Risk Level: Low
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.97
Category: Security, Identity, & Compliance
IamRole where combinedPolicies with [ policyDocument with [ Statement with [ Principal.Service='eks.amazonaws.com' ] ] ] should not have document.Statement contain [ Effect='Allow' and Action='*' ]
- Go to 'IAM'
- In the menu, under 'Access management', choose 'Roles'
- For each non-compliant Role:
  - Click the name of the non-compliant Role
  - Under 'Permissions', select the policy that grants full access (Effect 'Allow' on Action '*')
  - Click 'Remove'
From Command Line
To remove the specified managed policy from a specified IAM Role, run:
aws iam detach-role-policy --role-name ROLE-NAME --policy-arn POLICY-ARN
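The following is an added example, not code from the CloudGuard page or from Check Point: it re-implements the rule's logic above in plain Python over a constructed set of role records (the role names, the account id 123456789012 and the policy ARNs and documents are made up for illustration) and prints the matching `aws iam detach-role-policy` command for each finding without executing it. It goes slightly beyond the GSL expression, which matches the literal `Action='*'`: the check below also flags an `Action` list that contains `"*"`, and treats `Principal.Service` as either a string or a list, both of which are valid forms in IAM policy JSON.

```python
from typing import Any, Dict, List, Tuple

# Constructed sample input, shaped like the output of
# `aws iam get-role` / `aws iam get-role-policy`. Not real AWS data.
SAMPLE_ROLES: Dict[str, Dict[str, Any]] = {
    # Trusted by EKS and carries a full-access statement: non-compliant.
    "eks-cluster-role-a": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "eks.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]},
        "Policies": [{
            "PolicyArn": "arn:aws:iam::123456789012:policy/example-full-access",
            "PolicyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Effect": "Allow",
                                              "Action": "*",
                                              "Resource": "*"}]}}]},
    # Trusted by EKS (Service given as a list) with "*" inside an Action
    # list: the GSL literal match would miss this form; this check catches it.
    "eks-cluster-role-b": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": ["eks.amazonaws.com"]},
                           "Action": "sts:AssumeRole"}]},
        "Policies": [{
            "PolicyArn": "arn:aws:iam::123456789012:policy/example-mixed",
            "PolicyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Effect": "Allow",
                                              "Action": ["ec2:DescribeInstances", "*"],
                                              "Resource": "*"}]}}]},
    # Trusted by EKS but scoped to a few actions: compliant.
    "eks-cluster-role-c": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "eks.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]},
        "Policies": [{
            "PolicyArn": "arn:aws:iam::123456789012:policy/example-scoped",
            "PolicyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Effect": "Allow",
                                              "Action": ["ec2:DescribeInstances",
                                                         "ec2:DescribeSubnets"],
                                              "Resource": "*"}]}}]},
    # Wildcard allow, but not trusted by EKS: outside this rule's scope.
    "lambda-role-d": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "lambda.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]},
        "Policies": [{
            "PolicyArn": "arn:aws:iam::123456789012:policy/example-lambda-full",
            "PolicyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Effect": "Allow",
                                              "Action": "*",
                                              "Resource": "*"}]}}]},
}


def _as_list(value: Any) -> List[Any]:
    """IAM policy JSON allows a scalar or a list in most fields; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusts_service(trust_policy: Dict[str, Any], service: str) -> bool:
    """True if any Allow statement names `service` in Principal.Service."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            if service in _as_list(principal.get("Service")):
                return True
    return False


def has_wildcard_allow(policy_doc: Dict[str, Any]) -> bool:
    """True if any statement is Effect=Allow with "*" among its Actions."""
    return any(stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action"))
               for stmt in _as_list(policy_doc.get("Statement")))


def find_noncompliant(roles: Dict[str, Dict[str, Any]],
                      service: str = "eks.amazonaws.com") -> List[Tuple[str, str]]:
    """Return (role name, policy ARN) pairs that violate the rule."""
    findings = []
    for name, role in roles.items():
        if not trusts_service(role["AssumeRolePolicyDocument"], service):
            continue
        for policy in role.get("Policies", []):
            if has_wildcard_allow(policy["PolicyDocument"]):
                findings.append((name, policy["PolicyArn"]))
    return findings


def remediation_commands(findings: List[Tuple[str, str]]) -> List[str]:
    """Build the detach command from the page for each finding (not executed)."""
    return [f"aws iam detach-role-policy --role-name {role} --policy-arn {arn}"
            for role, arn in findings]


if __name__ == "__main__":
    for line in remediation_commands(find_noncompliant(SAMPLE_ROLES)):
        print(line)
```

Running the block prints two detach commands, one for `eks-cluster-role-a` and one for `eks-cluster-role-b`; `eks-cluster-role-c` is scoped and `lambda-role-d` is not trusted by EKS, so neither is reported. In a real account the role records would come from `aws iam list-roles`, `list-attached-role-policies` and `get-policy-version` rather than the constructed dictionary.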
An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
Updated 5 months ago