Ensure AWS IAM policy does not allow assume role permission across all services

ID

iam_policy_allows_assume_across_services

Severity

critical

Vendor

AWS

Resource

IAM

Tags

asvs50-v8.2.1, reachable

Description

The Action element of an IAM policy statement lists the specific action or actions that are allowed or denied; every statement must include either an Action or a NotAction element.

A role's trust policy (its AssumeRolePolicyDocument) names the principals that may call sts:AssumeRole on it and receive temporary credentials for a bounded session. Trusting an account's root principal (arn:aws:iam::<account-id>:root) delegates that trust to every IAM user and role in that account that has sts:AssumeRole permission, rather than to one identity, so under least privilege it is almost always a misconfiguration.

The trust policy should instead name only the specific principals (a service, a named role, or a named user) that actually need to assume the role.
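To see how this check can be applied at build time, here is an added example (not part of the original page, and not the scanner's own code) that walks the AWS::IAM::Role resources of a CloudFormation template, parsed as a dict, and reports trust-policy statements that allow sts:AssumeRole to an account root ARN or to a bare wildcard principal. The function names, the regular expression, and the two sample templates are constructed for illustration; the samples mirror the page's examples.

```python
"""Flag over-broad principals in CloudFormation IAM role trust policies."""
import json
import re

# Matches an account root principal such as arn:aws:iam::123456789101:root
ACCOUNT_ROOT_RE = re.compile(r"^arn:aws:iam::\d{12}:root$")

# Actions (lower-cased) that let a principal obtain the role's credentials.
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def broad_trust_principals(policy):
    """Return the over-broad AWS principals found in a trust policy document.

    A principal is over-broad when it is an account root ARN (which delegates
    AssumeRole to every IAM identity in that account) or a bare "*".
    The document may be a dict or a JSON string; CloudFormation accepts both.
    Condition elements are deliberately ignored, matching the rule's stance.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous: any principal at all
            findings.append("*")
            continue
        for arn in _as_list(principal.get("AWS")):
            if arn == "*" or ACCOUNT_ROOT_RE.match(arn):
                findings.append(arn)
    return findings


def check_template(template):
    """Map each AWS::IAM::Role logical ID in a template to the over-broad
    principals in its AssumeRolePolicyDocument; clean roles are omitted."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        policy = resource.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        broad = broad_trust_principals(policy)
        if broad:
            results[logical_id] = broad
    return results


# Constructed sample templates (hypothetical account ID, as on this page).
BAD_TEMPLATE = {
    "Resources": {
        "Role": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": ["arn:aws:iam::123456789101:root"]},
                        "Action": ["sts:AssumeRole"],
                    }],
                }
            },
        }
    }
}

GOOD_TEMPLATE = {
    "Resources": {
        "ScalingRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": ["application-autoscaling.amazonaws.com"]},
                        "Action": ["sts:AssumeRole"],
                    }],
                }
            },
        },
        # Same policy expressed as a JSON string, as the YAML fix below does.
        "Ec2Role": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": json.dumps({
                    "Statement": [{
                        "Action": "sts:AssumeRole",
                        "Effect": "Allow",
                        "Principal": {"Service": "ec2.amazonaws.com"},
                    }]
                })
            },
        },
    }
}

if __name__ == "__main__":
    print(check_template(BAD_TEMPLATE))   # {'Role': ['arn:aws:iam::123456789101:root']}
    print(check_template(GOOD_TEMPLATE))  # {}
```

Because the checker ignores Condition elements, a root principal paired with a condition such as one on aws:PrincipalArn is still reported; that matches the rule's critical severity, but a team that relies on that pattern will want to refine the check rather than suppress it.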

Examples

CloudFormation

{
  "Resources": {
    "Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::123456789101:root" (1)
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        }
      }
    }
  }
}
1 Too broad: trusting the account root principal lets any IAM user or role in that account with sts:AssumeRole permission assume this role.
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: "Allow"
          Principal:
            AWS:
            - arn:aws:iam::123456789101:root (1)
          Action:
          - "sts:AssumeRole"
1 Too broad: trusting the account root principal lets any IAM user or role in that account with sts:AssumeRole permission assume this role.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "application-autoscaling.amazonaws.com" (1)
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        }
      }
    }
  }
}
1 Fine-grained: only the named service principal can assume the role.
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com" (1)
              }
            }
          ]
        }
1 Fine-grained: only the named service principal can assume the role.