Ensure IAM role allows only specific services or principals to be assumed
IAM role does not allow only specific services or principals to be assumed
Description
An IAM role is an identity within AWS that is associated with specific permissions, allowing it to perform actions on AWS resources. Similar to an IAM user, an IAM role has an AWS identity and is governed by permission policies that specify the allowed and denied actions. When a user assumes a role, they are granted temporary security credentials for a limited session, enabling them to act under the permissions defined by that role.
To minimize the attack surface and enforce least-privilege access, the set of principals authorized to assume a role should be restricted as much as possible. The use of "*" (wildcard) in the Principal field, which would allow any authenticated identity across AWS to assume the role, should be avoided.
It is recommended to define granular roles tailored for specific services or principals. For example, when creating an AWS service role, ensure it includes only the permissions required for that service to access necessary resources. Alternatively, specifying a particular principal as the entity allowed to perform actions or access resources can provide a more controlled and secure access model. This approach helps avoid the use of wildcards in policy documents, thereby improving the precision and security of your role-based access control.
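The check this policy performs, as an added example that is not part of the original page: a small Python scanner that walks a role's trust policy (the JSON document in the Terraform and CloudFormation fixes below) and reports every Allow statement whose AWS principal contains "*". It handles the shapes IAM accepts (a bare "Principal": "*", a single string, or a list), ignores Deny statements, and is run here against two constructed sample policies; the account id 123456789012, the role names and the Lambda service principal are placeholders, not values from the page.

```python
import json

# Constructed sample: the offending trust policy shown on the page, i.e. any
# authenticated AWS identity may call sts:AssumeRole on this role.
WILDCARD_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": { "AWS": [ "*" ] }
    }
  ]
}
""")

# Constructed sample of a remediated policy: one specific service principal and
# one specific IAM role (account id 123456789012 is a placeholder).
SCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowLambda", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "lambda.amazonaws.com"}},
        {"Sid": "AllowCiRole", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-deployer"}},
    ],
}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_values(principal):
    """Flatten a Principal element into (key, value) pairs.

    Shapes seen in trust policies:
      "Principal": "*"
      "Principal": {"AWS": "*"}
      "Principal": {"AWS": ["*", "arn:..."], "Service": "..."}
    A bare "*" is recorded under the pseudo-key "*".
    """
    if isinstance(principal, str):
        return [("*", principal)]
    pairs = []
    for key, val in (principal or {}).items():
        for v in _as_list(val):
            pairs.append((key, v))
    return pairs


def statement_has_wildcard_principal(statement):
    """True if an Allow statement lets any AWS identity assume the role.

    Only "Allow" statements matter; a Deny with "*" restricts rather than
    grants. "Principal": "*" and "Principal": {"AWS": "*"} are equivalent.
    """
    if statement.get("Effect") != "Allow":
        return False
    return any(val == "*" and key in ("*", "AWS")
               for key, val in _principal_values(statement.get("Principal")))


def find_wildcard_principals(policy):
    """Return (index, Sid) for every offending statement in a trust policy."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if statement_has_wildcard_principal(stmt):
            findings.append((idx, stmt.get("Sid", "")))
    return findings


if __name__ == "__main__":
    for name, pol in (("wildcard", WILDCARD_TRUST_POLICY),
                      ("scoped", SCOPED_TRUST_POLICY)):
        hits = find_wildcard_principals(pol)
        print(f"{name}: {'FAIL ' + str(hits) if hits else 'PASS'}")
```

The same function can be pointed at the output of `aws iam get-role` (the `Role.AssumeRolePolicyDocument` field) to audit existing roles before editing them in the console. Note that it deliberately does not inspect a statement's Condition block: a wildcard principal narrowed by a condition is still flagged, matching the policy text above, which asks for the wildcard to be removed rather than conditioned.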
Fix - Runtime
AWS IAM Console
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon IAM console.
- Click Roles, and find the role to update.
- Click the Trust relationships tab.
- Click Show policy document or Edit trust relationship to view the policy document.
- After clicking Edit trust relationship, remove any “Allow” statements that have an AWS Principal including “*”.
- Click Update Trust Policy.
Fix - Buildtime
Terraform
resource "aws_iam_role" "test_role" {
  name = "test_role"
  ...
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": [
-         "*"
        ]
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
CloudFormation
- Resource: AWS::IAM::Role
- Argument: Properties.AssumeRolePolicyDocument.Statement
Type: 'AWS::IAM::Role'
Properties:
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action: sts:AssumeRole
        Principal:
          "AWS":
-           - "*"