Optional conditions for your role trust relationships - AWS Control Tower

Optional conditions for your role trust relationships

You can impose conditions in your role trust policies, to restrict the accounts and resources that interact with certain roles in AWS Control Tower. We strongly recommend that you restrict access to the AWSControlTowerAdmin role, because it allows wide access permissions.

To help prevent an attacker from gaining access to your resources, manually edit your AWS Control Tower trust policy to add at least one aws:SourceArn or aws:SourceAccount conditional to the policy statement. As a security best practice, we strongly recommend adding the aws:SourceArn condition, because it is more specific than aws:SourceAccount, limiting access to a specific account and a specific resource.

If you don't know the full ARN of the resource, or if you are specifying multiple resources, you can use the aws:SourceArn condition with wildcards (*) for the unknown portions of the ARN. For example, arn:aws:controltower:*:123456789012:* works if you don't wish to specify a Region.

The following example demonstrates the use of the aws:SourceArn IAM condition with your IAM role trust polices. Add the condition in your trust relationship for the AWSControlTowerAdmin role, because the AWS Control Tower service principal interacts with it.

As shown in the example, the source ARN is of the format: arn:aws:controltower:${HOME_REGION}:${CUSTOMER_AWSACCOUNT_id}:*

Replace the strings ${HOME_REGION} and ${CUSTOMER_AWSACCOUNT_id} with your own home Region and account ID of the calling account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "controltower.amazonaws.com" ] }, "Action": "sts:AssumeRole", "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:controltower:us-west-2:012345678901:*" } } } ] }

In the example, the Source ARN designated as arn:aws:controltower:us-west-2:012345678901:* is the only ARN allowed to perform the sts:AssumeRole action. In other words, only users who can sign in to the account ID 012345678901, in the us-west-2 Region, are allowed to perform actions that require this specific role and trust relationship for the AWS Control Tower service, designated as controltower.amazonaws.com.

The next example shows the aws:SourceAccount and aws:SourceArn conditions applied to the role trust policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "controltower.amazonaws.com" ] }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "012345678901" }, "StringLike": { "aws:SourceArn": "arn:aws:controltower:us-west-2:012345678901:*" } } } ] }

The example illustrates the aws:SourceArn condition statement, with an added aws:SourceAccount condition statement. For more information, see Prevent cross-service impersonation.

For general information about permission policies in AWS Control Tower see Manage access to resources.

Recommendations:

We recommend that you add conditions to the roles that AWS Control Tower creates, because those roles are directly assumed by other AWS services. For more information, see the example for AWSControlTowerAdmin, shown previously in this section. For the AWS Config recorder role, we recommend adding the aws:SourceArn condition, specifying the Config recorder ARN as the permitted source ARN.

For roles such as AWSControlTowerExecution or the other programmatic roles that can be assumed by the AWS Control Tower Audit account in all managed accounts, we recommend that you add the aws:PrincipalOrgID condition to the trust policy for these roles, which validates that the principal accessing the resource belongs to an account in the correct AWS organization. Do not add the aws:SourceArn condition statement, because it will not work as expected.

Note

In case of drift, it is possible that an AWS Control Tower role may be reset under certain circumstances. It is recommended that you re-check the roles periodically, if you have customized them.