Presence of an IAM role that has the AWS managed AWSSupportAccess policy attached, designating a support role for interacting with AWS Support Center and related tooling.
Risk
Without a dedicated support role:
- Case creation and escalation can be delayed, prolonging outages (availability)
- Teams may use admin/root, increasing blast radius (confidentiality/integrity)
- Audit trails of support actions are weaker, hindering investigations
Run this check with Prowler CLI
prowler aws --checks iam_support_role_created
Recommendation
Create a dedicated IAM role for AWS Support with AWSSupportAccess and:
- Restrict who can assume it; require MFA and time-bound access
- Enforce least privilege and separation of duties
- Monitor usage via audit logs and review assignments regularly
Remediation
CLI
aws iam attach-role-policy --role-name <example_resource_name> --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess
Native IaC
Terraform
Other
- In the AWS console, go to IAM > Roles
- Select any existing role you can use for support access
- Click Add permissions (or Attach policies)
- Search for "AWSSupportAccess" and select it
- Click Attach policies to save
This immediately ensures at least one role has the AWSSupportAccess managed policy (PASS).
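As an added illustration (not Prowler's own code), the following Python reproduces the check's pass/fail logic over a constructed role inventory and builds a trust policy for the dedicated support role that the Recommendation section asks for, with an MFA condition on assumption; the account ID, role names and policy ARNs other than AWSSupportAccess are assumed sample values.

```python
import json

# Managed policy the check looks for (from the page).
SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"

# Constructed sample inventory (not from a real account): role name ->
# attached managed policy ARNs. Live data would come from iam:ListRoles
# and iam:ListAttachedRolePolicies.
SAMPLE_ROLES = {
    "AdminRole": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "SupportRole": [SUPPORT_POLICY_ARN],
    "AppRole": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
}


def support_roles(roles):
    """Names of roles that carry AWSSupportAccess, sorted for stable output."""
    return sorted(name for name, arns in roles.items() if SUPPORT_POLICY_ARN in arns)


def check_support_role_created(roles):
    """PASS when at least one role has the policy attached, otherwise FAIL."""
    return "PASS" if support_roles(roles) else "FAIL"


def support_role_trust_policy(account_id, max_mfa_age_seconds=3600):
    """Trust policy for a dedicated support role: only principals from the
    given account may assume it, and only with MFA used within the last
    max_mfa_age_seconds. Narrow the Principal further (specific users or
    roles) to enforce separation of duties."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "Bool": {"aws:MultiFactorAuthPresent": "true"},
                    "NumericLessThan": {
                        "aws:MultiFactorAuthAge": str(max_mfa_age_seconds)
                    },
                },
            }
        ],
    }


if __name__ == "__main__":
    print(check_support_role_created(SAMPLE_ROLES), support_roles(SAMPLE_ROLES))
    print(json.dumps(support_role_trust_policy("123456789012"), indent=2))
```

The printed trust document can be passed to `aws iam create-role --assume-role-policy-document` before attaching AWSSupportAccess with the CLI command above.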
Source Code
Resource Type
AwsIamRole
References
- https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/support-role.html
- https://icompaas.freshdesk.com/support/solutions/articles/62000081064-ensure-a-support-role-has-been-created-to-manage-incidents-with-aws-support
- https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSupportAccess.html