Ensure that your Amazon Identity and Access Management (IAM) roles are configured to be used only by trusted (friendly) AWS accounts in order to protect against unauthorized cross-account access. Prior to running this rule by the Cloud Conformity engine, the list with the friendly AWS accounts identifiers (e.g. 123456789012) must be configured within the rule settings, on the Cloud Conformity account dashboard.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing unknown cross-account access to your IAM roles will enable foreign accounts to assume these roles and gain control over your AWS services and resources. To prevent unauthorized cross-account access, allow only trusted entities to assume your Amazon IAM roles by implementing the appropriate policies.
To determine if there are any IAM roles configured to allow unknown cross-account access, available in your AWS cloud account, perform the following actions:
Remediation / Resolution
To update your IAM roles trust policy in order authorize only trusted (friendly) AWS accounts to assume these roles, regardless of MFA/external ID support, perform the following actions:
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Check for Untrusted Cross-Account IAM Roles
Risk level: Medium