Ensure policy attached to IAM identities requires SSL/TLS to manage IAM access keys

Requiring AWS Secure Transport for policies with IAM access keys permissions will add a security layer for these API calls.

Risk Level: Low
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.67
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamPolicy where document.Statement contain [Effect='Allow' and Action regexMatch /AccessKey/ ] and not ( roles isEmpty() and users isEmpty() and groups isEmpty()) should have document.Statement with [Effect='Allow' and Action regexMatch /AccessKey/ ] contain-all [Condition.Bool.aws:SecureTransport = 'true']

REMEDIATION

Note: Please notice this rule doesn't cover inline policies. It is recommended to use managed policies instead.

From Portal

  1. Go to 'IAM' and choose 'Policies' under 'Access management' in the menu
  2. Identify policies with the missing 'aws:SecureTransport' condition
  3. Update the relevant policies with the missing Bool condition
  4. Alternatively, detach all IAM entities from the policies

The required SSL/TLS Bool condition (JSON)

"Condition": {
	"Bool": {
		"aws:SecureTransport": "true"
	}
}

From TF
To update an IAM policy, update the policy document JSON in the following entity:

resource "aws_iam_policy" "policy_example" {
	..
policy = jsonencode({POLICY-DOCUMENT-JSON})
	..
}

Alternatively, update the related policy document entity:

data "aws_iam_policy_document" "policy_document_example" {
	...
}

From Command Line
To list all IAM policies, run:

aws iam list-policies

To get an IAM policy document, run:

aws iam get-policy-version --policy-arn POLICY-ARN --version-id DEFAULT-VERSION-ID

To create a new version of the specified managed policy, run:

aws iam create-policy-version --policy-arn POLICY-ARN --policy-document POLICY-DOCUMENT-JSON --set-as-default

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-policies.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-policy-version.html
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy-version.html

IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS LGPD regulation
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset