Profile Applicability:
Level 1
Description:
AWS provides a Support Center for incident response, technical support, and customer service. To manage incidents with AWS Support securely, create a dedicated IAM role and attach only the policies needed to work with AWS Support, rather than relying on broader administrative permissions.
Rationale:
Least Privilege Access:
Ensures that only authorized users can access AWS Support to manage incidents.
Prevents unauthorized users from opening or modifying AWS Support cases.
Incident Management Readiness:
Allows designated personnel to quickly escalate and manage AWS Support cases.
Compliance & Accountability:
Ensures proper access control for security and compliance requirements (SOC 2, ISO 27001, etc.).
Impact:
Benefits:
- Support cases can be managed securely without granting full administrative access.
- Security is strengthened by applying the principle of least privilege.
- Compliance with security and incident response best practices improves.
Potential Challenges:
- If no support role exists, incident handling may be delayed because nobody has the access needed to open a case.
- Granting AWS Support permissions to all users, or relying on admin privileges for support work, increases security risk.
Default Value:
By default, AWS accounts do not have a dedicated IAM role for managing support cases.
AdministratorAccess and other policies may already grant AWS Support access, but it is best practice to use a dedicated support role.
Pre-Requisites:
AWS Account Access:
IAM permissions to create roles and policies.
Required IAM Permissions:
{
  "Action": [
    "iam:ListPolicies",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:ListEntitiesForPolicy"
  ],
  "Effect": "Allow",
  "Resource": "*"
}
AWS Support Plan:
A Business or Enterprise Support Plan is required to open technical support cases.
Remediation:
Test Plan: Ensure that an IAM role with AWS Support access exists and that the AWSSupportAccess managed policy is attached to it.
Using AWS CLI:
- List IAM policies and filter for 'AWSSupportAccess':
aws iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess']"
- Check if the 'AWSSupportAccess' policy is attached to any IAM role:
aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess
- If the output lists no attached roles (the PolicyRoles array is empty), the AWS Support role must be created.
Implementation Steps:
Using AWS Console:
Log in to the AWS Console with an identity that has the IAM permissions listed under Pre-Requisites.
Navigate to the IAM service (AWS IAM Console).
Click Roles in the left navigation panel.
Click Create Role → AWS Service → Select AWS Support as the use case.
Click Next: Permissions and attach the AWSSupportAccess policy.
Click Next: Tags, add metadata if needed.
Click Next: Review, enter a role name like "AWS_Support_Role", and click Create Role.
Using AWS CLI:
- Create a trust policy for the AWS Support role and save it as TrustPolicy.json (replace <IAM_User> with the ARN of the IAM user or role that should be allowed to assume it):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "<IAM_User>" },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Create the IAM role using the above trust policy:
aws iam create-role --role-name AWS_Support_Role --assume-role-policy-document file://TrustPolicy.json
- Attach the 'AWSSupportAccess' managed policy to the role:
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name AWS_Support_Role
- Verify that the role has been created successfully:
aws iam list-roles --query "Roles[?RoleName=='AWS_Support_Role']"
If the support role causes issues, remove the AWS Support IAM role:
aws iam delete-role --role-name AWS_Support_Role
Verify that AWS Support access is not granted to any unauthorized principal:
aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess
Recreate the role if required, following the implementation steps.
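The audit check, the CLI implementation steps and the rollback above, combined into one script as an added example (this is not part of the benchmark text and not an AWS-provided tool). It assumes the aws CLI is installed and configured with the permissions listed under Pre-Requisites; the role name AWS_Support_Role comes from the page, while the principal ARN is supplied by the caller and the subcommand names (audit, create, remove) are choices made here. The audit uses --query/--output text so no JSON parser is needed, and the rollback detaches AWSSupportAccess before calling delete-role, because IAM refuses to delete a role that still has a managed policy attached.

```shell
#!/bin/sh
# Added example: audit and remediate the dedicated AWS Support IAM role.
# Assumes a configured aws CLI; role name from the page, principal ARN
# supplied by the caller, subcommand names chosen here.
set -e

SUPPORT_POLICY_ARN="arn:aws:iam::aws:policy/AWSSupportAccess"

# Print the names of all IAM roles that have AWSSupportAccess attached
# (tab-separated on one line; empty when no role is attached).
support_roles() {
  aws iam list-entities-for-policy \
    --policy-arn "$SUPPORT_POLICY_ARN" \
    --query 'PolicyRoles[].RoleName' \
    --output text
}

# Audit: exit 0 when at least one role carries the policy, 1 otherwise.
audit_support_role() {
  roles=$(support_roles)
  if [ -n "$(printf '%s' "$roles" | tr -d '[:space:]')" ]; then
    echo "PASS: AWSSupportAccess is attached to role(s): $roles"
    return 0
  fi
  echo "FAIL: no IAM role has AWSSupportAccess attached; create the support role"
  return 1
}

# Trust policy that lets exactly one principal (user or role ARN) assume the role.
trust_policy_json() {
  principal="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "$principal" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Remediation: create the role, attach the managed policy, then print the
# role name back from list-roles as the verification step.
create_support_role() {
  role="$1"
  principal="$2"
  policy_file="${TMPDIR:-/tmp}/trust-policy-$$.json"
  trust_policy_json "$principal" > "$policy_file"
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "file://$policy_file" > /dev/null
  rm -f "$policy_file"
  aws iam attach-role-policy --role-name "$role" --policy-arn "$SUPPORT_POLICY_ARN"
  aws iam list-roles --query "Roles[?RoleName=='$role'].RoleName" --output text
}

# Rollback: delete-role fails while a managed policy is still attached,
# so detach AWSSupportAccess first.
remove_support_role() {
  role="$1"
  aws iam detach-role-policy --role-name "$role" --policy-arn "$SUPPORT_POLICY_ARN"
  aws iam delete-role --role-name "$role"
}

case "${1:-}" in
  audit)
    audit_support_role ;;
  create)
    create_support_role "${2:-AWS_Support_Role}" \
      "${3:?principal ARN required, e.g. arn:aws:iam::<account-id>:user/<name>}" ;;
  remove)
    remove_support_role "${2:-AWS_Support_Role}" ;;
  *)
    echo "usage: $0 audit | create [role] <principal-arn> | remove [role]" >&2 ;;
esac
```

Run it as "sh support-role.sh audit" during the test plan, "sh support-role.sh create AWS_Support_Role <principal-arn>" to remediate, and "sh support-role.sh remove" for the rollback; the script exits non-zero from the audit when no role carries the policy, which makes it usable as a scheduled compliance check.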