Profile Applicability: Level 1
Description:
A support role is an IAM role configured to allow authorized users to manage incidents with AWS Support. AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.
AWS Support provides a mix of tools and technology, people and programs designed to proactively help you optimize performance, lower costs, and innovate faster.
Rationale:
By implementing least privilege for access control, an IAM role requires an appropriate IAM policy to allow Support Center access to manage incidents with AWS Support.
Impact:
All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. Enterprise Support plans have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month’s AWS usage charges, subject to a monthly minimum, billed in advance.
Default Value:
By default, AWS does not attach the AWSSupportAccess policy to any role.
Pre-Requisite:
Log in to the AWS console as an admin or authorized user.
After auditing, if no IAM role contains the “AWSSupportAccess” policy, follow the Implementation Steps and create a new role that contains the “AWSSupportAccess” policy.
Remediation:
Test Plan:
- Log in to AWS Console with Admin access and go to the IAM dashboard at https://console.aws.amazon.com/iam/.
- Click on Roles in the left navigation panel.
- Click on the IAM role that you want to audit.
- Click on the Permissions tab.
- Check for a policy named “AWSSupportAccess” in the list of attached policies. If no policy named “AWSSupportAccess” is currently attached, the selected IAM role does not qualify as the IAM Support Role.
- Repeat the above audit steps for all other IAM roles. If “AWSSupportAccess” is not attached to any role, there is no IAM Support Role currently available within your AWS account.
Using AWS CLI:
Step 1: To get the ARN of the AWSSupportAccess managed policy, run the command below.
aws iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn[]"
Step 2: To list each IAM user, group, or role with the “AWSSupportAccess” policy currently attached, run the command below (the --query filter shown returns role names only).
aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --query "PolicyRoles[*].RoleName"
This command returns the names of the IAM roles to which the “AWSSupportAccess” policy is attached. If the command returns an empty array, i.e. [ ], the policy is not currently attached to any IAM entity, therefore there is no active IAM Support Role within your AWS account.
Implementation Steps:
Method 1: Create a new role and attach the policy
- Log in to AWS Console with Admin access and go to the IAM dashboard at https://console.aws.amazon.com/iam/.
- Click on Roles in the left navigation panel.
- To create a new role, click on the Create role button.
- Under Select type of trusted entity, choose a use case, select EC2, then click on the Next: Permissions button.
- Select the “AWSSupportAccess” policy along with any other policies you need to add to this role, then click on the Next: Tags button.
- Adding tags is optional; you can skip this step or add key-value pairs as needed (we skip it here). Click on the Next: Review button.
- On the Review page, enter the role name and click on the Create role button.
After creating this role, launch a new instance with identical settings and assign this role to it.
Method 2: Attach the policy to an existing role
- Log in to AWS Console with Admin access and go to the IAM dashboard at https://console.aws.amazon.com/iam/.
- Click on Roles in the left navigation panel.
- Select the role to which you want to attach the AWSSupportAccess policy. (Note: do not select any default role.)
- Click on the Attach policies button.
- Select the AWSSupportAccess policy and click on the Attach policy button.
Using AWS CLI:
Step 1: Create an IAM user for managing support incidents with AWS. The output returns an ARN for the user.
aws iam create-user --user-name <support-username>
Step 2: Create a trust policy on your local machine.
→ First, write a trust relationship policy document that allows <iam_user> (the ARN of the user created in Step 1, who manages AWS incidents) to assume the role.
→ Save it as a JSON file in the temp directory of your local machine, /tmp/TrustPolicy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "<iam_user>" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Step 3: Using the above trust policy, create an IAM role.
aws iam create-role --role-name <aws_support_iam_role_name> --assume-role-policy-document file:///tmp/TrustPolicy.json
Step 4: Attach the AWSSupportAccess policy to the newly created IAM support role.
aws iam attach-role-policy --policy-arn "arn:aws:iam::aws:policy/AWSSupportAccess" --role-name <aws_support_iam_role_name>
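The CLI audit in the Test Plan and the trust policy in Step 2 can both be checked offline from the JSON the commands produce or consume. The following is an added example, not part of the original page: it evaluates a constructed `list-entities-for-policy` response for the “no support role” finding and checks a trust policy document so that only the named IAM user (a placeholder ARN and account id, assumed here) may call sts:AssumeRole.

```python
import json

# Constructed sample in the shape returned by
# `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess`
SAMPLE_ENTITIES = json.dumps({
    "PolicyGroups": [],
    "PolicyUsers": [],
    "PolicyRoles": [{"RoleName": "aws-support-role", "RoleId": "AROAEXAMPLEROLEID"}],
})

# Constructed trust policies: the page's pattern (one named IAM user) and an over-broad variant.
EXPECTED_USER = "arn:aws:iam::123456789012:user/support-user"  # placeholder account id / user
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": EXPECTED_USER}, "Action": "sts:AssumeRole"}]})
BAD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})


def support_roles(list_entities_json):
    """Names of roles with AWSSupportAccess attached; an empty list is the page's audit finding."""
    data = json.loads(list_entities_json)
    return [role["RoleName"] for role in data.get("PolicyRoles", [])]


def trust_policy_findings(trust_policy_json, expected_principal):
    """Return findings for a trust policy; empty means only expected_principal may assume the role."""
    doc = json.loads(trust_policy_json)
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("policy Version is not 2012-10-17")
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants_assume = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue  # only Allow statements that grant AssumeRole widen who can use the role
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal == "*":
            findings.append("any AWS principal may assume the role")
        elif aws_principal != expected_principal:
            findings.append(f"unexpected principal {aws_principal!r}")
    return findings


if __name__ == "__main__":
    print("support roles:", support_roles(SAMPLE_ENTITIES))
    print("trust policy findings:", trust_policy_findings(BAD_TRUST, EXPECTED_USER))
```

To run it against a live account, pipe the output of the Step 2 audit command (without the --query filter) and of `aws iam get-role` into the two functions in place of the constructed samples.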
Backout Plan:
- Log in to AWS Console with Admin access and go to the IAM dashboard at https://console.aws.amazon.com/iam/.
- Click on Roles in the left navigation panel.
- Select the role to which you attached the AWSSupportAccess policy.
- Click on the remove button or the cross button next to AWSSupportAccess to remove the policy from your role.
- Click on Delete.