Detected wildcard access granted to sts:AssumeRole and limit to a specific identity in your account

JSON pattern

Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: arn:aws:iam::<account_id>:root.

references

"AWS": "*"

BEFORE
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Deny",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject"
    }
  ]
}
AFTER
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Deny",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject"
    }
  ]
}

"AWS": "arn:aws:iam::<account_id>:root"

BEFORE
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      // wildcard-assume-role
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
AFTER
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}