Ensure IAM role allows only specific services or principals to be assumed

Error: IAM role does not allow only specific services or principals to be assumed

Bridgecrew Policy ID: BC_AWS_IAM_44
Checkov Check ID: CKV_AWS_60
Severity: HIGH

IAM role does not allow only specific services or principals to be assumed

Description

The IAM role is an identity with specific permissions. An IAM role is similar to an IAM user: it has an AWS identity with permission policies that determine what the identity can and cannot do in AWS. When a user assumes a role, it is provided with temporary security credentials for a bounded session.

The list of principals able to assume a role should be limited as much as possible, and should not include "*", meaning that any authenticated identity across all of AWS can assume the role.

We recommend that you define fine-grained roles for specific services or principles. For example, when setting up an AWS service role it is recommended to include only the permissions required for the service to access the AWS resources required. Alternatively, you can use a principal as an entity that can perform actions and access resources. The main benefit of the principal entity is to limit the use of wildcards in the policy document.

Fix - Runtime

AWS IAM Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console.
  3. Click Roles, and find the role to update.
  4. Click the Trust relationships tab.
  5. Click Show policy document or Edit trust relationship to view the policy document.
  6. After clicking Edit trust relationship, remove any "Allow" statements that have an AWS Principal including "*".
  7. Click Update Trust Policy.

Fix - Buildtime

Terraform

resource "aws_iam_role" "test_role" {
  name = "test_role"
	...
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": [
-         "*"
        ]
      },
      "Effect": "Allow",
      "Sid": ""
    }

CloudFormation

  • Resource: AWS::IAM::Role
  • Argument: Properties.AssumeRolePolicyDocument.Statement
Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              "AWS":
-               - "*"