Custom IAM policies with Allow statements that grant sts:AssumeRole (or sts:* or *) on a wildcard Resource ("*").
Risk
Broad AssumeRole rights let principals obtain temporary credentials for many roles, enabling privilege escalation, lateral movement, and cross-account access where trusts allow. This jeopardizes confidentiality and integrity of data and the control plane.
prowler aws --checks iam_no_custom_policy_permissive_role_assumption
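As an added example (not Prowler's own check code), the function below applies the criterion above to a policy document: it flags Allow statements whose Action covers sts:AssumeRole (sts:AssumeRole itself, sts:*, *, or a prefix pattern such as sts:Assume*) while Resource is "*". The two sample policies and the 111122223333 account id are constructed placeholders, not values from the page.

```python
import fnmatch
import json

# Constructed sample policies (not from the page): the first has the failing
# shape the check describes, the second is the scoped remediation.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
    ],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111122223333:role/ExampleRole",  # placeholder account id / role
    }],
})


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(action_patterns):
    """True if any action pattern covers sts:AssumeRole (IAM action names are case-insensitive)."""
    return any(fnmatch.fnmatchcase("sts:assumerole", p.lower()) for p in action_patterns)


def find_permissive_assume_role(policy_document):
    """Return the Allow statements that grant sts:AssumeRole (or sts:*, *, sts:Assume*) on Resource "*"."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_assume_role(_as_list(stmt.get("Action"))):
            continue
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(stmt)
    return findings
```

Run it against the JSON returned by `aws iam get-policy-version` for each custom policy; an empty list means the policy would pass this check.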
Recommendation
Apply least privilege to sts:AssumeRole:
- Scope Resource to exact role ARNs
- Require MFA and, for third parties, ExternalId
- Enforce permissions boundaries and SCPs to block wildcards
- Regularly remove unused role-assumption rights and separate duties
Remediation
aws iam create-policy-version --policy-arn <example_policy_arn> --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Resource":"arn:aws:iam::<example_account_id>:role/<example_resource_name>"}]}' --set-as-default
- Open the AWS Console and go to IAM > Policies
- Select the custom policy that FAILED and click Edit policy (JSON)
- Find any statement with Effect: Allow and Action including sts:AssumeRole (or sts:* or *) where Resource is "*"
- Change Resource to the specific role ARN(s), e.g.: arn:aws:iam::<example_account_id>:role/<example_resource_name>
- Save changes to create the new default version
Resource Type
AwsIamPolicy