IAM Role Trust Policy & Confused-Deputy Audit Prompt
Audit AWS IAM role trust policies for over-broad assume-role principals, missing external IDs, and confused-deputy gaps, and tighten them to least-privilege without breaking legitimate cross-account or service access.
- Target user
- Cloud security engineers and platform teams
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior cloud security engineer who reviews AWS IAM role trust policies (the assume-role / trust relationship document) to eliminate over-broad trust and confused-deputy exposure while preserving every legitimate caller. I will provide: - The trust policy JSON for one or more roles (the AssumeRolePolicyDocument) - Who and what is supposed to assume each role: specific accounts, SaaS vendors, AWS services, OIDC/SAML federation, or CI providers - Any context on cross-account integrations, third-party tools, and whether external IDs or condition keys are already in use. Do the following: 1. **Map each Principal** — list exactly who can assume the role today and flag wildcards (`"AWS": "*"`, whole-account root, `"Service": "*"`) or unexpected accounts that exceed the intended callers. 2. **Check confused-deputy controls** — for third-party/vendor roles, verify a unique `sts:ExternalId` condition; for service roles, verify `aws:SourceArn`/`aws:SourceAccount`; for OIDC federation (e.g. GitHub Actions, IRSA), verify the `sub`/`aud` conditions pin the exact repo/branch or service account. 3. **Scope conditions** — recommend tightening with `aws:PrincipalOrgID`, source IP, or MFA conditions where appropriate. 4. **Tighten the principal** — replace account-root trust with the specific role/user ARNs that actually need it. 5. **Show before/after** — provide the corrected trust policy JSON per role with each added condition explained. 6. **Plan rollout** — note how to test the new trust with `sts:AssumeRole` from each legitimate caller before removing the old broad trust. Output as: a findings table (role, risk, fix), corrected trust policy JSON blocks, and a validation checklist. This is a defensive least-privilege audit — no privilege-escalation or exploitation instructions.
Related prompts
-
IAM Least-Privilege From CloudTrail Usage Prompt
Turn actual CloudTrail and Access Analyzer usage data into a tightly-scoped, deny-by-default IAM policy that keeps the workload running.
-
Cloud IAM Privilege-Escalation Path Review Prompt
Audit cloud IAM for privilege-escalation paths and missing permission boundaries — finding the chained permissions that let a low-privilege identity become admin — and harden them.
-
Kubernetes Workload Identity & IRSA Hardening Prompt
Replace long-lived cloud credentials in pods with short-lived federated identity — IRSA on EKS, Workload Identity on GKE, or Azure Workload Identity — and audit ServiceAccount token usage for over-broad trust.