Profile Applicability

  • Level 1

Description:

AWS Support provides a range of services to help resolve issues with AWS infrastructure, from basic technical support to full enterprise-grade support. To streamline the management of incidents, it is important that a dedicated support role is created with permissions that allow for interaction with AWS Support in the event of an incident. This role should be used to interact with AWS Support, rather than relying on the root account or general administrative accounts, thus limiting the exposure of sensitive permissions.

Creating a support role with specific permissions ensures that AWS incidents can be managed in a controlled and secure manner while enforcing the principle of least privilege.

Rationale:

Creating a dedicated support role provides the following benefits:

  • Security: Restricts access to AWS Support to only authorized users or roles, reducing the risk of accidental or malicious access to sensitive resources.

  • Least privilege: Ensures that users can only access the necessary permissions needed for incident management without exposing unnecessary privileges.

  • Compliance: Meets security best practices and regulatory standards by ensuring controlled access to AWS Support.

  • Auditability: Enhances accountability and traceability by restricting AWS Support access to a single, auditable role.

Without a dedicated support role, there is a risk of granting unnecessary permissions or exposing sensitive data to unauthorized users when interacting with AWS Support.

Impact:

Failure to create a dedicated support role for managing AWS incidents can result in:

  • Excessive permissions: If the root account or general administrative accounts are used to interact with AWS Support, sensitive permissions may be unnecessarily exposed.

  • Security risks: Unauthorized users could gain access to AWS Support and potentially sensitive account information.

  • Non-compliance: Violations of security best practices or regulatory standards that require controlled access to AWS Support.

Creating a support role ensures that incident management is done in a secure, controlled, and compliant manner.

Default Value:

By default, there is no dedicated support role for AWS Support incidents. AWS provides a Support API that is accessible by accounts with appropriate permissions, but it is up to the organization to create and manage a dedicated support role.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • iam:CreateRole

    • iam:AttachRolePolicy

    • iam:PutRolePolicy

    • aws-portal:ViewAccount

  • IAM role management permissions must be in place to create and modify support roles

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the IAM Console.

  2. Under Roles, verify whether a dedicated support role exists. This role should have only the limited permissions appropriate for managing incidents with AWS Support.

  3. Review the policy attached to the role and ensure it includes necessary permissions such as AWSSupportAccess or equivalent, allowing access to AWS Support.

  4. If no such role exists, create the support role following the steps below.

Using AWS CLI:

aws iam list-roles --query "Roles[?RoleName=='AWSSupportAccessRole']" --output table


To check permissions associated with the role:

aws iam list-attached-role-policies --role-name AWSSupportAccessRole --output table

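As an added audit check (not part of this benchmark page), the function below evaluates the JSON that `aws iam get-role` and `aws iam list-attached-role-policies` return for the support role and reports whether the role exists, has AWSSupportAccess attached, carries no broad managed policy, and cannot be assumed by an arbitrary principal. The sample responses, the account id and the list of overbroad policies are constructed assumptions.

```python
import json

# Constructed sample responses shaped like the output of `aws iam get-role` and
# `aws iam list-attached-role-policies` (not captured from a real account).
GET_ROLE_OUTPUT = json.dumps({"Role": {
    "RoleName": "AWSSupportAccessRole",
    "Arn": "arn:aws:iam::123456789012:role/AWSSupportAccessRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "support.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}}})
ATTACHED_POLICIES_OUTPUT = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AWSSupportAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AWSSupportAccess"}]})

SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"
# Assumed list of managed policies whose presence on the support role defeats least privilege.
OVERBROAD_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}


def _principal_values(principal):
    """Flatten a Principal element ("*", {"AWS": "..."}, {"AWS": [...]}) to a set of strings."""
    if isinstance(principal, str):
        return {principal}
    values = set()
    for v in principal.values():
        values.update(v if isinstance(v, list) else [v])
    return values


def audit_support_role(get_role_json, attached_policies_json):
    """Return a list of findings for the support role; an empty list means it passes."""
    role = json.loads(get_role_json).get("Role")
    if not role:
        return ["role not found"]
    findings = []
    arns = {p["PolicyArn"] for p in
            json.loads(attached_policies_json).get("AttachedPolicies", [])}
    if SUPPORT_POLICY_ARN not in arns:
        findings.append("AWSSupportAccess is not attached")
    for arn in sorted(arns & OVERBROAD_POLICY_ARNS):
        findings.append("overbroad policy attached: " + arn)
    # A trust policy that lets any principal assume the role undoes the restriction.
    for stmt in role.get("AssumeRolePolicyDocument", {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and "*" in _principal_values(stmt.get("Principal", {})):
            findings.append("trust policy allows any principal to assume the role")
    return findings
```

Feed it the real command output with `--output json` to turn the manual review in the test plan into a repeatable check.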

Implementation Plan:

Using AWS Console:

  1. Create a support role for AWS Support:

    • Go to the IAM Console.

    • Select Roles and click Create role.

    • Choose AWS Service and select Support from the list of services.

    • Attach the AWSSupportAccess policy or a similar policy that allows necessary permissions for AWS Support.

    • Provide a descriptive name for the role, such as AWSSupportAccessRole, and click Create role.

  2. Verify the support role:

    • In the Roles section, search for AWSSupportAccessRole and ensure that it has the appropriate permissions for accessing AWS Support.

Using AWS CLI:

  1. Create a support role for AWS Support:

aws iam create-role --role-name AWSSupportAccessRole --assume-role-policy-document file://support-role-trust-policy.json

The trust policy should allow AWS Support to assume this role. Example trust policy (support-role-trust-policy.json):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "support.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  2. Attach the AWSSupportAccess policy to the role:

aws iam attach-role-policy --role-name AWSSupportAccessRole --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess

  3. Verify the role and permissions:

aws iam get-role --role-name AWSSupportAccessRole --output table

aws iam list-attached-role-policies --role-name AWSSupportAccessRole --output table


Backout Plan:

Using AWS Console:

  1. If the support role causes issues with access:

    • Go to the IAM Console.

    • If the role needs to be removed or modified, select the AWSSupportAccessRole and delete or adjust the permissions as necessary.

  2. Modify IAM policies to restrict the role's permissions or grant additional access based on your needs.

Using AWS CLI:

  1. Remove the support role:

aws iam delete-role --role-name AWSSupportAccessRole

  2. Revert any policy changes:

aws iam detach-role-policy --role-name AWSSupportAccessRole --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
CIS v7              | 6.3        | Monitor Security Configurations for Compliance
CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services