Ensure that Amazon IAM roles used to establish a trusted relationship between your AWS account and a third-party entity (also known as cross-account access roles) require Multi-Factor Authentication (MFA) or an external ID to secure access to your resources and to prevent "confused deputy" attacks. The MFA or external ID requirement adds an extra layer of security on top of the role's temporary security credentials and lets external third-party accounts access your AWS resources in a secure way.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Increase the security of your cross-account IAM role by requiring either an external ID (similar to a password) or an MFA device to further secure access to your AWS resources and prevent "confused deputy" attacks. This is highly recommended if you do not own or have administrative access to the AWS account that can assume this IAM role. To assume this cross-account role, users must be in the trusted account and provide either the exact external ID or the unique passcode generated by the MFA device.
To determine if the AWS IAM roles that provide cross-account access to your resources use either MFA or external IDs, perform the following:
To update the trust relationship policies defined for your AWS IAM cross-account roles in order to enable Multi-Factor Authentication (MFA) or external ID support for secure access, perform the following actions:
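The audit and remediation described above both come down to reviewing the role's trust policy. The following Python script is an added example written for this page; it is not Cloud Conformity's own check and not AWS tooling. The account IDs, the external ID value and the policy documents in it are constructed placeholders. It flags every Allow statement that lets a principal outside the trusting account call sts:AssumeRole without an sts:ExternalId condition or an aws:MultiFactorAuthPresent condition set to true, and shows a weak trust policy next to a hardened one that applies each of the two fixes.

```python
import json

# Constructed placeholder for the account that owns the role (the "trusting" account).
OWN_ACCOUNT_ID = "111111111111"

# Constructed sample: a trust policy that fails this rule.
# Account 222222222222 and the Sids are placeholders, not real identifiers.
WEAK_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ThirdPartyNoCondition", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"},
    {"Sid": "MfaConditionSetToFalse", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Sid": "SameAccountNoCondition", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

# Constructed sample: the same third party, now protected by an external ID in one
# statement and by an MFA requirement in the other.
HARDENED_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ThirdPartyWithExternalId", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID-PLACEHOLDER"}}},
    {"Sid": "ThirdPartyWithMfa", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:user/partner-operator"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}
""")

ASSUME_ROLE_ACTIONS = ("sts:AssumeRole", "sts:*", "*")


def _as_list(value):
    """IAM policy grammar allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_cross_account(principal, own_account_id):
    """True if the statement's AWS principal refers to any account other than our own.
    Only the "AWS" principal type is considered; Service/Federated principals are out of scope."""
    if not isinstance(principal, dict):
        return principal == "*"
    for arn in _as_list(principal.get("AWS")):
        if arn == "*":
            return True
        # arn:aws:iam::123456789012:root -> account ID is field 4; bare account IDs are also legal.
        parts = arn.split(":")
        account = parts[4] if len(parts) > 4 else arn
        if account != own_account_id:
            return True
    return False


def _has_protection(condition):
    """True if the condition requires a non-empty external ID or an MFA-backed session."""
    condition = condition or {}
    external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
    if external_id and all(str(v).strip() for v in _as_list(external_id)):
        return True
    # aws:MultiFactorAuthPresent only protects when it is required to be true.
    mfa = condition.get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(mfa).lower() == "true"


def unprotected_statements(trust_policy, own_account_id):
    """Return the Sid (or index) of each Allow statement granting sts:AssumeRole to a
    cross-account principal without an external ID or MFA condition. Empty list = pass."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ASSUME_ROLE_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        if not _is_cross_account(stmt.get("Principal"), own_account_id):
            continue
        if _has_protection(stmt.get("Condition")):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, "->", unprotected_statements(policy, OWN_ACCOUNT_ID) or "pass")
```

Two details worth keeping in a real check: a same-account principal is not flagged, because this rule is about third-party access, and a Bool condition on aws:MultiFactorAuthPresent only counts when it requires true, so the constructed "MfaConditionSetToFalse" statement is reported alongside the statement that has no condition at all.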