IAM roles used for trust relationships should have MFA or external IDs

Description

IAM roles that establish trust with other AWS accounts should use additional security measures such as MFA or external IDs. This can protect your account if the trusted account is compromised and can also prevent the “confused deputy problem.”

Console Remediation Steps to Enable MFA

  • Log into the AWS Management Console.

  • From the top navigation, select your Account Name > My Security Credentials.

  • In the top navigation, select the Trust Relationships tab.

  • Expand the Multi-factor authentication (MFA) drop-down, select Activate MFA.

  • Open your virtual MFA application, scan the QR code.

  • Enter the two codes that are generated from your virtual MFA.

  • Click Assign.

Console Remediation Steps to Add an External ID

  • Navigate to IAM.

  • Select Roles and select the desired IAM role.

  • In the top navigation, select the Trust Relationships tab.

  • Click Edit trust relationship.

  • In "Conditions", add the following: "Condition": {"StringEquals": {"sts:ExternalId": "Unique ID Assigned by Example Corp"}}.

  • Click Update Trust Policy.

CLI Remediation Steps to Enable MFA

  • Enable MFA via the CLI.

    • create-virtual-mfa-device

    • --path <value>

    • --virtual-mfa-device-name <value>

    • --outfile <value>

    • --bootstrap-method <value>

CLI Remediation Steps to Add an External ID

  • Add an external ID to your IAM role.

    • update-assume-role-policy

    • --policy-document (string)
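The two conditions the remediation steps describe can be checked offline against the trust-policy JSON that update-assume-role-policy takes. The following is an added example, not code from this page or from AWS: it flags every foreign account that is allowed sts:AssumeRole without an sts:ExternalId (StringEquals) or aws:MultiFactorAuthPresent (Bool true) condition. The sample policies and account IDs are constructed placeholders.

```python
import json
import re

# Condition keys for the two controls the page describes.
EXTERNAL_ID_KEY = "sts:ExternalId"
MFA_KEY = "aws:MultiFactorAuthPresent"
# Matches a bare 12-digit account ID or arn:aws:iam::<account>:root|role/...|user/...
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::|$)")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _foreign_accounts(principal, own_account_id):
    """Account IDs in the 'AWS' principal that differ from our own account."""
    if not isinstance(principal, dict):
        return []  # "*" or a service principal such as ec2.amazonaws.com
    accounts = []
    for arn in _as_list(principal.get("AWS", [])):
        match = ACCOUNT_RE.match(arn)
        if match and match.group(1) != own_account_id:
            accounts.append(match.group(1))
    return accounts


def _is_protected(condition):
    """True if the statement requires an external ID or an MFA-authenticated caller
    (only the StringEquals / Bool operators shown in the remediation steps count)."""
    has_external_id = bool((condition.get("StringEquals") or {}).get(EXTERNAL_ID_KEY))
    has_mfa = str((condition.get("Bool") or {}).get(MFA_KEY, "")).lower() == "true"
    return has_external_id or has_mfa


def trust_policy_findings(policy_json, own_account_id):
    """Return foreign account IDs allowed to AssumeRole without an external ID or MFA."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if _is_protected(stmt.get("Condition") or {}):
            continue
        findings.extend(_foreign_accounts(stmt.get("Principal"), own_account_id))
    return findings


# Constructed sample trust policies; the account IDs are placeholders.
WEAK = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "sts:AssumeRole"}]})
WITH_EXTERNAL_ID = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "Unique ID Assigned by Example Corp"}}}]})
```

Feed it the output of `aws iam get-role` (the AssumeRolePolicyDocument field) for each role to list the trusts that still need remediation.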