IAM roles should not have a trust policy that contains a wildcard principal

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

Each IAM role must have a trust policy which defines the principals who are trusted to assume that role. It is possible to specify a wildcard principal which permits any principal, including those outside your organization, the ability to assume the role. It is strongly discouraged to use the wildcard principal in a trust policy unless there is a Condition element to restrict access.

Rationale

A trust policy with a wildcard principal permits any AWS account the ability to assume the role. It is therefore discouraged.

Remediation

Ensure the identified role does not have a principal value of "AWS": "*". If a wildcard principal is necessary, use a Condition element to restrict access. Follow the AWS documentation to properly scope the Principal policy element.

From the console

  1. In the AWS Console, navigate to the IAM role you would like to change.
  2. On the IAM role page, click the Trust relationships tab.
  3. Click Edit trust policy.
  4. Make changes to the trust policy to remediate the risk.
  5. Click Update policy.

From the command line

Use the update-assume-role-policy action to update the role trust policy to remediate the risk.

aws iam update-assume-role-policy
   --role-name Test-Role
   --policy-document file://<NEW_ROLE_POLICY>.json
PREVIEWING: rtrieu/product-analytics-ui-changes