Configuring AWS Business Support+
AWS Business Support+ is AWS’s paid support tier that combines 24/7 expert access, AI-assisted troubleshooting, Trusted Advisor and health-oriented guidance, and targeted initial response commitments for business-critical issues (see the official plan page for current feature wording and pricing). This guide focuses on how to turn it on and who can do it: console enrollment, organization-wide versus single-account subscription, IAM for the Support Plans console, and Organizations SCP pitfalls when Regions are restricted.
1. Overview
- Open the AWS Support Plans console and upgrade from Basic to Business Support+
- Choose organization-wide (management account, Organizations all features) or account-only enrollment
- Grant IAM access to change plans (supportplans:* or AWS managed policies) and fix SCP denies if Support Plans fails in member accounts
- Know how to downgrade (console path) and where to compare pricing before you confirm
2. Prerequisites
- Root user or an IAM principal allowed to change support plans (see Manage access to AWS Support Plans)
- For organization-level Business Support+: the account must be the Organizations management account, with all features enabled for the organization
- Billing in good standing; paid support has a minimum one-month commitment (Support FAQs)
3. Subscribe from the Support Plans console
Open the console
Sign in and go to AWS Support Plans.
Optional but recommended before you subscribe:
- Choose Compare all Support plans and features to line up Business Support+ against other tiers
- Use Pricing calculator (in the console) to estimate support charges from expected monthly AWS usage
Upgrade from Basic to Business Support+
Steps follow Changing AWS Support plans:
- In the AWS Business Support+ section, choose Get started
- Choose scope:
  - My organization — only if you use AWS Organizations with all-feature mode; only the management account can enroll the whole org. New accounts created in the org are automatically on Business Support+. In the console, My organization is disabled when it does not apply (for example, you are signed in to a member account, Organizations is not in use, or all features are not enabled for the organization)
  - My account — subscribe this account only
- Review plan details and pricing (AWS Support pricing)
- Accept the subscription terms (checkbox)
- Choose Confirm upgrade
After enrollment: confirm the tier in AWS Support Center (the console shows your current plan) and verify you can open a support case with the severity options you expect.
4. IAM: who may view or change the plan
Users need supportplans API permissions. Common actions (docs):
- supportplans:GetSupportPlan — view current plan
- supportplans:StartSupportPlanUpdate — start an upgrade or downgrade request
- supportplans:GetSupportPlanUpdateStatus — poll update status
AWS managed policies (names may evolve; confirm in IAM):
- AWSSupportPlansFullAccess — change plans
- AWSSupportPlansReadOnlyAccess — view only
Example read-only custom policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "supportplans:Get*",
        "supportplans:List*"
      ],
      "Resource": "*"
    }
  ]
}
Example full access (delegate carefully):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "supportplans:*",
      "Resource": "*"
    }
  ]
}
5. Organizations: SCPs and global services
If member accounts see errors even with correct IAM, an SCP that denies by Region can block Support Plans because it is a global console/API.
Per Manage access to AWS Support Plans, add supportplans:* to the NotAction list on any broad Region-deny SCP (exact structure depends on your org’s policy layout). If you use AWS Control Tower Region deny controls, read AWS guidance on drift before hand-editing SCPs, because repairs can revert custom exceptions.
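One way to audit an SCP for the problem described in this section, as an added example that is not from this guide's sources or AWS documentation: it reports which of the Support Plans actions from section 4 a Region-deny statement still blocks. The sample SCPs, the Sid and the Region are constructed, and the check assumes the deny is conditioned on the aws:RequestedRegion global condition key.

```python
from fnmatch import fnmatchcase

# Support Plans actions listed in section 4 of this guide.
SUPPORTPLANS_ACTIONS = ["supportplans:GetSupportPlan", "supportplans:StartSupportPlanUpdate",
                        "supportplans:GetSupportPlanUpdateStatus"]

def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _matches(action, patterns):
    """Case-insensitive match of an action against IAM-style wildcard patterns."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _is_region_deny(stmt):
    """True for a Deny statement conditioned on aws:RequestedRegion (assumed key)."""
    keys = [k.lower() for block in stmt.get("Condition", {}).values() for k in block]
    return stmt.get("Effect") == "Deny" and "aws:requestedregion" in keys

def blocked_supportplans_actions(scp):
    """Map each Region-deny statement to the Support Plans actions it still denies."""
    findings = {}
    for i, stmt in enumerate(_as_list(scp.get("Statement"))):
        if not _is_region_deny(stmt):
            continue
        if "NotAction" in stmt:  # everything is denied unless NotAction exempts it
            exempt = _as_list(stmt["NotAction"])
            denied = [a for a in SUPPORTPLANS_ACTIONS if not _matches(a, exempt)]
        else:  # only the actions named in Action are denied
            named = _as_list(stmt.get("Action"))
            denied = [a for a in SUPPORTPLANS_ACTIONS if _matches(a, named)]
        if denied:
            findings[stmt.get("Sid", f"Statement[{i}]")] = denied
    return findings

def region_deny(not_action):
    """Constructed sample SCP; the Sid and Region are made up for this example."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
        "NotAction": not_action, "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}

# support:* is a different service prefix and does not exempt supportplans:*.
BEFORE = region_deny(["iam:*", "organizations:*", "support:*"])
AFTER = region_deny(["iam:*", "organizations:*", "support:*", "supportplans:*"])

if __name__ == "__main__":
    print("before:", blocked_supportplans_actions(BEFORE))
    print("after: ", blocked_supportplans_actions(AFTER))
```

An empty result means no Region-deny statement in that SCP blocks the listed Support Plans actions; SCPs attached higher in the organization hierarchy need the same check.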
6. Downgrades and higher tiers
- Downgrade from Business Support+: on Manage Support Plans, use Review downgrade in the Basic Support section (Changing AWS Support plans)
- Enterprise Support or Unified Operations: use Contact sales in the console; Enterprise downgrades go through your TAM
- Account leaves the org after org-level Business Support+: AWS documents that the account drops to Basic support
7. Optional follow-on configuration
These are not strictly “subscription” steps but are how teams use paid support day to day:
- AWS Support App in Slack — create and update cases from Slack
- AWS Support API — automate case operations (separate IAM/service permissions)
- Trusted Advisor and AWS Health — visible in console once the plan includes them; use Trusted Advisor and AWS Health docs for check types and alerts
Promotional trial or pricing offers change over time; use the Business Support+ plan page and in-console offer links for current eligibility and refund rules.
8. Summary: Copy-Paste
Console entry points (sign in first):
https://console.aws.amazon.com/support/plans/home
https://console.aws.amazon.com/support/home
IAM: attach AWSSupportPlansFullAccess to a named role used only for billing/support changes, or merge the JSON examples in section 4 into your least-privilege model.
Organizations: if Region-deny SCPs exist, ensure supportplans:* is excluded from the deny per AWS documentation.
9. Troubleshooting
Access Denied on Support Plans: Attach AWSSupportPlansFullAccess (or equivalent supportplans:*) to the role or user; confirm you are not using a member account when only the management account may enroll the org.
Member account cannot open the page: Check SCP Region denies and add supportplans:* to NotAction as documented; verify Control Tower drift if that platform manages SCPs.
Wrong scope after the fact: Org-wide subscription is a management-account decision; single-account subscription does not extend to siblings. Adjust scope only by following AWS change plan / downgrade flows and org enrollment rules.
Charges surprise you: Revisit the console Pricing calculator and Support pricing; support fees are separate from service usage on the bill.