Manage access to Amazon Web Services Support Plans
Permissions for the Support Plans console
To access the Support Plans console, a user must have a minimum set of permissions. These permissions must allow the user to list and view details about the Support Plans resources in your Amazon Web Services account.
You can create an Amazon Identity and Access Management (IAM) policy with the supportplans namespace. You can use this policy to specify permissions for actions and resources.
When you create a policy, you can specify the namespace of the service to allow or deny an action. The namespace for Support Plans is supportplans.
You can use Amazon managed policies and attach them to your IAM entities. For more information, see Amazon managed policies for Amazon Web Services Support Plans.
Support Plans actions
You can perform the following Support Plans actions in the console. You can also specify these Support Plans actions in an IAM policy to allow or deny specific actions.
| Action | Description |
|---|---|
| | Grants permission to view details about the current support plan for this Amazon Web Services account. |
| | Grants permission to view details about the status for a request to update a support plan. |
| | Grants permission to start the request to update the support plan for this Amazon Web Services account. |
| | Grants permission to create support plan schedules for this Amazon Web Services account. |
| | Grants permission to view a list of all support plan modifiers for this Amazon Web Services account. |
Example IAM policies for Support Plans
You can use the following example policies to manage access to Support Plans.
Full access to Support Plans
The following policy allows users full access to Support Plans.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "supportplans:*",
            "Resource": "*"
        }
    ]
}
Read-only access to Support Plans
The following policy allows read-only access to Support Plans.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "supportplans:Get*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "supportplans:List*",
            "Resource": "*"
        }
    ]
}
Deny access to Support Plans
The following policy doesn't allow users access to Support Plans.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "supportplans:*",
            "Resource": "*"
        }
    ]
}
Troubleshooting
See the following topics to manage access to Support Plans.
When I try to view or change my support plan, the Support Plans console says that I'm missing the GetSupportPlan permission
IAM users must have the required permissions to access the Support Plans console. You can update your IAM policy to include the missing permission or use an Amazon managed policy, such as AWSSupportPlansFullAccess or AWSSupportPlansReadOnlyAccess. For more information, see Amazon managed policies for Amazon Web Services Support Plans.
If you don't have access to update your IAM policies, contact your Amazon Web Services account administrator.
I have the correct Support Plans permissions, but I still get the same error
If your Amazon Web Services account is a member account that's part of Amazon Organizations, the service control policy (SCP) might need to be updated. SCPs are a type of policy that manages permissions in an organization.
Because Support Plans is a global service, policies that restrict Amazon Web Services Regions might prevent member accounts from viewing or changing their support plan. To allow global services for your organization, such as IAM and Support Plans, you must add the service to the exclusion list in any applicable SCP. This means that accounts in the organization can access these services, even if the SCP denies a specified Amazon Web Services Region.
To add Support Plans as an exception, add "supportplans:*" to the "NotAction" list in the SCP.
"supportplans:*",
Your SCP might appear as the following policy snippet.
Example: SCP that allows Support Plans access in an organization
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GRREGIONDENY",
            "Effect": "Deny",
            "NotAction": [
                "aws-portal:*",
                "budgets:*",
                "chime:*",
                "iam:*",
                "supportplans:*",
                ....
If you have a member account and can't update the SCP, contact your Amazon Web Services account administrator. The management account might need to update the SCP so that all member accounts can access Support Plans.
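The following is an added example, not part of the original page and not Amazon's code: an offline check that lists which Deny statements in an SCP cover a given action, showing a Region deny that blocks supportplans:GetSupportPlan until "supportplans:*" is in its "NotAction" list. The function names are hypothetical, and the sample SCP's Condition block and the cn-north-1 value are constructed for illustration.

```python
import copy
import fnmatch

def _as_list(value):
    """SCP JSON accepts a single string/object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    """Case-insensitive match against IAM-style * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))

def _region_conditioned(stmt):
    """True when any condition operator tests aws:RequestedRegion."""
    return any(key.lower() == "aws:requestedregion"
               for keys in stmt.get("Condition", {}).values() for key in keys)

def denies_for(scp, action):
    """List (Sid, region_conditioned) for each Deny statement covering action.

    Conditions are not evaluated, only flagged, so a hit means "can deny".
    """
    hits = []
    for stmt in _as_list(scp["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:   # Deny everything except the listed actions
            covered = not _matches(stmt["NotAction"], action)
        else:
            covered = _matches(stmt.get("Action", []), action)
        if covered:
            hits.append((stmt.get("Sid", "<no Sid>"), _region_conditioned(stmt)))
    return hits

def with_exemption(scp, pattern="supportplans:*"):
    """Copy of scp with pattern added to each Region deny NotAction list."""
    fixed = copy.deepcopy(scp)
    for stmt in _as_list(fixed["Statement"]):
        if stmt.get("Effect") == "Deny" and "NotAction" in stmt and _region_conditioned(stmt):
            stmt["NotAction"] = _as_list(stmt["NotAction"]) + [pattern]
    return fixed

# Constructed sample: a Region deny SCP whose NotAction list omits supportplans.
SAMPLE_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GRREGIONDENY", "Effect": "Deny", "Resource": "*",
    "NotAction": ["aws-portal:*", "budgets:*", "chime:*", "iam:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["cn-north-1"]}}}]}

if __name__ == "__main__":
    for name, scp in (("before", SAMPLE_SCP), ("after", with_exemption(SAMPLE_SCP))):
        print(name, denies_for(scp, "supportplans:GetSupportPlan"))
```

A hit with the second field set to True identifies a Region-conditioned Deny, which is the kind of statement that needs the "supportplans:*" exemption.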
Notes for Amazon Control Tower
- If your organization uses an SCP with Amazon Control Tower, you can update the Deny access to Amazon based on the requested Amazon Web Services Region control (commonly referred to as the Region deny control).
- If you update the SCP for Amazon Control Tower to allow supportplans, repairing the drift will remove your update to the SCP. For more information, see Detect and resolve drift in Amazon Control Tower.
Related information
For more information, see the following topics:
- Service control policies (SCPs) in the Amazon Organizations User Guide
- Configure the Region deny control in the Amazon Control Tower User Guide
- Deny access to Amazon based on the requested Amazon Web Services Region in the Amazon Control Tower User Guide