Cross-Account Access Lacks External ID and MFA

Risk level: Medium (should be achieved)

Rule ID: IAM-050

Ensure that Amazon IAM roles used to establish a trusted relationship between your AWS account and a third-party entity (also known as cross-account access roles) are using Multi-Factor Authentication (MFA) or external IDs to secure the access to your resources and to prevent "confused deputy" attacks. The MFA/external ID adds an extra layer of security on top of roles temporary security credentials and facilitates external third-party accounts to access your AWS resources in a secure way. This rule can be configured with friendly AWS accounts (e.g. 123456789012). This configuration option can be found within the rule settings portion of the Conformity account dashboard.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Increase the security of your cross-account IAM role by requiring either an optional external ID (similar to a password) or an MFA device to secure further the access to your AWS resources and prevent "confused deputy" attacks. This is highly recommended if you do not own or have administrative access to the AWS account that can assume this IAM role. To assume this cross-account role, users must be in the trusted account and provide the exact external ID or the unique passcode generated by the MFA device installed.

Audit

To determine if the AWS IAM roles that provide cross-account access to your resources use either MFA or external IDs, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the name (link) of the IAM role that you want to examine.

05 On the Summary page, select the Trust relationships tab and verify the following details:

Check Trusted entities list to determine if the role allows cross-account access. If one or more AWS accounts are listed as trusted entities, e.g. , these can assume the role, therefore the selected IAM role provides cross-account access to other AWS accounts. If Trusted entities lists AWS services as identity providers, e.g. , the selected IAM role does not provide cross-account access and the audit process ends here.
Check Conditions section to determine the conditions that define how and when trusted entities can assume the IAM role. The selected cross-account IAM role lacks MFA-based protection and external ID support if the following conditions are met:
- The conditions listed within Conditions section does not include aws:MultiFactorAuthPresent key (representing Multi-Factor Authentication protection) or sts:ExternalId key (representing external ID-based access).
- The conditions listed include aws:MultiFactorAuthPresent key or sts:ExternalId key but the aws:MultiFactorAuthPresent key value is set to false or sts:ExternalId key does not have any value set.

06 Repeat steps no. 3 – 5 to determine if other AWS IAM roles, available in the current region, provide cross-account access using either MFA-based protection or external IDs support.

07 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) to list the names of all IAM roles available within your AWS account:

aws iam list-roles
	--output table --query 'Roles[*].RoleName'

02 The command output should return information about the requested names:

----------------------------------
|            ListRoles           |
+--------------------------------+
|  cc-cross-account-iam-role     |
|  cc-ec2-admin-role             |
|  cc-prod-manager-role          |
+--------------------------------+

03 Run get-role command (OSX/Linux/UNIX) using the name of the IAM role that you want to examine to describe the policy that grants an entity permission to assume the selected role:

aws iam get-role
	--role-name cc-cross-account-iam-role
	--query 'Role.AssumeRolePolicyDocument'

04 The command output should return the trust policy (JSON format) for the selected role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

05 Based on the policy document information returned at the previous step, verify the following details:

Check the JSON document to determine if the role allows cross-account access. If one or more AWS accounts are listed as trusted entities, e.g. "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, as shown in the example above, these can assume the role, therefore the selected IAM role provides cross-account access to other AWS accounts. Otherwise, if the policy document lists AWS services as identity providers, e.g. "Principal": { "Service": "ec2.amazonaws.com" }, the selected IAM role does not provide cross-account access and the AWS CLI audit process ends here.
Check Condition element (block) to determine the conditions that define how and when trusted entities can assume the IAM role. If the policy document returned does not have any Condition elements defined, as shown in the example above, the AWS CLI audit process ends here. If there are Condition elements defined, check the elements block(s) for MFA and external ID support. The selected cross-account IAM role lacks MFA-based protection and external ID support if the following conditions are met:
- The conditions listed within Condition block(s) does not include the aws:MultiFactorAuthPresent key (Multi-Factor Authentication protection) or sts:ExternalId key (external ID support).
- The conditions listed include aws:MultiFactorAuthPresent key or sts:ExternalId key but the aws:MultiFactorAuthPresent key value is set to false (i.e. "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "false" } }) or sts:ExternalId key does not have any value set (i.e. "Condition": { "StringEquals": { "sts:ExternalId": "" } }).

06 Repeat steps no. 3 – 5 to determine if other AWS IAM roles, available in the current region, provide cross-account access using either MFA-based protection or external IDs support.

07 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To update the trust relationship policies defined for your AWS IAM cross-account roles in order to enable Multi-Factor Authentication (MFA) or external ID support for secure access, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the name (link) of the cross-account IAM role that you want to reconfigure (see Audit section part I to identify the right resource).

05 On the Summary page, select the Trust relationships tab and click Edit trust relationship button to initiate the update process.

06 On the Edit trust relationship page, add one of the following blocks to the existing policy:

To enable Multi-Factor Authentication (MFA) to ensure that the users in the trusted account provide the passcode generated by the MFA device upon accessing your AWS resources, add the following Condition element block: "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" }, to the policy statement. Once updated, the trust policy document for the selected IAM role, should look like this:
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            },
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            }
        }
    ]
}
```
To enable external ID support to make sure that the users within the trusted AWS account provide the required ID (passphrase) upon accessing your AWS resources, add the following Condition element block: "Condition": { "StringEquals": { "sts:ExternalId": "<external_id>" }, then replace <external_id> with your own passphrase. Once updated, the policy document for the selected IAM role, should look like this:
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<external_id>"
                }
            },
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            }
        }
    ]
}
```

(Optional) To enable both MFA and external ID support for the selected AWS IAM cross-account role, add the following Condition element block: "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" }, "StringEquals": { "sts:ExternalId": "<external_id>" } }, to the policy statement. Once updated, the policy document defined for the role, should look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                },
                "StringEquals": {
                    "sts:ExternalId": "<external_id>"
                }
            },
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            }
        }
    ]
}

Click Update Trust Policy to apply the policy changes.

07 Repeat steps no. 4 – 6 to enable MFA/external ID support for other Amazon IAM cross-account roles, available in the current region.

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Redefine the trust relationship policy for the selected AWS IAM role (see Audit section part II to identify the right resource), to enable MFA/external ID support and save it in a JSON file named cross-account-role-trust-policy.json. Based on the feature that you want to set up, add one of the following element blocks to the existing policy:

To enable Multi-Factor Authentication (MFA) to ensure that the users in the trusted account provide the passcode generated by the MFA device upon accessing your AWS resources, add the following Condition element block: "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" }. Once redefined, the trust policy document for the selected IAM role, should look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            },
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            }
        }
    ]
}

To enable external ID support to make sure that the users within the trusted AWS account provide the required ID (passphrase) upon accessing your AWS resources, add the following Condition element block: "Condition": { "StringEquals": { "sts:ExternalId": "<external_id>" }, then replace <external_id> with your own passphrase. Once redefined, the trust policy document for the selected role, should look like this:
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<external_id>"
                }
            },
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            }
        }
    ]
}
```

(Optional) To enable both MFA and external ID support for the selected AWS IAM cross-account role, add the following Condition element block: "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" }, "StringEquals": { "sts:ExternalId": "<external_id>" } }. Once redefined, the trust policy for the selected AWS IAM role, should look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                },
                "StringEquals": {
                    "sts:ExternalId": "<external_id>"
                }
            },
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            }
        }
    ]
}

02 Run update-assume-role-policy command (OSX/Linux/UNIX) to update the trust policy defined at the previous step (i.e. cross-account-role-trust-policy.json) for the selected Amazon IAM cross-account role (the command does not produce an output):

aws iam update-assume-role-policy
	--role-name cc-cross-account-iam-role
	--policy-document file://cross-account-role-trust-policy.json

03 Repeat step no. 1 and 2 to enable MFA/external ID support for other Amazon IAM cross-account roles, available in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

AWS Command Line Interface (CLI) Documentation
iam
list-roles
get-role
update-assume-role-policy

AWS Blog(s)
How to Use External ID When Granting Access to Your AWS Resources

Publication date Feb 13, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Cross-Account Access Lacks External ID and MFA

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related IAM rules