AWS IAM glossary

What is an IAM Service-Linked Role?

A service-linked role is a special IAM role that is predefined by an AWS service and linked directly to it, so the service can perform actions in your account on your behalf.

Service-linked roles have a trust policy fixed to a single AWS service principal and a permissions policy defined by that service. You cannot edit either one: the only attribute you can change is the role description, and you cannot attach additional policies. In many cases the role is created automatically the first time you use the related feature; some services require you to create it explicitly with the CreateServiceLinkedRole API. Service-linked roles live under the path /aws-service-role/ and their names begin with AWSServiceRoleFor, which makes them easy to pick out in an inventory. This keeps the permissions a service needs predictable and scoped.

Because the service controls the role definition, the main review question is not what the role can do but which services have linked roles in the account and whether those services are still in use. Unused service-linked roles can be removed to shrink the surface area, but only through the service-linked role deletion process (the DeleteServiceLinkedRole API, not DeleteRole): IAM asks the owning service to confirm that no resources still depend on the role, and the deletion task fails if any do, so clean up the service's resources first.
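The review described above can be scripted. The following is an added example, not code from this glossary or from Shieldly: it takes the JSON that "aws iam get-role" returns for each role (constructed sample data here, with a made-up account id and dates), separates service-linked roles from ordinary roles by their path, pulls the linked service out of the trust policy, and uses the RoleLastUsed attribute to flag service-linked roles with no recorded use or with no use for more than a configurable number of days. The 90-day threshold and the helper names are assumptions for the example.

```python
"""Triage service-linked roles from `aws iam get-role` output, offline."""
import json
from datetime import datetime, timezone
from urllib.parse import unquote

SLR_PATH_PREFIX = "/aws-service-role/"      # every service-linked role lives here
STALE_AFTER_DAYS = 90                        # assumed review threshold, not an AWS value


def _sample_role(name, path, service, last_used=None):
    """Build a constructed get-role response for the example (not real data)."""
    role = {
        "Path": path,
        "RoleName": name,
        "Arn": f"arn:aws:iam::123456789012:role{path}{name}",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": service},
                           "Action": "sts:AssumeRole"}],
        },
        # get-role returns an empty RoleLastUsed when there is no recorded use
        "RoleLastUsed": {"LastUsedDate": last_used, "Region": "us-east-1"} if last_used else {},
    }
    return {"Role": role}


# Constructed inventory: two service-linked roles with recorded use, one without,
# and one ordinary service role that merely trusts a service principal.
SAMPLE_ROLES = [
    _sample_role("AWSServiceRoleForAutoScaling",
                 "/aws-service-role/autoscaling.amazonaws.com/",
                 "autoscaling.amazonaws.com", "2024-07-20T10:15:00+00:00"),
    _sample_role("AWSServiceRoleForRDS",
                 "/aws-service-role/rds.amazonaws.com/",
                 "rds.amazonaws.com", "2024-03-01T10:15:00+00:00"),
    _sample_role("AWSServiceRoleForAmazonGuardDuty",
                 "/aws-service-role/guardduty.amazonaws.com/",
                 "guardduty.amazonaws.com"),
    _sample_role("lambda-exec-role", "/", "lambda.amazonaws.com",
                 "2024-08-30T10:15:00+00:00"),
]
NOW = datetime(2024, 9, 1, 12, 0, tzinfo=timezone.utc)   # fixed "now" for the sample


def is_service_linked(role):
    """Service-linked roles are identified by their path, not by their name."""
    return role["Path"].startswith(SLR_PATH_PREFIX)


def linked_services(role):
    """Return the service principals the trust policy allows to assume the role."""
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):                 # raw API output is URL-encoded JSON
        doc = json.loads(unquote(doc))
    services = set()
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        services.update([svc] if isinstance(svc, str) else svc)
    return sorted(services)


def days_idle(role, now):
    """Days since RoleLastUsed, or None when IAM has no recorded use."""
    last = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if not last:
        return None
    return (now - datetime.fromisoformat(last)).days


def triage(entries, now, stale_after_days=STALE_AFTER_DAYS):
    """Classify each role; only service-linked roles get a use-based verdict."""
    findings = []
    for entry in entries:
        role = entry["Role"]
        idle = days_idle(role, now)
        if not is_service_linked(role):
            status = "standard role: review trust and permissions policies as usual"
        elif idle is None:
            status = "service-linked: no recorded use, confirm the service is in use"
        elif idle > stale_after_days:
            status = f"service-linked: idle {idle} days, candidate for deletion"
        else:
            status = f"service-linked: active, used {idle} days ago"
        findings.append({"role": role["RoleName"], "services": linked_services(role),
                         "idle_days": idle, "status": status})
    return findings


def run_example():
    return triage(SAMPLE_ROLES, NOW)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['role']:<40} {', '.join(f['services']):<28} {f['status']}")
```

RoleLastUsed only covers activity within IAM's tracking window, so "no recorded use" is a prompt to check whether the linked feature is actually enabled, not proof that the role is dead. Deleting a flagged role still goes through DeleteServiceLinkedRole, which fails if the owning service reports dependent resources.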

Common mistake

Treating every role with a service principal as suspicious. Service-linked roles are expected and cannot be tampered with in place, but you should still confirm that the linked service is actually used in the account and remove the roles for services you no longer use.


Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.