Risk Level: High
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.60
Covered by Spectral: No
Category: Security, Identity, & Compliance
IamRole should not have name in($Enumerable_Role_Names)
An IAM role's name cannot be changed after the role is created, and the role's ARN (arn:aws:iam::ACCOUNT:role/NAME) is derived from that name. To remediate, create a replacement role with a unique name, give it the same trust policy and permission policies as the enumerable role, repoint everything that referenced the old ARN (instance profiles, service configurations, trust or resource policies) to the new role, and then delete the enumerable role.
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Roles.
- Identify the roles whose names are enumerable.
- Create a new role with a unique name and attach the same trust policy and permission policies as the enumerable role.
- Switch every consumer of the enumerable role to the new role, then delete the enumerable role.
From Command Line:
Run the following command to create the replacement role, using a unique role name and, in example_policy.json, the trust policy copied from the enumerable role:
aws iam create-role --role-name role_name --assume-role-policy-document file://example_policy.json
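The script below carries the whole remediation through with the AWS CLI: it recreates the role under a new name with the same trust policy, managed policies, inline policies and instance-profile membership, and only then tears down the old role. It is an added example, not CloudGuard's own tooling or anything from the page; it assumes AWS CLI v2 with credentials allowed to read and modify both roles, and the role names on its command line (OLD_ROLE NEW_ROLE) are placeholders.

```shell
#!/bin/sh
# Replace an IAM role that has an enumerable name with an identically
# permissioned role under a new, unique name, then delete the old one.
# Added example, not CloudGuard's code. Assumes AWS CLI v2 and credentials
# that can read and modify both roles. Usage: ./migrate_role.sh OLD_ROLE NEW_ROLE
set -eu

# The new role gets the old role's trust policy so the same principals can
# assume it. A role name cannot be edited, so this is a genuine re-create.
copy_trust_policy() {
  trust=$(aws iam get-role --role-name "$1" \
            --query 'Role.AssumeRolePolicyDocument' --output json)
  aws iam create-role --role-name "$2" \
      --assume-role-policy-document "$trust" >/dev/null
}

# Attach every managed policy (AWS- or customer-managed) the old role has.
copy_managed_policies() {
  arns=$(aws iam list-attached-role-policies --role-name "$1" \
           --query 'AttachedPolicies[].PolicyArn' --output text)
  for arn in $arns; do
    aws iam attach-role-policy --role-name "$2" --policy-arn "$arn"
  done
}

# Inline policies live inside the role, so each document is copied verbatim.
copy_inline_policies() {
  names=$(aws iam list-role-policies --role-name "$1" \
            --query 'PolicyNames' --output text)
  for name in $names; do
    doc=$(aws iam get-role-policy --role-name "$1" --policy-name "$name" \
            --query 'PolicyDocument' --output json)
    aws iam put-role-policy --role-name "$2" --policy-name "$name" \
        --policy-document "$doc"
  done
}

# An instance profile holds exactly one role, so each profile the old role
# sits in is swapped over to the new role. This is the EC2 side of the
# "new ARN" problem; other consumers of the old ARN are handled outside.
move_instance_profiles() {
  profiles=$(aws iam list-instance-profiles-for-role --role-name "$1" \
               --query 'InstanceProfiles[].InstanceProfileName' --output text)
  for profile in $profiles; do
    aws iam remove-role-from-instance-profile \
        --instance-profile-name "$profile" --role-name "$1"
    aws iam add-role-to-instance-profile \
        --instance-profile-name "$profile" --role-name "$2"
  done
}

# DeleteRole is refused while policies are still attached, so strip them first.
delete_old_role() {
  arns=$(aws iam list-attached-role-policies --role-name "$1" \
           --query 'AttachedPolicies[].PolicyArn' --output text)
  for arn in $arns; do
    aws iam detach-role-policy --role-name "$1" --policy-arn "$arn"
  done
  names=$(aws iam list-role-policies --role-name "$1" \
            --query 'PolicyNames' --output text)
  for name in $names; do
    aws iam delete-role-policy --role-name "$1" --policy-name "$name"
  done
  aws iam delete-role --role-name "$1"
}

# Order matters: the replacement is fully built before the old role is
# touched, so a failure in any copy step (set -e) leaves the original intact.
migrate_role() {
  old="$1"; new="$2"
  copy_trust_policy "$old" "$new"
  copy_managed_policies "$old" "$new"
  copy_inline_policies "$old" "$new"
  move_instance_profiles "$old" "$new"
  # Anything else that referenced arn:aws:iam::ACCOUNT:role/OLD_ROLE
  # (Lambda/ECS task configs, resource policies, other roles' trust
  # policies) must be repointed to the new ARN before this step.
  delete_old_role "$old"
}

if [ "$#" -eq 2 ]; then
  migrate_role "$1" "$2"
fi
```

The script deliberately copies only what determines who can assume the role and what it can do. Path, description, maximum session duration, permissions boundary and tags are not copied and should be set on the new role if the old one used them, and consumers other than instance profiles still have to be repointed to the new ARN by hand before the final delete.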
An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset
Updated 2 months ago