Merge pull request #30 from NHSDigital/mm-odin-316-confused-deputy-prevention

matt-mercer · web-flow · commit d76c9c3bff9e · 2025-09-15T16:02:13.000+01:00
odin-316: only allow assume role from current account
diff --git a/iam.tf b/iam.tf
@@ -1,4 +1,6 @@
 
+data "aws_caller_identity" "current" {}
+
 resource "aws_iam_role" "this" {
   name = "lambda-${var.name}"
   assume_role_policy = jsonencode(
@@ -10,7 +12,12 @@ resource "aws_iam_role" "this" {
           Principal = {
             Service = "lambda.amazonaws.com"
           },
-          Effect = "Allow"
+          Effect = "Allow",
+          Condition = {
+            StringEquals = {
+              "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+            }
+          }
         }
       ]
     }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,6 @@`
`1`	`1`
	`2`	`+data "aws_caller_identity" "current" {}`
	`3`	`+`
`2`	`4`	`resource "aws_iam_role" "this" {`
`3`	`5`	`name = "lambda-${var.name}"`
`4`	`6`	`assume_role_policy = jsonencode(`
`@@ -10,7 +12,12 @@ resource "aws_iam_role" "this" {`
`10`	`12`	`Principal = {`
`11`	`13`	`Service = "lambda.amazonaws.com"`
`12`	`14`	`},`
`13`		`- Effect = "Allow"`
	`15`	`+ Effect = "Allow",`
	`16`	`+ Condition = {`
	`17`	`+ StringEquals = {`
	`18`	`+ "aws:SourceAccount" = data.aws_caller_identity.current.account_id`
	`19`	`+ }`
	`20`	`+ }`
`14`	`21`	`}`
`15`	`22`	`]`
`16`	`23`	`}`