
Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts

iam_role_cross_account_readonlyaccess_policy

Severity: high
Service: iam
by Prowler


Risk

The AWS-managed ReadOnlyAccess policy is very broad and exposes the customer to a significant data leakage threat, so it should be granted very conservatively. When granting access to third-party vendors, consider using alternative managed policies, such as ViewOnlyAccess or SecurityAudit.

Run this check with Prowler CLI

prowler aws --checks iam_role_cross_account_readonlyaccess_policy


ARN template

arn:partition:service:region:account-id:resource-id

Remediation

WUI

Remove the AWS-managed ReadOnlyAccess policy from every role whose trust policy includes third-party AWS accounts, or remove the third-party accounts from the trust policy of every role that genuinely needs ReadOnlyAccess.
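The Risk and Remediation sections above describe the two conditions this check combines: ReadOnlyAccess attached to a role, and a trust policy that lets an account other than the audited one assume it. The script below is an added illustration of that evaluation logic (not Prowler's own source code); it assumes the role's trust policy and attached policy ARNs have already been fetched (for example via iam:GetRole and iam:ListAttachedRolePolicies) and uses constructed, non-real account IDs.

```python
import re

READONLY_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"
# Matches a bare account ID or an IAM ARN and captures the 12-digit account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:[^:]+:iam::)?(\d{12})(?::.*)?$")


def external_principals(trust_policy, own_account):
    """Account IDs (or '*') allowed to assume the role that are not own_account."""
    found = set()
    statements = trust_policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal is either "*" or a dict; its "AWS" entry may be a string or a list.
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                found.add("*")
                continue
            m = ACCOUNT_RE.match(p)
            if m and m.group(1) != own_account:
                found.add(m.group(1))
    return found


def check_role(role, own_account):
    """FAIL when ReadOnlyAccess is attached and an external principal can assume the role."""
    if READONLY_POLICY_ARN not in role["AttachedPolicies"]:
        return "PASS", []
    externals = sorted(external_principals(role["AssumeRolePolicyDocument"], own_account))
    return ("FAIL", externals) if externals else ("PASS", [])


# Constructed sample data: 111111111111 is the audited account, 222222222222 a vendor.
def trust(principal):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}]}


SAMPLE_ROLES = {
    "VendorReadOnly": {"AttachedPolicies": [READONLY_POLICY_ARN],
                       "AssumeRolePolicyDocument": trust("arn:aws:iam::222222222222:root")},
    "InternalReadOnly": {"AttachedPolicies": [READONLY_POLICY_ARN],
                         "AssumeRolePolicyDocument": trust("111111111111")},
    "VendorSecurityAudit": {"AttachedPolicies": ["arn:aws:iam::aws:policy/SecurityAudit"],
                            "AssumeRolePolicyDocument": trust(["arn:aws:iam::222222222222:root"])},
}
```

Only VendorReadOnly fails: InternalReadOnly trusts the audited account itself, and VendorSecurityAudit grants the vendor the narrower SecurityAudit policy suggested in the Risk section.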


Resource Type

AwsIamRole
