Json Yaml Allow Notprincipal Trust Policy
Description
Detects AWS IAM role trust policies (the AssumeRolePolicyDocument of an AWS::IAM::Role) that combine the NotPrincipal element with an Allow effect in CloudFormation templates. This is a security risk because an Allow statement with NotPrincipal grants the permission to every principal except the ones explicitly listed, so the role can be assumed by far more identities than intended, which could lead to unintended access to AWS resources.
Detection Strategy
• Check whether the resource type is AWS::IAM::Role in the CloudFormation template
• Look for trust policy statements (AssumeRolePolicyDocument.Statement) that contain a NotPrincipal element
• Verify that the statement's Effect is Allow (written explicitly, or missing and treated as Allow by the detector)
• Report a vulnerability for each IAM role trust policy statement that uses NotPrincipal with an Allow effect
Vulnerable code example
Resources:
  DangerousRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow...

✅ Secure code example
Resources:
  SafeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17' # Always specify policy version
        Statement:
          - Effect: Allow...

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
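The following script is an added example, not Fluid Attacks' own detector, that implements the four-step detection strategy above over CloudFormation templates and exercises it against constructed samples: a vulnerable role (Allow + NotPrincipal), a secure role (Allow + explicit Principal), a legitimate Deny + NotPrincipal statement that must not be flagged, and a statement with a missing Effect that the detector treats as Allow. The templates are built as JSON/Python dicts so the example runs with the standard library only; a YAML template parsed with PyYAML's yaml.safe_load yields the same structure. The account ID 111122223333 is AWS's documentation placeholder, and the logical IDs and function names are assumptions made for this example.

```python
"""Added example: detect NotPrincipal + Allow in AWS::IAM::Role trust policies.

Not Fluid Attacks' code. Works on the dict produced by json.load (or
yaml.safe_load for YAML templates). Logical IDs and account IDs are placeholders.
"""
import json


# Constructed sample in CloudFormation JSON form: the vulnerable pattern.
# 111122223333 is AWS's documentation placeholder account ID.
VULNERABLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "DangerousRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:user/blocked-user"},
              "Action": "sts:AssumeRole"
            }
          ]
        }
      }
    }
  }
}
""")


def role_template(logical_id: str, *statements: dict) -> dict:
    """Build a minimal template holding one AWS::IAM::Role (helper for samples)."""
    return {
        "Resources": {
            logical_id: {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": list(statements),
                    }
                },
            }
        }
    }


# Secure: Allow scoped to an explicit Principal (a service here).
SECURE_TEMPLATE = role_template(
    "SafeRole",
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"},
)

# Not flagged: NotPrincipal combined with Deny is the element's legitimate use.
DENY_TEMPLATE = role_template(
    "DenyRole",
    {"Effect": "Deny", "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:role/ops"},
     "Action": "sts:AssumeRole"},
)

# Flagged: Effect omitted; the detector treats a missing Effect as Allow,
# and Statement given as a single object rather than a list is accepted.
IMPLICIT_TEMPLATE = role_template("ImplicitRole")
IMPLICIT_TEMPLATE["Resources"]["ImplicitRole"]["Properties"]["AssumeRolePolicyDocument"]["Statement"] = {
    "NotPrincipal": {"AWS": "*"}, "Action": "sts:AssumeRole"
}


def find_notprincipal_allow(template: dict) -> list:
    """Return 'LogicalId:Statement[i]' for every trust-policy statement that
    combines NotPrincipal with an Allow effect (explicit or implicit)."""
    findings = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        # Step 1: only IAM roles carry a trust policy.
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::IAM::Role":
            continue
        doc = (resource.get("Properties") or {}).get("AssumeRolePolicyDocument")
        if not isinstance(doc, dict):
            continue  # e.g. a Ref/Fn:: intrinsic; cannot be inspected statically here
        statements = doc.get("Statement") or []
        if isinstance(statements, dict):  # IAM allows a single statement object
            statements = [statements]
        for index, stmt in enumerate(statements):
            # Step 2: look for the NotPrincipal element.
            if not isinstance(stmt, dict) or "NotPrincipal" not in stmt:
                continue
            # Step 3: Allow effect, explicit or (per the strategy) defaulted.
            effect = str(stmt.get("Effect", "Allow")).strip().lower()
            if effect == "allow":
                # Step 4: report the offending statement.
                findings.append(f"{logical_id}:Statement[{index}]")
    return findings


if __name__ == "__main__":
    for name, tpl in [("vulnerable", VULNERABLE_TEMPLATE), ("secure", SECURE_TEMPLATE),
                      ("deny", DENY_TEMPLATE), ("implicit", IMPLICIT_TEMPLATE)]:
        print(f"{name}: {find_notprincipal_allow(tpl) or 'no findings'}")
```

The check deliberately ignores AssumeRolePolicyDocument values that are intrinsic functions (Ref, Fn::Sub, and so on), since their content is only known at deploy time; a production scanner would either resolve them or report them for manual review.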