Ensure AWS IAM policy does not allow assume role permission across all services

ID

iam_policy_allows_assume_from_account

Severity

critical

Vendor

AWS

Resource

IAM

Tags

reachable

Description

The Action element of an IAM policy statement names the specific action or actions that are allowed or denied. Every statement must include either an Action or a NotAction element.

When a principal assumes a role, STS issues temporary security credentials for a bounded session. A role trust policy whose Principal is an account root ARN (arn:aws:iam::<account-id>:root), or a bare 12-digit account ID, does not trust only the root user: it trusts every IAM user and role in that account that has itself been granted sts:AssumeRole, and a Principal of "*" trusts everyone. Such account-wide trust is almost always a misconfiguration, since least privilege calls for trusting only the specific principals that need the role.

A refined trust policy that names only the specific roles, users or AWS service principals required by the role's purpose should be used instead.
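The following is an added example, not part of the original policy page or of any scanner's own code. It implements the check described above over a parsed trust-policy document: any Allow statement that grants sts:AssumeRole (or a wildcard covering it) to a Principal of "*", a bare account ID, or an account root ARN is reported. The sample documents are constructed here; the function and helper names are assumptions, not an existing API.

```python
import re

# Account root ARN in any partition, e.g. arn:aws:iam::123123123123:root
ROOT_ARN_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::\d{12}:root$")
# A bare account ID is normalised by IAM to the root ARN, so it means the same thing
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Action values that grant (or wildcard-cover) sts:AssumeRole, compared case-insensitively
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM accepts scalar-or-list for most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume(actions):
    return any(str(a).lower() in ASSUME_ACTIONS for a in _as_list(actions))


def _is_account_wide(principal):
    """True when a single AWS principal string stands for a whole account, or everyone."""
    if principal == "*":
        return True
    return bool(ROOT_ARN_RE.match(principal) or ACCOUNT_ID_RE.match(principal))


def find_account_wide_trust(policy):
    """Return (Sid, principal) pairs for each account-wide principal an Allow
    statement lets assume the role. An empty list means the check passes.
    Service principals (Principal.Service) and role/user ARNs are not flagged;
    a Condition element does not suppress the finding, matching the check above."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_assume(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", "")
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append((sid, "*"))
            continue
        if isinstance(principal, dict):
            for p in _as_list(principal.get("AWS")):
                if _is_account_wide(p):
                    findings.append((sid, p))
    return findings


# Constructed sample documents, mirroring the fail and pass cases on this page.
FAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::123123123123:root"},
        "Effect": "Allow",
        "Sid": "",
    }],
}

PASS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Effect": "Allow",
        "Sid": "",
    }],
}

# A specific role ARN passes; a bare account ID in the same list is flagged.
MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CrossAccount",
        "Effect": "Allow",
        "Action": ["sts:AssumeRole", "sts:TagSession"],
        "Principal": {"AWS": ["arn:aws:iam::123123123123:role/deployer", "123123123123"]},
    }],
}

if __name__ == "__main__":
    for name, doc in (("fail", FAIL_POLICY), ("pass", PASS_POLICY), ("mixed", MIXED_POLICY)):
        print(name, find_account_wide_trust(doc))
```

To apply this to Terraform, run it over the value of assume_role_policy after `terraform show -json` has resolved jsonencode or heredoc strings; the check is on the JSON document, not on HCL syntax.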

Examples

Buildtime

Terraform

resource "aws_iam_role" "fail" {
  name               = "test-role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : { "AWS" : "arn:aws:iam::123123123123:root" }, (1)
        "Effect" : "Allow",
        "Sid" : ""
      }
    ]
  })
}
1 Permissions are too broad: every IAM user and role in account 123123123123 that holds sts:AssumeRole can assume this role.

Mitigation / Fix

Buildtime

Terraform

resource "aws_iam_role" "pass" {
  name               = "test-role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : { "Service" : "ecs-tasks.amazonaws.com" }, (1)
        "Effect" : "Allow",
        "Sid" : ""
      }
    ]
  })
}
1 Only the specific service principal(s) that need the role are trusted; a specific role or user ARN would also pass.