# Deployed IAM Resources

The following IAM roles and policies are created by the Code Ocean VPC CloudFormation stack. Each entry gives the role's logical ID and description, followed by the policies attached to it.

* **BackupRole**: Provides AWS Backup permission to create backups and perform restores on your behalf across AWS services.
* **BatchInstanceRole**: Allows EC2 instances in a Code Ocean AWS Batch ECS cluster to access ECS and other required AWS services.\
  BatchInstancePolicy: Core set of permissions.
* **BatchJobRole**: Allows Code Ocean AWS Batch jobs to access AWS services.\
  BatchJobPolicy: Core set of permissions.
* **CleanupDnsRecordSetsRole**: Allows AWS Lambda to call AWS services to delete internal Code Ocean DNS records on CloudFormation stack deletion.\
  CustomResourcePolicy: Core set of permissions.
* **S3PipelineStagingReplicationRole**: Allows S3 to replicate objects from the PipelineStaging bucket.\
  S3PipelineStagingReplicationPolicy: Core set of permissions.
* **ServicesInstanceRole**: Allows EC2 services instances to call AWS services.\
  ServicesInstancePolicy: Core set of permissions.\
  ServicesInstanceDedicatedMachinesAccess: Permissions to manage EC2 instances under the Dedicated Machine Code Ocean feature.\
  ServicesAssumeRolePolicy: Permissions to assume the list of IAM roles configured through the `Assumable Roles` CloudFormation parameter.
* **WorkerInstanceRole**: Allows EC2 worker instances to call AWS services.\
  WorkerInstancePolicy: Core set of permissions.\
  WorkerAssumeRolePolicy: Permissions to assume the list of IAM roles configured through the `Assumable Roles` CloudFormation parameter.
