Skip to main content

πŸ“ AWS Support Role is not created 🟒

  • Contextual name: πŸ“ AWS Support Role is not created 🟒
  • ID: /ce/ca/aws/account/aws-support-role
  • Located in: πŸ“ AWS Account

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-9146aafe1

Logic​

Description​

Open File

Description​

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role, with the appropriate policy assigned, to allow authorized users to manage incidents with AWS Support.

Rationale​

By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.

Impact​

All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.

When assigning rights, keep in mind that other policies may grant access to Support as well. This may include AdministratorAccess and other policies including customer managed policies. Utilizing the AWS managed 'AWSSupportAccess' role is one simple way of ensuring that this permission is properly granted.

... see more

Remediation​

Open File

Remediation​

From Command Line​

  1. Create an IAM role for managing incidents with AWS:
    • Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
            "Effect": "Allow",
            "Principal": { 
                "AWS": "<iam_user>"
            },
            "Action": "sts:AssumeRole"
            }
        ]
    }
  1. Create the IAM role using the above trust policy:
aws iam create-role --role-name <aws_support_iam_role> --assume-role-policy-document file:///tmp/TrustPolicy.json
  1. Attach AWSSupportAccess managed policy to the created IAM role:
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name <aws_support_iam_role>

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS AWS v1.2.0 β†’ πŸ’Ό 1.20 Ensure a support role has been created to manage incidents with AWS Support1
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 1.17 Ensure a support role has been created to manage incidents with AWS Support1
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 1.17 Ensure a support role has been created to manage incidents with AWS Support1
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 1.17 Ensure a support role has been created to manage incidents with AWS Support - Level 1 (Automated)1
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 1.17 Ensure a support role has been created to manage incidents with AWS Support - Level 1 (Automated)1
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 1.17 Ensure a support role has been created to manage incidents with AWS Support - Level 1 (Automated)1
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 1.17 Ensure a support role has been created to manage incidents with AWS Support (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 1.17 Ensure a support role has been created to manage incidents with AWS Support (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 1.16 Ensure a support role has been created to manage incidents with AWS Support (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Role-Based Access Control (RBAC) Management9