IAM Policy Rule: No Admin Access Statements

This rule ensures IAM policy does not have statements with admin access.

Rule: IAM policy should not have statements with admin access
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

The IAM policy should not include any statements that grant admin access privileges in accordance with the NIST 800-171 Revision 2 security guidelines. Admin access should be restricted to authorized personnel only to mitigate the risk of unauthorized access and potential security breaches.

Rule Impact:

Granting admin access to users in the IAM policy increases the risk of unauthorized actions being performed on the system, which can result in data breaches, data loss, and other potential security incidents. Adhering to the NIST 800-171 Revision 2 guidelines helps ensure that only trusted individuals have administrative privileges, thereby reducing the overall security risk.

Troubleshooting Steps:

  1. Identify the IAM policies or policy statements that have admin access:

     • Review the existing IAM policies in the AWS Management Console or using AWS CLI commands.
     • Look for statements that grant "admin" or "AdministratorAccess" permissions, i.e. an Allow statement whose Action and Resource are both "*".

  2. Assess the necessity of the admin access:

     • Determine if any user or group legitimately requires administrator privileges.
     • Verify if alternative access levels, such as read-only or limited access, can adequately meet the user's needs.

  3. Modify the policy statements to remove admin access:

     • Edit the relevant IAM policies to remove the offending statements.
     • Replace the admin access permissions with more restricted permissions as per the specific user's requirements.
     • Ensure that the updated policy provides least-privilege access, granting only the permissions needed for each function.

  4. Test the modified policy:

     • Associate the modified IAM policy with the relevant user or group.
     • Verify that the newly assigned permissions are sufficient for the user's tasks.
     • Test the system thoroughly to ensure that there are no unintended side effects or access restrictions.

  5. Regularly review and audit IAM policies:

     • Periodically review IAM policies to ensure they align with the security requirements defined by NIST 800-171 Revision 2.
     • Remove any outdated or unnecessary statements.
     • Regularly audit and validate user access levels to ensure compliance with the policy.

Code Example:

N/A

Remediation Steps:

  1. Identify the IAM policies that need modification:

     Run the following AWS CLI pipeline. It lists every customer-managed policy with its default version ID and prints that version's document; list-policies alone does not return policy documents, so they cannot be filtered with grep directly.

     aws iam list-policies --scope Local --query 'Policies[].[Arn,DefaultVersionId]' --output text |
       while read -r arn ver; do echo "== $arn"; aws iam get-policy-version --policy-arn "$arn" --version-id "$ver" --query 'PolicyVersion.Document' --output json; done

     Review the output to identify the policies that contain admin access statements.

  2. Modify the policies:

     a. Retrieve the policy document for the identified policy and save it to a file:

     aws iam get-policy-version --policy-arn <policy_arn> --version-id <version_id> --output json --query 'PolicyVersion.Document' > <path_to_modified_document>

     b. Edit the policy document using a text editor such as Vim, Nano, or your preferred editor.

     c. Remove the statements that grant admin access.

     d. Save the modified policy document.

  3. Update the policy with the modified document:

     Run the following AWS CLI command:

     aws iam create-policy-version --policy-arn <policy_arn> --policy-document file://<path_to_modified_document> --set-as-default

     Replace <policy_arn> with the ARN of the modified policy and <path_to_modified_document> with the location of the modified policy document on your local system; the file:// prefix tells the CLI to read the document from that file rather than treating the path itself as the policy text. A managed policy can have at most five versions, so if this command fails with a LimitExceeded error, delete an unused older version with aws iam delete-policy-version before retrying.

  4. Test the modified policy:

     Associate the modified IAM policy with the relevant user or group. Verify that the changes align with their required level of access.

  5. Regularly review and audit IAM policies:

     Repeat the auditing process periodically to ensure ongoing compliance with NIST 800-171 Revision 2 guidelines.
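Both the troubleshooting step that looks for admin statements and remediation step 2c (removing them from the document) come down to inspecting each statement of a policy document. The following Python script is an added example, not Cloud Defense's or AWS's code: it takes the parsed JSON that get-policy-version returns, flags statements equivalent to AdministratorAccess (Effect Allow, Action "*", Resource "*", including the NotAction form that allows everything except the listed actions), and returns a copy of the document with those statements removed. The sample policy, the file-path argument and the function names are constructed for the example; the script makes no AWS calls, so it runs against the file saved in step 2a or against the built-in sample.

```python
"""Added example (not Cloud Defense's or AWS's code): find and strip
AdministratorAccess-equivalent statements from an IAM policy document.
Input is the parsed JSON that `aws iam get-policy-version` returns; the
script makes no AWS calls, so it runs against a saved file or the
constructed sample below.
"""
import json
import sys
from typing import Any, List, Tuple


def _as_list(value: Any) -> list:
    """IAM lets Statement, Action, Resource etc. be one string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_statement(stmt: dict) -> bool:
    """True when the statement grants admin access: Effect Allow, every
    resource ("*"), and either every action ("*") or a NotAction form,
    which allows everything except the listed actions and is admin in all
    but name.  A Condition does not change the verdict: MFA-gated admin is
    still admin access and still fails the rule."""
    if str(stmt.get("Effect", "")).lower() != "allow":
        return False
    if "*" not in _as_list(stmt.get("Resource")):
        return False
    if "NotAction" in stmt:
        return True
    return any(str(a) == "*" for a in _as_list(stmt.get("Action")))


def find_admin_statements(doc: dict) -> List[Tuple[int, Any]]:
    """(index, Sid) of every admin statement, in document order."""
    return [(i, s.get("Sid"))
            for i, s in enumerate(_as_list(doc.get("Statement")))
            if is_admin_statement(s)]


def remove_admin_statements(doc: dict) -> dict:
    """Copy of the document without its admin statements (remediation step 2c).
    Refuses to return an empty policy: IAM rejects a document with no
    statements, and the step's intent is to replace admin access with
    scoped permissions, which the operator must write in by hand."""
    kept = [s for s in _as_list(doc.get("Statement")) if not is_admin_statement(s)]
    if not kept:
        raise ValueError("every statement grants admin access; add least-privilege "
                         "statements instead of saving an empty policy")
    cleaned = dict(doc)
    cleaned["Statement"] = kept
    return cleaned


# Constructed sample document: one AdministratorAccess-style statement, one
# scoped S3 statement that must survive, and a Deny that must not be flagged.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    # Usage: python check_policy.py [<path_to_modified_document>]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    hits = find_admin_statements(policy)
    print("admin statements (index, Sid):", hits)
    if hits:
        print(json.dumps(remove_admin_statements(policy), indent=2))
```

Run it against the file from step 2a to see exactly which statements to delete before opening the editor. The removal function deliberately refuses to produce a policy with no statements: IAM would reject that document, and the point of the step is to substitute scoped permissions for admin access, not to strip all access from the principal.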
