IAM policy grants 'AssumeRole' permission to all services

ID

aws_iam_policy_assume_role

Severity

low

Vendor

AWS

Resource

IAM

Tags

reachable

Description

IAM policy grants AssumeRole permission to all services. It is more secure grant permissions gradually as necessary.

To fix it, you must configure the policy with the AssumeRole only for necessary resources.

Learn more about this topic at AWS Assume role.

Examples

{
    "Version": "2012-10-17",
    "Statement":[{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "*"
    }]
}

Mitigation / Fix

{
    "Version": "2012-10-17",
    "Statement":[{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::aws_account_id:role"
    }]
}