🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 1.17 Ensure a support role has been created to manage incidents with AWS Support

Description

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role, with the appropriate policy assigned, to allow authorized users to manage incidents with AWS Support.

By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.

Remediation

From Command Line:

  1. Create a IAM policy for managing incidents with AWS.
    • Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json.
      {
        "Version":"2012-10-17",
        "Statement":[
          {
            "Effect":"Allow",
            "Principal":{
              "AWS":"<iam_user>"
            },
            "Action":"sts:AssumeRole"
          }
        ]
      }
  1. Create the IAM role using the above trust policy.
aws iam create-role --role-name <aws_support_iam_role> --assume-role-policy- document file:///tmp/TrustPolicy.json
  1. Attach 'AWSSupportAccess' managed policy to the created IAM role:
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name <aws_support_iam_role>

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v200_1_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v200_1_17 --share

SQL

This control uses a named query:

-- pgFormatter-ignore
with support_role_count as
(
  select
    'arn:' || a.partition || ':::' || a.account_id as resource,
    count(policy_arn),
    a.account_id,
    a._ctx
  from
    aws_account as a
    left join aws_iam_role as r on r.account_id = a.account_id
    left join jsonb_array_elements_text(attached_policy_arns) as policy_arn  on true
  where
    split_part(policy_arn, '/', 2) = 'AWSSupportAccess'
    or policy_arn is null
  group by
    a.account_id,
    a.partition,
    a._ctx
)
select
  resource,
  case
    when count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when count = 1 then 'AWSSupportAccess policy attached to 1 role.'
    when count > 1 then 'AWSSupportAccess policy attached to ' || count || ' roles.'
    else 'AWSSupportAccess policy not attached to any role.'
  end  as reason
  , account_id
from
  support_role_count;

Tags

category = Compliance
cis = true
cis_item_id = 1.17
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v2.0.0
plugin = aws
service = AWS/IAM