IAM policy grants 'AssumeRole' permission to all principals

ID

aws_iam_policy_assume_role_principals

Severity

low

Vendor

AWS

Resource

IAM

Tags

reachable

Description

IAM policy grants AssumeRole permission to all principals. It is more secure to grant permissions gradually, only as they become necessary.

To fix it, configure the policy so that sts:AssumeRole is allowed only for the principals that need it.

Learn more about this topic at AWS Assume role.

Examples

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": "*",
        "Resource": "arn:aws:iam::aws_account_id:role"
    }]
}

Mitigation / Fix

{
    "Version": "2012-10-17",
    "Statement":[{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": "s3.amazonaws.com"
        },
        "Resource": "arn:aws:iam::aws_account_id:role"
    }]
}
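As an added example that is not part of this rule's documentation, the following Python implements the check this rule describes: it walks an IAM trust policy document and reports Allow statements that grant sts:AssumeRole to a wildcard Principal, so the open document above is flagged while the service-restricted fix is not. The sample policies are constructed inline and the function names are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample trust policies for this example (not from any real
# account); they mirror the open and fixed documents shown on this page.
OPEN_TRUST_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]}''')
FIXED_TRUST_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "s3.amazonaws.com"}}]}''')


def _as_list(value):
    """IAM accepts most elements as a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    """True if the Principal element admits any AWS identity: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_open_assume_role_statements(policy: dict) -> list:
    """Return the Allow statements that grant sts:AssumeRole to every principal.
    A Condition is not treated as a fix here: it may narrow the callers, but the
    statement still names every principal and deserves review."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Action may be a list and may use wildcards ("sts:*", "sts:Assume*");
        # IAM action names are case-insensitive, so match lower-cased patterns.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        if principal_is_wildcard(stmt.get("Principal")):
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    for name, doc in (("open", OPEN_TRUST_POLICY), ("fixed", FIXED_TRUST_POLICY)):
        print(name, "->", len(find_open_assume_role_statements(doc)), "finding(s)")
```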