AWS Service: config (Service-Linked Role)

0

Hello,

My AWS account was recently hacked and we have spent days trying to find the source. We have added multiple layers of security. Having been bitten once, I have been proactively checking my AWS account. I have also raised this issue with AWS and I am awaiting their revert. A few minutes ago, I found these new entries in my roles/policies under IAM. Are these to worry about? Or are they AWS generated? I am concerned over some activities as recent as 44 minutes - 2 hours which have not been initiated by me.

AWSServiceRoleForConfig AWS Service: config (Service-Linked Role) 1 hour ago

AWSServiceRoleForResourceExplorer AWS Service: resource-explorer-2 (Service-Linked Role) 44 minutes ago

AWSServiceRoleForSecurityHub AWS Service: securityhub (Service-Linked Role) 2 hours ago

AWSServiceRoleForSupport AWS Service: support (Service-Linked Role) 21 hours ago

AWSServiceRoleForTrustedAdvisor AWS Service: trustedadvisor (Service-Linked Role)

3 Answers
0

They are AWS service-linked roles used by AWS services to perform tasks in your AWS account and to allow them to interact with your resources. As you are now using SecurityHub and haven’t received a threat, I’d not consider those harmful but rather related to some service, like TrustedAdvisor or Config, that performs checks in the background to make assessments.

Of course, I assumed you have changed account passwords, access keys and secrets for all users, enabled MFA for all, and reviewed access as you are going through CloudTrail and Security Hub.

EXPERT
answered 2 years ago
0

A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles. These are not a threat to the security of your account.

In the case of AWS Config, for example: service-linked roles are predefined by AWS Config and include all the permissions that the service requires to call other AWS services on your behalf.

AWS Config service-linked role - https://docs.aws.amazon.com/config/latest/developerguide/using-service-linked-roles.html

Also make sure you follow the steps mentioned in this account compromised article - https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/

AWS
Sejalk
answered 2 years ago
0

And just to add some information about service-linked roles (and give you peace of mind about it), by definition those types of roles can only be assumed by the specific AWS service that they are linked with. This is done through the Trust Policy in the role (which you can incidentally also view). In other words, it’s impossible for any other principal to assume and use that role.

AWS
AWS_Or
answered 2 years ago
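The trust-policy check the answers describe, as an added example that is not part of the original thread and is not AWS code: it flags any role that is not on the `/aws-service-role/<service>/` path or whose trust policy names anything other than AWS service principals. It assumes role records shaped like the output of `aws iam list-roles`; the sample roles, the account ID `111122223333`, `example-admin-role` and the function names are constructed for illustration.

```python
SLR_PATH = "/aws-service-role/"  # IAM path under which service-linked roles live

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role(role):
    """Return findings for one role record; an empty list means the role is on
    the service-linked path and trusts only AWS service principals."""
    path = role.get("Path", "")
    if not path.startswith(SLR_PATH):
        return ["not on " + SLR_PATH + " path: review its trust policy by hand"]
    linked_service = path[len(SLR_PATH):].strip("/")
    findings, trusted_services = [], set()
    for stmt in _as_list(role["AssumeRolePolicyDocument"].get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # e.g. the wildcard string "*"
            findings.append(f"non-service principal: {principal!r}")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service":
                    trusted_services.add(value)
                else:  # an AWS account, user, role or federated principal
                    findings.append(f"non-service principal: {kind}={value}")
    if linked_service not in trusted_services:
        findings.append(f"{linked_service} is not a trusted principal")
    return findings

def audit(list_roles_output):
    return {r["RoleName"]: audit_role(r) for r in list_roles_output["Roles"]}

def _role(name, path, principal):  # helper that builds constructed sample records
    return {"RoleName": name, "Path": path, "AssumeRolePolicyDocument": {
        "Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}}

# Constructed sample input, not real account data.
SAMPLE = {"Roles": [
    _role("AWSServiceRoleForConfig", "/aws-service-role/config.amazonaws.com/",
          {"Service": "config.amazonaws.com"}),
    _role("AWSServiceRoleForSecurityHub", "/aws-service-role/securityhub.amazonaws.com/",
          {"Service": "securityhub.amazonaws.com"}),
    _role("example-admin-role", "/", {"AWS": "arn:aws:iam::111122223333:root"}),
]}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", findings or "service-linked, service principal only")
```

To run it against a real account, load the JSON printed by `aws iam list-roles` with `json.load` and pass the resulting dictionary to `audit`.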
