Detect wildcard access granted to sts:AssumeRole and limit it to a specific identity in your account

JSON pattern

Detected wildcard access granted to sts:AssumeRole. This means any AWS principal, in any account, that knows your account ID and the name of the role can assume the role. Instead, limit the trust to a specific identity in your account, like this: arn:aws:iam::<account_id>:root (the account principal, which trusts every IAM user and role in that account that is itself permitted to call sts:AssumeRole; name a specific role or user ARN if you need a narrower trust).

references


Apply with the Grit CLI
grit apply wildcard_assume_role

"AWS": "*"

BEFORE
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Deny",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject"
    }
  ]
}
AFTER
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Deny",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject"
    }
  ]
}

"AWS": "arn:aws:iam::<account_id>:root"

BEFORE
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      // wildcard-assume-role
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
AFTER
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      // wildcard-assume-role
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}