Cross-service confused deputy prevention - Amazon EC2 Auto Scaling

Cross-service confused deputy prevention

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action.

In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the calling service) calls another service (the called service). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access.

To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. We recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in trust policies for Amazon EC2 Auto Scaling service roles. These keys restrict the role so that Amazon EC2 Auto Scaling can assume it only on behalf of the specific resource (or account) that you name in the trust policy, not on behalf of any other customer's resources.

The values for the SourceArn and SourceAccount fields are set when Amazon EC2 Auto Scaling uses AWS Security Token Service (AWS STS) to assume a role on your behalf.

To use the aws:SourceArn or aws:SourceAccount global condition keys, set the value to the Amazon Resource Name (ARN) or account of the resource that Amazon EC2 Auto Scaling stores. Whenever possible, use aws:SourceArn, which is more specific. Set the value to the ARN or an ARN pattern with wildcards (*) for the unknown portions of the ARN. If you don't know the ARN of the resource, use aws:SourceAccount instead.

The following example shows how you can use the aws:SourceArn and aws:SourceAccount global condition context keys in Amazon EC2 Auto Scaling to prevent the confused deputy problem.

Example: Using aws:SourceArn and aws:SourceAccount condition keys

A role that a service assumes to perform actions on your behalf is called a service role. In cases where you want to create lifecycle hooks that send notifications to anywhere other than Amazon EventBridge, you must create a service role to allow Amazon EC2 Auto Scaling to send notifications to an Amazon SNS topic or Amazon SQS queue on your behalf. If you want only one Auto Scaling group to be associated with the cross-service access, you can specify the trust policy of the service role as follows.

This example trust policy uses condition statements to limit the AssumeRole capability on the service role to only the actions that affect the specified Auto Scaling group in the specified account. The aws:SourceArn and aws:SourceAccount conditions are evaluated independently. Any request to use the service role must satisfy both conditions.

Before using this policy, replace the Region, account ID, UUID, and group name with valid values from your account.

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "ConfusedDeputyPreventionExamplePolicy",
        "Effect": "Allow",
        "Principal": {
            "Service": "autoscaling.amazonaws.com"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "ArnLike": {
                "aws:SourceArn": "arn:aws:autoscaling:region:account_id:autoScalingGroup:uuid:autoScalingGroupName/my-asg"
            },
            "StringEquals": {
                "aws:SourceAccount": "account_id"
            }
        }
    }
}

In the preceding example:

  • The Principal element specifies the service principal of the service (autoscaling.amazonaws.com).

  • The Action element specifies the sts:AssumeRole action.

  • The Condition element specifies the aws:SourceArn and aws:SourceAccount global condition keys. The source's ARN includes the account ID, so it is not necessary to use aws:SourceAccount with aws:SourceArn.
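To make the independent evaluation of the two conditions concrete, the following added example (not part of the AWS documentation) models how this trust policy decides an sts:AssumeRole request. It fills the placeholders with constructed sample values (Region us-east-1, account 111122223333, a * wildcard for the UUID) and uses a simplified ArnLike matcher that compares the six colon-delimited ARN components case-sensitively; the real IAM evaluator has more rules than are modelled here.

```python
import json
import re

# Trust policy from this page with the placeholders filled in with
# constructed sample values (assumed Region us-east-1, account
# 111122223333) and a * wildcard standing in for the unknown UUID.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ConfusedDeputyPreventionExamplePolicy",
    "Effect": "Allow",
    "Principal": {"Service": "autoscaling.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "ArnLike": {"aws:SourceArn":
        "arn:aws:autoscaling:us-east-1:111122223333:autoScalingGroup:*:autoScalingGroupName/my-asg"},
      "StringEquals": {"aws:SourceAccount": "111122223333"}
    }
  }
}""")


def arn_like(pattern, arn):
    """Simplified ArnLike: each of the six colon-delimited ARN components
    is compared separately and case-sensitively, with * and ? wildcards."""
    pats, parts = pattern.split(":", 5), arn.split(":", 5)
    if len(pats) != 6 or len(parts) != 6:
        return False
    for p, s in zip(pats, parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if not re.fullmatch(regex, s):
            return False
    return True


def assume_role_allowed(policy, source_arn, source_account):
    """True if an sts:AssumeRole request by autoscaling.amazonaws.com that
    carries these source context keys satisfies every condition in the
    statement. Each operator is evaluated independently; all must pass."""
    stmt = policy["Statement"]
    ctx = {"aws:SourceArn": source_arn, "aws:SourceAccount": source_account}
    cond = stmt.get("Condition", {})
    for key, pat in cond.get("ArnLike", {}).items():
        if key not in ctx or not arn_like(pat, ctx[key]):
            return False
    for key, val in cond.get("StringEquals", {}).items():
        if ctx.get(key) != val:
            return False
    return stmt["Effect"] == "Allow" and stmt["Action"] == "sts:AssumeRole"
```

A request whose source is an Auto Scaling group in another account, or a differently named group in the same account, is refused; strip the Condition block and the same policy lets any Auto Scaling group in any account assume the role.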

Additional information

For more information, see AWS global condition context keys, The confused deputy problem, and Modifying a role trust policy (console) in the IAM User Guide.