AWS IAM Support Role

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Last updated: 15 September 2017
Security

Risk level: High (act today)

Ensure there is an active IAM Support Role available within your AWS account. A Support Role is an IAM role configured to allow authorized users to manage incidents with AWS Support.

Applying the principle of least privilege, by granting the Support Role only the minimal set of actions required to perform the desired task (i.e. manage incidents), is important because only the IAM user(s) permitted to assume the Support Role will then be able to access the AWS Support Center, and no one else.

Audit

To verify your AWS account for any IAM Support Roles, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to examine.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies section, check the list of attached policies for a policy named "AWSSupportAccess". If no policy named "AWSSupportAccess" is currently attached, the selected IAM role does not qualify as an IAM Support Role.

07 Repeat steps no. 4 – 6 to verify the other IAM roles available in your AWS account for Support Role permissions. If the condition checked at step no. 6 is not met by any of the verified roles, there is no IAM Support Role currently available within your AWS account.

Using AWS CLI

01 Run list-policies command (OSX/Linux/UNIX) using custom query filters to return the Amazon Resource Name (ARN) of the "AWSSupportAccess" managed policy:

aws iam list-policies \
	--query "Policies[?PolicyName == 'AWSSupportAccess'].Arn[]"

02 The command output should return an array that contains the requested policy ARN:

[
    "arn:aws:iam::aws:policy/AWSSupportAccess"
]

03 Now run list-entities-for-policy command (OSX/Linux/UNIX) using the ARN returned at the previous step and a custom query filter to list the name of each IAM role with the "AWSSupportAccess" policy currently attached (the query selects roles only; drop the --query option to also see the users and groups the policy is attached to):

aws iam list-entities-for-policy \
	--policy-arn arn:aws:iam::aws:policy/AWSSupportAccess \
	--query "PolicyRoles[*].RoleName"

04 The command output should return the names of the IAM roles associated with the "AWSSupportAccess" policy:

[]

05 If the command output returns an empty array, i.e. [ ] (as shown in the example above), the specified policy is not currently attached to any IAM role, therefore there is no active IAM Support Role within your AWS account.
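The CLI steps above only establish whether the policy is attached to some role. As an added example that is not part of the original page, the Python below audits one role from the JSON that `aws iam get-role` (its AssumeRolePolicyDocument) and `aws iam list-attached-role-policies` return, and additionally flags a trust policy broader than the single IAM user principal that the Remediation section provisions; the two sample trust policies are constructed inputs.

```python
# Constructed sample inputs: the trust policy from the page's create-role
# output and an over-broad one that trusts the whole account (both assumed).
SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/AWS-Support"}}]}
BROAD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}


def assume_role_principals(trust_policy):
    """Collect the 'AWS' principals of every Allow statement granting sts:AssumeRole."""
    principals = []
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object too
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # the only string form IAM accepts is "*"
            principals.append("*")
            continue
        aws = principal.get("AWS", [])
        principals.extend([aws] if isinstance(aws, str) else aws)
    return principals


def audit_support_role(role_name, trust_policy, attached_policy_arns):
    """Return findings for one role; an empty list means it qualifies as a
    least-privilege IAM Support Role in the sense of this page."""
    findings = []
    if SUPPORT_POLICY_ARN not in attached_policy_arns:
        findings.append(f"{role_name}: AWSSupportAccess is not attached")
    extra = [a for a in attached_policy_arns if a != SUPPORT_POLICY_ARN]
    if extra:  # the role should carry only the support permissions
        findings.append(f"{role_name}: extra policies attached: {', '.join(extra)}")
    principals = assume_role_principals(trust_policy)
    if not principals:
        findings.append(f"{role_name}: no principal is allowed to assume the role")
    for p in principals:  # a wildcard, a whole account (:root) or a non-user principal
        if p == "*" or p.endswith(":root") or ":user/" not in p:  # is broader than one IAM user
            findings.append(f"{role_name}: trust policy not limited to a specific IAM user: {p}")
    return findings
```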

Remediation / Resolution

To create an AWS IAM Support Role and configure it to allow only authorized users to manage incidents with AWS Support, perform the following:

Note: Creating and configuring an IAM Support Role using AWS Management Console is not currently supported.

Using AWS CLI

01 Run create-user command (OSX/Linux/UNIX) to create the IAM user that will later assume the IAM Support Role. The following command example creates an IAM user named "AWS-Support":

aws iam create-user \
	--user-name AWS-Support

02 The command output should return the new IAM user metadata (including its ARN):

{
    "User": {
        "UserName": "AWS-Support",
        "Path": "/",
        "CreateDate": "2017-05-04T12:30:47.838Z",
        "UserId": "CUDAI4US3TN67FTJSRVBY",
        "Arn": "arn:aws:iam::123456789012:user/AWS-Support"
    }
}

03 Now you need to define the trust relationship policy for the IAM Support Role. To create it, paste the following policy document into a new file named support-role-trust-policy.json, then replace <iam_support_user_arn> with the ARN of your IAM user, returned at the previous step:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<iam_support_user_arn>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

04 Run create-role command (OSX/Linux/UNIX) to create the IAM Support Role using the trust relationship policy defined at the previous step (i.e. support-role-trust-policy.json):

aws iam create-role \
	--role-name IAM-Support-Role \
	--assume-role-policy-document file://support-role-trust-policy.json

05 The command output should return the IAM Support Role metadata:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                       "AWS": "arn:aws:iam::123456789012:user/AWS-Support"
                    }
                }
            ]
        },
        "RoleId": "ADYUJVEK79RRVMCZDZQBT",
        "CreateDate": "2017-05-04T12:36:39.502Z",
        "RoleName": "IAM-Support-Role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/IAM-Support-Role"
    }
}

06 Run attach-role-policy command (OSX/Linux/UNIX) using the name of the IAM Support Role created at the previous step to attach the AWS managed policy "AWSSupportAccess", identified by the ARN "arn:aws:iam::aws:policy/AWSSupportAccess" (the command does not return any output):

aws iam attach-role-policy \
	--policy-arn "arn:aws:iam::aws:policy/AWSSupportAccess" \
	--role-name IAM-Support-Role

The IAM user created at step no. 1 can now assume the IAM Support Role in order to manage incidents with AWS Support.

Publication date May 7, 2017