Ensure IAM groups do not have administrator privileges
Granting full administrative privileges to a group, instead of restricting it to the minimum set of permissions its users actually need, exposes the account's resources to potentially unwanted actions by every member of that group.
Risk Level: Low
Cloud Entity: IAM Group
CloudGuard Rule ID: D9.AWS.IAM.87
Category: Security, Identity, & Compliance
GSL LOGIC
IamGroup should not have managedPolicies with [ name like 'AdministratorAccess' ]
REMEDIATION
From Portal
- Go to 'IAM'
- In the menu, under 'Access management', choose 'User groups'
- For each non-compliant group:
  - Click on the non-compliant group name
  - Under 'Permissions', select the policy 'AdministratorAccess'
  - Click 'Remove'
From Command Line
To detach the specified managed policy from the specified IAM group, run the following, replacing GROUP-NAME with the group's name and POLICY-ARN with the policy's ARN (for the AWS-managed AdministratorAccess policy this is arn:aws:iam::aws:policy/AdministratorAccess):
aws iam detach-group-policy --group-name GROUP-NAME --policy-arn POLICY-ARN
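The following is an added example, not CloudGuard's own rule engine or code from the page: it evaluates the GSL logic above offline against a constructed inventory of IAM groups and then builds the detach command from the remediation section for each finding. The inventory mirrors the shape of `aws iam list-attached-group-policies` output with a simplified policy document attached to each entry; the group names, the placeholder account id 123456789012 and the policy documents are all constructed, and the GSL `like` operator is modelled as a case-insensitive SQL-style LIKE with `%` as a wildcard, which is an assumption about GSL semantics rather than something the page states. The example goes one step beyond the rule by also inspecting each policy document for a full-admin grant, which catches a customer-managed copy of AdministratorAccess under a different name that a name match alone would miss.

```python
import re

# Policy name pattern from the rule's GSL: managedPolicies with [ name like 'AdministratorAccess' ]
ADMIN_PATTERN = "AdministratorAccess"

# Constructed inventory (not real account data). Each entry mirrors the shape of
# `aws iam list-attached-group-policies` output, plus a simplified policy document
# of the kind `aws iam get-policy-version` returns, so the example runs offline.
SAMPLE_GROUPS = [
    {"GroupName": "Developers", "AttachedPolicies": [
        {"PolicyName": "AmazonS3ReadOnlyAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
         "Document": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}}]},
    {"GroupName": "Admins", "AttachedPolicies": [
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess",
         "Document": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
    {"GroupName": "Ops", "AttachedPolicies": [
        {"PolicyName": "IAMReadOnlyAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/IAMReadOnlyAccess",
         "Document": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}},
        # Customer-managed full-admin copy under another name (constructed;
        # 123456789012 is a placeholder account id, not a real account)
        {"PolicyName": "PlatformAdmin",
         "PolicyArn": "arn:aws:iam::123456789012:policy/PlatformAdmin",
         "Document": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}}]},
]


def gsl_like(value: str, pattern: str) -> bool:
    """Model of GSL `like`: case-insensitive SQL-style LIKE, `%` matches any run (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def find_noncompliant(groups, pattern: str = ADMIN_PATTERN):
    """Apply rule D9.AWS.IAM.87: (group, policy ARN) for every attached managed policy whose name matches."""
    return [(g["GroupName"], p["PolicyArn"])
            for g in groups for p in g["AttachedPolicies"]
            if gsl_like(p["PolicyName"], pattern)]


def _as_list(value):
    # IAM policy JSON allows a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def grants_full_admin(document) -> bool:
    """True if an Allow statement grants every action on every resource
    (the shape of the AWS-managed AdministratorAccess policy)."""
    for statement in _as_list(document.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if "*" in _as_list(statement.get("Action", [])) and "*" in _as_list(statement.get("Resource", [])):
            return True
    return False


def find_full_admin_policies(groups):
    """Beyond the rule's name match: flag any attached policy whose document is full-admin."""
    return [(g["GroupName"], p["PolicyArn"])
            for g in groups for p in g["AttachedPolicies"]
            if grants_full_admin(p["Document"])]


def remediation_commands(findings):
    """Build the page's detach command for each (group, policy ARN) finding."""
    return [f"aws iam detach-group-policy --group-name {group} --policy-arn {arn}"
            for group, arn in findings]


if __name__ == "__main__":
    by_name = find_noncompliant(SAMPLE_GROUPS)
    by_document = find_full_admin_policies(SAMPLE_GROUPS)
    print("Rule findings (name match):", by_name)
    print("Missed by name match, caught by document check:", sorted(set(by_document) - set(by_name)))
    for command in remediation_commands(by_document):
        print(command)
```

On a real account the inventory would come from `aws iam list-groups` and `aws iam list-attached-group-policies --group-name GROUP-NAME`. Detaching the policy removes the broad grant but does not replace it, so follow each detach by attaching a policy scoped to what the group's members need; note also that `detach-group-policy` acts on attached managed policies only, while an inline policy on the group would have to be removed with `delete-group-policy`.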
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html
- https://docs.aws.amazon.com/cli/latest/reference/iam/delete-group-policy.html
IAM Group
An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
Updated over 1 year ago