Change to IAM Role Policy Configuration
Overview
This detector will create an issue when one or more policies that apply to an IAM role are added or removed. It will also create an issue when an inline policy is created, updated, or deleted.
There are two types of policies that apply to an IAM role:
- Identity-based permissions policies determine what actions can be performed with the role.
  - Identity-based permissions policies are frequently referred to as "IAM policies", although they are not the only type of policy relevant to IAM.
  - Note: Changes to the content of managed policies are not monitored by this detector.
- Role Trust Policies determine what AWS services, and which users / resources from other AWS accounts, are allowed to assume the role and perform actions, as defined by the identity-based permissions policies that apply to the role.
  - The AWS User Guide, Management Console, and other documentation refer to the Role Trust Policy as the "AssumeRolePolicy", "Trust Relationship", "Role Trust Policy", and "Trust Policy" in various places.
  - You can view the Role Trust Policy for an IAM role by navigating to the role in the IAM console and then selecting the Trust relationships tab.
A change could consist of one or more of the following CloudTrail events:
- Updating a Role Trust Policy: 'UpdateAssumeRolePolicy'
- Adding or updating an inline permission policy: 'PutRolePolicy'
- Deleting an inline permission policy: 'DeleteRolePolicy'
- Attaching a managed permission policy: 'AttachRolePolicy'
- Detaching a managed permission policy: 'DetachRolePolicy'
Issues are automatically resolved after a configurable duration, so that later changes to this role's policy configuration will periodically create new issues rather than being folded into a stale one.
Changes to Role Trust Policies deserve particular attention, because they can permit other AWS accounts and their users to assume the role. Such a change could indicate persistence through the creation of a cross-account trust relationship, in addition to privilege escalation.
Changes to identity-based permissions policies could be an indication of privilege escalation.
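The following is an added example, not part of this detector's documentation or code, showing how the logic described above can be expressed over CloudTrail records: it matches the five event names listed, and for 'UpdateAssumeRolePolicy' additionally reports any principal in the new trust policy that lies outside the monitored account (the cross-account case called out above). It assumes CloudTrail delivers `requestParameters.policyDocument` as a JSON string; the sample records and account ids are constructed.

```python
import json
import re

# The CloudTrail eventNames this detector keys on, mapped to a short description.
ROLE_POLICY_EVENTS = {
    "UpdateAssumeRolePolicy": "trust policy updated",
    "PutRolePolicy": "inline policy created or updated",
    "DeleteRolePolicy": "inline policy deleted",
    "AttachRolePolicy": "managed policy attached",
    "DetachRolePolicy": "managed policy detached",
}

def foreign_principals(trust_policy: str, own_account: str) -> list:
    """AWS principals in an Allow statement that are outside own_account ('*' counts as foreign)."""
    statements = json.loads(trust_policy).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = []
    for stmt in statements:
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])  # service principals are ignored
        for p in ([aws] if isinstance(aws, str) else aws):
            acct = re.search(r"\d{12}", p)  # account id inside an ARN or a bare account id
            if stmt.get("Effect") == "Allow" and (acct is None or acct.group() != own_account):
                found.append(p)
    return found

def evaluate(event: dict, own_account: str):
    """Return a finding for one CloudTrail record if it changes a role's policy configuration, else None."""
    name = event.get("eventName")
    if event.get("eventSource") != "iam.amazonaws.com" or name not in ROLE_POLICY_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    finding = {"role": params.get("roleName"), "change": ROLE_POLICY_EVENTS[name],
               "actor": (event.get("userIdentity") or {}).get("arn"), "foreign_principals": []}
    if name == "UpdateAssumeRolePolicy":  # the case the page singles out: a new cross-account trust
        finding["foreign_principals"] = foreign_principals(params.get("policyDocument", "{}"), own_account)
    return finding
# Constructed sample records (not real CloudTrail output); account 111111111111 is the monitored one.
TRUST_DOC = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:root"]}}]})
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleName": "DeployRole", "policyDocument": TRUST_DOC}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleName": "DeployRole", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]
def findings(events=SAMPLE_EVENTS, own_account="111111111111") -> list:
    return [f for f in (evaluate(e, own_account) for e in events) if f is not None]
```

Read-only calls such as 'GetRole' fall through `evaluate` with `None`, and a trust policy that names only the monitored account or an AWS service principal yields an empty `foreign_principals` list.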
Vendor
AWS
Severity
3