# Using Service-Linked Roles for User Notifications

AWS User Notifications uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to User Notifications. Service-linked roles are predefined by User Notifications and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role streamlines setting up User Notifications because you don’t have to manually add the necessary permissions. User Notifications defines the permissions of its service-linked roles. Unless defined otherwise, only User Notifications can assume its roles. The defined permissions include the trust policy and the permissions policy. That permissions policy can't be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

**Topics**
+ [AWS User Notifications service-linked role for calling AWS services, publishing metrics, and using AWS Organizations](slr-call-services.md)
+ [Supported Regions for User Notifications service-linked roles](#slr-regions)
+ [Amazon EventBridge managed rules in AWS User Notifications](ev-managed-rules.md)

# AWS User Notifications service-linked role for calling AWS services, publishing metrics, and using AWS Organizations

User Notifications uses the service-linked role named **AWSServiceRoleForAWSUserNotifications**. This role allows User Notifications to call AWS services on your behalf and use AWS Organizations to manage your notification configurations across your organizations. It also allows the role to publish metrics in the `AWS/Notifications` namespace.

## Service-Linked Role Permissions for User Notifications

The **AWSServiceRoleForAWSUserNotifications** service-linked role trusts the following services to assume the role:
+ `notifications.amazonaws.com`
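The statement above (only `notifications.amazonaws.com` may assume the role) is something you can verify rather than assume. The following is an added example, not code from the AWS documentation: it parses a role's trust policy (the `AssumeRolePolicyDocument` that `aws iam get-role --role-name AWSServiceRoleForAWSUserNotifications` returns) and reports any principal other than the expected service. The two policy documents embedded below are constructed samples in the shape IAM uses; the expected principal set is taken from this page, and the account ID in the tampered sample is a placeholder.

```python
"""Audit which principals a service-linked role's trust policy lets assume it.

Added example (not AWS code). Feed it the AssumeRolePolicyDocument from
`aws iam get-role`; the samples below are constructed for illustration.
"""
import json

# Assumption from this page: only the User Notifications service principal
# should be able to assume AWSServiceRoleForAWSUserNotifications.
EXPECTED_PRINCIPALS = {"notifications.amazonaws.com"}

# Constructed sample: the expected shape of a service-linked role trust policy.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "notifications.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
})

# Constructed sample: same policy with an extra account principal added
# (placeholder account ID), the kind of drift an audit should flag.
TAMPERED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "notifications.amazonaws.com",
                "AWS": "arn:aws:iam::123456789012:root",
            },
            "Action": ["sts:AssumeRole"],
        }
    ],
})


def _as_list(value):
    """IAM accepts a scalar or a list in Principal/Action fields; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_principals(policy_json):
    """Return the set of principals that Allow statements let assume the role.

    Collects Service, AWS and Federated principals plus the wildcard "*".
    Statements whose actions are not an sts:AssumeRole* variant are skipped.
    """
    policy = json.loads(policy_json)
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not any(a.startswith("sts:assumerole") or a in ("sts:*", "*")
                   for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.add("*")
            continue
        for key in ("Service", "AWS", "Federated"):
            found.update(_as_list((principal or {}).get(key)))
    return found


def audit_trust_policy(policy_json, expected=EXPECTED_PRINCIPALS):
    """Return (ok, unexpected_principals).

    ok is True only when the trusted set is exactly `expected`; every other
    principal (another service, an account ARN, a wildcard) is listed so a
    reviewer sees exactly who else could assume the role.
    """
    actual = trusted_principals(policy_json)
    unexpected = actual - set(expected)
    return (not unexpected and actual == set(expected)), sorted(unexpected)


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_TRUST_POLICY),
                      ("tampered", TAMPERED_TRUST_POLICY)):
        ok, extra = audit_trust_policy(doc)
        print(f"{name}: ok={ok} unexpected={extra}")
```

The check deliberately treats any principal outside the expected set as a finding, including a wildcard, because a service-linked role's permissions policy is scoped for the service, not for an arbitrary caller.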

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

When you create a notification hub or a notification configuration, User Notifications creates the role's permissions policy, `AWSUserNotificationsServiceLinkedRolePolicy`. For more information, see [AWS managed policy: AWSUserNotificationsServiceLinkedRolePolicy](security-iam-awsmanpolicy.md#managed-policy-uno).

You don't need to take any action to support this role beyond using User Notifications.

## Creating a Service-Linked Role for User Notifications

You don't need to manually create a service-linked role. When you create a notification hub or a notification configuration in the AWS Management Console, or when you enable service trust with AWS Organizations, User Notifications creates the service-linked role for you. 

If you delete this service-linked role and need to create it again later, you can use the same process to recreate the role in your account. When you create a notification hub or a notification configuration, User Notifications creates the service-linked role for you again. 

## Editing a Service-Linked Role for User Notifications

User Notifications doesn't allow you to edit the AWSServiceRoleForAWSUserNotifications service-linked role. After you create a service-linked role, you can't change the name of the role. This is because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Manually deleting a Service-Linked Role for User Notifications

Under specific circumstances, you can manually delete the AWSServiceRoleForAWSUserNotifications service-linked role. To delete the User Notifications service-linked role, you must first delete all notification configurations in the account. You can delete all User Notifications notification configurations using the User Notifications console. You then use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAWSUserNotifications service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

**Note**  
If the User Notifications service is using the role when you try to delete the resources, the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete notification configurations**

1. Open User Notifications in the [AWS Management Console](https://console.aws.amazon.com/).

1. In the navigation pane, choose **Notification configurations**.

1. Select the configuration you want to delete.

1. Choose **Delete**.

## Supported Regions for User Notifications Service-Linked Roles

User Notifications supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).

# Amazon EventBridge managed rules in AWS User Notifications

AWS User Notifications uses Amazon EventBridge managed rules. A managed rule is a unique type of rule that is directly linked to User Notifications. These rules match incoming events and send them to targets for processing. Managed rules are predefined by User Notifications and include the event patterns that the service requires to manage customer notifications; unless defined otherwise, only the owning service can use these managed rules. For more information, see [Rules](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html) in the *Amazon EventBridge User Guide*.

User Notifications managed rules are linked to the `notifications.amazonaws.com` service principal and are managed through the [`AWSUserNotificationsServiceLinkedRolePolicy` service-linked role](slr-call-services.md). Deleting these rules requires an explicit confirmation from the customer. For more information, see [Deleting managed rules for AWS User Notifications](#delete-rules).

## Amazon EventBridge managed rules deployed by AWS User Notifications

The following table lists the Amazon EventBridge managed rules that User Notifications deploys:


| Rule name | Description | Definition | 
| --- | --- | --- | 
| AWSUserNotificationsManagedRule- | AWS User Notifications rule for a source. The source can be any Amazon EventBridge source, for example `aws.cloudwatch`. | Example: <pre>{"source": ["aws.cloudwatch"], "detail-type": ["CloudWatch Alarm State Change"]}</pre> | 

**Note**  
The managed rule that User Notifications creates in EventBridge contains only the `source` and `detail-type` fields, regardless of whether the User Notifications event rule includes additional filters. User Notifications always filters events according to the User Notifications event rule. For example, the User Notifications event rule for an Amazon Elastic Compute Cloud (Amazon EC2) instance state change to "terminated", "stopping", "stopped", or "shutting-down" is:

```json
{
  "source": ["aws.ec2"],
  "detail-type": ["EC2 Instance State-change Notification"],
  "detail": {
    "state": ["terminated", "stopping", "stopped", "shutting-down"]
  }
}
```

The corresponding EventBridge managed rule is:

```json
{
  "source": ["aws.ec2"],
  "detail-type": ["EC2 Instance State-change Notification"]
}
```

This rule generates notifications only for Amazon EC2 instance state changes to "terminated", "stopping", "stopped", or "shutting-down". It won't generate notifications for other state changes.
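The two patterns above differ in what they admit, and the difference is easiest to see by running both over sample events. The following is an added example, not code from the AWS documentation: a small matcher for the literal-value subset of EventBridge event pattern semantics (lists of exact values, nested objects), which is all these two patterns use; content filters such as `prefix` or `anything-but` are deliberately not implemented. The EC2 and CloudWatch events are constructed samples trimmed to the fields the patterns read.

```python
"""Show which EC2 state changes the managed rule forwards and which ones the
User Notifications event rule turns into notifications.

Added example (not AWS code). Only literal matching is implemented.
"""

# The User Notifications event rule from the page.
USER_NOTIFICATIONS_EVENT_RULE = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["terminated", "stopping", "stopped", "shutting-down"]},
}

# The EventBridge managed rule from the page: source and detail-type only.
MANAGED_RULE = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
}


def matches(pattern, event):
    """Return True if `event` satisfies `pattern` (literal subset only).

    Every key in the pattern must exist in the event. A list in the pattern
    is an OR of allowed literal values; a dict recurses into the nested
    object. An event field that is itself a list matches if any element is
    allowed, which is how EventBridge treats array-valued fields.
    """
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True


def make_ec2_state_event(state, instance_id="i-0123456789abcdef0"):
    """Constructed sample EC2 state-change event (placeholder instance ID)."""
    return {
        "source": "aws.ec2",
        "detail-type": "EC2 Instance State-change Notification",
        "detail": {"instance-id": instance_id, "state": state},
    }


# Constructed sample from a different source; matches neither pattern.
CLOUDWATCH_ALARM_EVENT = {
    "source": "aws.cloudwatch",
    "detail-type": "CloudWatch Alarm State Change",
    "detail": {"state": {"value": "ALARM"}},
}


def classify(event):
    """Return (forwarded_by_managed_rule, notification_generated)."""
    return matches(MANAGED_RULE, event), matches(USER_NOTIFICATIONS_EVENT_RULE, event)


if __name__ == "__main__":
    for state in ("pending", "running", "stopping", "terminated"):
        print(state, classify(make_ec2_state_event(state)))
    print("cloudwatch alarm", classify(CLOUDWATCH_ALARM_EVENT))
```

Every EC2 state-change event is forwarded by the managed rule (the first value is `True` for all four states), but only "stopping" and "terminated" produce a notification; the narrowing to the four listed states happens in User Notifications, not in EventBridge.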

## Creating managed rules for AWS User Notifications

You don't need to manually create Amazon EventBridge managed rules. Managed rules are automatically created for you, based on the event rules you specify, when you create notification configurations.

User Notifications creates one managed rule per source (for example, EC2 or S3). A newly created event rule reuses the existing managed rule for its source where one exists; if no matching managed rule is found, User Notifications creates a new managed rule.

## Editing managed rules for AWS User Notifications

User Notifications doesn't allow you to edit managed rules. The name, description, and event pattern for each managed rule are predefined by User Notifications.

## Deleting managed rules for AWS User Notifications

**Warning**  
Don't delete User Notifications managed rules unless you're certain that all dependent event rules have been removed. Deleting managed rules that User Notifications is still using may cause some notifications to stop working. For more information, see [Rules managed by AWS services](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html#eb-rules-managed) in the *Amazon EventBridge User Guide*.

You don't need to manually delete managed rules. When you delete a notification configuration, or a specific event rule within a notification configuration, User Notifications cleans up the resources and deletes the applicable managed rules it owns for you.