json.aws.security.wildcard-assume-role.wildcard-assume-role

Author
unknown
Detected wildcard access granted to sts:AssumeRole. A trust policy statement with "Effect": "Allow", "Action": "sts:AssumeRole" and "Principal": {"AWS": "*"} lets any AWS principal in any account assume the role; all an attacker needs is your account ID and the role name, both of which can be enumerated. Instead, limit the trust to a specific identity in your account, for example arn:aws:iam::<account_id>:root, which restricts the role to principals in that account whose own IAM policies allow sts:AssumeRole. Note that the pattern does not inspect Condition blocks, so a wildcard principal narrowed by a condition such as sts:ExternalId or aws:PrincipalOrgID is still reported and needs manual review.
Definition
rules:
  - id: wildcard-assume-role
    patterns:
      - pattern-inside: |
          "Statement": [...]
      - pattern-inside: |
          {..., "Effect": "Allow", ..., "Action": "sts:AssumeRole", ...}
      - pattern: |
          "Principal": {..., "AWS": "*", ...}
    message: "Detected wildcard access granted to sts:AssumeRole. This means anyone
      with your AWS account ID and the name of the role can assume the role.
      Instead, limit to a specific identity in your account, like this:
      `arn:aws:iam::<account_id>:root`."
    metadata:
      cwe:
        - "CWE-250: Execution with Unnecessary Privileges"
      category: security
      technology:
        - aws
      references:
        - https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
      owasp:
        - A06:2017 - Security Misconfiguration
        - A05:2021 - Security Misconfiguration
      subcategory:
        - vuln
      likelihood: HIGH
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - json
    severity: ERROR
Examples
wildcard-assume-role.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      // ruleid: wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Deny",
      // ok: wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      // ok: wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject"
    },
    {
      "Effect": "Allow",
      // ok: wildcard-assume-role
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
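The same check as a stand-alone script, added here as an example; it is not part of the Semgrep rule or its test file above. It reproduces the rule's logic (Allow + sts:AssumeRole + wildcard AWS principal) in Python and goes slightly beyond it: it also catches the string form "Principal": "*", list-valued "AWS" principals and list-valued "Action" fields, reports whether a Condition block narrows the statement, and rewrites flagged principals to the account-root ARN that the rule message recommends. The function names, the 12-digit account ID and the sample policy are constructed for this example (the policy is modelled on wildcard-assume-role.json, with one extra conditioned statement).

```python
"""Checker for the wildcard-assume-role misconfiguration in IAM trust policies.

Added example, not the Semgrep rule's own code. Generalises the rule slightly
(string-form principals, list-valued Action/AWS fields, Condition reporting).
"""
import json
import re
from typing import Any, Dict, List

# Actions that let a principal assume the role. IAM action names are
# case-insensitive, so everything is compared in lower case.
ASSUME_ROLE_ACTIONS = {"sts:assumerole", "sts:*", "*"}

# Constructed sample policy: statements 0 and 4 should be flagged, 1-3 should not.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:PutObject"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "sts:AssumeRole"},
        {"Sid": "ThirdParty", "Effect": "Allow", "Principal": "*",
         "Action": ["sts:AssumeRole", "sts:TagSession"],
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    ],
})


def _as_list(value: Any) -> List[Any]:
    """IAM allows most policy fields to be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    """True for "Principal": "*" and for "Principal": {"AWS": "*"} (or "*" in an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_wildcard_assume_role(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement that lets any AWS principal assume the role."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with a wildcard principal is harmless (see the "ok" cases)
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ROLE_ACTIONS:
            continue  # wildcard principals on other actions are outside this rule's scope
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append({
            "statement_index": index,
            "sid": stmt.get("Sid"),
            "actions": sorted(actions),
            # A Condition (e.g. on sts:ExternalId or aws:PrincipalOrgID) narrows the trust.
            # Like the Semgrep rule, we still report it; the flag lets a reviewer triage it.
            "has_condition": "Condition" in stmt,
        })
    return findings


def restrict_to_account(policy_json: str, account_id: str) -> str:
    """Replace each flagged wildcard principal with the account-root ARN the rule
    message recommends and return the rewritten policy as JSON text."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    policy = json.loads(policy_json)
    flagged = {f["statement_index"] for f in find_wildcard_assume_role(policy_json)}
    statements = _as_list(policy.get("Statement"))
    for index in flagged:
        statements[index]["Principal"] = {"AWS": f"arn:aws:iam::{account_id}:root"}
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for finding in find_wildcard_assume_role(SAMPLE_TRUST_POLICY):
        print("wildcard-assume-role:", finding)
    print(restrict_to_account(SAMPLE_TRUST_POLICY, "123456789012"))
```

Run it against a real trust policy with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` piped into `find_wildcard_assume_role`; the rewrite in `restrict_to_account` is a starting point only, since the right principal is usually a specific role or user ARN rather than the whole account root.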
Short Link: https://sg.run/7YEZ