Snyk ID: SNYK-CC-00196
Credit: Snyk Research Team
Description
IAM roles that establish trust with other AWS accounts should use additional security measures such as MFA or external IDs. This can protect your account if the trusted account is compromised and can also prevent the confused deputy problem.
How to fix?
In the aws_iam_role resource, configure the assume_role_policy JSON policy block with either an "aws:MultiFactorAuthPresent" condition that verifies MFA was used, or an "sts:ExternalId" condition that requires the caller to supply the agreed external ID. (IAM condition keys are matched case-insensitively, so the lowercase forms "aws:multifactorauthpresent" and "sts:externalid" are equivalent.)
Note that the rule for Terraform assumes that any principal with an AWS account ID is an external account.
Example Configuration
    resource "aws_iam_role" "example" {
      name = "example"
      assume_role_policy = jsonencode({
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Principal": {"AWS": "Example Corp's AWS Account ID"},
          "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
        }
      })
    }
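The rule's logic, as an added Python checker that is not part of the Snyk page or its scanner: it walks a trust policy document, treats every AWS principal as an external account (the same assumption the Terraform rule makes), and reports principals allowed to assume the role without an MFA or external-ID condition. The sample policies and the account ID 111122223333 are constructed placeholders.

```python
import json

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Principal.AWS."""
    return value if isinstance(value, list) else [value]

def _has_mfa_or_external_id(condition):
    """True if the Condition block pins an external ID or requires MFA to be present.
    Condition keys are compared case-insensitively, as IAM does."""
    for _operator, key_values in (condition or {}).items():
        for key, value in key_values.items():
            key = key.lower()
            if key == "sts:externalid":
                return True
            if key == "aws:multifactorauthpresent":
                # Only an explicit "true" requirement protects; "false" does not.
                if "true" in {str(v).lower() for v in _as_list(value)}:
                    return True
    return False

def find_unprotected_trusts(policy_json):
    """Return the AWS principals that may call sts:AssumeRole with no MFA/ExternalId condition."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue  # service and federated principals are outside this rule's scope
        if _has_mfa_or_external_id(stmt.get("Condition")):
            continue
        findings.extend(_as_list(principal["AWS"]))
    return findings

# Constructed sample trust policies (111122223333 is a placeholder account ID).
UNPROTECTED = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}})
WITH_EXTERNAL_ID = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}}]})
WITH_MFA = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],
    "Principal": {"AWS": ["111122223333"]},
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})

if __name__ == "__main__":
    for name, doc in [("unprotected", UNPROTECTED), ("external-id", WITH_EXTERNAL_ID), ("mfa", WITH_MFA)]:
        print(name, "->", find_unprotected_trusts(doc) or "ok")
```

Run it against the decoded `assume_role_policy` of each role in a plan to get the same finding the rule reports; a non-empty list means the role trusts an account without either safeguard.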