
IAM service role prevents cross-service confused deputy attack

iam_role_cross_service_confused_deputy_prevention

Severity: high
Service: iam
by Prowler

IAM service role trust policies restrict AWS service principals to expected sources using global condition keys like aws:SourceArn or aws:SourceAccount, avoiding overly broad sts:AssumeRole trust relationships.

Risk

Unrestricted service-principal trust lets an outside party that can drive the trusted AWS service trigger a cross-service confused deputy, causing the service to perform an unintended sts:AssumeRole into the role. This can enable data exfiltration, unauthorized changes, and lateral movement, impacting confidentiality and integrity.

Run this check with Prowler CLI

prowler aws --checks iam_role_cross_service_confused_deputy_prevention

Recommendation

Constrain service-role trust to expected callers using aws:SourceArn/aws:SourceAccount to bind service principals to specific resources or accounts. If unsupported, apply equivalent limits in resource-based policies or org-level controls. Apply least privilege and review trust relationships regularly.

Remediation

CLI

aws iam update-assume-role-policy --role-name <example_resource_name> --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"<service>.amazonaws.com"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"aws:SourceAccount":"<ACCOUNT_ID>"}}}]}'

Other
  1. In the AWS console, go to IAM > Roles
  2. Open <example_resource_name> and select the Trust relationships tab
  3. Click Edit trust policy
  4. In the statement for Principal Service "<service>.amazonaws.com", add a Condition block:
    • StringEquals: aws:SourceAccount = <ACCOUNT_ID>
  5. Save changes
  6. Re-run the check to confirm the role now prevents cross-service confused deputy attacks
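The following Python snippet is an added example, not Prowler's own check code. It reproduces the logic behind the recommendation and the remediation steps above: it flags Allow statements that let a service principal call sts:AssumeRole without an aws:SourceArn or aws:SourceAccount condition, and it applies the same aws:SourceAccount binding to a copy of the policy. The sample trust policy, service names and account ID are constructed for illustration.

```python
import json

# Global condition keys that bind a service principal to an expected source.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

# Constructed sample trust policy (not from the page): statement 0 is unrestricted,
# statement 1 is already bound to a specific SNS topic ARN.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": ["sns.amazonaws.com"]},
         "Action": "sts:AssumeRole",
         "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:*"}}},
    ],
}

def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _has_source_condition(statement):
    """True if any condition operator uses aws:SourceArn or aws:SourceAccount (keys are case-insensitive)."""
    return any(key.lower() in SOURCE_KEYS
               for values in statement.get("Condition", {}).values() for key in values)

def _allows_assume_role(statement):
    """True for Allow statements whose Action covers sts:AssumeRole."""
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    return statement.get("Effect") == "Allow" and bool(actions & {"sts:assumerole", "sts:*", "*"})

def unrestricted_service_principals(trust_policy):
    """Service principals that can assume the role with no source binding (what the check flags)."""
    findings = []
    for statement in _as_list(trust_policy.get("Statement")):
        principal = statement.get("Principal")
        if not (_allows_assume_role(statement) and isinstance(principal, dict)):
            continue  # "*" and AWS-account principals are outside this check's scope
        if not _has_source_condition(statement):
            findings.extend(_as_list(principal.get("Service")))
    return findings

def bind_to_account(trust_policy, account_id):
    """Deep copy of the trust policy with every unrestricted service statement bound to account_id."""
    hardened = json.loads(json.dumps(trust_policy))
    for statement in _as_list(hardened.get("Statement")):
        if _allows_assume_role(statement) and isinstance(statement.get("Principal"), dict) \
                and statement["Principal"].get("Service") and not _has_source_condition(statement):
            statement.setdefault("Condition", {}).setdefault("StringEquals", {})["aws:SourceAccount"] = account_id
    return hardened
```

Feed `unrestricted_service_principals` the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) to review a real role offline; the hardened document from `bind_to_account` is the shape expected by `update-assume-role-policy`.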


Resource Type

AwsIamRole
