
Sufficient IAM Roles Using Safe Trust Conditions

Overview

This check verifies that more than two IAM roles that are not associated with an EC2 instance profile use one or more of the following global condition keys in their trust policies (the policy that governs sts:AssumeRole):

  • aws:PrincipalOrgID – to ensure the principal belongs to your AWS Organization
  • aws:PrincipalIsAWSService – to ensure the principal is an AWS service
  • aws:ViaAWSService – to indicate whether the request is made on your behalf by an AWS service
  • aws:SourceIp – to restrict access to specific IP addresses or CIDR ranges

By employing these condition keys in the trust policies of IAM roles, you add a layer of security that supports a data perimeter, in line with the practices AWS recommends for safeguarding your resources against unauthorized access. Roles attached to EC2 instance profiles are excluded because their trust policy must name the ec2.amazonaws.com service principal and cannot meaningfully carry these caller-scoping conditions. Note that aws:SourceIp only constrains the caller of sts:AssumeRole; requests that reach STS through a VPC endpoint carry aws:VpcSourceIp rather than aws:SourceIp, so a role assumed from inside a VPC may need that key instead.
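The following is an added example of how this check can be evaluated; it is not the product's own implementation. It scans each role's trust policy for the condition keys listed above (case-insensitively, as IAM compares them), skips any role that belongs to an instance profile, and passes when more than two roles remain. The role names, account ID, organization ID and CIDR in the sample data are constructed for illustration; the threshold of three and the decision to count a key in any statement (Allow or Deny) are assumptions. The fetch_live_inputs helper shows how the same inputs are obtained with boto3.

```python
import json

# Condition keys the check looks for, lowercased because IAM matches keys case-insensitively.
SAFE_TRUST_CONDITION_KEYS = {
    "aws:principalorgid",
    "aws:principalisawsservice",
    "aws:viaawsservice",
    "aws:sourceip",
}

# Constructed sample data standing in for iam:ListRoles output (names and IDs are made up).
SAMPLE_ROLES = [
    {"RoleName": "OrgAuditRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}},
    {"RoleName": "ServiceCallerRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement":
        # A single statement may be a dict rather than a list; the scanner handles both.
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
         "Condition": {"Bool": {"aws:PrincipalIsAWSService": "true"}}}}},
    {"RoleName": "VpnAdminRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}},
    {"RoleName": "ThirdPartyRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        # Has a condition, but not one of the keys this check credits.
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}},
    {"RoleName": "EC2WebServerRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        # Uses a credited key but sits in an instance profile, so it is excluded.
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}},
]
# Constructed stand-in for the role names found under iam:ListInstanceProfiles.
SAMPLE_INSTANCE_PROFILE_ROLES = {"EC2WebServerRole"}


def _condition_keys(trust_policy):
    """Yield every condition key used anywhere in a trust policy document."""
    if isinstance(trust_policy, str):  # raw JSON if taken from a URL-decoded API response
        trust_policy = json.loads(trust_policy)
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for statement in statements:
        for _operator, keys in (statement.get("Condition") or {}).items():
            yield from keys


def uses_safe_trust_condition(trust_policy):
    """True if the trust policy uses at least one of the credited condition keys."""
    return any(key.lower() in SAFE_TRUST_CONDITION_KEYS for key in _condition_keys(trust_policy))


def roles_with_safe_trust_conditions(roles, instance_profile_role_names):
    """Names (sorted) of non-instance-profile roles whose trust policy uses a credited key."""
    return sorted(
        role["RoleName"]
        for role in roles
        if role["RoleName"] not in instance_profile_role_names
        and uses_safe_trust_condition(role["AssumeRolePolicyDocument"])
    )


def check_passes(roles, instance_profile_role_names, minimum=3):
    """The check passes when more than two qualifying roles exist (assumed threshold: 3)."""
    return len(roles_with_safe_trust_conditions(roles, instance_profile_role_names)) >= minimum


def fetch_live_inputs():
    """Collect the real inputs with boto3 (needs iam:ListRoles and iam:ListInstanceProfiles)."""
    import boto3  # imported here so the offline sample path needs no AWS SDK installed
    iam = boto3.client("iam")
    roles = [r for page in iam.get_paginator("list_roles").paginate() for r in page["Roles"]]
    instance_profile_roles = {
        role["RoleName"]
        for page in iam.get_paginator("list_instance_profiles").paginate()
        for profile in page["InstanceProfiles"]
        for role in profile["Roles"]
    }
    return roles, instance_profile_roles


if __name__ == "__main__":
    qualifying = roles_with_safe_trust_conditions(SAMPLE_ROLES, SAMPLE_INSTANCE_PROFILE_ROLES)
    print("qualifying roles:", qualifying)
    print("check passes:", check_passes(SAMPLE_ROLES, SAMPLE_INSTANCE_PROFILE_ROLES))
```

Against the sample data the scan credits OrgAuditRole, ServiceCallerRole and VpnAdminRole; ThirdPartyRole fails because sts:ExternalId is not one of the credited keys, and EC2WebServerRole is skipped despite its aws:SourceIp condition because it belongs to an instance profile. To run it against a real account, replace the sample inputs with the tuple returned by fetch_live_inputs().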

Vendor

AWS

Cloud Service

IAM

CSMM v1 IAM-05.1

Severity

2

Item Types

Custom::AWS::IAM::Account