Rule: Ensure a support role for managing incidents with AWS Support

The rule focuses on creating a support role for managing incidents with AWS Support.

Rule: Ensure a support role has been created to manage incidents with AWS Support
Framework: cis_v130
Severity: Low

Ensure a Support Role Has Been Created to Manage Incidents with AWS Support (CIS v1.3.0)

Having a dedicated IAM (Identity and Access Management) role for managing incidents with AWS Support is a best practice as recommended by the Center for Internet Security (CIS) benchmarks. This role allows authorized users to interact efficiently with AWS Support and ensures that permissions are limited to what's necessary for the role.

Description of the Rule

The rule requires creating an IAM role designated for contacting and managing incidents with AWS Support. This role would have the required permissions to create, manage, and close support cases and to perform any actions necessary in the incident management process.

Key Components of the Support Role:

  • The support role must have a trust policy allowing trusted entities (specific users, groups, or services) to assume the role.
  • The support role should have permissions limited to managing support tickets and other relevant support operations.
  • IAM policies should follow the principle of least privilege.

Troubleshooting Steps

If the rule has not been satisfied, you will need to investigate whether:

  1. The support role exists.
  2. The support role has the correct permissions.
  3. The trust relationship for the support role is correctly configured.

Necessary Codes and CLI Commands

Step 1: Create the Support Role

# Create the support role; trust-policy.json defines which principals may assume it.
aws iam create-role \
  --role-name AWSSupportAccess \
  --assume-role-policy-document file://trust-policy.json

In trust-policy.json, you would define who is allowed to assume this role. An example trust policy file could look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Step 2: Attach Policies to the Role

Run the following command to attach the AWS managed policy for support access to the new role:

aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess \
  --role-name AWSSupportAccess

Step by Step Guide for Remediation

  1. Create the Trust Relationship Policy:
     • Draft a policy defining who can assume the support role, typically the support team members.
  2. Create the Support Role: the AWS Command Line Interface (CLI) commands given above must be run by a user or role with the permissions needed to create IAM roles and policies.
  3. Attach Required Permissions: attach the AWS managed policy, or custom policies tailored to support activities.
  4. Verify the Role:
     • Assume the role using the sts:AssumeRole action and validate that you have the necessary permissions to interact with AWS Support.
     • Test creating, updating, and closing support tickets.
  5. Document and Train:
     • Document the role and policies for your organization.
     • Provide training for the support team on how to assume and use the role.

Verification CLI Commands

To verify that the role and policies are working correctly, you can use the following CLI command to assume the support role:

aws sts assume-role \
  --role-arn arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/AWSSupportAccess \
  --role-session-name "AWSSupportSession"

After assuming the role, you should verify that the session allows performing support-related tasks without any issues.
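The three troubleshooting checks above (role exists, has the support permissions, and has a sane trust relationship) can be evaluated offline against the JSON the CLI returns. The script below is an added example, not Cloud Defense's own check: it assumes the input is the output of `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess` plus each role's AssumeRolePolicyDocument from `aws iam get-role`, and it adds one check beyond the CIS audit (rejecting a trust policy whose principal is `*`). All sample data is constructed.

```python
import json

# Constructed sample of `aws iam list-entities-for-policy` output for
# arn:aws:iam::aws:policy/AWSSupportAccess (not real account data).
ENTITIES_JSON = json.dumps({"PolicyGroups": [], "PolicyUsers": [],
                            "PolicyRoles": [{"RoleName": "AWSSupportAccess"}]})

# Constructed trust policy keyed by role name, in the shape `aws iam get-role`
# returns under Role.AssumeRolePolicyDocument.
TRUST_DOCS = {"AWSSupportAccess": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "sts:AssumeRole"}],
}}

def _as_list(value):
    # IAM accepts either a string or a list in Action and Principal fields.
    return [value] if isinstance(value, str) else list(value or [])

def trust_policy_findings(doc):
    """Return problems with a role's trust policy (empty list = acceptable)."""
    findings = []
    stmts = doc.get("Statement", [])
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        grants_assume = {"sts:AssumeRole", "sts:*", "*"} & set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws_principals:
            findings.append("Allow statement lets any AWS principal assume the role")
    return findings

def evaluate_support_role(entities_json, trust_docs):
    """CIS 1.3.0 check: AWSSupportAccess is attached to at least one role; as an
    added check, no such role's trust policy is open to every AWS principal."""
    roles = [r["RoleName"] for r in json.loads(entities_json).get("PolicyRoles", [])]
    if not roles:
        return {"compliant": False, "findings": ["no IAM role has AWSSupportAccess attached"]}
    findings = []
    for name in roles:
        if name not in trust_docs:
            findings.append(f"{name}: trust policy not retrieved")
            continue
        findings += [f"{name}: {f}" for f in trust_policy_findings(trust_docs[name])]
    return {"compliant": not findings, "findings": findings}

print(json.dumps(evaluate_support_role(ENTITIES_JSON, TRUST_DOCS), indent=2))
```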

