
IAM Policy Should Not Have Statements with Admin Access Rule

This rule ensures IAM policies do not contain statements with admin access to enhance security measures.

Rule: IAM policy should not have statements with admin access
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

IAM policies within the organization should not have any statements that grant admin access, in accordance with the guidelines provided by NIST 800-53 Revision 5. This rule is implemented to ensure proper access control and minimize the risk of unauthorized or excessive privileges being granted to users or roles. Admin access should only be assigned to individuals or roles with a legitimate need for such high-level permissions.

Troubleshooting Steps:

If any IAM policy is found with statements granting admin access, the following troubleshooting steps should be undertaken:

  1. Identify the policy: Determine which IAM policy contains the statement(s) with admin access.

  2. Review policy permissions: Carefully examine the permissions granted by the policy and identify the statement(s) that provide admin access.

  3. Validate the necessity: Check if the admin access is essential for the identified users or roles. Evaluate whether the level of access can be reduced without impacting user requirements.

  4. Modify the policy: If admin access is not required or can be reduced, update the policy to remove or limit the admin statements. Make sure the modified policy still fulfills the legitimate needs of the users or roles.

  5. Test the modified policy: Verify the updated policy to ensure that it does not grant admin access. Test with appropriate scenarios to validate that the required functionality is maintained without any excessive permissions.

  6. Communicate changes: Notify the affected users or roles about the modification made to their policy, explaining the reasons for the change. Provide any necessary guidance or assistance for them to adapt to the updated policy.

Remediation Steps:

To remediate an IAM policy that grants admin access, follow these step-by-step instructions:

  1. Identify the Policy:
    • Open the AWS Management Console.
    • Navigate to the IAM service.

  2. Review Policies:
    • Click on "Policies" in the left-hand menu.
    • Search or browse for the policy that needs to be modified.

  3. Edit the Policy:
    • Select the policy by clicking on its name.
    • Click on the "Edit policy" button.

  4. Remove Admin Access Statements:
    • Locate the statement(s) granting admin access.
    • Carefully review and understand the implications of removing or modifying these statements.
    • Delete or modify the statement(s) accordingly.

  5. Validate and Save Changes:
    • Click on the "Validate policy" button to ensure the modified policy is valid.
    • Resolve any validation errors, if applicable.
    • Once successfully validated, click on the "Save changes" button.

  6. Test the Modified Policy:
    • Verify that the policy has been updated as intended.
    • Test the functionality and access rights of the affected users or roles to ensure they can still perform their required tasks without admin access.

  7. Communicate Changes:
    • Notify the affected users or roles about the policy modification.
    • Clearly communicate the reason for the change and provide any necessary guidance or assistance.
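The troubleshooting steps above (identify the policy, find the admin statements, verify the modified policy) and the remediation steps (remove the admin statements, validate the result) can be applied to a policy document offline before anything is saved in the console. The following is an added example, not Cloud Defense's implementation or an AWS tool: it assumes the common definition of "admin access" used by AWS checks, a statement with `"Effect": "Allow"` whose `Action` includes `"*"` or `"*:*"` and whose `Resource` includes `"*"`. The sample policy document is constructed for the example; the function names are the example's own.

```python
"""Find and remove admin-access statements in an IAM policy document.

Added example (not the page's or AWS's own code). A statement is treated
as granting admin access when it allows every action on every resource,
i.e. Effect Allow, Action "*" or "*:*", and Resource "*". Statements
written with NotAction/NotResource are deliberately not flagged here,
because their effective scope depends on what is excluded.
"""
import json
from copy import deepcopy

ADMIN_ACTIONS = {"*", "*:*"}


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_statement(stmt):
    """True when the statement allows all actions on all resources."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    resources = set(_as_list(stmt.get("Resource")))
    return bool(actions & ADMIN_ACTIONS) and "*" in resources


def find_admin_statements(policy_doc):
    """Troubleshooting step 2: return (index, Sid) for each admin statement."""
    stmts = _as_list(policy_doc.get("Statement"))
    return [(i, s.get("Sid")) for i, s in enumerate(stmts) if is_admin_statement(s)]


def remove_admin_statements(policy_doc):
    """Remediation step 4: return a copy of the document without admin statements."""
    doc = deepcopy(policy_doc)
    doc["Statement"] = [s for s in _as_list(doc.get("Statement")) if not is_admin_statement(s)]
    return doc


# Constructed sample policy: one scoped read-only statement, one admin
# statement, and one explicit Deny that must not be reported as admin access.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "FullAdmin",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
        },
        {
            "Sid": "DenyEverythingOutsideRegion",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}},
        },
    ],
}


if __name__ == "__main__":
    print("admin statements found:", find_admin_statements(SAMPLE_POLICY))
    fixed = remove_admin_statements(SAMPLE_POLICY)
    # Re-running the check on the modified document is troubleshooting step 5.
    print("admin statements after remediation:", find_admin_statements(fixed))
    print(json.dumps(fixed, indent=2))
```

The remediated document keeps the scoped statement and the Deny statement; only the full-wildcard Allow is dropped. Run the check again on the output (as the page's step 5 asks) before pasting it into the console's policy editor, and still use the console's "Validate policy" step, since this example checks only for admin access, not for syntax errors in the rest of the document.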

Additional Notes:

It is recommended to regularly review IAM policies and their permissions, ensuring that they adhere to the policy defined in the rule. Periodic audits and assessments can help identify any potential policy violations and take remedial actions promptly.
