Execution IAM Role #24

Open
0xjjoyy opened this issue Jun 24, 2020 · 1 comment

Comments


0xjjoyy commented Jun 24, 2020

Hello,

Is there a way to have the config rule lambda execute with the same IAM Role?

If I specify to the Config rule parameter executionRoleArn and ExecutionRoleName, it first assumes executionRoleArn then ExecutionRoleName. If these are the same IAM role, then I have to establish a trust policy between the same role.

Is there a way to keep the lambda executing under the same IAM role without having to make a call to assume an IAM role?


jonpbbc commented Sep 26, 2022

A related PHD notification from last week:

After carefully considering feedback from customers, AWS Identity and Access Management (IAM) is changing an aspect of how role trust policy evaluation behaves when a role assumes itself. Please read further to understand this change and actions you may need to take before February 15, 2023.

Beginning September 21, 2022, a role trust policy must explicitly grant permission to the principals, including the role itself, that need to assume it under the specified conditions. This change improves consistency with how other AWS resource policies behave and increases visibility into role assumption behavior.

We are contacting you because our data suggests that your AWS account may have one or more IAM Roles that assume themselves based on the permissions and conditions in their identity-based policy without explicitly granted permission in their role trust policy. No roles in your AWS account beyond those shown here exhibit potential for this behavior.

A list of your affected resource(s) can be found in the 'Affected resources' tab.

You should see no immediate impact due to the change, because these roles have been allow-listed to continue to behave as before. You may continue to use your existing configuration for the roles listed previously until February 15, 2023. We are allowing time for you to make any necessary changes to existing processes, code, or configuration in preparation for enforcement of an explicit permission grant in the role trust policy. If maintaining the existing behavior of your code is important for your use case, a role can continue to assume itself after February 15, 2023, by updating its role trust policy to explicitly trust the role itself.

After February 15, 2023, all roles that attempt to assume themselves will fail with an access denied error, unless the role trust policy explicitly grants the permission and the conditions and actions are satisfied.

In support of your efforts to address this behavior change in your account, we are providing additional guidance and details in the blog post "Announcing an Update to IAM Role Trust Policy Behavior" [1]. The blog discusses the most common use cases where roles are observed assuming themselves and how you can change your code or configuration prior to February 15, 2023.

For assistance with adding new roles to or removing existing roles from the list provided in the 'Affected resources' tab, please contact AWS Support [2].

[1] https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
[2] https://aws.amazon.com/support
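As an added example (not code from this project or from the AWS notification), the following script checks whether a role's trust policy explicitly grants the role itself `sts:AssumeRole`, which is what the notice above requires after February 15, 2023 for a Lambda execution role that assumes itself, and produces the corrected policy when it does not. The role ARN and the sample trust policy are constructed placeholders.

```python
import json

# Constructed sample ARN (placeholder account id), not from the original issue.
ROLE_ARN = "arn:aws:iam::123456789012:role/config-rule-execution-role"

# Trust policy that only lets Lambda assume the role; a role assuming itself
# under this policy relied on the allow-list and is denied after Feb 15, 2023.
TRUST_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}

def _as_list(value):
    """IAM policy fields may be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusts_self(trust_policy, role_arn):
    """True if an Allow statement explicitly lets role_arn call sts:AssumeRole."""
    # Only Principal "*" or Principal.AWS naming the role ARN (or "*") counts;
    # Service principals and broader account-level grants are not, on purpose.
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = _as_list(principal.get("AWS"))
            if role_arn in aws or "*" in aws:
                return True
    return False

def add_self_trust(trust_policy, role_arn):
    """Return a copy of the trust policy with an explicit self-trust statement."""
    fixed = json.loads(json.dumps(trust_policy))  # deep copy, input untouched
    statements = _as_list(fixed.get("Statement"))
    if not trusts_self(fixed, role_arn):
        statements.append({"Effect": "Allow", "Principal": {"AWS": role_arn},
                           "Action": "sts:AssumeRole"})
    fixed["Statement"] = statements
    return fixed
```

Run `trusts_self` over each role's `AssumeRolePolicyDocument` (for example from `iam:GetRole`) to find roles that still depend on the temporary allow-list before the enforcement date.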
