Cross-service confused deputy prevention
The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action.
In Amazon, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the calling service) calls another service (the called service). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access.
To prevent this, Amazon provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. We recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in trust policies for Amazon EC2 Auto Scaling service roles. These keys limit the permissions that Amazon EC2 Auto Scaling gives another service to the resource.
The values for the SourceArn and SourceAccount fields are set when Amazon EC2 Auto Scaling uses Amazon Security Token Service (Amazon STS) to assume a role on your behalf.
To use the aws:SourceArn or aws:SourceAccount global condition keys, set the value to the Amazon Resource Name (ARN) or account of the resource that Amazon EC2 Auto Scaling stores. Whenever possible, use aws:SourceArn, which is more specific. Set the value to the ARN or an ARN pattern with wildcards (*) for the unknown portions of the ARN. If you don't know the ARN of the resource, use aws:SourceAccount instead.
The following example shows how you can use the aws:SourceArn and aws:SourceAccount global condition context keys in Amazon EC2 Auto Scaling to prevent the confused deputy problem.
Example: Using aws:SourceArn and aws:SourceAccount condition keys
A role that a service assumes to perform actions on your behalf is called a service role. In cases where you want to create lifecycle hooks that send notifications to anywhere other than Amazon EventBridge, you must create a service role to allow Amazon EC2 Auto Scaling to send notifications to an Amazon SNS topic or Amazon SQS queue on your behalf. If you want only one Auto Scaling group to be associated with the cross-service access, you can specify the trust policy of the service role as follows.
This example trust policy uses condition statements to limit the AssumeRole capability on the service role to only the actions that affect the specified Auto Scaling group in the specified account. The aws:SourceArn and aws:SourceAccount conditions are evaluated independently. Any request to use the service role must satisfy both conditions.
Before using this policy, replace the Region, account ID, UUID, and group name with valid values from your account.
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ConfusedDeputyPreventionExamplePolicy",
    "Effect": "Allow",
    "Principal": {
      "Service": "autoscaling.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "ArnLike": {
        "aws:SourceArn": "arn:aws-cn:autoscaling:region:account_id:autoScalingGroup:uuid:autoScalingGroupName/my-asg"
      },
      "StringEquals": {
        "aws:SourceAccount": "account_id"
      }
    }
  }
}
In the preceding example:
- The Principal element specifies the service principal of the service (autoscaling.amazonaws.com).
- The Action element specifies the sts:AssumeRole action.
- The Condition element specifies the aws:SourceArn and aws:SourceAccount global condition keys. The source's ARN includes the account ID, so it is not necessary to use aws:SourceAccount with aws:SourceArn.
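The following is an added example, not code from this page or from Amazon: a small offline model of how the trust policy above is evaluated, covering both the wildcard ARN pattern described earlier (a `*` for the unknown UUID portion of the ARN) and the rule that the aws:SourceArn and aws:SourceAccount conditions are checked independently and must both hold. The account IDs, Region, UUID and group names are constructed sample values; the matching rules for ArnLike and StringEquals are modelled on the documented IAM operators, and the evaluator handles only the operators this policy uses.

```python
"""Offline evaluator for the confused-deputy trust policy shown on this page.
Added example; not AWS code and makes no API calls. It models IAM's ArnLike
('*' and '?' wildcards, compared per ARN component) and StringEquals operators
and shows that both conditions must hold for sts:AssumeRole to be allowed."""
import re

# Constructed sample values (not real accounts or resources).
ACCOUNT = "111122223333"
OTHER_ACCOUNT = "444455556666"
REGION = "cn-north-1"
UUID = "12345678-1234-1234-1234-123456789012"


def asg_arn(account: str, name: str, uuid: str = UUID, region: str = REGION) -> str:
    """Build an Auto Scaling group ARN in the aws-cn partition (format as on the page)."""
    return (f"arn:aws-cn:autoscaling:{region}:{account}:autoScalingGroup:{uuid}:"
            f"autoScalingGroupName/{name}")


def arn_like(pattern: str, value: str) -> bool:
    """ArnLike: compare the six colon-delimited ARN components one by one.
    '*' matches any run of characters and '?' exactly one, within a component.
    The sixth (resource) component may itself contain colons, so split at most 5 times."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    for p, v in zip(p_parts, v_parts):
        regex = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, v) is None:
            return False
    return True


OPERATORS = {
    "ArnLike": arn_like,
    "ArnEquals": arn_like,  # IAM evaluates ArnEquals the same way as ArnLike
    "StringEquals": lambda expected, actual: expected == actual,
}


def condition_holds(condition: dict, context: dict) -> bool:
    """Every operator block and every key inside it must hold (logical AND).
    Several values for one key are ORed. A key missing from the request
    context fails the condition for these operators."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected_values = expected if isinstance(expected, list) else [expected]
            if not any(match(e, actual) for e in expected_values):
                return False
    return True


def assume_role_allowed(trust_policy: dict, principal_service: str, context: dict) -> bool:
    """True if an Allow statement lets principal_service call sts:AssumeRole under
    the given request context and no matching Deny statement overrides it."""
    statements = trust_policy["Statement"]
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    allowed = False
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        services = st.get("Principal", {}).get("Service", [])
        services = services if isinstance(services, list) else [services]
        if "sts:AssumeRole" not in actions or principal_service not in services:
            continue
        if not condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def confused_deputy_policy(account: str, asg_arn_pattern: str) -> dict:
    """The trust policy from this page with the ARN pattern and account filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Sid": "ConfusedDeputyPreventionExamplePolicy",
            "Effect": "Allow",
            "Principal": {"Service": "autoscaling.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {"aws:SourceArn": asg_arn_pattern},
                "StringEquals": {"aws:SourceAccount": account},
            },
        },
    }


def scenario(policy: dict, source_arn: str, source_account: str) -> bool:
    """Evaluate the policy for an AssumeRole request made by Amazon EC2 Auto Scaling."""
    return assume_role_allowed(policy, "autoscaling.amazonaws.com",
                               {"aws:SourceArn": source_arn, "aws:SourceAccount": source_account})


if __name__ == "__main__":
    # '*' stands in for the UUID, as the page recommends for unknown portions of the ARN.
    policy = confused_deputy_policy(ACCOUNT, asg_arn(ACCOUNT, "my-asg", uuid="*"))
    print(scenario(policy, asg_arn(ACCOUNT, "my-asg"), ACCOUNT))              # True
    print(scenario(policy, asg_arn(ACCOUNT, "other-asg"), ACCOUNT))           # False: wrong group
    print(scenario(policy, asg_arn(OTHER_ACCOUNT, "my-asg"), OTHER_ACCOUNT))  # False: other account
```

The third scenario is the confused-deputy case the page describes: a group with the same name in another account produces a different account component in aws:SourceArn (and a different aws:SourceAccount), so the service cannot be made to assume the role for that group. Because the account ID is part of the ARN, the aws:SourceArn condition alone already rejects it, which is why the page notes that aws:SourceAccount is not strictly needed alongside aws:SourceArn.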
Additional information
For more information, see Amazon global condition context keys, The confused deputy problem, and Modifying a role trust policy (console) in the IAM User Guide.