Indirect permissions with service-linked roles

Question

Hello,
I am creating  the assumed roles for the **users **of my organization.
I am attaching an **AWS managed **policy such as **arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess.**
I have seen that this policy has the following statement:

```
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole".
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "replication.dynamodb.amazonaws.com",
                        "dax.amazonaws.com",
                        "dynamodb.application-autoscaling.amazonaws.com",
                        "contributorinsights.dynamodb.amazonaws.com",
                        "kinesisreplication.dynamodb.amazonaws.com".
                    ]
                }
            }
        }
```
So is supposed to "Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf."
If I wanted to create a custom policy for a **user role**, and include a statement as the example.

```
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole".
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        **"s3.amazonaws.com",**
                        **"lambda.amazonaws.com",**
                        "dynamodb.application-autoscaling.amazonaws.com",
                    ]
                }
            }
        }
```

1) What impact would these service-linked roles have for the user who assumes this role with this attached policy? 
Would the user have indirect permissions for lambda or S3?

2) Would it be good practice to use service-linked roles? Or should it be used only for service roles?

ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

Accepted Answer

Service linked roles (SLR) can be assumed only by AWS services to call other AWS services on your behalf. The permissions in the second policy allow an IAM principal to create the SLR for the specific services. Once that the SLR are created, the respective AWS services can operate in the account.
Without the required SLRs, the respective services will not work.

Service Linked Roles and [Service Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) are very different: you control Service Roles and their policies, while Service Linked Roles are managed by AWS - you can only allow the creation of the SLR, but you can't control their policies. For example, AWS Lambda can use service roles for allowing a function to access AWS services: you will define what permissions are required by your application. On the other hand, to [create an Amazon EKS cluster](https://docs.aws.amazon.com/eks/latest/userguide/using-service-linked-roles-eks.html#service-linked-role-permissions-eks) you must have an SLR that allows EKS to create the required resources. If the SLR required by EKS does not exist in the account already, and the principal trying to create the EKS cluster does not have the permissions to create the SLR, then the creation of the cluster will fail.

Indirect permissions with service-linked roles

관련 콘텐츠