Ensure IAM groups do not have administrator privileges

Granting full administrative privileges, instead of restricting a group to the minimum set of permissions its users need, exposes resources to potentially unwanted actions.

Risk Level: Low
Cloud Entity: IAM Group
CloudGuard Rule ID: D9.AWS.IAM.87
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamGroup should not have managedPolicies with [ name like 'AdministratorAccess' ]

REMEDIATION

From Portal

  1. Go to 'IAM'
  2. In the menu, under 'Access management', choose 'User groups'
  3. For each non-compliant group:
  4. Click on the non-compliant group name
  5. Under 'Permissions', select the policy 'AdministratorAccess'
  6. Click 'Remove'

From Command Line
To detach a managed policy from an IAM group, run the following command, replacing GROUP-NAME with the group name and POLICY-ARN with the ARN of the attached policy:

aws iam detach-group-policy --group-name GROUP-NAME --policy-arn POLICY-ARN
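The following is an added example, not CloudGuard's own code: it applies the GSL logic above to the JSON that `aws iam list-attached-group-policies` returns and emits the detach command from this page for every offending attachment. The inventory is constructed sample data (the account ID 123456789012 is a placeholder), and treating GSL `like` as a case-insensitive match with `%` as a wildcard is an assumption.

```python
import fnmatch

# Constructed sample: the output of
#   aws iam list-attached-group-policies --group-name <name>
# for three hypothetical groups. 123456789012 is a placeholder account ID.
SAMPLE_INVENTORY = {
    "Admins": {"AttachedPolicies": [
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    "Developers": {"AttachedPolicies": [
        {"PolicyName": "PowerUserAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/PowerUserAccess"}]},
    "LegacyOps": {"AttachedPolicies": [
        {"PolicyName": "ReadOnlyAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
        # customer-managed copy with a different case in the name
        {"PolicyName": "administratoraccess",
         "PolicyArn": "arn:aws:iam::123456789012:policy/administratoraccess"}]},
}


def name_like(policy_name: str, pattern: str = "AdministratorAccess") -> bool:
    """Approximation (assumption) of the GSL 'like' operator: case-insensitive,
    with '%' as a wildcard. Without '%' this is a case-insensitive equality, so
    AWS-managed variants such as 'AdministratorAccess-Amplify' are not matched."""
    return fnmatch.fnmatchcase(policy_name.lower(), pattern.lower().replace("%", "*"))


def find_noncompliant_groups(inventory: dict) -> dict:
    """Return {group_name: [policy_arn, ...]} for groups that violate the rule.
    Only attached managed policies are inspected; inline group policies that
    grant the same rights are outside the scope of this rule."""
    findings = {}
    for group, listing in inventory.items():
        arns = [p["PolicyArn"] for p in listing.get("AttachedPolicies", [])
                if name_like(p["PolicyName"])]
        if arns:
            findings[group] = arns
    return findings


def remediation_commands(inventory: dict) -> list:
    """One 'aws iam detach-group-policy' command per offending attachment."""
    return [f"aws iam detach-group-policy --group-name {g} --policy-arn {arn}"
            for g, arns in find_noncompliant_groups(inventory).items() for arn in arns]


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_INVENTORY):
        print(cmd)
```

Review the generated commands before running them; detaching the policy removes the group's administrator rights immediately for every member.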

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html
  2. https://docs.aws.amazon.com/cli/latest/reference/iam/delete-group-policy.html

IAM Group

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset