IAM Assume role policy without ExternalId or MFA

ID

aws_iam_assume_role_valid

Severity

high

Vendor

AWS

Resource

IAM

Tags

reachable

Description

Cross-account IAM assume role policy without ExternalId or MFA. IAM roles that establish a trusted relationship between your AWS account and a third-party entity should require MFA or an ExternalId to secure access to your resources and to prevent confused deputy attacks. Without either condition, any principal in the trusted account can assume the role, and a third party that is itself tricked by one of its other customers can be used to reach your resources.

To fix it, configure the assume role policy with an ExternalId and MFA requirement in the Condition section of the statement that allows sts:AssumeRole.

Learn more about this topic at AWS IAM external id.

Examples

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::123456789012:root"
    },
    "Action": "sts:AssumeRole"
  }]
}

Mitigation / Fix

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::123456789012:root"
    },
    "Condition": {
      "Bool": {
        "aws:MultiFactorAuthPresent": "true"
      },
      "StringEquals": {
        "sts:ExternalId": "<external_id>"
      }
    },
    "Action": "sts:AssumeRole"
  }]
}
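As an added example (not the scanner's own code), the check below applies this rule to a trust policy document: it flags the first policy above and passes the fixed one. The dict-based input, the accepted condition operators and the skipping of Service and Federated principals are assumptions made for illustration.

```python
EXTERNAL_ID_OPERATORS = {"stringequals", "stringlike", "stringequalsignorecase"}
MFA_OPERATORS = {"bool", "boolifexists"}

def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Principal.AWS."""
    return value if isinstance(value, list) else [value]

def _condition_pairs(condition, operators):
    """Yield (key, value) pairs found under the given condition operators."""
    for op, pairs in (condition or {}).items():
        if op.lower() in operators:
            for key, val in pairs.items():
                yield key.lower(), val

def statement_is_protected(stmt):
    """True if the statement requires an ExternalId or an MFA-authenticated caller."""
    cond = stmt.get("Condition", {})
    has_external_id = any(k == "sts:externalid" and v
                          for k, v in _condition_pairs(cond, EXTERNAL_ID_OPERATORS))
    has_mfa = any(k == "aws:multifactorauthpresent" and str(v).lower() == "true"
                  for k, v in _condition_pairs(cond, MFA_OPERATORS))
    return has_external_id or has_mfa

def find_unprotected_statements(policy):
    """Return the indexes of Allow statements that let an AWS principal call
    sts:AssumeRole without either condition. Service and Federated principals
    are skipped (assumption): ExternalId and MFA do not apply to them."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and "AWS" not in principal:
            continue
        if not statement_is_protected(stmt):
            findings.append(i)
    return findings

# Constructed sample input: the two trust policies shown on this page.
UNPROTECTED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "sts:AssumeRole"}]}
PROTECTED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                  "StringEquals": {"sts:ExternalId": "<external_id>"}},
    "Action": "sts:AssumeRole"}]}
```

Running `find_unprotected_statements(UNPROTECTED)` returns `[0]`, the index of the offending statement, while the fixed policy returns an empty list.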