Security Hub: cross-account access warning for SSO and OIDC
I followed the article about how to set up OIDC for IAM:
Works like a charm; however, Security Hub now reports a cross-account access violation.
Same happens when I set up an SSO group in our organisation, attach one of the predefined roles and attach it to the account.
What am I missing here? Do I need to manually modify these permissions? In the case of SSO I am actually not sure how, as the group is intended to provide access to multiple accounts.
Hi, thank you for reaching out.
Most likely you are getting these Security Hub findings from IAM Access Analyzer. If that's true, then in my view it sounds like the zone of trust of IAM Access Analyzer is within the account, not the organization. You may know this, but below is a short description of how IAM Access Analyzer analyzes policies:
Access Analyzer does not examine access logs to determine whether an external entity accessed a resource within your zone of trust. It generates a finding when a resource-based policy allows access to a resource, even if the resource was not accessed by the external entity. Access Analyzer also does not consider the state of any external accounts when making its determination. That is, if it indicates that account 11112222333 can access your S3 bucket, it knows nothing about the state of users, roles, service control policies (SCP), and other relevant configurations in that account. This is for customer privacy – Access Analyzer doesn't consider who owns the other account. It is also for security – if the account is not owned by the Access Analyzer customer, it is still important to know that an external entity could gain access to their resources even if there are currently no principals in the account that could access the resources.
If SSO and OIDC roles are shared within the same organization, then recreating the IAM Access Analyzer zone of trust might help here to expand the trust boundary from an account to an organizational view. Below is a how-to document on the same; effectively, remove the account-level analyzer and create an organization-wide analyzer from the delegated admin account (organization admin account):
This is awesome! I'll give it a go!
I also got this recommendation in a different forum:
archive AWS SSO roles automatically so things like this aren't flagged:
```yaml
MyAnalyzer:
  Type: AWS::AccessAnalyzer::Analyzer
  Properties:
    Type: ORGANIZATION
    AnalyzerName: my-analyzer
    ArchiveRules:
      - RuleName: ArchiveSSORoles
        Filter:
          - Eq:
              - 'false'
            Property: isPublic
          - Contains:
              - aws-reserved/sso.amazonaws.com/AWSReservedSSO
            Property: resource
```
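As an added example (not code from the post or from AWS), here is the same archive rule in the JSON shape the Access Analyzer API accepts, plus a small offline matcher to check which findings the rule would suppress before rolling it out to an organization-wide analyzer. The matcher's eq/neq/contains/exists semantics are assumed to mirror the service, and the sample findings are constructed.

```python
import json

# Same rule as the CloudFormation snippet above, in the inline archive-rule shape
# the Access Analyzer API accepts (create-analyzer --archive-rules / boto3
# create_analyzer(archiveRules=[...])).
ARCHIVE_SSO_ROLES = {
    "ruleName": "ArchiveSSORoles",
    "filter": {
        "isPublic": {"eq": ["false"]},
        "resource": {"contains": ["aws-reserved/sso.amazonaws.com/AWSReservedSSO"]},
    },
}

def _as_text(value):
    # Filter values are strings, so a boolean finding field compares as "true"/"false".
    return json.dumps(value) if isinstance(value, bool) else str(value)

def matches_filter(finding, rule_filter):
    # Local re-implementation (assumed to mirror the service) of the eq/neq/contains/
    # exists criteria; every property in a filter must match (AND).
    for prop, criterion in rule_filter.items():
        present = prop in finding
        if "exists" in criterion and bool(criterion["exists"]) != present:
            return False
        if not present:
            if any(k in criterion for k in ("eq", "neq", "contains")):
                return False
            continue
        value = _as_text(finding[prop])
        if "eq" in criterion and value not in criterion["eq"]:
            return False
        if "neq" in criterion and value in criterion["neq"]:
            return False
        if "contains" in criterion and not any(s in value for s in criterion["contains"]):
            return False
    return True

def would_be_archived(finding, rules=(ARCHIVE_SSO_ROLES,)):
    # True if any archive rule would move this finding straight to "archived".
    return any(matches_filter(finding, rule["filter"]) for rule in rules)

# Constructed findings shaped like Access Analyzer output; account ids are placeholders.
SSO_ROLE_FINDING = {"resourceType": "AWS::IAM::Role", "isPublic": False,
    "resource": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
                "AWSReservedSSO_AdministratorAccess_0123456789abcdef"}
OIDC_ROLE_FINDING = {"resourceType": "AWS::IAM::Role", "isPublic": False,
    "resource": "arn:aws:iam::111122223333:role/GitHubDeployRole"}  # stays active for review
PUBLIC_BUCKET_FINDING = {"resourceType": "AWS::S3::Bucket", "isPublic": True,
    "resource": "arn:aws:s3:::example-bucket"}
```

Archive rules only act on findings generated after the rule exists; findings that are already active have to be archived with the apply-archive-rule API. The OIDC role finding above is deliberately not matched, so a role trusting an external identity provider still surfaces for review.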