Skip to main content
CRITICALIAMSecurity

IAM Role Assumable By Any AWS Account

iam-role-anonymous-assume

What this rule checks

Detects IAM roles whose trust policy allows a wildcard principal to assume them with no scoping condition β€” anyone with an AWS account can become the role.

How to fix it

  1. 1Name the trusted principals explicitly (account root ARNs, service principals, or federated providers)
  2. 2If broad trust is intended, scope it with aws:PrincipalOrgID or an sts:ExternalId condition
FlaggedA trust policy with Principal {AWS: '*'} and no condition lets any principal in any AWS account assume the role β€” its permissions are effectively public.
import * as iam from 'aws-cdk-lib/aws-iam';

new iam.CfnRole(this, 'SupportRole', {
  assumeRolePolicyDocument: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Principal: { AWS: '*' },
        Action: 'sts:AssumeRole',
      },
    ],
  },
});
FixedNaming the trusted account and requiring an sts:ExternalId scopes the trust to the intended party, so the finding clears.
import * as iam from 'aws-cdk-lib/aws-iam';

new iam.CfnRole(this, 'SupportRole', {
  assumeRolePolicyDocument: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Principal: { AWS: 'arn:aws:iam::111122223333:root' },
        Action: 'sts:AssumeRole',
        Condition: { StringEquals: { 'sts:ExternalId': 'support-vendor' } },
      },
    ],
  },
});

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::IAM::Role

Compliance frameworks

SOC2HIPAAPCI-DSSCISNIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate β€” a genuinely public endpoint, say. You can dismiss iam-role-anonymous-assume and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "iam-role-anonymous-assume", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::iam-role-anonymous-assume',
  reason: 'Why this is intentional',
});

Use the rule ID iam-role-anonymous-assume shown above β€” not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs β†’

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 136+ other rules locally against your synthesised CDK app β€” free, no account, your code never leaves your machine.

More IAM rules