Ensure a support role has been created to manage incidents with AWS Support


AWS provides a support center that may need access to an AWS account to help manage incidents. To implement least privilege for access control, an IAM role should be created with the managed AWSSupportAccess IAM policy attached.

Console Remediation Steps

  • Logged in as the root account user, from the top navigation, select your account name > My Account.

  • In the Configure Security Questions section, click Edit.

  • Click on each Question and perform the following for all 3 questions:

    • Select a question from the drop-down.

    • Enter the answer.

  • Click Update.

  • Place the Questions and Answers in a secure physical location.

CLI Remediation Steps

  • Create an IAM user for managing support incidents with AWS. The output returns an ARN for the user:

    • aws iam create-user --user-name <support-username>

  • Create this file and save it as TrustPolicy.json.

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "AWS": "<iam_user_arn>"
      "Action": "sts:AssumeRole"
  • Create an IAM role using the above trust policy. The output returns an IAM role ARN:

    • aws iam create-role --role-name <aws_support_iam_role_name> --assume-role-policy-document file://TrustPolicy.json

  • Attach the AWSSupportAccess managed policy provided by AWS to the newly created IAM support role ARN:

    • aws iam attach-role-policy --policy-arn "arn:aws:iam::aws:policy/AWSSupportAccess" --role-name <aws_support_iam_role>