Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version
On December 22, 2021, AWS deployed a new version (v20) of the AWS-managed policy 'AWSSupportServiceRolePolicy' that is used by the IAM Role 'AWSServiceRoleForSupport'. In this new version, AWS added the 's3:getObject' action to the policy, which grants the AWS support team access to all S3 Bucket data.
Risk Level: Critical
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.70
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
IamPolicy where name='AWSSupportServiceRolePolicy' should not have versionId='v20' or defaultVersionId='v20'
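As an added example (not part of the CloudGuard rule or its GSL), the following Python mirrors the rule's defaultVersionId check against data shaped like boto3's iam.get_policy() and get_policy_version() responses, and goes one step further by inspecting the default version's document for an Allow on s3:GetObject, which is the grant v20 introduced. The sample policy metadata and the abbreviated policy document are constructed for the example.

```python
import fnmatch
from typing import Any, Dict, List

# Constructed sample shaped like iam.get_policy() output (values are illustrative).
SAMPLE_POLICY: Dict[str, Any] = {
    "Policy": {
        "PolicyName": "AWSSupportServiceRolePolicy",
        "Arn": "arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy",
        "DefaultVersionId": "v20",
    }
}

# Constructed, abbreviated document for the sample default version, shaped like
# iam.get_policy_version()["PolicyVersion"]["Document"] (boto3 decodes it to a dict).
SAMPLE_DOCUMENT: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetBucketLocation"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

RULE_POLICY_NAME = "AWSSupportServiceRolePolicy"
FLAGGED_VERSION = "v20"


def _as_list(value: Any) -> List[Any]:
    # IAM allows Statement and Action to be either a single value or a list.
    return value if isinstance(value, list) else [value]


def violates_version_rule(policy: Dict[str, Any]) -> bool:
    """Mirror of the GSL test: the named policy must not have v20 as its default version."""
    meta = policy["Policy"]
    if meta.get("PolicyName") != RULE_POLICY_NAME:
        return False  # rule only targets this managed policy
    return meta.get("DefaultVersionId") == FLAGGED_VERSION


def allowing_statements(document: Dict[str, Any], wanted: str) -> List[Dict[str, Any]]:
    """Return Allow statements whose Action matches `wanted`.

    IAM action names are case-insensitive and may contain * and ? wildcards,
    so both sides are lower-cased and matched with shell-style globbing.
    """
    hits = []
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(wanted.lower(), str(action).lower()):
                hits.append(stmt)
                break
    return hits


def findings(policy: Dict[str, Any], document: Dict[str, Any]) -> List[str]:
    """Combine the version check with a document-level check for the s3:GetObject grant."""
    out = []
    if violates_version_rule(policy):
        out.append(f"default version is {FLAGGED_VERSION}")
    for stmt in allowing_statements(document, "s3:GetObject"):
        out.append(f"s3:GetObject allowed on Resource {stmt.get('Resource')}")
    return out
```

Run findings() against the live policy by replacing the two constructed samples with the results of iam.get_policy() and iam.get_policy_version() for the policy's DefaultVersionId.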
REMEDIATION
The 'AWSSupportServiceRolePolicy' policy is linked to a service and used only with a service-linked role for that service. You cannot attach, detach, modify, or delete this policy.
The 'AWSServiceRoleForSupport' role is a unique and mandatory service-linked IAM Role, which trusts the support.amazonaws.com service to assume the role.
References
IAM Policy
You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard S3 Bucket Security
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS LGPD regulation
- AWS MITRE ATT&CK Framework v11.3
- CloudGuard AWS Default Ruleset