IAM roles are assessed for the AWS-managed ReadOnlyAccess policy combined with a trust policy that allows external AWS principals or the wildcard principal (*) to assume the role. This identifies roles that expose broad read permissions to other accounts.
Risk
Granting cross-account read access can expose sensitive data and metadata, impacting confidentiality. External principals can read S3/DynamoDB contents and enumerate resources, policies, and logs, enabling targeted recon and easier privilege escalation paths.
prowler aws --checks iam_role_cross_account_readonlyaccess_policy
Recommendation
Avoid attaching ReadOnlyAccess to roles trusted by other accounts. Apply least privilege with custom, tightly scoped policies. Restrict trust to explicit principals, avoid the wildcard principal (*), and use conditions such as aws:PrincipalOrgID and sts:ExternalId for defense in depth.
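As an added example (not Prowler's own check code), the following Python models what this check evaluates, ReadOnlyAccess attached plus a trust policy that allows an external account or *, and shows the recommended hardening on a second role. Account IDs, role and policy names, the external ID and the org ID are constructed placeholders.

```python
READONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"

def principal_accounts(principal):
    """Return the account IDs (or '*') an AssumeRole statement's Principal refers to."""
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    entries = [aws] if isinstance(aws, str) else aws
    # ARN form: arn:partition:iam::ACCOUNT:root|user/..|role/..; bare form: 12-digit ID
    return [e if e == "*" or not e.startswith("arn:") else e.split(":")[4] for e in entries]

def trusts_external(trust_policy, own_account):
    """True if an Allow statement lets a principal outside own_account assume the role."""
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        if any(acct != own_account for acct in principal_accounts(stmt.get("Principal", {}))):
            return True  # '*' never equals own_account, so a wildcard trust is flagged too
    return False

def role_exposes_readonly(role, own_account):
    """Mirror the check: ReadOnlyAccess attached AND the trust policy allows external principals."""
    return READONLY_ARN in role["AttachedPolicyArns"] and trusts_external(
        role["AssumeRolePolicyDocument"], own_account)

# Constructed sample roles (account IDs and names are placeholders, not real accounts).
OWN = "111111111111"
FAILING_ROLE = {
    "RoleName": "shared-auditor",
    "AttachedPolicyArns": [READONLY_ARN],
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
}
# Hardened: a scoped customer-managed policy instead of ReadOnlyAccess, an explicit partner
# principal, and sts:ExternalId plus aws:PrincipalOrgID conditions for defense in depth.
HARDENED_ROLE = {
    "RoleName": "shared-auditor",
    "AttachedPolicyArns": ["arn:aws:iam::111111111111:policy/AuditorS3ListOnly"],
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID",
                                        "aws:PrincipalOrgID": "o-exampleorgid"}}}]},
}

if __name__ == "__main__":
    for role in (FAILING_ROLE, HARDENED_ROLE):
        print("FAIL" if role_exposes_readonly(role, OWN) else "PASS", role["RoleName"])
```

The hardened role still trusts an external account (which is the intended sharing), but it no longer carries ReadOnlyAccess, so it passes; the conditions limit who can assume it rather than what the check measures.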
Remediation
aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
- Open the AWS Management Console > IAM > Roles
- Select the role granting external access
- On the Permissions tab, locate the policy ReadOnlyAccess
- Click Detach policy and confirm
- Verify the role no longer lists ReadOnlyAccess
Source Code
Resource Type
AwsIamRole