Ensure that each of your Amazon IAM roles can be assumed by only a single, trusted AWS service in order to prevent unauthorized access and potential security breaches. When one role is trusted by several services, a compromise of any one of those services yields the role's full set of permissions, so the blast radius of that role is the union of everything each trusting service can reach.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
In Amazon IAM, a role can be assumed by various principals, including IAM users, other roles, AWS service principals, or external users authenticated by a compatible Identity Provider (IdP). Which entities are trusted to assume a role is defined by the role's trust policy (also called the trust relationship policy). The trust policy is attached to the IAM role and lists the principals permitted to call sts:AssumeRole on it; the role's permissions policies then decide what the assumed role may do. To keep that trust narrow, it is recommended that each role used by a service be assumable by exactly one AWS service, so that the role's permissions stay confined to the workload they were granted for and a compromise of an unrelated service cannot be used to pick them up.
Audit
To identify Amazon IAM roles that can be assumed by multiple services, perform the following operations:
Remediation / Resolution
To ensure that your Amazon IAM roles can only be assumed by a single service, perform the following operations:
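The audit and remediation steps above, as one added Python example (written for this page; it is not Conformity's own tooling). It takes role records in the shape that `aws iam list-roles` and boto3's `list_roles()` return, flags every role whose trust policy names more than one service principal, rewrites a flagged policy so only the intended service remains, and pushes the result with UpdateAssumeRolePolicy (the API behind `update-assume-role-policy`). The sample roles, the `RecordingIamClient` stub that stands in for `boto3.client("iam")`, and the role names are constructed for the example; service-linked roles (path `/aws-service-role/`) are skipped because their trust policy cannot be modified.

```python
import json
import urllib.parse


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _decode(doc):
    """boto3 and the CLI hand back the trust policy as a dict; the raw API URL-encodes it."""
    return json.loads(urllib.parse.unquote(doc)) if isinstance(doc, str) else doc


def service_principals(policy):
    """Service principals that some Allow statement lets call sts:AssumeRole."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # "*" and account/IdP principals are out of scope here
            services.update(_as_list(principal.get("Service")))
    return services


def find_multi_service_roles(roles):
    """Audit step: {RoleName: sorted services} for every role trusted by more than one service."""
    findings = {}
    for role in roles:
        services = service_principals(_decode(role["AssumeRolePolicyDocument"]))
        if len(services) > 1:
            findings[role["RoleName"]] = sorted(services)
    return findings


def restrict_to_service(policy, keep):
    """Copy of `policy` in which `keep` is the only service principal; IAM/account statements stay."""
    if keep not in service_principals(policy):
        raise ValueError(f"{keep} is not trusted by this policy; refusing to lock the role out")
    new_policy = json.loads(json.dumps(policy))  # deep copy: never mutate the caller's object
    statements = []
    for stmt in _as_list(new_policy.get("Statement")):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "Service" in principal:
            if keep in _as_list(principal["Service"]):
                principal["Service"] = keep
            else:
                del principal["Service"]  # this statement only trusted other services
                if not principal:
                    continue              # nothing left to allow, drop the statement
        statements.append(stmt)
    new_policy["Statement"] = statements
    return new_policy


def remediate(iam_client, role, keep):
    """Remediation step: push the single-service trust policy with UpdateAssumeRolePolicy."""
    if role.get("Path", "/").startswith("/aws-service-role/"):
        return "skipped: service-linked role, its trust policy cannot be modified"
    try:
        policy = restrict_to_service(_decode(role["AssumeRolePolicyDocument"]), keep)
    except ValueError as exc:
        return f"skipped: {exc}"
    iam_client.update_assume_role_policy(RoleName=role["RoleName"], PolicyDocument=json.dumps(policy))
    return "updated"


class RecordingIamClient:
    """Offline stand-in for boto3.client("iam"): records calls instead of changing anything."""
    def __init__(self):
        self.calls = []

    def update_assume_role_policy(self, RoleName, PolicyDocument):
        self.calls.append((RoleName, json.loads(PolicyDocument)))
        return {}


def _trust(*stmts):  # a lone statement stays a bare object, which IAM also accepts
    return {"Version": "2012-10-17", "Statement": stmts[0] if len(stmts) == 1 else list(stmts)}


def _allow(principal, action="sts:AssumeRole"):
    return {"Effect": "Allow", "Action": action, "Principal": principal}


# Constructed sample input in the shape of `aws iam list-roles` output; role names are made up.
SAMPLE_ROLES = [
    {"RoleName": "single-service-role", "Path": "/",
     "AssumeRolePolicyDocument": _trust(_allow({"Service": "ec2.amazonaws.com"}))},
    {"RoleName": "multi-service-role", "Path": "/",
     "AssumeRolePolicyDocument": _trust(
         _allow({"Service": ["ec2.amazonaws.com", "lambda.amazonaws.com"]}),
         _allow({"AWS": "arn:aws:iam::111122223333:root"}))},
    {"RoleName": "AWSServiceRoleForExample", "Path": "/aws-service-role/",
     "AssumeRolePolicyDocument": _trust(
         _allow({"Service": "lambda.amazonaws.com"}, ["sts:AssumeRole"]),
         _allow({"Service": "events.amazonaws.com"}, ["sts:AssumeRole"]))},
]

if __name__ == "__main__":
    findings = find_multi_service_roles(SAMPLE_ROLES)
    print("roles trusted by more than one service:", findings)
    iam = RecordingIamClient()  # swap for boto3.client("iam") to change a real account
    for role in SAMPLE_ROLES:
        if role["RoleName"] in findings:
            print(role["RoleName"], "->", remediate(iam, role, keep="lambda.amazonaws.com"))
```

To run this against an account, replace the stub with `boto3.client("iam")`, feed `find_multi_service_roles` the `Roles` lists from each `list_roles()` page, and choose `keep` per role from the workload that actually uses it rather than one value for every finding; `restrict_to_service` refuses to produce a policy that no longer trusts the requested service, so a typo in `keep` cannot lock the role out.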
Modifying the trust policy for a service-linked role is not currently allowed.
References
- AWS Documentation
- IAM roles
- AWS Identity and Access Management (IAM) FAQs
- Update a role trust policy
- AWS Command Line Interface (CLI) Documentation
- list-roles
- get-role
- update-assume-role-policy