Ensure AWS IAM policy does not allow assume role permission across all services

Error: AWS IAM policy does allow assume role permission across all services

Bridgecrew Policy ID: BC_AWS_IAM_45
Checkov Check ID: CKV_AWS_61
Severity: HIGH

AWS IAM policy does allow assume role permission across all services

Description

The IAM role is an identity with specific permissions. An IAM role is similar to an IAM user, it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. When a user assumes a role, it provides temporary security credentials for a bounded session.

We recommend that you define fine-grained roles for specific services or principles. For example, when settings up an AWS service role it is recommended to include only the permissions required for the service to access the AWS resources required. Alternatively, you can use a Principal as an entity in AWS that can perform actions and access resources. The main benefit of the Principal entity is to limit the use of wildcards in the policy document.

Fix - Buildtime

CloudFormation

  • Resource: AWS::IAM::Role
  • Argument: Properties.AssumeRolePolicyDocument.Statement
Resources:
  ExecutionRole:
      Type: AWS::IAM::Role
      Properties:
      	...
        AssumeRolePolicyDocument:
          ...
          Statement:
          - Effect: "Allow"
            Principal:
                AWS:
-                 - arn:aws:iam::123456789101:root
-									- 123456789101