Cross-Account IAM Assume Role Policy Without ExternalId or MFA
- Query id: 85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7
- Query name: Cross-Account IAM Assume Role Policy Without ExternalId or MFA
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
RootRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument: >
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": ""
}
]
}
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": ""
}
]
},
"Path": "/"
}
}
}
}
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
RootRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument: >
{
"Version": "2012-10-17",
"Statement": {
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
}
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": {
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
},
"Path": "/"
}
}
}
}
Positive test num. 5 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
RootRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument: >
{
"Version": "2012-10-17",
"Statement": {
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"StringEquals": {
"sts:ExternalId": ""
}
}
}
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": {
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"StringEquals": {
"sts:ExternalId": ""
}
}
}
},
"Path": "/"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
RootRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument: >
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"StringEquals": {
"sts:ExternalId": "98765"
}
}
}
]
}
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"StringEquals": {
"sts:ExternalId": "98765"
}
}
}
]
},
"Path": "/"
}
}
}
}
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
RootRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument: >
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": "",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
},
"Path": "/"
}
}
}
}