Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version

On December 22, 2021, AWS deployed a new version (v20) of the AWS-managed policy 'AWSSupportServiceRolePolicy' that is used by the IAM Role 'AWSServiceRoleForSupport'. In this new version, AWS added the 's3:getObject' action to the policy, which grants the AWS support team access to all S3 Bucket data.

Risk Level: Critical
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.70
Category: Security, Identity, & Compliance

GSL LOGIC

IamPolicy where name='AWSSupportServiceRolePolicy' should not have versionId='v20' or defaultVersionId='v20'

REMEDIATION

The 'AWSSupportServiceRolePolicy' policy is linked to a service and used only with a service-linked role for that service. You cannot attach, detach, modify, or delete this policy.
The 'AWSServiceRoleForSuppot' is a unique and mandatory service-linked IAM Role, which trusts the support.amazonaws.com service to assume the role.

References:

  1. https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html

IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS LGPD regulation
  • AWS MITRE ATT&CK Framework v11.3