You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Trust role policy generated for IAM role does not have controls for conditionals like aws:SourceArn, aws:SourceAccount, aws:SourceOrgID, or aws:SourceOrgPaths used for confused deputy problem prevention. Workaround for the problem is to provide custom trust policy with appropriate conditions for role assumption, however I think we should promote good security practices and have some of these controls added to role modules and perhaps enabled by default at some point in the future.
If approved I'm willing to submit PR (for start maybe just one conditional, like aws:SourceAccount) with backward compatible changes to test it out.
✋ I have searched the open/closed issues and my issue is not listed.
Hi @enver-multibank , thanks for creating a PR here. I got sidetracked and couldn't find the time recently to push this over the line with proper examples and local testing.
This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days
Description
Trust role policy generated for IAM role does not have controls for conditionals like
aws:SourceArn
,aws:SourceAccount
,aws:SourceOrgID
, oraws:SourceOrgPaths
used for confused deputy problem prevention. Workaround for the problem is to provide custom trust policy with appropriate conditions for role assumption, however I think we should promote good security practices and have some of these controls added to role modules and perhaps enabled by default at some point in the future.If approved I'm willing to submit PR (for start maybe just one conditional, like
aws:SourceAccount
) with backward compatible changes to test it out.Versions
5.28.0
Terraform v1.7.5
registry.terraform.io/hashicorp/aws v5.58.0
Steps to reproduce the behavior:
Generated trust policy looks like this:
Expected behavior
We should be able to generate policy like this
Actual behavior
There is no option to add conditions except for:
aws:PrincipalArn
Terminal Output Screenshot(s)
Additional context
The text was updated successfully, but these errors were encountered: