IAM roles used for trust relationships should have MFA or external IDs

Description

IAM roles that establish trust with other AWS accounts should use additional security measures such as MFA or external IDs. This can protect your account if the trusted account is compromised and can also prevent the “confused deputy problem.”

NOTE: This rule only evaluates statements with the sts:AssumeRole action.

Remediation Steps

AWS Console

Enable MFA

• Log into the AWS Management Console.

• From the top navigation, select your Account Name > My Security Credentials.

• In the top navigation, select the Trust Relationships tab.

• Expand the Multi-factor authentication (MFA) drop-down, select Active MFA.

• Open your virtual MFA application, scan the QR code.

• Enter the two codes that are generated from your virtual MFA.

• Click Assign.

Add an External ID

• Navigate to IAM.

• Select Roles and select the desired IAM role.

• In the top navigation, select the Trust Relationships tab.

• Click Edit trust relationship.

• In "Conditions", add the following: "Condition": {"StringEquals": {"sts:ExternalId": "Unique ID Assigned by Example Corp"}}.

• Click Update Trust Policy.

AWS CLI

Enable MFA

• Enable MFA via the CLI.

  • create-virtual-mfa-device

  • --path <value>

  • --virtual-mfa-device-name <value>

  • --outfile <value>

  • --bootstrap-method <value>

Add an External ID

• Add an external ID to your IAM role.

  • update-assume-role-policy

  • --policy-document (string)

Terraform

• Ensure that the aws_iam_role resource has an assume_role_policy json policy block with a “aws:multifactorauthpresent” condition that validates whether MFA is used, or a “sts:externalid” condition that provides an external ID.

Note: The rule for Terraform assumes that any principal with an AWS account ID is an external account.

Example Configuration

resource "aws_iam_role" "example" {
  name = "example"

  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {"AWS": "Example Corp's AWS Account ID"},
      "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
    }
  })
}

Documentation Links

AWS Console and CLI

• Console: Enable a Virtual Multi-factor Authentication (MFA) Device

• Console: How to Use an External ID When Granting Access to Your AWS Resources to a Third Party

• CLI: Enable a Virtual Multi-factor Authentication (MFA) Device

• CLI: Update-assume-role-policy

Terraform

• Resource: aws_iam_role

  • Block: assume_role_policy