Adding IAM policies for the Support Center Console API operations - Amazon Web Services Support
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Adding IAM policies for the Support Center Console API operations

Before November 2, 2026, you must create Amazon Identity and Access Management policies for the Support Center Console API operations. If you don't create these policies by November 2, 2026, you will receive AccessDenied errors.

To add these operations to your IAM policies, see Create IAM policies (console) in the Amazon Identity and Access Management User Guide.

The following table summarizes the console operations.

Note

These operations are for the console only. They're not available for use in the Amazon SDK or the Amazon CLI.

Operation Access level Description

GetAccountState

READ

Grants permission for the console to show the current account state.

GetAccountGovCloudEnabled

READ

Grants permission to determine if your account is GovCloud enabled.

GetCaseDraft

READ

Grants permission for the console to show the case draft that you previously created.

CreateCaseDraft

WRITE

Grants permission to create or update a case draft for the given case type.

DeleteCaseDraft

WRITE

Grants permission to delete a case draft for the given case type.

GetBanner

READ

Grants permission for the console to show the Amazon Web Services Support banner displayed during customer impacting events.

DescribeDynamicHelp

READ

Grants permission for the console to show dynamic help resources for the selected service and category.

CreateContact

WRITE

Grants permission for the console to create an authenticated contact for the selected contact type.

CheckSubscription

READ

Grants permission for the console to verify if your account has access to the selected product.

GetQuestionnaire

READ

Grants permission for the console to show the customer feedback questionnaire.

SaveFeedback

WRITE

Grants permission to save questionnaire feedback.
Note

If you have a custom VPN configuration, make sure that you configure your VPN to correctly forward your client IP address to the Support Center Console API endpoint. When using a VPN with Amazon Identity and Access Management policies that include aws:SourceIp conditions, the client IP address specified in your IAM policy must be forwarded to the API endpoint, not the VPN's IP address. If the VPN forwards its own IP address instead of the client IP address, authorization might fail because the IP address doesn't match the aws:SourceIp condition in your IAM policy. The following table provides the Support Center Console API endpoints by Amazon Web Services Region.

Amazon Web Services Region Support Center Console API endpoint

https://api.us-east-1.prod.support-console.support.aws.dev

US East (N. Virginia)

https://api.us-west-2.prod.support-console.support.aws.dev

US West (Oregon)

https://api.eu-west-1.prod.support-console.support.aws.dev

Europe (Ireland)