AWS account AWS support actions IAM Access to AWS Trusted Advisor

Manage access to AWS Support Center

You must have permissions to access Support Center and to create a support case.

You can use one of the following options to access Support Center:

Use the email address and password associated with your AWS account. This identity is called the AWS account root user.
Use AWS Identity and Access Management (IAM).

If you have a Business, Enterprise On-Ramp, or Enterprise Support plan, you can also use the AWS Support API to access AWS Support and Trusted Advisor operations programmatically. For more information, see the AWS Support API Reference.

Note

If you can't sign in to Support Center, you can use the Contact Us page instead. You can use this page to get help with billing and account issues.

AWS account

You can sign in to the AWS Management Console and access the Support Center by using your AWS account email address and password. This identity is called the AWS account root user. However, we strongly recommend that you don't use the root user for your everyday tasks, even the administrative ones. Instead, we recommend that you use IAM, which lets you control who can perform certain tasks in your account.

AWS support actions

You can perform the following AWS Support actions in the console. You can also specify these AWS Support actions in an IAM policy to allow or deny specific actions.

Note

If you deny any of the below actions in your IAM policies, it could result in unintended behaviour in Support Center when creating or interacting with a support case.

Action	Description
`DescribeSupportLevel`	Grants permission to return the support level for an AWS account identifier. This is used internally by AWS Support Center to identify your support level.
`InitiateCallForCase`	Grants permission to initiate a call on AWS Support Center. This is used internally by AWS Support Center to start a call on your behalf.
`InitiateChatForCase`	Grants permission to initiate a chat on AWS Support Center. This is used internally by AWS Support Center to start a chat on your behalf.
`RateCaseCommunication`	Grants permission to rate a AWS Support case communication.
`DescribeCaseAttributes`	Grants permission to allow secondary services to read AWS Support case attributes. This is used internally by AWS Support Center to get attributes tagged on your case.
`DescribeIssueTypes`	Grants permission to return issue types for AWS Support cases. This is used internally by AWS Support Center to get available issue types for your account.
`SearchForCases`	Grants permission to return a list of AWS Support cases that matches the given inputs. This is used internally by AWS Support Center to find searched cases.
`PutCaseAttributes`	Grants permission to allow secondary services to attach attributes to AWS Support cases. This is used internally by AWS Support Center to add operational tags to your AWS Support cases.

IAM

By default, IAM users can't access the Support Center. You can use IAM to create individual users or groups. Then, you attach IAM policies to these entities, so that they have permission to perform actions and access resources, such as to open Support Center cases and use the AWS Support API.

After you create IAM users, you can give those users individual passwords and an account-specific sign-in page. They can then sign in to your AWS account and work in the Support Center. IAM users who have AWS Support access can see all cases that are created for the account.

For more information, see Sign in to the AWS Management Console as an IAM user in the IAM User Guide.

The easiest way to grant permissions is to attach the AWS managed policy AWSSupportAccess to the user, group, or role. AWS Support allows action-level permissions to control access to specific AWS Support operations. AWS Support doesn't provide resource-level access, so the Resource element is always set to *. You can't allow or deny access to specific support cases.

Example : Allow access to all AWS Support actions

The AWS managed policy AWSSupportAccess grants an IAM user access to AWS Support. An IAM user with this policy can access all AWS Support operations and resources.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["support:*"],
            "Resource": "*"
        }
    ]
}

For more information about how to attach the AWSSupportAccess policy to your entities, see Adding IAM identity permissions (console) in the IAM User Guide.

Example : Allow access to all actions except the ResolveCase action

You can also create customer managed policies in IAM to specify what actions to allow or deny. The following policy statement allows an IAM user to perform all actions in AWS Support except resolve a case.


{
   "Version": "2012-10-17",
   "Statement": [
   {
      "Effect": "Allow",
      "Action": "support:*",
      "Resource": "*"
   },
   {
       "Effect": "Deny",
       "Action": "support:ResolveCase",
       "Resource": "*"
    }]
}

For more information about how to create a customer managed IAM policy, see Creating IAM policies (console) in the IAM User Guide.

If the user or group already has a policy, you can add the AWS Support-specific policy statement to that policy.

Important

If you can't view cases in the Support Center, make sure that you have the required permissions. You might need to contact your IAM administrator. For more information, see Identity and access management for AWS Support.

Access to AWS Trusted Advisor

In the AWS Management Console, a separate trustedadvisor IAM namespace controls access to Trusted Advisor. In the AWS Support API, the support IAM namespace controls access to Trusted Advisor. For more information, see Manage access to AWS Trusted Advisor.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS managed policies for AWS Support Plans

Manage access to AWS Support Plans