Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureAuto Checks Integration Guide for AzureAuto Checks Integration Guide for GCP
AWS Auto Checks Detailed Explanations
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Protect IAM Service Roles from Confused Deputy Attacks Using Proper Trust Policies

Framework Reference: A.5.15 (Access Control Policies) Integration: AWS – IAM

Why this matters

A confused deputy attack occurs when a trusted AWS service (the “deputy”) is tricked into performing actions on behalf of an untrusted principal. Without proper conditions in the trust policy of IAM service roles, malicious actors or external services might:

Exploit overly broad trust relationships

Use legitimate roles to escalate privileges

Gain unauthorized access to resources

Preventing this risk requires properly scoping trust policies, especially in roles assumed by AWS services like Lambda, S3, or Step Functions.

What this check does

This Auto Check examines IAM roles for:

Trust policies that do not include aws:SourceArn or aws:SourceAccount condition keys

Service principals that allow role assumption without context-bound restrictions

Overly permissive policies where no scoping is enforced

The check fails if service roles are found to be exposed to confused deputy vulnerabilities.

How to fix it

Update IAM trust policies for service roles to include source constraints.

From the AWS Console

Open the IAM Console.

Go to Roles and select each service role flagged in the check.

Edit the Trust Relationships tab.

Add Condition blocks using:

"aws:SourceArn": Limits access to a specific resource (e.g., a specific Lambda or Step Function)

"aws:SourceAccount": Ensures only your AWS account can invoke the role

Save changes.

Trust policy example:

{  "Effect": "Allow",  "Principal": {    "Service": "lambda.amazonaws.com"  },  "Action": "sts:AssumeRole",  "Condition": {    "StringEquals": {      "aws:SourceAccount": "123456789012"    },    "ArnLike": {      "aws:SourceArn": "arn:aws:lambda:us-east-1:123456789012:function:my-function"    }  } } 

Using AWS CLI

# View role trust policy aws iam get-role --role-name <role_name> # Update the trust policy file locally and apply it: aws iam update-assume-role-policy --role-name <role_name> --policy-document file://updated-trust-policy.json

Exceptions

If a service does not support SourceArn or SourceAccount:

Restrict access using resource-based permissions or service control policies

Implement monitoring for abnormal role assumption behavior

Periodically review trust relationships for minimal exposure

Further Resources

AWS IAM Best Practices

Confused Deputy Problem – AWS Blog

Using Global Condition Keys

AWS CLI IAM Docs

Was this article helpful?

Powered by Product Fruits