AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Roles assumable by Compute services
More Info:
Giving permissions to resource: * (all resources) should be avoided or minimized in majority of the cases.
Risk Level
Medium
Address
Security
Compliance Standards
CISGCP,HIPAA,SCO2,NISTCSF,NIST,AWSWAF,ISO27001,HITRUST,CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of assumable roles by Compute services in AWS, specifically for AWS IAM Deep Dive, you can follow these step-by-step instructions using the AWS Management Console:
- Sign in to the AWS Management Console using your credentials.
- Open the IAM service by searching for “IAM” in the AWS services search bar and selecting it.
- In the left navigation pane, click on “Roles” to view the existing roles in your account.
- Locate the role that is assumable by Compute services and needs to be remediated. Click on its name to open the role details.
- In the “Trust relationships” tab, you will see the “Trust relationships” policy document. Click on the “Edit trust relationship” button to modify it.
- The trust relationship policy document defines which entities are allowed to assume the role. By default, it might look similar to the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"ecs.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
- To remediate the misconfiguration, you need to remove the Compute services (e.g., “ec2.amazonaws.com”, “ecs.amazonaws.com”, “lambda.amazonaws.com”) from the “Principal” section. Alternatively, you can replace them with specific trusted entities if necessary.
- After making the necessary changes to the trust relationship policy document, click on the “Update Trust Policy” button to save the modifications.
- Review the updated trust relationship policy document to ensure that only the intended entities can assume the role.
- Repeat the above steps for any other roles that have the same misconfiguration.
By following these steps, you will remediate the misconfiguration of assumable roles by Compute services in AWS IAM Deep Dive using the AWS Management Console.
To remediate the misconfiguration of roles assumable by Compute services in AWS IAM using AWS CLI, follow these steps:
-
Identify the misconfigured roles:
- Use the AWS CLI command
aws iam list-rolesto list all the roles in your AWS account. - Review the roles and identify the ones that are assumable by Compute services (such as EC2, Lambda, or ECS).
- Use the AWS CLI command
-
Update the trust policy of the affected roles:
- Use the AWS CLI command
aws iam update-assume-role-policyto update the trust policy of each misconfigured role. - Specify the role name using the
--role-nameparameter. - Provide the updated trust policy using the
--policy-documentparameter. - The trust policy should only allow trusted entities (such as specific AWS services or trusted AWS accounts) to assume the role.
- Use the AWS CLI command
-
Example of updating the trust policy:
- Assume that you have a role named “ComputeRole” that is assumable by Compute services.
- Create a JSON file (e.g.,
trust-policy.json) with the updated trust policy. The following is an example of a trust policy allowing only EC2 instances to assume the role:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } - Run the following AWS CLI command to update the trust policy for the “ComputeRole”:
aws iam update-assume-role-policy --role-name ComputeRole --policy-document file://trust-policy.json
-
Repeat step 3 for each misconfigured role identified in step 1.
By following these steps, you can remediate the misconfiguration of roles assumable by Compute services in AWS IAM using the AWS CLI.
To remediate the misconfiguration of roles assumable by Compute services in AWS IAM, you can follow these step-by-step instructions using Python:
-
Identify the affected Compute services: Determine which compute services in your AWS account have roles associated with them.
-
Identify the misconfigured roles: Identify the roles that are currently assumable by the compute services. You can use the AWS SDK for Python (Boto3) to retrieve the list of roles and their associated policies.
-
Review the role permissions: For each misconfigured role, review the permissions granted to it. Ensure that the roles have the least privilege necessary for the compute services to perform their intended tasks.
-
Update the role trust policy: Modify the trust policy of each misconfigured role to restrict the entities that can assume the role. The trust policy should only allow the specific compute services that require the role.
a. Use Boto3 to retrieve the existing trust policy for each role. b. Parse the trust policy document to identify the entities that can assume the role. c. Modify the trust policy document to remove any unnecessary or overly permissive entities. d. Update the trust policy using Boto3’s
update_assume_role_policyAPI. -
Test the remediated role: After updating the trust policy, it is essential to test the role to ensure it still functions as expected. You can create a test script using Python and Boto3 to verify that the compute service can assume the role and perform its intended tasks.
-
Monitor and audit: Regularly review and monitor the roles assumable by compute services to identify any future misconfigurations or unauthorized access attempts. AWS CloudTrail can provide detailed logs and insights into role assumptions.
By following these steps, you can remediate the misconfiguration of roles assumable by Compute services in AWS IAM using Python and ensure that only authorized entities can assume the necessary roles.