Ensure that there are no Amazon IAM users with administrator permissions (i.e. privileged users) in your AWS account, in order to adhere to IAM security best practices and implement the principle of least privilege (providing every user with the minimal amount of access required to perform their tasks). A privileged IAM user is an IAM identity that has admin access to AWS services and resources, where administrator access means being able to perform any action in the AWS account. This rule checks AWS IAM Users assigned to AWS Managed Policies, Customer Managed Policies and Inline Policies.
Examples of what this rule checks:
- Users assigned to AWS Managed Policies that give them Administration, Power or Full Access to AWS services
- Users assigned permissions to Create, Update or Delete AWS resources
Cloud Conformity strongly recommends that IAM administration and permission management within your AWS account be divided between two well-defined roles: IAM Master and IAM Manager. The IAM Master and IAM Manager role policies must replace the permissive admin policy attached to the privileged IAM user, so that other IAM users and roles can be created and configured with limited permissions that follow the same principle of least privilege.
You can specify the list of AWS Managed Policies or Actions for which users with administration privileges will be checked, within the rule settings on your Trend Micro Cloud One™ – Conformity account console.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When an IAM user with administrator-level permissions (i.e. authorization to create, modify or remove any resource, access any data within the AWS environment and use any service or component) is an inexperienced person within your organization, their actions can lead to severe security problems, data leaks, data loss or unexpected charges on your AWS bill.
To determine if there are any IAM users with administrator permissions available within your AWS account, perform the following:
Note: This conformity rule checks for the "AdministratorAccess" AWS managed policy.
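The following is an added example of the audit check, not Conformity's own code: it flags users that hold full admin rights through the AdministratorAccess managed policy (by ARN, as the rule does), through any managed or inline policy document equivalent to it, or through group membership. The input shape is a loose, constructed imitation of what iam.get_account_authorization_details() returns; the account ID, user, group and policy names are made up.

```python
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _as_list(value):  # IAM policy JSON allows a single string or a list here
    return value if isinstance(value, list) else [value]

def grants_full_admin(document):
    """True if an Allow statement permits every action ("*") on every resource ("*")."""
    for stmt in _as_list(document.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return True
    return False

def _admin_reasons(attached, inline, managed_docs, via=""):
    # AdministratorAccess by ARN (what the rule checks), plus any equivalent managed/inline document.
    reasons = []
    for pol in attached:
        arn = pol["PolicyArn"]
        if arn == ADMIN_ARN or grants_full_admin(managed_docs.get(arn, {})):
            reasons.append(f"{via}attached:{arn}")
    for pol in inline:
        if grants_full_admin(pol["PolicyDocument"]):
            reasons.append(f"{via}inline:{pol['PolicyName']}")
    return reasons

def find_admin_users(users, groups, managed_docs):
    """Map user name -> reasons, for users that are admin directly or via a group."""
    findings = {}
    for user in users:
        reasons = _admin_reasons(user.get("AttachedManagedPolicies", []),
                                 user.get("UserPolicyList", []), managed_docs)
        for gname in user.get("GroupList", []):
            grp = groups.get(gname, {})
            reasons += _admin_reasons(grp.get("AttachedManagedPolicies", []),
                                      grp.get("GroupPolicyList", []), managed_docs,
                                      via=f"group:{gname}/")
        if reasons:
            findings[user["UserName"]] = reasons
    return findings

# Constructed sample, loosely shaped like iam.get_account_authorization_details() output.
CUSTOM_ADMIN = "arn:aws:iam::123456789012:policy/CustomAdmin"
SAMPLE_MANAGED = {CUSTOM_ADMIN: {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}
SAMPLE_GROUPS = {"Admins": {"AttachedManagedPolicies": [{"PolicyArn": ADMIN_ARN}], "GroupPolicyList": []}}
SAMPLE_USERS = [
    {"UserName": "alice", "GroupList": ["Admins"]},
    {"UserName": "bob", "AttachedManagedPolicies": [{"PolicyArn": CUSTOM_ADMIN}]},
    {"UserName": "carol", "UserPolicyList": [{"PolicyName": "bucket-only", "PolicyDocument":
        {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*"}}}]},
]
```

Only alice (via the Admins group) and bob (via a customer managed policy equivalent to AdministratorAccess) are reported; carol's wildcard action is scoped to one bucket and is not full admin.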
To adhere to security best practices and implement the IAM Master and IAM Manager role policies for your privileged AWS IAM user, perform the following:
Rule: AWS IAM Users with Admin Privileges
Risk level: High