Resources created for AWS DevOps Agent activated from AWS Support - AWS Support

Activation from the Support Center Console creates the following resources in us-east-1. Replace ACCOUNT_ID with your 12-digit AWS account ID. The role suffix is a 12-character identifier derived from the agent space.

Resources created when you enable AWS DevOps Agent from the Support Center Console

| AWS service | Resource type | Resource name | Trust scope | Permissions granted |
| --- | --- | --- | --- | --- |
| AWS DevOps Agent | Agent space | DevOpsAgentSpace | Not applicable | Container for the account association, operator web app configuration, and data the agent generates while it operates. |
| AWS Identity and Access Management (IAM) | Role | DevOpsAgentRole-AgentSpace-suffix | Trusted by aidevops.amazonaws.com with aws:SourceAccount and aws:SourceArn conditions that scope the role to agent spaces in your own account (confused-deputy protection). | Grants the agent the read-only investigation permissions across AWS services that it needs to investigate resources in your account. Permissions come from the AWS-managed AIDevOpsAgentAccessPolicy attached at activation time. For the full list, see AIDevOpsAgentAccessPolicy in the AWS DevOps Agent User Guide. The customer-managed AIDevOpsAllowAwsSupportActionsPolicy-suffix policy is also attached. |
| AWS Identity and Access Management (IAM) | Role | DevOpsAgentRole-WebappAdmin-suffix | Trust policy scoped to a specific agent space, so only that agent space's operator web app can assume it. | Grants the operator web app the permissions it needs for chat, journal, recommendations, and Support integration. Permissions come from the AWS-managed AIDevOpsOperatorAppAccessPolicy. For the full list, see AIDevOpsOperatorAppAccessPolicy in the AWS DevOps Agent User Guide. |
| AWS Identity and Access Management (IAM) | Customer-managed policy | AIDevOpsAllowAwsSupportActionsPolicy-suffix | Attached to the DevOpsAgentRole-AgentSpace-suffix role. | Grants iam:CreateServiceLinkedRole, scoped to the AWS Resource Explorer service-linked role ARN (arn:aws:iam::ACCOUNT_ID:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer). This permission allows the agent to create the AWS Resource Explorer service-linked role on your behalf if it doesn't already exist, so the agent can use AWS Resource Explorer for topology discovery. |

The Support Center Console activation doesn't create resources in any other AWS Region.
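
The following check is an added example, not AWS code and not part of the original page. It audits a role trust policy document offline for the confused-deputy conditions described in the table: aws:SourceAccount and aws:SourceArn pinned to your own account. The sample policies, the account ID 111122223333 and the SourceArn value are constructed; the page doesn't give the agent space ARN format, so the ARN is a placeholder and the check looks only at the ARN's account field.

```python
import json

SERVICE = "aidevops.amazonaws.com"  # service principal named in the table above
ARN_OPS = {"ArnLike", "ArnEquals", "StringLike", "StringEquals"}

def as_list(v):
    return v if isinstance(v, list) else [v]

def audit_trust_policy(policy, account_id):
    """Return findings for Allow statements that trust SERVICE without
    pinning aws:SourceAccount and aws:SourceArn to account_id."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if SERVICE not in as_list(principal.get("Service", [])):
            continue
        accounts, arns = [], []
        for op, keys in stmt.get("Condition", {}).items():
            for key, val in keys.items():  # condition key names are case-insensitive
                if key.lower() == "aws:sourceaccount" and op == "StringEquals":
                    accounts += as_list(val)
                elif key.lower() == "aws:sourcearn" and op in ARN_OPS:
                    arns += as_list(val)
        if not accounts or any(a != account_id for a in accounts):
            findings.append(f"statement {i}: aws:SourceAccount is not pinned to {account_id}")
        # ARN layout: arn:partition:service:region:account:resource
        fields = [a.split(":", 5) for a in arns]
        if not arns or any(len(f) < 6 or f[4] != account_id for f in fields):
            findings.append(f"statement {i}: aws:SourceArn is not scoped to {account_id}")
    return findings

# Constructed sample documents. The SourceArn value is an illustrative
# placeholder; the page does not give the agent space ARN format.
ACCOUNT = "111122223333"
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "aidevops.amazonaws.com"},
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringEquals": {"aws:SourceAccount": "111122223333"},
    "ArnLike": {"aws:SourceArn": "arn:aws:EXAMPLE-SERVICE:us-east-1:111122223333:EXAMPLE-AGENT-SPACE/*"}}}]}""")
UNSCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "aidevops.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("unscoped", UNSCOPED)):
        print(name, audit_trust_policy(doc, ACCOUNT) or "OK")
```

To audit a live role, pass in the AssumeRolePolicyDocument returned by `aws iam get-role` for DevOpsAgentRole-AgentSpace-suffix, parsed as JSON.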