Ensure that IAM Role cannot be assumed by anyone
If a role's trust policy allows anyone to assume it, any AWS principal can perform the actions granted by the role's attached policies. Set the Principal element to a specific service or account.
Risk Level: High
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.CFT.IAM.20
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
AWS_IAM_Role should not have AssumeRolePolicyDocument.Statement contain-any [ Effect='Allow' and Principal.AWS='*' ]
REMEDIATION
From CFT
Set the AWS::IAM::Role Principal attribute in AssumeRolePolicyDocument.Statement to a specific service or account, e.g. Service: ec2.amazonaws.com
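As an added example, not part of the CloudGuard rule or its GSL engine, the following Python check applies this rule's logic to a parsed CloudFormation template. It goes slightly beyond the GSL expression above: it also treats a bare "Principal": "*" and a list-valued Principal.AWS containing "*" as open, since both mean any AWS principal. The template and resource names are constructed.

```python
import json

# Constructed CloudFormation snippet (not from the page): OpenRole trusts any AWS
# principal; Ec2Role trusts only the EC2 service, as the remediation suggests.
TEMPLATE = json.loads("""{
  "Resources": {
    "OpenRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}}},
    "Ec2Role": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                     "Principal": {"Service": "ec2.amazonaws.com"}}]}}}
  }
}""")


def aws_principals(principal):
    """Flatten the AWS principal(s) of a statement. A bare "*" and {"AWS": "*"}
    both mean 'anyone'; the AWS key may hold a string or a list of ARNs."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def statement_is_open(stmt):
    """True when an Allow statement lets any AWS principal assume the role."""
    return stmt.get("Effect") == "Allow" and "*" in aws_principals(stmt.get("Principal"))


def find_open_roles(template):
    """Names of AWS::IAM::Role resources whose trust policy is open to anyone."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        stmts = doc.get("Statement", [])
        if isinstance(stmts, dict):  # Statement may be a single object rather than a list
            stmts = [stmts]
        if any(statement_is_open(s) for s in stmts):
            findings.append(name)
    return findings
```

Like the GSL expression, the check ignores any Condition element, so a wildcard statement narrowed by a Condition is still flagged and needs manual review.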
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_compare-resource-policies.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
IAM Role
An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.
Compliance Frameworks
- AWS CloudFormation ruleset