Does granting a user AWSSupportAccess implicitly grant that user an ability to make changes to the AWS account via and AWS support agent?

Hello.

You are able to control access for users with AWS Identity and Access Management (IAM).

Here are a couple of resources to help:

https://aws.amazon.com/iam/features/manage-permissions/ & https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

Our Support team is also on hand to assist you directly with this and any further questions you may have, so feel free to reach out:

http://go.aws/phone-support

Regards,

Amy J

Do you have any particular actions in mind? which you believe the user shouldn't be able to do, but support team would?

Premium Support engineers will not be making any mutable actions on your account (like starting or terminating instances), but they have tools and resources to troubleshoot and advise on best practices. Billing&account customer service teams will not be changing any account information either, but they will provide guidance on how you can edit your accounts on your side as a customer (with the relevant permissions)... things like - adding/updating alternate contacts, changing credit card information, updating billing preferrences, editing account names/emails etc... you'd have to change this on your account yourself.

If you don't have relevant permissions to make those changes on the account, the support team may advise which permissions you're lacking. For example, let's say you don't have IAM permissions to view billing, but you submit support case requesting information about billing on the account, the support team shouldn't provide this information to you but should rather advise to contact an account admin or ask someone in your organization with the permissions to share this information with you.