IAM AssumeRole on image builder


Due to the security finding "Ensure IAM Service Roles prevents against a cross-service confused deputy attack", I have tried to add SourceArn to the assume role policy below, but the image build failed. Can anyone advise me, please?

```hcl
resource "aws_iam_role" "ec2_img_builder_instance_profile_role" {
  name = "ec2_img_builder_instance_profile_role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : {
          "Service" : ["ec2.amazonaws.com"]
        },
        "Effect" : "Allow",
        "Condition" : {
          "StringLike" : {
            "aws:SourceArn" : "arn:aws:sts::840197580751:assumed-role/*"
          }
        }
      }
    ]
  })
}
```

Reason for failure: Workflow Execution ID: 'wf-5f5fde1b-1985-4995-8ae2-d7d79ed1c885' failed with reason: failed to download the EC2 Image Builder Component 'arn:aws:imagebuilder:ap-east-1:355078150080:component/amazon-cloudwatch-agent-linux/1.0.1/1'. Error - operation error imagebuilder: GetComponent, https response error StatusCode: 403, RequestID: 4aa39afe-d250-4db3-be63-797a5cdb006e, api error AccessDeniedException: User: arn:aws:sts::<account number>:assumed-role/AWSSystemsManagerDefaultEC2InstanceManagementRole/i-01b72a0423b172f69 is not authorized to perform: imagebuilder:GetComponent on resource: arn:aws:imagebuilder:ap-east-1:aws:component/amazon-cloudwatch-agent-linux/1.0.1/1

asked 6 months ago, 246 views
1 Answer

Hello,

I understand that you did a security analysis and identified that your IAM role is not compliant with the rule "Ensure IAM Service Roles prevents against a cross-service confused deputy attack". So you modified the trust policy of the role named "AWSSystemsManagerDefaultEC2InstanceManagementRole" by adding the "aws:SourceArn": "arn:aws:sts::840197580751:assumed-role/*" condition key. But now you are unable to build the image due to the below error.

RequestID: 4aa39afe-d250-4db3-be63-797a5cdb006e, api error AccessDeniedException: User: arn:aws:sts::<account number>:assumed-role/AWSSystemsManagerDefaultEC2InstanceManagementRole/i-01b72a0423b172f69 is not authorized to perform: imagebuilder:GetComponent on resource: arn:aws:imagebuilder:ap-east-1:aws:component/amazon-cloudwatch-agent-linux/1.0.1/1

Please note that the trust policy of an IAM role used by the EC2 service (i.e. ec2.amazonaws.com) cannot be restricted via aws:SourceAccount/aws:SourceArn. This is because these condition keys are not supported by the sts:AssumeRole action when the EC2 service assumes the role. Thus, you are unable to build the image.

That being said, I would like to mention that the cross-service confused deputy problem cannot occur for AssumeRole API calls happening from the context of the EC2 service (i.e. ec2.amazonaws.com). This is because you cannot attach a cross-account IAM role to an EC2 instance directly. Thus you will not be able to retrieve the credentials for an IAM role belonging to another account by leveraging the EC2 instance profile feature.

For example, you cannot attach an IAM role present in account A to an EC2 instance belonging to account B. This way, the EC2 instance will never be able to fetch the cross-account role credentials.

Hope this helps. Please do let me know if you have any further queries or concerns. Have a great day ahead!

AWS
answered 6 months ago
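The answer draws a line between two kinds of service principal in a trust policy: ec2.amazonaws.com, whose instance-profile assumption does not honour aws:SourceArn/aws:SourceAccount (hence the 403 in the question), and other services, where the scanner's confused-deputy finding asks for those keys. The linter below is an added example for this thread, not code from the question, the answer, or AWS; it encodes the answer's claim about ec2.amazonaws.com as a constant, treats "other services should carry a source condition" as an assumption to verify per service, and reconstructs the questioner's policy as a constructed sample input. It also returns the minimal trust policy an instance-profile role actually needs.

```python
"""Lint IAM role trust policies for cross-service confused-deputy condition keys.

Added example for the re:Post thread above; not the question's or answer's code.
Assumptions (verify against AWS documentation for each service principal):
  - ec2.amazonaws.com ignores/breaks on aws:SourceArn and aws:SourceAccount
    in sts:AssumeRole (the answer's claim and the cause of the 403).
  - Other service principals are expected to carry one of those keys
    (this mirrors the scanner finding; support varies by service).
"""
from typing import Any, Dict, List, Set

# Keys that implement the cross-service confused-deputy control.
CONFUSED_DEPUTY_KEYS: Set[str] = {
    "aws:SourceArn", "aws:SourceAccount", "aws:SourceOrgID", "aws:SourceOrgPaths",
}

# Service principals that obtain the role through an instance profile, where
# the condition keys above are not applicable (per the answer in this thread).
INSTANCE_PROFILE_PRINCIPALS: Set[str] = {"ec2.amazonaws.com"}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(statement: Dict[str, Any]) -> Set[str]:
    """Collect every condition key in a statement, regardless of operator."""
    keys: Set[str] = set()
    for _operator, key_values in statement.get("Condition", {}).items():
        keys.update(key_values.keys())
    return keys


def lint_trust_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding string per problematic Allow statement."""
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or AWS-account principals are a different review
        present = _condition_keys(stmt) & CONFUSED_DEPUTY_KEYS
        for service in _as_list(principal.get("Service")):
            if service in INSTANCE_PROFILE_PRINCIPALS and present:
                findings.append(
                    f"statement {index}: {service} trust with {sorted(present)} "
                    "blocks instance-profile role assumption; remove the condition"
                )
            elif service not in INSTANCE_PROFILE_PRINCIPALS and not present:
                findings.append(
                    f"statement {index}: {service} trust has no "
                    "aws:SourceArn/aws:SourceAccount condition; add one if supported"
                )
    return findings


def ec2_instance_profile_trust_policy() -> Dict[str, Any]:
    """Trust policy an EC2 instance-profile role needs: no source conditions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"Service": "ec2.amazonaws.com"},
        }],
    }


# Constructed sample: the questioner's trust policy from the Terraform above.
QUESTIONER_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Principal": {"Service": ["ec2.amazonaws.com"]},
        "Effect": "Allow",
        "Condition": {
            "StringLike": {"aws:SourceArn": "arn:aws:sts::840197580751:assumed-role/*"}
        },
    }],
}

if __name__ == "__main__":
    for name, policy in [("questioner", QUESTIONER_POLICY),
                         ("fixed", ec2_instance_profile_trust_policy())]:
        print(name, lint_trust_policy(policy) or "ok")
```

Running the module reports one finding for the questioner's policy (the ec2.amazonaws.com statement carrying aws:SourceArn) and none for the fixed policy. For a role that a non-EC2 service assumes directly, the same linter flags a missing source condition, which is the finding the original scanner raised.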
