Notice about Trust Policy Evaluation changing affecting a Cognito Role

0

Hi,

We received the notice "[Action Required] Change to AWS IAM Role Trust Policy Evaluation" for one of our roles. The notice references this documentation about the change: https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/

The policy that we are notified about was created for Cognito, and is exactly the one shown in bullet point #3 in: https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/

The policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "{{HIDDEN}}"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}

Since I believe this policy was created automatically by Cognito or Amplify, it's really hard to know what the impact will be here and how to fix the issue.

Considering the article https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html still has that exact policy, maybe documentation needs to be updated there?

Appreciate the help.

3 Answers
1

Hey Denis,

The role self-assumption behavior may originate from AWS Amplify if you use that service, which uses Cognito to generate AWS IAM Role sessions for administrative purposes. The AWS Amplify CLI tool performs a self-assume role operation when it performs certain admin actions.

If you're not using AWS Amplify, it could be that someone running code with the credentials from the role in question performed a self-assume-role operation.

For now here is an example role-trust policy that you could use to explicitly allow this behavior:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CognitoAssumeRolePolicy",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<YOUR_COGNITO_AUD_VALUE>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    },
    {
      "Sid": "SelfAssumeRolePolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<YOUR_ROLE_ARN_OR_ID>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

If you need help understanding the self assume role usage from this role, the blog post has some example queries to help find the events. If you're seeing a Role Session Name of 'AmplifyAdmin' for the self assume role events for this role, that would be a strong indicator that the events originated from AWS Amplify's tool.

Newer roles created by Amplify already have the above additional statement included in their role trust policy.

AWS
answered a year ago
0

Thanks,

I very much appreciate the response. We do use Amplify.

Is this a non-issue for Amplify, as Amplify will do things correctly going forward? Or do we need to go back and fix the role or other things done by Amplify in the past for our account?

DenisB
answered a year ago
  • New deployments of Amplify (since roughly mid summer) will have a role trust policy like the above and already be covered. I've been working closely with the Amplify team and while they haven't finalized their rollout plan for pre-existing customers, it's likely that they'll ask you to make that addition to your role trust policy.

0

Jumping in here from the side -

So if you have the part:

{ "Sid": "SelfAssumeRolePolicy", "Effect": "Allow", "Principal": { "AWS": "<YOUR_ROLE_ARN_OR_ID>" }, "Action": "sts:AssumeRole" }

in your Trust relationship tab, you should be covered for the 30th of June?

Hochi
answered 9 months ago
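The two practical questions in this thread are "is this role actually self-assuming, and is that Amplify?" and "does my trust policy now contain the explicit self-assume statement?". The following is an added example (not code from the thread, from AWS, or from Amplify) that answers both offline: it scans CloudTrail-shaped `sts:AssumeRole` records for events where the calling session's role is the same as the target role, counts how many carry the `AmplifyAdmin` session name mentioned in the AWS answer, and checks a trust policy for an Allow statement that names the role's own ARN as an `AWS` principal for `sts:AssumeRole`. The role ARN, identity pool id and the sample events are constructed; the event field names (`userIdentity.sessionContext.sessionIssuer.arn`, `requestParameters.roleArn`, `requestParameters.roleSessionName`) are the standard CloudTrail ones. The policy check only looks for the role's own ARN or a wildcard principal, matching the shape of the answer's `SelfAssumeRolePolicy` statement; account-root delegation is not evaluated.

```python
import json

# Constructed identifiers, not taken from the thread.
ROLE_ARN = "arn:aws:iam::123456789012:role/amplify-example-authRole"
OTHER_ROLE = "arn:aws:iam::123456789012:role/DeployRole"
IDENTITY_POOL = "us-east-1:00000000-0000-0000-0000-000000000000"

# Trust policy in the shape quoted in the question: the Cognito statement only.
COGNITO_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}

# Same policy with the explicit self-assume statement from the AWS answer appended.
WITH_SELF_ASSUME_POLICY = json.loads(json.dumps(COGNITO_ONLY_POLICY))
WITH_SELF_ASSUME_POLICY["Statement"].append({
    "Sid": "SelfAssumeRolePolicy",
    "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN},
    "Action": "sts:AssumeRole",
})


def _as_list(value):
    """IAM allows scalars or lists for Action / Principal values; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_allows_self_assume(policy, role_arn):
    """True if an Allow statement lets role_arn itself call sts:AssumeRole."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if any(p in (role_arn, "*") for p in aws_principals):
            return True
    return False


def self_assume_events(events):
    """Return AssumeRole records where the caller's session role equals the target role."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        params = ev.get("requestParameters", {})
        if issuer and issuer == params.get("roleArn"):
            hits.append({"eventTime": ev.get("eventTime"),
                         "roleArn": issuer,
                         "roleSessionName": params.get("roleSessionName")})
    return hits


def assess(events, policy, role_arn):
    """Summarise self-assume usage of one role and whether its trust policy already allows it."""
    hits = [h for h in self_assume_events(events) if h["roleArn"] == role_arn]
    return {
        "self_assume_count": len(hits),
        "amplify_admin_sessions": sum(1 for h in hits if h["roleSessionName"] == "AmplifyAdmin"),
        "explicitly_allowed": trust_policy_allows_self_assume(policy, role_arn),
    }


def _assume_role_event(issuer_arn, target_arn, session_name, when):
    """Build a CloudTrail-shaped sts:AssumeRole record (constructed sample data)."""
    return {
        "eventTime": when,
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole",
                         "sessionContext": {"sessionIssuer": {"type": "Role", "arn": issuer_arn}}},
        "requestParameters": {"roleArn": target_arn, "roleSessionName": session_name},
    }


# Constructed sample trail: two self-assumptions (one from the Amplify CLI session
# name, one manual) and one ordinary cross-role assumption that must not count.
SAMPLE_EVENTS = [
    _assume_role_event(ROLE_ARN, ROLE_ARN, "AmplifyAdmin", "2023-06-01T10:00:00Z"),
    _assume_role_event(ROLE_ARN, ROLE_ARN, "manual-test", "2023-06-01T11:00:00Z"),
    _assume_role_event(OTHER_ROLE, ROLE_ARN, "ci", "2023-06-01T12:00:00Z"),
]

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_EVENTS, COGNITO_ONLY_POLICY, ROLE_ARN), indent=2))
    print(json.dumps(assess(SAMPLE_EVENTS, WITH_SELF_ASSUME_POLICY, ROLE_ARN), indent=2))
```

Running it against the original Cognito-only policy reports two self-assume events (one of them `AmplifyAdmin`) and `explicitly_allowed: false`; against the policy with the `SelfAssumeRolePolicy` statement it reports `true`. To use it on a real account, feed `self_assume_events` the `Records` array from exported CloudTrail files and `trust_policy_allows_self_assume` the `AssumeRolePolicyDocument` of the role; a role with self-assume events but no explicit statement is the case the notice is about.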
