Ensure that Amazon IAM roles used to establish a trusted relationship between your AWS account and a third-party entity (also known as cross-account access roles) require Multi-Factor Authentication (MFA) or an external ID to secure access to your resources and to prevent "confused deputy" attacks. The MFA requirement or external ID adds an extra layer of security on top of the role's temporary security credentials and lets external third-party accounts access your AWS resources securely. This rule can be configured with friendly AWS accounts (e.g. 123456789012). This configuration option can be found within the rule settings portion of the Conformity account dashboard.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Increase the security of your cross-account IAM role by requiring either an external ID (similar to a password) or an MFA device to further secure access to your AWS resources and prevent "confused deputy" attacks. This is highly recommended if you do not own or have administrative access to the AWS account that can assume this IAM role. To assume this cross-account role, users must be in the trusted account and provide the exact external ID or the unique passcode generated by the MFA device they have enrolled.
Audit
To determine if the AWS IAM roles that provide cross-account access to your resources use either MFA or external IDs, perform the following:
Remediation / Resolution
To update the trust relationship policies defined for your AWS IAM cross-account roles in order to enable Multi-Factor Authentication (MFA) or external ID support for secure access, perform the following actions:
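As an added example (not part of the Conformity rule or its locked remediation steps), the following Python check parses an IAM role trust policy document, as returned by `get-role`, and reports AWS principals from accounts other than your own or your configured friendly accounts that may assume the role without an `sts:ExternalId` or `aws:MultiFactorAuthPresent` condition. The two policy documents, the account IDs and the external ID value are constructed for this example; the hardened policy is the shape you would pass to `update-assume-role-policy`.

```python
import json
# Constructed weak trust policy: a foreign account may assume the role with no condition.
WEAK_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]})

# Constructed hardened policy: same principal, but the caller must present the agreed
# external ID. Requiring an MFA-backed session instead would use the Condition
# {"Bool": {"aws:MultiFactorAuthPresent": "true"}}.
HARDENED_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """12-digit account ID behind an AWS principal (ARN or bare ID); None for '*'."""
    parts = principal.split(":")
    if len(parts) == 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return principal if principal.isdigit() and len(principal) == 12 else None

def _requires_mfa_or_external_id(condition):
    """True if any condition key demands an external ID or an MFA-authenticated caller."""
    for operands in condition.values():
        for key, value in operands.items():
            if key.lower() == "sts:externalid":
                return True
            if key.lower() == "aws:multifactorauthpresent" and str(value).lower() == "true":
                return True
    return False

def unprotected_cross_account_principals(trust_policy, own_account, friendly_accounts=()):
    """Principals outside own/friendly accounts that can assume the role without MFA/external ID."""
    findings = []
    for stmt in _as_list(json.loads(trust_policy).get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:assumerole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # Principal may be a dict ({"AWS": ...}) or the bare string "*".
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if _account_of(p) in (own_account, *friendly_accounts):
                continue  # same-account or explicitly trusted account: not a finding
            if not _requires_mfa_or_external_id(stmt.get("Condition", {})):
                findings.append(p)
    return findings
```

Run it over each role's `AssumeRolePolicyDocument` from `list-roles`; any principal it returns corresponds to a Medium-risk finding under this rule.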
References
- AWS Documentation
  - AWS IAM FAQs
  - Identities (Users, Groups, and Roles)
  - IAM Roles
  - Tutorial: Delegate Access Across AWS Accounts Using IAM Roles
  - How to Use an External ID When Granting Access to Your AWS Resources to a Third Party
- AWS Command Line Interface (CLI) Documentation
  - iam
  - list-roles
  - get-role
  - update-assume-role-policy
Cross-Account Access Lacks External ID and MFA
Risk level: Medium