AWS IAM policy does allow assume role permission across all services

Description

An IAM role in AWS represents an identity with a defined set of permissions. It is conceptually similar to an IAM user but is designed to be assumed by trusted entities (such as users, services, or applications). The permissions attached to a role determine the allowed and denied actions within AWS. When a user assumes a role, they are granted temporary security credentials, which provide limited, session-based access to the resources and actions specified by the role’s policies.

It is recommended to define fine-grained roles tailored to specific services or principals. For example, when configuring an AWS service role, it is best practice to assign only the permissions necessary for that service to access the required AWS resources. Additionally, specifying a Principal in the role's trust policy enables precise control over which entities are permitted to assume the role or perform actions on resources. The primary advantage of naming Principals explicitly is that it avoids wildcards (e.g., "*"), which can inadvertently grant broad, unregulated access to AWS resources; restricting the trust policy improves the overall security posture of your AWS environment.
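As an added example (not code from the original page or from any scanner), the following Python check applies the rule above to a role's trust policy document: it flags Allow statements that grant sts:AssumeRole to a wildcard Principal, whether written as the bare string "*" or as "*" inside an AWS, Service or Federated map. The two sample trust policies are constructed for illustration.

```python
"""Flag IAM role trust policies that let any principal assume the role."""
from typing import Any

# Constructed sample trust policies (not taken from the original page).
WILDCARD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}
    ],
}
SCOPED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::123456789101:root", "123456789101"]},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value: Any) -> list:
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or for any map value (AWS/Service/Federated) equal to "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_open_assume_role(trust_policy: dict) -> list[int]:
    """Return the indexes of Allow statements granting sts:AssumeRole to any principal."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        grants_assume = bool(actions & {"sts:assumerole", "sts:*", "*"})
        if grants_assume and _principal_is_wildcard(stmt.get("Principal")):
            findings.append(idx)
    return findings


if __name__ == "__main__":
    print("wildcard policy findings:", find_open_assume_role(WILDCARD_TRUST))
    print("scoped policy findings:  ", find_open_assume_role(SCOPED_TRUST))
```

A wildcard Principal paired with a Condition block (for example an OIDC audience check) is still reported here; review such statements by hand rather than treating the flag as a false positive.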

Fix - Runtime

CloudFormation

  • Resource: AWS::IAM::Role
  • Argument: Properties.AssumeRolePolicyDocument.Statement
Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      ...
      AssumeRolePolicyDocument:
        ...
        Statement:
          - Effect: "Allow"
            # Name the principals allowed to assume the role instead of using "*"
            Principal:
              AWS:
                - arn:aws:iam::123456789101:root
                - 123456789101