IAM role has trust policy containing cross-organization principal

문서 > Datadog 보안 > OOTB Rules > IAM role has trust policy containing cross-organization principal

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

This control examines whether IAM roles have trust policies that allow access to principals from different AWS organizations. The control will fail if the following conditions are true:

The role’s trust policy contains an Allow statement
The statement references a principal from an AWS account that is onboarded to Datadog
AWS Organizations data is available for both the role account and the principal account
The role account and the principal account belong to different AWS organizations

Note: The impact of Condition elements of statements in the role trust policy is not assessed by this control.

Cross-organization access in trust policies may introduce security risks by allowing access across deliberately isolated organizations. This type of access should be carefully controlled and limited to specific, well-documented business requirements.

Organizations should maintain strict organizational boundaries and only allow cross-organization access when there is a legitimate business need and proper security controls are in place.

Remediation

Review the IAM role’s trust policy to ensure that cross-organization principals are intentional and necessary.

For guidance on modifying IAM role trust policies, refer to the Update a role trust policy section of the AWS Identity and Access Management User Guide