Automating AWS Support Role Creation Across Your Organization
A practical guide to implementing CIS IAM.18 compliance using CloudFormation StackSets
The Challenge
Organizations with multiple AWS accounts need consistent support role configuration to satisfy compliance requirements and ensure incident response capabilities. Manual creation of support roles across hundreds of accounts becomes impractical and creates compliance gaps. Organizations need automated deployment that creates designated support roles organization-wide for AWS Support case management.
This best practice is supported by CIS AWS Foundations Benchmark v3.0.0 IAM.18 control, which requires that a support role has been created to manage incidents with AWS Support.
Manual vs Automated Support Role Creation
Manual support role configuration creates compliance gaps and operational overhead compared to automated organization-wide deployment:
Manual Configuration Problems:
- Scale management across hundreds of accounts
- Inconsistent role configurations
- New accounts may lack required support roles
Automated Benefits:
- Organization-wide consistency and automatic application to new accounts
- Guaranteed compliance without manual intervention
- Ensures support case creation capability in all accounts
Implementation Approach
CloudFormation StackSets provide scalable deployment of IAM support roles across all accounts in an organization. The solution creates a standardized role with AWS Support permissions using the AWS managed policy AWSSupportAccess. StackSets enable automatic deployment to new accounts and provide centralized management of support role configuration.
CloudFormation Template
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Create AWS Support role for CIS IAM.18 compliance'

Parameters:
  SupportRoleName:
    Type: String
    Default: 'AWSSupportRole'
    Description: 'Name for the AWS Support role'

Resources:
  AWSSupportRole:
    Type: AWS::IAM::Role
    Properties:
      # RoleName is fixed, so deploy the StackSet to a single region (IAM is global)
      RoleName: !Ref SupportRoleName
      Description: 'Role for managing AWS Support cases - CIS IAM.18 compliance'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: sts:AssumeRole
            Condition:
              Bool:
                'aws:MultiFactorAuthPresent': 'true'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSSupportAccess
      Tags:
        - Key: Purpose
          Value: 'CIS-IAM-18-Compliance'
        - Key: CreatedBy
          Value: 'CloudFormation-StackSet'

Outputs:
  SupportRoleArn:
    Description: 'ARN of the created AWS Support role'
    Value: !GetAtt AWSSupportRole.Arn
    Export:
      Name: !Sub '${AWS::StackName}-SupportRoleArn'
```
Deployment Strategy
Deploy using CloudFormation StackSets from the management account or delegated administrator. Target the entire organization and enable automatic deployment for new accounts.
```bash
# Create StackSet with auto-deployment enabled
# (organization-wide auto-deployment requires the SERVICE_MANAGED permission model)
aws cloudformation create-stack-set \
  --stack-set-name aws-support-role-stackset \
  --template-body file://aws-support-role.yaml \
  --capabilities CAPABILITY_NAMED_IAM \
  --permission-model SERVICE_MANAGED \
  --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
  --parameters ParameterKey=SupportRoleName,ParameterValue=AWSSupportRole

# Deploy to entire organization
aws cloudformation create-stack-instances \
  --stack-set-name aws-support-role-stackset \
  --deployment-targets OrganizationalUnitIds=r-1234567890abcdef \
  --regions us-east-1 \
  --operation-preferences MaxConcurrentPercentage=100
```
Deployment Targets:
- `r-1234567890abcdef` - Organization root ID (targets the entire organization)
- `ou-1234567890abcdef` - Organizational unit ID (targets a specific OU)
Auto-Deployment: New accounts added to the organization automatically receive the support role without manual intervention.
CIS Compliance Verification
This implementation satisfies CIS AWS Foundations Benchmark v3.0.0 IAM.18 control requirements:
Control Requirement: "Ensure a support role has been created to manage incidents with AWS Support"
Implementation Verification:
- Support role exists in each account
- Role has appropriate AWS Support permissions via AWSSupportAccess managed policy
- Role is properly tagged for identification and compliance tracking
- Role includes MFA requirement for enhanced security
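The four verification points above can be checked mechanically against the output of `aws iam get-role` and `aws iam list-attached-role-policies`. The following is an added example (not AWS code and not part of the original article) that encodes those checks as a pure-Python evaluator; the role documents it runs on are constructed to mirror the decoded shape of that CLI output, and the account ID in them is a placeholder.

```python
"""Evaluate an IAM role description against the CIS IAM.18 verification points:
role exists, AWSSupportAccess attached, compliance tags present, MFA enforced in trust policy.
Added example; sample role documents below are constructed, not real account data."""
import copy
import json
from typing import List, Optional

SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"
REQUIRED_TAG_KEYS = {"Purpose", "CreatedBy"}  # tag keys the StackSet template applies


def _trust_requires_mfa(trust_policy: dict) -> bool:
    """True only if every Allow statement that grants sts:AssumeRole carries
    the aws:MultiFactorAuthPresent=true condition."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):      # IAM accepts a single statement object
        statements = [statements]
    grants = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            grants.append(stmt)
    if not grants:
        return False                      # nobody can assume it: not a usable support role
    for stmt in grants:
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            return False
    return True


def evaluate_support_role(role: Optional[dict], attached_policy_arns: List[str]) -> dict:
    """Return each check as a bool plus an overall 'compliant' verdict.
    `role` is the 'Role' object from get-role (None if the role is missing);
    `attached_policy_arns` comes from list-attached-role-policies."""
    checks = {"role_exists": role is not None, "has_support_policy": False,
              "tagged": False, "mfa_required": False}
    if role is not None:
        tag_keys = {t.get("Key") for t in role.get("Tags", [])}
        checks["has_support_policy"] = SUPPORT_POLICY_ARN in attached_policy_arns
        checks["tagged"] = REQUIRED_TAG_KEYS.issubset(tag_keys)
        checks["mfa_required"] = _trust_requires_mfa(role.get("AssumeRolePolicyDocument", {}))
    checks["compliant"] = all(checks.values())
    return checks


# Constructed sample: the role exactly as the template above creates it (placeholder account ID).
COMPLIANT_ROLE = {
    "RoleName": "AWSSupportRole",
    "Arn": "arn:aws:iam::123456789012:role/AWSSupportRole",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
    "Tags": [{"Key": "Purpose", "Value": "CIS-IAM-18-Compliance"},
             {"Key": "CreatedBy", "Value": "CloudFormation-StackSet"}],
}

# Constructed drift case: someone removed the MFA condition from the trust policy.
NO_MFA_ROLE = copy.deepcopy(COMPLIANT_ROLE)
del NO_MFA_ROLE["AssumeRolePolicyDocument"]["Statement"][0]["Condition"]

if __name__ == "__main__":
    for label, role, policies in [("as deployed", COMPLIANT_ROLE, [SUPPORT_POLICY_ARN]),
                                  ("mfa removed", NO_MFA_ROLE, [SUPPORT_POLICY_ARN]),
                                  ("policy detached", COMPLIANT_ROLE, []),
                                  ("role missing", None, [])]:
        print(label, json.dumps(evaluate_support_role(role, policies)))
```

To run it against a live account, feed `evaluate_support_role` the `Role` object from `aws iam get-role --role-name AWSSupportRole` and the ARNs from `aws iam list-attached-role-policies --role-name AWSSupportRole`; the trust-policy check is the one most likely to drift after deployment, which is why the sample includes that case.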
AWS Support Permissions
The AWSSupportAccess managed policy provides comprehensive permissions for AWS Support operations:
Key Permissions Included:
- `support:*` - Full AWS Support API access
- `support:CreateCase` - Create support cases
- `support:DescribeCases` - View existing support cases
- `support:AddCommunicationToCase` - Add communications to cases
- `support:ResolveCase` - Resolve support cases
Operations and Maintenance
Support roles are persistent and require no ongoing maintenance once created. The roles provide the foundation for AWS Support case management but require additional configuration to assign users or groups that can assume the role for actual incident response.
AWS Security Hub provides built-in detective controls to monitor accounts without proper support role configuration through CIS compliance checks.
Role Usage Configuration
While this implementation creates the support role for CIS compliance, organizations must separately configure who can assume the role:
Example: Specific Users/Groups
```bash
# Allow specific IAM principals to assume the support role
aws iam update-assume-role-policy \
  --role-name AWSSupportRole \
  --policy-document file://trust-policy-with-group.json
```
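One practical caveat when writing `trust-policy-with-group.json`: IAM groups cannot be named as principals in a trust policy, so "allow a group" is done in two parts. The trust policy names the specific user or role ARNs (keeping the MFA condition), and the group's identity policy grants `sts:AssumeRole` on the role. The generator below is an added example, not AWS code or part of the original article; the account ID, user names and group name it uses are constructed placeholders.

```python
"""Generate the two policy documents needed to restrict the support role to chosen
principals: a trust policy (user/role ARNs + MFA) and an identity policy for the group.
Added example; all ARNs below are constructed placeholders."""
import json
from typing import Dict, List

ACCOUNT_ID = "123456789012"        # placeholder account ID
ROLE_NAME = "AWSSupportRole"       # role name from the StackSet template
TRUST_FILE = "trust-policy-with-group.json"   # file name used by the update command above
GROUP_POLICY_FILE = "support-group-assume-policy.json"  # assumed name for the group policy


def build_trust_policy(principal_arns: List[str]) -> Dict:
    """Trust policy allowing only the listed IAM user/role ARNs to assume the role, with MFA.
    Rejects group ARNs up front, because IAM does not accept groups as principals."""
    if not principal_arns:
        raise ValueError("at least one principal ARN is required")
    for arn in principal_arns:
        if ":group/" in arn:
            raise ValueError(f"IAM groups cannot be trust-policy principals: {arn}")
        if not arn.startswith("arn:aws:iam::"):
            raise ValueError(f"not an IAM principal ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": "sts:AssumeRole",
            # Keep the MFA requirement the StackSet template established
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def build_group_assume_policy(role_name: str = ROLE_NAME, account_id: str = ACCOUNT_ID) -> Dict:
    """Identity policy to attach to the support group: grants sts:AssumeRole on this role only,
    so group membership (plus the trust policy) controls who can reach AWS Support."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
        }],
    }


def write_policy_files(principal_arns: List[str]) -> List[str]:
    """Write both documents to disk; returns the file names written."""
    with open(TRUST_FILE, "w") as f:
        json.dump(build_trust_policy(principal_arns), f, indent=2)
    with open(GROUP_POLICY_FILE, "w") as f:
        json.dump(build_group_assume_policy(), f, indent=2)
    return [TRUST_FILE, GROUP_POLICY_FILE]


if __name__ == "__main__":
    # Constructed example principals: the members of the hypothetical 'support-engineers' group
    members = [f"arn:aws:iam::{ACCOUNT_ID}:user/alice",
               f"arn:aws:iam::{ACCOUNT_ID}:user/bob"]
    print(json.dumps(build_trust_policy(members), indent=2))
    print(json.dumps(build_group_assume_policy(), indent=2))
```

After running it, apply the trust document with the `update-assume-role-policy` command above and attach the group document with `aws iam put-group-policy`. Listing explicit user ARNs means the trust policy must be regenerated when group membership changes; if that churn is unacceptable, the page's alternative of IAM Identity Center permission sets avoids per-user trust entries entirely.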
Testing and Validation
Validate the support role deployment and functionality:
Check Role Creation:
```bash
# Verify support role exists
aws iam get-role --role-name AWSSupportRole
```
Test Support Access:
```bash
# Assume the support role (requires proper trust policy configuration)
aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/AWSSupportRole \
  --role-session-name support-test

# Test support case creation (run with the temporary credentials returned above)
aws support create-case \
  --subject "Test Case" \
  --service-code "general-info" \
  --severity-code "low" \
  --category-code "other" \
  --communication-body "Test support case creation"
```
Limitations and Considerations
This implementation focuses on CIS compliance rather than operational readiness:
CIS Compliance Focus:
- Creates required support role
- Applies appropriate AWS Support permissions
- Satisfies CIS IAM.18 control requirements
Operational Considerations:
- Role can be assumed by any user/role in the account (with MFA)
- Additional trust policy configuration required for actual use
- Organizations must define incident response procedures separately
Security Enhancements:
- MFA requirement included in trust policy
- Proper tagging for compliance tracking
- Uses AWS managed policy for consistent permissions
Next Steps
While this implementation satisfies CIS IAM.18 compliance requirements, the current trust policy allows any user or role in the account to assume the support role (with MFA). Organizations should restrict access by updating the trust policy to allow only specific users or groups to assume the role, or alternatively, create IAM Identity Center permission sets with support operations for centralized access management across your organization.
This implementation supports security best practices and satisfies CIS AWS Foundations Benchmark v3.0.0 IAM.18 control requirements.