Skip to content

Assume role support #474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Sep 26, 2025
Merged

Assume role support #474

merged 9 commits into from
Sep 26, 2025

Conversation

@bhendo
Copy link
Contributor

@bhendo bhendo commented Sep 8, 2025

What does this PR do?

Adds support for flagging risky trust policies in IAM roles, enhancing the tool's ability to detect cross-account and overly permissive role assumptions. The changes introduce a new flag_trust_policies option to both single-account and multi-account scan commands, propagate this flag through the scanning pipeline, and implement logic to identify risky trust policy configurations.

These changes make it easier to identify and flag IAM roles with risky trust policies, improving the security posture of scanned AWS environments.

New trust policy risk detection:

  • Added a new CLI option --flag-trust-policies (with shorthand -t) to both scan and scan_multi_account commands, allowing users to enable detection of risky trust policies in IAM roles.
  • Propagated the flag_trust_policies flag through all relevant functions and classes in the scanning pipeline, including scan, scan_multi_account, scan_accounts, scan_account, scan_account_authorization_details, AuthorizationDetails, and RoleDetails.

Trust policy analysis logic:

  • Enhanced AssumeRolePolicyDocument and AssumeRoleStatement classes to analyze trust policies, including detection of cross-account principals, wildcard principals, and conditions, enabling identification of risky configurations.
  • Integrated account ID and exclusions logic into trust policy analysis to avoid false positives for known accounts and support more accurate risk detection.

What gif best describes this PR or how it makes you feel?

homerincognito

Completion checklist

  • Additions and changes have unit tests
  • The pull request has been appropriately labeled using the provided PR labels
  • GitHub actions automation is passing (make test, make lint, make security-test, make test-js)
  • If the UI contents or JavaScript files have been modified, generate a new example report:
# Generate the updated Javascript bundle
make build-js

# Generate the example report
make generate-report

@bhendo
Add AssumableByComputeService findings to role detail output
44877db 
Surface compute service assumability findings at the role level to provide
better visibility into roles that can be assumed by EC2, ECS, EKS, or Lambda
services, helping security teams identify potential privilege escalation paths
through compute services.
@bhendo
Add AssumableByCrossAccountPrincipal findings to role detail output
52a6cc7 
Surface cross-account assumability findings at the role level to provide
better visibility into roles that can be assumed by principals from other
AWS accounts, helping security teams identify potential attack surface
expansion beyond organizational boundaries.
@bhendo
Add --flag-trust-policies CLI option to toggle trust policy findings
5052df1 
Add a new command line flag --flag-trust-policies that allows users to control
whether trust policy findings are included in role detail output, providing
more granular control over which security findings are reported.
@bhendo
Add AssumableByAnyPrincipal findings to role detail output
12d6bac 
Surface roles that can be assumed by any principal (*) or any AWS account
root to provide critical visibility into the most dangerous trust policy
configurations, helping security teams immediately identify roles that
present the highest risk of unauthorized access from any AWS account.
@bhendo
Add AssumableByAnyPrincipalWithConditions findings to role detail output
05997ff 
Surface roles that can be assumed by any principal (*) or any AWS account
root when conditions are present to provide enhanced visibility into
potentially dangerous trust policy configurations. While conditions may
appear to provide security controls, they can be overly permissive or
contain logical flaws, helping security teams identify roles that require
careful review to ensure conditions adequately restrict access and prevent
unintended privilege escalation.
@bhendo
Add known-accounts exclusions to reduce cross-account principal false…
aab032d 
… positives

Allow users to specify known AWS account IDs in the exclusions configuration
to filter out trusted accounts from cross-account assumability findings,
reducing noise from legitimate organizational accounts and third-party vendor
accounts while maintaining security visibility for unknown external principals.
@salesforce-cla
Copy link

salesforce-cla bot commented Sep 8, 2025

Thanks for the contribution! Before we can merge this, we need @bhendo to sign the Salesforce Inc. Contributor License Agreement.

@bhendo
Add documentation for new trust policy findings
47dcc00 
Provide documentation for the three new trust policy findings
(AssumableByCrossAccountPrincipal, AssumableByAnyPrincipal, and
AssumableByAnyPrincipalWithConditions) to help security teams understand
the risks associated with each type of role assumption configuration and
provide actionable guidance for remediation and review.
@bhendo bhendo force-pushed the assume-role-support branch from 1733a48 to 47dcc00 Compare September 10, 2025 09:57
gruebel
gruebel reviewed Sep 25, 2025
View reviewed changes
Copy link
Collaborator

@gruebel gruebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall change looks good, great job 🍻

@bhendo
Add trust policy severity caching to avoid repeated list scans
e226ccc 
Streamlined the trust policy aggregation to eliminate repeated loops over statements and cache the severity filter before building
findings to improve performance.
@bhendo bhendo requested a review from gruebel September 26, 2025 08:06
@bhendo
Copy link
Contributor Author

bhendo commented Sep 26, 2025

@gruebel I added some additional logic to cover shortened account id principals (something I'd previously overlooked) in 0ca67ef

gruebel
gruebel approved these changes Sep 26, 2025
View reviewed changes
@bhendo
Handle account ID principals in cross-account trust checks
14dcd6e 
Trust policies can list 12-digit account IDs in addition to arns ARNs. Normalizing principals through a shared helper (and exercising exclusions/current-account filtering in tests) keeps --flag-trust-policies from missing those roles that are assumable from other accounts when only the account ID is supplied.
@bhendo bhendo force-pushed the assume-role-support branch from 0ca67ef to 14dcd6e Compare September 26, 2025 09:09
@gruebel gruebel merged commit abeef3d into salesforce:master Sep 26, 2025
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gruebel gruebel gruebel approved these changes

Assignees

No one assigned

Labels

cla:signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bhendo @gruebel