April 16, 2024: Updated with details regarding AWS CloudTrail logging for roles that continue to employ the implicit trust behavior, along with additional sample queries to identify these roles.
June 15, 2023: The enforcement method transitioned from a fixed date to an automated process commencing June 30, 2023, which began removing roles based on observed assumption behavior.
February 9, 2023: The enforcement date was postponed from February 15, 2023, to June 30, 2023.
Amazon Identity and Access Management (IAM) is modifying how role trust policy evaluation operates in instances where a role assumes itself. Previously, roles automatically trusted themselves if they had identity-based permissions allowing such self-assumption. After considering customer feedback, Amazon is now requiring explicit self-referential trust policy grants for role assumptions. This enhancement promotes greater consistency and transparency regarding role behavior and privileges. It enables customers to manage and understand role assumption permissions in one unified location—the role trust policy—rather than navigating between two locations (the trust policy and the identity policy). This adjustment simplifies the management of role trust permissions: “What you see [in the trust policy] is what you get.”
As a result, starting today, any role that has not utilized the identity-based behavior since June 30, 2022, must explicitly grant permission within its trust policy to all principals, including itself, to assume it under designated conditions. Removing the implicit self-trust aspect of roles enhances clarity and visibility into role assumption behavior.
Most Amazon customers will remain unaffected by this change. Only a minuscule fraction (approximately 0.0001%) of roles are involved. Customers with roles that have recently employed the former implicit trust behavior are being notified, starting today, about these roles. They may continue using this behavior for the time being to allow adjustments to their configurations or code. From June 30, 2023, we will begin the automatic removal of roles from the allowance list based on observed role assumption practices. Alternatively, if customers are confident that this change will not impact them, they can opt out immediately by implementing new roles, as detailed later in this article.
The initial section of this post briefly outlines the behavioral change. The subsequent sections address practical queries such as: “Why is this adjustment occurring?,” “How could this impact me?,” “Which usage scenarios might be affected?,” and “What actions should I take next?” The usage scenario section is crucial as it suggests that, based on our evaluation, self-assuming role behavior displayed by code or users is often unnecessary and counterproductive. Finally, for security professionals seeking to understand more about the reasons for the previous behavior, the rationale behind the change, and its potential implications, the final section reviews essential IAM concepts and delves into further details.
What is Changing?
Until now, an IAM role implicitly trusted itself. For example, consider the following role trust policy assigned to the role named RoleA in Amazon account 123456789012.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/RoleB"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
This trust policy permits role assumption for RoleB within the same account. However, if the identity-based policy for RoleA grants the sts:AssumeRole permission concerning itself, RoleA could also assume itself. Therefore, there were actually two roles allowed to assume RoleA: the explicitly permitted RoleB, and RoleA, which implicitly trusted itself due to the IAM ownership model (explained in detail later). It’s important to note that the identity-based permission required for RoleA to assume itself is not needed for RoleB, and a policy associated with RoleB referencing other roles is insufficient for RoleB to assume them. The resource-based permission granted by RoleA’s trust policy is both necessary and sufficient for RoleB to assume RoleA.
Though we previously referred to this behavior as “implicit self-trust,” the key point is that RoleA’s self-assumption capability was not actually implicit. The self-referential permission had to be explicit in one of the policies (or both): either in the role’s identity-based policy or its trust policy. However, unlike the case with other principals and role trust, IAM administrators would need to check two different policies to determine if a role could assume itself.
As of today, for any new role or any role that hasn’t recently assumed itself while relying on the previous behavior, IAM administrators must revise the role trust policy as follows to permit RoleA to assume itself, independent of the privileges granted by its identity-based policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/RoleB",
                    "arn:aws:iam::123456789012:role/RoleA"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
This modification clarifies role trust behavior, making it easier to understand and manage, whether directly by individuals or coded applications.
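The two policies above can be turned into a small decision table. The following is an added example written for this page, not code from the original post or from AWS: a simplified evaluator that models how a role-assumption request was decided under the old behavior (the target's trust policy, or, for a role assuming itself, its own identity-based policy) versus the new behavior (the target's trust policy alone). It models only the Allow / Principal / Action / Resource subset that this question needs; Deny statements, wildcards, conditions and cross-account matching are deliberately out of scope. RoleA and RoleB and their trust policies come from the post; RoleC and the identity-based policy are constructed for illustration.

```python
"""
Added example (not from the original post): simplified evaluation of IAM role
assumption under the old behaviour (trust policy OR, for self-assumption, the
role's own identity-based policy) and the new behaviour (trust policy only).
Only the Allow / Principal / Action / Resource subset is modelled.
"""

ROLE_A = "arn:aws:iam::123456789012:role/RoleA"
ROLE_B = "arn:aws:iam::123456789012:role/RoleB"
ROLE_C = "arn:aws:iam::123456789012:role/RoleC"  # constructed, not from the post

# First trust policy from the post: RoleA explicitly trusts only RoleB.
TRUST_ROLEA_IMPLICIT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_B},
        "Action": "sts:AssumeRole",
    }],
}

# Second trust policy from the post: RoleA now lists itself explicitly as well.
TRUST_ROLEA_EXPLICIT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [ROLE_B, ROLE_A]},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed identity-based policy granting sts:AssumeRole on RoleA.
IDENTITY_ASSUME_ROLEA = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_A}],
}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_allows(trust_policy, caller_arn):
    """True if an Allow statement names caller_arn as an AWS principal for sts:AssumeRole."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and caller_arn in _as_list(principal.get("AWS")):
            return True
    return False


def identity_policy_allows(identity_policy, target_arn):
    """True if an Allow statement in the caller's identity-based policy grants sts:AssumeRole on target_arn."""
    for stmt in identity_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if target_arn in _as_list(stmt.get("Resource")):
            return True
    return False


def can_assume(caller_arn, target_arn, target_trust_policy, caller_identity_policy, new_behavior):
    """Decide whether caller_arn may assume target_arn.

    Both behaviours: an explicit grant in the target's trust policy is sufficient.
    Old behaviour only: when a role assumes itself, its own identity-based policy
    could supply the grant instead (the "implicit self-trust" the post describes).
    For any other caller, the identity-based policy alone was never enough.
    """
    if trust_policy_allows(target_trust_policy, caller_arn):
        return True
    if new_behavior or caller_arn != target_arn:
        return False
    return identity_policy_allows(caller_identity_policy, target_arn)


def relies_on_implicit_self_trust(role_arn, trust_policy, identity_policy):
    """True for roles that could assume themselves before the change but cannot after it."""
    before = can_assume(role_arn, role_arn, trust_policy, identity_policy, new_behavior=False)
    after = can_assume(role_arn, role_arn, trust_policy, identity_policy, new_behavior=True)
    return before and not after


if __name__ == "__main__":
    for label, trust in (("trust lists RoleB only", TRUST_ROLEA_IMPLICIT),
                         ("trust lists RoleB and RoleA", TRUST_ROLEA_EXPLICIT)):
        print(label, "-> needs trust-policy update:",
              relies_on_implicit_self_trust(ROLE_A, trust, IDENTITY_ASSUME_ROLEA))
```

`relies_on_implicit_self_trust` is the check a reviewer wants when auditing an account: it flags exactly the roles whose self-assumption would have succeeded only through the identity-based policy. Note that `can_assume(ROLE_C, ROLE_A, ...)` returns False under both behaviors even when RoleC's identity policy names RoleA, which is the point made earlier that an identity-based policy on another role was never sufficient on its own.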
How Might This Change Impact Me?
As mentioned, most customers will not experience any impact due to this change. For those utilizing the prior implicit trust behavior, Amazon will assist in phasing out this usage. Beginning June 30, 2023, we will automatically remove roles from the allowance list based on observed role assumption behavior. Below are more details for two categories of customers—those who have not utilized the behavior and those who have.
If you haven’t used the implicit trust behavior since June 30, 2022:
Starting today, if you have not employed the old behavior for a specified role at any time since June 30, 2022, you will now encounter the new behavior. Existing roles, as well as any new ones, will require an explicit reference in their trust policy to assume themselves. If you have roles that are used infrequently, such as once every few months for a rarely executed batch operation, you should identify those roles and, if necessary, either eliminate the reliance on the old behavior or update their trust policies to include the role itself ahead of their next usage (see the second sample policy earlier for an example).
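Identifying rarely used self-assuming roles is a CloudTrail question: an AssumeRole record whose calling session was issued by the same role that is being requested is a self-assumption. The following is an added example for this page, not code from the original post or from AWS. It scans CloudTrail AssumeRole records, summarizes per role how often and when it last assumed itself, and lists the roles whose last self-assumption is older than a cutoff so they can be updated before their next run. The sample records are constructed here so the code runs offline; they use the standard CloudTrail fields `userIdentity.sessionContext.sessionIssuer.arn` and `requestParameters.roleArn`, and RoleC is a constructed name.

```python
"""
Added example (not from the original post): find roles that assumed themselves
in CloudTrail AssumeRole records and report when each last did so. Sample
records are constructed inline so the script runs offline.
"""
import json

ROLE_A = "arn:aws:iam::123456789012:role/RoleA"
ROLE_B = "arn:aws:iam::123456789012:role/RoleB"
ROLE_C = "arn:aws:iam::123456789012:role/RoleC"  # constructed, not from the post


def _record(issuer_arn, target_arn, when, session="session-1"):
    """Build a minimal constructed CloudTrail AssumeRole record."""
    assumed_role_arn = (issuer_arn.replace(":iam::", ":sts::")
                        .replace(":role/", ":assumed-role/") + "/" + session)
    return {
        "eventVersion": "1.08",
        "eventTime": when,
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": assumed_role_arn,
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": issuer_arn}},
        },
        "requestParameters": {"roleArn": target_arn, "roleSessionName": "batch-job"},
    }


# Constructed log file in the {"Records": [...]} envelope CloudTrail delivers to S3.
SAMPLE_LOG = json.dumps({"Records": [
    _record(ROLE_A, ROLE_A, "2024-01-10T03:15:00Z"),  # RoleA assumes itself
    _record(ROLE_B, ROLE_A, "2024-02-01T12:00:00Z"),  # RoleB assumes RoleA: explicitly trusted, not self
    _record(ROLE_C, ROLE_C, "2023-11-05T22:40:00Z"),  # RoleC assumes itself, months ago
    _record(ROLE_A, ROLE_A, "2024-03-20T09:05:00Z"),  # RoleA assumes itself again
]})


def load_records(cloudtrail_json_text):
    """Parse a CloudTrail log file body and return its records list."""
    return json.loads(cloudtrail_json_text).get("Records", [])


def is_self_assumption(record):
    """True when an AssumeRole call's issuing role equals the role being requested."""
    if record.get("eventSource") != "sts.amazonaws.com" or record.get("eventName") != "AssumeRole":
        return False
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    target = record.get("requestParameters", {}).get("roleArn")
    return issuer is not None and issuer == target


def summarize_self_assumptions(records):
    """Return {role_arn: {"count": n, "last_seen": eventTime}} for roles that assumed themselves."""
    summary = {}
    for rec in records:
        if not is_self_assumption(rec):
            continue
        arn = rec["requestParameters"]["roleArn"]
        entry = summary.setdefault(arn, {"count": 0, "last_seen": rec["eventTime"]})
        entry["count"] += 1
        # eventTime is ISO-8601 UTC with fixed width, so string comparison orders correctly.
        if rec["eventTime"] > entry["last_seen"]:
            entry["last_seen"] = rec["eventTime"]
    return summary


def roles_unused_since(summary, cutoff_iso):
    """Roles whose most recent self-assumption is older than cutoff_iso (same ISO-8601 UTC format)."""
    return sorted(arn for arn, entry in summary.items() if entry["last_seen"] < cutoff_iso)


if __name__ == "__main__":
    summary = summarize_self_assumptions(load_records(SAMPLE_LOG))
    for arn, entry in sorted(summary.items()):
        print(f"{arn}: {entry['count']} self-assumption(s), last seen {entry['last_seen']}")
    print("stale since 2024-01-01:", roles_unused_since(summary, "2024-01-01T00:00:00Z"))
```

A self-assumption record on its own does not prove the role depended on the old behavior: its trust policy may already list the role explicitly. Pair this scan with a review of each flagged role's trust policy, and treat the roles returned by `roles_unused_since` as the ones most likely to surprise you at their next run.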
If you have used the implicit trust behavior since June 30, 2022:
If a role has utilized the implicit trust behavior since June 30, 2022, it may continue to do so. Amazon will notify you about these roles starting today through your AWS Health Dashboard and will send an email containing pertinent information to the account owner and security contact. We are allowing ample time for you to make necessary adjustments to your existing processes, code, or configurations in preparation for the removal of the implicit trust behavior. If you cannot modify your processes or code, you can continue using this behavior by making a confi