Check for Untrusted Cross-Account IAM Roles

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Identity and Access Management (IAM), choose Roles.

04 Click on the name (link) of the IAM role that you want to examine.

05 On the Summary page, select the Trust relationships tab and identify the AWS account ID(s) configured for cross-account access, available in the Trusted entities list.

06 Sign in to your Cloud Conformity account, access Check for Untrusted Cross-Account IAM Roles conformity rule settings and compare the ID(s) found at the previous step against each account ID defined in the rule configuration section. If the account ID(s) do not match any of the trusted account identifiers listed on your Cloud Conformity management console, the selected Amazon IAM role can be assumed by untrusted AWS entities, therefore the cross-account access is not secured.

07 Repeat steps no. 4 – 6 to determine if other AWS IAM roles, available in your AWS account, are configured to allow unknown cross-account access.

01 Run list-roles command (OSX/Linux/UNIX) to list the names of all IAM roles available within your AWS account:

aws iam list-roles
	--output table
	--query 'Roles[*].RoleName'

02 The command output should return information about the requested identifiers:

----------------------------------
|            ListRoles           |
+--------------------------------+
|  cc-external-mgmt-role         |
|  cc-lambda-admin-role          |
|  ...                           |
|  cc-ec2-admin-role             |
|  cc-prod-manager-role          |
+--------------------------------+

03 Run get-role command (OSX/Linux/UNIX) using the name of the IAM role that you want to examine as identifier parameter, to describe the policy that grants another entity the permission to assume the selected role:

aws iam get-role
	--role-name cc-external-mgmt-role
	--query 'Role.AssumeRolePolicyDocument'

04 The command output should return the trust policy defined for the selected IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "ideo5"
                }
            },
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            }
        }
    ]
}

05 Sign in to your Cloud Conformity account, access Check for Untrusted Cross-Account IAM Roles conformity rule settings and compare the ID returned at the previous step against each account ID listed in the rule configuration section. If the AWS account ID does not match any of the trusted account identifiers listed on your Cloud Conformity management console, the selected Amazon IAM role can be assumed by untrusted AWS accounts, therefore the cross-account access is not authorized.

06 Repeat steps no. 3 – 5 to determine if other AWS IAM roles, available within your AWS account, are configured to allow untrusted cross-account access.

01 Sign in to your Cloud Conformity account, access Check for Untrusted Cross-Account IAM Roles conformity rule settings and copy the ID of the AWS account authorized to assume and use your IAM role(s).

02 Sign in to the AWS Management Console.

03 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

04 In the left navigation panel, under Identity and Access Management (IAM), choose Roles.

05 Click on the name (link) of the cross-account IAM role that you want to reconfigure (see Audit section part I to identify the right resource).

06 On the Summary page, select the Trust relationships tab and click Edit trust relationship button to update the trust policy defined for the selected role.

07 On the Edit Trust Relationship page, in the Policy Document section, replace the 12-digit account number included within the ARN (e.g. "arn:aws:iam::123456789012:root") set as value for the "Principal" element, with the trusted AWS account ID copied at step no. 1. If required, repeat this step for other entities that are authorized to assume the role.

08 Click Update Trust Policy to save the changes and update the required policy for the selected IAM role.

09 Repeat steps no. 5 – 8 to update the trust relationship policy for other AWS IAM roles that are configured to grant unknown cross-account access.

01 Sign in to your Cloud Conformity account, access Check for Untrusted Cross-Account IAM Roles conformity rule settings and copy the ID of the AWS account authorized to assume and use your IAM role(s).

02 Redefine the trust relationship policy for the IAM role that you want to reconfigure (see Audit section part II to identify the right role), to authorize only trusted AWS accounts to assume the selected role. Replace the 12-digit account number included in the ARN (e.g. "arn:aws:iam::123456789012:root") set as value for the "Principal" element, with the trusted AWS account ID copied at step no. 1 and save the policy to a JSON file named trusted-cross-account-access.json, e.g.:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "ideo5"
                }
            },
            "Principal": {
                "AWS": "arn:aws:iam::123412341234:root"
            }
        }
    ]
}

03 Run update-assume-role-policy command (OSX/Linux/UNIX) to replace the trust policy available for the selected Amazon IAM role with the one defined at the previous step, i.e. trusted-cross-account-access.json, (the command does not produce an output):

aws iam update-assume-role-policy
	--role-name cc-external-mgmt-role
	--policy-document file://trusted-cross-account-access.json

04 Repeat steps no. 1 – 3 to update the trust relationship policy for other AWS IAM roles that are configured to allow untrusted cross-account access.