Roles assumable by Compute services
More Info:
Giving permissions to resource: * (all resources) should be avoided or minimized in majority of the cases.Risk Level
MediumAddress
SecurityCompliance Standards
CISGCP,HIPAA,SCO2,NISTCSF,NIST,AWSWAF,ISO27001,HITRUST,CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of assumable roles by Compute services in AWS, specifically for AWS IAM Deep Dive, you can follow these step-by-step instructions using the AWS Management Console:
- Sign in to the AWS Management Console using your credentials.
- Open the IAM service by searching for “IAM” in the AWS services search bar and selecting it.
- In the left navigation pane, click on “Roles” to view the existing roles in your account.
- Locate the role that is assumable by Compute services and needs to be remediated. Click on its name to open the role details.
- In the “Trust relationships” tab, you will see the “Trust relationships” policy document. Click on the “Edit trust relationship” button to modify it.
- The trust relationship policy document defines which entities are allowed to assume the role. By default, it might look similar to the following:
- To remediate the misconfiguration, you need to remove the Compute services (e.g., “ec2.amazonaws.com”, “ecs.amazonaws.com”, “lambda.amazonaws.com”) from the “Principal” section. Alternatively, you can replace them with specific trusted entities if necessary.
- After making the necessary changes to the trust relationship policy document, click on the “Update Trust Policy” button to save the modifications.
- Review the updated trust relationship policy document to ensure that only the intended entities can assume the role.
- Repeat the above steps for any other roles that have the same misconfiguration.
Using CLI
Using CLI
To remediate the misconfiguration of roles assumable by Compute services in AWS IAM using AWS CLI, follow these steps:
-
Identify the misconfigured roles:
- Use the AWS CLI command
aws iam list-rolesto list all the roles in your AWS account. - Review the roles and identify the ones that are assumable by Compute services (such as EC2, Lambda, or ECS).
- Use the AWS CLI command
-
Update the trust policy of the affected roles:
- Use the AWS CLI command
aws iam update-assume-role-policyto update the trust policy of each misconfigured role. - Specify the role name using the
--role-nameparameter. - Provide the updated trust policy using the
--policy-documentparameter. - The trust policy should only allow trusted entities (such as specific AWS services or trusted AWS accounts) to assume the role.
- Use the AWS CLI command
-
Example of updating the trust policy:
- Assume that you have a role named “ComputeRole” that is assumable by Compute services.
- Create a JSON file (e.g.,
trust-policy.json) with the updated trust policy. The following is an example of a trust policy allowing only EC2 instances to assume the role: - Run the following AWS CLI command to update the trust policy for the “ComputeRole”:
- Repeat step 3 for each misconfigured role identified in step 1.
Using Python
Using Python
To remediate the misconfiguration of roles assumable by Compute services in AWS IAM, you can follow these step-by-step instructions using Python:
- Identify the affected Compute services: Determine which compute services in your AWS account have roles associated with them.
- Identify the misconfigured roles: Identify the roles that are currently assumable by the compute services. You can use the AWS SDK for Python (Boto3) to retrieve the list of roles and their associated policies.
- Review the role permissions: For each misconfigured role, review the permissions granted to it. Ensure that the roles have the least privilege necessary for the compute services to perform their intended tasks.
-
Update the role trust policy: Modify the trust policy of each misconfigured role to restrict the entities that can assume the role. The trust policy should only allow the specific compute services that require the role.
a. Use Boto3 to retrieve the existing trust policy for each role.
b. Parse the trust policy document to identify the entities that can assume the role.
c. Modify the trust policy document to remove any unnecessary or overly permissive entities.
d. Update the trust policy using Boto3’s
update_assume_role_policyAPI. - Test the remediated role: After updating the trust policy, it is essential to test the role to ensure it still functions as expected. You can create a test script using Python and Boto3 to verify that the compute service can assume the role and perform its intended tasks.
- Monitor and audit: Regularly review and monitor the roles assumable by compute services to identify any future misconfigurations or unauthorized access attempts. AWS CloudTrail can provide detailed logs and insights into role assumptions.