Check for Untrusted Cross-Account IAM Roles

Risk level: Medium (should be achieved)

Rule ID: IAM-057

Ensure that your Amazon Identity and Access Management (IAM) roles are configured to be used only by trusted (friendly) AWS accounts in order to protect against unauthorized cross-account access. Prior to running this rule by the Cloud Conformity engine, the list with the friendly AWS accounts identifiers (e.g. 123456789012) must be configured within the rule settings, on the Cloud Conformity account dashboard.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Allowing unknown cross-account access to your IAM roles will enable foreign accounts to assume these roles and gain control over your AWS services and resources. To prevent unauthorized cross-account access, allow only trusted entities to assume your Amazon IAM roles by implementing the appropriate policies.

Audit

To determine if there are any IAM roles configured to allow unknown cross-account access, available in your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Identity and Access Management (IAM), choose Roles.

04 Click on the name (link) of the IAM role that you want to examine.

05 On the Summary page, select the Trust relationships tab and identify the AWS account ID(s) configured for cross-account access, available in the Trusted entities list.

06 Sign in to your Cloud Conformity account, access Check for Untrusted Cross-Account IAM Roles conformity rule settings and compare the ID(s) found at the previous step against each account ID defined in the rule configuration section. If the account ID(s) do not match any of the trusted account identifiers listed on your Cloud Conformity management console, the selected Amazon IAM role can be assumed by untrusted AWS entities, therefore the cross-account access is not secured.

07 Repeat steps no. 4 – 6 to determine if other AWS IAM roles, available in your AWS account, are configured to allow unknown cross-account access.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) to list the names of all IAM roles available within your AWS account:

aws iam list-roles
	--output table
	--query 'Roles[*].RoleName'

02 The command output should return information about the requested identifiers:

----------------------------------
|            ListRoles           |
+--------------------------------+
|  cc-external-mgmt-role         |
|  cc-lambda-admin-role          |
|  ...                           |
|  cc-ec2-admin-role             |
|  cc-prod-manager-role          |
+--------------------------------+

03 Run get-role command (OSX/Linux/UNIX) using the name of the IAM role that you want to examine as identifier parameter, to describe the policy that grants another entity the permission to assume the selected role:

aws iam get-role
	--role-name cc-external-mgmt-role
	--query 'Role.AssumeRolePolicyDocument'

04 The command output should return the trust policy defined for the selected IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "ideo5"
                }
            },
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            }
        }
    ]
}

Identify the AWS account ID configured for cross-account access, included within the ARN available as value for the "Principal" element (highlighted).

05 Sign in to your Cloud Conformity account, access Check for Untrusted Cross-Account IAM Roles conformity rule settings and compare the ID returned at the previous step against each account ID listed in the rule configuration section. If the AWS account ID does not match any of the trusted account identifiers listed on your Cloud Conformity management console, the selected Amazon IAM role can be assumed by untrusted AWS accounts, therefore the cross-account access is not authorized.

06 Repeat steps no. 3 – 5 to determine if other AWS IAM roles, available within your AWS account, are configured to allow untrusted cross-account access.

Remediation / Resolution

To update your IAM roles trust policy in order authorize only trusted (friendly) AWS accounts to assume these roles, regardless of MFA/external ID support, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity account, access Check for Untrusted Cross-Account IAM Roles conformity rule settings and copy the ID of the AWS account authorized to assume and use your IAM role(s).

02 Sign in to the AWS Management Console.

03 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

04 In the left navigation panel, under Identity and Access Management (IAM), choose Roles.

05 Click on the name (link) of the cross-account IAM role that you want to reconfigure (see Audit section part I to identify the right resource).

06 On the Summary page, select the Trust relationships tab and click Edit trust relationship button to update the trust policy defined for the selected role.

07 On the Edit Trust Relationship page, in the Policy Document section, replace the 12-digit account number included within the ARN (e.g. "arn:aws:iam::123456789012:root") set as value for the "Principal" element, with the trusted AWS account ID copied at step no. 1. If required, repeat this step for other entities that are authorized to assume the role.

08 Click Update Trust Policy to save the changes and update the required policy for the selected IAM role.

09 Repeat steps no. 5 – 8 to update the trust relationship policy for other AWS IAM roles that are configured to grant unknown cross-account access.

Using AWS CLI

02 Redefine the trust relationship policy for the IAM role that you want to reconfigure (see Audit section part II to identify the right role), to authorize only trusted AWS accounts to assume the selected role. Replace the 12-digit account number included in the ARN (e.g. "arn:aws:iam::123456789012:root") set as value for the "Principal" element, with the trusted AWS account ID copied at step no. 1 and save the policy to a JSON file named trusted-cross-account-access.json, e.g.:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "ideo5"
                }
            },
            "Principal": {
                "AWS": "arn:aws:iam::123412341234:root"
            }
        }
    ]
}

03 Run update-assume-role-policy command (OSX/Linux/UNIX) to replace the trust policy available for the selected Amazon IAM role with the one defined at the previous step, i.e. trusted-cross-account-access.json, (the command does not produce an output):

aws iam update-assume-role-policy
	--role-name cc-external-mgmt-role
	--policy-document file://trusted-cross-account-access.json

04 Repeat steps no. 1 – 3 to update the trust relationship policy for other AWS IAM roles that are configured to allow untrusted cross-account access.

References

AWS Documentation
Identities (Users, Groups, and Roles)
IAM Roles
Modifying a Role
Editing the Trust Relationship for an Existing Role

AWS Command Line Interface (CLI) Documentation
iam
list-roles
get-role
update-assume-role-policy

Publication date Oct 21, 2019

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Check for Untrusted Cross-Account IAM Roles

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related IAM rules