Ensure IAM groups do not have administrator privileges

Granting full administrative privileges, instead of restricting a group to the minimum set of permissions its users need, exposes resources to potentially unwanted actions.

Risk Level: Low
Cloud Entity: IAM Group
CloudGuard Rule ID: D9.AWS.IAM.87
Category: Security, Identity, & Compliance


IamGroup should not have managedPolicies with [ name like 'AdministratorAccess' ]


From Portal

  1. Go to 'IAM'
  2. In the menu, under 'Access management', choose 'User groups'
  3. For each non-compliant group:
  4. Click on the non-compliant group name
  5. Under 'Permissions', select the policy 'AdministratorAccess'
  6. Click 'Remove'

From Command Line
To remove the specified managed policy from a specified IAM group, run:

aws iam detach-group-policy --group-name GROUP-NAME --policy-arn POLICY-ARN
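
The following added example (not part of the CloudGuard page) applies the rule's condition to the JSON that `aws iam list-attached-group-policies --group-name <name>` returns for each group, and builds the detach command above for every violation. The group names and the account id in the sample output are constructed, and treating GSL's `like` as a case-insensitive substring match is an assumption.

```python
import json
import re

# Constructed sample output of `aws iam list-attached-group-policies --group-name <name>`
# for three groups (sample data; the group names and account id are made up).
SAMPLE_CLI_OUTPUT = {
    "Admins": '''{"AttachedPolicies": [
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}''',
    "Developers": '''{"AttachedPolicies": [
        {"PolicyName": "PowerUserAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/PowerUserAccess"},
        {"PolicyName": "ReadOnlyAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}''',
    "PlatformOps": '''{"AttachedPolicies": [
        {"PolicyName": "LegacyAdministratorAccess-v2",
         "PolicyArn": "arn:aws:iam::123456789012:policy/LegacyAdministratorAccess-v2"}]}''',
}

# GSL condition from the rule: managedPolicies with [ name like 'AdministratorAccess' ].
# Assumption: 'like' is treated as a case-insensitive substring match, so a
# customer-managed clone whose name embeds the string is flagged as well as the
# AWS-managed policy arn:aws:iam::aws:policy/AdministratorAccess.
ADMIN_NAME = re.compile(r"AdministratorAccess", re.IGNORECASE)

def parse_attached_policies(cli_json):
    """Extract (PolicyName, PolicyArn) pairs from list-attached-group-policies output."""
    doc = json.loads(cli_json)
    return [(p["PolicyName"], p["PolicyArn"]) for p in doc.get("AttachedPolicies", [])]

def evaluate(group_outputs):
    """Return {group: [policy_arn, ...]} for every group violating D9.AWS.IAM.87."""
    findings = {}
    for group, cli_json in group_outputs.items():
        hits = [arn for name, arn in parse_attached_policies(cli_json) if ADMIN_NAME.search(name)]
        if hits:
            findings[group] = hits
    return findings

def remediation_commands(findings):
    """Build the detach command from the page for each finding.
    detach-group-policy removes a managed-policy attachment only; an inline policy
    granting the same access would need delete-group-policy instead."""
    return [f"aws iam detach-group-policy --group-name {group} --policy-arn {arn}"
            for group, arns in sorted(findings.items()) for arn in arns]

if __name__ == "__main__":
    for cmd in remediation_commands(evaluate(SAMPLE_CLI_OUTPUT)):
        print(cmd)
```

Feed it the real command output per group (for example, looping over `aws iam list-groups`) and review each generated command before running it, since detaching the policy takes effect immediately for every user in the group.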


  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html
  2. https://docs.aws.amazon.com/cli/latest/reference/iam/delete-group-policy.html

IAM Group

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0