Ensure AWS IAM policies allow only the required privileges for each role
IAM policies are the means by which privileges are granted to users, groups, or roles. IAM Policies should follow the standard principle of least privilege - granting only the permissions required to perform a task. It is recommended to begin with a minimum set of permissions and grant additional permissions as necessary, instead of allowing full administrative privileges.
Risk Level: Low
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.52
Category: Security, Identity, & Compliance
GSL LOGIC
IamPolicy where arn!='arn:aws:iam::aws:policy/AdministratorAccess' should not have document.Statement contain-any [ $ with [ Effect='Allow' and Action='*' ] ]
REMEDIATION
From Portal:
Perform the following to detach the policy that has excessive administrative privileges:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click Policies and then search for the policy name.
- Select the policy that needs to be deleted.
- In the policy action menu, select first Detach.
- Select all Users, Groups, Roles that have this policy attached.
- Click Detach Policy.
- In the policy action menu, select Detach.
From Command Line:
- Lists all IAM users, groups, and roles that the specified managed policy is attached to, identify and note any excessive privileges.
aws iam list-entities-for-policy --policy-arn policy_arn
- Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name iam_user --policy-arn policy_arn
- Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name iam_group --policy-arn policy_arn
- Detach the policy from all IAM Roles:
aws iam detach-role-policy --role-name iam_role --policy-arn policy_arn
References:
- https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
- https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/access_policies.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-group-policy.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-role-policy.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-entities-for-policy.html
IAM Policy
You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
Updated over 1 year ago