The roles related to "pump" don't sound like anything standard in AWS, but in general, you can usually get an idea of what they do in two ways: first, look at the trust policy of the role. Especially if the role is used by an AWS service, you'll usually see its name as the "Service" in the "Principal" element. If it's a custom cross-account role, as the case might be for the "pump" roles, you'll usually see the AWS account ID from where the role is allowed to be assumed.
Secondly, look at the permissions policies attached to the role. Unless the policy is overly permissive, it will usually show at least which services are used, and potentially in greater detail which exact resources, such as S3 buckets or SQS queues, are used by whoever is using the role.
You can also see on the "access advisor" tab of the role which services it has recently been used to access, even when the policy is excessively permissive and non-specific.
AWSServiceRoleForSupport is for AWS's support team to access your environment if you ask them to assist. It won't involve any notable costs: https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html
AWSServiceRoleForTrustedAdvisor is used by Trusted Advisor (https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-ta.html), which gives you suggestions on potential suboptimal or incorrect configurations in your environment that might improve your security, decrease costs, or otherwise be beneficial for you to look into and possibly remedy.
Neither of those AWSServiceRole* roles will incur any notable charges. Support might look around your environment and incur tiny costs for a small number of API calls, but it would probably round down to zero cents in your bill.
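Added example, not part of the original answer: a small Python helper that reads a role's trust policy document and reports who is allowed to assume it, separating AWS service principals from cross-account account IDs as the answer describes. The function name, the sample policies and the account ID `111122223333` are constructed for illustration.

```python
import json
import re

# Account ID embedded in an IAM/STS principal ARN, e.g. arn:aws:iam::111122223333:root
ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def summarize_trust_policy(policy):
    """Return sorted (kind, identity) pairs for each principal allowed to assume the role."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # wildcard: any principal can attempt to assume the role
            found.add(("anyone", "*"))
            continue
        for ptype, values in principal.items():
            for value in _as_list(values):
                if ptype == "Service":
                    found.add(("service", value))
                elif ptype != "AWS":  # e.g. Federated identity providers
                    found.add((ptype.lower(), value))
                elif value == "*":
                    found.add(("anyone", "*"))
                elif re.fullmatch(r"\d{12}", value):
                    found.add(("account", value))
                else:
                    m = ARN_ACCOUNT.match(value)
                    found.add(("account", m.group(1)) if m else ("other", value))
    return sorted(found)

# Constructed sample documents (placeholder account ID, not taken from the question).
SERVICE_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "support.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
CROSS_ACCOUNT_ROLE = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "111122223333"]}}})

if __name__ == "__main__":
    for name, doc in [("service role", SERVICE_ROLE), ("cross-account", CROSS_ACCOUNT_ROLE)]:
        print(name, summarize_trust_policy(doc))
```

The input can be the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`.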
