Ensure IAM policies that allow full '*:*' administrative privileges are not attached

It is recommended and considered a standard security advice to grant least privileges that is, granting only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges.

Risk Level: High
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.27
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamPolicy where (arn!='arn:aws:iam::aws:policy/AdministratorAccess' and arn!='arn:aws-us-gov:iam::aws:policy/AdministratorAccess' and arn!='arn:aws-cn:iam::aws:policy/AdministratorAccess') and document.Statement contain-any [Effect = 'Allow' and (Resource ='*' or Resource contain[$='*'] ) and (Action ='*' or Action contain[$='*']) ] should have users isEmpty() and roles isEmpty() and groups isEmpty()

REMEDIATION

From Portal
Using the GUI, perform the following to detach the policy that has full administrative privileges:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  3. Select the policy that needs to be deleted.
  4. In the policy action menu, select first Detach
  5. Select all Users, Groups, Roles that have this policy attached
  6. Click Detach Policy
  7. In the policy action menu, select Detach

From TF

resource "aws_iam_role_policy" "test" {
	name = "test-policy"
	description = "A-test-policy"
	
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
		{
			"Effect": "Allow",
			-     "Action": ["*"],
			+     "Action": ["some:action"],
			"Resource": "*"
		}
		]
	}
	EOF
}

From Command Line
To detach AWS IAM users, roles, and groups from policy, run below commands respectively:

aws iam detach-user-policy --user-name USERNAME --policy-arn POLICY_ARN

aws iam detach-role-policy --role-name ROLE_NAME --policy-arn POLICY_ARN

aws iam detach-group-policy --group-name GROUP_NAME --policy-arn POLICY_ARN

References

  1. https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
  2. https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-no-statements-with-admin-access.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  4. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
  5. https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam
  6. https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS Dashboard System Ruleset
  • AWS GDPR Readiness
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset