Ensure AWS IAM policy does not allow assume role permission across all services

ID

iam_policy_allows_assume_from_account

Severity

critical

Vendor

AWS

Resource

IAM

Tags

asvs50-v8.2.1, reachable

Description

The Action element describes the specific action or actions that will be allowed or denied. Statements must include either an Action or NotAction element.

When a principal assumes a role, STS issues temporary security credentials for a bounded session. A trust policy whose principal is the account root ARN (or a bare account ID, which is equivalent) delegates the trust to the whole account: any IAM principal in that account that has sts:AssumeRole permission can assume the role. That is probably a misconfiguration, since standard security practice is to grant least privilege.

A narrower trust policy that names only the specific principals or services that need to assume the role should be used instead.

Examples

Buildtime

Terraform

resource "aws_iam_role" "fail" {
  name               = "test-role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : { "AWS" : "arn:aws:iam::123123123123:root" }, # (1)
        "Effect" : "Allow",
        "Sid" : ""
      }
    ]
  })
}
1 Permissions are too broad: the account root ARN trusts every principal in the account.

Mitigation / Fix

Buildtime

Terraform

resource "aws_iam_role" "pass" {
  name               = "test-role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : { "Service" : "ecs-tasks.amazonaws.com" }, # (1)
        "Effect" : "Allow",
        "Sid" : ""
      }
    ]
  })
}
1 A specific service principal is set.
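The check described above, written out as a small Python routine that evaluates a trust policy document offline. This is an added example, not the scanner's own implementation: it flags Allow statements that grant sts:AssumeRole to an account root ARN, a bare account ID or a wildcard principal, and it deliberately ignores Condition blocks (an assumption made to keep the rule simple). The two sample policies are constructed to mirror the fail and pass Terraform examples on this page.

```python
import json
from typing import Any, Dict, List, Union

# Actions that grant (or include) the ability to assume a role.
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars or lists for Statement, Action and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_account_wide_principal(principal: Any) -> bool:
    """True when the AWS principal trusts a whole account or everyone."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False  # Service / Federated principals are not account-wide
    for p in _as_list(principal.get("AWS")):
        # "arn:aws:iam::<id>:root" and a bare "<id>" both mean the whole account
        if p == "*" or p.endswith(":root") or p.isdigit():
            return True
    return False


def find_broad_assume_statements(policy: Union[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the statements that allow assume-role from an entire account."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if actions & ASSUME_ACTIONS and _is_account_wide_principal(stmt.get("Principal")):
            findings.append(stmt)
    return findings


def policy_passes(policy: Union[str, Dict[str, Any]]) -> bool:
    return not find_broad_assume_statements(policy)


# Constructed sample trust policies matching the page's fail and pass examples.
FAIL_POLICY = {"Version": "2012-10-17", "Statement": [{"Action": "sts:AssumeRole",
               "Principal": {"AWS": "arn:aws:iam::123123123123:root"}, "Effect": "Allow", "Sid": ""}]}
PASS_POLICY = {"Version": "2012-10-17", "Statement": [{"Action": "sts:AssumeRole",
               "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Effect": "Allow", "Sid": ""}]}
```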