Ensure IAM policies that allow full '*:*' administrative privileges are not attached
It is recommended and considered a standard security advice to grant least privileges that is, granting only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges.
Risk Level: High
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.27
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
IamPolicy where (arn!='arn:aws:iam::aws:policy/AdministratorAccess' and arn!='arn:aws-us-gov:iam::aws:policy/AdministratorAccess' and arn!='arn:aws-cn:iam::aws:policy/AdministratorAccess') and document.Statement contain-any [Effect = 'Allow' and (Resource ='*' or Resource contain[$='*'] ) and (Action ='*' or Action contain[$='*']) ] should have users isEmpty() and roles isEmpty() and groups isEmpty()
REMEDIATION
From Portal
Using the GUI, perform the following to detach the policy that has full administrative privileges:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click Policies and then search for the policy name found in the audit step.
- Select the policy that needs to be deleted.
- In the policy action menu, select first Detach
- Select all Users, Groups, Roles that have this policy attached
- Click Detach Policy
- In the policy action menu, select Detach
From TF
resource "aws_iam_role_policy" "test" {
name = "test-policy"
description = "A-test-policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
- "Action": ["*"],
+ "Action": ["some:action"],
"Resource": "*"
}
]
}
EOF
}
From Command Line
To detach AWS IAM users, roles, and groups from policy, run below commands respectively:
aws iam detach-user-policy --user-name USERNAME --policy-arn POLICY_ARN
aws iam detach-role-policy --role-name ROLE_NAME --policy-arn POLICY_ARN
aws iam detach-group-policy --group-name GROUP_NAME --policy-arn POLICY_ARN
References
- https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
- https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-no-statements-with-admin-access.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
- https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam
- https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
IAM Policy
You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.
Compliance Frameworks
- AWS CIS Foundations v. 1.1.0
- AWS CIS Foundations v. 1.2.0
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CIS Foundations v. 2.0.0
- AWS CSA CCM v.3.0.1
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS Dashboard System Ruleset
- AWS GDPR Readiness
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated about 1 year ago