Risk Level: Low
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.25
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamPolicy where name='AWSSupportAccess' should not have users isEmpty() and roles isEmpty() and groups isEmpty()

REMEDIATION

From Portal:

Sign into the AWS console and open the IAM Dashboard.
In the left navigation pane, click Roles and then choose Create Role.
For Role type, choose the Another AWS account.
For Account ID, enter the AWS account ID of the AWS account to which you want to grant access to your resources.
Choose Next: Permissions.
Search for the managed policy AWSSupportAccess.
Select the check box for the AWSSupportAccess managed policy.
Choose Next: Tags.
Choose Next: Review.
For Role name, enter a name for your role. Then click Create role.

From Command Line:

Create an IAM role for managing incidents with AWS:

Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:

{
	"Version":"2012-10-17",
	"Statement":[
	{
		"Effect":"Allow",
		"Principal":{
			"AWS":"<iam_user>"
		},
		"Action":"sts:AssumeRole"
	}
	]
}

Create the IAM role using the above trust policy:

aws iam create-role --role-name aws_support_iam_role --assume-role-policy-document file:///tmp/TrustPolicy.json

Attach 'AWSSupportAccess' managed policy to the created IAM role:

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name aws_support_iam_role

References:

IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

AWS CIS Foundations v. 1.1.0
AWS CIS Foundations v. 1.2.0
AWS CIS Foundations v. 1.3.0
AWS CIS Foundations v. 1.4.0
AWS CIS Foundations v. 1.5.0
AWS CIS Foundations v. 2.0.0
AWS CloudGuard CheckUp
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS GDPR Readiness
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS LGPD regulation
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
CloudGuard AWS All Rules Ruleset