# Using service-linked roles for AMS Accelerate
<a name="using-service-linked-roles"></a>

AMS Accelerate uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role (SLR) is a unique type of IAM role that is linked directly to AMS Accelerate. Service-linked roles are predefined by AMS Accelerate and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up AMS Accelerate easier because you don’t have to manually add the necessary permissions. AMS Accelerate defines the permissions of its service-linked roles, and unless defined otherwise, only AMS Accelerate can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Deployment toolkit service-linked role for AMS Accelerate
<a name="slr-deploy-acc"></a>

AMS Accelerate uses the service-linked role (SLR) named **AWSServiceRoleForAWSManagedServicesDeploymentToolkit** – this role deploys AMS Accelerate infrastructure into customer accounts.

**Note**  
This policy has recently been updated; for details, see [Accelerate updates to service-linked roles](#slr-updates).

### AMS Accelerate deployment toolkit SLR
<a name="slr-permissions-deploy-acc"></a>

The AWSServiceRoleForAWSManagedServicesDeploymentToolkit service-linked role trusts the following services to assume the role:
+ `deploymenttoolkit.managedservices.amazonaws.com`

The policy named [AWSManagedServicesDeploymentToolkitPolicy](security-iam-awsmanpol.html#security-iam-awsmanpol-DeploymentToolkitPolicy) allows AMS Accelerate to perform actions on the following resources:
+ `arn:aws*:s3:::ams-cdktoolkit*`
+ `arn:aws*:cloudformation:*:*:stack/ams-cdk-toolkit*`
+ `arn:aws:ecr:*:*:repository/ams-cdktoolkit*`

This SLR grants the Amazon S3 permissions needed to create and manage the deployment bucket that AMS uses to upload resources, such as CloudFormation templates or Lambda asset bundles, into the account for component deployments. It also grants the CloudFormation permissions needed to deploy the CloudFormation stack that defines the deployment buckets. For details or to download the policy, see [AWSManagedServicesDeploymentToolkitPolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-DeploymentToolkitPolicy).
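The three resource patterns above are what make this role safe to leave in an account: the S3, CloudFormation and ECR grants are confined to `ams-cdktoolkit*` and `ams-cdk-toolkit*` names. The following script is an added example, not AMS code, that reads a policy document (for instance the `Document` returned by `aws iam get-policy-version` for the attached policy) and reports any Allow statement whose resources fall outside those documented patterns. The sample policy embedded in it is constructed for illustration and includes one deliberately drifted statement.

```python
"""Added example: check that every Allow statement in a deployment-toolkit
policy document stays inside the resource patterns documented for
AWSManagedServicesDeploymentToolkitPolicy. Not AMS code; the sample policy
below is constructed for illustration."""
import fnmatch
import json

# Resource ARN patterns listed on this page for the deployment toolkit policy.
ALLOWED_RESOURCE_PATTERNS = (
    "arn:aws*:s3:::ams-cdktoolkit*",
    "arn:aws*:cloudformation:*:*:stack/ams-cdk-toolkit*",
    "arn:aws:ecr:*:*:repository/ams-cdktoolkit*",
)


def _as_list(value):
    """IAM accepts a string or a list in Resource/Action; normalize to a list."""
    return value if isinstance(value, list) else [value]


def resource_in_scope(resource, patterns=ALLOWED_RESOURCE_PATTERNS):
    """True if the Resource entry is covered by one of the allowed patterns.

    A wildcard inside the policy's own resource string is treated as a literal
    character, so "arn:aws:s3:::ams-cdktoolkit*/*" is in scope while
    "arn:aws:s3:::*" and a bare "*" are not.
    """
    if resource == "*":
        return False
    return any(fnmatch.fnmatchcase(resource, pattern) for pattern in patterns)


def out_of_scope_grants(policy_document, patterns=ALLOWED_RESOURCE_PATTERNS):
    """Return (Sid, resource) pairs for Allow statements that reach outside
    the documented resource patterns. An empty list means the document is
    scoped as this page describes."""
    findings = []
    for statement in _as_list(policy_document.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        # NotResource grants everything except the listed ARNs, which can
        # never be shown to stay inside the patterns, so report it outright.
        if "NotResource" in statement:
            findings.append((sid, "NotResource:" + json.dumps(statement["NotResource"])))
            continue
        for resource in _as_list(statement.get("Resource", [])):
            if not resource_in_scope(resource, patterns):
                findings.append((sid, resource))
    return findings


# Constructed sample: two statements scoped like the documented policy and
# one that has drifted to every bucket in the account.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ToolkitBucket",
            "Effect": "Allow",
            "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject*"],
            "Resource": ["arn:aws:s3:::ams-cdktoolkit*", "arn:aws:s3:::ams-cdktoolkit*/*"],
        },
        {
            "Sid": "ToolkitStack",
            "Effect": "Allow",
            "Action": "cloudformation:DescribeStacks",
            "Resource": "arn:aws:cloudformation:*:*:stack/ams-cdk-toolkit*",
        },
        {
            "Sid": "Drifted",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::*",
        },
    ],
}

if __name__ == "__main__":
    for sid, resource in out_of_scope_grants(SAMPLE_POLICY):
        print(f"statement {sid} grants access outside the documented scope: {resource}")
```

Run against the sample, only the `Drifted` statement is reported. Note that the ECR pattern on this page is pinned to the `arn:aws` partition while the S3 and CloudFormation patterns use `arn:aws*`; the check reproduces that distinction, so an ECR repository ARN in another partition is reported as out of scope.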

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [ Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

### Creating a deployment toolkit SLR for AMS Accelerate
<a name="create-slr-deploy-acc"></a>

You don't need to manually create a service-linked role. When you onboard to AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate creates the service-linked role for you.

**Important**  
If you were using the AMS Accelerate service before June 09, 2022, when it began supporting service-linked roles, then AMS Accelerate created the AWSServiceRoleForAWSManagedServicesDeploymentToolkit role in your account, so this service-linked role can appear there without any action on your part. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role and then need to create it again, you can use the same process to recreate the role in your account. When you onboard to AMS, AMS Accelerate creates the service-linked role for you again.

### Editing a deployment toolkit SLR for AMS Accelerate
<a name="edit-slr-deploy-acc"></a>

AMS Accelerate does not allow you to edit the AWSServiceRoleForAWSManagedServicesDeploymentToolkit service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

### Deleting a deployment toolkit SLR for AMS Accelerate
<a name="delete-slr-deploy-acc"></a>

You don't need to manually delete the AWSServiceRoleForAWSManagedServicesDeploymentToolkit role. When you offboard from AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the AMS Accelerate service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete AMS Accelerate resources used by the AWSServiceRoleForAWSManagedServicesDeploymentToolkit service-linked role**

Delete `ams-cdk-toolkit` stack from all Regions your account was onboarded to in AMS (you might have to manually empty the S3 buckets first).

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAWSManagedServicesDeploymentToolkit service-linked role. For more information, see [ Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Detective controls service-linked role for AMS Accelerate
<a name="slr-deploy-detect-controls"></a>

AMS Accelerate uses the service-linked role (SLR) named **AWSServiceRoleForManagedServices_DetectiveControlsConfig**. AWS Managed Services uses this service-linked role to deploy the AWS Config recorder, AWS Config rules, and S3 bucket detective controls.

Attached to the **AWSServiceRoleForManagedServices_DetectiveControlsConfig** service-linked role is the following managed policy: [AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy](security-iam-awsmanpol.html#security-iam-awsmanpol-DetectiveControlsConfig). For updates to this policy, see [Accelerate updates to AWS managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

### Permissions for detective controls SLR for AMS Accelerate
<a name="slr-permissions-detect-controls"></a>

The AWSServiceRoleForManagedServices_DetectiveControlsConfig service-linked role trusts the following services to assume the role:
+ `detectivecontrols.managedservices.amazonaws.com`

Attached to this role is the `AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy` AWS managed policy (see [AWS managed policy: AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-DetectiveControlsConfig)). The service uses the role to create and configure AMS Detective Controls in your account, which requires deploying resources such as S3 buckets, AWS Config rules, and an aggregator. You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *AWS Identity and Access Management User Guide*.

### Creating a detective controls SLR for AMS Accelerate
<a name="create-slr-detect-controls"></a>

You don't need to manually create a service-linked role. When you onboard to AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate creates the service-linked role for you.

**Important**  
If you were using the AMS Accelerate service before June 09, 2022, when it began supporting service-linked roles, then AMS Accelerate created the AWSServiceRoleForManagedServices_DetectiveControlsConfig role in your account, so this service-linked role can appear there without any action on your part. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role and then need to create it again, you can use the same process to recreate the role in your account. When you onboard to AMS, AMS Accelerate creates the service-linked role for you again.

### Editing a detective controls SLR for AMS Accelerate
<a name="edit-slr-detect-controls"></a>

AMS Accelerate does not allow you to edit the AWSServiceRoleForManagedServices_DetectiveControlsConfig service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

### Deleting a detective controls SLR for AMS Accelerate
<a name="delete-slr-detect-controls"></a>

You don't need to manually delete the AWSServiceRoleForManagedServices_DetectiveControlsConfig role. When you offboard from AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the AMS Accelerate service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete AMS Accelerate resources used by the AWSServiceRoleForManagedServices_DetectiveControlsConfig service-linked role**

Delete the `ams-detective-controls-config-recorder`, `ams-detective-controls-config-rules-cdk` and `ams-detective-controls-infrastructure-cdk` stacks from all Regions your account was onboarded to in AMS (you might have to manually empty the S3 buckets first).

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForManagedServices_DetectiveControlsConfig service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.
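Both manual deletion procedures on this page (the deployment toolkit SLR and the detective controls SLR) have the same shape: clean up the stacks first, then delete the role, and retry if the deletion fails because the role is still in use. IAM runs service-linked role deletion as an asynchronous task, and when the task fails its status carries the list of resources that still use the role. The following script is an added example, not AMS code, that starts the deletion, polls the task, and turns a failure into the per-Region list of resources still to be removed. It assumes the two boto3 IAM methods `delete_service_linked_role` and `get_service_linked_role_deletion_status` with the response shapes the author understands them to have; `FakeIam` is a constructed stand-in so the script runs offline, and a real `boto3.client("iam")` can be passed in its place.

```python
"""Added example: drive the IAM service-linked role deletion task and, when it
fails because AMS resources still use the role, report what is left to clean
up. Not AMS code. The client only needs the two boto3 IAM methods used below
(response shapes are the author's understanding of the IAM API); FakeIam is a
constructed stand-in so the script runs offline."""
import time

TERMINAL_STATES = {"SUCCEEDED", "FAILED"}


def delete_slr_and_wait(iam, role_name, poll_interval=5.0, max_polls=24):
    """Start deleting `role_name` and poll until the task reaches a terminal state.

    Returns (status, blocking_resources), where blocking_resources is a list of
    (region, resource) pairs taken from the failure reason. A non-empty list
    means the stacks or buckets this page tells you to delete first still exist.
    """
    task_id = iam.delete_service_linked_role(RoleName=role_name)["DeletionTaskId"]
    status = "NOT_STARTED"
    reason = {}
    for _ in range(max_polls):
        response = iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id)
        status = response["Status"]
        reason = response.get("Reason") or {}
        if status in TERMINAL_STATES:
            break
        time.sleep(poll_interval)
    blocking = [
        (usage.get("Region", "<global>"), resource)
        for usage in reason.get("RoleUsageList", [])
        for resource in usage.get("Resources", [])
    ]
    return status, blocking


class FakeIam:
    """Constructed stand-in for a boto3 IAM client: the first poll reports
    IN_PROGRESS, the second FAILED with the ams-cdk-toolkit stack still in use."""

    def __init__(self):
        self.calls = 0

    def delete_service_linked_role(self, RoleName):
        # Constructed task id; the real one is issued by IAM.
        return {"DeletionTaskId": f"task/{RoleName}/constructed-0001"}

    def get_service_linked_role_deletion_status(self, DeletionTaskId):
        self.calls += 1
        if self.calls == 1:
            return {"Status": "IN_PROGRESS"}
        return {
            "Status": "FAILED",
            "Reason": {
                "Reason": "Role is in use by resources",
                "RoleUsageList": [
                    {"Region": "us-east-1", "Resources": ["ams-cdk-toolkit"]},
                    {"Region": "eu-west-1", "Resources": ["ams-cdk-toolkit"]},
                ],
            },
        }


if __name__ == "__main__":
    status, blocking = delete_slr_and_wait(
        FakeIam(), "AWSServiceRoleForAWSManagedServicesDeploymentToolkit", poll_interval=0
    )
    print(status)
    for region, resource in blocking:
        print(f"{region}: delete {resource} before retrying")
```

With the fake client the task ends as `FAILED` and the output names the `ams-cdk-toolkit` stack in two Regions, which is exactly the cleanup step the procedure above asks for. If the status comes back `FAILED` with an empty usage list, the role was in use at the moment of the attempt, and the note above applies: wait a few minutes and run it again.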

## Amazon EventBridge rule service-linked role for AMS Accelerate
<a name="slr-evb-rule"></a>

AMS Accelerate uses the service-linked role (SLR) named **AWSServiceRoleForManagedServices_Events**. This role trusts one of the AWS Managed Services service principals (events.managedservices.amazonaws.com) to assume the role for you. The service uses the role to create an Amazon EventBridge managed rule. This rule is the infrastructure required in your AWS account to deliver alarm state change information from your account to AWS Managed Services.

### Permissions for EventBridge SLR for AMS Accelerate
<a name="slr-permissions-create-evb-rule"></a>

The AWSServiceRoleForManagedServices_Events service-linked role trusts the following services to assume the role:
+ `events.managedservices.amazonaws.com`

Attached to this role is the `AWSManagedServices_EventsServiceRolePolicy` AWS managed policy (see [AWS managed policy: AWSManagedServices_EventsServiceRolePolicy](security-iam-awsmanpol.md#EventsServiceRolePolicy)). The service uses the role to deliver alarm state change information from your account to AMS. You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *AWS Identity and Access Management User Guide*.

You can download the JSON of AWSManagedServices_EventsServiceRolePolicy in this ZIP: [EventsServiceRolePolicy.zip](samples/EventsServiceRolePolicy.zip).

### Creating an EventBridge SLR for AMS Accelerate
<a name="slr-evb-rule-create"></a>

You don't need to manually create a service-linked role. When you onboard to AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate creates the service-linked role for you.

**Important**  
If you were using the AMS Accelerate service before February 7, 2023, when it began supporting service-linked roles, then AMS Accelerate created the AWSServiceRoleForManagedServices_Events role in your account, so this service-linked role can appear there without any action on your part. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role and then need to create it again, you can use the same process to recreate the role in your account. When you onboard to AMS, AMS Accelerate creates the service-linked role for you again.

### Editing an EventBridge SLR for AMS Accelerate
<a name="slr-evb-rule-edit"></a>

AMS Accelerate does not allow you to edit the AWSServiceRoleForManagedServices_Events service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

### Deleting an EventBridge SLR for AMS Accelerate
<a name="slr-evb-rule-delete"></a>

You don't need to manually delete the AWSServiceRoleForManagedServices_Events role. When you offboard from AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the AMS Accelerate service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete AMS Accelerate resources used by the AWSServiceRoleForManagedServices_Events service-linked role**

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForManagedServices_Events service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Contacts service-linked role for AMS Accelerate
<a name="slr-contacts-service"></a>

AMS Accelerate uses the service-linked role (SLR) named **AWSServiceRoleForManagedServices_Contacts**. This role facilitates automated notifications when incidents occur by allowing the service to read the existing tags of the affected resource and retrieve the configured email of the appropriate point of contact.

This is the only service that uses this service-linked role.

Attached to the **AWSServiceRoleForManagedServices_Contacts** service-linked role is the following managed policy: [AWSManagedServices_ContactsServiceRolePolicy](security-iam-awsmanpol.html#ContactsServiceManagedPolicy). For updates to this policy, see [Accelerate updates to AWS managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

### Permissions for Contacts SLR for AMS Accelerate
<a name="slr-permissions-contacts-service"></a>

The AWSServiceRoleForManagedServices_Contacts service-linked role trusts the following services to assume the role:
+ `contacts-service.managedservices.amazonaws.com`

Attached to this role is the `AWSManagedServices_ContactsServiceRolePolicy` AWS managed policy (see [AWS managed policy: AWSManagedServices_ContactsServiceRolePolicy](security-iam-awsmanpol.md#ContactsServiceManagedPolicy)). The service uses the role to read the tags on any AWS resource and find, in the designated tag, the email of the appropriate point of contact to notify when an incident occurs. This role facilitates automated notifications when incidents occur by allowing AMS to read that tag on an affected resource and retrieve the email. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *AWS Identity and Access Management User Guide*.

**Important**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. AMS uses tags to provide you with administration services. Tags are not intended to be used for private or sensitive data.

The role permissions policy named AWSManagedServices_ContactsServiceRolePolicy allows AMS Accelerate to complete the following actions on the specified resources:
+ Action: Allows the Contacts Service to read, on any AWS resource, the tags specifically set up to contain the email to which AMS sends incident notifications.

You can download the JSON of AWSManagedServices_ContactsServiceRolePolicy in this ZIP: [ContactsServicePolicy.zip](samples/ContactsServicePolicy.zip).
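Each SLR on this page (deployment toolkit, detective controls, EventBridge and Contacts) is described the same way: the role trusts exactly one `*.managedservices.amazonaws.com` service principal and carries exactly one AWS managed policy, and the page notes that you cannot edit the role itself. A trust policy or policy attachment that differs from that description is therefore worth investigating. The following script is an added example, not AMS code, that compares the `AssumeRolePolicyDocument` returned by `get-role` and the policy names returned by `list-attached-role-policies` with the values documented on this page for all four roles. The expected names and principals are taken from the page; the two sample trust documents (one as created, one with a second principal added) and the account ID in them are constructed.

```python
"""Added example: compare an AMS Accelerate service-linked role's trust policy
and attached managed policy with what this page documents. Not AMS code; the
expected values come from the page, the sample trust documents are constructed."""

# Role name -> service principal each SLR trusts, as documented on this page.
EXPECTED_TRUST = {
    "AWSServiceRoleForAWSManagedServicesDeploymentToolkit": "deploymenttoolkit.managedservices.amazonaws.com",
    "AWSServiceRoleForManagedServices_DetectiveControlsConfig": "detectivecontrols.managedservices.amazonaws.com",
    "AWSServiceRoleForManagedServices_Events": "events.managedservices.amazonaws.com",
    "AWSServiceRoleForManagedServices_Contacts": "contacts-service.managedservices.amazonaws.com",
}

# Role name -> the single AWS managed policy the page says is attached.
EXPECTED_POLICY = {
    "AWSServiceRoleForAWSManagedServicesDeploymentToolkit": "AWSManagedServicesDeploymentToolkitPolicy",
    "AWSServiceRoleForManagedServices_DetectiveControlsConfig": "AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy",
    "AWSServiceRoleForManagedServices_Events": "AWSManagedServices_EventsServiceRolePolicy",
    "AWSServiceRoleForManagedServices_Contacts": "AWSManagedServices_ContactsServiceRolePolicy",
}


def _as_list(value):
    """IAM accepts a string or a list for principals and actions; normalize."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(role_name, trust_document):
    """Return human-readable findings for a role's AssumeRolePolicyDocument.
    An empty list means it trusts only the documented service principal."""
    expected = EXPECTED_TRUST.get(role_name)
    if expected is None:
        return [f"{role_name} is not an AMS Accelerate SLR documented here"]
    findings = []
    trusted = set()
    for statement in _as_list(trust_document.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        principal = statement.get("Principal", {})
        if principal == "*":
            findings.append(f"{sid}: wildcard principal")
            continue
        for ptype, identities in principal.items():
            for identity in _as_list(identities):
                if ptype == "Service" and identity == expected:
                    trusted.add(identity)
                else:
                    findings.append(f"{sid}: unexpected principal {ptype}={identity}")
        for action in _as_list(statement.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"{sid}: unexpected action {action}")
    if expected not in trusted:
        findings.append(f"{expected} is not trusted; AMS cannot assume the role")
    return findings


def attached_policy_findings(role_name, attached_policy_names):
    """attached_policy_names: the PolicyName values from list-attached-role-policies."""
    expected = EXPECTED_POLICY.get(role_name)
    if expected is None:
        return [f"{role_name} is not an AMS Accelerate SLR documented here"]
    names = set(attached_policy_names)
    findings = []
    if expected not in names:
        findings.append(f"{expected} is not attached")
    for extra in sorted(names - {expected}):
        findings.append(f"extra policy attached: {extra}")
    return findings


# Constructed: the trust document as the page describes it for the Events SLR.
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "events.managedservices.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed: the same document after a second principal (placeholder account
# 111122223333) was added, which is the kind of drift the check should surface.
TAMPERED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": "events.managedservices.amazonaws.com",
            "AWS": "arn:aws:iam::111122223333:root",
        },
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    role = "AWSServiceRoleForManagedServices_Events"
    for label, doc in (("as created", GOOD_TRUST), ("tampered", TAMPERED_TRUST)):
        print(label, trust_policy_findings(role, doc) or ["ok"])
```

The function only reads policy documents; it assumes nothing about how they were fetched, so the same check works on output saved from the CLI or on a `get_role` response from boto3. Run against the constructed documents, the first returns no findings and the second reports the added `AWS` principal.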

### Creating a Contacts SLR for AMS Accelerate
<a name="slr-contacts-service-create"></a>

You don't need to manually create a service-linked role. When you onboard to AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate creates the service-linked role for you.

**Important**  
If you were using the AMS Accelerate service before February 16, 2023, when it began supporting service-linked roles, then AMS Accelerate created the AWSServiceRoleForManagedServices_Contacts role in your account, so this service-linked role can appear there without any action on your part. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role and then need to create it again, you can use the same process to recreate the role in your account. When you onboard to AMS, AMS Accelerate creates the service-linked role for you again.

### Editing a Contacts SLR for AMS Accelerate
<a name="slr-contacts-service-edit"></a>

AMS Accelerate does not allow you to edit the AWSServiceRoleForManagedServices_Contacts service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

### Deleting a Contacts SLR for AMS Accelerate
<a name="slr-contacts-service-delete"></a>

You don't need to manually delete the AWSServiceRoleForManagedServices_Contacts role. When you offboard from AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the AMS Accelerate service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete AMS Accelerate resources used by the AWSServiceRoleForManagedServices_Contacts service-linked role**

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForManagedServices_Contacts service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported regions for AMS Accelerate service-linked roles
<a name="slr-regions"></a>

AMS Accelerate supports using service-linked roles in all of the regions where the service is available. For more information, see [AWS regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).

## Accelerate updates to service-linked roles
<a name="slr-updates"></a>

View details about updates to Accelerate service-linked roles since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Accelerate [Document history for AMS Accelerate User Guide](doc-history.md) page.


| Change | Description | Date | 
| --- | --- | --- | 
| Updated policy – [Deployment Toolkit](#slr-deploy-acc) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/using-service-linked-roles.html) | April 4, 2024 | 
| Updated policy – [Deployment Toolkit](#slr-deploy-acc) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/using-service-linked-roles.html) | May 09, 2023 | 
| Updated policy – [Detective Controls](#slr-deploy-detect-controls) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/using-service-linked-roles.html) | April 10, 2023 | 
| Updated policy – [Detective Controls](#slr-deploy-detect-controls) | Updated the policy and added the permissions boundary policy. | March 21, 2023 | 
| New service-linked role – [Contacts SLR](#slr-contacts-service) | Accelerate added a new service-linked role for the Contacts service. This role facilitates automated notifications when incidents occur by allowing the service to read the existing tags of the affected resource and retrieve the configured email of the appropriate point of contact. | February 16, 2023 | 
| New service-linked role – [EventBridge](#slr-evb-rule) | Accelerate added a new service-linked role for an Amazon EventBridge rule. This role trusts one of the AWS Managed Services service principals (events.managedservices.amazonaws.com) to assume the role for you. The service uses the role to create an Amazon EventBridge managed rule. This rule is the infrastructure required in your AWS account to deliver alarm state change information from your account to AWS Managed Services. | February 7, 2023 | 
| Updated service-linked role – [Deployment Toolkit](#slr-deploy-acc) | Accelerate updated AWSServiceRoleForAWSManagedServicesDeploymentToolkit with new S3 permissions. These new permissions were added: <pre>"s3:GetLifecycleConfiguration",<br />"s3:GetBucketLogging",<br />"s3:ListBucket",<br />"s3:GetBucketVersioning",<br />"s3:PutLifecycleConfiguration",<br />"s3:GetBucketLocation",<br />"s3:GetObject*"</pre> | January 30, 2023 | 
| Accelerate started tracking changes | Accelerate started tracking changes for its service-linked roles. | November 30, 2022 | 
| New service-linked role – [Detective Controls](#slr-deploy-detect-controls) | Accelerate added a new service-linked role to deploy Accelerate detective controls. AWS Managed Services uses this service-linked role to deploy config-recorder, config rules and S3 bucket detective controls. | October 13, 2022 | 
| New service-linked role – [Deployment Toolkit](#slr-deploy-acc) | Accelerate added a new service-linked role to deploy Accelerate infrastructure. This role deploys AMS Accelerate infrastructure into customer accounts. | June 09, 2022 | 