IAM Roles Should Not be Assumed by Multiple Services

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-072

Ensure that your Amazon IAM roles can only be assumed by a single, trusted service in order to prevent unauthorized access and potential security breaches. An IAM role assumed by multiple services can elevate the risk of a compromised service granting unauthorized access to AWS cloud resources.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

In Amazon IAM, a role can be assumed by various principals, including users, other roles, service principals, or external users authenticated by compatible Identity Provider (IdP) services. To define which entities are trusted to assume a role, a trust policy, also known as trust relationships policy, is used. The trust policy is attached to the IAM role and specifies the principals that are permitted to assume the role, ensuring that access is properly controlled. However, to enhance security, it is recommended that each role be assumed by a single AWS service to limit access, prevent privilege escalation, and ensure the role's permissions are confined to the intended service.


Audit

To identify Amazon IAM roles that can be assumed by multiple services, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Roles.

04 Click on the name (link) of the IAM role that you want to examine.

05 Select the Trust relationships tab to access the trust policy associated with the selected IAM role. A trust policy defines which entities (users, roles, accounts, and services) are allowed to assume a role and under what conditions.

06 In the Trusted entities section, check the "Principal" element value to identify the type of entity authorized to assume the role. If the "Principal" value is not "Service", the entity is not a service; therefore, the Audit process ends here. However, if the principal is a service, examine the "Service" element value to determine whether the role can be assumed by multiple services. If the "Service" element lists two or more service names, the selected Amazon IAM role can be assumed by multiple services.

07 Repeat steps no. 4 – 6 for each Amazon IAM role available in your AWS cloud account.

Using AWS CLI

01 Run the list-roles command (OSX/Linux/UNIX) with custom output filters to list the names of all the IAM roles available within your AWS cloud account:

aws iam list-roles \
  --query 'Roles[*].RoleName'

02 The command output should return an array with the requested IAM role identifiers (names):

[
	"tm-project5-developer-role",
	"tm-bedrock-studio-ai-role",
	"tm-dynamodb-data-manager-role",
	"tm-production-stack-set-role"
]

03 Run the get-role command (OSX/Linux/UNIX) with the name of the Amazon IAM role that you want to examine as the identifier parameter and custom output filters to describe the role's trust policy, i.e. the policy that grants permission to assume the selected role. A trust policy defines which entities are allowed to assume a role and under what conditions:

aws iam get-role \
  --role-name "tm-project5-developer-role" \
  --query 'Role.AssumeRolePolicyDocument'

04 The command output should return the trust policy associated with the selected IAM role:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": [
					"ec2.amazonaws.com",
					"iam.amazonaws.com"
				]
			},
			"Action": "sts:AssumeRole"
		}
	]
}

Check the "Principal" element value to identify the type of entity authorized to assume the role. If the "Principal" value is not "Service", the entity is not a service, and the Audit process ends here. However, if the principal is a service, examine the "Service" element value to determine if the role can be assumed by multiple services. If the "Service" element lists two or more service names, as shown in the output example above, the selected Amazon IAM role can be assumed by multiple services.

05 Repeat steps no. 3 and 4 for each Amazon IAM role available within your AWS cloud account.

Remediation / Resolution

To ensure that your Amazon IAM roles can only be assumed by a single service, perform the following operations:

Modifying the trust policy for a service-linked role is not currently allowed.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Roles.

04 Click on the name (link) of the non-compliant IAM role that you want to configure.

05 To change who can assume an IAM role, you must modify the role's trust policy. Select the Trust relationships tab and choose Edit trust policy to modify the trust policy associated with the selected IAM role.

06 In the Edit trust policy section, modify the "Service" element value by removing the name(s) of any service(s) that are incorrectly assuming the role. This ensures that only one service is authorized to assume the selected role, e.g. "Principal": { "Service": "ec2.amazonaws.com"}. Choose Update policy to apply the policy changes.

07 Repeat steps no. 4 - 6 for each non-compliant Amazon IAM role that you want to configure, available in your AWS cloud account.

Using AWS CLI

01 To change who can assume an IAM role, you must modify the role's trust policy. Open the trust policy associated with your IAM role and modify the "Service" element value by removing the name(s) of any service(s) that are incorrectly assuming the role. This ensures that only one service is authorized to assume the specified role, as shown in the example listed below. Save the modified policy document to a JSON file named tm-single-service-trust-policy.json:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "ec2.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

02 Run the update-assume-role-policy command (OSX/Linux/UNIX) with the name of the non-compliant IAM role that you want to configure as the identifier parameter to update the trust policy for the selected role, using the policy document modified at the previous step, i.e. tm-single-service-trust-policy.json (the command does not produce an output):

aws iam update-assume-role-policy \
  --role-name "tm-project5-developer-role" \
  --policy-document file://tm-single-service-trust-policy.json

03 Repeat steps no. 1 and 2 for each non-compliant Amazon IAM role that you want to configure, available within your AWS cloud account.
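As an added worked example (not Conformity's code and not part of the original rule page), the following Python script performs the trust-policy check from the Audit section and the single-service rewrite from the Remediation section on policy documents in the form returned by aws iam get-role --query 'Role.AssumeRolePolicyDocument'. It goes one step beyond the check described above: it takes the union of Service principals across all Allow statements that grant sts:AssumeRole, so a role that trusts two services through two separate statements (each with a single-name "Service" element) is reported as well. The sample policies are constructed; the function names (trusted_services, assumed_by_multiple_services, restrict_to_single_service) are assumptions of this example. The rewritten document is what you would save as tm-single-service-trust-policy.json before running update-assume-role-policy.

```python
import copy
import json

# Actions that let a principal assume the role; sts:* and * are wildcards that cover it.
ASSUME_ROLE_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value):
    """IAM policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """The Statement element may likewise be a single object or a list."""
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def trusted_services(policy):
    """Return the set of service principals allowed to assume the role.

    The union is taken across all Allow statements, so two statements that
    each name one service are reported just like one statement naming both.
    """
    services = set()
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action"))) & ASSUME_ROLE_ACTIONS:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or no principal block: there is no Service element
        services.update(_as_list(principal.get("Service")))
    return services


def assumed_by_multiple_services(policy):
    """The IAM-072 condition: more than one service may assume the role."""
    return len(trusted_services(policy)) > 1


def restrict_to_single_service(policy, keep):
    """Return a copy of policy in which keep is the only trusted service.

    Existing trust is only trimmed, never widened: if keep is not already a
    trusted service the function raises instead of adding a new principal.
    AWS and Federated principals are left untouched; the rule concerns the
    Service element only.
    """
    if keep not in trusted_services(policy):
        raise ValueError(f"{keep!r} is not currently trusted by this policy")
    fixed = copy.deepcopy(policy)
    remaining = []
    for stmt in _statements(fixed):
        principal = stmt.get("Principal")
        if (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                and "Service" in principal):
            if keep in _as_list(principal["Service"]):
                principal["Service"] = keep  # collapse the list to one name
            else:
                del principal["Service"]
                if not principal:
                    continue  # statement trusted only other services: drop it
        remaining.append(stmt)
    fixed["Statement"] = remaining
    return fixed


# Constructed sample: the non-compliant policy shown in the Audit section
# (two services in a single "Service" element).
MULTI_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com", "iam.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: one service per statement, which a check that only
# looks for a list inside "Service" would miss.
SPLIT_STATEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": ["sts:AssumeRole", "sts:TagSession"]},
    ],
}

if __name__ == "__main__":
    for name, policy in [("one-statement", MULTI_SERVICE_POLICY),
                         ("split-statements", SPLIT_STATEMENT_POLICY)]:
        verdict = "NON-COMPLIANT" if assumed_by_multiple_services(policy) else "compliant"
        print(name, sorted(trusted_services(policy)), verdict)
    # The document to save as tm-single-service-trust-policy.json:
    print(json.dumps(restrict_to_single_service(MULTI_SERVICE_POLICY,
                                                "ec2.amazonaws.com"), indent=4))
```

To use it against a live account, feed the JSON printed by get-role into trusted_services (for example via json.load) for each role name returned by list-roles, then pass the output of restrict_to_single_service to update-assume-role-policy as described in step 02. Service-linked roles still have to be skipped, since their trust policies cannot be modified.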

Publication date Oct 23, 2024