AWS_IAM_46
Typically, you use AssumeRole within your account for cross-account access. To follow the least privilege principle, it is recommended NOT to use AssumeRole across ALL accounts: scope the sts:AssumeRole permission to the specific role ARN(s) that actually need to be assumed.
From Portal:
1. Sign in to the AWS Console
2. Navigate to the ‘IAM’ service
3. Identify the reported policy
4. Change the Service element of the policy document to be more restrictive so that it only allows AssumeRole permission on select services.
From TF:
Note: A user with an administrative AWS account can allow another user to assume an IAM role. To do that, you create a new policy and attach it to that user. The policy must include a statement with the Allow effect on the sts:AssumeRole action, plus the Amazon Resource Name (ARN) of the role in a Resource element, as shown in the following example. Users that get the policy, either through group membership or direct attachment, can switch to the specified role.
# Identity policy to attach to the user. An aws_iam_policy resource is used because
# aws_iam_role has no "policy" argument; the JSON document is passed as a heredoc.
resource "aws_iam_policy" "CloudTrailRoleForCloudWatchLogs-management-events" {
  name   = "CloudTrailRoleForCloudWatchLogs-management-events"
  # AssumeRole is allowed only on one named role in one account, not on "*".
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::aws_account_id:role/workdocs_app_role"
    }
  ]
}
EOF
}
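The following Python checker is an added example, not Cloudlytics code or the AWS CLI: it scans an IAM policy document for Allow statements that grant sts:AssumeRole on every role (a bare "*", an account wildcard, or a "role/*" name), which is the condition this check reports. The sample policies WEAK_POLICY and FIXED_POLICY are constructed for illustration; the account id 123456789012 is a placeholder.

```python
import json

# Action values that cover sts:AssumeRole outright (compared case-insensitively).
ASSUME_ROLE_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string, a dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches_assume_role(action):
    """True if an Action entry covers sts:AssumeRole, including prefix wildcards like sts:Assume*."""
    a = action.lower()
    if a in ASSUME_ROLE_ACTIONS:
        return True
    return a.endswith("*") and "sts:assumerole".startswith(a[:-1])


def _is_unrestricted_role_arn(resource):
    """True if the Resource permits assuming any role: "*", any account, or a wildcard role name."""
    r = resource.lower()
    if r == "*":
        return True
    if not r.startswith("arn:aws:iam::"):
        return False
    account, _, path = r[len("arn:aws:iam::"):].partition(":")
    return account == "*" or path.endswith("*")


def find_unrestricted_assume_role(policy_document):
    """Return Sids (or Statement[index]) of Allow statements that let the principal assume any role."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not any(_matches_assume_role(a) for a in _as_list(stmt.get("Action"))):
            continue
        if any(_is_unrestricted_role_arn(r) for r in _as_list(stmt.get("Resource"))):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


# Constructed samples: the reported (weak) form and the remediated form.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyRole", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OneRole", "Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": "arn:aws:iam::123456789012:role/workdocs_app_role"}]}
```

Running find_unrestricted_assume_role over each customer-managed and inline policy pulled with get_policy_version / get_user_policy reproduces the check; an empty list means the policy is scoped to named roles.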
References:
1. https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
2. https://docs.aws.amazon.com/workdocs/latest/developerguide/wd-iam-grantdev.html