IAM misconfigurations

Role Can be Assumed by External Identity

Risk Level

Informational (4)

Compliance Frameworks

About IAM Roles in AWS

An IAM role in AWS is an identity with a specific set of permissions. Just like an IAM user, the access policies attached to a role dictate which resources it can access and what actions it can perform. Unlike an IAM user, however, a role isn’t bound to a single person or to long-term credentials; it can be assumed by any principal that the role’s trust policy allows.

Roles are a great way to grant permissions to people who don’t require indefinite access to your resources. For example, you may want to grant your developers short-term access to the production servers to fix a critical bug. Or you may want users of an AWS account to access resources in another account. Roles are also the way to go when granting temporary access to third parties such as vendors, service providers, etc.

With that said, extra care must be taken when allowing external entities to assume an IAM role. It’s recommended to require an external ID and MFA when granting cross-account access. An external ID ensures that only the intended party can assume the role, and only under the circumstances you agreed on. Moreover, even with an external ID configured, only trusted external identities should be allowed to assume the role.

Cloud Risk Description

IAM roles that can be assumed by untrusted external identities allow unauthorized cross-account access to sensitive resources. Such roles can also be assumed by malicious actors, who can then use the role’s privileges to compromise your infrastructure.
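The trust-policy controls described above (a trusted external account, an external ID, and MFA) and the risk described here can be checked mechanically. The following Python is an added example, not Orca's code or part of the original page: it parses an IAM role trust policy and flags every `Allow` statement that lets an account other than your own call `sts:AssumeRole` without an `sts:ExternalId` condition or an `aws:MultiFactorAuthPresent` condition, or that uses a wildcard principal. The two policies, the account IDs, and the external ID value are constructed placeholders, and the helper only inspects `AWS` principals (service and federated principals are left out to keep the example focused).

```python
import json
from typing import Any

# Constructed placeholders: the account that owns the role, and two sample trust policies.
OWN_ACCOUNT = "111111111111"

# Weak: a foreign account may assume the role with no external ID and no MFA requirement.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Hardened: same trusted account, but AssumeRole must carry the agreed external ID
# and the calling session must have authenticated with MFA.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"sts:ExternalId": "example-external-id"},  # placeholder value
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
        },
    }],
})


def _as_list(value: Any) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal: Any) -> set[str]:
    """Return the account IDs named in a statement's Principal ("*" means anyone).
    Only the "AWS" principal type is inspected (assumption of this example)."""
    if principal == "*":
        return {"*"}
    accounts: set[str] = set()
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    for entry in entries:
        if entry == "*":
            accounts.add("*")
        elif entry.startswith("arn:"):
            accounts.add(entry.split(":")[4])  # arn:partition:iam::ACCOUNT:resource
        else:
            accounts.add(entry)  # bare 12-digit account ID is also a valid principal
    return accounts


def _allows_assume_role(actions: Any) -> bool:
    """True if the Action list covers sts:AssumeRole (directly or via a wildcard)."""
    for action in _as_list(actions):
        lowered = action.lower()
        if lowered in ("*", "sts:*") or lowered.startswith("sts:assumerole"):
            return True
    return False


def _condition_keys(condition: Any) -> dict[str, Any]:
    """Flatten {operator: {key: value}} into {key.lower(): value}; condition keys are
    case-insensitive in IAM, so comparisons below use lower-case names."""
    flat: dict[str, Any] = {}
    for operator_block in (condition or {}).values():
        for key, value in operator_block.items():
            flat[key.lower()] = value
    return flat


def audit_trust_policy(policy_document: str, own_account: str) -> list[dict]:
    """Return one finding per Allow statement that grants AssumeRole to an external
    account without the expected controls. An empty list means no issue was found."""
    policy = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _allows_assume_role(stmt.get("Action")):
            continue
        external = _principal_accounts(stmt.get("Principal")) - {own_account}
        if not external:
            continue  # same-account trust is out of scope for this check
        keys = _condition_keys(stmt.get("Condition"))
        mfa_required = str(keys.get("aws:multifactorauthpresent", "")).lower() == "true"
        reasons = []
        if "*" in external:
            reasons.append("wildcard principal: any AWS identity may call AssumeRole")
        if "sts:externalid" not in keys:
            reasons.append("no sts:ExternalId condition")
        if not mfa_required:
            reasons.append("no aws:MultiFactorAuthPresent condition")
        if reasons:
            findings.append({"accounts": sorted(external), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, json.dumps(audit_trust_policy(doc, OWN_ACCOUNT), indent=2))
```

On a live account the same function can be fed the `AssumeRolePolicyDocument` returned for each role by the IAM API; the check is deliberately conservative and reports a statement as soon as either control is missing, so a reviewer decides case by case whether the trusted account is genuinely intended.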

How Does Orca Help?

Orca detects and prioritizes identity and access management misconfigurations such as weak and leaked passwords, exposed credentials, and overly permissive identities. Continuous IAM monitoring across your cloud estate prevents malicious and accidental exposure. In this specific case, Orca helps by looking for “roles that can be assumed by external identities” and will alert on this type of issue as shown in the screenshot above.


Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents.