
AWS has introduced a critical update requiring specific claims in IAM role trust policies when using OpenID Connect (OIDC) for new or updated roles. This change directly addresses vulnerabilities, such as those previously exploited in attacks demonstrated at DEFCON and those inadvertently introduced by AWS in Cognito/Amplify.
Key Details:
- Scope: Applies only to newly created or modified IAM roles (not retroactive).
- Impact: Mitigates unauthorized role assumption via shared OIDC providers.
- Reference: AWS Documentation on OIDC Provider Controls.
You Should Know:
1. Verify OIDC Claims in IAM Trust Policies
To enforce stricter controls, AWS now mandates explicit `Condition` clauses in IAM trust policies. Example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/example.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "example.com:aud": "aws-oidc-client",
          "example.com:sub": "[email protected]"
        }
      }
    }
  ]
}
```
2. Audit Existing Roles
Use the AWS CLI to list roles whose trust policy contains a federated (OIDC or SAML) principal. The JMESPath filter keeps a role only if at least one statement has `Principal.Federated` set (the CLI returns `AssumeRolePolicyDocument` already decoded, so the filter can walk it directly):
```sh
aws iam list-roles --query 'Roles[?AssumeRolePolicyDocument.Statement[?Principal.Federated]].RoleName'
```
3. Enforce Least Privilege
Update legacy roles manually to include `Condition` blocks. Example command to replace a role's trust policy with an updated document:
```sh
aws iam update-assume-role-policy --role-name YourRole --policy-document file://updated_policy.json
```
4. Monitor for Anomalies
Enable AWS CloudTrail and GuardDuty to detect suspicious `AssumeRoleWithWebIdentity` calls; to pull the recent events from CloudTrail directly:
```sh
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRoleWithWebIdentity
```
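The following Python script is an added example, not code from the original post or from AWS. It applies steps 2 to 4 offline in one pass: it walks a list of roles in the shape `aws iam list-roles` returns, reports every statement that allows `sts:AssumeRoleWithWebIdentity` for an OIDC principal without pinning both the `aud` and `sub` claims, and then flags `AssumeRoleWithWebIdentity` CloudTrail records that either target one of those unconstrained roles or name an identity provider that no role trusts. The account id, role names, provider hosts and CloudTrail records are constructed samples; the `_trust` and `_event` helpers exist only to build them. Note the deliberate limitation: the audit checks that the condition keys are present, so a trust policy that sets `sub` to a wildcard still passes and has to be reviewed by hand.

```python
"""Audit IAM trust policies for OIDC aud/sub conditions and flag
AssumeRoleWithWebIdentity events against the result.  All data below is a
constructed sample (added example), not output from a real account."""
import fnmatch
import json

WEB_IDENTITY_ACTION = "sts:AssumeRoleWithWebIdentity"
REQUIRED_CLAIMS = ("aud", "sub")


def _as_list(value):
    """Statement, Action and Principal.Federated may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _policy(role):
    """The raw API returns an encoded JSON string; the CLI already decodes it."""
    doc = role["AssumeRolePolicyDocument"]
    return json.loads(doc) if isinstance(doc, str) else doc


def oidc_provider_host(federated):
    """Provider host for an OIDC principal: 'example.com' from an oidc-provider ARN,
    or the bare provider name (e.g. cognito-identity.amazonaws.com). None for SAML
    provider ARNs and anything else."""
    marker = ":oidc-provider/"
    if marker in federated:
        return federated.split(marker, 1)[1]
    return None if federated.startswith("arn:") else federated


def _allows_web_identity(statement):
    """True if Effect is Allow and any Action pattern (including sts:*) matches."""
    return statement.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(WEB_IDENTITY_ACTION, pattern)
        for pattern in _as_list(statement.get("Action")))


def missing_claims(role):
    """{provider_host: [absent condition keys]} for each OIDC statement that allows
    web-identity assumption without both aud and sub pinned.  Only key presence is
    checked: a wildcard value such as "sub": "*" still passes and needs manual review."""
    findings = {}
    for stmt in _as_list(_policy(role).get("Statement")):
        if not _allows_web_identity(stmt) or not isinstance(stmt.get("Principal"), dict):
            continue
        # Gather keys across every operator (StringEquals, StringLike, ForAnyValue:...).
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for federated in _as_list(stmt["Principal"].get("Federated")):
            host = oidc_provider_host(federated)
            if host is None:
                continue
            absent = [f"{host}:{c}" for c in REQUIRED_CLAIMS if f"{host}:{c}".lower() not in keys]
            if absent:
                findings.setdefault(host, []).extend(absent)
    return findings


def audit_roles(roles):
    """Role name -> findings, only for roles with an unconstrained OIDC statement."""
    result = {}
    for role in roles:
        found = missing_claims(role)
        if found:
            result[role["RoleName"]] = found
    return result


def configured_providers(roles):
    """Every OIDC provider host that some role's trust policy references."""
    hosts = set()
    for role in roles:
        for stmt in _as_list(_policy(role).get("Statement")):
            principal = stmt.get("Principal")
            if isinstance(principal, dict):
                for federated in _as_list(principal.get("Federated")):
                    host = oidc_provider_host(federated)
                    if host:
                        hosts.add(host)
    return hosts


def flag_events(events, unconstrained_roles, known_providers):
    """eventIDs of AssumeRoleWithWebIdentity calls that hit an unconstrained role or
    come from an identity provider that no trust policy names."""
    flagged = []
    for ev in events:
        if ev.get("eventName") != "AssumeRoleWithWebIdentity":
            continue
        role_name = ev.get("requestParameters", {}).get("roleArn", "").rsplit("/", 1)[-1]
        provider = ev.get("userIdentity", {}).get("identityProvider", "")
        if role_name in unconstrained_roles or provider not in known_providers:
            flagged.append(ev["eventID"])
    return flagged


# ---- constructed sample data (hypothetical account, roles and events) ----
ACCOUNT = "123456789012"


def _trust(federated, condition=None, action=WEB_IDENTITY_ACTION):
    stmt = {"Effect": "Allow", "Principal": {"Federated": federated}, "Action": action}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


SAMPLE_ROLES = [
    {"RoleName": "LambdaOIDCRole", "AssumeRolePolicyDocument": _trust(
        f"arn:aws:iam::{ACCOUNT}:oidc-provider/example.com",
        {"StringEquals": {"example.com:aud": "aws-oidc-client", "example.com:sub": "user@example.com"}})},
    {"RoleName": "CognitoAccessRole", "AssumeRolePolicyDocument": _trust(
        "cognito-identity.amazonaws.com",
        {"StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:pool-id-placeholder"},
         "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}})},
    {"RoleName": "LegacyCIRole", "AssumeRolePolicyDocument": _trust(
        f"arn:aws:iam::{ACCOUNT}:oidc-provider/ci.example.org", action=["sts:*"])},
    {"RoleName": "CorpSamlRole", "AssumeRolePolicyDocument": _trust(
        f"arn:aws:iam::{ACCOUNT}:saml-provider/Corp", action="sts:AssumeRoleWithSAML")},
    {"RoleName": "EC2Role", "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}}},
]


def _event(eid, name, provider, role_name):
    return {"eventID": eid, "eventName": name, "eventSource": "sts.amazonaws.com",
            "userIdentity": {"type": "WebIdentityUser", "identityProvider": provider},
            "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/{role_name}"}}


SAMPLE_EVENTS = [
    _event("e1", "AssumeRoleWithWebIdentity", "example.com", "LambdaOIDCRole"),
    _event("e2", "AssumeRoleWithWebIdentity", "ci.example.org", "LegacyCIRole"),
    _event("e3", "AssumeRoleWithWebIdentity", "unknown-idp.example.net", "LambdaOIDCRole"),
    _event("e4", "AssumeRole", "", "EC2Role"),
]

if __name__ == "__main__":
    findings = audit_roles(SAMPLE_ROLES)
    print(json.dumps(findings, indent=2))
    print("flagged:", flag_events(SAMPLE_EVENTS, set(findings), configured_providers(SAMPLE_ROLES)))
```

To run it against a real account, replace `SAMPLE_ROLES` with the `Roles` array from `aws iam list-roles --output json` and `SAMPLE_EVENTS` with the decoded `CloudTrailEvent` strings from `aws cloudtrail lookup-events`; the audit logic itself does not change. `CognitoAccessRole` is the interesting case in the sample: it pins `aud` the way Cognito identity pools normally do but never pins `sub`, which is exactly the gap the new AWS requirement closes for newly created roles.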
What Undercode Says:
AWS’s move to enforce OIDC claim validation is a proactive step toward reducing identity-based attacks. However, organizations must:
1. Retrofit old roles manually to avoid blind spots.
2. Automate policy checks using tools like AWS Config or Open Policy Agent (OPA).
3. Combine with MFA for critical roles.
Expected Output:
Sample output for the role audit:
```json
[ "LambdaOIDCRole", "CognitoAccessRole" ]
```
Prediction:
As OIDC adoption grows, expect stricter default policies from cloud providers and increased scrutiny of third-party identity providers.
Reported By: Nick Frichette – Hackers Feeds