Guides

Ensure that the IAM Policy does not grant full administrative rights

IAM policy should not grant administrative access to everyone as it violates the principle of least privilege.

Suggest Edits

Risk Level: High
Cloud Entity: AWS IAM Policy
CloudGuard Rule ID: D9.CFT.IAM.15
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

AWS_IAM_Policy should not have PolicyDocument.Statement contain-any [ Effect='Allow' and Action='*' and Resource='*' ]

REMEDIATION

From CFT
Set AWS::IAM::Policy Actions and Resources attributes to limited subset, e.g Actions: ['s3:Create*']

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_IAM.html

AWS IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CloudFormation ruleset

Updated about 1 year ago