For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-iam-policy-grants-assumerole-permission-across-all-services.md. A documentation index is available at /llms.txt.

IAM policy grants AssumeRole permission across all services

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-iam-policy-grants-assumerole-permission-across-all-services

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Access Control

Learn More

Description

IAM policies must not grant the sts:AssumeRole action against all resources (*), because allowing AssumeRole on * enables principals to assume any role and can lead to privilege escalation and broad lateral movement. Check AWS::IAM::Policy resources’ Properties.PolicyDocument.Statement entries for Effect: Allow with Action containing sts:AssumeRole (case-insensitive) and Resource equal to * or containing *. Statements that allow sts:AssumeRole must instead restrict Resource to explicit role ARNs or a limited set of ARNs (for example, arn:aws:iam::123456789012:role/MyRole). Resources missing this restriction or with Resource: "*" will be flagged.

Secure configuration example (restrict the resource to a specific role ARN):

MyPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: RestrictAssumeRole
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Resource: arn:aws:iam::123456789012:role/SpecificRole
    Roles:
      - Ref: SomeRole

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  MyPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: mygrouppolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:PutObjectAcl
            Resource: arn:aws:s3:::myAWSBucket/*
      Groups:
        - myexistinggroup1
        - !Ref mygroup

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "MyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "mygrouppolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
              ],
              "Resource": "arn:aws:s3:::myAWSBucket/*"
            }
          ]
        },
        "Groups": [
          "myexistinggroup1",
          "mygroup"
        ]
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  mypolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: mygrouppolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action: ["sts:AssumeRole"]
          Resource: "*"
      Users: ["SomeUser"]

{
  "Description": "A sample template",
  "Resources": {
    "mypolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "mygrouppolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "sts:AssumeRole"
              ],
              "Resource": "*"
            }
          ]
        },
        "Users": [
          "SomeUser"
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}