Conversation

@bhendo bhendo commented Sep 8, 2025

What does this PR do?

Adds support for flagging risky trust policies in IAM roles, enhancing the tool's ability to detect cross-account and overly permissive role assumptions. The changes introduce a new flag_trust_policies option to both single-account and multi-account scan commands, propagate this flag through the scanning pipeline, and implement logic to identify risky trust policy configurations.

These changes make it easier to identify and flag IAM roles with risky trust policies, improving the security posture of scanned AWS environments.

New trust policy risk detection:

  • Added a new CLI option --flag-trust-policies (with shorthand -t) to both scan and scan_multi_account commands, allowing users to enable detection of risky trust policies in IAM roles.
  • Propagated the flag_trust_policies flag through all relevant functions and classes in the scanning pipeline, including scan, scan_multi_account, scan_accounts, scan_account, scan_account_authorization_details, AuthorizationDetails, and RoleDetails.

Trust policy analysis logic:

  • Enhanced AssumeRolePolicyDocument and AssumeRoleStatement classes to analyze trust policies, including detection of cross-account principals, wildcard principals, and conditions, enabling identification of risky configurations.
  • Integrated account ID and exclusions logic into trust policy analysis to avoid false positives for known accounts and support more accurate risk detection.

What gif best describes this PR or how it makes you feel?

homerincognito

Completion checklist

  • Additions and changes have unit tests
  • The pull request has been appropriately labeled using the provided PR labels
  • GitHub actions automation is passing (make test, make lint, make security-test, make test-js)
  • If the UI contents or JavaScript files have been modified, generate a new example report:
# Generate the updated Javascript bundle
make build-js

# Generate the example report
make generate-report

Surface compute service assumability findings at the role level to provide
better visibility into roles that can be assumed by EC2, ECS, EKS, or Lambda
services, helping security teams identify potential privilege escalation paths
through compute services.

Surface cross-account assumability findings at the role level to provide
better visibility into roles that can be assumed by principals from other
AWS accounts, helping security teams identify potential attack surface
expansion beyond organizational boundaries.

Add a new command line flag --flag-trust-policies that allows users to control
whether trust policy findings are included in role detail output, providing
more granular control over which security findings are reported.

Surface roles that can be assumed by any principal (*) or any AWS account
root to provide critical visibility into the most dangerous trust policy
configurations, helping security teams immediately identify roles that
present the highest risk of unauthorized access from any AWS account.

Surface roles that can be assumed by any principal (*) or any AWS account
root when conditions are present to provide enhanced visibility into
potentially dangerous trust policy configurations. While conditions may
appear to provide security controls, they can be overly permissive or
contain logical flaws, helping security teams identify roles that require
careful review to ensure conditions adequately restrict access and prevent
unintended privilege escalation.

… positives

Allow users to specify known AWS account IDs in the exclusions configuration
to filter out trusted accounts from cross-account assumability findings,
reducing noise from legitimate organizational accounts and third-party vendor
accounts while maintaining security visibility for unknown external principals.
salesforce-cla bot commented Sep 8, 2025

Thanks for the contribution! Before we can merge this, we need @bhendo to sign the Salesforce Inc. Contributor License Agreement.

Provide documentation for the three new trust policy findings
(AssumableByCrossAccountPrincipal, AssumableByAnyPrincipal, and
AssumableByAnyPrincipalWithConditions) to help security teams understand
the risks associated with each type of role assumption configuration and
provide actionable guidance for remediation and review.
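A worked illustration of the classification described in this PR, written as an added example that is not code from the PR or from Cloudsplaining itself: it assigns the three documented finding names (plus a hypothetical AssumableByComputeService for the EC2/ECS/EKS/Lambda case) to a constructed trust policy, with a list of known account IDs standing in for the exclusions configuration.

```python
import re

# Finding names come from the PR description; this classifier is an added example,
# not Cloudsplaining's own implementation.
ANY_PRINCIPAL = "AssumableByAnyPrincipal"
ANY_PRINCIPAL_COND = "AssumableByAnyPrincipalWithConditions"
CROSS_ACCOUNT = "AssumableByCrossAccountPrincipal"
COMPUTE_SERVICE = "AssumableByComputeService"  # hypothetical name for the EC2/ECS/EKS/Lambda case
COMPUTE_SERVICES = {"ec2.amazonaws.com", "ecs-tasks.amazonaws.com",
                    "eks.amazonaws.com", "lambda.amazonaws.com"}
# Captures the account part of a bare account ID, an IAM ARN, or an account wildcard.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12}|\*)(?::.*)?$")


def _as_list(value):
    """IAM accepts a single string or a list in most policy fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def classify_trust_policy(policy, account_id, known_accounts=()):
    """Return the set of findings for one role's trust policy in account `account_id`.
    `known_accounts` acts as the exclusions list: those IDs never raise a cross-account finding."""
    findings = set()
    trusted = set(known_accounts) | {account_id}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        has_conditions = bool(stmt.get("Condition"))
        principal = stmt.get("Principal", {})
        # Principal is either the bare string "*" or a map keyed by AWS / Service / Federated.
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        services = [] if principal == "*" else _as_list(principal.get("Service"))
        for p in aws:
            m = ACCOUNT_RE.match(p)
            if m and m.group(1) == "*":  # "*" itself or arn:aws:iam::*:root
                findings.add(ANY_PRINCIPAL_COND if has_conditions else ANY_PRINCIPAL)
            elif m and m.group(1) not in trusted:
                findings.add(CROSS_ACCOUNT)
        if any(s in COMPUTE_SERVICES for s in services):
            findings.add(COMPUTE_SERVICE)
    return findings


# Constructed sample trust policy for a role that lives in account 111111111111.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "333333333333"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"},
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "lambda.amazonaws.com"}},
]}
```

With 222222222222 listed as a known account and 333333333333 not, the sample yields the cross-account, any-principal-with-conditions and compute-service findings; adding 333333333333 to the known list drops the cross-account finding while the other two remain.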