| Amazon CodeGuru Reviewer | Yes | Yes | No | Yes | Yes | Yes |
| AWS CodeStar Connections | Yes | Yes | No | Yes | Yes | Yes |
| AWS CodeStar Notifications | Yes | Yes | No | Yes | Yes | Yes |
| Amazon CodeWhisperer | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Cognito | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Cognito Sync | Yes | Yes | No | No | Yes | Yes |
| Amazon Cognito user pools | Yes | Yes | No | Yes | Yes | Yes |
| AWS Compute Optimizer | Yes | No | No | No | Yes | Yes |
| AWS Config | Yes | Partial (Info) | No | Yes | Yes | Yes |
| Amazon Connect | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Connect Customer Profiles | Yes | Yes | No | Yes | Yes | Yes |
| AWS Database Migration Service | Yes | Yes | No (Info) | Yes | Yes | Yes |
| AWS DataSync | Yes | Yes | No | Yes | Yes | Yes |
| AWS DeepRacer | Yes | Yes | No | Yes | Yes | Yes |
| AWS Device Farm | Yes | Yes | No | Yes | Yes | Yes |
| Amazon DevOps Guru | Yes | Yes | No | No | Yes | Yes |
| AWS Direct Connect | Yes | Yes | No | Yes | Yes | Yes |
| Amazon DynamoDB Accelerator (DAX) | Yes | Yes | No | No | Yes | Yes |
| Amazon Elastic Compute Cloud (Amazon EC2) | Yes | Partial | No | Yes | Yes | Partial (Info) |
| Amazon EC2 Auto Scaling | Yes | Yes | No | Yes | Yes | Yes |
| EC2 Image Builder | Yes | Yes | No | Yes | Yes | Yes |
| Amazon EC2 Instance Connect | Yes | Yes | No | No | Yes | Yes |
| Amazon ElastiCache | Yes | Yes | No | Yes | Yes | Yes |
| AWS Elastic Beanstalk | Yes | Partial | No | Yes | Yes | Yes |
| Amazon Elastic Container Registry (Amazon ECR) | Yes | Yes | Yes | Yes | Yes | Yes |
| Amazon Elastic Container Service (Amazon ECS) | Yes | Partial (Info) | No | Yes | Yes | Yes |
| AWS Elastic Disaster Recovery | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Elastic File System (Amazon EFS) | Yes | Yes | Yes | Partial | Yes | Yes |
| Amazon Elastic Kubernetes Service (Amazon EKS) | Yes | Yes | No | Yes | Yes | Yes |
| AWS Elastic Load Balancing | Yes | Partial | No | Partial | Yes | Yes |
| AWS Elemental MediaConnect | Yes | Yes | No | No | Yes | Yes |
| AWS Elemental MediaPackage | Yes | Yes | No | Yes | Yes | Partial (Info) |
| AWS Elemental MediaPackage VOD | Yes | Yes | No | Yes | Yes | Partial (Info) |
| AWS Elemental MediaTailor | Yes | Yes | No | Yes | Yes | Yes |
| Amazon EMR | Yes | Yes | No | Yes | Yes | Yes |
| Amazon EMR on EKS | Yes | Yes | No | Yes | Yes | Yes |
| Amazon EMR Serverless | Yes | Yes | No | Yes | Yes | Yes |
| AWS Fault Injection Service | Yes | Yes | No | Yes | Yes | Yes |
| Amazon FinSpace | Yes | Yes | No | Yes | Yes | Yes |
| AWS Firewall Manager | Yes | Yes | No | Yes | Yes | Partial |
| Amazon FSx | Yes | Yes | No | Yes | Yes | Yes |
| AWS Global Accelerator | Yes | Yes | No | Yes | Yes | Yes |
| AWS Ground Station | Yes | Yes | No | Yes | Yes | Yes |
| Amazon GuardDuty | Yes | Yes | No | Yes | Yes | Yes |
| AWS IAM Identity Center | Yes | Yes | No | Partial | Yes | Yes |
| AWS Identity and Access Management Access Analyzer | Yes | Yes | No | Yes | Yes | Partial |
| AWS Identity and Access Management Roles Anywhere | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Inspector | Yes | Yes | No | Yes | Yes | |
| Amazon Inspector Classic | Yes | No | No | No | Yes | Yes |
| Amazon Interactive Video Service | Yes | Yes | No | Yes | Yes | Yes |
| AWS IoT SiteWise | Yes | Yes | No | Yes | Yes | Yes |
| AWS IoT TwinMaker | Yes | Yes | No | Yes | Yes | Yes |
| AWS IQ | Yes | Yes | No | No | Yes | Yes |
| AWS Key Management Service (AWS KMS) | Yes | Yes | Yes | Yes | Yes | Yes |
| Amazon Keyspaces (for Apache Cassandra) | Yes | Yes | No | Yes | Yes | Yes |
| AWS Lake Formation | Yes | No | No | No | Yes | Yes |
| AWS Lambda | Yes | Yes | Yes | Partial (Info) | Yes | Partial (Info) |
| Amazon Lex | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Lex V2 | Yes | Yes | Yes | Yes | Yes | Yes |
| AWS License Manager | Yes | Yes | No | Yes | Yes | Yes |
| AWS License Manager User Subscriptions | Yes | No | No | No | Yes | Yes |
| Amazon Lightsail | Yes | Partial (Info) | No | Partial (Info) | Yes | Yes |
| Amazon Macie | Yes | Yes | No | Yes | Yes | Yes |
| AWS Mainframe Modernization | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Managed Grafana | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Managed Streaming for Apache Kafka (MSK) | Yes | Yes | Partial (Info) | Yes | Yes | Yes |
| Amazon Managed Streaming for Kafka Connect | Yes | Yes | No | No | Yes | Yes |
| AWS Marketplace | Yes | No | No | No | Yes | Yes |
| Amazon MemoryDB for Redis | Yes | Yes | No | Yes | Yes | Yes |
| AWS Migration Hub | Yes | Yes | No | No | Yes | Yes |
| AWS Migration Hub Orchestrator | Yes | Yes | No | Yes | Yes | Yes |
| AWS Migration Hub Refactor Spaces | Yes | Yes | Yes | Yes | Yes | Yes |
| AWS Migration Hub Strategy Recommendations | Yes | No | No | No | Yes | Yes |
| Amazon Monitron | Yes | Yes | No | Yes | Yes | Yes |
| Amazon MQ | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Neptune | Yes | Yes | No | No | Yes | Yes |
| AWS Network Firewall | Yes | Yes | No | Yes | Yes | Yes |
| AWS Network Manager | Yes | Yes | No | Yes | Yes | Yes (Info) |
| Amazon OpenSearch Ingestion | Yes | Yes | No | Yes | Yes | Yes |
| Amazon OpenSearch Serverless | Yes | Yes | No | Yes | Yes | Yes |
| Amazon OpenSearch Service | Yes | Yes | Yes | Yes | Yes | Yes |
| AWS Organizations | Yes | Yes | Yes | Yes | No | Yes |
| AWS Outposts | Yes | Yes | No | Yes | Yes | Yes |
| AWS Panorama | Yes | Yes | No | Yes | Yes | Yes |
| AWS Proton | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Redshift | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Relational Database Service (Amazon RDS) (Info) | Yes | Yes | No | Yes | Yes | Yes |
| AWS re:Post Private | Yes | Yes | No | Yes | Yes | Yes |
| AWS Resource Access Manager (AWS RAM) | Yes | Yes | No | Yes | Yes | Yes |
| AWS Resource Explorer | Yes | Yes | No | Yes | Yes | Yes |
| AWS RoboMaker | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Route 53 Recovery Readiness | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Route 53 Resolver | Yes | Yes | No | Yes | Yes | Yes |
| Amazon SageMaker | Yes | Yes | No | Yes | Yes | Partial (Info) |
| AWS Security Hub | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Security Lake | Yes | Yes | No | No | Yes | Yes |
| AWS Service Catalog | Yes | Yes | No | Yes | Yes | Yes |
| AWS Shield | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Simple Storage Service (Amazon S3) | Yes | Yes | Yes | Partial (Info) | Yes | Partial (Info) |
| Amazon Simple Storage Service (Amazon S3) on AWS Outposts | Yes | Yes | Yes | No | Yes | Yes |
| AWS Site-to-Site VPN | Yes | Yes | No | No | Yes | Yes |
| AWS Support | Yes | No | No | No | Yes | Yes |
| AWS Systems Manager | Yes | Yes | No | Yes | Yes | Yes |
| AWS Systems Manager Incident Manager | Yes | Yes | Yes | Yes | Yes | Yes |
| Amazon Timestream Influxdb | Yes | Yes | No | Yes | Yes | Yes |
| AWS Trusted Advisor | Partial (Info) | Yes | No | No | Partial | Yes |
| AWS User Notifications | Yes | Yes | No | Yes | Yes | Yes |
| Amazon Virtual Private Cloud (Amazon VPC) | Yes | Partial (Info) | Partial (Info) | Yes | Yes | Partial (Info) |
| AWS WAF | Yes | Yes | No | Yes | Yes | Yes |
| AWS WAF Classic | Yes | Yes | No | Yes | Yes | Yes |
| AWS WAF Regional | Yes | Yes | No | Yes | Yes | Yes |
| Amazon WorkMail | Yes | Yes | No | Yes | Yes | Yes |
| Amazon WorkSpaces Web | Yes | Yes | No | Yes | Yes | Yes |
Summary
Service-linked roles play an important part in letting specific AWS services manage AWS resources more securely and efficiently. As new services and features are added, the list of supported services may change. Always check the official AWS documentation (service-linked-role-permissions) for the latest information.