IAM role used for trust relationship does not have MFA or external IDs Affecting IAM service in AWS


Severity: medium (Snyk CCSS)
Rule category: IAM / Authentication

Frameworks: CIS-Controls, CSA-CCM, HIPAA, NIST-800-53, PCI-DSS, SOC-2
Snyk ID: SNYK-CC-00196
Credit: Snyk Research Team

Description

IAM roles that establish trust with other AWS accounts should use additional security measures such as MFA or external IDs. This can protect your account if the trusted account is compromised and can also prevent the confused deputy problem.

How to fix?

In the aws_iam_role resource, configure the assume_role_policy JSON document with an "aws:MultiFactorAuthPresent" condition that requires the caller to have authenticated with MFA, or an "sts:ExternalId" condition that requires the caller to present a matching external ID.

Note that the rule for Terraform assumes that any principal with an AWS account ID is an external account.

Example Configuration

resource "aws_iam_role" "example" {
  name = "example"
  # Trust policy: the external account may assume this role only when it
  # presents the agreed external ID, which addresses the confused deputy problem.
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {"AWS": "Example Corp's AWS Account ID"},
      "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
    }
  })
}
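The Terraform example above shows the external-ID form of the fix. The following added checker (written for this page, not Snyk's own rule code) applies the same logic to a rendered trust-policy document: it flags Allow sts:AssumeRole statements that grant an AWS-account principal without an MFA or external-ID condition, and it accepts either mitigation. The sample policies and account IDs are constructed placeholders.

```python
import json

# Condition keys the rule accepts as a mitigation; IAM matches keys case-insensitively.
MFA_KEY, EXTERNAL_ID_KEY = "aws:multifactorauthpresent", "sts:externalid"

def _as_list(value):
    """Most IAM policy fields may hold either a scalar or a list."""
    return value if isinstance(value, list) else [value]

def _has_mitigation(condition):
    """True if some condition requires an external ID or an MFA-authenticated session."""
    for operator, pairs in condition.items():
        for key, value in pairs.items():
            if key.lower() == EXTERNAL_ID_KEY:
                return True
            if (key.lower() == MFA_KEY and operator.lower().startswith("bool")
                    and any(str(v).lower() == "true" for v in _as_list(value))):
                return True
    return False

def find_unprotected_statements(policy_json):
    """Indices of Allow sts:AssumeRole statements granting an AWS-account principal
    (treated as external, as the Terraform rule does) without an MFA/ExternalId condition."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal", {})
        # Service and federated principals are outside this rule's scope; "*" is in scope.
        if principal != "*" and not (isinstance(principal, dict) and "AWS" in principal):
            continue
        if not _has_mitigation(stmt.get("Condition", {})):
            findings.append(idx)
    return findings

# Constructed sample trust policies; the account IDs are placeholders, not real accounts.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "222222222222"},
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})

if __name__ == "__main__":
    print("weak:", find_unprotected_statements(WEAK_POLICY))    # [0]
    print("fixed:", find_unprotected_statements(FIXED_POLICY))  # []
```

Feed it the rendered JSON of an assume_role_policy (for example from `terraform show -json` or the IAM API) to check existing roles against the same criteria the rule describes.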