
Rule: IAM Policy Should Not Have Statements with Admin Access

This rule checks that IAM policies do not grant administrator access, enforcing the principle of least privilege.

Rule: IAM policy should not have statements with admin access
Framework: GxP 21 CFR Part 11
Severity: High

Rule Description:

Under the GxP (Good Practices) 21 CFR Part 11 framework, IAM policies should not contain statements that grant administrator access. This regulation governs electronic records and electronic signatures in industries such as pharmaceutical, biotechnology, and medical device companies. Granting admin access in this context poses security and compliance risks, because a single identity can then modify or delete regulated records without restriction.

Troubleshooting Steps:

If an IAM policy contains statements with admin access for GxP 21 CFR Part 11, it can result in violations of compliance requirements and potential security breaches. To troubleshoot and rectify this issue, follow these steps:

  1. Review existing IAM policies:

     • Identify any policies that include statements granting admin access.
     • Pay particular attention to policies applicable to GxP 21 CFR Part 11-regulated systems or resources.

  2. Identify the affected permissions:

     • Determine which specific permissions or actions are granted by the policy statement with admin access.
     • Ensure these permissions do not violate regulatory requirements related to GxP 21 CFR Part 11.

  3. Remove or modify policy statements:

     • Remove the policy statement entirely if admin access is not necessary for GxP 21 CFR Part 11 compliance.
     • If admin access is required, modify the statement to minimize access by granting only the necessary permissions.

  4. Test and validate changes:

     • After removing or modifying the policy statements, thoroughly test the impact of the changes.
     • Verify that users or roles assigned the updated policy can perform their required tasks without any unnecessary admin access.
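The review in step 1 can be automated against a policy document. The following is an added example (not Cloud Defense's own code) that flags statements with Effect "Allow", an Action of "*" or "*:*", and a Resource of "*", which is the admin-access pattern this rule targets; the sample policy and its Sids are constructed for illustration.

```python
import json

# Action values that grant every API call; IAM treats "*" and "*:*" equivalently.
ADMIN_ACTIONS = {"*", "*:*"}


def _as_list(value):
    """IAM allows a single string/object or a list in these fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def admin_statements(policy_document):
    """Return the Sid (or a positional label) of each statement granting full admin access.

    A statement is flagged when Effect is Allow, Action contains "*" or "*:*"
    and Resource contains "*". Deny statements and scoped actions are ignored.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        if actions & ADMIN_ACTIONS and "*" in resources:
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


# Constructed sample policy: one admin statement beside a scoped read and an explicit deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AuditRead", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::gxp-records/*"},
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(admin_statements(SAMPLE_POLICY))  # -> ['FullAdmin']
```

The flagged Sids identify which statements to remove or narrow in the remediation steps that follow.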

Necessary Codes (if applicable):

The following commands show how to change an IAM policy using the AWS Command Line Interface (CLI). They illustrate removing an admin access statement for GxP 21 CFR Part 11:

  1. To remove an entire customer managed policy (it must first be detached from every user, group and role, and any non-default versions deleted):

     aws iam delete-policy --policy-arn <policy-arn>

  2. To modify a policy statement (including dropping a single admin statement while keeping the rest), edit the policy document and publish it as a new default version. You may:
     • Change the "Effect" from "Allow" to "Deny" if admin access should be completely restricted.
     • Modify the "Action" or "Resource" fields to limit the permissions granted.

     aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://policy.json --set-as-default

Note: Replace <policy-arn> with the ARN (Amazon Resource Name) of the IAM policy you want to modify. The policy.json file should contain the updated policy document. The AWS CLI has no update-policy command; managed policies are changed by creating a new version, and since IAM keeps at most five versions per policy, older versions may need to be removed with delete-policy-version first.

Step-by-Step Guide for Remediation:

  1. Identify the IAM policies associated with GxP 21 CFR Part 11-regulated resources.
  2. Review each policy document to determine if any statements grant admin access.
  3. If admin access is found, evaluate whether it is necessary for compliance purposes.
  4. If admin access is not necessary:
     • Take a backup of the existing policy document (optional but recommended).
     • Remove the policy statement entirely using the AWS Management Console or the command-line interface.
  5. If admin access is required:
     • Take a backup of the existing policy document (optional but recommended).
     • Modify the policy statement to minimize excessive access permissions while still meeting compliance requirements.
     • Test the modified policy to ensure it functions as intended.
  6. Monitor and regularly review IAM policies to ensure ongoing compliance with GxP 21 CFR Part 11 regulations.

Note: It is crucial to involve a qualified compliance or security expert during the process to ensure adherence to applicable regulations.
