Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explained
Auto Checks Detailed Explanation
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Prevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS Accounts

Framework Reference: A.8.3 (Access Control for External Parties) Integration: AWS – IAM

Why this matters

Even limited-access policies like AWS's managed ReadOnlyAccess can expose sensitive data when granted to external AWS accounts. Roles that trust third-party accounts:

Could unintentionally expose internal system configurations or security logs

May leak information about infrastructure, services in use, or account metadata

Are often overlooked in reviews due to the perception of low risk

To reduce exposure, restrict such permissions to explicitly approved partners and ensure all external sharing is audited and justified.

What this check does

This Auto Check reviews IAM roles and flags those that:

Have trust relationships with external AWS accounts (outside your organization)

Include attachment of the AWS-managed ReadOnlyAccess policy

Lack conditions or documentation justifying the relationship

The check fails if roles with external trust grant this policy without proper constraints or review.

How to fix it

Review and update all IAM roles that grant ReadOnlyAccess to external AWS accounts.

From the AWS Console

Open the IAM Console.

Navigate to Roles and inspect trust policies for external account IDs.

Check if these roles attach the arn:aws:iam::aws:policy/ReadOnlyAccess managed policy.

Take one of the following actions:

Detach the policy from the role

Modify the trust policy to remove the external account

Add conditions that scope access to specific, verified contexts (e.g., using StringEquals, SourceArn, or tags)

Delete any roles that are no longer necessary.

Using AWS CLI

# List entities using the ReadOnlyAccess policy aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess # Detach from role aws iam detach-role-policy --role-name <role_name> --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

Exceptions

In some collaboration scenarios with trusted partners (e.g., managed security services or vendors):

Use a formal access review and approval process

Restrict access to specific resources using IAM conditions

Consider creating a custom policy that limits read access to required services only

Monitor usage via CloudTrail and automate revocation if no longer used

Further Resources

IAM Best Practices – AWS Documentation

Managing IAM Role Trust Policies

ReadOnlyAccess Policy Documentation

AWS CLI IAM Reference

Was this article helpful?

Powered by Product Fruits