For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-iam-role-allows-all-principals-to-assume.md. A documentation index is available at /llms.txt.

IAM role allows all principals to assume

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-iam-role-allows-all-principals-to-assume

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Access Control

Learn More

Description

IAM role trust policies must not grant account-root or wildcard principals permission to assume the role, because allowing principals like an account root ARN (arn:aws:iam::123456789012:root) or * effectively trusts every principal in an account or every AWS account and can enable privilege escalation or unintended cross-account access. Check AWS::IAM::Role resources’ Properties.AssumeRolePolicyDocument.Statement[].Principal.AWS. The principal value must not be * or contain :root. Only statements with Effect: Allow are evaluated. Resources with Principal.AWS containing :root or * will be flagged and should be replaced with explicit principal ARNs or specific service principals.

Secure example with an explicit principal ARN:

MyRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::123456789012:role/TrustedRole
          Action: sts:AssumeRole

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument: >
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Principal": {
                        "AWS": "arn:aws:iam::root"
                    },
                    "Effect": "Deny",
                    "Sid": ""
                }
            ]
        }

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Deny",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::root"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/"
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument: >
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Principal": {
                        "AWS": "arn:aws:iam::root"
                    },
                    "Effect": "Allow",
                    "Sid": ""
                }
            ]
        }

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::root"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/"
      }
    }
  }
}