Ensure principal element is not empty in AWS IAM Trust Policy

LOW

Description

A trust policy (the assume-role policy attached to an IAM role) and the other resource-based policies listed below identify who may perform the listed actions through their Principal element. A Principal that is unspecified, empty, or the wildcard "*" does not constrain who may act on the resource: any AWS account, user, role or service that can reach the API could assume the role or act on the resource, which leads to unintended cross-account access and security vulnerabilities. Explicitly naming the accounts, IAM roles or users, or AWS services in the Principal element (and, where appropriate, restricting them further with conditions such as sts:ExternalId or aws:SourceAccount) ensures that only the intended entities are able to perform the actions defined in the policy.

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the IAM console.
  2. In the navigation pane, select Policies.
  3. In the list of policies, select the policy to edit.
  4. On the Policy usage tab, select the role that has the invalid principal.
  5. In the window opened for the role, select Trust relationships, and then choose Edit trust policy.
  6. In the policy editor, set the Principal element of each Allow statement to the specific AWS accounts, roles, users or services that should be able to assume the role, instead of leaving it empty or using "*".
  7. Review the changes and choose Update policy to save them.

In Terraform -
The following applies to these resources: aws_iam_role_policy, aws_ecr_repository_policy, aws_backup_vault_policy, aws_s3_bucket_policy, aws_efs_file_system_policy, aws_secretsmanager_secret_policy, aws_api_gateway_rest_api_policy, aws_media_store_container_policy, aws_glue_resource_policy, aws_sns_topic_policy, aws_sqs_queue_policy, and aws_ses_identity_policy.

  1. In the impacted resource, edit the policy so that the Principal element names specific accounts, roles, users or services and the Action list contains only the actions that are required, rather than leaving either blank or using a wildcard.
  2. Where the policy has a Resource element, replace wildcard ARNs with the specific resource ARNs, including the account ID and region where the ARN format has them.
    For more information on how to effectively write an IAM policy see the AWS and Terraform documentation.
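The following Terraform snippet is an added example, not part of the original rule text or of any vendor remediation code. It shows an aws_iam_role whose trust policy uses a wildcard Principal (the condition this rule flags) next to the corrected form, built with the aws_iam_policy_document data source so that the principal is explicit. The account ID 111122223333, the role names, the ci-runner role and the external ID value are placeholders assumed for illustration.

```hcl
# BEFORE: trust policy with a wildcard Principal. Any AWS principal that
# knows the role ARN can call sts:AssumeRole on it. This is what the rule
# reports; "Principal": "*" is the practical form of "no principal named".
resource "aws_iam_role" "ci_deploy_open" {
  name = "ci-deploy-open"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = "*"
    }]
  })
}

# AFTER: only one named role in one named account may assume the role,
# and only when it presents the agreed external ID.
data "aws_iam_policy_document" "ci_deploy_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:role/ci-runner"] # assumed account and role
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["ci-deploy-external-id"] # assumed value, shared out of band with the caller
    }
  }
}

resource "aws_iam_role" "ci_deploy" {
  name               = "ci-deploy"
  assume_role_policy = data.aws_iam_policy_document.ci_deploy_trust.json
}

# Service-principal variant: a role for Lambda functions in this account only.
# aws:SourceAccount stops a function in another account from assuming it.
data "aws_iam_policy_document" "lambda_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["111122223333"] # assumed account ID
    }
  }
}

resource "aws_iam_role" "lambda_exec" {
  name               = "lambda-exec"
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}
```

Using aws_iam_policy_document rather than a hand-written JSON string makes the principal a required, typed block, so a missing or wildcard principal is visible at plan time and in code review; `terraform plan` renders the generated JSON so the resulting Principal element can be checked before apply. The same principals and condition blocks apply to the other resource-based policies this rule covers (for example aws_s3_bucket_policy or aws_sqs_queue_policy), with the actions changed accordingly.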

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/service_code_examples_iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy

Policy Details

Rule Reference ID: AC_AWS_0473
CSP: AWS
Remediation Available: Yes
Resource: aws_iam_policy
Resource Type: Policy

Frameworks