Ensure IAM policies that allow full *:* administrative privileges are not attached

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

Risk Level: High
Cloud Entity: AWS Identity and Access Management (IAM)
CloudGuard Rule ID: D9.TF.AWS.IAM.10
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

aws_iam_policy should not have assume_role_policy regexMatch /.*"\*:\*".*/

REMEDIATION

  1. Run aws iam list-policies --only-attached --output text 2. For each policy returned, run aws iam get-policy-version --policy-arn <policy_arn> --version-id <version> 3. In output ensure policy should not have any Statement block with Effect Allow and Action set to * and Resource.

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.

Compliance Frameworks

  • Terraform AWS CIS Foundations