Profile Applicability:
 • Level 2

Description:

Service-linked roles are IAM roles that are pre-defined by an AWS service and can be assumed only by that service. AWS Backup uses the service-linked role AWSServiceRoleForBackup (path /aws-service-role/backup.amazonaws.com/), which AWS creates automatically the first time the service needs it, for example when a backup vault is created. The role is distinct from the IAM service role that a backup plan assumes to reach protected resources such as EC2, RDS and S3 (AWSBackupDefaultServiceRole or a customer role); AWS Backup also uses a separate service-linked role, AWSServiceRoleForBackupReports, for reports. This recommendation covers the core role only.

Rationale:

Service-linked roles let AWS services such as AWS Backup act in the account with a fixed, AWS-maintained permission set and a trust policy that admits only the service principal. If AWSServiceRoleForBackup is missing, AWS Backup cannot manage vaults, recovery points or jobs, so backups and restores fail. Verifying that the role exists, lives under the service-linked role path and carries only the AWS managed policy confirms both that the service can operate and that the role has not been replaced by a hand-made role with broader trust.

Impact:

Pros:

  • Ensures that AWS Backup can interact with other AWS resources

  • Prevents operational failures caused by missing service roles

  • Simplifies the management of permissions since AWS automatically manages the permissions for service-linked roles

Cons:

  • Lack of manual control over the IAM permissions that AWS services have

  • Potential for backup and restore failures if the role is inadvertently deleted (customers cannot edit its trust policy or permissions, but can delete it once nothing depends on it)

  • May require periodic monitoring to ensure the role exists and is configured properly

Default Value:

AWS creates AWSServiceRoleForBackup automatically the first time AWS Backup needs it. The role is absent in accounts that have never used AWS Backup, and if it is deleted AWS Backup jobs fail until it is recreated.

Pre-requisites:

  • IAM permissions to inspect and manage the role: iam:ListRoles, iam:GetRole, iam:ListAttachedRolePolicies, and for remediation iam:CreateServiceLinkedRole and iam:DeleteServiceLinkedRole

  • AWS Backup is in use in the account (the role is only created the first time the service needs it)

  • Understanding that the role's trust policy and permissions are managed by AWS and cannot be edited; only its description can be changed

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Roles

  3. Search for the role named AWSServiceRoleForBackup and confirm that it exists and is shown as a service-linked role (path /aws-service-role/backup.amazonaws.com/)

  4. On the Trust relationships tab, confirm that the only trusted principal is the service backup.amazonaws.com

  5. On the Permissions tab, confirm that the AWS managed policy AWSBackupServiceLinkedRolePolicyForBackup is attached and that no other policy is attached

Using AWS CLI:

  1. Confirm that the service-linked role exists (empty output means it is missing):

     aws iam list-roles --path-prefix /aws-service-role/backup.amazonaws.com/ --query "Roles[?RoleName=='AWSServiceRoleForBackup'].Arn" --output text

  2. Inspect the role; the trust policy is returned in AssumeRolePolicyDocument and its only principal should be the service backup.amazonaws.com:

     aws iam get-role --role-name AWSServiceRoleForBackup

  3. List the attached managed policies (service-linked roles use an attached AWS managed policy, not inline policies, so get-role-policy returns nothing useful here); expect only AWSBackupServiceLinkedRolePolicyForBackup:

     aws iam list-attached-role-policies --role-name AWSServiceRoleForBackup
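The checks above can be automated against the JSON that the two CLI calls return. The following script is an added example, not part of the benchmark or of AWS tooling: it validates the path, the trust policy and the attached policies of the role, flags a look-alike role that lives under the default path or trusts an account principal, and works offline on the constructed sample documents embedded in it. The expected name, path, principal and policy name are the values AWS uses for this role; confirm them against your own account's IAM console before relying on the script.

```python
"""Audit the AWS Backup service-linked role from `aws iam` output (offline-capable).

Typical use:
  aws iam get-role --role-name AWSServiceRoleForBackup > role.json
  aws iam list-attached-role-policies --role-name AWSServiceRoleForBackup > policies.json
  python3 audit_backup_slr.py role.json policies.json
Without arguments the constructed SAMPLE_* documents below are checked instead.
"""
import json
import sys
from urllib.parse import unquote

# What a genuine, AWS-managed role looks like (assumed values; confirm in IAM).
EXPECTED_NAME = "AWSServiceRoleForBackup"
EXPECTED_PATH = "/aws-service-role/backup.amazonaws.com/"
EXPECTED_PRINCIPAL = "backup.amazonaws.com"
EXPECTED_POLICY = "AWSBackupServiceLinkedRolePolicyForBackup"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc):
    """Return findings; [] means only backup.amazonaws.com may assume the role."""
    findings = []
    allows = [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]
    if len(allows) != 1:
        findings.append(f"expected one Allow statement in trust policy, found {len(allows)}")
    for stmt in allows:
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        # Any AWS-account, user or wildcard principal means this is not the AWS-shipped trust policy.
        if not isinstance(principal, dict) or set(principal) != {"Service"} or services != [EXPECTED_PRINCIPAL]:
            findings.append(f"trust principal must be exactly Service={EXPECTED_PRINCIPAL}, got {principal!r}")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"unexpected trust actions: {stmt.get('Action')!r}")
    return findings


def check_role(get_role_output, attached_policies_output):
    """Evaluate get-role and list-attached-role-policies output; [] means compliant."""
    role = get_role_output["Role"]
    findings = []
    if role.get("RoleName") != EXPECTED_NAME:
        findings.append(f"role name is {role.get('RoleName')!r}")
    # Only a real service-linked role lives under this path; a hand-made role does not.
    if role.get("Path") != EXPECTED_PATH:
        findings.append(f"path {role.get('Path')!r} is not the service-linked role path")
    trust = role.get("AssumeRolePolicyDocument", {})
    if isinstance(trust, str):
        # The CLI decodes this field; the raw IAM API returns it URL-encoded.
        trust = json.loads(unquote(trust))
    findings.extend(check_trust_policy(trust))
    attached = {p["PolicyName"] for p in attached_policies_output.get("AttachedPolicies", [])}
    if EXPECTED_POLICY not in attached:
        findings.append(f"managed policy {EXPECTED_POLICY} is not attached")
    extra = sorted(attached - {EXPECTED_POLICY})
    if extra:
        findings.append(f"unexpected policies attached: {extra}")
    return findings


# Constructed sample: the shape of a healthy role as the CLI prints it.
SAMPLE_ROLE = {"Role": {
    "Path": EXPECTED_PATH, "RoleName": EXPECTED_NAME,
    "Arn": f"arn:aws:iam::123456789012:role{EXPECTED_PATH}{EXPECTED_NAME}",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": EXPECTED_PRINCIPAL}, "Action": "sts:AssumeRole"}]},
}}
SAMPLE_POLICIES = {"AttachedPolicies": [
    {"PolicyName": EXPECTED_POLICY,
     "PolicyArn": f"arn:aws:iam::aws:policy/aws-service-role/{EXPECTED_POLICY}"}]}

# Constructed sample: a look-alike role under the default path that trusts the account itself.
SAMPLE_LOOKALIKE = {"Role": {
    "Path": "/", "RoleName": EXPECTED_NAME,
    "Arn": f"arn:aws:iam::123456789012:role/{EXPECTED_NAME}",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "sts:AssumeRole"}]},
}}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f_role, open(argv[2]) as f_pol:
            role, policies = json.load(f_role), json.load(f_pol)
    else:
        role, policies = SAMPLE_ROLE, SAMPLE_POLICIES
    findings = check_role(role, policies)
    for finding in findings:
        print("FAIL:", finding)
    if not findings:
        print(f"PASS: {EXPECTED_NAME} is the AWS-managed service-linked role")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status makes the script usable as a compliance check in a pipeline; a "path" finding is the strongest signal, because a role outside /aws-service-role/ was not created by AWS Backup regardless of its name.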

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Roles and search for AWSServiceRoleForBackup

  3. If the role is missing, let AWS Backup create it by performing an action that needs it, such as creating a backup vault in the AWS Backup console, or create it with the CLI command below

  4. Restrict which principals may call iam:DeleteServiceLinkedRole on the role, so that it cannot be removed inadvertently; its trust policy and permissions cannot be edited in any case

Using AWS CLI:

  1. If the service-linked role is missing, create it through the service-linked role API (a plain iam create-role call cannot create a service-linked role; the /aws-service-role/ path is reserved for AWS):

     aws iam create-service-linked-role --aws-service-name backup.amazonaws.com

  2. If the call fails with an InvalidInput error stating that the role name is already taken, the role exists; re-run the Test Plan instead of creating anything by hand

Backout Plan:

Using AWS Console:

  1. AWS Backup is not a service that can be disabled or re-enabled; if the role was deleted by mistake, recreate it as described in the Implementation Plan and confirm that scheduled backup jobs complete again

  2. If a regular (non service-linked) role named AWSServiceRoleForBackup was created by hand, delete it from IAM > Roles and then create the real service-linked role

Using AWS CLI:

  1. To remove the service-linked role, use the service-linked role API (delete-role is rejected for service-linked roles); the request fails while AWS Backup resources still depend on the role:

     aws iam delete-service-linked-role --role-name AWSServiceRoleForBackup

  2. Deletion is asynchronous; track it with the DeletionTaskId returned by the previous command:

     aws iam get-service-linked-role-deletion-status --deletion-task-id <deletion-task-id>

  3. If instead a regular role with that name was created by hand, detach its policies and delete it with the ordinary role API:

     aws iam delete-role --role-name AWSServiceRoleForBackup

  4. Recreate the service-linked role:

     aws iam create-service-linked-role --aws-service-name backup.amazonaws.com

References: