Skip to content

Commit 8f9ae84

Browse files
authored
Merge pull request #463 from Hacking-the-Cloud/Frichetten-patch-1
Update why_recreating_an_iam_role_doesnt_restore_trust_a_gotcha_in_ro…
2 parents 371ea4f + 359f225 commit 8f9ae84

1 file changed

Lines changed: 25 additions & 0 deletions

File tree

content/aws/general-knowledge/why_recreating_an_iam_role_doesnt_restore_trust_a_gotcha_in_role_arns.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -117,6 +117,31 @@ This trust policy will permit any AWS principal in the account `111111111111` to
117117
!!! warning
118118
It is important that you restrict who has access to the trusted account and limit what principals have `sts:AssumeRole` privileges.
119119

120+
As an alternative, you can modify the trust policy to trust the entire AWS account and then use a `Condition` block to restrict access to a specific role ARN. Unlike when a role ARN is listed directly in the `Principal` field, using `aws:PrincipalArn` in a condition does not evaluate the principal's role ID, it matches only the string value of the ARN. This means that if you delete and recreate the role with the same name, the trust policy will continue to work as long as the ARN matches.
121+
122+
```json
123+
{
124+
"Version": "2012-10-17",
125+
"Statement": [
126+
{
127+
"Effect": "Allow",
128+
"Principal": {
129+
"AWS": "arn:aws:iam::111111111111:root"
130+
},
131+
"Action": "sts:AssumeRole",
132+
"Condition": {
133+
"ArnEquals": {
134+
"aws:PrincipalArn": "arn:aws:iam::111111111111:role/Megan"
135+
}
136+
}
137+
}
138+
]
139+
}
140+
```
141+
142+
!!! warning
143+
Of course, while this approach improves resilience to role deletion, it also removes the protection from privilege escalation and lateral movement abuse offered by the original example. You should carefully evaluate what behavior you need depending on your specific scenario.
144+
120145
## Conclusion
121146

122147
IAM roles may look simple on the surface, but the way AWS handles trust relationships is complex: identity resources are more than their name. When you delete and recreate a role, even with the same ARN, AWS treats it as a completely different entity. That distinction can lead to subtle, hard-to-debug failures, especially in SaaS integrations.

0 commit comments

Comments
 (0)