Ensure a support role has been created to manage incidents with AWS Support

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.

Risk Level: Low
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.25
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamPolicy where name='AWSSupportAccess' should not have users isEmpty() and roles isEmpty() and groups isEmpty()

REMEDIATION

From Portal:

  1. Sign into the AWS console and open the IAM Dashboard.
  2. In the left navigation pane, click Roles and then choose Create Role.
  3. For Role type, choose the Another AWS account.
  4. For Account ID, enter the AWS account ID of the AWS account to which you want to grant access to your resources.
  5. Choose Next: Permissions.
  6. Search for the managed policy AWSSupportAccess.
  7. Select the check box for the AWSSupportAccess managed policy.
  8. Choose Next: Tags.
  9. Choose Next: Review.
  10. For Role name, enter a name for your role. Then click Create role.

From Command Line:

  1. Create an IAM role for managing incidents with AWS:
  • Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
{
	"Version":"2012-10-17",
	"Statement":[
	{
		"Effect":"Allow",
		"Principal":{
			"AWS":"<iam_user>"
		},
		"Action":"sts:AssumeRole"
	}
	]
}
  1. Create the IAM role using the above trust policy:
aws iam create-role --role-name aws_support_iam_role --assume-role-policy-document file:///tmp/TrustPolicy.json
  1. Attach 'AWSSupportAccess' managed policy to the created IAM role:
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name aws_support_iam_role

References:

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html
  4. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
  5. https://docs.aws.amazon.com/cli/latest/reference/iam/create-user.html
  6. https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html
  7. https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html
  8. https://workbench.cisecurity.org/benchmarks/679

IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • CloudGuard AWS All Rules Ruleset