AWS IAM

Cross-Account Access External ID and MFA With Roles

This plugin ensures that access to AWS IAM roles is gated by either MFA (multi-factor authentication) or an external ID.

Risk Level: MEDIUM

Description: 

This plugin ensures that access to AWS IAM roles is gated by either MFA (multi-factor authentication) or an external ID. Each IAM role that can be assumed from another account should either require a shared external ID or require an MFA device in its trust policy.

PingSafe strongly recommends updating the IAM role to either require MFA or use an external ID.

About the Service:

AWS Identity and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM you can create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.

Policies can be reviewed and tightened so that only the required services and actions are accessible, which brings the account closer to the principle of least privilege.

Impact:

If access to an AWS IAM role is not gated by either MFA (multi-factor authentication) or an external ID, the resources behind it are not secure and the role becomes a door to "confused deputy" attacks, in which a third party is tricked into assuming the role on an attacker's behalf.

Steps to reproduce:

To determine whether the AWS IAM roles that provide cross-account access to your resources require MFA or an external ID:

  1. Sign in to the AWS Management Console.
  2. Navigate to the “IAM” dashboard.
    https://console.aws.amazon.com/iamv2/
  3. Select “Roles” from the panel on the left.
  4. Click on the name of the IAM role that you want to examine.
  5. Select the “Trust relationships” tab on the “Summary” page.
  6. Check the Trusted entities list to determine whether the role allows cross-account access. If the Trusted entities list contains only AWS services or identity providers, the selected IAM role does not provide cross-account access to other AWS accounts. If one or more AWS accounts are listed as trusted entities, the selected IAM role provides cross-account access to those accounts.
  7. Check the Conditions section to discover how and when the trusted entities can assume the IAM role. If either of the following criteria is satisfied, the cross-account IAM role is not protected by MFA or an external ID:
    1. The conditions do not include the “aws:MultiFactorAuthPresent” key or the “sts:ExternalId” key.
    2. The conditions include the “aws:MultiFactorAuthPresent” key or the “sts:ExternalId” key, but “aws:MultiFactorAuthPresent” is set to false and “sts:ExternalId” does not have any value set.
  8. Repeat the steps for the other AWS IAM roles.

Steps for remediation:

  1. Sign in to the AWS Management Console.
  2. Navigate to the “IAM” dashboard.
    https://console.aws.amazon.com/iamv2/
  3. Select “Roles” from the panel on the left.
  4. Click on the name of the IAM role that you want to remediate.
  5. Select the “Trust relationships” tab on the “Summary” page and click “Edit trust relationship”.
  6. Add one of the following to the existing policy:
    1. To require Multi-Factor Authentication (MFA), add the Condition element block "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } to the policy statement.
      In the “Statement” add the following:
      {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Condition": {
              "Bool": {
                  "aws:MultiFactorAuthPresent": "true"
              }
          },
          "Principal": {
              "AWS": "arn:aws:iam::123456789012:root"
          }
      }
    2. To require an external ID, add the Condition element block "Condition": { "StringEquals": { "sts:ExternalId": "<external_id>" } } to the policy statement, then replace <external_id> with your own passphrase.
      In the “Statement” add the following:
      {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Condition": {
              "StringEquals": {
                  "sts:ExternalId": "<external_id>"
              }
          },
          "Principal": {
              "AWS": "arn:aws:iam::123456789012:root"
          }
      }
  7. To apply the policy changes click “Update Trust Policy”.
  8. Repeat steps to enable MFA/external ID support for other AWS cross-account roles.
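The step 7 criteria can be applied programmatically to a role's trust policy document (for example the dictionary returned by boto3's iam.get_role(...)['Role']['AssumeRolePolicyDocument']). The following Python is an added example, not the plugin's own code; the sample policies are constructed here from the remediation statements above and use the page's placeholder account ID.

```python
# Constructed sample trust policies (not taken from a real account).
TRUST_NO_CONDITION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}
TRUST_MFA_FALSE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
TRUST_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-passphrase"}}}]}
TRUST_SERVICE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ec2.amazonaws.com"}}]}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_is_protected(stmt):
    """True if the Condition requires MFA or a non-empty ExternalId (step 7 criteria)."""
    for operator, pairs in stmt.get("Condition", {}).items():
        op = operator.lower()  # IAM condition operators and keys are case-insensitive
        for key, value in pairs.items():
            key = key.lower()
            if key == "aws:multifactorauthpresent" and op == "bool" \
                    and str(value).lower() == "true":
                return True
            if key == "sts:externalid" and op == "stringequals" \
                    and _as_list(value) and all(str(v).strip() for v in _as_list(value)):
                return True
    return False


def unprotected_cross_account_statements(policy):
    """Return the Allow statements that grant sts:AssumeRole to an AWS account
    principal without an MFA or ExternalId condition. Statements whose only
    principals are services (EC2, Lambda, ...) are not cross-account and are skipped."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        accounts = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if accounts and not _statement_is_protected(stmt):
            findings.append(stmt)
    return findings
```

A role is flagged when the function returns a non-empty list; a policy that trusts "*" as its principal is treated as cross-account as well.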
