IAM role trust policies should not allow all principals to assume the role

Description

Using a wildcard in the Principal attribute in a role’s trust policy would allow any IAM user in any account to access the role. This is a significant security gap and can be used by anyone to gain access to an account with potentially sensitive data.

Remediation Steps

AWS Console

• Navigate to IAM.

• Select the role that includes the trust policy.

• Navigate to the Trust Relationships tab, and select Edit trust relationship.

• Ensure that the Principal attribute does not include any wildcards (*).

AWS CLI

• Ensure that IAM trust policies created via CLI do not use wildcards in the Principal attribute:

  • aws iam update-assume-role-policy --role-name Test-Role --policy-document file://policy.json

policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
        },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Terraform

• Ensure that IAM trust policies defined inline with the aws_iam_role or aws_iam_role_policy resources, or with a aws_iam_policy resource do not use wildcards in the policy block in the Principal field.

Example Configuration

resource "aws_iam_role_policy" "example" {
  name  = "my_role_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
  # other required fields here
}

Documentation Links

AWS Console and CLI

• Console: IAM role trust policy as a resource-based policy

• CLI: update-assume-role-policy

Terraform

• Resource: aws_iam_role

  • Field: inline_policy.policy

• Resource: aws_iam_role_policy

  • Field: policy

• Resource: aws_iam_policy

  • Field: policy