AWS-IAM-Trust-Policy-Unrestricted

Severity : Critical

Description: This control ensures that IAM role trust policies do not contain an “Allow” statement whose AWS principal is “*”. A trust policy statement with principal “*” and effect “Allow” lets any AWS account assume the role.

Remediation Steps:

Perform the following to update the trust policy of the IAM role:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to IAM console.

  3. On the Left Pane, click on Roles.

  4. Select the role listed in the report.

  5. On the Role summary page, select the Trust relationships tab.

  6. Select Edit trust policy.

  7. Update the policy either by removing the “Allow” statement whose principal is “*” or by replacing “*” with a specific service, user, or user group.

  8. Select Update the trust policy.
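The following is an added example, not part of this control's text, showing how the condition described above can be checked offline against a trust policy document: a constructed non-compliant policy is placed next to its remediated form, and a small checker flags every “Allow” statement whose principal resolves to “*” (as a bare string, inside the AWS key, or inside a list under that key). The account id and role names are constructed placeholders.

```python
import json

# Constructed example (not from the page): one open statement, one scoped one.
UNRESTRICTED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenToWorld", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Sid": "Scoped", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/Deployer"},
         "Action": "sts:AssumeRole"},
    ],
})

# Remediated form (step 7): the wildcard principal is replaced by a specific ARN.
REMEDIATED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Scoped", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/Deployer"},
         "Action": "sts:AssumeRole"},
    ],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_unrestricted_statements(policy_json):
    """Return the Sid (or positional index) of each Allow statement with a
    wildcard principal. A Condition element does not make the statement pass
    this control, but it is recorded because the fix differs."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            findings.append({"sid": stmt.get("Sid", f"#{idx}"),
                             "conditioned": "Condition" in stmt})
    return findings


def is_compliant(policy_json):
    """Control passes only when no Allow statement has a wildcard principal."""
    return not find_unrestricted_statements(policy_json)
```

Run `find_unrestricted_statements` over each role's trust policy document (e.g. as returned by the IAM API) and treat any non-empty result as a finding for this control.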

Important:

Reference:


Blue Hexagon Proprietary