IAM role can be assumed by anyone in the account or anyone in any account
Affecting IAM service in AWS


0.0
high
    Severity Framework Snyk CCSS
    Rule category IAM / Access Control

    Frameworks
    AWS-Well-Architected CIS-Controls ISO-27001 NIST-800-53 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00009
  • credit Snyk Research Team

Description

Using a wildcard (*) in the Principal element of a role's trust policy, with no narrowing Condition, allows any IAM principal in any AWS account that holds sts:AssumeRole permission to assume the role. A principal of arn:aws:iam::123456789012:root, or the bare account ID 123456789012, delegates trust to the whole 123456789012 account: any user or role in that account that its administrators grant sts:AssumeRole on the role can assume it, so who may use the role is decided by that account's administrators rather than by the role's owner.

How to fix?

Set the Principal attribute to a specific principal, e.g. arn:aws:iam::123456789012:role/role-name, rather than a wildcard or an account root. Where the role must be assumed from another account, adding a Condition to the statement (for example on sts:ExternalId or aws:PrincipalOrgID) further restricts who can use it.
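The following is an added checker that applies the distinction described above (wildcard vs. account-level vs. specific principal) to trust policy documents; it is example code for this page, not Snyk's rule implementation. The three policy documents at the bottom are constructed inputs: the wildcard and account-root policies are the two shapes the rule flags, and the fixed policy mirrors the example configuration that follows. Only the top-level "*" and the "AWS" principal key are examined; a Condition block is reported but not evaluated.

```python
"""Flag IAM role trust policies whose AWS principal is a wildcard or an entire account.

Added example for this rule page, not Snyk's rule code. Sample policies are
constructed for illustration.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")
# Actions that grant sts:AssumeRole, directly or via a wildcard.
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def classify_aws_principal(value):
    """Return a finding label for one 'AWS' principal string, or None when it
    names a specific IAM principal such as a user or role ARN."""
    if value == "*":
        return "wildcard: any principal in any AWS account"
    m = ROOT_ARN_RE.match(value)
    if m:
        return "account-wide: any principal in account " + m.group(1)
    if ACCOUNT_ID_RE.match(value):
        return "account-wide: any principal in account " + value
    return None


def _as_list(x):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if x is None:
        return []
    return x if isinstance(x, list) else [x]


def trust_policy_findings(policy):
    """Return [(sid, principal, label, has_condition)] for every Allow statement
    that grants sts:AssumeRole to a wildcard or account-level AWS principal.

    Federated and Service principals are out of scope for this rule. A Condition
    is reported but not evaluated, because keys such as aws:PrincipalOrgID or
    sts:ExternalId can narrow an otherwise broad principal."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal")
        if principal == "*":                      # bare "Principal": "*"
            candidates = ["*"]
        elif isinstance(principal, dict):
            candidates = _as_list(principal.get("AWS"))
        else:
            candidates = []
        for value in candidates:
            label = classify_aws_principal(value)
            if label:
                findings.append((stmt.get("Sid", ""), value, label,
                                 bool(stmt.get("Condition"))))
    return findings


# Constructed sample policies (not from a real account).
WILDCARD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AnyoneAnywhere", "Effect": "Allow",
                 "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]
}"""

ACCOUNT_ROOT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WholeAccount", "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:root", "210987654321"]},
    }],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/my-role"},
    }],
}

if __name__ == "__main__":
    for name, doc in [("wildcard", WILDCARD_POLICY),
                      ("account-root", ACCOUNT_ROOT_POLICY),
                      ("fixed", FIXED_POLICY)]:
        print(name, trust_policy_findings(doc) or "no findings")
```

Running the script prints one finding for the wildcard policy, two for the account-root policy (one per listed account), and "no findings" for the fixed policy. The same function can be pointed at the output of `aws iam get-role` to sweep existing roles.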

Example Configuration

resource "aws_iam_role" "test_role" {
  name = "test_role"

  # Trust policy: only the named role in account 123456789012 may assume this role
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/my-role"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}