Ensure that IAM Role doesn't have excessive permissions (Allowing all actions)
To reduce the risk of misuse or abuse due to an overly privileged IAM Role, minimize the actions your IAM Role is allowed to perform according to the principle of least privilege.
Risk Level: High
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.62
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
IamRole should not have combinedPolicies contain [ relationType != 'AssumeRole' and policyDocument.Statement contain [ Effect='Allow' and Action contain ['*'] ] ]
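As an added illustration, not part of the CloudGuard rule or its engine: the GSL expression above written out as a plain Python check over a constructed role record (the field names relationType and policyDocument follow the expression; the role layout, policy names and policy contents are assumed).

```python
# Constructed sample role in the shape the GSL expression walks: a list of
# combinedPolicies, each with a relationType and a policyDocument. Names and
# policy contents are made up for this example (assumed layout, not CloudGuard's).
ROLE = {
    "name": "example-role",
    "combinedPolicies": [
        {   # trust policy; the rule skips it via relationType != 'AssumeRole'
            "relationType": "AssumeRole",
            "policyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                              "Principal": {"Service": "ec2.amazonaws.com"}}]},
        },
        {   # inline policy allowing every action: this is what the rule flags
            "relationType": "Inline",
            "policyName": "too-broad",
            "policyDocument": {"Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": "*"}]},
        },
        {   # least-privilege replacement; Statement as a single object, which IAM permits
            "relationType": "Attached",
            "policyName": "read-one-bucket",
            "policyDocument": {"Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                                             "Resource": "arn:aws:s3:::example-bucket/*"}},
        },
    ],
}

def _as_list(value):
    """IAM policy JSON lets Statement and Action be a single value or a list."""
    return value if isinstance(value, list) else [value]

def wildcard_policies(role):
    """Names of the role's non-trust policies with an Allow statement whose Action is '*'.

    Mirrors the GSL: relationType != 'AssumeRole', Effect='Allow', Action contain ['*'].
    Only the bare '*' is matched; a service-wide 'iam:*' is not a finding for this rule.
    """
    findings = []
    for pol in role.get("combinedPolicies", []):
        if pol.get("relationType") == "AssumeRole":
            continue
        for stmt in _as_list(pol.get("policyDocument", {}).get("Statement", [])):
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", [])):
                findings.append(pol.get("policyName", "<unnamed>"))
                break
    return findings

def role_is_compliant(role):
    """True when 'IamRole should not have combinedPolicies contain [...]' holds."""
    return not wildcard_policies(role)

print(wildcard_policies(ROLE))  # ['too-broad']
```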
REMEDIATION
From Portal
- Sign in to the AWS Management Console and open the AWS IAM console at https://console.aws.amazon.com/iamv2/
- From the left pane, under 'Access management' select 'Roles'
- Identify and select the relevant IAM Role
- Edit its 'Permissions policies' according to the principle of least privilege
From TF
To edit an IAM Role inline policy, update the policy document referenced by the 'policy' argument:
resource "aws_iam_role_policy" "iam_role_policy_example" {
  ..
  policy = POLICY-DOCUMENT
  ..
}
To edit an IAM Role attached policy, update the policy document of the policy referenced by the 'policy_arn' argument:
resource "aws_iam_role_policy_attachment" "iam_role_policy_attachment_example" {
  ..
  role = ROLE-NAME
  policy_arn = POLICY-ARN
  ..
}
To edit an IAM policy document, update the 'actions' argument within the 'statement' block:
data "aws_iam_policy_document" "iam_policy_document_example" {
  statement {
    ..
    actions = [ ACTIONS-LIST ]
    ..
  }
}
From Command Line
Use the following command to create or update an IAM Role inline policy:
aws iam put-role-policy --role-name ROLE_NAME --policy-name NAME_OF_POLICY --policy-document POLICY_DOCUMENT_JSON
Use the following command to publish a new default version of a managed policy (a managed policy holds at most five versions, so delete an old version first if that limit has been reached):
aws iam create-policy-version --policy-arn POLICY_ARN --policy-document POLICY_DOCUMENT_JSON --set-as-default
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-role-policy.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy-version.html
IAM Role
An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago