AWSOverview
AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.
Rationale
By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.
Remediation guidance
Using the Amazon unified command line interface:
-
Create an IAM role for managing incidents with AWS:
- Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "<span style="font-style: italic;"><iam_user></span>"
},
"Action": "sts:AssumeRole"
}
] }
- Create the IAM role using the above trust policy:
aws iam create-role --role-name <aws_support_iam_role> --assume-role- policy-document file:///tmp/TrustPolicy.json
- Attach
AWSSupportAccessmanaged policy to the created IAM role:
aws iam attach-role-policy --policy-arn <iam_policy_arn> --role-name <aws_support_iam_role>
Impact
All AWS Support plans include an unlimited number of account and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month's AWS usage charges, subject to a monthly minimum, billed in advance.
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
- https://aws.amazon.com/premiumsupport/pricing/
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html
- https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
AWS IAMPolicies with support role
Connectors
Covered asset types
Expected check: eq []
{
AWSIAM16 {...AssetFragment}
}
