turbot/aws_compliance
Loading controls...

Control: 1.20 Ensure a support role has been created to manage incidents with AWS Support

Description

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.

By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.

Remediation

Using the Amazon unified command line interface:

  • Create an IAM role for managing incidents with AWS:

    • Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Principal": {
    "AWS": "<span style="font-style: italic;"><iam_user></span>"
    },
    "Action": "sts:AssumeRole"
    }
    ]
    }
    • Create the IAM role using the above trust policy:
    aws iam create-role --role-name <aws_support_iam_role> --assume-role- policy-document file:///tmp/TrustPolicy.json
    • Attach 'AWSSupportAccess' managed policy to the created IAM role:
    aws iam attach-role-policy --policy-arn <iam_policy_arn> --role-name <aws_support_iam_role>

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v120_1_20

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v120_1_20 --share

SQL

This control uses a named query:

iam_support_role

Tags