Ensure that IAM Role doesn't have excessive permissions (Allowing all actions)

To reduce the risk of misuse or abuse due to an overly privileged IAM Role, restrict the actions the role is allowed to perform to those its workload actually needs, following the principle of least privilege. The rule evaluates the role's permissions policies (inline and attached) and flags any 'Allow' statement whose 'Action' contains the bare wildcard '*'; the role's trust policy is not evaluated.

Risk Level: High
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.62
Category: Security, Identity, & Compliance

GSL LOGIC

IamRole should not have combinedPolicies contain [ relationType != 'AssumeRole' and policyDocument.Statement contain [ Effect='Allow' and Action contain ['*'] ] ]

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console and open the AWS IAM console at https://console.aws.amazon.com/iamv2/
  2. From the left pane, under 'Access management' select 'Roles'
  3. Identify and select the relevant IAM Role
  4. Edit its 'Permissions policies' according to the principle of least privilege, replacing 'Action': '*' with the specific actions (and resources) the role requires

From TF
To edit an IAM Role inline policy, update the policy document referenced by the 'policy' argument:

resource "aws_iam_role_policy" "iam_role_policy_example" {
	..
	policy = POLICY-DOCUMENT
	..
}

To edit a policy attached to an IAM Role, update the document of the managed policy whose ARN is given in the 'policy_arn' argument (for a customer managed policy defined in Terraform, that is the 'policy' argument of the corresponding aws_iam_policy resource):

resource "aws_iam_role_policy_attachment" "iam_role_policy_attachment_example" {
	..
	role       = ROLE-NAME
	policy_arn = POLICY-ARN
	..
}

To edit an IAM policy document, update the 'actions' argument within the 'statement' block, replacing '*' with the specific actions required (and scope the 'resources' argument as well):

data "aws_iam_policy_document" "iam_policy_document_example" {
	statement {
		..
		actions = [ ACTIONS-LIST ]
		..
	}
}

From Command Line
Use the following command to replace an IAM Role inline policy. The policy document can be passed inline as a JSON string or as file://path-to-policy.json:

aws iam put-role-policy --role-name ROLE_NAME --policy-name NAME_OF_POLICY --policy-document POLICY_DOCUMENT_JSON

Use the following command to update a customer managed policy by creating a new default version. A managed policy can hold at most five versions, so delete an old one with 'aws iam delete-policy-version' first if the limit is reached. AWS managed policies (for example AdministratorAccess) cannot be edited; detach them from the role with 'aws iam detach-role-policy' and attach a scoped policy instead.

aws iam create-policy-version --policy-arn POLICY_ARN --policy-document POLICY_DOCUMENT_JSON --set-as-default
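As an added example (not CloudGuard's or AWS's code), the following Python script reproduces the GSL logic above against policy documents held locally, so the check can be run offline before and after remediation, and builds the 'aws iam put-role-policy' invocation for a remediated inline policy. The role name, policy names, bucket ARN and policy documents are constructed for illustration; the AdministratorAccess document is the real content of that AWS managed policy (Allow '*' on '*'), included to show that attached managed policies count too.

```python
"""Offline check mirroring CloudGuard rule D9.AWS.IAM.62 (IAM role allows Action "*").

Added example; not CloudGuard's or AWS's code. The role and policy documents below
are constructed to resemble the output of `aws iam get-role`, `get-role-policy` and
`get-policy-version`; the role, policy and bucket names are hypothetical.
"""
import json
import shlex


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows_all_actions(policy_document):
    """Return the Allow statements whose Action contains the bare wildcard "*".

    Mirrors `Effect='Allow' and Action contain ['*']` in the GSL logic: a service
    wildcard such as "s3:*" is not matched, and NotAction is ignored, so this is a
    floor, not a complete least-privilege review. Accepts a dict or a JSON string.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    return [
        stmt
        for stmt in _as_list(policy_document.get("Statement"))
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action"))
    ]


def evaluate_role(role):
    """Evaluate every permissions policy of a role, skipping the trust policy.

    `role` holds RoleName, AssumeRolePolicyDocument, InlinePolicies (name -> document)
    and AttachedPolicies (ARN -> document). Skipping the trust policy matches
    `relationType != 'AssumeRole'` in the GSL logic.
    Returns (policy kind, policy name or ARN, statement Sid) tuples.
    """
    findings = []
    for name, doc in role.get("InlinePolicies", {}).items():
        findings += [("inline", name, s.get("Sid")) for s in allows_all_actions(doc)]
    for arn, doc in role.get("AttachedPolicies", {}).items():
        findings += [("attached", arn, s.get("Sid")) for s in allows_all_actions(doc)]
    return findings


def put_role_policy_command(role_name, policy_name, policy_document):
    """Build the `aws iam put-role-policy` call that replaces an inline policy.

    The flag is --policy-name; the document is passed inline as JSON
    (file://policy.json works as well).
    """
    doc = json.dumps(policy_document, separators=(",", ":"))
    return (
        f"aws iam put-role-policy --role-name {shlex.quote(role_name)} "
        f"--policy-name {shlex.quote(policy_name)} --policy-document {shlex.quote(doc)}"
    )


# --- constructed sample data (hypothetical names) ----------------------------

TRUST_POLICY = {  # who may assume the role; not a permissions policy, so never flagged
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

OVERLY_PERMISSIVE_INLINE = {  # the finding: Allow "*" on "*"
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

LEAST_PRIVILEGE_INLINE = {  # remediated: only the actions and resources the workload needs
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAppConfig", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-config/*"},
        {"Sid": "ListAppConfig", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-config"},
    ],
}

# AWS managed AdministratorAccess is Allow "*" on "*"; attaching it trips the rule too.
ADMINISTRATOR_ACCESS_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

BEFORE = {"RoleName": "example-app-role", "AssumeRolePolicyDocument": TRUST_POLICY,
          "InlinePolicies": {"example-app-inline": OVERLY_PERMISSIVE_INLINE},
          "AttachedPolicies": {ADMINISTRATOR_ACCESS_ARN: ADMINISTRATOR_ACCESS}}

AFTER = {"RoleName": "example-app-role", "AssumeRolePolicyDocument": TRUST_POLICY,
         "InlinePolicies": {"example-app-inline": LEAST_PRIVILEGE_INLINE},
         "AttachedPolicies": {}}  # AdministratorAccess detached


if __name__ == "__main__":
    for label, role in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate_role(role))
    print(put_role_policy_command("example-app-role", "example-app-inline", LEAST_PRIVILEGE_INLINE))
```

Running the script reports two findings for the 'before' role (the inline statement 'AllowEverything' and the attached AdministratorAccess policy) and none for the 'after' role. The check deliberately follows the rule's scope: a service wildcard such as 's3:*' passes this rule even though it is still broader than least privilege, so treat a clean result as a floor rather than a sign-off.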

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
  5. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-role-policy.html
  7. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy-version.html

IAM Role

An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management