A service-linked role is an IAM role linked to an AWS service.
- defined by the service
- can be created by the service or by a user
- cannot be deleted while it is still used by the service
Role separation best practices
Do role separation with iam:PassRole (pass a role to a service): allow one group of users to create/manage roles, allow another group (e.g. a service) to assume the role, and never give both permissions to the same group.
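One way to check the separation described above is to audit IAM policy documents for a single principal holding both role-management actions and iam:PassRole, and for PassRole grants that lack resource scoping or an iam:PassedToService condition. This is an added example, not AWS documentation or tooling; the three policies are constructed for illustration.

```python
import json
from fnmatch import fnmatch

# Actions that let a principal create a role or change its permissions.
ROLE_MANAGE = {"iam:CreateRole", "iam:AttachRolePolicy",
               "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy"}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def _grants(statement, action):
    # IAM action names are case-insensitive and may use wildcards (iam:*).
    return any(fnmatch(action.lower(), p.lower())
               for p in _as_list(statement.get("Action", [])))

def audit_policy(policy):
    """Return a list of findings; an empty list means the policy respects separation."""
    findings = []
    stmts = _allow_statements(policy)
    pass_stmts = [s for s in stmts if _grants(s, "iam:PassRole")]
    managed = sorted(a for a in ROLE_MANAGE if any(_grants(s, a) for s in stmts))
    if pass_stmts and managed:
        findings.append("iam:PassRole combined with role management: " + ", ".join(managed))
    for s in pass_stmts:
        if "*" in _as_list(s.get("Resource", [])):
            findings.append("iam:PassRole allowed on Resource '*'")
        cond_keys = {k.lower() for v in s.get("Condition", {}).values() for k in v}
        if "iam:passedtoservice" not in cond_keys:
            findings.append("iam:PassRole without iam:PassedToService condition")
    return findings

# Constructed policies (placeholder account id 123456789012).
ROLE_ADMIN = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["iam:CreateRole", "iam:AttachRolePolicy"], "Resource": "*"}]}''')
SERVICE_USER = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/app-task-role",
  "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}''')
OVERPRIVILEGED = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["iam:*"], "Resource": "*"}]}''')

if __name__ == "__main__":
    for name, pol in [("ROLE_ADMIN", ROLE_ADMIN), ("SERVICE_USER", SERVICE_USER),
                      ("OVERPRIVILEGED", OVERPRIVILEGED)]:
        print(name, audit_policy(pol) or "OK")
```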
ARN format
Note that the ARN format for service roles differs by service and is case-sensitive. Always consult the documentation for the exact ARN format.