Guides

Ensure IAM user, group, or role should have MFA permissions restricted

IAM users,groups and roles must explicitly be given permissions to deactivate and reset multi-factor authentication (MFA) for other IAM resources. You can do this by attaching an identity-based policy to the resources.

Suggest Edits

Risk Level: Low
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.86
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamPolicy where attachmentCount >0 should not have document.Statement contain [ Effect='Allow' and (Action='iam:DeactivateMFADevice' or Action='iam:EnableMFADevice' or Action='iam:ResyncMFADevicem' or Action='iam:DeleteVirtualMFADevice' or Action='iam:CreateVirtualMFADevice' or Action='iam:ListMFADevices' or Action='iam:ListVirtualMFADevices') ]

REMEDIATION

Note: AWS managed policies cannot be deleted.

From Portal

  1. Go to 'IAM'
  2. In the menu, under 'Access management', choose 'Policies'
  3. For each incompliant policy, make sure there are no IAM entities attached to it:
  4. Choose the incompliant policy
  5. Under 'Policy usage', detach any IAM entity attached to it

From Command Line
To remove the specified managed policy from a specified user, run:

aws iam detach-user-policy --user-name USER-NAME --policy-arn POLICY-ARN

To remove the specified managed policy from a specified IAM group, run:

aws iam detach-group-policy --group-name GROUP-NAME --policy-arn POLICY-ARN

To remove the specified managed policy from a specified role., run:

aws iam detach-role-policy --role-name ROLE-NAME --policy-arn POLICY-ARN

References

  1. https://docs.aws.amazon.com/service-authorization/latest/reference/list_identityandaccessmanagement.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html

IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset

Updated about 1 year ago