Profile Applicability: Level 1


Description: 

A support role is an IAM role configured to allow authorized users to manage incidents with AWS Support. AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.

AWS Support provides a mix of tools and technology, people and programs designed to proactively help you optimize performance, lower costs, and innovate faster.


Rationale:

Following the principle of least privilege, access to the AWS Support Center should be granted through a dedicated IAM role that carries the appropriate IAM policy (AWSSupportAccess). Only principals who are allowed to assume that role can then open and manage incidents with AWS Support, rather than every user being granted support permissions directly.


Impact:

All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. Enterprise Support plans have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month’s AWS usage charges, subject to a monthly minimum, billed in advance.


Default Value:


By default, AWS does not attach the AWSSupportAccess managed policy to any role.


Audit:

Via AWS Console

Step 1: Log in to the AWS Console with administrative access and go to the IAM dashboard at https://console.aws.amazon.com/iam/

Step 2: Click Roles in the left navigation panel

Step 3: Click the IAM role you want to audit

Step 4: Click the Permissions tab

Step 5: Check for a policy named “AWSSupportAccess” in the list of attached policies. If no policy named “AWSSupportAccess” is attached, the selected role does not qualify as the IAM support role.

Repeat these steps for every other IAM role. If “AWSSupportAccess” is not attached to any role, no IAM support role currently exists in your AWS account.

Via CLI:

Step 1: Confirm that the AWS managed policy exists and retrieve its ARN:

aws iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn[]"

Step 2: List the IAM roles that currently have the “AWSSupportAccess” policy attached. The response also carries PolicyUsers and PolicyGroups; the query below keeps only the roles, which is what this control checks (adding --entity-filter Role restricts the response to roles on the server side as well):

aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --query "PolicyRoles[*].RoleName"

This command returns the names of the IAM roles to which the “AWSSupportAccess” policy is attached. If it returns an empty array, i.e. [], the policy is not attached to any role, so there is no active IAM support role in your AWS account.
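The check in Step 2 can be scripted so it runs in a scheduled audit rather than by eye. The Python below is an added example for this page, not part of the original CLI steps: it parses the JSON shape returned by list-entities-for-policy (the embedded response is a constructed sample, not real account data), passes the control when at least one role carries the policy, and, as an extra caution this example adds, warns when the policy is attached directly to users or groups instead of going through a role. The fetch_entities_for_policy helper shows how to feed it the live CLI output; it needs the AWS CLI and credentials and is not used by the offline run.

```python
"""Evaluate the JSON returned by `aws iam list-entities-for-policy` for the
AWSSupportAccess managed policy. Added example; the response below is a
constructed sample, not data from a real account."""
import json
import subprocess

SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"

# Constructed sample in the shape of the list-entities-for-policy response
# (PolicyGroups / PolicyUsers / PolicyRoles). Names and IDs are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "PolicyGroups": [],
    "PolicyUsers": [{"UserName": "alice", "UserId": "AIDAEXAMPLE00000000001"}],
    "PolicyRoles": [{"RoleName": "AWSSupportRole", "RoleId": "AROAEXAMPLE00000000001"}],
})

# Constructed sample for an account with no support role at all.
EMPTY_RESPONSE = json.dumps({"PolicyGroups": [], "PolicyUsers": [], "PolicyRoles": []})


def fetch_entities_for_policy(policy_arn=SUPPORT_POLICY_ARN):
    """Run the same CLI call as the audit step and return its JSON text.
    Requires the AWS CLI and credentials; not called by the offline demo."""
    result = subprocess.run(
        ["aws", "iam", "list-entities-for-policy", "--policy-arn", policy_arn,
         "--output", "json"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def evaluate_support_policy(response_json):
    """Return (passed, findings).

    passed is True when at least one IAM role has AWSSupportAccess attached,
    which is what this control requires. findings lists what an auditor
    should still look at: the FAIL line when no role exists, and WARN lines
    for direct attachment to users or groups, since the control expects
    support access to be obtained by assuming a role.
    """
    data = json.loads(response_json)
    roles = [r["RoleName"] for r in data.get("PolicyRoles", [])]
    users = [u["UserName"] for u in data.get("PolicyUsers", [])]
    groups = [g["GroupName"] for g in data.get("PolicyGroups", [])]

    findings = []
    if not roles:
        findings.append("FAIL: AWSSupportAccess is not attached to any IAM role")
    for name in users:
        findings.append(f"WARN: AWSSupportAccess attached directly to user {name}")
    for name in groups:
        findings.append(f"WARN: AWSSupportAccess attached directly to group {name}")
    return bool(roles), findings


if __name__ == "__main__":
    for label, payload in (("sample", SAMPLE_RESPONSE), ("empty", EMPTY_RESPONSE)):
        ok, notes = evaluate_support_policy(payload)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for note in notes:
            print("  " + note)
```

To run it against a real account, replace the sample payloads with `fetch_entities_for_policy()`; an empty PolicyRoles list is exactly the `[]` result described above and yields a FAIL.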


Remediation:

Pre-Requisite:

  1. Log in to the AWS console as an administrator or otherwise authorized user.

  2. If the audit found no IAM role with “AWSSupportAccess” attached, follow the implementation steps below to create a new role with that policy, or attach the policy to a suitable existing role.


Implementation Steps:

Via AWS Console:

Method 1: create a new role and attach a policy

Step 1: Log in to the AWS Console with administrative access and go to the IAM dashboard at https://console.aws.amazon.com/iam/.

Step 2: Click Roles in the left navigation panel

Step 3: Click the Create role button

Step 4: Select the type of trusted entity. For a role that people will assume to work support cases, choose the AWS account or IAM principal that will assume it; this matches the trust policy created in the CLI steps below. Choosing a service use case such as EC2 instead produces a role that only EC2 instances can assume. Then click the Next: Permissions button.

Step 5: Select the “AWSSupportAccess” policy, together with any other policies this role needs, and click the Next: Tags button.

Adding tags is optional; skip this step or add key-value pairs as your tagging standard requires, then click the Next: Review button.

Step 6: In Review, give the role a name and click the Create role button.

If you did choose EC2 as the trusted entity, the role can only be used from an instance launched with that role attached; it cannot be assumed by a person from the console or CLI.


Method 2: Attach policy to the existing role

Step 1: Log in to the AWS Console with administrative access and go to the IAM dashboard at https://console.aws.amazon.com/iam/.

Step 2: Click Roles in the left navigation panel

Step 3: Select the existing role that should receive the AWSSupportAccess policy (do not pick a service-linked or other AWS-created default role)

Step 4: Click the Attach policies button

Step 5: Select the AWSSupportAccess policy and click the Attach policy button.


Via CLI:

Step 1: Create (or identify) the IAM user who will assume the support role. The output includes the user's ARN, which is needed for the trust policy in Step 2. If a suitable user or role already exists, skip this step and use its ARN instead.

aws iam create-user --user-name <support-username>


Step 2: Create a trust policy document on your local machine

 → The trust relationship policy document allows the principal from Step 1 (<iam_user_arn>) to assume the role and manage AWS incidents. Use the concrete ARN, for example arn:aws:iam::<account_id>:user/<support-username>; do not use "*" as the principal, because that would let any AWS principal assume the support role.

 → Save the following JSON in the temp directory of your local machine as /tmp/TrustPolicy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<iam_user_arn>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Step 3: Create the IAM role using the above trust policy (note the three slashes in file:///tmp/..., which gives an absolute path)

aws iam create-role --role-name <aws_support_iam_role_name> --assume-role-policy-document file:///tmp/TrustPolicy.json


Step 4: Attach the AWSSupportAccess managed policy to the newly created IAM support role

aws iam attach-role-policy --role-name <aws_support_iam_role_name> --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess
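The trust policy in Step 2 is the part of this procedure that is easy to get wrong: a wildcard or account-less principal turns the support role into something anyone can assume. The Python below is an added example for this page, not part of the original steps or of any AWS tooling. It builds the same trust document the CLI steps use, refuses non-specific principals, optionally adds an aws:MultiFactorAuthPresent condition (a hardening this example adds; the page's own policy has none), checks an existing trust document for those problems, and writes the file that create-role reads. The account ID and principal names are constructed placeholders.

```python
"""Build and sanity-check the trust policy for the AWS Support role.
Added example for this page, not part of the original CLI steps.
The account ID and principal names used here are constructed placeholders."""
import json
import re

# Accept only concrete IAM principals: a bare 12-digit account ID or account
# root ARN, an IAM user, or an IAM role. Anything looser (such as "*") would
# let any AWS principal assume the support role. Partition suffixes such as
# aws-cn or aws-us-gov are allowed.
_PRINCIPAL = re.compile(
    r"^(?:\d{12}|arn:aws(?:-[a-z-]+)?:iam::\d{12}:"
    r"(?:root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+))$"
)


def build_trust_policy(principal_arns, require_mfa=True):
    """Return the trust policy document (a dict) for the support role.

    principal_arns: one ARN or a list of ARNs allowed to call sts:AssumeRole.
    require_mfa: add the aws:MultiFactorAuthPresent condition so that the
    person assuming the role must have authenticated with MFA.
    """
    if isinstance(principal_arns, str):
        principal_arns = [principal_arns]
    for arn in principal_arns:
        if not _PRINCIPAL.match(arn):
            raise ValueError(f"refusing non-specific or malformed principal: {arn!r}")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": list(principal_arns)},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_issues(document):
    """Return a list of problems in an existing trust policy (dict or JSON
    string): non-specific principals, and Allow statements for sts:AssumeRole
    that carry no Condition at all."""
    if isinstance(document, str):
        document = json.loads(document)
    issues = []
    for i, stmt in enumerate(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # IAM allows Principal to be the string "*" or a map such as {"AWS": ...}
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if not _PRINCIPAL.match(p):
                issues.append(f"statement {i}: non-specific principal {p!r}")
        if "Condition" not in stmt:
            issues.append(f"statement {i}: AssumeRole allowed without any condition (e.g. MFA)")
    return issues


def write_trust_policy(path, principal_arns, require_mfa=True):
    """Write the trust policy to disk in the form `aws iam create-role` expects."""
    policy = build_trust_policy(principal_arns, require_mfa)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
    return policy


if __name__ == "__main__":
    # Constructed placeholder principal; substitute the ARN returned in Step 1.
    policy = write_trust_policy("/tmp/TrustPolicy.json",
                                "arn:aws:iam::123456789012:user/support-admin")
    print(json.dumps(policy, indent=2))
    # The failure mode to avoid: a wildcard principal with no condition.
    wild = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
            '"Principal":{"AWS":"*"},"Action":"sts:AssumeRole"}]}')
    print(trust_policy_issues(wild))
```

After the file is written, run the create-role and attach-role-policy commands from Steps 3 and 4 unchanged. trust_policy_issues can also be pointed at the AssumeRolePolicyDocument returned by `aws iam get-role` for a role that already exists, and `aws iam detach-role-policy` with the same --role-name and --policy-arn reverses Step 4 if the change has to be backed out.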

Backout Plan:

Step 1: Log in to the AWS Console with administrative access and go to the IAM dashboard at https://console.aws.amazon.com/iam/.

Step 2: Click Roles in the left navigation panel

Step 3: Select the role to which you attached the AWSSupportAccess policy

Step 4: Select the AWSSupportAccess policy and click Remove (or the cross icon next to it) to detach it from the role. If the role was created solely for this purpose, it can then be deleted as well.

