RCP should deny cross-account role assumption from outside the Organization


Description

A Resource Control Policy (RCP) should deny cross-account role assumption from principals outside the AWS Organization. Without this control, IAM roles in member accounts can be assumed by any external AWS principal that satisfies the role’s trust policy, creating a lateral-movement risk and potential data exfiltration path. An RCP that denies sts:AssumeRole when aws:PrincipalOrgID does not match the organization ID ensures that only principals within the organization can assume roles on organization resources.

This rule also flags RCPs that use NotAction to exempt sts:AssumeRole from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.

Note: AWS service principals should be exempted using aws:PrincipalIsAWSService conditions to avoid disrupting AWS service integrations. Trusted third-party accounts can be exempted using aws:PrincipalAccount conditions.

Remediation

Create a Resource Control Policy that explicitly denies sts:AssumeRole using Action (not NotAction) from principals outside the organization and attach it to the organization root. Remove any NotAction-based deny statements that exempt STS actions. Refer to the RCP syntax documentation and the AWS data perimeter best practices for guidance.
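To make the remediation concrete, here is an added example (not the rule's own code, nor an AWS-provided policy) that embeds a compliant RCP beside the NotAction-based variant this rule flags, and implements the check described above over both; the organization ID and the trusted third-party account ID are placeholders.

```python
ORG_ID = "o-exampleorgid"         # placeholder, not a real organization ID
TRUSTED_ACCOUNT = "111122223333"  # constructed third-party account ID

# Compliant RCP: deny sts:AssumeRole unless the caller is inside the org,
# is the trusted partner account, or is an AWS service principal.
COMPLIANT_RCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAssumeRoleFromOutsideOrg", "Effect": "Deny", "Principal": "*",
    "Action": "sts:AssumeRole", "Resource": "*",
    "Condition": {
        "StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID,
                                    "aws:PrincipalAccount": TRUSTED_ACCOUNT},
        "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}}]}

# Non-compliant RCP: NotAction carves sts:AssumeRole out of the deny, so
# external principals are never blocked from assuming roles.
NONCOMPLIANT_RCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyExternalExceptAssumeRole", "Effect": "Deny", "Principal": "*",
    "NotAction": "sts:AssumeRole", "Resource": "*",
    "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def has_notaction_sts_exemption(policy):
    """True if any Deny statement exempts an STS action through NotAction."""
    return any(stmt.get("Effect") == "Deny" and
               any(a.lower().startswith("sts:") for a in _as_list(stmt.get("NotAction", [])))
               for stmt in policy["Statement"])

def denies_external_assume_role(policy):
    """True if a Deny statement names sts:AssumeRole via Action (not NotAction)
    and is conditioned on aws:PrincipalOrgID with a negated string operator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or "NotAction" in stmt:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.lower() in ("stringnotequals", "stringnotequalsifexists") \
                    and any(k.lower() == "aws:principalorgid" for k in keys):
                return True
    return False

def evaluate_rcp(policy):
    """Verdict as this rule reports it: FAIL on a NotAction exemption or a missing deny."""
    bad = has_notaction_sts_exemption(policy) or not denies_external_assume_role(policy)
    return "FAIL" if bad else "PASS"
```

Because the two keys in the StringNotEqualsIfExists block are ANDed, the deny only applies when the caller is neither in the organization nor the trusted account, and the BoolIfExists clause keeps AWS service principals exempt.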