Ensure AWS IAM policy does not allow assume role permission across all services
Error: AWS IAM policy does allow assume role permission across all services
Bridgecrew Policy ID: BC_AWS_IAM_45
Checkov Check ID: CKV_AWS_61
AWS IAM policy does allow assume role permission across all services
The IAM role is an identity with specific permissions. An IAM role is similar to an IAM user: it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. When a user assumes a role, the role provides temporary security credentials for a bounded session. Which identities may assume the role is governed by the role's trust policy (the AssumeRolePolicyDocument), and a wildcard Principal in that document lets any AWS principal assume it.
We recommend that you define fine-grained roles for specific services or principals. For example, when setting up an AWS service role, include only the permissions the service needs to access the AWS resources it requires. Alternatively, you can name a Principal, an entity in AWS that can perform actions and access resources, in the trust policy. Naming a specific Principal limits the use of wildcards in the policy document.
Fix - Buildtime
- Resource: AWS::IAM::Role
- Argument: Properties.AssumeRolePolicyDocument.Statement
    Resources:
      ExecutionRole:
        Type: AWS::IAM::Role
        Properties:
          ...
          AssumeRolePolicyDocument:
            ...
            Statement:
              - Effect: "Allow"
                Principal:
                  AWS:
                    - arn:aws:iam::123456789101:root
                    - 123456789101
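The check described above, as an added example that is not part of this page or of Checkov's own code: a simplified scan of a trust policy document for Allow statements that grant sts:AssumeRole to a wildcard Principal, run over a constructed weak policy and the fixed form shown in the Buildtime section (assumed to be given as parsed JSON; only the "AWS" principal key is inspected).

```python
"""Flag IAM role trust policies that let any AWS principal assume the role.

Simplified illustration of what CKV_AWS_61 reports; not Checkov's own code.
"""
import json

# Actions that grant the ability to assume a role (wildcards included).
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """Normalise a policy field that may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True when the Principal element matches every AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        # Assumption for this example: only the "AWS" key is checked;
        # "Service" and "Federated" principals are left out for brevity.
        return "*" in _as_list(principal.get("AWS"))
    return False


def open_assume_role_statements(trust_policy):
    """Return the Sid (or index label) of each Allow statement open to all."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect", "Deny") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


# Constructed sample trust policies; the account id is the one on this page.
WEAK_TRUST_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid":'
    ' "AnyoneCanAssume", "Effect": "Allow", "Principal": {"AWS": "*"},'
    ' "Action": "sts:AssumeRole"}]}')
FIXED_TRUST_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid":'
    ' "NamedPrincipals", "Effect": "Allow", "Principal": {"AWS":'
    ' ["arn:aws:iam::123456789101:root", "123456789101"]},'
    ' "Action": "sts:AssumeRole"}]}')

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("fixed", FIXED_TRUST_POLICY)):
        print(name, open_assume_role_statements(doc))
```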
Updated 4 months ago