AWS IAM role should not have permissive trust with the Cognito Identity service and "FullAccess" permissions

WARNING: This rule is being deprecated on June 24, 2024.

As publicly announced on April 15, 2024, it is no longer possible to assume roles with a trust relationship to the Cognito Identity service cross-account. This detection will remain available for a few weeks so that customers can easily identify whether any IAM roles in their account were vulnerable.

Description

Each AWS IAM role must have a trust policy which defines the principals who are trusted to assume that role. IAM roles can be misconfigured when creating a trust relationship with the Cognito Identity service: if the trust policy does not restrict the trust to a specific identity pool, anyone in the world can assume the role, not just the identities in that pool. If the associated role has high privileges, such as those granted through FullAccess AWS managed policies, the impact of the role's compromise will be more severe.

Rationale

If an IAM role is misconfigured in this way, the role can be used to gain initial access to the AWS account. Additionally, an adversary would gain access to every resource that the role's identity policies authorize it to use.

Remediation

Ensure the identified role's trust policy uses an effective Condition element that restricts who can assume the role via the cognito-identity.amazonaws.com:aud condition key.

From the console

  1. In the AWS Console, navigate to the IAM role you would like to change.
  2. On the IAM role page, click the Trust relationships tab.
  3. Click Edit trust policy.
  4. Make changes to the trust policy to remediate the risk.
  5. Click Update policy.

From the command line

Use the update-assume-role-policy action to update the role trust policy to remediate the risk.

    aws iam update-assume-role-policy \
       --role-name Test-Role \
       --policy-document file://<NEW_ROLE_POLICY>.json
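As an added illustration that is not part of the rule page, the permissive trust policy described above beside the remediated one, with a pure-Python check that reproduces the rule's logic (permissive Cognito trust plus an attached FullAccess managed policy) over a trust policy document and a list of managed policy ARNs; the identity pool ID and the ARNs used in the check are constructed placeholders.

```python
COGNITO = "cognito-identity.amazonaws.com"
AUD_KEY = "cognito-identity.amazonaws.com:aud"

# Constructed sample: trusts the Cognito Identity service with no Condition,
# so a token from any identity pool in any account can assume the role.
PERMISSIVE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

# Same statement with the aud Condition the remediation calls for
# (the identity pool ID below is a placeholder, not a real pool).
RESTRICTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: "us-east-1:00000000-0000-0000-0000-000000000000"}},
    }],
}

def _as_list(value):
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def cognito_statements_without_aud(trust_policy):
    """Return Allow statements that trust Cognito Identity but never name the aud key."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or COGNITO not in federated:
            continue
        # Condition keys are case-insensitive, and any operator block may carry the key.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if AUD_KEY not in keys:
            findings.append(stmt)
    return findings

def is_noncompliant(trust_policy, attached_policy_arns):
    """Rule logic: permissive Cognito trust AND a *FullAccess managed policy attached."""
    full_access = any(arn.rsplit("/", 1)[-1].endswith("FullAccess") for arn in attached_policy_arns)
    return bool(cognito_statements_without_aud(trust_policy)) and full_access
```

Serialising RESTRICTED_TRUST_POLICY with json.dumps gives the contents of the policy file passed to update-assume-role-policy above.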