
Ensure IAM service roles prevent cross-service confused deputy attacks

iam_role_cross_service_confused_deputy_prevention

Severity: high
Service: iam
by Prowler


Risk

A role whose trust policy lets an AWS service principal assume it without aws:SourceArn / aws:SourceAccount scoping can be assumed on behalf of any customer of that service, not only your own resources. An attacker who controls a resource in that service can make it act as a confused deputy and gain unauthorized access to whatever the role is permitted to do.

Run this check with Prowler CLI

prowler aws --checks iam_role_cross_service_confused_deputy_prevention


ARN template

arn:partition:service:region:account-id:resource-id

Remediation

WUI

To mitigate cross-service confused deputy attacks, add the aws:SourceArn and aws:SourceAccount global condition context keys to the Condition block of the role's trust policy, so that the service can assume the role only on behalf of the specific resource (and account) you expect. Use aws:SourceArn with the full ARN where you know it, and aws:SourceAccount as a fallback when you only know the account. Not every service populates these keys when it calls STS; if the calling service does not support them, apply alternative controls such as more restrictive resource-based policies or service-specific trust policies to limit the role's permissions and exposure. For detailed guidance, refer to AWS's documentation on preventing cross-service confused deputy issues.
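The following is an added example, not Prowler's own check code. It places a weak trust policy beside its hardened form and implements a small offline checker that reports every AWS service principal allowed to assume a role without a positive aws:SourceArn / aws:SourceAccount condition. The service (sns.amazonaws.com), account ID and topic ARN are constructed placeholders; the function accepts either a JSON string or the already-decoded dict that boto3's iam.get_role() returns in Role.AssumeRolePolicyDocument.

```python
"""Added example: flag IAM role trust policies open to cross-service confused deputy abuse.
Not Prowler's code; the policies below are constructed for illustration."""
import json

# Constructed WEAK policy: any SNS topic in any AWS account can cause SNS to assume this role.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed HARDENED policy: only one topic (placeholder ARN) in one placeholder account qualifies.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:example-topic"},
        },
    }],
})

SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows scalars or lists in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _has_source_scoping(statement):
    """True if the statement carries a positive, non-wildcard aws:SourceArn/aws:SourceAccount condition.

    Negated operators (StringNotEquals ...) and ...IfExists variants do not pin the caller to a
    known source, and a bare "*" value matches every source, so none of those count as scoping.
    """
    for operator, key_values in statement.get("Condition", {}).items():
        if not operator.startswith(("String", "Arn")):
            continue
        if "Not" in operator or operator.endswith("IfExists"):
            continue
        for key, value in key_values.items():
            values = _as_list(value)
            if key.lower() in SCOPING_KEYS and values and "*" not in values:
                return True
    return False


def unscoped_service_principals(trust_policy):
    """Return the service principals that may assume the role without source scoping."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    findings = []
    for statement in _as_list(doc.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = statement.get("Principal", {})
        # Account, IAM-user and federated principals are a different review; only services
        # act as deputies on behalf of other customers' resources.
        if not isinstance(principal, dict) or "Service" not in principal:
            continue
        if not _has_source_scoping(statement):
            findings.extend(_as_list(principal["Service"]))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, "->", unscoped_service_principals(policy) or "OK")
```

To review live roles, feed each role's Role.AssumeRolePolicyDocument from iam.get_role() (or iam.list_roles()) into unscoped_service_principals(); any non-empty result is a role whose trust policy needs the Condition block shown in the hardened policy, or one of the alternative controls described above if the service does not send those keys.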

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html


Resource Type

AwsIamRole