Risk Level: High
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.60
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamRole should not have name in($Enumerable_Role_Names)

REMEDIATION

From Portal:
We can not change the IAM role name once it is created. We have to delete the enumerable role and create new role. Set permission same as deleted role.

Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose roles.
Identify and delete enumerable roles.
Create new rule with unique name.

From Command Line:
Run following command to create a new IAM execution role, Use unique name for the role.

aws iam create-role --role-name role_name --assume-role-policy-document file://example_policy.json

References:

IAM Role

An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Compliance Frameworks

AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST v11.0.0
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS PCI-DSS 4.0
AWS Security Risk Management
CloudGuard AWS All Rules Ruleset
CloudGuard AWS Default Ruleset