In AWS we use Identity & Access Management (IAM) Roles to provide temporary credentials for accessing AWS Resources. Permissions are assigned to Roles through IAM Policies, which determine the actions the consumer of the Role can carry out.

AWS Service Roles are a way in which an AWS Service can assume an IAM Role to access AWS resources on your behalf. An example of an AWS Service Role is an Elastic Compute Cloud (EC2) Instance Role, which can be given the permissions to access an S3 Bucket. This allows us to move away from local credentials, which is recommended best practice, and use IAM Roles instead.

AWS Service Roles also provide us with reusability. The same IAM Role can be assumed by multiple instances, we don't need to manage credentials across each instance. This also means we can control permissions in a central location, and any changes are reflected immediately across instances that assume that IAM Role.

AWS Service Linked Roles work in much the same way, but they are read-only AWS Managed IAM Roles, which are required for some AWS services to function. They come pre-configured with AWS managed IAM Policies attached, trust relationship, and permissions; allowing only the required AWS service to carry out specific actions.

An example AWS Service Linked Role is the AWSServiceRoleForECS, which is used to manage Elastic Container Service (ECS) clusters. As the image below shows, it comes pre-configured with a trust relationship, meaning it can only be assumed by the ECS service.

The trust relationship of the AWSServiceRoleForECS Service Linked Role
The trust relationship of the AWSServiceRoleForECS Service Linked Role

You can take a look at the AWS Service Linked Roles in your AWS account, which are located within the IAM Role section of the IAM service dashboard. They're worth exploring to learn more about how AWS services communicate with other AWS services to function. When you navigate to the IAM Roles section of the dashboard, they will look something like this:

AWS Service Linked Roles shown in the AWS Console IAM service dashboard

AWS Service Roles

Allow you to provide your own customer managed or AWS Managed Policies

AWS Service Linked Roles

Pre-configured with a specific set of read-only AWS Managed Policies that are only used by a single service

You can find out more about the AWS services which work with IAM here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html