For cloud servers we need access to Amazon EC2 and CloudWatch. To manage DNS we need access to Route53. For backups, we need access to Amazon S3 buckets with the tklbam-* prefix.
Follow the step-by-step instructions on the Amazon account setup page. Even if you've never created an IAM role before, this should only take a minute or so.
IAM is AWS's Identity and Access Management system. An IAM role is the secure, recommended way to authorize apps to call the AWS API on your behalf.
Before IAM roles, the only way to provide access was to share secret keys which could get stolen. Worse, there was no way to tell who was using those keys to access your account or what they were doing.
With IAM roles, there are no keys to steal, and access can be logged by role to keep track of all actions performed on your behalf by third-party apps.
We recommend enabling AWS CloudTrail to log all API calls performed on your account from all apps.
The role tells AWS which app to authorize (e.g., the TurnKey Hub) and what resources to give it access to. The app can then assume that role by getting short-lived credentials from the AWS Security Token Service. All actions by the app can be logged and audited.
Read more: IAM roles - AWS Identity and Access Management
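One way to audit by role as described above, shown as an added example (not TurnKey Hub or AWS code): it reads a CloudTrail log file, keeps only calls made with one role's temporary credentials, and flags any call outside the services and tklbam- bucket prefix listed on this page. The role ARN, account ID and log records are constructed placeholders.

```python
import json
from collections import Counter

# CloudTrail eventSource values for the services the page lists.
EXPECTED_SOURCES = {"ec2.amazonaws.com", "monitoring.amazonaws.com",  # EC2, CloudWatch
                    "route53.amazonaws.com", "s3.amazonaws.com"}      # Route53, S3
BUCKET_PREFIX = "tklbam-"

def audit_role_activity(log_text, role_arn):
    """Return (call counts, out-of-scope findings) for sessions of one IAM role."""
    counts, findings = Counter(), []
    for rec in json.loads(log_text).get("Records", []):
        ident = rec.get("userIdentity") or {}
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        if ident.get("type") != "AssumedRole" or issuer.get("arn") != role_arn:
            continue  # not a call made with this role's temporary credentials
        source, name = rec.get("eventSource", ""), rec.get("eventName", "")
        counts[f"{source}:{name}"] += 1
        if source not in EXPECTED_SOURCES:
            findings.append((rec.get("eventTime"), name, "service outside expected set"))
        elif source == "s3.amazonaws.com":
            # requestParameters may be null in CloudTrail records
            bucket = (rec.get("requestParameters") or {}).get("bucketName", "")
            if not bucket.startswith(BUCKET_PREFIX):
                findings.append((rec.get("eventTime"), name, f"bucket {bucket!r} outside prefix"))
    return dict(counts), findings

# Constructed sample log (not real data); account ID and role name are placeholders.
ROLE = "arn:aws:iam::111122223333:role/example-hub-role"

def _rec(time, source, name, params=None, arn=ROLE, kind="AssumedRole"):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "requestParameters": params,
            "userIdentity": {"type": kind,
                             "sessionContext": {"sessionIssuer": {"arn": arn}}}}

SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "ec2.amazonaws.com", "RunInstances"),
    _rec("2024-01-01T10:05:00Z", "s3.amazonaws.com", "CreateBucket", {"bucketName": "tklbam-example01"}),
    _rec("2024-01-01T10:06:00Z", "s3.amazonaws.com", "DeleteBucket", {"bucketName": "finance-reports"}),
    _rec("2024-01-01T10:07:00Z", "iam.amazonaws.com", "CreateUser", {"userName": "x"}),
    _rec("2024-01-01T10:08:00Z", "iam.amazonaws.com", "CreateUser", kind="IAMUser"),
]})

if __name__ == "__main__":
    counts, findings = audit_role_activity(SAMPLE_LOG, ROLE)
    print(counts)
    for f in findings:
        print("REVIEW:", *f)
```

Object-level S3 calls only appear in CloudTrail when data events are enabled for the trail, so the sample uses bucket-level management events.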
As long as you don't revoke the IAM role. You can revoke an IAM role at any time through the AWS Console, but then we won't be able to provide you with service until you set up a new IAM role.