Ensure that Amazon IAM roles used to establish a trusted relationship between your AWS cloud account and a third-party entity (also known as cross-account access roles) require either Multi-Factor Authentication (MFA) or an external ID to secure access to your resources and to prevent "confused deputy" attacks. The MFA or external ID condition adds an extra layer of security on top of the role's temporary security credentials and lets external third-party accounts access your AWS resources in a secure way.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Increase the security of your cross-account IAM role by requiring either an optional external ID (similar to a password) or an MFA device to further secure access to your AWS cloud resources and prevent "confused deputy" attacks. This is highly recommended if you don't own or have administrative access to the AWS account that can assume this IAM role. To assume this cross-account role, users must exist in the trusted account and provide the external ID or the unique passcode generated by the configured MFA device.
Audit
To determine if the Amazon IAM roles that provide cross-account access to your AWS resources use either MFA or external IDs, perform the following operations:
Remediation / Resolution
To update the trust relationship policies defined for your Amazon IAM cross-account roles in order to enable Multi-Factor Authentication (MFA) and/or external ID support for secure access, perform the following operations:
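As an added example that is not part of this rule page or of Conformity's own tooling, the following Python check evaluates a role's trust policy document (the `AssumeRolePolicyDocument` returned by `get-role`) and flags cross-account `sts:AssumeRole` statements that set neither an `sts:ExternalId` nor an `aws:MultiFactorAuthPresent` condition. The account IDs, the external ID value and the sample policy are constructed; the sample carries the weak statement beside the two corrected forms that `update-assume-role-policy` would install.

```python
"""Flag IAM role trust-policy statements that grant sts:AssumeRole to another
account without an sts:ExternalId or MFA condition (constructed example)."""
import json

OWN_ACCOUNT = "111111111111"  # hypothetical account that owns the role


def principal_accounts(principal):
    """Account IDs named in an AWS principal; '*' means anyone."""
    arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
    arns = [arns] if isinstance(arns, str) else arns
    # arn:aws:iam::<account>:... -> <account>; bare IDs and '*' stay as they are
    return {a.split(":")[4] if a.startswith("arn:") else a for a in arns}


def requires_external_id_or_mfa(condition):
    """True when the statement demands an external ID or a present MFA token."""
    for op, keys in condition.items():
        for key, val in keys.items():
            k, v = key.lower(), str(val).lower()
            if k == "sts:externalid" and op.lower() == "stringequals" and v:
                return True
            if k == "aws:multifactorauthpresent" and op.lower() == "bool" and v == "true":
                return True
    return False


def insecure_statements(trust_policy, own_account=OWN_ACCOUNT):
    """Indexes of Allow sts:AssumeRole statements open to other accounts
    (or to anyone) that set neither condition; service principals are ignored."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    stmts = doc["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    flagged = []
    for i, s in enumerate(stmts):
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        foreign = principal_accounts(s.get("Principal", {})) - {own_account}
        if foreign and not requires_external_id_or_mfa(s.get("Condition", {})):
            flagged.append(i)
    return flagged


# Constructed trust policy: statement 0 is the weak form, 1 and 2 the fixed forms.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    {"Effect": "Allow", "Principal": {"AWS": "222222222222"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}
```

Running `insecure_statements(SAMPLE_TRUST_POLICY)` returns `[0]`, the only statement that needs remediation; feed it the document from `get-role` for each role returned by `list-roles` to audit a whole account.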
References
- AWS Documentation
  - AWS Identity and Access Management (IAM) FAQs
  - IAM Identities (users, user groups, and roles)
  - IAM Roles
  - IAM tutorial: Delegate access across AWS accounts using IAM roles
  - How to Use an External ID When Granting Access to Your AWS Resources to a Third Party
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-roles
    - get-role
    - update-assume-role-policy
- CloudFormation Documentation
  - AWS Identity and Access Management resource type reference
- Terraform Documentation
  - AWS Provider