Ensure IAM groups do not have administrator privileges

Risk Level: Low
Cloud Entity: IAM Group
CloudGuard Rule ID: D9.AWS.IAM.87
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamGroup should not have managedPolicies with [ name like 'AdministratorAccess' ]

REMEDIATION

From Portal

  1. Go to 'IAM'
  2. In the menu, under 'Access management', choose 'User groups'
  3. For each non-compliant group, click on the group name
  4. Under 'Permissions', select the policy 'AdministratorAccess'
  5. Click 'Remove'

From Command Line
To detach a managed policy from an IAM group, run the following (for the AWS managed policy, POLICY-ARN is arn:aws:iam::aws:policy/AdministratorAccess; detaching it affects every member of the group at once):

aws iam detach-group-policy --group-name GROUP-NAME --policy-arn POLICY-ARN
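The following script, added here as an example and not part of CloudGuard's or AWS's own tooling, applies the same check as the GSL logic above (an attached managed policy named AdministratorAccess) and then goes one step further than the rule: it also inspects each attached policy document for an Allow statement over all actions and all resources, so a customer-managed policy that is admin in all but name is reported too. The group data and policy documents are constructed inline so the script runs offline; `load_groups_from_boto3()` shows how the same structure is built from live IAM data. The group names, the customer-managed policy ARN and the account ID in the sample are made up.

```python
"""Audit IAM groups for the AdministratorAccess managed policy (added example).

Works on dicts shaped like the responses of `aws iam list-attached-group-policies`
and `aws iam get-policy-version`; the sample at the bottom is constructed.
"""

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM accepts a single string where a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_equivalent(policy_document):
    """True if any Allow statement grants every action on every resource.

    Conservative heuristic: only the literal "*" counts, and Condition blocks
    are ignored, so it under-reports rather than over-reports.
    """
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def audit_groups(groups):
    """groups: {group_name: {"attached": [{"PolicyName", "PolicyArn"}, ...],
                             "documents": {policy_arn: policy_document}}}
    Returns (group, policy_arn, reason) per finding. The first reason mirrors
    the CloudGuard rule (match on the policy name); the second is the extra
    document check that the rule itself does not perform.
    """
    findings = []
    for group, data in groups.items():
        for pol in data["attached"]:
            doc = data["documents"].get(pol["PolicyArn"], {})
            if pol["PolicyName"] == "AdministratorAccess":
                findings.append((group, pol["PolicyArn"], "policy name is AdministratorAccess"))
            elif is_admin_equivalent(doc):
                findings.append((group, pol["PolicyArn"], "policy document is admin-equivalent"))
    return findings


def remediation_commands(findings):
    """The CLI remediation from this page, one command per finding."""
    return [f"aws iam detach-group-policy --group-name {g} --policy-arn {arn}"
            for g, arn, _ in findings]


def load_groups_from_boto3(iam):
    """Build the input structure from a boto3 IAM client (needs iam:List* and iam:Get*)."""
    groups = {}
    for page in iam.get_paginator("list_groups").paginate():
        for g in page["Groups"]:
            name = g["GroupName"]
            attached = []
            for p in iam.get_paginator("list_attached_group_policies").paginate(GroupName=name):
                attached.extend(p["AttachedPolicies"])
            documents = {}
            for pol in attached:
                version = iam.get_policy(PolicyArn=pol["PolicyArn"])["Policy"]["DefaultVersionId"]
                documents[pol["PolicyArn"]] = iam.get_policy_version(
                    PolicyArn=pol["PolicyArn"], VersionId=version)["PolicyVersion"]["Document"]
            groups[name] = {"attached": attached, "documents": documents}
    return groups


# Constructed sample (names, account ID and custom policy ARN are made up):
# one group with the AWS managed policy, one clean group, and one with a
# customer-managed policy that is admin in all but name.
OPS_POLICY_ARN = "arn:aws:iam::123456789012:policy/OpsFullAccess"
READONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"
SAMPLE_GROUPS = {
    "Admins": {
        "attached": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}],
        "documents": {ADMIN_POLICY_ARN: {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    },
    "Developers": {
        "attached": [{"PolicyName": "ReadOnlyAccess", "PolicyArn": READONLY_ARN}],
        "documents": {READONLY_ARN: {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}},
    },
    "Ops": {
        "attached": [{"PolicyName": "OpsFullAccess", "PolicyArn": OPS_POLICY_ARN}],
        "documents": {OPS_POLICY_ARN: {"Version": "2012-10-17", "Statement":
            {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
    },
}

if __name__ == "__main__":
    found = audit_groups(SAMPLE_GROUPS)
    for group, arn, reason in found:
        print(f"{group}: {arn} ({reason})")
    print("\n".join(remediation_commands(found)))
```

On the sample, the name-based check flags only the Admins group; the document check additionally flags Ops, which the GSL rule as written would miss. Review the emitted detach commands before running them, since a detach applies to every member of the group.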

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html
  2. https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html

IAM Group

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset