Support role exists
Check ID: aws-iam-011
AWS-IAM-011 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether any IAM role, user, or group has the AWSSupportAccess managed policy attached. Without it, only the root user can open or manage AWS Support cases.
Why it matters
The AWSSupportAccess policy grants permission to create and manage AWS Support cases, which is essential during security incidents, service outages, or account compromise. Without a designated support role, teams must use the root account to contact AWS Support, which violates the principle of least privilege and requires sharing root credentials. During a security incident, the ability to quickly open a support case for AWS to investigate suspicious activity, request emergency account lockdown, or report compromised credentials can significantly reduce the blast radius. CIS requires this role to exist so that support operations do not depend on root account access and can be delegated to the appropriate operations team.
Common causes
The AWSSupportAccess policy is an AWS-managed policy that must be explicitly attached; it is not granted by default even to administrator roles. Organizations that use AWS Organizations may have support cases managed at the management account level, not realizing that individual member accounts also need support access. Teams that have never needed to contact AWS Support may not discover this gap until an urgent incident requires it.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
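The check reduces to one IAM API call: ListEntitiesForPolicy for the AWSSupportAccess policy ARN, passing if any role, user, or group comes back. The script below is an added example written for this page, not cloud-audit's own implementation. It separates the pure evaluation of the API response (so it can run offline against constructed sample data) from the live boto3 lookup; the `--live` flag, the function names, and the sample responses are assumptions of this example, and the live path assumes boto3 is installed and the caller holds `iam:ListEntitiesForPolicy`.

```python
"""Added example (not cloud-audit's own code): evaluate AWS-IAM-011 from the
IAM ListEntitiesForPolicy response for the AWSSupportAccess managed policy."""
from typing import Dict

# AWS-managed policy ARN from the page's remediation section
SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"


def evaluate_support_access(response: Dict) -> Dict:
    """Return a finding dict for AWS-IAM-011.

    `response` has the shape returned by IAM ListEntitiesForPolicy: keys
    PolicyGroups, PolicyUsers, PolicyRoles, each a list of dicts carrying a
    GroupName / UserName / RoleName. The check passes as soon as at least one
    entity of any kind has the policy attached.
    """
    roles = [r["RoleName"] for r in response.get("PolicyRoles", [])]
    users = [u["UserName"] for u in response.get("PolicyUsers", [])]
    groups = [g["GroupName"] for g in response.get("PolicyGroups", [])]
    passed = bool(roles or users or groups)
    return {
        "check_id": "aws-iam-011",
        "status": "PASS" if passed else "FAIL",
        "roles": roles,
        "users": users,
        "groups": groups,
        "remediation": None if passed else (
            "Create an IAM role and attach " + SUPPORT_POLICY_ARN + " to it."
        ),
    }


def fetch_support_policy_entities() -> Dict:
    """Live lookup via boto3; the import is kept local so the module loads
    offline. ListEntitiesForPolicy is paginated, so all pages are merged."""
    import boto3  # assumption: boto3 installed, credentials with iam:ListEntitiesForPolicy

    iam = boto3.client("iam")
    merged = {"PolicyGroups": [], "PolicyUsers": [], "PolicyRoles": []}
    paginator = iam.get_paginator("list_entities_for_policy")
    for page in paginator.paginate(PolicyArn=SUPPORT_POLICY_ARN):
        for key in merged:
            merged[key].extend(page.get(key, []))
    return merged


# Constructed sample responses (not real account data)
SAMPLE_FAIL = {"PolicyGroups": [], "PolicyUsers": [], "PolicyRoles": []}
SAMPLE_PASS = {
    "PolicyGroups": [],
    "PolicyUsers": [],
    "PolicyRoles": [{"RoleName": "aws-support-role", "RoleId": "AROAEXAMPLEID"}],
}

if __name__ == "__main__":
    import json
    import sys

    # `--live` (assumed flag name) queries the real account; otherwise the
    # constructed failing sample is evaluated so the script runs offline.
    resp = fetch_support_policy_entities() if "--live" in sys.argv else SAMPLE_FAIL
    print(json.dumps(evaluate_support_access(resp), indent=2))
```

Note what this does and does not prove: it confirms the policy is attached somewhere, which is all CIS 1.17 asks. It does not verify that the role's trust policy lets the operations team actually assume it, so a passing result is still worth pairing with a periodic test that the intended principals can assume the role and reach the Support console or API.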
Remediation: AWS CLI
aws iam create-role --role-name aws-support-role --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::ACCOUNT_ID:root"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name aws-support-role --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess
Remediation: Terraform
# Resolves the current account ID used in the role's trust policy
data "aws_caller_identity" "current" {}

resource "aws_iam_role" "support" {
  name = "aws-support-role"
  # Trust the account itself; which principals may actually assume the role
  # is then governed by their own sts:AssumeRole permissions
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "support" {
  role       = aws_iam_role.support.name
  policy_arn = "arn:aws:iam::aws:policy/AWSSupportAccess"
}
Compliance mapping
This check maps to CIS 1.17 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit