IAM role can be assumed by anyone







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood.

IMPACT How impactful a successful exploitation of this vulnerability is expected to be for your environment and organization.




Identity and Access Management (IAM) roles dictate the effective potential blast radius for any abused
credential. This vulnerability describes a scenario in which any user, workload, or other principal could
assume a role inside the target account simply by making the right API call and knowing the role ARN.

Understanding Impact

Business Impact

Roles should never be assumable by any principal in any AWS account. This configuration is high risk because
an attacker who assumes the role obtains its credentials and can act with its permissions. The impact is
dictated by how permissive the role in question is.

Technical Impact

In AWS, IAM roles have a trust policy that defines who can assume the role. Assuming the role allows users to
retrieve temporary STS credentials bound to that role. Roles with a public trust policy (a wildcard principal
with no restricting condition) allow anyone to retrieve such credentials and compromise the role.

Trust policy changes should be audited continuously to detect this potential vulnerability.

Identify affected resources

Use aws iam list-roles or aws iam get-role --role-name <your-role> to see the trust policy of a role.

Sample vulnerable role:

```json
{
  "Path": "/",
  "RoleName": "vulnerable-role",
  "Arn": "arn:aws:iam::0123456789012:role/vulnerable-role",
  "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "*"
        },
        "Action": "sts:AssumeRole",
        "Condition": {}
      }
    ]
  },
  "Description": "",
  "MaxSessionDuration": 3600
}
```

Remediate vulnerable resources

Adapt the trust policy to remove public access. In particular, consider restricting who can assume the role.
See also Common scenario for roles.
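Added example (not from the original page or from Datadog): a small Python checker that parses the JSON returned by aws iam list-roles and flags roles whose trust policy allows a wildcard principal to assume the role without any condition. The account id, role names and the deploy-role ARN in the sample are constructed placeholders.

```python
import json

# Constructed sample modelled on `aws iam list-roles` output; account id and
# role names are placeholders, not real data.
LIST_ROLES_OUTPUT = json.dumps({"Roles": [
    {"RoleName": "vulnerable-role",
     "Arn": "arn:aws:iam::111122223333:role/vulnerable-role",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": "sts:AssumeRole", "Condition": {}}]}},
    {"RoleName": "hardened-role",
     "Arn": "arn:aws:iam::111122223333:role/hardened-role",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy-role"},
          "Action": "sts:AssumeRole"}]}},
]})

def _as_list(value):
    # IAM allows a single value or a list for Statement, Action and Principal.AWS
    return value if isinstance(value, list) else [value]

def statement_is_public(stmt):
    """True if an Allow statement lets any principal call an AssumeRole action
    and carries no Condition block that could narrow who that is."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
        return False
    principal = stmt.get("Principal", {})
    # Principal may be the bare string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}
    if isinstance(principal, dict):
        wildcard = "*" in _as_list(principal.get("AWS", []))
    else:
        wildcard = principal == "*"
    # A non-empty Condition (e.g. on aws:PrincipalOrgID) may restrict the
    # wildcard, so such statements are left for manual review, not flagged.
    return wildcard and not stmt.get("Condition")

def find_public_roles(list_roles_json):
    """Return the ARNs of roles whose trust policy has a public Allow statement."""
    roles = json.loads(list_roles_json)["Roles"]
    return [r["Arn"] for r in roles
            if any(statement_is_public(s)
                   for s in _as_list(r["AssumeRolePolicyDocument"]["Statement"]))]

if __name__ == "__main__":
    for arn in find_public_roles(LIST_ROLES_OUTPUT):
        print("public trust policy:", arn)
```

To run it against a real account, pipe the output of aws iam list-roles into find_public_roles instead of the embedded sample.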

How Datadog can help


Datadog CSM detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | IAM role trust policy does not contain a wildcard principal".

Cloud SIEM

Datadog Cloud SIEM detects this vulnerability using the out-of-the-box rule "Datadog Cloud SIEM Rule | Detect when an attacker accesses your AWS account from their AWS account.".


How to use trust policies with IAM roles

aws documentation

Misconfigured IAM Roles Lead to Thousands of Compromised Cloud Workloads

