Ensure IAM user, group, or role should have MFA permissions restricted
IAM users, groups, and roles should only be given permissions to deactivate, reset, or otherwise manage multi-factor authentication (MFA) devices for other IAM resources when that is explicitly intended. These permissions are granted by attaching an identity-based policy to the entity, so any attached policy that allows them should be reviewed.
Risk Level: Low
Cloud Entity: IAM Policy
CloudGuard Rule ID: D9.AWS.IAM.86
Category: Security, Identity, & Compliance
GSL LOGIC
IamPolicy where attachmentCount > 0 should not have document.Statement contain [ Effect='Allow' and (Action='iam:DeactivateMFADevice' or Action='iam:EnableMFADevice' or Action='iam:ResyncMFADevice' or Action='iam:DeleteVirtualMFADevice' or Action='iam:CreateVirtualMFADevice' or Action='iam:ListMFADevices' or Action='iam:ListVirtualMFADevices') ]
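The GSL logic above, reproduced as an added Python checker that is not part of CloudGuard or this page; it runs over a constructed policy document rather than a live account. It goes one step beyond the exact-string GSL match and also flags wildcard actions such as `iam:*` or `*`, which IAM expands to the same MFA permissions at evaluation time.

```python
import fnmatch
import json

# The MFA-management actions the rule flags when an attached policy allows them
MFA_ACTIONS = {
    "iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:ResyncMFADevice",
    "iam:DeleteVirtualMFADevice", "iam:CreateVirtualMFADevice",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices",
}

def _as_list(value):
    """IAM lets Statement and Action be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def mfa_actions_allowed(policy_doc):
    """Return the set of MFA-management actions that Allow statements grant.

    Wildcards ('iam:*', 'iam:*MFA*', '*') are matched the way IAM expands them,
    case-insensitively, so a policy that grants everything is flagged too.
    """
    found = set()
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in MFA_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    found.add(action)
    return found

def is_compliant(policy_doc, attachment_count):
    """Mirror the rule: only policies with attachmentCount > 0 are evaluated."""
    return attachment_count == 0 or not mfa_actions_allowed(policy_doc)

# Constructed sample: a policy granting MFA reset on any user in a placeholder account
OFFENDING_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["iam:DeactivateMFADevice", "iam:ResyncMFADevice"],
                 "Resource": "arn:aws:iam::123456789012:user/*"}]
}""")

# Constructed sample: an attached policy with no MFA-management actions at all
HARMLESS_POLICY = {"Version": "2012-10-17",
                   "Statement": {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"}}

if __name__ == "__main__":
    print(sorted(mfa_actions_allowed(OFFENDING_POLICY)))
    print(is_compliant(OFFENDING_POLICY, 2), is_compliant(HARMLESS_POLICY, 2))
```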
REMEDIATION
Note: AWS managed policies cannot be deleted.
From Portal
- Go to 'IAM'
- In the menu, under 'Access management', choose 'Policies'
- For each non-compliant policy, make sure there are no IAM entities attached to it:
  - Choose the non-compliant policy
  - Under 'Policy usage', detach any IAM entity attached to it
From Command Line
To remove the specified managed policy from a specified user, run:
aws iam detach-user-policy --user-name USER-NAME --policy-arn POLICY-ARN
To remove the specified managed policy from a specified IAM group, run:
aws iam detach-group-policy --group-name GROUP-NAME --policy-arn POLICY-ARN
To remove the specified managed policy from a specified role, run:
aws iam detach-role-policy --role-name ROLE-NAME --policy-arn POLICY-ARN
References
- https://docs.aws.amazon.com/service-authorization/latest/reference/list_identityandaccessmanagement.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html
IAM Policy
You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0