Ensure cross-account IAM Role uses MFA or external ID as a condition
Ensuring your cross-account IAM Roles use Multi-Factor Authentication (MFA) or external ID is recommended as a security best practice.
Risk Level: Low
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.99
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
IamRole where assumeRolePolicy.Statement contain [ Effect = 'Allow' and Action = 'sts:AssumeRole' and Principal regexMatch /arn:aws:iam/ and not ~getValue('accountNumber') in (Principal.AWS split(':')) ] should have assumeRolePolicy.Statement contain [ Effect = 'Allow' and Action = 'sts:AssumeRole' and ( Condition.Bool.aws:MultiFactorAuthPresent= true or Condition.StringEquals.sts:ExternalId ) ]
REMEDIATION
From Portal
- Go to 'IAM'
- In the menu, under 'Access management', choose 'Roles'
- For each incompliant IAM Role:
- Go to 'Trust relationships' and click 'Edit trust policy'
- Edit the trust policy
- Click 'Update policy'
From TF
To update the trust policy, edit the 'assume_role_policy' argument:
resource "aws_iam_role" "example_iam_role" {
..
assume_role_policy = POLICY-DOCUMENT
..
}
From Command Line
To update the trust policy, run:
update-assume-role-policy --role-name ROLE-NAME --policy-document POLICY-DOCUMENT
References
- https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#assume_role_policy
IAM Role
An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago