Description:


Assume Role returns a set of temporary security credentials that you can use to access Amazon Web Services resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use roles within your account or for cross-account access. 

Rationale:


An IAM role does not have long term credentials associated with it; rather, a principal (an IAM user, machine, or other authenticated identity) assumes the IAM role and inherits the permissions assigned to that role. Using wildcards *, may expose confidential resources to unauthorized users.

Impact:


 Minimizing the permissions to provide just right permissions reduces the risk of unauthorized access to your AWS services and resources. 


Pre-Requisite:

  • Clear definition of “WHO to give access to WHAT” helps while creating a policy.

  • A backup copy of the policy document as a JSON file

Remediation


Test Plan

  1. Sign in to the AWS Management Console.
  2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
  3. In the left navigation pane, choose Roles.
  4. Choose IAM role that you want to examine and click on it.

  5. On the IAM role configuration page, select the Trust Relationships tab from the bottom panel.

  6. Click the Trust Relationships button to open the attached policy. 

  7. On the Edit Trust Relationship page, identify the Action and Principal elements and their current values. If the Action element value is set to "sts:AssumeRole" and the Principal element value is set to { "AWS": "*" }, anyone (any IAM entity) can assume the role, therefore the Trusted Entities policy attached to the selected IAM role is too permissive.





 CLI Commands

  • Use list-roles command to list all the names of all customer-managed IAM roles in the AWS account

 Implementation steps

  1. Sign in to the AWS Management Console.
  2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
  3. In the left navigation panel, choose Roles.
  4. Click on the IAM role that you want to reconfigure.

  5. Select the Trust Relationships tab from the bottom panel.

  6. On the Edit Trust Relationship page, replace the Principal element value with an AWS trusted entity such as EC2 service (e.g. “Service": "ec2.amazonaws.com" or any service that you want to give permission to), an entity that will assume the role.

  7. Click Update Trust Policy to apply the policy changes

 CLI Commands

Use the update-assume-role-policy command with the trust policy document name (filename.json) and the name of the IAM role that you want to reconfigure 



 Backout Plan:

  1. Sign in to the AWS Management Console.
  2. Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.
  3. In the left navigation panel, choose Roles.
  4.  Click on the IAM role that you want to reconfigure.
  5. select the Trust Relationships tab from the bottom panel.
  6.  On the Edit Trust Relationship page, edit the attributes to the values they initially were using backup
  7. Make changes 
  8. Click on the Update Policy

CLI Commands


Use update-assume-role-policy with the copy of the original policy document  



Reference:

https://docs.aws.amazon.com/cli/latest/reference/iam/

https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html