The IAM role's trust (assume-role) policy does not restrict who may assume the role. Make sure the trust policy grants `sts:AssumeRole` only to the specific AWS services or principals (accounts, roles, or users) that need it, and never to a wildcard principal such as `"AWS": "*"`, which lets any principal in any AWS account assume the role.
resource "aws_iam_role" "over-privilege-role1" {
  name = "over-privilege-role"

  # Noncompliant: Specific assume role policy principal is not mentioned.
  #
  # The first statement (Service: ec2.amazonaws.com) is a specific principal and
  # is not the problem. The second statement grants sts:AssumeRole to the
  # wildcard principal "AWS": "*" with no Condition block, so any IAM principal
  # in any AWS account that is itself allowed to call sts:AssumeRole can assume
  # this role and inherit every permission attached to it. That is what makes
  # the role over-privileged; the statement should name the exact account,
  # role or user ARN(s) that need access instead of "*".
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    },
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "*"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
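resource "aws_iam_role" "over-privilege-role2" {
  # NOTE(review): this is the same role name as over-privilege-role1; the two
  # resources cannot both be applied in one account/partition without an
  # EntityAlreadyExists error. Fine when the snippets are used independently.
  name = "over-privilege-role"

  # Compliant: Specific assume role policy principal is mentioned.
  #
  # Every statement names an explicit principal: the EC2 service and one AWS
  # account. No wildcard ("AWS": "*") principal appears.
  #
  # Fix applied: the original "AWS" array ended with a trailing comma, which is
  # not valid JSON. IAM rejects such a document (MalformedPolicyDocument) and
  # the role fails to create, so the "compliant" example never applied.
  # Building the document with jsonencode({...}) instead of a heredoc makes
  # this class of error impossible, because Terraform serializes it for you.
  #
  # A bare 12-digit account ID in "AWS" is shorthand for
  # arn:aws:iam::123456789012:root, i.e. it trusts every principal in that
  # account whose own IAM policy allows sts:AssumeRole on this role. When the
  # caller is known, narrow it further to a specific role or user ARN.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    },
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": [
          "123456789012"
        ]
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}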