Is it bad practice to allow my IAM user account to allow AssumeRole to every account (wildcard "*")?

0

I have my AWS Account and I want other people to grant me access to their AWS resources (for example S3). For the following thing to work I want to assume the role that they have created in their accounts. I follow this tutorial - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html?icmpid=docs_iam_console

The problem is that I can't know which users will grant me access to their roles (and their ARNs), so are there any risks, and is it bad (and if yes - why) from a security and technical point of view to allow my user to assume roles from everywhere by adding this policy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": "sts:AssumeRole",
			"Resource": "*"
		}
	]
}
backnot
asked 10 months ago · 676 views
2 Answers
3
Accepted Answer

It's always best to go with the least privilege model and specify only those roles which are required to be assumed. But if your question is more towards cross-account assume role, then this is fine, the reason being that, as long as the other account's role doesn't add this user in its trust relationship, this user would not be able to assume the other account's role anyway.

I've seen developers following this practice to avoid the operational overhead as otherwise, you'll have to add the role every time to this IAM policy when you would need to assume a newly created role in another account. But certainly "*" is not recommended.

Please refer to the following documentation, which talks about this specific topic in great detail.

Hope this information helps.

Comment here if you have additional questions, happy to help.

Abhishek
AWS EXPERT
answered 10 months ago
reviewed by iBehr (AWS EXPERT) 10 months ago
  • Thanks. Are you aware of certain things that a malicious user can do to my account if I allow my account to assume a role in the malicious user's account? It seems like my account is going to control their resources, so I should not be worried about my user.

  • Yes, your understanding is correct. As long as you don't allow any of your account's roles to be assumed by a third party unless verified, you are good. You have the access, not the other party; that account can revoke your access in their account, but that account's role can't access your account.

0

From a general security standpoint, yes, this would not be the most favorable practice.

Best practice would be for the source organization/account to apply the principle of least privilege and only provide access to the services as needed.

It would also be best for auditing/logging and MFA to be enabled on this role. This way users who assume the role must first be authenticated.

Also note – even if the role has AssumeRole permission, the target role must still allow the source role to assume it in the Trust Policy of the role.

Trust Policy info: https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

MFA: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html#MFAProtectedAPI-cross-account-delegation

Roles/Scenarios https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html

Auditing/Logging https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

IAM Best Practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

The proper layers of protection can help to prevent the risk of account misuse, accidental changes to sensitive workloads, and unauthorized activity.

answered 10 months ago
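The point both answers make, as an added example that is not part of either answer or of AWS's own evaluation code: a simplified model of the two checks applied to a cross-account sts:AssumeRole call, where the caller's identity policy (wildcard or scoped) and the target role's trust policy (with the MFA condition the second answer links to) must both allow it. Account IDs, the user name and the role name are constructed; the matcher handles only exact ARNs or a bare "*", with no Deny statements.

```python
# Added example (not from the re:Post thread): a simplified model of the two checks
# AWS applies to a cross-account sts:AssumeRole call. Resource "*" on the caller's
# side grants nothing by itself; the target role's trust policy must also name the
# caller, and any MFA condition on it must hold. Account IDs and names are constructed.
# Simplifications: exact-match or bare "*" only, no Deny statements, no wildcards in ARNs.

CALLER_ARN = "arn:aws:iam::111111111111:user/backnot"
TARGET_ROLE = "arn:aws:iam::222222222222:role/S3ReadOnly"

# The questioner's wildcard identity policy, and the least-privilege alternative.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE}]}

# The other account's role trust policy: only this caller, and only with MFA.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": CALLER_ARN},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def identity_allows(policy, action, resource):
    """Caller side: some Allow statement covers the action and the role ARN ('*' matches all)."""
    return any(st["Effect"] == "Allow"
               and action in _as_list(st["Action"])
               and any(r in ("*", resource) for r in _as_list(st["Resource"]))
               for st in policy["Statement"])

def trust_allows(trust, caller_arn, mfa_present):
    """Role side: the trust policy names the caller (or its account root) and its MFA condition holds."""
    account_root = "arn:aws:iam::" + caller_arn.split(":")[4] + ":root"
    for st in trust["Statement"]:
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        needs_mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if (st["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(st["Action"])
                and (caller_arn in principals or account_root in principals)
                and (mfa_present or not needs_mfa)):
            return True
    return False

def can_assume(caller_arn, target_role, identity, trust, mfa_present=False):
    """AssumeRole succeeds only when both sides allow it."""
    return (identity_allows(identity, "sts:AssumeRole", target_role)
            and trust_allows(trust, caller_arn, mfa_present))
```

With the wildcard policy, `identity_allows` is true for any role ARN in any account, but `can_assume` still fails for every role whose trust policy does not name the caller; the scoped policy gives the same result for the one intended role without that blanket grant.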
