Ensure AWS IAM policies do not grant 'assume role' permission across all services

Typically, you use AssumeRole within your account for cross-account access. In order to follow least privilege principles, it is recommended NOT to use AssumeRole across ALL the accounts.

Suggest Edits

Risk Level: High
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.53
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamPolicy should not have document.Statement contain-any [ Action='sts:AssumeRole' and Effect = 'Allow' and (Resource regexMatch /\*/ or Resource contain-any [$ regexMatch /\*/]) and Condition.StringEquals isEmpty() and Condition.StringLike isEmpty()]

REMEDIATION

From Portal

  1. Sign in to the AWS Console
  2. Navigate to the 'IAM' service
  3. Identify the reported policy
  4. Change the Service element of the policy document to be more restrictive so that it only allows AssumeRole permission on select services.

From TF
Note: User with an administrative AWS account can allow a another user to assume an IAM role. To do that, you create a new policy and attach it to that user. The policy must include a statement with the Allow effect on the sts:AssumeRole action, plus the Amazon Resource Name (ARN) of the role in a Resource element, as shown in the following example. Users that get the policy, either through group membership or direct attachment, can switch to the specified role.

resource "aws_iam_role" "CloudTrailRoleForCloudWatchLogs-management-events" {
	name = "CloudTrailRoleForCloudWatchLogs-management-events"
	
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
		{
			"Action": "sts:AssumeRole",
			"Effect": "Allow",
			"Resource": "arn:aws:iam::aws_account_id:role/workdocs_app_role"
		}
		]
	}
	EOF
}

References

  1. https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
  2. https://docs.aws.amazon.com/workdocs/latest/developerguide/wd-iam-grantdev.html

IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset

Updated 7 months ago