Ensure that an inline IAM user policy does not allow full administrative rights
IAM user policy should be setup in such a way that it follows the least privilege principle. Allowing full admin rights may result into critical security loopholes in the system.
Risk Level: High
Cloud Entity: IAM User
CloudGuard Rule ID: D9.CFT.IAM.35
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
AWS_IAM_User should not have Policies contain-any [ PolicyDocument.Statement contain-any [ Effect = 'Allow' and Resource='*' and Action = '*' ] ]
REMEDIATION
From CFT
Set AWS::IAM::User Resource and Action elements in Policies.PolicyDocument.Statement
to a specific resources and actions.
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html
IAM User
An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated about 1 year ago