Ensure that custom IAM Role doesn't have an overly permissive scope (Contains a wildcard)

To reduce the risk of a misuse or abuse due an overly privileged IAM Role, minimize the scope your IAM Role is allowed to perform actions on, according to the principal of least privilege.

Risk Level: High
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.108
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamRole where not path regexMatch /service-role/ should not have combinedPolicies contain [ (id regexMatch /^((?!arn:aws:iam::aws:policy).)*$/ and relationType != 'AssumeRole') and policyDocument.Statement contain [ Effect='Allow' and (Resource contain ['*']) and Action contain [$ regexMatch /^(?!sts|ssm|cloudwatch|ec2messages|ssmmessages|logs|route53).*$/] ] ]

REMEDIATION

Note: The provided rule covers managed IAM Roles only: AWS service-roles and AWS service-role policies are excluded. In addition, this rule ignores any policy document block with one or more actions from the following action groups: sts, ssm, cloudwatch, ec2messages, ssmmessages, logs, route53.

From Portal

  1. Sign in to the AWS Management Console and open the AWS IAM console at https://console.aws.amazon.com/iamv2/
  2. From the left pane, under 'Access management' select 'Roles'
  3. Identify and select the relevant IAM Role
  4. Edit its 'Permissions policies' according to the principal of least privilege

From TF
To edit an IAM Role inline policy, update the policy document referred in the 'policy' argument:

resource "aws_iam_role_policy" "iam_role_policy_example" {
	..
	policy = POLICY-DOCUMENT
	..
}

To edit an IAM Role attached policy, update the policy document correlated to the policy within 'policy_arn' argument:

resource "aws_iam_role_policy_attachment" "iam_role_policy_attachment_example" {
	..
	role       = ROLE-NAME
	policy_arn = POLICY-ARN
	..
}

To edit an IAM policy document, update the 'resource' argument within the 'statement' block:

data "aws_iam_policy_document" "iam_policy_document_example" {
	statement {
		..
		resource = [ RESOURCE-LIST ]
		..
	}
}

From Command Line
To update an IAM Role inline policy, use:

aws iam put-role-policy --role-name ROLE-NAME --POLICY-NAME --policy-document POLICY-DOCUMENT-JSON

To update a managed policy, use:

aws iam create-policy-version --policy-arn POLICY-ARN --policy-document POLICY-DOCUMENT-JSON --set-as-default

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
  5. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-role-policy.html
  7. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy-version.html

IAM Role

An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset