AWS IAM role should not have permissive trust with the Cognito Identity service and "FullAccess" permissions
Description
Note: As publicly announced on April 15, 2024, it is no longer possible to assume roles with a trust relationship to the Cognito Identity service cross-account. This detection is available for a few weeks after April 15, 2024 to allow customers to easily identify if any IAM roles were vulnerable in their account.
Each AWS IAM role has a trust policy that defines which principals are allowed to assume the role. A role can be misconfigured when its trust relationship with the Cognito Identity service is not restricted to a specific identity pool: in that case anyone in the world can assume the role, not just the identities that belong to the intended identity pool. If the role also carries high privileges, such as those granted by "FullAccess" AWS managed policies, the impact of a compromise of the role is correspondingly more severe.
Rationale
If an IAM role is misconfigured in this way, it can be used to gain initial access to the AWS account. An adversary who assumes the role then has access to every resource the role's identity policies authorize.
Remediation
Ensure the identified role uses an effective Condition element that restricts who can assume the role through the cognito-identity.amazonaws.com:aud condition key (the identity pool ID).
From the console
- In the AWS Console, navigate to the IAM role you would like to change.
- On the IAM role page, click the Trust relationships tab.
- Click Edit trust policy.
- Make changes to the trust policy to remediate the risk.
- Click Update policy.
From the command line
Use the update-assume-role-policy action to replace the role's trust policy with a remediated one.
aws iam update-assume-role-policy \
  --role-name Test-Role \
  --policy-document file://<NEW_ROLE_POLICY>.json
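The following is an added example, not code from the original page or from AWS: a small Python checker that applies this rule's logic to a trust policy document (does the role trust cognito-identity.amazonaws.com without an effective cognito-identity.amazonaws.com:aud condition?), flags attached "FullAccess" managed policies by name, and produces the remediated policy JSON that can be written to the file passed to update-assume-role-policy. The two trust policies, the identity pool ID and the policy ARNs are constructed sample values; function names are this example's own.

```python
import copy
import json

COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com"
AUD_KEY = "cognito-identity.amazonaws.com:aud"

# Constructed sample: a trust policy that federates Cognito Identity but never
# says WHICH identity pool may assume the role. This is the permissive form.
PERMISSIVE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": COGNITO_PRINCIPAL},
            "Action": "sts:AssumeRoleWithWebIdentity",
        }
    ],
}

# Constructed sample: the same trust, pinned to one identity pool through the
# aud condition key. The pool ID below is a placeholder, not a real pool.
SAMPLE_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
RESTRICTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": COGNITO_PRINCIPAL},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {AUD_KEY: SAMPLE_POOL_ID}},
        }
    ],
}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _trusts_cognito(statement):
    """True when the statement's Federated principal includes Cognito Identity."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return False
    return COGNITO_PRINCIPAL in _as_list(principal.get("Federated"))


def _has_effective_aud_condition(statement):
    """True when a positive condition operator pins the aud key to concrete values.

    Negated operators (StringNotEquals, ...) and Null do not restrict the role to
    a pool, and a bare "*" value matches every pool, so neither counts.
    """
    condition = statement.get("Condition") or {}
    for operator, pairs in condition.items():
        op = operator.lower()
        if not isinstance(pairs, dict) or "not" in op or op == "null":
            continue
        for key, value in pairs.items():
            if key.lower() != AUD_KEY:  # IAM condition keys are case-insensitive
                continue
            values = [str(v) for v in _as_list(value)]
            if values and all(v and v != "*" for v in values):
                return True
    return False


def find_permissive_cognito_statements(trust_policy):
    """Return indexes of Allow statements that trust Cognito Identity without an
    effective aud condition, i.e. the statements this rule would flag."""
    findings = []
    for index, statement in enumerate(_as_list(trust_policy.get("Statement"))):
        if statement.get("Effect") != "Allow" or not _trusts_cognito(statement):
            continue
        if not _has_effective_aud_condition(statement):
            findings.append(index)
    return findings


def is_full_access_policy(policy_arn):
    """Heuristic used by the rule title: AWS managed policies named *FullAccess."""
    return policy_arn.rsplit("/", 1)[-1].endswith("FullAccess")


def remediation_document(trust_policy, identity_pool_id):
    """Return the JSON text for update-assume-role-policy: a copy of the trust
    policy where every offending statement is pinned to identity_pool_id."""
    fixed = copy.deepcopy(trust_policy)
    statements = _as_list(fixed.get("Statement"))
    for index in find_permissive_cognito_statements(trust_policy):
        condition = statements[index].setdefault("Condition", {})
        condition.setdefault("StringEquals", {})[AUD_KEY] = identity_pool_id
    fixed["Statement"] = statements
    return json.dumps(fixed, indent=2)


if __name__ == "__main__":
    # Constructed attached-policy ARNs for the sample role.
    attached = ["arn:aws:iam::aws:policy/AmazonS3FullAccess",
                "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]
    flagged = find_permissive_cognito_statements(PERMISSIVE_TRUST_POLICY)
    print("permissive statements:", flagged)
    print("FullAccess policies:", [a for a in attached if is_full_access_policy(a)])
    if flagged:
        print(remediation_document(PERMISSIVE_TRUST_POLICY, SAMPLE_POOL_ID))
```

Running the script prints the offending statement index and the remediated JSON; redirecting that JSON to a file is what the update-assume-role-policy command above consumes. The checker treats a wildcard or negated aud condition as ineffective, which matches the rule's intent of requiring the role to be bound to a specific identity pool. Trust policies generated by the Cognito console additionally carry a cognito-identity.amazonaws.com:amr condition (authenticated versus unauthenticated identities); that key is not required by this rule, so the checker does not evaluate it.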