This rule ensures the creation of a support role to manage incidents with AWS Support
Rule | Ensure a support role has been created to manage incidents with AWS Support
Framework | cis_v150
Severity | Medium
Ensure a Support Role Has Been Created to Manage Incidents with AWS Support (CIS v1.5.0)
Introduction
Having a dedicated support role in Amazon Web Services (AWS) is critical for efficient incident management and rapid response to technical issues. The Center for Internet Security (CIS) Benchmark for AWS recommends creating a role that allows AWS Support to access your account in case of an incident. This ensures that your team or AWS personnel can quickly address and rectify any issues without unnecessary delays.
Detailed Description of the Rule
The rule checks that an IAM (Identity and Access Management) role exists with the permissions AWS Support staff need to assist with incident management. This role is commonly named "AWSSupportAccess". The CIS benchmark requires that the role has the AWSSupportAccess managed policy attached, which grants only AWS Support permissions.
Troubleshooting Steps
If an issue arises with creating or configuring the support role, the following troubleshooting steps can be taken:
Check Permissions: Ensure that the user or process attempting to create the support role has the necessary IAM permissions to create roles and assign policies.
Verify Policy Attachment: Ensure that the AWSSupportAccess managed policy is correctly attached to the role.
Role Trust Relationship: Ensure that the trust relationship is correctly configured to allow AWS Support to assume the role.
Necessary Code or CLI Commands
To create the support role and attach the AWSSupportAccess policy, you can use AWS Command Line Interface (CLI) commands.
Step-by-Step Guide for Remediation
Check whether the role already exists:
    aws iam get-role --role-name AWSSupportAccess
Create the role with a trust policy that allows AWS Support to assume it:
    aws iam create-role --role-name AWSSupportAccess --assume-role-policy-document file://TrustPolicyForAWSSupport.json
Before running that command, create the file TrustPolicyForAWSSupport.json with the following content:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "support.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
Attach the AWSSupportAccess managed policy to the role:
    aws iam attach-role-policy --role-name AWSSupportAccess --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess
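As an added example that is not part of the original rule text or of any CIS tooling, the following Python applies the check this rule describes to the parsed JSON of `aws iam get-role` and `aws iam list-attached-role-policies`: the trust policy must let support.amazonaws.com assume the role, the AWSSupportAccess managed policy must be attached, and a wildcard principal in the trust policy is reported as a finding. The function names, finding strings and sample inputs are constructed for this illustration.

```python
SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"
SUPPORT_PRINCIPAL = "support.amazonaws.com"

def _as_list(value):
    """IAM policy JSON allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def assume_role_principals(trust_doc):
    """Yield the Principal of each Allow statement that grants sts:AssumeRole, always as a dict."""
    for stmt in _as_list(trust_doc.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") == "Allow" and actions & {"sts:assumerole", "sts:*"}:
            principal = stmt.get("Principal", {})
            # A bare "*" principal is shorthand for {"AWS": "*"}
            yield principal if isinstance(principal, dict) else {"AWS": principal}

def evaluate_support_role(get_role_output, attached_policies_output):
    """Return (compliant, findings) for one role against the CIS v1.5.0 support-role control.
    Inputs are the parsed JSON of `aws iam get-role` and `aws iam list-attached-role-policies`."""
    findings = []
    trust_doc = get_role_output["Role"]["AssumeRolePolicyDocument"]
    support_trusted = False
    for principal in assume_role_principals(trust_doc):
        if "*" in _as_list(principal.get("AWS")):  # any AWS principal could assume the role
            findings.append("trust policy lets any principal assume the role")
        if SUPPORT_PRINCIPAL in _as_list(principal.get("Service")):
            support_trusted = True
    if not support_trusted:
        findings.append(f"trust policy does not allow {SUPPORT_PRINCIPAL} to assume the role")
    attached = {p["PolicyArn"] for p in attached_policies_output.get("AttachedPolicies", [])}
    if SUPPORT_POLICY_ARN not in attached:
        findings.append("AWSSupportAccess managed policy is not attached")
    return not findings, findings

# Constructed sample inputs shaped like the CLI output; not captured from a real account.
TRUST_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": SUPPORT_PRINCIPAL}}]}
TRUST_WILDCARD = {"Version": "2012-10-17", "Statement":  # single statement, not wrapped in a list
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Principal": "*"}}
ATTACHED_OK = {"AttachedPolicies": [{"PolicyName": "AWSSupportAccess", "PolicyArn": SUPPORT_POLICY_ARN}]}
ATTACHED_NONE = {"AttachedPolicies": []}

if __name__ == "__main__":
    print(evaluate_support_role({"Role": {"AssumeRolePolicyDocument": TRUST_OK}}, ATTACHED_OK))
    print(evaluate_support_role({"Role": {"AssumeRolePolicyDocument": TRUST_WILDCARD}}, ATTACHED_NONE))
```

The same function can be run over the output for every role in an account to locate the one that satisfies the control, since the benchmark does not require the role to carry a particular name.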
Conclusion
Creating and properly configuring a support role in accordance with the CIS AWS Benchmark v1.5.0 enhances your ability to manage incidents effectively. By following the guideline and the steps above, you ensure that the AWS Support team can assist you promptly and securely when needed.
Remember, changes in IAM can have significant security implications, so ensure that you understand the permissions that are being granted and routinely audit your IAM roles and policies to maintain security hygiene.