IAM Role

An IAM role is an IAM identity with attached permissions policies that grant access to, and actions on, AWS resources. A role can be delegated to users on an individual basis and can be assumed by as many principals as needed.
aws_iam_role (IAM Role) attributes:

The following argument is required:

  • assume_role_policy - (Required) Policy that grants an entity permission to assume the role.

NOTE:

The assume_role_policy (trust policy) is very similar to, but slightly different from, a standard IAM policy and cannot use an aws_iam_policy resource. However, it can use an aws_iam_policy_document data source. See the Terraform example below for how this works.

The following arguments are optional:

  • description - (Optional) Description of the role.
  • force_detach_policies - (Optional) Whether to force detaching any policies the role has before destroying it. Defaults to false.
  • inline_policy - (Optional) Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Terraform will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Terraform to remove all inline policies added out of band on apply.
  • managed_policy_arns - (Optional) Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Terraform will ignore policy attachments to this resource. When configured, Terraform will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Terraform to remove all managed policy attachments.
  • max_session_duration - (Optional) Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
  • name - (Optional, Forces new resource) Friendly name of the role. If omitted, Terraform will assign a random, unique name. See IAM Identifiers for more information.
  • name_prefix - (Optional, Forces new resource) Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
  • path - (Optional) Path to the role. See IAM Identifiers for more information.
  • permissions_boundary - (Optional) ARN of the policy that is used to set the permissions boundary for the role.
  • tags - Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

inline_policy

This configuration block supports the following:

NOTE:

Since one empty block (i.e., inline_policy {}) is valid syntactically to remove out of band policies on apply, name and policy are technically optional. However, they are both required in order to manage actual inline policies. Not including one or the other may not result in Terraform errors but will result in unpredictable and incorrect behavior.

  • name - (Required) Name of the role policy.
  • policy - (Required) Policy document as a JSON formatted string. For more information about building IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.

Associating resources with an IAM Role

Resources do not "belong" to an IAM Role. Rather, a role is associated with one or more resources, which assume it.

Create IAM Role via Terraform:

The following HCL creates an IAM role resource with an assume role (trust) policy.

Syntax:

resource "aws_iam_role" "test_role" {
 name = "test_role"

 # Terraform's "jsonencode" function converts a
 # Terraform expression result to valid JSON syntax.
 assume_role_policy = jsonencode({
   Version = "2012-10-17"
   Statement = [
     {
       Action = "sts:AssumeRole"
       Effect = "Allow"
       Sid    = ""
       Principal = {
         Service = "ec2.amazonaws.com"
       }
     },
   ]
 })

 tags = {
   tag-key = "tag-value"
 }
}

Create IAM Role via CLI:

Parameters:

create-role
[--path <value>]
--role-name <value>
--assume-role-policy-document <value>
[--description <value>]
[--max-session-duration <value>]
[--permissions-boundary <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws iam create-role --role-name Test-Role --assume-role-policy-document file://Test-Role-Trust-Policy.json

Best Practices for IAM Role

Categorized by Availability, Security & Compliance and Cost

  • Warning: Ensure IAM Role has no inline policy
  • Critical: IAM Role inline policy has over permissive DynamoDB access
  • Critical: IAM Role inline policy has over permissive ElastiCache access
  • Critical: IAM Role inline policy has over permissive KMS access
  • Critical: IAM Role inline policy has over permissive Kafka access
  • Critical: IAM Role inline policy has over permissive OpenSearch access
  • Critical: IAM Role inline policy has over permissive RDS access
  • Critical: IAM Role inline policy has over permissive S3 access
  • Critical: IAM Role inline policy is over permissive
  • Warning: IAM Role inline policy is over permissive
  • Critical: IAM Role with Admin access (*:*)
  • Warning: IAM Role with high privileged policies
  • Critical: IAM Role with inline Admin access (*:*)
  • Warning: IAM user can execute a Privilege Escalation by using AssumeRole
  • Critical: IAM user can execute a Privilege Escalation by using AttachRolePolicy
  • Critical: IAM user can execute a Privilege Escalation by using AttachUserPolicy
  • Critical: IAM user can execute a Privilege Escalation by using CreatePolicyVersion
  • Warning: IAM user can execute a Privilege Escalation by using PassRole
  • Critical: IAM user can execute a Privilege Escalation by using PassRole and CreateFunction and lambda:InvokeFunction
  • Critical: IAM user can execute a Privilege Escalation by using PassRole and CreatePipeline and PutPipelineDefinition
  • Critical: IAM user can execute a Privilege Escalation by using PassRole and RunInstances
  • Critical: IAM user can execute a Privilege Escalation by using UpdateAssumeRolePolicy and sts:AssumeRole
  • Critical: IAM user can execute a Privilege Escalation by using UpdateLoginProfile
  • Critical: Resource with over permissive DynamoDB GetItem permissions (via IAM Role inline)
  • Critical: Resource with over permissive ElastiCache permissions (via IAM Role inline)
  • Critical: Resource with over permissive KMS permissions (via IAM Role inline)
  • Critical: Resource with over permissive OpenSearch permissions (via IAM Role inline)
  • Critical: Resource with over permissive RDS permissions (via IAM Role inline)
  • Critical: Resource with over permissive S3 GetObject permissions (via IAM Role inline)
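An added example (not CloudWiki's or AWS's code) that checks IAM policy documents for the patterns the rules above name: Admin access (*:*), wildcard actions, and privilege-escalation actions such as iam:PassRole or iam:AttachRolePolicy allowed on any resource. It also checks a trust policy for an unconditioned Principal "*", which goes beyond the listed rules. The severity thresholds are this example's own assumption, and both sample policies are constructed, the first being the EC2 trust policy from the Terraform example.

```python
import json

# Actions named in the privilege-escalation rules listed on this page (lower-cased for matching).
PRIVESC_ACTIONS = {
    "iam:attachrolepolicy", "iam:attachuserpolicy", "iam:createpolicyversion",
    "iam:passrole", "iam:updateassumerolepolicy", "iam:updateloginprofile",
}

def _as_list(value):
    # IAM accepts either a single string or a list for Statement, Action, Resource and Principal.AWS.
    return value if isinstance(value, list) else [value]

def find_policy_issues(policy_json):
    """Return (severity, message) findings for an inline or managed identity policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(("Critical", f"statement {i}: Admin access (*:*)"))
            continue
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(("Warning", f"statement {i}: wildcard action {action}"))
            elif action in PRIVESC_ACTIONS and "*" in resources:
                findings.append(("Critical", f"statement {i}: {action} on any resource"))
    return findings

def trust_policy_allows_anyone(assume_role_policy_json):
    """True if an Allow sts:AssumeRole statement names Principal "*" (or AWS: "*") with no Condition."""
    for stmt in _as_list(json.loads(assume_role_policy_json).get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and "sts:assumerole" in actions and not stmt.get("Condition"):
            if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
                return True
    return False

# Constructed samples: the page's EC2 trust policy and an over-permissive inline policy.
EC2_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{"Action": "sts:AssumeRole",
    "Effect": "Allow", "Sid": "", "Principal": {"Service": "ec2.amazonaws.com"}}]})
ADMIN_INLINE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "s3:*"], "Resource": "*"}]})

if __name__ == "__main__":
    for severity, message in find_policy_issues(ADMIN_INLINE):
        print(severity, message)
    print("trust policy open to any principal:", trust_policy_allows_anyone(EC2_TRUST))
```

The checks are string-level only and ignore NotAction, NotResource and resource-level wildcards, so treat a clean result as a first pass, not proof that a role is least-privilege.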