An IAM role should be created to manage incidents with AWS Support

문서 > Datadog 보안 > OOTB Rules > An IAM role should be created to manage incidents with AWS Support

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.

Rationale

By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.

Impact

All AWS Support plans include an unlimited number of accounts and billing support cases, with no long-term contracts. Support billing calculations are performed on a per-account basis for all plans. Enterprise Support plan customers have the option to include multiple enabled accounts in an aggregated monthly billing calculation. Monthly charges for the Business and Enterprise support plans are based on each month’s AWS usage charges, subject to a monthly minimum, billed in advance.

Remediation

From the command line

Create an IAM role for managing incidents with AWS:

Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:

{
   "Version": "2012-10-17",
   "Statement": [
      {
       "Effect": "Allow",
       "Principal": {
          "AWS": "<iam_user>"
        },
       "Action": "sts:AssumeRole"
      }
   ]
}

Create the IAM role using the above trust policy:

aws iam create-role --role-name <aws_support_iam_role> --assume-role-policydocument file:///tmp/TrustPolicy.json

Attach ‘AWSSupportAccess’ managed policy to the created IAM role:

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name <aws_support_iam_role>