
IAM Support Role

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: IAM-046

Ensure there is an active Amazon IAM Support Role created for your AWS account. A Support Role is an IAM role configured to allow authorized users to manage incidents with AWS Support.

This rule can help you with the following compliance standards:

  • CISAWSF
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Implementing the Principle of Least Privilege (POLP) by giving the IAM Support Role only the permissions required to manage support cases (the AWSSupportAccess managed policy) and by restricting its trust policy to named principals is important because it bounds access to the AWS Support Center to the identities that are explicitly allowed to assume the role. Support cases can contain account details, resource identifiers and attached diagnostics, so this access should be granted through a dedicated, narrowly trusted role rather than through broad administrative permissions. Because each assumption of the role is recorded by AWS CloudTrail as an sts:AssumeRole event, a dedicated Support Role also gives you an audit trail of who accessed support cases and when.


Audit

To check your AWS cloud account for the IAM Support Role, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Roles.

04 Click on the name of the Amazon IAM role that you want to examine.

05 Select the Permissions tab to access the identity-based policies attached to the selected IAM role.

06 In the Permissions policies section, check the list of attached policies for a managed policy named AWSSupportAccess. If there is no IAM policy named AWSSupportAccess attached to the role, the selected Amazon IAM role does not qualify for the IAM Support Role.

07 Repeat steps no. 4 – 6 to check each IAM role available in your AWS account for IAM Support Role permissions. If none of the verified Amazon IAM roles use the AWSSupportAccess managed policy, there is no IAM Support Role created for your AWS cloud account.

Using AWS CLI

01 Run list-policies command (OSX/Linux/UNIX) with custom query filters to describe the Amazon Resource Name (ARN) of the AWSSupportAccess managed policy:

aws iam list-policies
  --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn[]"

02 The command output should return an array with the requested policy ARN:

[
	"arn:aws:iam::aws:policy/AWSSupportAccess"
]

03 Run list-entities-for-policy command (OSX/Linux/UNIX) using the policy ARN returned at the previous step as the identifier parameter and custom query filters to describe the name of each IAM role associated with the AWSSupportAccess managed policy:

aws iam list-entities-for-policy
  --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess
  --query "PolicyRoles[*].RoleName"

04 The command output should return the name of each role associated with the AWSSupportAccess policy:

[]

If the list-entities-for-policy command output returns an empty array (i.e. []), as shown in the example above, the AWSSupportAccess managed policy is not attached to an Amazon IAM role, therefore there is no IAM Support Role created for your AWS cloud account.
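The audit above only answers whether AWSSupportAccess is attached to some role. The following script is an added example for this page, not Conformity's own check: it consumes the same data the CLI commands return (the PolicyRoles list from list-entities-for-policy and the Role object from get-role) and goes one step further by inspecting each candidate role's trust policy for wildcard, cross-account and account-root principals and for a missing MFA condition. The sample roles, account ID and role IDs below are constructed; audit_live_account() shows the same evaluation wired to boto3.

```python
"""Evaluate the IAM Support Role posture from IAM API responses."""
import json

SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"


def _aws_principals(statement):
    """Return the AWS principals of a trust-policy statement as a list."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def _requires_mfa(statement):
    """True if the statement requires aws:MultiFactorAuthPresent to be true."""
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def evaluate_trust_policy(trust_doc, account_id):
    """Return finding strings for one role's AssumeRolePolicyDocument."""
    findings = []
    for stmt in trust_doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        principals = _aws_principals(stmt)
        if stmt.get("Effect") != "Allow" or not principals:
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS principal may assume the role")
                continue
            parts = p.split(":")            # arn:aws:iam::<account>:user/<name>
            owner = parts[4] if len(parts) > 4 else ""
            if owner and owner != account_id:
                findings.append(f"cross-account principal {p}: trusted account is not {account_id}")
            if p.endswith(":root"):
                findings.append(f"account-root principal {p}: every principal in that account "
                                "with sts:AssumeRole permission may assume the role")
        if not _requires_mfa(stmt):
            findings.append("no MFA condition: statement does not require aws:MultiFactorAuthPresent")
    return findings


def audit_support_role(policy_roles, roles_by_name, account_id):
    """policy_roles: PolicyRoles list from list-entities-for-policy.
    roles_by_name: RoleName -> Role dict as returned by get-role."""
    if not policy_roles:
        return {"status": "FAIL", "roles": {},
                "reason": "AWSSupportAccess is not attached to any IAM role"}
    report, status = {}, "PASS"
    for entry in policy_roles:
        name = entry["RoleName"]
        findings = evaluate_trust_policy(roles_by_name[name]["AssumeRolePolicyDocument"], account_id)
        report[name] = findings
        if any(f.startswith(("wildcard", "cross-account", "account-root")) for f in findings):
            status = "WARN"
    return {"status": status, "roles": report, "reason": ""}


def audit_live_account():
    """Run the audit against the caller's account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the constructed sample runs without it
    iam, sts = boto3.client("iam"), boto3.client("sts")
    account_id = sts.get_caller_identity()["Account"]
    policy_roles = []
    for page in iam.get_paginator("list_entities_for_policy").paginate(
            PolicyArn=SUPPORT_POLICY_ARN, EntityFilter="Role"):
        policy_roles.extend(page["PolicyRoles"])
    roles = {r["RoleName"]: iam.get_role(RoleName=r["RoleName"])["Role"] for r in policy_roles}
    return audit_support_role(policy_roles, roles, account_id)


# Constructed sample: one correctly scoped role and one over-broad legacy role.
ACCOUNT_ID = "123456789012"
SAMPLE_POLICY_ROLES = [{"RoleName": "cc-iam-support-role", "RoleId": "AROAEXAMPLEID000001"},
                       {"RoleName": "legacy-support-role", "RoleId": "AROAEXAMPLEID000002"}]
SAMPLE_ROLES = {
    "cc-iam-support-role": {"AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/cc-aws-support-manager"},
                       "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}},
    "legacy-support-role": {"AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}}]}},
}

if __name__ == "__main__":
    print(json.dumps(audit_support_role(SAMPLE_POLICY_ROLES, SAMPLE_ROLES, ACCOUNT_ID), indent=2))
```

A trust policy that names the account root (arn:aws:iam::<account>:root) is reported as WARN rather than PASS because it delegates the decision to every identity policy in the account: any user or role that is granted sts:AssumeRole on the Support Role can then read support cases, which defeats the point of a dedicated role.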

Remediation / Resolution

To create an Amazon IAM Support Role and configure the role to allow only authorized users to manage incidents with AWS Support, perform the following actions:

Note: Step-by-step remediation through the AWS Management Console is not currently provided for this rule; use one of the CloudFormation, Terraform or AWS CLI procedures below.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"IAMUser": {
			"Type": "AWS::IAM::User",
			"Properties": {
				"UserName": "cc-aws-support-manager"
			}
		},
		"IAMRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"RoleName": "cc-iam-support-role",
				"Description": "IAM Support Role",
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"AWS": { "Fn::GetAtt": [ "IAMUser", "Arn" ] }
							},
							"Action": "sts:AssumeRole"
						}
					]
				},
				"ManagedPolicyArns": [
					"arn:aws:iam::aws:policy/AWSSupportAccess"
				],
				"Path": "/"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: cc-aws-support-manager
  IAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cc-iam-support-role
      Description: IAM Support Role
      # Trust policy: only the support-manager user created above may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !GetAtt IAMUser.Arn
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSSupportAccess
      Path: /

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

# The IAM user that will be allowed to assume the Support Role
resource "aws_iam_user" "iam-user" {
  name = "cc-aws-support-manager"
}

resource "aws_iam_role" "iam-role" {
  name = "cc-iam-support-role"
  path = "/"

  # Trust policy: only the support-manager user may assume this role
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = aws_iam_user.iam-user.arn
        }
        Action = "sts:AssumeRole"
      }
    ]
  })

  # Grants only the permissions needed to work with AWS Support cases
  managed_policy_arns = ["arn:aws:iam::aws:policy/AWSSupportAccess"]
}

Using AWS CLI

01 Run create-user command (OSX/Linux/UNIX) to create the Amazon IAM user that will later assume the new IAM Support Role:

aws iam create-user
  --user-name cc-aws-support-manager

02 The command output should return the metadata available for the new IAM support user:

{
	"User": {
		"Path": "/",
		"UserName": "cc-aws-support-manager",
		"UserId": "ABCDABCDABCDABCDABCDA",
		"Arn": "arn:aws:iam::<aws-account-id>:user/cc-aws-support-manager",
		"CreateDate": "2021-04-22T10:00:00+00:00"
	}
}

03 Define the trust relationship policy required for the IAM Support Role. To create a trust relationship policy for the IAM Support Role, paste the following policy document into a new JSON file named cc-support-role-trust-policy.json, replacing <aws-account-id> with the ID of your AWS account (the account ID shown in the ARN returned at the previous step):

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:user/cc-aws-support-manager"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

04 Run create-role command (OSX/Linux/UNIX) to create the Amazon IAM Support Role using the trust relationship policy defined at the previous step (i.e. cc-support-role-trust-policy.json):

aws iam create-role
  --role-name cc-iam-support-role
  --assume-role-policy-document file://cc-support-role-trust-policy.json

05 The command output should return the metadata available for your new IAM Support Role:

{
	"Role": {
		"AssumeRolePolicyDocument": {
			"Version": "2012-10-17",
			"Statement": [
				{
					"Action": "sts:AssumeRole",
					"Effect": "Allow",
					"Principal": {
						"AWS": "arn:aws:iam::<aws-account-id>:user/cc-aws-support-manager"
					}
				}
			]
		},
		"RoleId": "ABCDABCDABCDABCDABCDA",
		"CreateDate": "2021-09-10T15:00:00.002Z",
		"RoleName": "cc-iam-support-role",
		"Path": "/",
		"Arn": "arn:aws:iam::<aws-account-id>:role/cc-iam-support-role"
	}
}

06 Run attach-role-policy command (OSX/Linux/UNIX) using the name of the IAM Support Role created at the previous step to attach the AWSSupportAccess managed policy provided by Amazon IAM, identified by the ARN "arn:aws:iam::aws:policy/AWSSupportAccess" (if successful, the command does not produce an output):

aws iam attach-role-policy
  --policy-arn "arn:aws:iam::aws:policy/AWSSupportAccess"
  --role-name cc-iam-support-role

07 The Amazon IAM user created at step no. 1 can now assume the IAM Support Role (cc-iam-support-role) in order to manage incidents with AWS Support. To confirm the configuration, run sts assume-role with the role ARN returned at step no. 5 while authenticated as that user; any other principal not named in the trust policy receives an AccessDenied error.
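The CLI steps above are a one-off sequence; re-running them on an account that already has the role fails at create-role. The script below is an added example for this page, not Conformity's or AWS's code, and shows the same remediation written idempotently: it creates the role only if it is missing, converges the trust policy if it has drifted, and attaches AWSSupportAccess only if it is not already attached. It uses the names from the page (cc-aws-support-manager, cc-iam-support-role) and, as a hardening choice beyond the page's templates, adds an MFA condition to the trust policy. FakeIam is a constructed in-memory stand-in for the handful of boto3 IAM calls used, so the flow runs offline; pass boto3.client("iam") instead to converge a real account.

```python
"""Idempotently create or repair the IAM Support Role."""
import json

SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"


def build_trust_policy(principal_arns, require_mfa=True):
    """Trust policy allowing only the listed principals to assume the role."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": list(principal_arns)},
            "Action": "sts:AssumeRole"}
    if require_mfa:  # assumption: support managers sign in with MFA before assuming
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def _canonical(value):
    """IAM returns one-element lists as scalars; normalise so drift checks are stable."""
    if isinstance(value, dict):
        return {k: _canonical(v) for k, v in value.items()}
    if isinstance(value, list):
        return _canonical(value[0]) if len(value) == 1 else [_canonical(v) for v in value]
    return value


def ensure_support_role(iam, role_name, principal_arns, require_mfa=True):
    """Create the role if missing, then converge trust policy and attachment.
    Returns the list of IAM write calls that were actually needed."""
    actions = []
    desired = build_trust_policy(principal_arns, require_mfa)
    try:
        role = iam.get_role(RoleName=role_name)["Role"]
    except iam.exceptions.NoSuchEntityException:
        iam.create_role(RoleName=role_name, Path="/", Description="IAM Support Role",
                        AssumeRolePolicyDocument=json.dumps(desired))
        actions.append("create_role")
    else:
        if _canonical(role["AssumeRolePolicyDocument"]) != _canonical(desired):
            iam.update_assume_role_policy(RoleName=role_name, PolicyDocument=json.dumps(desired))
            actions.append("update_assume_role_policy")
    attached = {p["PolicyArn"] for p in
                iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]}
    if SUPPORT_POLICY_ARN not in attached:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=SUPPORT_POLICY_ARN)
        actions.append("attach_role_policy")
    return actions


class FakeIam:
    """Constructed stand-in for boto3.client("iam") covering only the calls above."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self):
        self.roles, self.attached = {}, {}

    def get_role(self, RoleName):
        if RoleName not in self.roles:
            raise self.exceptions.NoSuchEntityException(RoleName)
        return {"Role": self.roles[RoleName]}

    def create_role(self, RoleName, AssumeRolePolicyDocument, Path="/", Description=""):
        self.roles[RoleName] = {"RoleName": RoleName, "Path": Path,
                                "AssumeRolePolicyDocument": json.loads(AssumeRolePolicyDocument)}
        self.attached[RoleName] = set()
        return {"Role": self.roles[RoleName]}

    def update_assume_role_policy(self, RoleName, PolicyDocument):
        self.roles[RoleName]["AssumeRolePolicyDocument"] = json.loads(PolicyDocument)

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.attached[RoleName]]}

    def attach_role_policy(self, RoleName, PolicyArn):
        self.attached[RoleName].add(PolicyArn)


if __name__ == "__main__":
    iam = FakeIam()
    user_arn = "arn:aws:iam::123456789012:user/cc-aws-support-manager"
    print(ensure_support_role(iam, "cc-iam-support-role", [user_arn]))  # creates and attaches
    print(ensure_support_role(iam, "cc-iam-support-role", [user_arn]))  # nothing left to do
```

The _canonical() step matters against a real account: IAM stores a one-element "AWS" principal list as a plain string, so a naive comparison of the desired and stored documents would report drift, and rewrite the trust policy, on every run.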


Publication date May 7, 2017