View a markdown version of this page

Option 2: Create a custom policy with minimum required permissions - Amazon Web Services Support
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Option 2: Create a custom policy with minimum required permissions

You can explicitly allow-list specific actions instead of using wildcards. The following are the required permissions for support interactions, case creation, and case management:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "support:AddAttachmentsToSet", "support:AddCommunicationToCase", "support:CreateCase", "support:DescribeAttachment", "support:DescribeCaseAttributes", "support:DescribeCases", "support:DescribeCommunication", "support:DescribeCommunications", "support:DescribeCreateCaseOptions", "support:DescribeIssueTypes", "support:DescribeServices", "support:DescribeSeverityLevels", "support:DescribeSupportedLanguages", "support:DescribeSupportLevel", "support:GetInteraction", "support:InitiateCallForCase", "support:ListInteractionEntries", "support:ListInteractions", "support:InitiateChatForCase", "support:PutCaseAttributes", "support:ResolveCase", "support:ResolveInteraction", "support:SearchForCases", "support:StartInteraction", "support:UpdateInteraction", "support-console:GetAccountState", "support-console:GetAccountGovCloudEnabled", "support-console:GetCaseDraft", "support-console:CreateCaseDraft", "support-console:DeleteCaseDraft", "support-console:GetBanner", "support-console:DescribeDynamicHelp", "support-console:CreateContact", ], "Resource": "*" } ] }

For Amazon DevOps Agent permissions required by your IAM identity, attach the following Amazon managed policies:

  • AIDevOpsAgentFullAccess. Provides full access to DevOps Agent management actions.

  • AIDevOpsAgentAccessPolicy. Required to create the agent space.

  • AIDevOpsOperatorAppAccessPolicy. Required to enable Operator App access.

For the full list of actions, see DevOps Agent IAM permissions in the Amazon DevOps Agent User Guide.

Your IAM identity needs iam:PassRole on the DevOpsAgentRole-AgentSpace and DevOpsAgentRole-WebappAdmin roles so that the Support Center Console can pass these roles to DevOps Agent when creating them on your behalf during first-time setup. For investigations on Amazon Elastic Kubernetes Service clusters, your IAM identity also needs eks:DescribeAccessEntry, eks:CreateAccessEntry, and eks:AssociateAccessPolicy so that the Support Center Console can create the read-only access entry on the target cluster. For more information about access entries, see Grant IAM users access to Kubernetes with Amazon EKS access entries in the Amazon Elastic Kubernetes Service User Guide.

Note

Using a custom policy requires ongoing maintenance as Amazon Web Services Support releases new features. For more information about the Support Center Console API operations, see Adding IAM policies for the Support Center Console API operations. For more information about each of the Amazon Web Services Support API operations, see Manage access to Amazon Web Services Support Center.