Ensure AWS IAM policies do not grant 'assume role' permission across all services
Typically, you use AssumeRole within your account for cross-account access. In order to follow least privilege principles, it is recommended NOT to use AssumeRole across ALL the accounts.
Risk Level: High
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.53
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
IamPolicy should not have document.Statement contain-any [ Action='sts:AssumeRole' and Effect = 'Allow' and (Resource regexMatch /\*/ or Resource contain-any [$ regexMatch /\*/]) and Condition.StringEquals isEmpty() and Condition.StringLike isEmpty()]
REMEDIATION
From Portal
- Sign in to the AWS Console
- Navigate to the 'IAM' service
- Identify the reported policy
- Change the Service element of the policy document to be more restrictive so that it only allows AssumeRole permission on select services.
From TF
Note: User with an administrative AWS account can allow a another user to assume an IAM role. To do that, you create a new policy and attach it to that user. The policy must include a statement with the Allow effect on the sts:AssumeRole action, plus the Amazon Resource Name (ARN) of the role in a Resource element, as shown in the following example. Users that get the policy, either through group membership or direct attachment, can switch to the specified role.
resource "aws_iam_role" "CloudTrailRoleForCloudWatchLogs-management-events" {
name = "CloudTrailRoleForCloudWatchLogs-management-events"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::aws_account_id:role/workdocs_app_role"
}
]
}
EOF
}
References
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
- https://docs.aws.amazon.com/workdocs/latest/developerguide/wd-iam-grantdev.html
IAM Policy
You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago