Ensure that your Amazon IAM roles are configured to be used only by trusted AWS accounts in order to protect against unauthorized cross-account access. Before running this rule by the Conformity engine, the list with the trusted AWS account identifiers must be configured in the rule settings, on your Trend Cloud One™ – Conformity account console.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing unknown cross-account access to your Amazon IAM roles lets accounts outside your control assume these roles and gain whatever access to your AWS services and resources the roles' permission policies grant. To prevent unauthorized cross-account access, allow only trusted entities to assume your Amazon IAM roles by configuring the appropriate trust (assume role) policies.
Audit
To determine whether any IAM roles available in your AWS cloud account are configured to allow unknown cross-account access, perform the following actions:
Remediation / Resolution
To update your IAM role trust policies so that only trusted AWS accounts are authorized to assume your roles, regardless of MFA or external ID support, perform the following actions:
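The audit check described above, as an added example that is not Conformity's own code: it takes a role trust policy (the `AssumeRolePolicyDocument` returned by `aws iam get-role`) and a configured list of trusted account IDs, and returns every AWS principal in an Allow `sts:AssumeRole` statement that is not trusted. Conditions such as MFA or `sts:ExternalId` are ignored on purpose, matching the rule's stance; the trusted list and the sample policy are constructed placeholders.

```python
import json
import re

# Account ID inside an IAM/STS ARN, e.g. arn:aws:iam::123456789012:root
_ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")


def principal_accounts(principal):
    """Return the account IDs (or '*') named in a statement's AWS Principal."""
    if principal == "*":
        return {"*"}  # anonymous principal: any account may assume the role
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    if aws is None:
        return set()  # Service/Federated principals are not cross-account AWS accounts
    found = set()
    for entry in aws if isinstance(aws, list) else [aws]:
        if entry == "*" or re.fullmatch(r"\d{12}", entry):
            found.add(entry)  # bare account ID is shorthand for that account's root
        else:
            m = _ARN_ACCOUNT.match(entry)
            found.add(m.group(1) if m else entry)  # unparseable values stay, so they get flagged
    return found


def untrusted_principals(trust_policy, trusted_accounts):
    """Principals allowed to assume the role that are not in trusted_accounts.

    Conditions (MFA, sts:ExternalId) are deliberately not evaluated.
    """
    untrusted = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        grants_assume = any(a in ("*", "sts:*") or a.lower().startswith("sts:assumerole")
                            for a in actions)
        if stmt.get("Effect") == "Allow" and grants_assume:
            untrusted |= principal_accounts(stmt.get("Principal", {})) - set(trusted_accounts)
    return untrusted


# Constructed sample: own account (trusted), one unknown account, a wildcard, and a service
TRUSTED = {"111111111111"}
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "*"]},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}""")

if __name__ == "__main__":
    print(sorted(untrusted_principals(SAMPLE_TRUST_POLICY, TRUSTED)))  # ['*', '222222222222']
```

A role whose result is non-empty is the one to fix: remove the flagged principals from the trust policy and apply it with `aws iam update-assume-role-policy`.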
References
- AWS Documentation
  - IAM Identities (users, user groups, and roles)
  - IAM Roles
  - Modifying a Role
  - Editing the Trust Relationship for an Existing Role
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-roles
    - get-role
    - update-assume-role-policy
- CloudFormation Documentation
  - AWS Identity and Access Management resource type reference
- Terraform Documentation
  - AWS Provider