Ensure cross-account IAM Role uses MFA or external ID as a condition

Ensuring that your cross-account IAM Roles require Multi-Factor Authentication (MFA) or an external ID as a condition of assuming the role is recommended as a security best practice.

Risk Level: Low
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.99
Category: Security, Identity, & Compliance

GSL Rule

IamRole where assumeRolePolicy.Statement contain [ Effect = 'Allow' and Action = 'sts:AssumeRole' and Principal regexMatch /arn:aws:iam/ and not ~getValue('accountNumber') in (Principal.AWS split(':')) ] should have assumeRolePolicy.Statement contain [ Effect = 'Allow' and Action = 'sts:AssumeRole' and ( Condition.Bool.aws:MultiFactorAuthPresent= true or Condition.StringEquals.sts:ExternalId ) ]

Remediation

From Portal

  1. Go to 'IAM'
  2. In the menu, under 'Access management', choose 'Roles'
  3. For each non-compliant IAM Role:
  4. Go to 'Trust relationships' and click 'Edit trust policy'
  5. Edit the trust policy
  6. Click 'Update policy'

From TF
To update the trust policy, edit the 'assume_role_policy' argument:

resource "aws_iam_role" "example_iam_role" {
  # JSON trust policy whose cross-account AssumeRole statement carries the MFA or sts:ExternalId condition
  assume_role_policy = POLICY-DOCUMENT
}

From Command Line
To update the trust policy, run:

aws iam update-assume-role-policy --role-name ROLE-NAME --policy-document POLICY-DOCUMENT
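The following is an added example, not CloudGuard's own code or an official AWS artifact. It approximates the GSL rule above in plain Python so that a trust policy can be checked before it is applied, and it embeds three constructed trust policies: the weak form the rule flags, and the two remediated forms (external ID and MFA) that can be serialised and passed as POLICY-DOCUMENT to the Terraform argument or the CLI command shown above. The account number, the partner account and the external ID value are made-up placeholders. As with the rule's `regexMatch /arn:aws:iam/`, a wildcard principal is not treated as a cross-account IAM principal by this check.

```python
# Added example: approximate CloudGuard rule D9.AWS.IAM.99 and show remediated trust policies.
import json

# Constructed value: the account that owns the roles being checked.
OWN_ACCOUNT = "111111111111"

# Constructed sample: a role in another account may assume this role with no
# condition at all. This is the shape the rule flags.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/partner-role"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: same principal, but the caller must pass the agreed
# external ID to sts:AssumeRole (placeholder value).
EXTERNAL_ID_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/partner-role"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

# Constructed sample: the alternative the rule accepts, an MFA-authenticated caller.
MFA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value):
    """IAM allows a string or a list in Action and Principal.AWS; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _iam_principals(statement):
    """Return the arn:aws:iam principals of a statement (Principal "*" yields none)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return []
    return [p for p in _as_list(principal.get("AWS", []))
            if isinstance(p, str) and p.startswith("arn:aws:iam")]


def _account_of(arn):
    """arn:partition:service:region:account:resource -> account (5th colon field)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def is_cross_account_assume(statement, own_account=OWN_ACCOUNT):
    """True for an Allow sts:AssumeRole statement whose IAM principal is in another account."""
    if statement.get("Effect") != "Allow":
        return False
    if "sts:AssumeRole" not in _as_list(statement.get("Action", [])):
        return False
    return any(_account_of(arn) != own_account for arn in _iam_principals(statement))


def has_mfa_or_external_id(statement):
    """True if the statement requires aws:MultiFactorAuthPresent or sts:ExternalId."""
    condition = statement.get("Condition", {})
    mfa = condition.get("Bool", {}).get("aws:MultiFactorAuthPresent")
    external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
    return str(mfa).lower() == "true" or bool(external_id)


def non_compliant_statements(policy, own_account=OWN_ACCOUNT):
    """Cross-account AssumeRole statements that lack both MFA and an external ID."""
    return [s for s in policy.get("Statement", [])
            if is_cross_account_assume(s, own_account) and not has_mfa_or_external_id(s)]


def is_compliant(policy, own_account=OWN_ACCOUNT):
    return not non_compliant_statements(policy, own_account)


def policy_document(policy):
    """Serialise a policy for --policy-document or the assume_role_policy argument."""
    return json.dumps(policy)


if __name__ == "__main__":
    samples = [("weak", WEAK_TRUST_POLICY), ("external-id", EXTERNAL_ID_TRUST_POLICY),
               ("mfa", MFA_TRUST_POLICY)]
    for name, policy in samples:
        print(f"{name}: {'compliant' if is_compliant(policy) else 'NON-COMPLIANT'}")
    print(policy_document(EXTERNAL_ID_TRUST_POLICY))
```

Running the script reports the weak policy as non-compliant and the two remediated ones as compliant, then prints the external-ID policy as the JSON string to hand to `--policy-document`. Statements that trust only principals in your own account are not flagged, matching the rule's `not ~getValue('accountNumber') in (...)` clause.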

References

  1. https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html
  5. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#assume_role_policy

IAM Role

An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management