Cross-Account IAM Assume Role Policy Without ExternalId or MFA

  • Query id: af167837-9636-4086-b815-c239186b9dda
  • Query name: Cross-Account IAM Assume Role Policy Without ExternalId or MFA
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create a role with description and tags
  community.aws.iam_role:
    name: mynewrole
    assume_role_policy_document: >
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "AWS": "arn:aws:iam::987654321145:root"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
          }
        ]
      }
    description: This is My New Role
    tags:
      env: dev
Positive test num. 2 - yaml file
- name: Create a role with description and tags2
  community.aws.iam_role:
    name: mynewrole2
    assume_role_policy_document: >
      {
        "Version": "2012-10-17",
        "Statement": {
          "Action": "sts:AssumeRole",
          "Principal": {
              "AWS": "arn:aws:iam::987654321145:root"
          },
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "",
          "Condition": {
            "Bool": {
                "aws:MultiFactorAuthPresent": "false"
            }
          }
        }
      }
    description: This is My New Role
    tags:
      env: dev
Positive test num. 3 - yaml file
- name: Create a role with description and tags3
  community.aws.iam_role:
    name: mynewrole3
    assume_role_policy_document: >
      {
        "Version": "2012-10-17",
        "Statement": {
            "Action": "sts:AssumeRole",
            "Principal": {
              "AWS": "arn:aws:iam::987654321145:root"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "",
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": ""
              }
            }
        }
      }
    description: This is My New Role
    tags:
      env: dev

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create a role with description and tags4
  community.aws.iam_role:
    name: mynewrole4
    assume_role_policy_document: >
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "AWS": "arn:aws:iam::987654321145:root"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "",
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": "98765"
              }
            }
          }
        ]
      }
    description: This is My New Role
    tags:
      env: dev
Negative test num. 2 - yaml file
- name: Create a role with description and tags5
  community.aws.iam_role:
    name: mynewrole5
    assume_role_policy_document: >
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "AWS": "arn:aws:iam::987654321145:root"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "",
            "Condition": {
              "Bool": {
                "aws:MultiFactorAuthPresent": "true"
              }
            }
          }
        ]
      }
    description: This is My New Role
    tags:
      env: dev