Ensure that IAM role names are not enumerable

Your IAM role name might be enumerable by an attacker. Dictionaries of the most common role names circulate in the wild (known as Enumerable Role Names), and an attacker can easily check whether such a role exists in your account during the reconnaissance stage of an attack. It is recommended to change the role's name to a unique one to better protect your account.

Risk Level: High
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.60
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamRole should not have name in($Enumerable_Role_Names)

REMEDIATION

From Portal:
An IAM role name cannot be changed once the role is created. You have to delete the enumerable role and create a new one with a unique name, granting it the same permissions as the deleted role.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Roles.
  3. Identify and delete the enumerable roles.
  4. Create a new role with a unique name.

From Command Line:
Run the following command to create a new IAM role, using a unique name for the role:

aws iam create-role --role-name role_name --assume-role-policy-document file://example_policy.json
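To find affected roles before deleting anything, here is an added example (not CloudGuard's own code) that applies the same logic as the GSL rule above to `list-roles` output. The dictionary and sample roles are constructed stand-ins, since the rule's real $Enumerable_Role_Names list is not on this page; matching is case-insensitive, and the suffix-based unique-name helper is an assumed naming scheme.

```python
"""Audit IAM role names against a dictionary of commonly guessed names.

Mirrors the rule's logic: IamRole should not have name in($Enumerable_Role_Names).
"""
import secrets
from dataclasses import dataclass

# Constructed sample dictionary; the rule's actual list is not on the page.
ENUMERABLE_ROLE_NAMES = {
    "admin", "administrator", "readonly", "devops", "deploy", "lambda-role", "ec2-role",
}


@dataclass(frozen=True)
class Finding:
    role_name: str
    arn: str
    matched: str  # dictionary entry the role name matched


def normalize(name: str) -> str:
    # Case-insensitive comparison (assumption): IAM names are not case-distinguished.
    return name.strip().lower()


def find_enumerable_roles(roles, dictionary=ENUMERABLE_ROLE_NAMES):
    """roles: iterable of dicts shaped like `aws iam list-roles` output (RoleName, Arn)."""
    lookup = {normalize(n): n for n in dictionary}
    findings = []
    for role in roles:
        key = normalize(role["RoleName"])
        if key in lookup:
            findings.append(Finding(role["RoleName"], role["Arn"], lookup[key]))
    return findings


def suggest_unique_name(role_name: str) -> str:
    """Append a random hex suffix so the replacement role is not in any wordlist (assumed scheme)."""
    return f"{role_name}-{secrets.token_hex(4)}"


def list_roles_from_aws():
    """Fetch live roles with boto3 (assumption: boto3 installed and credentials configured)."""
    import boto3  # imported lazily so the audit logic above runs offline
    paginator = boto3.client("iam").get_paginator("list_roles")
    for page in paginator.paginate():
        yield from page["Roles"]


# Constructed sample input shaped like list-roles output (example account ID).
SAMPLE_ROLES = [
    {"RoleName": "Admin", "Arn": "arn:aws:iam::123456789012:role/Admin"},
    {"RoleName": "payments-svc-7f3a", "Arn": "arn:aws:iam::123456789012:role/payments-svc-7f3a"},
    {"RoleName": "ReadOnly", "Arn": "arn:aws:iam::123456789012:role/ReadOnly"},
]

if __name__ == "__main__":
    for f in find_enumerable_roles(SAMPLE_ROLES):
        print(f"FLAG {f.arn}: matches dictionary entry {f.matched!r}; "
              f"suggested replacement name: {suggest_unique_name(f.role_name)}")
```

Replace SAMPLE_ROLES with list_roles_from_aws() to audit a live account; the script only reports and never deletes anything.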

References:

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-role.html

IAM Role

An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset