IAM role can be assumed by anyone in the account or anyone in any account
Affecting the IAM service in AWS


Severity: high
Severity Framework: Snyk CCSS
Rule category: IAM / Access Control

Frameworks
  • AWS-Well-Architected
  • CIS-Controls
  • ISO-27001
  • NIST-800-53
  • PCI-DSS
  • SOC-2
Snyk ID: SNYK-CC-00009
Credit: Snyk Research Team

Description

Using a wildcard (*) in the Principal element of a trust policy allows anyone in any AWS account to assume the role. A principal ARN of arn:aws:iam::123456789012:root, or the bare account ID 123456789012, allows anyone in the 123456789012 account to assume the role.

How to fix?

Set the Principal attribute to a specific principal, e.g. arn:aws:iam::123456789012:role/role-name.

Example configuration:

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/my-role"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
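As an added example (not part of the Snyk rule page or Snyk's own scanner), the check below parses a trust policy document and flags the two principal forms the description warns about: the wildcard, and an account-wide principal (bare account ID or :root ARN). The sample policies, statement Sid and finding messages are constructed here; only the account ID and role ARN come from the page.

```python
"""Flag IAM role trust policies whose AWS Principal is a wildcard or a whole account."""
import json
import re

# Account-wide principal: bare 12-digit account id, or the account's root ARN (any partition).
ACCOUNT_WIDE = re.compile(r"^(\d{12}|arn:aws(-[a-z-]+)?:iam::\d{12}:root)$")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _allows_assume_role(statement):
    """True for Allow statements that grant sts:AssumeRole (directly or via a wildcard action)."""
    actions = [a.lower() for a in _as_list(statement.get("Action"))]
    return statement.get("Effect") == "Allow" and any(
        a in ("sts:assumerole", "sts:*", "*") for a in actions
    )


def check_trust_policy(policy_json):
    """Return one finding per over-permissive AWS principal in a trust policy document."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if not _allows_assume_role(stmt):
            continue
        principal = stmt.get("Principal", {})
        # Principal is either the bare string "*" or a map keyed by principal type ("AWS", "Service", ...).
        aws_principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))
        sid = stmt.get("Sid") or "<no Sid>"
        for p in aws_principals:
            if p == "*":
                findings.append(f"{sid}: wildcard principal, role assumable from any account")
            elif ACCOUNT_WIDE.match(p):
                findings.append(f"{sid}: account-wide principal {p}, role assumable by anyone in that account")
    return findings


# Constructed samples: the misconfiguration next to the role-scoped principal the rule recommends.
_STATEMENT = {"Action": "sts:AssumeRole", "Effect": "Allow", "Sid": "AllowAssume"}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{**_STATEMENT, "Principal": {"AWS": "*"}}]})
ROOT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{**_STATEMENT, "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{**_STATEMENT, "Principal": {"AWS": "arn:aws:iam::123456789012:role/my-role"}}]})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("root", ROOT_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check_trust_policy(doc) or ["no findings"])
```

Statements that do not grant sts:AssumeRole (for example Deny statements) are skipped, and a Principal with only a Service key produces no finding.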