# Deployed IAM Resources

The following IAM roles and policies are created by the Code Ocean VPC CloudFormation stack, listed by logical ID with a description of each.

* **BackupRole**: Provides AWS Backup permission to create backups and perform restores on your behalf across AWS services.
* **BackupCopyRole**: Allows the BackupCopyFunction Lambda to call AWS services as part of AWS Backup snapshot copy automation.\
  BackupCopyPolicy: Core set of permissions.
* **BackupEventBridgeRole**: Allows EventBridge to call AWS services as part of AWS Backup snapshot copy automation.
* **BatchInstanceRole**: Allows EC2 instances in a Code Ocean AWS Batch ECS cluster to access ECS and other required AWS services.\
  BatchInstancePolicy: Core set of permissions.
* **BatchJobRole**: Allows Code Ocean AWS Batch jobs to access AWS services.\
  BatchJobPolicy: Core set of permissions.
* **CleanupDnsRecordSetsRole**: Allows AWS Lambda to call AWS services to delete internal Code Ocean DNS records on CloudFormation stack deletion.\
  CustomResourcePolicy: Core set of permissions.
* **JobsInstanceRole**: Allows Code Ocean EC2 jobs instances to call AWS services.\
  JobsInstancePolicy: Core set of permissions.
* **ServicesInstanceRole**: Allows EC2 services instances to call AWS services.\
  ServicesInstancePolicy: Core set of permissions.\
  ServicesInstanceDedicatedMachinesAccess: Permissions to manage EC2 instances under the Dedicated Machine Code Ocean feature.\
  ServicesAssumeRolePolicy: Permissions to assume the list of IAM roles configured through the `Assumable Roles` CloudFormation parameter.
* **S3BackupRole**: Provides AWS S3 permissions to backup buckets.\
  S3BackupReplicationPolicy: Core set of permissions.
* **WorkerInstanceRole**: Allows EC2 worker instances to call AWS services.\
  WorkerInstancePolicy: Core set of permissions.\
  WorkerAssumeRolePolicy: Permissions to assume the list of IAM roles configured through the `Assumable Roles` CloudFormation parameter.
