Cross-Account IAM Assume Role Policy Without ExternalId or MFA
- Query id: af167837-9636-4086-b815-c239186b9dda
- Query name: Cross-Account IAM Assume Role Policy Without ExternalId or MFA
- Platform: Ansible
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: Create a role with description and tags
community.aws.iam_role:
name: mynewrole
assume_role_policy_document: >
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": ""
}
]
}
description: This is My New Role
tags:
env: dev
Positive test num. 2 - yaml file
- name: Create a role with description and tags2
community.aws.iam_role:
name: mynewrole2
assume_role_policy_document: >
{
"Version": "2012-10-17",
"Statement": {
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
}
description: This is My New Role
tags:
env: dev
Positive test num. 3 - yaml file
- name: Create a role with description and tags3
community.aws.iam_role:
name: mynewrole3
assume_role_policy_document: >
{
"Version": "2012-10-17",
"Statement": {
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"StringEquals": {
"sts:ExternalId": ""
}
}
}
}
description: This is My New Role
tags:
env: dev
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: Create a role with description and tags4
community.aws.iam_role:
name: mynewrole4
assume_role_policy_document: >
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"StringEquals": {
"sts:ExternalId": "98765"
}
}
}
]
}
description: This is My New Role
tags:
env: dev
Negative test num. 2 - yaml file
- name: Create a role with description and tags5
community.aws.iam_role:
name: mynewrole5
assume_role_policy_document: >
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
description: This is My New Role
tags:
env: dev