turbot/steampipe-mod-aws-compliance

Control: 2.16 Ensure a support role has been created to manage incidents with AWS Support

Description

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role, with the appropriate policy assigned, to allow authorized users to manage incidents with AWS Support.

Remediation

From Console:

  1. From All Services, click IAM.
  2. Under Access Management, click Policies.
  3. In the Policies search field, search for 'AWSSupportAccess'.
  4. Click the policy name 'AWSSupportAccess'.
  5. Click the Entities Attached menu and click Attach.
  6. Add the appropriate role or roles and click Attach policy.

From Command Line:

  1. Create an IAM role for managing incidents with AWS:
  • Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "<iam_user>"
},
"Action": "sts:AssumeRole"
]
}
  1. Create the IAM role using the above trust policy:
  2. aws iam create-role --role-name <aws_support_iam_role> --assume-rolepolicy-document file:///tmp/TrustPolicy.json
  3. Attach 'AWSSupportAccess' managed policy to the created IAM role:
  4. aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name <aws_support_iam_role>

Default Value:

By default, AWS does not create a dedicated support role. IAM users and roles with sufficient privileges (such as AdministratorAccess) can access the Support Center unless a specific role with the AWSSupportAccess policy is created.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v600_2_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_16 --share

SQL

This control uses a named query:

-- pgFormatter-ignore
with support_role_count as
(
select
'arn:' || a.partition || ':::' || a.account_id as resource,
count(policy_arn),
a.account_id,
a._ctx
from
aws_account as a
left join aws_iam_role as r on r.account_id = a.account_id
left join jsonb_array_elements_text(attached_policy_arns) as policy_arn on true
where
split_part(policy_arn, '/', 2) = 'AWSSupportAccess'
or policy_arn is null
group by
a.account_id,
a.partition,
a._ctx
)
select
resource,
case
when count > 0 then 'ok'
else 'alarm'
end as status,
case
when count = 1 then 'AWSSupportAccess policy attached to 1 role.'
when count > 1 then 'AWSSupportAccess policy attached to ' || count || ' roles.'
else 'AWSSupportAccess policy not attached to any role.'
end as reason
, account_id
from
support_role_count;

Tags