AWS IAM role should not have permissive trust with the Cognito Identity service

Description

Note: As publicly announced on April 15, 2024, it is no longer possible to assume roles with a trust relationship to the Cognito Identity service cross-account. This detection remains available for a few weeks after April 15, 2024 to allow customers to easily identify if any IAM roles were vulnerable in their account.

Each AWS IAM role must have a trust policy that defines the principals who are trusted to assume that role. A role is misconfigured when its trust policy trusts the Cognito Identity service (cognito-identity.amazonaws.com) without a Condition that restricts which identity pool may use it. Such a trust allows anyone in the world to assume the role, not just the identities belonging to the intended identity pool.

Rationale

If an IAM role is misconfigured in this way, it can be used to gain initial access to the AWS account. Once the role is assumed, an adversary also has access to every resource the role's identity-based policies authorize.

Remediation

Ensure the trust policy of the identified role uses an effective Condition element that restricts who may assume the role by matching the cognito-identity.amazonaws.com:aud condition key against the intended identity pool.

From the console

  1. In the AWS Console, navigate to the IAM role you would like to change.
  2. On the IAM role page, click the Trust relationships tab.
  3. Click Edit trust policy.
  4. Make changes to the trust policy to remediate the risk.
  5. Click Update policy.

From the command line

Use the update-assume-role-policy action to update the role trust policy to remediate the risk.

    aws iam update-assume-role-policy \
       --role-name Test-Role \
       --policy-document file://<NEW_ROLE_POLICY>.json
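The following Python script is an added example and is not part of this rule page or of the AWS CLI. It places a constructed permissive trust policy next to the hardened form that the remediation describes, checks each policy offline for a trust in cognito-identity.amazonaws.com that lacks an effective cognito-identity.amazonaws.com:aud Condition, and writes the hardened document to a file that can be passed to update-assume-role-policy. The identity pool ID, the function names and the output file name are assumptions chosen for the example; the check also goes slightly beyond the text by treating a wildcard aud value and a ForAllValues operator (which matches when the key is absent from the request) as not restricting the role.

```python
import json

COGNITO_IDENTITY = "cognito-identity.amazonaws.com"
AUD_KEY = "cognito-identity.amazonaws.com:aud"
# Operators that actually pin the aud key to concrete values. ForAllValues:* is
# left out on purpose: it evaluates to true when the key is missing from the request.
PINNING_OPERATORS = {"stringequals", "foranyvalue:stringequals",
                     "stringlike", "foranyvalue:stringlike"}

# Constructed sample: trusts the Cognito Identity service with no Condition at all,
# so a Cognito identity from any pool could call AssumeRoleWithWebIdentity.
PERMISSIVE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO_IDENTITY},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

# Constructed sample: has a Condition on aud, but the wildcard makes it ineffective.
WILDCARD_AUD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO_IDENTITY},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {AUD_KEY: "*"}},
    }],
}

# Constructed sample of the remediated form: the trust is pinned to one identity
# pool (placeholder ID) and to authenticated identities only.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO_IDENTITY},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD_KEY: "us-east-1:00000000-0000-0000-0000-000000000000"},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _trusts_cognito(statement):
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return False
    return any(p in (COGNITO_IDENTITY, "*") for p in _as_list(principal.get("Federated", [])))


def _aud_pinned(condition):
    """True when some pinning operator restricts aud to non-wildcard values (keys are case-insensitive)."""
    for operator, pairs in (condition or {}).items():
        if operator.lower() not in PINNING_OPERATORS:
            continue
        for key, values in pairs.items():
            if key.lower() == AUD_KEY and all(v != "*" for v in _as_list(values)):
                return True
    return False


def permissive_cognito_statements(policy):
    """Indices of Allow statements that trust Cognito Identity without an effective aud Condition."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not ({"sts:assumerolewithwebidentity", "sts:*", "*"} & actions):
            continue
        if _trusts_cognito(stmt) and not _aud_pinned(stmt.get("Condition")):
            flagged.append(i)
    return flagged


def is_permissive(policy):
    return bool(permissive_cognito_statements(policy))


def hardened_policy_document():
    """JSON text for: aws iam update-assume-role-policy --policy-document file://new-role-policy.json"""
    return json.dumps(HARDENED_TRUST_POLICY, indent=2)


if __name__ == "__main__":
    samples = [("permissive", PERMISSIVE_TRUST_POLICY),
               ("wildcard-aud", WILDCARD_AUD_POLICY),
               ("hardened", HARDENED_TRUST_POLICY)]
    for name, policy in samples:
        print(f"{name}: flagged statements = {permissive_cognito_statements(policy)}")
    with open("new-role-policy.json", "w") as fh:   # assumed output file name
        fh.write(hardened_policy_document())
```

Running the script flags statement 0 of the first two samples and nothing in the hardened one; the written file is the kind of document the command line step above expects in place of <NEW_ROLE_POLICY>.json, with the placeholder pool ID replaced by the real identity pool ID.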