Ensure policy attached to IAM identities requires SSL/TLS to manage IAM access keys
Requiring the 'aws:SecureTransport' condition in policies that grant IAM access key permissions adds a security layer for these API calls: they are allowed only when sent over SSL/TLS.
Risk Level: Low
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.67
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
IamPolicy where document.Statement contain [Effect='Allow' and Action regexMatch /AccessKey/ ] and not ( roles isEmpty() and users isEmpty() and groups isEmpty()) should have document.Statement with [Effect='Allow' and Action regexMatch /AccessKey/ ] contain-all [Condition.Bool.aws:SecureTransport = 'true']
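The statement-level part of this check can be reproduced locally against a policy document, for instance the JSON returned by get-policy-version. The Python below is an added example, not CloudGuard's implementation; the function names and the sample policy are constructed for illustration, and it looks only at the document, not at whether the policy is attached to users, groups or roles.

```python
import json
import re

# Same pattern as the rule's regexMatch. Wildcard actions such as "iam:*"
# also grant access key operations but do not match it.
ACCESS_KEY_RE = re.compile(r"AccessKey")

def _as_list(value):
    """Statement, Action and condition values may be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _requires_tls(stmt):
    """True when the statement has Condition.Bool aws:SecureTransport = true."""
    bool_block = (stmt.get("Condition") or {}).get("Bool") or {}
    for key, value in bool_block.items():
        if key.lower() == "aws:securetransport":  # key names are case-insensitive
            return [str(v).lower() for v in _as_list(value)] == ["true"]
    return False

def noncompliant_statements(policy_document):
    """Indexes of Allow statements with *AccessKey* actions and no TLS condition."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
        if any(ACCESS_KEY_RE.search(a) for a in actions) and not _requires_tls(stmt):
            findings.append(index)
    return findings

# Constructed sample policy (not from the page).
TLS = {"Bool": {"aws:SecureTransport": "true"}}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey"],
     "Resource": "*", "Condition": TLS},                                    # compliant
    {"Effect": "Allow", "Action": "iam:DeleteAccessKey", "Resource": "*"},  # flagged
    {"Effect": "Allow", "Action": "iam:ListAccessKeys", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},              # flagged
    {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},   # not Allow
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},         # no match
]}

if __name__ == "__main__":
    print(noncompliant_statements(SAMPLE_POLICY))
```

A policy passes when the returned list is empty; each index points at a statement that still needs the Bool condition.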
REMEDIATION
Note: This rule does not cover inline policies. It is recommended to use managed policies instead.
From Portal
- Go to 'IAM' and choose 'Policies' under 'Access management' in the menu
- Identify policies with the missing 'aws:SecureTransport' condition
- Update the relevant policies with the missing Bool condition
- Alternatively, detach all IAM entities from the policies
The required SSL/TLS Bool condition (JSON)
"Condition": {
    "Bool": {
        "aws:SecureTransport": "true"
    }
}
From TF
To update an IAM policy, update the policy document JSON in the following entity:
resource "aws_iam_policy" "policy_example" {
  ..
  policy = jsonencode({POLICY-DOCUMENT-JSON})
  ..
}
Alternatively, update the related policy document entity:
data "aws_iam_policy_document" "policy_document_example" {
  ...
}
From Command Line
To list all IAM policies, run:
aws iam list-policies
To get an IAM policy document, run:
aws iam get-policy-version --policy-arn POLICY-ARN --version-id DEFAULT-VERSION-ID
To create a new version of the specified managed policy, run:
aws iam create-policy-version --policy-arn POLICY-ARN --policy-document POLICY-DOCUMENT-JSON --set-as-default
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-policies.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-policy-version.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy-version.html
IAM Policy
You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS GDPR Readiness
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS LGPD regulation
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated about 1 year ago