AWS-IAM-Trusted-Cross-Account-Roles

Severity : Medium

Description: This control ensures that IAM roles used to establish a trusted relationship between an AWS account and a third-party entity require a trusted external ID to secure access to resources, and use Multi-Factor Authentication. Cross-service impersonation can result in the confused deputy problem. It can occur when one service calls another service: the calling service can be manipulated into using its permissions to act on another customer's resources in a way it should not otherwise be permitted to. It is highly recommended that, if administrative users of the third-party account can assume this IAM role, those users must be in the trusted account and provide the exact external ID or the unique passcode generated by the MFA device. IAM roles associated with untrusted IDs must be deleted.

Remediation Steps:

Perform the following to create an IAM role with an external ID and MFA for cross-account access:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the IAM console.

  3. In the navigation pane, click Roles and then Create Role.

  4. Choose the Another AWS account role type.

  5. For Account ID, type the AWS account ID to which you want to grant access to resources.

  6. Select Require external ID. Enter the external ID that is agreed upon between this account and the administrator of the third-party account.

  7. Select Require MFA.

  8. Choose Next: Permissions.

  9. Select a policy to use for the permissions policy or choose Create policy to create a new policy.

  10. Open the Set permissions boundary section and choose Use a permissions boundary to control the maximum role permissions. Select the policy to use for the permissions boundary.

  11. Choose Next: Tags.

  12. Choose Next: Review.

  13. For Role name, type a name for the role.

  14. For Role description, type a description.

  15. Choose Create role.

Perform the following to delete the old IAM role:

  1. Navigate to the IAM console.

  2. In the navigation pane, click Roles.

  3. Select the checkbox next to the name of the role to delete.

  4. Choose Delete.

Important:

  • The account administrator must configure external ID use when creating a role for a third party that accesses other AWS accounts in addition to this account.

  • When assuming roles on behalf of different customers, assign a unique external ID to each customer and instruct them to add that external ID to their role's trust policy.
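The following is an added example, not part of the original control text: a small checker that inspects a role's trust policy document (the same structure the IAM console shows under the role's Trust relationships tab) and reports cross-account AssumeRole statements that lack the sts:ExternalId or aws:MultiFactorAuthPresent condition this control requires. The account IDs and external ID value are constructed placeholders; the "weak" policy shows the non-compliant form and the "hardened" policy the corrected one.

```python
# Constructed sample trust policies with placeholder account IDs (not from the page).
OWN_ACCOUNT = "999999999999"
THIRD_PARTY = "arn:aws:iam::111111111111:root"

WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": THIRD_PARTY}, "Action": "sts:AssumeRole"}]}

HARDENED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": THIRD_PARTY}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"},
                   "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

def _as_list(value):
    # IAM policy fields may be a scalar or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _principal_account(principal):
    # Account ID from an ARN ("arn:aws:iam::ACCOUNT:root") or a bare 12-digit ID.
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal

def is_cross_account(stmt, own_account):
    # True if the statement lets an AWS principal outside own_account assume the role.
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(_principal_account(p) != own_account for p in aws_principals)

def trust_policy_findings(policy, own_account):
    # Findings for cross-account AssumeRole statements lacking the external ID
    # or MFA condition this control requires; an empty list means compliant.
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        if not is_cross_account(stmt, own_account):
            continue
        cond = stmt.get("Condition", {})
        if not cond.get("StringEquals", {}).get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        if str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent condition")
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, trust_policy_findings(policy, OWN_ACCOUNT) or "compliant")
```

In a live audit the policy dict would come from the role's AssumeRolePolicyDocument as returned by the IAM API, and any role with findings is a candidate for the remediation or deletion steps above.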

Reference:

 

Blue Hexagon Proprietary