AWS-IAM-AWS-Support-Role
Severity: Medium
Description: This control ensures that the account has at least one IAM role with the AWSSupportAccess managed policy attached to it. AWS provides a Support Center that can be used for incident notification and response, to check the status of recent support cases, explore the listed resources, check the health of AWS services, or open a new support case for technical support and customer service. Create an IAM role that allows authorized users to manage incidents with AWS Support.
Remediation Steps:
Perform the following to create an IAM role for AWS Support using the AWS CLI:
Create an IAM role for managing incidents with AWS: create a trust relationship policy document that allows the chosen principal to assume the role, and save it locally as <path-to-file>/TrustPolicy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "[iam_user]" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Create the IAM role using the above trust policy: aws iam create-role --role-name [aws_support_iam_role] --assume-role-policy-document file:///<path-to-file>/TrustPolicy.json
Attach the AWSSupportAccess managed policy to the created IAM role: aws iam attach-role-policy --policy-arn [iam_policy_arn] --role-name [aws_support_iam_role]
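The following Python script is an added example, not part of this control page or Blue Hexagon's tooling, showing how to evaluate the control over the JSON that the two CLI commands above produce (aws iam list-roles and aws iam list-attached-role-policies) and how to sanity-check the trust policy of any role that passes. It assumes the managed policy ARN arn:aws:iam::aws:policy/AWSSupportAccess (the AWS-managed policy named on this page); the role names, account ID 111122223333 and user name are constructed sample values.

```python
import json

# ARN of the AWS managed policy the control requires (AWS-managed, fixed value).
AWS_SUPPORT_ACCESS_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"


def build_trust_policy(principal_arn):
    """Return the trust policy document from the remediation steps for one principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def trust_policy_findings(policy):
    """Return a list of problems with a role's trust policy.

    Flags Allow statements that let any AWS principal assume the role, and
    documents that never grant sts:AssumeRole at all (the role would be unusable).
    """
    if isinstance(policy, str):  # tolerate the URL-decoded JSON string form
        policy = json.loads(policy)
    findings = []
    grants_assume = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        grants_assume = True
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
        if "*" in aws_principals:
            findings.append("trust policy allows any AWS principal to assume the role")
    if not grants_assume:
        findings.append("trust policy does not grant sts:AssumeRole")
    return findings


def evaluate_control(list_roles_output, attached_by_role):
    """Evaluate the control over parsed CLI output.

    list_roles_output: parsed JSON of `aws iam list-roles`.
    attached_by_role:  {role_name: parsed JSON of
                        `aws iam list-attached-role-policies --role-name <role_name>`}.
    Returns PASS when at least one role carries AWSSupportAccess, plus any
    trust-policy findings for the roles that carry it.
    """
    compliant, findings = [], {}
    for role in list_roles_output.get("Roles", []):
        name = role["RoleName"]
        attached = attached_by_role.get(name, {}).get("AttachedPolicies", [])
        if any(p.get("PolicyArn") == AWS_SUPPORT_ACCESS_ARN for p in attached):
            compliant.append(name)
            problems = trust_policy_findings(role.get("AssumeRolePolicyDocument", {}))
            if problems:
                findings[name] = problems
    return {"status": "PASS" if compliant else "FAIL", "roles": compliant, "findings": findings}


# Constructed sample snapshot mirroring the shape of the CLI output (not real account data).
INCIDENT_USER = "arn:aws:iam::111122223333:user/incident-manager"
SAMPLE_ROLES = {
    "Roles": [
        {"RoleName": "DeployRole", "AssumeRolePolicyDocument": build_trust_policy(INCIDENT_USER)},
        {"RoleName": "SupportIncidentRole", "AssumeRolePolicyDocument": build_trust_policy(INCIDENT_USER)},
    ]
}
SAMPLE_ATTACHED = {
    "DeployRole": {"AttachedPolicies": [
        {"PolicyName": "AmazonS3ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}]},
    "SupportIncidentRole": {"AttachedPolicies": [
        {"PolicyName": "AWSSupportAccess", "PolicyArn": AWS_SUPPORT_ACCESS_ARN}]},
}

if __name__ == "__main__":
    print(json.dumps(evaluate_control(SAMPLE_ROLES, SAMPLE_ATTACHED), indent=2))
```

To run it against a live account, pipe the output of aws iam list-roles into json.load and build the second argument from one aws iam list-attached-role-policies call per role; the evaluation itself needs no credentials, so the same functions can be unit-tested offline against snapshots like the constructed one above.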
Reference:
CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.17
Blue Hexagon Proprietary