Description
CKV_AWS_61 checks only for root account principals. That (in my view) falsely flags cases that limit access with a condition:
```hcl
resource "aws_iam_role" "role" {
  name = "my-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        # Trust the whole account...
        Principal = {
          AWS = "arn:aws:iam::111111111111:root"
        }
        # ...but only let this one role actually assume it.
        Condition = {
          ArnLike = {
            "aws:PrincipalArn" = "arn:aws:iam::222222222222:role/some-other-role"
          }
        }
      }
    ]
  })
}
```
We use this pattern in cases where we want the permissions to be limited to a single role, but not impacted by role deletions and recreations. (If a role is deleted and referenced directly as a principal, it gets replaced with the unique role ID.)
For the above snippet, Checkov prints:
```text
Check: CKV_AWS_61: "Ensure AWS IAM policy does not allow assume role permission across all services"
	FAILED for resource: aws_iam_role.role
	File: /iam.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-45
```

```console
$ checkov --version
3.2.441
```
(It looks like CKV_AWS_60 is similar)
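As an added example (not Checkov's own implementation of CKV_AWS_61, and not part of the issue above), the following standalone evaluator shows the behaviour the issue argues for: an Allow `sts:AssumeRole` statement with an account-root or wildcard principal is reported only when it is not narrowed by an `aws:PrincipalArn` condition. The three embedded trust policies are constructed for the example; the first is the issue's policy rendered as JSON, the second is the same policy with the condition removed, the third uses a wildcard principal. Treating a bare 12-digit account ID as equivalent to the account's root principal, and ignoring an `aws:PrincipalArn` value of `*` as non-narrowing, are this example's own design choices.

```python
"""Minimal evaluator for account-wide assume-role trust statements.

Added example, not Checkov's code. It flags Allow sts:AssumeRole statements
whose principal is "*" or an account root, unless a Condition on
aws:PrincipalArn restricts which principal in that account may assume the role.
"""
import json
from typing import Any, List


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_account_wide_principal(principal: Any) -> bool:
    """True for "*" and for AWS principals that name a whole account.

    A bare 12-digit account ID is shorthand for that account's root ARN.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for entry in _as_list(principal.get("AWS")):
            if entry == "*" or entry.endswith(":root") or entry.isdigit():
                return True
    return False


def _narrowed_by_principal_arn(statement: dict) -> bool:
    """True if any condition operator constrains aws:PrincipalArn to a
    concrete value (a value of "*" matches everything, so it does not count)."""
    condition = statement.get("Condition") or {}
    for _operator, keys in condition.items():
        if not isinstance(keys, dict):
            continue
        for key, value in keys.items():
            if key.lower() != "aws:principalarn":
                continue
            if any(v != "*" for v in _as_list(value)):
                return True
    return False


def find_unrestricted_assume_role(policy_json: str) -> List[int]:
    """Return indices of Allow sts:AssumeRole statements granted to an
    account-wide principal with no narrowing aws:PrincipalArn condition."""
    policy = json.loads(policy_json)
    flagged: List[int] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        if _is_account_wide_principal(stmt.get("Principal")) and not _narrowed_by_principal_arn(stmt):
            flagged.append(idx)
    return flagged


# Constructed sample policies for the example (same account IDs as the issue).
ISSUE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Condition": {"ArnLike": {
            "aws:PrincipalArn": "arn:aws:iam::222222222222:role/some-other-role"}},
    }],
})

UNCONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"AWS": "111111111111"},  # shorthand for the root ARN
    }],
})

WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["sts:AssumeRole"],
        "Effect": "Allow",
        "Principal": "*",
        "Condition": {"ArnLike": {"aws:PrincipalArn": "*"}},  # does not narrow
    }],
})


if __name__ == "__main__":
    for name, doc in [("issue", ISSUE_POLICY),
                      ("unconditioned", UNCONDITIONED_POLICY),
                      ("wildcard", WILDCARD_POLICY)]:
        print(name, "flagged statements:", find_unrestricted_assume_role(doc))
```

Run stand-alone it reports no flagged statement for the issue's policy and statement 0 for the other two, which is the distinction the issue asks the check to make.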