AWS awssupport high security documentation change
Summary
Updated instructions for validating IAM policies and troubleshooting missing permissions using CloudTrail. Added step-by-step guidance to identify missing permissions through event analysis and remediation steps.
Security assessment
The changes explicitly document how to detect and remediate missing IAM permissions for Support Center API access, which directly relates to preventing AccessDenied errors and unauthorized access. The addition of steps to identify missing permissions via authZHeader in CloudTrail provides concrete evidence of addressing authorization security gaps.
Diff
diff --git a/awssupport/latest/user/support-console-access-control-test.md b/awssupport/latest/user/support-console-access-control-test.md index bf52a9ea4..8deeebca1 100644 --- a//awssupport/latest/user/support-console-access-control-test.md +++ b//awssupport/latest/user/support-console-access-control-test.md @@ -9 +9 @@ -To validate that API calls to the console work, open the [AWS Support Center Console](https://console.aws.amazon.com/support). If the calls aren't successful, then you see a banner outlining the errors. +To validate that your IAM policies are correctly configured for Support Center Console API operations, open the [AWS Support Center Console](https://console.aws.amazon.com/support) to generate recent API calls. @@ -11 +11 @@ To validate that API calls to the console work, open the [AWS Support Center Con -You can use AWS CloudTrail to debug the API calls made to the Support Center Console. The CloudTrail event for the API call shows if you have missing IAM policies. You can also investigate IP address forwarding issues by comparing your browser's IP addresses to the client IP address in the CloudTrail event. +To check for missing IAM permissions, complete the following steps: @@ -13 +13 @@ You can use AWS CloudTrail to debug the API calls made to the Support Center Con -To view CloudTrail events for calls to the Support Center Console, complete the following steps: + 1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail](https://console.aws.amazon.com/cloudtrail). @@ -15 +15 @@ To view CloudTrail events for calls to the Support Center Console, complete the - 1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/). + 2. Check the AWS Region dropdown to make sure that you're in the **US East (N. Virginia)** Region. @@ -17 +17 @@ To view CloudTrail events for calls to the Support Center Console, complete the - 2. In the navigation pane, choose **Event history**. You see a filtered list of events with the most recent events showing first. The default filter for events is **Read only** , set to **false**. To clear the filter, choose **X** at the right of the filter. + 3. In the navigation pane, choose **Event history**. @@ -19 +19,9 @@ To view CloudTrail events for calls to the Support Center Console, complete the - 3. Choose the event source **support-console.amazonaws.com**. On the event details page, you can view details about the event, see any referenced resources, and view the event record. + 4. Filter by event source **support-console.amazonaws.com**. + + 5. Match the event names to the list of `support-console:*` operations in [Adding IAM policies for the Support Center Console API operations](./support-console-access-control.html) (for example, `GetAccountState`). + + 6. Open the matching events and check for an `additionalEventData` field containing an `authZHeader` entry. If present, your IAM policy is missing the permission listed in that entry. + + 7. Add the specific `support-console` permission to your IAM policy. You can grant access to all operations using `support-console:*`, or select individual operations for fine-grained control. For the full list of operations, see [Adding IAM policies for the Support Center Console API operations](./support-console-access-control.html). + + 8. To verify the fix, revisit the AWS Support Center Console to generate new API calls, then repeat steps 1–6. Make sure that the new events no longer contain an `additionalEventData` field.