Ensure that Trusted Policy Roles which can be assumed by external entities include a Condition String
Roles that can be assumed by external entities should be validated and secured. To enhance the security of such use-cases, it is recommended to add a Condition String to the Role Trust Policy.
Risk Level: High
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.61
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
IamRole should not have assumeRolePolicy.Statement contain-any [ Action='sts:AssumeRole' and Effect = 'Allow' and Principal.AWS regexMatch /(root)|(user)/ and (Condition.StringEquals isEmpty() and Condition.StringLike isEmpty())]
REMEDIATION
Please ensure that a Condition String is included in the Role Trust Policy.
Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html
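As an added illustration of both the GSL logic and the remediation above (example code, not CloudGuard's own implementation), the Python below evaluates two constructed role trust policies: one that an external account's root principal can assume with no Condition, and the same trust scoped with a StringEquals condition. The condition key sts:ExternalId and the account ID are assumptions for the example; the rule itself only requires a non-empty StringEquals or StringLike block.

```python
import json
import re
# Constructed sample trust policies (not from the original page).
# Weak: an external account's root principal may assume the role, no Condition.
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"
  }]
}""")
# Hardened: same principal, but trust is scoped by a StringEquals condition on
# sts:ExternalId (a real STS condition key; the value is a constructed placeholder).
HARDENED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}""")
PRINCIPAL_RE = re.compile(r"(root)|(user)")  # same pattern as the GSL rule

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def unconditioned_external_statements(trust_policy):
    """Return statements that violate the rule: Effect Allow, Action sts:AssumeRole,
    Principal.AWS matching /(root)|(user)/, and no StringEquals/StringLike condition."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if not any(PRINCIPAL_RE.search(p) for p in aws):
            continue
        cond = stmt.get("Condition") or {}
        if not cond.get("StringEquals") and not cond.get("StringLike"):
            findings.append(stmt)
    return findings

def role_is_compliant(trust_policy):
    return not unconditioned_external_statements(trust_policy)
```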
IAM Role
An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11
- AWS NIST 800-53 Rev 5
- AWS Risk Management
- AWS Security Risk Management
Updated over 1 year ago