Ensure IAM role allows only specific services or principals to assume it

ID

iam_role_allows_public_assume

Severity

critical

Vendor

AWS

Resource

IAM

Tags

reachable

Description

The Action element describes the specific action or actions that will be allowed or denied. Statements must include either an Action or NotAction element. In a role's trust policy (the AssumeRolePolicyDocument) the action is sts:AssumeRole, and the Principal element of the same statement names who is allowed to perform it.

Each AWS service has its own set of actions that describe tasks that you can perform with that service. Specify a value using a namespace that identifies a service, for example, iam, ec2, sqs, sns, s3, followed by the name of the action to be allowed or denied. The name must match an action that is supported by the service.

Setting the Principal to "*" (all principals) means that any authenticated identity across all of AWS can assume the role. A caller in another account still needs an identity-based policy that permits sts:AssumeRole on the role, but that policy is written by the other account's administrator, not by you, so the wildcard effectively delegates control of the role to every AWS account. This is almost always a misconfiguration, since standard security practice is to grant least privilege.

A refined trust policy naming only the specific accounts, IAM identities, or service principals that actually need to assume the role should be used instead.
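The following is an added example, not code from the original page or from the policy's own checker. It shows how a build-time check for this finding can be written over a trust policy document: it walks the statements, keeps only Allow statements whose Action covers sts:AssumeRole, and reports those whose Principal is the wildcard in either of its forms (`"Principal": "*"` or `"Principal": {"AWS": "*"}`, with the AWS value given as a string or a list). Because a wildcard principal scoped by a Condition (for example on aws:PrincipalOrgID) is a pattern a reviewer may want to triage separately, each hit also reports whether the statement carries a Condition. The sample policies are constructed for the example and mirror the Terraform snippets on this page; the function and constant names are the example's own.

```python
"""Flag IAM role trust-policy statements that let any AWS principal assume the role."""
import json

# Actions that grant sts:AssumeRole, compared case-insensitively.
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows most elements to be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "Principal": "*" (shorthand) or "Principal": {"AWS": "*"} / {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_assume_statements(trust_policy):
    """Return [(statement_index, has_condition), ...] for statements that allow
    any AWS identity to assume the role.

    trust_policy is the AssumeRolePolicyDocument as a dict or a JSON string.
    Statements that use NotAction or NotPrincipal are not analysed here; they
    are rare in trust policies and need a separate rule.
    """
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)

    hits = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            hits.append((idx, "Condition" in stmt))
    return hits


# Constructed sample: the vulnerable Terraform trust policy from this page.
VULNERABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "sts:AssumeRole", "Principal": {"Service": "lambda.amazonaws.com"}, "Effect": "Allow"},
        {"Action": "sts:AssumeRole", "Principal": {"AWS": "*"}, "Effect": "Allow"},
        {"Action": "sts:AssumeRole", "Principal": {"Service": "events.amazonaws.com"}, "Effect": "Allow"},
    ],
}

# Constructed sample: the fixed policy, trusting a single service principal.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "sts:AssumeRole", "Principal": {"Service": "lambda.amazonaws.com"}, "Effect": "Allow"},
    ],
}

# Constructed sample: wildcard principal narrowed by a Condition; still reported,
# but flagged so a reviewer can decide whether the condition is acceptable.
ORG_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["sts:AssumeRole"],
            "Principal": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
    ],
}

# Same vulnerable policy serialised, as it would appear inline in a template.
VULNERABLE_POLICY_JSON = json.dumps(VULNERABLE_POLICY)


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY),
                         ("fixed", FIXED_POLICY),
                         ("org-scoped", ORG_SCOPED_POLICY)):
        print(name, find_public_assume_statements(policy))
```

Running the block reports statement 1 of the vulnerable policy (no Condition), nothing for the fixed policy, and statement 0 of the org-scoped policy with the condition flag set. In a real pipeline the function would be fed each AssumeRolePolicyDocument parsed out of the CloudFormation or Terraform plan rather than the embedded samples.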

Examples

Buildtime

CloudFormation

{
  "Resources": {
    "Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "*" (1)
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        }
      }
    }
  }
}
1 Wildcard principal: any AWS identity may assume the role.
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: "Allow"
          Principal:
            AWS:
              - "*" (1)
          Action:
          - "sts:AssumeRole"
1 Wildcard principal: any AWS identity may assume the role.

Terraform

resource "aws_iam_role" "test_role" {
  name               = "test-role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : { "Service" : "lambda.amazonaws.com" },
        "Effect" : "Allow"
      },
      {
        "Action" : "sts:AssumeRole",
        "Principal" : { "AWS" : "*" }, (1)
        "Effect" : "Allow"
      },
      {
        "Action" : "sts:AssumeRole",
        "Principal" : { "Service" : "events.amazonaws.com" },
        "Effect" : "Allow"
      }
    ]
  })
}
1 Wildcard principal: any AWS identity may assume the role, regardless of the other, correctly scoped statements.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "application-autoscaling.amazonaws.com" (1)
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        }
      }
    }
  }
}
1 Trust restricted to a single service principal.
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com" (1)
              }
            }
          ]
        }
1 Trust restricted to a single service principal.

Terraform

resource "aws_iam_role" "test_role" {
  name               = "test-role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : { "Service" : "lambda.amazonaws.com" }, (1)
        "Effect" : "Allow"
      }
    ]
  })
}
1 Only the named service principal can assume the role; the wildcard statement has been removed.