Ensure an IAM Role with AWS Support Access Exists
Overview
This check verifies that your AWS account has at least one IAM role with the AWSSupportAccess managed policy attached. This dedicated role allows your team to interact with AWS Support Center without needing to use administrator or root credentials.
Risk
Without a dedicated support role, your organization faces several risks:
- Delayed incident response: Creating support cases and escalating issues becomes harder, which can prolong outages
- Privilege escalation: Team members may resort to using admin or root credentials to access support, expanding the blast radius if those credentials are compromised
- Weak audit trails: Support actions become harder to track, complicating security investigations
Remediation Steps
Prerequisites
You need an AWS account with permission to create or modify IAM roles. Specifically, you need the iam:CreateRole and iam:AttachRolePolicy permissions.
AWS Console Method
- Sign in to the AWS IAM Console
- In the left navigation, click Roles
- Click Create role
- For "Trusted entity type", select AWS account
- Select This account (your current account ID will be shown)
- Check Require MFA for added security (recommended)
- Click Next
- In the search box, type AWSSupportAccess
- Check the box next to AWSSupportAccess (this is an AWS managed policy)
- Click Next
- Enter a role name (e.g., AWSSupportRole)
- Optionally add a description like "Role for AWS Support Center access"
- Click Create role
AWS CLI (optional)
Option A: Attach the policy to an existing role
If you already have a role you want to use for support access:
```bash
aws iam attach-role-policy \
  --role-name <your-existing-role-name> \
  --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess \
  --region us-east-1
```
Option B: Create a new dedicated support role
- Create a trust policy file:

  ```bash
  cat > trust-policy.json << 'EOF'
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<your-account-id>:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "Bool": {
            "aws:MultiFactorAuthPresent": "true"
          }
        }
      }
    ]
  }
  EOF
  ```

- Create the role:

  ```bash
  aws iam create-role \
    --role-name AWSSupportRole \
    --assume-role-policy-document file://trust-policy.json \
    --description "Role for AWS Support Center access" \
    --region us-east-1
  ```

- Attach the AWSSupportAccess policy:

  ```bash
  aws iam attach-role-policy \
    --role-name AWSSupportRole \
    --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess \
    --region us-east-1
  ```
CloudFormation (optional)
Deploy this template to create a dedicated AWS Support role with MFA requirement:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Role with AWSSupportAccess policy for AWS Support interactions
Parameters:
  RoleName:
    Type: String
    Default: AWSSupportRole
    Description: Name of the IAM role for AWS Support access
Resources:
  AWSSupportRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      Description: Role for AWS Support Center access
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'sts:AssumeRole'
            Condition:
              Bool:
                'aws:MultiFactorAuthPresent': 'true'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSSupportAccess
      Tags:
        - Key: Purpose
          Value: AWSSupportAccess
Outputs:
  RoleArn:
    Description: ARN of the AWS Support role
    Value: !GetAtt AWSSupportRole.Arn
  RoleName:
    Description: Name of the AWS Support role
    Value: !Ref AWSSupportRole
```

Deploy the stack (the template is saved as template.yaml):

```bash
aws cloudformation create-stack \
  --stack-name aws-support-role \
  --template-body file://template.yaml \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1
```
Terraform (optional)
```hcl
# AWS Support Role with AWSSupportAccess managed policy
# This satisfies the Prowler check: iam_support_role_created
variable "role_name" {
  description = "Name of the IAM role for AWS Support access"
  type        = string
  default     = "AWSSupportRole"
}

variable "trusted_principals" {
  description = "List of IAM principal ARNs allowed to assume this role"
  type        = list(string)
  default     = []
}

data "aws_caller_identity" "current" {}

# IAM Role for AWS Support access
resource "aws_iam_role" "support_role" {
  name        = var.role_name
  description = "Role for AWS Support Center access"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          # Fall back to the account root when no specific principals are given
          AWS = length(var.trusted_principals) > 0 ? var.trusted_principals : ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
        }
        Action = "sts:AssumeRole"
        Condition = {
          Bool = {
            "aws:MultiFactorAuthPresent" = "true"
          }
        }
      }
    ]
  })

  tags = {
    Purpose = "AWSSupportAccess"
  }
}

# Attach the AWS managed AWSSupportAccess policy
resource "aws_iam_role_policy_attachment" "support_policy" {
  role       = aws_iam_role.support_role.name
  policy_arn = "arn:aws:iam::aws:policy/AWSSupportAccess"
}

output "role_arn" {
  description = "ARN of the AWS Support role"
  value       = aws_iam_role.support_role.arn
}

output "role_name" {
  description = "Name of the AWS Support role"
  value       = aws_iam_role.support_role.name
}
```

Deploy:

```bash
terraform init
terraform plan
terraform apply
```
Verification
After creating the role, verify it exists and has the correct policy attached:
- Go to the IAM Roles Console
- Search for your role name (e.g., AWSSupportRole)
- Click on the role and check the Permissions tab
- Confirm that AWSSupportAccess appears in the list of attached policies
CLI verification commands
List roles with AWSSupportAccess attached:

```bash
aws iam list-entities-for-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess \
  --entity-filter Role \
  --region us-east-1
```

Verify a specific role has the policy:

```bash
aws iam list-attached-role-policies \
  --role-name AWSSupportRole \
  --region us-east-1
```

Re-run Prowler to confirm the check passes:

```bash
prowler aws -c iam_support_role_created --region us-east-1
```
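The CLI commands above confirm the policy attachment but not the trust policy. As an added example (not part of Prowler or this page's own tooling), the stdlib-only Python below evaluates the `aws iam get-role` and `aws iam list-attached-role-policies` output for one role: whether AWSSupportAccess is attached, whether every AssumeRole grant requires MFA, and whether the role trusts the whole account root or a wildcard. The sample role document is constructed here and uses a placeholder account id.

```python
import json
from urllib.parse import unquote

SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """AWS principals of a statement; "Principal" may be the string "*" or a map."""
    principal = statement.get("Principal", {})
    return _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))

def _requires_mfa(statement):
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    return str(bool_cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"

def evaluate_support_role(role, attached_policies):
    """Evaluate the "Role" object from `aws iam get-role` (AssumeRolePolicyDocument
    arrives URL-encoded; a dict works too) plus list-attached-role-policies output."""
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):
        doc = json.loads(unquote(doc))
    assume_stmts = [
        s for s in _as_list(doc.get("Statement", []))
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))
    ]
    principals = [p for s in assume_stmts for p in _principals(s)]
    return {
        "role_name": role["RoleName"],
        "support_policy_attached": any(p["PolicyArn"] == SUPPORT_POLICY_ARN for p in attached_policies),
        # MFA only counts when every statement granting sts:AssumeRole demands it
        "mfa_required": bool(assume_stmts) and all(_requires_mfa(s) for s in assume_stmts),
        # Root trust lets any principal in the account holding sts:AssumeRole use the role; "*" lets anyone try
        "trusts_account_root": any(p.endswith(":root") for p in principals),
        "trusts_anyone": "*" in principals,
    }

# Constructed sample mirroring the remediation's trust policy; 123456789012 is a placeholder account id
SAMPLE_ROLE = {
    "RoleName": "AWSSupportRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }]},
}
SAMPLE_ATTACHED = [{"PolicyName": "AWSSupportAccess", "PolicyArn": SUPPORT_POLICY_ARN}]
```

Run `evaluate_support_role(SAMPLE_ROLE, SAMPLE_ATTACHED)` to see the expected passing result; feed it real `get-role` JSON to audit an existing role before re-running Prowler.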
Additional Resources
- AWS Support Service-Linked Roles
- AWSSupportAccess Policy Reference
- IAM Best Practices
- AWS Support Center
Notes
- MFA Requirement: The examples above require MFA when assuming the role. This is a security best practice but can be removed if your organization has different requirements.
- Trust Policy: By default, the role trusts the account root, meaning any IAM user/role in the account with sts:AssumeRole permission can assume it. You can restrict this to specific users or roles by modifying the trust policy's Principal element.
- Existing Roles: If you already have a role used by your support team, you can simply attach the AWSSupportAccess policy to it instead of creating a new role.
- This is a low-severity check: While important for operational readiness, the absence of this role does not represent an immediate security vulnerability.