More Info:

Granting permissions on resource "*" (all resources) should be avoided, or kept to a minimum, in the majority of cases.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, HIPAA, SOC2, NISTCSF, NIST, AWSWAF, ISO27001, HITRUST, CBP

Triage and Remediation

Remediation

To remediate roles that are assumable by Compute services in AWS IAM (the AWS IAM Deep Dive finding), follow these step-by-step instructions in the AWS Management Console:

  1. Sign in to the AWS Management Console using your credentials.
  2. Open the IAM service by searching for “IAM” in the AWS services search bar and selecting it.
  3. In the left navigation pane, click on “Roles” to view the existing roles in your account.
  4. Locate the role that is assumable by Compute services and needs to be remediated. Click on its name to open the role details.
  5. In the “Trust relationships” tab, you will see the role's trust policy document. Click on the “Edit trust relationship” button to modify it.
  6. The trust policy document defines which entities are allowed to assume the role. For a role assumable by Compute services, it might look similar to the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "ecs.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  7. To remediate the misconfiguration, remove the Compute service principals (e.g., “ec2.amazonaws.com”, “ecs.amazonaws.com”, “lambda.amazonaws.com”) from the “Principal” section. Alternatively, replace them with the specific trusted entities that need the role, if necessary.
  8. After making the necessary changes to the trust policy document, click on the “Update Trust Policy” button to save the modifications.
  9. Review the updated trust policy document to ensure that only the intended entities can assume the role.
  10. Repeat the above steps for any other roles that have the same misconfiguration.
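
As an added example (not part of the original page), the audit and the edit of step 7 expressed as code: assumable_by_compute reports which of the Compute service principals named above a trust policy lets assume the role, and remove_compute_principals produces the updated trust policy document, optionally swapping in a specific trusted principal. The COMPUTE_SERVICE_PRINCIPALS set, the function names and the placeholder account ID and role ARN are assumptions; the sample policy is constructed from the document shown above.

```python
import json
# Service principals of the AWS Compute services named on the page; extend the set as needed.
COMPUTE_SERVICE_PRINCIPALS = {"ec2.amazonaws.com", "ecs.amazonaws.com", "lambda.amazonaws.com"}

def _as_list(value):
    """IAM accepts a single string or a list in most policy fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def assumable_by_compute(trust_policy):
    """Audit: return the compute service principals an Allow statement lets assume the role."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # a wildcard trusts everyone, so every compute service too
            return set(COMPUTE_SERVICE_PRINCIPALS)
        if isinstance(principal, dict):
            found |= set(_as_list(principal.get("Service"))) & COMPUTE_SERVICE_PRINCIPALS
    return found

def remove_compute_principals(trust_policy, replacement_principal=None):
    """Step 7 as code: strip compute principals from Allow statements (Deny ones are kept)."""
    policy = json.loads(json.dumps(trust_policy))  # deep copy so the caller's document is unchanged
    kept = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow":
            if principal == "*":
                principal = {}  # never keep a wildcard trust
            elif isinstance(principal, dict) and "Service" in principal:
                principal["Service"] = [s for s in _as_list(principal["Service"])
                                        if s not in COMPUTE_SERVICE_PRINCIPALS]
                principal = {k: v for k, v in principal.items() if v}  # drop an emptied Service key
            if not principal:  # nobody left to trust: drop the statement or use the replacement
                if replacement_principal is None:
                    continue
                principal = replacement_principal  # e.g. {"AWS": "<trusted role ARN>"}
            stmt["Principal"] = principal
        kept.append(stmt)
    policy["Statement"] = kept  # if this ends up empty, nothing can assume the role any more
    return policy

# Constructed sample: the page's policy plus a second statement trusting a placeholder role ARN.
PAGE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": ["ec2.amazonaws.com", "ecs.amazonaws.com", "lambda.amazonaws.com"]}},
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/Deployer"}}]}
```

Apply the returned document with the console's “Update Trust Policy” button only after confirming that no running workload still relies on the removed service principal, since those instances, tasks or functions lose the role's credentials as soon as the trust is gone.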

By following these steps, you will remediate roles assumable by Compute services (the AWS IAM Deep Dive finding) using the AWS Management Console.