Implement AWS Partner-Led Support access for AWS Diagnostic Tools across your organization
This blog post explains how AWS Partners can use AWS CloudFormation StackSets to deploy the IAM roles that use the new AWSPartnerLedSupportReadOnlyAccess managed policy to every account in an organization in AWS Organizations.
Introduction
AWS Partner-Led Support is a program that allows AWS Partners to provide frontline technical support to customers, while partners maintain access to AWS expertise and resources. With this program, partners can deliver comprehensive support services and make sure that customers receive timely, expert assistance for their AWS implementations.
With the recent announcement of AWS managed policies for AWS Partner-Led Support, partners can now access AWS Diagnostic Tools across an organization.
Understand the AWSPartnerLedSupportReadOnlyAccess policy
The AWSPartnerLedSupportReadOnlyAccess policy is an AWS managed policy that grants partners the read-only permissions they need to run AWS Diagnostic Tools and read the related information across a customer's organization. The policy addresses challenges that partners face related to the following:
- Data access risks
- Scalability issues
- Frequent manual updates
For partners, the managed policy includes the following benefits.
Simplified access management
Partners don't need to create and maintain custom AWS Identity and Access Management (IAM) policies for each customer. The managed policy provides a standardized set of permissions that you can attach to cross-account IAM roles.
Automatic updates
As AWS introduces new services, features, and diagnostic tools, the policy is automatically updated. These automatic updates make sure that partners can access the latest resources without any manual intervention.
Enhanced security
The managed policy follows the principle of least privilege and grants only the read-only permissions needed for effective support, which limits the risk of unauthorized data access.
Improved scalability
Partners can efficiently support multiple customers across various AWS accounts without the need for custom policy management for each account.
Use StackSets to deploy AWSPartnerLedSupportReadOnlyAccess across your organization
The managed policy is attached to an IAM role, and that role has to exist in every account that partners support. To create it consistently across all accounts in your organization, use CloudFormation StackSets. And because the solution uses only CloudFormation and IAM, there are no additional costs to your organization.
Prerequisites:
- AWS Organizations turned on, with all features enabled.
- Administrator-level access to the organization's management account with credentials that can create CloudFormation stacks and IAM roles.
- Trusted access between StackSets and AWS Organizations turned on (required for the SERVICE_MANAGED permission model that the template uses).
Create a CloudFormation template
To deploy the roles across your organization, save the following template as partner-led-support-diagnostic-tools-access-stackset.yaml. Edit the defaults (role path, role name prefix, session duration, trusted principal, target Region) to meet your organization's security requirements before you save it. For more information, see CloudFormation template format.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation StackSet to deploy Partner-Led Support Diagnostic Tools Role across AWS Organization'
Parameters:
  Path:
    Type: String
    Default: '/PLS/'
    Description: Path for the IAM role
    MinLength: 1
    MaxLength: 512
    AllowedPattern: '^\/.*\/$'
    ConstraintDescription: Must begin and end with forward slash (/)
  RoleNamePrefix:
    Type: String
    Default: Diagnostic_Tools
    Description: Prefix for the IAM roles to be created (e.g., Diagnostic_Tools_Role, Diagnostic_Tools_Service)
    MinLength: 3
    MaxLength: 64
    AllowedPattern: '[a-zA-Z0-9+=,.@\-_]+'
  RootOrganizationArn:
    Type: String
    Description: The ARN of the AWS Organizations root (e.g., arn:aws:organizations::123456789012:root/o-exampleid/r-exampleid)
    AllowedPattern: '^arn:aws:organizations::[0-9]{12}:root/o-[a-z0-9]{10,32}/r-[a-z0-9]{4,32}$'
    ConstraintDescription: Must be a valid AWS Organizations root ARN
  PrincipalArn:
    Type: String
    Description: Principal ARN that can assume the role (e.g., arn:aws:iam::123456789012:root, arn:aws:iam::123456789012:role/RoleName or arn:aws:iam::123456789012:user/user-name). # Review valid principals based on Partner preference.
    AllowedPattern: '^arn:aws:iam::[0-9]{12}:(root|role/[a-zA-Z0-9+=,.@\-_/]+|user/[a-zA-Z0-9+=,.@\-_/]+)$'
    ConstraintDescription: Must be a valid IAM role ARN, user ARN, or root account ARN
  MaxSessionDuration:
    Type: Number
    Default: 43200
    MinValue: 3600
    MaxValue: 43200
    Description: Maximum session duration in seconds (1-12 hours)
    ConstraintDescription: "Session duration must be between 1 and 12 hours"
Resources:
  PartnerLedSupportStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName: PartnerLedSupportDiagnosticToolsRole
      Description: Deploys Partner-Led Support Diagnostic Tools Role to all accounts in Organization
      Parameters:
        - ParameterKey: PrincipalArn
          ParameterValue: !Ref PrincipalArn
        - ParameterKey: RoleNamePrefix
          ParameterValue: !Ref RoleNamePrefix
        - ParameterKey: MaxSessionDuration
          ParameterValue: !Ref MaxSessionDuration
        - ParameterKey: Path
          ParameterValue: !Ref Path
        - ParameterKey: OrganizationId
          # Splitting arn:aws:organizations::<account>:root/<o-id>/<r-id> on '/' gives the org ID at index 1
          ParameterValue: !Select [1, !Split ['/', !Ref RootOrganizationArn]]
      Capabilities:
        - CAPABILITY_IAM
        - CAPABILITY_NAMED_IAM
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      OperationPreferences:
        FailureTolerancePercentage: 10
        MaxConcurrentPercentage: 50 # Increase to 100 if rapid deployment is needed
        RegionConcurrencyType: SEQUENTIAL # Change from SEQUENTIAL to PARALLEL for faster multi-region deployment
      ManagedExecution:
        Active: true
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              # Index 2 of the same split is the root ID; targeting the root covers every OU.
              # Service-managed stack sets never deploy to the management account itself.
              - !Select [2, !Split ['/', !Ref RootOrganizationArn]]
          Regions:
            # IAM roles are global, so one Region is enough
            - us-east-1
      TemplateBody: |
        AWSTemplateFormatVersion: '2010-09-09'
        Description: 'CloudFormation template to deploy Partner_Led_Support Diagnostic Tools Role across AWS Organizations'
        Parameters:
          PrincipalArn:
            Type: String
            Description: Principal ARN that can assume the role (e.g., arn:aws:iam::123456789012:root, arn:aws:iam::123456789012:role/RoleName or arn:aws:iam::123456789012:user/user-name). # Review valid principals based on Partner preference.
            AllowedPattern: '^arn:aws:iam::[0-9]{12}:(root|role/[a-zA-Z0-9+=,.@\-_/]+|user/[a-zA-Z0-9+=,.@\-_/]+)$'
          RoleNamePrefix:
            Type: String
            Default: Diagnostic_Tools
            Description: Prefix for the IAM roles to be created (e.g., Diagnostic_Tools_Role, Diagnostic_Tools_Service)
            MinLength: 3
            MaxLength: 64
            AllowedPattern: '[a-zA-Z0-9+=,.@\-_]+'
          MaxSessionDuration:
            Type: Number
            Default: 43200
            MinValue: 3600
            MaxValue: 43200
            Description: Maximum session duration in seconds (1-12 hours)
            ConstraintDescription: "Session duration must be between 1 and 12 hours"
          Path:
            Type: String
            Default: '/PLS/'
            Description: Path for the IAM role
            AllowedPattern: '^\/.*\/$'
            ConstraintDescription: Must begin and end with forward slash (/)
          OrganizationId:
            Type: String
            Description: AWS Organization ID
            AllowedPattern: '^o-[a-z0-9]{10,32}$'
        Conditions:
          IsRoleNameAvailable: !Not [!Equals [!Ref RoleNamePrefix, '']]
        Resources:
          # Role the partner principal assumes. It never carries the managed policy itself;
          # it can only drive AWS Diagnostic Tools and pass the service role below.
          PartnerLedSupportRole:
            Type: 'AWS::IAM::Role'
            Condition: IsRoleNameAvailable
            DeletionPolicy: Delete
            Properties:
              RoleName: !Sub '${RoleNamePrefix}_Role'
              Description: Role for Partner-Led Support access
              MaxSessionDuration: !Ref MaxSessionDuration
              AssumeRolePolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Principal:
                      AWS: !Ref PrincipalArn
                    Action: 'sts:AssumeRole'
                    Condition:
                      StringEquals:
                        'aws:PrincipalOrgID': !Ref OrganizationId # Review and restrict trust Policy to ensure that only authorized principals under specific conditions can assume the role, reducing the risk of unauthorized access.
              Policies:
                - PolicyName: DiagnosticToolsAccess
                  PolicyDocument:
                    Version: '2012-10-17'
                    Statement:
                      # PassRole is limited to the one service role, and only to the Diagnostic Tools service
                      - Effect: Allow
                        Action:
                          - 'iam:PassRole'
                        Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role${Path}${RoleNamePrefix}_Service'
                        Condition:
                          StringEquals:
                            'iam:PassedToService': 'ts.amazonaws.com'
                      - Effect: Allow
                        Action: 'iam:ListRoles'
                        Resource: '*'
                      - Effect: Allow
                        Action: [
                          'ts:GetExecution',
                          'ts:GetExecutionOutput',
                          'ts:GetTool',
                          'ts:ListExecutions',
                          'ts:ListTagsForResource',
                          'ts:ListTools',
                          'ts:StartExecution',
                          'ts:TagResource',
                          'ts:UntagResource'
                        ]
                        Resource: '*'
              Path: !Ref Path
          # Role the Diagnostic Tools service assumes; this is where the read-only managed policy lives.
          ServiceDiagnosticRole:
            Type: 'AWS::IAM::Role'
            DeletionPolicy: Delete
            Properties:
              RoleName: !Sub '${RoleNamePrefix}_Service'
              Description: Role for AWS Diagnostic Tools Service access
              MaxSessionDuration: !Ref MaxSessionDuration
              AssumeRolePolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Principal:
                      Service: 'ts.amazonaws.com'
                    Action: 'sts:AssumeRole'
              ManagedPolicyArns:
                - 'arn:aws:iam::aws:policy/AWSPartnerLedSupportReadOnlyAccess'
              Path: !Ref Path
        Outputs:
          RoleArn:
            Description: ARN of the created IAM role
            Value: !GetAtt PartnerLedSupportRole.Arn
            Export:
              Name: !Sub '${AWS::StackName}-RoleArn'
          ServiceRoleArn:
            Description: ARN of the created Service IAM role
            Value: !GetAtt ServiceDiagnosticRole.Arn
            Export:
              Name: !Sub '${AWS::StackName}-ServiceRoleArn'
Outputs:
  StackSetId:
    Description: ID of the created StackSet
    Value: !Ref PartnerLedSupportStackSet
The template creates a StackSet that deploys two IAM roles into every account in the organization. It takes the following parameters:
- Path: The IAM path for both roles. The path must begin and end with a forward slash (default /PLS/).
- RoleNamePrefix: The prefix for the two role names, such as Diagnostic_Tools (which yields Diagnostic_Tools_Role and Diagnostic_Tools_Service).
- RootOrganizationArn: The organization's root Amazon Resource Name (ARN). The template splits it on "/" to obtain the organization ID (used in the trust policy) and the root ID (used as the deployment target).
- PrincipalArn: The ARN of the partner principal (account root, role, or user) that is allowed to assume the partner role.
- MaxSessionDuration: Maximum session duration in seconds, from 3600 (1 hour) to 43200 (12 hours). The default is the maximum.
The StackSet uses the SERVICE_MANAGED permission model with automatic deployment turned on, so accounts that join the organization later receive the roles automatically, and because RetainStacksOnAccountRemoval is false, the roles are deleted from accounts that leave. The operation preferences allow a 10% failure tolerance and 50% maximum concurrency and step through Regions sequentially; only us-east-1 is listed because IAM roles are global, so one Region is enough. ManagedExecution lets StackSets run non-conflicting operations concurrently and queue conflicting ones instead of failing them. Note that stack sets with service-managed permissions don't deploy to the management account itself, so if partners also need access there, deploy the inner template to the management account as a regular stack.
The template creates two IAM roles in each account:
PartnerLedSupportRole: Diagnostic_Tools_Role
- Can be assumed only by the PrincipalArn identity.
- Includes a trust policy condition that checks aws:PrincipalOrgID against the organization ID derived from RootOrganizationArn. Only principals that belong to that organization pass the check, so if the partner's PrincipalArn lives in a different organization the AssumeRole call is denied. Review and adjust this condition for your engagement model, as the comment in the template notes.
- Carries an inline policy (DiagnosticToolsAccess) that allows the following actions:
  - iam:PassRole, limited to the Diagnostic_Tools_Service role in the same account and only when the role is passed to ts.amazonaws.com.
  - iam:ListRoles on all roles.
  - The ts: actions for AWS Diagnostic Tools (ts:ListTools, ts:GetTool, ts:StartExecution, ts:GetExecution, ts:GetExecutionOutput, ts:ListExecutions, and the tagging actions).
ServiceDiagnosticRole: Diagnostic_Tools_Service
- Can be assumed only by the ts.amazonaws.com service principal.
- Has the AWSPartnerLedSupportReadOnlyAccess managed policy attached.
The template includes several security controls: the aws:PrincipalOrgID condition in the partner role's trust relationship, role separation (the partner principal never receives the managed policy directly; only the service role that ts.amazonaws.com assumes carries it), iam:PassRole scoped to that one service role and that one service, and a dedicated role path that SCPs and permissions boundaries can match on. Sequential Region deployment limits the blast radius of a bad rollout, although with a single Region it has no practical effect.
The inner template exports the ARNs of both roles (RoleArn and ServiceRoleArn) from each account's stack for cross-stack references; the outer stack outputs the StackSet ID. The template deploys across the organization and maintains proper security boundaries through role separation and defined permissions.
This infrastructure as code approach provides a secure and manageable way for partners to provide support across multiple AWS accounts and maintain security controls and audit capabilities.
To further restrict the role capabilities, organizations can add more guardrails through Service Control Policies (SCPs) or permissions boundaries. For example, add conditions to the trust policy to limit role assumption based on specific IP ranges or time windows, or require multi-factor authentication. Or, reduce the scope of the PassRole permissions and resource-level access in the DiagnosticToolsAccess policy to specific resources or Regions based on organizational requirements.
Note: It's a best practice to evaluate the maximum session duration and adjust it according to your organization's security policies.
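The guardrails above expressed as policy documents, as an added example that is not part of the original post: a function that tightens the template's trust policy with aws:SourceIp and aws:MultiFactorAuthPresent conditions while keeping the aws:PrincipalOrgID check, and an SCP that caps the partner role at the actions its inline policy grants. The principal ARN, organization ID and CIDR range are placeholders, and the SCP's aws:PrincipalArn pattern assumes the template's default path and role name prefix.

```python
"""Guardrails for the partner role as plain policy documents.

Added example, not code from the original post. It starts from the trust
policy that the page's template renders for ${RoleNamePrefix}_Role and
shows the two tightening steps the text mentions: extra trust-policy
conditions (source IP, MFA) and an SCP that caps what the role can do.
The principal ARN, organization ID and CIDR range are placeholders.
"""
import copy
import json

# Trust policy as the page's template renders it (placeholder identifiers).
BASE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/PartnerSupportEngineer"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
}


def harden_trust_policy(trust_policy, allowed_cidrs, require_mfa=True):
    """Return a copy of trust_policy whose Allow/sts:AssumeRole statements also
    require a source IP in allowed_cidrs and (optionally) an MFA-backed session.
    Existing conditions, such as the aws:PrincipalOrgID check, are kept.

    Caveat: aws:MultiFactorAuthPresent is only set when the caller's session
    was obtained with MFA. If PrincipalArn is a role reached through
    federation without MFA, the Bool condition denies every call, so test it
    against the real partner principal before rolling it out.
    """
    hardened = copy.deepcopy(trust_policy)
    for stmt in hardened["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        cond = stmt.setdefault("Condition", {})
        if allowed_cidrs:
            cond.setdefault("IpAddress", {})["aws:SourceIp"] = list(allowed_cidrs)
        if require_mfa:
            cond.setdefault("Bool", {})["aws:MultiFactorAuthPresent"] = "true"
    return hardened


def scp_for_partner_role(path="/PLS/", role_name_prefix="Diagnostic_Tools"):
    """SCP that denies the partner role anything beyond what the template's
    inline DiagnosticToolsAccess policy grants (ts:*, iam:ListRoles,
    iam:PassRole), even if someone later widens that inline policy.

    aws:PrincipalArn for an assumed-role session is the role's own ARN, so
    one ArnLike pattern matches the role in every account the StackSet
    deployed to. SCPs do not apply to the management account.
    """
    role_arn_pattern = f"arn:aws:iam::*:role{path}{role_name_prefix}_Role"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CapPartnerLedSupportRole",
            "Effect": "Deny",
            "NotAction": ["ts:*", "iam:ListRoles", "iam:PassRole"],
            "Resource": "*",
            "Condition": {"ArnLike": {"aws:PrincipalArn": role_arn_pattern}},
        }],
    }


def assume_role_conditions(trust_policy):
    """Merge the Condition blocks of all statements into {operator: {key: value}}
    so a reviewer (or a test) can see exactly what AssumeRole now requires."""
    merged = {}
    for stmt in trust_policy["Statement"]:
        for operator, keys in stmt.get("Condition", {}).items():
            merged.setdefault(operator, {}).update(keys)
    return merged


if __name__ == "__main__":
    tightened = harden_trust_policy(BASE_TRUST_POLICY, ["203.0.113.0/24"])
    print(json.dumps(tightened, indent=2))
    print(json.dumps(scp_for_partner_role(), indent=2))
```

To apply the hardened trust policy, paste the printed document into the AssumeRolePolicyDocument of PartnerLedSupportRole in the template; attach the SCP to the root or to the OUs where the roles are deployed. Keep the Deny statement's NotAction list in sync with the inline policy: anything you later add to DiagnosticToolsAccess is blocked until it is listed here too.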
Deploy the CloudFormation template
To deploy the Partner-Led Support solution, create a CloudFormation stack from the template in the AWS Management Console, signed in to the organization's management account (or a delegated administrator account for StackSets).
Note: Before you deploy to the entire organization, it's a best practice to test the template first: point OrganizationalUnitIds at a test OU that contains a single account, confirm that both roles are created and that the partner principal can assume Diagnostic_Tools_Role, and only then switch the target back to the organization root.
Prerequisites:
- You are signed in to the AWS Management Console with credentials that can create CloudFormation stacks and IAM resources.
- You have your organization's root ARN (shown in the AWS Organizations console when you select the root).
- You have the ARN of the partner principal (account root, role, or user) that will assume the role.
To deploy the solution, complete the following steps:
- Open the CloudFormation console. In the navigation pane, choose Stacks, choose Create stack, and then select With new resources (standard).
- On the Create stack page, under Prepare template, select Choose an existing template.
- Under Specify template, choose Upload a template file, and then choose Choose file.
- Select the partner-led-support-diagnostic-tools-access-stackset.yaml file, and then choose Next.
- On the Specify stack details page, enter the following information:
  - For Stack name, enter a name for your stack, such as partner-led-support-diagnostic.
  - For Path, enter an IAM path, or keep the default /PLS/.
  - For RoleNamePrefix, enter the prefix for the two role names, or keep the default Diagnostic_Tools.
  - For PrincipalArn, enter the ARN of the partner principal that you want to be able to assume the role.
  - For RootOrganizationArn, enter your organization's root ARN.
  - For MaxSessionDuration, keep the default of 43200 seconds or lower it to match your security policy.
- Choose Next.
- On the Configure stack options page, configure your options as needed, and then choose Next.
- On the Review and create page, if you are asked to acknowledge that CloudFormation might create IAM resources, select the check box. Then, choose Submit.
After the stack reaches CREATE_COMPLETE, the StackSet starts creating a stack instance in each account. That step can take several minutes, and you can follow its progress under StackSets in the navigation pane.
Review your deployment
After the stack is created, open StackSets in the CloudFormation navigation pane, select PartnerLedSupportDiagnosticToolsRole, and confirm on the Stack instances tab that every account shows the status CURRENT (the Operations tab lists any accounts that failed). Then spot-check a few member accounts to verify that Diagnostic_Tools_Role and Diagnostic_Tools_Service exist with the expected trust policies and that the managed policy is attached to the service role. After partners start using the access, monitor the AssumeRole events for Diagnostic_Tools_Role in AWS CloudTrail (optionally forwarded to Amazon CloudWatch Logs) so that you can see who used the access and when.
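One way to do that per-account review, as an added example that is not the post's own tooling: feed it the output of aws iam get-role for both roles and aws iam list-attached-role-policies for the service role from one member account, and it reports any drift from what the template should have produced. The root ARN is split the same way the template's !Select/!Split does. The account IDs, organization ID and partner principal are placeholder values, and the sample documents are constructed to match the template's output.

```python
"""Post-deployment review of the two roles the StackSet creates in one account.

Added example, not part of the original post. It checks the JSON that
`aws iam get-role` and `aws iam list-attached-role-policies` return for
Diagnostic_Tools_Role and Diagnostic_Tools_Service against what the template
should have produced: the expected trusted principal, the aws:PrincipalOrgID
condition (derived from the root ARN the same way the template derives it),
the agreed session length, the ts.amazonaws.com-only service trust and the
single managed policy. The sample documents are constructed, with placeholder
account and organization IDs.
"""
import json
import re
import sys

ROOT_ARN_RE = re.compile(
    r"^arn:aws:organizations::[0-9]{12}:root/o-[a-z0-9]{10,32}/r-[a-z0-9]{4,32}$")
MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AWSPartnerLedSupportReadOnlyAccess"


def org_and_root_from_arn(root_arn):
    """Same split the template does with !Select/!Split on RootOrganizationArn:
    index 1 is the organization ID, index 2 the root ID."""
    if not ROOT_ARN_RE.match(root_arn):
        raise ValueError(f"not an AWS Organizations root ARN: {root_arn}")
    parts = root_arn.split("/")
    return parts[1], parts[2]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_partner_role(get_role, expected_principal, org_id, max_session=43200):
    """Findings for Diagnostic_Tools_Role; an empty list means it matches."""
    role = get_role["Role"]
    findings = []
    if role["MaxSessionDuration"] > max_session:
        findings.append(f"MaxSessionDuration {role['MaxSessionDuration']} exceeds {max_session}")
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        trusted = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in trusted:
            findings.append("trust policy allows any AWS principal")
        findings += [f"unexpected trusted principal {p}" for p in trusted if p not in ("*", expected_principal)]
        org_cond = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        if org_cond != org_id:
            findings.append(f"aws:PrincipalOrgID is {org_cond!r}, expected {org_id!r}")
    return findings


def audit_service_role(get_role, attached):
    """Findings for Diagnostic_Tools_Service: trusted only by ts.amazonaws.com
    and carrying exactly the AWSPartnerLedSupportReadOnlyAccess policy."""
    findings = []
    for stmt in get_role["Role"]["AssumeRolePolicyDocument"]["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*" or set(principal) != {"Service"} or _as_list(principal["Service"]) != ["ts.amazonaws.com"]:
            findings.append(f"service role trusts {principal}")
    arns = sorted(p["PolicyArn"] for p in attached["AttachedPolicies"])
    if arns != [MANAGED_POLICY_ARN]:
        findings.append(f"attached policies {arns} differ from [{MANAGED_POLICY_ARN}]")
    return findings


def audit_account(partner_role, service_role, attached, expected_principal, root_arn, max_session=43200):
    """All findings for one member account, given the three CLI documents."""
    org_id, _ = org_and_root_from_arn(root_arn)
    return (audit_partner_role(partner_role, expected_principal, org_id, max_session)
            + audit_service_role(service_role, attached))


# Constructed samples shaped like the CLI output for member account 222222222222.
PARTNER_PRINCIPAL = "arn:aws:iam::111111111111:role/PartnerSupportEngineer"
ROOT_ARN = "arn:aws:organizations::111111111111:root/o-exampleorgid/r-ab12"
SAMPLE_PARTNER_ROLE = {"Role": {
    "Path": "/PLS/", "RoleName": "Diagnostic_Tools_Role",
    "Arn": "arn:aws:iam::222222222222:role/PLS/Diagnostic_Tools_Role",
    "MaxSessionDuration": 43200,
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": PARTNER_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}}}
SAMPLE_SERVICE_ROLE = {"Role": {
    "Path": "/PLS/", "RoleName": "Diagnostic_Tools_Service",
    "Arn": "arn:aws:iam::222222222222:role/PLS/Diagnostic_Tools_Service",
    "MaxSessionDuration": 43200,
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "ts.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}}}
SAMPLE_ATTACHED = {"AttachedPolicies": [{
    "PolicyName": "AWSPartnerLedSupportReadOnlyAccess", "PolicyArn": MANAGED_POLICY_ARN}]}

if __name__ == "__main__":
    # Pass a file holding a JSON array [get-role output, get-role output,
    # list-attached-role-policies output] gathered from one account; with no
    # argument the constructed samples above are audited.
    docs = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else [SAMPLE_PARTNER_ROLE, SAMPLE_SERVICE_ROLE, SAMPLE_ATTACHED]
    findings = audit_account(*docs, PARTNER_PRINCIPAL, ROOT_ARN)
    print("\n".join(findings) if findings else "OK: both roles match the template")
```

To run it against real accounts, assume a role you already own in each member account, dump the three documents with the AWS CLI into a JSON array, and pass the file path as the first argument. An empty findings list means the account matches the template; a "*" principal or a missing aws:PrincipalOrgID condition is exactly the kind of drift that turns a scoped support role into a cross-account backdoor, so treat any finding on the trust policy as a priority.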
Remove the deployment
When partner access is no longer needed, complete the following steps in the account where you created the stack. Deleting the stack deletes the StackSet and its stack instances, which removes both roles from every account:
- In the navigation pane, choose Stacks.
- Select the stack, and then choose Delete.
- In the pop-up box, choose Delete.
Follow best practices
For partner-managed customers, follow these best practices:
- To protect access to customer environments, apply the same controls inside your own organization: a narrowly scoped PrincipalArn, MFA on the principals that assume the role, and a session duration no longer than your support workflow needs.
- Educate your support team on the proper use of AWS Diagnostic Tools and the importance of maintaining customer data privacy.
- Regularly communicate with customers about the access that you have and how it's being used to support their AWS environments.
Conclusion
The AWSPartnerLedSupportReadOnlyAccess policy strengthens the AWS Partner-Led Support program and provides partners with secure, standardized access to AWS Diagnostic Tools across customer organizations. This managed policy eliminates the need to maintain complex IAM policies and makes sure that partners have the necessary permissions to provide technical support.
When you use CloudFormation StackSets to deploy these roles, you can efficiently manage access across your organization, maintain consistent security controls, and streamline your operations. This combination of managed policy and automated deployment helps you focus on delivering exceptional customer support, rather than managing access permissions.
To learn more about how AWS Partner-Led Support can help you provide better service to your customers, visit the AWS Partner-Led Support page.
About the authors
Marco Frattallone is a Senior Technical Account Manager at AWS who focuses on supporting partners. He works closely with partners to help them build, deploy, and optimize their solutions on AWS, and provides guidance and best practices. Marco is passionate about technology and helps partners stay at the forefront of innovation. Outside of work, he enjoys outdoor cycling, sailing, and exploring new cultures.
