Uncontrolled Access Key Addition in IAM Role Trust Entities - A Security Concern in AWS


Hello everyone,

Recently, I came across an alarming security issue while managing IAM roles in my AWS environment. When updating the trust entities of an IAM role to add a role ARN from a different AWS account, I noticed that an access key was automatically added under the trust entities without my consent or control. This unexpected behavior poses a significant security risk, as unauthorized entities may gain access to sensitive resources within our AWS environment.

During the process of adding a cross-account IAM role ARN to the trust relationship of an IAM role, an access key belonging to an unknown entity was appended to the trusted entities list. This access key appears to be from a third-party source outside our AWS environment.

I would greatly appreciate any insights, suggestions, or troubleshooting tips you can provide.

Thank you in advance for your assistance!

1 Answer
Accepted Answer

That does indeed sound like a potentially serious security concern. However, trust relationships in IAM roles don't typically involve access keys (access key ID and secret access key). Instead, IAM roles work with Amazon Resource Names (ARNs) to define who or what can assume the role.

So, if you see an access key being added to a trust policy, this could be a misunderstanding or potentially a misconfiguration of some sort. It's also possible that there's an issue with the AWS Management Console or the APIs you're using.

Here are a few steps you can take to investigate and mitigate this issue:

  • Review Trust Relationships: Go through the trust policies of your IAM roles carefully and verify each of the entities that have been granted trust. If you see any access key here, it could be an error because IAM role trust policies should contain role ARNs, not access keys.

  • Check Access Key Usage: If you can identify the access key that has been added, you can use the AWS CLI or SDK to call the ListAccessKeys API and identify the user to which the access key belongs. You can then review the access key usage in CloudTrail to see if it's being used maliciously.

  • Delete Unauthorized Access Keys: If you find an access key that should not have been there, make sure to delete it. You can do this from the IAM console or using the DeleteAccessKey API. However, be careful not to delete keys that are in use for valid purposes.

  • Monitor Your Environment: Enable CloudTrail logging for your account to keep track of API calls. This can help you identify any unauthorized changes or suspicious activity.

  • Contact AWS Support: If you're unable to resolve the issue or if you suspect a potential security breach, reach out to AWS Support immediately. They have the tools and access to help identify and address potential security issues.

  • Use IAM Best Practices: Following IAM best practices can prevent many types of security issues. This includes rotating keys regularly, enforcing least privilege, auditing IAM roles and policies frequently, and never sharing access keys.

Remember, an IAM trust policy is a JSON document where you define who can assume the role (the principal). An access key should not be part of a trust policy document, and if it is, it's likely an error or misunderstanding. Be sure to thoroughly review any changes made to your IAM roles and policies.

answered 9 months ago
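To support the "Review Trust Relationships" step in the answer, here is an added example (not code from the question or the answer) that parses a role trust policy document and flags any `AWS` principal that is not an ARN or account ID, classifying it by the well-known IAM unique-ID prefixes. The trust policy it scans is constructed for illustration; the role name, account ID and access key ID in it are placeholders.

```python
import json
import re

# Constructed sample trust policy (placeholder account, role and key ID).
# The second "AWS" principal is the kind of non-ARN value the question describes.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::111111111111:role/deploy-role",
                "AKIAEXAMPLEEXAMPLE01",
            ]},
            "Action": "sts:AssumeRole",
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        },
    ],
})

# Valid "AWS" principal forms: an IAM/STS ARN or a bare 12-digit account ID.
ARN_RE = re.compile(r"^(arn:aws[a-z-]*:(iam|sts)::\d{12}:.+|\d{12})$")

# IAM unique-identifier prefixes as documented by AWS. AWS replaces a deleted
# role's ARN in trust policies with its AROA unique ID, which is easy to
# mistake for an access key ID when reviewing a policy.
PREFIX_HINTS = {
    "AKIA": "access key ID",
    "ASIA": "temporary (STS) access key ID",
    "AROA": "role unique ID (trusted role has since been deleted)",
    "AIDA": "IAM user unique ID",
}

def find_suspicious_principals(policy_json):
    """Return (statement_index, value, reason) for each non-ARN AWS principal."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # bare "*" principal; outside this page's scope
        aws = principal.get("AWS", [])
        for value in ([aws] if isinstance(aws, str) else aws):
            if not ARN_RE.match(value):
                findings.append((idx, value,
                                 PREFIX_HINTS.get(value[:4], "unrecognised non-ARN principal")))
    return findings
```

Run it against the output of `aws iam get-role --query Role.AssumeRolePolicyDocument` for each role; an `AKIA`/`ASIA` hit is the misconfiguration the answer describes, while an `AROA` hit means the trusted cross-account role was deleted and the entry should be removed.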
