
Ensure IAM Policies with Full Administrative Privileges Are Not Attached Rule

This rule ensures that IAM policies granting full administrative privileges are not attached, enhancing security measures.

Rule: Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Framework: cis_v150
Severity: High

Ensure IAM Policies Do Not Grant Full Administrative Privileges

Overview

AWS Identity and Access Management (IAM) policies define permissions for actions and resources in AWS services. Best security practices dictate that IAM policies should follow the principle of least privilege, granting only the permissions required to perform a task.

Rule Details

IAM policies that allow full administrative privileges ("*:*") enable every action on every resource within an AWS account, potentially leading to security risks if misused. CIS AWS Foundations Benchmark v1.5.0 recommends avoiding the attachment of such policies to IAM users, roles, or groups.

Troubleshooting Steps

If an IAM policy with full administrative privileges is detected, follow these steps for remediation:

  1. Identify Users/Roles/Groups With Admin Policies: Use the AWS Management Console or AWS CLI to list all IAM policies attached to IAM entities that grant full administrative privileges.

  2. Review Policy Usage: Investigate why full administrative privileges are necessary. Check IAM access advisor for these entities to understand their service usage patterns.

  3. Revise Policies: Modify policies to restrict permissions to the necessary level for the entity's function.

  4. Monitor and Audit: Continuously monitor IAM policies and access patterns using AWS CloudTrail and AWS Config to ensure compliance and detect policy violations.

Necessary Commands

To assist in identifying and updating IAM policies, use the following AWS CLI commands:

List Policies Granting Full Administrative Access

aws iam get-account-authorization-details --filter LocalManagedPolicy --query 'Policies[?PolicyVersionList[?IsDefaultVersion && Document.Statement[?Effect==`Allow` && Action==`*` && Resource==`*`]]].{PolicyName: PolicyName, PolicyArn: Arn}'

Note: list-policies does not return policy documents; get-account-authorization-details does (as PolicyVersionList with each version's Document already decoded), so the full-admin test is applied to the default version of each customer managed policy.
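The JMESPath filter above only matches when Statement is an array and Action is the bare string "*", but IAM also accepts a single statement object and lists of actions and resources. The following Python, added here as an example and not part of the Cloud Defense rule or the AWS CLI, applies the same full-admin test to the decoded output of get-account-authorization-details while handling those shapes; the sample data (placeholder account id and policy names) and the treatment of "*:*" as equivalent to "*" are assumptions.

```python
# Constructed sample in the shape `aws iam get-account-authorization-details
# --filter LocalManagedPolicy` prints (Document already URL-decoded by the CLI);
# placeholder account id and policy names, not real data.
SAMPLE_AUTH_DETAILS = {"Policies": [
    {"PolicyName": "legacy-admin",
     "Arn": "arn:aws:iam::123456789012:policy/legacy-admin",
     "PolicyVersionList": [
         # Default version: Statement is a single object and Action a list,
         # a shape the JMESPath filter Statement[?...] silently skips.
         {"VersionId": "v2", "IsDefaultVersion": True, "Document": {
             "Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": ["*"], "Resource": "*"}}},
         # Older, narrower version: not default, must not count.
         {"VersionId": "v1", "IsDefaultVersion": False, "Document": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                            "Resource": "*"}]}}]},
    {"PolicyName": "s3-readonly",
     "Arn": "arn:aws:iam::123456789012:policy/s3-readonly",
     "PolicyVersionList": [
         {"VersionId": "v1", "IsDefaultVersion": True, "Document": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                            "Resource": "*"}]}}]}]}

FULL_ADMIN_ACTIONS = {"*", "*:*"}  # spellings treated as "all actions" (assumption)

def _as_list(value):
    """IAM accepts a string or a list (or nothing) in Statement, Action, Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]

def statement_grants_full_admin(stmt):
    """True if a single statement allows every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.strip().lower() for a in _as_list(stmt.get("Action"))}
    return bool(actions & FULL_ADMIN_ACTIONS) and "*" in _as_list(stmt.get("Resource"))

def policy_grants_full_admin(document):
    """True if any statement of a decoded policy document is a full-admin grant."""
    return any(statement_grants_full_admin(s) for s in _as_list(document.get("Statement")))

def find_full_admin_policies(details):
    """ARNs of policies whose default version grants full administrative access."""
    return [p["Arn"] for p in details.get("Policies", [])
            for v in p.get("PolicyVersionList", [])
            if v.get("IsDefaultVersion") and policy_grants_full_admin(v["Document"])]
```

Feeding the real command's JSON output (parsed with json.load) to find_full_admin_policies gives the list of policy ARNs to review with the list-entities command below.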

List Entities Attached to a Concerning Policy

aws iam list-entities-for-policy --policy-arn ARN_OF_POLICY --query '{Groups: PolicyGroups[].GroupName, Users: PolicyUsers[].UserName, Roles: PolicyRoles[].RoleName}'

Note: Replace ARN_OF_POLICY with the actual ARN of the policy in question. The query is a single multi-select hash; chaining the three projections with | would pipe one result into the next and return nothing.

Update or Remove Full Access Policies

  • Detach the policy from each user, group, or role it is attached to:
    aws iam detach-user-policy --user-name USER_NAME --policy-arn ARN_OF_POLICY
    aws iam detach-group-policy --group-name GROUP_NAME --policy-arn ARN_OF_POLICY
    aws iam detach-role-policy --role-name ROLE_NAME --policy-arn ARN_OF_POLICY

    Note: Replace USER_NAME, GROUP_NAME, ROLE_NAME, and ARN_OF_POLICY with the appropriate values.

  • Delete the policy (only if it is a customer managed policy that is no longer required; AWS managed policies cannot be deleted, and delete-policy fails until the policy is detached from every entity and its non-default versions are removed):
    aws iam delete-policy --policy-arn ARN_OF_POLICY

Step by Step Guide for Remediation

  1. Identify the full access policies using the list policies AWS CLI command provided above.

  2. Review attached entities using the list entities AWS CLI command to determine where the policy is applied.

  3. Communicate with the users or team responsible for the entities to understand whether full access is required for their operational needs.

  4. Restrict access by creating new limited policies that align with the principle of least privilege.

  5. Detach the overly permissive policy using the AWS CLI detach commands above, then attach the new, restrictive policy with the corresponding attach-user-policy, attach-group-policy, or attach-role-policy command.

  6. Delete the overly permissive policy if it is a custom policy not used elsewhere.

  7. Ensure logging and monitoring are in place by setting up AWS CloudTrail and AWS Config.

  8. Regularly review and audit IAM permissions with scheduled checks and compliance monitoring tools.

Following these detailed steps and commands will help ensure that IAM policies in your AWS environment do not grant full administrative privileges unless absolutely necessary, thereby enhancing your security posture and meeting compliance with the CIS AWS Foundations Benchmark v1.5.0.
