IAM role cross-account trust should only reference organization accounts
Description
IAM role trust policies that allow cross-account access should only reference principals from AWS accounts that are members of the same AWS Organization. A trust policy that names an account ID outside the organization may indicate cross-account access that was never approved or registered with the security engineering team. Every cross-account trust relationship should be reviewed and approved so that it follows least-privilege principles and the organization's access policies.
Review the IAM role's trust policy (the role's AssumeRolePolicyDocument, returned by `aws iam get-role`) and verify that every cross-account principal, whether written as a bare account ID or as an IAM or STS ARN, belongs to an account in the organization's member list (`aws organizations list-accounts`). Remove or update trust relationships that reference external accounts unless they have been explicitly approved and registered. For guidance, refer to Update a role trust policy.
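The following is an added example of the review described above, not code from the rule page or from Datadog. It walks the Allow statements of a trust policy, extracts the account ID from each AWS principal (bare account IDs and `arn:aws:iam::` / `arn:aws:sts::` ARNs), and reports every principal whose account is not in the organization. Service principals (`*.amazonaws.com`) are not accounts and are skipped; a wildcard principal is reported unless the statement is restricted with an `aws:PrincipalOrgID` condition matching the organization. The policy document, organization ID and account list are constructed sample data; in practice you would feed in `get_role()['Role']['AssumeRolePolicyDocument']` and the IDs from `organizations:ListAccounts`.

```python
"""Audit an IAM role trust policy for principals outside an AWS Organization.

Added example; the policy document and organization data below are constructed
sample input, not real accounts.
"""
import re
from typing import Iterable, List, Optional, Set

# A bare principal is a 12-digit account ID; IAM/STS ARNs carry it after "::".
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-zA-Z-]*:(?:iam|sts)::(\d{12}):")


def account_of(principal: str) -> Optional[str]:
    """Return the account ID a principal string refers to, or None if it has none."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def _as_list(value) -> list:
    """IAM allows a single string or a list in most positions; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _org_id_conditions(statement: dict) -> Set[str]:
    """Collect aws:PrincipalOrgID values from the statement's Condition block."""
    org_ids: Set[str] = set()
    for _operator, clauses in statement.get("Condition", {}).items():
        for key, values in clauses.items():
            if key.lower() == "aws:principalorgid":
                org_ids.update(_as_list(values))
    return org_ids


def find_external_principals(trust_policy: dict, org_accounts: Iterable[str], org_id: str) -> List[str]:
    """Return principals in Allow statements that are not members of the organization.

    Deny statements are skipped (they cannot grant access). Service principals are
    skipped. A "*" principal is reported unless the statement is scoped with an
    aws:PrincipalOrgID condition equal to org_id. Any other principal without a
    recognizable account ID (e.g. a web identity provider) is reported for review.
    """
    members = set(org_accounts)
    findings: List[str] = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        org_scoped = org_id in _org_id_conditions(stmt)
        principal = stmt.get("Principal", {})
        if principal == "*":
            if not org_scoped:
                findings.append("*")
            continue
        for ptype, values in principal.items():
            if ptype == "Service":
                continue
            for value in _as_list(values):
                if value == "*":
                    if not org_scoped:
                        findings.append(value)
                    continue
                acct = account_of(value)
                if acct is None or acct not in members:
                    findings.append(value)
    return findings


# Constructed sample data: a fictitious organization and a trust policy mixing
# in-org, out-of-org, service, org-scoped wildcard and Deny statements.
ORG_ID = "o-exampleorgid"
ORG_ACCOUNTS = {"111111111111", "222222222222"}
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": ["222222222222", "arn:aws:iam::333333333333:role/Deploy"]},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::444444444444:root"}, "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    for p in find_external_principals(SAMPLE_TRUST_POLICY, ORG_ACCOUNTS, ORG_ID):
        print(f"external principal in trust policy: {p}")
```

Only the `333333333333` role is reported for the sample policy: the wildcard statement is accepted because its `aws:PrincipalOrgID` condition pins it to the organization, and the Deny statement is ignored because it grants nothing. Treat the output as a review queue, not an automatic delete list; a flagged principal may be an approved, registered exception.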