CloudFormation Stack With IAM Role

Risk Level: High (not acceptable risk)

Rule ID: CFM-006

Ensure that the IAM service role associated with your Amazon CloudFormation stack grants least privilege access in order avoid unwanted privilege escalation as users with privileges within the CloudFormation scope implicitly inherit the stack role's permissions. When an IAM service role is associated with a stack, Amazon CloudFormation uses this role for all operations that are performed on that stack, therefore you need to make sure that the IAM role adhere to the Principle of Least Privilege (POLP) by giving it the minimal set of actions required to perform its tasks.

This rule can help you with the following compliance standards:

APRA
MAS
NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity solution.

Security

Providing the right permissions for the IAM service role associated with your Amazon CloudFormation stack will significantly reduce the risk of unauthorized access to the cloud resources running within the stack.

Audit

To determine if your CloudFormation stacks have IAM service roles that grant least privilege, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFormation console at https://console.aws.amazon.com/cloudformation.

03 Click on the name (link) of the CloudFormation stack that you want to examine.

04 Select the Stack info tab to access the configuration information available for the selected stack.

05 In the Overview section, check the IAM role attribute value to determine if the CloudFormation stack is using IAM roles. If the IAM role configuration attribute does not have a value, there is no IAM role configured for the selected stack, therefore the Audit process ends here. If the IAM role attribute has a value, note the identifier of associated role, and continue the Audit process with the next step.

06 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

07 In the navigation panel, under Access management, choose Roles.

08 Find the IAM role associated with your CloudFormation stack and click on its name (link).

09 Select the Permissions tab to access the identity-based policies attached to the selected IAM role.

10 In the Permissions policies section, click on the Expand button (plus icon) available next to each attached policy and check each policy document defined for the IAM role. If one or more policies contain overly permissive elements such as "Effect": "Allow", "Action": "*", "Resource": "*", the IAM service role associated with your Amazon CloudFormation stack is not using the Principle of Least Privilege (POLP) to define permissions and this can lead to unwanted privilege escalation.

11 Repeat step no. 3 – 10 for each Amazon CloudFormation stack available within the current AWS region.

12 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-stacks command (OSX/Linux/UNIX) to list the name of each active Amazon CloudFormation stack available in the selected AWS region:

aws cloudformation list-stacks
  --region us-east-1
  --stack-status-filter CREATE_COMPLETE
  --output table
  --query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested stack name(s):

-----------------------------
|         ListStacks        |
+---------------------------+
| cc-production-web-stack   |
| cc-project5-test-stack    |
+---------------------------+

03 Run describe-stackscommand (OSX/Linux/UNIX) using custom query filters to describe the ARN of the IAM service role associated with the selected Amazon CloudFormation stack:

aws cloudformation describe-stacks
  --region us-east-1
  --stack-name cc-production-web-stack
  --query 'Stacks[*].RoleARN'

04 The command output should return the requested Amazon Resource Name (ARN). If the describe-stacks command output returns an empty array (i.e. []), there is no IAM role configured for the selected stack, therefore the Audit process ends here. If the command output returns the ARN of the associated IAM role, continue the Audit process with the next step:

[
	"arn:aws:iam::123456789012:role/cc-stack-admin-role"
]

05 To examine the access permissions defined for the associated IAM role, perform one of the following set of commands:

For managed IAM policies:

Run list-attached-role-policies command (OSX/Linux/UNIX) using the name of the IAM service role as the identifier parameter (extracted from the resource ARN) to list the managed policies attached to the selected role:
```
aws iam list-attached-role-policies
  --role-name cc-stack-admin-role
```

The command output should return the IAM policies metadata:

{
	"AttachedPolicies": [
		{
		   "PolicyName": "AdministratorAccess",
		   "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
		}
	]
}

Run get-policycommand (OSX/Linux/UNIX) using the ARN of the managed policy returned at the previous step as the identifier parameter to list the policy metadata:
```
aws iam get-policy
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```

The command output should return the requested configuration metadata:

{
	"Policy": {
		"PolicyName": "AdministratorAccess",
		"Description": "Provides full access to AWS services and resources.",
		"CreateDate": "2015-02-06T18:39:46Z",
		"AttachmentCount": 2,
		"IsAttachable": true,
		"PolicyId": "AAAABBBBCCCCDDDDEEEE",
		"DefaultVersionId": "v1",
		"Path": "/",
		"Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
		"UpdateDate": "2015-02-06T18:39:46Z"
	}
}

For inline IAM policies:
- Run list-role-policies command (OSX/Linux/UNIX) using the name of the IAM service role as the identifier parameter, to list the inline policies defined to the selected role:
```
aws iam list-role-policies
  --role-name cc-stack-admin-role
```
- The command output should return the inline IAM policies metadata:
```
{
	"PolicyNames": [
		"cc-cfn-admin-policy"
	]
}
```
- Run get-role-policy command (OSX/Linux/UNIX) using the name of the inline policy returned at the previous step as the identifier parameter to list the policy document:
```
aws iam get-role-policy
  --role-name cc-stack-admin-role
  --policy-name cc-cfn-admin-policy
  --query 'PolicyDocument'
```
- The command output should return the requested policy document in JSON format:
```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"cloudformation:*"
			],
			"Resource": "*"
		}
	]
}
```

06 Check each policy document defined for the IAM role. If one or more policies contain overly permissive elements such as "Effect": "Allow", "Action": "*", "Resource": "*", the IAM service role associated with your Amazon CloudFormation stack is not using the Principle of Least Privilege (POLP) to define permissions and this can lead to unwanted privilege escalation.

07 Repeat steps no. 3 – 6 for each Amazon CloudFormation stack available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To update the permissions of the IAM service role associated with Amazon CloudFormation stack in order to adhere to the Principle of Least Privilege (POLP), perform the following actions:To enable the Termination Protection feature for your Amazon CloudFormation stacks, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Roles.

04 Click on the name (link) of the IAM service role associated with your CloudFormation stack.

05 Select the Permissions tab to access the identity-based policies attached to the selected role.

06 In the Permissions policies section, perform the following actions based on the policy type:

For managed IAM policies (AWS-managed and customer-managed policies):
- Choose Remove to detach the overly permissive policy from the selected IAM role.
- Inside the Remove confirmation box, choose Delete to confirm the action.
- Choose Add permissions and select Attach policies to attach new managed IAM policies to the selected role. Select one or more IAM policies from the provided list based on your role access requirements. Follow the Principle of Least Privilege (the security concept of providing every identity the minimal set of permissions required to perform successfully its tasks) when selecting the managed policies to attach to your IAM role. Choose Attach policies to confirm your action.
For inline IAM policies:
- Choose the overly permissive inline policy embedded within the selected IAM role, click on the Expand button (plus icon), and select Edit.
- Select the JSON tab and customize the policy document according to your IAM role access requirements. Follow the Principle of Least Privilege (POLP) when editing the inline policy associated with to your IAM role.
- Choose Review policy to review the inline policy before you save your changes.
- Choose Save changes to apply the permission changes.

07 Repeat steps no. 4 – 6 for each associated IAM role that you want to reconfigure, available in your AWS cloud account.

Using AWS CLI

01 Define new permissions for the associated IAM service role by following the Principle of Least Privilege, and save the policy document to a JSON file named cc-iam-role-policy.json.

02 Depending on whether you need to update a managed IAM policy or an inline IAM policy, execute one of the following sets of commands:

If the policy attached to your IAM role is a managed policy, run create-policy-version command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. cc-iam-role-policy.json) to create a new and compliant version of the attached managed policy. The following command request example creates a new version of an IAM managed policy identified by the ARN "arn:aws:iam::123456789012:policy/cc-cnf-managed-policy" and makes it the default version:
```
aws iam create-policy-version
  --policy-arn arn:aws:iam::123456789012:policy/cc-cfn-managed-policy
  --policy-document file://cc-iam-role-policy.json
  --set-as-default
```

The command output should return the metadata of the new managed policy version:

{
	"PolicyVersion": {
		"CreateDate": "2020-12-18T10:00:00Z",
		"VersionId": "v2",
		"IsDefaultVersion": true
	}
}

If the policy associated with your Amazon IAM role is an inline policy, run put-role-policy command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. cc-iam-role-policy.json) to update the permissions of the selected inline policy. The following command request example updates an inline IAM policy named "cc-cfn-inline-policy" (the command does not produce an output):
```
aws iam put-role-policy
  --role-name cc-stack-admin-role
  --policy-name cc-cfn-inline-policy
  --policy-document file://cc-iam-role-policy.json
```

03 Repeat steps no. 1 and 2 for each associated IAM role that you want to reconfigure, available in your AWS cloud account.

References

AWS Command Line Interface (CLI) Documentation
cloudformation
list-attached-role-policies
get-policy
list-role-policies
get-role-policy
put-role-policy
list-stacks

Publication date Feb 9, 2018

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

CloudFormation Stack With IAM Role

Risk Level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFormation rules