Restrict assumed IAM role access High

The IAM role does not restrict which services or principals can assume it. Make sure that the IAM role's trust policy (the `assume_role_policy`) permits only specific services or principals to assume the role.

Detector ID
terraform/restrict-assumed-role-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

resource "aws_iam_role" "over-privilege-role1" {
  name = "over-privilege-role"

  # Noncompliant: the second statement of the trust policy uses the wildcard
  # principal "AWS": "*", so any AWS principal in any account that is itself
  # allowed to call sts:AssumeRole can assume this role. The first statement,
  # scoped to ec2.amazonaws.com, is a specific service principal and is fine
  # on its own; the wildcard statement is what the detector flags.
  assume_role_policy = <<EOF
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "ec2.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
          },
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "AWS": "*"
            },
            "Effect": "Allow",
            "Sid": ""
          }
        ]
      }
  EOF
}

Compliant example

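resource "aws_iam_role" "over-privilege-role2" {
  name = "over-privilege-role"

  # Compliant: every statement names a specific principal (the EC2 service
  # and one AWS account) instead of the wildcard "*".
  # The trailing comma after the account ID has been removed: IAM requires the
  # policy document to be strict JSON and rejects a malformed document, so the
  # role would not be created with the comma in place.
  # NOTE(review): a bare account ID is shorthand for that account's root, which
  # delegates the decision to the account's own IAM -- any identity in
  # 123456789012 that is granted sts:AssumeRole on this role can assume it.
  # When the intended callers are known, name a specific role or user ARN
  # instead, and consider a Condition (for example on aws:PrincipalArn or
  # sts:ExternalId) to narrow it further.
  assume_role_policy = <<EOF
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "ec2.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
          },
          {
            "Action": "sts:AssumeRole",
            "Principal": {
              "AWS": [
                "123456789012"
              ]
            },
            "Effect": "Allow",
            "Sid": ""
          }
        ]
      }
  EOF
}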