Ensure Support Role for Managing Incidents - Rule
This rule ensures creation of a support role for managing incidents with AWS Support.
| Rule | Ensure a support role has been created to manage incidents with AWS Support |
| Framework | cis_v140 |
| Severity | ✔ Medium |
Ensure a Support Role Has Been Created to Manage Incidents with AWS Support for CIS v1.4.0
Creating a dedicated support role within your AWS account allows you to manage incidents with AWS Support more effectively. It adheres to the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark v1.4.0.
Description of the Rule
This rule requires an AWS Identity and Access Management (IAM) role specifically designed for managing incidents and support cases with AWS Support. This role is assumed by authorized AWS personnel when they need to access your AWS environment to assist with support-related tasks.
The role must have permissions that are narrowly scoped to enable AWS Support to perform necessary actions while adhering to the principle of least privilege. AWS provides an AWS-managed policy called
AWSSupportAccessTroubleshooting Steps
If you confirm that a support role has not been created or has been misconfigured, follow these steps to address the issue:
- 1.Log in to your AWS Management Console.
- 2.Navigate to the IAM dashboard.
- 3.Check if the support role exists and has the correct permissions.
- 4.If the role does not exist, create it. If the role exists but has incorrect permissions, update the associated policy.
Necessary Policies and Permissions
The support role must have the
AWSSupportAccessStep by Step Guide for Remediation
Step 1: Create the Support Role
- 1.Open the AWS IAM console.
- 2.Click on
on the left sidebar and thenRoles
.Create role - 3.Select
for the role type, and provide the AWS account ID as per AWS Support's instructions.Another AWS account - 4.Do not check
andRequire external ID
for this role.Require MFA - 5.Click
.Next: Permissions - 6.Search and attach the
managed policy.AWSSupportAccess - 7.Click
(optional step to add any metadata tags).Next: Tags - 8.Click
.Next: Review - 9.Name the role (e.g.,
) and provide a description.AWS_Support_Role - 10.Review the role and click
.Create role
Step 2: Verify Role Configuration
- 1.In the IAM console, click on
.Roles - 2.Search for the
to check its details.AWS_Support_Role - 3.Ensure
is listed under Attached Policies.AWSSupportAccess
Step 3: Test the Role (Optional)
- 1.Simulate an AWS Support interaction to confirm they can assume the support role.
- 2.Use the AWS STS
API to test the role assumption process.AssumeRole
CLI Commands Required
To create the support role via AWS CLI, you can use the following command:
aws iam create-role \ --role-name AWS_Support_Role \ --assume-role-policy-document file://support-role-trust-policy.json
Replace
support-role-trust-policy.jsonAWSSupportAccessaws iam attach-role-policy \ --role-name AWS_Support_Role \ --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess
Note: Be sure to have the AWS CLI installed and configured with the necessary permissions to perform these operations.
Conclusion
By following this detailed guide, you can ensure a support role has been created to align with the CIS Amazon Web Services Foundation Benchmark v1.4.0 standards. Proper configuration and testing of this role will facilitate efficient incident management with AWS Support.
For additional assurance of compliance and optimization for SEO, regularly review the role and attached policy to ensure that it's configured according to the latest AWS best practices and CIS benchmarks.