AWS IAM role with administrative privileges has an external cross-account trust relationship

문서 > Datadog 보안 > OOTB Rules > AWS IAM role with administrative privileges has an external cross-account trust relationship

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

This rule ensures that none of your IAM roles have highly-privileged policies or administrative policies attached to them and a trust policy to an external AWS account.

Rationale

An IAM role with highly privileged or administrative permissions can access all AWS services and resources in the account. A role with these privileges could potentially, whether unknowingly or purposefully, cause security issues or data leaks. Roles with these level of access may also be targeted by an adversary to compromise the entire AWS account. When a role has a trust relationship with an account outside of your AWS organization, if that account is compromised by an adversary, they will have a direct path to assume a highly privileged role in your AWS account.

Remediation

Datadog recommends reducing the permissions attached to an IAM role to the minimum necessary for it to fulfill its function. You can use AWS Access Advisor to identify effective permissions used by your instances, and use AWS IAM Access Analyzer to generate an IAM policy based on past CloudTrail events.

Any roles with trust relationships to AWS accounts outside of your AWS organization should be audited to ensure their validity and compliance with any security requirements set in place by your organization.