Posted On: Feb 20, 2018

Today, Amazon EC2 Auto Scaling is introducing support for using AWS Identity and Access Management (IAM) service-linked roles, a new type of role that allows you to easily delegate permissions to AWS services. 

EC2 Auto Scaling service-linked roles are predefined by EC2 Auto Scaling and include all the permissions that the service requires to call other AWS services on your behalf. Actions that EC2 Auto Scaling performs on your behalf include launching and terminating EC2 instances, and creating Amazon CloudWatch alarms when you create a target tracking scaling policy. When you create an Auto Scaling group, EC2 Auto Scaling automatically creates the default EC2 Auto Scaling service-linked role in your account if one does not already exist. Alternatively, you can create a service-linked role other than the default through IAM and pass its ARN to the Auto Scaling group when you create the group.

Unlike a normal IAM role, a service-linked role cannot be deleted while it is still in use by one or more Auto Scaling groups; the deletion fails until those groups have been deleted. This protects you from inadvertently revoking permissions that EC2 Auto Scaling requires. Because the role's permissions are defined by the service, you also cannot attach additional policies to it or remove the ones it carries, which keeps the role's scope tied to what EC2 Auto Scaling needs. Service-linked roles also help with monitoring and auditing in AWS CloudTrail: actions performed by EC2 Auto Scaling are logged against the respective service-linked role, so they can be distinguished from actions taken by your own users and roles.
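To make the auditing point concrete, here is an added example (not code from this announcement or from AWS) that runs over constructed CloudTrail-style records and separates the calls made by the EC2 Auto Scaling service-linked role from calls made by your own users and roles. It matches on the role's IAM path rather than its name, so it covers both the default role and a role created with a custom suffix. The account ID, session names, the custom-suffix role name `AWSServiceRoleForAutoScaling_prod`, and the list of services the role is expected to call are assumptions made for the example.

```python
"""Attribute CloudTrail events to the EC2 Auto Scaling service-linked role.

Added example, not code from the announcement or from AWS. The records below
are constructed by hand in the CloudTrail record shape; the account ID,
session names, the custom-suffix role name and the expected-service list are
assumptions for this example.
"""

# Every EC2 Auto Scaling service-linked role, default or custom-suffixed, is
# created under this IAM path, so the path is a more robust match than a name.
SLR_PATH = "/aws-service-role/autoscaling.amazonaws.com/"
SLR_SERVICE = "autoscaling.amazonaws.com"

# Services the role is expected to call on a group's behalf (assumption for
# this example): EC2 for instances, CloudWatch ("monitoring") for alarms.
EXPECTED_SOURCES = {"ec2.amazonaws.com", "monitoring.amazonaws.com"}

ACCOUNT = "123456789012"  # placeholder account ID


def _slr_identity(role_name, invoked_by=SLR_SERVICE):
    """Constructed userIdentity block for a service-linked role session."""
    ident = {
        "type": "AssumedRole",
        "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role_name}/AutoScaling",
        "sessionContext": {"sessionIssuer": {
            "type": "Role",
            "arn": f"arn:aws:iam::{ACCOUNT}:role{SLR_PATH}{role_name}",
            "userName": role_name,
        }},
    }
    if invoked_by:
        ident["invokedBy"] = invoked_by
    return ident


SAMPLE_EVENTS = [
    # 1. Auto Scaling launching an instance through the default role.
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": _slr_identity("AWSServiceRoleForAutoScaling")},
    # 2. A custom-suffix role creating a target tracking alarm.
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm",
     "userIdentity": _slr_identity("AWSServiceRoleForAutoScaling_prod")},
    # 3. An IAM user creating a group: the human side of the trail.
    {"eventSource": "autoscaling.amazonaws.com", "eventName": "CreateAutoScalingGroup",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}},
    # 4. An ordinary assumed role terminating an instance: not the SLR.
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/DeployRole/ci",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role", "userName": "DeployRole",
                          "arn": f"arn:aws:iam::{ACCOUNT}:role/DeployRole"}}}},
    # 5. Constructed anomaly: an SLR session with no invokedBy, calling IAM.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": _slr_identity("AWSServiceRoleForAutoScaling", invoked_by=None)},
]


def slr_role_name(event):
    """Return the EC2 Auto Scaling SLR name an event ran under, or None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    issuer_arn = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    marker = ":role" + SLR_PATH
    if marker not in issuer_arn:
        return None
    return issuer_arn.split(marker, 1)[1]


def attribute(events):
    """Group (eventSource, eventName) pairs by the SLR that performed them."""
    by_role = {}
    for event in events:
        name = slr_role_name(event)
        if name is not None:
            by_role.setdefault(name, []).append((event["eventSource"], event["eventName"]))
    return by_role


def anomalies(events, expected_sources=EXPECTED_SOURCES):
    """Return SLR-session events that do not look like Auto Scaling's own work.

    Only autoscaling.amazonaws.com can assume the role, so a session without
    invokedBy=autoscaling.amazonaws.com, or one calling a service outside the
    expected set, deserves a closer look.
    """
    flagged = []
    for event in events:
        if slr_role_name(event) is None:
            continue
        invoked_by = event["userIdentity"].get("invokedBy")
        if invoked_by != SLR_SERVICE or event["eventSource"] not in expected_sources:
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    for role, actions in attribute(SAMPLE_EVENTS).items():
        print(role)
        for source, name in actions:
            print(f"  {source}: {name}")
    for event in anomalies(SAMPLE_EVENTS):
        print("ANOMALY:", event["eventSource"], event["eventName"])
```

Matching on the path means a role created through IAM with a custom suffix is attributed the same way as the default role, and the `invokedBy` check is what separates the service acting through the role from anything else that might present the role's session.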

Service-linked roles for EC2 Auto Scaling will be enabled in all public AWS regions and in the AWS GovCloud (US) region over the next few weeks. No action is required from EC2 Auto Scaling customers; you can continue using the service the way you do today. For existing customers, EC2 Auto Scaling will add the default service-linked role to your account and update your existing Auto Scaling groups to use it during that rollout. You can learn more about how EC2 Auto Scaling uses service-linked roles by referring to our documentation.