Profile Applicability:
Level 1
Description:
This control ensures that an AWS IAM role exists for securely managing support cases and incident response with AWS Support. The support role allows authorized personnel to engage with AWS Support engineers during operational issues, outages, or security incidents without requiring the root account or privileged administrator credentials. This promotes secure, auditable, and least-privilege access to AWS Support resources.
Rationale:
Creating a dedicated AWS Support role enables organizations to maintain a secure and structured process for engaging AWS Support. This ensures that only authorized incident responders or administrators can interact with AWS Support and perform support-related actions. It aligns with security best practices by avoiding use of the root account and limiting permissions to the AWS Support APIs. Having a designated support role also facilitates faster and safer handling of critical incidents, audits, and escalations.
Impact:
Positive Impact:
Improves operational security by eliminating the need to use the root account for support tasks.
Ensures clear accountability and auditability for AWS Support interactions.
Enables efficient and authorized management of incidents and support tickets.
Negative Impact:
Requires IAM role creation and assignment to specific personnel.
May need coordination across multiple accounts in an AWS Organization.
Default Value:
By default, AWS does not create a Support role. It must be explicitly created by an administrator or through AWS Organizations using the provided AWS-managed policy.
Pre-Requisite:
IAM permissions required:
iam:CreateRole, iam:AttachRolePolicy, organizations:EnableAWSServiceAccess, organizations:RegisterDelegatedAdministrator.
An AWS Support plan (Business or Enterprise) must be active to open and manage support cases.
Test Plan
Using AWS Console:
Sign in to the AWS Management Console as an administrator.
Navigate to IAM → Roles.
Search for a role named AWSServiceRoleForSupport or AWSSupportAccess.
Verify that:
A support role exists (typically named AWSSupportAccess or AWSIncidentResponseSupportRole).
The role has the AWS managed policy AWSSupportAccess attached.
Review the Trust relationships to ensure that the appropriate accounts or incident response users can assume the role.
If no such role exists, this control is non-compliant.
Implementation Plan
Using AWS Console:
Sign in to the AWS Management Console with administrative privileges.
Navigate to IAM → Roles → Create role.
Choose AWS account as the trusted entity type.
Under Permissions policies, attach the AWS managed policy AWSSupportAccess.
(Optional) Restrict trust relationships to specific AWS accounts or IAM users responsible for incident management.
Name the role, for example: AWSIncidentResponseSupportRole.
Review and create the role.
(Optional) If managing multiple AWS accounts under an AWS Organization, use AWS CloudFormation StackSets or Service Control Policies (SCPs) to deploy the same role across accounts for centralized management.
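The Test Plan and Implementation Plan above can be automated from the AWS CLI. The following is an added example, not part of this control or of any AWS tooling: it builds the restricted trust policy for the support role and evaluates compliance from the parsed output of `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess` and `aws iam get-role`. The role name, account ID and principal ARN in the sample data are constructed placeholders.

```python
SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"


def build_trust_policy(principal_arns):
    """Trust policy that lets only the named IAM principals assume the support role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": sorted(principal_arns)},
            "Action": "sts:AssumeRole",
        }],
    }


def _aws_principals(statement):
    """Normalise the Principal element of a trust statement to a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def evaluate_support_role(entities, trust_docs):
    """entities: parsed JSON of `aws iam list-entities-for-policy` for AWSSupportAccess.
    trust_docs: {RoleName: AssumeRolePolicyDocument} as returned by `aws iam get-role`.
    Returns (compliant, findings): no attached role, or a role anyone can assume, fails."""
    findings = []
    role_names = [r["RoleName"] for r in entities.get("PolicyRoles", [])]
    if not role_names:
        return False, ["no IAM role has AWSSupportAccess attached"]
    for name in role_names:
        for stmt in trust_docs.get(name, {}).get("Statement", []):
            action = stmt.get("Action", [])
            actions = [action] if isinstance(action, str) else action
            if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
                continue
            if "*" in _aws_principals(stmt):
                findings.append(f"{name}: trust policy allows any AWS principal to assume it")
    return not findings, findings


# Constructed sample shaped like the CLI output (placeholder account/role, not real data).
SAMPLE_ENTITIES = {"PolicyRoles": [{"RoleName": "AWSIncidentResponseSupportRole", "RoleId": "AROAEXAMPLEID"}]}
SAMPLE_TRUST = {"AWSIncidentResponseSupportRole":
                build_trust_policy(["arn:aws:iam::111122223333:role/IncidentResponders"])}

if __name__ == "__main__":
    print(evaluate_support_role(SAMPLE_ENTITIES, SAMPLE_TRUST))
```

The trust policy returned by build_trust_policy can be written to a file and passed to `aws iam create-role --assume-role-policy-document file://trust.json`, followed by `aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess`.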
Backout Plan:
If the newly created role causes access conflicts or is no longer required, navigate to IAM → Roles → [Role Name] → Delete role.
Before deletion, ensure no automation, users, or incidents depend on this role for AWS Support interaction.
Retain the previous IAM structure or create a new restricted role for future use.
References: