Role alias allows access to unused services - AWS IoT Core

Role alias allows access to unused services

AWS IoT role alias provides a mechanism for connected devices to authenticate to AWS IoT using X.509 certificates and then obtain short-lived AWS credentials from an IAM role that is associated with an AWS IoT role alias. The permissions for these credentials must be scoped down using access policies with authentication context variables. If your policies are not configured correctly, you could leave yourself exposed to an escalation of privilege attack. This audit check ensures that the temporary credentials provided by AWS IoT role aliases are not overly permissive.

This check is triggered if the role alias has access to services that haven't been used for the AWS IoT device in the last year. For example, the audit reports if you have an IAM role linked to the role alias that has only used AWS IoT in the past year but the policy attached to the role also grants permission to "iam:getRole" and "dynamodb:PutItem".

This check appears as IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK in the CLI and API.

Severity: Medium

Details

The following reason codes are returned when this check finds a noncompliant AWS IoT policy:

  • ALLOWS_ACCESS_TO_UNUSED_SERVICES

Why it matters

By limiting permissions to those services that are required for a device to perform its normal operations, you reduce the risks to your account if a device is compromised.

How to fix it

Follow these steps to fix any noncompliant policies attached to things, thing groups, or other entities:

  1. Follow the steps in Authorizing direct calls to AWS services to apply a more restrictive policy to your role alias.

You can use mitigation actions to:

  • Apply the PUBLISH_FINDINGS_TO_SNS mitigation action if you want to implement a custom action in response to the Amazon SNS message.

For more information, see Mitigation actions.