Cross-Account IAM Assume Role Policy Without ExternalId or MFA

  • Query id: 85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7
  • Query name: Cross-Account IAM Assume Role Policy Without ExternalId or MFA
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument: >
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Principal": {
                "AWS": "arn:aws:iam::987654321145:root"
              },
              "Effect": "Allow",
              "Resource": "*",
              "Sid": ""
            }
          ]
        }
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Principal": {
                "AWS": "arn:aws:iam::987654321145:root"
              },
              "Effect": "Allow",
              "Resource": "*",
              "Sid": ""
            }
          ]
        },
        "Path": "/"
      }
    }
  }
}
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument: >
        {
          "Version": "2012-10-17",
          "Statement": {
                "Action": "sts:AssumeRole",
                "Principal": {
                  "AWS": "arn:aws:iam::987654321145:root"
                },
                "Effect": "Allow",
                "Resource": "*",
                "Sid": "",
                "Condition": { 
                  "Bool": { 
                      "aws:MultiFactorAuthPresent": "false" 
                    }
                }
          }
        }

Positive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": {
            "Action": "sts:AssumeRole",
            "Principal": {
              "AWS": "arn:aws:iam::987654321145:root"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "",
            "Condition": { 
              "Bool": { 
                  "aws:MultiFactorAuthPresent": "false" 
                }
            }
          }
        },
        "Path": "/"
      }
    }
  }
}
Positive test num. 5 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument: >
        {
          "Version": "2012-10-17",
          "Statement": {
              "Action": "sts:AssumeRole",
              "Principal": {
                "AWS": "arn:aws:iam::987654321145:root"
              },
              "Effect": "Allow",
              "Resource": "*",
              "Sid": "",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": ""
                }
              }
          }
        }
Positive test num. 6 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": {
            "Action": "sts:AssumeRole",
            "Principal": {
              "AWS": "arn:aws:iam::987654321145:root"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "",
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": ""
              }
            }
          }
        },
        "Path": "/"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument: >
        {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Principal": {
                  "AWS": "arn:aws:iam::987654321145:root"
                },
                "Effect": "Allow",
                "Resource": "*",
                "Sid": "",
                "Condition": {
                  "StringEquals": {
                    "sts:ExternalId": "98765"
                  }
                }
              }
            ]
        }
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Principal": {
                "AWS": "arn:aws:iam::987654321145:root"
              },
              "Effect": "Allow",
              "Resource": "*",
              "Sid": "",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": "98765"
                }
              }
            }
          ]
        },
        "Path": "/"
      }
    }
  }
}
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument: >
        {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Principal": {
                  "AWS": "arn:aws:iam::987654321145:root"
                },
                "Effect": "Allow",
                "Resource": "*",
                "Sid": "",
                "Condition": { 
                  "Bool": { 
                      "aws:MultiFactorAuthPresent": "true" 
                    }
                }
              }
            ]
        }

Negative test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Principal": {
                "AWS": "arn:aws:iam::987654321145:root"
              },
              "Effect": "Allow",
              "Resource": "*",
              "Sid": "",
              "Condition": { 
                "Bool": { 
                    "aws:MultiFactorAuthPresent": "true" 
                  }
              }
            }
          ]
        },
        "Path": "/"
      }
    }
  }
}