
Rule: Ensure IAM policies that allow full administrative privileges are not attached

This rule ensures that IAM policies with full administrative privileges are not mistakenly attached, reducing security risks.

Rule: Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Framework: cis_v140
Severity: Medium

Ensure IAM policies that allow full "*:*" administrative privileges are not attached

Rule Description

IAM policies with full administrative privileges are defined as policies with statements that allow all actions ("*") on all resources ("*"). These policies essentially grant the bearer unlimited access to the AWS resources and services, which violates the principle of least privilege and thereby increases the security risks. It is a best practice to avoid attaching such overly permissive policies to any user, group, or role within your AWS environment.

Troubleshooting Steps and Remediation

The following steps outline how to identify and remediate IAM policies that grant full administrative privileges:

1. Identifying Full Administrative Policies

  • Use the AWS Management Console or AWS CLI to list all existing IAM policies.

    AWS CLI Command:

    aws iam list-policies --scope Local
    
  • Look for policies with an Action element set to "*" and the Resource element set to "*".

2. Review Policy Usage

  • Determine which IAM users, groups, or roles the policy is attached to.

    AWS CLI Command:

    aws iam list-entities-for-policy --policy-arn <PolicyArn>
    

3. Determine the Necessity of Full Access

  • Analyze the necessity of full access for each entity the policy is attached to.
  • If full access is not justified, proceed to the next step; otherwise, re-evaluate whether the policy should exist.

4. Create and Attach Limited Privilege Policies

  • Design IAM policies that adhere to the principle of least privilege based on the roles' needs.
  • Test these policies to ensure they meet the user or role requirements without excessive permissions.

5. Detach Full Administrative Policies

  • Gradually detach full administrative policies, replacing them with the new limited privilege policies.

    AWS CLI Command to Detach a Policy:

    aws iam detach-user-policy --user-name <UserName> --policy-arn <PolicyArn>
    aws iam detach-group-policy --group-name <GroupName> --policy-arn <PolicyArn>
    aws iam detach-role-policy --role-name <RoleName> --policy-arn <PolicyArn>
    

6. Delete Full Administrative Policies

  • Once detached from all entities, delete the full administrative policies if they are no longer required.

    AWS CLI Command to Delete a Policy:

    aws iam delete-policy --policy-arn <PolicyArn>
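As an added example (not part of this rule page or the Cloud Defense product), the following Python script automates steps 1 and 2 with boto3: the pure check full_admin_statements decides whether a policy document contains an Allow statement for Action "*" or "*:*" over Resource "*", handling the single-statement and list-valued forms IAM permits, and the hypothetical helper audit_attached_local_policies runs it over attached customer-managed policies and returns the users, groups and roles still attached to each offender, which is the input to steps 3 to 5. The three sample documents are constructed for offline use.

```python
"""Flag IAM policy documents that allow all actions ("*" or "*:*") on all resources ("*")."""

FULL_ADMIN_ACTIONS = {"*", "*:*"}


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]


def full_admin_statements(policy_document):
    """Return indexes of statements with Effect Allow, Action "*"/"*:*" and Resource "*".
    A Condition element narrows such a grant, but the statement is still reported."""
    hits = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny on */* is a guardrail, not an admin grant
        actions = {str(a) for a in _as_list(stmt.get("Action"))}
        resources = {str(r) for r in _as_list(stmt.get("Resource"))}
        if actions & FULL_ADMIN_ACTIONS and "*" in resources:
            hits.append(idx)
    return hits


# Constructed sample documents for offline checks; not taken from any real account.
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_DOC = {"Version": "2012-10-17",  # single statement object, list-valued Action
              "Statement": {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                            "Resource": "arn:aws:s3:::example-bucket/*"}}
DENY_DOC = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


def audit_attached_local_policies():
    """Live audit of attached customer-managed policies (needs boto3 and AWS credentials).
    boto3 is imported here so the offline checks above run without it installed."""
    import boto3
    iam = boto3.client("iam")
    findings = []  # (policy ARN, user names, group names, role names) per offending policy
    for page in iam.get_paginator("list_policies").paginate(Scope="Local", OnlyAttached=True):
        for pol in page["Policies"]:
            doc = iam.get_policy_version(PolicyArn=pol["Arn"],
                                         VersionId=pol["DefaultVersionId"])["PolicyVersion"]["Document"]
            if full_admin_statements(doc):
                ents = iam.list_entities_for_policy(PolicyArn=pol["Arn"])
                findings.append((pol["Arn"], [u["UserName"] for u in ents["PolicyUsers"]],
                                 [g["GroupName"] for g in ents["PolicyGroups"]],
                                 [r["RoleName"] for r in ents["PolicyRoles"]]))
    return findings
```

Each returned tuple maps directly onto the detach commands in step 5, one per attached user, group or role.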
    

Final Recommendations

  • Regularly audit IAM policies and attachments to ensure compliance with the principle of least privilege.
  • Implement automated monitoring using AWS Config or similar tools to detect when a "*:*" policy is created or attached.

Code and CLI Commands (Summary)

List policies:

aws iam list-policies --scope Local

List entities for a policy:

aws iam list-entities-for-policy --policy-arn <PolicyArn>

Detach a policy:

aws iam detach-user-policy --user-name <UserName> --policy-arn <PolicyArn>
aws iam detach-group-policy --group-name <GroupName> --policy-arn <PolicyArn>
aws iam detach-role-policy --role-name <RoleName> --policy-arn <PolicyArn>

Delete policy:

aws iam delete-policy --policy-arn <PolicyArn>

