Profile Applicability:
- Level 2
Description:
A confused deputy attack occurs when a service with permissions inadvertently performs actions on behalf of an unauthorized entity. In AWS, cross-service confused deputy attacks can happen when a service role is used improperly, allowing unintended access to AWS resources. To mitigate this risk, IAM policies should explicitly limit which services can assume a role using the aws:SourceArn or aws:SourceAccount condition keys.
Rationale:
Mitigating confused deputy attacks ensures that IAM service roles are only used by authorized AWS services with defined permissions. This prevents unintended privilege escalation and unauthorized access, helping to enforce the principle of least privilege. By implementing condition-based access controls, organizations can prevent malicious or unintended use of IAM roles across AWS services.
Impact:
Pros:
Prevents unauthorized access through misconfigured or overly permissive IAM roles.
Reduces the risk of privilege escalation by restricting role assumptions.
Ensures compliance with security best practices and regulatory requirements.
Cons:
Requires careful management of IAM policies and conditions.
Can cause access issues if incorrectly configured, requiring additional troubleshooting.
Default Value:
By default, IAM roles do not enforce conditions preventing cross-service confused deputy attacks. AWS recommends explicitly defining service role permissions using condition keys.
Pre-requisites:
AWS IAM permissions:
iam:UpdateRolePolicy
iam:GetRolePolicy
iam:ListRoles
AWS CLI installed and configured.
Access to IAM role configurations and permission management.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to IAM and select Roles.
Identify IAM roles used for cross-service access.
Check the Trust Relationship section to ensure condition keys (aws:SourceArn or aws:SourceAccount) are used.
If missing, update the trust policy to restrict access to specific AWS services and accounts.
Using AWS CLI:
List IAM roles:
aws iam list-roles --query 'Roles[*].RoleName'
Check trust relationships for a specific role:
aws iam get-role --role-name <ROLE_NAME> --query 'Role.AssumeRolePolicyDocument'
If the policy does not contain aws:SourceArn or aws:SourceAccount, update it:
aws iam update-assume-role-policy --role-name <ROLE_NAME> --policy-document file://trust-policy.json
Ensure the trust-policy.json file includes conditions to restrict access.
Implementation Plan:
Using AWS Console:
Open the AWS Management Console and navigate to IAM.
Select Roles and choose the role that needs restriction.
Edit the Trust Relationship and add conditions like:
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::my-secure-bucket"
}
}Save the changes and verify restricted access.
Using AWS CLI:
Update the assume role policy with proper conditions:
aws iam update-assume-role-policy --role-name <ROLE_NAME> --policy-document file://trust-policy.json
Validate the policy changes by checking the role’s trust relationship:
aws iam get-role --role-name <ROLE_NAME> --query 'Role.AssumeRolePolicyDocument'
Backout Plan:
Using AWS Console:
Sign in to the AWS Management Console and navigate to IAM.
Select Roles and locate the affected role.
Edit the Trust Relationship to remove the restrictive conditions or revert to a previous version.
Save the changes and verify that the role functions as expected.
Using AWS CLI:
Identify affected roles and review logs for permission errors.
Restore the previous policy version using the following command:
aws iam update-assume-role-policy --role-name <ROLE_NAME> --policy-document file://previous-policy.json
Verify that authorized services can assume the role while blocking unauthorized ones.
Document changes and implement troubleshooting steps for future reference.
Reference:
AWS IAM: Understanding Trust Policies
AWS CLI: update-assume-role-policy
CIS Controls: