Risk Level: High
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.62
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamRole should not have combinedPolicies contain [ relationType != 'AssumeRole' and policyDocument.Statement contain [ Effect='Allow' and Action contain ['*'] ] ]

REMEDIATION

From Portal

Sign in to the AWS Management Console and open the AWS IAM console at https://console.aws.amazon.com/iamv2/
From the left pane, under 'Access management' select 'Roles'
Identify and select the relevant IAM Role
Edit its 'Permissions policies' according to the principle of least privilege

From TF
To edit an IAM Role inline policy, update the policy document referred in the 'policy' argument:

resource "aws_iam_role_policy" "iam_role_policy_example" {
	..
	policy = POLICY-DOCUMENT
	..
}

To edit an IAM Role attached policy, update the policy document correlated to the policy within 'policy_arn' argument:

resource "aws_iam_role_policy_attachment" "iam_role_policy_attachment_example" {
	..
	role       = ROLE-NAME
	policy_arn = POLICY-ARN
	..
}

To edit an IAM policy document, update the 'actions' arguments within the 'statement' block:

data "aws_iam_policy_document" "iam_policy_document_example" {
	statement {
		..
		actions = [ ACTIONS-LIST ]
		..
	}
}

From Command Line
Use the following command to update an IAM Role inline policy.

aws iam put-role-policy --role-name ROLE_NAME --POLICY-NAME NAME_OF_POLICY --policy-document POLICY_DOCUMENT_JSON

Use the following command to update a managed policy.

aws iam create-policy-version --policy-arn POLICY_ARN --policy-document POLICY_DOCUMENT_JSON --set-as-default

References

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-role-policy.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy-version.html

IAM Role

An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Compliance Frameworks

AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
AWS Security Risk Management
CloudGuard AWS All Rules Ruleset