CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
IAM roles that establish trust with other AWS accounts should use additional security measures such as MFA or external IDs. This can protect your account if the trusted account is compromised and can also prevent the confused deputy problem.
In the aws_iam_role, configure an assume_role_policy JSON policy block with an "aws:MultiFactorAuthPresent" condition that validates whether MFA is used, or an "sts:ExternalId" condition that requires an external ID.
Note that the rule for Terraform assumes that any principal with an AWS account ID is an external account.
Example configuration:
resource "aws_iam_role" "example" {
  name = "example"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {"AWS": "Example Corp's AWS Account ID"},
      "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
    }
  })
}
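As an added example (not from the original page or the scanner's own implementation), here is a Python check that applies this rule to a rendered assume-role policy document: it flags Allow sts:AssumeRole statements whose principal is an AWS account ID or account ARN and that carry neither an sts:ExternalId nor a true aws:MultiFactorAuthPresent condition. The account ID in the constructed sample is a placeholder.

```python
import json
import re

# IAM condition key names match case-insensitively, so compare lower-cased.
MFA_KEY = "aws:multifactorauthpresent"
EXTERNAL_ID_KEY = "sts:externalid"

# A bare 12-digit account ID, or an ARN carrying one (...:iam::123456789012:root
# or :role/name), counts as an external account, as the rule above assumes.
ACCOUNT_PRINCIPAL = re.compile(r"^(\d{12}|arn:[^:]+:iam::\d{12}:.+)$")


def _as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _has_mitigation(condition):
    """True if any condition operator sets sts:ExternalId or requires MFA."""
    for operator_block in (condition or {}).values():
        for key, value in operator_block.items():
            if key.lower() == EXTERNAL_ID_KEY:
                return True
            if key.lower() == MFA_KEY and str(value).lower() == "true":
                return True
    return False


def unprotected_cross_account_statements(policy_json):
    """Return the indexes of Allow sts:AssumeRole statements that trust an
    AWS account principal without an MFA or external-ID condition."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        accounts = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if any(ACCOUNT_PRINCIPAL.match(str(p)) for p in accounts) and not _has_mitigation(stmt.get("Condition")):
            findings.append(idx)
    return findings


# Constructed sample (placeholder account ID): a weak trust policy beside
# the two accepted fixes, an external ID or an MFA requirement.
STATEMENT = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}
WEAK = json.dumps({"Version": "2012-10-17", "Statement": STATEMENT})
WITH_EXTERNAL_ID = json.dumps({"Version": "2012-10-17", "Statement": dict(
    STATEMENT, Condition={"StringEquals": {"sts:ExternalId": "12345"}})})
WITH_MFA = json.dumps({"Version": "2012-10-17", "Statement": dict(
    STATEMENT, Condition={"Bool": {"aws:MultiFactorAuthPresent": "true"}})})
```

Running the check over WEAK reports statement 0, while WITH_EXTERNAL_ID and WITH_MFA report nothing; a service principal (for example ec2.amazonaws.com) is not treated as an external account.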