You're correct that service-linked roles are not affected by Resource Control Policies (RCPs). According to the documentation, RCPs do not apply to calls made by service-linked roles. Service-linked roles enable AWS services to perform necessary actions on your behalf and can't be restricted by RCPs.
Service-linked roles are a unique type of IAM role that is directly linked to an AWS service. These roles are predefined by the AWS service and include all the permissions that the service requires to call other AWS services on your behalf. The permissions for service-linked roles are defined by the AWS service that owns the role, and these permissions cannot be attached to any other IAM entity.
The permissions of a service-linked role include a trust policy and a permissions policy. The trust policy defines which service can assume the role, and the permissions policy defines what actions the role can perform. These policies are predefined by the AWS service and cannot be modified by users, except in some cases where you might be able to edit the description of the role.
In summary, service-linked roles have their own predefined permissions policies that are managed by the respective AWS service, and they are not affected by RCPs. The permissions of service-linked roles are determined solely by the AWS service that owns them.
Sources
Resource control policies (RCPs) - AWS Organizations
Using service-linked roles for AWS Marketplace - AWS Marketplace
Using Service-Linked Roles for AWS Config - AWS Config
To add to the re:Post answer, SCP does not impact service-linked roles either. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#not-restricted-by-scp
Unfortunately this answer does not answer my question, which in simpler words is: are service-linked roles affected by resource-based policies?