
Enforce "ExternalId" Condition for CloudConformity IAM Role

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Very High (act immediately)

Ensure that the Amazon IAM role used to establish a trusted relationship between your AWS cloud account and Trend Cloud One™ – Conformity (also known as a cross-account access role) includes an external ID. The external ID is a unique identifier that ensures no other customers can assume your Conformity IAM role, securing access to your account and addressing the confused deputy problem. This issue arises when an entity without sufficient permissions coerces a more privileged entity to perform an action on its behalf. By using an external ID, you add an extra layer of security to the role's temporary credentials, enabling Trend Cloud One™ to access your AWS account in a secure way.

Security

Enhance the security of your Conformity IAM role by requiring an optional external ID (implemented through the "externalId" condition) to safeguard access to your AWS cloud environment and prevent cross-account confused deputy attacks. Using an "externalId" condition for cross-account access roles helps mitigate the confused deputy problem by ensuring that only the intended account, with the correct external ID, can assume the role. This prevents malicious actors from exploiting the role by attempting to assume it from a different account that might otherwise have permission.


Audit

To determine if the role used by Trend Cloud One™ – Conformity for onboarding (i.e., CloudConformity role) is using the "externalId" condition, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Roles.

04 Click inside the Search box, type CloudConformity, and press Enter to find the IAM role required for onboarding to Trend Cloud One™. If the CloudConformity IAM role is not found, the Audit process ends here.

05 Click on the name (link) of the CloudConformity role and select the Trust relationships tab to access the trust policy configured for the selected role.

06 In the Trusted entities section, check the "Condition" policy elements to understand the specific circumstances under which trusted entities can assume the selected IAM role. If the trust policy does not have any "Condition" elements, the Audit process ends here. However, if one or more "Condition" elements are available, check them for external ID support. The CloudConformity IAM role lacks external ID support when the following is true:

  1. The conditions listed for the "Condition" element don't include the sts:ExternalId key.
  2. The conditions listed for the "Condition" element include the sts:ExternalId key but the key does not have a value (i.e. "Condition": {"StringEquals": {"sts:ExternalId": "" }}).

07 Repeat steps no. 1 – 4 for each AWS cloud account that you want to examine.

Using AWS CLI

01 Run the list-roles command (OSX/Linux/UNIX) with custom output filters to list the names of all the IAM roles available within your AWS cloud account:

aws iam list-roles \
	--query 'Roles[*].RoleName'

02 The command output should return an array with the requested IAM role identifiers (names). If the CloudConformity IAM role is not returned by the list-roles command, the Audit process ends here:

[
	"CloudConformity",
	"MalwareProtectionIamRole",
	"tm-project5-developer-role",
	"tm-bedrock-studio-ai-role"
]

03 Run the get-role command (OSX/Linux/UNIX) with custom output filters to describe the CloudConformity role's trust policy, i.e. the policy that grants permission to assume the selected role. A trust policy defines which entities are allowed to assume a role and under what conditions:

aws iam get-role \
	--role-name "CloudConformity" \
	--query 'Role.AssumeRolePolicyDocument'

04 The command output should return the trust policy associated with the CloudConformity role:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:root"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

Search the policy document returned by the get-role command for "Condition" elements to understand the specific circumstances under which trusted entities can assume the selected IAM role. If the policy document does not have any "Condition" elements, the Audit process ends here. However, if one or more "Condition" elements are available, check them for external ID support. The CloudConformity IAM role lacks external ID support when the following is true:

  1. The conditions listed for the "Condition" element don't include the sts:ExternalId key (as shown in the example above).
  2. The conditions listed for the "Condition" element include the sts:ExternalId key but the key does not have a value (i.e. "Condition": {"StringEquals": {"sts:ExternalId": "" }}).
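The two failure conditions above can be checked offline against the JSON that get-role prints. The following Python script is an added example, not Conformity's own tooling: it walks every Allow statement that lets an AWS (cross-account) principal call sts:AssumeRole and reports those with no sts:ExternalId key or an empty value. It goes slightly beyond the text in treating the ...IfExists condition operators as not enforcing the ID, because such a condition evaluates true whenever the caller simply omits ExternalId from the AssumeRole request. The sample policies embedded in it are constructed for this example, using the page's placeholder account ID 123456789012.

```python
"""Offline check of an IAM trust policy for a usable sts:ExternalId condition.

Added example (not Conformity's tooling). Reads the JSON printed by
`aws iam get-role --role-name CloudConformity --query 'Role.AssumeRolePolicyDocument'`
from stdin, or, when run interactively, audits the constructed samples below.
"""
import json
import sys
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM allows Statement, Action and condition values to be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_cross_account_assume_role(stmt: Dict[str, Any]) -> bool:
    """In scope: Allow statements where an AWS principal (or "*") may call sts:AssumeRole."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    cross_account = principal == "*" or (isinstance(principal, dict) and "AWS" in principal)
    actions = [a.lower() for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
    return cross_account and any(a in ("sts:assumerole", "sts:*") for a in actions)


def pins_external_id(stmt: Dict[str, Any]) -> bool:
    """True when a string-equality condition binds sts:ExternalId to a non-empty value.

    Audit failure conditions: key absent, or key present with an empty value.
    The ...IfExists operators are treated as not pinning the ID, since they pass
    whenever the caller omits ExternalId from the AssumeRole call.
    """
    for operator, pairs in (stmt.get("Condition") or {}).items():
        base = operator.split(":")[-1]  # strip ForAnyValue:/ForAllValues: prefixes
        if base.endswith("IfExists") or not base.startswith("StringEquals"):
            continue
        for key, value in pairs.items():
            if key.lower() != "sts:externalid":
                continue
            if any(isinstance(v, str) and v.strip() for v in _as_list(value)):
                return True
    return False


def audit_trust_policy(policy: Dict[str, Any]) -> List[str]:
    """One finding per in-scope statement lacking a usable external ID; [] means compliant."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if grants_cross_account_assume_role(stmt) and not pins_external_id(stmt):
            principal = json.dumps(stmt.get("Principal"), sort_keys=True)
            findings.append(
                f"Statement[{idx}] lets {principal} call sts:AssumeRole "
                "without a non-empty sts:ExternalId condition"
            )
    return findings


# Constructed sample policies; the account ID is the page's placeholder 123456789012.
_PRINCIPAL = {"AWS": "arn:aws:iam::123456789012:root"}
_EID = "abcd1234-abcd-1234-abcd-1234abcd1234"
SAMPLE_POLICIES: Dict[str, Dict[str, Any]] = {
    "no_condition": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": _PRINCIPAL, "Action": "sts:AssumeRole"}]},
    "empty_external_id": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": _PRINCIPAL, "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": ""}}}]},
    "if_exists_only": {"Version": "2012-10-17", "Statement": {  # single statement object
        "Effect": "Allow", "Principal": _PRINCIPAL, "Action": ["sts:AssumeRole"],
        "Condition": {"StringEqualsIfExists": {"sts:ExternalId": _EID}}}},
    "compliant": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": _PRINCIPAL, "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": _EID}}}]},
}


def main() -> int:
    if not sys.stdin.isatty():
        findings = audit_trust_policy(json.load(sys.stdin))
        print("\n".join(findings) or "OK: non-empty sts:ExternalId condition present")
        return 1 if findings else 0
    for name, policy in SAMPLE_POLICIES.items():
        print(f"{name}: {audit_trust_policy(policy) or 'OK'}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Piping the get-role output into the script (aws iam get-role --role-name CloudConformity --query 'Role.AssumeRolePolicyDocument' --output json | python3 check_external_id.py) gives a non-zero exit status when the role fails the check, which makes it easy to run across accounts from a loop.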

05 Repeat steps no. 1 - 4 for each AWS cloud account that you want to examine.

Remediation / Resolution

To update the trust relationship policy defined for your CloudConformity IAM role in order to enable external ID support and prevent cross-account confused deputy attacks, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account and copy the external ID (e.g., abcd1234-abcd-1234-abcd-1234abcd1234) generated for your account.

02 Sign in to the AWS Management Console.

03 Navigate to Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

04 In the left navigation panel, under Access management, choose Roles.

05 Click inside the Search box, type CloudConformity, and press Enter to find the IAM role required for onboarding to Trend Cloud One™.

06 Click on the name (link) of the CloudConformity role and select the Trust relationships tab to access the trust policy configured for the selected role.

07 In the Trusted entities section, choose Edit trust policy.

08 In the policy editor, add the following block to the existing policy statement to enable external ID support: "Condition": { "StringEquals": { "sts:ExternalId": "<external_id>" } }. Replace <external_id> with your own ID, copied at step no. 1. The "Condition" element allows Trend Cloud One™ to assume the role only when the AssumeRole API call includes the external ID value of <external_id>. Trend Cloud One™ makes sure that whenever it assumes a role on behalf of a customer, it always includes that customer's external ID value in the AssumeRole call. Even if another customer supplies Trend Cloud One™ – Conformity with your role ARN, it cannot control the external ID that Trend Cloud One™ includes in its request to AWS. This helps prevent unauthorized access. Once updated, the trust policy configured for the CloudConformity role should look like this:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:root"
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringEquals": {
					"sts:ExternalId": "abcd1234-abcd-1234-abcd-1234abcd1234"
				}
			}
		}
	]
}

09 Choose Update policy to apply the configuration changes.

10 Repeat steps no. 1 – 9 for each AWS cloud account that you want to configure.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account and copy the external ID (e.g., abcd1234-abcd-1234-abcd-1234abcd1234) generated for your account.

02 Modify the trust relationship policy for your CloudConformity IAM role. Add the following block to the existing policy statement to enable external ID support: "Condition": { "StringEquals": { "sts:ExternalId": "<external_id>" } }. Replace <external_id> with your own ID, copied at step no. 1. Save the policy document to a JSON file named cc-conformity-trust-policy.json. The "Condition" element allows Trend Cloud One™ to assume the role only when the AssumeRole API call includes the external ID value of <external_id>. Trend Cloud One™ makes sure that whenever it assumes a role on behalf of a customer, it always includes that customer's external ID value in the AssumeRole call. Even if another customer supplies Trend Cloud One™ – Conformity with your role ARN, it cannot control the external ID that Trend Cloud One™ includes in its request to AWS. This helps prevent unauthorized access. Once modified, the trust policy configured for your CloudConformity role should look like this:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": "sts:AssumeRole",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:root"
			},
			"Condition": {
				"StringEquals": {
					"sts:ExternalId": "abcd1234-abcd-1234-abcd-1234abcd1234"
				}
			}
		}
	]
}

03 Run the update-assume-role-policy command (OSX/Linux/UNIX) to apply the trust relationship policy modified at the previous step (i.e. cc-conformity-trust-policy.json) to the CloudConformity IAM role (if successful, the command does not produce an output):

aws iam update-assume-role-policy \
	--role-name CloudConformity \
	--policy-document file://cc-conformity-trust-policy.json

04 Repeat steps no. 1 - 3 for each AWS cloud account that you want to configure.
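Steps 02 and 03 can be scripted so the "Condition" block is inserted into the existing document rather than hand-edited. The following Python is an added example, not Conformity's own tooling: starting from the non-compliant trust policy shown in the Audit section (constructed inline here), it adds "sts:ExternalId" under "StringEquals" on each cross-account AssumeRole statement, leaves any other conditions already present untouched, overwrites an empty existing value, and writes cc-conformity-trust-policy.json for the update-assume-role-policy command above. The external ID in the script is a placeholder to be replaced with the value copied at step no. 1.

```python
"""Add the sts:ExternalId condition from the remediation steps to a trust policy.

Added example (not Conformity's tooling). It takes the current trust policy as
returned by get-role, pins sts:ExternalId on every cross-account AssumeRole
statement, and writes cc-conformity-trust-policy.json for
`aws iam update-assume-role-policy`. The external ID used in main() is a placeholder.
"""
import copy
import json
from typing import Any, Dict

# Constructed input: the non-compliant trust policy from the Audit section,
# with the page's placeholder account ID 123456789012.
CURRENT_TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _is_cross_account_assume_role(stmt: Dict[str, Any]) -> bool:
    """Allow statements where an AWS principal (or "*") may call sts:AssumeRole."""
    actions = stmt.get("Action")
    actions = actions if isinstance(actions, list) else [actions]
    principal = stmt.get("Principal")
    return (
        stmt.get("Effect") == "Allow"
        and (principal == "*" or (isinstance(principal, dict) and "AWS" in principal))
        and any(isinstance(a, str) and a.lower() in ("sts:assumerole", "sts:*") for a in actions)
    )


def add_external_id_condition(policy: Dict[str, Any], external_id: str) -> Dict[str, Any]:
    """Return a copy of `policy` whose cross-account AssumeRole statements require `external_id`.

    Other condition operators on a statement are kept. An existing (possibly empty)
    sts:ExternalId value is overwritten, so the function is idempotent and also
    repairs the empty-value case flagged by the audit.
    """
    if not isinstance(external_id, str) or not external_id.strip():
        raise ValueError("external ID must be a non-empty string")
    updated = copy.deepcopy(policy)
    statements = updated.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    updated["Statement"] = statements
    for stmt in statements:
        if _is_cross_account_assume_role(stmt):
            condition = stmt.setdefault("Condition", {})
            condition.setdefault("StringEquals", {})["sts:ExternalId"] = external_id
    return updated


def write_policy_file(policy: Dict[str, Any], path: str = "cc-conformity-trust-policy.json") -> str:
    """Write the document that `--policy-document file://...` will read."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=4)
        fh.write("\n")
    return path


if __name__ == "__main__":
    # Placeholder: use the external ID copied from your Conformity account (step no. 1).
    EXTERNAL_ID = "REPLACE-WITH-YOUR-CONFORMITY-EXTERNAL-ID"
    out = write_policy_file(add_external_id_condition(CURRENT_TRUST_POLICY, EXTERNAL_ID))
    print(f"wrote {out}; apply with: aws iam update-assume-role-policy "
          f"--role-name CloudConformity --policy-document file://{out}")
```

In practice the input would be the live document (aws iam get-role --role-name CloudConformity --query 'Role.AssumeRolePolicyDocument' --output json) loaded with json.load instead of the constructed constant, so that any additional statements or conditions the role already carries survive the update.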

Publication date Dec 4, 2024