Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version

Risk Level: High
IAM Policy
Rule ID: D9.AWS.IAM.70
Category: Security, Identity, & Compliance
On December 22, 2021, AWS deployed a new version (v20) of the AWS-managed policy 'AWSSupportServiceRolePolicy' that is used by the IAM Role 'AWSServiceRoleForSupport'. In this new version, AWS added the 's3:getObject' action to the policy, which grants the AWS support team access to all S3 Bucket data.

gsl logic

IamPolicy where name='AWSSupportServiceRolePolicy' should not have versionId='v20' or defaultVersionId='v20'

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language


The 'AWSSupportServiceRolePolicy' policy is linked to a service and used only with a service-linked role for that service. You cannot attach, detach, modify, or delete this policy.
The 'AWSServiceRoleForSuppot' is a unique and mandatory service-linked IAM Role, which trusts the support.amazonaws.com service to assume the role.

1. https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html

Related Links:
Policies and Permissions

IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks